Centos系统安全防护工作
时间:2014-02-22 02:12 来源:www.it.net.cn 作者:IT网
1.安装系统 centos 6.2 64X
2.定制系统分区,
2.1 / 分区100G;
2.2.swap 2048M;
2.3./data 分区,使用剩余全部可用空间。
2.4.其它需求根据服务特点进行定制;
2.系统瘦身,卸载无用系统软件;(此步骤在线系统跳过)
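# Step 2 (offline builds only): remove package groups a hardened host does not
# need. The page rendering had wrapped this single command over four lines, so
# copying it as-is would run four separate (and mostly broken) commands; the
# continuations restore one invocation. "Office/Productivity" was listed twice.
yum -y groupremove "FTP Server" "Text-based Internet" "Windows File Server" \
  "PostgreSQL Database" "News Server" "DNS Name Server" "Web Server" \
  "Dialup Networking Support" "Mail Server" "Office/Productivity" "Ruby" \
  "Sound and Video" "X Window System" "X Software Development" \
  "Printing Support" "OpenFabrics Enterprise Distribution"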
3.安装必要系统状态查看命令;
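# Step 3: packages for building and inspecting the system. Again one command
# that the page had wrapped; duplicates (ncurses-devel, bison) dropped.
# Notes:
# - "Tcl/Tk" looks like a group name rather than a package name; yum will
#   report it as unavailable — verify what was intended.
# - A full compiler toolchain plus openldap-servers on a production host widens
#   the attack surface (step 5 later tries to lock gcc/make down); building on a
#   separate host and shipping only the artefacts is the cleaner layout.
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel \
  freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel \
  glib2 glib2-devel bzip2 bzip2-devel zip unzip ncurses ncurses-devel curl \
  curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl \
  openssh openssl-devel nss_ldap openldap openldap-devel openldap-clients \
  openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl bison libtool \
  vim-enhanced python wget lsof iptraf strace lrzsz kernel-devel kernel-headers \
  pam-devel Tcl/Tk cmake setuptool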
4.锁定无用账户;
# Step 4: lock the password of service accounts that never log in interactively.
# `passwd -l` only invalidates the password field; it does not change the
# account's shell, so an account that still has a real shell could be reached
# through other authenticators (e.g. a key dropped in its home). Pairing this
# with a nologin shell is the usual follow-up; kept out here to preserve the
# original behaviour. Order is the original one.
for svc_acct in xfs news nscd dbus vcsa games nobody avahi haldaemon gopher \
                ftp mailnull pcap mail shutdown halt uucp operator sync adm lp; do
  passwd -l "$svc_acct"
done
5.限制关键命令,研发人员使用root密码或者将某用户提升至root级别,可以使用,现不适用ptmind;
# Step 5 (left disabled in the original, see the heading): make common tools
# root-only by clearing the group/other bits. Notes for whoever enables it:
# - chmod 700 also clears the setuid bit on /bin/ping, so ping then works for
#   root only.
# - rpm owns every one of these files: a later `yum update` of the owning
#   package restores the packaged mode, and `rpm -V` reports the drift, so the
#   change must be re-applied after updates.
# - This is obscurity rather than a control; a user with an interactive shell
#   can bring their own copies of these tools.
#chmod 700 /bin/ping
#chmod 700 /usr/bin/finger
#chmod 700 /usr/bin/who
#chmod 700 /usr/bin/w
#chmod 700 /usr/bin/locate
#chmod 700 /usr/bin/whereis
#chmod 700 /sbin/ifconfig
#chmod 700 /usr/bin/pico
#chmod 700 /bin/vi
#chmod 700 /usr/bin/which
#chmod 700 /usr/bin/gcc
#chmod 700 /usr/bin/make
#chmod 700 /bin/rpm
6.修改密码输入失败3次,锁定5分钟;
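# Step 6: lock an account for 300 s after 3 failed logins (pam_tally).
# The original one-line sed could not work: its replacement text held no
# newlines, so the pam_env line and two pam_tally lines were glued onto one
# line, and `$ISA` inside single quotes was written literally. Insert one
# pam_tally entry right after pam_env instead, and only if it is not there yet.
# Caveats:
# - /etc/pam.d/system-auth is a symlink to system-auth-ac, which `authconfig`
#   regenerates; re-check after any authconfig run.
# - pam_tally needs a matching `account required pam_tally.so` line for the
#   failure counter to reset on a successful login — confirm against pam_tally(8)
#   for the installed version before relying on unlock_time alone.
pam_file=/etc/pam.d/system-auth
if ! grep -q 'pam_tally.so' "$pam_file"; then
  sed -i '/^auth[[:space:]]\+required[[:space:]]\+pam_env\.so/a\
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=300' "$pam_file"
fi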
7.修改30分钟无活动,自动退出 ;
echo "TMOUT=1800" >>/etc/profile
8.修改系统打开最大文件数;
# Step 8: raise the per-process open-file limit for every user (soft and hard).
# Note: appended unconditionally, so running the step twice leaves two copies.
limits_conf=/etc/security/limits.conf
printf '%s\n' '* soft nofile 66666' '* hard nofile 66666' >> "$limits_conf"
9.关闭 ipv6;
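# Step 9: disable IPv6.
# The original appended `alias ... off` lines to /etc/modprobe.conf. On CentOS 6
# that file is deprecated in favour of /etc/modprobe.d/*.conf, and the alias
# trick alone does not keep the ipv6 module out; the supported knob is
# `options ipv6 disable=1`. Written to its own file so it survives as a unit.
# Takes effect at next boot. Daemons that bind ::1 (e.g. local MTA) may need
# their own config adjusted afterwards.
cat > /etc/modprobe.d/ipv6.conf <<'EOF'
options ipv6 disable=1
EOF
/sbin/chkconfig --level 35 ip6tables off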
10.更改系统默认字体为UTF8;
sed -i 's@LANG=.*$@LANG=\"en_US.UTF-8\"@g' /etc/sysconfig/i18n
11.修改启动模式 到3;
sed -i 's/id:.*$/id:3:initdefault:/g' /etc/inittab
12.内核参数调整;
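# Step 12: TCP tuning. The author's marker comment doubles as the re-run guard
# so the keys are appended once. Delimiter quoted: nothing here is meant to
# expand.
if ! grep -q '^#michaelkang add 120724$' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf <<'EOF'
#michaelkang add 120724
net.ipv4.tcp_abort_on_overflow = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle = 1 was in the original. With TCP timestamps on it drops SYNs
# whose timestamp goes backwards relative to the previous connection from the
# same address — which is what many clients behind one NAT or load balancer
# look like — so they see intermittent connection failures. Left at the kernel
# default.
# net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_max_orphans = 2000
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
EOF
fi
sysctl -p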
13.清理无用服务;
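# Step 13: switch off every runlevel-3 service that is not in the base list.
# Fixes vs. the original: no `ls` parsing, every expansion quoted, the
# `udev-post` entry the page had split over two lines is whole again, and the
# stray mid-file `#!/bin/sh` is gone. iptables and auditd are added to the
# keep-list: the original loop stopped and disabled both, i.e. removed the host
# firewall and the audit trail as a side effect of "cleanup".

#######################################
# Whether a SysV service must stay enabled.
# Arguments: $1 - service name as found in /etc/init.d
# Returns:   0 if it is a base service, 1 otherwise
#######################################
is_base_service() {
  case "$1" in
    cpuspeed|crond|irqbalance|microcode_ctl|xinetd|network|mon|partmon|messagebus|udev-post|sshd|rsyslog|syslog)
      return 0 ;;
    iptables|auditd)
      # kept on purpose: host firewall and kernel audit daemon
      return 0 ;;
    *)
      return 1 ;;
  esac
}

for rc_link in /etc/rc3.d/S*; do
  [ -e "$rc_link" ] || continue      # unmatched glob stays literal
  link_name=${rc_link##*/}           # e.g. S55sshd
  svc=${link_name#S??}               # strip 'S' + 2-digit priority (== cut -c 15-)
  echo "$svc"
  if is_base_service "$svc"; then
    # network, sshd and syslog are the three that must never be turned off here
    echo "Base services, Skip!"
  else
    echo "change $svc to off"
    chkconfig --level 235 "$svc" off
    service "$svc" stop
  fi
done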
14.添加必要的用户和组
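# Step 14: back up the account databases and create the `abc` account.
# - The backup directory is made root-only (the original used the default
#   0755) and `cp -p` keeps /etc/shadow's own mode on the copy.
# - The original embedded the password hash in the script (an MD5-crypt "$1$"
#   value). A hash in a provisioning script is one shared secret for every host
#   built from it and ends up in copies, backups and pastes of the script.
#   Read it from the environment instead, and supply a sha512 ("$6$") hash,
#   which CentOS 6's crypt supports.
# - groupadd/useradd are skipped if the group/user already exist (re-runnable).
: "${ABC_PASSWORD_HASH:?set to a pre-computed crypt(3) hash for user abc}"
mkdir -p -m 0700 /workspace
cp -p /etc/shadow /workspace/
cp -p /etc/passwd /workspace/
getent group public >/dev/null || groupadd public
id abc >/dev/null 2>&1 || useradd abc -g public
printf 'abc:%s\n' "$ABC_PASSWORD_HASH" | chpasswd -e
history -c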
15.关键文件添加特殊权限;
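# Step 15: make the account databases immutable.
# NOTE: while +i is set, useradd/usermod/passwd/chage all fail — run
# `chattr -i` on these four files before any later account change (for
# instance applying the password-ageing step to existing users), then re-apply.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
# history security: append-only.
# The original set +a and then +i. +i (immutable) forbids every write, appends
# included, so bash could no longer record anything; +a alone is what gives
# "cannot be truncated or edited, only appended to". Create the file first so
# chattr does not fail on a fresh root home.
[ -e /root/.bash_history ] || touch /root/.bash_history
chattr +a /root/.bash_history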
16.修改/data下目录权限
chown user:group /data/
17.赋予user高级权限
echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
18.升级openssh登录程序;
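# Step 18: build OpenSSH 5.8p2 from source (as the original did).
# - The download URL on the page is truncated ("..."), so it is taken from the
#   environment; the original fetched over plain HTTP with no integrity check,
#   so the tarball's SHA-256 (operator-supplied) is verified before building.
# - `--with-tcp-wrappers` (needs the tcp_wrappers-devel package) is added:
#   without it libwrap is not compiled in and the /etc/hosts.allow and
#   /etc/hosts.deny rules of the later "ssh login restriction" step never
#   apply to this sshd.
# - Trade-off to track: --prefix=/usr overwrites the RPM-managed openssh files,
#   so this host no longer gets ssh security fixes through yum.
# - Every step that must succeed before the next one exits on failure; in
#   particular nothing in /etc/ssh is moved unless `make` completed.
: "${OPENSSH_URL:?URL of openssh-5.8p2.tar.gz}"
: "${OPENSSH_SHA256:?expected sha256 of openssh-5.8p2.tar.gz}"
cd /workspace || exit 1
wget -O openssh-5.8p2.tar.gz "$OPENSSH_URL" || exit 1
printf '%s  openssh-5.8p2.tar.gz\n' "$OPENSSH_SHA256" | sha256sum -c - || exit 1
tar -xvf openssh-5.8p2.tar.gz || exit 1
cd openssh-5.8p2 || exit 1
#yum install pam-devel
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib \
  --with-ssl-dir=/usr/include/openssl --mandir=/usr/share/man \
  --with-tcp-wrappers || exit 1
make || exit 1
# The backup holds the private host keys: root-only directory.
mkdir -p -m 0700 /etc/sshbak
mv /etc/ssh/* /etc/sshbak/
# `make install` generates fresh host keys, so every client will see a
# "host key changed" warning. Copy ssh_host_*_key* back from /etc/sshbak
# before the restart if the host's identity is meant to stay the same.
make install || exit 1
# /etc/init.d/sshd comes from the distro openssh-server package, not from this
# build — check it is still present before relying on it.
chkconfig --add sshd
chkconfig sshd on
/usr/sbin/sshd -t && /etc/init.d/sshd restart
cd /workspace/ || exit 1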
19.安装denyhost暴力破解软件;
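# Step 19 (install): DenyHosts, a parser of /var/log/secure that blocks
# brute-forcing addresses via hosts.deny.
# The page's download URL is truncated, so it comes from the environment, and
# — as the original fetched an unsigned tarball over plain HTTP — its SHA-256
# (operator-supplied) is checked before anything is installed as root.
# `ln -sf` so a re-run does not fail on the existing symlink.
: "${DENYHOSTS_URL:?URL of DenyHosts-2.6.tar.gz}"
: "${DENYHOSTS_SHA256:?expected sha256 of DenyHosts-2.6.tar.gz}"
cd /workspace || exit 1
wget -O DenyHosts-2.6.tar.gz "$DENYHOSTS_URL" || exit 1
printf '%s  DenyHosts-2.6.tar.gz\n' "$DENYHOSTS_SHA256" | sha256sum -c - || exit 1
tar -zxvf DenyHosts-2.6.tar.gz || exit 1
mv DenyHosts-2.6 denyhost
cd denyhost/ || exit 1
yum install python -y
python setup.py install || exit 1
cd /usr/share/denyhosts/ || exit 1
cp daemon-control-dist daemon-control
cp denyhosts.cfg-dist denyhosts.cfg
chown root daemon-control
chmod 700 daemon-control
ln -sf /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
chkconfig --add denyhosts
chkconfig denyhosts on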
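# Step 19 (configure and start).
# Two defects in the original made the daemon start without this config:
# the heredoc was written with `< EOF` (a read from a file named EOF, which
# fails) and the target was `denyhost.cfg` while the daemon reads
# `denyhosts.cfg` — the file that had just been moved to .bak. Both fixed.
# Delimiter quoted: the content is literal. The keys and comments written into
# the file are the original's.
cd /usr/share/denyhosts/ || exit 1
mv denyhosts.cfg denyhosts.cfg.bak
cat > /usr/share/denyhosts/denyhosts.cfg <<'EOF'
SECURE_LOG = /var/log/secure
#ssh日志文件
HOSTS_DENY = /etc/hosts.deny
#将阻止IP写入到hosts.deny
PURGE_DENY = 1d
#过多久后清除已经禁止的,其中w代表周,d代表天,h代表小时,s代表秒,m代表分钟
BLOCK_SERVICE = ALL
#阻止服务名
DENY_THRESHOLD_INVALID = 5
#允许无效用户(在/etc/passwd未列出)登录失败次数,允许无效用户登录失败的次数.
DENY_THRESHOLD_VALID = 5
#允许普通用户登录失败的次数
DENY_THRESHOLD_ROOT = 5
#允许root登录失败的次数
DENY_THRESHOLD_RESTRICTED = 1
#设定 deny host 写入到该资料夹
WORK_DIR = /usr/share/denyhosts/data
#将deny的host或ip纪录到Work_dir中
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES
HOSTNAME_LOOKUP=YES
#是否做域名反解
LOCK_FILE = /var/lock/subsys/denyhosts
#将DenyHOts启动的pid纪录到LOCK_FILE中,已确保服务正确启动,防止同时启动多个服务。
ADMIN_EMAIL = michaelkang@ptmind.com
#设置管理员邮件地址
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID = 1d
#有效用户登录失败计数归零的时间
AGE_RESET_ROOT = 1d
#root用户登录失败计数归零的时间
AGE_RESET_RESTRICTED = 5d
#用户的失败登录计数重置为0的时间(/usr/share/denyhosts/data/restricted-usernames)
AGE_RESET_INVALID= 10d
#无效用户登录失败计数归零的时间
DAEMON_LOG = /var/log/denyhosts
#自己的日志文件
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1d
#该项与PURGE_DENY 设置成一样,也是清除hosts.deniedssh 用户的时间
EOF
cd /workspace/ || exit 1
/etc/init.d/denyhosts start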
20.安装DDOS防护防火墙;
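# Step 20: third-party "DDoS deflate"-style installer.
# The original downloaded a script over plain HTTP and ran it as root unread.
# Pin the checksum of the version that was actually reviewed (operator-supplied
# value) so a changed or tampered script is not executed blindly; if the
# checksum no longer matches, fetch, read and re-pin before running.
: "${DDOS_INSTALL_SHA256:?expected sha256 of the reviewed install.sh}"
wget -O install.sh http://www.inetbase.com/scripts/ddos/install.sh || exit 1
printf '%s  install.sh\n' "$DDOS_INSTALL_SHA256" | sha256sum -c - || exit 1
chmod 0700 install.sh
./install.sh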
21.增强系统安全,修改系统,设置通过history查看历史命令只显示10条;
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
22.部署用户行为审计;
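# Step 22: prepare the command-audit log.
# The original used three different paths: it created /etc/share/, prepared
# /usr/share/um.log, and pointed HISTORY_FILE (the path the shell actually
# writes to) at /etc/share/um/um.log — so the prepared file was never used and
# the writes went to a directory that did not exist. One path, the one the
# profile snippet writes to. Permissions as in the original: owned by nobody,
# others write-only (002), append-only (+a) so even root can only append.
audit_log=/etc/share/um/um.log
mkdir -p "${audit_log%/*}"
[ -e "$audit_log" ] || : > "$audit_log"   # create; never truncate an existing audit log
chown nobody:nobody "$audit_log"
chmod 002 "$audit_log"
chattr +a "$audit_log"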
将下面的内容添加到 /etc/profile
export HISTORY_FILE=/etc/share/um/um.log
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") ####
$(id|awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
然后执行:source /etc/profile
23.给 /tmp 和/var/tmp设置了粘滞位;
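# Step 23: sticky bit on the shared temp directories, so users can remove only
# their own files there. The original set it on /var/ instead of /var/tmp,
# which is what the heading asks for.
chmod +t /var/tmp/
chmod +t /tmp/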
18.修改用户ssh登录限制;
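# Step 18 (bis): restrict sshd with TCP wrappers — allow 192.168.16.0/24,
# deny everyone else.
# - Only effective for an sshd linked with libwrap: the CentOS 6 package is; the
#   source build earlier on this page is only if configured --with-tcp-wrappers.
# - The deny line applies to the next connection: make sure the host you
#   administer from is inside the allowed subnet before adding it, or you lock
#   yourself out.
# - Guarded so re-runs do not duplicate the entries.
grep -q '^sshd:192.168.16.0/255.255.255.0$' /etc/hosts.allow || \
  printf 'sshd:192.168.16.0/255.255.255.0\n' >> /etc/hosts.allow
grep -q '^sshd:all$' /etc/hosts.deny || printf 'sshd:all\n' >> /etc/hosts.deny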
24.ssh安全加固;
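# Step 24: sshd hardening in /etc/ssh/sshd_config.
# The original was a row of `sed "s/#Key default/Key value/"` commands. Each
# one silently does nothing when the line is not exactly the commented default
# (already uncommented, different spacing, config replaced by the source
# build's), and nothing checked the result. Two entries were also wrong:
#   - `#ServerKeyBits 768` -> `#ServerKeyBits 1024` replaced a comment with a
#     comment (no effect; the option only concerns protocol 1, disabled here);
#   - `UseLogin yes` is a regression, not hardening: sshd_config(5) notes that
#     with UseLogin enabled privilege separation is disabled after
#     authentication (and X11 forwarding with it). Left at the default `no`.
# Two sed lines duplicated earlier ones (the comment said ssh_config, the
# commands edited sshd_config). Finally, the sshd restart of the OpenSSH step
# ran before these edits, so nothing here took effect until the next restart;
# the config is now validated and reloaded at the end.
# SSHD_CONFIG may be overridden (e.g. to edit a staged copy).
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

#######################################
# Set one sshd_config keyword: rewrite the existing (possibly commented-out)
# line, or append the keyword if absent.
# Globals:   SSHD_CONFIG (read)
# Arguments: $1 - keyword, $2 - value
# Note:      rewrites every top-level line for that keyword; a config with
#            Match blocks needs a finer tool.
#######################################
sshd_set() {
  local key=$1 value=$2
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$SSHD_CONFIG"; then
    sed -i -r "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# Protocol 2 only.
sshd_set Protocol 2
# Authentication attempts allowed per connection (6 is the sshd default).
sshd_set MaxAuthTries 6
# No reverse DNS of clients.
sshd_set UseDNS no
# No root login with a password; root may still log in with a key.
sshd_set PermitRootLogin without-password
# Refuse empty passwords (password auth only; keys are unaffected).
sshd_set PermitEmptyPasswords no
# RSA (protocol 1) and public-key (protocol 2) authentication on.
sshd_set RSAAuthentication yes
sshd_set PubkeyAuthentication yes
# `PasswordAuthentication no` (key-only login) was left disabled in the
# original too; switch it on only once the admin keys of step 26 are in
# place, otherwise the host becomes unreachable.
#sshd_set PasswordAuthentication no

# Validate before reloading: a bad sshd_config would leave sshd unable to
# start on the next restart.
if /usr/sbin/sshd -t -f "$SSHD_CONFIG"; then
  service sshd reload
else
  printf 'sshd_config failed validation; not reloading\n' >&2
fi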
25.修改用户密码使用最长时间90天,修改密码最小长度8位;
/etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_LEN 8
26.导入管理证书
1.安装系统 centos 6.2 64X
2.定制系统分区,
2.系统瘦身,卸载无用系统软件;(此步骤在线系统跳过) "News Server" "DNS Name Server" "Web Server" "Dialup Networking Support" "Mail Server" "Office/Productivity" "Ruby" "Office/Productivity" "Sound and Video" "X Window System" "X Software Development" "Printing Support" "OpenFabrics Enterprise Distribution"
libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel zip unzip ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssh openssl-devel nss_ldap openldap openldap-devel openldap-clients openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl bison libtool vim-enhanced python wget lsof iptraf strace lrzsz kernel-devel kernel-headers pam-devel Tcl/Tk cmake ncurses-devel bison setuptool
5.限制关键命令,研发人员使用root密码或者将某用户提升至root级别,可以使用,现不适用ptmind;
required pam_tally.so onerr=fail deny=3 unlock_time=300 auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
echo "TMOUT=1800" >>/etc/profile
echo "* soft nofile 66666" >> /etc/security/limits.conf
echo "alias net-pf-10 off" >> /etc/modprobe.conf
sed -i 's@LANG=.*$@LANG=\"en_US.UTF-8\"@g' /etc/sysconfig/i18n
sed -i 's/id:.*$/id:3:initdefault:/g' /etc/inittab
12.内核参数调整;
cat >> /etc/sysctl.conf << EOF sysctl -p
13.清理无用服务;
echo $CURSRV
post|sshd | rsyslog | syslog ) 14.添加必要的用户和组
history -c 15.关键文件添加特殊权限;
chattr +i /etc/passwd
chown user:group /data/
tar -xvf openssh-5.8p2.tar.gz #yum install pam-devel ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-
dir=/usr/include/openssl --mandir=/usr/share/man
tar -zxvf DenyHosts-2.6.tar.gz cd denyhost/ yum install python -y python setup.py install
cd /usr/share/denyhosts/ cp denyhosts.cfg-dist denyhosts.cfg
chmod 700 daemon-control
chkconfig denyhosts on mv denyhosts.cfg denyhosts.cfg.bak
SECURE_LOG = /var/log/secure 20.安装DDOS防护防火墙;
wget http://www.inetbase.com/scripts/ddos/install.sh
mkdir -p /etc/share/ cat /dev/null >/usr/share/um.log chown nobody:nobody /usr/share/um.log chmod 002 /usr/share/um.log chattr +a /usr/share/um.log
export HISTORY_FILE=/etc/share/um/um.log export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(id|awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
18.修改用户ssh登录限制;
cat >> /etc/hosts.allow << EOF EOF echo 'sshd:all' >>/etc/hosts.deny
#ssh安全加固,修改/etc/ssh/sshd_config 文件
#PasswordAuthentication no #,禁止明文密码登陆。