Linux服务器基线加固
概念
基线:
即安全基线配置,诸如操作系统、中间件和数据库的一个整体配置,这个版本中各项配置都符合安全方面的标准。 比如在系统安装后需要按安全基线标准,将新机器中各项配置调整到一个安全、高效、合理的数值。
主流服务器
Anolis 8.6
禁止SSH agent转发
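# Disable SSH agent forwarding (AllowAgentForwarding no) and restart sshd.
# The original check grep'ed "AllowAgentForwarding.*no" over the whole file,
# so a commented default such as "#AllowAgentForwarding no" reported
# "check success" without changing the active directive; the patterns here
# are anchored to the start of the line. Assumes the directive is not inside
# a Match block (a Match-scoped value would be rewritten but stay scoped).
#
# set_sshd_option FILE KEY VALUE: print "check success" if the active
# directive already has VALUE, rewrite the active directive if it has another
# value, otherwise append "KEY VALUE". Commented lines are never touched.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  if grep -Eq '^[[:space:]]*'"${key}"'[[:space:]]+'"${value}"'[[:space:]]*$' "$file" 2>/dev/null; then
    printf 'check success\n'
  elif grep -Eq '^[[:space:]]*'"${key}"'([[:space:]]|$)' "$file" 2>/dev/null; then
    sed -ri.bak 's|^[[:space:]]*'"${key}"'([[:space:]].*)?$|'"${key}"'\t'"${value}"'|' "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}
set_sshd_option /etc/ssh/sshd_config AllowAgentForwarding no
# Validate the configuration first: restarting sshd with a bad config leaves
# it down and cuts off remote administration.
sshd -t && systemctl restart sshd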
检查是否存在未授权的SUID或SGID文件
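# Strip SUID/SGID bits from helpers that ordinary users should not need on a
# hardened server. Missing paths are reported and skipped instead of aborting
# the run with a chmod error.
# NOTE: without the setuid bit, non-root users lose `chage -l`, gpasswd/newgrp
# group-password handling, `write`, and user-mountable fstab entries
# (mount/umount). Confirm nothing on the host depends on these first.
# Arguments: paths to process
drop_setid_bits() {
  local f
  for f in "$@"; do
    if [ -e "$f" ]; then
      chmod a-s -- "$f"
    else
      printf 'skip: %s not found\n' "$f" >&2
    fi
  done
}
drop_setid_bits /usr/bin/chage /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/write /bin/mount /bin/umount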
检查口令重复次数限制
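# Password-reuse limit (remember=5) via pam_pwhistory and pam_unix.
# Problems with the original two-pass sed: it commented out the existing
# "password requisite" line (pam_pwquality on this platform), silently
# dropping password-quality enforcement; the unanchored address matched the
# freshly commented line too, so every run appended another copy; and the
# second `-i.bak` overwrote the backup made by the first.
# NOTE(review): on authselect-managed systems (RHEL 8 family) system-auth and
# password-auth are symlinks under /etc/authselect/; `sed -i` without
# --follow-symlinks replaces the symlink with a plain file and a later
# authselect run can discard the edit — confirm how the host is managed.
# Arguments: $1 - PAM stack file (backed up once to FILE.bak)
enforce_pw_history() {
  local file=$1
  [ -f "$file" ] || { printf 'skip: %s not found\n' "$file" >&2; return 1; }
  [ -e "$file.bak" ] || cp -p -- "$file" "$file.bak"
  # Insert pam_pwhistory once, directly before the pam_unix password line.
  if ! grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_pwhistory\.so' "$file"; then
    sed -ri --follow-symlinks \
      '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/i\password\trequisite\tpam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember=5' \
      "$file"
  fi
  # On the active pam_unix line: drop nullok (no empty passwords, as in the
  # original replacement line) and add remember=5 if it is not there yet.
  sed -ri --follow-symlinks \
    '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{s/[[:space:]]+nullok([[:space:]]|$)/\1/;/remember=/!s/$/ remember=5/;}' \
    "$file"
}
enforce_pw_history /etc/pam.d/system-auth
enforce_pw_history /etc/pam.d/password-auth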
sysctl相关文件修改
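# Kernel network hardening via sysctl.
# The block is appended only once (guarded on its first key) so repeated runs
# do not pile up duplicate entries. `net.ipv4.conf.all.accept_redirects` was
# commented out in the original, which left ICMP redirects accepted on
# existing interfaces despite the "禁止ICMP重定向" heading; it is now active.
# `sysctl --system` loads /etc/sysctl.d/*.conf; `sysctl -p` alone reads only
# /etc/sysctl.conf (on the RHEL 8 family 99-sysctl.conf is normally a symlink
# to it, so the original presumably worked by that coincidence — verify).
# NOTE: the forwarding keys break hosts that route for containers or VMs;
# leave them out on such hosts.
conf=/etc/sysctl.d/99-sysctl.conf
if grep -Eq '^[[:space:]]*net\.ipv4\.conf\.all\.accept_source_route' "$conf" 2>/dev/null; then
  printf 'check success: %s already contains the baseline keys\n' "$conf"
else
  cat <<'eof' >>"$conf"
#不接收源路由报文
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
#检查是否配置使能TCP SYN Cookies
net.ipv4.tcp_syncookies = 1
#关闭IP转发功能
net.ipv4.ip_forward=0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0
#忽略广播ICMP 请求
net.ipv4.icmp_echo_ignore_broadcasts = 1
#忽略虚假ICMP 响应
net.ipv4.icmp_ignore_bogus_error_responses = 1
#检查是否禁止ICMP重定向
# ICMP重定向接收参数
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# 安全的ICMP重定向接收参数
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# 报文重定向发送参数
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
eof
fi
sysctl --system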
centos6 or redhat6
centos7 or redhat7
检查是否非活动时断线
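# Idle-session disconnect: ClientAliveInterval 300 / ClientAliveCountMax 0.
# The original patterns "ClientAliveCountMax.*0" and "ClientAliveInterval.*300"
# also matched "ClientAliveCountMax 10" or "ClientAliveInterval 3000" and
# commented lines, so the check could pass without the setting being active.
# NOTE(review): with the OpenSSH 7.x on CentOS/RHEL 7, CountMax 0 is expected
# to drop the session at the first missed probe (300 s idle); on OpenSSH 8.2
# and later a CountMax of 0 reportedly disables termination altogether —
# verify against the installed version before relying on this as a timeout.
#
# set_sshd_option FILE KEY VALUE: print "check success" if the active
# directive already has VALUE, rewrite the active directive if it has another
# value, otherwise append "KEY VALUE". Commented lines are never touched.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  if grep -Eq '^[[:space:]]*'"${key}"'[[:space:]]+'"${value}"'[[:space:]]*$' "$file" 2>/dev/null; then
    printf 'check success\n'
  elif grep -Eq '^[[:space:]]*'"${key}"'([[:space:]]|$)' "$file" 2>/dev/null; then
    sed -ri.bak 's|^[[:space:]]*'"${key}"'([[:space:]].*)?$|'"${key}"'\t'"${value}"'|' "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}
set_sshd_option /etc/ssh/sshd_config ClientAliveCountMax 0
set_sshd_option /etc/ssh/sshd_config ClientAliveInterval 300
# Validate before restarting so a config error cannot leave sshd down.
sshd -t && systemctl restart sshd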
检查是否禁止ctrl+alt+del
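# Disable the Ctrl+Alt+Del reboot.
# Masking the target (a /dev/null symlink under /etc/systemd/system) is the
# supported way: moving the unit out of /usr/lib/systemd/system is undone by
# the next systemd package update and depended on /home/manage existing.
# `ll` is an interactive alias, not a command available to scripts, so the
# verification uses ls -l.
systemctl mask ctrl-alt-del.target
systemctl daemon-reload
ls -l /etc/systemd/system/ctrl-alt-del.target
systemctl is-enabled ctrl-alt-del.target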
检查主机访问控制(IP限制)—-(8版本可用)
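# Host-based access control via tcp_wrappers (hosts.allow / hosts.deny).
# NOTE(review): the RHEL 8 family removed tcp_wrappers and its sshd is not
# linked against libwrap, so on Anolis 8 these files are presumably not
# consulted at all; check with `ldd "$(command -v sshd)" | grep libwrap` and
# enforce source restrictions with firewalld or an sshd `Match Address` block
# instead.
# Syntax fixes: the daemon wildcard is uppercase ALL ("all" is just a daemon
# name); "10.0.0.0." had a stray trailing dot; and a bare address matches a
# single host, so the network is written as address/mask. The 10.0.0.0 and
# 110.0.0.0 values are the page's examples — replace them with the real
# management and blocked ranges.
#
# append_once FILE LINE: append LINE unless the identical line already exists,
# so repeated runs do not duplicate rules.
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >>"$file"
}
touch /etc/hosts.allow /etc/hosts.deny
append_once /etc/hosts.allow 'ALL:10.0.0.0/255.0.0.0:allow'
append_once /etc/hosts.allow 'sshd:10.0.0.0/255.0.0.0:allow'
append_once /etc/hosts.deny 'sshd:110.0.0.0:DENY'
cat /etc/hosts.allow
cat /etc/hosts.deny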
检查登录提示-是否设置ssh警告Banner
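# SSH pre-authentication warning banner.
banner=/etc/sshbanner
# Typos in the original text ("onlu", "monitord") fixed — every remote user
# sees this line before login.
printf '%s\n' " Authorized users only. All activity may be monitored and reported " >"$banner"
# Owned by root (the original used bin:bin) so no unprivileged account can
# rewrite what sshd presents.
chown root:root "$banner"
chmod 644 "$banner"
# set_sshd_option FILE KEY VALUE: print "check success" if the active
# directive already has VALUE, rewrite the active directive if it has another
# value, otherwise append "KEY VALUE" (the original appended a second Banner
# line on every run). Commented lines are never touched.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  if grep -Eq '^[[:space:]]*'"${key}"'[[:space:]]+'"${value}"'[[:space:]]*$' "$file" 2>/dev/null; then
    printf 'check success\n'
  elif grep -Eq '^[[:space:]]*'"${key}"'([[:space:]]|$)' "$file" 2>/dev/null; then
    sed -ri.bak 's|^[[:space:]]*'"${key}"'([[:space:]].*)?$|'"${key}"'\t'"${value}"'|' "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}
set_sshd_option /etc/ssh/sshd_config Banner "$banner"
grep -E '^[[:space:]]*Banner' /etc/ssh/sshd_config
# The banner only takes effect after a restart; validate the config first.
sshd -t && systemctl restart sshd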
检查是否禁止icmp重定向
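# Disable acceptance of ICMP redirects (CentOS/RHEL 7).
# The original appended the key on every run, so /etc/sysctl.conf collected
# duplicates; ensure_sysctl replaces an existing active assignment instead.
# The "default" key is set alongside "all" so newly created interfaces are
# covered too.
#
# ensure_sysctl KEY VALUE FILE: rewrite the active "KEY = ..." line in FILE
# if present, otherwise append "KEY = VALUE". Commented lines are not touched.
ensure_sysctl() {
  local key=$1 value=$2 file=$3 re
  # Escape the dots so the key is matched literally.
  re=$(printf '%s' "$key" | sed 's/\./\\./g')
  if grep -Eq '^[[:space:]]*'"${re}"'[[:space:]]*=' "$file" 2>/dev/null; then
    sed -ri.bak 's|^[[:space:]]*'"${re}"'[[:space:]]*=.*|'"${key}"' = '"${value}"'|' "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}
ensure_sysctl net.ipv4.conf.all.accept_redirects 0 /etc/sysctl.conf
ensure_sysctl net.ipv4.conf.default.accept_redirects 0 /etc/sysctl.conf
grep accept_redirects /etc/sysctl.conf
sysctl -p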
检查口令重复次数限制
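# Password complexity (the heading says reuse limit, but the first rule sets
# complexity) plus remember=5 for CentOS/RHEL 7.
# Instead of commenting out the existing requisite line and appending
# pam_cracklib — non-idempotent, and the second `-i.bak` overwrote the first
# backup — the options are set on whichever quality module the stack already
# uses (pam_pwquality on 7.x, pam_cracklib on older stacks; both accept these
# option names) and remember=5 is added to the existing pam_unix line.
# NOTE: nullok is kept, as in the original; remove it if empty passwords
# must be rejected.
# Arguments: $1 - PAM stack file (backed up once to FILE.bak)
set_pw_policy() {
  local file=$1
  [ -f "$file" ] || { printf 'skip: %s not found\n' "$file" >&2; return 1; }
  [ -e "$file.bak" ] || cp -p -- "$file" "$file.bak"
  sed -ri \
    -e 's/^(password[[:space:]]+requisite[[:space:]]+pam_(pwquality|cracklib)\.so).*/\1 try_first_pass retry=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 minlen=8/' \
    -e '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/$/ remember=5/;}' \
    "$file"
}
set_pw_policy /etc/pam.d/system-auth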
口令锁定策略
sed -i.bak '/^auth.*pam_env.so$/a\auth\trequired\tpam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120' /etc/pam.d/system-auth
检查是否指定用户组成员使用su 命令
sed -i.bak '/auth[[:space:]]*required.*use_uid$/s/#//' /etc/pam.d/su
定时账户自动退出
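# Auto-logout of idle login shells after 180 s (TMOUT in /etc/profile).
# The original printed "check success" and then ran the sed anyway (missing
# else), and its check matched a commented "#export TMOUT=180" line.
# NOTE: a user can still `unset TMOUT` unless it is also declared readonly
# (`readonly TMOUT`; re-sourcing the file then reports an error on
# reassignment), and /etc/profile only covers login shells — use
# /etc/profile.d or /etc/bashrc for interactive non-login shells.
#
# set_tmout FILE SECONDS: print "check success" if the active TMOUT is already
# SECONDS, rewrite an active TMOUT assignment, or append "export TMOUT=SECONDS".
set_tmout() {
  local file=$1 seconds=$2
  if grep -Eq '^[[:space:]]*(export[[:space:]]+)?TMOUT='"${seconds}"'[[:space:]]*$' "$file" 2>/dev/null; then
    printf 'check success\n'
  elif grep -Eq '^[[:space:]]*(export[[:space:]]+)?TMOUT=' "$file" 2>/dev/null; then
    sed -ri.bak 's/^[[:space:]]*(export[[:space:]]+)?TMOUT=.*/export TMOUT='"${seconds}"'/' "$file"
  else
    printf 'export TMOUT=%s\n' "$seconds" >>"$file"
  fi
}
set_tmout /etc/profile 180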
检查vsftp回显信息
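# vsftpd login banner.
# Both branches of the original appended the same line, so the if/else was
# redundant; a missing config file also made grep/sed fail noisily. The
# banner wording ("monitired") is corrected, and vsftpd is restarted only if
# it is running, since the banner is read at service start.
# Arguments: $1 - vsftpd.conf path (backed up once to FILE.bak)
set_vsftpd_banner() {
  local file=$1
  local banner='ftpd_banner="Authorized users only. All activity may be monitored and reported"'
  [ -f "$file" ] || { printf 'skip: %s not found\n' "$file" >&2; return 1; }
  [ -e "$file.bak" ] || cp -p -- "$file" "$file.bak"
  sed -ri '/^[[:space:]]*ftpd_banner=/d' "$file"
  printf '%s\n' "$banner" >>"$file"
}
set_vsftpd_banner /etc/vsftpd/vsftpd.conf && systemctl try-restart vsftpd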
限制超级管理员的用户远程登录
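# Disable direct root login over SSH (PermitRootLogin no).
# The original check "PermitRootLogin.*no" matched a commented default or a
# "... # note" suffix and reported success without changing the active
# directive; patterns here are anchored to the start of the line.
# NOTE: before restarting, make sure a non-root account with sudo/wheel
# access can log in over SSH, otherwise remote administration is cut off.
#
# set_sshd_option FILE KEY VALUE: print "check success" if the active
# directive already has VALUE, rewrite the active directive if it has another
# value, otherwise append "KEY VALUE". Commented lines are never touched.
set_sshd_option() {
  local file=$1 key=$2 value=$3
  if grep -Eq '^[[:space:]]*'"${key}"'[[:space:]]+'"${value}"'[[:space:]]*$' "$file" 2>/dev/null; then
    printf 'check success\n'
  elif grep -Eq '^[[:space:]]*'"${key}"'([[:space:]]|$)' "$file" 2>/dev/null; then
    sed -ri.bak 's|^[[:space:]]*'"${key}"'([[:space:]].*)?$|'"${key}"'\t'"${value}"'|' "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}
set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
# Validate before restarting so a config error cannot leave sshd down.
sshd -t && systemctl restart sshd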
修改默认访问权限
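# Default file-creation mask: ensure at least 027.
# The original rewrote "077" to "027" in login.defs, which LOOSENS the mask
# (077 is stricter than 027), and in /etc/profile replaced only the "002"
# branch, leaving the "022" branch untouched. tighten_umask instead ORs the
# required bits into every active KEYWORD value, so a stricter existing mask
# is kept and every looser one is raised to at least MIN.
#
# tighten_umask FILE KEYWORD MIN: for each line whose first word is KEYWORD
# followed by an octal value, replace the value with (value | MIN). Comments
# and other lines are untouched; whitespace is preserved; FILE.bak is written
# once.
tighten_umask() {
  local file=$1 keyword=$2 min=$3 tmp
  [ -f "$file" ] || { printf 'skip: %s not found\n' "$file" >&2; return 1; }
  [ -e "$file.bak" ] || cp -p -- "$file" "$file.bak"
  tmp=$(mktemp) || return 1
  awk -v kw="$keyword" -v min="$min" '
    function oct2dec(s,    i, v) { v = 0; for (i = 1; i <= length(s); i++) v = v * 8 + substr(s, i, 1); return v }
    function bitor_(a, b,    r, bit) { r = 0; for (bit = 1; bit <= 4096; bit *= 2) if (int(a / bit) % 2 || int(b / bit) % 2) r += bit; return r }
    $1 == kw && $2 ~ /^[0-7]+$/ { sub(/[0-7]+/, sprintf("%03o", bitor_(oct2dec($2), oct2dec(min)))) }
    { print }
  ' "$file" >"$tmp" && cat "$tmp" >"$file"
  rm -f -- "$tmp"
}
tighten_umask /etc/login.defs UMASK 027
tighten_umask /etc/profile umask 027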
检查口令生存周期要求
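# Password ageing policy in /etc/login.defs.
# One backup is kept (four separate `-i.bak` passes left the backup holding
# an already-modified copy) and a key that is absent is appended rather than
# silently skipped. NOTE: login.defs affects accounts created afterwards
# only — apply the same limits to existing users with chage (-M/-m/-W).
# PASS_MIN_LEN is presumably ignored on PAM-based systems, where pam_pwquality
# / pam_cracklib minlen controls length — confirm on the target.
#
# set_login_defs FILE KEY VALUE [KEY VALUE ...]: rewrite each active KEY line
# to "KEY<TAB>VALUE", appending it when missing. Commented lines are not
# touched.
set_login_defs() {
  local file=$1 key value
  shift
  [ -f "$file" ] || { printf 'skip: %s not found\n' "$file" >&2; return 1; }
  [ -e "$file.bak" ] || cp -p -- "$file" "$file.bak"
  while [ $# -ge 2 ]; do
    key=$1 value=$2
    shift 2
    if grep -Eq '^[[:space:]]*'"${key}"'[[:space:]]' "$file"; then
      sed -ri 's/^[[:space:]]*('"${key}"')[[:space:]].*/\1\t'"${value}"'/' "$file"
    else
      printf '%s\t%s\n' "$key" "$value" >>"$file"
    fi
  done
}
set_login_defs /etc/login.defs PASS_MAX_DAYS 90 PASS_MIN_DAYS 6 PASS_MIN_LEN 8 PASS_WARN_AGE 30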
Linux服务器基线加固
http://www.jcwit.com/article/95/