最近花了点时间整理了一系列的服务器系统初始化内容,包括安全加固、行为审计、***防护、系统优化等多个方面,相信linux系统服务器经过下面26项内容的初始化工作,在安全方面会有较大的提升。
1.安装系统 centos 6.2 64X
2.定制系统分区,
2.1 / 分区100G; 2.2.swap 2048M; 2.3./data 分区,使用剩余全部可用空间。 2.4.其它需求根据服务特点进行定制;2.系统瘦身,卸载无用系统软件;(此步骤在线系统跳过)
yum -y groupremove "FTP Server" "Text-based Internet" "Windows File Server" "PostgreSQL Database""News Server" "DNS Name Server" "Web Server" "Dialup Networking Support" "Mail Server"
"Office/Productivity" "Ruby" "Office/Productivity" "Sound and Video" "X Window System" "X Software
Development" "Printing Support" "OpenFabrics Enterprise Distribution"
3.安装必要系统状态查看命令; yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devellibxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel zip unzip
ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl
openssh openssl-devel nss_ldap openldap openldap-devel openldap-clients openldap-servers libxslt-devel
libevent-devel ntp libtool-ltdl bison libtool vim-enhanced python wget lsof iptraf strace lrzsz
kernel-devel kernel-headers pam-devel Tcl/Tk cmake ncurses-devel bison setuptool
4.锁定无用账户; passwd -l xfs passwd -l news passwd -l nscd passwd -l dbus passwd -l vcsa passwd -l games passwd -l nobody passwd -l avahi passwd -l haldaemon passwd -l gopher passwd -l ftp passwd -l mailnull passwd -l pcap passwd -l mail passwd -l shutdown passwd -l halt passwd -l uucp passwd -l operator passwd -l sync passwd -l adm passwd -l lp5.限制关键命令,研发人员使用root密码或者将某用户提升至root级别,可以使用,现不适用ptmind;
#chmod 700 /bin/ping #chmod 700 /usr/bin/finger #chmod 700 /usr/bin/who #chmod 700 /usr/bin/w #chmod 700 /usr/bin/locate #chmod 700 /usr/bin/whereis #chmod 700 /sbin/ifconfig #chmod 700 /usr/bin/pico #chmod 700 /bin/vi #chmod 700 /usr/bin/which #chmod 700 /usr/bin/gcc #chmod 700 /usr/bin/make #chmod 700 /bin/rpm 6.修改密码输入失败3次,锁定5分钟; sed -i 's#auth required pam_env.so#auth required pam_env.so authrequired pam_tally.so onerr=fail deny=3 unlock_time=300 auth required
/lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
7.修改30分钟无活动,自动退出 ;echo "TMOUT=1800" >>/etc/profile
8.修改系统打开最大文件数;
echo "* soft nofile 66666" >> /etc/security/limits.conf
echo "* hard nofile 66666" >> /etc/security/limits.conf 9.关闭 ipv6;echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf /sbin/chkconfig --level 35 ip6tables off 10.更改系统默认字体为UTF8; sed -i /etc/sysconfig/i18n 11.修改启动模式 到3;sed -i 's/id:.*$/id:3:initdefault:/g' /etc/inittab
12.内核参数调整;
cat >> /etc/sysctl.conf << EOF
#michaelkang add 120724 net.ipv4.tcp_abort_on_overflow = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_fin_timeout = 20 net.ipv4.tcp_retries1 = 2 net.ipv4.tcp_retries2 = 5 net.ipv4.tcp_max_orphans = 2000 net.ipv4.tcp_keepalive_time = 1200 net.ipv4.tcp_keepalive_intvl = 15 net.ipv4.tcp_keepalive_probes = 5 net.ipv4.tcp_syn_retries = 2 net.ipv4.tcp_synack_retries = 3 net.ipv4.tcp_max_syn_backlog = 8192 net.ipv4.tcp_max_tw_buckets = 5000 EOFsysctl -p
13.清理无用服务;
#!/bin/sh for i in `ls /etc/rc3.d/S*` do CURSRV=`echo $i|cut -c 15-`echo $CURSRV
case $CURSRV in cpuspeed | crond | irqbalance | microcode_ctl | xinetd| network | mon | partmon | messagebus| udev-post|sshd | rsyslog | syslog )
#这个启动的系统服务根据具体的应用情况设置,其中network、sshd、syslog是三项必须要启动的系统服务! echo "Base services, Skip!" ;; *) echo "change $CURSRV to off" chkconfig --level 235 $CURSRV off service $CURSRV stop ;; esac done14.添加必要的用户和组
mkdir /workspace cp /etc/shadow /workspace/ cp /etc/passwd /workspace/ groupadd public useradd abc -g public echo 'abc:$1$V5X9cldh$skn2.IclKEc.HFVLW/' | chpasswd -e history -c15.关键文件添加特殊权限;
chattr +i /etc/passwd
chattr +i /etc/shadow chattr +i /etc/group chattr +i /etc/gshadow # history security chattr +a /root/.bash_history chattr +i /root/.bash_history 16.修改/data下目录权限chown user:group /data/
17.赋予user高级权限
echo "user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers 18.升级openssh登录程序; cd /workspace wgettar -xvf openssh-5.8p2.tar.gz
cd openssh-5.8p2#yum install pam-devel
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-
dir=/usr/include/openssl --mandir=/usr/share/man
make mkdir -p /etc/sshbak mv /etc/ssh/* /etc/sshbak/ make install chkconfig --add sshd chkconfig sshd on /etc/init.d/sshd restart cd /workspace/ 19.安装denyhost暴力破解软件; wgettar -zxvf DenyHosts-2.6.tar.gz
mv DenyHosts-2.6 denyhostcd denyhost/
yum install python -y
python setup.py install
cd /usr/share/denyhosts/
cp daemon-control-dist daemon-controlcp denyhosts.cfg-dist denyhosts.cfg
chown root daemon-controlchmod 700 daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts chkconfig --add denyhostschkconfig denyhosts on
mv denyhosts.cfg denyhosts.cfg.bak
cat > /usr/share/denyhosts/denyhost.cfg < EOFSECURE_LOG = /var/log/secure
#ssh日志文件 HOSTS_DENY = /etc/hosts.deny #将阻止IP写入到hosts.deny PURGE_DENY = 1d #过多久后清除已经禁止的,其中w代表周,d代表天,h代表小时,s代表秒,m代表分钟 BLOCK_SERVICE = ALL #阻止服务名 DENY_THRESHOLD_INVALID = 5 #允许无效用户(在/etc/passwd未列出)登录失败次数,允许无效用户登录失败的次数. DENY_THRESHOLD_VALID = 5 #允许普通用户登录失败的次数 DENY_THRESHOLD_ROOT = 5 #允许root登录失败的次数 DENY_THRESHOLD_RESTRICTED = 1 #设定 deny host 写入到该资料夹 WORK_DIR = /usr/share/denyhosts/data #将deny的host或ip纪录到Work_dir中 SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES HOSTNAME_LOOKUP=YES #是否做域名反解 LOCK_FILE = /var/lock/subsys/denyhosts #将DenyHOts启动的pid纪录到LOCK_FILE中,已确保服务正确启动,防止同时启动多个服务。 ADMIN_EMAIL = #设置管理员邮件地址 SMTP_HOST = localhost SMTP_PORT = 25 SMTP_FROM = DenyHosts <> SMTP_SUBJECT = DenyHosts Report AGE_RESET_VALID = 1d #有效用户登录失败计数归零的时间 AGE_RESET_ROOT = 1d #root用户登录失败计数归零的时间 AGE_RESET_RESTRICTED = 5d #用户的失败登录计数重置为0的时间(/usr/share/denyhosts/data/restricted-usernames) AGE_RESET_INVALID= 10d #无效用户登录失败计数归零的时间 DAEMON_LOG = /var/log/denyhosts #自己的日志文件 DAEMON_SLEEP = 30s DAEMON_PURGE = 1d #该项与PURGE_DENY 设置成一样,也是清除hosts.deniedssh 用户的时间 EOF cd /workspace/ /etc/init.d/denyhosts start20.安装DDOS防护防火墙;
wget
chmod 0700 install.sh ./install.sh 21.增强系统安全,修改系统,设置通过history查看历史命令只显示10条;; sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile 22.部署用户行为审计;mkdir -p /etc/share/
cat /dev/null >/usr/share/um.log
chown nobody:nobody /usr/share/um.log
chmod 002 /usr/share/um.log
chattr +a /usr/share/um.log
将下面的内容添加到 /etc/profileexport HISTORY_FILE=/etc/share/um/um.log
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") ####
$(id|awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
然后执行:source /etc/profile23.给 /tmp 和/var/tmp设置了粘滞位; chmod +t /var/ chmod +t /tmp/
18.修改用户ssh登录限制;
cat >> /etc/hosts.allow << EOF
sshd:192.168.16.0/255.255.255.0EOF
echo 'sshd:all' >>/etc/hosts.deny
24.ssh安全加固;#ssh安全加固,修改/etc/ssh/sshd_config 文件
#只允许SSH2方式的连 sed -i "s/#Protocol 2,1/Protocol 2/" /etc/ssh/sshd_config #指定每个连接最大允许的认证次数。默认值是 6 sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config #不使用DNS解析 sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config #不允许root用户直接登录,但root用户可以使用证书直接登录 sed -i "s/#PermitRootLogin yes/PermitRootLogin without-password/" /etc/ssh/sshd_config #SERVER_KEY 的长度 sed -i "s/#ServerKeyBits 768/#ServerKeyBits 1024/" /etc/ssh/sshd_config sed -i "s/#UseLogin no/UseLogin yes/" /etc/ssh/sshd_config #PermitEmptyPasswords no #不允许空密码用户login(仅仅是明文密码方式,非证书方式)。 sed -i "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/" /etc/ssh/sshd_config #RSAAuthentication yes # 启用RSA 认证。 sed -i "s/#RSAAuthentication yes/RSAAuthentication yes/" /etc/ssh/sshd_config #PubkeyAuthentication yes # 启用公钥认证。 sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/" /etc/ssh/sshd_config #补充:修改vi /etc/ssh/ssh_config 文件(全局配置文件) #允许RSA私钥方式认证。 sed -i "s/#RSAAuthentication yes/RSAAuthentication yes/" /etc/ssh/sshd_config #禁止使用空密码登录 sed -i "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/" /etc/ssh/sshd_config#PasswordAuthentication no #,禁止明文密码登陆。
#sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config 25.修改用户密码使用最长时间90天,修改密码最小长度8位; /etc/login.defs PASS_MAX_DAYS 90 PASS_MIN_LEN 8 26.导入管理证书