This post was last updated 420 days ago; the information in it may be out of date. If you find errors, please email wuxianglongblog@163.com.
Install the operating system from a kickstart script: minimal install, partitions laid out in advance, and strict mount options on each partition. The kickstart skeleton (only the directive names and the few arguments shown survive):

```
install
auth
cdrom
eula
services
reboot
ignoredisk
keyboard
lang en_US.UTF-8
selinux
network
network
rootpw
timezone Europe/London
bootloader
clearpart
ignoredisk
part pv.18
part pv.11
part /boot
volgroup lg_data
volgroup lg_os
logvol /
logvol /home
logvol /tmp
logvol /var
logvol /var/tmp
logvol /var/www
logvol /var/log
logvol /var/log/audit
logvol swap
%packages
@core
%end
%post
%end
```
If the website is dynamic, the filesystem that holds it cannot be mounted with the noexec option. /tmp and /var/tmp, on the other hand, should be mounted noexec, because attackers commonly upload and run privilege-escalation programs from those two directories.
An example of a secure /etc/fstab:
```
# /etc/fstab
/dev/mapper/lg_os-lv_root / xfs defaults 1 1
UUID=d73c5d22-75ed-416e-aad2-8c1bb1dfc713 /boot ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_home /home xfs defaults 1 2
/dev/mapper/lg_os-lv_tmp /tmp xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var /var xfs defaults,nosuid 1 2
/dev/mapper/lg_os-lv_var_tmp /var/tmp xfs defaults,nosuid,noexec,nodev 1 2
# /var/log and /var/log/audit are separate logical volumes in the kickstart above;
# their LV names are assumed here from the lv_<path> naming pattern of the others
/dev/mapper/lg_os-lv_var_log /var/log xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var_log_audit /var/log/audit xfs defaults,nosuid,noexec,nodev 1 2
# drop noexec here if the site runs server-side code (see above)
/dev/mapper/lg_data-lv_var_www /var/www xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_swap swap swap defaults 0 0
```
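A check for the mount-option policy described above, written as an added example and not part of the original post: the policy table and the sample fstab are constructed (LV names follow the guide's lg_os-lv_* / lg_data-lv_* pattern), and the sample deliberately leaves /home and /var/tmp weaker than the guide's own fstab so the check has something to report.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab against the
# mount-option policy described above. Policy table and sample fstab are
# constructed; LV names follow the guide's lg_os-lv_* / lg_data-lv_* pattern.
# Usage: check_fstab_opts /etc/fstab   (one line per violation, none if clean)

# Required options per mount point. /var/www gets no noexec because a
# dynamic site has to execute code; /home is held to nosuid,nodev.
policy() {
    printf '%s\n' \
        '/boot nosuid,noexec,nodev' \
        '/tmp nosuid,noexec,nodev' \
        '/var nosuid' \
        '/var/tmp nosuid,noexec,nodev' \
        '/var/log nosuid,noexec,nodev' \
        '/var/log/audit nosuid,noexec,nodev' \
        '/var/www nosuid,nodev' \
        '/home nosuid,nodev'
}

# check_fstab_opts FILE: print "MOUNT missing OPT" or "MOUNT not-in-fstab".
check_fstab_opts() {
    file=$1
    policy | while read -r mnt required; do
        # fstab columns: device mountpoint fstype options dump pass
        opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$file")
        if [ -z "$opts" ]; then
            echo "$mnt not-in-fstab"
            continue
        fi
        for opt in $(echo "$required" | tr ',' ' '); do
            case ",$opts," in
                *,"$opt",*) ;;                      # option present
                *) echo "$mnt missing $opt" ;;
            esac
        done
    done
}

# Constructed sample: /home lacks nosuid,nodev and /var/tmp lacks noexec.
sample_fstab() {
    cat <<'EOF'
/dev/mapper/lg_os-lv_root / xfs defaults 1 1
UUID=d73c5d22-75ed-416e-aad2-8c1bb1dfc713 /boot ext4 defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_home /home xfs defaults 1 2
/dev/mapper/lg_os-lv_tmp /tmp xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var /var xfs defaults,nosuid 1 2
/dev/mapper/lg_os-lv_var_tmp /var/tmp xfs defaults,nosuid,nodev 1 2
/dev/mapper/lg_os-lv_var_log /var/log xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var_log_audit /var/log/audit xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_data-lv_var_www /var/www xfs defaults,nosuid,nodev 1 2
EOF
}

# Stand-alone run on the sample: sh check_fstab.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_fstab > "$tmp"
    check_fstab_opts "$tmp"
    rm -f "$tmp"
fi
```

Run against the real /etc/fstab after installation; an empty result means every listed mount carries the options the guide requires.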
NTP is required for some compliance audits; synchronised clocks make audit logs usable.

```sh
yum install ntp ntpdate
chkconfig ntpd on
ntpdate pool.ntp.org
/etc/init.d/ntpd start
```
Pre-linking binaries shortens program load time, but it breaks AIDE, so it has to be disabled before AIDE is configured. Open /etc/sysconfig/prelink and make sure it contains PRELINKING=no, or use the script below:

```sh
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
    sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
    echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
    echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi
```

Then undo the prelink changes already applied to binaries.
Install AIDE, initialise its database and run a first check:

```sh
yum install aide -y && /usr/sbin/aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && /usr/sbin/aide --check
# Periodic AIDE check, every morning at 04:05
echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
```

Disable the usb-storage kernel module:

```sh
echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf
```
The following command switches the password hashing algorithm from MD5 to SHA-512:

```sh
authconfig --passalgo=sha512 --update
```
Edit /etc/security/pwquality.conf:

```
difok = 5
minlen = 14
# Positive credit values are a maximum credit, not a requirement; -1 would
# require at least one character of that class. minclass = 4 below already
# forces all four classes to be present.
dcredit = 1
ucredit = 1
lcredit = 1
ocredit = 1
minclass = 4
maxrepeat = 3
maxclassrepeat = 3
gecoscheck = 1
```

Add the following to /etc/login.defs:

```
PASS_MIN_LEN 14
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60
```

Add to /etc/pam.d/system-auth (pam_lastlog with showfailed reports failed login attempts at login):

```
session required pam_lastlog.so showfailed
```
0x09 Set the maximum number of password attempts per session
Set the number of password re-prompts per session by editing the pam_pwquality.so line in /etc/pam.d/system-auth:

```
password requisite pam_pwquality.so retry=3
```
Edit both PAM configuration files, /etc/pam.d/system-auth and /etc/pam.d/password-auth:

```
# deny=3 failures within fail_interval=900 s lock the account for unlock_time=604800 s (7 days)
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
```
Using the PAM configuration in /etc/pam.d/system-auth, add remember=24 to the line containing pam_unix.so. The server will then keep the previous 24 passwords so they cannot be reused. Why 24? Because that is the US Department of Defense standard.

```
# existing_options stands for whatever options are already on that line
password sufficient pam_unix.so existing_options remember=24
```
Set the permissions of /boot/grub2/grub.cfg to 600:

```sh
chmod 600 /boot/grub2/grub.cfg
```
The Grub2 bootloader needs a superuser with a password. Create the superuser in /etc/grub.d; since a plaintext password is insecure, generate a hashed password with grub2-mkpasswd-pbkdf2 and store that instead.
The grub2 superuser name should avoid common administrator names such as admin, root or administrator. To meet the FISMA Moderate level, the bootloader superuser password must differ from the root password.

```sh
grub2-mkconfig -o /boot/grub2/grub.cfg
```

Do not add the superuser to grub.cfg by hand, because running grub2-mkconfig overwrites that file.
Require the root password in single-user mode. In /etc/sysconfig/init:

```
SINGLE=/sbin/sulogin
```

Edit /etc/init/control-alt-delete.conf and change the existing line:

```
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
```

to:

```
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
```
Screen is a window manager that multiplexes one physical terminal between several processes.
When the system cannot reach a DHCP server it falls back to ZEROCONF to obtain an address, and the interface is given one in the 169.254.0.0 range. This can be disabled:

```sh
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
```

Disable IPv6. In /etc/modprobe.d/disabled.conf:

```
options ipv6 disable=1
```

In /etc/sysconfig/network:

```
NETWORKING_IPV6=no
IPV6INIT=no
```

RPC services such as NFSv4 will try to use IPv6; to prevent this, open /etc/netconfig and comment out the following two lines:

```
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -
```
Allow root to log in only from the local console:

```sh
echo "tty1" > /etc/securetty
```

```sh
chmod 700 /root
# default umask 077 for bash and csh users
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny
```
Edit /etc/sysctl.conf:

```
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
```
TCP wrappers provide a quick and simple way to restrict which hosts may reach the applications that honour them, for example:

```sh
# deny everything, then allow only sshd
echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
```
Deny all inbound traffic by default and allow all outbound traffic.

```
# /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# The anti-spoofing log rules must precede the jump into RH-Firewall-1-INPUT,
# which ends in DROP; appended after the jump they would never be evaluated.
# They only log; accept or drop is decided in RH-Firewall-1-INPUT.
# Adjust the prefixes if eth0 itself sits on a private range.
-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# allow ping
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
```

```sh
sudo systemctl enable iptables
systemctl start iptables.service
```
The following protocols can be disabled:
- Datagram Congestion Control Protocol (DCCP)
- Stream Control Transmission Protocol (SCTP)
- Reliable Datagram Sockets (RDS)
- Transparent Inter-Process Communication (TIPC)

```sh
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
```
Install and enable rsyslog:

```sh
yum -y install rsyslog
systemctl enable rsyslog.service
systemctl start rsyslog.service
```
Enable the auditd audit service:

```sh
systemctl enable auditd.service
systemctl start auditd.service
```
Audit processes which start prior to auditd
Add audit=1 to the kernel line in /etc/grub.conf:

```
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
```

Auditd number of logs retained
Open /etc/audit/auditd.conf and set num_logs to the number of rotated log files to keep.
Auditd maximum log size

```
# /etc/audit/auditd.conf: max_log_file is a size in megabytes, given as a bare number
max_log_file = 30
```

Auditd max_log_file_action

```
# /etc/audit/auditd.conf
max_log_file_action = rotate
```

Auditd space_left
Configure auditd to email you when space gets low; open /etc/audit/auditd.conf and modify the following:

```
# /etc/audit/auditd.conf
space_left_action = email
```

Auditd admin_space_left
Configure auditd to halt when the audit log space is used up, forcing the system administrator to rectify the space issue.
On systems where monitoring is less important another action could be used.

```
admin_space_left_action = halt
```

Auditd mail_acct
When space gets low auditd can send an email notification; configure the recipient with the action_mail_acct setting in /etc/audit/auditd.conf.
Enable the auditd audispd plugin
auditd cannot send logs directly to an external log server; the audispd plugin first hands them to the local syslog daemon, which forwards them. Enable the plugin by editing /etc/audisp/plugins.d/syslog.conf and setting active=yes, then restart auditd:

```sh
sudo service auditd restart
```
Configure the audit rules in /etc/audit/audit.rules:

```
# Time changes
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
-w /etc/localtime -p wa -k audit_time_rules

# Account and group changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

# Network environment changes (the ARCH placeholder expanded to both ABIs)
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_network_modifications
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
-w /etc/issue -p wa -k audit_network_modifications
-w /etc/issue.net -p wa -k audit_network_modifications
-w /etc/hosts -p wa -k audit_network_modifications
-w /etc/sysconfig/network -p wa -k audit_network_modifications

# SELinux policy changes
-w /etc/selinux/ -p wa -k MAC-policy

# Discretionary access control changes by real users
# (auid>=500 is the RHEL 6 threshold; CentOS 7 starts regular users at 1000,
#  so this also covers accounts in the 500-999 range)
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Login and session records
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

# Unsuccessful file access attempts
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

# Mounts and file deletions (the ARCH placeholder expanded to both ABIs)
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

# sudoers and kernel module changes
-w /etc/sudoers -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

# Make the rule set immutable until the next reboot
-e 2
```
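A lint for hand-written rule sets like the one above, written as an added example and not part of the original post. It flags the three defects that silently weaken coverage when rules are copied by hand: a wrapped "-k key" line, an unexpanded ARCH placeholder, and a syscall audited on one ABI only (run against the rule set above it also reports the b64-only time-change and module rules). The sample rules file is constructed; only sh and awk are needed.

```shell
#!/bin/sh
# Added example (not from the original post): lint an audit.rules file for
# defects that quietly weaken coverage. Sample input is constructed.
# Usage: audit_rules_lint /etc/audit/audit.rules   (no output when clean)

audit_rules_lint() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    # auditctl -R reads one rule per line, so a wrapped "-k key" line is an
    # error and the rule before it loads without its key.
    /^[ \t]*-k / { printf "line %d: orphaned continuation: %s\n", NR, $0; next }
    /arch=ARCH/ { printf "line %d: unexpanded ARCH placeholder\n", NR; next }
    /^-a / {
        arch = ""
        for (i = 1; i < NF; i++)
            if ($i == "-F" && $(i+1) ~ /^arch=/) arch = substr($(i+1), 6)
        if (arch == "") next                     # no arch filter: not tracked here
        for (i = 1; i < NF; i++)
            if ($i == "-S") { seen[arch, $(i+1)] = 1; names[$(i+1)] = 1 }
    }
    END {
        # a syscall audited on only one ABI leaves calls via the other ABI unlogged
        for (s in names) {
            if (seen["b64", s] && !seen["b32", s]) printf "%s: b64 only\n", s
            if (seen["b32", s] && !seen["b64", s]) printf "%s: b32 only\n", s
        }
    }' "$1"
}

# Constructed sample: one clean pair, then three defects.
sample_audit_rules() {
    cat <<'EOF'
# constructed sample: one clean pair, then three defects
-w /etc/passwd -p wa -k audit_account_changes
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime
-k audit_time_rules
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-e 2
EOF
}

# Stand-alone run on the sample: sh audit_rules_lint.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_audit_rules > "$tmp"
    audit_rules_lint "$tmp"
    rm -f "$tmp"
fi
```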
Remove unnecessary services

```sh
# Remove
yum remove xinetd
yum remove telnet-server
yum remove rsh-server
yum remove telnet
yum remove rsh
yum remove ypbind
yum remove ypserv
yum remove tftp-server
yum remove cronie-anacron
yum remove bind
yum remove vsftpd
yum remove httpd
yum remove dovecot
yum remove squid
yum remove net-snmp
```
Disable unnecessary services

```sh
systemctl disable xinetd
systemctl disable rexec
systemctl disable rsh
systemctl disable rlogin
systemctl disable ypbind
systemctl disable tftp
systemctl disable certmonger
systemctl disable cgconfig
systemctl disable cgred
systemctl disable cpuspeed
systemctl enable irqbalance
systemctl disable kdump
systemctl disable mdmonitor
systemctl disable messagebus
systemctl disable netconsole
systemctl disable ntpdate
systemctl disable oddjobd
systemctl disable portreserve
systemctl enable psacct
systemctl disable qpidd
systemctl disable quota_nld
systemctl disable rdisc
systemctl disable rhnsd
systemctl disable rhsmcertd
systemctl disable saslauthd
systemctl disable smartd
systemctl disable sysstat
systemctl enable crond
systemctl disable atd
systemctl disable nfslock
systemctl disable named
systemctl disable httpd
systemctl disable dovecot
systemctl disable squid
systemctl disable snmpd
```
Disable the Secure RPC client service
Disable rpcgssd:
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:

```sh
systemctl disable rpcgssd
```

Disable the Secure RPC server service

```sh
systemctl disable rpcsvcgssd
```

Disable the RPC ID mapping service
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:

```sh
systemctl disable rpcidmapd
```

Disable network file systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:

```sh
sudo systemctl disable netfs
```

Disable the Network File System (nfs)
If SSH is not needed, remove it and delete the SSH rule from the iptables firewall:

```
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
```

Tips™ - You probably need to leave SSH alone.

Remove the rsh trust files:

```sh
rm /etc/hosts.equiv
rm ~/.rhosts
```
Disable the Avahi server software

```sh
systemctl disable avahi-daemon
```

Disable the CUPS service
If printing is not needed, disable CUPS to reduce the attack surface.
Disable the DHCP service
Remove the DHCP server package.
If the DHCP client is not needed, remove it as well.
Disable DHCP and use a static IP address.
Example (interface ifcfg file):

```
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
```
Specify an NTP server in /etc/ntp.conf:

```
server ntpserver
```

An NTP server on the internal network is preferable.
Enable Postfix
Remove Sendmail
Make Postfix listen on localhost only
Open /etc/postfix/main.cf and ensure the following inet_interfaces line appears:

```
inet_interfaces = localhost
```

Configure the SMTP banner
The default banner reveals that the SMTP server is Postfix.
Disable the xinetd service

```sh
sudo systemctl disable xinetd
```
System audit log permissions
System audit logs must be no more permissive than 0640:

```sh
# audit_file stands for each log file under the audit log directory
sudo chmod 0640 audit_file
```

System audit logs must be owned by root.
Disable autofs

```sh
chkconfig --level 0123456 autofs off
service autofs stop
```
Disable unneeded filesystem kernel modules:

```sh
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
```
Disable core dumps. In /etc/security/limits.conf:

```
* hard core 0
```

Set fs.suid_dumpable to 0, both at runtime and persistently in /etc/sysctl.conf:

```sh
sysctl -q -n -w fs.suid_dumpable=0

if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
    sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
    echo "" >> /etc/sysctl.conf
    echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
    echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi
```
Enable ExecShield
It defends against stack smashing / buffer overflows.

```sh
sysctl -w kernel.exec-shield=1
```

Add the same setting to /etc/sysctl.conf:

```
kernel.exec-shield = 1
```

This sysctl exists only on CentOS 5/6 kernels; on CentOS 7 it has been removed (the NX/XD protection below and the kernel itself provide the equivalent), so the command reports an unknown key there.
Enable ASLR
Set kernel.randomize_va_space at runtime:

```sh
sysctl -q -n -w kernel.randomize_va_space=2
```

Add the following line to /etc/sysctl.conf:

```
kernel.randomize_va_space = 2
```
Enable XD or NX support on x86 systems
Recent processors in the x86 family support the ability to prevent code execution on a per-memory-page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check the BIOS and ensure XD/NX is enabled; this is not relevant for VMs.
Make sure SELinux is not disabled at boot:

```sh
sed -i "s/selinux=0//gI" /etc/grub.conf
sed -i "s/enforcing=0//gI" /etc/grub.conf
```

Enable SELinux. In /etc/selinux/config:

```
SELINUX=enforcing
SELINUXTYPE=targeted
```

SELINUX=enforcing turns enforcement on; SELINUXTYPE selects the policy (targeted here), depending on the actual situation.
restorecond (a system daemon) uses the settings in /etc/selinux/restorecond.conf to decide how the SELinux type of a newly created file should be restored. Note that if your system has many non-standard SELinux file type settings, this daemon is better left off, otherwise it will change the types you set back to their defaults.
Enable restorecond for all run levels:

```sh
chkconfig --level 0123456 restorecond on
```

Start restorecond:

```sh
service restorecond start
```

Make sure no daemons are running unconfined by SELinux:

```sh
sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
```
0x26 Prevent empty-password logins

```sh
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
```
Allow only SSH protocol 2. In /etc/ssh/sshd_config:

```
Protocol 2
```

Deny SSH login for specific users. In /etc/ssh/sshd_config:

```
DenyUsers USER1 USER2
```

Set the idle logout interval to 600 seconds:

```
ClientAliveInterval 600
```

Set the SSH client alive count
Idle sessions should not be kept alive.
To ensure the SSH idle timeout occurs precisely when the interval elapses, also set ClientAliveCountMax in /etc/ssh/sshd_config (the effective idle time is ClientAliveInterval multiplied by ClientAliveCountMax).
Disable .rhosts support in SSH
The IgnoreRhosts parameter makes sshd ignore the .rhosts records of previously trusted hosts. In /etc/ssh/sshd_config:

```
IgnoreRhosts yes
```

Disable host-based authentication
SSH's cryptographic host-based authentication is more secure than .rhosts authentication, but having hosts trust each other is not recommended even within one organisation. In /etc/ssh/sshd_config:

```
HostbasedAuthentication no
```

Disable SSH root login. In /etc/ssh/sshd_config:

```
PermitRootLogin no
```

Disable SSH login with empty passwords. In /etc/ssh/sshd_config:

```
PermitEmptyPasswords no
```

Enable an SSH warning banner
Enable a warning banner to raise security awareness.
Disable the SSH environment option
When a client logs in over ssh, the server must not read the client-specific environment variable file ~/.ssh/environment.
Use only approved ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:

```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
```

Current OpenSSH releases no longer enable the CBC ciphers or 3des-cbc by default; where the clients support it, keep only the CTR entries.
Remove the X desktop to reduce the attack surface:

```sh
yum groupremove "X Window System"
```

```sh
yum -y install yum-cron
chkconfig yum-cron on
```

Also set yum-cron to "check only"; installing updates automatically is not recommended.