【easyctl】 使用easyctl加固操作系统

背景说明

最近公司有服务器安全审计，针对所管服务器需要做加固处理，由于数量较多，一个个来弄比较麻烦。本着能用工具干活绝不自己动手的原则，开发此功能。

优势：秒级批量加固

使用方式

• 前置条件：安装easyctl

• 版本支持：v0.7.12-alpha以上

• 加固内容参考文末说明文档部分

• 适用平台：

  • CentOS7
  • CentOS6 暂未测试，理论上兼容，欢迎使用测试。

安装easyctl

1. 编译安装最新版

git clone https://github.com/weiliang-ms/easyctl.git
cd easyctl
go build -ldflags "-w -s" -o /usr/local/bin/easyctl

2. 下载编译好的文件

easyctl-v0.7.12-alpha

chmod +x easyctl
mv easyctl /usr/local/bin

开始加固

1.生成配置文件

$ easyctl harden os
INFO[0000] 生成配置文件样例, 请携带 -c 参数重新执行 -> config.yaml

2.调整配置

vi config.yaml，调整以下参数

• server主机信息（用于做安全加固的主机）

server:
  - host: 10.10.10.[1:40] # 地址段
    username: root
    privateKeyPath: "" # ~/.ssh/id_rsa，为空默认走password登录；不为空默认走密钥登录
    password: 123456
    port: 22
excludes:
  - 192.168.235.132 # 用于排除地址区间内的元素

3.执行加固

$ easyctl harden os -c config.yaml --debug

结果输出如下：

$ easyctl harden os -c config.yaml
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 1] 禁ping
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  |        OUTPUT        | EXCEPTION |
|-----------------|--------|-----------|---------|----------------------|-----------|
| 192.168.109.137 | ****** |     0     | success | net.ipv4.icmp_echo_i |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 2] 关闭ICMP_TIMESTAMP应答
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 3] 设置系统空闲等待时间
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 4] 隐藏系统版本信息
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 5] 禁止Control-Alt-Delete 键盘重启系统命令
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 6] ssh用户密码加固
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 7] 删除系统默认用户
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 8] 修改允许密码错误次数
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 9] ssh关闭UseDNS
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 10] ssh关闭AgentForwarding
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 11] 加固系统日志文件
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 12] 删除非root用户定时任务
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 13] 定时清理僵尸进程
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 14] 添加sudo用户: easyctl 密码: YR4H0x*3wVyfyd
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  |        OUTPUT        | EXCEPTION |
|-----------------|--------|-----------|---------|----------------------|-----------|
| 192.168.109.137 | ****** |     0     | success | Changing password fo |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 15] 锁定敏感文件
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [step 16] 调整ssh登录端口为: 22122，禁止root直接登录.
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT  | EXCEPTION |
|-----------------|--------|-----------|---------|---------|-----------|
| 192.168.109.137 | ****** |     0     | success | success |           |
|                 |        |           |         | success |           |
|                 |        |           |         |  succ   |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | [done] 安全加固完毕，目标主机连方式改为：
ssh端口: 22122
ssh用户: easyctl
ssh密码: YR4H0x*3wVyfyd

4.加固后的主机如何登录？

根据上述返回信息，使用以下用户及端口登录

ssh端口: 22122
ssh用户: easyctl
ssh密码: YR4H0x*3wVyfyd

easyctl用户具有sudo权限，建议变更easyctl用户口令

说明文档

加固以下以下事项：

1. 禁Ping

sed -i "/net.ipv4.icmp_echo_ignore_all/d" /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_all=1"  >> /etc/sysctl.conf
sysctl -p

2.关闭ICMP_TIMESTAMP应答

iptables -I INPUT -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP || true
iptables -I INPUT -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP || true

3. 设置系统空闲等待时间

sed -i '/export TMOUT=300/d' /etc/profile
sed -i '/readonly TMOUT/d' /etc/profile
echo "export TMOUT=300" >> /etc/profile
echo "readonly TMOUT" >> /etc/profile

4. 隐藏系统版本信息

mv /etc/issue /etc/issue.bak || true
mv /etc/issue.net /etc/issue.net.bak || true

5.禁止Control-Alt-Delete键盘重启系统命令

rm -rf /usr/lib/systemd/system/ctrl-alt-del.target || true

6ssh用户密码加固

PASS_MAX_DAYS=$(grep -e ^PASS_MAX_DAYS /etc/login.defs |awk '{print $2}')
if [ $PASS_MAX_DAYS -gt 90 ];then
    echo "密码最长保留期限为：$PASS_MAX_DAYS, 更改为90天"
    sed -i "/^PASS_MAX_DAYS/d" /etc/login.defs
    echo "PASS_MAX_DAYS   90" >> /etc/login.defs
fi

PASS_MIN_DAYS=$(grep -e ^PASS_MIN_DAYS /etc/login.defs |awk '{print $2}')
if [ $PASS_MIN_DAYS -ne 0 ];then
    echo "密码最段保留期限为：$PASS_MIN_DAYS, 更改为1天"
    sed -i "/^PASS_MIN_DAYS/d" /etc/login.defs
    echo "PASS_MIN_DAYS   0" >> /etc/login.defs
fi

PASS_MIN_LEN=$(grep -e ^PASS_MIN_LEN /etc/login.defs |awk '{print $2}')
if [ $PASS_MIN_LEN -lt 8 ];then
    echo "密码最少字符为：$PASS_MIN_LEN, 更改为8"
    sed -i "/^PASS_MIN_LEN/d" /etc/login.defs
    echo "PASS_MIN_LEN   8" >> /etc/login.defs
fi

PASS_WARN_AGE=$(grep -e ^PASS_WARN_AGE /etc/login.defs |awk '{print $2}')
if [ $PASS_WARN_AGE -ne 7 ];then
  echo "密码到期前$PASS_MIN_LEN天提醒, 更改为7"
  sed -i "/^PASS_WARN_AGE/d" /etc/login.defs
  echo "PASS_WARN_AGE   7" >> /etc/login.defs
fi

7. 删除系统默认用户

users=(adm lp sync shutdown halt mail news uucp operator games gopher ftp)
for i in ${users[@]};
do
  userdel $i &>/dev/null || true
done

for i in ${users[@]};
do
  userdel $i &>/dev/null || true
done

8. 修改允许密码错误次数

sed -i "/MaxAuthTries/d" /etc/ssh/sshd_config
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
service sshd restart

9. 关闭ssh UseDNS

sed -i "/UseDNS/d" /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
service sshd restart

10. 关闭ssh的AgentForwarding和TcpForwarding

sed -i "/AgentForwarding/d" /etc/ssh/sshd_config
sed -i "/TcpForwarding/d" /etc/ssh/sshd_config
echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
service sshd restart

11. 加固系统日志文件

touch /var/log/secure
chown root:root /var/log/secure
chmod 600 /var/log/secure

12. 删除非root用户定时任务

rm -f /etc/cron.deny

13. 定时清理僵尸进程

crontab -l | grep -v '#' > /tmp/file1
echo "0 3 * * * ps -A -ostat,ppid | grep -e '^[Zz]' | awk '{print $2}' | xargs kill -HUP > /dev/null 2>&1" >> /tmp/file1 && awk ' !x[$0]++{print > "/tmp/file1"}' /tmp/file1
crontab /tmp/file1

14. 创建sudo用户

chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
useradd -m easyctl &>/dev/null || true
echo YR4H0x*3wVyfyd | passwd --stdin easyctl || true
sed -i '/easyctl/d' /etc/sudoers
echo "easyctl        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers

15. 锁定敏感文件并降权

chown root:root /etc/{passwd,shadow,group}
chmod 644 /etc/{passwd,group}
chmod 400 /etc/shadow
chattr +i /etc/services || true
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab

16. 修改ssh port& 禁止root登录

sed -i "/PermitRootLogin/d" /etc/ssh/sshd_config
sed -i "/Port 22/d" /etc/ssh/sshd_config
echo "Port 22122" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config

setenforce 0
firewall-cmd --zone=public --add-port=22122/tcp --permanent || true
firewall-cmd --zone=public --add-port=22122/tcp --permanent || true
firewall-cmd --reload || true

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22122 -j ACCEPT || true
/etc/rc.d/init.d/iptables save || ture
service iptables restart || ture

service sshd restart