
[easyctl] Hardening the operating system with easyctl

Author: 微凉哇 | Published 2021-10-11 17:18

    Background

    The company recently ran a security audit of its servers, and every server I manage had to be hardened. There are a lot of them, and doing them one at a time is tedious, so, on the principle of never doing by hand what a tool can do, I built this feature into easyctl.

    Advantage: batch hardening of many hosts in seconds

    Usage

    • Prerequisite: easyctl installed

    • Version: v0.7.12-alpha or later

    • What gets hardened: see the Documentation section at the end

    • Supported platforms:

      • CentOS 7
      • CentOS 6: not yet tested; should be compatible in theory, test reports welcome.

    Installing easyctl

    1. Build the latest version from source
    git clone https://github.com/weiliang-ms/easyctl.git
    cd easyctl
    go build -ldflags "-w -s" -o /usr/local/bin/easyctl
    
    2. Or download a prebuilt binary

    easyctl-v0.7.12-alpha

    chmod +x easyctl
    mv easyctl /usr/local/bin
    

    Hardening

    1. Generate the configuration file

    $ easyctl harden os
    INFO[0000] 生成配置文件样例, 请携带 -c 参数重新执行 -> config.yaml
    

    2. Adjust the configuration

    Open config.yaml (vi config.yaml) and adjust the following:

    • server: the hosts to harden
    server:
      - host: 10.10.10.[1:40] # address range
        username: root
        privateKeyPath: "" # e.g. ~/.ssh/id_rsa; empty means password login, non-empty means key-based login
        password: 123456
        port: 22
    excludes:
      - 192.168.235.132 # addresses to skip within the range
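To preview exactly which machines a run will touch, here is an added example (not easyctl's own code) that expands the `host: 10.10.10.[1:40]` range syntax from config.yaml above and applies the excludes list. It assumes the range is inclusive on the last octet; the exclude address in the demo call at the bottom is constructed.

```shell
#!/bin/sh
# expand_hosts SPEC [EXCLUDE ...]: print one address per line for a server entry
# such as "10.10.10.[1:40]" (inclusive range on the last octet, as in config.yaml),
# dropping every address passed as an exclude. A plain host is printed as-is.

excluded() {                       # excluded ADDR [EXCLUDE ...] -> 0 if ADDR is listed
  a=$1; shift
  for e in "$@"; do
    [ "$a" = "$e" ] && return 0
  done
  return 1
}

expand_hosts() {
  spec=$1; shift
  case $spec in
    *\[*:*\])                      # prefix + [lo:hi]
      prefix=${spec%%\[*}          # "10.10.10."
      range=${spec##*\[}           # "1:40]"
      range=${range%\]}            # "1:40"
      lo=${range%%:*}; hi=${range##*:}
      ;;
    *)                             # single host, no range
      excluded "$spec" "$@" || echo "$spec"
      return 0
      ;;
  esac
  # both bounds must be plain decimal numbers with lo <= hi
  case "$lo:$hi" in
    *[!0-9:]*|:*|*:) echo "bad range in $spec" >&2; return 1 ;;
  esac
  if [ "$lo" -gt "$hi" ]; then echo "bad range in $spec" >&2; return 1; fi
  i=$lo
  while [ "$i" -le "$hi" ]; do
    excluded "$prefix$i" "$@" || echo "$prefix$i"
    i=$((i + 1))
  done
  return 0
}

# Preview: the sample range above minus a constructed exclude inside it.
expand_hosts '10.10.10.[1:40]' 10.10.10.7
```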
    

    3. Run the hardening

    $ easyctl harden os -c config.yaml --debug
    

    The output looks like this:

    $ easyctl harden os -c config.yaml
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 1] 禁ping
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  |        OUTPUT        | EXCEPTION |
    |-----------------|--------|-----------|---------|----------------------|-----------|
    | 192.168.109.137 | ****** |     0     | success | net.ipv4.icmp_echo_i |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 2] 关闭ICMP_TIMESTAMP应答
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 3] 设置系统空闲等待时间
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 4] 隐藏系统版本信息
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 5] 禁止Control-Alt-Delete 键盘重启系统命令
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 6] ssh用户密码加固
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 7] 删除系统默认用户
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 8] 修改允许密码错误次数
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 9] ssh关闭UseDNS
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 10] ssh关闭AgentForwarding
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 11] 加固系统日志文件
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 12] 删除非root用户定时任务
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 13] 定时清理僵尸进程
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 14] 添加sudo用户: easyctl 密码: YR4H0x*3wVyfyd
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  |        OUTPUT        | EXCEPTION |
    |-----------------|--------|-----------|---------|----------------------|-----------|
    | 192.168.109.137 | ****** |     0     | success | Changing password fo |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 15] 锁定敏感文件
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
    |-----------------|--------|-----------|---------|--------|-----------|
    | 192.168.109.137 | ****** |     0     | success |        |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [step 16] 调整ssh登录端口为: 22122,禁止root直接登录.
    [easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 解析server列表完毕!
    [easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 开始并行执行命令...
    [easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
    [easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | <- 192.168.109.137执行命令成功...
    |   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT  | EXCEPTION |
    |-----------------|--------|-----------|---------|---------|-----------|
    | 192.168.109.137 | ****** |     0     | success | success |           |
    |                 |        |           |         | success |           |
    |                 |        |           |         |  succ   |           |
    [easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | [done] 安全加固完毕,目标主机连方式改为:
    ssh端口: 22122
    ssh用户: easyctl
    ssh密码: YR4H0x*3wVyfyd
    

    4. How do I log in after hardening?

    Use the user and port reported in the output above:

    ssh端口: 22122
    ssh用户: easyctl
    ssh密码: YR4H0x*3wVyfyd
    

    The easyctl user has passwordless sudo (NOPASSWD: ALL, see step 14 below), and its password is fixed in the tool and printed in this article, so change it immediately after the run.

    Documentation

    The following items are hardened:

    1. Disable ping
    sed -i "/net.ipv4.icmp_echo_ignore_all/d" /etc/sysctl.conf
    echo "net.ipv4.icmp_echo_ignore_all=1"  >> /etc/sysctl.conf
    sysctl -p
    

    2. Drop ICMP timestamp requests and replies

    # runtime rules only: they are lost on reboot unless the iptables rule set is saved
    iptables -I INPUT -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP || true
    iptables -I INPUT -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP || true
    
    3. Set the shell idle timeout
    sed -i '/export TMOUT=300/d' /etc/profile
    sed -i '/readonly TMOUT/d' /etc/profile
    echo "export TMOUT=300" >> /etc/profile
    echo "readonly TMOUT" >> /etc/profile
    
    4. Hide the OS version banners
    mv /etc/issue /etc/issue.bak || true
    mv /etc/issue.net /etc/issue.net.bak || true
    

    5. Disable Control-Alt-Delete reboot

    # deletes the unit; on systemd hosts "systemctl mask ctrl-alt-del.target" achieves the same without touching package files
    rm -rf /usr/lib/systemd/system/ctrl-alt-del.target || true
    

    6. SSH user password policy

    # Each block reads the current /etc/login.defs value, drops the old line and appends the hardened one.
    PASS_MAX_DAYS=$(grep -e ^PASS_MAX_DAYS /etc/login.defs |awk '{print $2}')
    if [ "$PASS_MAX_DAYS" -gt 90 ];then
        echo "密码最长保留期限为:$PASS_MAX_DAYS, 更改为90天"
        sed -i "/^PASS_MAX_DAYS/d" /etc/login.defs
        echo "PASS_MAX_DAYS   90" >> /etc/login.defs
    fi
    
    # Forces PASS_MIN_DAYS to 0, which lets a user change a password and immediately change it back;
    # baselines that require a minimum password age expect 1 here.
    PASS_MIN_DAYS=$(grep -e ^PASS_MIN_DAYS /etc/login.defs |awk '{print $2}')
    if [ "$PASS_MIN_DAYS" -ne 0 ];then
        echo "密码最短保留期限为:$PASS_MIN_DAYS, 更改为0天"
        sed -i "/^PASS_MIN_DAYS/d" /etc/login.defs
        echo "PASS_MIN_DAYS   0" >> /etc/login.defs
    fi
    
    # On PAM-based systems such as CentOS 7, PASS_MIN_LEN in login.defs is ignored;
    # the effective minimum length is pam_pwquality's minlen.
    PASS_MIN_LEN=$(grep -e ^PASS_MIN_LEN /etc/login.defs |awk '{print $2}')
    if [ "$PASS_MIN_LEN" -lt 8 ];then
        echo "密码最少字符为:$PASS_MIN_LEN, 更改为8"
        sed -i "/^PASS_MIN_LEN/d" /etc/login.defs
        echo "PASS_MIN_LEN   8" >> /etc/login.defs
    fi
    
    PASS_WARN_AGE=$(grep -e ^PASS_WARN_AGE /etc/login.defs |awk '{print $2}')
    if [ "$PASS_WARN_AGE" -ne 7 ];then
      echo "密码到期前$PASS_WARN_AGE天提醒, 更改为7"
      sed -i "/^PASS_WARN_AGE/d" /etc/login.defs
      echo "PASS_WARN_AGE   7" >> /etc/login.defs
    fi
    
    7. Delete default system users
    # Accounts with no role on an application server; check that no service on the host still
    # runs under one of them first. userdel fails harmlessly for accounts that do not exist.
    users=(adm lp sync shutdown halt mail news uucp operator games gopher ftp)
    for i in ${users[@]};
    do
      userdel $i &>/dev/null || true
    done
    
    8. Limit failed password attempts (MaxAuthTries)
    sed -i "/MaxAuthTries/d" /etc/ssh/sshd_config
    echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
    service sshd restart
    
    9. Disable UseDNS in sshd
    sed -i "/UseDNS/d" /etc/ssh/sshd_config
    echo "UseDNS no" >> /etc/ssh/sshd_config
    service sshd restart
    
    10. Disable ssh AgentForwarding and TcpForwarding
    sed -i "/AgentForwarding/d" /etc/ssh/sshd_config
    sed -i "/TcpForwarding/d" /etc/ssh/sshd_config
    echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
    echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
    service sshd restart
    
    11. Harden the system log file
    touch /var/log/secure
    chown root:root /var/log/secure
    chmod 600 /var/log/secure
    
    12. Delete non-root users' scheduled tasks
    # With /etc/cron.deny gone and no /etc/cron.allow present, cronie on CentOS typically lets only
    # root use crontab; crontabs that non-root users already created stay in /var/spool/cron.
    rm -f /etc/cron.deny
    
    13. Periodically clean up zombie processes
    # Daily at 03:00, SIGHUP the parents of zombie processes. \$2 keeps awk's field reference from being
    # replaced by the shell's (empty) positional parameter; the dedup writes to a second file instead of back to its input.
    crontab -l 2>/dev/null | grep -v '#' > /tmp/file1 || true
    echo "0 3 * * * ps -A -ostat,ppid | grep -e '^[Zz]' | awk '{print \$2}' | xargs kill -HUP > /dev/null 2>&1" >> /tmp/file1
    awk '!x[$0]++' /tmp/file1 > /tmp/file2 && crontab /tmp/file2
    
    14. Create a sudo user
    # The sudoers line is appended without visudo, so a typo here breaks sudo for everyone;
    # the fixed password is the one printed above and must be changed after the run.
    chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
    useradd -m easyctl &>/dev/null || true
    echo 'YR4H0x*3wVyfyd' | passwd --stdin easyctl || true
    sed -i '/easyctl/d' /etc/sudoers
    echo "easyctl        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
    
    15. Lock sensitive files and tighten permissions
    chown root:root /etc/{passwd,shadow,group}
    chmod 644 /etc/{passwd,group}
    chmod 400 /etc/shadow
    chattr +i /etc/services || true
    # the immutable flag also blocks useradd, usermod and passwd until it is cleared again with chattr -i
    chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
    
    16. Change the ssh port and forbid root login
    sed -i "/PermitRootLogin/d" /etc/ssh/sshd_config
    sed -i "/Port 22/d" /etc/ssh/sshd_config
    echo "Port 22122" >> /etc/ssh/sshd_config
    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
    
    # setenforce 0 puts the whole system into SELinux permissive mode (until reboot) only so that sshd may bind 22122.
    # After a reboot SELinux is enforcing again and sshd cannot bind the unlabelled port, locking you out;
    # the targeted fix is to label the port instead: semanage port -a -t ssh_port_t -p tcp 22122
    setenforce 0
    firewall-cmd --zone=public --add-port=22122/tcp --permanent || true
    firewall-cmd --reload || true
    
    # CentOS 6 path (iptables service)
    iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22122 -j ACCEPT || true
    /etc/rc.d/init.d/iptables save || true
    service iptables restart || true
    
    service sshd restart
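The sixteen steps above rewrite files with sed and echo and never check the outcome, so here is an added example (not part of easyctl) of a read-only audit that verifies the sshd_config, login.defs, sysctl.conf and /etc/profile settings those steps are meant to leave in place. The file paths and expected values are the ones in the steps above; paths are parameters so the checks can be tried on copies before running them on a hardened host.

```shell
#!/bin/sh
# audit_hardening [SSHD_CONFIG] [LOGIN_DEFS] [SYSCTL_CONF] [PROFILE]
# Prints one FAIL line per expectation that does not hold, then a summary, and
# returns the number of findings (0 = every hardened setting is in effect).
# Paths default to the real files; pass copies to test the checks first.

# First uncommented sshd_config value for a keyword (case-insensitive). sshd uses the
# first match, so an earlier stray line overrides whatever the hardening step appended.
sshd_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Last uncommented "KEY VALUE" / "key=value" assignment, for login.defs and
# sysctl.conf (in both files a later assignment overrides an earlier one).
last_value() {
  awk -v k="$2" -F '[ \t=]+' '{ sub(/^[ \t]+/, "") } $1 == k { v = $2 } END { print v }' "$1"
}

fail() { echo "FAIL: $1"; n=$((n + 1)); }

audit_hardening() {
  sshd=${1:-/etc/ssh/sshd_config}; defs=${2:-/etc/login.defs}
  sysctl=${3:-/etc/sysctl.conf};   profile=${4:-/etc/profile}
  n=0
  # steps 8, 9, 10 and 16
  for kv in Port=22122 PermitRootLogin=no MaxAuthTries=3 UseDNS=no \
            AllowAgentForwarding=no AllowTcpForwarding=no; do
    key=${kv%%=*}; want=${kv#*=}; got=$(sshd_value "$sshd" "$key")
    [ "$got" = "$want" ] || fail "sshd_config: $key is '${got:-unset}', want '$want'"
  done
  # step 6: the script only tightens values, so anything at least as strict passes
  v=$(last_value "$defs" PASS_MAX_DAYS)
  [ -n "$v" ] && [ "$v" -le 90 ] || fail "login.defs: PASS_MAX_DAYS is '${v:-unset}', want <= 90"
  v=$(last_value "$defs" PASS_MIN_LEN)
  [ -n "$v" ] && [ "$v" -ge 8 ] || fail "login.defs: PASS_MIN_LEN is '${v:-unset}', want >= 8"
  v=$(last_value "$defs" PASS_WARN_AGE)
  [ "$v" = 7 ] || fail "login.defs: PASS_WARN_AGE is '${v:-unset}', want 7"
  # step 1
  v=$(last_value "$sysctl" net.ipv4.icmp_echo_ignore_all)
  [ "$v" = 1 ] || fail "sysctl.conf: net.ipv4.icmp_echo_ignore_all is '${v:-unset}', want 1"
  # step 3
  grep -qx 'export TMOUT=300' "$profile" && grep -qx 'readonly TMOUT' "$profile" \
    || fail "profile: TMOUT=300 is not set read-only"
  echo "$n finding(s)"
  return "$n"
}
```

Run it as root with no arguments on a hardened host; a non-zero exit code makes it usable as a cron or CI check that the hardening has not drifted.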
    


Article link: https://www.haomeiwen.com/subject/daaloltx.html