
Linux Security

Author: Liang_JC | Published 2020-03-20 12:06

    Lab environment:

    • server: 192.168.139.100   client: 192.168.139.101

    Build a private CA and issue certificates to users

    1. Set up the CA (server)
    [root@CA CA]# cd /etc/pki/CA/
    [root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)    # CA private key (umask 077 keeps it readable by root only)
    [root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650  # self-signed CA certificate, valid 10 years
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GD
    Locality Name (eg, city) [Default City]:GZ
    Organization Name (eg, company) [Default Company Ltd]:magedu
    Organizational Unit Name (eg, section) []:IT      
    Common Name (eg, your name or your server's hostname) []:ca.magedu.com
    Email Address []:
    [root@CA CA]# touch index.txt       # database of issued certificates
    [root@CA CA]# echo 01 > serial      # serial number for the next certificate
    
    2. Request a certificate (client)
    [root@client CA]# cd /etc/pki/CA/
    [root@client CA]# (umask 066;openssl genrsa -out app.key 1024)          # private key (1024-bit RSA is below the current 2048-bit minimum)
    [root@client CA]# openssl req -new -key app.key -out app.csr            # generate the certificate signing request from the private key
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GD
    Locality Name (eg, city) [Default City]:GZ
    Organization Name (eg, company) [Default Company Ltd]:magedu
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:ca.magedu.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:centos    
    An optional company name []:
    [root@client CA]# scp app.csr 192.168.139.100:/data
    
    3. Issue the certificate (server)
    [root@CA CA]# openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar  9 13:39:34 2020 GMT
                Not After : Mar  9 13:39:34 2021 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = GD
                organizationName          = magedu
                organizationalUnitName    = IT
                commonName                = ca.magedu.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    7C:29:7D:9C:D1:0C:2B:D6:BF:47:7B:00:55:49:9C:F6:B3:B5:D5:54
                X509v3 Authority Key Identifier: 
                    keyid:C9:BE:A0:61:55:C8:49:0B:D3:AC:95:4F:6B:5F:76:92:6B:D9:88:78
    
    Certificate is to be certified until Mar  9 13:39:34 2021 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@CA CA]# tree
    .
    ├── cacert.pem                  # CA certificate
    ├── certs
    │   └── app.crt                 # the certificate issued for the request
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── 01.pem                  # the CA's own copy of the issued certificate, named by serial number
    ├── private
    │   └── cakey.pem
    ├── serial
    └── serial.old
    
    4 directories, 9 files
    [root@CA CA]# openssl x509 -in cacert.pem -noout -text      # inspect the CA certificate
    

    Revoking a certificate

    # server
    openssl ca -revoke newcerts/01.pem      # revoke the certificate (marks it R in index.txt)
    echo 01 > crlnumber                     # number for the next CRL
    openssl ca -gencrl -out crl.pem         # generate the certificate revocation list (CRL)
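
    As an added example (not code from the original article), the same CA workflow run non-interactively in a throwaway directory, followed by the two checks the notes above leave out: verifying the issued certificate against the CA, and verifying again with CRL checking after revocation. It assumes the openssl CLI is installed; the function name ca_demo and the names ca.example.test and app.example.test are made up for the demo.

```shell
#!/bin/bash
# Added example, not code from the original article: the CA workflow run in a
# throwaway directory, then verify the issued cert, revoke it, and verify again
# with CRL checking. Assumes the openssl CLI; all names are made up for the demo.
ca_demo() {
    command -v openssl >/dev/null || { echo "skipped: openssl not installed"; return 0; }
    local dir cfg before after
    dir=$(mktemp -d) && cfg="$dir/openssl.cnf"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private" "$dir/crl"
    touch "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
    cat > "$cfg" <<EOF  # minimal config mirroring the /etc/pki/CA layout
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # step 1: CA key and self-signed CA certificate
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cfg" -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 3650 -subj "/CN=ca.example.test"
    # steps 2-3: requester key and CSR, then the CA signs it
    openssl genrsa -out "$dir/app.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$dir/app.key" -out "$dir/app.csr" -subj "/CN=app.example.test"
    openssl ca -batch -notext -config "$cfg" -in "$dir/app.csr" -out "$dir/certs/app.crt" >/dev/null 2>&1
    before=$(openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/app.crt" 2>&1 | grep -q ': OK$' && echo OK || echo FAIL)
    # revoke, publish the CRL, and verify again with CRL checking switched on
    openssl ca -batch -config "$cfg" -revoke "$dir/certs/app.crt" >/dev/null 2>&1
    openssl ca -batch -config "$cfg" -gencrl -out "$dir/crl/crl.pem" 2>/dev/null
    after=$(openssl verify -crl_check -CAfile "$dir/cacert.pem" -CRLfile "$dir/crl/crl.pem" "$dir/certs/app.crt" 2>&1 | grep -q 'certificate revoked' && echo REVOKED || echo NOT_REVOKED)
    rm -rf "$dir"
    echo "before=$before after=$after"
}
ca_demo
```

    Without -crl_check a revoked certificate still verifies as OK, which is why the CRL has to be distributed to every verifier, not just generated on the CA.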
    

    Key-based SSH authentication

    # on the client
    [root@client ~]# ssh-keygen                     # generate the key pair
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:CYVWLR30rWBxUtMmvKPpisRkPjwcQMXs0E1ZfsvsTrI root@client
    The key's randomart image is:
    +---[RSA 2048]----+
    |    .=.=+**++.   |
    |   .. *.+.o=ooo  |
    |    .+.  .+ o+.  |
    |     ... o =oo   |
    |      + S  o=.   |
    |     B .  o.     |
    |      O  .. o    |
    |     . +  .=     |
    |      . ..E .    |
    +----[SHA256]-----+
    [root@client ~]# ssh-copy-id root@192.168.139.100       # append the public key to the server's authorized_keys
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@192.168.139.100's password: 
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@192.168.139.100'"
    and check to make sure that only the key(s) you wanted were added.
    [root@client ~]# ssh root@192.168.139.100
    Enter passphrase for key '/root/.ssh/id_rsa': 
    Last failed login: Mon Mar  9 22:33:37 CST 2020 from 192.168.139.107 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Mon Mar  9 21:14:46 2020 from 192.168.139.1
    [root@CA ~]# 
    
    

    Script for key-based SSH authentication

    #!/bin/bash
    # Pushes this host's public key to every host listed in hosts.txt (one IP per line),
    # answering the host-key prompt and the password prompt with expect.
    PASS=centos                      # root password of the target hosts (stored in clear text here)
    if [ ! -f /root/.ssh/id_rsa ];then
        ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa &> /dev/null && echo "ssh-key is created"
    fi
    rpm -q expect &> /dev/null || yum install -y expect &> /dev/null
    while read IP;do
    expect <<EOF
    set timeout 10
    spawn ssh-copy-id -f -i /root/.ssh/id_rsa.pub root@$IP
    expect {
        "yes/no" { send "yes\n";exp_continue}
        "password" { send "$PASS\n" }
    }
    expect eof                       # wait for ssh-copy-id to finish before moving to the next host
    EOF
    echo "$IP is ready"
    done < hosts.txt
    

    rsync synchronisation

    # The first run is a full copy; later runs transfer only changed files. Note the trailing "/" on the source:
    # with it the contents of the directory are copied; without it the directory itself is copied into the destination
    [root@SRV-1 ~]# rsync -av /etc/ 192.168.139.101:/root/etc_srv-1
    # test
    [root@SRV-1 ~]# touch /etc/passwd                   # change the timestamp of passwd
    [root@SRV-1 ~]# rsync -av /etc/ 192.168.139.101:/root/etc_srv-1
    sending incremental file list
    passwd
    
    sent 84,978 bytes  received 829 bytes  19,068.22 bytes/sec
    total size is 31,884,689  speedup is 371.59
    

    Lightweight management with pssh

    # prompts for the password (-A)
    [root@Client ~]# pssh -H "root@192.168.139.100" -A hostname
    Warning: do not enter your password if anyone else has superuser
    privileges or access to your account.
    Password: 
    [1] 15:53:43 [SUCCESS] root@192.168.139.100
    
    # key-based authentication
    [root@Client ~]# ssh-keygen 
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:WgjO36Y/U6o2LgDyVWdrW8vTupK0gFkPUzTMxz6v+ww root@Client
    The key's randomart image is:
    +---[RSA 2048]----+
    |       +o.       |
    |      . *.o      |
    |    .. + +       |
    |o  o..+.o +      |
    |.o .o+.=S+ =     |
    |  o o..++ = o    |
    |   .  ooo=E+     |
    |    . ooB oo     |
    |     +++.+o+o    |
    +----[SHA256]-----+
    [root@Client ~]# ssh-copy-id root@192.168.139.100
    [root@Client ~]# pssh -h "/data/script/hosts.txt" -i hostname       # hosts.txt lists the target IPs, one per line
    
    # change the SELinux policy on all hosts at once
    [root@Client ~]# pssh -h "/data/script/hosts.txt" -i "sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/sysconfig/selinux"
    # redirect the output to a directory, one file per host
    [root@Client ~]# pssh -h "/data/script/hosts.txt" -i -o /data/ hostname
    # pscp copies local files to the remote hosts
    [root@Client ~]# pscp.pssh -h host.txt /data/script/ssh-key.sh /data/
    [root@Client ~]# pscp.pssh -h host.txt -r /data/script/ /data/
    # pslurp copies files from the remote hosts to this machine
    pslurp -h host.txt -L /data /etc/passwd user    # copies each remote host's /etc/passwd into a per-host directory under /data, renamed to user
    

    SSH port forwarding

    Environment: 3 hosts
    A: client         192.168.139.101
    B: server         192.168.139.100
    C: telnet-server  192.168.139.108
    
    1. Local forwarding
      # A and C cannot reach each other directly, but A<->B and B<->C can; goal: A can telnet to C
        # host C
        # centos6
        yum install telnet-server telnet -y
        vim /etc/xinetd.d/telnet
            disable = no
        service xinetd start
        iptables -A INPUT -s 192.168.139.101 -j REJECT      # reject direct connections from A
        
        # host A
        # before the tunnel is up
        [root@Client ~]# telnet 192.168.139.108
        Trying 192.168.139.108...
        telnet: connect to address 192.168.139.108: Connection refused
        # open the tunnel with B as the jump host: local port 9527 -> B -> 192.168.139.108:23 (-f background, -N no remote command)
        [root@Client ~]# ssh -L 9527:192.168.139.108:23 192.168.139.100 -fN
        [root@Client ~]# ss -nt
        State       Recv-Q Send-Q                  Local Address:Port                                 Peer Address:Port              
        ESTAB       0      52                    192.168.139.101:22                                  192.168.139.1:52206              
        ESTAB       0      0                     192.168.139.101:36542                             192.168.139.100:22
        [root@Client ~]# telnet 127.0.0.1 9527
        Trying 127.0.0.1...
        Connected to 127.0.0.1.
        Escape character is '^]'.
        CentOS release 6.10 (Final)
        Kernel 2.6.32-754.el6.x86_64 on an x86_64
        centos6.localdomain login: liangjc
        Password: 
        Last login: Wed Mar 11 17:17:24 from 192.168.139.107
        [liangjc@centos6 ~]$ 
        
    2. Remote forwarding
      # A and C cannot reach each other directly, but A<->B and B<->C can; goal: C can telnet to A
        
        # host A
        yum install telnet-server telnet -y
        systemctl start telnet.socket
        iptables -A INPUT -s 192.168.139.108 -j REJECT      # reject direct connections from C
        
        # host B: ask C's sshd to listen on C's port 9527 and forward it back through B to A's port 23
        [root@SRV-1 ~]# ssh -R 9527:192.168.139.101:23 192.168.139.108 -fN
        [root@SRV-1 ~]# ss -nt
        State       Recv-Q Send-Q                  Local Address:Port                                 Peer Address:Port              
        ESTAB       0      0                     192.168.139.100:22                                  192.168.139.1:52187              
        ESTAB       0      0                     192.168.139.100:34156                             192.168.139.108:22 
        
        # host C
        iptables -D INPUT -s 192.168.139.101 -j REJECT      # remove the rule left over from the local-forwarding test
        # before the tunnel is up
        [root@centos6 ~]$ telnet 192.168.139.101
        Trying 192.168.139.101...
        telnet: connect to address 192.168.139.101: Connection refused
        [root@centos6 ~]$ telnet 127.0.0.1 9527
        Trying 127.0.0.1...
        Connected to 127.0.0.1.
        Escape character is '^]'.
        
        Kernel 3.10.0-957.el7.x86_64 on an x86_64
        Client login: LiangJC
        Password: 
        Last login: Tue Mar 10 17:55:45 from ::ffff:192.168.139.108
        [LiangJC@Client ~]$
        
    3. Dynamic forwarding
        # only hosts A and B are needed
        # nothing to configure on B
        # on A: -D opens a local SOCKS5 proxy on port 9527 whose traffic leaves from B
        [root@Client ~]# ssh -fND 9527 root@192.168.139.100
        [root@Client ~]# ss -nt
        State       Recv-Q Send-Q                  Local Address:Port                                 Peer Address:Port              
        ESTAB       0      52                    192.168.139.107:22                                  192.168.139.1:52206              
        ESTAB       0      0                     192.168.139.107:36548                             192.168.139.100:22
        [root@Client ~]# curl --socks5 127.0.0.1:9527 google.com
        <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
        <TITLE>301 Moved</TITLE></HEAD><BODY>
        <H1>301 Moved</H1>
        The document has moved
        <A HREF="http://www.google.com/">here</A>.
        </BODY></HTML>
        [root@Client ~]#
        
    killall ssh         # close all tunnels (kills every ssh client process on this host)
    

    Hardening the sshd server configuration

    vim /etc/ssh/sshd_config
    # change the default port
        Port 9527
    # use protocol version 2 only (protocol 1 support was removed in OpenSSH 7.4, where the directive is ignored)
        Protocol 2
    # restrict which users may log in
        AllowUsers LiangJC
    # time allowed to complete authentication (not an idle timeout; idle sessions are governed by ClientAliveInterval/ClientAliveCountMax)
        LoginGraceTime 1m
    # listen on a specific IP address only
        ListenAddress 192.168.139.100   
    # use key-based authentication: once the keys are deployed, refuse password logins
        PasswordAuthentication no
    # forbid empty passwords
        PermitEmptyPasswords no
    # forbid direct root login
        PermitRootLogin no
    # limit the rate and number of unauthenticated connections (the OpenSSH default is 10:30:100)
        MaxStartups
    # if password authentication is kept, enforce a strong password policy
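
    As an added example (not code from the original article), a small audit of an sshd_config copy against the items above. sshd applies the first occurrence of a keyword and Match-block settings are conditional, so the reader stops at the first "Match" line. The helper names sshd_get, audit_sshd, weak_sample and hardened_sample and both sample configs are made up for this demo.

```shell
#!/bin/bash
# Added example, not code from the original article: audit a copy of sshd_config
# against the hardening items above. sshd applies the FIRST occurrence of a keyword,
# and settings inside Match blocks are conditional, so the reader stops at "Match".
# The two sample configs at the bottom are constructed for this demo.
sshd_get() {   # sshd_get FILE KEYWORD -> value of the first uncommented global occurrence
    awk -v key="$2" 'tolower($1) == "match" { exit }
                     tolower($1) == tolower(key) { print $2; exit }' "$1"
}
audit_sshd() {
    local f="$1" n=0 v
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication=${v:-yes(default)}: password logins still accepted"; n=$((n+1)); }
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin=${v:-default}: direct root login not disabled"; n=$((n+1)); }
    v=$(sshd_get "$f" PermitEmptyPasswords)
    [ "$v" != "yes" ] || { echo "PermitEmptyPasswords=yes: accounts with empty passwords can log in"; n=$((n+1)); }
    v=$(sshd_get "$f" Protocol)
    case "$v" in *1*) echo "Protocol=$v: SSH protocol 1 enabled"; n=$((n+1)) ;; esac
    [ -n "$(sshd_get "$f" AllowUsers)$(sshd_get "$f" AllowGroups)" ] \
        || { echo "AllowUsers/AllowGroups unset: every account may log in"; n=$((n+1)); }
    [ -n "$(sshd_get "$f" MaxStartups)" ] \
        || { echo "MaxStartups unset: the default 10:30:100 applies; set it explicitly"; n=$((n+1)); }
    v=$(sshd_get "$f" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || { echo "Port=${v:-22}: default port (reduces scanner noise only, not a control)"; n=$((n+1)); }
    echo "findings=$n"
}
weak_sample() {       # constructed: password auth left on, as in the note above, plus a Match block
cat <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
}
hardened_sample() {   # constructed: the corrected settings
cat <<'EOF'
Port 9527
Protocol 2
AllowUsers LiangJC
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxStartups 10:30:100
EOF
}
tmp=$(mktemp); weak_sample > "$tmp"; audit_sshd "$tmp"
hardened_sample > "$tmp"; audit_sshd "$tmp"; rm -f "$tmp"
```

    The weak sample reports five findings even though a later Match block turns password authentication off for one user, because that setting never applies globally; run it against the output of sshd -T to audit the effective configuration rather than the file.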
    

    AIDE file integrity checking

    # install aide
    [root@Centos7 ~]# yum install aide
    [root@Centos7 ~]# vim /etc/aide.conf        # specify which directories and files to monitor
        /etc/passwd         # used for this test
    [root@Centos7 ~]# aide --init               # initialise; the database is written under /var/lib/aide
    
    # modify a file and test
    [root@Centos7 ~]# chmod +x /etc/passwd
    [root@Centos7 ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz  # --check reads aide.db.gz, so the new database must be renamed first
    [root@Centos7 ~]# aide --check
    AIDE 0.15.1 found differences between database and filesystem!!
    Start timestamp: 2020-03-10 21:30:13
    
    Summary:
      Total number of files:    162706
      Added files:          0
      Removed files:        0
      Changed files:        1
    
    
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    
    changed: /etc/passwd
    
    ---------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------
    
    
    File: /etc/passwd
     Perm     : -rw-r--r--                       , -rwxr-xr-x
     ACL      : old = A:
    ----
    user::rw-
    group::r--
    other::r--
    ----
                      D: <NONE>
                new = A:
    ----
    user::rwx
    group::r-x
    other::r-x
    ----
                      D: <NONE>
    
    # after an intended change, rebuild the baseline (writes a fresh aide.db.new.gz)
    aide --update
    

    sudo

    # the pitfall
    vim /etc/sudoers.d/liangjc
    liangjc ALL=(ALL) /bin/cat /var/log/messages*
    
    su - liangjc
    sudo /bin/cat /var/log/messages /etc/passwd /etc/shadow     # the sudoers "*" also matches spaces, so the extra arguments are accepted and passwd/shadow can be read
    
    # fix: allow the wildcard but deny any command line that carries further arguments
    liangjc ALL=(ALL) /bin/cat /var/log/messages*,!/bin/cat /var/log/messages* *
    

    TCP_Wrappers

    # /etc/hosts.allow   checked first, takes precedence
    # /etc/hosts.deny
    
    # only allow ssh connections from the 192.168.139.0/24 network
    echo "sshd: 192.168.139." >> /etc/hosts.allow
    echo "sshd: ALL" >> /etc/hosts.deny
    

    Resource limits with pam_limits

    vim /etc/pam.d/system-auth      
        session required pam_limits.so      # make sure this line is present and not commented out
    vim /etc/security/limits.conf           # add the limits
    * soft core unlimited
    * hard core unlimited
    * soft nproc 1000000
    * hard nproc 1000000
    * soft nofile 1000000
    * hard nofile 1000000
    * soft memlock 32000
    * hard memlock 32000
    * soft msgqueue 8192000
    * hard msgqueue 8192000
    


          Article link: https://www.haomeiwen.com/subject/hphqshtx.html