
linux安全配置

作者: Daisy小朋友 | 来源:发表于2019-04-15 16:03 被阅读0次

    系统:Centos7.2 腾讯云主机加固脚本

    1.关闭默认的 22 端口,改用非默认端口;禁止 root 直接通过 SSH 登录,改用普通用户登录后再用 sudo 提权
    2.加固脚本
    #!/usr/bin/env bash
    # desc: setup linux system security for wupao
    # author:chy 20190415
    #
    # Hardening script for CentOS 7.2 (Tencent Cloud). Every step edits files
    # under /etc and calls chattr/usermod, so it must be run as root.
    #
    # Global vars
    # Suffix for the .bak copies taken before each file is edited.
    DATE="$(date +%F)"
    # NOTE: relative path -- the log lands in whatever directory the script
    # is started from, not in /var/log.
    log_name="anquanjiagu.log"
    
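    #account setup
    # Lock the password of service accounts that should never log in.
    # Back up passwd/shadow ONCE, before the loop: the original copied them
    # inside the loop, so from the second iteration on the backup was
    # overwritten with an already-modified shadow file.
    cp -p /etc/passwd "/etc/passwd.bak${DATE}"
    cp -p /etc/shadow "/etc/shadow.bak${DATE}"
    echo "当前用户列表:" >>"$log_name"
    cat /etc/passwd >>"$log_name"
    echo "锁定不需要的用户:" >>"$log_name"
    for user in lp nscd dbus vcsa nobody avahi sync ftp mail shutdown halt news uucp operator games gopher; do
        # Not every name in the list exists on a minimal CentOS 7 install;
        # skip the missing ones instead of logging a bogus "disabled".
        if ! getent passwd "$user" >/dev/null; then
            echo "user $user does not exist, skipped" >>"$log_name"
            continue
        fi
        echo "will disable login for $user" >>"$log_name"
        # usermod -L only locks the password hash (prefixes it with '!'); it
        # does not change the login shell and does not affect SSH key auth.
        if usermod -L "$user"; then
            echo "The user $user login have disabled!" >>"$log_name"
        else
            echo "usermod -L $user failed" >>"$log_name"
        fi
    done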
    
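    ## Minimum password length: 8
    # Active (uncommented) PASS_MIN_LEN value; empty if the key is missing.
    len="$(awk '$1=="PASS_MIN_LEN" {print $2}' /etc/login.defs)"
    # NOTE(review): on CentOS 7 passwd(1) goes through the PAM password stack
    # (pam_pwquality / pam_cracklib minlen); PASS_MIN_LEN in login.defs is
    # only honoured by tools that bypass PAM. Keep both in sync.
    if [[ "$len" =~ ^[0-9]+$ ]] && (( len >= 8 )); then
        echo "当前的密码长度为:$(grep -E '^PASS_MIN_LEN[[:space:]]' /etc/login.defs)" >>"$log_name"
        echo "口令到期提醒时间为:$(grep -E '^PASS_WARN_AGE[[:space:]]' /etc/login.defs)" >>"$log_name"
    else
        cp -p /etc/login.defs "/etc/login.defs.bak${DATE}"
        echo "现在密码长度为:$len ,需要修改默认最小密码长度" >>"$log_name"
        if [ -z "$len" ]; then
            # Key absent: append it instead of silently doing nothing.
            echo "PASS_MIN_LEN 8" >>/etc/login.defs
        else
            # Replace the whole numeric value on the active line. The original
            # 's/5/8/g' rewrote every '5' on the line (15 -> 18) and was a
            # no-op for any value other than 5 while still logging "changed".
            sed -i -E 's/^(PASS_MIN_LEN[[:space:]]+)[0-9]+/\18/' /etc/login.defs
        fi
        echo "密码默认长度已从${len:-unset}修改为8!!!" >>"$log_name"
    fi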
     
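    ## Report extra UID-0 accounts (any account besides root with UID 0 is
    ## root-equivalent). The script only reports; it does not change UIDs.
    # Match the name exactly; the original `grep -v root` also dropped any
    # account whose name merely contains "root".
    su_num="$(awk -F: '($3==0 && $1!="root"){print $1}' /etc/passwd)"
    # Quoted test: the original `[ -z $su_num ]` failed with "binary operator
    # expected" as soon as more than one such account existed.
    if [ -z "$su_num" ]; then
        echo "系统中不存在root用户之外具有root权限的用户" >>"$log_name"
    else
        echo "系统中存在root用户之外具有root权限的用户,需进行修改UID" >>"$log_name"
        # Record which accounts so the operator can act on the finding.
        echo "$su_num" >>"$log_name"
    fi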
    
    
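    # Make the account databases immutable (chattr +i).
    # i: the file cannot be deleted, renamed, linked, written to or appended to.
    # While the flag is set NOTHING can modify these files: useradd/userdel/
    # usermod, passwd(1) for every user (including changes forced by password
    # aging) and useradd in package scriptlets (e.g. installing nginx creates
    # the nginx account) all fail until `chattr -i` is run. Run `chattr -i` on
    # all four files before the "普通用户" setup further down this page, or
    # create that user first.
    for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
        # chattr needs root and an ext*/xfs filesystem; log the real result
        # instead of an unconditional "success".
        if chattr +i "$f"; then
            echo "chattr +i $f success" >>"$log_name"
        else
            echo "chattr +i $f FAILED" >>"$log_name"
        fi
    done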
    
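    # Password complexity via pam_cracklib on the password stack.
    # Policy: 5 retries, at least 8 chars, at least one upper, one lower and
    # one digit (a negative credit means "required"). difok=1 only requires a
    # single character to differ from the previous password -- consider
    # raising it.
    cp -p /etc/pam.d/system-auth "/etc/pam.d/system-auth.bak${DATE}"
    # Replaces the existing `password requisite` line (on CentOS 7 that is
    # normally pam_pwquality.so as written by authconfig). Re-running is
    # harmless: the replaced line matches again and gets identical content.
    # NOTE: /etc/pam.d/system-auth is a symlink to system-auth-ac; GNU sed -i
    # turns the symlink into a regular file (add --follow-symlinks to edit the
    # target instead), and any later `authconfig --update` regenerates the
    # file and discards this edit.
    sed -i "s/password    requisite.*/password    requisite     pam_cracklib.so retry=5 difok=1 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 dictpath=\/usr\/share\/cracklib\/pw_dict/" /etc/pam.d/system-auth
    # The pattern is whitespace-sensitive and silently matches nothing if the
    # file was hand-edited, so verify that the line really landed.
    if grep -q '^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib.so' /etc/pam.d/system-auth; then
        echo "设置密码复杂度success" >>"$log_name"
    else
        echo "设置密码复杂度 FAILED: no 'password requisite' line matched in /etc/pam.d/system-auth" >>"$log_name"
    fi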
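    # Lock the account after 5 failed logins, auto-unlock after 300 s (pam_tally2).
    # Companion tool:
    #   pam_tally2 --user            # list failure counts / locked users
    #   pam_tally2 -r -u zabbix      # reset (unlock) the zabbix account
    # Example output:
    #   Login           Failures Latest failure     From
    #   zabbix              7    04/15/19 15:19:25  221.198.218.86
    # Only /etc/pam.d/sshd is edited, so the lockout covers SSH logins only
    # (console and su are not covered). root is not locked unless
    # even_deny_root is added; see pam_tally2(8).
    cp -p /etc/pam.d/sshd "/etc/pam.d/sshd.bak${DATE}"
    # The original inserted the line after line 1 on every run, so repeated
    # runs stacked duplicate pam_tally2 entries; insert only once.
    if grep -q 'pam_tally2.so' /etc/pam.d/sshd; then
        echo "pam_tally2 already configured in /etc/pam.d/sshd, skipped" >>"$log_name"
    else
        sed -i '1aauth       required     pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/sshd
        echo "登录失败锁定已设置,使用pam_tally2.so模块">>"$log_name"
    fi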
    
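    # Idle shell timeout: log the session out after 300 s without input.
    # Backup name kept as in the original (no ".bak" infix).
    cp -p /etc/profile "/etc/profile${DATE}"
    # Guard so repeated runs do not append the line again.
    if ! grep -q '^TMOUT=' /etc/profile; then
        echo "TMOUT=300" >>/etc/profile
        # Without readonly any user can simply `unset TMOUT`; export it so
        # sub-shells inherit the limit as well.
        echo "readonly TMOUT; export TMOUT" >>/etc/profile
    fi
    echo "当前的登录超时设置为:$(grep TMOUT /etc/profile)" >>"$log_name"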
    
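    # Keep 4000 history entries with timestamps, system-wide via /etc/profile.
    # Written with printf instead of a here-document so the terminator cannot
    # be broken by indentation, and guarded so repeated runs do not append
    # the same four lines again.
    if ! grep -q '^HISTTIMEFORMAT=' /etc/profile; then
        printf '%s\n' \
            "HISTFILESIZE=4000" \
            "HISTSIZE=4000" \
            "HISTTIMEFORMAT='%F %T '" \
            "export HISTTIMEFORMAT" >>/etc/profile
    fi

    # Re-read /etc/profile into this (root) shell so the new values apply to
    # the rest of the run. Note this also re-executes every
    # /etc/profile.d/*.sh as root; kept for compatibility with the original.
    source /etc/profile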
    
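    # Enable SYN cookies (net.ipv4.tcp_syncookies=1): when the SYN backlog
    # overflows the kernel answers with cookies instead of dropping, which
    # mitigates small SYN floods. CentOS 7 kernels typically already default
    # to 1; this makes the setting persistent.
    cp -p /etc/sysctl.conf "/etc/sysctl.conf.bak${DATE}"
    # Set-or-append rather than blind append, so the file does not gain one
    # copy of the line per run.
    if grep -q '^net.ipv4.tcp_syncookies' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies=1/' /etc/sysctl.conf
    else
        echo "net.ipv4.tcp_syncookies=1" >>/etc/sysctl.conf
    fi
    # Apply immediately.
    sysctl -p
    echo "开启SYN Cookies">>"$log_name"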
    
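    # sshd hardening.
    # MaxAuthTries: auth attempts per connection before sshd disconnects. 6 is
    # the sshd default, so this line only makes it explicit; lowering it
    # (e.g. 3) is the actual hardening step.
    # UseDNS no: no reverse lookup of the client address during login.
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak${DATE}"
    # Anchored patterns that match the directive whether it is still commented
    # out or already active; the original matched only the exact stock text
    # "#MaxAuthTries 6" / "#UseDNS yes" and silently did nothing otherwise.
    sed -i -E 's/^#?[[:space:]]*MaxAuthTries[[:space:]].*/MaxAuthTries 6/' /etc/ssh/sshd_config
    sed -i -E 's/^#?[[:space:]]*UseDNS[[:space:]].*/UseDNS no/' /etc/ssh/sshd_config
    echo "限制服务器被SSH尝试,默认为6">>"$log_name"
    # The settings only take effect after a reload, and a broken config would
    # leave sshd unable to start (lock-out risk on a cloud host), so validate
    # first and reload only on success.
    if sshd -t; then
        systemctl reload sshd && echo "sshd reloaded" >>"$log_name"
    else
        echo "sshd -t FAILED: /etc/ssh/sshd_config invalid, not reloaded (backup: /etc/ssh/sshd_config.bak${DATE})" >>"$log_name"
    fi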
    
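    # Restrict a set of utilities to root (mode 700).
    # Caveats to weigh before keeping this step:
    #  - It locks ordinary users (including the nginx account set up later on
    #    this page) out of vi, which, who, ping, ifconfig, ... and breaks any
    #    script of theirs that calls them.
    #  - rpm/yum restore the packaged modes on the next update of the owning
    #    package and `rpm -V` reports each of these as modified, so the change
    #    is neither durable nor quietly reversible.
    #  - On CentOS 7 /bin and /sbin are symlinks to /usr/bin and /usr/sbin, so
    #    /bin/ping and /usr/bin/ping are the same file.
    for bin in /bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate /usr/bin/whereis /sbin/ifconfig /usr/bin/pico /bin/vi /usr/bin/which /usr/bin/gcc /usr/bin/make /bin/rpm; do
        # Some entries (pico, finger, gcc) are absent on a minimal system;
        # log and skip instead of letting chmod print an error.
        if [ -e "$bin" ]; then
            chmod 700 "$bin" && echo "chmod 700 $bin" >>"$log_name"
        else
            echo "$bin not found, chmod skipped" >>"$log_name"
        fi
    done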
    
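    # History protection for root.
    # The original ran `chattr +a` and then `chattr +i`. +i forbids ALL writes,
    # appends included, so bash could no longer save root's history at all --
    # the opposite of the intent. Keep only +a (append-only): the file cannot
    # be truncated, deleted or edited in place, but new commands still get
    # recorded.
    [ -e /root/.bash_history ] || touch /root/.bash_history
    chattr +a /root/.bash_history && echo "chattr +a /root/.bash_history" >>"$log_name"
    # bash rewrites the whole history file on exit unless histappend is set;
    # on an append-only file that rewrite fails and the session's history is
    # lost. Enable histappend for root so the +a file keeps being written.
    # (HISTFILESIZE trimming also cannot happen on an append-only file, so the
    # file will grow beyond 4000 lines.)
    if ! grep -q 'histappend' /root/.bashrc 2>/dev/null; then
        echo "shopt -s histappend" >>/root/.bashrc
    fi
    # This is a speed bump, not a control: root can still `chattr -a` or run
    # with HISTFILE unset. Forward history/auditd logs off-host for real
    # accountability.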
    
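    # Record a hash baseline of important binaries into /var/log/<hostname>.log.
    # Changes from the original:
    #  - the list is a shell array instead of a file named "list" in the
    #    current directory (predictable name, left behind on failure);
    #  - sha256sum instead of md5sum (md5 is collision-weak; the line format
    #    "<hash>  <path>" is otherwise the same);
    #  - missing binaries are logged as well as printed.
    # The baseline is only appended, never compared; use `rpm -V` or AIDE for
    # actual integrity checking. The list differs slightly from the chmod list
    # above (/bin/finger, /bin/pico, /usr/bin/vim) -- kept as written.
    baseline_log="/var/log/$(hostname).log"
    important_bins=(
        /bin/ping /bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate
        /usr/bin/whereis /sbin/ifconfig /bin/pico /bin/vi /usr/bin/vim
        /usr/bin/which /usr/bin/gcc /usr/bin/make /bin/rpm
    )
    for bin in "${important_bins[@]}"; do
        if [ ! -x "$bin" ]; then
            echo "$bin not found,no sha256sum!" | tee -a "$log_name"
        else
            sha256sum "$bin" >>"$baseline_log"
        fi
    done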
    

    内网普通用户密钥登录

    1. 修改sshd_config配置文件
    vim /etc/ssh/sshd_config 
    PermitRootLogin no  ##不允许root登录
    PasswordAuthentication no   #不允许密码登录(务必先在另一个会话中确认密钥登录成功,再关闭密码登录,否则会把自己锁在外面)
    Port 21201  ##修改默认22端口登录(需同时在云安全组/防火墙放行该端口;SELinux 为 enforcing 时还需 semanage port -a -t ssh_port_t -p tcp 21201,否则 sshd 无法监听新端口;改完用 sshd -t 检查后 systemctl reload sshd 生效)
    

    2.生成密钥
    使用普通用户登录


    image.png

    在生成密钥的命令(通常为 ssh-keygen)提示处输入私钥保护口令(passphrase)即可,之后会发现 ~/.ssh 下已生成一对密钥:

    -bash-4.2$ pwd
    /nginx/.ssh
    -bash-4.2$ ll
    total 8
    -rw------- 1 nginx nginx 1766 May 22 17:22 id_rsa
    -rw-r--r-- 1 nginx nginx  403 May 22 17:22 id_rsa.pub
    将公钥内容(id_rsa.pub)追加到 ~/.ssh/authorized_keys 中(cat id_rsa.pub >> authorized_keys),并确保 ~/.ssh 目录权限为 700、家目录不可被组/其他用户写入,否则 sshd 的 StrictModes 会拒绝使用该密钥。如下
    -bash-4.2$ chmod 400 authorized_keys    #赋权
    -bash-4.2$ ll
    total 8
    -r-------- 1 nginx nginx  403 May 22 17:25 authorized_keys
    drwxrwxr-x 2 nginx nginx 4096 May 22 17:26 rsa
    -bash-4.2$ pwd
    /nginx/.ssh
    

    3.使用xshell等工具登录


    image.png

    配置好即可登录
    4.赋予sudo权限

    visudo   # 不要直接用 vim 编辑 /etc/sudoers:visudo 会在保存时做语法检查,写错会导致所有 sudo 失效
    nginx   ALL=(ALL)       ALL   # 等同于完整 root 权限;若只需重启服务等少数操作,应改为列出具体命令
    

    问题:
    可能出现无法登录的情况:
    登录失败锁定已设置(脚本向 /etc/pam.d/sshd 插入了下面这一行:连续 5 次 SSH 登录失败后锁定,300 秒后自动解锁;未加 even_deny_root 时 root 不受此限制)

    sed -i '1aauth       required     pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/sshd
    
    手动解除锁定:
    查看所有用户的错误登录次数:
    pam_tally2 --user
    例如,查看work用户的错误登录次数:
    pam_tally2 --user work
    清空某一用户错误登录次数:
    pam_tally2 --user <用户名> --reset
    例如,清空 work 用户的错误登录次数,
    pam_tally2 --user work --reset
    
    
