Linux Security

2020-03-20  Liang_JC

Lab environment:

Build a private CA and issue certificates to users

1. Build the CA (server)
[root@CA CA]# cd /etc/pki/CA/
[root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 4096)    # CA private key; the subshell keeps the umask change local, so the file is created 0600
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650  # self-signed CA certificate
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT      
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@CA CA]# touch index.txt       # certificate database; openssl ca refuses to run without it
[root@CA CA]# echo 01 > serial      # serial number of the next certificate to be issued

2. Request a certificate (client)
[root@client CA]# cd /etc/pki/CA/
[root@client CA]# (umask 066;openssl genrsa -out app.key 1024)          # private key (1024-bit RSA as in this session; use 2048 bits or more in practice)
[root@client CA]# openssl req -new -key app.key -out app.csr            # generate a certificate signing request (CSR) with the private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.magedu.com      # should be the application server's own hostname; reusing the CA's CN, as in this session, is a mistake
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:centos      # optional CSR attribute, not a passphrase for the key
An optional company name []:
[root@client CA]# scp app.csr 192.168.139.100:/data

3. Issue the certificate (CA server)
[root@CA CA]# openssl ca -in /data/app.csr -out /etc/pki/CA/certs/app.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  9 13:39:34 2020 GMT
            Not After : Mar  9 13:39:34 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = magedu
            organizationalUnitName    = IT
            commonName                = ca.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                7C:29:7D:9C:D1:0C:2B:D6:BF:47:7B:00:55:49:9C:F6:B3:B5:D5:54
            X509v3 Authority Key Identifier: 
                keyid:C9:BE:A0:61:55:C8:49:0B:D3:AC:95:4F:6B:5F:76:92:6B:D9:88:78

Certificate is to be certified until Mar  9 13:39:34 2021 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CA CA]# tree
.
├── cacert.pem                  # CA certificate
├── certs
│   └── app.crt                 # certificate issued for the client's CSR
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem                  # the CA's own copy of the same certificate, named by serial number
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
[root@CA CA]# openssl x509 -in cacert.pem -noout -text      # inspect the CA certificate

Revoking a certificate

# server
openssl ca -revoke newcerts/01.pem      # mark the certificate as revoked (R) in index.txt
echo 01 > crlnumber                     # CRL sequence number; must exist before the first CRL is generated
openssl ca -gencrl -out crl.pem         # generate the certificate revocation list; relying parties only notice the revocation if they fetch and check this CRL
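The three steps above together with the revocation section as one runnable script. This is an added example, not code from the original page: it builds the CA in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA, issues the leaf certificate for app.magedu.com (an assumed hostname, with a subjectAltName, rather than the CA's CN as in the session above), and adds the check the page never performs: openssl verify against the CA certificate after signing, and again with -crl_check after revocation, when it must fail.

```shell
#!/bin/sh
# Added example (not from the original page): the private-CA workflow above, run in a scratch
# directory with its own openssl.cnf, with verification before and after revocation.
# app.magedu.com is an assumed hostname; the DN fields are the ones used on the page.
set -eu

# Create the directory layout and bookkeeping files that /etc/pki/CA provides on CentOS,
# a minimal openssl.cnf, and a self-signed CA certificate.
build_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/crl" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"        # certificate database
    echo 01 > "$dir/serial"     # next certificate serial number
    echo 01 > "$dir/crlnumber"  # next CRL number, required before the first -gencrl
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions ca_ext -days 3650 \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=GD/L=GZ/O=magedu/OU=IT/CN=ca.magedu.com"
}

# Client side and CA side of steps 2 and 3: key, CSR, and a signed leaf certificate whose
# CN and subjectAltName are the server's hostname.
issue_cert() {
    dir="$1"; cn="$2"
    (umask 077; openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/C=CN/ST=GD/L=GZ/O=magedu/OU=IT/CN=$cn"
    # leaf extensions, written per certificate so the SAN can carry the hostname
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$dir/$cn.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' >> "$dir/$cn.ext"
    printf 'subjectAltName=DNS:%s\n' "$cn" >> "$dir/$cn.ext"
    # -batch answers the two y/n prompts shown on the page
    openssl ca -batch -config "$dir/openssl.cnf" -extfile "$dir/$cn.ext" -days 365 \
        -in "$dir/$cn.csr" -out "$dir/certs/$cn.crt" >/dev/null
}

# Revoke and publish a fresh CRL (the "Revoking a certificate" section).
revoke_cert() {
    dir="$1"; cn="$2"
    openssl ca -batch -config "$dir/openssl.cnf" -revoke "$dir/certs/$cn.crt" >/dev/null
    openssl ca -batch -config "$dir/openssl.cnf" -gencrl -out "$dir/crl/crl.pem"
}

# What a relying party does: chain to the CA and, if a CRL exists, honour it.
# Returns 0 for a valid certificate, non-zero once it is revoked.
check_cert() {
    dir="$1"; cn="$2"
    if [ -s "$dir/crl/crl.pem" ]; then
        cat "$dir/cacert.pem" "$dir/crl/crl.pem" > "$dir/ca-and-crl.pem"
        openssl verify -crl_check -CAfile "$dir/ca-and-crl.pem" "$dir/certs/$cn.crt"
    else
        openssl verify -CAfile "$dir/cacert.pem" "$dir/certs/$cn.crt"
    fi
}

demo() {
    dir="$(mktemp -d)"
    build_ca "$dir"
    issue_cert "$dir" app.magedu.com
    check_cert "$dir" app.magedu.com                     # prints "<path>: OK"
    grep '^V' "$dir/index.txt"                           # V = valid entry in the database
    revoke_cert "$dir" app.magedu.com
    grep '^R' "$dir/index.txt"                           # R = revoked
    check_cert "$dir" app.magedu.com || echo "verification now fails: certificate revoked"
    rm -rf "$dir"
}
demo
```

The relying-party check is the part that matters operationally: a certificate marked R in index.txt is still accepted by every client that never fetches the CRL, which is why the CRL (or an OCSP responder) has to be published somewhere clients actually look.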

Key-based SSH authentication

# generate a key pair on the client
[root@client ~]# ssh-keygen                     # generate a key pair (RSA 2048 here; ed25519 is the better choice on current OpenSSH); a passphrase protects the private key if the client is compromised
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CYVWLR30rWBxUtMmvKPpisRkPjwcQMXs0E1ZfsvsTrI root@client
The key's randomart image is:
+---[RSA 2048]----+
|    .=.=+**++.   |
|   .. *.+.o=ooo  |
|    .+.  .+ o+.  |
|     ... o =oo   |
|      + S  o=.   |
|     B .  o.     |
|      O  .. o    |
|     . +  .=     |
|      . ..E .    |
+----[SHA256]-----+
[root@client ~]# ssh-copy-id root@192.168.139.100       # append the public key to ~root/.ssh/authorized_keys on the server (asks for the password one last time)
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.139.100's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.139.100'"
and check to make sure that only the key(s) you wanted were added.
[root@client ~]# ssh root@192.168.139.100
Enter passphrase for key '/root/.ssh/id_rsa': 
Last failed login: Mon Mar  9 22:33:37 CST 2020 from 192.168.139.107 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Mar  9 21:14:46 2020 from 192.168.139.1
[root@CA ~]# 

Script for bulk key-based SSH setup

#!/bin/bash
# Pushes this host's public key to every host in hosts.txt (one IP per line) and uses expect
# to answer the password prompt. The root password sits in clear text in this file, so keep it
# mode 0700 and remove it once the bootstrap is done. The "yes/no" answer accepts every host key
# without checking its fingerprint; that is the trade-off this kind of bootstrap makes.
PASS=centos
if [ ! -f /root/.ssh/id_rsa ];then
    ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa &> /dev/null && echo "ssh-key is created"
fi  
rpm -q expect &> /dev/null || yum install -y expect &> /dev/null
while read -r IP;do
expect <<EOF
set timeout 10
spawn ssh-copy-id -f -i /root/.ssh/id_rsa.pub root@$IP
expect {
    "yes/no" { send "yes\n";exp_continue}
    "password" { send "$PASS\n" }
}
expect eof
EOF
echo $IP is ready
done < hosts.txt

rsync synchronization

# The first run is a full copy; later runs transfer only files that changed. The trailing "/" on the source matters:
# "/etc/" copies the contents of /etc into the target directory, while "/etc" would create etc_srv-1/etc and copy into that.
# -a preserves permissions, ownership and timestamps; without --delete, files removed at the source stay at the destination.
[root@SRV-1 ~]# rsync -av /etc/ 192.168.139.101:/root/etc_srv-1
# test
[root@SRV-1 ~]# touch /etc/passwd                   # change only the timestamp of passwd
[root@SRV-1 ~]# rsync -av /etc/ 192.168.139.101:/root/etc_srv-1
sending incremental file list
passwd

sent 84,978 bytes  received 829 bytes  19,068.22 bytes/sec
total size is 31,884,689  speedup is 371.59

pssh lightweight management

# -A prompts for a password (the same one is sent to every host)
[root@Client ~]# pssh -H "root@192.168.139.100" -A hostname
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 15:53:43 [SUCCESS] root@192.168.139.100

# key-based authentication
[root@Client ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WgjO36Y/U6o2LgDyVWdrW8vTupK0gFkPUzTMxz6v+ww root@Client
The key's randomart image is:
+---[RSA 2048]----+
|       +o.       |
|      . *.o      |
|    .. + +       |
|o  o..+.o +      |
|.o .o+.=S+ =     |
|  o o..++ = o    |
|   .  ooo=E+     |
|    . ooB oo     |
|     +++.+o+o    |
+----[SHA256]-----+
[root@Client ~]# ssh-copy-id root@192.168.139.100
[root@Client ~]# pssh -h "/data/script/hosts.txt" -i hostname       # hosts.txt lists one target host per line; -i prints each host's output inline

# change the SELinux mode on every host (this disables SELinux at the next boot; permissive is the safer way to debug policy problems)
[root@Client ~]# pssh -h "/data/script/hosts.txt" -i "sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/sysconfig/selinux"
# write each host's stdout to a file under the given directory
[root@Client ~]# pssh -h "/data/script/hosts.txt" -i -o /data/ hostname
# pscp copies local files to the remote hosts
[root@Client ~]# pscp.pssh -h host.txt /data/script/ssh-key.sh /data/
[root@Client ~]# pscp.pssh -h host.txt -r /data/script/ /data/
# pslurp copies files from the remote hosts to this machine
pslurp -h host.txt -L /data /etc/passwd user    # fetch /etc/passwd from every host into /data/<host>/user (one subdirectory per host)

SSH port forwarding

Environment: 3 hosts
A: client 192.168.139.101
B: server 192.168.139.100
C: telnet-server 192.168.139.108

1. Local forwarding
  # A and C cannot reach each other directly, but A can reach B and B can reach C; goal: A telnets to C through B
    # host C
    # CentOS 6
    yum install telnet-server telnet -y
    vim /etc/xinetd.d/telnet
        disable = no
    service xinetd start
    iptables -A INPUT -s 192.168.139.101 -j REJECT      # block direct connections from A (192.168.139.101)
    
    #A主机
    # before forwarding is enabled
    [root@Client ~]# telnet 192.168.139.108
    Trying 192.168.139.108...
    telnet: connect to address 192.168.139.108: Connection refused
    # enable forwarding with B as the jump host: connections to 127.0.0.1:9527 on A travel inside the SSH session to B, which connects to C:23; -f backgrounds ssh after authentication, -N runs no remote command
    [root@Client ~]# ssh -L 9527:192.168.139.108:23 192.168.139.100 -fN
    [root@Client ~]# ss -nt
    State       Recv-Q Send-Q                  Local Address:Port                                 Peer Address:Port              
    ESTAB       0      52                    192.168.139.101:22                                  192.168.139.1:52206              
    ESTAB       0      0                     192.168.139.101:36542                             192.168.139.100:22
    [root@Client ~]# telnet 127.0.0.1 9527
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    CentOS release 6.10 (Final)
    Kernel 2.6.32-754.el6.x86_64 on an x86_64
    centos6.localdomain login: liangjc
    Password: 
    Last login: Wed Mar 11 17:17:24 from 192.168.139.107
    [liangjc@centos6 ~]$ 
    
2. Remote forwarding
  # same topology: A and C cannot reach each other directly, but A-B and B-C can; goal: C telnets to A
    
    # host A
    yum install telnet-server telnet -y
    systemctl start telnet.socket
    iptables -A INPUT -s 192.168.139.108 -j REJECT      # block direct connections from C
    
    # host B: log in to C and have sshd on C listen on 127.0.0.1:9527; connections to that port come back through the tunnel to B, which connects to A:23
    [root@SRV-1 ~]# ssh -R 9527:192.168.139.101:23 192.168.139.108 -fN
    [root@SRV-1 ~]# ss -nt
    State       Recv-Q Send-Q                  Local Address:Port                                 Peer Address:Port              
    ESTAB       0      0                     192.168.139.100:22                                  192.168.139.1:52187              
    ESTAB       0      0                     192.168.139.100:34156                             192.168.139.108:22 
    
    # host C
    iptables -D INPUT -s 192.168.139.101 -j REJECT      # remove the rule left over from the local-forwarding test
    # before forwarding is enabled
    [root@centos6 ~]$ telnet 192.168.139.101
    Trying 192.168.139.101...
    telnet: connect to address 192.168.139.101: Connection refused
    [root@centos6 ~]$ telnet 127.0.0.1 9527
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    
    Kernel 3.10.0-957.el7.x86_64 on an x86_64
    Client login: LiangJC
    Password: 
    Last login: Tue Mar 10 17:55:45 from ::ffff:192.168.139.108
    [LiangJC@Client ~]$
    
3. Dynamic forwarding
    # only A and B are needed
    # nothing to configure on B
    # on A: open a SOCKS5 proxy on 127.0.0.1:9527 whose traffic exits at B
    [root@Client ~]# ssh -fND 9527 root@192.168.139.100
    [root@Client ~]# ss -nt
    State       Recv-Q Send-Q                  Local Address:Port                                 Peer Address:Port              
    ESTAB       0      52                    192.168.139.107:22                                  192.168.139.1:52206              
    ESTAB       0      0                     192.168.139.107:36548                             192.168.139.100:22
    [root@Client ~]# curl --socks5 127.0.0.1:9527 google.com     # with --socks5 the name is resolved on A; --socks5-hostname resolves it on B as well
    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="http://www.google.com/">here</A>.
    </BODY></HTML>
    [root@Client ~]#
    
killall ssh         # closes every tunnel, but also every other ssh client process on this host; to close a single tunnel use pkill -f with its exact forwarding arguments

sshd hardening

vim /etc/ssh/sshd_config
# change the default port (keeps untargeted scans away; it is no substitute for the settings below)
    Port 9527
# protocol version 2 only (OpenSSH 7.4 and later implement nothing else; the line is harmless there)
    Protocol 2
# restrict which users may log in
    AllowUsers LiangJC
# time allowed to complete authentication; this is not an idle timeout (idle sessions are dropped via ClientAliveInterval and ClientAliveCountMax)
    LoginGraceTime 1m
# listen only on a specific address
    ListenAddress 192.168.139.100   
# key-based authentication: once the keys are installed, turn password logins off (leaving this at yes keeps password guessing possible)
    PasswordAuthentication no
# forbid empty passwords
    PermitEmptyPasswords no
# forbid direct root login
    PermitRootLogin no
# limit unauthenticated connections, start:rate:full (default values shown)
    MaxStartups 10:30:100
# if password authentication is kept, enforce a strong password policy through PAM (pam_pwquality), not in sshd_config
# validate with sshd -t before restarting, and keep the current session open until a new login works
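A check for the settings above, added here as an example and not part of the original page. sshd_get reproduces how sshd reads the file (first occurrence wins, keywords are case-insensitive, everything after a Match line is conditional), audit_sshd lists the findings, and write_samples creates two constructed files, one near-stock and one with the hardened values from this section, so the script runs without sshd installed. On a live host, sshd -T prints the effective configuration and is the better input.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config file for the settings
# discussed above. Works on any file, so it can be pointed at /etc/ssh/sshd_config or at the
# constructed samples written by write_samples; sshd itself is not needed.
set -eu

# Effective value of a keyword: sshd uses the first occurrence, keywords are case-insensitive,
# and anything after a Match line is conditional, so the scan stops there. Prints nothing if unset.
sshd_get() {
    file="$1"
    key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$file"
}

# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
audit_sshd() {
    file="$1"; n=0
    v="$(sshd_get "$file" PasswordAuthentication)"
    [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication=${v:-unset(default yes)}: disable once keys are installed"; n=$((n+1)); }
    v="$(sshd_get "$file" PermitRootLogin)"
    [ "${v:-unset}" = "no" ] || { echo "PermitRootLogin=${v:-unset}: set it to no explicitly"; n=$((n+1)); }
    v="$(sshd_get "$file" PermitEmptyPasswords)"
    [ "${v:-no}" = "no" ] || { echo "PermitEmptyPasswords=$v: should be no"; n=$((n+1)); }
    v="$(sshd_get "$file" Protocol)"
    [ -z "$v" ] || [ "$v" = "2" ] || { echo "Protocol=$v: protocol 1 must not be offered"; n=$((n+1)); }
    [ -n "$(sshd_get "$file" AllowUsers)$(sshd_get "$file" AllowGroups)" ] || { echo "no AllowUsers/AllowGroups: every account may try to log in"; n=$((n+1)); }
    v="$(sshd_get "$file" ClientAliveInterval)"
    [ "${v:-0}" != "0" ] || { echo "ClientAliveInterval unset or 0: idle sessions are never dropped"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# Constructed samples: a near-stock config and the hardened one from this section.
write_samples() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
# constructed sample, resembles a stock sshd_config
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed sample: the settings recommended above
Port 9527
Protocol 2
ListenAddress 192.168.139.100
AllowUsers LiangJC
LoginGraceTime 1m
ClientAliveInterval 300
ClientAliveCountMax 2
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxStartups 10:30:100
EOF
}

demo() {
    dir="$(mktemp -d)"
    write_samples "$dir"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_sshd "$dir/$f.conf" && echo "no findings"
    done
    rm -rf "$dir"
}
demo
```

The commented "#PermitRootLogin no" line and the value inside the Match block in weak.conf are deliberately there: both look like a safe setting on a quick read, and neither counts.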

AIDE file integrity checking

# install aide
[root@Centos7 ~]# yum install aide
[root@Centos7 ~]# vim /etc/aide.conf        # select which directories and files are checked, and which attributes (permissions, owner, hashes, ...) are recorded
    /etc/passwd         # the file used for this test
[root@Centos7 ~]# aide --init               # initialize; the database is written to /var/lib/aide/aide.db.new.gz

# modify the file and test
[root@Centos7 ~]# chmod +x /etc/passwd
[root@Centos7 ~]# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz  # --check reads aide.db.gz, so the freshly built database must be renamed first
[root@Centos7 ~]# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2020-03-10 21:30:13

Summary:
  Total number of files:    162706
  Added files:          0
  Removed files:        0
  Changed files:        1


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/passwd

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/passwd
 Perm     : -rw-r--r--                       , -rwxr-xr-x
 ACL      : old = A:
----
user::rw-
group::r--
other::r--
----
                  D: <NONE>
            new = A:
----
user::rwx
group::r-x
other::r-x
----
                  D: <NONE>

# once the reported change has been confirmed as legitimate, refresh the database (writes aide.db.new.gz again; rename it as above). Keep the database where an attacker who changed the file cannot also rewrite it.
aide --update
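The principle behind aide --init and aide --check, as an added example in plain shell and not code from the original page or from AIDE itself: a baseline of mode, owner, group, size and SHA-256 per file, and a check that reports added, removed and changed files, so the chmod +x test above can be reproduced without AIDE. The file tree it scans is constructed in a temporary directory; it assumes GNU stat and sha256sum and paths without newlines.

```shell
#!/bin/sh
# Added example (not from the original page): the mechanism behind `aide --init` and
# `aide --check` in plain shell. The baseline records mode, owner, group, size and SHA-256
# per file; the check reports added, removed and changed files. Assumes GNU stat and
# sha256sum (Linux) and paths without newlines; the scanned tree is constructed for the demo.
set -eu
export LC_ALL=C   # stable sort order for comm

# One record per regular file: "<path> <mode> <owner> <group> <size> <sha256>", sorted by path.
fim_snapshot() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a %U %G %s' "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# Equivalent of `aide --init` followed by the mv to aide.db.gz: write the baseline.
fim_init() { fim_snapshot "$1" > "$2"; }

# Equivalent of `aide --check`: prints the differences, returns 1 if there are any.
fim_check() {
    root="$1"; db="$2"
    tmp="$(mktemp -d)"
    fim_snapshot "$root" > "$tmp/cur"
    cut -d' ' -f1 "$db" > "$tmp/old_paths"
    cut -d' ' -f1 "$tmp/cur" > "$tmp/cur_paths"
    {
        comm -23 "$tmp/old_paths" "$tmp/cur_paths" | sed 's/^/removed: /'
        comm -13 "$tmp/old_paths" "$tmp/cur_paths" | sed 's/^/added: /'
        # paths present in both: compare the full record (mode, owner, group, size, hash)
        comm -12 "$tmp/old_paths" "$tmp/cur_paths" | while IFS= read -r p; do
            old="$(awk -v p="$p" '$1 == p' "$db")"
            new="$(awk -v p="$p" '$1 == p' "$tmp/cur")"
            [ "$old" = "$new" ] || printf 'changed: %s\n    was: %s\n    now: %s\n' "$p" "${old#* }" "${new#* }"
        done
    } > "$tmp/report"
    if [ -s "$tmp/report" ]; then
        cat "$tmp/report"
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

demo() {
    t="$(mktemp -d)"
    mkdir -p "$t/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$t/etc/passwd"   # constructed content
    chmod 644 "$t/etc/passwd"
    fim_init "$t/etc" "$t/baseline.db"         # baseline lives outside the monitored tree
    fim_check "$t/etc" "$t/baseline.db" && echo "baseline matches"
    chmod +x "$t/etc/passwd"                   # the same test as on the page
    fim_check "$t/etc" "$t/baseline.db" || echo "integrity check failed as expected"
    rm -rf "$t"
}
demo
```

The baseline has to be stored where whoever changed the file cannot also rewrite it (read-only media or another host); the same holds for /var/lib/aide/aide.db.gz, which is why aide --update belongs after the investigation, not before it.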

sudo

# the hazard: a wildcard in the command spec also matches spaces, so extra arguments are accepted
vim /etc/sudoers.d/liangjc
liangjc ALL=(ALL) /bin/cat /var/log/messages*

su - liangjc
sudo /bin/cat /var/log/messages /etc/passwd /etc/shadow     # still matches the rule, so passwd and shadow can be read

# fix: additionally deny any invocation with more than one argument (the pattern ends in "* *", a space followed by anything); an explicit list of files without wildcards is safer still
liangjc ALL=(ALL) /bin/cat /var/log/messages*,!/bin/cat /var/log/messages* *

TCP_Wrappers

# /etc/hosts.allow is evaluated first, and a match there grants access
# /etc/hosts.deny is consulted next; no match in either file means allow
# only daemons linked against libwrap honour these files (CentOS 7's sshd does; upstream OpenSSH dropped the support in 6.7)

# allow ssh only from 192.168.139.0/24 (the trailing dot makes the pattern a network prefix)
echo "sshd: 192.168.139." >> /etc/hosts.allow
echo "sshd: ALL" >> /etc/hosts.deny

pam_limits resource limits

vim /etc/pam.d/system-auth      
    session required pam_limits.so      # make sure this line exists and is not commented out, otherwise limits.conf is ignored
vim /etc/security/limits.conf           # add the limits; soft is the value in effect at login, hard is the ceiling an unprivileged process may raise it to
* soft core unlimited                   # unlimited core dumps are a debugging setting; core files can contain secrets
* hard core unlimited
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
* soft memlock 32000
* hard memlock 32000
* soft msgqueue 8192000
* hard msgqueue 8192000