linux 系统简单加固

2020-01-13  本文已影响0人  KK7384

linux 系统简单加固

账户配置

修改ssh端口

使用命令 vi /etc/ssh/sshd_config 修改ssh服务配置文件, 将以 PORT 开头的行改为 PORT 30022, 并取消注释.

重启sshd服务后配置生效, ssh端口被改为30022.

注意: 需要在各层防火墙上开放新端口.

文件权限配置

使用命令 vi /etc/profile 修改配置文件, 添加行 umask 027, 即新创建的文件属主拥有读写执行权限, 同组用户拥有读和执行权限, 其他用户无权限.

登录超时配置

使用命令 vi /etc/profile 修改配置文件, 将以 TMOUT= 开头的行注释, 设置为TMOUT=180, 即超时时间为三分钟.

用户操作历史记录配置

通过脚本代码实现记录所有用户的登录操作日志, 防止出现安全事件后无据可查.

使用命令 vi /etc/profile 修改配置文件, 添加以下内容:

history
USER=${whoami}
USER_IP=$(who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]
then
  USER_IP=`hostname`
fi
if [ ! -d /var/log/history ]
then
  mkdir /var/log/history
  chmod 777 /var/log/history
fi
if [ ! -d /var/log/history/${LOGNAME} ]
then
  mkdir /var/log/history/${LOGNAME}
  chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=$(date +"%Y%m%d_%H:%M:%S")
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null

注意: /var/log/history 是记录日志的存放位置, 可以自定义.

通过上述步骤, 可以在 /var/log/history 目录下以每个用户为名新建一个文件夹, 每次用户退出后都会产生以用户名/登录IP/时间的日志文件, 包含此用户本次的所有操作(root用户除外).

防止ssh远程登录的暴力破解

使用fail2ban防止ssh远程登录的暴力破解. fail2ban是一套python脚本, 从系统日志中读取登录的IP和登录结果, 如果一定时长(findtime)内登录失败超过一定的次数(maxretry), 则将这个IP屏蔽相应的时间(bantime).

根据操作系统版本, 从下面选择相应的脚本, 执行即可安装并配置fail2ban.

centos7

yum -y install fail2ban-hostsdeny
sed 's/^loglevel.*=.*$/loglevel = ERROR/g' -i /etc/fail2ban/fail2ban.conf
tee /etc/fail2ban/jail.local <<- 'EOF'
[DEFAULT]
ignoreip = 127.0.0.0/8
bantime  = 3600
findtime  = 300
maxretry = 5
backend = auto
[sshd]
enabled  = true
filter   = sshd
action   = hostsdeny[daemon_list=sshd]
logpath  = /var/log/secure
maxretry = 5
bantime  = 3600
findtime  = 300
EOF
systemctl enable fail2ban
systemctl restart fail2ban

centos6

yum -y install fail2ban
sed 's/^loglevel.*=.*$/loglevel = ERROR/g' -i /etc/fail2ban/fail2ban.conf
tee /etc/fail2ban/jail.local <<- 'EOF'
[DEFAULT]
ignoreip = 127.0.0.0/8
bantime  = 3600
findtime  = 300
maxretry = 5
backend = auto
[sshd]
enabled  = true
filter   = sshd
action   = hostsdeny[daemon_list=sshd]
logpath  = /var/log/secure
maxretry = 5
bantime  = 3600
findtime  = 300
EOF
chkconfig fail2ban on
service fail2ban restart

ubuntu1604

apt-get update
apt-get -y install fail2ban
sed 's/^loglevel.*=.*$/loglevel = ERROR/g' -i /etc/fail2ban/fail2ban.conf
tee /etc/fail2ban/jail.local <<- 'EOF'
[DEFAULT]
ignoreip = 127.0.0.0/8
bantime  = 3600
findtime  = 300
maxretry = 5
backend = auto
[sshd]
enabled  = true
filter   = sshd
action   = hostsdeny[daemon_list=sshd]
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 3600
findtime  = 300
EOF
systemctl enable fail2ban
systemctl restart fail2ban

ubuntu1404

apt-get update
apt-get -y install fail2ban
sed 's/^loglevel.*=.*$/loglevel = 1/g' -i /etc/fail2ban/fail2ban.conf
tee /etc/fail2ban/jail.local <<- 'EOF'
[DEFAULT]
ignoreip = 127.0.0.0/8
bantime  = 3600
findtime  = 300
maxretry = 5
backend = auto
[ssh]
enabled  = true
filter   = sshd
action   = hostsdeny[daemon_list=sshd]
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 3600
findtime  = 300
EOF
service fail2ban restart
上一篇下一篇

猜你喜欢

热点阅读