linux安全配置

2019-04-15  本文已影响0人  Daisy小朋友

系统:Centos7.2 腾讯云主机加固脚本

1.关闭22端口,启用普通端口,关闭root登录,普通用户登录
2.加固脚本
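#!/usr/bin/env bash
# desc: setup linux system security for wupao
# author:chy 20190415
#
# Hardening script for a CentOS 7.2 host.  Every step edits files under /etc
# or changes the mode/attributes of system binaries, so it must run as root;
# abort up front rather than failing half-way and leaving a partially
# hardened host.
#
# Global vars
#   DATE      - today's date (YYYY-MM-DD), suffix of every backup copy taken below
#   log_name  - audit log of what was changed (relative to the current directory)
set -u   # an unset variable is a bug in this script, not an empty default

if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

DATE=$(date +%F)
readonly DATE
readonly log_name=anquanjiagu.log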

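# account setup: lock the service accounts this host does not use
echo "当前用户列表:" >>"$log_name"
cat /etc/passwd >>"$log_name"
echo "锁定不需要的用户:" >>"$log_name"

# Back up once, before the first usermod.  The original copied inside the
# loop, so every iteration overwrote the backup with an already-modified
# /etc/shadow and the real "before" state was lost after the first user.
cp -p /etc/passwd "/etc/passwd.bak${DATE}"
cp -p /etc/shadow "/etc/shadow.bak${DATE}"

# usermod -L prefixes the password hash with '!' so the account can no longer
# authenticate with a password; the account itself stays in /etc/passwd.
# (Alternative kept from the original: rewrite the shell to nologin directly,
#  sed -i "s/${user}$/nologin/" /etc/passwd)
for user in lp nscd dbus vcsa nobody avahi sync ftp mail shutdown halt news uucp operator games gopher; do
  # skip names that do not exist on this host instead of letting usermod error out
  if ! getent passwd "$user" >/dev/null; then
    echo "user $user does not exist, skipping" >>"$log_name"
    continue
  fi
  echo "will disable login for $user" >>"$log_name"
  if usermod -L "$user"; then
    echo "The user $user login have disabled!" >>"$log_name"
  else
    echo "usermod -L $user failed" >>"$log_name"
  fi
done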

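## minimum password length must be 8
# Read the active (uncommented) PASS_MIN_LEN value.  Matching on the first awk
# field replaces the cat|grep|grep|awk chain and cannot pick up a commented
# "#PASS_MIN_LEN" line; if the key appears more than once the last one wins,
# which is how login.defs itself is read.
len=$(awk '$1 == "PASS_MIN_LEN" {v = $2} END {if (v != "") print v}' /etc/login.defs)
# Quoted so an empty value is still a valid test (the original "[ ${len} != 8 ]"
# was a syntax error when the key was missing).
if [[ "$len" != 8 ]]; then
  cp -p /etc/login.defs "/etc/login.defs.bak${DATE}"
  echo "现在密码长度为:$len ,需要修改默认最小密码长度" >>"$log_name"
  # Replace the whole number rather than "s/5/8/g": the old expression turned
  # every digit 5 on the line into 8 (15 -> 18) and did nothing if the value
  # was not 5.  If the key is missing entirely, append it.
  if [[ -n "$len" ]]; then
    sed -i -E 's/^(PASS_MIN_LEN[[:space:]]+)[0-9]+/\18/' /etc/login.defs \
      && echo "密码默认长度已从${len}修改为8!!!" >>"$log_name"
  else
    echo "PASS_MIN_LEN 8" >>/etc/login.defs \
      && echo "PASS_MIN_LEN 未设置,已追加为8" >>"$log_name"
  fi
else
  echo "当前的密码长度为:$(grep -E '^PASS_MIN_LEN' /etc/login.defs)" >>"$log_name"
  echo "口令到期提醒时间为:$(grep -E '^PASS_WARN_AGE' /etc/login.defs)" >>"$log_name"
fi
# NOTE(review): on a PAM-based system the effective minimum is normally the
# minlen= set in /etc/pam.d/system-auth below, not this value — verify which
# one passwd actually enforces on this host.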
 
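## check whether any account other than root has UID 0
# Prints the UID-0 login names other than "root" from a passwd-format file
# (default /etc/passwd), one per line; prints nothing when there are none.
# The original filtered with "grep -v root", which also hid any UID-0 account
# whose name merely contains "root" (e.g. root2) — exactly the kind of
# backdoor account this check exists to find.
list_extra_uid0() {
  local passwd_file=${1:-/etc/passwd}
  awk -F: '$3 == 0 && $1 != "root" {print $1}' "$passwd_file"
}

su_num=$(list_extra_uid0 /etc/passwd)
if [[ -z "$su_num" ]]; then
  echo "系统中不存在root用户之外具有root权限的用户" >>"$log_name"
else
  # log the names, not just the fact, so the operator knows which accounts to fix
  echo "系统中存在root用户之外具有root权限的用户,需进行修改UID: ${su_num//$'\n'/ }" >>"$log_name"
fi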


# Make the account databases immutable.  After this, useradd/usermod/passwd
# (anything that rewrites these files) fails until "chattr -i" is run again.
# i: the file cannot be deleted, renamed, hard-linked, written to or appended
#    to — a strong protection for these files, but remember to lift it before
#    any account maintenance.
for account_db in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
  chattr +i "$account_db"
done
echo "chattr /etc/passwd /etc/shadow  success" >>"$log_name"

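# password complexity: pam_cracklib in system-auth
cp -p /etc/pam.d/system-auth "/etc/pam.d/system-auth.bak${DATE}"
# On CentOS 7 /etc/pam.d/system-auth is normally a symlink to system-auth-ac
# maintained by authconfig.  Plain "sed -i" replaces the symlink with a
# regular file; follow it so the real target is edited in place.
sed -i --follow-symlinks "s/password    requisite.*/password    requisite     pam_cracklib.so retry=5 difok=1 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 dictpath=\/usr\/share\/cracklib\/pw_dict/" /etc/pam.d/system-auth
# Confirm the substitution matched; a different layout of system-auth would
# otherwise leave the policy unset while the log still claimed success.
if grep -q 'pam_cracklib.so' /etc/pam.d/system-auth; then
  echo "设置密码复杂度success" >>"$log_name"
else
  echo "设置密码复杂度失败: system-auth 中未找到 'password    requisite' 行" >>"$log_name"
fi
# NOTE(review): a later authconfig run can regenerate system-auth-ac and drop
# this line — re-check after any authconfig invocation.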
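# lock the account after 5 failed logins; a retry is allowed after 5 minutes
# (pam_tally2).  The older pam_tally variant is kept for reference:
# sed -i 's#auth required pam_env.so#auth required pam_env.sonauth required pam_tally.so onerr=fail deny=3 unlock_time=300nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
# Operator reference:
#   pam_tally2 --user            list users with their failure counts
#   pam_tally2 -r -u <user>      reset the counter (unlock) for one user
cp -p /etc/pam.d/sshd "/etc/pam.d/sshd.bak${DATE}"
# "1a" appends after line 1 unconditionally, so every run of this script
# inserted another copy of the rule; only add it when it is not there yet.
if grep -q 'pam_tally2.so' /etc/pam.d/sshd; then
  echo "登录失败锁定已存在,跳过" >>"$log_name"
else
  sed -i '1aauth       required     pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/sshd
  # the log previously named pam_tally.so; the module inserted is pam_tally2.so
  echo "登录失败锁定已设置,使用pam_tally2.so模块">>"$log_name"
fi
# NOTE(review): with only an auth line the failure counter is not reset on a
# successful login; pam_tally2 documents an "account required pam_tally2.so"
# line for that.  Confirm before relying on the 5-minute unlock alone —
# otherwise legitimate users accumulate failures until they are locked out.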

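# idle interactive sessions exit after 5 minutes (TMOUT is honoured by bash)
# backup name now carries the same .bak suffix as every other backup here
cp -p /etc/profile "/etc/profile.bak${DATE}"
# append only once; the original appended a new TMOUT line on every run
if ! grep -q '^TMOUT=' /etc/profile; then
  echo "TMOUT=300" >>/etc/profile
fi
echo "当前的登录超时设置为:$(grep TMOUT /etc/profile)" >>"$log_name"
# NOTE(review): a user can still "unset TMOUT"; "readonly TMOUT" after the
# assignment would prevent that.  Left unchanged here to keep the original
# behaviour — decide explicitly.

# keep 4000 history entries with timestamps so shell history is useful as an
# audit trail; again only appended when not already present
if ! grep -q '^HISTTIMEFORMAT=' /etc/profile; then
  cat >>/etc/profile <<'EOF'
HISTFILESIZE=4000
HISTSIZE=4000
HISTTIMEFORMAT='%F %T '
export HISTTIMEFORMAT
EOF
fi

# apply /etc/profile to this shell; other sessions pick it up at next login
source /etc/profile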

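# enable SYN cookies in /etc/sysctl.conf
# When the SYN backlog overflows, the kernel answers with cookies instead of
# dropping connections, which blunts a small SYN flood.  Default 0 = off.
cp -p /etc/sysctl.conf "/etc/sysctl.conf.bak${DATE}"
# Append only when the setting is not already active in the file; sysctl -p
# applies entries in order, so an existing "=0" line is still overridden by
# the "=1" appended after it.
if ! grep -qE '^net\.ipv4\.tcp_syncookies[[:space:]]*=[[:space:]]*1[[:space:]]*$' /etc/sysctl.conf; then
  echo "net.ipv4.tcp_syncookies=1" >>/etc/sysctl.conf
fi
# -p reloads the whole file; any typo elsewhere in sysctl.conf shows up here
sysctl -p
echo "开启SYN Cookies">>"$log_name"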

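# sshd_config: cap password attempts per connection (6 is also sshd's
# compiled-in default, so this only makes it explicit) and disable reverse
# DNS lookups, which slow logins and add nothing to authentication.
cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak${DATE}"
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
# Validate before sshd is ever restarted: a broken sshd_config stops sshd
# from coming back up and locks out remote administration.
if sshd -t; then
  echo "限制服务器被SSH尝试,默认为6">>"$log_name"
  # sshd reads its config at start; the change is inert until a restart
  echo "sshd_config 已修改,需重启 sshd 后生效">>"$log_name"
else
  echo "sshd_config 校验失败,备份保留在 /etc/ssh/sshd_config.bak${DATE}">>"$log_name"
fi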

# limit chmod important commands
# Mode 700 leaves these binaries runnable by root only.  Note this also stops
# ordinary users from running ping, who, w and which.
# NOTE(review): this list and the checksum list further down do not agree
# (/usr/bin/finger vs /bin/finger, /usr/bin/pico vs /bin/pico) — reconcile.
restricted_cmds=(
  /bin/ping
  /usr/bin/finger
  /usr/bin/who
  /usr/bin/w
  /usr/bin/locate
  /usr/bin/whereis
  /sbin/ifconfig
  /usr/bin/pico
  /bin/vi
  /usr/bin/which
  /usr/bin/gcc
  /usr/bin/make
  /bin/rpm
)
for cmd in "${restricted_cmds[@]}"; do
  chmod 700 "$cmd"
done

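# history security: root's history file may only ever grow.
# The original set +a and then +i.  As the chattr note earlier in this file
# says, +i forbids any write or append, so bash could no longer record new
# commands at all and the history stopped being an audit trail.  Append-only
# (+a) is the attribute that actually serves that purpose.
touch /root/.bash_history          # +a fails if the file does not exist yet
chattr +a /root/.bash_history
# NOTE(review): bash rewrites the history file on exit unless histappend is
# set, and that rewrite fails on an append-only file; "shopt -s histappend"
# in /etc/profile or /etc/bashrc is normally needed next to +a — confirm.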

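# write important command md5
# Baseline checksums of the restricted binaries so later tampering can be
# detected by re-running md5sum and diffing.  The list lives in memory: the
# original wrote it to a file literally named "list" in the current directory
# and deleted it afterwards, which clobbers any existing file of that name and
# runs the loop through an unquoted `cat list` (word-splitting on every line).
baseline_cmds=(
  /bin/ping
  /bin/finger
  /usr/bin/who
  /usr/bin/w
  /usr/bin/locate
  /usr/bin/whereis
  /sbin/ifconfig
  /bin/pico
  /bin/vi
  /usr/bin/vim
  /usr/bin/which
  /usr/bin/gcc
  /usr/bin/make
  /bin/rpm
)
baseline_log="/var/log/$(hostname).log"
for i in "${baseline_cmds[@]}"; do
  # -x: only record binaries that exist and are executable on this host
  if [[ ! -x "$i" ]]; then
    echo "$i not found,no md5sum!"
  else
    md5sum "$i" >>"$baseline_log"
  fi
done
# NOTE(review): sha256sum would be the stronger baseline; md5sum is kept so
# the existing log stays comparable.  Copy this log off-host — whoever can
# replace one of these binaries as root can also rewrite the baseline file.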

内网普通用户密钥登录

  1. 修改sshd_config配置文件
vim /etc/ssh/sshd_config 
PermitRootLogin no  ##不允许root登录
PasswordAuthentication no   #不允许密码登录
Port 21201  ##修改默认22端口登录

2.生成密钥
使用普通用户登录


image.png

箭头指的方向输入密钥登录的密码即可,就会发现已经生成一对密钥

-bash-4.2$ pwd
/nginx/.ssh
-bash-4.2$ ll
total 8
-rw------- 1 nginx nginx 1766 May 22 17:22 id_rsa
-rw-r--r-- 1 nginx nginx  403 May 22 17:22 id_rsa.pub
将公钥放置到~/.ssh/authorized_keys中,如下
-bash-4.2$ chmod 400 authorized_keys    #赋权
-bash-4.2$ ll
total 8
-r-------- 1 nginx nginx  403 May 22 17:25 authorized_keys
drwxrwxr-x 2 nginx nginx 4096 May 22 17:26 rsa
-bash-4.2$ pwd
/nginx/.ssh

3.使用xshell等工具登录


image.png

配置好即可登录
4.赋予sudo权限

vim /etc/sudoers
nginx   ALL=(ALL)       ALL

问题:
可能出现无法登陆的情况:
登录失败锁定已设置

sed -i '1aauth       required     pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/sshd
手动解除锁定:
查看某一用户错误登陆次数:
pam_tally2 --user
例如,查看work用户的错误登陆次数:
pam_tally2 --user work
清空某一用户错误登陆次数:
pam_tally2 --user --reset
例如,清空 work 用户的错误登陆次数,
pam_tally2 --user work --reset


