Welcome to the 仓酷云 forum! Once CentOS has been installed, the fresh system still needs some simple configuration before it can be considered reasonably secure and reliable. Below we introduce some of the most basic protective measures that raise the operating system's security a step further.
1. Change the minimum password length for users
Password security is the first step in securing the system, so we must require strong passwords. The required minimum password length can be set by editing /etc/login.defs.
The original contents of /etc/login.defs are as follows:
[root@localhost ~]# vi /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail
# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
Change the minimum password length to 8:
PASS_MIN_LEN    8
(As the header comment in the file itself points out, this setting governs the shadow-utils tools only; the passwd command goes through PAM, so its length rule is configured in /etc/pam.d/system-auth.)
2. Comment out users and groups the system does not need
After CentOS 6.4 is installed, we need to deal with the users and groups that are not needed, to reduce the security problems they could give rise to.
The original contents of /etc/passwd are as follows:
[root@localhost ~]# vi /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
pulse:x:498:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
Comment out the following users (the lines are listed in the form the post gives them, the passwd entry prefixed with #userdel: either comment the entry out in /etc/passwd or remove the account with userdel <name>; keep the ftp account if anonymous access through vsftpd is still needed, since that service runs under it):
#userdel adm:x:3:4:adm:/var/adm:/sbin/nologin
#userdel lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#userdel sync:x:5:0:sync:/sbin:/bin/sync
#userdel shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#userdel halt:x:7:0:halt:/sbin:/sbin/halt
#userdel uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#userdel operator:x:11:0:operator:/root:/sbin/nologin
#userdel games:x:12:100:games:/usr/games:/sbin/nologin
#userdel gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#userdel ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
The original contents of /etc/group are as follows:
[root@localhost ~]# vi /etc/group
root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
tty:x:5:
disk:x:6:
lp:x:7:daemon
mem:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:mail,postfix
uucp:x:14:
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
usbmuxd:x:113:
utmp:x:22:
utempter:x:35:
desktop_admin_r:x:499:
desktop_user_r:x:498:
floppy:x:19:
vcsa:x:69:
rpc:x:32:
rtkit:x:497:
avahi-autoipd:x:170:
cdrom:x:11:
tape:x:33:
dialout:x:18:
wbpriv:x:88:
pulse:x:496:
pulse-access:x:495:
fuse:x:494:
haldaemon:x:68:haldaemon
ntp:x:38:
apache:x:48:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
abrt:x:173:
rpcuser:x:29:
nfsnobody:x:65534:
gdm:x:42:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
sshd:x:74:
tcpdump:x:72:
slocate:x:21:
ldap:x:55:
Comment out the following groups (again shown as the post gives them, the group entry prefixed with #groupdel):
#groupdel adm:x:4:adm,daemon
#groupdel lp:x:7:daemon
#groupdel uucp:x:14:
#groupdel games:x:20:
#groupdel dip:x:40:
3. Check the system's secure login log
By reviewing /var/log/secure we can see which users and IP addresses have logged in. The excerpt below also records failed vsftpd authentication attempts for unknown user names from 192.168.1.4, which is exactly the kind of entry this check is meant to surface.
[root@localhost ~]# more /var/log/secure grep refused
(The command as typed is missing the pipe, so more treats grep and refused as file names; that is why two "no such file or directory" errors appear at the end of the output. The intended filter is grep refused /var/log/secure.)
::::::::::::::
/var/log/secure
::::::::::::::
Jan 16 22:33:29 localhost polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.23, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jan 16 22:33:32 localhost sshd[1728]: Received signal 15; terminating.
Jan 16 22:33:32 localhost sshd[2460]: Exiting on signal 15
Jan 16 22:33:32 localhost sshd[2460]: pam_unix(sshd:session): session closed for user root
Jan 17 15:54:27 localhost sshd[1737]: Server listening on 0.0.0.0 port 22.
Jan 17 15:54:27 localhost sshd[1737]: Server listening on :: port 22.
Jan 17 15:54:35 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.24 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Jan 17 15:54:50 localhost sshd[2461]: Accepted password for root from 192.168.1.3 port 55918 ssh2
Jan 17 15:54:50 localhost sshd[2461]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 17 16:01:55 localhost polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.24, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jan 17 16:01:58 localhost sshd[1737]: Received signal 15; terminating.
Jan 17 16:01:58 localhost sshd[2461]: Exiting on signal 15
Jan 17 16:01:58 localhost sshd[2461]: pam_unix(sshd:session): session closed for user root
Jan 29 10:49:52 localhost sshd[1728]: Server listening on 0.0.0.0 port 22.
Jan 29 10:49:52 localhost sshd[1728]: Server listening on :: port 22.
Jan 29 10:49:57 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.23 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Jan 29 10:50:02 localhost sshd[2452]: Accepted password for root from 192.168.1.4 port 53853 ssh2
Jan 29 10:50:02 localhost sshd[2452]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 29 10:51:43 localhost vsftpd[2482]: pam_unix(vsftpd:auth): check pass; user unknown
Jan 29 10:51:43 localhost vsftpd[2482]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=fsdaf rhost=192.168.1.4
Jan 29 10:51:43 localhost vsftpd[2482]: pam_succeed_if(vsftpd:auth): error retrieving information about user fsdaf
Jan 29 10:51:58 localhost vsftpd[2484]: pam_unix(vsftpd:auth): check pass; user unknown
Jan 29 10:51:58 localhost vsftpd[2484]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ithov rhost=192.168.1.4
Jan 29 10:51:58 localhost vsftpd[2484]: pam_succeed_if(vsftpd:auth): error retrieving information about user ithov
Jan 29 10:54:35 localhost sshd[2452]: pam_unix(sshd:session): session closed for user root
Jan 29 10:54:36 localhost sshd[2493]: Accepted password for root from 192.168.1.4 port 54693 ssh2
Jan 29 10:54:36 localhost sshd[2493]: pam_unix(sshd:session): session opened for user root by (uid=0)
grep: 没有那个文件或目录
refused: 没有那个文件或目录
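As an added example (not part of the original post), the following POSIX shell script summarises a /var/log/secure style file: it lists the accepted SSH logins and counts PAM authentication failures per service and source address, which makes an excerpt like the one above much quicker to review. The sample log lines are constructed in the same format as the post's excerpt.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a /var/log/secure
# style file so that accepted logins and failed PAM authentications can be
# reviewed per source address. Expects the CentOS 6 syslog line format
# shown in the post.

# Print "<user> <source-ip>" for every accepted SSH login in the file.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11 }' "$1"
}

# Count PAM "authentication failure" lines per service and remote host;
# output is "<count> <service> <rhost>", most frequent first.
auth_failures_by_host() {
    awk '/: authentication failure;/ {
             svc = $0
             sub(/.*pam_unix\(/, "", svc); sub(/:auth\).*/, "", svc)
             host = "unknown"
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^rhost=/) host = substr($i, 7)
             n[svc " " host]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample lines in the format of the post's excerpt.
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 29 10:50:02 localhost sshd[2452]: Accepted password for root from 192.168.1.4 port 53853 ssh2
Jan 29 10:51:43 localhost vsftpd[2482]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=fsdaf rhost=192.168.1.4
Jan 29 10:51:58 localhost vsftpd[2484]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ithov rhost=192.168.1.4
Jan 29 10:53:10 localhost sshd[2490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.9 user=root
Jan 29 10:54:36 localhost sshd[2493]: Accepted password for root from 192.168.1.4 port 54693 ssh2
EOF

echo "Accepted logins (user source):"
accepted_logins "$SAMPLE_LOG"
echo "Authentication failures (count service rhost):"
auth_failures_by_host "$SAMPLE_LOG"
```

Point both functions at /var/log/secure itself to run the same summary on a real host.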
4. Use chattr to give the following files the immutable attribute
This effectively prevents unauthorized users from modifying these files. Note that while the attribute is set, useradd, usermod, passwd and similar tools cannot update them either; remove it with chattr -i before making legitimate account changes and set it again afterwards.
[root@localhost ~]# chattr +i /etc/passwd
[root@localhost ~]# chattr +i /etc/shadow
[root@localhost ~]# chattr +i /etc/group
[root@localhost ~]# chattr +i /etc/gshadow
5. Change the SSH port to strengthen login security
After CentOS 6.4 is installed, SSH accepts connections on port 22 by default, just as Windows Server 2008 uses 3389. Even an ordinary user can easily guess which service such a port provides, so it is recommended to use a port above 10000, which also somewhat lowers the chance that the port is found when someone scans the host.
Do not allow connections using the old version of the SSH protocol:
[root@localhost ~]# vi /etc/ssh/sshd_config
Change #Protocol 2,1 to
Protocol 2
(Note: CentOS 6 already disables the old protocol version by default; the default value is Protocol 2.)
Change Port to a port above 1000:
[root@localhost ~]# vi /etc/ssh/sshd_config
Port 10000
(With SELinux in enforcing mode, sshd is only allowed to bind ports labelled ssh_port_t, which is just 22 by default; label the new port first with semanage port -a -t ssh_port_t -p tcp 10000, otherwise sshd will fail to start after the change.)
Open the port in the firewall and restart the firewall for the rule to take effect:
[root@localhost ~]# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
[root@localhost ~]# service iptables restart
iptables：清除防火墙规则：[确定]
iptables：将链设置为政策 ACCEPT：filter [确定]
iptables：正在卸载模块：[确定]
iptables：应用防火墙规则：[确定]
iptables：载入额外模块：ip_nat_ftp [确定]
6. Prevent IP spoofing
Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:
order bind,hosts
multi off
nospoof on
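As an added example (not the post's own code), the following POSIX shell script reads back the settings from steps 1, 2, 5 and 6 so the edits can be verified afterwards; each function takes the file to inspect as an argument, so it can be run against the real /etc files. Here it runs against constructed sample copies, with login.defs and passwd still in their default state and sshd_config and host.conf already edited.

```shell
#!/bin/sh
# Added example (not the post's own code): read back the settings changed in
# steps 1, 2, 5 and 6 so the result can be verified. Every function takes the
# file to inspect, so it can be pointed at the real /etc files or at the
# constructed sample copies created below.

# Effective value of a "KEY value" directive, ignoring comment lines; prints
# the default ($3) when the key is absent. The last occurrence wins.
config_value() {   # file key default
    awk -v key="$2" -v def="$3" '
        $0 !~ /^[[:space:]]*#/ && $1 == key { val = $2 }
        END { print (val == "" ? def : val) }' "$1"
}

# Succeeds when PASS_MIN_LEN is at least 8 (the value the post sets).
pass_min_len_ok() { [ "$(config_value "$1" PASS_MIN_LEN 5)" -ge 8 ]; }

# Succeeds when sshd listens above the privileged range and only speaks
# protocol 2 (keywords are case-insensitive in sshd_config; the sample uses
# the capitalised form found in the stock file).
sshd_config_ok() {
    [ "$(config_value "$1" Port 22)" -gt 1024 ] &&
    [ "$(config_value "$1" Protocol 2)" = "2" ]
}

# Succeeds when host.conf contains "nospoof on".
nospoof_ok() { [ "$(config_value "$1" nospoof off)" = "on" ]; }

# Names from the post's removal list that still exist in a passwd file.
leftover_accounts() {
    awk -F: 'BEGIN { n = split("adm lp sync shutdown halt uucp operator games gopher ftp", w, " ")
                     for (i = 1; i <= n; i++) want[w[i]] = 1 }
             $1 in want { print $1 }' "$1"
}

# Constructed sample files: login.defs and passwd in their default state,
# sshd_config and host.conf already edited as the post describes.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n' > "$TMP/login.defs"
printf '#Port 22\nPort 10000\n#Protocol 2,1\nProtocol 2\n' > "$TMP/sshd_config"
printf 'order bind,hosts\nmulti off\nnospoof on\n' > "$TMP/host.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n' > "$TMP/passwd"

pass_min_len_ok "$TMP/login.defs" && echo "PASS_MIN_LEN ok" || echo "PASS_MIN_LEN below 8"
sshd_config_ok "$TMP/sshd_config" && echo "sshd_config ok" || echo "sshd_config needs attention"
nospoof_ok "$TMP/host.conf" && echo "nospoof on" || echo "nospoof not enabled"
echo "Accounts from the post's list still present:"
leftover_accounts "$TMP/passwd"
```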