CentOS服务器安全配置策略
时间:2016-7-20 | 作者:楼台听枫雨 | 分类:linux技术部 | 评论(0) | 浏览(2825) | uedbet最新网站: centos ssh防暴力破解 安全策略
近期服务器频繁有被入侵的,大致分析了一下入侵行为,整理了需要做的安全策略:
管理机端设置:
1.
跳板机权限只开放运维人员
a.运维人员密码必须重新设置,密码长度不小于
8
位
b.密码设置必须要有大小写,数字,特殊字符组合。
c.强制
90
天更改密码
d.设置密码避免重复使用
e.个人账户设定登录失败次数为
6
次,一旦超过
6
次,将会锁定账号。
2.
跳板机禁止root登录,每周update
3.
禁止在跳板机上保存登录密码,ip列表等信息,将history记录默认设置为
500
条。
4.
修改PPTP vpn服务器账户密码,定期更新补丁。
服务端设置:
a.登录段配置同之前配置。
b.定期修改密码。
c.服务器端每周update补丁。
d.禁用root直接登录,创建运维人员单独账号。必要时使用sudo成为root进行管理
e.服务器禁止ping操作,增加安全性。
d.隐藏系统版本号,防止版本信息泄露
d.优化sysct.conf预防DDoS攻击
e.定时检查主要配置文件,系统主要目录是否有异常,可通过MD5校验如发现有变动重新分发一份。如
/
etc
/
passwd
/
etc
/
shadow
/
etc
/
group
/
etc
/
sysctl.conf,
/
bin
/
sbin等。
具体细节如下:
#设定用户90天修改密码,提前7天提醒
UserList=$(ls /home/|awk '{print $NF}'|grep -v lost+found)
for user in $UserList
do
chage -M 90 -W 7 $user
done
echo
1 >
/proc/sys/net/ipv4/icmp_echo_ignore_all
cp
/etc/login
.defs
/etc/login
.defs.bak
sed
-i
'/PASS_MIN_LEN/s/[0-9]\{1,6\}/90/'
/etc/login
.defs
sed
-i
'/PASS_MIN_LEN/s/[0-9]\{1,3\}/8/'
/etc/login
.defs
echo
"account required pam_tally.so deny=100 no_magic_root reset"
>>
/etc/pam
.d
/system-auth
echo
"auth required pam_tally.so onerr=fail deny=6 unlock_time=300"
>>
/etc/pam
.d
/system-auth
mv
/etc/issue
/etc/isseu
mv
/etc/issue
.net
/etc/isseu
.net
mv
/etc/redhat-release
/etc/rehdat-release
echo
'
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
# ------------- Kernel Optimization -------------
net.ipv4.tcp_max_tw_buckets = 60000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 655360
net.ipv4.netfilter.ip_conntrack_max =655360
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180 ' >>
/etc/sysctl
.conf
#生效
sysctl -p
echo
'
#history
export
HISTTIMEFORMAT=
"%F %T `whoami` "
USER_IP=`
who
-u am i 2>
/dev/null
|
awk
'{print $NF}'
|
sed
-e
's/[()]//g'
`
HISTDIR=
/usr/local/bin/
.
history
if
[ -z $USER_IP ]
then
USER_IP=`
hostname
`
fi
if
[ ! -d $HISTDIR ]
then
mkdir
-p $HISTDIR
chmod
777 $HISTDIR
fi
if
[ ! -d $HISTDIR/${LOGNAME} ]
then
mkdir
-p $HISTDIR/${LOGNAME}
chmod
300 $HISTDIR/${LOGNAME}
fi
export
HISTSIZE=4000
DT=`
date
+%Y%m%d_%H%M%S`
export
HISTFILE=
"$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT"
chmod
600 $HISTDIR/${LOGNAME}/*.
history
* 2>
/dev/null
'>>
/etc/profile
/etc/hosts
.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd:192.168.1.101
/etc/hosts
.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:all
iptables-save
useradd
mdf
echo
-e
'pwd123456'
|
passwd
mdf --stdin
sed
-i
's/#PermitRootLogin yes/PermitRootLogin no/g'
/etc/ssh/sshd_config
sed
-i
's/GSSAPIAuthentication yes/GSSAPIAuthentication no/'
/etc/ssh/sshd_config
sed
-i
'/#UseDNS yes/a\UseDNS no'
/etc/ssh/sshd_config
/etc/init
.d
/sshd
restart
本文固定链接:http://www.fengtec.net/?post=33
本文由楼台听枫雨原创或编辑,互联分享,尊重版权,转载请以链接形式标明本文地址
本文由楼台听枫雨原创或编辑,互联分享,尊重版权,转载请以链接形式标明本文地址
你可能感兴趣的话题
发表评论: