Category: LINUX

2007-04-24 18:01:36

1. Using the Bastille tool
  
  Bastille is a collection of security-setting scripts; many hardening settings can be applied automatically with it.
Once Bastille has been installed, BastilleBackEnd can reuse a configuration file prepared earlier.
Editing /etc/Bastille/config is all that is needed to customize the security scripts. Bastille's general configuration does not cover parameters such as the firewall.
If needed, run InteractiveBastille.pl after installation for an interactive setup. Bastille starts a wizard, and
answering yes or no to each question generates a configuration file suited to your own system.
Interactive prompt responses
These settings are recommendations for the Perfect Setup install.
There may be certain values that need to change if other software or packages have been installed.
accept
Would you like to set more restrictive permissions on the administration utilities? -> YES
Would you like to disable SUID status for mount/umount? -> YES
Would you like to disable SUID status for ping? -> YES
Would you like to disable SUID status for at? -> YES
Would you like to disable the r-tools? -> YES
Would you like to disable SUID status for usernetctl? -> YES
Would you like to disable SUID status for traceroute? -> YES
Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
Would you like to enforce password aging? -> YES
Do you want to set the default umask? -> YES
What umask would you like to set for users on the system? -> 007
Should we disallow root login on tty's 1-6? -> NO
Should Bastille ask you for extraneous accounts to delete? -> NO
Would you like to password-protect the GRUB prompt? -> NO
Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
Would you like to password protect single-user mode? -> NO
Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
Would you like to display "Authorized Use" messages at log-in time? -> YES
Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
Would you like to put limits on system resource usage? -> YES
Should we restrict console access to a small group of user accounts? -> YES
Which accounts should be able to login at console? -> root
Would you like to set up process accounting? -> NO
Would you like to disable acpid and/or apmd? -> YES
Would you like to disable PCMCIA services? -> YES
Would you like to disable GPM? -> YES
Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? -> YES
Would you like to deactivate the ISDN script on this machine? -> YES
Would you like to deactivate kudzu's run at boot? -> YES
Do you want to stop sendmail from running in daemon mode? -> YES
Would you like to deactivate named, at least for now? -> NO
Would you like to deactivate the Apache web server? -> NO
Would you like to bind the Web server to listen only to the localhost? -> NO
Would you like to bind the web server to a particular interface? -> NO
Would you like to deactivate the following of symbolic links? -> YES
Would you like to disable printing? -> YES
Would you like to install TMPDIR/TMP scripts? -> NO
Would you like to run the packet filtering script? -> YES
Do you need the advanced networking options? -> NO
DNS Servers: [0.0.0.0/0] -> **LEAVE DEFAULT**
Public interfaces: -> eth+
TCP services to audit: -> telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
UDP services to audit: -> 31337
ICMP services to audit: -> **BLANK**
TCP service names or port numbers to allow on public interfaces: -> 21 22 25 53 80 110 111 143 443 631 953 993 995 3306
UDP service names or port numbers to allow on public interfaces: -> **BLANK**
Force passive mode? -> YES
TCP services to block: -> 2049 2065:2090 6000:6020 7100
UDP services to block: -> 2049 6770
ICMP allowed types: -> destination-unreachable echo-reply time-exceeded
Enable source address verification? -> YES
Reject method: -> DENY
Interfaces for DHCP queries: -> **BLANK**
NTP servers to query: -> **BLANK**
ICMP types to disallow outbound: -> destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? -> YES
Would you like to setup psad? -> YES
psad check interval: -> 15
Port range scan threshold: -> 1
Enable scan persistence? -> NO
Scan timeout: -> 3600
Show all scan signatures? -> NO
Danger Levels: -> 5 50 1000 5000 10000
Email addresses: ->
Email alert danger level: -> 1
Alert on all new packets? -> YES
Enable automatic blocking of scanning IPs? -> NO
Should Bastille enable psad at boot time? -> YES
Are you finished answering the questions, i.e. may we make the changes? -> YES
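As an added example (not Bastille's own generated firewall script and not from the original post), the following shell script turns the packet-filter answers above into an iptables ruleset that can be printed and reviewed before it is applied. The interface name, port lists and ICMP types restate the answers; the rule layout, the stateful `-m state` rule, the rp_filter sysctl and the `apply` argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example: emit iptables rules matching the Bastille answers above.
# The lists restate the page's answers; everything else is this example's choice.
PUBLIC_IF="eth+"
ALLOW_TCP="21 22 25 53 80 110 111 143 443 631 953 993 995 3306"
BLOCK_TCP="2049 2065:2090 6000:6020 7100"
BLOCK_UDP="2049 6770"
ALLOW_ICMP="destination-unreachable echo-reply time-exceeded"
DENY_OUT_ICMP="destination-unreachable time-exceeded"

emit_rules() {
    # Reject method DENY: unwanted packets are silently dropped by policy.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Explicit blocks come first so they win over any later allow rule.
    for p in $BLOCK_TCP; do
        echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $p -j DROP"
    done
    for p in $BLOCK_UDP; do
        echo "iptables -A INPUT -i $PUBLIC_IF -p udp --dport $p -j DROP"
    done
    # Only new connections to the listed TCP services are accepted on public interfaces.
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $p --syn -j ACCEPT"
    done
    for t in $ALLOW_ICMP; do
        echo "iptables -A INPUT -i $PUBLIC_IF -p icmp --icmp-type $t -j ACCEPT"
    done
    # ICMP types this host must not send out ("ICMP types to disallow outbound").
    for t in $DENY_OUT_ICMP; do
        echo "iptables -A OUTPUT -o $PUBLIC_IF -p icmp --icmp-type $t -j DROP"
    done
    # Source address verification: strict reverse-path filtering.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
}

# Number of chain rules the script would add (handy for a quick sanity check).
count_rules() { emit_rules | grep -c '^iptables -A'; }

# Usage: sh firewall.sh        -> print the rules for review
#        sh firewall.sh apply  -> execute them (requires root)
if [ "${1:-}" = "apply" ]; then emit_rules | sh; else emit_rules; fi
```

Printing first and applying second mirrors the "review, then run at boot" step of the wizard: the generated lines can be kept under version control and diffed against what Bastille wrote.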
2. Edit the ssh configuration:
vi /etc/ssh/sshd_config
Edit the following lines and remove the comment marker. Do not forget to save and exit.
#Protocol 2,1 -> Protocol 2
#PermitEmptyPasswords no -> PermitEmptyPasswords no
service sshd restart
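The same two edits can be made without an editor, which matters when the change has to be repeated on many hosts. The script below is an added example, not part of the original post: set_sshd_option replaces the first line for a keyword whether it is commented out or already active, or appends the keyword when it is missing, so running it twice leaves the file unchanged. The function names and the restart line are this example's assumptions.

```shell
#!/bin/sh
# Added example: apply the sshd_config changes from the post idempotently.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    # Replace the first matching line (commented or not); append if none exists.
    awk -v k="$key" -v v="$value" '
        !done && $0 ~ ("^[#[:space:]]*" k "([[:space:]]|$)") { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    # Write back through the original file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Effective value of a keyword: the first active line wins, as in sshd itself.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" Protocol 2
    set_sshd_option "$cfg" PermitEmptyPasswords no
}

# Usage as root, checking the syntax before the daemon is restarted:
#   harden_sshd && sshd -t && service sshd restart
```

Running `sshd -t` before the restart is the check worth keeping: a syntax error in sshd_config otherwise leaves the host without a working ssh daemon.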
3. Limit the number of users who can su
  
  
Add a restriction on switching to the root user. With PAM, anyone outside the wheel group can be forbidden from using su to become root.
  /usr/sbin/usermod -G 10 nanwang    # add the account nanwang to the group with gid 10, i.e. wheel (-G replaces the supplementary group list; use -a -G to append)
Edit /etc/pam.d/su and remove the comment marker # from these lines.
  vi /etc/pam.d/su
  # password authentication is still required (no "trust" option)
  auth sufficient /lib/security/pam_wheel.so debug
  # only members of the wheel group may switch to root
  auth required /lib/security/pam_wheel.so use_uid
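After the change it is worth being able to answer "who can currently become root with su?" from the files alone. The script below is an added example, not from the original post: it lists the members of wheel from a group file and checks that the pam_wheel "required" line in the su PAM file is actually uncommented. Both paths are arguments so it can be run against copies; the default paths and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: audit the pam_wheel policy described above.
wheel_members() {
    # Field 4 of the wheel line in /etc/group is the comma-separated member list.
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

pam_wheel_required() {
    # True only when an active (uncommented) "auth required ... pam_wheel.so" line exists.
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' "$1"
}

su_audit() {
    group_file=${1:-/etc/group}; pam_file=${2:-/etc/pam.d/su}
    if pam_wheel_required "$pam_file"; then
        echo "su to root is restricted to wheel: $(wheel_members "$group_file" | tr '\n' ' ')"
        return 0
    fi
    echo "WARNING: pam_wheel is not required in $pam_file; any account that knows the root password can su"
    return 1
}

# Usage: su_audit            -> live system files
#        su_audit group.bak su.bak -> saved copies
```

The exit status makes the check usable from a cron job or a configuration-management run: a non-zero result means the restriction described in this section is not in force.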
4. Unnecessary users and groups should also be removed, using userdel and groupdel.
  
  # users that can be removed
  userdel games
  userdel news
  userdel uucp
  userdel gopher
  

5. Many configuration files and commands on the system are sensitive; tightening their permissions and adding read-only attributes with chattr can prevent a share of security problems.
  
chmod 700 /bin/rpm
chmod 600 /etc/exports
chmod 600 /etc/hosts.*
chmod -R 751 /var/log
chmod 644 /var/log/messages
chmod 640 /etc/syslog.conf
chmod 660 /var/log/wtmp
chmod 640 /var/log/lastlog
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod -R 750 /etc/pam.d
chmod 600 /etc/securetty
chmod 700 /etc/security
chmod -R 751 /etc/sysconfig
chmod 600 /etc/xinetd.conf
chmod -R 750 /etc/rc.d/init.d/
chmod 750 /etc/rc.d/init.d/*
chmod 600 /etc/crontab
chmod 400 /etc/cron.*
chmod 750 /etc/ssh
chattr +i /etc/services
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/hosts.*
chattr +i /etc/xinetd.conf
chattr +i /etc/exports
chattr +i /bin/login
chattr +a /var/log/messages
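Permissions like these drift back over time (package upgrades in particular reset them), so the useful companion to the list above is a check that reports deviations. The script below is an added example, not from the original post: it carries the single-file entries from the chmod list as an expected-mode table and compares them with what is on disk. A prefix argument lets it run against a staged copy of the tree. It assumes a `stat` that accepts `-c '%a'` (GNU coreutils or busybox); the recursive and wildcard entries of the list are represented only by their top-level directory.

```shell
#!/bin/sh
# Added example: detect drift from the permission table in this section.
# Format: absolute path, expected octal mode (restated from the chmod lines above).
EXPECTED_MODES='
/bin/rpm 700
/etc/exports 600
/var/log 751
/var/log/messages 644
/etc/syslog.conf 640
/var/log/wtmp 660
/var/log/lastlog 640
/etc/passwd 644
/etc/shadow 600
/etc/pam.d 750
/etc/securetty 600
/etc/security 700
/etc/sysconfig 751
/etc/xinetd.conf 600
/etc/crontab 600
/etc/ssh 750
'

# Print one line per deviation: "MISSING <path>" or "MISMATCH <path> have X want Y".
audit_modes() {
    prefix=${1:-}
    echo "$EXPECTED_MODES" | while read -r path want; do
        [ -n "$path" ] || continue
        f="$prefix$path"
        if [ ! -e "$f" ]; then echo "MISSING $path"; continue; fi
        have=$(stat -c '%a' "$f")
        [ "$have" = "$want" ] || echo "MISMATCH $path have $have want $want"
    done
}

# Number of deviations, for use as an exit status or a monitoring metric.
audit_count() { audit_modes "${1:-}" | grep -c ''; }

# Usage: audit_modes            -> check the live system
#        audit_modes /mnt/root  -> check a mounted copy of another root
```

A non-empty report is the signal to re-run the chmod lines, and the MISMATCH line shows the mode that was found, which helps when deciding whether a package upgrade or a person made the change.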
6. Using a rootkit checking tool
  
  chkrootkit checks the important commands on the system to determine whether they have been replaced. Because it is written against the trojans and backdoor tools that have already appeared, it must be updated regularly.
 chkrootkit uses the following commands to make its tests:
 awk, cut, egrep, find, head, id, ls, netstat, ps, strings, sed, uname, echo
 It is possible, with the `-p' option, to supply an alternate path to
 chkrootkit so it won't use the system's (possibly) compromised
 binaries to make its tests.
 
 Installation
 ---------------
 
 To compile the C programs type:
 
 # make sense
 
 To use, for example, binaries in /tmp/bin:
   # bin.tar.gz: an archive of known-good copies of the commands listed above
   mkdir /tmp/bin && tar xzf bin.tar.gz -C /tmp/bin
   # ./chkrootkit -p /tmp/bin
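chkrootkit's -p option only helps if the alternate binaries are known to be good, and chkrootkit itself only recognises replacements it has signatures for. A complementary check that needs no signatures is a hash baseline of the same command set: record the hashes while the system is trusted, store the file off the host, and compare later. The script below is an added example and is not part of chkrootkit; the command list restates the chkrootkit README quoted above, while the baseline format, the function names and the use of sha256sum are this example's assumptions.

```shell
#!/bin/sh
# Added example: hash baseline for the commands chkrootkit depends on.
CHECKED_CMDS="awk cut egrep find head id ls netstat ps strings sed uname echo"

# Record "<sha256> <command>" for each command present in $1 into the baseline file $2.
baseline_create() {
    dir=$1; out=$2
    : > "$out"
    for c in $CHECKED_CMDS; do
        if [ -f "$dir/$c" ]; then
            sha256sum "$dir/$c" | awk -v c="$c" '{ print $1, c }' >> "$out"
        fi
    done
}

# Compare the commands in $1 against baseline $2; print one line per problem.
baseline_verify() {
    dir=$1; base=$2
    while read -r sum c; do
        if [ ! -f "$dir/$c" ]; then echo "MISSING $c"; continue; fi
        now=$(sha256sum "$dir/$c" | awk '{ print $1 }')
        [ "$now" = "$sum" ] || echo "CHANGED $c"
    done < "$base"
}

# Usage: baseline_create /bin /mnt/usb/bin.sha256   (while the host is trusted)
#        baseline_verify /bin /mnt/usb/bin.sha256   (later; empty output means no change)
```

Keep the baseline and the copy of sha256sum used for verification on read-only media: a replaced sha256sum or a writable baseline defeats the check in the same way a replaced ls defeats chkrootkit without -p.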