Category: LINUX

2014-01-19 22:40:02




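CentOS 5 Production Environment System Security Hardening: Configuration Example

Version history
Date          Version   Description                                                                        Author
2012-11-25    1.0       CentOS 5 production environment system security hardening configuration example    崔四超

Note: text in red marks the hardening commands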

#############################################
1. Check the services started at boot; the following are the services to disable
chkconfig --list  |grep postfix 
chkconfig --list  |grep rsyncd
chkconfig  --list  |grep rlogin   
chkconfig  --list  |grep rsh
chkconfig  --list  |grep rexec 
chkconfig  --list  |grep snmpd
chkconfig  --list  |grep sendmail
chkconfig --list  |grep telnet
chkconfig --list  |grep vsftpd

In addition, on an internal network, iptables can also be disabled
vi /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled
###############################################
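2. Check FTP anonymous login and the snmpd password:
    Run: grep anonymous /etc/ftpusers
    Output: anonymous_enable=NO


If vsftpd is in use, also run the following:
Run: grep anonymous /etc/vsftpd/vsftpd.conf
Output: anonymous_enable=NO
(Note: anonymous_enable=NO means anonymous login is disabled)

Run:
cat /etc/snmp/snmpd.conf
   Output: check whether the SNMP community strings rocommunity or rwcommunity are still the defaults public (read-only) and private (read-write)
(Note: the default community names public and private must be changed to meet the security requirements)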


grep anonymous /etc/ftpusers
grep anonymous /etc/vsftpd/vsftpd.conf
cat /etc/snmp/snmpd.conf
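
The community-string check described above, as an added example that is not part of the original post: it flags `public`/`private` on active `rocommunity`/`rwcommunity` lines and, going slightly beyond the text, on `com2sec` lines as well. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's script: find default SNMP community strings.

# Prints "LINE:DIRECTIVE:COMMUNITY" for every active directive that still uses
# public or private; exit status is 1 when at least one finding is printed.
audit_snmp_communities() {   # FILE
    awk '
        { sub(/#.*/, "") }                     # drop comments
        NF == 0 { next }
        {
            d = tolower($1); c = ""
            if (d == "rocommunity" || d == "rwcommunity" ||
                d == "rocommunity6" || d == "rwcommunity6") {
                c = $2                         # rocommunity COMMUNITY [SOURCE [OID]]
            } else if (d == "com2sec" || d == "com2sec6") {
                i = 2
                if ($i == "-Cn") i += 2        # optional "-Cn CONTEXT"
                c = $(i + 2)                   # SECNAME SOURCE COMMUNITY
            }
            if (c == "public" || c == "private") { print NR ":" $1 ":" c; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample configuration (not taken from a real host).
sample_snmpd_conf() { cat <<'EOF'
# constructed sample
com2sec notConfigUser  default  public
rocommunity  m0nitor-ro  192.0.2.10
rwcommunity  private     127.0.0.1
#rocommunity public
EOF
}
```

Run it as `audit_snmp_communities /etc/snmp/snmpd.conf`; a non-zero exit status means a default community string is still active.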
##############################################
3. Delete unneeded users and groups:
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel gopher
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel dip

##############################################

4. Check the system file permissions; if the output below does not appear, change them
last  |more 

ls -la /etc/passwd  /etc/group /etc/shadow
    
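Output: -rw-r--r-- ******
Output: -rw-r--r-- ******
Output: -r-------- ******
(Note: the following settings meet the security requirements
/etc/passwd must be readable by all users and writable by root: -rw-r--r--
/etc/group must be readable by all users and writable by root: -rw-r--r--
/etc/shadow must be readable only by root: -r--------)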

Run: grep Protocol /etc/ssh/sshd_config
  Output: "Protocol 2"

ls -la /etc/passwd  /etc/group /etc/shadow

grep Protocol /etc/ssh/sshd_config

grep PermitRootLogin /etc/ssh/sshd_config
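Check whether the root account can log in directly. At present the server only has the root account, so no restriction has been applied yet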
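
A plain `grep` for `Protocol` or `PermitRootLogin` also matches commented-out lines such as `#PermitRootLogin yes`, so it does not show which value is actually in effect. The following added example (not part of the original post) reports the active value and checks the three file modes listed above; the function names and the sample file are constructed for illustration, and only the whitespace-separated `Keyword value` form is handled.

```shell
#!/bin/sh
# Added example, not the author's script: section 4 checks that skip comments.

# Permission string of FILE as ls -l prints it, e.g. "-rw-r--r--".
mode_of() { ls -ld "$1" | awk '{ print substr($1, 1, 10) }'; }

# Active value of KEYWORD in an sshd_config-style FILE. Comment lines are
# skipped, keywords compare case-insensitively, the first occurrence wins.
# Prints "unset" when no active line sets the keyword.
sshd_effective() {   # FILE KEYWORD
    awk -v want="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Prints one FAIL line per deviation; returns 1 if anything failed.
audit_section4() {   # PASSWD GROUP SHADOW SSHD_CONFIG
    rc=0
    expect() { [ "$2" = "$3" ] || { echo "FAIL $1: $2 (want $3)"; rc=1; }; }
    expect passwd "$(mode_of "$1")" "-rw-r--r--"
    expect group  "$(mode_of "$2")" "-rw-r--r--"
    expect shadow "$(mode_of "$3")" "-r--------"
    expect Protocol "$(sshd_effective "$4" Protocol)" "2"
    expect PermitRootLogin "$(sshd_effective "$4" PermitRootLogin)" "no"
    return $rc
}

# Constructed sample: "grep Protocol" and "grep PermitRootLogin" both match
# here, yet PermitRootLogin is not actually set.
sample_sshd_config() { cat <<'EOF'
#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
EOF
}
```

On a host, call `audit_section4 /etc/passwd /etc/group /etc/shadow /etc/ssh/sshd_config`.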


##############################################
5. Add system logging

  Run: vi  /etc/syslog.conf
    Output: check for the following entries
*.err        /var/log/errors
authpriv.info    /var/log/authpriv_info
*.info        /var/log/info
auth.none     /var/log/auth_none

   service syslog restart
    Run the following command:
head /var/log/errors  /var/log/authpriv_info  /var/log/info  /var/log/auth_none


echo "*.err                    /var/log/errors" >>/etc/syslog.conf
echo "authpriv.info            /var/log/authpriv_info" >>/etc/syslog.conf
echo "*.info                   /var/log/info" >>/etc/syslog.conf
echo "auth.none                /var/log/auth_none" >>/etc/syslog.conf

service syslog restart ; head /var/log/errors  /var/log/authpriv_info  /var/log/info  /var/log/auth_none

##############################################
6. System login timeout
vi /etc/profile
TMOUT=180
export TMOUT

##############################################
7. Change the password strength policy

cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak ;vi /etc/pam.d/system-auth
password    requisite    pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
This sets a minimum password length of 8, with at least one uppercase letter, one lowercase letter, one digit and one symbol

vi /etc/pam.d/system-auth 
password    sufficient    pam_unix.so md5 use_authtok md5 shadow  remember=5
Check the number of previous passwords that cannot be reused
##############################################
8. Password validity period
vi /etc/login.defs 
    Output: PASS_MAX_DAYS 90        // the maximum password lifetime is 90 days
            PASS_WARN_AGE 7         // a warning is issued during the 7 days before the password expires
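
An added example (not part of the original post) that audits the values from sections 7 and 8 in one pass, reading only active lines of a system-auth style file and a login.defs style file. The function names and the two sample files are constructed for illustration; the thresholds are the ones given above.

```shell
#!/bin/sh
# Added example, not the author's script: audit the section 7 and 8 settings.

# Value of option KEY on the first active "password" line that loads MODULE.
pam_password_opt() {   # FILE MODULE KEY
    awk -v mod="$2" -v key="$3" '
        $1 == "password" && index($0, mod) {
            for (i = 3; i <= NF; i++)
                if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
            exit
        }' "$1"
}

# Value of KEY in a login.defs-style FILE (first active occurrence).
login_defs_value() { awk -v key="$2" '$1 == key { print $2; exit }' "$1"; }

# check NAME VALUE OP LIMIT: numeric test; an unset or non-numeric value fails.
check() {
    [ "$2" "$3" "$4" ] 2>/dev/null && return 0
    echo "FAIL $1=${2:-unset} (want $3 $4)"; return 1
}

audit_password_policy() {   # SYSTEM_AUTH LOGIN_DEFS
    rc=0
    check minlen "$(pam_password_opt "$1" pam_cracklib.so minlen)" -ge 8 || rc=1
    for k in ucredit lcredit dcredit ocredit; do
        check "$k" "$(pam_password_opt "$1" pam_cracklib.so "$k")" -le -1 || rc=1
    done
    check remember "$(pam_password_opt "$1" pam_unix.so remember)" -ge 5 || rc=1
    check PASS_MAX_DAYS "$(login_defs_value "$2" PASS_MAX_DAYS)" -le 90 || rc=1
    check PASS_WARN_AGE "$(login_defs_value "$2" PASS_WARN_AGE)" -ge 7 || rc=1
    return $rc
}

# Constructed samples: cracklib line without the options, 99999-day lifetime.
sample_system_auth() { cat <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
EOF
}
sample_login_defs() { cat <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
}
```

On a host, call `audit_password_policy /etc/pam.d/system-auth /etc/login.defs`.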

################################################ 
9. Change the system open-file limits:
vi /etc/security/limits.conf
*  soft nofile 65536
*  hard nofile 65536
*  soft nproc 16384
*  hard nproc 16384
Normally each line starts with a user name; * matches all users

10. Change the system SSH port to 30022:
vi /etc/ssh/sshd_config
Replace #Port 22 with
Port 30022
  


  
  
#!/bin/bash
# This hardening script was tried and tested on CentOS 5.6 series systems; I wrote it for my own production environment

chkconfig  postfix off
chkconfig  rsyncd off
chkconfig  rlogin    off
chkconfig  rsh off
chkconfig  rexec  off
chkconfig  snmpd off
chkconfig  sendmail off
chkconfig  telnet off
chkconfig  vsftpd off
chkconfig  smartd off

grep SELINUX=enforcing /etc/selinux/config >/dev/null
if test $? -eq 0 ; then
    sed -i -e "s/SELINUX=enforcing/SELINUX=disabled/g"  /etc/selinux/config 
     echo "sed SELINUX=disabled success+++++++++++++++"
  else
    echo "###############SELINUX=disabled do not set"
  fi




# Report when "anonymous" is not listed in /etc/ftpusers (or the file is missing)
grep anonymous /etc/ftpusers >/dev/null 2>&1
if  test $? -ne 0 ; then
   echo "#############not find /etc/ftpuser"
  fi


grep anonymous_enable=YES /etc/vsftpd/vsftpd.conf >/dev/null
if test $? -eq 0 ; then
    sed -i -e "s/anonymous_enable=YES/anonymous_enable=NO/g"  /etc/vsftpd/vsftpd.conf
    echo "sed anonymous_enable=NO success+++++++++++++++"
  fi


#cat /etc/snmp/snmpd.conf
if [ -f /etc/snmp/snmpd.conf ]  ; then
    echo "############SNMP config file server is exist" 
  fi


userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel gopher
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel dip


grep "Protocol 2" /etc/ssh/sshd_config >/dev/null
if test $? -eq 0 ; then
    echo "###############sshd_config Protocol 2" 
   echo "###############sshd_config  normal+++++++++++++++"
  fi

grep "#PermitRootLogin yes" /etc/ssh/sshd_config >/dev/null
if test $? -eq 0 ; then
    sed -i -e "s/#PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
    service sshd restart
    echo "sed PermitRootLogin no is  success+++++++++++++++"
else
   echo "###############PermitRootLogin no is exist ,do not set"
  fi

# Create the nagios monitoring user only if it does not exist yet
idnagios=`grep '^nagios:' /etc/passwd`
if [ -z "$idnagios" ];then
/usr/sbin/useradd  nagios  
# The password is set equal to the user name; replace it with a strong secret
echo nagios | passwd nagios --stdin
echo "172.16.24.178             centos56nagios">>/etc/hosts
echo "create user nagios success +++++++++++++++"  
else
echo "####################client user nagios is exist,do not set"
fi




# -F matches the line as a fixed string, so "*" and "." are not treated as regex characters
grep -F "*.err                    /var/log/errors" /etc/syslog.conf >/dev/null
if test $? -ne 0 ; then
echo "*.err                    /var/log/errors" >>/etc/syslog.conf
echo "authpriv.info            /var/log/authpriv_info" >>/etc/syslog.conf
echo "*.info                   /var/log/info" >>/etc/syslog.conf
echo "auth.none                /var/log/auth_none" >>/etc/syslog.conf

service syslog restart ; head /var/log/errors  /var/log/authpriv_info  /var/log/info  /var/log/auth_none
echo "sed syslog success+++++++++++++++"
else
echo "####################### syslog is exist.do not set"
fi

grep "TMOUT=180" /etc/profile >/dev/null
if test $? -ne 0 ; then
    echo "TMOUT=180">>/etc/profile
    echo "export TMOUT" >>/etc/profile
   source /etc/profile
   echo "set TMOUT success+++++++++++++++"
else
   echo "#############TMOUT is exist,do not set"
  fi



oldauth="password    requisite     pam_cracklib.so try_first_pass retry=3"
newauth="password    requisite    pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1"
grep "$oldauth" /etc/pam.d/system-auth >/dev/null
if test $? -eq 0 ; then
    sed -i -e "s/$oldauth/$newauth/g" /etc/pam.d/system-auth
    echo "sed password  strength success+++++++++++++++"
   else 
    echo "##################$newauth is exist,do not set"
  fi

oldauth1="password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok"
newauth1="password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5"
grep "$newauth1" /etc/pam.d/system-auth >/dev/null
if test $? -ne 0 ; then
    sed -i -e "s/$oldauth1/$newauth1/g" /etc/pam.d/system-auth
    echo "sed password count  success+++++++++++++++"
   else 
    echo "###################passwd auth is exist,do not set"
  fi

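# Append the pam_tally2 lockout rule only once, so re-running the script does not duplicate it
grep pam_tally2.so /etc/pam.d/login >/dev/null
if test $? -ne 0 ; then
    echo "auth      required  pam_tally2.so   deny=5  lock_time=180 even_deny_root root_unlock_time=10 " >> /etc/pam.d/login
  fi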

oldauth2="99999"
newauth2="90"   
# Only rewrite the PASS_MAX_DAYS line, so any other 99999 in the file is left alone
grep "^PASS_MAX_DAYS.*$oldauth2" /etc/login.defs  >/dev/null
if test $? -eq 0 ; then
    sed -i -e "/^PASS_MAX_DAYS/s/$oldauth2/$newauth2/" /etc/login.defs
    echo "sed login.defs success+++++++++++++++" 
   else 
    echo "####################passwd date auth is exist,do not set"
  fi



grep "soft nofile 65536" /etc/security/limits.conf >/dev/null
if test $? -ne 0 ; then
echo "
*  soft nofile 65536
*  hard nofile 65536
*  soft nproc 16384
*  hard nproc 16384
" >> /etc/security/limits.conf
echo "set openfile soft is success+++++++++++++++"
else
echo "#############openfile soft is set ,do not set"
fi