CentOS 5 Production Environment System Security Hardening Configuration Example
Version history
Date Version Description Author
2012-11-25 1.0 CentOS 5 production environment system security hardening configuration example 崔四超
Note: the hardening commands (shown in red in the original) are listed after each check
#############################################
1. Check the services enabled at boot; the following are to be disabled (telnet, rsh, rlogin and rexec are xinetd services and appear under the "xinetd based services" part of the chkconfig --list output)
chkconfig --list |grep postfix
chkconfig --list |grep rsyncd
chkconfig --list |grep rlogin
chkconfig --list |grep rsh
chkconfig --list |grep rexec
chkconfig --list |grep snmpd
chkconfig --list |grep sendmail
chkconfig --list |grep telnet
chkconfig --list |grep vsftpd
If the machine is reachable only from the internal network, iptables can also be disabled. (Switching off iptables and SELinux each removes a layer of defence; keep them where the applications allow it, and at least make sure a perimeter firewall covers the host before doing so.)
vi /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled
###############################################
2. Check anonymous FTP login and the snmpd community strings:
Run: grep anonymous /etc/ftpusers
/etc/ftpusers (used by the classic FTP daemons) lists the accounts that are denied FTP login, one name per line, so anonymous should appear in it. The file does not contain anonymous_enable; that directive belongs to vsftpd.
If vsftpd is used, additionally run:
Run: grep anonymous /etc/vsftpd/vsftpd.conf
Output: anonymous_enable=NO
(Note: anonymous_enable=NO means anonymous logins are disabled. If the directive is absent, vsftpd's built-in default is YES, so the line must be present.)
Run:
cat /etc/snmp/snmpd.conf
Output: check whether the community strings on the rocommunity/rwcommunity (or com2sec) lines are still the defaults public (read-only) and private (read-write)
(Note: the default community names public and private must be changed to meet the requirement; also restrict the source address on those lines, and if SNMP is not needed disable snmpd as in section 1.)
grep anonymous /etc/ftpusers
grep anonymous /etc/vsftpd/vsftpd.conf
cat /etc/snmp/snmpd.conf
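The two checks above can be automated so the audit does not rely on reading the files by eye. The script below is an added example, not part of the original post: it scans an snmpd.conf for the default community names and a vsftpd.conf for anonymous logins (treating a missing anonymous_enable as enabled, which is vsftpd's default). It runs against constructed sample files in a temporary directory; the renamed community string in the sample is an invented value, and to audit a real host point the functions at /etc/snmp/snmpd.conf and /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/bash
# Added example (not from the original post): audit snmpd.conf for default
# community strings and vsftpd.conf for anonymous FTP, on constructed copies.

# Return 0 if the snmpd.conf still uses a default community name ("public" or
# "private") on a rocommunity/rwcommunity/com2sec line, 1 otherwise.
snmp_has_default_community() {
    local conf="$1"
    sed 's/#.*//' "$conf" \
      | grep -Ei '^[[:space:]]*(rocommunity|rwcommunity|com2sec)[[:space:]]' \
      | grep -Eqw 'public|private'
}

# Return 0 if vsftpd.conf allows anonymous logins. vsftpd's compiled-in
# default is anonymous_enable=YES, so a missing directive counts as enabled.
vsftpd_anon_enabled() {
    local conf="$1" val
    val=$(sed 's/#.*//' "$conf" | grep -Ei '^[[:space:]]*anonymous_enable=' \
          | tail -n1 | cut -d= -f2 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    [ -z "$val" ] && return 0
    [ "$val" = "yes" ]
}

tmp=$(mktemp -d)
# constructed sample 1: the shape of a stock CentOS 5 snmpd.conf, still on "public"
cat > "$tmp/snmpd.conf" <<'EOF'
# sec.name  source          community
com2sec notConfigUser  default       public
rocommunity public 127.0.0.1
EOF
# constructed sample 2: community renamed (Qx7mon-ro is an invented value) and source-restricted
cat > "$tmp/snmpd-fixed.conf" <<'EOF'
com2sec notConfigUser  10.0.0.0/8  Qx7mon-ro   # rocommunity public no longer used
rocommunity Qx7mon-ro 10.0.0.5
EOF
# constructed sample 3: the vsftpd default before hardening
cat > "$tmp/vsftpd.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
EOF

for f in snmpd.conf snmpd-fixed.conf; do
    if snmp_has_default_community "$tmp/$f"; then
        echo "WARN: $f uses a default community string"
    else
        echo "ok:   $f"
    fi
done
if vsftpd_anon_enabled "$tmp/vsftpd.conf"; then
    echo "WARN: vsftpd.conf allows anonymous FTP"
fi
rm -rf "$tmp"
```

Comments are stripped before matching, so a commented-out "# rocommunity public" left behind by an earlier edit does not raise a false alarm, and the community names are matched as whole words so that a string which merely contains "public" is not flagged.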
##############################################
3. Delete unneeded users and groups:
(Confirm first that nothing on the host still depends on an account, e.g. cups runs as lp, and spool or log files may be owned by these users; files left behind show a bare numeric UID afterwards. The groups are removed after their users because groupdel refuses to delete a group that is still some user's primary group.)
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel gopher
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel dip
##############################################
4. Check the permissions of the account files; if the output does not match the values below, change them
last |more (review the recent login history while you are at it)
ls -la /etc/passwd /etc/group /etc/shadow
Output: -rw-r--r-- ******
Output: -rw-r--r-- ******
Output: -r-------- ******
(Note: the following settings meet the requirement
/etc/passwd must be readable by all users and writable only by root: -rw-r--r--
/etc/group must be readable by all users and writable only by root: -rw-r--r--
/etc/shadow readable only by root: -r--------)
Run: grep Protocol /etc/ssh/sshd_config
Output: "Protocol 2" (an uncommented Protocol 2 line; the stock file also carries a commented #Protocol 2,1, which grep shows as well)
ls -la /etc/passwd /etc/group /etc/shadow
grep Protocol /etc/ssh/sshd_config
grep PermitRootLogin /etc/ssh/sshd_config
Check whether root can log in directly. At present the server has only the root account, so no restriction has been applied yet. Create a non-root administrative account and verify that it can log in and reach root (su or sudo) before setting PermitRootLogin no, otherwise remote access to the host is lost.
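The permission table above is a policy that drifts (a careless cp or package script can leave /etc/shadow readable), so it is worth enforcing rather than only eyeballing ls output. The script below is an added example, not code from the original post: it checks each file's mode with stat, repairs it with chmod, and reports the owner, which must be uid 0. It is run here against empty constructed copies in a temporary directory; pass /etc (the default) to audit the real files.

```shell
#!/bin/bash
# Added example (not from the original post): enforce the /etc/passwd,
# /etc/group and /etc/shadow modes from the table above, on constructed copies.

# ensure_mode FILE OCTAL: return 0 if FILE already had that mode,
# 1 if it had to be changed, 2 if FILE is missing.
ensure_mode() {
    local path="$1" want="$2" have
    have=$(stat -c '%a' "$path" 2>/dev/null) || return 2
    [ "$have" = "$want" ] && return 0
    chmod "$want" "$path"
    echo "fixed $path: $have -> $want"
    return 1
}

# audit_account_files DIR: apply the policy to DIR/passwd, DIR/group and
# DIR/shadow; print the owning uid as well (0 expected, chown by hand if not).
# Returns 1 if anything had to be corrected or was missing.
audit_account_files() {
    local dir="${1:-/etc}" drift=0 spec file
    for spec in passwd:644 group:644 shadow:400; do
        file="$dir/${spec%%:*}"
        ensure_mode "$file" "${spec##*:}" || drift=1
        echo "$file: owner uid $(stat -c '%u' "$file" 2>/dev/null)"
    done
    return $drift
}

# constructed sample: three empty files, with shadow left world-readable
tmp=$(mktemp -d)
for f in passwd group shadow; do : > "$tmp/$f"; done
chmod 644 "$tmp/passwd" "$tmp/group" "$tmp/shadow"
audit_account_files "$tmp" && echo "no drift" || echo "permissions were corrected"
rm -rf "$tmp"
```

The return code makes the function usable from cron: a non-zero exit means something was changed or missing and deserves a look, which is the part a one-off ls never gives you.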
##############################################
5. Add system log files
Run: vi /etc/syslog.conf
Check that the following lines are present
*.err /var/log/errors
authpriv.info /var/log/authpriv_info
*.info /var/log/info
auth.* /var/log/auth_none
service syslog restart
(Note: the selector for the last file has to be auth.*; auth.none means "no messages from the auth facility" and on its own selects nothing, so the file would stay empty. The stock CentOS 5 syslog.conf already sends authpriv.* to /var/log/secure and *.info to /var/log/messages, so these files largely duplicate those two; they are still useful as separate feeds, but they do not protect against an intruder who is already root.)
Run the following commands:
head /var/log/errors /var/log/authpriv_info /var/log/info /var/log/auth_none
echo "*.err /var/log/errors" >>/etc/syslog.conf
echo "authpriv.info /var/log/authpriv_info" >>/etc/syslog.conf
echo "*.info /var/log/info" >>/etc/syslog.conf
echo "auth.* /var/log/auth_none" >>/etc/syslog.conf
service syslog restart ; head /var/log/errors /var/log/authpriv_info /var/log/info /var/log/auth_none
##############################################
6. Idle login timeout
vi /etc/profile
TMOUT=180
export TMOUT
(180 seconds of inactivity closes an interactive bash shell. A user can override this in their own shell unless the variable is also declared readonly, and it has no effect on non-bash shells or on non-interactive sessions.)
##############################################
7. Change the password strength policy
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak ;vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
This means a minimum length of 8 with at least one upper-case letter, one lower-case letter, one digit and one non-alphanumeric character (a negative credit value means "at least this many" of that class). Two caveats: pam_cracklib only warns root and does not enforce these rules when root changes a password, and authconfig regenerates system-auth, so re-check the file after running it.
vi /etc/pam.d/system-auth
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
remember=5 is the number of previous passwords that cannot be reused; their hashes are kept in /etc/security/opasswd.
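Editing these PAM lines by script is where such hardening usually goes wrong: authconfig writes the fields separated by runs of spaces, so a sed that matches a literal single-spaced line silently changes nothing, and a pam_tally2 line appended to the end of /etc/pam.d/login never fires, because the "sufficient" pam_unix included from system-auth returns success before it is reached. The script below is an added example, not the page's own code: it rewrites the pam_cracklib options tolerant of whitespace, adds remember= idempotently, and inserts pam_tally2 at the head of the auth stack together with the account line that resets the counter after a successful login. It operates on constructed copies of the two files; the deny=5, unlock_time=600 and root_unlock_time=60 values are illustrative choices, not the page's, and unlock_time (lockout duration) is used rather than lock_time, which is only a delay after each failure.

```shell
#!/bin/bash
# Added example (not from the original post): PAM edits that tolerate the
# multi-space layout of system-auth, are idempotent, and place pam_tally2
# where it takes effect. Runs on constructed copies in a temporary directory;
# point the functions at /etc/pam.d/system-auth and /etc/pam.d/login for real.

# Replace the options on the pam_cracklib password line, whatever its spacing.
pam_set_cracklib() {
    local file="$1"
    sed -i -e 's/^\(password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so\).*$/\1 try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' "$file"
}

# Append remember=N to the pam_unix password line unless a remember= is already there.
pam_set_remember() {
    local file="$1" n="$2"
    grep -Eq '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so.*remember=' "$file" && return 0
    sed -i -e "s/^\(password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so.*\)$/\1 remember=$n/" "$file"
}

# Insert pam_tally2 before the first auth line (ahead of the "sufficient"
# pam_unix from system-auth, which would otherwise short-circuit it) and the
# account line before the first account line. No-op if already present.
# deny/unlock values below are illustrative, not taken from the page.
pam_add_tally2() {
    local file="$1"
    local authline='auth       required     pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=60'
    local acctline='account    required     pam_tally2.so'
    grep -q 'pam_tally2\.so' "$file" && return 0
    awk -v a="$authline" -v c="$acctline" '
        /^auth[ \t]/    && !a_done { print a; a_done = 1 }
        /^account[ \t]/ && !c_done { print c; c_done = 1 }
        { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

tmp=$(mktemp -d)
# constructed: the relevant lines of a stock CentOS 5 system-auth and login
cat > "$tmp/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
cat > "$tmp/login" <<'EOF'
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
EOF
pam_set_cracklib "$tmp/system-auth"
pam_set_remember "$tmp/system-auth" 5
pam_add_tally2   "$tmp/login"
cat "$tmp/system-auth" "$tmp/login"
rm -rf "$tmp"
```

Running the three functions twice leaves the files unchanged the second time, which is what lets the hardening script be re-run safely. Note that /etc/pam.d/login covers console logins only; ssh logins go through /etc/pam.d/sshd, which would need the same pam_tally2 lines.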
##############################################
8. Password validity period
vi /etc/login.defs
PASS_MAX_DAYS 90 // maximum password lifetime 90 days
PASS_WARN_AGE 7 // warn 7 days before the password expires (already the shipped default)
(Note: login.defs only applies to accounts created after the change. Existing accounts keep their current values and have to be set with chage; chage -l shows what an account currently has.)
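Because login.defs does not touch accounts that already exist, the policy has to be pushed to them with chage. The script below is an added example, not code from the original post: it selects the interactive accounts from a passwd file (UID 500 and above, CentOS 5's first regular UID, with a real login shell) and runs chage -M 90 -W 7 on each, or only prints the commands when DRYRUN=1. It runs against a constructed passwd sample; the user names in it are invented, and on a real host pass /etc/passwd.

```shell
#!/bin/bash
# Added example (not from the original post): apply the 90/7 day ageing policy
# to existing interactive accounts, which login.defs alone does not cover.

# aging_targets PASSWD_FILE: accounts with UID >= 500 and a real login shell.
# Root (UID 0) is deliberately excluded; decide its expiry separately.
aging_targets() {
    awk -F: '$3 >= 500 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# apply_aging PASSWD_FILE MAX_DAYS WARN_DAYS; with DRYRUN=1 only print the commands.
apply_aging() {
    local passwd="$1" max="$2" warn="$3" user
    for user in $(aging_targets "$passwd"); do
        if [ "${DRYRUN:-0}" = 1 ]; then
            echo "chage -M $max -W $warn $user"
        else
            chage -M "$max" -W "$warn" "$user"   # check afterwards with: chage -l "$user"
        fi
    done
}

tmp=$(mktemp -d)
# constructed sample passwd (invented names): two interactive users, two service accounts
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
nagios:x:500:500::/home/nagios:/bin/bash
deploy:x:501:501::/home/deploy:/bin/bash
backup:x:502:502::/var/backup:/sbin/nologin
EOF
DRYRUN=1 apply_aging "$tmp/passwd" 90 7
rm -rf "$tmp"
```

Service accounts with /sbin/nologin are skipped on purpose: expiring a daemon's password does nothing useful, and an expired account can make a cron job or su fail at an inconvenient time.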
################################################
9. Change the system open-file limit:
vi /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 16384
* hard nproc 16384
The first field is normally a user name; * matches all users. (These are resource limits rather than a hardening setting, but the nproc hard limit does cap how many processes any single user can spawn.)
10. Change the ssh port to 30022:
vi /etc/ssh/sshd_config
replace #Port 22 with
Port 30022
(Keep the current session open while sshd is restarted, test the new port from a second session, and if iptables stays enabled allow 30022 in the rules first. Moving the port only hides the service from casual scans; PermitRootLogin no and strong authentication are what actually protect it.)
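Sections 4 and 10 both change sshd_config directives, and a stock file carries them as commented defaults (#Port 22, #PermitRootLogin yes, #Protocol 2,1 next to an active Protocol 2), so a sed that looks for one exact string misses every other form. The function below is an added example, not code from the original post: it turns the first commented or active occurrence of a keyword into the requested active line, drops any later duplicates, and appends the directive if it is absent, so it is safe to re-run. It works on a constructed copy of the relevant defaults; on the real file, validate with sshd -t before restarting.

```shell
#!/bin/bash
# Added example (not from the original post): idempotently set sshd_config
# directives (PermitRootLogin no, Protocol 2, Port 30022) on a constructed copy.

# sshd_set KEY VALUE FILE: make "KEY VALUE" the single active line for KEY.
sshd_set() {
    local key="$1" value="$2" conf="$3" tmp
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        # "Key", "#Key" or "# Key" at line start; sshd keywords are case-insensitive
        tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" {
            if (!done) { print k " " v; done = 1 }   # first hit becomes the active line
            next                                      # later hits are dropped
        }
        { print }
        END { if (!done) print k " " v }             # absent: append it
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# sshd_get KEY FILE: value of the active (uncommented) directive, if any.
sshd_get() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

tmp=$(mktemp -d)
# constructed: the relevant defaults of a stock CentOS 5 sshd_config
cat > "$tmp/sshd_config" <<'EOF'
#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
EOF
sshd_set Port 30022 "$tmp/sshd_config"
sshd_set PermitRootLogin no "$tmp/sshd_config"
sshd_set Protocol 2 "$tmp/sshd_config"
cat "$tmp/sshd_config"
rm -rf "$tmp"
# On the real file, keep your session open and run:
#   /usr/sbin/sshd -t && service sshd restart
```

Writing through a temporary file and cat rather than mv keeps the inode, owner and mode of the original file, which matters for a root-owned configuration file.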
The hardening script below was tried and tested on CentOS 5.6 systems; I wrote it for my own production environment.
#!/bin/bash
# CentOS 5 hardening script covering sections 1-10 above. Run as root. It can be re-run: every step checks before it changes anything.
# 1. services that must not start at boot (telnet/rsh/rlogin/rexec are xinetd services; chkconfig handles them too)
for svc in postfix rsyncd rlogin rsh rexec snmpd sendmail telnet vsftpd smartd; do
    chkconfig "$svc" off
done
# 1. SELinux off (see the caveat in section 1)
if grep -q '^SELINUX=enforcing' /etc/selinux/config; then
    sed -i -e 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    echo "sed SELINUX=disabled success+++++++++++++++"
else
    echo "###############SELINUX=disabled do not set"
fi
# 2. /etc/ftpusers lists accounts that are denied FTP login, so anonymous must appear in it
if [ -f /etc/ftpusers ]; then
    grep -qx anonymous /etc/ftpusers || echo anonymous >> /etc/ftpusers
else
    echo "#############/etc/ftpusers not found"
fi
# 2. vsftpd: anonymous_enable defaults to YES when the directive is missing, so add it in that case too
if [ -f /etc/vsftpd/vsftpd.conf ]; then
    if grep -q '^anonymous_enable=' /etc/vsftpd/vsftpd.conf; then
        sed -i -e 's/^anonymous_enable=.*/anonymous_enable=NO/' /etc/vsftpd/vsftpd.conf
    else
        echo "anonymous_enable=NO" >> /etc/vsftpd/vsftpd.conf
    fi
    echo "sed anonymous_enable=NO success+++++++++++++++"
fi
# 2. SNMP: community strings cannot be rewritten blindly, so print them for review
if [ -f /etc/snmp/snmpd.conf ]; then
    echo "############SNMP config file exists, check these community strings by hand:"
    grep -E '^[[:space:]]*(rocommunity|rwcommunity|com2sec)' /etc/snmp/snmpd.conf
fi
# 3. stock accounts and groups that are not needed; groups go after their users
for u in adm lp sync shutdown halt news uucp operator gopher; do
    userdel "$u"
done
for g in adm lp news uucp dip; do
    groupdel "$g"
done
# 4. sshd: protocol 2 only, no direct root login. A non-root administrative account must exist before this runs.
if grep -q '^Protocol 2$' /etc/ssh/sshd_config; then
    echo "###############sshd_config Protocol 2 normal+++++++++++++++"
else
    echo "###############sshd_config Protocol is not 2, fix by hand"
fi
if grep -q '^PermitRootLogin no' /etc/ssh/sshd_config; then
    echo "###############PermitRootLogin no is exist ,do not set"
else
    # covers both the commented default "#PermitRootLogin yes" and an explicit "PermitRootLogin yes"
    sed -i -e 's/^#\?PermitRootLogin[[:space:]]\+yes/PermitRootLogin no/' /etc/ssh/sshd_config
    /usr/sbin/sshd -t && service sshd restart
    echo "sed PermitRootLogin no is success+++++++++++++++"
fi
# monitoring client account. The password set here is the well-known string "nagios": change it before the host goes live.
if id nagios >/dev/null 2>&1; then
    echo "####################client user nagios is exist,do not set"
else
    /usr/sbin/useradd nagios
    echo nagios | passwd nagios --stdin
    echo "172.16.24.178 centos56nagios" >> /etc/hosts
    echo "create user nagios success +++++++++++++++"
fi
# 5. extra log files (auth.* rather than auth.none, which would select nothing)
if grep -q '^\*\.err[[:space:]]\+/var/log/errors' /etc/syslog.conf; then
    echo "####################### syslog is exist.do not set"
else
    echo "*.err /var/log/errors" >> /etc/syslog.conf
    echo "authpriv.info /var/log/authpriv_info" >> /etc/syslog.conf
    echo "*.info /var/log/info" >> /etc/syslog.conf
    echo "auth.* /var/log/auth_none" >> /etc/syslog.conf
    service syslog restart ; head /var/log/errors /var/log/authpriv_info /var/log/info /var/log/auth_none
    echo "syslog success+++++++++++++++"
fi
# 6. idle timeout for interactive shells
if grep -q '^TMOUT=180' /etc/profile; then
    echo "#############TMOUT is exist,do not set"
else
    echo "TMOUT=180" >> /etc/profile
    echo "export TMOUT" >> /etc/profile
    echo "set TMOUT success+++++++++++++++"
fi
# 7. password strength. system-auth separates fields with runs of spaces, so match with [[:space:]]\+ instead of a literal single-spaced line
newauth="try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1"
if grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so.*minlen=8' /etc/pam.d/system-auth; then
    echo "##################pam_cracklib minlen=8 is exist,do not set"
else
    sed -i -e "s/^\(password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so\).*$/\1 $newauth/" /etc/pam.d/system-auth
    echo "sed password strength success+++++++++++++++"
fi
# 7. password history
if grep -Eq '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so.*remember=' /etc/pam.d/system-auth; then
    echo "###################passwd remember is exist,do not set"
else
    sed -i -e 's/^\(password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so.*\)$/\1 remember=5/' /etc/pam.d/system-auth
    echo "sed password count success+++++++++++++++"
fi
# 7. failed-login lockout on the console (/etc/pam.d/login only; sshd has its own file).
# pam_tally2 must come BEFORE the "sufficient" pam_unix included from system-auth, otherwise a correct
# password returns success before the counter is ever consulted, and the account line resets the counter
# after a successful login. unlock_time is the lockout duration; lock_time would only delay each attempt.
if grep -q pam_tally2 /etc/pam.d/login; then
    echo "##################pam_tally2 is exist,do not set"
else
    sed -i -e '0,/^auth[[:space:]]/s/^auth[[:space:]]/auth       required     pam_tally2.so deny=5 unlock_time=180 even_deny_root root_unlock_time=10\n&/' /etc/pam.d/login
    sed -i -e '0,/^account[[:space:]]/s/^account[[:space:]]/account    required     pam_tally2.so\n&/' /etc/pam.d/login
    echo "set pam_tally2 success+++++++++++++++"
fi
# 8. password ageing (login.defs affects new accounts only; use chage for existing ones; PASS_WARN_AGE 7 is already the default)
if grep -Eq '^PASS_MAX_DAYS[[:space:]]+99999' /etc/login.defs; then
    sed -i -e 's/^\(PASS_MAX_DAYS[[:space:]]\+\)99999/\190/' /etc/login.defs
    echo "sed login.defs success+++++++++++++++"
else
    echo "####################passwd date auth is exist,do not set"
fi
# 9. open-file and process limits
if grep -q 'soft nofile 65536' /etc/security/limits.conf; then
    echo "#############openfile soft is set ,do not set"
else
    cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 65536
* hard nofile 65536
* soft nproc 16384
* hard nproc 16384
EOF
    echo "set openfile soft is success+++++++++++++++"
fi