首先确保所使用的linux系统中的所有软件都已经安装到最新版本。

linux下的漏洞或者叫做不规范大致如下几点:

用户登录,openssl, CA证书,GRUB加密,SMB密码永不过期,无任何所属用户用户组的文件,文件权限为777的,所使用到的软件严重滞后,tcp timstamp, 数据库的open access, ICMP redirection, ip forward, 

umask值的默认设置,磁盘分区的weakness

1. 使用root用户在终端登录。

sed -i '/^tty[0-9]$/d' /etc/securetty

sed -i '/^vc\/[0-9]$/d' /etc/securetty

2. 使用ssh协议的root登录

sed -i 's/#PermitRootLogin\ yes/PermitRootLogin\ no/' /etc/ssh/sshd_config

sed -i 's/#PermitRootLogin\ without-password/PermitRootLogin\ no/' /etc/ssh/sshd_config

3.  ICMP redirection 问题

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

4. 数据库的open access

使用iptables来加强数据库的访问认证。受信任的主机访问,通过设置数据库中的用户主机名称不使用%来匹配所有主机。

5. ssl使用的证书协议

不使用泛域名证书,使用至少2048bit以上的证书

The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server.

Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.

There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3 and TLS 1.0). The only fully safe configuration is to use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM, AES-CCM in TLS 1.2.

Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.

Configure the server to disable support for 3DES suite.




6. TCP timestamp responses的问题

net.ipv4.tcp_timestamps=0

7. IP Source Routing

The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Disable IP source routing

For Linux systems ensure the following sysctl value is set:

net.ipv4.conf.all.accept_source_route=0

It is also advised that packet forwarding be disabled, unless there is a legitimate reason not to, by setting the following sysctl values:

net.ipv4.conf.all.forwarding=0

net.ipv6.conf.all.forwarding=0

net.ipv4.conf.all.mc_forwarding=0

net.ipv6.conf.all.mc_forwarding=0

More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

8. 设置grub密码

Enable GRUB password

Configuration remediation steps



Set a password in the GRUB configuration file. This is often located in one of several locations, but can really be anywhere:

         /etc/grub.conf
         /boot/grub/grub.conf
         /boot/grub/grub.cfg
         /boot/grub/menu.lst        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:

  password

To set an encrypted password, run grub-md5-crypt and use its output when adding the following line before the first uncommented line:

  password --md5

For either approach, choose an appropriately strong password.

9. 磁盘分区的挂载方式添加nodev参数

Partition Mounting Weakness

Configuration remediation steps



The specific way to modify the partition mount options varies from system to system. Consult your operating system's manual or mount man page.

The following issues were discovered: 
/boot partition does not have 'nodev' option set.
/data partition does not have 'nodev' option set.


10. 内核参数的一般优化

net.core.rmem_default = 2569600                                                    

net.core.rmem_max = 2569600                                                        

net.core.wmem_default = 2569600                                                    

net.core.wmem_max = 2569600                                                        

net.ipv4.tcp_timestamps = 0                                                        

net.ipv4.tcp_sack = 1                                                              

net.ipv4.tcp_window_scaling = 1                                                    

net.ipv4.tcp_keepalive_time = 600                                                  

kernel.sem = 500 64000 200 256                                                     

fs.file-max = 65536                                                                

net.ipv4.ip_local_port_range = 1024 65000                                          

net.ipv4.ip_forward = 0                                                            

net.ipv4.conf.default.rp_filter = 1                                                

kernel.sysrq = 0                                                                   

kernel.core_uses_pid = 1                                                           

net.ipv4.tcp_syncookies = 1                                                        

net.ipv4.tcp_max_syn_backlog = 2048                                                

net.ipv4.tcp_synack_retries = 2                                                    

net.ipv4.conf.all.accept_source_route = 0                                          

net.ipv4.conf.lo.accept_source_route = 0                                           

net.ipv4.conf.default.accept_source_route = 0                                      

net.ipv4.conf.all.rp_filter = 1                                                    

net.ipv4.conf.lo.rp_filter = 1                                                     

net.ipv4.conf.default.rp_filter = 1                                                

net.ipv4.conf.all.accept_redirects = 0                                             

net.ipv4.conf.lo.accept_redirects = 0                                              

net.ipv4.conf.default.accept_redirects = 0                                         

net.ipv4.conf.all.secure_redirects=0                                               

net.ipv4.conf.default.secure_redirects=0                                           

net.ipv4.tcp_timestamps=0


11. iptables 防***

-A FORWARD -p tcp --syn -m limit --limit 1de>de >/sde> de >--limit-burst 5 -j ACCEPT 限制每秒5个新连接de>

-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1de>de >/sde> de >-j ACCEPT  防端口扫描de>

-A FORWARD -p icmp --icmp-de>de >typede> de >echode>de >-request -m limit --limit 1de>de >/sde> de >-j ACCEPT  de>防止洪水***