一. 账号安全
passwd -l scu
passwd -u scu
本质:在/etc/shadow密码列前增加"!"
vi /etc/login.defs
PASS_MAX_DAYS 90 # 密码最长使用天数
PASS_MIN_DAYS 0
PASS_WARN_AGE 7 # 密码到期提前预警天数
PASS_MIN_LEN 8 # 密码最小长度,若使用pam_cracklib,该参数不再有效
vi /etc/pam.d/su
auth required /lib/security/pam_wheel.so # 默认group=wheel
auth required /lib/security/pam_wheel.so group=users
vi /etc/login.defs (Redhat)
SU_WHEEL_ONLY yes
chattr +i /etc/passwd
chattr +i /etc/shadow
chage -M 99999 root # 使root密码永不过期;与上面PASS_MAX_DAYS 90的策略不一致,是否豁免root需按规范确认
二. 最小化服务
runlevel (who -r)
chkconfig --list
service nfs stop
chkconfig --level 3 nfs off
chkconfig --level 3,5 nfs on
三. 数据访问控制
vi /etc/profile
umask 027
/etc/redhat-release
/etc/SuSE-release
/etc/issue
/etc/motd
# 备份/tmp目录
mkdir /tmp_backup
cp -pr /tmp/* /tmp_backup 或者cp -R /tmp/ /tmp_backup
# 创建100M空文件
dd if=/dev/zero of=/dev/tmp bs=1024 count=100000
# 设置为扩展文件系统(若fstab中按ext3挂载,应使用mke2fs -j创建带日志的文件系统,否则可能无法以ext3挂载)
mke2fs /dev/tmp
# 挂载文件系统
chmod 0777 /tmp
mount -o loop,rw,nosuid,noexec /dev/tmp /tmp
# 挂载后新文件系统的根目录会覆盖挂载点原有权限,需再执行 chmod 1777 /tmp;/tmp应带粘滞位,否则用户可删除他人文件
# 还原备份文件
cp -pr /tmp_backup/* /tmp
rm -rf /tmp_backup
# 添加到fstab
vi /etc/fstab
/dev/tmp /tmp ext3 loop,rw,nosuid,noexec 0 0
vi /etc/fstab
shm /dev/shm tmpfs defaults,nosuid,noexec,rw,size=24541576K 0 0
# 所有suid和sgid的文件(注意-o的优先级,且-perm 2000为精确匹配;宜写为 find / -type f \( -perm -4000 -o -perm -2000 \))
find / -type f -perm -4000 -o -perm 2000 | xargs ls -lg
# 没有属主或属组的文件
find / -nouser -o -nogroup
# group或others具有可写权限(-perm -2为others可写,-perm -20为group可写)
find / -type f -perm -2 -o -perm -20 | xargs ls -lg
find / -type d -perm -2 -o -perm -20 | xargs ls -ldg
# suid和sgid文件,MD5值检查(-perm 2000/4000为精确匹配整个mode,通常应写为 -perm -2000 / -perm -4000)
find / -user root -type f -perm 2000 -exec md5sum {} \;
find / -user root -type f -perm 4000 -exec md5sum {} \;
四. 网络访问控制
ps -ef | grep sshd
service sshd start
vi /etc/ssh/sshd_config
AllowUsers *@10.134.*.*
service sshd restart
vi /etc/ssh/sshd_config
PermitRootLogin no
从配置文件中删除不必要的主机
/etc/hosts.equiv
$HOME/.rhosts
vi /etc/ssh/sshd_config
Banner NONE
vi /etc/motd (清空文件)
vi /etc/inittab
#ca::ctrlaltdel:/sbin/shutdown -r -t 4 now
vi /etc/ssh/sshd_config
Protocol 2
service sshd restart
ssh -2 [email protected]
vi /etc/xinetd.d/telnet
disable = yes
service xinetd restart
vi /etc/hosts.deny
ALL : 10.137.5.155
netstat -tulp
lsof -i -n | egrep 'COMMAND|LISTEN|UDP'
五. 用户鉴别
vi /etc/pam.d/system-auth
# 连续输错三次密码,锁定用户5分钟(unlock_time单位为秒,5分钟应写为unlock_time=300)
auth required pam_tally.so onerr=fail deny=3 unlock_time=5
# root用户遵循上面的规则,并锁定10分钟(root_unlock_time同样以秒计,10分钟应写为600)
auth required pam_tally.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10
# 解锁用户
faillog -u bmp -r
faillog -r
vi /etc/profile
export TMOUT=600 (600seconds)
vi /etc/ftpusers
root (禁止root用户登录ftp)
vi /etc/profile
export HISTSIZE=1000
export HISTFILESIZE=1000
# 添加编译组
groupadd compiler
# 修改编译器属组
cd /usr/bin
chgrp compiler *cc*
chgrp compiler *++*
chgrp compiler ld
chgrp compiler as
# 设置权限
chmod 750 *cc*
chmod 750 *++*
chmod 750 ld
chmod 750 as
# 添加用户到compiler组
vi /etc/group
compiler:x:520:user1,user2
chattr +a .bash_history
chattr +i .bash_history # +i会使文件不可写,shell将无法再追加历史记录;只需+a即可防止删改并保留追加
六. 审计策略
vi /etc/syslog-ng/syslog-ng.conf
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };
vi /etc/rsyslog.conf (Redhat)
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
vi /etc/logrotate.conf
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment these to switch compression to bzip2
compresscmd /usr/bin/bzip2
uncompresscmd /usr/bin/bunzip2
vi /etc/logrotate.d/syslog
/var/log/warn /var/log/messages {
compress
dateext
maxage 365
rotate 99
missingok
notifempty
size +4096k
create 640 root root
sharedscripts
postrotate
/etc/init.d/syslog reload
endscript
}