KVM virtual machine configuration and system hardening

1.1. Virtual machine operations

  • Example:
  • Create the virtual machine:
    # --vnclisten=0.0.0.0 exposes the VNC console on every interface; bind it to a management address where possible
    virt-install -n M10Srv20_80_14 --memory 4096 --vcpus=2 --disk /data/kvm/M10Srv20_80_14.img,format=qcow2,size=92 --os-type=linux --cdrom /data/kvm/ubuntu-18.04.3-live-server-amd64.iso --vnc --vncport=5904 --vnclisten=0.0.0.0 --network bridge=br0,model=virtio
    
  • Configure the virtual machine:
![](https://img2018.cnblogs.com/blog/1730818/201912/1730818-20191210110624325-1544735631.png) ![](https://img2018.cnblogs.com/blog/1730818/201912/1730818-20191210110646606-89214130.png) ![](https://img2018.cnblogs.com/blog/1730818/201912/1730818-20191210110708686-900306815.png) ![](https://img2018.cnblogs.com/blog/1730818/201912/1730818-20191210110720218-377616100.png)
  • Operate the virtual machine
  virsh list --all
  virsh start/shutdown M10Srv20_80_14
  virsh edit <vm-name>
  • Clone the virtual machine
  virt-clone --connect=qemu:///system -o M10Srv20_80_14 -n M10Srv20_80_15 -f /data/kvm/M10Srv20_80_15.img

2. System hardening

2.1. Preparation before the upgrade

  1. Enable the root password
  2. Upgrade the kernel:
dpkg -i linux-image-unsigned-4.18.20-041820-generic_4.18.20-041820.201812030624_amd64.deb linux-modules-4.18.20-041820-generic_4.18.20-041820.201812030624_amd64.deb
  3. chown -R 1000:1000 /opt/
  4. Configure the apt source (point it at the internal mirror)
  5. Note: point ntp at the internal time server, delete anything containing "ktb", add the DNS server once it is assigned, and remove the KTB-environment ntp source

2.2. Hardening items

2.2.1. Disk partitioning

  • Hardening method:
    Use the ubuntu-18.04.3-live-server-amd64.iso image from the official website, partition the disk according to the table as the installer prompts, and install the system.
  • Check method
  lsblk
  df -lTh

2.2.2. Add the internal-environment apt source

scp 10.10.108.121:/root/formssi.pub /root
cd /root;apt-key add formssi.pub
echo "deb http://10.10.108.121:1111 /packages/" >/etc/apt/sources.list
apt-get update
apt-get install -y python

2.2.3. Patch the system

dpkg -i libsox3_*.deb sox_*.deb   # install the downloaded .deb files for libsox3 and sox (file names are placeholders)
  • Check method
dpkg -l | grep libsox3
dpkg -l | grep sox

2.2.4. Log files

  • Requirement
    Log files are used by the system and by applications to record actions, errors, warnings and problems. They are often useful for investigating system quirks, for discovering the root causes of tricky problems, and for watching attackers. There are typically two types of log files in the operating environment: system log files, which are normally managed by the syslog daemon, and application logs, which are created by the application itself. Depending on the requirement, log files are kept for more than 7 days and must be rotated.

2.2.4.1. Enable logging

  • Hardening method
vi /etc/rsyslog.conf
echo "*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log" >> /etc/rsyslog.conf
  • Check method
  cat /etc/rsyslog.conf
  systemctl is-enabled rsyslog   # check whether rsyslog starts at boot

2.2.4.2. Kernel tuning

  • Hardening method:
# soft and hard open-file limits for the opergrp group
echo "%opergrp         soft    nofile      10000
%opergrp         hard    nofile      20000" >> /etc/security/limits.conf

2.2.4.2.1. Password complexity check

  • Hardening method
apt-get -y install libpam-cracklib
sed -i '/pam_cracklib.so/d' /etc/pam.d/common-password
sed -i '/pam_unix.so/d' /etc/pam.d/common-password
sed -i '/pam_deny.so/d' /etc/pam.d/common-password
sed -i '/pam_permit.so/d' /etc/pam.d/common-password
echo -e "
password\trequired\tpam_cracklib.so retry=3 minlen=8 difok=0 dcredit=-1 ucredit=0 lcredit=-1 ocredit=-1
password\tsufficient\tpam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password\trequisite\tpam_deny.so
password\trequired\tpam_permit.so
" >> /etc/pam.d/common-password
sed -i "s/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS\t30/g" /etc/login.defs
sed -i "s/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS\t7/g" /etc/login.defs
sed -i "s/^#PASS_MIN_LEN.*$/PASS_MIN_LEN\t8/g" /etc/login.defs
  • Check method
grep "^password" /etc/pam.d/common-password
grep "^PASS" /etc/login.defs

2.2.4.3. Authentication

  • Hardening method
sed -i '/pam_unix.so/d' /etc/pam.d/common-auth
sed -i '/pam_deny.so/d' /etc/pam.d/common-auth
# pam_tally2: lock the account after 3 failed attempts; onerr=fail denies access if the tally file cannot be read
echo -e "
auth\trequired\tpam_env.so
auth\trequired\tpam_tally2.so onerr=fail deny=3
auth\tsufficient\tpam_unix.so nullok try_first_pass
auth\trequisite\tpam_succeed_if.so uid>=500 quiet
auth\trequired\tpam_deny.so
" >> /etc/pam.d/common-auth
  • Check method
grep "^auth" /etc/pam.d/common-auth

2.2.4.4. Specify which TTY devices root may log in from

  • Hardening method
echo "console" > /etc/securetty
  The /etc/securetty file lets you specify which TTY devices the root user may log in from. The login program (usually /bin/login) reads /etc/securetty.
  • Check method
cat /etc/securetty

2.2.4.5. Account locking

  • Hardening method:
for u in bin daemon adm lp mail uucp operator games gopher ftp nobody nscd mailnull smmsp \
         vcsa pcap rpc rpcuser nfsnobody sshd dbus hldaemon avahi-autoipd avahi apache \
         ntp xfs gdm sabayon; do
    passwd -l "$u"   # lock the password of each system account
done
  • Check method:
for u in bin daemon adm lp mail uucp operator games gopher ftp nobody nscd mailnull smmsp \
         vcsa pcap rpc rpcuser nfsnobody sshd dbus hldaemon avahi-autoipd avahi apache \
         ntp xfs gdm sabayon; do
    passwd -S "$u"   # show the password status; L means locked
done

2.2.4.6. Check for duplicate UIDs

  • Check method:
awk -F: '{ CNT[$3]++ } END { for (i in CNT) if (CNT[i] > 1) printf "UID not ONCE: %s\n", i }' /etc/passwd
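The duplicate-UID check above and the account-locking check in 2.2.4.5, as an added example that is not part of the original post: the functions take a passwd file path so they can be run against a copy, and the sample file is constructed here.

```shell
#!/bin/bash
# Added example, not part of the original post: audit a passwd file for the
# conditions behind 2.2.4.5 and 2.2.4.6. The file path is a parameter so the
# checks can run against a copy; the sample content below is constructed.

# UIDs that appear more than once (the 2.2.4.6 check), one per line.
dup_uids() {
    awk -F: '{ cnt[$3]++ } END { for (u in cnt) if (cnt[u] > 1) print u }' "$1" | sort -n
}

# Accounts other than root that carry UID 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# From the given system accounts, those whose shell still permits an
# interactive login (anything other than a nologin/false shell).
login_capable_system_accounts() {
    file=$1
    shift
    for u in "$@"; do
        awk -F: -v u="$u" '$1 == u && $7 !~ /(nologin|false)$/ { print $1 }' "$file"
    done
}

# Constructed sample /etc/passwd for the demonstration.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
toor:x:0:0:second uid 0 account:/root:/bin/bash
ktb:x:1000:1000:ktb:/home/ktb:/bin/bash
oper:x:1000:1000:shares uid with ktb:/home/oper:/bin/bash
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
EOF

echo "duplicate UIDs: $(dup_uids "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "extra UID 0 accounts: $(extra_uid0 "$SAMPLE_PASSWD")"
echo "login-capable system accounts: $(login_capable_system_accounts "$SAMPLE_PASSWD" bin daemon sync sshd | tr '\n' ' ')"
```

On a live host, pass /etc/passwd as the path and the account names from the 2.2.4.5 list; any name printed by the third function still has a shell even if its password is locked.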

2.2.4.7. Security auditing

  • Hardening method:
apt-get -y install auditd
systemctl enable auditd
systemctl restart auditd
Auditing (audit) is an important part of the Linux security architecture; it is a "passive" line of defence.
  • Check method:
systemctl status auditd

2.2.4.8. Add audit rules

  • Hardening method
# one rule per line; on x86_64 the syscall is creat, not create
echo "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" > /etc/audit/rules.d/failedfileandprogramaccess.rules
systemctl restart auditd
  • Check method
cat /etc/audit/audit.rules
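What the "access" key buys you once the rules are loaded, as an added example that is not part of the original post: a small detection routine that summarises denied file accesses per audited user from an audit.log. The log lines are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not part of the original post: detection logic for the
# "access" key set by the 2.2.4.8 rules. It reads an audit.log path; the
# log lines below are constructed, not captured from a real host.

# Count denied file accesses per audited user. Only SYSCALL records tagged
# key="access" count, and only those that failed with EACCES (exit=-13) or
# EPERM (exit=-1), matching the -F exit= filters in the rules.
failed_access_by_user() {
    awk '
        /^type=SYSCALL / && /key="access"/ && (/ exit=-13 / || / exit=-1 /) {
            auid = "unknown"
            for (i = 1; i <= NF; i++) if ($i ~ /^auid=/) auid = substr($i, 6)
            cnt[auid]++
        }
        END { for (u in cnt) print u, cnt[u] }' "$1" | sort -n
}

# Users with at least N denied accesses: a simple alert threshold.
users_over_threshold() {
    failed_access_by_user "$1" | awk -v n="$2" '$2 >= n { print $1 }'
}

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1575952800.101:201): arch=c000003e syscall=257 success=no exit=-13 pid=1311 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1575952800.101:201): item=0 name="/etc/shadow" inode=1056 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1575952800.205:202): arch=c000003e syscall=257 success=no exit=-13 pid=1312 auid=1000 uid=1000 comm="less" exe="/usr/bin/less" key="access"
type=SYSCALL msg=audit(1575952800.300:203): arch=c000003e syscall=76 success=no exit=-1 pid=1313 auid=1000 uid=1000 comm="truncate" exe="/usr/bin/truncate" key="access"
type=SYSCALL msg=audit(1575952801.010:204): arch=c000003e syscall=257 success=no exit=-13 pid=1400 auid=1001 uid=1001 comm="cat" exe="/bin/cat" key="access"
type=SYSCALL msg=audit(1575952801.500:205): arch=c000003e syscall=257 success=no exit=-13 pid=1401 auid=1001 uid=1001 comm="cat" exe="/bin/cat" key="other"
type=SYSCALL msg=audit(1575952802.000:206): arch=c000003e syscall=257 success=yes exit=3 pid=1402 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
EOF

echo "denied accesses per auid:"; failed_access_by_user "$SAMPLE_LOG"
echo "auids at or above 3 denials: $(users_over_threshold "$SAMPLE_LOG" 3 | tr '\n' ' ')"
```

On a live host point it at /var/log/audit/audit.log; ausearch -k access gives the same records with their PATH lines if you need the file names.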

2.2.4.9. Log management

2.2.4.9.1. Enable system logging

  • Hardening method
sed -i "s/^*.*;auth,authpriv.none/#*.*;auth,authpriv.none/g" /etc/rsyslog.d/50-default.conf
echo "*.info;mail.none;authpriv.none;cron.none /var/log/messages" >> /etc/rsyslog.d/50-default.conf
  • Check method:
    Reboot the host and check whether /var/log/messages exists and contains log entries

2.2.4.9.2. Successful and unsuccessful logins and logouts must be logged

  • Hardening method
echo "authpriv.*                      /var/log/secure" >> /etc/rsyslog.d/50-default.conf
  • Check method:
    Log in once and check whether /var/log/secure exists and contains the login record

2.2.4.9.3. All log files must be kept for at least 90 days

sed -i "s/rotate 7/rotate 91/g" /etc/logrotate.d/rsyslog
sed -i "s/rotate 4/rotate 13/g" /etc/logrotate.d/rsyslog
sed -i "s/rotate 1/rotate 3/" /etc/logrotate.conf
sed -i "s/rotate 4/rotate 13/" /etc/logrotate.conf
  • Check method:
  1. Check that the log rotation program is installed
logrotate --version
  2. Check the rotation interval and the number of rotated copies kept
cat /etc/logrotate.conf
cat /etc/logrotate.d/rsyslog

Monthly rotation: keep 3 copies
Weekly rotation: keep at least 13 copies
Daily rotation: keep 91 copies

2.2.4.10. Disable remote root login (recommended after the cluster has been created; otherwise root cannot log in remotely once the service restarts)

sed -i "s/^PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
systemctl restart sshd
  • Check method:
    Logging in with the root account and password should fail

Reference documents:

2.2.4.11. Disable services from starting at boot

# Services disabled from boot; names not present on this host simply produce an error from systemctl.
# Note that iptables/ip6tables are in this list: keep them enabled on a host that relies on those units to load its netfilter rules.
for s in sendmail cups ypbind ypserv yppasswd smb autofs portmap rpcidmapd rpcgssd nfs nfslock \
         telnet rlogin rexec rexd rsh tftp vsftp eklogin klogin gssftp kshell shell loginp \
         krb5-telnet finger chargen daytime-udp time-udp daytime time echo-udp rsync \
         chargen-udp echo biff discard exec name printer talk uucp sprayd who chargen-dgram \
         cvs daytime-dgram daytime-stream discard-dgram discard-stream echo-stream \
         ekrb5-telnet tcpmux-server time-dgram time-stream acpid atd autofs avahi-daemon \
         avahi-dnsconfd bluetooth bind conman cpuspeed dnsmasq dovecot dund firstboot gpm \
         haldeamon hidd httpd ip6tables ipmi iptables irda irqbalance kdump kudzu mcstrans \
         mdmonitor netconsole netfs netplugd nscd pand pcscd portmap psacct rdisc \
         readahead_early readahead_later restorecond rhnsd rpcgssd rpcidmapd rpcsvcgssd \
         rwhod sendmail setroubleshoot smartd smb vncserver vsftpd wdaemon winbind \
         wpa_supplicant xfs ypbind yum-updatesd snmp; do
    systemctl disable "$s"
done
# SysV-style init scripts are disabled through the systemd compatibility helper
for s in sendmail rsync acpid atd irqbalance; do
    /lib/systemd/systemd-sysv-install disable "$s"
done
  • Check method:
service <service_name> status

2.2.4.12. Display a banner after login

 vi /etc/motd
    ***********************************************
    WARNING:
    
    This system is restricted to KTB Computer Services (KTBCS) authorized users for business purposes only. Unauthorized access or use is a violation of laws and KTBCS security policy. This service may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring.
    **********************************************
  • Check method:
    Log in again; after a successful login the banner above is displayed.

2.2.4.13. Set the session timeout

sudo vim /etc/profile
## add on the last line
export TMOUT=600
source /etc/profile
  • Check method:
    Log in again and open a new session without doing anything; if it times out and exits automatically after 10 minutes, the setting has taken effect.

2.2.4.14. Set kernel runtime parameters

vi /etc/sysctl.conf
    
#Enable TCP SYN Cookie to prevent SYN flood
net.ipv4.tcp_syncookies=1
#Disable IP Source Routing
net.ipv4.conf.all.accept_source_route=0
#Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects=0
#Disable Secure ICMP Redirect Acceptance to prevent outsiders from updating the system routing tables
net.ipv4.conf.all.secure_redirects=0
#Enable IP Spoofing Protection
net.ipv4.conf.all.rp_filter=1
#Enable Ignoring Broadcasts Request
net.ipv4.icmp_echo_ignore_broadcasts=1
#Enable Bad Error Message Protection to prevent kernel from logging bogus responses
net.ipv4.icmp_ignore_bogus_error_responses=1
#Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packet
net.ipv4.conf.all.log_martians=1
  • Check method:
sysctl -p

2.2.4.15. The default umask is 0022; no change is needed

2.2.4.16. Secure shell (SSH)

  • Requirement:
    Install either a licensed/purchased SSH (F-Secure SSH) or an open-source one (OpenSSH) so that data is encrypted in transit. Every server with SSH installed should close the "telnet" and "ftp" ports, i.e. ports 20, 21 and 23.

  • Hardening method:

# overwrite the version string in the sshd binary with the same number of spaces, so the file size and ELF offsets stay unchanged
sed -i "s/OpenSSH_7.6p1 Ubuntu-4ubuntu0.3/                               /g" /usr/sbin/sshd
sed -i "s/OpenSSH_7.6/           /g" /usr/sbin/sshd
service sshd restart
  • Check method:
    Check the OpenSSH version information:
ssh -V

Check whether the externally exposed version information has been removed:

telnet 10.10.108.12 22

Check whether ports 20, 21 and 23 are open:

netstat -ntpl | grep ':20 '
netstat -ntpl | grep ':21 '
netstat -ntpl | grep ':23 '

Since the system does not have the telnet or ftp ports open, nothing needs to be closed.
Then check from outside:

telnet 10.10.108.12 20
telnet 10.10.108.12 21
telnet 10.10.108.12 23
telnet 10.10.108.12 22

2.2.4.17. Time synchronization

All servers must be configured to synchronize time with an NTP service. Depending on the environment or network segment in which a server is located, it should be time-synchronized accordingly.

  • Hardening method:
apt-get install ntp ntpdate -y
Edit the configuration file: vim /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
#server
prefer  # this line is the local-environment clock server, used when synchronizing to the correct time; at the customer site the two entries below are authoritative
#server NTP_PBS_ST1.kcs
#server NTP_BBT_ST1.kcs
Stop the ntp service:
    systemctl stop ntp
First synchronize the correct time manually:
Local environment:
    ntpdate 10.10.108.121     # choose the local or customer environment as required
Customer environment:
    ntpdate NTP_PBS_ST1.kcs
Start the ntp service:
    systemctl start ntp
Enable start at boot:
    systemctl enable ntp
Check synchronization:
    ntpq -p

2.2.4.18. Set the sync account's shell to nologin

root@KTBDEVPU24:/home/ktb# vi /etc/passwd
sync:x:4:65534:sync:/bin:/usr/sbin/nologin

2.2.4.19. Change log retention

  • Hardening method:
root@KTBDEVPU24:/home/ktb# vi /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
#weekly
daily

# use the syslog group by default, since this is the owning group
# of /var/log/syslog.
su root syslog
# keep 90 days worth of backlogs
rotate 90

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    daily
    create 0664 root utmp
    rotate 3
}

/var/log/btmp {
    missingok
    daily
    create 0660 root utmp
    rotate 3
}
/var/log/secure {
    daily
    create 0664 root root
    compress
    rotate 90
}
/var/log/messages {
    daily
    create 0640 root root
    compress
    rotate 90
}
# auditd keeps its own log file open; rotate it via max_log_file_action in /etc/audit/auditd.conf, or send auditd SIGUSR1 after rotation so it reopens the file
/var/log/audit/audit.log {
    daily
    create 0640 root root
    compress
    rotate 90
}
# system-specific logs may be configured here

2.2.4.20. Remove the Ubuntu version (shown before login)

root@KTBDEVPU24:/home/ktb# vi /etc/issue  # delete the contents
root@KTBDEVPU24:/home/ktb# vi /etc/issue.net  # delete the contents
Posted @ 2019-12-10 11:03 by 付大安