Linux security hardening
1. Disable the firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
2. Disable SELinux
vi /etc/selinux/config
Change the setting to
SELINUX=disabled
setenforce 0
3. Configure yum
Version="RHEL73"
mkdir /etc/yum.repos.d/BAK
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/BAK/
echo "[rhel-source-$Version]" > /etc/yum.repos.d/$Version.repo
# $releasever and $basearch are yum variables: escape them so the shell does not expand them to empty strings
echo "name=Red Hat Enterprise Linux \$releasever Beta - \$basearch - Source" >> /etc/yum.repos.d/$Version.repo
echo "baseurl=http://10.217.1.210/$Version" >> /etc/yum.repos.d/$Version.repo
echo "enabled=1" >> /etc/yum.repos.d/$Version.repo
echo "gpgcheck=0" >> /etc/yum.repos.d/$Version.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta,file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" >> /etc/yum.repos.d/$Version.repo
yum clean all
yum makecache
I. Account policy hardening
Check which users have a bash login shell
grep bash /etc/passwd | cut -d: -f1
Compliant when only root and xtgsadmin are listed.
Check password policy (1)
grep PASS /etc/login.defs | grep -v "#"
If not compliant, run:
# anchor on the key so the substitution works whatever the current value is
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE   28/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN    8/' /etc/login.defs
Check password policy (2)
grep -v "#" /etc/pam.d/system-auth | grep -E "remember|minlen|ucredit|lcredit|dcredit|ocredit"
If the output is empty, do the following:
vim /etc/pam.d/system-auth
password requisite pam_cracklib.so ucredit=-1 dcredit=-2 lcredit=-1 ocredit=-2 minlen=8 retry=5 difok=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
Note that nullok in the pam_unix line lets accounts with an empty password log in; drop it unless that is deliberate.
Other hardening policies
Edit the su PAM file (vi /etc/pam.d/su) and add the following two lines at the top:
Check first whether an equivalent policy is already present; if it is, there is no need to add it.
# module names without a path: PAM resolves them in its own module directory (/lib64/security on 64-bit RHEL), so the old /lib/security path would not be found
auth sufficient pam_rootok.so debug
auth required pam_wheel.so group=wheel
usermod -aG wheel xtgsadmin    # wheel is GID 10
1. Reference configuration steps
Set the default umask:
vi /etc/profile
vi /etc/csh.login
vi /etc/csh.cshrc
vi /etc/bashrc
Append umask 022 to the end of each file.
2. Reference configuration steps
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 600 /etc/shadow
Run:
lsattr /var/log/messages
lsattr /var/log/messages.*
lsattr /etc/shadow
lsattr /etc/passwd
lsattr /etc/group
Reference configuration steps (note: once /etc/passwd, /etc/shadow and /etc/group are immutable, useradd, usermod and passwd fail until the flag is cleared with chattr -i, and +i on the rotated message files stops logrotate from managing them):
chattr +a /var/log/messages
chattr +i /var/log/messages.*
chattr +i /etc/shadow
chattr +i /etc/passwd
chattr +i /etc/group
Add logging rules for errors
vim /etc/rsyslog.conf
authpriv.* /var/log/secure
# no trailing ';' after the last selector, otherwise rsyslog rejects the line
*.err;kern.debug;daemon.notice /var/adm/messages
Add an idle-session timeout
vi /etc/profile
export TMOUT=300
source /etc/profile
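As an added example (not part of the original post), a read-only audit script that re-checks the account-policy, file-permission, su/wheel and TMOUT items above against the values the post sets. File paths are passed as arguments so it can also run against copies; the function names and the --live flag are this example's own.

```shell
#!/bin/bash
# Added audit helper, not from the original post: re-checks the hardening items
# read-only. Thresholds are the values the post sets (assumed to be the policy).

# users_with_shell PASSWD_FILE : login names whose shell is a bash variant
users_with_shell() {
    awk -F: '$7 ~ /bash$/ { print $1 }' "$1"
}

# check_login_defs FILE : prints FAIL lines for PASS_MAX_DAYS > 90, PASS_MIN_LEN < 8
# or PASS_WARN_AGE < 28; returns 1 if any value fails or is unset
check_login_defs() {
    file=$1; rc=0
    for spec in PASS_MAX_DAYS:le:90 PASS_MIN_LEN:ge:8 PASS_WARN_AGE:ge:28; do
        key=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; want=${rest#*:}
        # last uncommented assignment wins, matching how login.defs is parsed
        have=$(awk -v k="$key" '$1 == k { v = $2 } END { print v }' "$file")
        if [ -z "$have" ] || ! [ "$have" "-$op" "$want" ] 2>/dev/null; then
            echo "FAIL $key=${have:-unset} (want $op $want)"; rc=1
        fi
    done
    return $rc
}

# check_mode FILE OCTAL : 0 if the permission bits are exactly OCTAL (e.g. 600)
check_mode() {
    have=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$have" = "$2" ]
}

# check_tmout PROFILE SECONDS : 0 if an uncommented TMOUT is set to at most SECONDS
check_tmout() {
    have=$(sed -En 's/^[[:space:]]*(export[[:space:]]+)?TMOUT=([0-9]+).*/\2/p' "$1" | tail -n1)
    [ -n "$have" ] && [ "$have" -le "$2" ]
}

# check_pam_su PAM_SU_FILE : 0 if su is restricted through an active pam_wheel line
check_pam_su() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1"
}

# Run against the live system: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "shell users: $(users_with_shell /etc/passwd | tr '\n' ' ')"
    check_login_defs /etc/login.defs && echo "login.defs OK"
    check_mode /etc/shadow 600 && check_mode /etc/passwd 644 && check_mode /etc/group 644 && echo "modes OK"
    check_tmout /etc/profile 300 && echo "TMOUT OK"
    check_pam_su /etc/pam.d/su && echo "su restricted to wheel"
fi
```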
Set the default TTL
Edit /etc/sysctl.conf and add: net.ipv4.ip_default_ttl = 128
Add clock synchronization
crontab -e
30 5,13,21 * * * /usr/sbin/ntpdate 10.xx.xx.xx && /usr/sbin/hwclock -w
31 5,13,21 * * * /usr/sbin/ntpdate 10.xx.xx.xx && /usr/sbin/hwclock -w
Disable unneeded services
systemctl stop cups.socket;
systemctl stop cups.path;
systemctl stop cups;
systemctl disable cups;
systemctl stop postfix;
systemctl disable postfix
Remote log server
echo "*.* @XX.XX.XXX.XX:20514" >> /etc/rsyslog.conf