1. 禁用不使用的用户
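# 1. Disable unused accounts.
#
# The original audit greps for lines commented out with '#' in /etc/passwd
# and /etc/group (adm, lp, shutdown, halt, uucp, operator, games, gopher, ftp,
# nfsnobody, postfix ...). Commenting entries out of /etc/passwd is not a
# supported way to disable an account: passwd/group have no comment syntax,
# pwck/grpck flag such lines, files owned by that UID stop resolving to a
# name, and every account in that list already has /sbin/nologin as its
# shell, so none of them could log in in the first place. Lock accounts with
# usermod instead and leave package-owned entries (postfix, ftp, nfsnobody)
# in place - packages expect them to exist.

# Print the accounts that still have a login shell (the real candidates).
# Arguments: $1 - passwd file to inspect (default /etc/passwd)
# Outputs:   one "user:uid:shell" line per account whose shell is neither
#            /sbin/nologin, /usr/sbin/nologin nor /bin/false
# Returns:   awk's status (non-zero if the file cannot be read)
list_login_accounts() {
  local passwd_file=${1:-/etc/passwd}
  awk -F: 'NF >= 7 && $0 !~ /^#/ \
            && $7 !~ /^(\/usr)?\/sbin\/nologin$/ && $7 != "/bin/false" {
    print $1 ":" $3 ":" $7
  }' "$passwd_file"
}

# Lock an account without deleting it: password locked and shell replaced.
# Arguments: $1 - user name (root is refused)
# Returns:   usermod's status; 1 for root, 2 when no user is given
disable_account() {
  local user=$1
  [ -n "$user" ] || { printf 'usage: disable_account USER\n' >&2; return 2; }
  [ "$user" != root ] || { printf 'refusing to disable root\n' >&2; return 1; }
  usermod -L -s /sbin/nologin "$user"
}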
2. 关闭不使用的服务
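# 2. Shut down services the server does not need.
#
# Audit first with list_runlevel3_services (chkconfig --list | grep '3:on').
# The list below is the original page's choice for a headless server: CUPS
# (Unix printing, useless on a server), cpuspeed, bluetooth, firstboot, netfs
# and nfslock; acpid is kept on so the host still reacts to power events.
# Check it against the host's real role: netfs and nfslock are needed if the
# machine mounts NFS shares.
UNUSED_SERVICES=(cups cpuspeed bluetooth firstboot netfs nfslock)

# List every service that starts in runlevel 3.
list_runlevel3_services() {
  chkconfig --list | grep '3:on'
}

# Stop and disable every service in UNUSED_SERVICES, then enable acpid.
# Services that are not installed are skipped instead of aborting the run.
# Globals:  UNUSED_SERVICES (read)
# Returns:  non-zero if any chkconfig/acpid step failed
disable_unused_services() {
  local svc rc=0
  for svc in "${UNUSED_SERVICES[@]}"; do
    if ! chkconfig --list "$svc" >/dev/null 2>&1; then
      printf 'skip: %s is not installed\n' "$svc" >&2
      continue
    fi
    # an already-stopped service may return non-zero here; not an error
    service "$svc" stop || true
    chkconfig "$svc" --level 2345 off || rc=1
  done
  service acpid start && chkconfig acpid on || rc=1
  return "$rc"
}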
3. 禁用IPV6
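# 3. Keep the IPv6 module from loading and IPv6 off in the network scripts.
#
# The original page shows two mechanisms: `alias net-pf-10 off` (module is
# never auto-loaded) and `options ipv6 disable=1` (module loads but stays
# disabled). Both are written. On RHEL 5 they belong in /etc/modprobe.conf,
# on RHEL 6 in a file under /etc/modprobe.d/ (the default below) - pick the
# path for your release. Nothing takes effect before a reboot.

# Replace the "KEY=..." line in a file, or append it when KEY is absent.
# Arguments: $1 - file, $2 - key, $3 - value
_set_kv() {
  local file=$1 key=$2 value=$3 tmp rc
  tmp=$(mktemp) || return 1
  if [ -e "$file" ]; then
    awk -v key="$key" -v value="$value" '
      index($0, key "=") == 1 { if (!done) print key "=" value; done = 1; next }
      { print }
      END { if (!done) print key "=" value }' "$file" > "$tmp"
  else
    printf '%s=%s\n' "$key" "$value" > "$tmp"
  fi
  rc=$?
  # cat, not mv: keeps the original file's owner, mode and attributes
  [ "$rc" -eq 0 ] && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Append a line unless an identical line is already present (idempotent).
# Arguments: $1 - file, $2 - line
_ensure_line() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Write the IPv6-off configuration only (no service changes).
# Arguments: $1 - modprobe conf (default /etc/modprobe.d/ipv6.conf)
#            $2 - network file  (default /etc/sysconfig/network)
#            $3 - ifcfg file    (default /etc/sysconfig/network-scripts/ifcfg-eth0)
write_ipv6_disable_config() {
  local modprobe_conf=${1:-/etc/modprobe.d/ipv6.conf}
  local network_file=${2:-/etc/sysconfig/network}
  local ifcfg=${3:-/etc/sysconfig/network-scripts/ifcfg-eth0}
  _ensure_line "$modprobe_conf" 'alias net-pf-10 off' &&
    _ensure_line "$modprobe_conf" 'options ipv6 disable=1' &&
    _set_kv "$network_file" NETWORKING_IPV6 no &&
    _set_kv "$ifcfg" IPV6INIT no &&
    _set_kv "$ifcfg" IPV6_AUTOCONF no
}

# Apply on the host. ip6tables is only switched off once the ipv6 module is
# really gone: until the reboot that unloads it the host still has inet6
# addresses, and turning ip6tables off earlier would leave them unfiltered.
# Verify after the reboot with `lsmod | grep ipv6` and `ifconfig | grep -i inet6`.
disable_ipv6() {
  write_ipv6_disable_config || return 1
  if lsmod | grep -q '^ipv6[[:space:]]'; then
    printf 'ipv6 module still loaded; reboot, re-check, then run: chkconfig ip6tables off\n' >&2
    return 0
  fi
  chkconfig ip6tables off
}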
4. iptables规则
5. SSH安全设置
#useraddcrm-d/apps/crm #passwdcrm #useraddsysmgr #passwdsysmgr
5.1 只允许wheel用户组的用户su切换
#usermod-Gwheelsysmgr #vi/etc/pam.d/su #Uncommentthefollowinglinetorequireausertobeinthe"wheel"group. authrequiredpam_wheel.souse_uid
5.2 登录超时
exportTMOUT=300 readonlyTMOUT
5.3 禁止root直接远程登录
#vi/etc/ssh/sshd_config PermitRootLoginno
5.4 限制登录失败次数并锁定
authrequiredpam_tally2.sodeny=6unlock_time=180even_deny_rootroot_unlock_time=180
5.5 登录IP限制
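# 5.5 Restrict where and as whom SSH logins may come from.
#
# Two independent layers as in the original page: sshd's AllowUsers
# (sysmgr only, from 172.29.73.*) and tcp_wrappers (hosts.allow /
# hosts.deny). Points the page does not make:
#  * AllowUsers is an allow-list: every user NOT listed - including the crm
#    account created in section 5 - is refused over SSH. Add all users who
#    need SSH, or leave the option out.
#  * tcp_wrappers only apply if sshd is linked against libwrap
#    (`ldd $(which sshd) | grep libwrap`); newer OpenSSH builds are not.
#  * `sshd: 172.29.73.` is a prefix match that already covers
#    172.29.73.23, so the original's separate host line is redundant.
#  * Keep the current session open and test from a new one before relying
#    on this.

# Add a pattern to the global AllowUsers line (creating it above any Match
# block), keeping users already listed. Idempotent.
# Arguments: $1 - user[@host] pattern, $2 - config (default /etc/ssh/sshd_config)
sshd_allow_user() {
  local pattern=$1 cfg=${2:-/etc/ssh/sshd_config} tmp rc
  tmp=$(mktemp) || return 1
  awk -v pat="$pattern" '
    tolower($0) ~ /^[ \t]*match([ \t]|$)/ {
      if (!done) { print "AllowUsers " pat; done = 1 }
      in_match = 1
    }
    !done && !in_match && tolower($1) == "allowusers" {
      for (i = 2; i <= NF; i++) if ($i == pat) done = 1
      if (!done) { $0 = $0 " " pat; done = 1 }
    }
    { print }
    END { if (!done) print "AllowUsers " pat }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Append a line unless an identical line is already present.
_ensure_line() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Arguments: $1 - sshd_config, $2 - hosts.allow, $3 - hosts.deny (all optional)
restrict_ssh_sources() {
  local cfg=${1:-/etc/ssh/sshd_config} allow=${2:-/etc/hosts.allow} deny=${3:-/etc/hosts.deny}
  sshd_allow_user 'sysmgr@172.29.73.*' "$cfg" || return 1
  # hosts.allow is consulted first; write it before the catch-all deny so a
  # half-finished run cannot lock everyone out
  _ensure_line "$allow" 'sshd: 172.29.73.' || return 1
  _ensure_line "$deny" 'sshd: ALL'
}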
6. 配置只能使用密钥文件登录
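# 6. Key-only SSH login.
#
# Key generation (`ssh-keygen -t rsa -b 2048`, with a passphrase) belongs on
# the CLIENT. The original transcript generates the pair as root on the
# server and then `mv`s id_rsa.pub over authorized_keys: that leaves the
# private key on the server it is supposed to protect and the mv wipes any
# key that was already authorized. Generate on the client and copy only the
# public key (e.g. `ssh-copy-id sysmgr@host`, or install_authorized_key
# below with a transferred .pub file).
# sshd side: the original's `PasswordAuthentication no` sits under
# `Match User itsection`, so passwords stay enabled for everyone else; set
# it globally if key-only is meant for all users. On RHEL sshd also
# authenticates passwords through PAM keyboard-interactive, so
# ChallengeResponseAuthentication no is required as well or the password
# prompt simply comes back. RSAAuthentication is a protocol-1 option
# (deprecated/ignored on OpenSSH >= 7.4); kept only because the page lists it.
# TODO(review): "itsection" is the user name as it survived the page's
# whitespace loss; confirm the intended account before applying.

# Append a public key to authorized_keys with the permissions sshd insists
# on (700 dir, 600 file). Never overwrites; skips a key already present.
# Arguments: $1 - public key file, $2 - target .ssh dir (default $HOME/.ssh)
install_authorized_key() {
  local pubkey=$1 ssh_dir=${2:-"$HOME/.ssh"}
  [ -r "$pubkey" ] || { printf 'install_authorized_key: cannot read %s\n' "$pubkey" >&2; return 1; }
  mkdir -p -- "$ssh_dir" && chmod 700 -- "$ssh_dir" || return 1
  if ! grep -qxF -f "$pubkey" -- "$ssh_dir/authorized_keys" 2>/dev/null; then
    cat -- "$pubkey" >> "$ssh_dir/authorized_keys" || return 1
  fi
  chmod 600 -- "$ssh_dir/authorized_keys"
}

# Set (or replace) a global sshd_config keyword, inserting above any Match
# block so the setting stays global. Idempotent.
# Arguments: $1 - keyword, $2 - value, $3 - config (default /etc/ssh/sshd_config)
sshd_set_option() {
  local key=$1 value=$2 cfg=${3:-/etc/ssh/sshd_config} tmp rc
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    BEGIN { re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
    tolower($0) ~ /^[ \t]*match([ \t]|$)/ {
      if (!done) { print key " " value; done = 1 }
      in_match = 1
    }
    !done && !in_match && tolower($0) ~ re { print key " " value; done = 1; next }
    { print }
    END { if (!done) print key " " value }
  ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Enable public-key auth globally and force keys for one user.
# Arguments: $1 - config (default /etc/ssh/sshd_config), $2 - user (default itsection)
configure_key_only_ssh() {
  local cfg=${1:-/etc/ssh/sshd_config} user=${2:-itsection}
  sshd_set_option RSAAuthentication yes "$cfg" || return 1
  sshd_set_option PubkeyAuthentication yes "$cfg" || return 1
  sshd_set_option AuthorizedKeysFile .ssh/authorized_keys "$cfg" || return 1
  # Match blocks must come last in the file; only add ours once
  if ! grep -Eiq "^[[:space:]]*Match[[:space:]]+User[[:space:]]+${user}([[:space:]]|\$)" "$cfg"; then
    printf '\nMatch User %s\n    PasswordAuthentication no\n    ChallengeResponseAuthentication no\n' "$user" >> "$cfg"
  fi
}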
7. 减少history命令记录
vi/etc/profile
8. 增强特殊文件权限
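# 8. Make critical files immutable (chattr +i).
#
# What +i buys and what it costs: no write, rename or unlink succeeds on the
# file - not even by root - until the attribute is cleared. That blocks
# tampering by scripts and mistakes, but it equally blocks `passwd`,
# `useradd`/`usermod`/`chage` (passwd, shadow, group, gshadow), package
# upgrades of openssh/pam/setup (sshd_config, pam.d/su, services) and
# sections 5.1/5.3-6 of this page. Run unlock_system_files before such
# changes and lock again afterwards. Since root can `chattr -i`, this is not
# a control against a root-level attacker; for that, audit writes with
# auditd (`-w /etc/shadow -p wa`) and keep the logs off-host.
LOCKED_FILES=(
  /etc/passwd
  /etc/shadow
  /etc/group
  /etc/gshadow
  /etc/services          # service/port list: no unsanctioned add or delete
  /etc/pam.d/su
  /etc/ssh/sshd_config
)

# Set +i on every file in LOCKED_FILES and show the result with lsattr.
# Globals: LOCKED_FILES (read)
# Returns: non-zero if any chattr failed (requires root / CAP_LINUX_IMMUTABLE)
lock_system_files() {
  local f rc=0
  for f in "${LOCKED_FILES[@]}"; do
    chattr +i "$f" || rc=1
  done
  lsattr "${LOCKED_FILES[@]}"
  return "$rc"
}

# Clear +i again before administering accounts or updating packages.
unlock_system_files() {
  local f rc=0
  for f in "${LOCKED_FILES[@]}"; do
    chattr -i "$f" || rc=1
  done
  return "$rc"
}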
9. 防止一般网络攻击
9.1 禁ping
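# 9.1 Ignore ICMP echo ("disable ping").
#
# Two defects in the original page:
#  * `echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all` is gone after a
#    reboot; the persistent form is a line in /etc/sysctl.conf.
#  * The iptables rules drop echo-REPLY on INPUT and echo-REQUEST on OUTPUT,
#    i.e. they stop this host from pinging others and do nothing about others
#    pinging this host. For inbound ping the directions are the reverse, as
#    below. The rules also live only in memory until `service iptables save`.
# Only echo is touched; other ICMP types (destination unreachable,
# fragmentation needed) stay open so path-MTU discovery keeps working.

# Set "key = value" in a sysctl.conf-style file, replacing an existing line.
# Arguments: $1 - key, $2 - value, $3 - file (default /etc/sysctl.conf)
# Note: key is used unescaped in the regex; it is a trusted sysctl name.
persist_sysctl_setting() {
  local key=$1 value=$2 conf=${3:-/etc/sysctl.conf}
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$conf" 2>/dev/null; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf"
  else
    printf '%s = %s\n' "$key" "$value" >> "$conf"
  fi
}

# Apply now, persist, and add firewall rules that block inbound echo.
# Arguments: $1 - sysctl conf (default /etc/sysctl.conf)
disable_ping() {
  local sysctl_conf=${1:-/etc/sysctl.conf}
  sysctl -w net.ipv4.icmp_echo_ignore_all=1 || return 1
  persist_sysctl_setting net.ipv4.icmp_echo_ignore_all 1 "$sysctl_conf" || return 1
  # check the saved rule set first so repeated runs do not duplicate rules
  if ! iptables-save | grep -Eq -- '^-A INPUT .*--icmp-type 8 .*-j DROP'; then
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP || return 1
  fi
  if ! iptables-save | grep -Eq -- '^-A OUTPUT .*--icmp-type 0 .*-j DROP'; then
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP || return 1
  fi
  service iptables save
}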
9.2. 防止IP欺骗
orderhosts,bind#名称解释顺序 multion#允许主机拥有多个IP地址 nospoofon#禁止IP地址欺骗
9.3 防止DoS攻击
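# 9.3 Per-user resource limits (fork bombs, fd exhaustion, core dumps).
#
# Fix vs the original: `* soft core 0` alone lets a user re-enable dumps
# with `ulimit -c unlimited`; a core of a process holding credentials is a
# data leak, so the HARD core limit is set to 0 as well.
# Reminders the page omits: `*` does not cover root; on RHEL 6
# /etc/security/limits.d/90-nproc.conf ships `* soft nproc 1024` and, being
# read after limits.conf, wins - edit it too; limits only apply to sessions
# whose PAM stack includes pam_limits (RHEL's system-auth already has it, so
# the session line below is only needed for stacks that lack it).
# Arguments: $1 - limits file (default /etc/security/limits.conf)
#            $2 - PAM service file to add pam_limits to (default /etc/pam.d/login)
write_resource_limits() {
  local limits=${1:-/etc/security/limits.conf} pam_file=${2:-/etc/pam.d/login}
  local line
  for line in \
    '* soft core 0' \
    '* hard core 0' \
    '* soft nproc 2048' \
    '* hard nproc 16384' \
    '* soft nofile 1024' \
    '* hard nofile 65536'
  do
    grep -qxF -- "$line" "$limits" 2>/dev/null || printf '%s\n' "$line" >> "$limits" || return 1
  done
  grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_limits\.so' "$pam_file" 2>/dev/null ||
    printf 'session    required     pam_limits.so\n' >> "$pam_file"
}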
10. 修复已知安全漏洞
11. 定期做日志安全检查
- /var/log/messages – 系统通用日志（内核、守护进程等当前活动；原文 /var/log/message 缺少末尾的 s）
- /var/log/secure – 认证与授权日志（RHEL/CentOS：登录、sshd、sudo、su，以及 5.4 节 pam_tally2 的锁定记录）
- /var/log/auth.log – 认证日志（仅 Debian/Ubuntu 系存在；本文使用 chkconfig/service，属 RHEL 系，应查看 /var/log/secure）
- /var/log/cron – crond 日志（cron 任务）
- /var/log/maillog – 邮件服务器日志
- /var/log/yum.log – yum 安装/更新记录

注意：取得 root 的攻击者可以直接改写本机日志，因此应同时把日志转发到远程 syslog 服务器，在远端做检查。