linux 安全加固

---1.使用Shell历史命令记录功能

#/etc/bashrc

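# Keep a long, timestamped command history for every interactive bash user.
HISTFILESIZE=4000
HISTSIZE=4000
HISTTIMEFORMAT='%F %T'
# Append to the history file instead of rewriting it at exit. This is
# required once /root/.bash_history is made append-only with `chattr +a`:
# bash's default rewrite (truncate + write) is refused on such a file and
# no history would be saved at all.
shopt -s histappend
export HISTTIMEFORMAT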

# Re-read the system-wide bashrc so the history settings apply to the
# current shell as well; new logins pick them up on their own.
. /etc/bashrc

---2.删减系统登录欢迎信息

---2.1 删除登录横幅(/etc/issue.net)中记录的操作系统名称和版本号, 并让 sshd 显示该文件

# vi /etc/ssh/sshd_config  #添加如下记录

Banner /etc/issue.net  

---2.2 删除全部内容或更新成自己想要添加的内容 

# vi /etc/motd

---3.system timeout: 5 minute idle auto logout

echo "TMOUT=300" >>/etc/profile

source /etc/profile

----4.加固

# chmod危险文件

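#######################################
# Make a set of tools usable by root only (mode 0700).
# Arguments: one or more file paths
# Outputs:   the previous `ls -ld` line of each file to stdout (keep it for
#            rollback), a skip notice on stderr for paths that do not exist
# Returns:   0 (individual chmod failures are reported by chmod on stderr)
# Caveats:   the owning package restores its modes on upgrade (rpm -V will
#            flag the change); /bin/ping loses its setuid/capability bit, so
#            non-root users can no longer ping - root-only is the intent here;
#            restricting vi/which/ifconfig affects every non-root user.
#######################################
restrict_to_root() {
  local f
  for f in "$@"; do
    if [[ ! -e "$f" ]]; then
      printf 'skip (missing): %s\n' "$f" >&2
      continue
    fi
    ls -ld -- "$f"          # record the current mode before changing it
    chmod -- 700 "$f"
  done
}

restrict_to_root /bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w \
  /usr/bin/locate /usr/bin/whereis /sbin/ifconfig /usr/bin/pico /bin/vi \
  /usr/bin/which /usr/bin/gcc /usr/bin/make /bin/rpm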

# history安全

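# Make root's history append-only so past entries cannot be edited or
# truncated. Do NOT also set +i: an immutable file refuses every write, so
# bash would stop recording history altogether, defeating section 1.
# +a needs `shopt -s histappend` in bashrc, because bash's default is to
# rewrite the whole file at exit, which an append-only file forbids.
touch /root/.bash_history   # chattr fails on a file that does not exist yet
chattr +a /root/.bash_history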

# Lock the account databases against modification.
# Trade-off: while the immutable bit is set, useradd/usermod/userdel,
# passwd and chage all fail on these files; run `chattr -i` on them first
# whenever an account or password has to change, then re-apply +i.
for db in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
  chattr +i "$db"
done

# add syncookie enable /etc/sysctl.conf

echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

sysctl -p

#修改配置文件

vi /etc/login.defs  (注意: login.defs 不支持行尾注释, 下面各行的 # 说明仅为本文注解, 写入文件时请单独成行, 否则数值可能解析失败)
PASS_MAX_DAYS 90 #新建用户的密码最长使用天数
PASS_MIN_DAYS 0 #新建用户的密码最短使用天数
PASS_WARN_AGE 7 #新建用户的密码到期提前提醒天数
PASS_MIN_LEN 9 #最小密码长度9 (在使用 PAM 的系统上此项通常不生效, 最小长度由 pam_cracklib/pam_pwquality 的 minlen 决定)

---5.限制哪些账户能切换到root

1) #vi /etc/pam.d/su  (下面这行应放在 auth include/substack system-auth 之前, 放在其后可能不生效; 64 位系统的模块位于 /lib64/security, 也可直接写 pam_wheel.so 不带路径)

auth required /lib/security/pam_wheel.so group=dba

#usermod -Gdba test  将test用户加入到dba组 (注意: 不带 -a 的 -G 会用 dba 替换该用户原有的全部附加组, 若要追加请用 usermod -aG dba test)

---6.系统内核安全

vi /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Prevent SYN attack (note: tcp_max_syn_backlog is set again to 1024 further down in this file; sysctl applies the last value it reads, so 1024 is what takes effect)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing (the eth0-specific keys below only exist when that interface is present; on a host without eth0, sysctl -p reports an error for each of them)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables IP source routing (verbatim repeat of the block above; redundant but harmless)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disables the magic-sysrq key
kernel.sysrq = 0
# Modify system limits for Ensim WEBppliance
fs.file-max = 65000
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps (trade-off: this also disables PAWS protection against wrapped sequence numbers; it is not a hardening measure by itself)
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
# Improve file system performance (vm.bdflush is a Linux 2.4 tunable; 2.6 and later kernels do not have it and sysctl -p is expected to report it as an unknown key)
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
# Improve virtual memory performance (vm.buffermem is likewise a Linux 2.4 tunable that newer kernels reject)
vm.buffermem = 90 10 60
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536
# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288
# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864
# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280
# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range (the upper bound must not exceed 65535; the kernel is likely to reject 65536 with "Invalid argument")
net.ipv4.ip_local_port_range = 16384 65536
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 1024
## DO NOT REMOVE THE FOLLOWING LINE!
## nsobuild:20051206 

# Load the settings from /etc/sysctl.conf (the default file for -p).
# Read the output: entries for tunables this kernel does not have, or for
# an interface that is not present, are reported here as errors.
sysctl -p /etc/sysctl.conf
