linux 安全加固
---1.使用Shell历史命令记录功能 #/etc/bashrc HISTFILESIZE=4000 HISTSIZE=4000 HISTTIMEFORMAT='%F %T' export HISTTIMEFORMAT source /etc/bashrc ---2.删减系统登录欢迎信息 ---2.1删除记录了操作系统的名称和版本号 # vi /etc/ssh/sshd_config #添加如下记录 Banner /etc/issue.net ---2.2 删除全部内容或更新成自己想要添加的内容 # vi /etc/motd ---3.system timeout 5 minite auto logout echo "TMOUT=300" >>/etc/profile source /etc/profile ----4.加固 # chmod危险文件 chmod 700 /bin/ping chmod 700 /usr/bin/finger chmod 700 /usr/bin/who chmod 700 /usr/bin/w chmod 700 /usr/bin/locate chmod 700 /usr/bin/whereis chmod 700 /sbin/ifconfig chmod 700 /usr/bin/pico chmod 700 /bin/vi chmod 700 /usr/bin/which chmod 700 /usr/bin/gcc chmod 700 /usr/bin/make chmod 700 /bin/rpm # history安全 chattr +a /root/.bash_history chattr +i /root/.bash_history # chattr /etc/passwd /etc/shadow chattr +i /etc/passwd chattr +i /etc/shadow chattr +i /etc/group chattr +i /etc/gshadow # add syncookie enable /etc/sysctl.conf echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf sysctl -p #修改配置文件 vi /etc/login.defs PASS_MAX_DAYS 90 #新建用户的密码最长使用天数 PASS_MIN_DAYS 0 #新建用户的密码最短使用天数 PASS_WARN_AGE 7 #新建用户的密码到期提前提醒天数 PASS_MIN_LEN 9 #最小密码长度9 ---5.限制哪些账户能切换到root 1) #vi /etc/pam.d/su auth required /lib/security/pam_wheel.so group=dba #usermod -Gdba test 将test用户加入到dba组 ---6.系统内核安全 vi /etc/sysctl.conf # Kernel sysctl configuration file for Red Hat Linux # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and # sysctl.conf(5) for more details. # Controls IP packet forwarding net.ipv4.ip_forward = 0 # Controls source route verification net.ipv4.conf.default.rp_filter = 1 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1 #Prevent SYN attack net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 # Disables packet forwarding net.ipv4.ip_forward=0 # Disables IP source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.lo.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.lo.log_martians = 1 net.ipv4.conf.eth0.log_martians = 1 # Disables IP source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.lo.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 14 net.ipv4.conf.default.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Disables the magic-sysrq key kernel.sysrq = 0 # Modify system limits for Ensim WEBppliance fs.file-max = 65000 # Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 15 # Decrease the time default value for tcp_keepalive_time connection net.ipv4.tcp_keepalive_time = 1800 # Turn off the tcp_window_scaling net.ipv4.tcp_window_scaling = 0 # Turn off the tcp_sack net.ipv4.tcp_sack = 0 # Turn off the tcp_timestamps net.ipv4.tcp_timestamps = 0 # Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1 # Enable ignoring broadcasts request net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable bad error message Protection net.ipv4.icmp_ignore_bogus_error_responses = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 1 # Set maximum amount of memory allocated to shm to 256MB kernel.shmmax = 268435456 # Improve file system performance vm.bdflush = 100 1200 128 512 15 5000 500 1884 2 # Improve virtual memory performance vm.buffermem = 90 10 60 # Increases the size of the socket queue (effectively, q0). net.ipv4.tcp_max_syn_backlog = 1024 # Increase the maximum total TCP buffer-space allocatable net.ipv4.tcp_mem = 57344 57344 65536 # Increase the maximum TCP write-buffer-space allocatable net.ipv4.tcp_wmem = 32768 65536 524288 15 # Increase the maximum TCP read-buffer space allocatable net.ipv4.tcp_rmem = 98304 196608 1572864 # Increase the maximum and default receive socket buffer size net.core.rmem_max = 524280 net.core.rmem_default = 524280 # Increase the maximum and default send socket buffer size net.core.wmem_max = 524280 net.core.wmem_default = 524280 # Increase the tcp-time-wait buckets pool size net.ipv4.tcp_max_tw_buckets = 1440000 # Allowed local port range net.ipv4.ip_local_port_range = 16384 65536 # Increase the maximum memory used to reassemble IP fragments net.ipv4.ipfrag_high_thresh = 512000 net.ipv4.ipfrag_low_thresh = 446464 # Increase the maximum amount of option memory buffers net.core.optmem_max = 57344 # Increase the maximum number of skb-heads to be cached net.core.hot_list_length = 1024 ## DO NOT REMOVE THE FOLLOWING LINE! ## nsobuild:20051206 sysctl -p
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。