CentOS 7 主机加固手册-上

CentOS 7 主机加固手册-中

CentOS 7 主机加固手册-下

0x1f 删除禁用非必要的服务

删除非必要的服务

# Remove

yum remove xinetd

yum remove telnet-server

yum remove rsh-server

yum remove telnet

yum remove rsh-server

yum remove rsh

yum remove ypbind

yum remove ypserv

yum remove tftp-server

yum remove cronie-anacron

yum remove bind

yum remove vsftpd

yum remove httpd

yum remove dovecot

yum remove squid

yum remove net-snmpd

禁止非必要的服务

#Disable / Enable

systemctl disable xinetd

systemctl disable rexec

systemctl disable rsh

systemctl disable rlogin

systemctl disable ypbind

systemctl disable tftp

systemctl disable certmonger

systemctl disable cgconfig

systemctl disable cgred

systemctl disable cpuspeed

systemctl enable irqbalance

systemctl disable kdump

systemctl disable mdmonitor

systemctl disable messagebus

systemctl disable netconsole

systemctl disable ntpdate

systemctl disable oddjobd

systemctl disable portreserve

systemctl enable psacct

systemctl disable qpidd

systemctl disable quota_nld

systemctl disable rdisc

systemctl disable rhnsd

systemctl disable rhsmcertd

systemctl disable saslauthd

systemctl disable smartd

systemctl disable sysstat

systemctl enable crond

systemctl disable atd

systemctl disable nfslock

systemctl disable named

systemctl disable httpd

systemctl disable dovecot

systemctl disable squid

systemctl disable snmpd

禁用Secure RPC Client 服务

Disable rpcgssd:

The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:

systemctl disable rpcgssd

禁止 Secure RPC Server Service

systemctl disable rpcsvcgssd

禁止 RPC ID Mapping Service

The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:

systemctl disable rpcidmapd 

禁止 Network File Systems (netfs)

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:

sudo systemctl disable netfs

禁止 Network File System (nfs)

systemctl disable nfs

如果不需要SSH,则删除之:

systemctl disable sshd

删除 SSH iptables 防火墙规则

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Tips™ - You probable need to leave SSH alone

###Remove Rsh Trust Files
rm /etc/hosts.equiv
rm ~/.rhosts

禁止 Avahi Server Software

systemctl disable avahi-daemon

the CUPS Service

如果不需要CUPS,禁止之,减少攻击面

systemctl disable cups

禁止 DHCP 服务

systemctl disable dhcpd

卸载 DHCP Server Package

如果不需要DHCP客户端,就删除之

yum erase dhcp 

禁止DHCP ,使用静态ip

Example:

BOOTPROTO=none

NETMASK=255.255.255.0

IPADDR=192.168.1.2

GATEWAY=192.168.1.1

指定 NTP服务器

vim /etc/ntp.conf
server ntpserver

当然最好使用内网的NTP服务器

启用 Postfix

systemctl enable postfix

删除 Sendmail

yum remove sendmail

设置Postfix仅本地监听

Open, /etc/postfix/main.cf and ensure the following inet_interfaces line appears:

vim
inet_interfaces = localhost

配置 SMTP banner

banner会暴露当前的 SMTP 服务器是 Postfix.

禁止 xinetd Service

sudo systemctl disable xinetd

System Audit Logs权限设置

System audit logs 权限最高为0640

sudo chmod 0640 audit_file 

System Audit Logs  所有者为root

sudo chown root/var/log

禁止 autofs

chkconfig --level 0123456 autofs off

service autofs stop

0x21 禁止不常见的文件系统

echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf

echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf

echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf

echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf

echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf

echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf

echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

0x22 禁止 core dumps

vi /etc/security/limits.conf

* hard core 0

0x23  禁止SUID程序core dumps  

Run sysctl -w fs.suid_dumpable=0 and fs.suid_dumpable = 0.

# Set runtime for fs.suid_dumpable

#

sysctl -q -n -w fs.suid_dumpable=0

#

# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"

#     else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf

#

if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then

     sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf

else

     echo "" >> /etc/sysctl.conf

     echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf

     echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf

fi

0x24 防止缓冲区溢出

启用 ExecShield

用于防御 stack smashing / BOF.

sysctl -w kernel.exec-shield=1

在 /etc/sysctl.conf里面添加

kernel.exec-shield = 1

启用ASLR

Set runtime for kernel.randomize_va_space

sysctl -q -n -w kernel.randomize_va_space=2

在 /etc/sysctl.conf 里面添加一行:

kernel.randomize_va_space = 2

Enable XD or NX Support on x86 Systems

Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.

Check bios and ensure XD/NX is enabled, not relevant for VM’s.

0x25 配置SELinux

确认SELinux开启

sed -i "s/selinux=0//gI" /etc/grub.conf

sed -i "s/enforcing=0//gI" /etc/grub.conf

启用SELinux

vim  /etc/selinux/config  

SELINUXTYPE=targeted 

SELINUXTYPE=targeted 或者设置为 SELINUXTYPE=enforcing,这取决于实际情况。

启用SELinux restorecond 服务

estorecond (系统)利用 /etc/selinux/restorecond.conf 的设定来判断当新建文件时,该文件的 SELinux 类型应该如何还原。需要注意的是,如果你的系统有很多非正规的 SELinux 文件类型设定时,这个 daemon最好关闭,否则他会将你设定的 type 修改回默认值。

启用 restorecond for all run levels:

chkconfig --level 0123456 restorecond on

启动 restorecond:

service restorecond start 

确保没有未被SELinux限制的守护进程

sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }’

0x26 防止空密码登录

sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth

0x27 加固 SSH服务

只允许SSH  Protocol 2

vim /etc/ssh/sshd_config  

Protocol 2

限制特定用户SSH登录

vim  /etc/ssh/sshd_config  

DenyUsers USER1 USER2

配置 Idle Log Out Timeout 间隔为600秒

ClientAliveInterval 600

Set SSH Client Alive Count

不要支持闲置会话

To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:

ClientAliveCountMax 0

禁止SSH支持.rhosts文件

IgnoreRhosts参数可以忽略以前登录过主机的记录

vim /etc/ssh/sshd_config:

IgnoreRhosts yes

禁止基于主机的认证

SSH的加密主机身份验证比.rhosts身份验证更安全。 但是即使在一个组织内也不建议主机互相信任。

vim /etc/ssh/sshd_config:

HostbasedAuthentication no

禁止SSH root登录

vim  /etc/ssh/sshd_config 

PermitRootLogin no

禁止SSH空密码登录


vim /etc/ssh/sshd_config:

PermitEmptyPasswords no

开启SSH 警告标语

开启告警标语,提高安全意识。


banner /etc/issue

禁止SSH Environment选项

当客户端从ssh登陆到服务端时,服务端禁止从本地的~/.ssh/environment读取特定客户端的环境变量配置文件。

PermitUserEnvironment no

仅使用被证明的加密算法

Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:

ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

0x29 加固X桌面(X windows)

禁止X桌面,减少攻击面


yum groupremove "X Window System 

0x2a 定时更新

yum -y install yum-cron

chkconfig yum-cron on

另外设置 yum-cron 为 “check only”,不推荐自动安装更新。

原文:https://highon.coffee/blog/security-harden-centos-7/

CentOS 7 主机加固手册-下的更多相关文章

  1. CentOS 7 主机加固手册-中

      CentOS 7 主机加固手册-上 CentOS 7 主机加固手册-中 CentOS 7 主机加固手册-下 0x0c 设置/boot/grub2/grub.cfg权限 Set grub.conf ...

  2. CentOS 7 主机加固手册-上

    TIPs: 世界上有一撮人专门研究主机安全加固基线,有兴趣的读者可以到 http://benchmarks.cisecurity.org/ 获取更加详细专业的主机安全基线配置文档.或者到 https: ...

  3. 外网主机访问虚拟机下的Web服务器_服务器应用_Linux公社-Linux系统门户网站

    body{ font-family: "Microsoft YaHei UI","Microsoft YaHei",SimSun,"Segoe UI& ...

  4. centos修改主机名命令

    centos修改主机名命令   需要修改两处:一处是/etc/sysconfig/network,另一处是/etc/hosts,只修改任一处会导致系统启动异常.首先切换到root用户.    vi / ...

  5. 主机加固之windows2003

    这篇与上一篇的win7主机加固内容大体类似,部分有些不同.这篇也可以用来尝试加固windows XP. 1. 配置管理 1.1用户策略 注意:在对Windows系统加固之前先新建一个临时的系统管理员账 ...

  6. 主机加固之win7

    这套主机加固方案很简单,一步一步按着顺序来弄就可以,部分步骤还配有相关图片.可以先用虚拟机来做一次加固,以防弄错后不好恢复.记得弄个快照,以防万一.下次有空写个win7暴力破解~ 1. 配置管理 1. ...

  7. Centos文本方式安装情况下lvm分区的创建

    作者:马 岩(Furzoom) (http://www.cnblogs.com/furzoom/)版权声明:本文的版权归作者与博客园共同所有.转载时请在明显地方注明本文的详细链接,未经作者同意请不要删 ...

  8. CentOS 7主机名的弯弯绕绕

    在CentOS 6中,修改主机名方式很简单,临时修改主机名使用hostname命令,永久修改主机名直接写进文件/etc/sysconfig/network中即可. 但在CentOS 7中,主机名就没那 ...

  9. Centos 修改主机名称

    Centos 配置主机名称: 1.首先查询一下当前的主机名称 [root@localhost~]# hostnamectl status Static hostname: ****** //永久主机名 ...

随机推荐

  1. 存一些有用的CSS

    reset ;} table{} fieldset,img{} address,caption,cite,code,dfn,em,strong,th,var{font-style:normal;fon ...

  2. CDateTimeUI类源码分析

    CDateTimeUI是duilib里选择日期的控件,继承于CLabelUI控件,用于记录已经选择的日期,选择控件则是调用win32的日期选择控件. CDateTimeUI包含两个类,一个是CDate ...

  3. MySQL用户权限控制一例

      Preface       I supposed we are encountering a situation that there's an anonymous user has connec ...

  4. linux下安装redis及主从配置

    安装比较简单,确保linux安装有gcc # gcc -v 查看gcc版本,如果没有yum安装即可 安装开始 1.redis-3.2.8.tar.gz 上传至服务器 (百度网盘:http://pan. ...

  5. 时间动态协同过滤(TimeSVD++)

    原作者 原论文地址 http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.379.1951&rep=rep1&type=pd ...

  6. c# 复选下拉框

    引用dll: http://pan.baidu.com/s/1qXa97UO 自定义类: namespace TMI_S { /// <summary> /// 功能描述:自定义多选下拉框 ...

  7. jquery UI 跟随学习笔记——拖拽(Draggable)

    引言 这周暂时没有任务下达,所以老大给我的任务就是熟悉jquery相关插件,我就先选择了jquery UI插件,以及jquery库学习. 我用了两天的时候熟悉Interactions模块中的Dragg ...

  8. 【PHP】- 全局变量global和$GLOBALS的区别

    1.global global关键字的作用是定义全局变量,但是这个全局变量不是应用于整个网站,而是应用于当前页面,包括include或require的所有文件. 但是在函数体内定义的global变量, ...

  9. 微信小程序开发中怎么设置转发(分享)的信息

    如果什么都不设置,转发时默认名称是小程序的名称,转发的图片显示的是当前页面的截图,如图一 如何在自定义转发信息呢? 在进行转发的页面中: Page({ onShareAppMessage: funct ...

  10. QueryHelper插件类(hql)

    package cn.itcast.core.util; import java.util.ArrayList; import java.util.List; public class QueryHe ...