CentOS 7 主机加固手册-下
0x1f 删除禁用非必要的服务
删除非必要的服务
# Remove yum remove xinetd yum remove telnet-server yum remove rsh-server yum remove telnet yum remove rsh-server yum remove rsh yum remove ypbind yum remove ypserv yum remove tftp-server yum remove cronie-anacron yum remove bind yum remove vsftpd yum remove httpd yum remove dovecot yum remove squid yum remove net-snmpd
禁止非必要的服务
#Disable / Enable systemctl disable xinetd systemctl disable rexec systemctl disable rsh systemctl disable rlogin systemctl disable ypbind systemctl disable tftp systemctl disable certmonger systemctl disable cgconfig systemctl disable cgred systemctl disable cpuspeed systemctl enable irqbalance systemctl disable kdump systemctl disable mdmonitor systemctl disable messagebus systemctl disable netconsole systemctl disable ntpdate systemctl disable oddjobd systemctl disable portreserve systemctl enable psacct systemctl disable qpidd systemctl disable quota_nld systemctl disable rdisc systemctl disable rhnsd systemctl disable rhsmcertd systemctl disable saslauthd systemctl disable smartd systemctl disable sysstat systemctl enable crond systemctl disable atd systemctl disable nfslock systemctl disable named systemctl disable httpd systemctl disable dovecot systemctl disable squid systemctl disable snmpd
禁用Secure RPC Client 服务
Disable rpcgssd:
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:
systemctl disable rpcgssd
禁止 Secure RPC Server Service
systemctl disable rpcsvcgssd
禁止 RPC ID Mapping Service
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:
systemctl disable rpcidmapd
禁止 Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:
sudo systemctl disable netfs
禁止 Network File System (nfs)
systemctl disable nfs
如果不需要SSH,则删除之:
systemctl disable sshd
删除 SSH iptables 防火墙规则
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Tips™ - You probable need to leave SSH alone
###Remove Rsh Trust Files
rm /etc/hosts.equiv
rm ~/.rhosts
禁止 Avahi Server Software
systemctl disable avahi-daemon
the CUPS Service
如果不需要CUPS,禁止之,减少攻击面
systemctl disable cups
禁止 DHCP 服务
systemctl disable dhcpd
卸载 DHCP Server Package
如果不需要DHCP客户端,就删除之
yum erase dhcp
禁止DHCP ,使用静态ip
Example:
BOOTPROTO=none NETMASK=255.255.255.0 IPADDR=192.168.1.2 GATEWAY=192.168.1.1
指定 NTP服务器
vim /etc/ntp.conf
server ntpserver
当然最好使用内网的NTP服务器
启用 Postfix
systemctl enable postfix
删除 Sendmail
yum remove sendmail
设置Postfix仅本地监听
Open, /etc/postfix/main.cf and ensure the following inet_interfaces line appears:
vim
inet_interfaces = localhost
配置 SMTP banner
banner会暴露当前的 SMTP 服务器是 Postfix.
禁止 xinetd Service
sudo systemctl disable xinetd
System Audit Logs权限设置
System audit logs 权限最高为0640
sudo chmod 0640 audit_file
System Audit Logs 所有者为root
sudo chown root/var/log
禁止 autofs
chkconfig --level 0123456 autofs off service autofs stop
0x21 禁止不常见的文件系统
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
0x22 禁止 core dumps
vi /etc/security/limits.conf * hard core 0
0x23 禁止SUID程序core dumps
Run sysctl -w fs.suid_dumpable=0 and fs.suid_dumpable = 0. # Set runtime for fs.suid_dumpable # sysctl -q -n -w fs.suid_dumpable=0 # # If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" # else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf # if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf else echo "" >> /etc/sysctl.conf echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf fi
0x24 防止缓冲区溢出
启用 ExecShield
用于防御 stack smashing / BOF.
sysctl -w kernel.exec-shield=1
在 /etc/sysctl.conf里面添加
kernel.exec-shield = 1
启用ASLR
Set runtime for kernel.randomize_va_space
sysctl -q -n -w kernel.randomize_va_space=2
在 /etc/sysctl.conf 里面添加一行:
kernel.randomize_va_space = 2
Enable XD or NX Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check bios and ensure XD/NX is enabled, not relevant for VM’s.
0x25 配置SELinux
确认SELinux开启
sed -i "s/selinux=0//gI" /etc/grub.conf sed -i "s/enforcing=0//gI" /etc/grub.conf
启用SELinux
vim /etc/selinux/config SELINUXTYPE=targeted
SELINUXTYPE=targeted 或者设置为 SELINUXTYPE=enforcing,这取决于实际情况。
启用SELinux restorecond 服务
estorecond (系统)利用 /etc/selinux/restorecond.conf 的设定来判断当新建文件时,该文件的 SELinux 类型应该如何还原。需要注意的是,如果你的系统有很多非正规的 SELinux 文件类型设定时,这个 daemon最好关闭,否则他会将你设定的 type 修改回默认值。
启用 restorecond for all run levels:
chkconfig --level 0123456 restorecond on
启动 restorecond:
service restorecond start
确保没有未被SELinux限制的守护进程
sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }’
0x26 防止空密码登录
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
0x27 加固 SSH服务
只允许SSH Protocol 2
vim /etc/ssh/sshd_config Protocol 2
限制特定用户SSH登录
vim /etc/ssh/sshd_config DenyUsers USER1 USER2
配置 Idle Log Out Timeout 间隔为600秒
ClientAliveInterval 600
Set SSH Client Alive Count
不要支持闲置会话
To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
禁止SSH支持.rhosts文件
IgnoreRhosts参数可以忽略以前登录过主机的记录
vim /etc/ssh/sshd_config: IgnoreRhosts yes
禁止基于主机的认证
SSH的加密主机身份验证比.rhosts身份验证更安全。 但是即使在一个组织内也不建议主机互相信任。
vim /etc/ssh/sshd_config: HostbasedAuthentication no
禁止SSH root登录
vim /etc/ssh/sshd_config PermitRootLogin no
禁止SSH空密码登录
vim /etc/ssh/sshd_config: PermitEmptyPasswords no
开启SSH 警告标语
开启告警标语,提高安全意识。
banner /etc/issue
禁止SSH Environment选项
当客户端从ssh登陆到服务端时,服务端禁止从本地的~/.ssh/environment读取特定客户端的环境变量配置文件。
PermitUserEnvironment no
仅使用被证明的加密算法
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
0x29 加固X桌面(X windows)
禁止X桌面,减少攻击面
yum groupremove "X Window System
0x2a 定时更新
yum -y install yum-cron chkconfig yum-cron on
另外设置 yum-cron 为 “check only”,不推荐自动安装更新。
原文:https://highon.coffee/blog/security-harden-centos-7/
CentOS 7 主机加固手册-下的更多相关文章
- CentOS 7 主机加固手册-中
CentOS 7 主机加固手册-上 CentOS 7 主机加固手册-中 CentOS 7 主机加固手册-下 0x0c 设置/boot/grub2/grub.cfg权限 Set grub.conf ...
- CentOS 7 主机加固手册-上
TIPs: 世界上有一撮人专门研究主机安全加固基线,有兴趣的读者可以到 http://benchmarks.cisecurity.org/ 获取更加详细专业的主机安全基线配置文档.或者到 https: ...
- 外网主机访问虚拟机下的Web服务器_服务器应用_Linux公社-Linux系统门户网站
body{ font-family: "Microsoft YaHei UI","Microsoft YaHei",SimSun,"Segoe UI& ...
- centos修改主机名命令
centos修改主机名命令 需要修改两处:一处是/etc/sysconfig/network,另一处是/etc/hosts,只修改任一处会导致系统启动异常.首先切换到root用户. vi / ...
- 主机加固之windows2003
这篇与上一篇的win7主机加固内容大体类似,部分有些不同.这篇也可以用来尝试加固windows XP. 1. 配置管理 1.1用户策略 注意:在对Windows系统加固之前先新建一个临时的系统管理员账 ...
- 主机加固之win7
这套主机加固方案很简单,一步一步按着顺序来弄就可以,部分步骤还配有相关图片.可以先用虚拟机来做一次加固,以防弄错后不好恢复.记得弄个快照,以防万一.下次有空写个win7暴力破解~ 1. 配置管理 1. ...
- Centos文本方式安装情况下lvm分区的创建
作者:马 岩(Furzoom) (http://www.cnblogs.com/furzoom/)版权声明:本文的版权归作者与博客园共同所有.转载时请在明显地方注明本文的详细链接,未经作者同意请不要删 ...
- CentOS 7主机名的弯弯绕绕
在CentOS 6中,修改主机名方式很简单,临时修改主机名使用hostname命令,永久修改主机名直接写进文件/etc/sysconfig/network中即可. 但在CentOS 7中,主机名就没那 ...
- Centos 修改主机名称
Centos 配置主机名称: 1.首先查询一下当前的主机名称 [root@localhost~]# hostnamectl status Static hostname: ****** //永久主机名 ...
随机推荐
- 存一些有用的CSS
reset ;} table{} fieldset,img{} address,caption,cite,code,dfn,em,strong,th,var{font-style:normal;fon ...
- CDateTimeUI类源码分析
CDateTimeUI是duilib里选择日期的控件,继承于CLabelUI控件,用于记录已经选择的日期,选择控件则是调用win32的日期选择控件. CDateTimeUI包含两个类,一个是CDate ...
- MySQL用户权限控制一例
Preface I supposed we are encountering a situation that there's an anonymous user has connec ...
- linux下安装redis及主从配置
安装比较简单,确保linux安装有gcc # gcc -v 查看gcc版本,如果没有yum安装即可 安装开始 1.redis-3.2.8.tar.gz 上传至服务器 (百度网盘:http://pan. ...
- 时间动态协同过滤(TimeSVD++)
原作者 原论文地址 http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.379.1951&rep=rep1&type=pd ...
- c# 复选下拉框
引用dll: http://pan.baidu.com/s/1qXa97UO 自定义类: namespace TMI_S { /// <summary> /// 功能描述:自定义多选下拉框 ...
- jquery UI 跟随学习笔记——拖拽(Draggable)
引言 这周暂时没有任务下达,所以老大给我的任务就是熟悉jquery相关插件,我就先选择了jquery UI插件,以及jquery库学习. 我用了两天的时候熟悉Interactions模块中的Dragg ...
- 【PHP】- 全局变量global和$GLOBALS的区别
1.global global关键字的作用是定义全局变量,但是这个全局变量不是应用于整个网站,而是应用于当前页面,包括include或require的所有文件. 但是在函数体内定义的global变量, ...
- 微信小程序开发中怎么设置转发(分享)的信息
如果什么都不设置,转发时默认名称是小程序的名称,转发的图片显示的是当前页面的截图,如图一 如何在自定义转发信息呢? 在进行转发的页面中: Page({ onShareAppMessage: funct ...
- QueryHelper插件类(hql)
package cn.itcast.core.util; import java.util.ArrayList; import java.util.List; public class QueryHe ...