
CentOS 7 Host Hardening Manual, Part 1

Start from a minimal installation of CentOS 7.

1. Install basic tools: the default minimal install lacks ifconfig and similar utilities

# yum install lrzsz wget telnet net-tools

2. Mount partitions securely
If the host serves a dynamic website, the filesystem holding the site must not be mounted with the noexec option. /tmp and /var/tmp, on the other hand, should be mounted with noexec, because attackers commonly upload and run privilege-escalation programs from these two directories.

Option          Meaning
noatime         Reading a file does not update the atime field in its attributes
nodiratime      Setting noatime alone is enough; nodiratime need not be set in addition
nosuid          The suid and sgid bits are ignored on this filesystem
noexec          Binaries on this filesystem may not be executed
nodev           Device files on this partition are not interpreted

Example of a securely configured /etc/fstab:

# /etc/fstab
/dev/mapper/lg_os-lv_root /                       xfs     defaults        1 1
UUID=d73c5d22-75ed-416e-aad2-8c1bb1dfc713 /boot                   ext4    defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_data-lv_home /home                   xfs     defaults        1 2
/dev/mapper/lg_os-lv_tmp /tmp                    xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_os-lv_var /var                    xfs     defaults,nosuid        1 2
/dev/mapper/lg_os-lv_var_tmp /var/tmp                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_os-lv_var_tmp /var/log                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_os-lv_var_tmp /var/log/audit                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_data-lv_var_www /var/www                xfs     defaults,nosuid,noexec,nodev        1 2
/dev/mapper/lg_data-lv_swap swap                    swap    defaults        0 0
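As an added example (not code from the original post), the checker below parses an fstab in the format shown above and reports which of the mount points the post singles out (/tmp and /var/tmp) are missing nosuid, noexec or nodev, or are not separate filesystems at all. The REQUIRED table and the two sample fstabs are this example's own constructed inputs.

```python
# Mount points the post says must carry these options (this table is the
# example's own summary of the advice, not the post's code).
REQUIRED = {
    "/tmp": {"nosuid", "noexec", "nodev"},
    "/var/tmp": {"nosuid", "noexec", "nodev"},
}

def parse_fstab(text):
    """Return {mountpoint: (device, fstype, set_of_options)} for each entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # skip blank and comment lines
        fields = line.split()
        if len(fields) < 4:
            continue                       # malformed entry, ignore it
        dev, mnt, fstype, opts = fields[:4]
        entries[mnt] = (dev, fstype, set(opts.split(",")))
    return entries

def audit_fstab(text, required=REQUIRED):
    """Return sorted (mountpoint, missing_options) findings; [] means compliant.
    A required mount point absent from fstab is reported as not being a
    separate filesystem, because no mount option can be applied to it."""
    entries = parse_fstab(text)
    findings = []
    for mnt in sorted(required):
        if mnt not in entries:
            findings.append((mnt, ["not a separate filesystem"]))
            continue
        missing = sorted(required[mnt] - entries[mnt][2])
        if missing:
            findings.append((mnt, missing))
    return findings

# Constructed samples: a weak layout (/tmp lives on the root filesystem and
# /var/tmp lacks noexec and nodev) and the hardened /tmp and /var/tmp lines.
WEAK_FSTAB = """
/dev/mapper/lg_os-lv_root /        xfs  defaults        1 1
/dev/mapper/lg_os-lv_var_tmp /var/tmp xfs defaults,nosuid 1 2
"""
HARDENED_FSTAB = """
/dev/mapper/lg_os-lv_root /        xfs  defaults        1 1
/dev/mapper/lg_os-lv_tmp /tmp       xfs defaults,nosuid,noexec,nodev 1 2
/dev/mapper/lg_os-lv_var_tmp /var/tmp xfs defaults,nosuid,noexec,nodev 1 2
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_FSTAB), ("hardened", HARDENED_FSTAB)):
        print(name, audit_fstab(text) or "OK")
```

To audit a live host, pass the contents of /etc/fstab to audit_fstab; note that this checks the configured options, not what is currently mounted (compare with findmnt).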

3. Install the NTP service

root:~# yum install ntp ntpdate
root:~# systemctl enable ntpd
root:~# ntpdate pool.ntp.org
root:~# systemctl start ntpd

4. Configure the integrity-checking tool AIDE

Prelinking binaries shortens their startup time, but it modifies the binaries and therefore breaks AIDE's checks, so it must be disabled before AIDE is configured. Open /etc/sysconfig/prelink and make sure it contains PRELINKING=no, or simply run the following shell script:

# Disable prelinking altogether
# 
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
  echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi

Apply the change (undo any existing prelinking):
root:~# /usr/sbin/prelink -ua

Install AIDE, build the initial database and run a first check:

root:~# yum install aide -y && /usr/sbin/aide --init && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && /usr/sbin/aide --check

Schedule a daily automatic check:

# Configure periodic execution of AIDE; it runs every morning at 04:05
echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab

5. Prevent users from mounting USB storage

echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf

6. Enable a strong password hashing policy
The following command switches the password hash from MD5 to SHA-512:

# authconfig --passalgo=sha512 --update

7. Configure the password policy in pwquality.conf
# vi /etc/security/pwquality.conf

# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password
difok = 5
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 14
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
dcredit = 1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
ucredit = 1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
lcredit = 1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
ocredit = 1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
minclass = 4
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
maxrepeat = 3
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
maxclassrepeat = 3
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
gecoscheck = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
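The comments in the file above describe the credit semantics in prose; the added example below (this page's own illustration, not libpwquality's code) is a simplified model of how minlen, the four credit settings, minclass, maxrepeat and maxclassrepeat are applied to a candidate password. The POLICY values are the ones set above; the dictionary check and the "plus one" quirk mentioned in the comments are deliberately left out.

```python
# Simplified model of the libpwquality checks configured above (an added
# illustration, not libpwquality's own code; dictionary checks are omitted).
POLICY = dict(minlen=14, dcredit=1, ucredit=1, lcredit=1, ocredit=1,
              minclass=4, maxrepeat=3, maxclassrepeat=3)

def _classify(ch):
    """Map a character to its pwquality class: d(igit), u(pper), l(ower), o(ther)."""
    if ch.isdigit():
        return "d"
    if ch.isupper():
        return "u"
    if ch.islower():
        return "l"
    return "o"

def _longest_run(seq):
    """Length of the longest run of identical consecutive items in seq."""
    best = run = 1 if seq else 0
    for a, b in zip(seq, seq[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def check_password(pw, p=POLICY):
    """Return the names of the rules the password violates ([] = accepted)."""
    classes = [_classify(ch) for ch in pw]
    counts = {c: classes.count(c) for c in "dulo"}
    problems = []
    # minlen is compared against the effective length: a positive credit adds
    # up to that many characters of its class, a negative credit is a floor on
    # how many characters of that class must be present (and adds nothing).
    effective = len(pw)
    for c in "dulo":
        credit = p[c + "credit"]
        if credit >= 0:
            effective += min(counts[c], credit)
        elif counts[c] < -credit:
            problems.append(c + "credit")
    if effective < p["minlen"]:
        problems.append("minlen")
    if sum(1 for c in "dulo" if counts[c]) < p["minclass"]:
        problems.append("minclass")
    if p["maxrepeat"] and _longest_run(pw) > p["maxrepeat"]:
        problems.append("maxrepeat")
    if p["maxclassrepeat"] and _longest_run(classes) > p["maxclassrepeat"]:
        problems.append("maxclassrepeat")
    return problems
```

With the positive credits shown in the file, an 11-character password that contains all four classes already reaches the effective length of 14, so minlen=14 does not guarantee 14 actual characters; set the credits to negative values if a hard minimum per class is wanted.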

8. Set the password aging policy (change the following parameters)

# vi /etc/login.defs
PASS_MIN_LEN 14
PASS_MIN_DAYS 1
PASS_MAX_DAYS 60

9. Show the user's last login information

# vim /etc/pam.d/system-auth 
session required pam_lastlog.so showfailed

10. Set the maximum number of password attempts per session

# vi /etc/pam.d/system-auth
# pam_pwquality.so belongs to the password stack (it has no auth type) and needs a control value
password requisite pam_pwquality.so retry=3

11. Block repeated wrong-password attempts
Edit both PAM configuration files, /etc/pam.d/system-auth and /etc/pam.d/password-auth (three failed attempts lock the account for 20 minutes):

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=1200 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=1200 fail_interval=900
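The two lines above set deny=3, fail_interval=900 and unlock_time=1200; the added example below (this page's own model, not pam_faillock's code) walks constructed login attempts through those counters to show when an account is locked, when the lock expires, and why three failures spread more than fail_interval apart never lock it.

```python
# Model of the pam_faillock counters configured above (an added
# illustration of the documented semantics, not pam_faillock's own code).
DENY, FAIL_INTERVAL, UNLOCK_TIME = 3, 900, 1200

def lock_state(failure_times, now, deny=DENY,
               fail_interval=FAIL_INTERVAL, unlock_time=UNLOCK_TIME):
    """Return (locked, counted_failures). Only failures within fail_interval
    seconds of the most recent one count; a lock lasts unlock_time seconds
    after that most recent failure."""
    if not failure_times:
        return False, 0
    latest = max(failure_times)
    recent = [t for t in failure_times if latest - t <= fail_interval]
    if len(recent) < deny:
        return False, len(recent)
    if unlock_time and now - latest >= unlock_time:
        return False, 0                 # the lockout has expired
    return True, len(recent)

def simulate(attempts, deny=DENY, fail_interval=FAIL_INTERVAL,
             unlock_time=UNLOCK_TIME):
    """attempts: list of (time_seconds, password_correct). Returns one
    outcome per attempt: 'ok', 'denied' (bad password) or 'locked'."""
    failures, outcomes = [], []
    for t, correct in attempts:
        locked, _ = lock_state(failures, t, deny, fail_interval, unlock_time)
        if locked:
            outcomes.append("locked")   # rejected even if the password is right
        elif correct:
            failures.clear()            # authsucc: a successful login resets the tally
            outcomes.append("ok")
        else:
            failures.append(t)          # authfail: record the failure
            outcomes.append("denied")
    return outcomes

# Constructed attempt sequences (time in seconds, whether the password was right)
BURST = [(0, False), (60, False), (120, False), (600, True),
         (1320, True), (1400, False), (1500, True)]
SPREAD = [(0, False), (1000, False), (2000, False), (2010, True)]

if __name__ == "__main__":
    print(simulate(BURST))    # three quick failures lock; the lock expires at 120 + 1200
    print(simulate(SPREAD))   # failures 1000 s apart never accumulate to deny=3
```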

12. Limit password reuse
Configure this through PAM: in /etc/pam.d/system-auth, add remember=24 to the line containing pam_unix.so. The server then keeps each user's previous 24 passwords and refuses their reuse. Why 24? Because that is the US Department of Defense standard.

password sufficient pam_unix.so existing_options remember=24

13. Disable SELinux (not recommended)

# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config && setenforce 0

To be continued...
