
CentOS 7 Host Hardening Manual - 3

1. Remove non-essential services

# Remove
yum remove xinetd
yum remove telnet-server
yum remove rsh-server
yum remove telnet
yum remove rsh
yum remove ypbind
yum remove ypserv
yum remove tftp-server
yum remove cronie-anacron
yum remove bind
yum remove vsftpd
yum remove httpd
yum remove dovecot
yum remove squid
yum remove net-snmp

2. Disable non-essential services

# Disable / Enable
systemctl disable xinetd
systemctl disable rexec
systemctl disable rsh
systemctl disable rlogin
systemctl disable ypbind
systemctl disable tftp
systemctl disable certmonger
systemctl disable cgconfig
systemctl disable cgred
systemctl disable cpuspeed
systemctl enable irqbalance
systemctl disable kdump
systemctl disable mdmonitor
systemctl disable messagebus
systemctl disable netconsole
systemctl disable ntpdate
systemctl disable oddjobd
systemctl disable portreserve
systemctl enable psacct
systemctl disable qpidd
systemctl disable quota_nld
systemctl disable rdisc
systemctl disable rhnsd
systemctl disable rhsmcertd
systemctl disable saslauthd
systemctl disable smartd
systemctl disable sysstat
systemctl enable crond
systemctl disable atd
systemctl disable nfslock
systemctl disable named
systemctl disable httpd
systemctl disable dovecot
systemctl disable squid
systemctl disable snmpd

Disable the Secure RPC client service
systemctl disable rpcgssd

Disable the Secure RPC server service
systemctl disable rpcsvcgssd

Disable the RPC ID mapping service
systemctl disable rpcidmapd

Disable Network File Systems (netfs)
systemctl disable netfs

Disable Network File System (nfs)
systemctl disable nfs

If SSH is not needed, disable it:
systemctl disable sshd

Remove the SSH iptables firewall rule
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Tip: you probably need to leave SSH alone.
# Remove rsh trust files
rm /etc/hosts.equiv
rm ~/.rhosts

Disable the Avahi server software
systemctl disable avahi-daemon

If CUPS is not needed, disable it to reduce the attack surface
systemctl disable cups

Disable the DHCP service
systemctl disable dhcpd

Remove the DHCP server package
If the DHCP client is not needed, remove it as well:
yum erase dhcp

Specify the NTP server (replace ntpserver with the address of your own time server)
vim /etc/ntp.conf
server ntpserver

Enable Postfix
systemctl enable postfix

Remove Sendmail
yum remove sendmail

Configure Postfix to listen on localhost only
Open /etc/postfix/main.cf and ensure the following inet_interfaces line appears:
inet_interfaces = localhost

Configure the SMTP banner
The default banner (the smtpd_banner parameter in /etc/postfix/main.cf) reveals that the SMTP server is Postfix.

Disable the xinetd service
systemctl disable xinetd

System audit logs: permissions must be no more permissive than 0640 (audit_file is a placeholder for the audit log path)
sudo chmod 0640 audit_file

System audit logs must be owned by root
chown root /var/log

Disable autofs
chkconfig --level 0123456 autofs off
service autofs stop

Disable uncommon filesystems

echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

Disable core dumps
vi /etc/security/limits.conf
* hard core 0

Disable core dumps for SUID programs

Set fs.suid_dumpable=0 at runtime with sysctl -w and persist fs.suid_dumpable = 0 in /etc/sysctl.conf:
# Set runtime for fs.suid_dumpable
#
sysctl -q -n -w fs.suid_dumpable=0
#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
#     else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
     sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
     echo "" >> /etc/sysctl.conf
     echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
     echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi

Prevent buffer overflows
Enable ExecShield
Used to defend against stack smashing / buffer overflows.
sysctl -w kernel.exec-shield=1
or add the following to /etc/sysctl.conf:
kernel.exec-shield = 1
Note: CentOS 7 kernels no longer expose the kernel.exec-shield sysctl (NX protection is always on), so this command reports an unknown key there.

Enable ASLR
sysctl -q -n -w kernel.randomize_va_space=2

Add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
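The fs.suid_dumpable snippet above hard-codes one key; the same replace-or-append pattern applies to every sysctl in this manual. The following is an added example, not part of the original post: it takes the target file as a parameter (so it can be run against a copy rather than /etc/sysctl.conf), applies settings live only when called with "apply", and uses a constructed sample file for its demo. kernel.exec-shield is deliberately left out because that key does not exist on CentOS 7 kernels.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently persist a sysctl
# setting in a sysctl.conf-style file, generalizing the fs.suid_dumpable
# snippet above to any key, then apply the manual's settings.
# Usage: harden_kernel_sysctls [FILE] [apply]   (FILE defaults to /etc/sysctl.conf)

# Escape the dots in a sysctl key so it can be used literally in a regex.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Replace an existing "KEY = VALUE" line or append one if the key is absent.
persist_sysctl() {
    key=$1; value=$2; file=$3; re=$(key_re "$key")
    if grep -qE "^[[:space:]]*${re}[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i -E "s|^[[:space:]]*${re}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '\n# Hardening: %s\n%s = %s\n' "$key" "$key" "$value" >> "$file"
    fi
}

# Print the persisted value of KEY from FILE (last match wins, as sysctl does).
read_sysctl() {
    sed -nE "s|^[[:space:]]*$(key_re "$1")[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$2" | tail -n 1
}

# Persist the two sysctls this manual sets (kernel.exec-shield is omitted: the
# key does not exist on CentOS 7). With a second argument "apply", also set the
# running kernel, which needs root on a real host.
harden_kernel_sysctls() {
    file=${1:-/etc/sysctl.conf}; apply=${2:-no}
    for kv in fs.suid_dumpable=0 kernel.randomize_va_space=2; do
        key=${kv%%=*}; value=${kv#*=}
        persist_sysctl "$key" "$value" "$file"
        if [ "$apply" = apply ]; then sysctl -q -w "$key=$value"; fi
    done
}

# Demo on a constructed copy (not a real host's file) so it runs as a normal user.
demo=$(mktemp)
printf 'net.ipv4.ip_forward = 0\nfs.suid_dumpable=1\n' > "$demo"
harden_kernel_sysctls "$demo"
cat "$demo"
rm -f "$demo"
```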

Configure SELinux and make sure it is enabled
sed -i "s/selinux=0//gI" /etc/grub.conf
sed -i "s/enforcing=0//gI" /etc/grub.conf
Enable SELinux
vim /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
SELINUX= sets the mode (enforcing) and SELINUXTYPE= selects the policy (targeted); set them according to the actual situation.

Prevent empty-password logins
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth

Harden the SSH service
Allow only SSH protocol 2
vim /etc/ssh/sshd_config
Protocol 2

Deny SSH login to specific users
vim /etc/ssh/sshd_config
DenyUsers USER1 USER2

Set the idle logout timeout to 600 seconds
ClientAliveInterval 600

Do not allow idle sessions to linger
ClientAliveCountMax 0

Disable .rhosts support in SSH
IgnoreRhosts makes sshd ignore users' .rhosts and .shosts files.
vim /etc/ssh/sshd_config:
IgnoreRhosts yes

Disable host-based authentication
SSH's cryptographic host-based authentication is more secure than .rhosts authentication, but mutual trust between hosts is not recommended even within a single organization.
vim /etc/ssh/sshd_config:
HostbasedAuthentication no

Disable SSH root login
vim /etc/ssh/sshd_config
PermitRootLogin no

Disable SSH logins with empty passwords
vim /etc/ssh/sshd_config:
PermitEmptyPasswords no

Enable the SSH warning banner
Enabling a warning banner raises security awareness.
Banner /etc/issue

Disable the SSH environment option
When a client logs in over SSH, the server refuses to read per-user environment settings from ~/.ssh/environment.
PermitUserEnvironment no

Use only proven ciphers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Note: the CBC-mode entries and 3des-cbc in this list are considered weak today; prefer the -ctr entries (and AES-GCM where the installed OpenSSH supports it).
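The sshd_config directives in this section are easy to set but also easy to leave half-applied (commented out, duplicated, or overridden by an earlier line). The following is an added example, not part of the original post: a compliance check that reads the effective value of each directive the way sshd does (first occurrence wins, keywords case-insensitive) and reports deviations. The file path is a parameter, the sample config is constructed, and Match blocks are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against
# the directives this section asks for. Prints one line per deviation and
# returns the number of deviations (0 = compliant), so it can gate a restart.
# Usage: audit_sshd_config [FILE]   (defaults to /etc/ssh/sshd_config)

# Effective value of a keyword: sshd honours the FIRST occurrence, keywords
# are case-insensitive, comments are ignored. Match blocks are not handled.
sshd_value() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$2"
}

audit_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}; bad=0
    # Keyword=expected pairs mirroring the sshd_config lines in this section
    for spec in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no \
                IgnoreRhosts=yes HostbasedAuthentication=no \
                PermitUserEnvironment=no ClientAliveInterval=600 \
                ClientAliveCountMax=0 Banner=/etc/issue; do
        key=${spec%%=*}; want=${spec#*=}
        got=$(sshd_value "$key" "$file")
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $want)"; bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key is '$got' (expected $want)"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample (not a real host's file) so the example runs stand-alone.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
permitrootlogin yes
ClientAliveInterval 600
ClientAliveCountMax 3
# PermitEmptyPasswords no   <- commented out, so not in effect
IgnoreRhosts yes
HostbasedAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? deviation(s) found"
rm -f "$sample"
```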

Disable the X desktop to reduce the attack surface
yum groupremove "X Window System"

Scheduled updates
yum -y install yum-cron
chkconfig yum-cron on
Also set yum-cron to "check only" (apply_updates = no in /etc/yum/yum-cron.conf); installing updates automatically is not recommended.
