Contents:
1. BIOS
2. SSH security
3. Disable telnet
4. Disable code compilation
5. ProFTP
6. TCP wrappers
7. Create an SU group
8. Root notification
9. history security
10. Welcome message
11. Disable all special accounts
12. chmod dangerous files
13. Specify the TTY devices from which root may log in
14. Choose a secure password
15. Check for rootkits
16. Install patches
17. Hide Apache information
18. Hide PHP information
19. Shut down unused services
20. Detect listening ports
21. Close open ports and services
22. Remove unused rpm packages
23. Disable dangerous PHP functions
24. Install and configure a firewall
25. Install and configure BFD
26. Kernel hardening (sysctl.conf)
27. Change the SSH port
28. /tmp, /var/tmp, /dev/shm partition security
29. PHP IDS
Summary
========================================================================
Introduction
This tutorial guides you step by step towards a secure Linux system. No operating system is secure enough in its default installation; this article shows how to build a relatively secure Linux system.
========================================================================
1. BIOS
You should always set a BIOS password and disable booting from CD-ROM and floppy. This prevents unauthorized people from accessing your system and changing the BIOS settings.
2. SSH security
SSH is a protocol for logging in to a remote system or executing commands on it remotely. By default it permits root to log in, and SSHv1 has known weaknesses, so we should forbid root access in sshd_config and use SSHv2 to make SSH more secure. Method:
- vi /etc/ssh/sshd_config
- PermitRootLogin = no
- /etc/rc.d/init.d/sshd restart
- /etc/xinetd.d/telnet
- disable=yes
- /usr/sbin/groupadd compiler
- cd /usr/bin
- chgrp compiler *cc*
- chgrp compiler *++*
- chgrp compiler ld
- chgrp compiler as
- chgrp root mysqlaccess
- chmod 750 *cc*
- chmod 750 *++*
- chmod 750 ld
- chmod 750 as
- chmod 755 mysqlaccess
- compiler:x:520:user1,user2
- RootLogin off
- /sbin/service proftpd stop
- /sbin/service proftpd start
- #Approved IP addresses
- ALL:192.168.0.1
- ALL:192.168.5.2
- #CSV uploader machine
- proftpd:10.0.0.5
- #pop3 from anywhere
- ipop3:ALL
- ALL:ALL EXCEPT localhost
- chgrp wheel /bin/su
- chmod o-rwx /bin/su
- echo 'ALERT - Root Shell Access (Server Name) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" your@email.com
- chattr +a .bash_history
- chattr +i .bash_history
- /usr/sbin/usermod -L -s /bin/false user
- chmod 700 /bin/ping
- chmod 700 /usr/bin/finger
- chmod 700 /usr/bin/who
- chmod 700 /usr/bin/w
- chmod 700 /usr/bin/locate
- chmod 700 /usr/bin/whereis
- chmod 700 /sbin/ifconfig
- chmod 700 /usr/bin/pico
- chmod 700 /usr/bin/vi
- chmod 700 /usr/bin/which
- chmod 700 /usr/bin/gcc
- chmod 700 /usr/bin/make
- chmod 700 /bin/rpm
- vi /etc/securetty
- tty1
- tty2
- vi /etc/login.defs
- PASS_MIN_LEN 8
- wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
- wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
- tar -zxvf chkrootkit.tar.gz
- cd chkrootkit
- ./configure
- make sense
- vi /etc/cron.daily/chkrootkit.sh
- cd /root/chkrootkit/
- ./chkrootkit | mail -s "Daily chkrootkit from Server Name" your@email.com
- List available updates: up2date -l
- Install all updates except the excluded ones: up2date -u
- Install all updates including the excluded ones: up2date -uf
- ServerSignature Off
- expose_php=Off
- cd /etc/xinetd.d
- grep disable *
- netstat -tulp, or
- lsof -i -n | egrep 'COMMAND|LISTEN|UDP', or
- nmap
- whereis php.ini
- vi /usr/local/lib/php.ini
- disable_functions = "symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd"
- tar -zxvf apf-current.tar.gz
- cd apf-0.9.7-1
- ./install.sh
- Common ingress (inbound)
- # Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure FTPD
- IG_TCP_CPORTS="21,22,25,53,80,110,143,443,995"
- #
- # Common ingress (inbound) UDP ports
- IG_UDP_CPORTS="53"
- # Egress filtering [0 = Disabled / 1 = Enabled]
- EGF="1"
- # Common egress (outbound) TCP ports
- EG_TCP_CPORTS="21,25,80,443,43"
- #
- # Common egress (outbound) UDP ports
- EG_UDP_CPORTS="20,21,53"
- 2. CPanel configuration
- Common ingress (inbound) ports
- # Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure FTPD
- IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
- #
- # Common ingress (inbound) UDP ports
- IG_UDP_CPORTS="53"
- Common egress (outbound) ports
- # Egress filtering [0 = Disabled / 1 = Enabled]
- EGF="1"
- # Common egress (outbound) TCP ports
- EG_TCP_CPORTS="21,25,80,443,43,2089"
- #
- # Common egress (outbound) UDP ports
- EG_UDP_CPORTS="20,21,53"
- # Organization name to display on outgoing alert emails
- CONAME="Your Company"
- # Send out user defined attack alerts [0=off,1=on]
- USR_ALERT="0"
- #
- # User for alerts to be mailed to
- USR=you@yourco.com
- To make the firewall start with the Operating System: chkconfig --level 2345 apf on
- wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
- tar -zxvf bfd-current.tar.gz
- cd bfd-0.9
- # Enable/disable user alerts [0 = off; 1 = on]
- ALERT_USR="1"
- #
- # User alert email address
- EMAIL_USR="your@mail.com"
- #
- # User alert email; subject
- SUBJ_USR="Brute Force Warning for $HOSTNAME"
- #
- # Kernel sysctl configuration file for Red Hat Linux
- #
- # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
- # sysctl.conf(5) for more details.
- # Controls IP packet forwarding
- net.ipv4.ip_forward = 0
- # Controls source route verification
- net.ipv4.conf.default.rp_filter = 1
- # Controls the System Request debugging functionality of the kernel
- kernel.sysrq = 0
- # Controls whether core dumps will append the PID to the core filename.
- # Useful for debugging multi-threaded applications.
- kernel.core_uses_pid = 1
- #Prevent SYN attack
- net.ipv4.tcp_syncookies = 1
- net.ipv4.tcp_max_syn_backlog = 2048
- net.ipv4.tcp_synack_retries = 2
- # Disables packet forwarding
- net.ipv4.ip_forward=0
- # Disables IP source routing
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv4.conf.lo.accept_source_route = 0
- net.ipv4.conf.eth0.accept_source_route = 0
- net.ipv4.conf.default.accept_source_route = 0
- # Enable IP spoofing protection, turn on source route verification
- net.ipv4.conf.all.rp_filter = 1
- net.ipv4.conf.lo.rp_filter = 1
- net.ipv4.conf.eth0.rp_filter = 1
- net.ipv4.conf.default.rp_filter = 1
- # Disable ICMP Redirect Acceptance
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv4.conf.lo.accept_redirects = 0
- net.ipv4.conf.eth0.accept_redirects = 0
- net.ipv4.conf.default.accept_redirects = 0
- # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
- net.ipv4.conf.all.log_martians = 1
- net.ipv4.conf.lo.log_martians = 1
- net.ipv4.conf.eth0.log_martians = 1
- # Disables IP source routing
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv4.conf.lo.accept_source_route = 0
- net.ipv4.conf.eth0.accept_source_route = 0
- net.ipv4.conf.default.accept_source_route = 0
- # Enable IP spoofing protection, turn on source route verification
- net.ipv4.conf.all.rp_filter = 1
- net.ipv4.conf.lo.rp_filter = 1
- net.ipv4.conf.eth0.rp_filter = 1
- net.ipv4.conf.default.rp_filter = 1
- # Disable ICMP Redirect Acceptance
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv4.conf.lo.accept_redirects = 0
- net.ipv4.conf.eth0.accept_redirects = 0
- net.ipv4.conf.default.accept_redirects = 0
- # Disables the magic-sysrq key
- kernel.sysrq = 0
- # Modify system limits for Ensim WEBppliance
- fs.file-max = 65000
- # Decrease the time default value for tcp_fin_timeout connection
- net.ipv4.tcp_fin_timeout = 15
- # Decrease the time default value for tcp_keepalive_time connection
- net.ipv4.tcp_keepalive_time = 1800
- # Turn off the tcp_window_scaling
- net.ipv4.tcp_window_scaling = 0
- # Turn off the tcp_sack
- net.ipv4.tcp_sack = 0
- # Turn off the tcp_timestamps
- net.ipv4.tcp_timestamps = 0
- # Enable TCP SYN Cookie Protection
- net.ipv4.tcp_syncookies = 1
- # Enable ignoring broadcasts request
- net.ipv4.icmp_echo_ignore_broadcasts = 1
- # Enable bad error message Protection
- net.ipv4.icmp_ignore_bogus_error_responses = 1
- # Log Spoofed Packets, Source Routed Packets, Redirect Packets
- net.ipv4.conf.all.log_martians = 1
- # Set maximum amount of memory allocated to shm to 256MB
- kernel.shmmax = 268435456
- # Improve file system performance
- vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
- # Improve virtual memory performance
- vm.buffermem = 90 10 60
- # Increases the size of the socket queue (effectively, q0).
- net.ipv4.tcp_max_syn_backlog = 1024
- # Increase the maximum total TCP buffer-space allocatable
- net.ipv4.tcp_mem = 57344 57344 65536
- # Increase the maximum TCP write-buffer-space allocatable
- net.ipv4.tcp_wmem = 32768 65536 524288
- # Increase the maximum TCP read-buffer space allocatable
- net.ipv4.tcp_rmem = 98304 196608 1572864
- # Increase the maximum and default receive socket buffer size
- net.core.rmem_max = 524280
- net.core.rmem_default = 524280
- # Increase the maximum and default send socket buffer size
- net.core.wmem_max = 524280
- net.core.wmem_default = 524280
- # Increase the tcp-time-wait buckets pool size
- net.ipv4.tcp_max_tw_buckets = 1440000
- # Allowed local port range
- net.ipv4.ip_local_port_range = 16384 65536
- # Increase the maximum memory used to reassemble IP fragments
- net.ipv4.ipfrag_high_thresh = 512000
- net.ipv4.ipfrag_low_thresh = 446464
- # Increase the maximum amount of option memory buffers
- net.core.optmem_max = 57344
- # Increase the maximum number of skb-heads to be cached
- net.core.hot_list_length = 1024
- ## DO NOT REMOVE THE FOLLOWING LINE!
- ## nsobuild:20051206
- sysctl -w net.ipv4.route.flush=1
- /sbin/mke2fs /dev/tmpMnt (answer yes to "...is not a block special device. continue?")
- cp -R /tmp/ /tmp_backup
- mount -o loop,rw,nosuid,noexec /dev/tmpMnt /tmp
- chmod 0777 /tmp
- cp -R /tmp_backup/* /tmp/
- rm -rf /tmp_backup
- /dev/tmpMnt /tmp ext2 loop,rw,nosuid,noexec 0 0
- mv /var/tmp /var/tmpbak
- ln -s /tmp /var/tmp
- cp /var/tmpbak/* /tmp/
- none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
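A check for the /tmp, /var/tmp and /dev/shm remounts above, as an added example that is not part of the original guide: it reads a mount table in /proc/mounts format and reports which of the intended options (nosuid, noexec) are missing. The table path, function names and the sample table are assumptions of this example; point TABLE at /proc/mounts on a live host.

```shell
#!/bin/sh
# Added example, not part of the original guide: confirm that the scratch filesystems
# remounted in this section really carry nosuid and noexec, by reading a mount table
# in /proc/mounts format. TABLE is a parameter so the check can run against the live
# /proc/mounts or against a saved copy.

# mount_opts TABLE MOUNTPOINT -> the option field of MOUNTPOINT, empty if it is not a mount.
# /proc/mounts fields: device mountpoint fstype options dump pass
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4; exit }' "$1"
}

# check_mount TABLE MOUNTPOINT OPTION... -> 0 if every OPTION is present in the mount's
# option list, 1 otherwise; prints what is missing. A path that is not its own mount
# fails too, because it silently inherits the parent filesystem's exec/suid behaviour.
check_mount() {
    table=$1; mp=$2; shift 2
    opts=$(mount_opts "$table" "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount, inherits parent options"
        return 1
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    return 0
}

# audit_scratch TABLE -> checks the mounts this section hardens; returns the failure count.
# /var/tmp is a symlink to /tmp in the guide's layout, so the /tmp result covers it.
audit_scratch() {
    fails=0
    check_mount "$1" /tmp nosuid noexec || fails=$((fails + 1))
    check_mount "$1" /dev/shm nosuid noexec || fails=$((fails + 1))
    return $fails
}
```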
Security supplement:
Account security management:
1. Restrict which users may use su, and make sensible use of sudo: edit /etc/pam.d/su and add the line `auth required /lib/security/$ISA/pam_wheel.so group=wheel`; then add the users who are allowed to use su with `usermod -G 10 <username>`. For sensible use of sudo, consult the documentation; it could also be collected into a dedicated discussion.
2. Forbid root from logging in remotely over ssh: edit /etc/ssh/sshd_config, find `#PermitRootLogin yes` and change it to `PermitRootLogin no`, then restart the ssh service.
3. Lock important files against modification:
- chattr +i /etc/passwd
- chattr +i /etc/shadow
4. Remove most unnecessary accounts and take the shell away from accounts that do not need one. The following accounts can be removed: adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, rpm, nscd, rpc, rpcuser, nfsnobody, mailnull, smmsp, pcap, xfs, ntp. If you use a graphical desktop such as KDE, some accounts such as rpc and xfs are required.
File system permissions
1) Find all programs on the system with the "s" bit set, remove the "s" bit where it is not needed, or delete programs that are never used outright; this reduces the opportunity for users to abuse them and escalate privileges. The command is (the parentheses are needed so that -type f and -print apply to both the setuid and the setgid branch):
- find / -type f \( -perm -4000 -o -perm -2000 \) -print | xargs ls -lg
2) Give important files the immutable attribute (normally this is not necessary):
- chattr +i /etc/passwd
Immutable: the system does not allow any modification of the file. If a directory has this attribute, processes may only modify files under the directory and may not create or delete files in it.
3) Find files on the system that have no owner:
- find / -nouser -o -nogroup
4) Find files and directories that anyone can write to:
- find / -type f \( -perm -2 -o -perm -20 \) | xargs ls -lg
- find / -type d \( -perm -2 -o -perm -20 \) | xargs ls -ldg
5) SUID and SGID file check. Run the following commands:
- find / -user root -perm -4000 -print -exec md5sum {} \;
- find / -user root -perm -2000 -print -exec md5sum {} \;
Redirect the results to a file and keep it for later comparison.
Banner disguise
1) System banner
2) Disguising and hiding the banner of each web-server software.
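The "save the results and compare later" step of the SUID/SGID check, as an added example that is not part of the original guide: it collects setuid and setgid files under a root directory with md5sum, stores them as a baseline, and on later runs reports entries that are new or whose hash changed. The root directory, baseline path and function names are assumptions of this example; the scan stays on one filesystem with -xdev.

```shell
#!/bin/sh
# Added example, not part of the original guide: baseline setuid/setgid files with
# md5sum and detect drift later. ROOT and BASELINE are caller-chosen paths.

# scan_suid ROOT -> one "md5sum  path" line per setuid or setgid regular file under ROOT.
# The \( \) grouping is required: "-type f -perm -4000 -o -perm -2000" would parse as
# "(type f AND setuid) OR setgid" and apply -exec only to the setgid branch.
scan_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec md5sum {} + 2>/dev/null | LC_ALL=C sort
}

# save_baseline ROOT BASELINE -> write the current scan to BASELINE.
# Keep the baseline where an intruder cannot edit it (read-only media or another host).
save_baseline() {
    scan_suid "$1" > "$2"
}

# check_baseline ROOT BASELINE -> print every line of the live scan that is absent from
# BASELINE (a new setuid/setgid file, or a known one whose hash changed).
# Returns 0 when nothing drifted, 1 otherwise, so it can drive a cron alert.
check_baseline() {
    current=$(mktemp) || return 2
    scan_suid "$1" > "$current"
    # grep -vxF -f: keep lines of the live scan that do not appear verbatim in the baseline.
    # "|| true" because grep exits 1 when there is no drift, which is the good case.
    drift=$(grep -vxF -f "$2" "$current" || true)
    rm -f "$current"
    if [ -n "$drift" ]; then
        printf 'SUID/SGID drift since baseline:\n%s\n' "$drift"
        return 1
    fi
    return 0
}

# Typical use on a live host (compare the guide's cron.daily chkrootkit job):
#   save_baseline / /root/suid.baseline      # once, after hardening
#   check_baseline / /root/suid.baseline     # daily, mail the output when it returns 1
```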