linux系统加固.doc

目录：1.BIOS2.SSH安全3.禁用telnet4.禁用代码编译5.ProFTP6.TCPwrappers7.创建一个SU组8.root通知9.history安全10.欢迎信息11.禁用所有特殊账户12.chmod危险文件13.指定允许root登陆的TTY设备14.选择一个安全的密码15.检查Rootkit16.安装补丁17.隐藏Apache信息18.隐藏php信息19.关闭不使用的服务20.检测监听中的端口21.关闭打开的端口和服务22.删除不用的rpm包23.禁用危险的php函数24.安装配置防火墙25.安装和配置BFD26.内核加固(sysctl.conf)27.更改SSH端口28./tmp /var/tmp,/dev/shm分区安全29.PHP IDS总结=介绍这个教程将一步步的指引你，使你的Linux系统变得安全。任何默认安装的操作系统都是不够安全的，本文将指引你如何建立一个相对安全的Linux系统。=1.BIOS你应该总是在系统启动的时候设置一个BIOS密码和禁用从CD-ROM和软盘引导。这将防止一些人未经允许访问你的系统和更改BIOS设置2.SSH安全SSH是一个协议，利用它可以登录到一个远程系统或远程执行系统命令，默认允许root登录，并且sshv1存在缺陷，我们应该在sshd_config禁止root访问和使用sshv2来让ssh更加安全。方法：vi /etc/ssh/sshd_config复制代码把协议改为2PermitRootLogin = no复制代码重启sshd /etc/rc.d/init.d/sshd restart复制代码3.禁用telnet早期的Linux默认开启telnet服务，telnet,ftp,rlogin都是明文传输的协议是容易被嗅探到的，这就是为什么推荐使用安全的版本(sftp,scp,ssh)的原因如果你必须要使用telnet，那么至少应该隐藏banner信息方法：修改/etc/xinetd.d/telnetdisable=yes复制代码4.禁用代码编译你可以禁用代码编译并且只把编译的权限分配给一个用户组方法：添加编译用户组 /usr/sbin/groupadd compiler ，cd /usr/bin复制代码把常见的编译器所属组赋给编译用户组chgrp compiler *cc*chgrp compiler *+*chgrp compiler ldchgrp compiler as复制代码设置mysqlaccess的访问chgrp root mysqlaccess复制代码设置权限chmod 750 *cc*chmod 750 *+*chmod 750 ldchmod 750 aschmod 755 mysqlaccess复制代码把用户添加到组里修改/etc/groupcompiler:x:520:user1,user2复制代码5.ProFTP你可以通过修改proftpd.conf来禁止root登陆方法：修改/etc/proftpd.confAdd RootLogin off复制代码重启proftpd /sbin/service proftpd stop/sbin/service proftpd start复制代码6.TCP wrappers编辑hosts.allow和hosts.deny可以限制或允许访问inet服务方法：限制访问inet服务修改/etc/hosts.allow建议格式：#Approved IP addressesALL:ALL:#CSV uploader machineproftpd:#pop3 from antwhereipop3:ALL复制代码修改/etc/hosts.denyALL:ALL EXCEPT localhostENY复制代码7.创建SU用户组因为我们在SSH禁止了root用户访问并且禁用了telnet，所有我们应该分配给一些用户su权限来获取root特权方法：vi /etc/group添加一行 wheel:x:10:root,user1,user2chgrp wheel /bin/suchmod o-rwx /bin/su复制代码8.root通知当一个具有root权限的用户登录的时候发mail方法：编辑/root下的.bashrc ，当有root权限的用户登录时发生email通知echo ALERT ? Root Shell Access (Server Name) on: date who | mail -s “Alert: Root Access from who | cut -d”(” -f2 | cut -d”)” -f1” 复制代码9.history安全这是一个避免删除.bash_history或重定向到/dev/null的好主意因此他不能清除或删除他最后执行的命令方法：chattr +a .bash_historychattr +i .bash_history复制代码获取用户的人会知道他的历史命令锁定并且要同意才可以使用服务10.使用欢迎信息你必须提供一些信息让攻击者知道该系统不对公众开放。在国外有类似案件，攻击者入侵一个系统并且系统没有这些信息，这种情况下法院不能做任何裁决，因为系统说welcome方法：删除/etc/redhat-release编辑/etc/issue /etc/motd并显示警告信息11.禁用所有特殊账户你应该从系统中删除所有默认用户和组例如news,lp,sync,shutdown,uucp,games,halt 等方法：删除账户userdel name删除组 groupdel name锁定特定账户： /usr/sbin/usermod -L -s /bin/false user复制代码12.chmod危险文件这可能是限制不具有root权限的用户执行下面这些命令的好主意方法：chmod 700 /bin/pingchmod 700 /usr/bin/fingerchmod 700 /usr/bin/whochmod 700 /usr/bin/wchmod 700 /usr/bin/locatechmod 700 /usr/bin/whereischmod 700 /sbin/ifconfigchmod 700 /usr/bin/picochmod 700 /usr/bin/vichmod 700 /usr/bin/whichchmod 700 /usr/bin/gccchmod 700 /usr/bin/makechmod 700 /bin/rpm复制代码13.指定允许root登陆的TTY设备/etc/securetty文件允许你指定root可以从哪个TTY设备登录方法：vi /etc/securetty复制代码只留2个连接tty1tty2复制代码14.选择一个安全的密码在/etc/login.defs文件中定义了shadow密码的具体配置默认密码长度最短为5字符，你应该至少设置为8方法：vi /etc/login.defsPASS_MIN_LEN 8复制代码15.检测Rootkit用chkrootkit或rkhunter，以chkrootkit为例方法：wget .br/pub/seg/pac/chkrootkit.tar.gzwget .br/pub/seg/pac/chkrootkit.md5复制代码首先检查md5校验值: md5sum chkrootkit.tar.gz然后解压安装tar -zxvf chkrootkit.tar.gzcd chkrootkit./configuremake sense复制代码然后运行./chkrootkit我们可以将其添加到contrab使其每天自动扫描：vi /etc/cron.daily/chkrootkit.sh复制代码#!/bin/bash# 输入chkrootkit的安装目录cd /root/chkrootkit/复制代码# 输入你想收到检测报告的email./chkrootkit | mail -s “Daily chkrootkit from Server Name” 复制代码16.安装补丁你要经常检查更新以修复某些缺陷或系统稳定性的改进否则你存在漏洞的系统将会不时的遭受新的攻击方法：列出可用更新:up2date -l安装未排除的更新:up2date -u安装包括排除的更新up2date -uf复制代码17.隐藏Apache信息你应该隐藏Apache的banner信息使攻击者不知道Apache的版本，从而使他们难以利用漏洞方法：修改/etc/httpd/conf/httpd.conf改变服务器签名:ServerSignature Off复制代码重启Apache /sbin/service httpd restart18.隐藏php信息你应该隐藏php的banner信息，原因同上方法：修改php.ini改变expose_php=Off复制代码重启Apache19.关闭不用的服务你应该把任何未使用的服务关闭，可以在/etc/xinetd.d文件夹里找到方法：cd /etc/xinetd.dgrep disable *复制代码这将显示所有服务开启或关闭的状态，然后根据需要来开启或关闭服务20.检测监听的端口检测是否有必要开放端口是非常重要的方法：netstat -tulp或lsof -i -n | egrep COMMAND|LISTEN|UDP或nmap！复制代码21.关闭端口和服务重点是关闭在系统启动时打开的不需要的端口方法：对于正在运行的服务，可以执行chkconfig -list | grep on禁用服务可以执行chkconfig servicename off然后停止正在运行的服务:/etc/init.d/service stop22.删除不用的rpm包首先应该清楚你的系统的作用，它是web,mail,file服务器或其他然后觉得哪些包是必要的，之后删除不需要的软件包方法：首先列出安装列表rpm -qa更详细的信息rpm -qi rpmname还可以检测删除包可能出现的冲突rpm -e ?test rpmname23.禁用危险的php函数你应该禁用php的危险函数防止在网站上执行系统命令方法：whereis php.inivi /usr/local/lib/php.ini复制代码编辑disable_functions = “symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg, escapeshellcmd”复制代码24.安装配置防火墙高级策略防火墙(APF)是一种IP表（网络过滤），它是基于当今互联网部署服务器防火墙系统的基本需要和客户部署LINUX安装的唯一需要而设计的。 它是最好的开源防火墙之一。配置APF防火墙方法：下载APF：wget http:/www.r-fx.ca/downloads/apf-current.tar.gz解压安装：tar -zxvf apf-current.tar.gzcd apf-0.9.7-1./install.sh复制代码然后我们配置它vi /etc/apf/conf.apf一般配置：启用防火墙使用DS块列表USE_DS=”1然后我将列出常规的配置和CPanel配置方式，因为CPanel是应该最广泛的虚拟主机管理软件1.常规配置(DNS,Mail,Web,FTP)Common ingress (inbound)# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,995# Common ingress (inbound) UDP ports IG_UDP_CPORTS=”53# Egress filtering 0 = Disabled / 1 = EnabledEGF=”1# Common egress (outbound) TCP portsEG_TCP_CPORTS=”21,25,80,443,43# Common egress (outbound) UDP portsEG_UDP_CPORTS=”20,21,532.CPanel配置Common ingress (inbound) ports# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD IG_TCP_CPORTS=”21,22,25,53,80,110,143,443,2082,2083, 2086,2087,2095, 2096,3000_3500# Common ingress (inbound) UDP portsIG_UDP_CPORTS=”53Common egress (outbound) ports# Egress filtering 0 = Disabled / 1 = EnabledEGF=”1# Common egress (outbound) TCP portsEG_TCP_CPORTS=”21,25,80,443,43,2089# Common egress (outbound) UDP portsEG_UDP_CPORTS=”20,21,53复制代码之后启动防火墙 /etc/apf/apf -s如果运行良好我在回去修改配置文件，使DEVM=”0然后我们配置APF的AntiDos: vi /etc/apf/ad/conf.antidos找到下面的内容并替换成你的资料# Organization name to display on outgoing alert emailsCONAME=”Your Company”# Send out user defined attack alerts 0=off,1=onUSR_ALERT=”0# User for alerts to be mailed toUSR=复制代码你应把USR_ALERT改为1保存后重启APF：/etc/apf/apf ?rTo make the firewall start with the Operating System: chkconfig ?level 2345 apf on复制代码APF开机自启动：chkconfig ?level 2345 apf on禁止一个IP用/etc/apf/apf -d ip或vi /etc/apf/deny_hosts.rules允许一个IP用/etc/apf/apf -a ip或vi /etc/apf/deny_hosts.rules25.安装配置BFD(暴力破解检测)BFD是一个用于分析应用日志和检测验证失败的模块化shell脚本而且安装配置和用法都是非常容易的。使用BFD的原因很简单。其实在LINUX领域几乎没有结合防火墙或实时设备来监控不验证和暴力攻击审计的程序。在用BFD之前你必须安装APF防火墙。方法：wget http:/www.r-fx.ca/downloads/bfd-current.tar.gztar -zxvf bfd-current.tar.gzcd bfd-0.9复制代码然后我们来配置它 vi /usr/local/bfd/conf.bfd把以下内容改为你的资料# Enable/disable user alerts 0 = off; 1 = onALERT_USR=”1# User alert email addressEMAIL_USR=””# User alert email; subjectSUBJ_USR=”Brute Force Warning for $HOSTNAME”#复制代码然后vi /usr/local/bfd/ignore.hosts把你的IP设置成允许主机，避免意外的锁定自己。之后重启BFD /usr/local/sbin/bfd -s26.内核加固(sysctl.conf)sysctl.conf用来加固内核，目的是避免DOS和欺骗攻击方法：到/proc/sys目录或sysctl -a命令了解下当前配置的大概情况然后vi /etc/sysctl.conf添加如下内容：# Kernel sysctl configuration file for Red Hat Linux# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and# sysctl.conf(5) for more details.# Controls IP packet forwardingnet.ipv4.ip_forward = 0# Controls source route verificationnet.ipv4.conf.default.rp_filter = 1# Controls the System Request debugging functionality of the kernelkernel.sysrq = 0# Controls whether core dumps will append the PID to the core filename.# Useful for debugging multi-threaded applications.kernel.core_uses_pid = 1#Prevent SYN attacknet.ipv4.tcp_syncookies = 1net.ipv4.tcp_max_syn_backlog = 2048net.ipv4.tcp_synack_retries = 2# Disables packet forwardingnet.ipv4.ip_forward=0# Disables IP source routingnet.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.lo.accept_source_route = 0net.ipv4.conf.eth0.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0# Enable IP spoofing protection, turn on source route verificationnet.ipv4.conf.all.rp_filter = 1net.ipv4.conf.lo.rp_filter = 1net.ipv4.conf.eth0.rp_filter = 1net.ipv4.conf.default.rp_filter = 1# Disable ICMP Redirect Acceptancenet.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.lo.accept_redirects = 0net.ipv4.conf.eth0.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packetsnet.ipv4.conf.all.log_martians = 1net.ipv4.conf.lo.log_martians = 1net.ipv4.conf.eth0.log_martians = 1# Disables IP source routingnet.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.lo.accept_source_route = 0net.ipv4.conf.eth0.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0# Enable IP spoofing protection, turn on source route verificationnet.ipv4.conf.all.rp_filter = 1net.ipv4.conf.lo.rp_filter = 1net.ipv4.conf.eth0.rp_filter = 114net.ipv4.conf.default.rp_filter = 1# Disable ICMP Redirect Acceptancenet.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.lo.accept_redirects = 0net.ipv4.conf.eth0.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0# Disables the magic-sysrq keykernel.sysrq = 0# Modify system limits for Ensim WEBppliancefs.file-max = 65000# Decrease the time default value for tcp_fin_timeout connectionnet.ipv4.tcp_fin_timeout = 15# Decrease the time default value for tcp_keepalive_time connectionnet.ipv4.tcp_keepalive_time = 1800# Turn off the tcp_window_scalingnet.ipv4.tcp_window_scaling = 0# Turn off the tcp_sacknet.ipv4.tcp_sack = 0# Turn off the tcp_timestampsnet.ipv4.tcp_timestamps = 0# Enable TCP SYN Cookie Protectionnet.ipv4.tcp_syncookies = 1# Enable ignoring broadcasts requestnet.ipv4.icmp_echo_ignore_broadcasts = 1# Enable bad error message Protectionnet.ipv4.icmp_ignore_bogus_error_responses = 1# Log Spoofed Packets, Source Routed Packets, Redirect Packetsnet.ipv4.conf.all.log_martians = 1# Set maximum amount of memory allocated to shm to 256MBkernel.shmmax = 268435456# Improve file system performancevm.bdflush = 100 1200 128 512 15 5000 500 1884 2# Improve virtual memory performancevm.buffermem = 90 10 60# Increases the size of the socket queue (effectively, q0).net.ipv4.tcp_max_syn_backlog = 1024# Increase the maximum total TCP buffer-space allocatablenet.ipv4.tcp_mem = 57344 57344 65536# Increase the maximum TCP write-buffer-space allocatablenet.ipv4.tcp_wmem = 32768 65536 52428815# Increase the maximum TCP read-buffer space allocatablenet.ipv4.tcp_rmem = 98304 196608 1572864# Increase the maximum and default receive socket buffer sizenet.core.rmem_max = 524280net.core.rmem_default = 524280# Increase the maximum and default send socket buffer sizenet.core.wmem_max = 524280net.core.wmem_default = 524280# Increase the tcp-time-wait buckets pool sizenet.ipv4.tcp_max_tw_buckets = 1440000# Allowed local port rangenet.ipv4.ip_local_port_range = 16384 65536# Increase the maximum memory used to reassemble IP fragmentsnet.ipv4.ipfrag_high_thresh = 512000net.ipv4.ipfrag_low_thresh =