These are some security hardening measures done on CentOS 6.2, which an ops colleague spent a lot of effort and time putting together. Friends who run their own servers still need to harden them themselves. Nowadays applications mostly run inside Docker and VMware, so even if the system is compromised, as long as the data is safe it is fine; the system can be destroyed and rebuilt. With VMware you can make your own template system. As for Docker, we have not done any hardening yet; if we do, I will update this. There is also a CentOS 7 hardening script that I have not had time to organize yet; for now it was done ad hoc: on CentOS 7, root login is forbidden, a user `login` is set up that can only log in to the system and has no other privileges, and after logging in as `login` you su to root or another user to do the work. Below is the CentOS 6.2 script.
Back up data

# cp -p keeps mode, owner and timestamps. Files that do not exist on this host
# (pam_pwcheck.conf, pure-ftpd, syslog-ng are SuSE-era paths) only produce a
# "No such file or directory" error; the rest of the list still runs.
cp -p /etc/passwd /etc/passwd.bak
cp -p /etc/shadow /etc/shadow.bak
cp -p /etc/group /etc/group.bak
cp -p /etc/security/pam_pwcheck.conf /etc/security/pam_pwcheck.conf.bak
cp -p /etc/pam.d/passwd /etc/pam.d/passwd.bak
cp -p /etc/login.defs /etc/login.defs.bak
cp -p /etc/default/useradd /etc/default/useradd.bak
cp -p /etc/pam.d/login /etc/pam.d/login.bak
cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp -p -r /etc/xinetd.d /etc/xinetd.d.bak
cp -p /etc/ntp.conf /etc/ntp.conf.bak
cp -p /etc/fstab /etc/fstab.bak
cp -p /etc/exports /etc/exports.bak
cp -p /etc/snmpd.conf /etc/snmpd.conf.bak
cp -p /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
cp -p /etc/profile /etc/profile.bak
cp -p /etc/securetty /etc/securetty.bak
cp -p /etc/pam.d/su /etc/pam.d/su.bak
cp -p /etc/ftpusers /etc/ftpusers.bak
cp -p /etc/vsftpd.conf /etc/vsftpd.conf.bak
cp -p /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.conf.bak
cp -p /etc/hosts.allow /etc/hosts.allow.bak
cp -p /etc/hosts.deny /etc/hosts.deny.bak
cp -p /etc/inittab /etc/inittab.bak
cp -p /etc/syslog.conf /etc/syslog.conf.bak
cp -p /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak
cp -p /etc/motd /etc/motd.bak
cp -p /etc/sshbanner /etc/sshbanner.bak
cp -p /etc/issue /etc/issue.bak
cp -p /etc/issue.net /etc/issue.net.bak
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
cp -p /etc/modprobe.conf /etc/modprobe.conf.bak

Lock/delete unused accounts

# lock the "at" account; add any other unused accounts the same way
passwd -l at

Set user password complexity

vi /etc/pam.d/passwd

Disable unneeded services (to enable one again, run chkconfig servicename on)

# Many names in this list come from a SuSE hardening list (SuSEfirewall2_*, boot.*,
# suseRegister, novell-zmd, ...). chkconfig just prints an error for a service that
# is not installed on this CentOS host and carries on with the next one.
for svc in \
    chargen chargen-udp cups-lpd cvs daytime daytime-udp echo-udp fam rsync \
    servers services systat time time-udp Makefile SuSEfirewall2_init \
    SuSEfirewall2_setup aaeventd acpid alsasound apache2 atd autoyast \
    boot.apparmor boot.evms boot.multipath boot.sched boot.scsidev cups \
    cupsrenice drbd earlykbd esound evms gpm gssd heartbeat idmapd ipmi \
    ipvsadm iscsitarget joystick ksysguardd ldap ldirectord lm_sensors mdadmd \
    microcode multipathd nfsserver novell-zmd nscd open-iscsi openct owcimomd \
    pcscd postfix powerd powersaved pure-ftpd rexec rlogin rpasswdd \
    rpmconfigcheck rsh rsyncd sapinit saslauthd skeleton.compat slurpd smartd \
    smbfs smpppd splash splash_early suseRegister svcgssd xendomains xend xfs \
    ypbind telnet nfs nfsboot ocfs2 o2cb winbind klogin kshell swat
do
    chkconfig "$svc" off
done

Restrict access permissions on critical files and directories

chmod -R go-w /etc
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 755 /etc/security
chmod 400 /etc/shadow

Restrict root remote login

vi /etc/pam.d/login
  (make sure the following line exists and is not commented out:)
vi /etc/securetty
  (comment out the following lines: pts/1 pts/2 ... pts/n)
vi /etc/ssh/sshd_config
  (change the corresponding line to the following. Note: search for the line before editing, to be sure you change the file that is actually in use.)

Disable graphical login (not done on dual-node setups == since the Oracle database is not installed yet, this step is skipped for now)

/etc/init.d/xdm stop

Restrict FTP login for certain users

vi /etc/ftpusers and add, one per line:
adabas
amanda
anonymous
at
bin
cyrus
daemon
db2as
db2fenc1
db2inst1
db4web
dbmaker
dhcpd
dpbox
empress
fax
firewall
fnet
ftp
games
gdm
gnats
hacluster
haldaemon
informix
ingres
irc
ixess
lnx
lp
mail
mailman
man
mdom
messagebus
mysql
named
news
nobody
nps
ntp
oracle
perforce
pop
postfix
postgres
root
sapdb
skyrix
squid
sshd
sshusr
suse-ncc
uucp
virtuoso
vscan
wnn
wwwrun
yard
zope

FTP: forbid anonymous login and confine users to their home directory (vsftpd)

vi /etc/vsftpd/vsftpd.conf

Disable Ctrl+Alt+Del

vi /etc/inittab

Log user login information

vi /etc/login.defs

Set a warning banner shown after successful login

cd /etc

Disable ICMP redirects (not done on dual-node setups)

vi /etc/sysctl.conf
# this host is not a router: do not send redirects, do not forward
net.ipv4.conf.default.secure_redirects=1
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
# ignore incoming redirects and source-routed packets
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

Disable IPv6 (to be continued)
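The backup step at the top of the script is a flat run of cp -p commands: a missing file only produces an error, and a second run silently overwrites the first backup. As an added example (not part of the original post or the ops colleague's script), here is a small POSIX sh function that backs up a list of paths into a timestamped copy under a backup directory, skips paths that are not present on the host, and reports how many items it saved. The backup directory layout and the demo file list are assumptions made for this example; the demo runs on a constructed fake /etc tree in a temp directory so it never touches the real system.

```shell
#!/bin/sh
# Added example (not the original post's script): back up configuration files
# before hardening. Skips paths that do not exist, keeps one timestamped copy
# per run under DEST_DIR, preserves mode/owner/mtime with cp -p, and prints
# how many items it copied. Layout of DEST_DIR is an assumption for the demo.

# backup_configs DEST_DIR PATH...
# Copies each existing PATH (file or directory) to
#   DEST_DIR/<path without leading slash>.<YYYYmmddHHMMSS>.bak
# Prints the number of items copied; returns 1 on a copy failure.
backup_configs() {
    dest=$1; shift
    stamp=$(date +%Y%m%d%H%M%S)
    count=0
    mkdir -p "$dest" || return 1
    for src in "$@"; do
        if [ ! -e "$src" ]; then
            echo "skip (not present): $src" >&2
            continue
        fi
        target="$dest/${src#/}.$stamp.bak"
        mkdir -p "$(dirname "$target")" || return 1
        if [ -d "$src" ]; then
            cp -p -r "$src" "$target" || return 1   # directories such as /etc/xinetd.d
        else
            cp -p "$src" "$target" || return 1
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Demo on a constructed fake /etc tree inside a temp dir (no root needed).
# Prints "<items copied> <mode of the passwd backup>" to show that cp -p kept
# the original permission bits (640 here) on the copy.
demo_backup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ssh" "$tmp/etc/xinetd.d"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/etc/passwd"
    printf 'PermitRootLogin yes\n' > "$tmp/etc/ssh/sshd_config"
    printf 'service telnet\n' > "$tmp/etc/xinetd.d/telnet"
    chmod 640 "$tmp/etc/passwd"
    copied=$(backup_configs "$tmp/backup" \
        "$tmp/etc/passwd" "$tmp/etc/ssh/sshd_config" \
        "$tmp/etc/xinetd.d" "$tmp/etc/does-not-exist" 2>/dev/null)
    mode=
    for bak in "$tmp/backup/${tmp#/}/etc/passwd."*.bak; do
        mode=$(stat -c %a "$bak")
    done
    rm -rf "$tmp"
    echo "$copied $mode"
}

demo_backup
```

On a real host you would call backup_configs with /etc/passwd, /etc/shadow, /etc/ssh/sshd_config and the rest of the list above; because the copies go to a separate directory instead of /etc/*.bak, `chmod -R go-w /etc` and later audits are not confused by stray backup files.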
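The steps above change files by hand with vi, so there is nothing in the script that confirms the result afterwards or notices when a later change undoes it. As an added example (not part of the original post), here is a set of POSIX sh checkers for the settings the post itself makes: chmod 400 on /etc/shadow, the sysctl lines, pts/N commented out in /etc/securetty, and root listed in /etc/ftpusers. The sysctl parser accepts the mixed "key=value" and "key =value" spellings the post's own lines use and honours the last occurrence, which is the one sysctl applies. The sample files in the demo are constructed for this example and deliberately contain three deviations.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the hardening steps
# took effect and re-run it after every change to catch drift. Each checker
# returns 0 on pass and 1 on failure. Sample files below are constructed.

# sysctl_value CONF KEY -> prints the value KEY is set to in CONF.
# Accepts "key=value", "key = value" and "key =value", skips comment lines,
# and keeps the LAST occurrence, because that is the one sysctl applies.
sysctl_value() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_sysctl CONF KEY EXPECTED -> 0 if KEY resolves to EXPECTED.
check_sysctl() {
    [ "$(sysctl_value "$1" "$2")" = "$3" ]
}

# check_mode FILE OCTAL -> 0 if FILE's permission bits are exactly OCTAL (e.g. 400).
check_mode() {
    [ "$(stat -c %a "$1")" = "$2" ]
}

# check_securetty FILE -> 0 if no uncommented pts/N line remains, i.e. root
# gets no pseudo-terminal (remote session) login through pam_securetty.
check_securetty() {
    ! grep -Eq '^[[:space:]]*pts/' "$1"
}

# check_ftpusers FILE USER -> 0 if USER is listed (and therefore denied FTP login).
check_ftpusers() {
    grep -Fxq "$2" "$1"
}

# Demo on constructed files: sysctl.conf carries the post's settings but a
# later line re-enables ip_forward, securetty still has one live pts line,
# and the fake shadow file is 600 instead of 400. Prints the failure count.
demo_audit() {
    tmp=$(mktemp -d)
    cat > "$tmp/sysctl.conf" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects =0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
EOF
    cat > "$tmp/securetty" <<'EOF'
tty1
#pts/1
pts/2
EOF
    printf 'root\nftp\n' > "$tmp/ftpusers"
    : > "$tmp/shadow"
    chmod 600 "$tmp/shadow"

    fails=0
    check_sysctl "$tmp/sysctl.conf" net.ipv4.conf.all.send_redirects 0      || fails=$((fails + 1))
    check_sysctl "$tmp/sysctl.conf" net.ipv4.conf.all.accept_redirects 0    || fails=$((fails + 1))
    check_sysctl "$tmp/sysctl.conf" net.ipv4.conf.all.accept_source_route 0 || fails=$((fails + 1))
    check_sysctl "$tmp/sysctl.conf" net.ipv4.ip_forward 0                   || fails=$((fails + 1))  # fails: last value is 1
    check_mode "$tmp/shadow" 400                                            || fails=$((fails + 1))  # fails: mode is 600
    check_securetty "$tmp/securetty"                                        || fails=$((fails + 1))  # fails: pts/2 is live
    check_ftpusers "$tmp/ftpusers" root                                     || fails=$((fails + 1))
    rm -rf "$tmp"
    echo "$fails"
}

demo_audit
```

Pointed at the real /etc/sysctl.conf, /etc/shadow, /etc/securetty and /etc/ftpusers, the same four checkers give a pass/fail list for this script's settings; checking the file rather than `sysctl -n` confirms the value survives a reboot, while `sysctl -n` confirms it is live now, and a complete audit does both.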

6 replies

I give this script ten points, out of a hundred.
It's about CentOS, so what is the Ubuntu picture for?
What is this thing for?
yuantou (rank: 举人) 2018-4-17 16:31:04
5#
An Ubuntu picture as the illustration??
翎丫头 (rank: 举人) 2018-4-17 16:43:32
6#
Beginner level.
linux