主机安全加固
目录
网络访问
ssh访问控制
通过主机的 /etc/hosts.allow 与 /etc/hosts.deny 实现ssh的访问控制
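# /etc/hosts.allow
# Access control through tcp_wrappers (libwrap). It only takes effect if the
# installed sshd was built with libwrap support; newer distributions ship
# without it, in which case use sshd_config "Match Address" blocks or the host
# firewall instead. hosts.allow is consulted before hosts.deny, so the entries
# below are the allow-list and everything else falls through to the deny rule.
# Replace <ip> with the real management address.
sshd:<ip>:allow
sshd:192.168.31.0/255.255.255.0:allow

# /etc/hosts.deny
# The daemon field must be the server process name, "sshd". The original
# entry "ssh:all" names a daemon that does not exist, so no deny rule ever
# matched and the allow-list above was not actually enforced.
sshd:ALL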
配置 /etc/ssh/sshd_config
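# /etc/ssh/sshd_config

# Disallow direct root logins over ssh. Administrators log in with a personal
# account and escalate with sudo, which keeps an attributable trail.
PermitRootLogin no

# Disable ssh port forwarding. AllowTcpForwarding is the directive that turns
# forwarding off; GatewayPorts only stops remotely forwarded ports from binding
# to non-loopback addresses, so by itself it does not disable forwarding.
AllowTcpForwarding no
GatewayPorts no

# Example 1: deny shared "work" accounts over ssh; they must log in with a
#            personal account and switch with sudo.
# Example 2: deny a specific user over ssh so the account is local-only.
# DenyUsers takes a space-separated list of account names.
DenyUsers user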
ssh双因素认证
使用freeipa统一解决
ssh空闲断开
# /etc/profile.d/temp.sh
# Idle interactive shells exit after TMOUT seconds (7200 s = 2 h).
# Declared read-only in one step so the user cannot unset or raise it.
readonly TMOUT=7200
主机密码
密码复杂度
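# centos6: /etc/pam.d/system-auth-ac (password stack)
# minlen=12; a negative credit is a minimum count, so at least two lower,
# two upper, two digits and two other characters are required.
# enforce_for_root applies the same rules when root changes a password.
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=12 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 enforce_for_root
# "nullok" is deliberately omitted: it lets accounts with an empty password
# pass pam_unix, which contradicts the complexity policy above. The stock
# stack also carries nullok on the "auth" line (not shown here); remove it
# there too, otherwise empty passwords still authenticate.
# remember=5 keeps the last five hashes in /etc/security/opasswd to block reuse.
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

# centos7: /etc/pam.d/system-auth-ac (password stack)
# pam_pwquality replaces pam_cracklib; the option for the prompt wording is
# authtok_type= here. local_users_only skips accounts not in /etc/passwd
# (e.g. sssd users), whose policy is enforced server-side.
# NOTE(review): sshd on these systems uses /etc/pam.d/password-auth-ac, which
# needs the same change; the *-ac files are rewritten by authconfig — confirm
# the setting survives on your hosts.
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=12 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so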
密码过期时间
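# /etc/login.defs
# These values are defaults for accounts created afterwards only; existing
# accounts keep their current aging until changed with chage(1).
PASS_MAX_DAYS   90
# Minimum age blocks a voluntary change for this many days. 60 is unusually
# high: a user who suspects their password is exposed cannot rotate it until
# day 60 without administrator help — review whether a shorter value fits.
PASS_MIN_DAYS   60
# Kept consistent with minlen=12 in the PAM password stack. When
# pam_pwquality/pam_cracklib are configured, PAM enforces the length and this
# value is only a fallback; an inconsistent 8 here was misleading.
PASS_MIN_LEN    12
PASS_WARN_AGE   14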
日志审计
用户行为记录
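# Per-user command log: one file per user under /var/log/history.
# Mode 1753 keeps the original owner rwx / group r-x / other -wx (users can
# create their own file but not list the directory) and adds the sticky bit,
# so a user cannot delete or rename another user's log file.
mkdir /var/log/history
chmod 1753 /var/log/history

# Script: /etc/profile.d/temp.sh
HISTTIMEFORMAT='%F %T '
HISTSIZE="5000"
HISTFILESIZE=5000
# After every command, append "[who tty time from] [user@cwd] cmd" to the
# user's file. The subshell scopes the umask to the append only; 077 (instead
# of 000) creates the log 0600, so other users can neither read nor alter it —
# the collector (e.g. rsyslog imfile) then has to run as root to read it.
# "who am i" prints nothing for sessions without a controlling tty (cron,
# some su/sudo paths); the first bracket is then simply empty.
PROMPT_COMMAND='(umask 077; msg=$(history 1 | { read x y; echo $y; }); echo [$(who am i | awk "{print \$(NF-2),\$(NF-1),\$1,\$NF}")] [$(whoami)@`pwd`]" $msg" >>/var/log/history/$USER)'
# TMOUT is expected to be set earlier in this same profile.d script.
export HISTTIMEFORMAT HISTSIZE HISTFILESIZE PROMPT_COMMAND TMOUT
# Read-only so the user cannot switch logging off inside this shell.
# HISTSIZE is pinned too: with HISTSIZE=0 "history 1" returns nothing and
# every command would be logged as empty. This remains best-effort — another
# shell or "bash --norc" bypasses it — so treat auditd or session recording
# as the authoritative record.
typeset -r HISTTIMEFORMAT
typeset -r HISTSIZE
typeset -r HISTFILE
typeset -r PROMPT_COMMAND
typeset -r HISTFILESIZE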
日志收集
通过系统组件 rsyslog 将日志收集到 Kafka,依赖 rsyslog-kafka 软件包(提供 omkafka 模块)
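# rsyslog configuration (drop-in under /etc/rsyslog.d/): ship selected local
# log files to Kafka, one topic per source.
# NOTE: broker=["127.0.0.1:9092"] is a placeholder that only works with a
# broker on the same host. Nothing in confParam sets security.protocol or
# sasl.*, so the transport is plaintext and unauthenticated; add those
# librdkafka settings before pointing this at a remote broker.
module(load="omkafka")
module(load="imfile")

# One record per line: "<host> <tag>: <message>".
template(name="KafkaSyslog" type="string" string="%hostname% %syslogtag%: %msg%\n")

ruleset(name="kafka-message") {
    action(
        type="omkafka"
        template="KafkaSyslog"
        confParam=["compression.codec=snappy", "queue.buffering.max.messages=40000"]
        partitions.number="20"
        topic="org.syslog_message.log"
        broker=["127.0.0.1:9092"]
    )
}

ruleset(name="kafka-secure") {
    action(
        type="omkafka"
        template="KafkaSyslog"
        confParam=["compression.codec=snappy", "queue.buffering.max.messages=40000"]
        partitions.number="20"
        topic="org.syslog_secure.log"
        broker=["127.0.0.1:9092"]
    )
}

ruleset(name="kafka-audit") {
    action(
        type="omkafka"
        template="KafkaSyslog"
        confParam=["compression.codec=snappy", "queue.buffering.max.messages=40000"]
        partitions.number="20"
        topic="org.syslog_audit.log"
        broker=["127.0.0.1:9092"]
    )
}

# /var/log/wtmp is a binary utmp(5) record file, not line-oriented text, so
# imfile would only emit garbage for it. The ruleset and its input are kept
# here disabled; export login records with last(1) or via auditd instead.
# ruleset(name="kafka-wtmp") {
#     action(
#         type="omkafka"
#         template="KafkaSyslog"
#         confParam=["compression.codec=snappy", "queue.buffering.max.messages=40000"]
#         partitions.number="20"
#         topic="org.syslog_wtmp.log"
#         broker=["127.0.0.1:9092"]
#     )
# }

ruleset(name="kafka-salt") {
    action(
        type="omkafka"
        template="KafkaSyslog"
        confParam=["compression.codec=snappy", "queue.buffering.max.messages=40000"]
        partitions.number="20"
        topic="org.syslog_salt.log"
        broker=["127.0.0.1:9092"]
    )
}

ruleset(name="kafka-history") {
    action(
        type="omkafka"
        template="KafkaSyslog"
        confParam=["compression.codec=snappy", "queue.buffering.max.messages=40000"]
        partitions.number="20"
        topic="org.syslog_history.log"
        broker=["127.0.0.1:9092"]
    )
}

# Inputs. imfile keeps per-file state so rotated files (audit.log, secure)
# are followed without re-sending.
input(type="imfile" Tag="message" File="/var/log/messages" Ruleset="kafka-message")
input(type="imfile" Tag="secure" File="/var/log/secure" Ruleset="kafka-secure")
input(type="imfile" Tag="audit" File="/var/log/audit/audit.log" Ruleset="kafka-audit")
# input(type="imfile" Tag="wtmp" File="/var/log/wtmp" Ruleset="kafka-wtmp")   # binary file, see above
input(type="imfile" Tag="salt" File="/var/log/salt/minion" Ruleset="kafka-salt")
# Wildcard inputs need imfile in inotify mode (the default on current rsyslog
# releases — confirm for the installed version), and rsyslog must have read
# access to the per-user files under /var/log/history.
input(type="imfile" Tag="history" File="/var/log/history/*" Ruleset="kafka-history")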
备份
…