Linux服务器安全登录设置记录

 

在日常运维工作中，对加固服务器的安全设置是一个机器重要的环境。比较推荐的做法是：
1）严格限制ssh登陆（参考：Linux系统下的ssh使用(依据个人经验总结)）：
     修改ssh默认监听端口
     禁用root登陆，单独设置用于ssh登陆的账号或组；
     禁用密码登陆，采用证书登陆；
     ListenAddress绑定本机内网ip，即只能ssh连接本机的内网ip进行登陆；
2）对登陆的ip做白名单限制（iptables、/etc/hosts.allow、/etc/hosts.deny）
3）可以专门找两台机器作为堡垒机，其他机器做白名单后只能通过堡垒机登陆，将机房服务器的登陆进去的口子收紧；
     另外，将上面限制ssh的做法用在堡垒机上，并且最好设置登陆后的二次验证环境（Google-Authenticator身份验证）
4）严格的sudo权限控制（参考：linux系统下的权限知识梳理）
5）使用chattr命令锁定服务器上重要信息文件，如/etc/passwd、/etc/group、/etc/shadow、/etc/sudoers、/etc/sysconfig/iptables、/var/spool/cron/root等
6）禁ping（echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all）

今天这里主要说下服务器安全登陆的白名单设置，通过下面两种方法：
1）iptables对ssh端口做限制；
2）/etc/hosts.allow和/etc/hosts.deny限制；这两个文件是控制远程访问设置的，通过他可以允许或者拒绝某个ip或者ip段的客户访问linux的某项服务。
如果当iptables、hosts.allow和hosts.deny三者都设置时或设置出现冲突时，遵循的优先级是hosts.allow > hosts.deny >iptables

下面来看一下几个限制本地服务器登陆的设置：
1）iptables和hosts.allow设置一致，hosts.deny不设置。如果出现冲突，以hosts.allow设置为主。
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#                                                                                                      //切记:这里的192.168.1.*网段设置不能改为192.168.1.0/24;多个ip之间用逗号隔开
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow     //最后的allow可以省略

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

如上的设置，133.110.186.139虽然没有出现在iptables的白名单设置里，但是出现在hosts.allow设置里，那么它是允许登陆本地服务器的；
也就是说hosts.allow里设置的ip都可以登陆本地服务器，hosts.allow里没有设置而iptables里设置的ip不能登陆本地服务器；
所以，只要hosts.allow里设置了，iptables其实就没有必要再对ssh进行限制了；

2）hosts.allow不设置，iptables和hosts.deny设置（二者出现冲突，以hosts.deny为主）
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:133.110.186.130:deny                                               //最后的deny可以省略

以上虽然133.110.186.130在iptables里设置了，但是在hosts.deny里也设置了，这时要遵循hosts.deny的设置，即133.110.186.130这个ip不能登陆本地服务器；
也就是说上面只有192.168.1.0网段和114.165.77.144能登陆本地服务器；

3）当iptables、hosts.allow、hosts.deny三者都设置时，遵循的hosts.allow！
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.133 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.137 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow                 //最后的allow可以省略

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:all:deny                                  //最后的deny可以省略

上面设置之后，只有hosts.allow里面设置的192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139这些ip能登陆本地服务器

4）还有一种设置，hosts.deny不动，在hosts.allow里面设置deny
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow             //最后的allow可以省略
sshd:all:deny                                            //这个本来是在hosts.deny里的设置，也可以放在这，表示出了上面的ip之外都被限制登陆了。

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

5）iptables关闭，则hosts.allow和hosts.deny文件同时设置才有效。

==========================================================
/etc/hosts.allow和/etc/hosts.deny文件配置后不生效问题：

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

如果在/etc/hosts.allow和/etc/hosts.deny文件里配置了相关服务(如sshd、ftp)的ip限制后，发现不生效！ 原因可能如下： 1）/etc/hosts.allow 与 /etc/hosts.deny 只对ssh应用调用了tcp_wrappers的服务器才起作用； 2）查看服务器的ssh是否支持tcp_wrappers。使用下面两个命令：    # strings /usr/sbin/sshd|grep hosts_access    # ldd `which sshd` | grep libwrap 3）如果上面的两个查看命令都没有结果，说明本机的ssh不支持tcp_wrappers 4）一般centos6默认的ssh都是支持tcp_wrappers的。但要是将服务器的ssh升级到openssh6.7之后，则就不支持了！    因为从openssh6.7开始，ssh官方就移除了对tcp wrappers的支持！！！！ 5）也就是说，centos6系统下默认的ssh版本(OpenSSH_5.3p1)如果升级到了openssh6.7之后，ssh应用就不支持tcp wrappers了。    这样/etc/hosts.allow和/etc/hosts.deny文件里的限制设置也就无效了！ 6）但是centos7默认的ssh版本是OpenSSH_7.4p1，centos7下默认的ssh版本是支持tcp wrappers的！   [root@localhost ~]# cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core)   [root@localhost ~]# ssh -V OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017   [root@localhost ~]# ldd `which sshd` | grep libwrap         libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fd302fc9000)           [root@localhost ~]# strings /usr/sbin/sshd|grep hosts_access hosts_access