linux安全基线加固
文章转载于:https://www.cnblogs.com/bmjoker/p/10485793.html
现在大多数企业都是使用linux作为服务器,不仅是linux是开源系统,更是因为linux比windows更安全。但是由于管理员的安全意识不全或者疏忽,导致linux的敏感端口和服务没有正确的配置,可能会被恶意利用,所以需要进行基线加固。
1.基线
即安全基线配置,诸如操作系统、中间件和数据库的一个整体配置,这个版本中各项配置都符合安全方面的标准。比如在系统安装后需要按安全基线标准,将新机器中各项配置调整到一个安全、高效、合理的数值。
2.基线扫描
使用自动化工具、抓取系统和服务的配置项。将抓取到的实际值和标准值进行对比,将不符合的项显示出来,最终以报告的形式体现出扫描结果有的工具将配置采集和配置对比分开,通过自动化脚本采集配置后再通过特别的软件转换为适合人类阅读的文档
3.基线加固自动化脚本的编写
本篇文章主要是记录和学习安全加固脚本,首先放几张安全加固shell脚本的命令语法:
基本命令语法介绍完了,借用网上的脚本来学习:
在执行脚本前需要提前做好备份:
#!/bin/bashcp /etc/login.defs /etc/login.defs.bakcp /etc/security/limits.conf /etc/security/limits.conf.bakcp /etc/pam.d/su /etc/pam.d/su.bakcp /etc/profile /etc/profile.bakcp /etc/issue.net /etc/issue.net.bakcp /etc/shadow /etc/shadow.bakcp /etc/passwd /etc/passwd.bakcp /etc/pam.d/passwd /etc/pam.d/passwd.bakcp /etc/pam.d/common-password /etc/pam.d/common-password.bakcp /etc/host.conf /etc/host.conf.bakcp /etc/hosts.allow /etc/hosts.allow.bakcp /etc/ntp.conf /etc/ntp.conf.bakcp -p /etc/sysctl.conf /etc/sysctl.conf.bakecho "============备份完成=================="
1.检查是否设置口令更改最小间隔天数
MINDAY=`cat -n /etc/login.defs | grep -v ".*#.*"| grep PASS_MIN_DAYS|awk '{print $1}'`sed -i ''$MINDAY's/.*PASS_MIN_DAYS.*/PASS_MIN_DAYS 6/' /etc/login.defs echo "检查口令更改最小间隔天数完成"
2.检查是否设置口令过期前警告天数
WARNAGE=`cat -n /etc/login.defs | grep -v ".*#.*"| grep PASS_WARN_AGE|awk '{print $1}'`sed -i ''$WARNAGE's/.*PASS_WARN.*/PASS_WARN_AGE 30/' /etc/login.defs echo "检查口令过期前警告天数完成"
3.检查口令生存周期
MAXDAY=`cat -n /etc/login.defs | grep -v ".*#.*"| grep PASS_MAX_DAYS|awk '{print $1}'` sed -i ''$MAXDAY's/.*PASS_MAX.*/PASS_MAX_DAYS 90/' /etc/login.defsecho "检查口令生存周期完成"
4.检查口令最小长度
MINLEN=`cat -n /etc/login.defs | grep -v ".*#.*"| grep PASS_MIN_LEN|awk '{print $1}'` sed -i ''$MINDAY's/.*PASS_MIN_LEN.*/PASS_MIN_ LEN 6/' /etc/login.defsecho "检查口令最小长度"
5.检查是否设置grub,lilo密码
grub="/etc/menu.lst" if [ ! -x "$grub" ];then touch "$grub" echo password=123456 >> "$grub" else echo password=123456 >> "$grub" fi lilo="/etc/lilo.conf" if [ ! -x "$lilo" ];then touch "$lilo" echo password=123456 >> "$lilo" else echo password=123456 >> "$lilo" fi
6.检查是否设置core
c=`cat -n /etc/security/limits.conf | grep "#root" | awk '{print $1}'`d=`cat -n /etc/security/limits.conf | grep "#root" | awk '{print $5}'`sed -i ''$c' s/$d/0/g' /etc/security/limits.confecho "设置* hard core 0完成"
e=`cat -n /etc/security/limits.conf | grep soft | grep core | awk '{print $1}'`f=`cat -n /etc/security/limits.conf | grep soft | grep core | awk '{print $5}'`sed -i ''$e' s/'$f'/0/g' /etc/security/limits.confecho "设置* soft core 0完成"
7.检查系统是否禁用ctrl+alt+del组合
a=`cat -n /etc/control-alt-delete.conf|grep -v "#" | grep /sbin/shutdown | awk '{print $1}'` if [ -z $a ];then echo ok else sed -i ''$a' s/^/#/' /etc/control-alt-delete.conf fi
8.检查保留历史记录文件的大小与数量
echo "HISTFILESIZE=5" >> /etc/profile echo " 检查保留历史命令的记录文件大小完成" echo "HISTSIZE=5" >> /etc/profile echo "检查保留历史命令的条数完成"
9.检查是否使用PAM认证模块禁止wheel组之外的用户su为root
10.检查是否删除了/etc/issue.net文件
if [ -f /etc/issue.net ] then mv /etc/issue.net /etc/issue.net.bak else echo "issue.net 文件不存在" fi if [ -f /etc/issue ] then mv /etc/issue /etc/issue.bak else echo "issue 文件不存在" fi
11.是否删除与设备运行,维护等工作无关的账户
12.检查密码重复使用次数限制
13.检查是否配置账户认证失败次数限制
cd /etc/pam.d if [ -f system-auth ];then cp /etc/pam.d/system-auth /etc #num=`grep -n "md5" /etc/system-auth | cut -d ":" -f 1` #sed -i ''$num' r s/$/ remember=5' /etc/system-auth kk=`cat -n /etc/system-auth | grep -v ".*#.*"| grep md5|awk '{print $1}'` echo $kk version="password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=500" sed -i ""$kk"c $version" /etc/system-auth letter=`cat -n /etc/system-auth |grep password | grep requisite | awk '{print $1}'` sed -i ''$letter's/pam_cracklib.so/& ucredit=-1 lcredit=-1 dcredit=-1 /' /etc/pam.d/system-auth fi
14.检查是否配置关闭IP伪装与绑定
snu=`cat /etc/host.conf | awk '{print $2}'` if [ "$snu" = "on" ]; then echo "没有关闭ip伪装" fi sed -i 's/on/off/g' /etc/host.conf echo " 关闭IP伪装完成"
15.检查/etc/hosts配置
if [ -f hosts.allow ];then cp /etc/hosts.allow /etc/ echo "all:172.18.12.:all" >> /etc/hosts.allow echo "sshd:172.18.12.:all" >> /etc/hosts.allow fi cd /etc if [ -f hosts.deny ];then cp /etc/hosts.deny /etc/ echo "all:all" >> /etc/hosts.deny fi
16.
17.检查重要文件是否存在suid和sgid权限
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute /bin/mount /bin/umount /bin/ping /sbin/netreport -type f -perm +6000 2>/dev/null >file.txtif [ -s file.txt ]; thenecho " find。。这条命令有输出"for i in `cat file.txt`dochmod 755 $idoneelseecho "find 。。这条命令没有输出"fi
18.
19.权限设置
chmod 644 /etc/passwdchmod 644 /etc/groupchmod 400 /etc/shadow#chmod 600 /etc/xinetd.confchmod 644 /etc/serviceschmod 600 /etc/securitychmod 600 /etc/grub.confchmod 600 /boot/grub/grub.confchmod 600 /etc/lilo.conf echo "文件权限设置完成"
给出几个大佬的综合脚本:
1.
echo ---------------开始-------------------- echo ---------------aboutkey---------------- cd /etc if [ -f login.defs ];then cp /etc/login.defs /home/test1 MINDAY=`cat -n /home/test1/login.defs | grep -v ".*#.*"| grep PASS_MIN_DAYS|awk '{print $1}'` sed -i ''$MINDAY's/.*PASS_MIN_DAYS.*/PASS_MIN_DAYS 6/' /home/test1/login.defs WARNAGE=`cat -n /home/test1/login.defs | grep -v ".*#.*"| grep PASS_WARN_AGE|awk '{print $1}'` sed -i ''$WARNAGE's/.*PASS_WARN.*/PASS_WARN_AGE 30/' /home/test1/login.defs MAXDAY=`cat -n /home/test1/login.defs | grep -v ".*#.*"| grep PASS_MAX_DAYS|awk '{print $1}'` sed -i ''$MAXDAY's/.*PASS_MAX.*/PASS_MAX_DAYS 90/' /home/test1/login.defs MINLEN=`cat -n /home/test1/login.defs | grep -v ".*#.*"| grep PASS_MIN_LEN|awk '{print $1}'` sed -i ''$MINDAY's/.*PASS_MIN_LEN.*/PASS_MIN_ LEN 6/' /home/test1/login.defs fi echo --------------------ok--------------------------- echo -------------------stop the del------------------------ cd /etc/init if [ -f control-alt-delete.conf ];then cp /etc/init/control-alt-delete.conf /home/test1 #delete=`grep -n "/sbin/shutdown -r now" /home/test1/control-alt-delete.conf | cut -d ":" -f 1` #sed -i ''$delete' r s/^/#/' /home/test1/control-alt-delete.conf #cp /etc/init/control-alt-delete.conf /home/test1 #num1=`grep -n "/sbin/shutdown" /home/test1/control-alt-delete.conf | cut -d "" -f 1` #sed -i ''$num' r s/^/#/' /home/test1/control-alt-delete.conf #a=`cat -n /home/test1/control-alt-delete.conf|grep -v "#" | grep "/sbin/shutdown" | awk '{print $1}'` #text=`sed -n "$a"p /home/test1/control-alt-delete.conf` #sed -i ''$a'c # '$text'' /home/test1/control-alt-delete.conf a=`cat -n /home/test1/control-alt-delete.conf|grep -v "#" | grep /sbin/shutdown | awk '{print $1}'` if [ -z $a ];then echo ok else sed -i ''$a' s/^/#/' /home/test1/control-alt-delete.conf fi fi echo ---------------------ok--------------------------------------- echo ------------------------grub and lilo key------------------------ grub="/home/test1/menu.lst" if [ ! -x "$grub" ];then touch "$grub" echo password=123456 >> "$grub" else echo password=123456 >> "$grub" fi lilo="/home/test1/lilo.conf" if [ ! -x "$lilo" ];then touch "$lilo" echo password=123456 >> "$lilo" else echo password=123456 >> "$lilo" fi echo ---------------------ok-------------------------------------- echo ----------------------the history of mouthpasswd------------------ cd /etc if [ -f profile ];then cp /etc/profile /home/test1 #num=`sed -n /home/test1/profile | grep HISTFILESIZE | awk '{print $1}'` #/home/test1/profile | sed $num'c HISTFILESIZE=5' echo "HISTFILESIZE=5" >> /home/test1/profile echo "ulimit -S -c unlimited" >> /home/test1/profile fi echo -------------------------ok--------------------- echo ------------------------issue----------------- #issu="/etc/issue.net" cd /etc if [ -f issue.net ];then cp issue.net /home/test1/issue.net.bak echo ok fi echo ok if [ -f issue ];then cp issue /home/test1/issue.bak echo ok fi echo -----------------------allow/deny ip------------------- cd /etc if [ -f hosts.allow ];then cp /etc/hosts.allow /home/test1 echo "all:172.18.12.:all" >> /home/test1/hosts.allow echo "sshd:172.18.12.:all" >> /home/test1/hosts.allow fi cd /etc if [ -f hosts.deny ];then cp /etc/hosts.deny /home/test1 echo "all:all" >> /home/test1/hosts.deny fi echo -----------------ok------------------------ #/etc/init.d/xinetd restart echo -----------------------------core dump------------------- cd /etc/security if [ -f limits.conf ];then cp /etc/security/limits.conf /home/test1 echo "*soft core 0" >> /home/test1/limits.conf echo "*hard core 0" >> /home/test1/limits.conf fi echo --------------ok------------------------- echo ----------------------------passwdrepeat--------------------- cd /etc/pam.d if [ -f system-auth ];then cp /etc/pam.d/system-auth /home/test1 #num=`grep -n "md5" /home/test1/system-auth | cut -d ":" -f 1` #sed -i ''$num' r s/$/ remember=5' /home/test1/system-auth kk=`cat -n /home/test1/system-auth | grep -v ".*#.*"| grep md5|awk '{print $1}'` echo $kk version="password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=500" sed -i ""$kk"c $version" /home/test1/system-auth letter=`cat -n /home/test1/system-auth |grep password | grep requisite | awk '{print $1}'` sed -i ''$letter's/pam_cracklib.so/& ucredit=-1 lcredit=-1 dcredit=-1 /' /etc/pam.d/system-auth fi echo -----------------ok-------------------- echo --------------------超出退出-------------- cd /etc if [ -f profile ];then cp /etc/profile /home/test1 echo "export TMOUT=600" >> /home/test1/profile fi echo ------------------ok------------------- echo ------------------权限------------------- chmod 644 /etc/passwd chmod 644 /etc/group chmod 400 /etc/shadow #chmod 600 /etc/xinetd.conf chmod 644 /etc/services chmod 600 /etc/security chmod 600 /etc/grub.conf chmod 600 /boot/grub/grub.conf chmod 600 /etc/lilo.conf echo ------------------unmask-------------------- cp /etc/csh.cshrc /home/test1 cp /etc/csh.login /home/test1 cp /etc/bashrc /home/test1 cp /etc/profile /home/test1 sed -i '11 s/.*umask.*/umask 077/' /home/test1/csh.cshrc sed -i '58 s/.*umask.*/umask 077/' /home/test1/csh.login sed -i '66 s/.*UMASK.*/UMASK 077/' /home/test1/bashrc sed -i '62s/.*umask.*/umask 077/' /home/test1/profile echo --------------------before login banner------------------- cd /etc if [ -f ssh_banner ];then touch /etc/ssh_banner chown bin:bin /etc/ssh_banner chmod 644 /etc/ssh_banner echo "Authorized only.All activity will be monitored and reported" > /etc/ssh_banner fi echo -----------------------ok---------------------------- echo -------------------stop root ssh login------------------ cp /etc/pam.d/login /home/test1 echo "auth required pam_securetty.so" >> /home/test1/login cp /etc/ssh/sshd_config /home/test1 echo "Banner /etc/ssh_banner" >> /home/test1/sshd_config echo "PermitRootLogin no" >> /home/test1/sshd_config service sshd restart echo -------------------------ok------------------- echo --------------------openssh---------------------------- openssh=`cat -n /home/test1/sshd_config | grep -v ".*#.*"| grep Protocol |awk '{print $1}'` sed -i ''$openssh's/.*Protocol.*/Protocol 2/' /home/test1/sshd_config echo -------------ok---------------------------
2.
#!/bin/bash read key echo "警告:本脚本只是一个检查的操作,未对服务器做任何修改,管理员可以根据此报告进行相应的设置。" echo ---------------------------------------主机安全检查----------------------- echo "系统版本" uname -a echo -------------------------------------------------------------------------- echo "本机的ip地址是:" ifconfig | grep --color "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}" echo -------------------------------------------------------------------------- awk -F":" '{if($2!~/^!|^*/){print "("$1")" " 是一个未被锁定的账户,请管理员检查是否需要锁定它或者删除它。"}}' /etc/shadow echo -------------------------------------------------------------------------- more /etc/login.defs | grep -E "PASS_MAX_DAYS" | grep -v "#" |awk -F' ' '{if($2!=90){print "/etc/login.defs里面的"$1 "设置的是"$2"天,请管理员改成90天。"}}' echo -------------------------------------------------------------------------- more /etc/login.defs | grep -E "PASS_MIN_LEN" | grep -v "#" |awk -F' ' '{if($2!=6){print "/etc/login.defs里面的"$1 "设置的是"$2"个字符,请管理员改成6个字符。"}}' echo -------------------------------------------------------------------------- more /etc/login.defs | grep -E "PASS_WARN_AGE" | grep -v "#" |awk -F' ' '{if($2!=10){print "/etc/login.defs里面的"$1 "设置的是"$2"天,请管理员将口令到期警告天数改成10天。"}}' echo -------------------------------------------------------------------------- grep TMOUT /etc/profile /etc/bashrc > /dev/null|| echo "未设置登录超时限制,请设置之,设置方法:在/etc/profile或者/etc/bashrc里面添加TMOUT=600参数" echo -------------------------------------------------------------------------- if ps -elf |grep xinet |grep -v "grep xinet";then echo "xinetd 服务正在运行,请检查是否可以把xinnetd服务关闭" else echo "xinetd 服务未开启" fi echo -------------------------------------------------------------------------- echo "查看系统密码文件修改时间" ls -ltr /etc/passwd echo -------------------------------------------------------------------------- echo "查看是否开启了ssh服务" if service sshd status | grep -E "listening on|active \(running\)"; then echo "SSH服务已开启" else echo "SSH服务未开启" fi echo -------------------------------------------------------------------------- echo "查看是否开启了TELNET服务" if more /etc/xinetd.d/telnetd 2>&1|grep -E "disable=no"; then echo "TELNET服务已开启 " else echo "TELNET服务未开启 " fi echo -------------------------------------------------------------------------- echo "查看系统SSH远程访问设置策略(host.deny拒绝列表)" if more /etc/hosts.deny | grep -E "sshd: ";more /etc/hosts.deny | grep -E "sshd"; then echo "远程访问策略已设置 " else echo "远程访问策略未设置 " fi echo -------------------------------------------------------------------------- echo "查看系统SSH远程访问设置策略(hosts.allow允许列表)" if more /etc/hosts.allow | grep -E "sshd: ";more /etc/hosts.allow | grep -E "sshd"; then echo "远程访问策略已设置 " else echo "远程访问策略未设置 " fi echo "当hosts.allow和 host.deny相冲突时,以hosts.allow设置为准。" echo ------------------------------------------------------------------------- echo "查看shell是否设置超时锁定策略" if more /etc/profile | grep -E "TIMEOUT= "; then echo "系统设置了超时锁定策略 " else echo "未设置超时锁定策略 " fi echo ------------------------------------------------------------------------- echo "查看syslog日志审计服务是否开启" if service syslog status | egrep " active \(running";then echo "syslog服务已开启" else echo "syslog服务未开启,建议通过service syslog start开启日志审计功能" fi echo ------------------------------------------------------------------------- echo "查看syslog日志是否开启外发" if more /etc/rsyslog.conf | egrep "@...\.|@..\.|@.\.|\*.\* @...\.|\*\.\* @..\.|\*\.\* @.\.";then echo "客户端syslog日志已开启外发" else echo "客户端syslog日志未开启外发" fi echo ------------------------------------------------------------------------- echo "查看passwd文件中有哪些特权用户" awk -F: '$3==0 {print $1}' /etc/passwd echo ------------------------------------------------------------------------ echo "查看系统中是否存在空口令账户" awk -F: '($2=="!!") {print $1}' /etc/shadow echo "该结果不适用于Ubuntu系统" echo ------------------------------------------------------------------------ echo "查看系统中root用户外连情况" lsof -u root |egrep "ESTABLISHED|SYN_SENT|LISTENING" echo ----------------------------状态解释------------------------------ echo "ESTABLISHED的意思是建立连接。表示两台机器正在通信。" echo "LISTENING的" echo "SYN_SENT状态表示请求连接" echo ------------------------------------------------------------------------ echo "查看系统中root用户TCP连接情况" lsof -u root |egrep "TCP" echo ------------------------------------------------------------------------ echo "查看系统中存在哪些非系统默认用户" echo "root:x:“该值大于500为新创建用户,小于或等于500为系统初始用户”" more /etc/passwd |awk -F ":" '{if($3>500){print "/etc/passwd里面的"$1 "的值为"$3",请管理员确认该账户是否正常。"}}' echo ------------------------------------------------------------------------ echo "检查系统守护进程" more /etc/xinetd.d/rsync | grep -v "^#" echo ------------------------------------------------------------------------ echo "检查系统是否存在入侵行为" more /var/log/secure |grep refused echo ------------------------------------------------------------------------ echo "-----------------------检查系统是否存在PHP脚本后门---------------------" if find / -type f -name *.php | xargs egrep -l "mysql_query\($query, $dbconn\)|专用网马|udf.dll|class PHPzip\{|ZIP压缩程序 荒野无灯修改版|$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP木马|eval\(gzuncompress\(base64_decode|if\(empty\($_SESSION|$shellname|$work_dir |PHP木马|Array\("$filename"| eval\($_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提权|phpspy|后门" |sort -n|uniq -c |sort -rn 1>/dev/null 2>&1;then echo "检测到PHP脚本后门" find / -type f -name *.php | xargs egrep -l "mysql_query\($query, $dbconn\)|专用网马|udf.dll|class PHPzip\{|ZIP压缩程序 荒野无灯修改版|$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP木马|eval\(gzuncompress\(base64_decode|if\(empty\($_SESSION|$shellname|$work_dir |PHP木马|Array\("$filename"| eval\($_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提权|phpspy|后门" |sort -n|uniq -c |sort -rn find / -type f -name *.php | xargs egrep -l "mysql_query\($query, $dbconn\)|专用网马|udf.dll|class PHPzip\{|ZIP压缩程序 荒野无灯修改版|$writabledb|AnonymousUserName|eval\(|Root_CSS\(\)|黑狼PHP木马|eval\(gzuncompress\(base64_decode|if\(empty\($_SESSION|$shellname|$work_dir |PHP木马|Array\("$filename"| eval\($_POST\[|class packdir|disk_total_space|wscript.shell|cmd.exe|shell.application|documents and settings|system32|serv-u|提权|phpspy|后门" |sort -n|uniq -c |sort -rn |awk '{print $2}' | xargs -I{} cp {} /tmp/ echo "后门样本已拷贝到/tmp/目录" else echo "未检测到PHP脚本后门" fi echo ------------------------------------------------------------------------ echo "-----------------------检查系统是否存在JSP脚本后门---------------------" find / -type f -name *.jsp | xargs egrep -l "InputStreamReader\(this.is\)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提权|jspspy|后门" |sort -n|uniq -c |sort -rn 2>&1 find / -type f -name *.jsp | xargs egrep -l "InputStreamReader\(this.is\)|W_SESSION_ATTRIBUTE|strFileManag|getHostAddress|wscript.shell|gethostbyname|cmd.exe|documents and settings|system32|serv-u|提权|jspspy|后门" |sort -n|uniq -c |sort -rn| awk '{print $2}' | xargs -I{} cp {} /tmp/ 2>&1 echo ------------------------------------------------------------------------ echo "----------------------检查系统是否存在HTML恶意代码---------------------" if find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" 1>/dev/null 2>&1;then echo "发现HTML恶意代码" find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" |sort -n|uniq -c |sort -rn find / -type f -name *.html | xargs egrep -l "WriteData|svchost.exe|DropPath|wsh.Run|WindowBomb|a1.createInstance|CurrentVersion|myEncString|DropFileName|a = prototype;|204.351.440.495.232.315.444.550.64.330" |sort -n|uniq -c |sort -rn| awk '{print $2}' | xargs -I{} cp {} /tmp/ echo