CentOS 7 主机加固手册-下
0x1f 删除禁用非必要的服务
删除非必要的服务
# Remove yum remove xinetd yum remove telnet-server yum remove rsh-server yum remove telnet yum remove rsh-server yum remove rsh yum remove ypbind yum remove ypserv yum remove tftp-server yum remove cronie-anacron yum remove bind yum remove vsftpd yum remove httpd yum remove dovecot yum remove squid yum remove net-snmpd
禁止非必要的服务
#Disable / Enable systemctl disable xinetd systemctl disable rexec systemctl disable rsh systemctl disable rlogin systemctl disable ypbind systemctl disable tftp systemctl disable certmonger systemctl disable cgconfig systemctl disable cgred systemctl disable cpuspeed systemctl enable irqbalance systemctl disable kdump systemctl disable mdmonitor systemctl disable messagebus systemctl disable netconsole systemctl disable ntpdate systemctl disable oddjobd systemctl disable portreserve systemctl enable psacct systemctl disable qpidd systemctl disable quota_nld systemctl disable rdisc systemctl disable rhnsd systemctl disable rhsmcertd systemctl disable saslauthd systemctl disable smartd systemctl disable sysstat systemctl enable crond systemctl disable atd systemctl disable nfslock systemctl disable named systemctl disable httpd systemctl disable dovecot systemctl disable squid systemctl disable snmpd
禁用Secure RPC Client 服务
Disable rpcgssd:
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:
systemctl disable rpcgssd
禁止 Secure RPC Server Service
systemctl disable rpcsvcgssd
禁止 RPC ID Mapping Service
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:
systemctl disable rpcidmapd
禁止 Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:
sudo systemctl disable netfs
禁止 Network File System (nfs)
systemctl disable nfs
如果不需要SSH,则删除之:
systemctl disable sshd
删除 SSH iptables 防火墙规则
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Tips™ - You probable need to leave SSH alone
###Remove Rsh Trust Files rm /etc/hosts.equiv rm ~/.rhosts
禁止 Avahi Server Software
systemctl disable avahi-daemon
the CUPS Service
如果不需要CUPS,禁止之,减少攻击面
systemctl disable cups
禁止 DHCP 服务
systemctl disable dhcpd
卸载 DHCP Server Package
如果不需要DHCP客户端,就删除之
yum erase dhcp
禁止DHCP ,使用静态ip
Example:
BOOTPROTO=none NETMASK=255.255.255.0 IPADDR=192.168.1.2 GATEWAY=192.168.1.1
指定 NTP服务器
vim /etc/ntp.conf
server ntpserver
当然最好使用内网的NTP服务器
启用 Postfix
systemctl enable postfix
删除 Sendmail
yum remove sendmail
设置Postfix仅本地监听
Open, /etc/postfix/main.cf and ensure the following inet_interfaces line appears:
vim
inet_interfaces = localhost
配置 SMTP banner
banner会暴露当前的 SMTP 服务器是 Postfix.
禁止 xinetd Service
sudo systemctl disable xinetd
System Audit Logs权限设置
System audit logs 权限最高为0640
sudo chmod 0640 audit_file
System Audit Logs 所有者为root
sudo chown root/var/log
禁止 autofs
chkconfig --level 0123456 autofs off
service autofs stop
0x21 禁止不常见的文件系统
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
0x22 禁止 core dumps
vi /etc/security/limits.conf
* hard core 0
0x23 禁止SUID程序core dumps
Run sysctl -w fs.suid_dumpable=0 and fs.suid_dumpable = 0. # Set runtime for fs.suid_dumpable # sysctl -q -n -w fs.suid_dumpable=0 # # If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0" # else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf # if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf else echo "" >> /etc/sysctl.conf echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf fi
0x24 防止缓冲区溢出
启用 ExecShield
用于防御 stack smashing / BOF.
sysctl -w kernel.exec-shield=1
在 /etc/sysctl.conf里面添加
kernel.exec-shield = 1
启用ASLR
Set runtime for kernel.randomize_va_space
sysctl -q -n -w kernel.randomize_va_space=2
在 /etc/sysctl.conf 里面添加一行:
kernel.randomize_va_space = 2
Enable XD or NX Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check bios and ensure XD/NX is enabled, not relevant for VM’s.
0x25 配置SELinux
确认SELinux开启
sed -i "s/selinux=0//gI" /etc/grub.conf sed -i "s/enforcing=0//gI" /etc/grub.conf
启用SELinux
vim /etc/selinux/config
SELINUXTYPE=targeted
SELINUXTYPE=targeted 或者设置为 SELINUXTYPE=enforcing,这取决于实际情况。
启用SELinux restorecond 服务
estorecond (系统)利用 /etc/selinux/restorecond.conf 的设定来判断当新建文件时,该文件的 SELinux 类型应该如何还原。需要注意的是,如果你的系统有很多非正规的 SELinux 文件类型设定时,这个 daemon最好关闭,否则他会将你设定的 type 修改回默认值。
启用 restorecond for all run levels:
chkconfig --level 0123456 restorecond on
启动 restorecond:
service restorecond start
确保没有未被SELinux限制的守护进程
sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }’
0x26 防止空密码登录
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
0x27 加固 SSH服务
只允许SSH Protocol 2
vim /etc/ssh/sshd_config
Protocol 2
限制特定用户SSH登录
vim /etc/ssh/sshd_config
DenyUsers USER1 USER2
配置 Idle Log Out Timeout 间隔为600秒
ClientAliveInterval 600
Set SSH Client Alive Count
不要支持闲置会话
To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
禁止SSH支持.rhosts文件
IgnoreRhosts参数可以忽略以前登录过主机的记录
vim /etc/ssh/sshd_config:
IgnoreRhosts yes
禁止基于主机的认证
SSH的加密主机身份验证比.rhosts身份验证更安全。 但是即使在一个组织内也不建议主机互相信任。
vim /etc/ssh/sshd_config:
HostbasedAuthentication no
禁止SSH root登录
vim /etc/ssh/sshd_config
PermitRootLogin no
禁止SSH空密码登录
vim /etc/ssh/sshd_config: PermitEmptyPasswords no
开启SSH 警告标语
开启告警标语,提高安全意识。
banner /etc/issue
禁止SSH Environment选项
当客户端从ssh登陆到服务端时,服务端禁止从本地的~/.ssh/environment读取特定客户端的环境变量配置文件。
PermitUserEnvironment no
仅使用被证明的加密算法
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
0x29 加固X桌面(X windows)
禁止X桌面,减少攻击面
yum groupremove "X Window System
0x2a 定时更新
yum -y install yum-cron chkconfig yum-cron on
另外设置 yum-cron 为 “check only”,不推荐自动安装更新。