linux安全加固VIP

Linux查看程序端口占用情況今天發(fā)現(xiàn)服務(wù)器上Tomcat 8080端口起不來，老提示端口已經(jīng)被占用。使用命令：ps -aux | grep tomcat發(fā)現(xiàn)并沒有8080端口的Tomcat進程。使用命令：netstat apn查看所有的進程和端口使用情況。發(fā)現(xiàn)下面的進程列表，其中最后一欄是PID/Program name發(fā)現(xiàn)8080端口被PID為9658的Java進程占用。進一步使用命令：ps -aux | grep java，或者直接：ps -aux | grep pid 查看就可以明確知道8080端口是被哪個程序占用了！然后判斷是否使用KILL命令干掉！方法二：直接使用 netstat -anp | grepportno即：netstat apn | grep 8080Mysql 數(shù)據(jù)庫不推薦root用戶，普通用戶Sql 不推薦sa用戶Apcht 不推薦系統(tǒng)用戶普通用戶漏洞名稱漏洞定級漏洞危害漏洞詳情修復(fù)建議Linux查看用戶輸入vi /etc/passwd 可以查看此文件的內(nèi)容 。本機內(nèi)容如下：rootlocalhost # vi /etc/passwdroot:x:0:0:root:/root:/bin/bashroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologin其中每一行代表一個賬號，所以，想查看本機一共有多少賬號，直接數(shù)passwd文件的行數(shù)就可以了，用命令rootlocalhost # cat /etc/passwd | wc -l42則代表本機一共有42個賬號查找root用戶的個數(shù)可以這樣做：rootlocalhost # cat /etc/passwd | grep :0root:x:0:0:root:/root:/bin/bashsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltoperator:x:11:0:operator:/root:/sbin/nologin看哪些賬號的第三個字段是0.那么這個就是管理員組賬號Linux安全加固So本博文提供了關(guān)于Linux系統(tǒng)安全加固的具體實現(xiàn)腳本及基線檢查規(guī)范，以供主機維護人員參考學(xué)習(xí)。其中以下腳本主要實現(xiàn)的功能包括：*加固項包括：密碼長度、session超時時間、刪除不用的帳號和組、限制root用戶直接telnet或rlogin、ssh*檢查是否存在除root之外UID為0的用戶、確保root用戶的系統(tǒng)路徑中不包含父目錄，在非必要的情況下，不應(yīng)包含組權(quán)限為777的目錄*檢查操作系統(tǒng)Linux用戶umask設(shè)置、檢查重要目錄和文件的權(quán)限、禁止除root之外的用戶su操作、查找系統(tǒng)中任何人都有寫權(quán)限的目錄*查找系統(tǒng)中沒有屬主的文件、查找系統(tǒng)中的隱藏文件、判斷日志與審計是否合規(guī)、登錄超時設(shè)置、禁用不必要的服務(wù)*linux 安全加固適用于redhat、centos5.8至6.2具體內(nèi)容如下，請結(jié)合自身業(yè)務(wù)需求進行系統(tǒng)級加固：#1、-echo 刪除不用的帳號和組echo delete unused users and grupsfor i in lp sync shutdown halt news uucp operator games gopherdoecho will delete user $iuserdel $iecho user $i have deletedonefor i in lp sync shutdown halt news uucp operator games gopherdoecho will delete group $igroupdel $iecho group $i have deletedonedate=date +%F#2、-#section1 密碼要求密碼長度大于8,口令90天過期/etc/login.defs#-#-echo cp /etc/login.defs to /etc/login.defs.bak_%dateecho #-cp /etc/login.defs /etc/login.defs.bak_$date#echo 檢查密碼的配置echo Check the configure for users password.echo #-for i in PASS_MAX_DAYS PASS_MIN_LEN PASS_MIN_DAYS PASS_WARN_AGEdocat /etc/login.defs |grep $i|grep -v #done#set password min length 8echo #-echo Set users password min length is 8sed -i /PASS_MIN_LEN/s/5/8/g /etc/login.defsecho #-#set password max day 90#echo set password expired 90 day#sed -i /PASS_MAX_DAYS/s/99999/90/g /etc/login.defs#3、-echo #檢查是否存在空口令echo Check if there have user without password!echo #-awk -F: ($2 = ) print $1 /etc/shadow#4、-#section2 限制root用戶直接telnet或rlogin，ssh無效#建議在/etc/securetty文件中配置：CONSOLE = /dev/tty01#-#帳號與口令-檢查是否存在除root之外UID為0的用戶#echo #檢查系統(tǒng)中是否存在其它id為0的用戶echo Check if the system have other users id is 0echo #-mesg=awk -F: ($3 = 0) print $1 /etc/passwd|grep -v rootif -z $mesg thenecho There dont have other user uid=0elseechoecho !echo $mesg uid=0echo !fi#5、-echo #確保root用戶的系統(tǒng)路徑中不包含父目錄，在非必要的情況下，不應(yīng)包含組權(quán)限為777的目錄echo check the Path set for root,make sure the path for root dont have father directory and 777 rightsecho #-echo $PATH | egrep (|:)(.|:|$)find echo $PATH | tr : -type d ( -perm -002 -o -perm -020 ) -ls#6、-echo #檢查操作系統(tǒng)Linux遠程連接echo Check if system have remote connection setingecho #-find / -name .netrcfind / -name .rhostsecho 檢查操作系統(tǒng)Linux用戶umask設(shè)置echo Check the system users umask settingecho #-for i in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrcdogrep -H umask $i|grep -v #done#設(shè)置umask為027#7、-#echo #檢查重要目錄和文件的權(quán)限#echo Check the important files and directory rightsecho #-for i in /etc /etc/rc.d/init.d /tmp /etc/inetd.conf /etc/passwd /etc/shadow /etc/group /etc/security /etc/services /etc/rc*.ddols -ld $idoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#8、-#echo #配置rc.d下腳本的權(quán)限echo Configure the scripts right(750) in rc.d directoryecho #-chmod -R 750 /etc/rc.d/init.d/*chmod 755 /bin/su 改了之后只能root su，沒有了s位別的用戶無法成功suchmod 664 /var/log/wtmp#chattr +a /var/log/messages#9、-echo #查找系統(tǒng)中存在的SUID和SGID程序echo Find the files have suid or Sgidecho #-for PART in grep -v # /etc/fstab | awk ($6 != 0) print $2 ; dofind $PART ( -perm -04000 -o -perm -02000 ) -type f -xdev -print |xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#10、- echo #查找系統(tǒng)中任何人都有寫權(quán)限的目錄echo Find the directory everyone have the write rightecho #-for PART in awk ($3 = ext2 | $3 = ext3) print $2 /etc/fstab; dofind $PART -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print |xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#11、-#echo #查找系統(tǒng)中任何人都有寫權(quán)限的文件echo Find the files everyone have write rightecho #-for PART in grep -v # /etc/fstab | awk ($6 != 0) print $2 ; dofind $PART -xdev -type f ( -perm -0002 -a ! -perm -1000 ) -print |xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#12、- echo #查找系統(tǒng)中沒有屬主的文件echo Find no owner or no group files in systemecho #-for PART in grep -v # /etc/fstab |grep -v swap| awk ($6 != 0) print $2 ; dofind $PART -nouser -o -nogroup |grep -v vmware|grep -v dev|xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#13、- #echo #查找系統(tǒng)中的隱藏文件#echo Find the hiding file in system#echo #-#linux執(zhí)行報錯排除/dev”目錄下的那些文件#find / -name (. * -o * -o .xx -o .mail ) -print -xdev# #find / -name * -print -xdev | cat -v#find / ( -name .* -o -name * -o -name .xx -o -name .mail ) -xdev#echo -n If you have check all the output files if correct yes or no ? :#read i# case $i in# y|yes)# break# ;# n|no)# echo Please recheck the output!# echo !# continue# ;# *)# echo please input yes or no# ;# esac#14、- echo #判斷日志與審計是否合規(guī)echo Judge if the syslog audition if follow the rulesecho #-autmesg=cat /etc/syslog.conf |egrep authprivif ! -n $autmesg thenecho there dont have authpriv set in /etc/syslog.confecho !echo -n If you have know this y or n ?read icase $i iny|yes)break;n|no)echo there dont have authpriv set in /etc/syslog.confecho !continue;*)echo please input yes or no;esacelse# echo 日志與審計合規(guī)echo syslog audition follow the rulesfi#15、- echo #關(guān)閉linux core dumpecho Turn off the system core dumpecho #-mesg1=grep * soft core 0 /etc/security/limits.confmesg2=grep * hard core 0 /etc/security/limits.confif ! -n $mesg1 -o ! -n $mesg2 thencp /etc/security/limits.conf /etc/security/limits.conf_$dateif ! -n $mesg1 thenecho * soft core 0 /etc/security/limits.conffiif ! -n $mesg2 thenecho * hard core 0 /etc/security/limits.conffifi#修改login文件使limits限制生效cp /etc/pam.d/login /etc/pam.d/login_$dateecho session required /lib/security/pam_limits.so /etc/pam.d/login#16、- #登錄超時設(shè)置#檢查/etc/pam.d/system-auth文件是否存在account required /lib/security/pam_tally.so deny=的相關(guān)設(shè)置#建議設(shè)置為auth required pam_tally.so onerr=fail deny=6 unlock_time=300#17、- #su命令使用,對su命令使用進行限制設(shè)置#檢查/etc/pam.d/su文件設(shè)置#文件中包含#auth sufficient /lib/security/pam_rootok.so debug#auth required /lib/security/pam_wheel.so group=isd#20、- echo #登錄超時自動退出echo set session time out terminal echo #-tmout=grep -i TMOUT /etc/profileif ! -n $tmout thenechoecho -n do you want to set login timeout to 300s? yes:read icase $i iny|yes)cp /etc/profile /etc/profile_$dateecho export TMOUT=300 /etc/profile. /etc/profile;n|no)break;*)echo please input yes or no;esacelsemesg=echo $tmout |awk -F= print $2if $mesg -ne 300 thenecho The login session timeout is $mesg now will change to 300 secondscp /etc/profile /etc/profile_$dateecho export TMOUT=300 /etc/profile. /etc/profilefifised -i s/HISTSIZE=1000/HISTSIZE=100/g /etc/profile#21、- echo #禁用telnet啟用sshecho Stop telnet and start up sshdecho #-mesg1=lsof -i:23mesg2=lsof -i:22if ! -n $mesg2 thenservice start sshdchkconfig sshd onmesg2=lsof -i:22fiif ! -n $mesg1 -a ! -n $mesg2 thenechoecho Will Deactive telnet chkconfig krb5-telnet offchkconfig ekrb5-telnet offfi#22、- #echo #設(shè)置終端超時，使系統(tǒng)10分鐘后自動退出不活動的Shell#echo #-#mesg=grep export TMOUT=600 /etc/profile#if -z $mesg #then#echo export TMOUT=600 /etc/profile#. /etc/profile#fi#23、- echo #禁用不必要的服務(wù)echo Stop unuseing servicesecho #-list=avahi-daemon bluetooth cups firstboot hplip ip6tables iptables iscsi iscsid isdn kudzu pcscd rhnsd rhsmcertd rpcgssd rpcidmapd sendmail smartd yum-updatesd netfs portmap autofs nfslock nfsfor i in $listdochkconfig $i offservice $i stopdoneecho change kernel parameter for network securecp /etc/sysctl.conf /etc/sysctl.conf.$date#echo net.ipv4.icmp_echo_ignore_all = 1/etc/sysctl.confsysctl -a |grep arp_filter|sed -e s/= 0/= 1/g /etc/sysctl.confsysctl -a |grep accept_redirects|sed -e s/= 1/= 0/g /etc/sysctl.confsysctl -a |gre