1. 关闭不必要的服务
chkconfig --list | awk '{print "chkconfig " $1 " off"}' > /tmp/chkconfiglist.sh;/bin/sh /tmp/chkconfiglist.sh;rm -rf /tmp/chkconfiglist.sh
chkconfig crond on
chkconfig irqbalance on
chkconfig network on
chkconfig sshd on
chkconfig syslog on
chkconfig iptables on
setenforce 0
sed -i 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/sysconfig/selinux
2. 删除不必要rpm包
yum -y groupremove "FTP Server" "Text-based Internet" "Windows File Server" "PostgreSQL Database" "News Server" "DNS Name Server" "Web Server" "Dialup Networking Support" "Mail Server" "Office/Productivity" "Ruby" "Office/Productivity" "Sound and Video" "X Window System" "X Software Development" "Printing Support" "OpenFabrics Enterprise Distribution"
3. 删除系统特殊的的用户帐号
禁止所有默认的被操作系统本身启动的且不需要的帐号,当你第一次装上系统时就应该做此检查,Linux提供了各种帐号,你可能不需要,如果你不需要这个帐号,就移走它,你有的帐号越多,就越容易受到攻击
for i in adm lp sync shutdown halt mail news uucp operator games gopher ftp
do
userdel $i
done
for i in adm lp mail news uucp games dip
do
groupdel $i
done
4. 对用户和口令文件进行权限控制,并加上不可更改属性
chmod 600 /etc/passwd
chmod 600 /etc/shadow
chmod 600 /etc/group
chmod 600 /etc/gshadow
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services
5. 禁止ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all #临时生效
echo 'net.ipv4.icmp_echo_ignore_all=1>>/etc/sysctl.conf' #重启永久生效
6. 修改ssh服务的root登录权限
前提不行建立另一个一般用户,修改ssh服务配置文件,使的ssh服务不允许直接使用root用户来登录。
vi /etct/ssh/sshd_config
PermitRootLogin yes
将这行前的#去掉后,修改为:PermitRootLogin no
7. 密码输错5次锁定180s
sed -i '4a auth required pam_tally2.so deny=5 unlock_time=180' /etc/pam.d/system-auth
8. 修改shell命令的history记录个数
sed -i 's/HISTSIZE=.*$/HISTSIZE=100/g' /etc/profile
source /etc/profile
9. 修改自动注销帐号时间
自动注销帐号的登录,在Linux系统中root账户是具有最高特权的。如果系统管理员在离开系统之前忘记注销root账户,那将会带来很大的安全隐患,应该让系统会自动注销。通过修改账户中“TMOUT”参数,可以实现此功能。TMOUT按秒计算。编辑你的profile文件(vi /etc/profile),在"HISTSIZE="后面加入下面这行:
TMOUT=300
300,表示300秒,也就是表示5分钟。这样,如果系统中登陆的用户在5分钟内都没有动作,那么系统会自动注销这个账户。
10. 记录每个在服务器上操作的命令
mkdir /root/logs #记录日志位置自己更改,最好隐藏
echo "export PROMPT_COMMAND='{ msg=\$(history 1 | { read x y; echo \$y; });user=\$(whoami); echo \$(date \"+%Y-%m-%d %H:%M:%S\"):\$user:\`pwd\`/:\$msg ---- \$(who am i); } >> \$HOME/logs/\`hostname\`.\`whoami\`.history-timestamp'" >> /root/.bash_profile
11. 优化网络参数
sed -i 's/net.ipv4.tcp_syncookies.*$/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf #TCP SYN Cookie保护生效
echo 'net.ipv4.tcp_tw_reuse = 1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_tw_recycle = 1' >> /etc/sysctl.conf
echo 'net.ipv4.ip_local_port_range = 1024 65000' >> /etc/sysctl.conf
sysctl -p
12. iptables配置
sed -i 's/IPTABLES_MODULES="ip_conntrack_netbios_ns"/#IPTABLES_MODULES="ip_conntrack_netbios_ns"/g' /etc/sysconfig/iptables-config
cat > /etc/sysconfig/iptables << EOF
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# -A INPUT -p udp -m udp --dport 20 -j ACCEPT
COMMIT
EOF
/sbin/service atd start
echo "/sbin/service iptables stop" | at now+3minutes
/sbin/service iptables restart
iptables根据实际情况设置
|
