用户权限1)限制root

  • echo "tty1" > /etc/securetty
  • chmod 700 /root

2)密码策略

  • echo "Passwords expire every 180 days"
  • perl -npe ‘s/PASS_MAX_DAYSs+99999/PASS_MAX_DAYS 180/’ -i /etc/login.defs
  • echo "Passwords may only be changed once a day"
  • perl -npe ‘s/PASS_MIN_DAYSs+0/PASS_MIN_DAYS 1/g’ -i /etc/login.defs

用sha512保护密码而不用md5

  • authconfig –passalgo=sha512 –update

3)umask限制
更改umask为077

  • perl -npe ‘s/umasks+0d2/umask 077/g’ -i /etc/bashrc
  • perl -npe ‘s/umasks+0d2/umask 077/g’ -i /etc/csh.cshrc

4)Pam修改

  • touch /var/log/tallylog

  • cat << ‘EOF’ > /etc/pam.d/system-auth
  • #%PAM-1.0
  • # This file is auto-generated.
  • # User changes will be destroyed the next time authconfig is run.
  • auth        required      pam_env.so
  • auth        sufficient    pam_unix.so nullok try_first_pass
  • auth        requisite     pam_succeed_if.so uid >= 500 quiet
  • auth        required      pam_deny.so
  • auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=60
  • account     required      pam_unix.so
  • account     sufficient    pam_succeed_if.so uid < 500 quiet
  • account     required      pam_permit.so
  • account     required      pam_tally2.so per_user
  • password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
  • password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
  • password    required      pam_deny.so
  • session     optional      pam_keyinit.so revoke
  • session     required      pam_limits.so
  • session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  • session     required      pam_unix.so
  • EOF

/var/log/tallylog是二进制日志,记录认证失败情况。可以使用pam_tally2 –reset -u username解锁
5)回收闲置用户

  • echo "Idle users will be removed after 15 minutes"
  • echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
  • echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
  • chmod +x /etc/profile.d/os-security.sh

6)cron和at限制

  • echo "Locking down Cron"
  • touch /etc/cron.allow
  • chmod 600 /etc/cron.allow
  • awk -F: ‘{print $1}’ /etc/passwd | grep -v root > /etc/cron.deny
  • echo "Locking down AT"
  • touch /etc/at.allow
  • chmod 600 /etc/at.allow
  • awk -F: ‘{print $1}’ /etc/passwd | grep -v root > /etc/at.deny

删除系统特殊的的用户和组

  • userdel username
  • userdel adm
  • userdel lp
  • userdel sync
  • userdel shutdown
  • userdel halt
  • userdel news
  • userdel uucp
  • userdel operator
  • userdel games
  • userdel gopher

以上所删除用户为系统默认创建,但是在常用服务器中基本不使用的一些帐号,但是这些帐号常被黑客利用和攻击服务器。

  • groupdel username
  • groupdel adm
  • groupdel lp
  • groupdel news
  • groupdel uucp
  • groupdel games
  • groupdel dip

同样,以上删除的是系统安装是默认创建的一些组帐号。这样就减少受攻击的机会。

发表评论