User management
User permissions
1) Restrict root
Allow root to log in directly only on the first virtual console, and make root's home directory readable by root alone. /etc/securetty is consulted by pam_securetty for login(1); SSH root logins are controlled separately by PermitRootLogin in sshd_config.
- echo "tty1" > /etc/securetty
- chmod 700 /root
2) Password policy
The perl one-liners below only rewrite the stock values (99999 and 0); if a field has already been changed they silently leave it alone, so check /etc/login.defs afterwards.
- echo "Passwords expire every 180 days"
- perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
- echo "Passwords may only be changed once a day"
- perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
Hash passwords with SHA-512 instead of MD5:
- authconfig --passalgo=sha512 --update
login.defs applies to accounts created from now on; existing accounts keep their aging fields in /etc/shadow until changed with chage, and an existing MD5 hash is replaced by SHA-512 only when that user next changes their password.
3) umask restriction
Change the default umask from 022/002 to 077 so that newly created files are accessible only to their owner:
- perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
- perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
4) PAM changes
- touch /var/log/tallylog
- cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=60
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally2.so per_user
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=10
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
Two points about module order and options. pam_tally2 must come before pam_unix in the auth stack: pam_unix is marked sufficient, so a correct password returns success at that line and nothing below it runs, which means a lockout placed after pam_unix is never enforced (and, because pam_succeed_if is requisite, failures for accounts with uid < 500, root included, would never be counted). In the account stack pam_tally2 resets the counter after a successful login and likewise has to sit above the sufficient pam_succeed_if line, otherwise system accounts are never reset. nullok is omitted from pam_unix so that accounts with an empty password field cannot authenticate. The uid >= 500 / uid < 500 split assumes UID_MIN=500 in login.defs, as on CentOS/RHEL 5 and 6; on systems with UID_MIN=1000 adjust both lines. pam_cracklib with minlen=9 and each credit at -2 requires at least nine characters including at least two lowercase, two uppercase, two digits and two other characters; remember=10 keeps the last ten hashes in /etc/security/opasswd to block reuse.
/var/log/tallylog is a binary log of failed authentication attempts. Read it with pam_tally2 (without arguments it lists every user with a non-zero count; pam_tally2 -u username shows one user) and clear a locked account with pam_tally2 --reset -u username.
5) Log out idle sessions
- echo "Idle users will be logged out after 15 minutes"
- echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
- echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
- chmod +x /etc/profile.d/os-security.sh
TMOUT is honoured by bash and ksh: an interactive shell that receives no input for 900 seconds exits. Declaring both variables readonly stops the user from unsetting TMOUT or redirecting HISTFILE (for example to /dev/null) to avoid having commands recorded. This covers only shells that source /etc/profile; it does not time out idle SSH connections that have no interactive shell, which is a matter for ClientAliveInterval in sshd_config.
6) Restrict cron and at
When cron.allow exists, only the users listed in it may use crontab and cron.deny is ignored; the deny file written below therefore only takes effect as a fallback if the allow file is later removed. The same rule applies to at.allow/at.deny. root is written into the allow files explicitly so the result does not depend on whether the installed cron exempts the superuser (an empty allow file would otherwise lock root out on implementations that do not).
- echo "Locking down Cron"
- echo root > /etc/cron.allow
- chmod 600 /etc/cron.allow
- awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/cron.deny
- echo "Locking down AT"
- echo root > /etc/at.allow
- chmod 600 /etc/at.allow
- awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/at.deny
Remove unused system users and groups
- userdel username
- userdel adm
- userdel lp
- userdel sync
- userdel shutdown
- userdel halt
- userdel news
- userdel uucp
- userdel operator
- userdel games
- userdel gopher
The accounts above are created by default at installation but are rarely needed on a server, and they are a recurring target for attackers, so removing them shrinks the attack surface. Before deleting one, confirm that no running service and no files on disk still belong to it (lp is the account CUPS runs as, and the adm group is granted read access to logs on some distributions); where an account is still in use, lock it and give it a non-login shell instead of deleting it.
- groupdel username
- groupdel adm
- groupdel lp
- groupdel news
- groupdel uucp
- groupdel games
- groupdel dip
Likewise, the groups above are created by default at installation; removing them reduces the attack surface. groupdel refuses to remove a group that is still the primary group of an existing user, so run each groupdel after the matching userdel.
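The following bash script is an added example, not part of the original page: it audits whether the settings from the steps above are actually in place. Every check takes the path of the file to inspect, so it can be run against /etc on a live host or against copies of the files. The pass criteria (PASS_MAX_DAYS at most 180 and PASS_MIN_DAYS at least 1, every umask line set to 077, pam_tally2 ahead of pam_unix with no nullok and sha512 requested, a readonly TMOUT of at most 900, cron.allow/at.allow mode 0600 and listing root, and the deleted accounts absent from passwd) are assumptions derived from the steps above, not from any published baseline.

```bash
#!/bin/bash
# Audit script for the hardening steps above (added example, not the page's own code).
# Each check_* function takes the path of the file to inspect, so the same functions
# can be pointed at /etc on a live host or at test copies. Each is silent and returns
# 0 (compliant) or 1 (non-compliant); run_audit labels the results.

# Value of KEY in a login.defs-style file; the last non-comment occurrence wins.
login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Password aging: PASS_MAX_DAYS set and at most 180, PASS_MIN_DAYS at least 1.
check_password_aging() {
    local max min
    max=$(login_def "$1" PASS_MAX_DAYS)
    min=$(login_def "$1" PASS_MIN_DAYS)
    [ -n "$max" ] && [ "$max" -le 180 ] && [ -n "$min" ] && [ "$min" -ge 1 ]
}

# Every umask line in a shell rc file must set 077 (the 002/022 defaults were rewritten).
check_umask() {
    awk '$1 == "umask" { seen = 1; if ($2 != "077") bad = 1 }
         END { exit !(seen && !bad) }' "$1"
}

# system-auth: pam_tally2 must precede pam_unix in the auth stack (a sufficient pam_unix
# line returns on a correct password before anything below it runs), no line may carry
# nullok, and the password-phase pam_unix line must request sha512.
check_pam_system_auth() {
    awk '$1 ~ /^#/ { next }
         $1 == "auth" && /pam_tally2\.so/ && !t { t = NR }
         $1 == "auth" && /pam_unix\.so/   && !u { u = NR }
         /nullok/ { n = 1 }
         $1 == "password" && /pam_unix\.so/ && /sha512/ { s = 1 }
         END { exit !(t && u && t < u && !n && s) }' "$1"
}

# profile.d snippet: TMOUT must be declared readonly and be no longer than 900 seconds.
check_tmout() {
    local t
    t=$(awk -F= '$1 ~ /^[[:space:]]*readonly[[:space:]]+TMOUT$/ { v = $2 + 0 }
                 END { print v }' "$1")
    [ -n "$t" ] && [ "$t" -ge 1 ] && [ "$t" -le 900 ]
}

# cron.allow / at.allow: present, mode exactly 0600, and listing root explicitly.
check_allow_file() {
    [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm 0600)" ] && grep -qx root "$1"
}

# The accounts deleted above must be absent from the passwd file; any that remain are printed.
check_accounts_removed() {
    local left
    left=$(awk -F: 'BEGIN { n = split("adm lp sync shutdown halt news uucp operator games gopher", a, " ")
                            for (i = 1; i <= n; i++) want[a[i]] = 1 }
                    ($1 in want) { print $1 }' "$1")
    [ -z "$left" ] || { echo "$left" | tr '\n' ' '; return 1; }
}

# report LABEL CHECK FILE: run one check against a file and print a PASS/FAIL line.
report() {
    if "$2" "$3" >/dev/null 2>&1; then echo "PASS  $1"; else echo "FAIL  $1  ($3)"; fi
}

run_audit() {
    report "password aging"            check_password_aging   /etc/login.defs
    report "umask 077 in bashrc"       check_umask            /etc/bashrc
    report "umask 077 in csh.cshrc"    check_umask            /etc/csh.cshrc
    report "PAM lockout/nullok/sha512" check_pam_system_auth  /etc/pam.d/system-auth
    report "idle timeout"              check_tmout            /etc/profile.d/os-security.sh
    report "cron.allow"                check_allow_file       /etc/cron.allow
    report "at.allow"                  check_allow_file       /etc/at.allow
    report "unused accounts removed"   check_accounts_removed /etc/passwd
}

# Run the live audit only when asked for (bash audit.sh audit), so the file can also be sourced.
case "${1:-}" in audit) run_audit ;; esac
```

Run it as root with `bash audit.sh audit` after applying the steps; a FAIL for the PAM check on a host where the pasted system-auth left pam_tally2 below pam_unix is exactly the ordering problem described in step 4. The checks deliberately inspect configuration files rather than the live authentication stack, so they can be run from a read-only rescue environment or against files copied off a host.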