Notes on secure login settings for Linux servers

In day-to-day operations work, hardening a server's security settings is extremely important. The recommended practices are:
1) Strictly restrict ssh logins (see: Using ssh on Linux (a summary from personal experience)):
     change the default ssh listening port;
     disable root login and create a dedicated account or group for ssh logins;
     disable password login and use key-based (certificate) login;
     bind ListenAddress to the host's internal IP, so that ssh connections are only accepted on the internal address;
2) Whitelist the IPs allowed to log in (iptables, /etc/hosts.allow, /etc/hosts.deny);
3) Dedicate two machines as bastion hosts; once the other machines are whitelisted they can only be logged into through the bastions, which narrows the entry point into the data-center servers;
     also apply the ssh restrictions above to the bastion hosts, and preferably add a second authentication factor after login (Google-Authenticator);
4) Strict sudo privilege control (see: An overview of permissions on Linux);
5) Use chattr to lock important files on the server, such as /etc/passwd, /etc/group, /etc/shadow, /etc/sudoers, /etc/sysconfig/iptables and /var/spool/cron/root;
6) Disable ping (echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all).

This post mainly covers the login whitelist for a server, using two methods:
1) restricting the ssh port with iptables;
2) restricting with /etc/hosts.allow and /etc/hosts.deny. These two files control remote access: through them you can allow or deny a particular IP or IP range access to a given Linux service.
When iptables, hosts.allow and hosts.deny are all configured, or their settings conflict, the priority followed is hosts.allow > hosts.deny > iptables.

Let us look at several configurations that restrict logins to the local server:
1) iptables and hosts.allow configured consistently, hosts.deny not configured. If there is a conflict, hosts.allow takes precedence.
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
# Note: the 192.168.1.* subnet here must not be written as 192.168.1.0/24; separate multiple IPs with commas.
# The trailing :allow may be omitted.
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

With the settings above, 133.110.186.139 does not appear in the iptables whitelist but does appear in hosts.allow, so it is allowed to log in to the local server;
in other words, every IP configured in hosts.allow can log in, while an IP configured in iptables but not in hosts.allow cannot;
so once hosts.allow is configured, there is actually no need for iptables to restrict ssh any further.

2) hosts.allow not configured, iptables and hosts.deny configured (if the two conflict, hosts.deny takes precedence)
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# The trailing :deny may be omitted.
sshd:133.110.186.130:deny

Above, although 133.110.186.130 is configured in iptables, it is also configured in hosts.deny, and hosts.deny is what is followed, so the IP 133.110.186.130 cannot log in to the local server;
that is, with the settings above only the 192.168.1.0 subnet and 114.165.77.144 can log in to the local server.

3) When iptables, hosts.allow and hosts.deny are all configured, hosts.allow is what is followed!
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.133 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.137 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
# The trailing :allow may be omitted.
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
# The trailing :deny may be omitted.
sshd:all:deny

After the settings above, only the IPs configured in hosts.allow (192.168.1.*, 114.165.77.144, 133.110.186.130 and 133.110.186.139) can log in to the local server.

4) There is one more variant: leave hosts.deny untouched and put the deny rule in hosts.allow.
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# The trailing :allow may be omitted.
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow
# This rule normally lives in hosts.deny, but it can also go here: everything except the IPs above is blocked from logging in.
sshd:all:deny

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

5) If iptables is turned off, the restriction only takes effect when hosts.allow and hosts.deny are both configured.
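To make the hosts.allow / hosts.deny evaluation order concrete, here is an added example (not part of the original post) that models the hosts_access(5) logic for one daemon: hosts.allow is consulted first, then hosts.deny, and a client matching neither file is admitted; a trailing :allow or :deny overrides the file's default. The sample files are constructed from cases 2, 3 and 4 above with the inline annotations removed; iptables is deliberately not modelled, since it filters before sshd sees the connection.

```python
"""Model of tcp_wrappers hosts.allow / hosts.deny evaluation for one daemon.
Added example, not part of the original post: it implements the hosts_access(5)
order (hosts.allow, then hosts.deny, otherwise allow); iptables is not modelled.
"""

def _client_matches(pattern: str, client_ip: str) -> bool:
    """Match one client pattern: 'all', an exact IP, or a 192.168.1.* prefix."""
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    if pattern.endswith(".*"):              # trailing-wildcard form used in the post
        return client_ip.startswith(pattern[:-1])
    return pattern == client_ip

def _parse_rules(text: str, file_default: str):
    """Return (daemons, clients, action) tuples; a third field overrides the file default."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment; skip blank lines
        if not line:
            continue
        fields = [f.strip().lower() for f in line.split(":")]
        daemons, clients = fields[0].split(","), fields[1].split(",")
        action = fields[2] if len(fields) > 2 and fields[2] in ("allow", "deny") else file_default
        rules.append((daemons, clients, action))
    return rules

def hosts_access(daemon: str, client_ip: str, allow_text: str, deny_text: str) -> bool:
    """True if tcp_wrappers would let client_ip reach daemon under these two files."""
    for file_default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, action in _parse_rules(text, file_default):
            if daemon.lower() not in daemons and "all" not in daemons:
                continue
            if any(_client_matches(c, client_ip) for c in clients):
                return action == "allow"    # first matching rule, in file order, decides
    return True                             # matched nowhere: access is granted

# Constructed sample files mirroring cases 2, 3 and 4 of the post (annotations removed).
CASE2_ALLOW = "# hosts.allow left as shipped\n"
CASE2_DENY = "sshd:133.110.186.130:deny\n"
CASE3_ALLOW = "sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow\n"
CASE3_DENY = "sshd:all:deny\n"
CASE4_ALLOW = CASE3_ALLOW + "sshd:all:deny\n"   # deny-all moved into hosts.allow
CASE4_DENY = "# hosts.deny left as shipped\n"
```

Running hosts_access("sshd", "133.110.186.133", CASE3_ALLOW, CASE3_DENY) returns False because the address is caught by sshd:all:deny, while 133.110.186.139 returns True from the hosts.allow rule even though it is absent from the iptables list.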

==========================================================
Problem: /etc/hosts.allow and /etc/hosts.deny have no effect after being configured:

You configure IP restrictions for a service (such as sshd or ftp) in /etc/hosts.allow and /etc/hosts.deny and find that they have no effect!
Possible reasons:
1) /etc/hosts.allow and /etc/hosts.deny only work on servers whose ssh is linked against tcp_wrappers;
2) check whether the server's ssh supports tcp_wrappers with the following two commands:
   # strings /usr/sbin/sshd|grep hosts_access
   # ldd `which sshd` | grep libwrap
3) if neither command produces output, the ssh on this machine does not support tcp_wrappers;
4) the default ssh on CentOS 6 generally supports tcp_wrappers, but once the server's ssh is upgraded to openssh 6.7 or later, it no longer does!
   Starting with openssh 6.7, upstream removed support for tcp wrappers!
5) That is, if the default ssh on CentOS 6 (OpenSSH_5.3p1) is upgraded to openssh 6.7 or later, ssh no longer supports tcp wrappers,
   and the restrictions in /etc/hosts.allow and /etc/hosts.deny become ineffective!
6) The default ssh on CentOS 7, however, is OpenSSH_7.4p1, and that default build does support tcp wrappers (the distribution package carries its own tcp_wrappers patch):

[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core) 

[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

[root@localhost ~]# ldd `which sshd` | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fd302fc9000)
[root@localhost ~]# strings /usr/sbin/sshd|grep hosts_access
hosts_access

