0x1f Remove and disable non-essential services
Remove non-essential services
# Remove
yum remove xinetd
yum remove telnet-server
yum remove rsh-server
yum remove telnet
yum remove rsh
yum remove ypbind
yum remove ypserv
yum remove tftp-server
yum remove cronie-anacron
yum remove bind
yum remove vsftpd
yum remove httpd
yum remove dovecot
yum remove squid
yum remove net-snmpd
Disable non-essential services
# Disable / Enable
systemctl disable xinetd
systemctl disable rexec
systemctl disable rsh
systemctl disable rlogin
systemctl disable ypbind
systemctl disable tftp
systemctl disable certmonger
systemctl disable cgconfig
systemctl disable cgred
systemctl disable cpuspeed
systemctl enable irqbalance
systemctl disable kdump
systemctl disable mdmonitor
systemctl disable messagebus
systemctl disable netconsole
systemctl disable ntpdate
systemctl disable oddjobd
systemctl disable portreserve
systemctl enable psacct
systemctl disable qpidd
systemctl disable quota_nld
systemctl disable rdisc
systemctl disable rhnsd
systemctl disable rhsmcertd
systemctl disable saslauthd
systemctl disable smartd
systemctl disable sysstat
systemctl enable crond
systemctl disable atd
systemctl disable nfslock
systemctl disable named
systemctl disable httpd
systemctl disable dovecot
systemctl disable squid
systemctl disable snmpd
Disable the Secure RPC client service
Disable rpcgssd:
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:
systemctl disable rpcgssd
Disable the Secure RPC server service
systemctl disable rpcsvcgssd
Disable the RPC ID mapping service
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:
systemctl disable rpcidmapd
Disable network file systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:
sudo systemctl disable netfs
Disable the Network File System (nfs) service
systemctl disable nfs
If SSH is not needed, remove it (disable the service):
systemctl disable sshd
Remove the SSH iptables firewall rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Tips™ - You probably need to leave SSH alone.
Remove rsh trust files
rm /etc/hosts.equiv
rm ~/.rhosts
Disable the Avahi server software
systemctl disable avahi-daemon
Disable the CUPS service
If CUPS is not needed, disable it to reduce the attack surface.
systemctl disable cups
Disable the DHCP service
systemctl disable dhcpd
Uninstall the DHCP server package
If the DHCP client is not needed, remove it:
yum erase dhcp
Disable DHCP and use a static IP
Example:
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
Specify an NTP server
vim /etc/ntp.conf
server ntpserver
It is of course best to use an NTP server on the internal network.
Enable Postfix
systemctl enable postfix
Remove Sendmail
yum remove sendmail
Configure Postfix to listen only on localhost
Open /etc/postfix/main.cf and ensure the following inet_interfaces line appears:
vim /etc/postfix/main.cf
inet_interfaces = localhost
Configure the SMTP banner
The default banner reveals that the current SMTP server is Postfix.
Disable the xinetd service
sudo systemctl disable xinetd
System audit log permissions
System audit logs should be no more permissive than 0640
sudo chmod 0640 audit_file
System audit logs should be owned by root
sudo chown root /var/log
Disable autofs
chkconfig --level 0123456 autofs off
service autofs stop
0x21 Disable uncommon filesystems
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
0x22 Disable core dumps
vi /etc/security/limits.conf
* hard core 0
0x23 Disable core dumps for SUID programs
Run sysctl -w fs.suid_dumpable=0 and make fs.suid_dumpable = 0 persistent in /etc/sysctl.conf:
# Set runtime for fs.suid_dumpable
sysctl -q -n -w fs.suid_dumpable=0
#
# If fs.suid_dumpable is present in /etc/sysctl.conf, change its value to "0",
# else add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
    sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
    echo "" >> /etc/sysctl.conf
    echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
    echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi
0x24 Prevent buffer overflows
Enable ExecShield
Used to defend against stack smashing / buffer overflows (BOF).
sysctl -w kernel.exec-shield=1
Add to /etc/sysctl.conf:
kernel.exec-shield = 1
Enable ASLR
Set runtime for kernel.randomize_va_space
sysctl -q -n -w kernel.randomize_va_space=2
Add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
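The fs.suid_dumpable snippet in 0x23 and the ExecShield and ASLR settings in 0x24 all follow one pattern: apply the key at runtime with sysctl -w, then make it persistent in /etc/sysctl.conf. The shell functions below are an added example, not part of the original checklist, that generalise the persistence step to any key and value; the config path is a parameter (assumed here to be a constructed temp file, in production /etc/sysctl.conf) so the edit logic can be exercised without root, and the runtime step stays the page's own sysctl -w line.

```shell
# Added example: idempotent persistence of a sysctl key (generalises the
# fs.suid_dumpable snippet in 0x23 to the ExecShield/ASLR keys in 0x24).

# get_sysctl_persist KEY FILE: print the value of the last active "KEY = VALUE"
# line (sysctl applies the file top to bottom, so later lines win).
get_sysctl_persist() {
    awk -v key="$1" '
        /^[[:space:]]*[#;]/ { next }                 # skip comment lines
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = substr($0, n + 1); gsub(/[[:space:]]/, "", v); last = v }
        }
        END { print last }
    ' "$2"
}

# set_sysctl_persist KEY VALUE FILE: rewrite every active line for KEY as
# "KEY = VALUE" (collapsing duplicates), leave commented-out lines untouched,
# and append the line if KEY was absent. The file is replaced via a temp copy
# and mv, so an interrupted write cannot leave a truncated config behind.
set_sysctl_persist() {
    key=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            n = index($0, "="); k = $0
            if (n > 0) k = substr($0, 1, n - 1)
            gsub(/[[:space:]]/, "", k)               # "# key = 1" keeps its "#", so no match
            if (k == key) {                          # active line for this key
                if (!found) { print key " = " value; found = 1 }
                next                                 # drop duplicate entries
            }
            print
        }
        END { if (!found) print key " = " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed demo file (not a real host's /etc/sysctl.conf).
DEMO=$(mktemp)
printf '%s\n' 'kernel.randomize_va_space = 0' 'fs.suid_dumpable=1' '# fs.suid_dumpable = 1' > "$DEMO"
set_sysctl_persist fs.suid_dumpable 0 "$DEMO"
set_sysctl_persist kernel.randomize_va_space 2 "$DEMO"
set_sysctl_persist kernel.exec-shield 1 "$DEMO"
cat "$DEMO"
```

Running the demo leaves four lines: the two existing keys rewritten in place, the commented-out line untouched, and kernel.exec-shield appended; running it again changes nothing.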
Enable XD or NX Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check the BIOS and ensure XD/NX is enabled; not relevant for VMs.
0x25 Configure SELinux
Confirm SELinux is enabled (remove any kernel parameters that turn it off):
sed -i "s/selinux=0//gI" /etc/grub.conf
sed -i "s/enforcing=0//gI" /etc/grub.conf
Enable SELinux
vim /etc/selinux/config
SELINUXTYPE=targeted
Use SELINUXTYPE=targeted; whether the mode line is set to SELINUX=enforcing depends on the actual situation.
Enable the SELinux restorecond service
restorecond uses the settings in /etc/selinux/restorecond.conf to decide how the SELinux type of a newly created file should be restored. Note that if your system has many non-standard SELinux file type settings, this daemon is better left off, otherwise it will change the types you set back to the defaults.
Enable restorecond for all run levels:
chkconfig --level 0123456 restorecond on
Start restorecond:
service restorecond start
Make sure no daemons are running unconfined by SELinux
sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
0x26 Prevent logins with empty passwords
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
0x27 Harden the SSH service
Allow only SSH protocol 2
vim /etc/ssh/sshd_config
Protocol 2
Restrict SSH login for specific users
vim /etc/ssh/sshd_config
DenyUsers USER1 USER2
Set the idle logout timeout interval to 600 seconds
ClientAliveInterval 600
Set SSH Client Alive Count
Do not keep idle sessions alive
To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
Disable SSH support for .rhosts files
The IgnoreRhosts parameter makes sshd ignore the .rhosts records of previously logged-in hosts.
vim /etc/ssh/sshd_config:
IgnoreRhosts yes
Disable host-based authentication
SSH's cryptographic host authentication is more secure than .rhosts authentication, but hosts trusting each other is not recommended even within a single organization.
vim /etc/ssh/sshd_config:
HostbasedAuthentication no
Disable SSH root login
vim /etc/ssh/sshd_config
PermitRootLogin no
Disable SSH login with empty passwords
vim /etc/ssh/sshd_config:
PermitEmptyPasswords no
Enable an SSH warning banner
Enable a warning banner to raise security awareness.
banner /etc/issue
Disable the SSH environment option
When a client logs in to the server over SSH, the server will not read a client-specific environment variable file from the local ~/.ssh/environment.
PermitUserEnvironment no
Use only approved ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
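A quick way to verify that the sshd_config changes in this section actually took effect is to read the file the way sshd does. The functions below are an added example, not part of the original checklist: they return the effective value of each keyword (case-insensitive, first occurrence wins, settings inside a Match block are conditional and therefore not counted as global) and audit a constructed sample file against the settings listed above. They assume the "Keyword value" whitespace-separated form; the file path is a parameter.

```shell
# Added example: audit an sshd_config against the settings in this section.
# Assumes the "Keyword value" form (whitespace separated); file path is a parameter.

# sshd_effective FILE KEYWORD: print the value sshd would use for KEYWORD in the
# global section. Keywords are case-insensitive, the FIRST occurrence wins, and
# lines after a "Match" block are conditional, so scanning stops there.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }        # conditional block: stop
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1"
}

# sshd_check FILE KEYWORD EXPECTED: print PASS/FAIL, return 0/1.
sshd_check() {
    actual=$(sshd_effective "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $2 = $actual"; return 0
    fi
    echo "FAIL $2 = '${actual:-<unset>}' (expected $3)"; return 1
}

# sshd_audit FILE: run every check from this section; return the failure count.
sshd_audit() {
    fails=0
    for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no IgnoreRhosts=yes \
                HostbasedAuthentication=no PermitUserEnvironment=no \
                ClientAliveInterval=600 ClientAliveCountMax=0; do
        sshd_check "$1" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    return $fails
}

# Constructed sample (not a real host's sshd_config): partly hardened on purpose.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Protocol 2
permitrootlogin no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
ClientAliveInterval 600
ClientAliveCountMax 3
Match User deploy
    PermitUserEnvironment no
EOF
if sshd_audit "$SAMPLE"; then echo "all checks passed"; else echo "failures: $?"; fi
```

On the sample this reports two failures: ClientAliveCountMax is 3 rather than 0, and PermitUserEnvironment is unset globally because it only appears inside the Match block.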
0x29 Harden the X desktop (X Window System)
Disable the X desktop to reduce the attack surface
yum groupremove "X Window System"
0x2a Scheduled updates
yum -y install yum-cron
chkconfig yum-cron on
Also set yum-cron to "check only"; automatic installation of updates is not recommended.