Linux安全加固
1、检查shadow是否存在空口令用户和其他超级管理员用户:awk -F: '($2 == "") { print $1 }' /etc/shadow
awk -F: '($3==0)' /etc/passwd 2、锁定系统中多余的自建(测试)帐号并备份
cat /etc/passwd&& cp /etc/passwd /etc/passwd.bak
cat /etc/shadow&& cp /etc/shadow /etc/shadow.bak
cp /etc/profile /etc/profile.bak 3、检查系统口令策略
cat /etc/login.defs|grep PASS
#PASS_MAX_DAYSMaximum number of days a password may be used.
#PASS_MIN_DAYSMinimum number of days allowed between password changes.
#PASS_MIN_LENMinimum acceptable password length.
#PASS_WARN_AGENumber of days warning given before a password expires.
PASS_MAX_DAYS99999
PASS_MIN_DAYS0
PASS_MIN_LEN5
PASS_WARN_AGE7 4、停用或禁用无关的服务
who -r //查看当前的运行级别
chkconfig --list 5、设置访问控制策略
拒绝某些用户登录,允许某些用户登录,拒绝某些组登录,允许某些组登录
DenyUsers,AllowUsers,DenyGroups,AllowGroups
eg:DenyUsers aaa bbb //禁用多个账户用空格隔开 如果只写AllowUsers表示如果这里不匹配就拒绝所用用户
PermitRootLogin no //拒绝root用户登录cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
grep Banner /etc/ssh/sshd_config
Banner /etc/ssh/ssh_login_banner# Banner none //取消banner消息
cat/etc/ssh/ssh_login_banner
welcome to CentOS 6.5 看/etc/inittab里面有没有
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now //禁用ctrl+alt+del
vi /etc/pam.d/system-auth
auth required pam_tally.so onerr=fail deny=6 unlock_time=300 //密码连续输错6次,账户锁定300秒 vi /etc/profile
TMOUT=600 //无操作600秒自动退出
source /etc/profilecat /etc/grub.conf|grep password //查看grub是否设置密码 审计策略:
ps -aef | grep syslog |grep -v grep //确认syslog是否启用
grep weekly /etc/logrotate.conf
# rotate log files weekly
weekly
grep 4 /etc/logrotate.conf
# keep 4 weeks worth of backlogs
rotate 4
cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
页:
[1]