Hardening the security settings of Linux (CentOS)
Today I want to share some notes on CentOS security settings. Although Linux is not attacked as easily as Windows,
the essential security settings are still needed, so that hidden risks are kept to a minimum.
Here we discuss how to harden a CentOS system from the following angles.
- Update all packages
- Disable remote root login
- Configure the iptables firewall
- Change the SSH port
- Stop unused services
- Log monitoring
- Antivirus software installation and configuration
- Apache security settings
1. Update all packages
# yum -y update
Note: after a full package update some programs may show unexpected minor problems, so test your applications thoroughly afterwards; servers such as web and mail servers are best tested one by one.
2. Disable remote root login
The root account has far too much power; if the root password is stolen, the consequences are severe. So we disable remote root login and add a user that can obtain root privileges, which adds another line of defence. Here we assume the user is called joe, and set a password for it.
# useradd joe
# passwd joe
Changing password for user joe.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Configure the wheel group so that only members of wheel can obtain root privileges.
Add joe to the wheel group (for a user that already belongs to other groups, use -aG so those memberships are kept):
# usermod -G wheel joe
# vi /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid    <-- remove the leading # from this line, so that only members of the wheel group can su to root
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
Edit /etc/sudoers so that the wheel group can run commands as root:
# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL     <-- uncomment this line, so that members of wheel can run commands as root

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
Disable root login over SSH:
# vi /etc/ssh/sshd_config
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no      <-- add this line; root is no longer allowed to log in remotely
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
Restart sshd so the change takes effect:
# /etc/init.d/sshd restart
Test both ssh root@**.***.***.** and ssh joe@**.***.***.**: root can no longer log in, while joe can, and joe can switch to root with su.
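As an added check (not from the original post), the following shell script audits the three changes above: the pam_wheel line in /etc/pam.d/su, the %wheel line in /etc/sudoers, and PermitRootLogin in /etc/ssh/sshd_config. Each check takes a file path as its argument, so it can also be pointed at backup copies; the function names are my own, and the paths at the bottom are the CentOS defaults used in this post.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): checks the three
# section-2 settings in the files given as arguments and prints PASS/FAIL.

# active_line FILE REGEX: 0 if an uncommented line matches REGEX, else 1.
# Comment lines start with '#', so they can never match "^[[:space:]]*REGEX".
active_line() {
    grep -Eq "^[[:space:]]*$2" "$1" 2>/dev/null
}

# /etc/pam.d/su: "auth required pam_wheel.so use_uid" must be uncommented.
check_pam_wheel() {
    active_line "$1" 'auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid'
}

# /etc/sudoers: "%wheel ALL=(ALL) ALL" must be uncommented. The NOPASSWD
# variant is deliberately not accepted, since the post leaves it commented.
check_sudoers_wheel() {
    active_line "$1" '%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$'
}

# /etc/ssh/sshd_config: sshd uses the FIRST uncommented PermitRootLogin it
# finds, so an earlier "yes" silently overrides a later "no" (Match blocks
# are not considered here).
check_permit_root_login() {
    val=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" 2>/dev/null |
          head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# report LABEL CHECK FILE: prints one result line and counts failures.
FAILS=0
report() {
    if "$2" "$3"; then echo "PASS: $1 ($3)"; else echo "FAIL: $1 ($3)"; FAILS=$((FAILS + 1)); fi
}

# Audit the live files when they are readable; elsewhere the functions can be
# sourced and pointed at backup copies of the files.
[ -r /etc/pam.d/su ]        && report "pam_wheel required" check_pam_wheel         /etc/pam.d/su
[ -r /etc/sudoers ]         && report "%wheel in sudoers"  check_sudoers_wheel     /etc/sudoers
[ -r /etc/ssh/sshd_config ] && report "PermitRootLogin no" check_permit_root_login /etc/ssh/sshd_config
echo "$FAILS check(s) failed"
```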
3. Configure the iptables firewall
Close unnecessary ports with iptables to reduce the system's exposure to attack.
# /sbin/iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Only port 22, the SSH port, is open on my system.
Next we add the HTTP port, port 80:
# /sbin/iptables -I INPUT 5 -p tcp --dport http -j ACCEPT   #HTTP
Confirm the port was added:
# /sbin/iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
6    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
As you can see, the HTTP port is now open. In the same way we can open other ports, such as 25, 465, 143 and so on.
Save the settings:
# /sbin/service iptables save
Confirm the configuration was saved:
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Mar 25 07:44:07 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [32:4272]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar 25 07:44:07 2014
Port 80 has been added successfully.
4. Change the SSH port to reduce the risk of attacks against port 22, e.g. 22 -> 11022
Before changing the port, be sure to open the new port (e.g. 11022) in the firewall first; otherwise you will be locked out of the system.
# vim /etc/ssh/sshd_config
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Port 11022      <-- add this line to change the default port
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
Apply the change:
# /etc/init.d/sshd restart
Test the login:
# ssh -p 11022 joe@***.***.**.***
Note: .ssh/known_hosts may already hold the host key entry for ***.***.**.***; the old entry must be removed before the login succeeds.
5. Stop unnecessary services
To be continued…
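As an added example (not part of the original post), this shell script ties the caveat above to the firewall section: it reads the effective Port from sshd_config and checks the saved rules in /etc/sysconfig/iptables (the iptables-save format shown in section 3) for an ACCEPT rule on that port placed before the catch-all REJECT, which is exactly the lock-out case. It assumes the rules were saved with service iptables save first; the function names are my own.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original post): before restarting
# sshd on a new port, confirm the saved iptables rules (the iptables-save
# format shown in section 3) accept that port ahead of the catch-all REJECT.

# sshd_port SSHD_CONFIG: prints the effective port. sshd takes the first
# uncommented Port directive; with none, the default is 22.
sshd_port() {
    p=$(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" 2>/dev/null |
        head -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# port_allowed RULES_FILE PORT: 0 if an "-A INPUT ... -p tcp ... --dport PORT
# ... -j ACCEPT" rule exists AND comes before the first INPUT REJECT/DROP rule
# that has no --dport (treated, conservatively, as a catch-all). Rule order
# matters: the post inserts the HTTP rule with "-I INPUT 5" for this reason.
port_allowed() {
    awk -v p="$2" '
        /^-A INPUT / && / -p tcp / && $0 ~ ("--dport " p "( |$)") &&
            / -j ACCEPT( |$)/              { if (!acc) acc = NR }
        /^-A INPUT / && / -j (REJECT|DROP)( |$)/ && !/--dport/ { if (!rej) rej = NR }
        END { exit !(acc && (!rej || acc < rej)) }' "$1"
}

# preflight RULES_FILE SSHD_CONFIG: 0 when it is safe to restart sshd.
preflight() {
    port=$(sshd_port "$2")
    if port_allowed "$1" "$port"; then
        echo "OK: tcp/$port is accepted in INPUT before the catch-all; safe to restart sshd"
        return 0
    fi
    echo "STOP: no ACCEPT rule for tcp/$port ahead of the catch-all REJECT/DROP."
    echo "      Insert it before that rule (the -I INPUT form from section 3), save, re-run."
    return 1
}

# Run against the live files when present (the paths are CentOS 6 defaults).
if [ -r /etc/sysconfig/iptables ] && [ -r /etc/ssh/sshd_config ]; then
    preflight /etc/sysconfig/iptables /etc/ssh/sshd_config || true
fi
```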