Using command-line tools to improve Linux server security
Abstract: As the Internet has grown, the security of Linux servers has drawn more and more attention. This article introduces several commonly used command-line tools that help administrators harden a Linux server. Each tool comes with a code example so that readers can understand it and apply it in real-world situations.
Introduction:
With the spread of the Internet and advances in technology, Linux servers have become the system of choice for many enterprises and individuals. At the same time, server security problems have become increasingly prominent: attacks, exploitation of vulnerabilities and data leaks all pose a serious threat to servers. To protect the server and its data, administrators need to take measures that raise the security of their Linux servers.
1. Configure a sound password policy
A strong password policy is essential to server security. We can use command-line tools to configure the password policy, including the password length, complexity requirements and expiration.
1.1 Set the minimum password length:
Using the command-line tool passwd, we can modify the PASS_MIN_LEN field in the /etc/login.defs file to set the minimum password length. Here is an example script:
#!/bin/bash
# Set the minimum password length enforced via login.defs to 8 characters
sed -i 's/^PASS_MIN_LEN.*$/PASS_MIN_LEN 8/' /etc/login.defs
1.2 Set password complexity:
Using pam_pwquality, we can modify the parameters in the /etc/security/pwquality.conf file to set the password complexity requirements. Here is an example script:
#!/bin/bash
# The stock pwquality.conf ships these keys commented out ("# minlen = 8"),
# so the pattern also matches an optional leading '#'; a plain '^minlen'
# would match nothing and leave the defaults in place.
sed -i 's/^#\? *minlen.*$/minlen=8/' /etc/security/pwquality.conf
# A negative credit value requires at least that many characters of the class
sed -i 's/^#\? *dcredit.*$/dcredit=-1/' /etc/security/pwquality.conf
sed -i 's/^#\? *ucredit.*$/ucredit=-1/' /etc/security/pwquality.conf
sed -i 's/^#\? *ocredit.*$/ocredit=-1/' /etc/security/pwquality.conf
sed -i 's/^#\? *lcredit.*$/lcredit=-1/' /etc/security/pwquality.conf
1.3 Set password expiration:
Using the command-line tool chage, we can view and modify a user's password expiry. Here is an example script:
#!/bin/bash
# Show the user's password ageing information
chage -l username
# Set the user's maximum password age to 30 days
chage -M 30 username
2. Restrict remote user logins
To reduce the risk of the server being compromised, we can restrict users' remote login rights. Specifically, we can edit the sshd configuration file /etc/ssh/sshd_config to restrict SSH logins.
2.1 Disable remote root login:
Edit the /etc/ssh/sshd_config file and change the value of the PermitRootLogin field to no. Here is an example script:
#!/bin/bash
# The stock sshd_config has this directive commented out ("#PermitRootLogin prohibit-password"), so match the optional '#' too
sed -i 's/^#\?PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t && systemctl reload sshd   # validate the config before reloading so a typo cannot lock you out
2.2 Restrict the IP range allowed to log in over SSH:
Edit the /etc/ssh/sshd_config file and use the AllowUsers field to restrict the IP range from which SSH logins are permitted. Here is an example script:
#!/bin/bash
# AllowUsers matches user names, so the network must be given in USER@HOST form;
# a bare "192.168.1.0/24" would be read as a user name and lock every account out
echo "AllowUsers *@192.168.1.0/24" >> /etc/ssh/sshd_config
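The scripts in sections 1.2, 2.1 and 2.2 all edit a configuration file with sed, and all of them run into the same pitfall: the stock pwquality.conf and sshd_config ship their defaults commented out, so a pattern anchored at the key name never matches and the file is silently left unchanged. The following script is an added example, not code from the original article. It implements one idempotent set_directive helper that replaces a commented or active line and appends the key when it is missing, applies the password-complexity and sshd settings from sections 1.2, 2.1 and 2.2 through it, and demonstrates the USER@HOST form that AllowUsers needs for a CIDR. The file contents it operates on are constructed copies created in a temporary directory, so it runs without root; the real paths are shown only in comments.

```shell
#!/bin/sh
# Added example (not from the original article): set a configuration
# directive idempotently. The stock /etc/security/pwquality.conf and
# /etc/ssh/sshd_config ship their defaults commented out ("# minlen = 8",
# "#PermitRootLogin prohibit-password"), which a plain 's/^minlen.*/.../'
# never matches. File paths are arguments, so the functions can be run
# against copies without touching the live system.
set -eu

# set_directive FILE KEY VALUE [SEP]
# Rewrites every active or commented line that begins with KEY to
# "KEY<SEP>VALUE"; appends the line when KEY is absent. SEP is " = " for
# pwquality.conf and the default single space for sshd_config.
set_directive() {
    file=$1 key=$2 value=$3 sep=${4:- }
    if grep -Eq "^[#[:space:]]*${key}([[:space:]=]|\$)" "$file"; then
        sed -E -i "s|^[#[:space:]]*${key}([[:space:]=].*)?\$|${key}${sep}${value}|" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: prints the first active (uncommented) value of KEY.
get_directive() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=?[[:space:]]*(.*)\$/\1/p" "$1" | head -n 1
}

# harden_pwquality FILE: the complexity settings from section 1.2.
harden_pwquality() {
    set_directive "$1" minlen 8 " = "
    for k in dcredit ucredit ocredit lcredit; do
        set_directive "$1" "$k" -1 " = "
    done
}

# harden_sshd FILE ADMIN_CIDR: sections 2.1 and 2.2. AllowUsers matches user
# names, so the CIDR must be given in USER@HOST form; a bare CIDR would be
# treated as a user name and lock every account out.
harden_sshd() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "*@$2"
}

# Constructed copies standing in for the real files, so the demo needs no root.
demo() {
    d=$(mktemp -d)
    printf '# minlen = 8\n# dcredit = 0\nucredit = 1\n' > "$d/pwquality.conf"
    printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$d/sshd_config"
    harden_pwquality "$d/pwquality.conf"
    harden_sshd "$d/sshd_config" 192.168.1.0/24
    cat "$d/pwquality.conf" "$d/sshd_config"
    # On the live files, validate before reloading: sshd -t && systemctl reload sshd
    rm -r "$d"
}

demo
```

After the run, the constructed pwquality.conf reads `minlen = 8`, `dcredit = -1`, `ucredit = -1`, with `ocredit = -1` and `lcredit = -1` appended, and sshd_config reads `PermitRootLogin no` followed by `AllowUsers *@192.168.1.0/24`; running the script a second time changes nothing, which is what makes it safe to keep in a configuration-management job.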
3. Use a firewall to protect the server
A firewall is a key component of server security. We can use the command-line tool iptables to configure firewall rules.
3.1 Close unnecessary ports:
Use the iptables command to close ports on the server that are not needed, which reduces its exposure. Here is an example script:
#!/bin/bash
# Drop inbound TCP connections to port 80
iptables -A INPUT -p tcp --dport 80 -j DROP
3.2 Set ALLOW/DENY rules:
Use the iptables command to set ALLOW/DENY rules that permit or refuse access from a specific IP address or IP range. Here is an example script:
#!/bin/bash
# Allow 192.168.1.100 to reach port 80
iptables -A INPUT -s 192.168.1.100 -p tcp --dport 80 -j ACCEPT
# Deny 192.168.1.200 access to port 22
iptables -A INPUT -s 192.168.1.200 -p tcp --dport 22 -j DROP
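The rules in 3.1 and 3.2 are appended with -A, and iptables evaluates the INPUT chain from top to bottom, so what each rule achieves depends on what is already in the chain: an ACCEPT appended after a catch-all DROP is never reached. The script below is an added example, not code from the original article. It goes beyond the single-rule snippets above in two ways: it builds the INPUT chain as an ordered allow-list with a default DROP policy (setting the policy to ACCEPT before flushing and to DROP only once the allow rules exist, so the SSH session performing the change survives), and it audits `iptables -S INPUT` output for ACCEPT rules that sit behind an unconditional DROP. The admin network, SSH port and the sample chain listing are placeholder values constructed for the example; DRY_RUN defaults to 1, so running it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original article): iptables evaluates the
# INPUT chain top to bottom and -A appends, so isolated ACCEPT/DROP rules
# like those in 3.1 and 3.2 depend on what is already in the chain. This
# builds the chain as an ordered allow-list with a default DROP policy and
# audits an existing chain for ACCEPT rules that can never match.
# ADMIN_NET and SSH_PORT are placeholder values for this example.
set -eu
DRY_RUN=${DRY_RUN:-1}

# input_rules ADMIN_NET SSH_PORT: print the commands in the order they must
# run. The policy is set to ACCEPT before flushing and to DROP only after
# the allow rules exist, so an SSH session making the change is not cut off.
input_rules() {
    net=$1 port=$2
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -s $net -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j LOG --log-prefix "ssh-denied: "
iptables -P INPUT DROP
EOF
}

# apply_rules ADMIN_NET SSH_PORT: run the rule set; with DRY_RUN=1 only print it.
apply_rules() {
    input_rules "$1" "$2" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else sh -c "$cmd"; fi
    done
}

# check_order: read 'iptables -S INPUT' output on stdin and report ACCEPT
# rules appended after an unconditional "-A INPUT -j DROP", which can never
# be reached. Exit status 1 when such a rule exists.
check_order() {
    awk '
        /^-A INPUT -j DROP$/ { catchall = NR; next }
        catchall && /-j ACCEPT$/ { print "unreachable (after line " catchall "): " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed 'iptables -S INPUT' listing showing the mistake: the ACCEPT for
# the admin host was appended after a catch-all DROP.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -j DROP
-A INPUT -s 192.168.1.100/32 -p tcp -m tcp --dport 80 -j ACCEPT'

apply_rules 192.168.1.0/24 22
printf '%s\n' "$SAMPLE_BAD" | check_order || echo "rule order needs fixing"
```

To audit a live host, pipe the real listing through the checker: `iptables -S INPUT | check_order`. To install the rule set, run with `DRY_RUN=0` as root, and persist the result with the distribution's iptables-save mechanism, since rules added on the command line do not survive a reboot on their own.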
Conclusion:
This article has introduced several commonly used command-line tools that help administrators improve the security of Linux servers. By configuring a password policy, restricting remote user logins and using a firewall, we can effectively protect the server against attacks and data leaks. We hope readers will master these tools and put them to use in practice to raise the security of their servers.