Linux -- 等级保护 (简单操作)

// 密码复杂度: 字母/数字/特殊符号, 不小于8位; 用户密码 5 次不能重复; (注意: remember=5 是 pam_unix 在 password 栈上的选项, 写在下面的 auth 行不会生效; auth 行上的 nullok 允许空口令登录, 与复杂度要求相冲突)
vim /etc/pam.d/system-auth
auth        required      pam_tally2.so onerr=fail deny=3  unlock_time=1200 even_deny_root root_unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass remember=5
password    requisite     pam_cracklib.so retry=3 difok=3 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1

// 设置定期修改密码时间
vim /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN   8
PASS_WARN_AGE   7

// 设置错误密码登录不超过3次, 超过锁定20分钟 (unlock_time 以秒为单位, 20 分钟对应 1200; 下面 sshd 中写的 12000 是 200 分钟, 与 system-auth 中的 1200 不一致, 部署时需统一)
find /lib* -iname "pam_tally2.so"
    /lib64/security/pam_tally2.so
vim /etc/pam.d/sshd
auth       required     pam_tally2.so deny=3 unlock_time=12000

// 启用auditd审计功能, 审计覆盖到服务器及用户
/etc/init.d/auditd start
    // 记录用户的登录与操作(操作日志记录 /tmp/dbasky/root/192.168.10.108)
    vim /etc/profile
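    # Per-login shell history for audit, sourced from /etc/profile: every step is
    # best-effort so a failure never blocks the login shell.
    # Result: HISTFILE=/tmp/dbasky/<user>/<client>-dbasky.<timestamp>, with
    # timestamped entries via HISTTIMEFORMAT.
    # NOTE(review): this only records what a cooperative shell writes; an
    # interactive user can unset HISTFILE or start a shell that skips profile.
    # Treat auditd as the authoritative record and this as a convenience log.

    # Client as recorded in utmp for this session (an address or a reverse-DNS
    # name); empty when there is no controlling tty, so fall back to hostname.
    USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
    if [ -z "$USER_IP" ]; then
        USER_IP=$(hostname)
    fi
    # The client field is peer-influenced (hostname lookup) and becomes part of
    # a path, so keep only characters that cannot act as separators or options.
    USER_IP=$(printf '%s' "$USER_IP" | tr -cd 'A-Za-z0-9._:-')
    [ -n "$USER_IP" ] || USER_IP=unknown

    # LOGNAME is normally set by login/sshd; default it so an empty value cannot
    # collapse the per-user directory into /tmp/dbasky/ itself.
    : "${LOGNAME:=$(id -un)}"

    # Base directory: 755 lets every user traverse into their own subdirectory.
    # NOTE(review): mkdir inside it only succeeds for its owner -- root if it was
    # pre-created, otherwise the first user to log in -- so pre-create it as root
    # if the per-user mkdir below is expected to work for every account.
    if [ ! -d /tmp/dbasky ]; then
        mkdir /tmp/dbasky && chmod 755 /tmp/dbasky
    fi
    # Per-user directory is write/execute only (300): the user can create new
    # history files but cannot list or read back what was recorded.
    if [ ! -d "/tmp/dbasky/${LOGNAME}" ]; then
        mkdir "/tmp/dbasky/${LOGNAME}" && chmod 300 "/tmp/dbasky/${LOGNAME}"
    fi

    export HISTSIZE=4096
    DT=$(date "+%Y-%m-%d_%H-%M-%S")
    export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP}-dbasky.$DT"
    export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"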

chmod 600 /tmp/dbasky/${LOGNAME}/*dbasky* 2>/dev/null

// 审计重要文件
auditctl -w /etc/passwd -p war
ausearch -f /etc/passwd -x rm/vim....    // 查询
vim /etc/audit/audit.rules
... ...
// 添加(-w 路径; -p 权限; -k 关键字 ;r 读; w 写; x 执行; a 修改文件属性;)
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog

// 审计工具
aureport        // 生成审计活动概述;
    * -au       // 查看授权失败的详细信息;
    * -m        // 所有账户修改的相关事件;

// 创建审计用户audit
useradd audit
passwd audit 12tianrong.
mkdir /tmp/dbasky
chown -R audit.audit /var/log/audit/
chmod 750 /var/log/audit/
chmod 600 /var/log/audit/audit.log
chown -R audit.audit /tmp/dbasky/
vim /etc/sudoers
audit node2.hkrt.cn.com=/bin/ls,/bin/cat,/usr/bin/tail,/usr/bin/sz
Defaults logfile=/var/log/sudo
%wheel node2.hkrt.cn.com=/sbin/*,/usr/bin/*,/usr/sbin/*,!/sbin/reboot,!/sbin/init,!/sbin/poweroff,!/sbin/shutdown
// 注意: sudoers 中的 ! 排除项只是黑名单, /usr/bin/* 这类通配仍然包含可以取得同等权限的程序, 不能可靠地限制 wheel 组; 应改为只列出明确允许的命令

// 保护审计进程,避免受到未预期的中断
[root@localhost script]# vim audit_up.sh
#!/bin/sh
while true
do
ps -ef | grep " auditd" | grep -v "grep"
if [ "$?" -eq 1 ]
then
/etc/init.d/auditd start
echo "process has been restarted!"
else
echo "process already started!"
fi
sleep 10
done
chmod +x audit_up.sh
sh audit_up.sh >/dev/null &

// 审计记录保留半年以上
// 定时任务每周将日志内容切割分离
crontab -e
00 00 * * 1 /bin/mv /var/log/audit/audit.log /data/auditback/audit.log.$(date -d '1 days ago' +%d)
mkdir -p /data/auditback
// 注意: mv 之后 auditd 仍然在写被移走的旧文件, 需要再执行 service auditd rotate (或向 auditd 发送 SIGUSR1) 让它重新打开 /var/log/audit/audit.log, 否则新记录不会出现在新文件中

// 文件完整性
tar xf tripwire-2.4.2.2-src.tar.bz2 -C /usr/src/
cd /usr/src/tripwire-2.4.1.2-src/
./configure --prefix=/usr/local/tripwire
make && make install
vim /usr/local/tripwire/etc/twcfg
9 LOOSEDIRECTORYCHECKING =true    // 不监测所属目录的完整性
12 REPORTLEVEL =4                 // 改变监测结果报告等级
// 建立加密格式
cd /usr/local/tripwire/etc/
/usr/local/tripwire/sbin/twadmin --create-cfgfile -S site.key twcfg.txt
/usr/local/tripwire/sbin/tripwire --init    // 初始化数据库
/usr/local/tripwire/sbin/tripwire --init
/usr/local/tripwire/sbin/tripwire --check --interactive
find / -type f -name *.twr    // 生成的检测文件
/usr/local/tripwire//sbin/twprint --print-report --twrfile /usr/local/tripwire/lib/tripwire/report/node2.hkrt.cn.com-20180318-002054.twr    # 查看检查记录;

// 防恶意代码软件
tar xf maldetect-current.tar.gz -C /usr/src/
cd /usr/src/maldetect-1.6.2/
./install.sh
maldet --scan-all /    // 检测
// 存储路径
/usr/local/maldetect/sess/session.180316-0921.16896
/usr/local/maldetect/sess/session.hits.180316-0921.16896

// 单个用户系统资源(CPU、内存、硬盘)的使用限度进行限制
// 以后每隔一分钟就会检查一次, 调整占用50%以上CPU或25%内存的进程的nice值, 从而使这样的进程优先级变低, 被调度的机会减少, 同时会向root发邮件提示该进程被调整过。
// 注意: awk 程序中的 id -u $2 > 500 不会作为 shell 命令执行 (awk 把它当作算术表达式), 所以实际上没有按 UID 过滤, 系统进程也可能被 renice; 另外下面 crontab 里的 /scripts/cpu.sh 与 /script/cpu.sh 路径不一致
cd /script
vim cpu.sh
#!/bin/sh
PIDS=`top -bn 1 | grep "^ *[1-9]" | awk '{ if($9 > 50 || $10 > 25 && id -u $2 > 500) print $1}'`
for PID in $PIDS
do
renice +10 $PID
echo "renice +10 $PID"
done
chmod +x /script/cpu.sh
crontab -e
* * * * * /scripts/cpu.sh >/dev/null

// 系统的最大并发会话连接数进行限制(注意新建Xshell, 尝试是否能连接)
ulimit -n 8192
/etc/sysctl.conf 中加入 ip_conntrack_max=8192
/usr/include/bits/types.h 文件, 改变 __FD_SETSIZE 的值:
#define __FD_SETSIZE 8192
echo 8192 > /proc/sys/fs/file-max
ulimit -Hn 8192
执行 sysctl -p 生效.
出现 /bin/bash: Too many open files in system 报错时, 修改 /proc/sys/fs/file-max, 执行上述命令生效
原文地址:https://www.cnblogs.com/haorong/p/10682184.html