# OS hardening

Prerequisites:

- easyctl is installed
- Supported versions: v0.7.12-alpha and above
- See the explanation section below for what each hardening step does

Supported platforms:

- [x] CentOS 7
- [?] CentOS 6 (not yet tested; it should be compatible in theory, and test feedback is welcome)

## Usage
1. Generate the configuration file

```shell
$ easyctl harden os
INFO[0000] 生成配置文件样例, 请携带 -c 参数重新执行 -> config.yaml
```
2. Adjust the configuration

Edit `config.yaml` and adjust the following parameters.

`server` lists the hosts to be hardened:

```yaml
server:
  - host: 10.10.10.[1:40]   # address range
    username: root
    privateKeyPath: ""      # e.g. ~/.ssh/id_rsa; empty means password login, non-empty means key login
    password: 123456
    port: 22
excludes:
  - 192.168.235.132         # hosts to exclude from the address range
```
3. Run the hardening

```shell
$ easyctl harden os -c config.yaml --debug
```

The output looks like this:
$ easyctl harden os -c config.yaml
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 1] 禁ping
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|----------------------|-----------|
| 192.168.109.137 | ****** | 0 | success | net.ipv4.icmp_echo_i | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 2] 关闭ICMP_TIMESTAMP应答
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 3] 设置系统空闲等待时间
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 4] 隐藏系统版本信息
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 5] 禁止Control-Alt-Delete 键盘重启系统命令
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 6] ssh用户密码加固
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 7] 删除系统默认用户
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 8] 修改允许密码错误次数
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 9] ssh关闭UseDNS
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 10] ssh关闭AgentForwarding
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 11] 加固系统日志文件
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 12] 删除非root用户定时任务
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 13] 定时清理僵尸进程
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 14] 添加sudo用户: easyctl 密码: YR4H0x*3wVyfyd
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|----------------------|-----------|
| 192.168.109.137 | ****** | 0 | success | Changing password fo | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 15] 锁定敏感文件
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** | 0 | success | | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [step 16] 调整ssh登录端口为: 22122,禁止root直接登录.
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | <- 192.168.109.137执行命令成功...
| IP ADDRESS | CMD | EXIT CODE | RESULT | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|---------|-----------|
| 192.168.109.137 | ****** | 0 | success | success | |
| | | | | success | |
| | | | | succ | |
[easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | [done] 安全加固完毕,目标主机连方式改为:
ssh端口: 22122
ssh用户: easyctl
ssh密码: YR4H0x*3wVyfyd
4. How do I log in to a hardened host?

Log in with the user and port reported in the `[done]` line above:

- ssh port: 22122
- ssh user: easyctl
- ssh password: YR4H0x*3wVyfyd

The `easyctl` user has sudo privileges. Change its password after hardening: the same password is fixed in the hardening script and printed in the log, so every host hardened this way shares it.

## Explanation

The following items are hardened:

1. Disable ping

```shell
sed -i "/net.ipv4.icmp_echo_ignore_all/d" /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
sysctl -p
```
2. Disable ICMP timestamp replies

```shell
iptables -I INPUT -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP || true
iptables -I INPUT -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP || true
```
3. Set the idle session timeout

```shell
sed -i '/export TMOUT=300/d' /etc/profile
sed -i '/readonly TMOUT/d' /etc/profile
echo "export TMOUT=300" >> /etc/profile
echo "readonly TMOUT" >> /etc/profile
```
4. Hide the OS version banner

```shell
mv /etc/issue /etc/issue.bak || true
mv /etc/issue.net /etc/issue.net.bak || true
```
5. Disable the Control-Alt-Delete reboot key sequence

```shell
rm -rf /usr/lib/systemd/system/ctrl-alt-del.target || true
```
6. Harden the SSH user password policy

```shell
# Each threshold is read from /etc/login.defs; a missing key falls back to the
# value that forces the change (unlimited max age, 0 min age/length/warning).
PASS_MAX_DAYS=$(grep -e ^PASS_MAX_DAYS /etc/login.defs |awk '{print $2}')
if [ "${PASS_MAX_DAYS:-99999}" -gt 90 ];then
  echo "密码最长保留期限为:$PASS_MAX_DAYS, 更改为90天"
  sed -i "/^PASS_MAX_DAYS/d" /etc/login.defs
  echo "PASS_MAX_DAYS 90" >> /etc/login.defs
fi
# enforce at least 1 day between password changes, as the message states
PASS_MIN_DAYS=$(grep -e ^PASS_MIN_DAYS /etc/login.defs |awk '{print $2}')
if [ "${PASS_MIN_DAYS:-0}" -lt 1 ];then
  echo "密码最短保留期限为:$PASS_MIN_DAYS, 更改为1天"
  sed -i "/^PASS_MIN_DAYS/d" /etc/login.defs
  echo "PASS_MIN_DAYS 1" >> /etc/login.defs
fi
PASS_MIN_LEN=$(grep -e ^PASS_MIN_LEN /etc/login.defs |awk '{print $2}')
if [ "${PASS_MIN_LEN:-0}" -lt 8 ];then
  echo "密码最少字符为:$PASS_MIN_LEN, 更改为8"
  sed -i "/^PASS_MIN_LEN/d" /etc/login.defs
  echo "PASS_MIN_LEN 8" >> /etc/login.defs
fi
PASS_WARN_AGE=$(grep -e ^PASS_WARN_AGE /etc/login.defs |awk '{print $2}')
if [ "${PASS_WARN_AGE:-0}" -ne 7 ];then
  echo "密码到期前$PASS_WARN_AGE天提醒, 更改为7"
  sed -i "/^PASS_WARN_AGE/d" /etc/login.defs
  echo "PASS_WARN_AGE 7" >> /etc/login.defs
fi
```
7. Remove default system users

```shell
users=(adm lp sync shutdown halt mail news uucp operator games gopher ftp)
for i in ${users[@]};
do
  userdel $i &>/dev/null || true
done
```
8. Limit the number of password attempts

```shell
sed -i "/MaxAuthTries/d" /etc/ssh/sshd_config
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
service sshd restart
```
9. Disable UseDNS in ssh

```shell
sed -i "/UseDNS/d" /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
service sshd restart
```
10. Disable ssh AgentForwarding and TcpForwarding

```shell
sed -i "/AgentForwarding/d" /etc/ssh/sshd_config
sed -i "/TcpForwarding/d" /etc/ssh/sshd_config
echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
service sshd restart
```
11. Harden the system log file

```shell
touch /var/log/secure
chown root:root /var/log/secure
chmod 600 /var/log/secure
```
12. Remove cron access for non-root users

```shell
# with neither /etc/cron.allow nor /etc/cron.deny present, cronie on CentOS lets only root use crontab
rm -f /etc/cron.deny
```
13. Periodically clean up zombie processes

```shell
# keep the existing non-comment entries (crontab -l fails harmlessly when there is none)
crontab -l 2>/dev/null | grep -v '^#' > /tmp/file1
# \$2 is escaped so that awk, not the shell, expands it when the job is written out;
# xargs -r skips the kill when no zombie parent was found
echo "0 3 * * * ps -A -ostat,ppid | grep -e '^[Zz]' | awk '{print \$2}' | xargs -r kill -HUP > /dev/null 2>&1" >> /tmp/file1
# de-duplicate into a separate file; awk must not overwrite the file it is still reading
awk '!x[$0]++' /tmp/file1 > /tmp/file1.dedup && mv /tmp/file1.dedup /tmp/file1
crontab /tmp/file1
```
14. Create the sudo user

```shell
chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
useradd -m easyctl &>/dev/null || true
# the password is quoted: an unquoted * would be expanded by the shell as a glob
echo 'YR4H0x*3wVyfyd' | passwd --stdin easyctl || true
sed -i '/easyctl/d' /etc/sudoers
echo "easyctl ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
```
15. Lock sensitive files and drop their permissions

```shell
chown root:root /etc/{passwd,shadow,group}
chmod 644 /etc/{passwd,group}
chmod 400 /etc/shadow
chattr +i /etc/services || true
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
```
16. Change the ssh port and forbid root login

```shell
sed -i "/PermitRootLogin/d" /etc/ssh/sshd_config
sed -i "/Port 22/d" /etc/ssh/sshd_config
echo "Port 22122" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
# label the new port for SELinux rather than switching SELinux off: "setenforce 0" does not
# survive a reboot, after which sshd could no longer bind 22122 in enforcing mode.
# semanage ships in policycoreutils-python on CentOS 7.
semanage port -a -t ssh_port_t -p tcp 22122 2>/dev/null || semanage port -m -t ssh_port_t -p tcp 22122 || true
firewall-cmd --zone=public --add-port=22122/tcp --permanent || true
firewall-cmd --reload || true
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22122 -j ACCEPT || true
/etc/rc.d/init.d/iptables save || true
service iptables restart || true
service sshd restart
```
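Steps 8, 9, 10 and 16 all delete every line matching a keyword and append the new value at the end of `sshd_config`, which is fine on a stock CentOS 7 file but silently wrong if an uncommented earlier occurrence survives (sshd honours the first one) or if the appended line lands below a `Match` block. The audit helper below is an added example, not part of easyctl: it reads a config file with sshd's first-match rule and compares it against the values those steps are meant to leave behind, using a constructed sample file and the expected values taken from the steps above.

```shell
# Added audit helper, not part of easyctl: checks that the sshd_config values
# written by steps 8, 9, 10 and 16 are the ones sshd will actually enforce.
# sshd uses the FIRST uncommented occurrence of a keyword, so a leftover
# "PermitRootLogin yes" above the appended "PermitRootLogin no" wins.
# Print the value sshd would use for KEYWORD in FILE (first match, case-insensitive).
sshd_effective() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Compare FILE against the hardened values; returns 0 only when every one matches.
audit_sshd() {
  file=$1; rc=0
  while read -r key want; do
    got=$(sshd_effective "$file" "$key")
    if [ "$got" = "$want" ]; then
      printf 'ok   %-20s %s\n' "$key" "$got"
    else
      printf 'FAIL %-20s want=%s got=%s\n' "$key" "$want" "${got:-<unset>}"
      rc=1
    fi
  done <<'EOF'
Port 22122
PermitRootLogin no
MaxAuthTries 3
UseDNS no
AllowAgentForwarding no
AllowTcpForwarding no
EOF
  return $rc
}

# Constructed sample: "PermitRootLogin no" was appended, but an earlier
# "PermitRootLogin yes" survived and is the one sshd honours.
write_sample_sshd() {
  cat > "$1" <<'EOF'
#Port 22
Port 22122
PermitRootLogin yes
MaxAuthTries 3
UseDNS no
AllowAgentForwarding no
AllowTcpForwarding no
PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample_sshd "$sample"
audit_sshd "$sample" || echo "sample is NOT hardened: root login still permitted"
rm -f "$sample"
```

Run it against `/etc/ssh/sshd_config` on a hardened host (`audit_sshd /etc/ssh/sshd_config`) after step 16, before closing the original session on port 22.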