Operating system hardening

  • Prerequisites:
    • easyctl installed
    • Supported versions: v0.7.12-alpha and above
    • What each step changes is listed in the Reference section below
  • Supported platforms:
    • [x] CentOS7
    • [?] CentOS6: not yet tested; compatible in principle, testing welcome.

Usage

1. Generate the configuration file

$ easyctl harden os
INFO[0000] 生成配置文件样例, 请携带 -c 参数重新执行 -> config.yaml

2. Adjust the configuration

Edit config.yaml (vi config.yaml) and adjust the following parameters:

  • server: the hosts to be hardened
server:
  - host: 10.10.10.[1:40] # address range
    username: root
    privateKeyPath: "" # e.g. ~/.ssh/id_rsa; empty means password login, non-empty means key-based login
    password: 123456
    port: 22
excludes:
  - 192.168.235.132 # addresses to exclude from the range above
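Before hardening forty machines at once it is worth seeing exactly which hosts the server/excludes entries resolve to. The script below is an added example, not easyctl's own code: it assumes that `10.10.10.[1:40]` means an inclusive range over the last octet (what the "address range" comment suggests; easyctl's real parser may differ) and that excludes are matched as exact addresses.

```shell
#!/bin/sh
# Added example (not easyctl code): expand config.yaml host entries into the
# concrete target list, dropping the addresses listed under excludes.
# Assumption: "[a:b]" is an inclusive range over the last octet.

# expand_range ENTRY: prints one address per line.
expand_range() {
  case "$1" in
    *"["*":"*"]")
      prefix=${1%%"["*}                 # "10.10.10."
      spec=${1#*"["}; spec=${spec%"]"}  # "1:40"
      i=${spec%%:*}; last=${spec#*:}
      while [ "$i" -le "$last" ]; do
        echo "$prefix$i"
        i=$((i + 1))
      done ;;
    *) echo "$1" ;;                     # plain address, no range
  esac
}

# target_hosts EXCLUDES ENTRY...: EXCLUDES is a whitespace-separated list
# (the excludes: entries); every ENTRY is expanded and excluded hosts dropped.
target_hosts() {
  excl=$1; shift
  for entry in "$@"; do
    expand_range "$entry"
  done | while read -r ip; do
    case " $excl " in
      *" $ip "*) ;;        # listed under excludes, skip it
      *) echo "$ip" ;;
    esac
  done
}

# Constructed sample mirroring the config above: 40 hosts, one excluded.
target_hosts "10.10.10.7" "10.10.10.[1:40]" | wc -l   # prints 39
```

Run it with the same values you put in config.yaml; if the count or the addresses are not what you expect, fix the YAML before running `easyctl harden os -c config.yaml`.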

3. Run the hardening

$ easyctl harden os -c config.yaml --debug

The output looks like this:

$ easyctl harden os -c config.yaml
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 1] 禁ping
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  |        OUTPUT        | EXCEPTION |
|-----------------|--------|-----------|---------|----------------------|-----------|
| 192.168.109.137 | ****** |     0     | success | net.ipv4.icmp_echo_i |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 2] 关闭ICMP_TIMESTAMP应答
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [step 3] 设置系统空闲等待时间
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:35-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 4] 隐藏系统版本信息
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 5] 禁止Control-Alt-Delete 键盘重启系统命令
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 6] ssh用户密码加固
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [step 7] 删除系统默认用户
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:36-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 8] 修改允许密码错误次数
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 9] ssh关闭UseDNS
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 10] ssh关闭AgentForwarding
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [step 11] 加固系统日志文件
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:37-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 12] 删除非root用户定时任务
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 13] 定时清理僵尸进程
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 14] 添加sudo用户: easyctl 密码: YR4H0x*3wVyfyd
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  |        OUTPUT        | EXCEPTION |
|-----------------|--------|-----------|---------|----------------------|-----------|
| 192.168.109.137 | ****** |     0     | success | Changing password fo |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [step 15] 锁定敏感文件
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:38-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT | EXCEPTION |
|-----------------|--------|-----------|---------|--------|-----------|
| 192.168.109.137 | ****** |     0     | success |        |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [step 16] 调整ssh登录端口为: 22122,禁止root直接登录.
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 解析server列表完毕!
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | 开始并行执行命令...
[easyctl] localhost.localdomain | 2021-10-11T04:56:39-04:00 | info | [192.168.109.137] 开始执行指令 -> shell content
[easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | <- 192.168.109.137执行命令成功...
|   IP ADDRESS    |  CMD   | EXIT CODE | RESULT  | OUTPUT  | EXCEPTION |
|-----------------|--------|-----------|---------|---------|-----------|
| 192.168.109.137 | ****** |     0     | success | success |           |
|                 |        |           |         | success |           |
|                 |        |           |         |  succ   |           |
[easyctl] localhost.localdomain | 2021-10-11T04:56:40-04:00 | info | [done] 安全加固完毕,目标主机连方式改为:
ssh端口: 22122
ssh用户: easyctl
ssh密码: YR4H0x*3wVyfyd

4. How do I log in to a hardened host?

Use the user and port reported at the end of the output above:

SSH port: 22122
SSH user: easyctl
SSH password: YR4H0x*3wVyfyd

The easyctl user has sudo rights; changing the easyctl user's password after the first login is recommended.

Reference

The following items are hardened:

1. Disable ping (ignore ICMP echo requests)

sed -i "/net.ipv4.icmp_echo_ignore_all/d" /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_all=1"  >> /etc/sysctl.conf
sysctl -p

2. Disable ICMP timestamp replies

iptables -I INPUT -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP || true
iptables -I INPUT -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP || true
3. Set the system idle timeout

sed -i '/export TMOUT=300/d' /etc/profile
sed -i '/readonly TMOUT/d' /etc/profile
echo "export TMOUT=300" >> /etc/profile
echo "readonly TMOUT" >> /etc/profile
4. Hide system version information

mv /etc/issue /etc/issue.bak || true
mv /etc/issue.net /etc/issue.net.bak || true

5. Disable the Control-Alt-Delete keyboard reboot

rm -rf /usr/lib/systemd/system/ctrl-alt-del.target || true

6. SSH user password hardening

# Password ageing policy in /etc/login.defs. The ${VAR:-fallback} forms give
# the tests an operand when a key is absent (an absent key is then set too).
PASS_MAX_DAYS=$(grep -e ^PASS_MAX_DAYS /etc/login.defs |awk '{print $2}')
if [ "${PASS_MAX_DAYS:-99999}" -gt 90 ];then
    echo "密码最长保留期限为:$PASS_MAX_DAYS, 更改为90天"
    sed -i "/^PASS_MAX_DAYS/d" /etc/login.defs
    echo "PASS_MAX_DAYS   90" >> /etc/login.defs
fi

PASS_MIN_DAYS=$(grep -e ^PASS_MIN_DAYS /etc/login.defs |awk '{print $2}')
if [ "${PASS_MIN_DAYS:-1}" -ne 0 ];then
    echo "密码最短保留期限为:$PASS_MIN_DAYS, 更改为0天"
    sed -i "/^PASS_MIN_DAYS/d" /etc/login.defs
    echo "PASS_MIN_DAYS   0" >> /etc/login.defs
fi

PASS_MIN_LEN=$(grep -e ^PASS_MIN_LEN /etc/login.defs |awk '{print $2}')
if [ "${PASS_MIN_LEN:-0}" -lt 8 ];then
    echo "密码最少字符为:$PASS_MIN_LEN, 更改为8"
    sed -i "/^PASS_MIN_LEN/d" /etc/login.defs
    echo "PASS_MIN_LEN   8" >> /etc/login.defs
fi

PASS_WARN_AGE=$(grep -e ^PASS_WARN_AGE /etc/login.defs |awk '{print $2}')
if [ "${PASS_WARN_AGE:-0}" -ne 7 ];then
    echo "密码到期前$PASS_WARN_AGE天提醒, 更改为7"
    sed -i "/^PASS_WARN_AGE/d" /etc/login.defs
    echo "PASS_WARN_AGE   7" >> /etc/login.defs
fi
7. Remove default system users

users=(adm lp sync shutdown halt mail news uucp operator games gopher ftp)
for i in "${users[@]}";
do
  userdel "$i" &>/dev/null || true
done
8. Change the allowed number of password failures

sed -i "/MaxAuthTries/d" /etc/ssh/sshd_config
echo "MaxAuthTries 3" >> /etc/ssh/sshd_config
service sshd restart
9. Disable ssh UseDNS

sed -i "/UseDNS/d" /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
service sshd restart
10. Disable ssh AgentForwarding and TcpForwarding

sed -i "/AgentForwarding/d" /etc/ssh/sshd_config
sed -i "/TcpForwarding/d" /etc/ssh/sshd_config
echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
service sshd restart
11. Harden the system log file

touch /var/log/secure
chown root:root /var/log/secure
chmod 600 /var/log/secure
12. Delete non-root users' scheduled tasks

rm -f /etc/cron.deny
13. Periodically clean up zombie processes

tmp=$(mktemp)   # unpredictable temp file instead of the fixed /tmp/file1
crontab -l 2>/dev/null | grep -v '#' > "$tmp"
echo "0 3 * * * ps -A -ostat,ppid | grep -e '^[Zz]' | awk '{print \$2}' | xargs kill -HUP > /dev/null 2>&1" >> "$tmp"   # \$2 is awk's field, not a shell parameter
awk '!x[$0]++' "$tmp" > "$tmp.dedup" && mv "$tmp.dedup" "$tmp"   # drop duplicate entries
crontab "$tmp" && rm -f "$tmp"
14. Create the sudo user

chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab   # unlock files locked by step 15 on a re-run
useradd -m easyctl &>/dev/null || true
echo 'YR4H0x*3wVyfyd' | passwd --stdin easyctl || true   # quoted so the * is not glob-expanded
sed -i '/easyctl/d' /etc/sudoers
echo "easyctl        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
15. Lock sensitive files and tighten their permissions

chown root:root /etc/{passwd,shadow,group}
chmod 644 /etc/{passwd,group}
chmod 400 /etc/shadow
chattr +i /etc/services || true
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
16. Change the ssh port and forbid root login

sed -i "/PermitRootLogin/d" /etc/ssh/sshd_config
sed -i "/Port 22/d" /etc/ssh/sshd_config
echo "Port 22122" >> /etc/ssh/sshd_config
echo "PermitRootLogin no" >> /etc/ssh/sshd_config

setenforce 0
firewall-cmd --zone=public --add-port=22122/tcp --permanent || true
firewall-cmd --reload || true

iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22122 -j ACCEPT || true
/etc/rc.d/init.d/iptables save || true
service iptables restart || true

service sshd restart

Note that setenforce 0 only disables SELinux until the next reboot; on a host that comes back up in enforcing mode, sshd must be allowed to bind the new port (semanage port -a -t ssh_port_t -p tcp 22122) or it will fail to start.
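The steps above change settings but never verify them, and the run log only shows an exit code per step. The audit script below is an added example, not part of easyctl: it checks the end state the 16 steps are supposed to leave behind. Every check takes a file path, so it can be pointed at the real /etc files of a hardened host or at the constructed sample files that make_samples writes (used at the bottom). The sample contents, the helper names and the expected values are taken from the step listing above; nothing else about easyctl is assumed.

```shell
#!/bin/sh
# Added example (not easyctl code): audit the settings left by the hardening
# steps above. Each check reads a file path; samples are constructed below.

# sshd_value FILE KEY: OpenSSH honours the FIRST occurrence of a directive and
# ignores commented lines, so that is what the audit reads.
sshd_value() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# last_value FILE KEY: login.defs uses "KEY VALUE", sysctl.conf "key=value".
# The scripts above delete old lines before appending, so the last
# uncommented entry is the effective one.
last_value() {
  awk -F '[ =]+' -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# expect_all READER FILE KEY=WANT...: prints every mismatch, returns 1 on any.
expect_all() {
  reader=$1; file=$2; shift 2; rc=0
  for pair in "$@"; do
    key=${pair%%=*}; want=${pair#*=}
    got=$("$reader" "$file" "$key")
    [ "$got" = "$want" ] || { echo "$file: $key is '${got:-unset}', expected '$want'"; rc=1; }
  done
  return $rc
}

# Steps 8, 9, 10 and 16: sshd_config directives.
check_sshd() {
  expect_all sshd_value "$1" MaxAuthTries=3 UseDNS=no AllowAgentForwarding=no \
    AllowTcpForwarding=no PermitRootLogin=no Port=22122
}

# Step 6: password ageing in login.defs.
check_login_defs() {
  expect_all last_value "$1" PASS_MAX_DAYS=90 PASS_MIN_DAYS=0 PASS_MIN_LEN=8 PASS_WARN_AGE=7
}

# Step 1: ICMP echo requests ignored in sysctl.conf.
check_sysctl() {
  expect_all last_value "$1" net.ipv4.icmp_echo_ignore_all=1
}

# Step 3: idle timeout exported read-only from /etc/profile.
check_profile() {
  grep -q '^export TMOUT=300$' "$1" && grep -q '^readonly TMOUT$' "$1"
}

# Step 15: file mode (GNU stat, with BSD stat as fallback).
check_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "$2" ] || { echo "$1: mode $mode, expected $2"; return 1; }
}

# make_samples: writes constructed sample files to a temp dir and prints it.
make_samples() {
  d=$(mktemp -d)
  printf '%s\n' '#PermitRootLogin yes' 'MaxAuthTries 3' 'UseDNS no' \
    'AllowAgentForwarding no' 'AllowTcpForwarding no' 'Port 22122' \
    'PermitRootLogin no' > "$d/sshd_config.hardened"
  printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'UseDNS yes' > "$d/sshd_config.default"
  printf '%s\n' 'PASS_MAX_DAYS   99999' 'PASS_MAX_DAYS   90' 'PASS_MIN_DAYS   0' \
    'PASS_MIN_LEN   8' 'PASS_WARN_AGE   7' > "$d/login.defs"
  printf 'net.ipv4.icmp_echo_ignore_all=1\n' > "$d/sysctl.conf"
  printf 'export TMOUT=300\nreadonly TMOUT\n' > "$d/profile"
  : > "$d/shadow"; chmod 400 "$d/shadow"
  echo "$d"
}

# Usage: audit the samples; on a real host pass /etc/ssh/sshd_config,
# /etc/login.defs, /etc/sysctl.conf, /etc/profile and /etc/shadow instead.
S=$(make_samples)
for c in "check_sshd $S/sshd_config.hardened" "check_sshd $S/sshd_config.default" \
         "check_login_defs $S/login.defs" "check_sysctl $S/sysctl.conf" \
         "check_profile $S/profile" "check_mode $S/shadow 400"; do
  $c && echo "PASS: $c" || echo "FAIL: $c"
done
```

The second sshd_config sample is deliberately an untouched default (commented-out `#Port 22` and `#PermitRootLogin yes`), so the run shows one expected FAIL next to the PASS lines; an unexpected FAIL on a real host means a step did not take effect, for example because a later `sed` deleted the line it had just added.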
Copyright © weiliang-ms 2021, all rights reserved. Powered by GitBook. Published: 2023-09-06 14:36:05
