CentOS 7 Host Hardening Guide (Part 3)
0x1f Remove and disable unnecessary services
Remove unnecessary services
# Remove
yum remove xinetd
yum remove telnet-server
yum remove rsh-server
yum remove telnet
yum remove rsh
yum remove ypbind
yum remove ypserv
yum remove tftp-server
yum remove cronie-anacron
yum remove bind
yum remove vsftpd
yum remove httpd
yum remove dovecot
yum remove squid
# the SNMP daemon ships in the net-snmp package (there is no net-snmpd package)
yum remove net-snmp
Disable unnecessary services
# Disable / Enable
systemctl disable xinetd
systemctl disable rexec
systemctl disable rsh
systemctl disable rlogin
systemctl disable ypbind
systemctl disable tftp
systemctl disable certmonger
systemctl disable cgconfig
systemctl disable cgred
systemctl disable cpuspeed
systemctl enable irqbalance
systemctl disable kdump
systemctl disable mdmonitor
systemctl disable messagebus
systemctl disable netconsole
systemctl disable ntpdate
systemctl disable oddjobd
systemctl disable portreserve
systemctl enable psacct
systemctl disable qpidd
systemctl disable quota_nld
systemctl disable rdisc
systemctl disable rhnsd
systemctl disable rhsmcertd
systemctl disable saslauthd
systemctl disable smartd
systemctl disable sysstat
systemctl enable crond
systemctl disable atd
systemctl disable nfslock
systemctl disable named
systemctl disable httpd
systemctl disable dovecot
systemctl disable squid
systemctl disable snmpd
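Several names in the disable list above (rexec, rlogin, cpuspeed, cgconfig, rdisc and others) are SysV-era service names that CentOS 7 does not ship as unit files, and systemctl disable simply fails on them. The script below is an added example, not part of the original guide: it reads a systemctl list-unit-files listing (a constructed sample is embedded; on a live host pass the real output) and prints only the enabled units that the disable step would actually change, so a hardening script can run the list without aborting on absent units. The unit names in the sample are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): check which of the services named
# above exist and are enabled before calling "systemctl disable" on them, so the
# hardening script does not abort on unit names CentOS 7 never shipped.

# unit_state UNIT LISTING -> "enabled", "disabled", "static", ... taken from a
# "systemctl list-unit-files --type=service" listing, or "absent" if not listed
unit_state() {
    state=$(printf '%s\n' "$2" | awk -v u="$1.service" '$1 == u { print $2; exit }')
    printf '%s\n' "${state:-absent}"
}

# plan_disable LISTING UNIT... -> the given units that are present and enabled,
# one per line (the only ones "systemctl disable" would actually change)
plan_disable() {
    listing=$1
    shift
    for unit in "$@"; do
        if [ "$(unit_state "$unit" "$listing")" = enabled ]; then
            printf '%s\n' "$unit"
        fi
    done
}

# apply_plan LISTING UNIT... -> dry run by default; set APPLY=1 to really disable
apply_plan() {
    listing=$1
    shift
    for unit in $(plan_disable "$listing" "$@"); do
        if [ "${APPLY:-0}" = 1 ]; then
            systemctl disable "$unit"
        else
            echo "would run: systemctl disable $unit"
        fi
    done
}

# Constructed sample listing; on a live host use:
#   listing=$(systemctl list-unit-files --type=service)
SAMPLE_LISTING='UNIT FILE              STATE
atd.service            enabled
avahi-daemon.service   enabled
crond.service          enabled
kdump.service          enabled
sshd.service           enabled
tftp.service           disabled
xinetd.service         enabled

7 unit files listed.'

apply_plan "$SAMPLE_LISTING" xinetd rexec rsh rlogin ypbind tftp kdump atd avahi-daemon
```

Run as shown it only prints the commands it would execute; with APPLY=1 and the real listing it disables the units. Note that tftp on CentOS 7 is socket-activated, so tftp.socket has to be disabled as well if it is present.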
Disable the Secure RPC client service
Disable rpcgssd:
The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. The rpcgssd service can be disabled with the following command:
systemctl disable rpcgssd
Disable the Secure RPC server service
systemctl disable rpcsvcgssd
Disable the RPC ID mapping service
The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. The rpcidmapd service can be disabled with the following command:
systemctl disable rpcidmapd
Disable Network File Systems (netfs)
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following command:
sudo systemctl disable netfs
Disable the Network File System (nfs)
systemctl disable nfs
If SSH is not needed, disable it:
systemctl disable sshd
Remove the SSH iptables firewall rule
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Tips™ - You probably need to leave SSH alone
Remove rsh trust files
rm /etc/hosts.equiv
rm ~/.rhosts
Disable the Avahi server software
systemctl disable avahi-daemon
Disable the CUPS service
If CUPS is not needed, disable it to reduce the attack surface
systemctl disable cups
Disable the DHCP service
systemctl disable dhcpd
Uninstall the DHCP server package
If DHCP is not needed, remove the package:
yum erase dhcp
Disable DHCP and use a static IP
Example (/etc/sysconfig/network-scripts/ifcfg-<interface>):
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
Specify an NTP server
vim /etc/ntp.conf
server ntpserver
Ideally, use an NTP server on the internal network.
Enable Postfix
systemctl enable postfix
Remove Sendmail
yum remove sendmail
Configure Postfix to listen only on localhost
Open /etc/postfix/main.cf and ensure the following inet_interfaces line appears:
vim /etc/postfix/main.cf
inet_interfaces = localhost
Configure the SMTP banner
The default banner reveals that the SMTP server is Postfix; set smtpd_banner in /etc/postfix/main.cf to a value that does not name the software (for example smtpd_banner = $myhostname ESMTP).
Disable the xinetd service
sudo systemctl disable xinetd
Set permissions on system audit logs
System audit logs must be no more permissive than 0640
sudo chmod 0640 audit_file
System audit logs must be owned by root
sudo chown root /var/log
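"No more permissive than 0640" is a bit-wise condition, not a string comparison: 0600 passes, 0644 fails even though it looks close. The script below is an added example, not part of the original guide; it checks an audit log's owner and mode the way a compliance scanner would and applies the chown/chmod from the section when asked to. The demo file in the temp directory is constructed; on CentOS 7 with auditd installed the real target is /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the original guide): compliance check for the
# audit-log rule above. A mode complies with 0640 when it grants no permission
# bit that 0640 does not, so 0600 and 0640 pass while 0644 and 0660 fail.

# mode_within MODE MAXMODE -> true when MODE sets no bit outside MAXMODE
# (both octal, with or without a leading zero)
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# audit_file_ok OWNER MODE -> true when owned by root and mode within 0640
audit_file_ok() {
    [ "$1" = root ] && mode_within "$2" 0640
}

# check_audit_log PATH -> prints OK/FAIL; uses GNU stat (%U owner, %a octal mode)
check_audit_log() {
    owner=$(stat -c %U "$1") || return 2
    mode=$(stat -c %a "$1") || return 2
    if audit_file_ok "$owner" "$mode"; then
        echo "OK   $1 owner=$owner mode=$mode"
    else
        echo "FAIL $1 owner=$owner mode=$mode (want owner root, mode within 0640)"
        return 1
    fi
}

# fix_audit_log PATH -> apply the two commands from the section
fix_audit_log() {
    chown root "$1" && chmod 0640 "$1"
}

# Demo on a constructed file in a temp directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/audit.log"
chmod 0644 "$demo_dir/audit.log"
check_audit_log "$demo_dir/audit.log" || true
chmod 0640 "$demo_dir/audit.log"
check_audit_log "$demo_dir/audit.log" || true
rm -rf "$demo_dir"
```

The second check only reports OK when the script runs as root, since the demo file is owned by whoever created it; that is the owner half of the rule doing its job.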
Disable autofs
chkconfig --level 0123456 autofs off
service autofs stop
0x21 Disable uncommon filesystems
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
0x22 Disable core dumps
vi /etc/security/limits.conf
* hard core 0
0x23 Disable core dumps for SUID programs
Run sysctl -w fs.suid_dumpable=0 and persist fs.suid_dumpable = 0 in /etc/sysctl.conf:
# Set runtime for fs.suid_dumpable
#
sysctl -q -n -w fs.suid_dumpable=0
#
# If fs.suid_dumpable present in /etc/sysctl.conf, change value to "0"
# else, add "fs.suid_dumpable = 0" to /etc/sysctl.conf
#
if grep --silent ^fs.suid_dumpable /etc/sysctl.conf ; then
    sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
    echo "" >> /etc/sysctl.conf
    echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
    echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi
0x24 Buffer overflow protection
Enable ExecShield
Used to defend against stack smashing / buffer overflows. Note that the 3.10 kernel shipped with CentOS 7 no longer exposes this setting, so sysctl reports that /proc/sys/kernel/exec-shield does not exist and the line has no effect; NX (below) and ASLR provide the protection on CentOS 7.
sysctl -w kernel.exec-shield=1
Add the following to /etc/sysctl.conf:
kernel.exec-shield = 1
Enable ASLR
Set runtime for kernel.randomize_va_space
sysctl -q -n -w kernel.randomize_va_space=2
Add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
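Sections 0x23 and 0x24 repeat the same two-step pattern (runtime sysctl -w, then a grep/sed/echo dance to persist the key in /etc/sysctl.conf). The script below is an added example, not from the original guide; it turns that pattern into one helper that serves fs.suid_dumpable, kernel.randomize_va_space and kernel.exec-shield alike, escapes the dots in the key so grep and sed match it literally, and checks /proc/sys before the runtime write so a key the running kernel does not expose (kernel.exec-shield on CentOS 7) is persisted with a warning instead of aborting the script. The sysctl.conf contents in the demo are constructed, and the demo writes to a temp file rather than /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example (not from the original guide): apply a sysctl at runtime and
# persist it in a sysctl.conf-style file, generalising the fs.suid_dumpable
# snippet in 0x23 so the same helper serves the 0x24 settings.

# persist_sysctl KEY VALUE FILE -> ensure FILE carries exactly one "KEY = VALUE" line
persist_sysctl() {
    key=$1 value=$2 file=$3
    # escape the dots so the key is matched literally by grep and sed
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i "s/^[[:space:]]*$pat[[:space:]]*=.*/$key = $value/" "$file"
    else
        printf '\n# set by hardening script\n%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# conf_value KEY FILE -> the value recorded for KEY in FILE (last match wins,
# which is also how sysctl -p treats duplicates)
conf_value() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# apply_sysctl KEY VALUE [FILE] -> runtime write when the running kernel exposes
# KEY under /proc/sys (kernel.exec-shield is absent on CentOS 7's 3.10 kernel,
# so it is only persisted, with a warning), then persistence in FILE
# (default /etc/sysctl.conf). Needs root on a live host.
apply_sysctl() {
    key=$1 value=$2 file=${3:-/etc/sysctl.conf}
    if [ -e "/proc/sys/$(printf '%s' "$key" | tr . /)" ]; then
        sysctl -q -w "$key=$value"
    else
        echo "warning: $key is not exposed by the running kernel; persisting only" >&2
    fi
    persist_sysctl "$key" "$value" "$file"
}

# Demo on a constructed sysctl.conf in a temp file (no runtime writes).
demo=$(mktemp)
printf 'net.ipv4.ip_forward = 0\nfs.suid_dumpable = 1\n' > "$demo"
persist_sysctl fs.suid_dumpable 0 "$demo"
persist_sysctl kernel.randomize_va_space 2 "$demo"
cat "$demo"
rm -f "$demo"
```

On a live host the three settings from these sections become apply_sysctl fs.suid_dumpable 0, apply_sysctl kernel.randomize_va_space 2 and apply_sysctl kernel.exec-shield 1; after editing, sysctl -p /etc/sysctl.conf reloads the file and will itself complain about any key the kernel lacks.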
Enable XD or NX Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check the BIOS and ensure XD/NX is enabled; this is not relevant for VMs. On Linux the capability shows up as the nx flag in the flags line of /proc/cpuinfo.
0x25 Configure SELinux
Make sure SELinux is not disabled at boot
# CentOS 7 uses GRUB2: remove selinux=0 / enforcing=0 from the kernel command line in /etc/default/grub, then regenerate grub.cfg
sed -i "s/selinux=0//gI" /etc/default/grub
sed -i "s/enforcing=0//gI" /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
Enable SELinux
vim /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
SELINUX= sets the mode (enforcing, or permissive while you are still testing) and SELINUXTYPE= selects the policy; targeted is the usual choice, depending on the situation.
Enable the SELinux restorecond service
restorecond uses the settings in /etc/selinux/restorecond.conf to decide how the SELinux type of a newly created file should be restored. Note that if your system has many non-standard SELinux file type settings, this daemon is better left off, otherwise it will change the types you set back to their defaults.
Enable restorecond for all run levels:
chkconfig --level 0123456 restorecond on
Start restorecond:
service restorecond start
Ensure no daemons are running unconfined by SELinux
sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
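The one-liner above greps for "initrc" anywhere in the ps line and then filters out its own pipeline tools by name. The script below is an added example, not from the original guide; it parses the SELinux context column properly, reports the PID and domain alongside the command name, and also catches unconfined_service_t, the domain systemd on CentOS 7 assigns to services that have no SELinux policy module of their own (the guide's pattern only sees initrc_t, the SysV-era equivalent). The ps -eZ output embedded below is constructed, including the process names.

```shell
#!/bin/sh
# Added example (not from the original guide): list daemons that SELinux is not
# confining, by parsing "ps -eZ" output. Column 1 is the context
# user:role:type[:level]; a type of initrc_t (what the guide's one-liner
# greps for) or unconfined_service_t (systemd services without a policy
# module on CentOS 7) means the process runs without a domain of its own.

# unconfined_from_ps PS_TEXT -> one "PID TYPE COMMAND" line per unconfined daemon
unconfined_from_ps() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                          # header line
        {
            split($1, ctx, ":")                   # ctx[3] is the type
            type = ctx[3]
            if (type == "initrc_t" || type == "unconfined_service_t")
                print $2, type, $NF
        }'
}

# unconfined_count PS_TEXT -> number of such daemons (0 is the target state)
unconfined_count() {
    unconfined_from_ps "$1" | grep -c . || true
}

# Constructed sample in the "ps -eZ" layout: LABEL PID TTY TIME CMD.
# The interactive shell in unconfined_t is a user session, not a daemon, and
# is deliberately not reported.
SAMPLE_PS='LABEL                                       PID TTY          TIME CMD
system_u:system_r:init_t:s0                   1 ?        00:00:03 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023     980 ?        00:00:00 sshd
system_u:system_r:crond_t:s0-s0:c0.c1023   1050 ?        00:00:00 crond
system_u:system_r:initrc_t:s0              1133 ?        00:00:00 legacy-agent
system_u:system_r:unconfined_service_t:s0  1210 ?        00:00:01 vendor-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2200 pts/0 00:00:00 bash'

# On a live host: unconfined_from_ps "$(ps -eZ)"
unconfined_from_ps "$SAMPLE_PS"
```

Each reported process is a candidate either for a policy module (semanage/audit2allow workflow) or, if it is a legacy init script, for migration to a proper systemd unit; the count function gives a single number that a scheduled check can alert on.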
0x26 Prevent login with empty passwords
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
# sshd and other network logins use password-auth on CentOS 7, so strip nullok there too
sed -i 's/\<nullok\>//g' /etc/pam.d/password-auth
0x27 Harden the SSH service
Allow only SSH protocol 2
vim /etc/ssh/sshd_config
Protocol 2
Restrict SSH login for specific users
vim /etc/ssh/sshd_config
DenyUsers USER1 USER2
Set the idle logout timeout interval to 600 seconds
ClientAliveInterval 600
Set SSH Client Alive Count
Do not keep idle sessions
To ensure the SSH idle timeout occurs precisely when ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
Disable .rhosts support in SSH
The IgnoreRhosts option makes sshd ignore users' .rhosts and .shosts files.
vim /etc/ssh/sshd_config
IgnoreRhosts yes
Disable host-based authentication
SSH's cryptographic host-based authentication is more secure than .rhosts authentication, but hosts trusting each other is still not recommended, even within one organisation.
vim /etc/ssh/sshd_config
HostbasedAuthentication no
Disable SSH root login
vim /etc/ssh/sshd_config
PermitRootLogin no
Disable SSH login with empty passwords
vim /etc/ssh/sshd_config
PermitEmptyPasswords no
Enable the SSH warning banner
Enable a warning banner to raise security awareness.
Banner /etc/issue
Disable the SSH Environment option
When a client logs in over ssh, the server must not read per-client environment settings from ~/.ssh/environment.
PermitUserEnvironment no
Use only approved ciphers
Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
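Editing sshd_config by hand for each of the settings above is error-prone, and two sshd parsing rules bite people regularly: keywords are case-insensitive, and for a keyword given more than once the first occurrence wins (a later duplicate is silently ignored). The script below is an added example, not from the original guide; it audits a configuration against the values required in this section, honouring both rules and stopping at the first Match block because settings inside it are conditional. The sshd_config embedded for the demo is constructed and intentionally has two non-compliant settings.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config against the
# settings required in section 0x27. sshd keywords are case-insensitive and the
# first occurrence wins, so comments are skipped, the keyword is lower-cased and
# only the first value is used; parsing stops at the first Match block.

# Required keyword/value pairs from the section (lower-case keywords).
REQUIRED='protocol 2
clientaliveinterval 600
clientalivecountmax 0
ignorerhosts yes
hostbasedauthentication no
permitrootlogin no
permitemptypasswords no
permituserenvironment no
banner /etc/issue
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc'

# effective_value CONFIG_TEXT KEYWORD -> first global value for KEYWORD, or empty
effective_value() {
    printf '%s\n' "$1" | awk -v kw="$2" '
        NF == 0 || $1 ~ /^#/ { next }         # blank lines and comments
        { k = tolower($1) }
        k == "match" { exit }                 # global section ends at the first Match
        k == kw { print $2; exit }'
}

# audit_sshd_config CONFIG_TEXT -> one "ok"/"FAIL" line per required setting
audit_sshd_config() {
    cfg=$1
    printf '%s\n' "$REQUIRED" | while read -r kw want; do
        have=$(effective_value "$cfg" "$kw")
        if [ "$have" = "$want" ]; then
            echo "ok    $kw $have"
        else
            echo "FAIL  $kw want=$want have=${have:-<unset>}"
        fi
    done
}

# failing_settings CONFIG_TEXT -> number of required settings not satisfied
failing_settings() {
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

# Constructed sshd_config: ClientAliveCountMax is wrong, PermitRootLogin only
# appears inside a Match block (so it is unset globally), and the second
# PermitEmptyPasswords line is ignored because the first one wins.
SAMPLE_CONFIG='# constructed sshd_config for the demo
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
ClientAliveInterval 600
ClientAliveCountMax 3
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitEmptyPasswords yes
PermitUserEnvironment no
Banner /etc/issue
Match User backup
    PermitRootLogin no'

# On a live host: audit_sshd_config "$(cat /etc/ssh/sshd_config)"
audit_sshd_config "$SAMPLE_CONFIG"
```

After fixing a reported setting, run sshd -t to syntax-check the file before restarting sshd, and keep an existing session open while you test a new login. On the OpenSSH 7.x shipped with CentOS 7 the Protocol keyword is accepted but has no effect, since protocol 1 support was removed from the server.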
0x29 Harden the X desktop (X Window System)
Disable the X desktop to reduce the attack surface
yum groupremove "X Window System"
0x2a Scheduled updates
yum -y install yum-cron
chkconfig yum-cron on
Also configure yum-cron for "check only" (in /etc/yum/yum-cron.conf: apply_updates = no, and download_updates = no if you only want notifications); automatically installing updates is not recommended.
Original: https://highon.coffee/blog/security-harden-centos-7/