
Miscellaneous Notes on Linux Security Configuration

Date: 2017/3/1 15:55:14   Editor: 關於Linux
SSH configuration

Edit /etc/ssh/sshd_config non-interactively by feeding vim a here-document. The delimiter is quoted so the shell does not expand `$#` and `$AuthorizedKeysFile` inside the commands, and every substitution uses `:%s` so it applies to the whole file rather than only to the first line:

```bash
vim /etc/ssh/sshd_config <<'VIM' > /dev/null 2>&1
:%s/#LoginGraceTime 2m/LoginGraceTime 2m/
:%s/#PermitRootLogin yes/PermitRootLogin no/
:%s/#MaxAuthTries 6/MaxAuthTries 3/
:%s,^#\?AuthorizedKeysFile.*,AuthorizedKeysFile /dev/null,
:%s/GSSAPIAuthentication yes/GSSAPIAuthentication no/
:%s/GSSAPICleanupCredentials yes/GSSAPICleanupCredentials no/
:wq
VIM
```

Disable key-based login by pointing the authorized-keys file at /dev/null (this empties the key list sshd consults; `PubkeyAuthentication no` would turn the method off outright):

```
AuthorizedKeysFile /dev/null
```

Lock the system accounts so they cannot log in:

```bash
passwd -l bin
passwd -l daemon
passwd -l adm
passwd -l lp
passwd -l sync
passwd -l shutdown
passwd -l halt
passwd -l mail
passwd -l uucp
passwd -l operator
passwd -l games
passwd -l gopher
passwd -l ftp
passwd -l nobody
passwd -l vcsa
passwd -l saslauth
passwd -l postfix
```

Check which users can log in and which users have a password:

```bash
#!/bin/bash
# Print a banner for each check
function section(){
    local title="$1"
    echo "=================================================="
    echo " $title "
    echo "=================================================="
}

section "Check login user"
# accounts whose shell is not nologin can log in interactively
grep -v nologin /etc/passwd

section "Check login password"
# shadow entries containing '$' hold a hashed password
grep '\$' /etc/shadow

section "Check SSH authorized_keys file"
# use the full home directory path so the test works from any working directory
for home in /home/*
do
    key="$(basename "$home")"
    if [ -e "$home/.ssh/authorized_keys" ]; then
        echo "$key : $home/.ssh/authorized_keys"
    else
        echo "$key : "
    fi
done
```

55.2.1. pam_tally2.so

This module locks an account after the password has been entered wrongly 3 times; the lock is lifted automatically after 5 minutes, and while it is in effect even the correct password is rejected.

Add the following line at the top of /etc/pam.d/sshd:

```
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
```

View the failure counts:

```
# pam_tally2
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
neo                 8    07/12/13 15:45:36  192.168.6.2
```

Reset the counter:

```
# pam_tally2 -r -u root
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
# pam_tally2 -r -u neo
Login           Failures Latest failure     From
neo                 8    07/12/13 15:45:36  192.168.6.2
```

The pam_tally2 counter log is kept in /var/log/tallylog. Note that this is a binary file.

Example 55.1. /etc/pam.d/sshd

```
# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
```

With the configuration above the root user is not restricted. To restrict root as well, use the following line instead:

```
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800
```

55.2.2. pam_listfile.so: restricting which users may log in

Add the line below to /etc/pam.d/sshd. A whitelist is used here; a blacklist can be used instead.

```
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
```

Add the users who are allowed to log in to /etc/ssh/whitelist; every other user will be unable to log in to your system over SSH.

```
# cat /etc/ssh/whitelist
neo
www
```

Example 55.2. /etc/pam.d/sshd - pam_listfile.so

```
# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
```

sense=allow selects whitelist mode; sense=deny selects blacklist mode:

```
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
```
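To verify that the sshd_config edits from the SSH section above actually took effect, here is an added audit script written for this page (not code from the original). It resolves keywords the way sshd does (case-insensitive, first occurrence wins, settings after a Match block are conditional) and so also catches the case where a substitution leaves extra tokens on the AuthorizedKeysFile line; the defaults it assumes for absent keywords are taken from the commented-out lines of a stock sshd_config.

```python
import re

# Constructed example, not code from the page. (expected, default when absent);
# defaults follow the commented-out lines of a stock sshd_config.
BASELINE = {
    "permitrootlogin": ("no", "yes"),
    "maxauthtries": ("3", "6"),
    "logingracetime": ("2m", "2m"),
    "gssapiauthentication": ("no", "no"),
    "authorizedkeysfile": ("/dev/null", ".ssh/authorized_keys"),
}

def effective_settings(text):
    """Resolve keywords the way sshd does: case-insensitive, first occurrence
    wins, lines starting with '#' are comments, and everything after the
    first Match block is conditional, so the scan stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)[\s=]+(.*)", line)  # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return (keyword, actual, expected) for each deviation from BASELINE."""
    found = effective_settings(text)
    return [(k, found.get(k, d), e) for k, (e, d) in BASELINE.items()
            if found.get(k, d).lower() != e.lower()]

# Constructed sample: the AuthorizedKeysFile line is what a substitution that
# replaces only the '#AuthorizedKeysFile' token leaves behind.
SAMPLE = """\
#PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 3
GSSAPIAuthentication yes
AuthorizedKeysFile /dev/null .ssh/authorized_keys
Match User backup
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for key, actual, expected in audit(SAMPLE):
        print(f"{key}: found {actual!r}, expected {expected!r}")
```

Run it against the real file by passing its contents to `audit()`; an empty list means every baseline value is in effect.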