Linux Security Configuration Notes

SSH configuration

Feed ex commands to vim to edit /etc/ssh/sshd_config in place. Two corrections to the original commands: the first three substitutions used `:s/`, which only acts on the cursor line and so never reached the directives; `:%s/` applies to the whole file. The AuthorizedKeysFile substitution now replaces the whole directive line, because the stock line is `#AuthorizedKeysFile .ssh/authorized_keys` and sshd accepts a space-separated list of files there: merely uncommenting it and prepending /dev/null would leave `.ssh/authorized_keys` as a second, still honoured, file.

    vim /etc/ssh/sshd_config <<VIM > /dev/null 2>&1
    :%s/^#LoginGraceTime 2m/LoginGraceTime 2m/
    :%s/^#PermitRootLogin yes/PermitRootLogin no/
    :%s/^#MaxAuthTries 6/MaxAuthTries 3/
    :%s$^#\?AuthorizedKeysFile .*$AuthorizedKeysFile /dev/null$
    :%s/^GSSAPIAuthentication yes/GSSAPIAuthentication no/
    :%s/^GSSAPICleanupCredentials yes/GSSAPICleanupCredentials no/
    :wq
    VIM

Each substitution only fires when the stock line is present in exactly that form (newer OpenSSH ships `#PermitRootLogin prohibit-password`, for example), so confirm the effective settings with `sshd -T | grep -iE 'permitrootlogin|authorizedkeysfile|maxauthtries'` before reloading sshd.

Disable public-key login:

    AuthorizedKeysFile /dev/null

(`PubkeyAuthentication no` states the same intent directly. With keys off, password authentication and the PAM rules below are the only way in, which is why the lockout and whitelist rules that follow matter.)

Lock accounts so they cannot log in

    for u in bin daemon adm lp sync shutdown halt mail uucp operator games gopher ftp nobody vcsa saslauth postfix; do
        passwd -l "$u"
    done

`passwd -l` only prefixes the account's hash in /etc/shadow with `!`; it does not change the login shell, so also confirm that these accounts use /sbin/nologin.

Check which users can log in and which have a password

    #!/bin/bash
    # Report accounts with an interactive shell, accounts with a usable password hash,
    # and home directories that carry an SSH authorized_keys file.
    function section(){
        local title=$1
        echo "=================================================="
        echo " $title "
        echo "=================================================="
    }

    section "Check login user"
    # nologin and /bin/false both deny an interactive session
    grep -vE '/(nologin|false)$' /etc/passwd

    section "Check login password"
    # A usable hash begins with '$' right after the user name; '!' (locked) and '*' (disabled) do not
    grep -E '^[^:]+:\$' /etc/shadow

    section "Check SSH authorized_keys file"
    # The original iterated over "ls /home" and tested a relative path, which never matched; use the full path
    for home in /home/*; do
        user=${home##*/}
        if [ -e "$home/.ssh/authorized_keys" ]; then
            echo "$user : $home/.ssh/authorized_keys"
        else
            echo "$user : "
        fi
    done

55.2.1. pam_tally2.so

This module counts failed logins: after 3 wrong passwords the account is locked and unlocks automatically after 5 minutes; while it is locked, even the correct password is refused. Add the following at the top of /etc/pam.d/sshd:

    auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

The pam_tally2 man page also calls for an `account required pam_tally2.so` entry, which resets the counter after a successful login; without it failures accumulate across sessions until the account eventually locks. (pam_tally2 was removed in Linux-PAM 1.5.0; current distributions use pam_faillock, which takes the same deny= and unlock_time= options.)

View the failure counts:

    # pam_tally2
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2
    neo                 8    07/12/13 15:45:36  192.168.6.2

Reset the counter:

    # pam_tally2 -r -u root
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2
    # pam_tally2 -r -u neo
    Login           Failures Latest failure     From
    neo                 8    07/12/13 15:45:36  192.168.6.2

The pam_tally2 counters are kept in /var/log/tallylog. Note that this is a binary file: read it with the pam_tally2 command, not with cat.

Example 55.1. /etc/pam.d/sshd

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

With the configuration above, root is not restricted. To restrict root as well, use the following (unlock_time and root_unlock_time are in seconds):

    auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

55.2.2. pam_listfile.so: restricting which users may log in

Add the line below to /etc/pam.d/sshd. This is the whitelist form; the blacklist form is shown at the end of the section.

    auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

List the users allowed to log in, one per line, in /etc/ssh/whitelist; every other user is refused SSH login.

    # cat /etc/ssh/whitelist
    neo
    www

Example 55.2. /etc/pam.d/sshd - pam_listfile.so

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

sense=allow is whitelist mode, sense=deny is blacklist mode:

    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail

Two caveats. sshd only runs the PAM `auth` stack for password and keyboard-interactive authentication; a public-key login skips it, so a pam_listfile rule placed in the `auth` stack does not restrict key-based logins (on this host keys are already off via AuthorizedKeysFile /dev/null, but the rule is only as strong as that setting). Placing the same rule in the `account` stack, which sshd runs for every authentication method, or using sshd's own `AllowUsers` directive closes that gap. Second, pam_listfile refuses a list file that is world-writable or not a regular file (it logs "is either world writable or not a normal file"), so keep /etc/ssh/whitelist owned by root with mode 0644.
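The sshd_config hardening at the start of this page, as an added example that is not part of the original page: a shell script that applies the same six directives with sed instead of keystrokes fed to vim, so each directive is set whether it is still commented out, already set to another value, or absent. The file path, the function names (`set_directive`, `harden_sshd`, `get_directive`, `demo`) and the constructed sample sshd_config in `demo` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the page's sshd_config hardening
# with sed rather than keystrokes fed to vim, so that each directive is set whether it is
# still commented out, already set to another value, or absent.  The file is an argument,
# so it can be tried on a copy before touching /etc/ssh/sshd_config.

# set_directive FILE NAME VALUE : rewrite every line that starts with NAME or #NAME as
# "NAME VALUE"; append the directive when no such line exists.
set_directive() {
    file=$1; name=$2; value=$3
    if grep -Eq "^#?[[:space:]]*$name([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^#?[[:space:]]*$name([[:space:]].*)?\$|$name $value|" "$file"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# harden_sshd FILE : the settings from the page.  AuthorizedKeysFile is rewritten as a
# whole line because the stock "#AuthorizedKeysFile .ssh/authorized_keys" takes a list:
# uncommenting it and prepending /dev/null would leave .ssh/authorized_keys in force.
harden_sshd() {
    set_directive "$1" LoginGraceTime 2m
    set_directive "$1" PermitRootLogin no
    set_directive "$1" MaxAuthTries 3
    set_directive "$1" AuthorizedKeysFile /dev/null
    set_directive "$1" GSSAPIAuthentication no
    set_directive "$1" GSSAPICleanupCredentials no
}

# get_directive FILE NAME : value of the first active NAME line, the one sshd honours
# when a directive is repeated.
get_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# demo : run the hardening on a constructed sample of the stock directives (it includes the
# newer "#PermitRootLogin prohibit-password" form, which the page's vim pattern would miss).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#MaxAuthTries 6
#AuthorizedKeysFile .ssh/authorized_keys
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
    harden_sshd "$f"
    cat "$f"
    rm -f "$f"
}

# Usage: sh harden_sshd.sh /path/to/sshd_config   (then: sshd -t -f /path/to/sshd_config)
if [ $# -eq 1 ]; then harden_sshd "$1"; else demo; fi
```

Run it on a copy first and validate the result with `sshd -t -f FILE` before reloading. The substitution rewrites every matching line, including any inside a `Match` block, so review the diff on a config that uses `Match`.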
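The "which users can log in" check and the `passwd -l` lockdown above, as an added example that is not part of the original page: an audit that reads passwd- and shadow-format files given as arguments, so it can be run against the constructed records in `write_sample`, and that distinguishes a usable hash from a locked (`!`), disabled (`*`) or empty password field, which the page's `grep '\$' /etc/shadow` cannot. The function names, verdict labels and sample records are this example's own assumptions; the sample hashes are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not code from the original page: audit which accounts can really
# authenticate.  It reads passwd- and shadow-format files given as arguments, so it can be
# run against constructed copies, and separates a usable hash ("$6$...") from a locked
# ("!..."), disabled ("*") or empty password field.

# shell_allows_login SHELL : true if the shell can start an interactive session
shell_allows_login() {
    case $1 in
        */nologin|*/false|"") return 1 ;;
        *) return 0 ;;
    esac
}

# password_state HASH : prints usable | locked | disabled | empty
password_state() {
    case $1 in
        "")    echo empty ;;      # no password at all: passwordless login where nullok is allowed
        "!"*)  echo locked ;;     # prefix added by passwd -l / usermod -L
        "*"*)  echo disabled ;;   # "*" or "*LK*": no password was ever set
        *)     echo usable ;;
    esac
}

# audit_accounts PASSWD SHADOW
# One line per account: "user shell password-state keys verdict", where verdict is
#   LOGIN        shell and password both permit a password login
#   NO-PASSWORD  interactive shell and an empty password field
#   KEYS-ONLY    interactive shell but the password is locked/disabled; an
#                authorized_keys file (keys=yes) would still let the account in
#   NONE         no interactive shell
audit_accounts() {
    passwd=$1; shadow=$2
    while IFS=: read -r user _ _ _ _ home shell; do
        hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow")
        state=$(password_state "$hash")
        keys=no
        if [ -e "$home/.ssh/authorized_keys" ]; then keys=yes; fi
        if shell_allows_login "$shell"; then
            case $state in
                usable) verdict=LOGIN ;;
                empty)  verdict=NO-PASSWORD ;;
                *)      verdict=KEYS-ONLY ;;
            esac
        else
            verdict=NONE
        fi
        printf '%s %s %s %s %s\n' "$user" "$shell" "$state" "$keys" "$verdict"
    done < "$passwd"
}

# login_accounts PASSWD SHADOW : only the usernames that can log in with a password
login_accounts() {
    audit_accounts "$1" "$2" | awk '$5 == "LOGIN" { print $1 }'
}

# write_sample PASSWD SHADOW : constructed records for a dry run (placeholder hashes, not real)
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
neo:x:1000:1000::/home/neo:/bin/bash
www:x:1001:1001::/home/www:/bin/bash
old:x:1002:1002::/home/old:/bin/bash
EOF
    cat > "$2" <<'EOF'
root:$6$saltsalt$constructedhash1:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
neo:$6$saltsalt$constructedhash2:19000:0:99999:7:::
www:!$6$saltsalt$constructedhash3:19000:0:99999:7:::
old::19000:0:99999:7:::
EOF
}

# Usage (as root, so /etc/shadow is readable): sh audit_accounts.sh /etc/passwd /etc/shadow
if [ $# -eq 2 ]; then
    audit_accounts "$1" "$2"
else
    p=$(mktemp); s=$(mktemp); write_sample "$p" "$s"; audit_accounts "$p" "$s"; rm -f "$p" "$s"
fi
```

On the sample, `root` and `neo` come out as LOGIN, `www` (locked with `passwd -l`, shell still /bin/bash) as KEYS-ONLY, `old` as NO-PASSWORD and `bin` as NONE. The NO-PASSWORD verdict is the one to act on first: an empty shadow field is a login with no password wherever pam_unix is configured with nullok.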
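Sections 55.2.1 and 55.2.2 together, as an added example that is not part of the original page: a script that adds the pam_tally2 and pam_listfile rules to a PAM service file idempotently and checks the list file the way pam_listfile will. It deliberately departs from the page in two places: the pam_listfile rule goes in the `account` stack, because sshd skips the PAM `auth` stack for public-key logins, and a second `account required pam_tally2.so` line is added so the counter is reset after a successful login, as the pam_tally2 man page requires. The function names, the file path arguments and the sample PAM file written by `write_sample_pam` (the page's Example 55.1 without the tally2 line) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: add the page's pam_tally2 and
# pam_listfile rules to a PAM service file idempotently, and check the list file the way
# pam_listfile will.  The file path is an argument so it can be tried on a copy of
# /etc/pam.d/sshd before editing the real one.

# insert_before_first FILE REGEX LINE : insert LINE before the first line matching REGEX
# (appended at the end if nothing matches).
insert_before_first() {
    file=$1; regex=$2; line=$3
    awk -v re="$regex" -v ins="$line" \
        '!hit && $0 ~ re { print ins; hit = 1 } { print } END { if (!hit) print ins }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# pam_has_rule FILE TYPE MODULE : true if a TYPE line already names MODULE
pam_has_rule() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*[[:space:]]$3([[:space:]]|\$)" "$1"
}

# pam_stack FILE TYPE : the modules of one stack, in the order PAM will run them
pam_stack() {
    awk -v t="$2" '$1 == t { print $3 }' "$1"
}

# harden_pam_sshd FILE WHITELIST
harden_pam_sshd() {
    file=$1; list=$2
    # lockout after 3 failures: first rule of the auth stack (before the first non-comment line)
    pam_has_rule "$file" auth pam_tally2.so || insert_before_first "$file" '^[^#]' \
        'auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300'
    # reset the tally on a successful login (man pam_tally2)
    pam_has_rule "$file" account pam_tally2.so || insert_before_first "$file" '^[[:space:]]*account' \
        'account    required     pam_tally2.so'
    # whitelist, in the account stack so that it also covers key-based logins
    pam_has_rule "$file" account pam_listfile.so || insert_before_first "$file" '^[[:space:]]*account' \
        "account    required     pam_listfile.so item=user sense=allow file=$list onerr=fail"
}

# check_listfile FILE : true if pam_listfile will accept it, i.e. a regular file that is not
# world-writable; otherwise the module logs "is either world writable or not a normal file"
# and the rule fails.  Keep the list mode 0644, owned by root.
check_listfile() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -002)" ]
}

# write_sample_pam FILE : the page's /etc/pam.d/sshd (Example 55.1) before any rule is added
write_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
EOF
}

# Usage: sh harden_pam.sh /tmp/sshd.pam /etc/ssh/whitelist
if [ $# -eq 2 ]; then
    check_listfile "$2" || echo "warning: $2 would be rejected by pam_listfile" >&2
    harden_pam_sshd "$1" "$2"
else
    f=$(mktemp); write_sample_pam "$f"; harden_pam_sshd "$f" /etc/ssh/whitelist; cat "$f"; rm -f "$f"
fi
```

Running the script twice on the same file adds nothing the second time, so it is safe in a configuration-management loop. Keep a root shell open while testing a PAM change on a live host: a rule with `onerr=fail` and a missing or world-writable list file locks out every user, including you.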