linux安全加固

Linux查看程序端口占用情况今天发现服务器上Tomcat 8080端口起不来，老提示端口已经被占用。使用命令：ps -aux | grep tomcat发现并没有8080端口的Tomcat进程。使用命令：netstat apn查看所有的进程和端口使用情况。发现下面的进程列表，其中最后一栏是PID/Program name发现8080端口被PID为9658的Java进程占用。进一步使用命令：ps -aux | grep java，或者直接：ps -aux | grep pid 查看就可以明确知道8080端口是被哪个程序占用了！然后判断是否使用KILL命令干掉！方法二：直接使用 netstat -anp | grepportno即：netstat apn | grep 8080Mysql 数据库不推荐root用户，普通用户Sql 不推荐sa用户Apcht 不推荐系统用户普通用户漏洞名称漏洞定级漏洞危害漏洞详情修复建议Linux查看用户输入vi /etc/passwd 可以查看此文件的内容 。本机内容如下：rootlocalhost # vi /etc/passwdroot:x:0:0:root:/root:/bin/bashroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologin其中每一行代表一个账号，所以，想查看本机一共有多少账号，直接数passwd文件的行数就可以了，用命令rootlocalhost # cat /etc/passwd | wc -l42则代表本机一共有42个账号查找root用户的个数可以这样做：rootlocalhost # cat /etc/passwd | grep :0root:x:0:0:root:/root:/bin/bashsync:x:5:0:sync:/sbin:/bin/syncshutdown:x:6:0:shutdown:/sbin:/sbin/shutdownhalt:x:7:0:halt:/sbin:/sbin/haltoperator:x:11:0:operator:/root:/sbin/nologin看哪些账号的第三个字段是0.那么这个就是管理员组账号Linux安全加固So本博文提供了关于Linux系统安全加固的具体实现脚本及基线检查规范，以供主机维护人员参考学习。其中以下脚本主要实现的功能包括：*加固项包括：密码长度、session超时时间、删除不用的帐号和组、限制root用户直接telnet或rlogin、ssh*检查是否存在除root之外UID为0的用户、确保root用户的系统路径中不包含父目录，在非必要的情况下，不应包含组权限为777的目录*检查操作系统Linux用户umask设置、检查重要目录和文件的权限、禁止除root之外的用户su操作、查找系统中任何人都有写权限的目录*查找系统中没有属主的文件、查找系统中的隐藏文件、判断日志与审计是否合规、登录超时设置、禁用不必要的服务*linux 安全加固适用于redhat、centos5.8至6.2具体内容如下，请结合自身业务需求进行系统级加固：#1、-echo 删除不用的帐号和组echo delete unused users and grupsfor i in lp sync shutdown halt news uucp operator games gopherdoecho will delete user $iuserdel $iecho user $i have deletedonefor i in lp sync shutdown halt news uucp operator games gopherdoecho will delete group $igroupdel $iecho group $i have deletedonedate=date +%F#2、-#section1 密码要求密码长度大于8,口令90天过期/etc/login.defs#-#-echo cp /etc/login.defs to /etc/login.defs.bak_%dateecho #-cp /etc/login.defs /etc/login.defs.bak_$date#echo 检查密码的配置echo Check the configure for users password.echo #-for i in PASS_MAX_DAYS PASS_MIN_LEN PASS_MIN_DAYS PASS_WARN_AGEdocat /etc/login.defs |grep $i|grep -v #done#set password min length 8echo #-echo Set users password min length is 8sed -i /PASS_MIN_LEN/s/5/8/g /etc/login.defsecho #-#set password max day 90#echo set password expired 90 day#sed -i /PASS_MAX_DAYS/s/99999/90/g /etc/login.defs#3、-echo #检查是否存在空口令echo Check if there have user without password!echo #-awk -F: ($2 = ) print $1 /etc/shadow#4、-#section2 限制root用户直接telnet或rlogin，ssh无效#建议在/etc/securetty文件中配置：CONSOLE = /dev/tty01#-#帐号与口令-检查是否存在除root之外UID为0的用户#echo #检查系统中是否存在其它id为0的用户echo Check if the system have other users id is 0echo #-mesg=awk -F: ($3 = 0) print $1 /etc/passwd|grep -v rootif -z $mesg thenecho There dont have other user uid=0elseechoecho !echo $mesg uid=0echo !fi#5、-echo #确保root用户的系统路径中不包含父目录，在非必要的情况下，不应包含组权限为777的目录echo check the Path set for root,make sure the path for root dont have father directory and 777 rightsecho #-echo $PATH | egrep (|:)(.|:|$)find echo $PATH | tr : -type d ( -perm -002 -o -perm -020 ) -ls#6、-echo #检查操作系统Linux远程连接echo Check if system have remote connection setingecho #-find / -name .netrcfind / -name .rhostsecho 检查操作系统Linux用户umask设置echo Check the system users umask settingecho #-for i in /etc/pro /etc/csh.cshrc /etc/bashrcdogrep -H umask $i|grep -v #done#设置umask为027#7、-#echo #检查重要目录和文件的权限#echo Check the important files and directory rightsecho #-for i in /etc /etc/rc.d/init.d /tmp /etc/inetd.conf /etc/passwd /etc/shadow /etc/group /etc/security /etc/services /etc/rc*.ddols -ld $idoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#8、-#echo #配置rc.d下脚本的权限echo Configure the scripts right(750) in rc.d directoryecho #-chmod -R 750 /etc/rc.d/init.d/*chmod 755 /bin/su 改了之后只能root su，没有了s位别的用户无法成功suchmod 664 /var/log/wtmp#chattr +a /var/log/messages#9、-echo #查找系统中存在的SUID和SGID程序echo Find the files have suid or Sgidecho #-for PART in grep -v # /etc/fstab | awk ($6 != 0) print $2 ; dofind $PART ( -perm -04000 -o -perm -02000 ) -type f -xdev -print |xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#10、- echo #查找系统中任何人都有写权限的目录echo Find the directory everyone have the write rightecho #-for PART in awk ($3 = ext2 | $3 = ext3) print $2 /etc/fstab; dofind $PART -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print |xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#11、-#echo #查找系统中任何人都有写权限的文件echo Find the files everyone have write rightecho #-for PART in grep -v # /etc/fstab | awk ($6 != 0) print $2 ; dofind $PART -xdev -type f ( -perm -0002 -a ! -perm -1000 ) -print |xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#12、- echo #查找系统中没有属主的文件echo Find no owner or no group files in systemecho #-for PART in grep -v # /etc/fstab |grep -v swap| awk ($6 != 0) print $2 ; dofind $PART -nouser -o -nogroup |grep -v vmware|grep -v dev|xargs ls -lddoneecho -n Please check if the output is ok ? yes or no :read icase $i iny|yes)break;n|no)echo Please recheck the output!echo !continue;*)echo please input yes or no;esac#13、- #echo #查找系统中的隐藏文件#echo Find the hiding system#echo #-#linux执行报错排除/dev”目录下的那些文件#find / -name (. * -o * -o .xx -o .mail ) -print -xdev# #find / -name * -print -xdev | cat -v#find / ( -name .* -o -name * -o -name .xx -o -name .mail ) -xdev#echo -n If you have check all the output files if correct yes or no ? :#read i# case $i in# y|yes)# break# ;# n|no)# echo Please recheck the output!# echo !# continue# ;# *)# echo please input yes or no# ;# esac#14、- echo #判断日志与审计是否合规echo Judge if the syslog audition if follow the rulesecho #-autmesg=cat /etc/syslog.conf |egrep authprivif ! -n $autmesg thenecho there dont have authpriv set in /etc/syslog.confecho !echo -n If you have know this y or n ?read icase $i iny|yes)break;n|no)echo there dont have authpriv set in /etc/syslog.confecho !continue;*)echo please input yes or no;esacelse# echo 日志与审计合规echo syslog audition follow the rulesfi#15、- echo #关闭linux core dumpecho Turn off the system core dumpecho #-mesg1=grep * soft core 0 /etc/security/limits.confmesg2=grep * hard core 0 /etc/security/limits.confif ! -n $mesg1 -o ! -n $mesg2 thencp /etc/security/limits.conf /etc/security/limits.conf_$dateif ! -n $mesg1 thenecho * soft core 0 /etc/security/limits.conffiif ! -n $mesg2 thenecho * hard core 0 /etc/security/limits.conffifi#修改login文件使limits限制生效cp /etc/pam.d/login /etc/pam.d/login_$dateecho session required /lib/security/pam_limits.so /etc/pam.d/login#16、- #登录超时设置#检查/etc/pam.d/system-auth文件是否存在account required /lib/security/pam_tally.so deny=的相关设置#建议设置为auth required pam_tally.so onerr=fail deny=6 unlock_time=300#17、- #su命令使用,对su命令使用进行限制设置#检查/etc/pam.d/su文件设置#文件中包含#auth sufficient /lib/security/pam_rootok.so debug#auth required /lib/security/pam_wheel.so group=isd#20、- echo #登录超时自动退出echo set session time out terminal echo #-tmout=grep -i TMOUT /etc/profileif ! -n $tmout thenechoecho -n do you want to set login timeout to 300s? yes:read icase $i iny|yes)cp /etc/pro$dateecho export TMOUT=300 /etc/profile. /etc/profile;n|no)break;*)echo please input yes or no;esacelsemesg=echo $tmout |awk -F= print $2if $mesg -ne 300 thenecho The login session timeout is $mesg now will change to 300 secondscp /etc/pro$dateecho export TMOUT=300 /etc/profile. /etc/profised -i s/HISTSIZE=1000/HISTSIZE=100/g /etc/pro、- echo #禁用telnet启用sshecho Stop telnet and start up sshdecho #-mesg1=lsof -i:23mesg2=lsof -i:22if ! -n $mesg2 thenservice start sshdchkconfig sshd onmesg2=lsof -i:22fiif ! -n $mesg1 -a ! -n $mesg2 thenechoecho Will Deactive telnet chkconfig krb5-telnet offchkconfig ekrb5-telnet offfi#22、- #echo #设置终端超时，使系统10分钟后自动退出不活动的Shell#echo #-#mesg=grep export TMOUT=600 /etc/profile#if -z $mesg #then#echo export TMOUT=600 /etc/profile#. /etc/pro#23、- echo #禁用不必要的服务echo Stop unuseing servicesecho #-list=avahi-daemon bluetooth cups firstboot hplip ip6tables iptables iscsi iscsid isdn kudzu pcscd rhnsd rhsmcertd rpcgssd rpcidmapd sendmail smartd yum-updatesd netfs portmap autofs nfslock nfsfor i in $listdochkconfig $i offservice $i stopdoneecho change kernel parameter for network securecp /etc/sysctl.conf /etc/sysctl.conf.$date#echo net.ipv4.icmp_echo_ignore_all = 1/etc/sysctl.confsysctl -a |grep arp_filter|sed -e s/= 0/= 1/g /etc/sysctl.confsysctl -a |grep accept_redirects|sed -e s/= 1/= 0/g /etc/sysctl.confsysctl -a |grep send_redirects|sed -e s/= 1/= 0/g /etc/sysctl.confsysctl -a |grep