备份集防勒索解决方案

备份集防勒索解决方案

【导读】本文针对频发的勒索病毒事件下备份方案的防护优化提出了解决思路，并对Linux系统的部署给出了建议脚本。近期，周边发了几起勒索病毒事件，大多事件的备份集也一并被修改加密，导致系统瘫痪、备份不可用。针对此情况，我对我们当前的备份方案紧急做了个调整优化：原来备份的方式至挂在备份NAS，定时开启备份脚本，备份完成。修改之后，大致改为了到备份时间时，主动挂在备份NAS，调用备份脚本，开启备份，备份完成后，解挂备份NAS。另外增加操作系统挂在备份文件夹的权限管控，脚本大致如下：#修改chattr的默认命令名称#mv/usr/bin/chattr/usr/bin/Lo0ckBkFi1le#0，定时任务提前3分钟连接备份存储介质，并且测试连接成功#1，连接备份存储，调用备份脚本#备份文件至文件夹：/BackUpFiles/cp/ShengChanFiles/data.csv/BackUpFiles/data_20220829.csv#压缩备份文件，压缩密码为：Aa123456cd/BackUpFiles/tar-czdata_20220829.csv|openssldes3-salt-kAa123456-out/BackUpFiles/data_20220829.tar.gz#解压命令为：openssldes3-d-kAa123456-salt-indata_20220829.tar.gz|tarxzf-#给备份文件上锁Lo0ckBkFi1le+i/BackUpFiles/data_20220829.tar.gz#断开备份存储另：针对有备份软件的公司，建议启动备份软件防勒索的功能。大多windows感染勒索比较容易，但是现在Linux系统也频频出现中勒索的情况，建议部署Linux系统按照基线部署，可参考如下脚本：#!/bin/sh#Name:centos7-os-init.sh#Writeby:Jan#LastModify:2019-09-20#DESC:Linux系统优化和安全加固#CMD:shcentos7-os-init.sh#CMD说明:该脚本主要用于centos调优，作为相对通用的模板，有一定的普适性，但是一般在实际生产环境##########中会根据系统的不同功能，进行不同的参数优化，请各位注意。#--------------------------------------------------------------------#0添加epel的yum源##echo"[epel]">>/etc/yum.repos.d/epel.repo##echo"name=ExtraPackagesforCentos7-\$basearch">>/etc/yum.repos.d/epel.repo##echo"baseurl=/epel/7Server/\$basearch">>/etc/yum.repos.d/epel.repo##echo"failovermethod=priority">>/etc/yum.repos.d/epel.repo##echo"enabled=1">>/etc/yum.repos.d/epel.repo##echo"gpgcheck=0">>/etc/yum.repos.d/epel.repo###使配置生效##yumcleanall##yummakecache##yumrepolistyuminstall-ywgetwget-P/etc/yum.repos.d//repo/epel-7.repoyumcleanallyummakecacheyumrepolist##或者直接安装

rpm

-ivh

/epel/epel-release-latest-7.noarch.rpm

#1设定时区，自动同步时间,定义为每天自动同步一次yuminstall-yntpdate\cp/usr/share/zoneinfo/Asia/Shanghai/etc/localtimentp_path=`whichntpdate`$ntp_path9hwclock-wecho"101***$ntp_path9">>/var/spool/cron/root#设置hostname,一般安装的时候就会设置好

#2创建系统默认目录：##脚本存放目录mkdir-p/u01/shell##软件安装介质存放位置mkdir-p/u01/src##日志存放位置mkdir-p/u02/log##备份存放位置，一般也会挂载nas存储盘mkdir-p/u03/bakmkdir-p/u03/nas#mount-tcifs-ousername="jan",password="123456a?"//8/DB_bak/u03/nas

#3优化内核参数##3.1修改最大系统最大打开文件数和最大进程数。echo"*softnproc65536">>/etc/security/limits.confecho"*hardnproc65536">>/etc/security/limits.confecho"*softnofile65536">>/etc/security/limits.confecho"*hardnofile65536">>/etc/security/limits.confecho"*softnproc65536">/etc/security/limits.d/20-nproc.confecho

"root

soft

nproc

unlimited">>/etc/security/limits.d/20-nproc.confecho"测试方式:当前session退出后重新登录执行:ulimit-Snulimit-Hn"

##3.2调整内核参数、网络参数、安全参数以应对高并发环境。cp/etc/sysctl.conf/etc/sysctl.conf.bkecho''>/etc/sysctl.conf

#关闭ipv6echo"net.ipv6.conf.all.disable_ipv6=1">>/etc/sysctl.confecho"net.ipv6.conf.default.disable_ipv6=1">>/etc/sysctl.conf#避免放大攻击echo"net.ipv4.icmp_echo_ignore_broadcasts=1">>/etc/sysctl.conf#开启恶意icmp错误消息保护echo"net.ipv4.icmp_ignore_bogus_error_responses=1">>/etc/sysctl.conf#关闭路由转发echo"net.ipv4.ip_forward=0">>/etc/sysctl.confecho"net.ipv4.conf.all.send_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.default.send_redirects=0">>/etc/sysctl.conf#开启反向路径过滤echo"net.ipv4.conf.all.rp_filter=1">>/etc/sysctl.confecho"net.ipv4.conf.default.rp_filter=1">>/etc/sysctl.conf#处理无源路由的包echo"net.ipv4.conf.all.accept_source_route=0">>/etc/sysctl.confecho"net.ipv4.conf.default.accept_source_route=0">>/etc/sysctl.conf#关闭sysrq功能echo"kernel.sysrq=0">>/etc/sysctl.conf#core文件名中添加pid作为扩展名echo"kernel.core_uses_pid=1">>/etc/sysctl.conf#开启SYN洪水攻击保护echo"net.ipv4.tcp_syncookies=1">>/etc/sysctl.conf#修改消息队列长度echo"kernel.msgmnb=65536">>/etc/sysctl.confecho"kernel.msgmax=65536">>/etc/sysctl.conf#设置最大内存共享段大小bytes，这两个参数主要在安装oracle数据库的时候，结合SGA使用echo"kernel.shmmax>>/etc/sysctl.conf#建议修改为内存大小例如16G内存echo"kernel.shmall=4194304">>/etc/sysctl.conf#默认=kernel.shmmax/4KB(4096)#timewait的数量，默认180000echo"net.ipv4.tcp_max_tw_buckets=6000">>/etc/sysctl.confecho"net.ipv4.tcp_sack=1">>/etc/sysctl.confecho"net.ipv4.tcp_window_scaling=1">>/etc/sysctl.confecho"net.ipv4.tcp_rmem=4096873804194304">>/etc/sysctl.confecho"net.ipv4.tcp_wmem=4096163844194304">>/etc/sysctl.confecho"net.core.wmem_default=8388608">>/etc/sysctl.confecho"net.core.rmem_default=8388608">>/etc/sysctl.confecho"net.core.rmem_max=16777216">>/etc/sysctl.confecho"net.core.wmem_max=16777216">>/etc/sysctl.conf#每个网络接口接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目echo"dev_max_backlog=262144">>/etc/sysctl.conf#限制仅仅是为了防止简单的DoS攻击echo"net.ipv4.tcp_max_orphans=3276800">>/etc/sysctl.conf#未收到客户端确认信息的连接请求的最大值echo"net.ipv4.tcp_max_syn_backlog=262144">>/etc/sysctl.confecho"net.ipv4.tcp_timestamps=0">>/etc/sysctl.conf#内核放弃建立连接之前发送SYNACK包的数量echo"net.ipv4.tcp_synack_retries=1">>/etc/sysctl.conf#内核放弃建立连接之前发送SYN包的数量echo"net.ipv4.tcp_syn_retries=1">>/etc/sysctl.conf#启用timewait快速回收echo"net.ipv4.tcp_tw_recycle=1">>/etc/sysctl.conf#开启重用。允许将TIME-WAITsockets重新用于新的TCP连接echo"net.ipv4.tcp_tw_reuse=1">>/etc/sysctl.confecho"net.ipv4.tcp_mem=94500000915000000927000000">>/etc/sysctl.confecho"net.ipv4.tcp_fin_timeout=1">>/etc/sysctl.conf#当keepalive起用的时候，TCP发送keepalive消息的频度。缺省是2小时echo"net.ipv4.tcp_keepalive_time=30">>/etc/sysctl.conf#允许系统打开的端口范围echo"net.ipv4.ip_local_port_range=3276865000">>/etc/sysctl.conf#修改防火墙表大小，默认65536#filter.nf_conntrack_max=655350#filter.nf_conntrack_tcp_timeout_established=1200#确保无人能修改路由表echo"net.ipv4.conf.all.accept_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.default.accept_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.all.secure_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.default.secure_redirects=0">>/etc/sysctl.conf#开启并记录欺骗，源路由和重定向包echo"net.ipv4.conf.all.log_martians=1">>/etc/sysctl.confecho"net.ipv4.conf.default.log_martians=1">>/etc/sysctl.confecho"fs.file-max=6815744">>/etc/sysctl.confecho"fs.aio-max-nr=1048576">>/etc/sysctl.confecho"kernel.shmmni=4096">>/etc/sysctl.confecho"kernel.sem=25032000100128">>/etc/sysctl.confecho"net.ipv4.route.gc_timeout=100">>/etc/sysctl.conf

#启用内核中的SYNcookie保护：(一般情况下操作系统已经默认开启)echo"1">/proc/sys/net/ipv4/tcp_syncookies#优化swapecho"vm.swappiness=10">>/etc/sysctl.confsysctl-p

#4安全加固相关：#4.1关闭selinuxsed-i's/SELINUX=enforcing/SELINUX=disabled/g'/etc/selinux/config

#4.2关闭不常用服务。根据服务器的用途和安装系统时候的选择进行优化，将不必要的服务关闭，提高性能。#chkconfigiptablesoff#chkconfigip6tablesoff#chkconfigabrt-ccppoff#chkconfigabrtdoff#chkconfigacpidoff#chkconfigatdoff#chkconfigauditdoff#chkconfigautofsoff#chkconfigblk-availabilityoff#chkconfigbluetoothoff#chkconfigcertmongeroff#chkconfigcpuspeedoff#chkconfigcupsoff#chkconfigdnsmasqoff#chkconfigfirstbootoff#chkconfigkdumpoff#chkconfigmdmonitoroff#chkconfignetconsoleoff#chkconfigpostfixoff#chkconfigquota_nldoff#chkconfigrdiscoff#chkconfigrestorecondoff#chkconfigsaslauthdoff#chkconfigsmartdoff#chkconfigwpa_supplicantoff#chkconfigypbindoff

#4.3安装监控客户端##安装监控客户端

#4.4清除不必要的系统帐户userdeladmuserdellpuserdelsyncuserdelshutdownuserdelhaltuserdeloperatoruserdelftp

#4.5隐藏linux版本号#>/etc/issue#>/etc/

#4.6系统关闭Ping#关闭ping，使系统对ping不做反应，对网络安全大有好处。#echo1>/proc/sys/net/ipv4/icmp_echo_ignore_all#echo"echo1>/proc/sys/net/ipv4/icmp_echo_ignore_all">>/etc/rc.d/rc.local#恢复系统的Ping响应：#echo0>/proc/sys/net/ipv4/icmp_echo_ignore_all

###4.7升级OpenSSHOpenSSL至安全版本#######禁止root账户远程登录,更改ssh端口##sed-i's/#Port22/Port2022/g'/etc/ssh/sshd_config##sed-i's/#PermitRootLoginyes/PermitRootLoginno/g'/etc/ssh/sshd_config

#4.8安装telnetyuminstall-ytelnet

###4.9创建普通用户,指定/u01u02u03所属##groupaddgapp##useradd-ggappappuser##echo"apuserPWD"|passwd--stdinappuser##chown-Rappuser.gapp/u01##chown-Rappuser.gapp/u02##chown-Rappuser.gapp/u03##chown-R