1. 系统更新和补丁管理
1.1 检查当前系统版本和内核信息
创建检查脚本文件:check_system_info.sh
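#!/bin/bash
# System information check: OS release, kernel, uptime, pending updates, and
# whether a reboot is still required for updates that are already installed.
# Needs root for the package-metadata refresh; everything else is read-only.
set -u

echo "=== 系统信息检查 ==="

echo "1. 系统版本信息:"
cat /etc/os-release
echo ""

echo "2. 内核版本信息:"
uname -r
echo ""

echo "3. 系统运行时间:"
uptime
echo ""

echo "4. 安全更新状态:"
# dnf is tested before yum: RHEL 8+/Fedora ship a `yum` shim that is really
# dnf, so with the opposite order the dnf branch is never reached there.
if command -v apt-get >/dev/null 2>&1; then
  echo "Debian/Ubuntu 系统:"
  # `apt list --upgradable` only reflects the last metadata refresh; with a
  # stale cache it silently reports "nothing to upgrade". Refresh first.
  apt-get update -qq || echo "警告: 软件源刷新失败,以下结果可能已过期" >&2
  apt list --upgradable 2>/dev/null
elif command -v dnf >/dev/null 2>&1; then
  echo "Fedora/CentOS 8+ 系统:"
  # check-update exits 100 when updates are available; that is not an error.
  # (No --security filter on purpose: CentOS repos carry no security metadata,
  # so a security-only query would report "nothing" even when patches exist.)
  dnf check-update || true
elif command -v yum >/dev/null 2>&1; then
  echo "CentOS/RHEL 系统:"
  yum check-update || true
fi
echo ""

echo "5. 是否需要重启以应用已安装的更新:"
# A patched kernel or libc protects nothing until the system (or the affected
# services) restart; "no upgradable packages" above says nothing about that.
if [ -f /var/run/reboot-required ]; then
  cat /var/run/reboot-required
  [ -f /var/run/reboot-required.pkgs ] && cat /var/run/reboot-required.pkgs
elif command -v needs-restarting >/dev/null 2>&1; then
  # yum-utils / dnf-utils; -r reports whether a full reboot is needed.
  needs-restarting -r || true
else
  echo "(无法自动判断;请对比 uname -r 与已安装的最新内核版本)"
fi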
1.2 自动更新配置
创建自动更新配置文件:configure_auto_updates.sh
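#!/bin/bash
# Configure unattended security updates (apt / dnf-automatic / yum-cron).
# Must run as root. Each branch installs the updater if it is missing, backs up
# the file it is about to change, then enables the timer/service.
set -u

echo "=== 配置自动安全更新 ==="
backup_time=$(date +%Y%m%d_%H%M%S)

# Back up a file before it is modified (no-op if it does not exist yet).
backup_file() {
  if [ -f "$1" ]; then
    echo "备份 $1 ..."
    cp -p -- "$1" "$1.backup_$backup_time"
  fi
}

echo "配置自动安全更新..."
if command -v apt-get >/dev/null 2>&1; then
  # Ubuntu/Debian. unattended-upgrades is not guaranteed to be present
  # (minimal/cloud images); `systemctl enable unattended-upgrades` fails
  # silently-ish without it and no updates are ever applied.
  apt-get install -y unattended-upgrades
  backup_file /etc/apt/apt.conf.d/20auto-upgrades
  backup_file /etc/apt/apt.conf.d/52unattended-upgrades-local
  # Periodic triggers for the apt-daily timers.
  cat > /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
EOF
  # Unattended-Upgrade::* options live in their own file so the distro-managed
  # 50unattended-upgrades is left untouched. apt.conf lists are cumulative:
  # these origins are ADDED to the defaults from 50unattended-upgrades.
  cat > /etc/apt/apt.conf.d/52unattended-upgrades-local << 'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESM:${distro_codename}";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
  # Catch a configuration that does not parse now, not days later when no
  # updates were applied.
  unattended-upgrade --dry-run >/dev/null 2>&1 || echo "警告: unattended-upgrade --dry-run 失败,请检查 apt 配置" >&2
  systemctl enable --now unattended-upgrades
elif command -v dnf >/dev/null 2>&1; then
  # CentOS/RHEL 8+, Fedora. Tested before yum because these systems ship a
  # yum compatibility shim that would otherwise match the branch below.
  dnf install -y dnf-automatic
  backup_file /etc/dnf/automatic.conf
  sed -i 's/^apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
  # NOTE: `security` relies on updateinfo metadata. RHEL provides it; CentOS
  # (Stream) repos generally do not, so on CentOS nothing would be applied —
  # use `upgrade_type = default` there.
  sed -i 's/^upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf
  systemctl enable --now dnf-automatic.timer
elif command -v yum >/dev/null 2>&1; then
  # CentOS/RHEL 7. Without yum-cron installed, the original `[ -f yum-cron.conf ]`
  # guard made this branch a silent no-op: no automatic updates at all.
  yum install -y yum-cron
  backup_file /etc/yum/yum-cron.conf
  sed -i 's/^apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf
  sed -i 's/^update_cmd = default/update_cmd = security/' /etc/yum/yum-cron.conf
  systemctl enable --now yum-cron
else
  echo "错误: 未识别的包管理器,未做任何更改" >&2
  exit 1
fi
echo "自动安全更新配置完成!"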
echo "自动安全更新配置完成!"
2. 用户账户和密码策略
2.1 检查用户账户安全性
创建用户安全检查脚本:user_security_audit.sh
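#!/bin/bash
# User-account security audit (read-only). Needs root to read /etc/shadow and
# the btmp failed-login log; the remaining checks work unprivileged.
set -u

if [ "$(id -u)" -ne 0 ]; then
  echo "警告: 未以 root 运行,/etc/shadow 与失败登录记录将无法读取" >&2
fi

echo "=== 用户安全审计 ==="

echo "1. 检查空密码账户:"
# An empty hash field means the account can log in with no password at all
# wherever pam_unix is configured with nullok.
awk -F: '($2 == "") {print $1}' /etc/shadow 2>/dev/null
echo ""

echo "2. 检查非root的UID 0账户:"
awk -F: '($3 == 0 && $1 != "root") {print $1}' /etc/passwd
echo ""

echo "3. 检查重复的UID:"
# Two accounts sharing a UID are the same identity to the kernel — a classic
# way of hiding a second root-equivalent account under a harmless name.
cut -d: -f3 /etc/passwd | sort -n | uniq -d | while IFS= read -r uid; do
  awk -F: -v u="$uid" '($3 == u) {print $3 ": " $1}' /etc/passwd
done
echo ""

echo "4. 最近登录的用户:"
last -n 10
echo ""

echo "5. 失败的登录尝试:"
lastb -n 10 2>/dev/null || echo "(需要 root 权限)"
echo ""

echo "6. 具有sudo权限的用户:"
# Group membership alone misses grants written directly in sudoers/sudoers.d.
getent group sudo | cut -d: -f4
getent group wheel | cut -d: -f4
echo "sudoers 中的直接授权:"
grep -hE '^[^#[:space:]].*ALL' /etc/sudoers /etc/sudoers.d/* 2>/dev/null
echo ""

echo "7. 密码过期检查:"
# Every account with a usable password hash (not locked with '!' or '*'),
# not just root — a never-expiring service account is the common finding.
awk -F: '($2 != "" && $2 !~ /^[!*]/) {print $1}' /etc/shadow 2>/dev/null | while IFS= read -r user; do
  echo "--- $user"
  chage -l "$user"
done
echo ""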
2.2 配置密码策略
创建密码策略配置文件:configure_password_policy.sh
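#!/bin/bash
# Password policy: complexity (pam_pwquality), history (pam_pwhistory) and
# ageing (login.defs / chage). Must run as root.
#
# WARNING: this rewrites PAM password stacks. Keep a second root shell open
# and test `passwd` for a normal user before logging out.
set -u

echo "=== 配置密码策略 ==="
backup_time=$(date +%Y%m%d_%H%M%S)

# Set "KEY VALUE" in /etc/login.defs idempotently. The original appended a
# block with `>>` on every run, growing the file with duplicate definitions.
set_login_def() {
  local key=$1 value=$2
  if grep -qE "^#?\s*${key}\b" /etc/login.defs; then
    sed -i -E "s|^#?\s*${key}\b.*|${key} ${value}|" /etc/login.defs
  else
    printf '%s %s\n' "$key" "$value" >> /etc/login.defs
  fi
}

# Set "key = value" in /etc/security/pwquality.conf idempotently.
set_pwquality() {
  local key=$1 value=$2
  if grep -qE "^#?\s*${key}\s*=" /etc/security/pwquality.conf; then
    sed -i -E "s|^#?\s*${key}\s*=.*|${key} = ${value}|" /etc/security/pwquality.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/security/pwquality.conf
  fi
}

cp -p /etc/login.defs "/etc/login.defs.backup_$backup_time"

if [ -f /etc/pam.d/common-password ]; then
  # Debian/Ubuntu. pam_pwquality is NOT installed by default; a stack that
  # references a missing module makes every password change fail.
  echo "配置Debian/Ubuntu密码策略..."
  apt-get install -y libpam-pwquality
  cp -p /etc/pam.d/common-password "/etc/pam.d/common-password.backup_$backup_time"
  # NOTE: this replaces the pam-auth-update managed stack and drops any desktop
  # modules (e.g. pam_gnome_keyring) it had added. enforce_for_root: without
  # it root may set weak or reused passwords with only a warning.
  cat > /etc/pam.d/common-password << 'EOF'
# Password quality: >= 12 chars, at least one digit, upper, lower and symbol.
password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 enforce_for_root
# Refuse the last 5 passwords.
password required pam_pwhistory.so remember=5 use_authtok enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
password requisite pam_deny.so
password required pam_permit.so
EOF
elif command -v authselect >/dev/null 2>&1; then
  # RHEL/CentOS 8+. system-auth is generated by authselect; a hand-edited copy
  # is reported as "modified" and reverted on the next `authselect
  # apply-changes`. Put the policy where authselect and pam_pwquality read it.
  echo "配置RHEL 8+ 密码策略 (authselect + pwquality.conf)..."
  cp -p /etc/security/pwquality.conf "/etc/security/pwquality.conf.backup_$backup_time"
  set_pwquality minlen 12
  set_pwquality dcredit -1
  set_pwquality ucredit -1
  set_pwquality lcredit -1
  set_pwquality ocredit -1
  set_pwquality retry 3
  grep -qE '^\s*enforce_for_root' /etc/security/pwquality.conf || echo enforce_for_root >> /etc/security/pwquality.conf
  authselect enable-feature with-pwhistory || echo "警告: 当前 authselect 配置不支持 with-pwhistory,密码历史未启用" >&2
  authselect apply-changes
elif [ -f /etc/pam.d/system-auth ]; then
  # RHEL/CentOS 7 (no authselect). Differences from the usual copy of this
  # stack: no `nullok` — it permits login with an EMPTY password, the opposite
  # of hardening — and one pam_pwquality line instead of two conflicting ones.
  echo "配置CentOS/RHEL密码策略..."
  cp -p /etc/pam.d/system-auth "/etc/pam.d/system-auth.backup_$backup_time"
  cat > /etc/pam.d/system-auth << 'EOF'
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 enforce_for_root
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
EOF
fi

echo "配置登录定义..."
# NIST SP 800-63B no longer recommends forced periodic rotation when no
# compromise is suspected; 90 days is kept because CIS/PCI baselines still
# require it. Adjust to your own policy.
set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 7
set_login_def PASS_MIN_LEN 12   # ignored when pam_pwquality is in use; kept for completeness
set_login_def PASS_WARN_AGE 14
set_login_def UID_MIN 1000
set_login_def UID_MAX 60000

echo "为现有用户应用密码策略..."
# login.defs only governs accounts created from now on; existing accounts keep
# their old ageing until chage is run on them.
awk -F: '($3 >= 1000 && $1 != "nobody") {print $1}' /etc/passwd | while IFS= read -r user; do
  chage --maxdays 90 --mindays 7 --warndays 14 "$user"
done
chage --maxdays 90 --mindays 7 --warndays 14 root
echo "密码策略配置完成!"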
2.3 配置账户锁定策略
创建账户锁定配置脚本:configure_account_lockout.sh
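#!/bin/bash
# Account lockout after repeated failed logins. Must run as root.
#
# pam_tally2 was deprecated in Linux-PAM 1.3 and REMOVED in 1.5 (Debian 12,
# Ubuntu 22.04, RHEL 9). Adding an `onerr=fail` line for a module that is not
# installed fails EVERY authentication, root on the console included. This
# script therefore uses pam_faillock where it exists, falls back to pam_tally2
# only if that module is actually installed, and otherwise changes nothing.
#
# Keep a second root session open until a fresh login has been verified.
set -u

echo "=== 配置账户锁定策略 ==="
backup_time=$(date +%Y%m%d_%H%M%S)

DENY=5           # failed attempts before lockout
UNLOCK_TIME=900  # seconds until automatic unlock (0 = admin must run `faillock --reset`)

# Print the path of an installed PAM module, nothing if it is absent.
find_pam_module() {
  find /lib /lib64 /usr/lib /usr/lib64 -name "$1.so" -print -quit 2>/dev/null
}

backup() { [ -f "$1" ] && cp -p -- "$1" "$1.backup_$backup_time"; }

if [ -n "$(find_pam_module pam_faillock)" ]; then
  if command -v authselect >/dev/null 2>&1; then
    # RHEL 8+: authselect owns system-auth/password-auth; edit through it.
    echo "配置账户锁定 (authselect with-faillock)..."
    authselect enable-feature with-faillock
    authselect apply-changes
  elif [ -f /etc/pam.d/common-auth ]; then
    echo "配置Debian/Ubuntu账户锁定 (pam_faillock)..."
    backup /etc/pam.d/common-auth
    backup /etc/pam.d/common-account
    # No `nullok` on pam_unix: it would let passwordless accounts in. Limits
    # come from /etc/security/faillock.conf (written below). Any extra modules
    # pam-auth-update had added (e.g. pam_cap) are dropped by this rewrite.
    cat > /etc/pam.d/common-auth << 'EOF'
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so
EOF
    if ! grep -q pam_faillock /etc/pam.d/common-account; then
      sed -i '1i account required pam_faillock.so' /etc/pam.d/common-account
    fi
  elif [ -f /etc/pam.d/system-auth ]; then
    # RHEL 7 without authselect: PAM here predates faillock.conf, so the
    # limits must be given inline.
    echo "配置CentOS/RHEL账户锁定 (pam_faillock)..."
    backup /etc/pam.d/system-auth
    if ! grep -q 'pam_faillock.so preauth' /etc/pam.d/system-auth; then
      sed -i "/^auth.*pam_env.so/a auth required pam_faillock.so preauth silent deny=$DENY unlock_time=$UNLOCK_TIME" /etc/pam.d/system-auth
      sed -i "/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail deny=$DENY unlock_time=$UNLOCK_TIME" /etc/pam.d/system-auth
    fi
    if ! grep -q '^account.*pam_faillock.so' /etc/pam.d/system-auth; then
      sed -i '/^account.*pam_unix.so/i account required pam_faillock.so' /etc/pam.d/system-auth
    fi
  fi
  # Linux-PAM >= 1.4 reads the limits from here; older versions ignore the
  # file and use the inline options written above.
  backup /etc/security/faillock.conf
  cat > /etc/security/faillock.conf << EOF
# Written by configure_account_lockout.sh
deny = $DENY
unlock_time = $UNLOCK_TIME
audit
# even_deny_root is deliberately NOT set: a remote attacker could otherwise
# lock the console root account at will. Rely on PermitRootLogin no in sshd.
EOF
elif [ -n "$(find_pam_module pam_tally2)" ]; then
  echo "pam_faillock 不可用,回退到 pam_tally2..."
  if [ -f /etc/pam.d/common-auth ]; then
    backup /etc/pam.d/common-auth
    cat > /etc/pam.d/common-auth << EOF
auth required pam_tally2.so onerr=fail deny=$DENY unlock_time=$UNLOCK_TIME
auth [success=1 default=ignore] pam_unix.so
auth requisite pam_deny.so
auth required pam_permit.so
EOF
  elif [ -f /etc/pam.d/system-auth ]; then
    backup /etc/pam.d/system-auth
    if ! grep -q '^auth.*pam_tally2' /etc/pam.d/system-auth; then
      sed -i "/^auth.*pam_env.so/a auth required pam_tally2.so onerr=fail deny=$DENY unlock_time=$UNLOCK_TIME" /etc/pam.d/system-auth
    fi
    # The original tested for *any* pam_tally2 line here, which is always true
    # right after the auth line was added — so the account entry (needed to
    # reset the counter on success) was never written.
    if ! grep -q '^account.*pam_tally2' /etc/pam.d/system-auth; then
      sed -i '/^account.*pam_unix.so/i account required pam_tally2.so' /etc/pam.d/system-auth
    fi
  fi
else
  echo "错误: 未找到 pam_faillock 或 pam_tally2,未修改 PAM 配置" >&2
  exit 1
fi
echo "账户锁定策略配置完成!"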
3. SSH服务安全配置
3.1 SSH安全加固配置
创建SSH安全配置脚本:secure_ssh_config.sh
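#!/bin/bash
# SSH daemon hardening. Must run as root.
#
# Lockout safety: the new file is validated with `sshd -t` and the previous
# one is restored automatically if it does not parse. Even so, keep this
# session open and confirm that a NEW login works before disconnecting.
set -u

echo "=== SSH服务安全加固 ==="
backup_time=$(date +%Y%m%d_%H%M%S)
backup="/etc/ssh/sshd_config.backup_$backup_time"
cp -p /etc/ssh/sshd_config "$backup"

# Deliberately NOT carried over from older versions of this file:
#  * `Protocol 2` and `RhostsRSAAuthentication` — protocol 1 was removed in
#    OpenSSH 7.4; both keywords are now deprecated and only produce warnings.
#  * `PasswordExpiryWarningTime` — not an OpenSSH keyword. sshd refuses to
#    start with "Bad configuration option", which locks everyone out.
#  * `Include /etc/ssh/sshd_config.d/*.conf` — overwriting this file drops
#    the distro's Include, so drop-ins (e.g. a cloud-init file that sets
#    PasswordAuthentication yes) no longer apply. Re-add it if you rely on them.
cat > /etc/ssh/sshd_config << 'EOF'
# SSH服务端口
Port 22
# 监听地址(根据实际情况调整)
# ListenAddress 0.0.0.0
# 主机密钥文件 (RSA kept for older clients; drop it once all clients do ed25519)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# 日志配置 — VERBOSE records the fingerprint of the key used for each login,
# which is what incident response needs to tell authorized keys apart.
SyslogFacility AUTH
LogLevel VERBOSE
# 认证配置
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 10
# 公钥认证
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# 密码认证(生产环境建议关闭). NOTE: "PasswordAuthentication no" alone is not
# enough — keyboard-interactive (PAM) still prompts for a password unless
# KbdInteractiveAuthentication is set to no as well.
PasswordAuthentication yes
KbdInteractiveAuthentication yes
PermitEmptyPasswords no
# Kerberos / GSSAPI 认证
KerberosAuthentication no
GSSAPIAuthentication no
# X11转发
X11Forwarding no
# 打印motd
PrintMotd no
PrintLastLog yes
# TCP保持连接
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 2
# 使用PAM
UsePAM yes
# 允许用户/用户组(根据实际情况调整)
# AllowUsers user1 user2
# AllowGroups ssh-users
# 拒绝用户/用户组
# DenyUsers baduser
# DenyGroups badgroup
# 通道配置
AllowTcpForwarding no
AllowStreamLocalForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
# 子系统和SFTP配置 — internal-sftp needs no binary path, so it works on both the
# Debian (/usr/lib/openssh) and RHEL (/usr/libexec/openssh) layouts.
Subsystem sftp internal-sftp
# 其他安全配置
UseDNS no
IgnoreRhosts yes
HostbasedAuthentication no
EOF

chmod 600 /etc/ssh/sshd_config
chmod 644 /etc/ssh/ssh_config

# Validate before restarting; a bad config would otherwise leave sshd down.
if ! sshd -t; then
  echo "错误: sshd_config 校验失败,已恢复备份 $backup" >&2
  cp -p "$backup" /etc/ssh/sshd_config
  exit 1
fi

# The unit is called sshd on RHEL and ssh on Debian/Ubuntu; use whichever exists.
ssh_unit=sshd
systemctl cat sshd.service >/dev/null 2>&1 || ssh_unit=ssh
systemctl enable "$ssh_unit"
systemctl restart "$ssh_unit"
echo "SSH安全配置完成!"

echo "当前SSH连接:"
# netstat is deprecated and missing on minimal installs; ss is its replacement.
ss -tlnp '( sport = :22 )'
ss -tnp state established '( sport = :22 )'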
3.2 SSH密钥对管理
创建SSH密钥管理脚本:manage_ssh_keys.sh
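#!/bin/bash
# Root SSH key housekeeping. Must run as root.
#
# Unlike the original, this does NOT generate a client key pair by default.
# The original created /root/.ssh/id_ed25519 with an EMPTY passphrase
# (-N ""): an unencrypted credential left on the server, useful to whoever
# reads it and adding nothing to the server's own security. Generate one only
# when this host must act as an SSH client, and let ssh-keygen prompt for a
# passphrase:   GENERATE_KEY=1 ./manage_ssh_keys.sh
set -u

echo "=== SSH密钥管理 ==="

install -d -m 700 -o root -g root /root/.ssh
touch /root/.ssh/authorized_keys
chown root:root /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 644 /root/.ssh/known_hosts 2>/dev/null || true

if [ "${GENERATE_KEY:-0}" = "1" ] && [ ! -f /root/.ssh/id_ed25519 ]; then
  echo "生成新的ED25519 SSH密钥对(将提示输入口令)..."
  ssh-keygen -t ed25519 -a 100 -f /root/.ssh/id_ed25519 -C "root@$(hostname)-$(date +%Y%m%d)"
fi
if [ -f /root/.ssh/id_ed25519.pub ]; then
  echo "SSH公钥指纹:"
  ssh-keygen -lf /root/.ssh/id_ed25519.pub
fi

# For hardening, the keys that matter are the ones that GRANT access to root.
# Review this list: every entry is a password-less way in.
echo "/root/.ssh/authorized_keys 中的授权公钥:"
if [ -s /root/.ssh/authorized_keys ]; then
  ssh-keygen -lf /root/.ssh/authorized_keys
else
  echo "(空)"
fi

# Host key fingerprints, to hand to users for out-of-band verification.
echo "主机密钥指纹:"
for key in /etc/ssh/ssh_host_*_key.pub; do
  [ -f "$key" ] && ssh-keygen -lf "$key"
done
echo "SSH密钥管理完成!"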
4. 防火墙配置
4.1 UFW防火墙配置(Ubuntu/Debian)
创建UFW配置脚本:configure_ufw_firewall.sh
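#!/bin/bash
# UFW baseline: deny inbound, allow outbound, rate-limited SSH. Must run as root.
# `ufw reset` disables the firewall and drops every rule until `ufw enable`
# below — run from the console, or keep the current SSH session open.
set -u

echo "=== 配置UFW防火墙 ==="
SSH_PORT=${SSH_PORT:-22}   # must match `Port` in /etc/ssh/sshd_config

if ! command -v ufw >/dev/null 2>&1; then
  apt-get install -y ufw
fi

ufw --force reset
ufw default deny incoming
ufw default allow outgoing
# `limit` instead of `allow`: a source that opens more than 6 connections in
# 30 seconds is dropped, which blunts brute force before fail2ban even sees it.
ufw limit "${SSH_PORT}/tcp" comment 'SSH access'
# 允许HTTP/HTTPS(如果运行web服务)
# ufw allow 80/tcp comment 'HTTP'
# ufw allow 443/tcp comment 'HTTPS'
ufw logging on
ufw --force enable

echo "当前UFW规则:"
ufw status verbose
echo "UFW防火墙配置完成!"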
4.2 firewalld配置(CentOS/RHEL)
创建firewalld配置脚本:configure_firewalld.sh
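#!/bin/bash
# firewalld baseline for CentOS/RHEL: public zone, SSH only. Must run as root.
set -u

echo "=== 配置firewalld防火墙 ==="
SSH_PORT=${SSH_PORT:-22}   # must match `Port` in /etc/ssh/sshd_config

if ! command -v firewall-cmd >/dev/null 2>&1; then
  if command -v dnf >/dev/null 2>&1; then dnf install -y firewalld; else yum install -y firewalld; fi
fi
systemctl enable --now firewalld

firewall-cmd --set-default-zone=public
# Trim the services the default public zone opens. dhcpv6-client is only safe
# to drop on hosts with static or SLAAC-only IPv6 — with DHCPv6 it breaks
# address assignment. cockpit is absent on many installs; failure is harmless.
firewall-cmd --permanent --remove-service=dhcpv6-client
firewall-cmd --permanent --remove-service=cockpit 2>/dev/null || true
if [ "$SSH_PORT" = "22" ]; then
  firewall-cmd --permanent --add-service=ssh
else
  firewall-cmd --permanent --remove-service=ssh 2>/dev/null || true
  firewall-cmd --permanent --add-port="${SSH_PORT}/tcp"
fi
# 自定义端口(根据需要添加)
# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --permanent --add-port=443/tcp
# 启用伪装(仅当本机需要做 NAT/路由时)
# firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

echo "当前firewalld配置:"
firewall-cmd --list-all
echo "firewalld配置完成!"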
5. 文件系统和权限加固
5.1 文件权限检查与修复
创建文件权限检查脚本:check_file_permissions.sh
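#!/bin/bash
# File-system permission audit (read-only). Run as root so every directory is
# readable. Full results go to a report file: the original showed only
# `head -20` of each listing, which hides exactly the entries added last —
# the ones an attacker dropped in.
set -u

REPORT=${REPORT:-/var/log/file_permissions_audit_$(date +%Y%m%d_%H%M%S).txt}
echo "=== 文件系统权限检查 ==="
echo "完整结果: $REPORT"
: > "$REPORT"

echo "1. 检查关键文件权限:"
# file:acceptable-modes ("|"-separated). shadow/gshadow are 640 root:shadow on
# Debian and 000 root:root on RHEL; both are acceptable.
while IFS=: read -r file expected; do
  [ -f "$file" ] || continue
  mode=$(stat -c '%a' "$file")
  owner=$(stat -c '%U:%G' "$file")
  case "|$expected|" in
    *"|$mode|"*) status="ok" ;;
    *)           status="异常 (期望 $expected)" ;;
  esac
  printf '%s: %s %s %s\n' "$file" "$mode" "$owner" "$status" | tee -a "$REPORT"
done << 'EOF'
/etc/passwd:644
/etc/shadow:640|600|400|0
/etc/group:644
/etc/gshadow:640|600|400|0
/etc/sudoers:440
/etc/ssh/sshd_config:600|644
/etc/crontab:600|644
EOF
echo ""

# Run a listing command, keep the full output in the report, print a count and
# a short preview on the terminal.
section() {
  local title=$1; shift
  local tmp
  tmp=$(mktemp) || exit 1
  "$@" > "$tmp" 2>/dev/null
  { echo "## $title"; cat "$tmp"; echo; } >> "$REPORT"
  printf '%s: 共 %s 项(完整列表见报告)\n' "$title" "$(wc -l < "$tmp")"
  head -20 "$tmp"
  echo ""
  rm -f -- "$tmp"
}

# Scan every locally mounted filesystem (tmpfs included — /dev/shm and /tmp
# are favourite drop locations) but never cross into /proc, /sys or NFS.
mapfile -t LOCAL_FS < <(df --local --output=target 2>/dev/null | tail -n +2)
[ "${#LOCAL_FS[@]}" -gt 0 ] || LOCAL_FS=(/)

section "2. SUID/SGID文件" find "${LOCAL_FS[@]}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +
section "3. 世界可写文件" find "${LOCAL_FS[@]}" -xdev -type f -perm -0002 -exec ls -l {} +
# A world-writable directory without the sticky bit lets any user delete or
# replace other users' files in it.
section "4. 无粘滞位的世界可写目录" find "${LOCAL_FS[@]}" -xdev -type d -perm -0002 ! -perm -1000 -exec ls -ld {} +
section "5. 无主文件" find "${LOCAL_FS[@]}" -xdev \( -nouser -o -nogroup \) -exec ls -ld {} +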
5.2 修复关键文件权限
创建权限修复脚本:fix_critical_permissions.sh
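#!/bin/bash
# Reset ownership and mode of the files that control authentication and
# scheduled privilege. Must run as root.
set -u

echo "=== 修复关键文件权限 ==="

chown root:root /etc/passwd /etc/group
chmod 644 /etc/passwd /etc/group

# shadow/gshadow differ by distribution. Debian/Ubuntu keep them 640 root:shadow
# because setgid-shadow helpers (unix_chkpwd, used by screen lockers and other
# non-root password checks) must read them; RHEL has no `shadow` group and
# uses 000 root:root. A blanket `chmod 600` + `chown root:shadow` breaks the
# former and errors out on the latter.
if getent group shadow >/dev/null; then
  chown root:shadow /etc/shadow /etc/gshadow
  chmod 640 /etc/shadow /etc/gshadow
else
  chown root:root /etc/shadow /etc/gshadow
  chmod 000 /etc/shadow /etc/gshadow
fi

chown root:root /etc/sudoers
chmod 440 /etc/sudoers
# Drop-ins grant privilege just like sudoers itself; fix them too.
if [ -d /etc/sudoers.d ]; then
  chown -R root:root /etc/sudoers.d
  chmod 750 /etc/sudoers.d
  find /etc/sudoers.d -type f -exec chmod 440 {} +
fi

chown root:root /etc/crontab
chmod 600 /etc/crontab
# Iterate so a directory that does not exist on this distro is skipped instead
# of producing an error for the whole chmod/chown command.
for dir in /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly; do
  [ -d "$dir" ] || continue
  chown root:root "$dir"
  chmod 700 "$dir"
done

# /root/.ssh may not exist yet; create it with the right mode instead of failing.
install -d -m 700 -o root -g root /root/.ssh
if [ -f /root/.ssh/authorized_keys ]; then
  chown root:root /root/.ssh/authorized_keys
  chmod 600 /root/.ssh/authorized_keys
fi
echo "关键文件权限修复完成!"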
6. 服务管理和加固
6.1 不必要的服务禁用
创建服务管理脚本:manage_services.sh
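#!/bin/bash
# Disable legacy/unneeded network services and make sure the installed
# security services are enabled. Must run as root.
set -u

echo "=== 服务管理和加固 ==="

# True if a unit of this exact name is installed (any state) and is neither an
# alias (systemctl refuses to enable alias names) nor masked.
unit_exists() {
  local state
  state=$(systemctl list-unit-files --no-legend "$1" 2>/dev/null | awk 'NR==1 {print $2}')
  [ -n "$state" ] && [ "$state" != "alias" ] && [ "$state" != "masked" ]
}

services_to_disable=(
  telnet rsh rlogin rexec
  nfs nfs-server
  vsftpd tftp
  ypserv ypbind
  rpcbind portmap
  echo discard daytime chargen xinetd
  avahi-daemon cups dhcpd
)

# Stop AND disable. The original acted only when a unit was *active*, so a
# service that was enabled but happened to be stopped came back on reboot.
# Socket-activated units (rpcbind.socket, cups.socket, ...) are handled too;
# otherwise the socket simply re-spawns the service on the first connection.
for service in "${services_to_disable[@]}"; do
  for unit in "$service.service" "$service.socket"; do
    unit_exists "$unit" || continue
    if systemctl is-active --quiet "$unit" || systemctl is-enabled --quiet "$unit" 2>/dev/null; then
      echo "停止并禁用: $unit"
      systemctl disable --now "$unit"
    fi
  done
done

# Exactly one host firewall should be active. Enabling ufw and firewalld side
# by side leaves two tools fighting over the same iptables/nftables ruleset.
firewall_units=()
if unit_exists ufw.service && unit_exists firewalld.service; then
  echo "警告: 同时安装了 ufw 与 firewalld,请只保留一个(此处不自动选择)" >&2
elif unit_exists ufw.service; then
  firewall_units=(ufw)
elif unit_exists firewalld.service; then
  firewall_units=(firewalld)
fi

# ssh on Debian/Ubuntu, sshd on RHEL — whichever is installed gets enabled.
services_to_enable=(ssh sshd auditd rsyslog ${firewall_units[@]+"${firewall_units[@]}"})

# The original checked `is-enabled` before enabling, i.e. it only touched
# services that were already enabled — a no-op. Enable whatever is installed.
for service in "${services_to_enable[@]}"; do
  unit_exists "$service.service" || continue
  echo "确保服务已启用: $service"
  systemctl enable --now "$service"
done

echo "当前运行的服务:"
systemctl list-units --type=service --state=running --no-pager | head -20
echo "服务管理完成!"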
7. 系统审计和日志配置
7.1 auditd审计配置
创建审计配置脚本:configure_auditd.sh
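#!/bin/bash
# auditd installation, daemon tuning and a CIS-style rule set. Must run as root.
set -u

echo "=== 配置系统审计 ==="

if command -v apt-get >/dev/null 2>&1; then
  apt-get update
  apt-get install -y auditd audispd-plugins
elif command -v dnf >/dev/null 2>&1; then
  dnf install -y audit audit-libs
elif command -v yum >/dev/null 2>&1; then
  yum install -y audit audit-libs
fi

backup_time=$(date +%Y%m%d_%H%M%S)
cp -p /etc/audit/auditd.conf "/etc/audit/auditd.conf.backup_$backup_time"
[ -f /etc/audit/rules.d/audit.rules ] && cp -p /etc/audit/rules.d/audit.rules "/etc/audit/rules.d/audit.rules.backup_$backup_time"

# Tune individual keys instead of overwriting auditd.conf wholesale: the set
# of valid keywords differs between audit 2.x and 3.x (`dispatcher` and
# `disp_qos`, for instance, went away when audispd was merged into auditd),
# and a keyword the daemon does not know can keep it from starting at all.
set_auditd_conf() {
  local key=$1 value=$2
  if grep -qE "^#?\s*${key}\s*=" /etc/audit/auditd.conf; then
    sed -i -E "s|^#?\s*${key}\s*=.*|${key} = ${value}|" /etc/audit/auditd.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/audit/auditd.conf
  fi
}
set_auditd_conf log_file /var/log/audit/audit.log
set_auditd_conf max_log_file 6                    # MB per file
set_auditd_conf num_logs 5
set_auditd_conf max_log_file_action ROTATE        # KEEP_LOGS if every record must stay on the host
set_auditd_conf space_left 75                     # MB (audit 3.x also accepts e.g. 25%)
set_auditd_conf space_left_action SYSLOG
set_auditd_conf action_mail_acct root
set_auditd_conf admin_space_left 50
set_auditd_conf admin_space_left_action SUSPEND   # CIS prefers HALT; SUSPEND trades audit integrity for availability
set_auditd_conf disk_full_action SUSPEND
set_auditd_conf disk_error_action SUSPEND

cat > /etc/audit/rules.d/audit.rules << 'EOF'
# Remove all existing rules
-D
# Buffer size and failure mode (1 = printk on failure, 2 = kernel panic)
-b 8192
-f 1
--backlog_wait_time 60000
# Keep loading the remaining rules when one fails (e.g. a watched path that
# does not exist on this distribution, such as /etc/sysconfig/network on
# Debian). Without this the first bad line aborts the whole rule set.
-c

# Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

# User and group database
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

# Network configuration
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

# Mandatory access control policy
-w /etc/selinux/ -p wa -k MAC-policy
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy

# Login records
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

# Session records
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

# Permission and ownership changes by real users (auid >= 1000, excluding the
# "unset" auid 4294967295 used by daemons)
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

# File deletion by real users
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

# sudo configuration
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d -p wa -k scope

# Kernel modules. finit_module is what modprobe actually uses on current
# kernels; without it module loads were simply not recorded.
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S finit_module -S delete_module -k modules

# Mounts
-a always,exit -F arch=b64 -S mount -S umount2 -k mounts
-a always,exit -F arch=b32 -S mount -S umount -S umount2 -k mounts

# Privileged account-management commands
-w /usr/bin/passwd -p x -k privileged-passwd
-w /usr/sbin/useradd -p x -k privileged-useradd
-w /usr/sbin/usermod -p x -k privileged-usermod
-w /usr/sbin/userdel -p x -k privileged-userdel
-w /usr/sbin/groupadd -p x -k privileged-groupadd
-w /usr/sbin/groupmod -p x -k privileged-groupmod
-w /usr/sbin/groupdel -p x -k privileged-groupdel

# Make the configuration immutable. MUST be the last line: once -e 2 takes
# effect the kernel rejects every further rule change until reboot, so any
# rule after it would be silently lost when loading with `auditctl -R`.
-e 2
EOF

systemctl enable auditd
# `service auditd restart` on purpose: the auditd unit carries
# RefuseManualStop=yes on RHEL, so `systemctl restart auditd` is refused there.
service auditd restart 2>/dev/null || systemctl restart auditd

# Load the merged rules.d set. If a previous run already made the rules
# immutable, the new set only takes effect after a reboot.
if auditctl -s 2>/dev/null | grep -q '^enabled 2'; then
  echo "注意: 审计规则已处于不可变模式(-e 2),新规则将在重启后生效"
else
  augenrules --load || auditctl -R /etc/audit/rules.d/audit.rules
fi

echo "审计服务状态:"
auditctl -s
echo "系统审计配置完成!"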
8. 内核安全参数加固
8.1 sysctl安全配置
创建内核参数配置脚本:configure_sysctl_security.sh
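#!/bin/bash
# Kernel/network hardening via sysctl. Must run as root.
#
# Settings go into a dedicated drop-in rather than being appended to
# /etc/sysctl.conf: the original appended the same keys again on every run,
# and a drop-in can be removed cleanly. Files in /etc/sysctl.d are applied in
# lexical order, so 99- overrides distro defaults.
set -u

echo "=== 配置内核安全参数 ==="
CONF=/etc/sysctl.d/99-security-hardening.conf
backup_time=$(date +%Y%m%d_%H%M%S)
[ -f "$CONF" ] && cp -p "$CONF" "$CONF.backup_$backup_time"

cat > "$CONF" << 'EOF'
# --- 网络安全配置 ---
# 禁用IP转发 (do NOT apply on routers, Docker/Kubernetes hosts or VPN gateways)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# 禁用源路由. `all` only covers interfaces that exist now; `default` covers
# interfaces created later (VPN tunnels, container veths).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# 禁用ICMP重定向(接收与发送)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# 反向路径过滤 (1 = strict; use 2 on multi-homed hosts with asymmetric routing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 记录可疑数据包
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# 忽略ICMP广播 / 伪造的ICMP错误响应
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN flood 防护
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# 其他网络增强. Disabling timestamps hides uptime from probes but also
# removes PAWS protection and can hurt throughput on fast links; optional.
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0

# --- 系统安全配置 ---
# 地址空间随机化. (kernel.exec-shield existed only on RHEL 5/6 kernels; on
# current kernels it makes sysctl print "No such file or directory", so it
# is omitted here.)
kernel.randomize_va_space = 2
# 禁止 setuid 程序产生核心转储
fs.suid_dumpable = 0
# 符号链接/硬链接/FIFO/普通文件保护 (the last two need kernel >= 4.19)
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
# 限制 dmesg 与内核指针信息
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
# 仅允许 ptrace 自己的子进程 (needs the Yama LSM; ignored where absent)
kernel.yama.ptrace_scope = 1
# 禁止映射低地址(缓解 NULL 指针解引用利用)
vm.mmap_min_addr = 65536
# 限制用户命名空间. WARNING: 0 also stops root from creating them, which
# breaks Docker/Podman/LXC, systemd PrivateUsers= and browser sandboxes.
# Enable deliberately on hosts that run no containers:
# user.max_user_namespaces = 0
# (fs.file-max is intentionally not set: it is not a security control, and
# 65535 is far BELOW the default on current kernels — lowering it starves
# busy servers of file descriptors.)
EOF

# `sysctl -p` reads only /etc/sysctl.conf; --system applies every drop-in.
sysctl --system >/dev/null

echo "当前安全相关sysctl配置:"
sysctl -a 2>/dev/null | grep -E "(ip_forward|accept_source_route|accept_redirects|send_redirects|rp_filter|log_martians|randomize_va_space|suid_dumpable|protected_|dmesg_restrict|kptr_restrict|ptrace_scope)"
echo "内核安全参数配置完成!"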
9. 入侵检测和文件完整性检查
9.1 AIDE文件完整性检查
创建AIDE配置脚本:configure_aide.sh
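#!/bin/bash
# AIDE file-integrity baseline. Must run as root.
#
# Changes relative to the usual version of this script:
#  * The config is written BEFORE the database is initialised. The original
#    initialised with the stock config, then replaced the config, so the first
#    daily check compared against a database built with different rules.
#  * Every rule includes a checksum. `p+i+u+g+acl+selinux+xattrs` records
#    metadata only, so a content change that preserves size/mtime (or is
#    followed by a touch) went unnoticed.
#  * /etc/ssl and /etc/fstab are no longer excluded: a rogue CA in the trust
#    store or a changed mount option is exactly what integrity monitoring
#    exists to catch.
#  * The cron job no longer re-baselines the database every Monday, which
#    silently accepted whatever changed over the weekend. Re-baseline on
#    purpose, after reviewing a report (e.g. after package upgrades):
#      aide --config=<conf> --update && cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
set -u

echo "=== 配置AIDE文件完整性检查 ==="

if command -v apt-get >/dev/null 2>&1; then
  apt-get install -y aide aide-common
  AIDE_CONF=/etc/aide/aide.conf
elif command -v dnf >/dev/null 2>&1; then
  dnf install -y aide
  AIDE_CONF=/etc/aide.conf
else
  yum install -y aide
  AIDE_CONF=/etc/aide.conf
fi
# Pass the config explicitly so the same command works on both families
# (Debian's aideinit wrapper is not available on RHEL).
AIDE="aide --config=$AIDE_CONF"

backup_time=$(date +%Y%m%d_%H%M%S)
[ -f "$AIDE_CONF" ] && cp -p "$AIDE_CONF" "$AIDE_CONF.backup_$backup_time"
mkdir -p /var/lib/aide /var/log/aide

cat > "$AIDE_CONF" << 'EOF'
# AIDE configuration (written by configure_aide.sh)
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
gzip_dbout=yes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout

# Rule groups, spelled out so what is checked is visible.
PERMS = p+i+u+g+acl+selinux+xattrs
CONTENT = PERMS+n+s+sha256+sha512
# Logs grow and rotate: check ownership/permissions only.
LOGS = PERMS

# Excludes: editor backups and volatile files
!/etc/.*~
!/etc/.*\.(orig|bak|old)$
!/etc/aide/.*
!/etc/udev/.*
!/etc/mtab
!/etc/adjtime
!/var/log/aide/.*

# Monitored trees
/etc CONTENT
/boot CONTENT
/bin CONTENT
/sbin CONTENT
/lib CONTENT
/lib64 CONTENT
/usr/bin CONTENT
/usr/sbin CONTENT
/usr/lib CONTENT
/usr/lib64 CONTENT
/opt CONTENT
/root CONTENT
/var/log LOGS
/var/spool LOGS
EOF

echo "初始化AIDE数据库(可能需要数分钟)..."
# shellcheck disable=SC2086 — $AIDE is intentionally a command plus argument
$AIDE --init
# --init writes database_out; --check reads `database`. Activate it now so the
# first scheduled check runs against THIS configuration.
cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# The database is the root of trust: whoever can rewrite it can hide changes.
# Record its hash now and keep a copy off-host (or on read-only media);
# compare before trusting a "no changes" report.
echo "数据库校验和(请离线保存):"
sha256sum /var/lib/aide/aide.db.gz

cat > /etc/cron.daily/aide-check << EOF
#!/bin/bash
# Daily AIDE integrity check. aide(1) exit status: bit 1 = new files,
# bit 2 = removed, bit 4 = changed; values >= 14 are errors.
# This job never re-baselines the database — that is an admin decision.
report=\$($AIDE --check 2>&1)
status=\$?
if [ "\$status" -ne 0 ]; then
  /usr/bin/logger -t aide "AIDE检测到文件完整性变化 (exit \$status)"
  # Mail the full report if an MTA is configured; it is also in /var/log/aide/aide.log.
  command -v mail >/dev/null 2>&1 && printf '%s\n' "\$report" | mail -s "AIDE Alert on \$(hostname)" root
fi
exit 0
EOF
chmod 700 /etc/cron.daily/aide-check
echo "AIDE文件完整性检查配置完成!"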
10. 安全监控和告警
10.1 配置日志监控和告警
创建日志监控脚本:configure_log_monitoring.sh
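#!/bin/bash
# fail2ban, logwatch and a small periodic security monitor. Must run as root.
set -u

echo "=== 配置安全日志监控 ==="

if command -v apt-get >/dev/null 2>&1; then
  apt-get install -y logwatch fail2ban
elif command -v dnf >/dev/null 2>&1; then
  dnf install -y logwatch fail2ban   # needs EPEL on RHEL/CentOS
else
  yum install -y logwatch fail2ban   # needs EPEL on RHEL/CentOS
fi

# fail2ban. Differences from the usual copy of this jail file:
#  * No hard-coded logpath. /var/log/auth.log is Debian-only — RHEL writes
#    /var/log/secure, and journal-only hosts have neither. fail2ban's own
#    paths-*.conf maps sshd to the right file per distribution, and
#    backend=systemd reads the journal directly where it exists.
#  * No `sshd-ddos` jail. That filter was folded into the sshd filter in
#    fail2ban 0.10 as `mode = aggressive`; a jail naming the old filter makes
#    the whole service fail to start — i.e. no protection at all.
if [ -d /run/systemd/system ]; then backend=systemd; else backend=auto; fi
[ -f /etc/fail2ban/jail.local ] && cp -p /etc/fail2ban/jail.local "/etc/fail2ban/jail.local.backup_$(date +%Y%m%d_%H%M%S)"
cat > /etc/fail2ban/jail.local << EOF
[DEFAULT]
# 禁止时间(秒)
bantime = 3600
# 查找时间(秒)
findtime = 600
# 最大重试次数
maxretry = 5
backend = $backend
# Never ban localhost; add your management networks here.
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh
mode = aggressive
maxretry = 3
bantime = 86400
EOF
systemctl enable --now fail2ban
# Surface a broken jail now rather than after the next brute-force wave.
sleep 2
fail2ban-client status sshd >/dev/null 2>&1 || echo "警告: fail2ban sshd jail 未运行,请检查 'fail2ban-client -d' 与 journalctl -u fail2ban" >&2

# logwatch daily report
cat > /etc/cron.daily/00logwatch << 'EOF'
#!/bin/bash
# Logwatch每日报告
/usr/sbin/logwatch --output mail --mailto root --detail high
EOF
chmod +x /etc/cron.daily/00logwatch

cat > /usr/local/bin/security_monitor.sh << 'EOF'
#!/bin/bash
# Periodic security monitor (cron, every 30 minutes).
# Every check looks only at the LAST 30 MINUTES: the original grepped the
# entire auth log, so once 10 failures had ever occurred the alert fired on
# every run forever and became noise.
set -u
LOG_FILE="/var/log/security_monitor.log"
WINDOW_MIN=30

log_message() {
  printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}

# Recent sshd log lines from whichever source this host has: the journal
# (unit is ssh on Debian, sshd on RHEL) or the classic text logs.
recent_auth_log() {
  if [ -d /run/systemd/system ] && command -v journalctl >/dev/null 2>&1; then
    journalctl --since "-${WINDOW_MIN}min" -o cat -u ssh -u sshd 2>/dev/null
  else
    local f
    for f in /var/log/auth.log /var/log/secure; do
      # Text logs are not time-sliced here; the tail approximates the window.
      [ -f "$f" ] && tail -n 2000 "$f" && return
    done
  fi
}

check_failed_logins() {
  local failed_count
  failed_count=$(recent_auth_log | grep -c "Failed password")
  if [ "$failed_count" -gt 10 ]; then
    log_message "警告: 检测到大量失败登录尝试: $failed_count (最近${WINDOW_MIN}分钟)"
    return 1
  fi
  return 0
}

check_ssh_bruteforce() {
  local root_attempts
  root_attempts=$(recent_auth_log | grep -c "Failed password for root")
  if [ "$root_attempts" -gt 5 ]; then
    log_message "严重: 检测到SSH root暴力破解尝试: $root_attempts (最近${WINDOW_MIN}分钟)"
    return 1
  fi
  return 0
}

# Name-based matching catches only the laziest malware (real miners rename
# themselves); treat this as a smoke test, not detection. -x matches the
# process name exactly, whereas `pgrep -f miner` matched any command line
# containing the substring (paths, arguments, unrelated tools).
check_suspicious_processes() {
  local pattern found=0
  for pattern in miner backdoor botnet malware; do
    if pgrep -x -- "$pattern" >/dev/null; then
      log_message "严重: 检测到可疑进程: $pattern"
      found=1
    fi
  done
  return "$found"
}

# Port-scan heuristic: packets the host firewall logged as dropped/rejected
# within the window. Only meaningful where firewall logging is on
# (`ufw logging on`, or firewalld's LogDenied). The original grepped
# "PORT SCAN" in auth.log — nothing writes that string there.
check_port_scans() {
  local dropped
  if [ -d /run/systemd/system ] && command -v journalctl >/dev/null 2>&1; then
    dropped=$(journalctl -k --since "-${WINDOW_MIN}min" -o cat 2>/dev/null | grep -cE 'UFW BLOCK|FINAL_REJECT')
  else
    dropped=$(tail -n 2000 /var/log/kern.log 2>/dev/null | grep -cE 'UFW BLOCK|FINAL_REJECT')
  fi
  if [ "$dropped" -gt 100 ]; then
    log_message "警告: 最近${WINDOW_MIN}分钟防火墙丢弃 $dropped 个数据包,可能存在端口扫描"
    return 1
  fi
  return 0
}

check_disk_usage() {
  local usage
  usage=$(df / | awk 'NR==2 {print $5}' | sed 's/%//')
  if [ "$usage" -gt 90 ]; then
    log_message "警告: 根分区磁盘使用率超过90%: ${usage}%"
    return 1
  fi
  return 0
}

main() {
  log_message "开始安全检查"
  check_failed_logins
  check_ssh_bruteforce
  check_suspicious_processes
  check_port_scans
  check_disk_usage
  log_message "安全检查完成"
}

main
EOF
chmod 700 /usr/local/bin/security_monitor.sh

# A cron.d fragment is idempotent. The original appended a new line to root's
# crontab on every run, so after N runs the monitor ran N times per half hour.
cat > /etc/cron.d/security_monitor << 'EOF'
*/30 * * * * root /usr/local/bin/security_monitor.sh
EOF
chmod 644 /etc/cron.d/security_monitor
echo "安全监控配置完成!"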
安全加固流程图
graph TD
A[开始安全加固] --> B[系统更新和补丁管理]
B --> C[用户账户和密码策略]
C --> D[SSH服务安全配置]
D --> E[防火墙配置]
E --> F[文件系统和权限加固]
F --> G[服务管理和加固]
G --> H[系统审计和日志配置]
H --> I[内核安全参数加固]
I --> J[入侵检测和文件完整性检查]
J --> K[安全监控和告警]
K --> L[安全加固完成]
style A fill:#2E8B57,color:white
style B fill:#4169E1,color:white
style C fill:#4169E1,color:white
style D fill:#4169E1,color:white
style E fill:#4169E1,color:white
style F fill:#4169E1,color:white
style G fill:#4169E1,color:white
style H fill:#4169E1,color:white
style I fill:#4169E1,color:white
style J fill:#4169E1,color:white
style K fill:#4169E1,color:white
style L fill:#2E8B57,color:white
总结
本文详细介绍了Linux系统安全加固的十大关键配置项,每个配置项都提供了完整的脚本和详细说明。所有脚本均需以 root 身份运行,并针对 Debian/Ubuntu 与 RHEL/CentOS 两个发行版族编写(其他发行版的路径、服务名和 PAM 布局可能不同)。通过执行这些配置,可以显著提高系统的安全性,降低常见安全威胁带来的风险。
重要提醒:
- 测试环境验证:在生产环境应用前,请在测试环境充分验证所有配置;涉及 PAM、SSH 和防火墙的脚本一旦出错可能导致无法登录——执行时请始终保留一个已登录的 root 会话,并在新会话中确认登录成功后再断开
- 备份重要数据:执行任何系统级更改前,请确保有完整的备份
- 逐步实施:建议逐个配置项实施,确保每个步骤都正常工作
- 监控系统:加固后密切监控系统日志和性能指标
- 定期审查:安全配置需要定期审查和更新
通过系统性的安全加固,可以构建一个更加安全可靠的Linux系统环境。