Securing the CentOS Perfect Setup with Bastille

This document describes how to secure a CentOS server using psad, Bastille and a few other tweaks. psad is a tool that helps detect port scans and other suspicious traffic, while the Bastille hardening program locks down the operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise.

Create an additional account for system administration

The "adduser" command creates the account.

adduser service

The "passwd" command sets a password for the "service" account.

passwd service

Create a download directory

This creates a directory into which the RPMs and other files are downloaded.

mkdir /downloads
cd /downloads

Install psad

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic. For more information, click here.

wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
rpm -Uvh psad-1.4.6-1.i386.rpm
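To make concrete what psad does with those Netfilter log messages, here is an added example (not from the tutorial and not psad's own code) that groups logged packets by source address, counts the distinct destination ports each source touched, and maps packet counts onto the five "Danger Levels" answered in the Bastille prompts further down (5 50 1000 5000 10000). The log lines are constructed for this example and use RFC 5737 documentation addresses; real psad also weighs port ranges and signature matches, which this simplification leaves out.

```shell
#!/bin/sh
# Added example (not from the tutorial, not psad's code): a minimal
# illustration of psad-style scan detection over Netfilter log lines.
# Log lines below are constructed; addresses are RFC 5737 documentation ranges.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan  1 10:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan  1 10:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan  1 10:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan  1 10:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan  1 10:00:03 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jan  1 10:00:04 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Jan  1 10:00:05 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=6000 DPT=31337
EOF

# scan_sources LOGFILE THRESHOLD
# Print "source distinct_ports packets" for every source that touched at
# least THRESHOLD distinct destination ports. The tutorial answers 1 for
# "Port range scan threshold", i.e. every logged source gets reported.
scan_sources() {
    awk -v thr="$2" '
        /kernel:/ && /SRC=/ && /DPT=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            pkts[src]++
            key = src SUBSEP dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END {
            for (s in ports)
                if (ports[s] >= thr) print s, ports[s], pkts[s]
        }' "$1" | sort
}

# danger_level PACKETS
# Map a packet count onto the tutorial's five danger-level thresholds;
# 0 means the count is below the lowest level.
danger_level() {
    n=$1; level=0
    for t in 5 50 1000 5000 10000; do
        [ "$n" -ge "$t" ] && level=$((level + 1))
    done
    echo "$level"
}

# Report sources that probed at least three distinct ports.
scan_sources "$SAMPLE_LOG" 3 | while read -r src nports npkts; do
    echo "$src probed $nports ports with $npkts packets, danger level $(danger_level "$npkts")"
done
```

Running it as written reports only 203.0.113.5 (five ports, five packets, danger level 1); lowering the threshold to 1 also lists the two sources that hit a single port, which is what the tutorial's "Port range scan threshold: 1" answer asks psad to do.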

Install Bastille

The Bastille hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, reporting in detail on each of the security settings. For more information, click here.

wget http://easynews.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.0.9-1.0.noarch.rpm
wget ftp://ftp.icm.edu.pl/vol/rzm4/linux-dag/redhat/el4/en/i386/RPMS.dag/perl-Curses-1.12-1.2.el4.rf.i386.rpm

rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
rpm -Uvh perl-Curses-1.12-1.2.el4.rf.i386.rpm

Run Bastille

This starts the interactive prompts.

/usr/sbin/bastille -c

Interactive prompt responses

These settings are the recommendations for a Perfect Setup installation. If other software or packages have been installed, some values may need to be changed.

accept

<ENTER>

Would you like to set more restrictive permissions on the administration utilities? -> YES

<ENTER>

Would you like to disable SUID status for mount/umount? -> YES
Would you like to disable SUID status for ping? -> YES
Would you like to disable SUID status for at? -> YES
Would you like to disable the r-tools? -> YES
Would you like to disable SUID status for usernetctl? -> YES
Would you like to disable SUID status for traceroute? -> YES
Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
Would you like to enforce password aging? -> YES
Do you want to set the default umask? -> YES
What umask would you like to set for users on the system? -> 007
Should we disallow root login on tty's 1-6? -> NO
Should Bastille ask you for extraneous accounts to delete? -> NO
Would you like to password-protect the GRUB prompt? -> NO
Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
Would you like to password protect single-user mode? -> NO
Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
Would you like to display "Authorized Use" messages at log-in time? -> YES
Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
Would you like to put limits on system resource usage? -> YES

<ENTER>

Should we restrict console access to a small group of user accounts? -> YES
Which accounts should be able to login at console? -> root
Would you like to set up process accounting? -> NO

<ENTER>

Would you like to disable acpid and/or apmd? -> YES
Would you like to disable PCMCIA services? -> YES
Would you like to disable GPM? -> YES
Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? -> YES
Would you like to deactivate the ISDN script on this machine? -> YES
Would you like to deactivate kudzu's run at boot? -> YES
Do you want to stop sendmail from running in daemon mode? -> YES
Would you like to deactivate named, at least for now? -> NO
Would you like to deactivate the Apache web server? -> NO
Would you like to bind the Web server to listen only to the localhost? -> NO
Would you like to bind the web server to a particular interface? -> NO

<ENTER>

Would you like to deactivate the following of symbolic links? -> YES
Would you like to disable printing? -> YES
Would you like to install TMPDIR/TMP scripts? -> NO
Would you like to run the packet filtering script? -> YES

<ENTER>

Do you need the advanced networking options? -> NO
DNS Servers: [0.0.0.0/0] -> **LEAVE DEFAULT**
Public interfaces: -> eth+
TCP services to audit: -> telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
UDP services to audit: -> 31337
ICMP services to audit: -> **BLANK**
TCP service names or port numbers to allow on public interfaces: -> 21 22 25 53 80 110 111 143 443 631 953 993 995 3306
UDP service names or port numbers to allow on public interfaces: -> **BLANK**
Force passive mode? -> YES
TCP services to block: -> 2049 2065:2090 6000:6020 7100
UDP services to block: -> 2049 6770
ICMP allowed types: -> destination-unreachable echo-reply time-exceeded
Enable source address verification? -> YES
Reject method: -> DENY
Interfaces for DHCP queries: -> **BLANK**
NTP servers to query: -> **BLANK**
ICMP types to disallow outbound: -> destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? -> YES
Would you like to setup psad? -> YES
psad check interval: -> 15
Port range scan threshold: -> 1
Enable scan persistence? -> NO
Scan timeout: -> 3600
Show all scan signatures? -> NO
Danger Levels: -> 5 50 1000 5000 10000
Email addresses: -> root@localhost
Email alert danger level: -> 1
Alert on all new packets? -> YES
Enable automatic blocking of scanning IPs? -> NO
Should Bastille enable psad at boot time? -> YES
Are you finished answering the questions, i.e. may we make the changes? -> YES

<TAB>
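Bastille applies the answers above silently, so it is worth verifying afterwards that the SUID bits were really stripped and that the CTRL-ALT-DELETE entry was really disabled. The following added example (not part of the tutorial or of Bastille) does that; the binary paths are those assumed for a CentOS 4 era system and may differ on other releases.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of Bastille: verify that the
# SUID-related answers took effect and that the CTRL-ALT-DELETE answer
# disabled the SysV inittab entry. Binary paths are assumed (CentOS 4 era).

# file_has_suid PATH
# Return 0 when PATH carries the set-user-ID bit, 1 otherwise (including a
# missing file). Reads the owner-execute column of `ls -ld`, so it needs no
# GNU-specific stat flags.
file_has_suid() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Binaries the Bastille prompts offer to strip of SUID (paths assumed).
SUID_CANDIDATES="/bin/mount /bin/umount /bin/ping /usr/bin/at /sbin/usernetctl /bin/traceroute"

# audit_suid_binaries
# Print one line per installed candidate; return 1 if any still has SUID set.
audit_suid_binaries() {
    rc=0
    for p in $SUID_CANDIDATES; do
        [ -e "$p" ] || continue
        if file_has_suid "$p"; then
            echo "SUID  $p (still set)"; rc=1
        else
            echo "ok    $p"
        fi
    done
    return $rc
}

# ctrlaltdel_disabled INITTAB
# Return 0 when no active (uncommented) ctrlaltdel action remains in the
# SysV inittab, which is where Bastille disables three-finger reboots on
# this generation of CentOS.
ctrlaltdel_disabled() {
    ! grep -v '^[[:space:]]*#' "$1" | grep -q ':ctrlaltdel:'
}

# Run the live audit only when invoked as:  sh this_script.sh audit
if [ "${1-}" = "audit" ]; then
    audit_suid_binaries
    if [ -e /etc/inittab ]; then
        if ctrlaltdel_disabled /etc/inittab; then
            echo "ok    ctrlaltdel disabled in /etc/inittab"
        else
            echo "WARN  ctrlaltdel still active in /etc/inittab"
        fi
    fi
fi
```

The checks are written as functions taking paths so they can be pointed at a copied inittab or at individual binaries; the live run is guarded behind the `audit` argument so sourcing the file does nothing on its own.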

Edit the SSH configuration

One more step is needed to secure SSH. The following settings will:

  • ensure that SSHv2 is used
  • prevent the root user from logging in directly over SSH
  • disallow logins for accounts that have no password
  • display a login banner.

vi /etc/ssh/sshd_config

Edit the following lines and remove the comment markers. Don't forget to save and exit.

#Protocol 2,1 -> Protocol 2
#PermitRootLogin yes -> PermitRootLogin no
#PermitEmptyPasswords no -> PermitEmptyPasswords no
#Banner /some/path -> Banner /etc/issue
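One subtlety when editing sshd_config by hand: sshd honours the first uncommented occurrence of each keyword, so a leftover "#PermitRootLogin yes" is harmless, but an uncommented "PermitRootLogin yes" earlier in the file silently overrides an edit made further down. The following added example (not from the tutorial) reports the value sshd will actually use for the four settings above; the default values it assumes for unset keywords are those of the OpenSSH versions of the CentOS 4 era, and the sample configuration at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: check that the four sshd_config edits
# are in effect, using sshd's first-match-wins rule. Defaults assumed for
# unset keywords: Protocol 2,1 / PermitRootLogin yes / PermitEmptyPasswords no.

# sshd_effective FILE KEYWORD
# Print the value sshd will use for KEYWORD: first uncommented match, keyword
# compared case-insensitively, stopping at the first Match block because
# anything inside it is conditional. Prints nothing if the keyword is unset.
sshd_effective() {
    awk -v kw="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
        tolower($1) == tolower(kw) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# check_one FILE KEYWORD EXPECTED DEFAULT
# Print ok/FAIL for one setting; return 1 on FAIL.
check_one() {
    got=$(sshd_effective "$1" "$2")
    got=${got:-$4}
    if [ "$got" = "$3" ]; then
        echo "ok   $2 $got"
    else
        echo "FAIL $2 is '$got', expected '$3'"
        return 1
    fi
}

# sshd_check_hardening FILE
# Apply the four checks from the tutorial; return the number of failures.
sshd_check_hardening() {
    bad=0
    check_one "$1" Protocol             2  "2,1" || bad=$((bad + 1))
    check_one "$1" PermitRootLogin      no yes   || bad=$((bad + 1))
    check_one "$1" PermitEmptyPasswords no no    || bad=$((bad + 1))
    # Any banner path counts; the tutorial uses /etc/issue.
    banner=$(sshd_effective "$1" Banner)
    if [ -n "$banner" ] && [ "$banner" != none ]; then
        echo "ok   Banner $banner"
    else
        echo "FAIL Banner is '${banner:-none}', expected a file path"
        bad=$((bad + 1))
    fi
    return $bad
}

# Constructed sample that looks hardened but is not: the first
# PermitRootLogin line wins, and Protocol was never uncommented.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
#Protocol 2,1
PermitRootLogin yes
#PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue
EOF

sshd_check_hardening "$SAMPLE_CFG" || echo "settings needing attention: $?"
```

Point `sshd_check_hardening` at /etc/ssh/sshd_config after saving the edits; on the constructed sample it reports two failures (Protocol still at its default and PermitRootLogin resolving to yes), which is exactly the kind of mistake the side-by-side "before -> after" list above cannot catch on its own.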

Reboot the system

Reboot the system as a final check and make sure everything starts up correctly.

reboot
