使用Bastille保护CentOS完美设置

使用Bastille狱保护CentOS完美设置

本文介绍如何使用psad，Bastille和其他一些调整来保护CentOS服务器。 psad是一种帮助检测端口扫描和其他可疑流量的工具，而Bastille加固程序会锁定操作系统，主动配置系统以提高安全性并降低其易受损害性。

为系统管理创建一个额外的帐户

“adduser”命令将创建一个帐户。

adduser service

“passwd”命令将设置“服务”帐户的密码。

passwd service

创建下载目录。

这将创建一个目录来下载RPMs和其他文件。

mkdir /downloads
cd /downloads

安装PSAD

psad是在Linux机器上运行的三个轻量级系统守护程序（两个主要守护程序和一个帮助守护程序）的集合 ，并分析Netfilter日志消息以检测端口扫描和其他可疑流量。 更多信息，请点击这里 。

wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
rpm -Uvh psad-1.4.6-1.i386.rpm

安装Bastille狱

Bastille Hardening程序“锁定”操作系统，主动配置系统以提高安全性并降低其易受损害性。 Bastille狱也可以评估系统目前的加固状态，并对每个安全设置进行细致的报告。 更多信息，请点击这里 。

wget http://easynews.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.0.9-1.0.noarch.rpm
 wget ftp://ftp.icm.edu.pl/vol/rzm4/linux-dag/redhat/el4/en/i386/RPMS.dag/perl-Curses-1.12-1.2.el4.rf.i386.rpm

rpm -ivh Bastille-3.0.9-1.0.noarch.rpm 
rpm -Uvh perl-Curses-1.12-1.2.el4.rf.i386.rpm

运行Bastille狱

这将启动交互式提示。

/usr/sbin/bastille -c

交互式提示响应

这些设置是Perfect Setup安装的建议。 如果已安装其他软件或软件包，则可能需要更改certian值。

accept

<ENTER>

 Would you like to set more restrictive permissions on the administration utilities? -> YES

 <ENTER>

 Would you like to disable SUID status for mount/umount? -> YES
 Would you like to disable SUID status for ping? -> YES
 Would you like to disable SUID status for at? -> YES
 Would you like to disable the r-tools? -> YES
 Would you like to disable SUID status for usernetctl? -> YES
 Would you like to disable SUID status for traceroute? -> YES
 Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
 Would you like to enforce password aging? -> YES
 Do you want to set the default umask? -> YES 
 What umask would you like to set for users on the system? -> 007
 Should we disallow root login on tty's 1-6? -> NO
 Should Bastille ask you for extraneous accounts to delete? -> NO
 Would you like to password-protect the GRUB prompt? -> NO
 Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
 Would you like to password protect single-user mode? -> NO
 Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
 Would you like to display "Authorized Use" messages at log-in time? -> YES
 Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
 Would you like to put limits on system resource usage? -> YES

 <ENTER>

 Should we restrict console access to a small group of user accounts? -> YES
 Which accounts should be able to login at console? -> root
 Would you like to set up process accounting? -> NO

 <ENTER>

 Would you like to disable acpid and/or apmd? -> YES
 Would you like to disable PCMCIA services? -> YES
 Would you like to disable GPM? -> YES
 Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? -> YES
 Would you like to deactivate the ISDN script on this machine? -> YES
 Would you like to deactivate kudzu's run at boot? -> YES
 Do you want to stop sendmail from running in daemon mode? -> YES
 Would you like to deactivate named, at least for now? -> NO
 Would you like to deactivate the Apache web server? -> NO
 Would you like to bind the Web server to listen only to the localhost? -> NO
 Would you like to bind the web server to a particular interface? -> NO

 <ENTER>

 Would you like to deactivate the following of symbolic links? -> YES
 Would you like to disable printing? -> YES
 Would you like to install TMPDIR/TMP scripts? -> NO
 Would you like to run the packet filtering script? -> YES

 <ENTER>

 Do you need the advanced networking options? -> NO
 DNS Servers: [0.0.0.0/0] -> **LEAVE DEFAULT**
 Public interfaces: -> eth+
 TCP services to audit: -> telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
 UDP services to audit: -> 31337
 ICMP services to audit: -> **BLANK**
 TCP service names or port numbers to allow on public interfaces: -> 21 22 25 53 80 110 111 143 443 631 953 993 995 3306
 UDP service names or port numbers to allow on public interfaces: -> **BLANK**
 Force passive mode? -> YES
 TCP services to block: -> 2049 2065:2090 6000:6020 7100
 UDP services to block: -> 2049 6770
 ICMP allowed types: -> destination-unreachable echo-reply time-exceeded
 Enable source address verification? -> YES
 Reject method: -> DENY
 Interfaces for DHCP queries: -> **BLANK**
 NTP servers to query: -> **BLANK**
 ICMP types to disallow outbound: -> destination-unreachable time-exceeded
 Should Bastille run the firewall and enable it at boot time? -> YES
 Would you like to setup psad? -> YES
 psad check interval: -> 15
 Port range scan threshold: -> 1
 Enable scan persistence? -> NO
 Scan timeout: -> 3600
 Show all scan signatures? -> NO
 Danger Levels: -> 5 50 1000 5000 10000
 Email addresses: -> root@localhost
 Email alert danger level: -> 1
 Alert on all new packets? -> YES
 Enable automatic blocking of scanning IPs? -> NO
 Should Bastille enable psad at boot time? -> YES
 Are you finished answering the questions, i.e. may we make the changes? -> YES

 <TAB>

编辑SSH配置

这将需要额外的一步来保护SSH。 以下设置将：

• 确保使用SSHv2
• root用户无法通过SSH直接登录
• 不允许没有密码的帐户登录
• 将显示一个登录横幅。

vi /etc/ssh/sshd_config

编辑以下行并删除备注。 不要忘记保存退出。

#Protocol 2,1 -> Protocol 2
 #PermitRootLogin yes -> PermitRootLogin no
 #PermitEmptyPasswords no -> PermitEmptyPasswords no
 #Banner /some/path -> Banner /etc/issue

重启系统

请重新启动系统作为最后检查。 确保一切正常开始。

reboot