等保测评-服务器整改
<p>[TOC]</p>
<h2>1. 创建新账号:</h2>
<p><code>useradd -d /home/risen -m risen</code>
两个risen都为用户名,保持一致
创建成功之后查看:<code>cat /etc/passwd</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/d1ecaf0d60b5753b9537d3839b207c16" alt="" />
结尾为/bin/bash,如不一样则改成图片所示
删除用户:<code>userdel risen</code></p>
<h2>2. 修改用户密码:</h2>
<p>passwd risen
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/864ebdd6b2cc623be7dfa47e95708ba9" alt="" /></p>
<h2>3. 设置用户密码有效期:</h2>
<p><code>chage -l risen</code>
<code>chage -M 90 risen</code></p>
<p>chage的参数注释:</p>
<pre><code>-m 密码可更改的最小天数。为零时代表任何时候都可以更改密码
-M 密码保持有效的最大天数
-W 用户密码到期前,提前收到警告信息的天数
-E 帐号到期的日期。过了这天,此帐号将不可用
-d 上一次更改的日期
-i 停滞时期。如果一个密码已过期这些天,那么此帐号将不可用
-l 例出当前的设置。由非特权用户来确定他们的密码或帐号何时过期</code></pre>
<h2>4. 配置登录失败次数及锁定时间(root用户也在内):</h2>
<ul>
<li>
<p>1) 检查是否有pam_tally2.so模块:<code>find / -name &quot;pam_tally2.so&quot;</code></p>
</li>
<li>
<p>2) 备份相关ssh远程文件避免编辑出错:
<code>cp /etc/pam.d/sshd /etc/pam.d/sshd.bak</code>
<code>cp /etc/pam.d/login /etc/pam.d/login.bak</code></p>
</li>
<li>
<p>3) CentOS、Fedora、RHEL、kylin系统(备份system-auth)
Kylin
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/e70ffb5055ee26ee4bae35126e709e52" alt="" />
centos
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/59dcb8a4bdf2045a9f945e4abb858314" alt="" />
<code>cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak</code></p>
</li>
<li>
<p>4) Debian、Ubuntu 或 Linux Mint 系统(备份common-password)
Ubuntu
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/82a9259a7e3829a17b9ddf21f1fb90ea" alt="" />
Debian
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/e15477d412c9f37fff89e6b9270f2057" alt="" />
<code>cp /etc/pam.d/common-password /etc/pam.d/common-password.bak</code></p>
</li>
<li>
<p>5) 设置服务器终端失败处理策略
<code>vi /etc/pam.d/system-auth</code>
在第一行下面添加如下内容:
<code>auth required pam_tally2.so onerr=fail deny=5 unlock_time=300 even_deny_root root_unlock_time=300</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/c266d2befd77e866726d8800c1da1bd8" alt="" />
参数注释:</p>
<pre><code>-deny:设置普通用户和root用户连续错误登陆的最大次数,超过最大次数,则锁定该用户
-unlock_time:设定普通用户锁定后,多少时间后解锁,单位是秒
-even_deny_root: 此策略对root用户也生效
-root_unlock_time:设定root用户锁定后,多少时间后解锁,单位是秒</code></pre>
<p>验证效果如下
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/89b3df6a6d79dd9b27066d6954ff5b38" alt="" /></p>
</li>
<li>
<p>6) 设置ssh远程登录失败处理策略
<code>vi /etc/pam.d/sshd</code>
同样的在第一行下面添加如下内容:
<code>auth required pam_tally2.so deny=6 unlock_time=300 even_deny_root root_unlock_time=300</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/8664740aa547cfd945d03e4b844dd231" alt="" />
<code>vi /etc/pam.d/login</code>
第一行下面添加如下内容:
<code>auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/7754ba9d68819322663f7ddb015f047a" alt="" />
验证方式:先输入错误密码达到限制次数后,再输入正确密码也会提示拒绝连接
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/505eec2f8f38b6ff809105bf32a1f088" alt="" />
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/1589044ae4a1e9bcb0f12d6ca940fbc8" alt="" /></p>
</li>
<li>
<p>7) 查看用户登录失败的次数
<code>pam_tally2 -u test</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/1b7702eb1d538763ca6f79e422104285" alt="" /></p>
</li>
<li>8) 解锁指定用户
<code>pam_tally2 -u test -r</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/771b3af8030f8e59389253b74d15e040" alt="" />
<h2>5. 用户无操作达到时间自动退出终端:</h2>
<p>只针对单个用户生效:
例如risen用户,修改如下文件
<code>su - risen</code>
<code>vi /home/risen/.bashrc</code>
在最后一行添加如下参数
TMOUT=1800 #超时单位默认为秒
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/5ae7d8cd1d2a721a964d692d0467efb2" alt="" />
使配置生效
<code>source /home/risen/.bashrc</code>
验证效果如下(验证效果时间可设置为20,确认之后再改成30分钟)
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/f705837c1c64f6b09758508b2e3779ea" alt="" /></p></li>
</ul>
<h2>6. 开通服务器审计功能:</h2>
<p>kylin和centos默认安装了此套件,uos和ubuntu需要手动安装</p>
<ul>
<li>
<p>1) 检查服务器是否安装audit
<code>systemctl status auditd.service</code>
如图所示审计功能未安装
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/5d3b58df56da404508af87307fed90cf" alt="" />
服务器如果<code>通外网</code>执行以下安装命令
uos和ubuntu系统:<code>sudo apt-get install auditd</code>
kylin和centos系统:<code>yum -y install audit*</code></p>
</li>
<li>
<p>2) 再次检查服务状态
<code>systemctl status auditd.service</code>
如图所示审计功能已安装,但是未启动
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/3103dc063ee35ebd6a6bf276b1fa1164" alt="" /></p>
</li>
<li>
<p>3) 启动审计功能
<code>systemctl start auditd.service</code>
查看状态
<code>systemctl status auditd.service</code>
如图所示启动成功
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/b3e65256c9f2d7c93a2d553bcc36ca83" alt="" />
设置开机启动
<code>systemctl enable auditd.service</code></p>
</li>
<li>
<p>4) 修改审计功能配置文件
<code>vim /etc/audit/auditd.conf</code>
修改参数未以下值:
<code>freq = 50</code> #意思是当有50条记录时才同步到日志文件
<code>max_log_file = 10</code> #设置日志文件的大小,单位为M
<code>max_log_file_action = ROTATE</code> #当max_log_file设置的大小达到后,deamon程序将执行的动作,这里为循环式地记录
<code>num_logs = 99</code> #设置日志文件的最多数量</p>
</li>
<li>
<p>5) 添加审计规则(可根据需求进行规则调整,自行调研)
<code>auditctl -w /etc/passwd -p wa -k passwd_changes</code>
<code>auditctl -w /etc/selinux/ -p wa -k selinux_changes</code>
<code>auditctl -w /bin/rm -p x -k removefile</code>
<code>auditctl -w /risen/soft/nginx/sbin/nginx -p x -k nginx_changes</code>
<code>auditctl -w /risen/soft/nginx/conf/nginx.conf -p rwa -k nginxfile_changes</code></p>
</li>
<li>6) 重启审计生效
<code>service auditd restart</code>
<code>auditctl -l</code> 查看定义的规则
<code>auditctl -D</code> 清空定义的规则</li>
</ul>
<h2>7. 限制root账户远程登录方法:</h2>
<p>修改<code>/etc/ssh/sshd_config</code>文件,找到<code>PermitRootLogin</code>参数</p>
<ul>
<li>
<p>1) 允许root远程登录
<code>vim /etc/ssh/sshd_config</code>
<code>PermitRootLogin</code>设置为<code>yes</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/a7440b54822e946b3a9a874f0a54779c" alt="" /></p>
</li>
<li>2) 禁止root远程登录(此操作会影响到异地备份功能)
<code>vim /etc/ssh/sshd_config</code>
<code>PermitRootLogin</code>设置为<code>no</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/ad90ae284a547514c08188abf934c78a" alt="" />
配置参数重启生效
<code>systemctl restart sshd.service</code></li>
</ul>
<h2>8. 服务器密码复杂程度策略:</h2>
<p>查看操作系统:<code>cat /proc/version</code>,根据查询到的结果选择相应步骤
设置的密码复杂程度:</p>
<pre><code>-retry尝试次数:3
-difok新旧密码最少不同字符:3
-minlen最小密码长度:10
-ucredit最少大写字母:1
-lcredit最少小写字母:2
-dcredit最少数字:1
-ocredit最少标点符号:1</code></pre>
<ul>
<li>
<p>1) Debian、Ubuntu 或 Linux Mint 系统(需安装libpam-cracklib依赖)
Ubuntu
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/82a9259a7e3829a17b9ddf21f1fb90ea" alt="" />
Debian
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/e15477d412c9f37fff89e6b9270f2057" alt="" />
① 方法一(选择一种):服务器通互联网执行如下命令即可:
<code>apt-get install libpam-cracklib</code>
② 方法二(选择一种):服务器不通网安装如下依赖包:
[点击下载有依赖:cracklib.zip](<a href="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/872a6b947659a4dbea46a0236221b3c9">http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/872a6b947659a4dbea46a0236221b3c9</a> "[cracklib.zip")
将依赖包上传到服务器/risen/soft/下解压:<code>unzip cracklib.zip</code>
进入解压好的文件夹cd /risen/soft/cracklib,安装依赖:<code>dpkg -i *.deb</code>
③ 验证是否安装成功
<code>find / -name pam_cracklib.so</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/6afd57d6a1381c3c13fc0677bcf40581" alt="" />
再编辑<code>vim /etc/pam.d/common-password</code>文件
添加密码策略(加到最后一行):
<code>password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/e78fdf345667f23b64d5bdb7ec8be9e8" alt="" /></p>
</li>
<li>
<p>2) CentOS、Fedora、RHEL、kylin系统(自带libpam-cracklib依赖)
Kylin
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/e70ffb5055ee26ee4bae35126e709e52" alt="" />
centos
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/59dcb8a4bdf2045a9f945e4abb858314" alt="" />
验证依赖是否存在:find / -name pam_cracklib.so
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/808e83a628c6f661c51438c58102c13e" alt="" />
编辑 <code>vim /etc/pam.d/system-auth</code> 文件
添加密码策略(加入到如图所示位置):
<code>password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1</code>
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/abd9eeb45e595cf1a9b6594331c954f2" alt="" /></p>
</li>
<li>3) 验证方法
切换到普通用户:<code>su - risen</code>
修改当前用户密码:<code>passwd</code>
输入新密码验证策略是否生效(如图所示)
<img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/36a7990a0f30b97815d8bed9d5487786" alt="" /></li>
</ul>