# Linux system security baseline standards

The common Linux vulnerabilities, or more precisely misconfigurations, fall roughly into the following points:

1. Root logging in directly on local terminals (ttys).

sed -i '/^tty[0-9][0-9]*$/d' /etc/securetty
sed -i '/^vc\/[0-9][0-9]*$/d' /etc/securetty

Removing the tty and vc entries from /etc/securetty makes pam_securetty refuse direct root logins on the virtual consoles, so administrators log in as themselves and escalate with su or sudo, which leaves an audit trail. A pattern of tty[0-9]$ would only match tty0 to tty9 and leave tty10 to tty12 open; the patterns above match any number of digits. Check afterwards that the file is still consulted: newer distributions no longer ship /etc/securetty and the restriction is effectively gone, so confirm the file exists and that /etc/pam.d/login still references pam_securetty.so.

2. Root login over SSH. Set PermitRootLogin no in /etc/ssh/sshd_config (the default on OpenSSH 7.0+ is prohibit-password, which still allows key-based root logins) and reload sshd.
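
The following is an added example, not part of the original page: it sets PermitRootLogin to no in an sshd_config file the way sshd actually parses it (first occurrence wins, Match blocks are scoped) and verifies the result. The file path is an assumption passed as an argument; the sample configuration at the bottom is constructed for the demonstration.

```bash
#!/bin/bash
# Added example: enforce "PermitRootLogin no" in an sshd_config file.
# Assumption: the file path is passed as an argument; on a real host it is
# /etc/ssh/sshd_config, followed by `sshd -t` and `systemctl reload sshd`.

# Effective global PermitRootLogin value. sshd uses the FIRST occurrence of
# a keyword, and a Match block only applies to the connections it matches,
# so read up to the first "Match" line and stop at the first hit.
effective_permit_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1"
}

# Pass (exit 0) only when root login is explicitly "no". An absent directive
# means the compiled-in default (prohibit-password on OpenSSH 7.0+, yes on
# older releases), which this check deliberately does not accept.
sshd_root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Rewrite the file: drop every global PermitRootLogin line and put
# "PermitRootLogin no" at the very top, where no earlier line can win.
# Settings inside Match blocks are left alone.
harden_sshd_config() {
    local f="$1" tmp
    tmp="$(mktemp)"
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { next }
        { print }
    ' "$f" > "$tmp"
    { echo "PermitRootLogin no"; cat "$tmp"; } > "$f"
    rm -f "$tmp"
}

# Demonstration on a constructed config (not a real host's file).
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PermitRootLogin no
EOF
echo "before: PermitRootLogin=$(effective_permit_root_login "$demo_cfg")"
harden_sshd_config "$demo_cfg"
echo "after:  PermitRootLogin=$(effective_permit_root_login "$demo_cfg")"
sshd_root_login_disabled "$demo_cfg" && echo "check: root login over SSH is disabled"
rm -f "$demo_cfg"
```

Run `sshd -t` after editing the real file; a typo in sshd_config can lock you out on the next reload, so keep an existing session open until the new configuration has been tested from a second connection.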

3. ICMP redirect acceptance

A host on the same link can send ICMP redirects that rewrite this machine's routes toward an attacker-controlled gateway (a man-in-the-middle primitive), so do not accept them, including the "secure" variant that trusts redirects from known gateways. Put the values in /etc/sysctl.conf or a file under /etc/sysctl.d/ and apply them with sysctl -p; the IPv6 equivalents are net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects:

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

4. Database services with open network access: an instance bound to 0.0.0.0 and reachable from any client, with no host restrictions in its grants or in the firewall. Bind it to localhost or the application network only and restrict the allowed source hosts in both places.

5. Certificates and protocol versions used by SSL/TLS

The subject's common name (CN) field in the X.509 certificate should match the name of the entity presenting the certificate (e.g., the hostname). Modern clients validate the Subject Alternative Name (SAN) extension rather than the CN, so the hostname must appear there as well. This is done by generating a new certificate, usually signed by a Certification Authority (CA) trusted by both the client and server.

Configure the server to require TLS 1.2 or later with Authenticated Encryption with Associated Data (AEAD) cipher suites.

BEAST targets the CBC cipher suites of SSLv3 and TLS 1.0; there is no server-side fix short of disabling those protocol versions. The only fully safe configuration is TLS 1.2 or later with AEAD suites, e.g. AES-GCM, AES-CCM or ChaCha20-Poly1305.

Send the X-Frame-Options response header (DENY or SAMEORIGIN) so that browsers refuse to render the site inside a frame where framing is not intended (clickjacking).

Configure the server to disable the 3DES cipher suites (64-bit block size, Sweet32).
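
As an added example (not from the original page), the script below audits an nginx TLS configuration for the points listed above and shows the hardened directives next to a constructed weak one. nginx syntax is an assumption; Apache uses SSLProtocol, SSLCipherSuite and `Header always set X-Frame-Options` for the same settings.

```bash
#!/bin/bash
# Added example: audit an nginx TLS configuration for the weaknesses listed
# above and show the hardened directives beside it. nginx syntax is assumed;
# Apache uses SSLProtocol / SSLCipherSuite / "Header always set X-Frame-Options".

# Last value of a directive in the file (nginx lets a later directive in the
# same block override an earlier one); the trailing ';' is stripped.
last_directive() {
    awk -v d="$1" '
        $1 == d { $1 = ""; sub(/;.*/, ""); sub(/^[ \t]+/, ""); v = $0 }
        END { print v }
    ' "$2"
}

# Print one finding per line, nothing when the config is clean; exit 1 on
# any finding.
audit_tls_config() {
    local f="$1" protos ciphers bad rc=0
    protos="$(last_directive ssl_protocols "$f")"
    ciphers="$(last_directive ssl_ciphers "$f")"
    for bad in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        # whole-token match so that TLSv1 does not also flag TLSv1.2
        if printf '%s\n' $protos | grep -qx "$bad"; then
            echo "weak protocol enabled: $bad (CBC suites exposed to BEAST/POODLE)"; rc=1
        fi
    done
    case "$ciphers" in
        *3DES*|*DES-CBC3*) echo "3DES suites explicitly enabled (Sweet32)"; rc=1 ;;
    esac
    case "$ciphers" in
        *RC4*) echo "RC4 suites explicitly enabled"; rc=1 ;;
    esac
    if ! grep -q 'add_header[[:space:]]*X-Frame-Options' "$f"; then
        echo "X-Frame-Options header not sent (clickjacking)"; rc=1
    fi
    return $rc
}

# Audit a configuration held in a string (convenience wrapper).
audit_tls_string() {
    local tmp rc
    tmp="$(mktemp)"
    printf '%s\n' "$1" > "$tmp"
    audit_tls_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed "before" configuration with every weakness from the list.
WEAK_TLS_CONF='
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:3DES:!aNULL:!MD5;
'

# Hardened configuration: TLS 1.2+ and AEAD suites only. TLS 1.3 suites are
# AEAD by definition and are not controlled through ssl_ciphers.
HARDENED_TLS_CONF='
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header X-Frame-Options "SAMEORIGIN" always;
'

echo "== weak config"
audit_tls_string "$WEAK_TLS_CONF" || true
echo "== hardened config"
audit_tls_string "$HARDENED_TLS_CONF" && echo "no findings"
```

The cipher check is textual: a keyword such as HIGH can pull in 3DES implicitly on older OpenSSL builds without the string ever containing "3DES". Resolve the real suite list with `openssl ciphers -v '<ssl_ciphers string>'` and look for DES-CBC3 there, and confirm the live service with `openssl s_client -connect host:443 -tls1` (the handshake should fail) before closing the finding.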

6. TCP timestamp responses

TCP timestamps (RFC 1323 / RFC 7323) let a remote party estimate the host's uptime and fingerprint the kernel. Disabling them closes that leak, but it also disables PAWS and round-trip-time measurement, which matters on high-bandwidth links; weigh both before setting:

net.ipv4.tcp_timestamps=0

7. IP source routing

The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Disable IP source routing

For Linux systems ensure the following sysctl values are set (the default entry covers interfaces created later):

net.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.default.accept_source_route=0

It is also advised that packet forwarding be disabled, unless the host is deliberately acting as a router, by setting the following sysctl values:

net.ipv4.conf.all.forwarding=0

net.ipv6.conf.all.forwarding=0

net.ipv4.conf.all.mc_forwarding=0

net.ipv6.conf.all.mc_forwarding=0

The two mc_forwarding entries are read-only in the kernel's sysctl interface (they report whether a multicast routing daemon has turned multicast forwarding on), so sysctl will refuse to write them; the practical control is to make sure no such daemon (mrouted, pimd, smcroute) is installed or running.

More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

8. Set a GRUB password

Configuration remediation steps

Set a password in the GRUB configuration file. It is usually in one of the following locations (the first two belong to GRUB Legacy, the third to GRUB 2), but can be anywhere:

/etc/grub.conf
/boot/grub/grub.conf
/boot/grub/grub.cfg

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:

To set an encrypted password, run grub-md5-crypt (GRUB Legacy only; GRUB 2 uses grub-mkpasswd-pbkdf2 instead) and use its output when adding the following line before the first uncommented line:

For either approach, choose an appropriately strong password.
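
The steps above describe GRUB Legacy. As an added example (not from the original page), here is the GRUB 2 counterpart: generating the 40_custom fragment from a PBKDF2 hash and checking a generated grub.cfg for a proper password. The hash used in the demonstration is a constructed placeholder, not a real hash, and the file names follow the Debian/RHEL defaults named in the comments.

```bash
#!/bin/bash
# Added example: the GRUB 2 counterpart of the grub-md5-crypt procedure above
# (grub-md5-crypt and grub.conf belong to GRUB Legacy). Assumed workflow:
#   1. hash="$(grub-mkpasswd-pbkdf2 | sed -n 's/^PBKDF2 hash of your password is //p')"
#      (grub2-mkpasswd-pbkdf2 on RHEL-family systems; prompts interactively)
#   2. grub2_password_snippet root "$hash" >> /etc/grub.d/40_custom
#   3. update-grub   (Debian/Ubuntu)  or  grub2-mkconfig -o /boot/grub2/grub.cfg
# Step 1 is interactive and is not run here.

# Fragment for /etc/grub.d/40_custom: declare the superuser and its PBKDF2 hash.
grub2_password_snippet() {
    printf 'set superusers="%s"\n' "$1"
    printf 'password_pbkdf2 %s %s\n' "$1" "$2"
}

# Check a generated grub.cfg (or a legacy grub.conf). Prints a status word and
# exits 0 only for "ok": a superuser is declared and the password is a PBKDF2
# hash, with no legacy plaintext "password <word>" or "password --md5" line.
grub_cfg_password_status() {
    local cfg="$1"
    if grep -Eq '^[[:space:]]*password[[:space:]]+[^-]' "$cfg"; then
        echo "plaintext-legacy-password"; return 1
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5' "$cfg"; then
        echo "md5-legacy-password"; return 1
    fi
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "no-superusers"; return 1
    fi
    if ! grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$cfg"; then
        echo "no-pbkdf2-password"; return 1
    fi
    echo "ok"
}

# Placeholder hash (constructed for the demonstration, NOT a real hash).
FAKE_HASH='grub.pbkdf2.sha512.10000.0123456789ABCDEF.FEDCBA9876543210'

cfg="$(mktemp)"
{
    grub2_password_snippet root "$FAKE_HASH"
    echo 'menuentry "Linux" --unrestricted { linux /vmlinuz }'
} > "$cfg"
echo "generated cfg: $(grub_cfg_password_status "$cfg")"
printf 'password root hunter2\n' > "$cfg"
echo "legacy cfg:    $(grub_cfg_password_status "$cfg")"
rm -f "$cfg"
```

Once superusers is set, GRUB 2 asks for the password before booting any menu entry as well as before editing one, unless the entry carries --unrestricted (on Debian/Ubuntu that flag is added to CLASS in /etc/grub.d/10_linux). Decide which behaviour you want before regenerating grub.cfg on an unattended server, or a reboot will stop at the password prompt.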

9. Mount disk partitions with the nodev option

Partition mounting weakness

Configuration remediation steps

The specific way to modify the partition mount options varies from system to system. On Linux, add the option to the fourth column of the partition's /etc/fstab entry and apply it with mount -o remount <mountpoint>; consult your operating system's manual or the mount man page for other systems. nodev makes the kernel ignore device nodes on that filesystem, which matters on any partition a user can write to; nosuid and noexec are usually worth adding alongside it.

The following issues were discovered:
/boot partition does not have 'nodev' option set.
/data partition does not have 'nodev' option set.
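
As an added example (not from the original page), the script below reproduces the finding above over a /proc/mounts-style table and extends it to nosuid and noexec. The policy table is an assumption based on common baselines and should be adapted to the host; the sample mount table is constructed for the demonstration.

```bash
#!/bin/bash
# Added example: report mounts that lack hardening options. Input is a
# /proc/mounts-style table (device mountpoint fstype options dump pass);
# pass a saved copy for testing, or nothing to read the live kernel table.
# The policy table is an assumption (common CIS-style baseline); adjust it
# to the host's role (e.g. /var/tmp, /home, /dev/shm).

MOUNT_POLICY='
/boot nodev,nosuid,noexec
/data nodev
/tmp  nodev,nosuid,noexec
/home nodev,nosuid
'

# Print "<mountpoint> partition does not have '<opt>' option set" per gap.
# Mount points absent from the table are skipped (not separate partitions).
# Exit 1 if anything is missing.
audit_mount_options() {
    local table="${1:-/proc/mounts}" rc=0 mp required opts opt
    while read -r mp required; do
        [ -z "$mp" ] && continue
        # last entry wins: a later mount on the same path hides earlier ones
        opts="$(awk -v m="$mp" '$2 == m { o = $4 } END { print o }' "$table")"
        [ -z "$opts" ] && continue
        for opt in $(printf '%s' "$required" | tr ',' ' '); do
            case ",$opts," in
                *",$opt,"*) ;;
                *) echo "$mp partition does not have '$opt' option set"; rc=1 ;;
            esac
        done
    done <<EOF
$MOUNT_POLICY
EOF
    return $rc
}

# Constructed sample table (not from a real host).
SAMPLE_MOUNTS='/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sdb1 /data xfs rw,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

sample="$(mktemp)"
printf '%s\n' "$SAMPLE_MOUNTS" > "$sample"
audit_mount_options "$sample" \
    || echo "fix /etc/fstab and apply with: mount -o remount,nodev,nosuid,noexec /boot"
rm -f "$sample"
```

Run it without an argument on the live host to check /proc/mounts directly. Remounting /boot with noexec is harmless, but before adding noexec to /tmp or /home make sure no installer or build job executes from there.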

10. General kernel parameter tuning

The first group below is performance tuning (socket buffers, semaphores, file handles, port range, keepalive, SYN backlog); only the second group is security hardening, and it overlaps with items 3, 6 and 7. Put the values in /etc/sysctl.conf or a file under /etc/sysctl.d/ and apply them with sysctl -p or sysctl --system.

net.core.rmem_default = 2569600
net.core.rmem_max = 2569600
net.core.wmem_default = 2569600
net.core.wmem_max = 2569600
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_keepalive_time = 600
kernel.sem = 500 64000 200 256
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

net.ipv4.ip_forward = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
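
Items 3, 6, 7 and 10 all come down to the same sysctl values. As an added example (not from the original page), the script below keeps them in one list, renders a /etc/sysctl.d drop-in from it and audits a system against it. The send_redirects, IPv6 and tcp_syncookies lines are additions beyond the page's list (standard hardening values, assumed here), and the partial dump used in the demonstration is constructed.

```bash
#!/bin/bash
# Added example: keep the security-relevant sysctls from items 3, 6, 7 and 10
# in one list, render them as a /etc/sysctl.d drop-in, and audit a system
# against them. The send_redirects, IPv6 and tcp_syncookies lines are
# additions beyond the page's list (standard hardening, assumed here). The
# performance values (rmem/wmem, kernel.sem, fs.file-max, ...) are left out
# on purpose: they are tuning, not security.

HARDENING_SYSCTLS='
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.ip_forward=0
net.ipv6.conf.all.forwarding=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_syncookies=1
kernel.sysrq=0
'

# Drop-in file body; install as /etc/sysctl.d/99-hardening.conf and apply
# with `sysctl --system`.
render_sysctl_dropin() {
    echo '# generated hardening values; apply with: sysctl --system'
    printf '%s\n' "$HARDENING_SYSCTLS" | sed '/^[[:space:]]*$/d; s/=/ = /'
}

# Compare the desired values with a "key = value" listing. $1 is a file in
# `sysctl -a` format; with no argument the listing is read from stdin, so
# `sysctl -a | audit_sysctls` checks the live kernel. Prints one line per
# mismatch or missing key and exits 1 if there were any.
audit_sysctls() {
    local listing rc=0 key want have
    listing="$(cat "${1:-/dev/stdin}")"
    while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        have="$(printf '%s\n' "$listing" | awk -v k="$key" '$1 == k && $2 == "=" { print $3 }')"
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, actual ${have:-<not set>}"
            rc=1
        fi
    done <<EOF
$HARDENING_SYSCTLS
EOF
    return $rc
}

# Demonstration on a constructed partial dump (not from a real host):
# one wrong value, one correct value, everything else missing.
dump="$(mktemp)"
cat > "$dump" <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.tcp_timestamps = 1
EOF
audit_sysctls "$dump" || echo "-> host is not compliant"
rm -f "$dump"
```

Auditing the running values rather than the configuration file catches the common failure where a later file in /etc/sysctl.d, a container runtime or a network daemon overrides the setting after boot.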

11. iptables rate limiting against floods and scans

-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT    (new TCP connections: average 1 per second, bursts of up to 5)

-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT    (bare RST packets, typical of port-scan traffic: at most 1 per second)

-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT    (ping floods: at most 1 echo request per second)

Note that --limit 1/s --limit-burst 5 means an average of one packet per second with a burst allowance of five, not five connections per second. These rules only accept packets within the limit; they throttle nothing unless a matching DROP rule or a DROP chain policy follows them. Being in the FORWARD chain they apply to traffic routed through the host, not to traffic addressed to it; use INPUT to protect the host itself.
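
As an added example (not from the original page), the script below turns the three rules above into a complete iptables-restore fragment with the DROP rules that make the limits effective, and checks any generated ruleset for a limited ACCEPT that has no matching DROP. Applying it to INPUT (the host itself) rather than FORWARD is an assumption about the deployment; pass FORWARD to get the page's variant.

```bash
#!/bin/bash
# Added example: the three rate-limit rules from item 11 as a complete
# ruleset, with the DROP rules that make the limits effective. Without them a
# "-m limit ... -j ACCEPT" rule only accepts the first N packets per second;
# the rest fall through to whatever follows, usually another ACCEPT or the
# chain policy. The page used FORWARD (routed traffic); the default here is
# INPUT (the host itself), which is an assumption about the deployment.
# Load with:  ratelimit_ruleset INPUT | iptables-restore -n

# Emit an iptables-restore fragment for the given chain (INPUT or FORWARD).
ratelimit_ruleset() {
    local chain="${1:-INPUT}"
    cat <<EOF
*filter
# new TCP connections: average 1 per second, bursts of up to 5
-A $chain -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A $chain -p tcp --syn -j DROP
# bare RSTs (port-scan traffic / RST floods): at most 1 per second
-A $chain -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A $chain -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
# ICMP echo requests (ping floods): at most 1 per second
-A $chain -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A $chain -p icmp --icmp-type echo-request -j DROP
COMMIT
EOF
}

# Sanity check for a ruleset file: every "-m limit ... -j ACCEPT" rule must
# be paired with a DROP rule carrying the same match, or the limit is
# decorative. Prints the unpaired match and exits 1 when one is found.
check_limits_have_drop() {
    local file="$1" rc=0 rule match
    while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        match="${rule%% -m limit*}"
        if ! grep -qF -- "$match -j DROP" "$file"; then
            echo "limit without DROP: $match"; rc=1
        fi
    done <<EOF
$(grep -- '-m limit' "$file" | grep -- '-j ACCEPT')
EOF
    return $rc
}

# Demonstration: the generated ruleset passes, the page's lone ACCEPT rule
# (constructed here as a one-line file) does not.
rules="$(mktemp)"
ratelimit_ruleset INPUT > "$rules"
check_limits_have_drop "$rules" && echo "ruleset ok: every limit has a matching DROP"
printf -- '-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT\n' > "$rules"
check_limits_have_drop "$rules" || true
rm -f "$rules"
```

Before loading on a real host, run `ratelimit_ruleset INPUT | iptables-restore --test` and remember that a 1/s limit on SYN packets is far too low for any busy service; these values demonstrate the mechanism, and production limits should be derived from observed traffic (the hashlimit match, which limits per source address, is usually the better tool).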
