linux系统安全标准规范-阿里云开发者社区

开发者社区> 技术小甜> 正文

linux系统安全标准规范

简介:
+关注继续查看

首先确保所使用的linux系统中的所有软件都已经安装到最新版本。

linux下的漏洞或者叫做不规范大致如下几点:

用户登录,openssl, CA证书,GRUB加密,SMB密码永不过期,无任何所属用户用户组的文件,文件权限为777的,所使用到的软件严重滞后,tcp timstamp, 数据库的open access, ICMP redirection, ip forward, 

umask值的默认设置,磁盘分区的weakness

1. 使用root用户在终端登录。

sed -i '/^tty[0-9]$/d' /etc/securetty

sed -i '/^vc\/[0-9]$/d' /etc/securetty

2. 使用ssh协议的root登录

sed -i 's/#PermitRootLogin\ yes/PermitRootLogin\ no/' /etc/ssh/sshd_config

sed -i 's/#PermitRootLogin\ without-password/PermitRootLogin\ no/' /etc/ssh/sshd_config

3.  ICMP redirection 问题

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

4. 数据库的open access

使用iptables来加强数据库的访问认证。受信任的主机访问,通过设置数据库中的用户主机名称不使用%来匹配所有主机。

5. ssl使用的证书协议

不使用泛域名证书,使用至少2048bit以上的证书

The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server.

Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.

There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3 and TLS 1.0). The only fully safe configuration is to use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM, AES-CCM in TLS 1.2.

Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.

Configure the server to disable support for 3DES suite.




6. TCP timestamp responses的问题

net.ipv4.tcp_timestamps=0

7. IP Source Routing

The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Disable IP source routing

For Linux systems ensure the following sysctl value is set:

net.ipv4.conf.all.accept_source_route=0

It is also advised that packet forwarding be disabled, unless there is a legitimate reason not to, by setting the following sysctl values:

net.ipv4.conf.all.forwarding=0

net.ipv6.conf.all.forwarding=0

net.ipv4.conf.all.mc_forwarding=0

net.ipv6.conf.all.mc_forwarding=0

More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

8. 设置grub密码

Enable GRUB password

Configuration remediation steps



Set a password in the GRUB configuration file. This is often located in one of several locations, but can really be anywhere:

         /etc/grub.conf
         /boot/grub/grub.conf
         /boot/grub/grub.cfg
         /boot/grub/menu.lst        

For all files mentioned above ensure that a password is set or that the files do not exist.

To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:

  password <password>

To set an encrypted password, run grub-md5-crypt and use its output when adding the following line before the first uncommented line:

  password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.

9. 磁盘分区的挂载方式添加nodev参数

Partition Mounting Weakness

Configuration remediation steps



The specific way to modify the partition mount options varies from system to system. Consult your operating system's manual or mount man page.

The following issues were discovered: 
/boot partition does not have 'nodev' option set.
/data partition does not have 'nodev' option set.


10. 内核参数的一般优化

net.core.rmem_default = 2569600                                                    

net.core.rmem_max = 2569600                                                        

net.core.wmem_default = 2569600                                                    

net.core.wmem_max = 2569600                                                        

net.ipv4.tcp_timestamps = 0                                                        

net.ipv4.tcp_sack = 1                                                              

net.ipv4.tcp_window_scaling = 1                                                    

net.ipv4.tcp_keepalive_time = 600                                                  

kernel.sem = 500 64000 200 256                                                     

fs.file-max = 65536                                                                

net.ipv4.ip_local_port_range = 1024 65000                                          

net.ipv4.ip_forward = 0                                                            

net.ipv4.conf.default.rp_filter = 1                                                

kernel.sysrq = 0                                                                   

kernel.core_uses_pid = 1                                                           

net.ipv4.tcp_syncookies = 1                                                        

net.ipv4.tcp_max_syn_backlog = 2048                                                

net.ipv4.tcp_synack_retries = 2                                                    

net.ipv4.conf.all.accept_source_route = 0                                          

net.ipv4.conf.lo.accept_source_route = 0                                           

net.ipv4.conf.default.accept_source_route = 0                                      

net.ipv4.conf.all.rp_filter = 1                                                    

net.ipv4.conf.lo.rp_filter = 1                                                     

net.ipv4.conf.default.rp_filter = 1                                                

net.ipv4.conf.all.accept_redirects = 0                                             

net.ipv4.conf.lo.accept_redirects = 0                                              

net.ipv4.conf.default.accept_redirects = 0                                         

net.ipv4.conf.all.secure_redirects=0                                               

net.ipv4.conf.default.secure_redirects=0                                           

net.ipv4.tcp_timestamps=0


11. iptables 防攻击

-A FORWARD -p tcp --syn -m limit --limit 1de>de >/sde> de >--limit-burst 5 -j ACCEPT 限制每秒5个新连接de>

-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1de>de >/sde> de >-j ACCEPT  防端口扫描de>

-A FORWARD -p icmp --icmp-de>de >typede> de >echode>de >-request -m limit --limit 1de>de >/sde> de >-j ACCEPT  de>防止洪水攻击















本文转自ting2junshui51CTO博客,原文链接:http://blog.51cto.com/ting2junshui/2063045 ,如需转载请自行联系原作者



版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

相关文章
Linux磁盘分区,目录树,文件系统的关系(转)
  研究了很久,自始至终不能够从三者的区别和联系中找到一个大脑与这些概念之间合适的相处方式。对于基本概念和理论理解不到位,在工作之中会走很多弯路和犯很多错误。今天花一天的时间,终于对三者的区别和联系有了更进一步的理解,特此记录并分享之,供大家探讨交流。
1031 0
全面了解安装使用Linux下的日志文件系统
文件系统是用来管理和组织保存在磁盘驱动器上的数据的系统软件,其实现了数据完整性的保证,也就是保证写入磁盘的数据和随后读出的内容的一致性。除了保存以文件方式存储的数据以外,一个文件系统同样存储和管理关于文件和文件系统自身的一些重要信息(例如:日期时间、属主、访问权限、文件大小和存储位置等等)。
754 0
linux系统samba服务器安装及安全设置
Samba是在Linux和UNIX系统上实现SMB协议的一个免费软件,由服务器及客户端程序构成。 SMB(Server Messages Block,信息服务块)是一种在局域网上共享文件和打印机的一种通信协议,它为局域网内的不同计算机之间提供文件及打印机等资源的共享服务。
2610 0
+关注
10146
文章
0
问答
文章排行榜
最热
最新
相关电子书
更多
《2021云上架构与运维峰会演讲合集》
立即下载
《零基础CSS入门教程》
立即下载
《零基础HTML入门教程》
立即下载