23 CentOS Server Security Hardening Tips - Part 2

Continuing the previous tutorial on how to secure and harden a CentOS server, this article discusses further security tips, presented in the list below.

  1. 20 CentOS Server Security Hardening Tips – Part 1

21. Disable Useless SUID and SGID Commands

If the setuid and setgid bits are set on binary programs, those commands can run tasks with the rights of another user or group, such as root privileges, which can expose serious security problems.

Often, buffer overflow attacks can exploit such executable binaries to run unauthorized code with the rights of a privileged user. List the binaries that carry these bits with the following command:

# find /  -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

To unset the setuid bit, run the command below:

# chmod u-s /path/to/binary_file

To unset the setgid bit, run the command below:

# chmod g-s /path/to/binary_file

22. Check for Unowned Files and Directories

Files or directories that are not owned by a valid account must be deleted or assigned to a user and group with appropriate permissions.

Issue the find command below to list files or directories with no user and no group. The parentheses group the two tests so that -exec applies to both of them; otherwise -o would bind only -nogroup to the action.

# find / \( -nouser -o -nogroup \) -exec ls -l {} \;

23. List World-Writable Files

Keeping world-writable files on the system can be dangerous, since anyone can modify them. Run the command below to display world-writable files, excluding symlinks, which are always world-writable.

# find / -path /proc -prune -o -perm -2 ! -type l -ls
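
The three find audits from tips 21 to 23 can be combined into one script that takes the directory to scan as an argument, which also makes it easy to verify the find expressions on a constructed sample tree before running them against / as root. The script below is an added example, not part of the original article; the function names, the sample file names and the --demo flag are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: the three audits from tips
# 21-23 as functions that take the directory to scan, plus a helper that
# builds a constructed sample tree so the find expressions can be checked
# without touching the real filesystem. Against / they must be run as root.

# Tip 21: regular files with the setuid or setgid bit set. The parentheses
# matter: without them -o would bind only "-perm -2000" to the final action.
list_suid_sgid() {
    root=${1%/}
    find "${root:-/}" -path "$root/proc" -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Tip 22: files and directories whose uid or gid has no passwd/group entry.
# Grouped for the same reason, so that -print applies to both tests.
list_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# Tip 23: world-writable files, excluding symlinks (always mode 777).
list_world_writable() {
    root=${1%/}
    find "${root:-/}" -path "$root/proc" -prune -o -perm -2 ! -type l -print
}

# Build a constructed sample tree in a fresh temporary directory and print
# its path. Unowned files would need chown to a non-existent uid (root only),
# so the sample only exercises the SUID/SGID and world-writable checks.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'x\n' > "$dir/normal"     && chmod 0644 "$dir/normal"
    printf 'x\n' > "$dir/suid_bin"   && chmod 4755 "$dir/suid_bin"
    printf 'x\n' > "$dir/sgid_bin"   && chmod 2755 "$dir/sgid_bin"
    printf 'x\n' > "$dir/shared.txt" && chmod 0666 "$dir/shared.txt"
    ln -s "$dir/normal" "$dir/link_to_normal"
    printf '%s\n' "$dir"
}

# Number of paths reported by one audit function for one directory.
count_findings() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: ./audit.sh --demo  (audits the sample tree, then removes it)
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "SUID/SGID files:      $(count_findings list_suid_sgid "$tree")"
    echo "World-writable files: $(count_findings list_world_writable "$tree")"
    echo "Unowned paths:        $(count_findings list_unowned "$tree")"
    rm -rf "$tree"
fi
```

On the sample tree the SUID/SGID audit reports the two binaries and the world-writable audit reports only shared.txt, since the symlink is excluded; replace the sample directory with / for a real audit and review each reported binary before removing its bits, because some system programs (passwd, sudo) legitimately need them.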

24. Create Strong Passwords

Create passwords of at least eight characters. A password must contain digits, special characters and uppercase letters. Use pwmake to generate a password with 128 bits of entropy from /dev/urandom.

# pwmake 128

25. Apply a Strong Password Policy

Force the system to use strong passwords by adding the line below to the /etc/pam.d/passwd file.

password required pam_pwquality.so retry=3

With the line above in place, an entered password cannot contain more than 3 characters in a monotonic sequence, such as abcd, nor more than 3 identical consecutive characters, such as 1111.

To force users to use a password of at least 8 characters that includes all classes of characters, with strength checks for character sequences and consecutive characters, add the following lines to the /etc/security/pwquality.conf file.

minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3
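
To see what the four pwquality.conf settings above accept and reject, here is an added example (not from the original article, and not libpwquality itself) that re-implements the same four rules in POSIX sh and awk: minimum length, number of character classes, the longest run of identical characters and the longest monotonic sequence. The check_password function and its sample passwords are my own; on a real CentOS host the pwscore utility from libpwquality gives the authoritative answer.

```shell
#!/bin/sh
# Added example, not from the original article: a teaching re-implementation
# of the four pwquality.conf rules (minlen, minclass, maxsequence, maxrepeat)
# so their effect can be tried on sample passwords. Thresholds are passed to
# awk as variables and match the values recommended above.

check_password() {
    printf '%s\n' "$1" | awk -v minlen=8 -v minclass=4 -v maxseq=3 -v maxrep=3 '
    BEGIN {
        # printable ASCII table, so index(tbl, ch) works as an ordinal lookup
        for (i = 32; i < 127; i++) tbl = tbl sprintf("%c", i)
    }
    {
        pw = $0; n = length(pw)
        if (n < minlen) { print "reject: shorter than " minlen; exit 1 }

        # minclass: count the distinct character classes present
        classes = 0
        if (pw ~ /[a-z]/)        classes++
        if (pw ~ /[A-Z]/)        classes++
        if (pw ~ /[0-9]/)        classes++
        if (pw ~ /[^a-zA-Z0-9]/) classes++
        if (classes < minclass) { print "reject: only " classes " character classes"; exit 1 }

        # maxrepeat / maxsequence: walk the string once, tracking the current
        # run of identical characters and the current monotonic (+1/-1) run
        rep = 1; seq = 1; dir = 0
        for (i = 2; i <= n; i++) {
            c = substr(pw, i, 1); p = substr(pw, i - 1, 1)
            rep = (c == p) ? rep + 1 : 1
            if (rep > maxrep) { print "reject: more than " maxrep " repeated characters"; exit 1 }
            d = index(tbl, c) - index(tbl, p)
            if (d != 0 && d == dir)     seq++
            else if (d == 1 || d == -1) { dir = d; seq = 2 }
            else                        { dir = 0; seq = 1 }
            if (seq > maxseq) { print "reject: monotonic sequence longer than " maxseq; exit 1 }
        }
        print "ok"
    }'
}

# Stand-alone run: ./pwcheck.sh --demo  (constructed sample passwords)
if [ "${1:-}" = "--demo" ]; then
    for pw in 'Tr0ub4dor&3' 'Abcde12!' 'Pass1111!' 'Ab1!' 'password123'; do
        printf '%-14s ' "$pw"; check_password "$pw" || true
    done
fi
```

check_password returns 0 and prints ok for a conforming password, or returns 1 together with the rule that rejected it, so it can be used directly in a shell condition. Note that libpwquality additionally applies dictionary, username and similarity checks that this teaching version does not.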

26. Use Password Aging

The chage command can be used for user password aging. To set a user's password to expire in 45 days, use this command:

# chage -M 45 username

To disable password expiration, use this command:

# chage -M -1 username

Force immediate password expiration (the user must change the password at the next login) by running this command:

# chage -d 0 username

27. Lock Accounts

User accounts can be locked by running the passwd or usermod command:

# passwd -l username
# usermod -L username

To unlock an account, use the -u option of passwd or the -U option of usermod.

28. Prevent Shell Access for Accounts

To prevent a system account (an ordinary account or a service account) from getting a bash shell, change its shell to /usr/sbin/nologin or /bin/false in the /etc/passwd file by issuing the command below:

# usermod -s /bin/false username

To set the shell while creating a new user, issue the following command:

# useradd -s /usr/sbin/nologin username

29. Lock Virtual User Consoles with vlock

vlock is a program for locking a session on the Linux console. Install the program and lock your console session by running the following commands:

# yum install vlock
# vlock

30. Use a Centralized System to Manage Accounts and Authentication

Using a centralized authentication system can greatly simplify account management and control. Services that can offer this type of account management are IPA Server, LDAP, Kerberos, Microsoft Active Directory, NIS, Samba ADS or Winbind.

Some of these services are highly secured by default through cryptographic protocols and symmetric-key cryptography, such as Kerberos.

31. Force Read-Only Mounting of USB Media

Using the blockdev utility you can force removable media to be mounted read-only. For example, create a new udev configuration file named 80-readonly-usb.rules in the /etc/udev/rules.d/ directory with the following content:

SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev --setro %N"

Then apply the rule with the command below:

# udevadm control --reload

32. Disable Root Access via TTY

To prevent the root account from logging in via any console device (TTY), erase the contents of the securetty file by typing the following commands at a prompt as root.

# cp /etc/securetty /etc/securetty.bak
# cat /dev/null > /etc/securetty

Remember that this rule does not affect SSH login sessions. To prevent root login via SSH, edit the /etc/ssh/sshd_config file and add the line below:

PermitRootLogin no

33. Use POSIX ACLs to Expand System Permissions

Access Control Lists can define access rights for more than just a single user or group, and can specify rights for programs, processes, files and directories. If you set an ACL on a directory, its descendants inherit the same rights automatically.

For example:

# setfacl -m u:user:rw file
# getfacl file
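
One point worth checking before relying on the inheritance described above: an entry added with plain setfacl -m is an access ACL on the directory itself, and files created later inherit entries only from the directory's default ACL, which is set with setfacl -d -m. The following added example (not from the original article) sets both on a scratch directory, creates a file inside it and reads the inherited entry back with getfacl. It uses the current numeric uid as the grantee so that it runs on any host; the function names are my own and the acl package must be installed.

```shell
#!/bin/sh
# Added example, not from the original article: demonstrate that inheritance
# of ACL entries to new files comes from the directory's *default* ACL
# (setfacl -d -m), not from its access ACL (setfacl -m). The grantee is the
# current uid (id -u) purely so the demo runs anywhere; on a real system you
# would name the user, e.g. u:alice:rw.

# Create a scratch directory with an access ACL and a default ACL granting rw
# to $1 (a uid or user name), create a file inside it, print the directory.
setup_acl_dir() {
    d=$(mktemp -d)
    setfacl -m "u:$1:rw" "$d"    || return 1   # access ACL: the directory itself
    setfacl -d -m "u:$1:rw" "$d" || return 1   # default ACL: copied to new children
    : > "$d/child.txt"
    printf '%s\n' "$d"
}

# Print the ACL entry that the child file received for uid/user $2, in
# numeric form (getfacl -n), or nothing if no such entry exists.
child_acl_entry() {
    getfacl -n "$1/child.txt" 2>/dev/null | grep "^user:$2:" || true
}

# Stand-alone run: ./acl-demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    me=$(id -u)
    dir=$(setup_acl_dir "$me") || { echo "ACLs not supported on this filesystem"; exit 1; }
    echo "directory ACL (access + default entries):"; getfacl -n "$dir"
    echo "entry inherited by child.txt:"; child_acl_entry "$dir" "$me"
    rm -rf "$dir"
fi
```

Running the demo shows the directory listing both user:UID:rw- and default:user:UID:rw-, and the child file carrying user:UID:rw- without anyone having touched it; drop the setfacl -d line and the child receives no entry at all, which is the case the sentence above glosses over.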

34. Set SELinux to Enforcing Mode

The SELinux enhancement to the Linux kernel implements a Mandatory Access Control (MAC) policy, allowing users to define a security policy that provides granular permissions for all users, programs, processes, files and devices.

The kernel's access control decisions are based on the whole security-relevant context, not on the identity of the authenticated user.

To get the SELinux status and enforce the policy, run the following commands:

# getenforce
# setenforce 1
# sestatus

35. Install Additional SELinux Utilities

Install the policycoreutils-python package, which provides additional Python utilities for operating SELinux: audit2allow, audit2why, chcat and semanage.

To display all boolean values together with a short description, use the following command:

# semanage boolean -l

For example, to display and then set the value of httpd_enable_ftp_server, start with the command below:

# getsebool httpd_enable_ftp_server

To make the value of a boolean persist across reboots, pass the -P option to setsebool, as illustrated in the following example:

# setsebool -P httpd_enable_ftp_server on

36. Use a Centralized Log Server

Configure the rsyslog daemon to send the log messages of sensitive utilities to a centralized log server. Also, monitor log files with the help of the logwatch utility.

Sending log messages to a remote server ensures that once the system has been compromised, malicious users cannot completely hide their activity, as traces always remain in the remote log files.

37. Enable Process Accounting

Enable process accounting by installing the psacct utility. Use the lastcomm command to display information about previously executed commands as recorded in the system accounting file, and sa to summarize that information.

38. Harden /etc/sysctl.conf

Use the following kernel parameter rules to protect the system:

net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Disable accepting and sending ICMP redirect packets unless specifically required.

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=2

Ignore all ICMP echo requests (set the value to 1 to enable this):

net.ipv4.icmp_echo_ignore_all = 0
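
Writing the values into /etc/sysctl.conf does not prove that the running kernel uses them (a later file in /etc/sysctl.d/ or a network service may override a key), so it is worth comparing the list above against the live settings. The script below is an added example, not from the original article: it normalises both a sysctl.conf-style file and sysctl -a output into key/value pairs and prints every key whose live value differs or is missing. The live input is a constructed sample of an unhardened host so that the run is reproducible; on a real system feed it sysctl -a output instead. Function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: report every key in a
# sysctl.conf-style file whose value differs from the kernel's live setting.
# Offline run uses a constructed "sysctl -a" sample; on a real host replace
# it with:  sysctl -a 2>/dev/null > /tmp/live.txt

# Normalise "key = value" / "key=value" lines into "key value", dropping
# comments and blank lines, so both inputs compare cleanly.
normalize() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/ /' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# Usage: audit_sysctl DESIRED_FILE LIVE_FILE
# Prints "key expected=X actual=Y" for each mismatch; missing keys show <unset>.
audit_sysctl() {
    desired=$1; current=$2
    normalize "$desired" | while read -r key want; do
        have=$(normalize "$current" | awk -v k="$key" '$1 == k { print $2; exit }')
        [ "$have" = "$want" ] || printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-<unset>}"
    done
}

# Build the two constructed inputs in a temporary directory and print its path.
make_samples() {
    d=$(mktemp -d)
    # the hardening values from tip 38 above, in sysctl.conf form
    cat > "$d/desired.conf" <<'EOF'
# hardening values
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=2
net.ipv4.icmp_echo_ignore_all = 0
EOF
    # constructed sample of what `sysctl -a` prints on an unhardened host
    # (note: the ipv6 key is deliberately absent, to show the <unset> case)
    cat > "$d/live.txt" <<'EOF'
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: ./sysctl-audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    s=$(make_samples)
    audit_sysctl "$s/desired.conf" "$s/live.txt"
    rm -rf "$s"
fi
```

Against the constructed sample the audit reports five keys: accept_source_route, accept_redirects, secure_redirects and rp_filter with their wrong live values, and disable_ipv6 as <unset>. An empty report after sysctl -p is the confirmation that the file took effect.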

39. Use VPN Services to Access Your Premises over Unprotected Public Networks

Always use VPN services for remote workers who access the internal LAN over the Internet. Such services can be configured with free open source solutions, such as those available from the EPEL repositories.

40. Perform External System Scans

Assess your system's security for vulnerabilities by scanning it from a remote point on your LAN with tools such as:

  1. Nmap – network scanner (29 Nmap Command Examples)
  2. Nessus – security scanner
  3. OpenVAS – used to scan for vulnerabilities and for comprehensive vulnerability management
  4. Nikto – an excellent Common Gateway Interface (CGI) script scanner (Scan Web Vulnerabilities in Linux)

41. Protect the System Internally

Use internal system protection against viruses, rootkits and malware and, as a good practice, install intrusion detection systems that can detect unauthorized activity (DDoS attacks, port scans), such as:

  1. AIDE – Advanced Intrusion Detection Environment – http://aide.sourceforge.net/
  2. ClamAV – Antivirus Scanner https://www.clamav.net
  3. Rkhunter – Rootkit Scanner
  4. Lynis – Security Auditing and Scanning Tool for Linux
  5. Tripwire – Security and Data Integrity http://www.tripwire.com/
  6. Fail2Ban – Intrusion Network Prevention
  7. OSSEC – (HIDS) Host-based Intrusion Detection System http://ossec.github.io/
  8. Mod_Security – Protect against Brute Force or DDoS Attacks

42. Modify User Environment Variables

Append a date and time format to the shell history, so that each command's execution time is stored, by issuing the command below:

# echo 'HISTTIMEFORMAT="%d/%m/%y  %T  "' >> .bashrc

Force the HISTFILE to be written immediately every time a command is typed (instead of at logout):

# echo 'PROMPT_COMMAND="history -a"' >> .bashrc

Limit the login session timeout. Tear down the shell automatically when no activity takes place during an idle period. This is very useful for automatically disconnecting SSH sessions.

# echo 'TMOUT=120' >> .bashrc

Apply all the rules by running:

# source .bashrc

43. Back Up Data

Use LVM snapshots and similar backup utilities to store a copy of your system, preferably off-site, in case of a system failure.

If the system gets compromised, you can restore data from a previous backup.

Finally, don't forget that no matter how many security measures and countermeasures you take to keep your system safe, you will never be 100% secure as long as your machine is plugged in and powered on.