Linux 保险配置杂文

Linux 安全配置杂文

SSH 配置

vim /etc/ssh/sshd_config <<VIM > /dev/null 2>&1

:s/#LoginGraceTime 2m/LoginGraceTime 2m/

:s/#PermitRootLogin yes/PermitRootLogin no/

:s/#MaxAuthTries 6/MaxAuthTries 3/

:%s$#AuthorizedKeysFile$AuthorizedKeysFile?/dev/null$

:%s/GSSAPIAuthentication yes/GSSAPIAuthentication no/

:%s/GSSAPICleanupCredentials yes/GSSAPICleanupCredentials no/

:wq

VIM

禁止证书登陆 AuthorizedKeysFile /dev/null

http://netkiller.github.com/

锁定用户禁止登陆

passwd -l bin

passwd -l daemon

passwd -l adm

passwd -l lp

passwd -l sync

passwd -l shutdown

passwd -l halt

passwd -l mail

passwd -l uucp

passwd -l operator

passwd -l games

passwd -l gopher

passwd -l ftp

passwd -l nobody

passwd -l vcsa

passwd -l saslauth

passwd -l postfix

检查可以登陆的用户与有密码的用户

?http://netkiller.github.com/

例?55.1.?/etc/pam.d/sshd

例?55.2.?/etc/pam.d/sshd - pam_listfile.so

# cat /etc/pam.d/sshd#%PAM-1.0auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=failauth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300auth   requiredpam_sepermit.soauth       include      password-authaccount    required     pam_nologin.soaccount    include      password-authpassword   include      password-auth# pam_selinux.so close should be the first session rulesession    required     pam_selinux.so closesession    required     pam_loginuid.so# pam_selinux.so open should only be followed by sessions to be executed in the user contextsession    required     pam_selinux.so open env_paramssession    optional     pam_keyinit.so force revokesession    include      password-auth

sense=allow 白名单方式, sense=deny 黑名单方式

auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail

延伸阅读：http://netkiller.github.com/

Linux 保险配置杂文

例?55.1.?/etc/pam.d/sshd

热点推荐