一、账号
1. 密码策略
$ vim /etc/login.defs
# Password aging controls:
#
# PASS_MAX_DAYS 密码最长有效期
# PASS_MIN_DAYS 密码修改之间最小天数
# PASS_MIN_LEN 密码最小长度
# PASS_WARN_AGE 密码过期前多少天开始提示
PASS_MAX_DAYS 90
PASS_MIN_DAYS 20
PASS_MIN_LEN 10
PASS_WARN_AGE 7
# 注意：login.defs 里的这几项只对之后新建的账号生效，已有账号需用 chage 单独调整；
# 在使用 PAM 的系统上 PASS_MIN_LEN 一般不被采用，实际最小长度以下面 pam 模块的 minlen 为准。
$ vim /etc/pam.d/system-auth
在 password 段中把 pam_cracklib 这一行修改为：要求密码至少包含一个数字、一个小写字母、一个大写字母、一个特殊字符，且长度 >= 10（dcredit/lcredit/ucredit/ocredit 取 -1 表示"至少一个"）。下面 sshd 的例子中 password 段引用的是 password-auth，建议 /etc/pam.d/password-auth 中对应行也做同样修改：
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10
2. SSH
$ vim /etc/ssh/sshd_config
# 更换端口（改完后先在防火墙放行新端口，启用 SELinux 的系统还需用 semanage port 登记该端口，
# 否则重启 sshd 后会把自己锁在外面；建议另开一个会话验证能登录后再断开旧连接）
Port 22022
# 关闭root登陆
PermitRootLogin no
# 只允许列出的用户登录（白名单；未列出的用户即使密码正确也会被拒绝）
AllowUsers user1 user2
3. 限制登陆IP
$ vim /etc/hosts.deny
# 禁止 10.10.10.20 访问本机的 SSHD 服务
# （此机制依赖 TCP wrappers/libwrap；若 sshd 未编译 libwrap 支持或发行版已移除 hosts.deny 机制，则此条不生效，应改用防火墙规则）
sshd: 10.10.10.20
4. 限制登陆次数（有坑：如果错误密码尝试持续时间足够长，合法用户——包括 root——会被反复锁定，相当于自己被造成拒绝服务；deny=2 尤其激进，应结合上面的 IP 限制和 AllowUsers 一起使用）
$ vim /etc/pam.d/sshd
# 所有用户（包括 root）连续 2 次密码错误后锁定 120 秒（unlock_time/root_unlock_time 单位为秒）
# 放在 #%PAM-1.0 之后、其他 auth 行之前（建议作为第一条 auth 规则，以免被前面的模块短路而不计数）
auth required pam_tally2.so deny=2 unlock_time=120 even_deny_root root_unlock_time=120
# 在 account 段最前面添加（见下方完整例子）
account required pam_tally2.so
############ 完整例子 Start ############
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=2 unlock_time=120 even_deny_root root_unlock_time=120 ## 添加
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_tally2.so ######## 添加
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
############ 完整例子 END ############
pam_tally2.so [file=/path/to/counter] [onerr=[fail|succeed]] [magic_root] [even_deny_root] [deny=n] [lock_time=n] [unlock_time=n] [root_unlock_time=n] [serialize] [audit] [silent] [no_log_info]
（较新的发行版中 pam_tally2 已被 pam_faillock 取代，配置前请先确认该模块存在）
锁定用户管理（需要 root 权限）
pam_tally2                       # 查看各用户的失败计数和锁定状态
pam_tally2 --reset -u username   # 解锁指定用户（清零其失败计数）
5. 审计日志
$ vim /etc/syslog.conf 或者 /etc/rsyslog.conf
*.err;kern.debug;daemon.notice /var/log/messages
# 如果有集中日志服务器可以开启下面这一行：单个 @ 表示 UDP 转发（明文且不保证送达），
# rsyslog 可用 @@ 改为 TCP；日志含敏感信息时应只在内网转发或为 rsyslog 配置 TLS
*.* @10.10.2.127:514
# 重启使配置生效（systemd 系统为 systemctl restart rsyslog）
$ service rsyslog restart
转自52bug.me: http://www.52bug.me/topic/b57e0b948a8.html