A Study on Improving AIX Security

To improve the security of IBM AIX and bring the system up to a basic security baseline, a set of hardening settings has to be applied. To cut the workload, avoid repetitive operations and human error, and work more efficiently, I put together a batch hardening script which, together with the related security configuration files, performs the hardening automatically. The steps are as follows:

1. Download the TCP Wrapper install image (netsec.options) and generate the .toc file

2. Edit the configuration files ftpusers, hosts.allow, hosts.deny and inetd.conf

3. Edit the script file secure.sh

4. Package the hardening directory for batch hardening of AIX hosts

5. Use the hardening package to apply the settings on a new AIX host

6. Check the results

Note: the security configuration files, the install fileset and the hardening script are all kept under /setup.

This article covers AIX 5.3.


1. Download the TCP Wrapper install image (netsec.options) and generate the .toc file

Some information on where the tcp_wrapper install fileset (netsec.options) comes from:

Network security options TCP Wrapper 1.1.0.0

TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. The TCP Wrapper home page is located at:

ftp://ftp.porcupine.org/pub/security/index.html

TCP Wrapper is added to the netsec.options package on the AIX 5.3 Expansion Pack.

Source: <http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.resources/RELNOTES/5305_exp_relnotes.htm>

If you have the AIX 5.3 Expansion Pack media at hand, look for the netsec.options file on it.

#cd /setup

#ls -lt netsec.options

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

#inutoc .

This generates the .toc table of contents for netsec.options; installp needs it when secure.sh later runs the installation unattended.

# ls -lt .toc

-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc

2. Edit the configuration files ftpusers, hosts.allow, hosts.deny and inetd.conf

The AIX environment template and the contents of the related configuration files are as follows:

# cd /setup

# ls

.toc ftpusers hosts.allow hosts.deny inetd.conf netsec.options secure.sh

# ls -lt

total 888

-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh

-rw-r--r-- 1 root system 5 Aug 17 17:09 ftpusers

-rw-r--r-- 1 root system 1881 Aug 17 16:42 .toc

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf

-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow

-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny

# more ftpusers

root

Note: root is not allowed to log in to this host via ftp.

# more hosts.allow

……

ftpd:30.216.18.128:allow

ftpd:30.216.18.128:allow

sshd:30.216.18.1268:allow

sshd:30.216.18.128:allow

Note:

Because telnet is disabled in inetd.conf, only ftp and ssh access needs to be controlled here.

For how to disable telnet and install or upgrade ssh on AIX, see my blog post: http://djb1008.itpub.net/post/42280/502007.

This is where the list of permitted IP addresses is set: only the machines in this list can reach this host via ftp or ssh. The ftpd entry works because inetd.conf starts ftpd through /usr/sbin/tcpd; sshd is not started by inetd, so the sshd entries only take effect when the installed OpenSSH was built with TCP Wrapper (libwrap) support, as the OpenSSH packages shipped for AIX are. Double-check each address for typos: an entry that is not a valid address is compared literally against the client's name and address, never matches, and with hosts.deny set to ALL : ALL that host is silently refused.

# more hosts.deny

ALL : ALL : severity auth.info

# more inetd.conf

## service socket protocol wait/ user server server program

## name type nowait program arguments

##

ftp stream tcp6 nowait root /usr/sbin/tcpd ftpd

#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a

shell stream tcp6 nowait root /usr/sbin/rshd rshd

#kshell stream tcp nowait root /usr/sbin/krshd krshd

login stream tcp6 nowait root /usr/sbin/rlogind rlogind

#klogin stream tcp nowait root /usr/sbin/krlogind krlogind

exec stream tcp6 nowait root /usr/sbin/rexecd rexecd

#comsat dgram udp wait root /usr/sbin/comsat comsat

#uucp stream tcp nowait root /usr/sbin/uucpd uucpd

#bootps dgram udp wait root /usr/sbin/bootpd bootpd /etc/bootptab

##

## Finger, systat and netstat give out user information which may be

## valuable to potential "system crackers." Many sites choose to disable

## some or all of these services to improve security.

##

#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd

#systat stream tcp nowait nobody /usr/bin/ps ps -ef

#netstat stream tcp nowait nobody /usr/bin/netstat netstat -f inet

#

#tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n

#talk dgram udp wait root /usr/sbin/talkd talkd

#ntalk dgram udp wait root /usr/sbin/talkd talkd

#

# rexd uses very minimal authentication and many sites choose to disable

# this service to improve security.

#

#rquotad sunrpc_udp udp wait root /usr/sbin/rpc.rquotad rquotad 100011 1

#rexd sunrpc_tcp tcp wait root /usr/sbin/rpc.rexd rexd 100017 1

#rstatd sunrpc_udp udp wait root /usr/sbin/rpc.rstatd rstatd 100001 1-3

#rusersd sunrpc_udp udp wait root /usr/lib/netsvc/rusers/rpc.rusersd rusersd 100002 1-2

#rwalld sunrpc_udp udp wait root /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1

#sprayd sunrpc_udp udp wait root /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1

#pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2

#echo stream tcp nowait root internal

#discard stream tcp nowait root internal

#chargen stream tcp nowait root internal

#daytime stream tcp nowait root internal

#time stream tcp nowait root internal

#echo dgram udp wait root internal

#discard dgram udp wait root internal

#chargen dgram udp wait root internal

#daytime dgram udp wait root internal

#time dgram udp wait root internal

## The following line is for installing over the network.

#instsrv stream tcp nowait netinst /u/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /u/netinst/scripts

#imap2 stream tcp nowait root /usr/sbin/imapd imapd

#pop3 stream tcp nowait root /usr/sbin/pop3d pop3d

ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1

cmsd sunrpc_udp udp wait root /usr/dt/bin/rpc.cmsd cmsd 100068 2-5

wsmserver stream tcp nowait root /usr/websm/bin/wsmserver wsmserver -start

xmquery dgram udp wait root /usr/bin/xmtopas xmtopas -p3

#example of the use of tcpwrapper with telnet

#telnet stream tcp6 nowait root /usr/sbin/tcpd telnetd -a

#auth stream tcp6 nowait root /usr/sbin/authd authd

Note: most of the unneeded services are stopped: finger, telnet, time, echo, discard, daytime, chargen, comsat, klogin, kshell, ntalk, talk, tftp, uucp and dtspc (sendmail is not an inetd service; secure.sh stops it separately). ftp is kept but now goes through /usr/sbin/tcpd, so the hosts.allow and hosts.deny rules apply to it. The r-services shell, login and exec (rshd, rlogind, rexecd), which authenticate via .rhosts/hosts.equiv and send passwords in the clear, are left enabled and unwrapped in this file, as are ttdbserver, cmsd, wsmserver and xmquery; if nothing depends on them, comment them out as well.

Stopping a service is simple: put a # at the start of its line in inetd.conf and refresh inetd.

# more secure.sh
#install tcp_wrapper from the current directory (run this script from /setup)
/usr/lib/instl/sm_inst installp_cmd -a -Q -d '.' -f '_all_latest' '-c' '-N' '-g' '-X' '-G' '-Y'
#backup some configuration files
mv /etc/hosts.deny /etc/hosts.deny.bak
mv /etc/hosts.allow /etc/hosts.allow.bak
mv /etc/inetd.conf /etc/inetd.conf.bak
mv /etc/ftpusers /etc/ftpusers.bak
cp /etc/profile /etc/profile.bak
cp /etc/security/user /etc/security/user.bak
#copy the new configuration files to /etc
cp /setup/hosts.deny /etc
cp /setup/hosts.allow /etc
cp /setup/inetd.conf /etc
cp /setup/ftpusers /etc
#remove some users
rmuser -p lp
rmuser -p uucp
rmuser -p nuucp
rmuser -p lpd
rmuser -p invscout
#lock some users and disable their login
chuser account_locked=true login=false imnadm
chuser account_locked=true login=false ldap
chuser account_locked=true login=false snapp
#disable login for some system users
chuser login=false daemon
chuser login=false bin
chuser login=false sys
chuser login=false adm
#update the default password policy in /etc/security/user (maxage/minage are in weeks)
chsec -f /etc/security/user -s default -a "minalpha = 4" -a "minother = 1" -a "maxage = 52" -a "minlen = 8" -a "minage = 1" -a "histsize = 10" -a "mindiff = 2"
#refresh inetd so the new inetd.conf takes effect
refresh -s inetd
#stop sendmail and keep it from starting at the next reboot
stopsrc -s sendmail
chrctcp -d sendmail
#set the idle timeout to 600 seconds and the user umask to 022
#filter through a temp file: "grep -v ... /etc/profile >> /etc/profile" would append a copy of the file to itself
chmod u+w /etc/profile
grep -v TMOUT /etc/profile | grep -v umask > /etc/profile.new
echo 'TMOUT=600' >> /etc/profile.new
echo 'umask 022' >> /etc/profile.new
cp /etc/profile.new /etc/profile
rm /etc/profile.new
chmod u-w /etc/profile

4. Package the hardening directory for batch hardening of AIX hosts

#cd /setup

#ls -lt

total 888

-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc

-rw-r--r-- 1 root system 6 Aug 18 09:00 ftpusers

-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf

-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow

-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny

#tar -cvf /tmp/secure.tar /setup

5. Use the hardening package to apply the settings on a new AIX host

Note: copy or ftp secure.tar to /tmp on the new AIX host; the following operations are performed on the new host.

#mkdir /setup


# tar -xvf /tmp/secure.tar /setup

x /setup

x /setup/hosts.allow, 787 bytes, 2 media blocks.

x /setup/hosts.deny, 126 bytes, 1 media blocks.

x /setup/ftpusers, 6 bytes, 1 media blocks.

x /setup/inetd.conf, 5137 bytes, 11 media blocks.

x /setup/secure.sh, 1162 bytes, 3 media blocks.

x /setup/netsec.options, 422912 bytes, 826 media blocks.

x /setup/.toc, 1881 bytes, 4 media blocks.

# cd /setup

# ls -lt

total 888

-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc

-rw-r--r-- 1 root system 6 Aug 18 09:00 ftpusers

-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh

-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options

-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf

-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow

-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny

#./secure.sh

6. Check the results

# lssrc -l -s inetd

Subsystem Group PID Status

inetd tcpip 245912 active

……

Service Command Description Status

xmquery /usr/bin/xmtopas xmtopas -p3 active

wsmserver /usr/websm/bin/wsmserver wsmserver -start active

cmsd /usr/dt/bin/rpc.cmsd cmsd 100068 2-5 active

ttdbserver /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1 active

exec /usr/sbin/rexecd rexecd active

login /usr/sbin/rlogind rlogind active

shell /usr/sbin/rshd rshd active

ftp /usr/sbin/tcpd ftpd active

Note: the finger, telnet, sendmail, time, echo, discard, daytime, chargen, comsat, klogin, kshell, ntalk, talk, tftp, uucp and dtspc services have been stopped. ftp is still active, but the Command column shows that it now runs through /usr/sbin/tcpd, so hosts.allow and hosts.deny apply to it. The shell, login and exec entries (rshd, rlogind, rexecd) as well as ttdbserver, cmsd, wsmserver and xmquery are also still active and not wrapped; comment them out in inetd.conf too if nothing depends on them.

Also, a user whose password does not meet the new policy is forced to change it at the next login, and the new password must comply with the policy. The policy set by this installation is: at least 4 letters, at least 1 non-alphabetic character (a digit or punctuation), a maximum password age of 52 weeks, a minimum length of 8, a minimum age of 1 week, a history of 10 previous passwords that cannot be reused, and at least 2 characters that differ from the old password. (maxage and minage are expressed in weeks, and with the default crypt() password algorithm only the first 8 characters of a password are significant.) The command that sets it is:

chsec -f /etc/security/user -s default -a "minalpha = 4" -a "minother = 1" -a "maxage = 52" -a "minlen = 8" -a "minage = 1" -a "histsize = 10" -a "mindiff = 2"

After this, only the hosts listed in /etc/hosts.allow can reach this host via ssh or ftp.

Because secure.sh replaces /etc/inetd.conf as a whole, any site-specific entries the previous file contained are gone; compare /etc/inetd.conf.bak with the new file. If the NetBackup client is installed, restart the NetBackup client program afterwards:

#/etc/rc.client.netbackup
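As an added example for steps 2 and 6 (it is not part of the original article or of secure.sh), here is a small POSIX shell audit to run after secure.sh. It lists the inetd services still enabled in an inetd.conf and whether each one goes through /usr/sbin/tcpd, flags the r-services that tcpd does not make safe, and checks hosts.allow for dotted-quad client fields that are not valid IPv4 addresses. The last check matters because an entry like the sshd:30.216.18.1268:allow line in the hosts.allow listing above is compared literally against the client's name and address, can never match, and with ALL : ALL in hosts.deny that host is silently refused. The sample inetd.conf and hosts.allow contents below are constructed from the article's listings; on a real host call audit_host /etc/inetd.conf /etc/hosts.allow.

```shell
#!/bin/sh
# Post-hardening audit for the /setup package (added example, not the
# article's own code). Works on any inetd.conf / hosts.allow pair.

# Print "<service> <wrapped|unwrapped>" for every enabled inetd.conf line.
# Field 6 is the server program; a service is wrapped only if that is tcpd.
inetd_enabled_services() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { w = ($6 == "/usr/sbin/tcpd") ? "wrapped" : "unwrapped"; print $1, w }
    ' "$1"
}

# Enabled services that tcpd does not make safe: the r-commands trust
# .rhosts/hosts.equiv and carry everything, passwords included, in clear.
risky_enabled_services() {
    inetd_enabled_services "$1" |
        awk '$1 == "shell" || $1 == "login" || $1 == "exec" || $1 == "telnet" { print $1 }'
}

# Print "<line>:<token>" for each dotted-numeric client field that is not a
# valid IPv4 address (not four octets, or an octet above 255). tcpd compares
# such a token literally with the client's name and address, so it never
# matches and the host falls through to "ALL : ALL" in hosts.deny.
invalid_ipv4_clients() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($2, c, "[ \t,]+")
            for (i = 1; i <= n; i++) {
                if (c[i] !~ /^[0-9]+(\.[0-9]+)+$/) continue
                m = split(c[i], o, ".")
                bad = (m != 4)
                for (j = 1; j <= m; j++) if (o[j] + 0 > 255) bad = 1
                if (bad) print NR ":" c[i]
            }
        }
    ' "$1"
}

# Human-readable report; returns 1 if anything needs attention.
audit_host() {
    rc=0
    echo "Enabled inetd services in $1:"
    inetd_enabled_services "$1" | sed 's/^/  /'
    r=$(risky_enabled_services "$1")
    if [ -n "$r" ]; then
        echo "WARNING: r-commands still enabled:" $r
        rc=1
    fi
    b=$(invalid_ipv4_clients "$2")
    if [ -n "$b" ]; then
        echo "WARNING: malformed client addresses in $2:" $b
        rc=1
    fi
    return $rc
}

# Constructed sample files mirroring the article's listings, including the
# "30.216.18.1268" entry from its hosts.allow. Not real host configuration.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/tcpd      ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/telnetd   telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd      rshd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind   rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/rexecd    rexecd
ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1
EOF
cat > "$SAMPLE_DIR/hosts.allow" <<'EOF'
ftpd:30.216.18.128:allow
sshd:30.216.18.1268:allow
sshd:30.216.18.128:allow
EOF

if audit_host "$SAMPLE_DIR/inetd.conf" "$SAMPLE_DIR/hosts.allow"; then
    echo "audit clean"
else
    echo "audit found problems"
fi
```

On the sample data the report shows ftp as the only wrapped service, warns that shell, login and exec are still enabled, and points at line 2 of hosts.allow. Run with the real /etc paths after secure.sh has finished and inetd has been refreshed.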

From "ITPUB Blog", link: http://blog.itpub.net/32980/viewspace-1037007/. Please cite the source when reposting; otherwise legal action may be taken.
