To improve the security of IBM AIX and bring the system up to the security baseline standard, a number of security settings have to be applied. To reduce the workload, avoid repeated manual steps, reduce human error and improve efficiency, a batch hardening script was written which, together with the related security configuration files, automates the security upgrade. The steps are as follows:
1. Download the TCP Wrapper install package (netsec.options) and generate the .toc file
2. Edit the configuration files ftpusers, hosts.allow, hosts.deny and inetd.conf
3. Edit the script file secure.sh
4. Pack the setup directory so it can be used for batch AIX hardening
5. Use the package to apply the security settings on a new AIX host
6. Check the results of the security settings
Note: the configuration files, the related install file and the hardening script are all kept under /setup.
This article covers AIX 5.3.
1. Download the TCP Wrapper install package (netsec.options) and generate the .toc file
Some information about the TCP Wrapper install fileset (netsec.options):
Network security options TCP Wrapper 1.1.0.0
TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. The TCP Wrapper home page is located at:
ftp://ftp.porcupine.org/pub/security/index.html
TCP Wrapper is added to the netsec.options package on the AIX 5.3 Expansion Pack.
If you have the AIX 5.3 Expansion Pack media at hand, search it for the netsec.options file.
#cd /setup
#ls -lt netsec.options
-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options
#inutoc .
This generates the installp table of contents (.toc) for netsec.options, which secure.sh uses later when it runs installp automatically.
# ls -lt .toc
-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc
2. Edit the configuration files ftpusers, hosts.allow, hosts.deny and inetd.conf
The AIX setup template and the contents of the related configuration files are as follows:
# cd /setup
# ls
.toc ftpusers hosts.allow hosts.deny inetd.conf netsec.options secure.sh
# ls -lt
total 888
-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh
-rw-r--r-- 1 root system 5 Aug 17 17:09 ftpusers
-rw-r--r-- 1 root system 1881 Aug 17 16:42 .toc
-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options
-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf
-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow
-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny
# more ftpusers
root
Note: this prevents the root user from logging in to this host via ftp.
# more hosts.allow
...
ftpd:30.216.18.128:allow
ftpd:30.216.18.128:allow
sshd:30.216.18.1268:allow
sshd:30.216.18.128:allow
Note:
Because telnet is disabled in inetd.conf, only ftp and ssh access need to be controlled here.
For how to disable telnet and install or upgrade ssh on AIX, see my blog post: http://djb1008.itpub.net/post/42280/502007.
This is the list of IP addresses allowed to connect; only the hosts listed here may ftp or ssh to this machine.
# more hosts.deny
ALL : ALL : severity auth.info
# more inetd.conf
## service socket protocol wait/ user server server program
## name type nowait program arguments
##
ftp stream tcp6 nowait root /usr/sbin/tcpd ftpd
#telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a
shell stream tcp6 nowait root /usr/sbin/rshd rshd
#kshell stream tcp nowait root /usr/sbin/krshd krshd
login stream tcp6 nowait root /usr/sbin/rlogind rlogind
#klogin stream tcp nowait root /usr/sbin/krlogind krlogind
exec stream tcp6 nowait root /usr/sbin/rexecd rexecd
#comsat dgram udp wait root /usr/sbin/comsat comsat
#uucp stream tcp nowait root /usr/sbin/uucpd uucpd
#bootps dgram udp wait root /usr/sbin/bootpd bootpd /etc/bootptab
##
## Finger, systat and netstat give out user information which may be
## valuable to potential "system crackers." Many sites choose to disable
## some or all of these services to improve security.
##
#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd
#systat stream tcp nowait nobody /usr/bin/ps ps -ef
#netstat stream tcp nowait nobody /usr/bin/netstat netstat -f inet
#
#tftp dgram udp6 SRC nobody /usr/sbin/tftpd tftpd -n
#talk dgram udp wait root /usr/sbin/talkd talkd
#ntalk dgram udp wait root /usr/sbin/talkd talkd
#
# rexd uses very minimal authentication and many sites choose to disable
# this service to improve security.
#
#rquotad sunrpc_udp udp wait root /usr/sbin/rpc.rquotad rquotad 100011 1
#rexd sunrpc_tcp tcp wait root /usr/sbin/rpc.rexd rexd 100017 1
#rstatd sunrpc_udp udp wait root /usr/sbin/rpc.rstatd rstatd 100001 1-3
#rusersd sunrpc_udp udp wait root /usr/lib/netsvc/rusers/rpc.rusersd rusersd 100002 1-2
#rwalld sunrpc_udp udp wait root /usr/lib/netsvc/rwall/rpc.rwalld rwalld 100008 1
#sprayd sunrpc_udp udp wait root /usr/lib/netsvc/spray/rpc.sprayd sprayd 100012 1
#pcnfsd sunrpc_udp udp wait root /usr/sbin/rpc.pcnfsd pcnfsd 150001 1-2
#echo stream tcp nowait root internal
#discard stream tcp nowait root internal
#chargen stream tcp nowait root internal
#daytime stream tcp nowait root internal
#time stream tcp nowait root internal
#echo dgram udp wait root internal
#discard dgram udp wait root internal
#chargen dgram udp wait root internal
#daytime dgram udp wait root internal
#time dgram udp wait root internal
## The following line is for installing over the network.
#instsrv stream tcp nowait netinst /u/netinst/bin/instsrv instsrv -r /tmp/netinstalllog /u/netinst/scripts
#imap2 stream tcp nowait root /usr/sbin/imapd imapd
#pop3 stream tcp nowait root /usr/sbin/pop3d pop3d
ttdbserver sunrpc_tcp tcp wait root /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1
cmsd sunrpc_udp udp wait root /usr/dt/bin/rpc.cmsd cmsd 100068 2-5
wsmserver stream tcp nowait root /usr/websm/bin/wsmserver wsmserver -start
xmquery dgram udp wait root /usr/bin/xmtopas xmtopas -p3
#example of the use of tcpwrapper with telnet
#telnet stream tcp6 nowait root /usr/sbin/tcpd telnetd -a
#auth stream tcp6 nowait root /usr/sbin/authd authd
Note: most non-essential services are stopped: finger, telnet, ftp, sendmail, time, echo, discard, daytime, chargen, comsat, klogin, kshell, ntalk, talk, tftp, uucp, dtspc (as the inetd.conf above shows, ftp itself stays enabled but is started through /usr/sbin/tcpd, so hosts.allow and hosts.deny apply to it).
Disabling a service is simple: put a # at the start of its line in inetd.conf.
3. Edit the script file secure.sh
# more secure.sh
#install tcp_wrapper (run from /setup, where netsec.options and the .toc are)
/usr/lib/instl/sm_inst installp_cmd -a -Q -d '.' -f '_all_latest' '-c' '-N' '-g' '-X' '-G' '-Y'
#backup some configure files
mv /etc/hosts.deny /etc/hosts.deny.bak
mv /etc/hosts.allow /etc/hosts.allow.bak
mv /etc/inetd.conf /etc/inetd.conf.bak
mv /etc/ftpusers /etc/ftpusers.bak
cp /etc/profile /etc/profile.bak
cp /etc/security/user /etc/security/user.bak
#update new configure files to /etc
cp /setup/hosts.deny /etc
cp /setup/hosts.allow /etc
cp /setup/inetd.conf /etc
cp /setup/ftpusers /etc
#remove some users
rmuser -p lp
rmuser -p uucp
rmuser -p nuucp
rmuser -p lpd
rmuser -p invscout
#change some users ,lock and disable login
chuser account_locked=true login=false imnadm
chuser account_locked=true login=false ldap
chuser account_locked=true login=false snapp
#change some users,disable login
chuser login=false daemon
chuser login=false bin
chuser login=false sys
chuser login=false adm
#change /etc/security/user file,update some password policy (attribute is histsize, not hissize)
chsec -f /etc/security/user -s default -a "minalpha = 4" -a "minother = 1" -a "maxage = 52" -a "minlen = 8" -a "minage = 1" -a "histsize = 10" -a "mindiff = 2"
#refresh inetd service
refresh -s inetd
#stop sendmail service,config sendmail service not start on next reboot.
stopsrc -s sendmail
chrctcp -d sendmail
#config timeout time to 600 seconds,user umask to 022
#rebuild /etc/profile from the backup taken above: appending grep output back
#to the file that is being read would duplicate its contents
chmod u+w /etc/profile
grep -v TMOUT /etc/profile.bak | grep -v umask > /etc/profile
echo 'TMOUT=600'>>/etc/profile
echo 'umask 022'>>/etc/profile
chmod u-w /etc/profile
4. Pack the setup directory so it can be used for batch AIX hardening
#cd /setup
#ls -lt
total 888
-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc
-rw-r--r-- 1 root system 6 Aug 18 09:00 ftpusers
-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh
-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options
-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf
-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow
-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny
#tar -cvf /tmp/secure.tar /setup
5. Use the package to apply the security settings on a new AIX host
Note: copy or ftp secure.tar to /tmp on the new AIX host; the following steps are carried out on the new host.
#mkdir /setup
# tar -xvf /tmp/secure.tar /setup
x /setup
x /setup/hosts.allow, 787 bytes, 2 media blocks.
x /setup/hosts.deny, 126 bytes, 1 media blocks.
x /setup/ftpusers, 6 bytes, 1 media blocks.
x /setup/inetd.conf, 5137 bytes, 11 media blocks.
x /setup/secure.sh, 1162 bytes, 3 media blocks.
x /setup/netsec.options, 422912 bytes, 826 media blocks.
x /setup/.toc, 1881 bytes, 4 media blocks.
# cd /setup
# ls -lt
total 888
-rw-r--r-- 1 root system 1881 Aug 18 09:50 .toc
-rw-r--r-- 1 root system 6 Aug 18 09:00 ftpusers
-rwxr--r-- 1 root system 1162 Aug 18 08:53 secure.sh
-rw-r----- 1 root system 422912 Aug 17 16:42 netsec.options
-rw-r--r-- 1 root system 5137 Aug 17 16:21 inetd.conf
-rw-r--r-- 1 root system 787 Aug 17 16:20 hosts.allow
-rw-r--r-- 1 root system 126 Aug 17 16:20 hosts.deny
#./secure.sh
6. Check the results of the security settings
# lssrc -l -s inetd
Subsystem Group PID Status
inetd tcpip 245912 active
...
Service Command Description Status
xmquery /usr/bin/xmtopas xmtopas -p3 active
wsmserver /usr/websm/bin/wsmserver wsmserver -start active
cmsd /usr/dt/bin/rpc.cmsd cmsd 100068 2-5 active
ttdbserver /usr/dt/bin/rpc.ttdbserver rpc.ttdbserver 100083 1 active
exec /usr/sbin/rexecd rexecd active
login /usr/sbin/rlogind rlogind active
shell /usr/sbin/rshd rshd active
ftp /usr/sbin/tcpd ftpd active
Note: the sub-services finger, telnet, ftp, sendmail, time, echo, discard, daytime, chargen, comsat, klogin, kshell, ntalk, talk, tftp, uucp, dtspc have been stopped (ftp remains in the listing because it is now run through tcpd).
In addition, if a user's password does not satisfy the new policy, they will be asked to change it at login, and the new password must also satisfy the policy. The password policy applied by this setup is:
at least 4 alphabetic characters, at least 1 non-alphabetic character, a maximum password age of 52 weeks, a minimum length of 8, a minimum age of 1 week, 10 previous passwords remembered and not reusable, and at least 2 characters different from the old password. The exact setting is the command:
chsec -f /etc/security/user -s default -a "minalpha = 4" -a "minother = 1" -a "maxage = 52" -a "minlen = 8" -a "minage = 1" -a "histsize = 10" -a "mindiff = 2"
After the setup, only the hosts listed in /etc/hosts.allow can reach this host via ssh.
If the NetBackup client is installed, restart the NetBackup client program:
#/etc/rc.client.netbackup
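As an added example (not part of the original post), the checks below can be run offline against the /setup inputs before packing and against /etc on the new host after secure.sh: they list the services still enabled in an inetd.conf-format file, compare them with the list the post expects to be disabled, and validate the daemon:client:allow lines of hosts.allow, catching the duplicate line and the mistyped octet (30.216.18.1268) present in the hosts.allow shown above. The sample files and the MUST_BE_OFF list are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of the /setup
# inputs and of the services left enabled. Sample files are constructed.
# Services the post expects to be disabled. ftp is kept on purpose but
# wrapped by /usr/sbin/tcpd, so it is not listed here.
MUST_BE_OFF="finger telnet time echo discard daytime chargen comsat klogin kshell ntalk talk tftp uucp dtspc"

# Print the names of services still enabled in an inetd.conf-format file.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# Return 1 and name the offenders if a must-be-off service is still enabled.
check_inetd() {
    bad=""
    for svc in $(enabled_services "$1"); do
        for off in $MUST_BE_OFF; do
            [ "$svc" = "$off" ] && bad="$bad $svc"
        done
    done
    [ -z "$bad" ] && return 0
    printf 'enabled but should be off:%s\n' "$bad"
    return 1
}

# Validate daemon:client:allow lines. Assumes the dotted-quad client form the
# post uses; reports duplicate lines and octets outside 0-255, returns 1 if any.
check_hosts_allow() {
    awk -F: '
        BEGIN { rc = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }
        { if (seen[$0]++) { print "duplicate: " $0; rc = 1 }
          n = split($2, o, ".")
          if (n != 4) { print "bad client: " $0; rc = 1; next }
          for (i = 1; i <= 4; i++)
              if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { print "bad client: " $0; rc = 1; break }
        }
        END { exit rc }' "$1"
}
# Constructed samples: telnet left enabled, plus the duplicate line and the
# mistyped octet (30.216.18.1268) that appear in the post's hosts.allow.
WORK=${TMPDIR:-/tmp}/aixaudit.$$; mkdir -p "$WORK"
printf '%s\n' 'ftp stream tcp6 nowait root /usr/sbin/tcpd ftpd' \
    'telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a' \
    '#finger stream tcp nowait nobody /usr/sbin/fingerd fingerd' > "$WORK/inetd.conf"
printf '%s\n' 'ftpd:30.216.18.128:allow' 'ftpd:30.216.18.128:allow' \
    'sshd:30.216.18.1268:allow' 'sshd:30.216.18.128:allow' > "$WORK/hosts.allow"
check_inetd "$WORK/inetd.conf" || echo "inetd.conf: FAIL"
check_hosts_allow "$WORK/hosts.allow" || echo "hosts.allow: FAIL"
```

Point the two functions at /setup/inetd.conf and /setup/hosts.allow before running tar, and at /etc/inetd.conf and /etc/hosts.allow on the new host after secure.sh; a non-zero return from either is the signal that something was missed.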
From the "ITPUB Blog", link: http://blog.itpub.net/32980/viewspace-1037007/. Please credit the source when reposting; otherwise legal liability will be pursued.