1. /etc/login.defs
/etc/login.defs is the file that sets user account limits. The settings in this file do not apply to the root user.
If /etc/shadow contains the same option for a user, the value in /etc/shadow takes effect; in other words, the configuration in /etc/shadow has higher priority than /etc/login.defs.
[root@VM_0_11_centos boot]# cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999 # maximum password lifetime
PASS_MIN_DAYS 0 # minimum password lifetime
PASS_MIN_LEN 8 # minimum password length
PASS_WARN_AGE 7 # how many days before expiry to start warning
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD MD5
MD5_CRYPT_ENAB yes # encrypt passwords with MD5
[root@VM_0_11_centos boot]#
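An added example (not code from the original post) that parses /etc/login.defs the way the values above are laid out and flags the settings a hardening review would question: in the file shown, PASS_MAX_DAYS 99999 effectively means passwords never expire, and ENCRYPT_METHOD is MD5 although its comment says SHA512. The sample content and the baseline thresholds are constructed assumptions; remember that these values do not cover root and that per-user values in /etc/shadow override them.

```python
# Added example: audit /etc/login.defs against an assumed hardening baseline.
# The baseline thresholds (90 days, 8 characters, SHA512, umask 027/077) are
# this example's assumptions, not settings from the original post.

# Constructed sample mirroring the values in the cat output above.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
UMASK 077
# Use SHA512 to encrypt password.
ENCRYPT_METHOD MD5
MD5_CRYPT_ENAB yes
"""

def parse_login_defs(text):
    """Return {KEY: value} for active lines; a later duplicate key wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0]] = parts[1].strip()
    return values

def audit_login_defs(values):
    """Return [(KEY, reason)] for settings that fall below the assumed baseline."""
    findings = []
    max_days = int(values.get("PASS_MAX_DAYS", "99999"))
    if max_days > 90:                      # 99999 days is "never expires" in practice
        findings.append(("PASS_MAX_DAYS", f"{max_days} days; passwords are never rotated"))
    if int(values.get("PASS_MIN_DAYS", "0")) < 1:
        findings.append(("PASS_MIN_DAYS", "0 lets a user change straight back to an old password"))
    if int(values.get("PASS_MIN_LEN", "0")) < 8:
        findings.append(("PASS_MIN_LEN", "shorter than 8 characters"))
    method = values.get("ENCRYPT_METHOD", "DES")   # shadow-utils falls back to DES if unset
    if method.upper() != "SHA512":
        findings.append(("ENCRYPT_METHOD", f"{method} hashes are weak; use SHA512"))
    if values.get("UMASK", "022") not in ("027", "077"):
        findings.append(("UMASK", "new home directories are readable by other users"))
    return findings

if __name__ == "__main__":
    for key, reason in audit_login_defs(parse_login_defs(SAMPLE_LOGIN_DEFS)):
        print(f"{key}: {reason}")
```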
2. The root user
The root user can perform any operation; perhaps a user did not intend to run a particular command, and the mistaken operation then causes serious problems. Therefore, avoid switching to the root user to carry out such operations; a user can run privileged commands with the sudo command instead.
3. /etc/exports
Users can write the file systems they need to share directly into the /etc/exports file; when the NFS server restarts, the system automatically reads /etc/exports and tells the kernel which file systems to export and with which access permissions. Keep the access permissions as strict as possible: do not use wildcards, do not allow write access to the root directory, and grant read-only access wherever possible.
4. /etc/hosts.deny and /etc/hosts.allow
/etc/hosts.allow and /etc/hosts.deny are the two configuration files of the tcpd server, which can control access by external IP addresses to services on this host. /etc/hosts.allow controls which IP addresses may access this host, and /etc/hosts.deny controls which IP addresses are refused. If the configurations in the two files conflict, /etc/hosts.deny takes precedence. When an IP address requests a connection, Linux checks first whether /etc/hosts.allow permits it; if so, the connection is let through directly. If not, it then checks whether /etc/hosts.deny forbids it; if so, the connection is refused.
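The lookup order described above, as an added example that is not part of the original post: a match in hosts.allow ends the search, hosts.deny is consulted only afterwards, and a client matched by neither file is admitted, which is why "ALL: ALL" in hosts.deny is the usual default-deny line. Only ALL, exact addresses, dotted prefixes such as "192.168.1." and net/mask patterns are handled; hostname patterns and EXCEPT clauses are not, and all rules and addresses are constructed.

```python
# Added example: evaluate a connection against hosts.allow, then hosts.deny.
import ipaddress

# Constructed rule files: only sshd is reachable from the LAN and one host,
# everything is allowed from localhost, and everything else is denied.
SAMPLE_HOSTS_ALLOW = """\
sshd: 192.168.1., 10.0.0.5
ALL: 127.0.0.1
"""
SAMPLE_HOSTS_DENY = """\
ALL: ALL
"""

def parse_rules(text):
    """Return [(daemon_list, client_list)] from 'daemons : clients' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr):
    """Simplified tcp_wrappers client matching for the pattern forms listed above."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # dotted network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                        # net/mask, e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr                    # exact address

def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))

def tcpd_decision(daemon, addr, allow_text=SAMPLE_HOSTS_ALLOW, deny_text=SAMPLE_HOSTS_DENY):
    """Return 'allow' or 'deny' for a client address connecting to a daemon."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return "allow"                        # hosts.allow match ends the lookup
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"                            # matched by neither file
```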
5. Shut down services that are not needed
6. /etc/issue, /etc/issue.net, /etc/motd
/etc/issue and /etc/issue.net: these two files are displayed before you log in; the difference is that one is shown before a local login and the other before a network login. That is, /etc/issue is shown before a login on a TTY console (non-graphical), while /etc/issue.net is shown before a Telnet remote login (SSH does not enable it by default; see the note at the end of the article). In addition, /etc/issue.net does not support escape sequences. /etc/motd: this file is displayed after you log in, whether you log in on a TTY or a PTS, and whether via Telnet or SSH.
Therefore, keep sensitive information such as user passwords out of these files as far as possible.
7. /etc/securetty
The /etc/securetty file lets you specify which TTY devices the root user may log in from. The login program (usually /bin/login) reads /etc/securetty.
[root@VM_0_11_centos etc]# cat securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
8. Resource limits
The Linux resource-limit configuration file is /etc/security/limits.conf; limiting the number of processes a user may run is very important for the stability of a Linux system. limits.conf limits how much of each resource a user may consume, such as the maximum number of open files, the maximum number of threads and the maximum memory. Limiting the resources users may consume helps prevent denial of service.
[root@VM_0_11_centos etc]# cat ./security/limits.conf
# /etc/security/limits.conf
#
#This file sets the resource limits for the users logged in via PAM.
#It does not affect resource limits of the system services.
#
#Also note that configuration files in /etc/security/limits.d directory,
#which are read in alphabetical order, override the settings in this
#file in case the domain is the same or more specific.
#That means for example that setting a limit for wildcard domain here
#can be overriden with a wildcard setting in a config file in the
#subdirectory, but a user specific setting here can be overriden only
#with a user specific setting in the subdirectory.
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - a user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
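An added example (not from the original post) that parses limits.conf lines in the <domain> <type> <item> <value> form shown above and works out which value applies to a user, following the precedence the file header describes: a user-name domain is more specific than an @group domain, which is more specific than *. Assumptions: among lines of equal specificity the last one wins, the % maxlogins domain and the limits.d directory are not handled, and the sample lines are constructed.

```python
# Added example: resolve the effective pam_limits value for a user.

# Constructed sample based on the commented-out lines in limits.conf.
SAMPLE_LIMITS_CONF = """\
#<domain> <type> <item>  <value>
*         soft   nofile  1024
*         hard   nofile  4096
@student  hard   nproc   20
@faculty  soft   nproc   20
alice     -      nproc   50
"""

def parse_limits(text):
    """Return [(domain, type, item, value)]; type '-' expands to soft and hard."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4:
            continue
        domain, ltype, item, value = fields
        if value != "unlimited":
            value = int(value)
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            entries.append((domain, t, item, value))
    return entries

def effective_limit(entries, user, groups, item, ltype):
    """Return the value that applies (int or 'unlimited'), or None if no line matches."""
    best_rank, best = -1, None
    for domain, t, it, value in entries:
        if t != ltype or it != item:
            continue
        if domain == user:
            rank = 2                              # user line beats everything
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1                              # group line beats the wildcard
        elif domain == "*":
            rank = 0
        else:
            continue
        if rank >= best_rank:                     # assumption: later line wins a tie
            best_rank, best = rank, value
    return best
```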
9. Move the rpm command to a safe place
Move the rpm command to a safe place, so that when an intruder gets into the system they cannot use the rpm command to install harmful programs; restore the rpm command when you need to use rpm again.
10. /etc/profile
Every user has a .bash_history file in their home directory (~/.bash_history). It stores the commands the user has entered, and it can happen that a user typed a password at a prompt where a password should not have been entered, which is a risk.
HISTFILESIZE and HISTSIZE in /etc/profile determine how many of the user's commands are recorded; these two values can be reduced.
11. /etc/shadow
This file stores user names and user passwords. Every user in it must be protected by a password, and the password must be stored in encrypted form rather than as plaintext. Check whether the file contains any user without password protection.
12. /etc/passwd
This file stores all users. A system must have one and only one root user, and root has uid 0; check whether any user other than root in this file has uid=0.
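The two checks from sections 11 and 12, as an added example that is not part of the original post, run over constructed /etc/passwd and /etc/shadow content: it lists every account with uid 0 other than root, and every shadow entry whose password field is empty, is not a crypt hash, or uses the MD5 ($1$) scheme that section 1 showed being enabled. All account names and hash strings are made up.

```python
# Added example: the uid-0 and unprotected-password checks over constructed data.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

# Constructed entries; the "$6$..." and "$1$..." strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
backup::18000:0:99999:7:::
alice:$1$constructed$notarealhash:18000:0:99999:7:::
bob:plaintext-password:18000:0:99999:7:::
"""

def extra_uid0_accounts(passwd_text):
    """Names of accounts whose uid is 0 but whose name is not root (field 3 is the uid)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def shadow_password_findings(shadow_text):
    """[(user, reason)] for shadow entries that are neither locked nor a strong hash."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field: no password is set"))
        elif pw[0] in "!*":
            continue                          # locked or no-login account, nothing to flag
        elif not pw.startswith("$"):
            findings.append((user, "password field is not a crypt hash"))
        elif pw.startswith("$1$"):
            findings.append((user, "MD5 hash; rehash with SHA-512 ($6$)"))
    return findings

if __name__ == "__main__":
    print("extra uid 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    for user, reason in shadow_password_findings(SAMPLE_SHADOW):
        print(f"{user}: {reason}")
```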