Linux System Configuration
1.1 Disable remote root login
vi /etc/ssh/sshd_config
Set PermitRootLogin no (edit the existing line rather than appending a new one: the stock file carries it commented out as #PermitRootLogin yes, and sshd honours the first active occurrence of a keyword, so an appended line after an earlier active "PermitRootLogin yes" is ignored)
Before saving, make sure an unprivileged account that can su or sudo to root can already log in over SSH; otherwise this change locks you out of the host. Save, validate the file, then restart the SSH service
sshd -t
service sshd restart
(the service is called ssh rather than sshd on Debian-based systems)
1.2 Configure the password policy
vi /etc/login.defs and set the following parameters
PASS_MAX_DAYS 90
PASS_MIN_DAYS 2
PASS_MIN_LEN 12
PASS_WARN_AGE 7
These values only apply to accounts created afterwards (existing users are handled in 1.3), and on a PAM-based system the minimum length actually enforced is the minlen given to pam_cracklib in 1.4, not PASS_MIN_LEN.
vi /etc/default/useradd and set the following parameters
INACTIVE=7
EXPIRE=
INACTIVE=7 locks a new account 7 days after its password has expired; an empty EXPIRE means the account itself has no fixed expiry date.
1.3 Apply the same values to users that already exist
chage -M 90 -m 2 -W 7 -I 7 username
chage -l username (shows the resulting ageing settings so the change can be verified)
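Running chage by hand for every account is error-prone, so here is an added example (not part of the original post) that enumerates the interactive accounts in a passwd file and applies the 1.2 ageing values to each, printing the commands first as a dry run. MIN_UID, DRY_RUN and the passwd-file argument are assumptions introduced here so the logic can be tried on a copy of /etc/passwd; the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: roll the ageing values from
# 1.2 out to every existing interactive account, as 1.3 requires.
# Assumptions: regular users are UID >= MIN_UID (500 on RHEL/CentOS 5, 1000 on
# newer distributions) with a real login shell; the passwd file path and the
# DRY_RUN switch are knobs added here so the logic can be tested on a copy.

MIN_UID="${MIN_UID:-500}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = really run chage

# list_regular_users PASSWD_FILE: print one login name per line for every
# account that should get the policy. UID 65534 (nfsnobody) and accounts
# whose shell is nologin or false are skipped.
list_regular_users() {
    awk -F: -v min="$MIN_UID" '
        $3 >= min && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# chage_cmd USER: the command applying max 90, min 2, warn 7, inactive 7 days.
chage_cmd() {
    printf 'chage -M 90 -m 2 -W 7 -I 7 %s\n' "$1"
}

# apply_password_ageing PASSWD_FILE: print (dry run) or execute the command
# for every regular user listed in the file.
apply_password_ageing() {
    list_regular_users "$1" | while read -r user; do
        cmd=$(chage_cmd "$user")
        if [ "$DRY_RUN" -eq 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Constructed sample data so the script runs offline; on a real host pass
# /etc/passwd and set DRY_RUN=0 once the printed commands look right.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
svc:x:501:501:service account:/var/lib/svc:/sbin/nologin
bob:x:502:502:Bob:/home/bob:/bin/sh
EOF
apply_password_ageing "$SAMPLE"   # prints the chage lines for alice and bob
rm -f "$SAMPLE"
```

Review the dry-run output before setting DRY_RUN=0: service accounts with a real shell (common for application users) will be included, and a short PASS_MAX_DAYS on them can break unattended jobs when the password expires.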
1.4 Lock accounts after repeated failed logins by adding the following lines:
vi /etc/pam.d/system-auth
password required pam_cracklib.so try_first_pass retry=3 minlen=12
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
auth required /lib/security/pam_tally.so deny=3 no_magic_root reset
The pam_tally lines must come before pam_unix.so in the auth stack, otherwise they never see the failed attempt. retry=3 on pam_cracklib is the number of tries a user gets to choose an acceptable new password, not a login limit; the login limit is deny=3. Inspect or clear a user's counter with pam_tally --user username and pam_tally --user username --reset. pam_tally is obsolete: use pam_tally2 on RHEL/CentOS 6 and pam_faillock on 7 and later.
2. System security auditing
service auditd start
chkconfig auditd on
ls -l /var/log/audit/audit.log
auditctl -s reports whether the kernel audit subsystem is enabled; a growing audit.log that is owned by root and not world-readable confirms events are being recorded.
3. Stop the following services
Check the state of each service below and turn off any that is On. A service that is not installed just makes chkconfig print an error and can be skipped. Note that iptables and ip6tables are the host firewall: disable them only where a separate network firewall already protects the host, otherwise leave them enabled (most hardening baselines require a host firewall). On RHEL/CentOS 7 and later use systemctl disable --now in place of service and chkconfig.
chkconfig --list cups
chkconfig --list cups-config-daemon
chkconfig --list gpm
chkconfig --list iiim
chkconfig --list ip6tables
chkconfig --list iptables
chkconfig --list isdn
chkconfig --list mdmonitor
chkconfig --list pcmcia
chkconfig --list rhnsd
chkconfig --list sendmail
chkconfig --list smartd
chkconfig --list portmap
Stop the services
service cups stop
service cups-config-daemon stop
service gpm stop
service iiim stop
service ip6tables stop
service iptables stop
service isdn stop
service mdmonitor stop
service pcmcia stop
service rhnsd stop
service sendmail stop
service smartd stop
service portmap stop
Prevent them from starting again after a reboot:
chkconfig cups off
chkconfig cups-config-daemon off
chkconfig gpm off
chkconfig iiim off
chkconfig ip6tables off
chkconfig iptables off
chkconfig isdn off
chkconfig mdmonitor off
chkconfig pcmcia off
chkconfig rhnsd off
chkconfig sendmail off
chkconfig smartd off
chkconfig portmap off
4. Set a terminal idle timeout
vi /etc/profile and add the following
TMOUT=600
readonly TMOUT
export TMOUT
TMOUT is in seconds, so 600 logs an idle interactive shell out after 10 minutes; readonly stops users from unsetting it and export passes it to child shells. It only affects bash-style login shells that read /etc/profile, not GUI sessions or daemons.
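Sections 1.1, 1.2 and 4 all come down to "open a file and set a parameter", and the same files are what an auditor later checks for drift. The following is an added example, not part of the original post: an idempotent set_kv that rewrites a key in place (handling the commented-out default and duplicate lines) and a get_kv/audit_file pair that reports deviations from the intended values. It handles both the "KEY VALUE" syntax of sshd_config and login.defs and the "KEY=VALUE" syntax of /etc/default/useradd and /etc/profile. The file paths are passed as arguments, and the file contents in the demonstration are constructed copies, both assumptions made here so the script can be run without touching a live system.

```shell
#!/bin/sh
# Added example, not part of the original post: the "vi this file and set
# that parameter" steps of 1.1, 1.2 and 4 done idempotently, plus a checker
# that reports drift from the intended values so the baseline can be
# re-verified later. Assumptions: files are passed as arguments so the
# functions can be exercised on copies; the demo file contents are constructed.

# set_kv FILE SEP KEY VALUE
# Rewrite FILE so it contains exactly one "KEY<SEP>VALUE" line. The first
# existing KEY line, active or commented out ("#PermitRootLogin yes"), is
# replaced and later duplicates dropped; a missing key is appended. Replacing
# in place matters for sshd, which honours the first active occurrence of a
# keyword, so a line appended after an active "PermitRootLogin yes" is ignored.
set_kv() {
    file=$1 sep=$2 key=$3 value=$4
    tmp=$(mktemp)
    awk -v sep="$sep" -v key="$key" -v value="$value" '
        { line = $0
          sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indent and comment mark
          split(line, parts, "[ \t=]+")
          if (parts[1] == key) {
              if (!done) { print key sep value; done = 1 }
              next
          }
          print }
        END { if (!done) print key sep value }
    ' "$file" >"$tmp" && cat "$tmp" >"$file"   # cat keeps FILE owner and mode
    rm -f "$tmp"
}

# get_kv FILE KEY: print the effective value, i.e. the first active KEY line
# (comments ignored); prints nothing when the key is unset.
get_kv() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { line = $0
          sub(/^[ \t]+/, "", line)
          n = split(line, parts, "[ \t=]+")
          if (parts[1] == key) { v = (n >= 2) ? parts[2] : ""; print v; exit } }
    ' "$1"
}

# audit_file FILE KEY WANT [KEY WANT ...]: print one line per deviation and
# return the number of deviations (0 means the file matches the baseline).
audit_file() {
    file=$1; shift
    bad=0
    while [ $# -ge 2 ]; do
        actual=$(get_kv "$file" "$1")
        if [ "$actual" != "$2" ]; then
            echo "$file: $1 is '${actual:-unset}', want '$2'"
            bad=$((bad + 1))
        fi
        shift 2
    done
    return "$bad"
}

# Demonstration on constructed copies of sshd_config, login.defs and profile.
demo() {
    ssh=$(mktemp); defs=$(mktemp); prof=$(mktemp)
    printf '#PermitRootLogin yes\nProtocol 2\n' >"$ssh"
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\nPASS_WARN_AGE 7\n' >"$defs"
    printf 'umask 022\n' >"$prof"

    echo "== before =="
    audit_file "$ssh"  PermitRootLogin no || true
    audit_file "$defs" PASS_MAX_DAYS 90 PASS_MIN_DAYS 2 PASS_MIN_LEN 12 PASS_WARN_AGE 7 || true
    audit_file "$prof" TMOUT 600 || true

    set_kv "$ssh"  ' ' PermitRootLogin no
    set_kv "$defs" ' ' PASS_MAX_DAYS 90
    set_kv "$defs" ' ' PASS_MIN_DAYS 2
    set_kv "$defs" ' ' PASS_MIN_LEN 12
    set_kv "$prof" '=' TMOUT 600

    echo "== after =="
    audit_file "$ssh"  PermitRootLogin no &&
    audit_file "$defs" PASS_MAX_DAYS 90 PASS_MIN_DAYS 2 PASS_MIN_LEN 12 PASS_WARN_AGE 7 &&
    audit_file "$prof" TMOUT 600 && echo "baseline satisfied"
    rm -f "$ssh" "$defs" "$prof"
}
demo
```

On a real host run audit_file against /etc/ssh/sshd_config, /etc/login.defs and /etc/profile as a read-only check, and only then call set_kv; the return value of audit_file is the number of deviations, which makes it easy to drive from a cron job or a configuration-management check.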
Reposted from: https://blog.51cto.com/bjiokn/1092153