安全命令集(CentOS7.5)
cat -n /etc/ssh/sshd_config |sed -n '17p;38p;43p;65p;79p;115p'
17 Port 22221
38 PermitRootLogin yes
43 PubkeyAuthentication yes
47 AuthorizedKeysFile .ssh/authorized_keys
65 PasswordAuthentication no
79 GSSAPIAuthentication no
115 UseDNS no
ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ""
useradd why1
sz -E .ssh/id_dsa
cd /home/why1/
mkdir .ssh
chmod 700 .ssh
chown why1.why1 .ssh/
cat ~/.ssh/id_dsa.pub > .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
chown why1.why1 .ssh/authorized_keys
visudo
93 why1 ALL=(ALL) NOPASSWD:ALL
vim /etc/ssh/sshd_config
17 Port 22221
38 PermitRootLogin yes
43 PubkeyAuthentication yes
47 AuthorizedKeysFile .ssh/authorized_keys
65 PasswordAuthentication no
79 GSSAPIAuthentication no
115 UseDNS no
systemctl reload sshd
#开启sudo日志
echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers
systemctl restart rsyslog
#以上完成 下面使用,以及查看
[why1@localhost ~]$ sudo -l
User why1 may run the following commands on localhost:
(ALL) NOPASSWD: ALL
[why1@localhost ~]$ su -
Password:
[why1@localhost ~]$ sudo su -
###安全详解(CentOS7.5)
[root@localhost ~]# cat -n /etc/ssh/sshd_config |sed -n '17p;38p;43p;65p;79p;115p'
17 #Port 22 #修改ssh连接端口
38 #PermitRootLogin yes #是否允许root账号远程登陆
43 #PubkeyAuthentication yes #是否开启公钥连接认证
47 AuthorizedKeysFile .ssh/authorized_keys #公钥文件的放置位置
65 PasswordAuthentication yes #是否开启密码验证登陆
79 GSSAPIAuthentication yes #是否启用GSSAPI认证(设为 no 即关闭)
115 #UseDNS yes #是否启用DNS反向解析(设为 no 即关闭)
[root@localhost ~]# cat -n /etc/ssh/sshd_config |sed -n '17p;38p;43p;65p;79p;115p'
17 Port 22221 #工作中需要设定到1万以上端口,避免被扫描出来
38 PermitRootLogin yes #如果不是超大规模的服务器,为了方便可以暂时开启root远程登陆
43 PubkeyAuthentication yes #开启公钥认证模式
47 AuthorizedKeysFile .ssh/authorized_keys #公钥放置位置
65 PasswordAuthentication no #为了安全,我们关闭服务器的密码认证方式
79 GSSAPIAuthentication no #关闭GSSAPI认证,极大提高ssh链接速度
115 UseDNS no #关闭DNS反向解析,极大提高ssh连接速度
#重启服务
[root@localhost ~]#systemctl reload sshd
#做账户安全
[root@localhost ~]# ssh-keygen -t dsa -f ~/.ssh/id_dsa -P "" #生成密钥对(注意: OpenSSH 7.0 起默认禁用 ssh-dss 密钥, CentOS7.5 自带 OpenSSH 7.4, 实际使用建议改为 -t ed25519 或 -t rsa, 否则需在 sshd_config 中调整 PubkeyAcceptedKeyTypes)
[root@localhost ~]# useradd why1 #创建新用户
[root@localhost ~]# sz -E .ssh/id_dsa #私钥放到宿主机上
[root@localhost ~]# cd /home/why1/ #切换用户家目录
[root@localhost why1]# mkdir .ssh #创建.ssh隐藏目录
[root@localhost why1]# chmod 700 .ssh #权限700
[root@localhost why1]# chown why1.why1 .ssh/ #属主属组 why1
[root@localhost why1]# cat ~/.ssh/id_dsa.pub > .ssh/authorized_keys #将root生成的公钥写入why1的authorized_keys
[root@localhost why1]# chmod 600 .ssh/authorized_keys #权限600
[root@localhost why1]# chown why1.why1 .ssh/authorized_keys #属主属组 why1
[root@localhost .ssh]# ll -a
total 4
drwx------ 2 why1 why1 29 Mar 11 18:23 .
drwx------ 3 why1 why1 74 Mar 11 18:19 ..
-rw------- 1 why1 why1 616 Mar 11 18:23 authorized_keys
[root@localhost .ssh]# visudo #root给why1提所有权限
93 why1 ALL=(ALL) NOPASSWD:ALL
[root@localhost .ssh]# vim /etc/ssh/sshd_config #编辑里面内容
17 Port 22221
38 PermitRootLogin yes
43 PubkeyAuthentication yes
47 AuthorizedKeysFile .ssh/authorized_keys
65 PasswordAuthentication no
79 GSSAPIAuthentication no
115 UseDNS no
[root@localhost .ssh]# systemctl reload sshd
[why1@localhost ~]$ sudo -l #查看权限
User why1 may run the following commands on localhost:
(ALL) NOPASSWD: ALL
[why1@localhost ~]$ su - #直接切换 需要密码
Password:
[why1@localhost ~]$ sudo su - #提权切换
Last login: Mon Mar 11 18:11:08 CST 2019 from 192.168.200.1 on pts/1
[root@localhost ~]# #root账号了
#这就是 工作中 老大怎么远程登陆root账户 全程不允许输入密码
#开启sudo日志
[root@localhost ~]# echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf
[root@localhost ~]# echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers #直接追加不经语法检查, 写错会导致 sudo 整体不可用, 建议用 visudo 编辑
[root@localhost ~]# systemctl restart rsyslog
#查看
[root@localhost ~]# cat /var/log/sudo.log
Mar 11 18:53:51 : why1 : TTY=pts/2 ; PWD=/home/why1 ; USER=root ;
COMMAND=/bin/su -
##备注
/etc/crontab 这个文件需要加 i 锁: 黑客最爱攻击这个地方, 在里面写入的定时任务用 crontab -l 查不到
chattr +i /etc/crontab
映射文件也应该在做完配置以后,修改权限,变成600