一、禁ping
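# Stop answering ICMP echo requests (the host no longer replies to ping).
# Remove any earlier copy of the key before appending so re-running the
# snippet does not stack duplicate lines in sysctl.conf.
# Caveat: monitoring that relies on ping will report the host as down.
sed -i '/^net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=/d' /etc/sysctl.conf
printf '%s\n' 'net.ipv4.icmp_echo_ignore_all=1' >> /etc/sysctl.conf
sysctl -p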
二、关闭ICMP_TIMESTAMP应答
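# Drop ICMP timestamp requests/replies (ICMP types 13/14), which leak
# the system clock to remote probes.
# `iptables -C` checks for the rule first so re-running the snippet
# does not insert the same rule twice.
# These rules only live in the running ruleset; persist them with the
# distro's iptables-save mechanism or they are lost at reboot.
for icmp_type in timestamp-request timestamp-reply; do
  iptables -C INPUT -p ICMP --icmp-type "$icmp_type" -m comment --comment "deny ICMP timestamp" -j DROP 2>/dev/null \
    || iptables -I INPUT -p ICMP --icmp-type "$icmp_type" -m comment --comment "deny ICMP timestamp" -j DROP
done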
三、锁定系统关键文件
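# Make the account database files immutable so they cannot be modified
# (even by root) without first clearing the attribute with `chattr -i`.
# Caveat: useradd/usermod/passwd/chage will fail while +i is set; clear
# the attribute before any account change and re-apply it afterwards.
# /etc/inittab does not exist on systemd hosts, so skip missing files
# instead of letting chattr error out on them.
for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab; do
  if [ -e "$f" ]; then
    chattr +i "$f"
  else
    printf 'skip %s: not found\n' "$f" >&2
  fi
done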
四、ssh加固
4.1 限制root用户直接登录
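# Forbid direct root login over SSH.
# A plain "yes -> no" substitution is not enough: when the directive is
# present only as the commented default ("#PermitRootLogin yes") the
# substitution edits the comment and the built-in default stays in force.
# Remove every existing occurrence and append an explicit "no", the same
# delete-then-append pattern the later sshd sections use.
# Make sure a non-root account with sudo access can already log in,
# otherwise this locks you out of the host.
sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
printf '%s\n' 'PermitRootLogin no' >> /etc/ssh/sshd_config
# Appended lines end up inside a trailing Match block if the file has
# one; confirm the effective value with `sshd -T | grep -i permitrootlogin`.
# Validate the config before restarting so a bad edit never takes sshd
# down (sshd -t prints the error itself on failure).
sshd -t && systemctl restart sshd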
4.2 修改允许密码错误次数
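# Allow at most 3 authentication attempts per SSH connection.
# Delete every existing (or commented) MaxAuthTries line, then append
# the wanted value; re-running the snippet leaves a single line.
sed -i '/MaxAuthTries/d' /etc/ssh/sshd_config
printf '%s\n' 'MaxAuthTries 3' >> /etc/ssh/sshd_config
# Validate before restarting so a broken config never takes sshd down.
sshd -t && systemctl restart sshd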
4.3 关闭AgentForwarding和TcpForwarding
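# Disable SSH agent forwarding and TCP port forwarding so the host
# cannot be used as a pivot or to relay a client's agent socket.
# Caveat: this also breaks legitimate tunnels (ssh -L/-R/-D) and
# agent-based hops through this host.
for directive in AgentForwarding TcpForwarding; do
  sed -i "/$directive/d" /etc/ssh/sshd_config
done
printf '%s\n' 'AllowAgentForwarding no' 'AllowTcpForwarding no' >> /etc/ssh/sshd_config
# Validate before restarting so a broken config never takes sshd down.
sshd -t && systemctl restart sshd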
4.4 关闭UseDNS
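# Do not reverse-resolve client addresses at login (avoids slow logins
# when DNS is unreachable; the lookup adds no security value).
sed -i '/UseDNS/d' /etc/ssh/sshd_config
printf '%s\n' 'UseDNS no' >> /etc/ssh/sshd_config
# Validate before restarting so a broken config never takes sshd down.
sshd -t && systemctl restart sshd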
五、升级sudo版本
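# Upgrade sudo from a local RPM. Check that the file exists and that its
# digests/signature verify before installing it, so a corrupt or
# tampered package is not applied. `rpm -K` only verifies the GPG
# signature when the vendor key has been imported (rpm --import), and a
# package carrying no signature still passes the digest check, so the
# file must come from a trusted source.
sudo_rpm=sudo-1.9.7-3.el7.x86_64.rpm
if [ -f "$sudo_rpm" ] && rpm -K -- "$sudo_rpm"; then
  rpm -Uvh -- "$sudo_rpm"
else
  printf '%s: missing or failed verification, not installed\n' "$sudo_rpm" >&2
fi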
验证
# Print the installed sudo version to confirm the upgrade took effect
# (--version is the long form of -V).
sudo --version
六、设置会话超时(5分钟)，将值设置为readonly，防止用户更改
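# Log idle login shells out after 300 s. TMOUT is made readonly so a
# user cannot unset or raise it in their own session.
# Strip earlier copies first so re-running does not stack duplicate
# lines in /etc/profile.
sed -i '/^export TMOUT=/d;/^readonly TMOUT$/d' /etc/profile
printf '%s\n' 'export TMOUT=300' 'readonly TMOUT' >> /etc/profile
# Note: /etc/profile only covers login shells; non-login interactive
# shells pick up /etc/bashrc instead and are not affected by this.
# Sourcing the file applies the (now readonly) TMOUT to the current
# shell as well, so keep it as the last step.
. /etc/profile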
七、隐藏系统版本信息
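# Hide the OS/kernel banner shown before local and network logins by
# moving the banner files aside. Only move files that still exist so a
# second run does not fail on the already-moved originals.
for banner in /etc/issue /etc/issue.net; do
  if [ -e "$banner" ]; then
    mv -- "$banner" "$banner.bak"
  fi
done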
八、禁止Control-Alt-Delete 键盘重启系统命令
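# Disable the Ctrl-Alt-Del reboot. Mask the target instead of deleting
# the unit file: removing a packaged file leaves the package verification
# inconsistent and the next systemd update restores it, silently
# re-enabling the key. Masking (a /dev/null link under /etc) survives
# package updates and is reversible with `systemctl unmask`.
systemctl mask ctrl-alt-del.target
systemctl daemon-reload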
九、密码加固
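# Password ageing / length policy in login.defs.
# NOTE: PASS_* values only apply to accounts created after the change;
# existing accounts keep their current ageing until updated with chage
# (not done here). PASS_MIN_LEN is also not enforced on PAM-based
# systems, where pam_pwquality's minlen applies instead (see login.defs(5)).
# LOGIN_DEFS can point at a copy of the file for a dry run.
LOGIN_DEFS=${LOGIN_DEFS:-/etc/login.defs}

#######################################
# Print the current value of a login.defs key (first match only, so a
# duplicated key cannot produce a multi-line value).
# Arguments: $1 - key name, e.g. PASS_MAX_DAYS
# Outputs:   the value on stdout; nothing if the key is absent
#######################################
get_login_def() {
  awk -v key="$1" '$1 == key { print $2; exit }' "$LOGIN_DEFS"
}

#######################################
# Replace (or add) a login.defs key; idempotent across runs.
# Arguments: $1 - key name, $2 - new value
#######################################
set_login_def() {
  sed -i "/^$1[[:space:]]/d" "$LOGIN_DEFS"
  printf '%s %s\n' "$1" "$2" >> "$LOGIN_DEFS"
}

#######################################
# Succeed if $1 is a non-empty decimal integer. A missing or malformed
# value is treated as non-compliant below instead of crashing the
# numeric test.
# Arguments: $1 - value to check
#######################################
is_uint() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

PASS_MAX_DAYS=$(get_login_def PASS_MAX_DAYS)
if ! is_uint "$PASS_MAX_DAYS" || [ "$PASS_MAX_DAYS" -gt 90 ]; then
  printf '%s\n' "密码最长保留期限为:$PASS_MAX_DAYS, 更改为90天"
  set_login_def PASS_MAX_DAYS 90
fi

PASS_MIN_DAYS=$(get_login_def PASS_MIN_DAYS)
if ! is_uint "$PASS_MIN_DAYS" || [ "$PASS_MIN_DAYS" -ne 1 ]; then
  printf '%s\n' "密码最短保留期限为:$PASS_MIN_DAYS, 更改为1天"
  set_login_def PASS_MIN_DAYS 1
fi

PASS_MIN_LEN=$(get_login_def PASS_MIN_LEN)
if ! is_uint "$PASS_MIN_LEN" || [ "$PASS_MIN_LEN" -lt 8 ]; then
  printf '%s\n' "密码最少字符为:$PASS_MIN_LEN, 更改为8"
  set_login_def PASS_MIN_LEN 8
fi

PASS_WARN_AGE=$(get_login_def PASS_WARN_AGE)
if ! is_uint "$PASS_WARN_AGE" || [ "$PASS_WARN_AGE" -ne 7 ]; then
  # The message reported PASS_MIN_LEN here by mistake; show the warn age.
  printf '%s\n' "密码到期前$PASS_WARN_AGE天提醒, 更改为7"
  set_login_def PASS_WARN_AGE 7
fi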