本文共 5382 字,大约阅读时间需要 17 分钟。
首先确保所使用的linux系统中的所有软件都已经安装到最新版本。
linux下的漏洞或者叫做不规范大致如下几点:
用户登录,openssl, CA证书,GRUB加密,SMB密码永不过期,无任何所属用户用户组的文件,文件权限为777的,所使用到的软件严重滞后,tcp timstamp, 数据库的open access, ICMP redirection, ip forward,
umask值的默认设置,磁盘分区的weakness
1. 使用root用户在终端登录。
sed -i '/^tty[0-9]$/d' /etc/securetty
sed -i '/^vc\/[0-9]$/d' /etc/securetty
2. 使用ssh协议的root登录
sed -i 's/#PermitRootLogin\ yes/PermitRootLogin\ no/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin\ without-password/PermitRootLogin\ no/' /etc/ssh/sshd_config
3. ICMP redirection 问题
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
4. 数据库的open access
使用iptables来加强数据库的访问认证。受信任的主机访问,通过设置数据库中的用户主机名称不使用%来匹配所有主机。
5. ssl使用的证书协议
不使用泛域名证书,使用至少2048bit以上的证书
The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server.
Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.
There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3 and TLS 1.0). The only fully safe configuration is to use Authenticated Encryption with Associated Data (AEAD), e.g. AES-GCM, AES-CCM in TLS 1.2.
Send the HTTP response headers with X-Frame-Options that instruct the browser to restrict framing where it is not allowed.
Configure the server to disable support for 3DES suite.
6. TCP timestamp responses的问题
net.ipv4.tcp_timestamps=0
7. IP Source Routing
The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.
Disable IP source routing
For Linux systems ensure the following sysctl value is set:
net.ipv4.conf.all.accept_source_route=0
It is also advised that packet forwarding be disabled, unless there is a legitimate reason not to, by setting the following sysctl values:
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.forwarding=0
net.ipv4.conf.all.mc_forwarding=0
net.ipv6.conf.all.mc_forwarding=0
More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html
8. 设置grub密码
Enable GRUB password
Configuration remediation steps
Set a password in the GRUB configuration file. This is often located in one of several locations, but can really be anywhere:
/etc/grub.conf
/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lstFor all files mentioned above ensure that a password is set or that the files do not exist.
To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:
password <password>
To set an encrypted password, run grub-md5-crypt and use its output when adding the following line before the first uncommented line:
password --md5 <encryptedpassword>
For either approach, choose an appropriately strong password.
9. 磁盘分区的挂载方式添加nodev参数
Partition Mounting Weakness
Configuration remediation steps
The specific way to modify the partition mount options varies from system to system. Consult your operating system's manual or mount man page.
The following issues were discovered:
/boot partition does not have 'nodev' option set. /data partition does not have 'nodev' option set.10. 内核参数的一般优化
net.core.rmem_default = 2569600
net.core.rmem_max = 2569600
net.core.wmem_default = 2569600
net.core.wmem_max = 2569600
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_keepalive_time = 600
kernel.sem = 500 64000 200 256
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.tcp_timestamps=0
11. iptables 防攻击
-A FORWARD -p tcp --syn -m limit --limit 1de>de >/sde> de >--limit-burst 5 -j ACCEPT 限制每秒5个新连接de>
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1de>de >/sde> de >-j ACCEPT 防端口扫描de>
-A FORWARD -p icmp --icmp-de>de >typede> de >echode>de >-request -m limit --limit 1de>de >/sde> de >-j ACCEPT de>防止洪水攻击