Linux Hardening

Linux系统加固

Secure Linux servers following CIS benchmarks and security best practices.

遵循CIS基准和安全最佳实践加固Linux服务器。

When to Use This Skill

何时使用该技能

Use this skill when:

Hardening production servers
Meeting compliance requirements
Implementing security baselines
Configuring secure SSH access

在以下场景使用此技能：

加固生产服务器
满足合规要求
实施安全基线
配置安全的SSH访问

SSH Hardening

SSH加固

bash

undefined

bash

undefined

/etc/ssh/sshd_config

PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes MaxAuthTries 3 ClientAliveInterval 300 ClientAliveCountMax 2 AllowUsers deploy admin Protocol 2

undefined

PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes MaxAuthTries 3 ClientAliveInterval 300 ClientAliveCountMax 2 AllowUsers deploy admin Protocol 2

undefined

User Security

用户安全

bash

undefined

bash

undefined

Password policy

密码策略

sudo apt install libpam-pwquality

/etc/security/pwquality.conf

minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1

Lock inactive accounts

锁定非活跃账户

useradd -D -f 30

Audit sudo usage

审计sudo使用情况

echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers

undefined

echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers

undefined

Firewall Configuration

防火墙配置

bash

undefined

bash

undefined

UFW setup

UFW 设置

ufw default deny incoming ufw default allow outgoing ufw allow ssh ufw allow 443/tcp ufw enable

Or iptables

或使用iptables

iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT

undefined

iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT

undefined

Kernel Hardening

内核加固

bash

undefined

bash

undefined

/etc/sysctl.d/99-security.conf

net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 kernel.randomize_va_space = 2 fs.suid_dumpable = 0

Apply

应用配置

sysctl -p

undefined

sysctl -p

undefined

File Permissions

文件权限

bash

undefined

bash

undefined

Critical files

关键文件

chmod 600 /etc/shadow chmod 644 /etc/passwd chmod 700 /root chmod 600 /etc/ssh/sshd_config

Find world-writable files

查找全局可写文件

find / -type f -perm -0002 -ls

Find SUID files

查找SUID文件

find / -perm -4000 -type f -ls

undefined

find / -perm -4000 -type f -ls

undefined

Audit Configuration

审计配置

bash

undefined

bash

undefined

Install auditd

安装auditd

apt install auditd

/etc/audit/rules.d/audit.rules

-w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/sudoers -p wa -k actions -a always,exit -F arch=b64 -S execve -k exec

undefined

-w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/sudoers -p wa -k actions -a always,exit -F arch=b64 -S execve -k exec

undefined

Best Practices

最佳实践

Disable unused services
Keep system updated
Use fail2ban for intrusion prevention
Enable SELinux/AppArmor
Regular security audits
Monitor log files
Implement least privilege

禁用未使用的服务
保持系统更新
使用fail2ban进行入侵防护
启用SELinux/AppArmor
定期安全审计
监控日志文件
实施最小权限原则

linux-hardening

Original

Translation

Linux Hardening

Linux系统加固

When to Use This Skill

何时使用该技能

SSH Hardening

SSH加固

/etc/ssh/sshd_config

/etc/ssh/sshd_config

User Security

用户安全

Password policy

密码策略

/etc/security/pwquality.conf

/etc/security/pwquality.conf

Lock inactive accounts

锁定非活跃账户

Audit sudo usage

审计sudo使用情况

Firewall Configuration

防火墙配置

UFW setup

UFW 设置

Or iptables

或使用iptables

Kernel Hardening

内核加固

/etc/sysctl.d/99-security.conf

/etc/sysctl.d/99-security.conf

Apply

应用配置

File Permissions

文件权限

Critical files

关键文件

Find world-writable files

查找全局可写文件

Find SUID files

查找SUID文件

Audit Configuration

审计配置

Install auditd

安装auditd

/etc/audit/rules.d/audit.rules

/etc/audit/rules.d/audit.rules

Best Practices

最佳实践

Related Skills

相关技能