hardening
系统加固
系统加固
概述
概述
系统加固、基线配置、CIS 标准技能。
系统加固、基线配置、CIS 标准技能。
SSH 加固
SSH 加固
配置优化
配置优化
bash
bash
/etc/ssh/sshd_config
/etc/ssh/sshd_config
禁用 root 登录
禁用 root 登录
PermitRootLogin no
PermitRootLogin no
禁用密码认证
禁用密码认证
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
限制用户
限制用户
AllowUsers admin deploy
AllowGroups sshusers
# 注意:AllowUsers 与 AllowGroups 同时存在时,登录用户必须两者都满足;sshd 按 DenyUsers、AllowUsers、DenyGroups、AllowGroups 的顺序处理,只写其中一个更不容易误锁。
AllowUsers admin deploy
AllowGroups sshusers
修改端口
修改端口
Port 2222
# 改端口只能减少自动化扫描噪音,不能替代密钥认证和防火墙;改端口前先在 firewalld/ufw 放行新端口,
# 启用 SELinux 的系统还需 semanage port -a -t ssh_port_t -p tcp 2222,否则 sshd 无法绑定新端口。
Port 2222
超时设置
超时设置
ClientAliveInterval 300
ClientAliveCountMax 2
ClientAliveInterval 300
ClientAliveCountMax 2
禁用空密码
禁用空密码
PermitEmptyPasswords no
PermitEmptyPasswords no
协议版本
协议版本
Protocol 2
# OpenSSH 7.4 起已移除 SSH-1,新版本中该指令会被忽略,仅为兼容旧版本保留;生效配置以 sshd -T 的输出为准。
Protocol 2
日志级别
日志级别
LogLevel VERBOSE
# VERBOSE 会记录登录所用公钥的指纹,便于把登录事件关联到具体密钥;默认的 INFO 不记录指纹。
LogLevel VERBOSE
应用配置
应用配置
bash
bash
检查配置
检查配置
sshd -t
# sshd -T 可打印最终生效的配置(含 Include 的 sshd_config.d/*.conf),用于核对改动是否真正生效
sshd -t
重启服务(重启前保持当前会话不断开,另开一个新连接确认能登录后再退出;Debian/Ubuntu 上单元名为 ssh 而非 sshd)
重启服务
systemctl restart sshd
systemctl restart sshd
内核参数加固
内核参数加固
sysctl 配置
sysctl 配置
bash
bash
/etc/sysctl.d/99-security.conf
/etc/sysctl.d/99-security.conf
禁用 IP 转发
禁用 IP 转发
net.ipv4.ip_forward = 0
# 注意:运行 Docker/libvirt/Kubernetes 或充当路由器、VPN 网关的主机需要转发,此项应保持 1,否则网络会悄悄中断。
net.ipv4.ip_forward = 0
禁用 ICMP 重定向
禁用 ICMP 重定向
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
启用 SYN Cookie
启用 SYN Cookie
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syncookies = 1
忽略 ICMP 广播
忽略 ICMP 广播
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
禁用源路由
禁用源路由
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# default.* 决定之后新建网卡的初始值,只设 all.* 时后加的接口不受保护
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
启用反向路径过滤
启用反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
记录可疑包
记录可疑包
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.log_martians = 1
禁用 IPv6(如不需要)
禁用 IPv6(如不需要)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 禁用前确认没有服务依赖 IPv6(::1 回环、sshd ListenAddress、解析器等);若保留 IPv6,应同样把 net.ipv6.conf.all/default 的 accept_redirects、accept_source_route 设为 0。
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
应用配置
应用配置
bash
sysctl -p /etc/sysctl.d/99-security.conf
# 或 sysctl --system,按顺序重新加载全部 /etc/sysctl.d/*.conf;之后用 sysctl -n <key> 核对运行时值
bash
sysctl -p /etc/sysctl.d/99-security.conf
用户安全
用户安全
密码策略
密码策略
bash
bash
/etc/login.defs
/etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14
# login.defs 只对之后新建的账户生效;已有账户需用 chage -M 90 -m 7 -W 14 <user> 逐个调整,并用 chage -l <user> 核对。
# 使用 pam_pwquality 的系统上 PASS_MIN_LEN 通常不起作用,长度由下方 pwquality.conf 的 minlen 决定。
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14
/etc/security/pwquality.conf
/etc/security/pwquality.conf
minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
# 需要 PAM 口令栈中存在 pam_pwquality.so 这些设置才生效;root 为他人改口令时默认不受限,需要时加 enforce_for_root。
账户锁定
账户锁定
bash
bash
/etc/pam.d/common-auth (Debian)
/etc/pam.d/common-auth (Debian)
auth required pam_tally2.so deny=5 unlock_time=900
auth required pam_tally2.so deny=5 unlock_time=900
# pam_tally2 已在 Linux-PAM 1.5 中移除(Debian 12 / Ubuntu 24.04 起不可用),应改用 pam_faillock,写法同下方 RHEL 示例;
# Debian/Ubuntu 上优先通过 pam-auth-update 管理,避免 common-auth 在升级时被覆盖。
/etc/pam.d/system-auth (RHEL)
/etc/pam.d/system-auth (RHEL)
auth required pam_faillock.so preauth deny=5 unlock_time=900
auth required pam_faillock.so authfail deny=5 unlock_time=900
auth required pam_faillock.so preauth deny=5 unlock_time=900
auth required pam_faillock.so authfail deny=5 unlock_time=900
# preauth 行须放在 pam_unix.so 之前,authfail 行放在其之后,并在 account 段加 account required pam_faillock.so,否则不会真正计数和解锁;
# sshd 走的是 password-auth,需要同步修改。RHEL 8+ 由 authselect 管理这两个文件,手改会被覆盖,
# 应使用 authselect enable-feature with-faillock,并在 /etc/security/faillock.conf 中设置 deny/unlock_time。
清理无用账户
清理无用账户
bash
bash
锁定账户
锁定账户
usermod -L username
passwd -l username
# 以上只锁定口令:拥有 authorized_keys 的用户仍可通过 SSH 公钥登录。要彻底禁用,应再让账户过期(chage -E 0 username)或改 shell 为 nologin。
usermod -L username
passwd -l username
禁用 shell
禁用 shell
usermod -s /sbin/nologin username
usermod -s /sbin/nologin username
查找无密码账户
查找无密码账户
awk -F: '($2 == "") {print $1}' /etc/shadow
# 同时确认 /etc/passwd 中所有账户都使用 shadow 口令(第二列应为 x):awk -F: '($2 != "x") {print $1}' /etc/passwd
awk -F: '($2 == "") {print $1}' /etc/shadow
文件权限
文件权限
关键文件
关键文件
bash
bash
设置权限
设置权限
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 600 /etc/gshadow
chmod 644 /etc/group
chmod 700 /root
chmod 600 /boot/grub/grub.cfg
# Debian/Ubuntu 上 /etc/shadow、/etc/gshadow 默认为 root:shadow 0640,依赖 shadow 组读取的程序(如 setgid 的 unix_chkpwd)在 0600 下会失效,
# 请按发行版的 CIS 基线选 0600 或 0640,并同时用 chown 核对属主。RHEL 系列 grub 配置在 /boot/grub2/grub.cfg;UEFI 下位于 vfat 分区时 chmod 无效,需靠挂载选项控制。
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 600 /etc/gshadow
chmod 644 /etc/group
chmod 700 /root
chmod 600 /boot/grub/grub.cfg
设置属性
设置属性
chattr +i /etc/passwd
chattr +i /etc/shadow
# 注意:加了 +i 后 useradd/usermod/passwd/chage 以及配置管理工具都会失败,必须先 chattr -i 再改;
# 这会悄悄破坏口令过期策略与自动化,多数基线并不要求这样做,使用前权衡。
chattr +i /etc/passwd
chattr +i /etc/shadow
查找问题文件
查找问题文件
bash
bash
查找 SUID/SGID 文件
查找 SUID/SGID 文件
find / -perm /4000 -type f 2>/dev/null
find / -perm /2000 -type f 2>/dev/null
# 加 -xdev 可跳过 /proc、/sys 和网络挂载;结果应与包管理器记录对比(rpm -V / dpkg --verify),重点关注不属于任何软件包的 SUID 文件。
find / -perm /4000 -type f 2>/dev/null
find / -perm /2000 -type f 2>/dev/null
查找无主文件
查找无主文件
find / -nouser -o -nogroup 2>/dev/null
find / -nouser -o -nogroup 2>/dev/null
查找全局可写文件
查找全局可写文件
find / -perm -002 -type f 2>/dev/null
# 全局可写目录应带 sticky 位,否则任何用户可删除他人文件:find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
find / -perm -002 -type f 2>/dev/null
服务加固
服务加固
禁用不必要服务
禁用不必要服务
bash
bash
查看服务
查看服务
systemctl list-unit-files --type=service
systemctl list-unit-files --type=service
禁用服务
禁用服务
systemctl disable telnet
systemctl disable rsh
systemctl disable rlogin
systemctl disable vsftpd
# 这些单元名只是示例:telnet/rsh/rlogin 通常以 socket 激活(telnet.socket、rsh.socket、rlogin.socket)或由 xinetd 管理,
# 用 systemctl list-units --type=socket 和 ss -ltnp 核对真实监听项;systemctl disable --now 可同时停止;最稳妥的是直接卸载软件包。
systemctl disable telnet
systemctl disable rsh
systemctl disable rlogin
systemctl disable vsftpd
停止服务
停止服务
systemctl stop telnet
systemctl stop telnet
限制 cron
限制 cron
bash
bash
只允许特定用户
只允许特定用户
echo "root" > /etc/cron.allow
chmod 600 /etc/cron.allow
rm -f /etc/cron.deny
undefinedecho "root" > /etc/cron.allow
chmod 600 /etc/cron.allow
rm -f /etc/cron.deny
undefined常见场景
常见场景
场景 1:快速加固脚本
场景 1:快速加固脚本
bash
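#!/usr/bin/env bash
# 快速加固脚本:SSH 配置、内核参数、关键文件权限。
# 用法: sudo ./harden.sh
# 环境变量: FORCE_DISABLE_PASSWORD=1 —— 即使找不到任何 authorized_keys 也禁用密码认证。
#
# 与原始版本的区别:
#   * 原 sed 's/#PermitRootLogin yes/…/' 只在默认注释行原样存在时生效,
#     已被手改过的 sshd_config 会被静默跳过;set_sshd_option 覆盖任何已有行,不存在则追加。
#   * 禁用密码认证前先确认存在公钥,否则会把自己锁在外面。
#   * 重启 sshd 前先备份并执行 sshd -t,语法错误时不重启。
#   * sysctl 文件用 > 写入,重复执行不会累积重复项。
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SYSCTL_CONF=/etc/sysctl.d/99-security.conf

die() { printf '错误: %s\n' "$*" >&2; exit 1; }

#######################################
# 设置 sshd_config 中的一个指令。
# 匹配大小写不敏感(sshd 指令本身不区分大小写);已有行(含被 # 注释掉的默认行)
# 整行替换,文件中没有该指令时追加到末尾。
# 注意: Match 块内的同名指令也会被改写,配置里有 Match 时请先检查。
# 参数: $1 配置文件  $2 指令名  $3 值
#######################################
set_sshd_option() {
  local file=$1 key=$2 value=$3
  local pattern="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$"
  if grep -Eiq -- "$pattern" "$file"; then
    sed -i -E "s|${pattern}|${key} ${value}|I" -- "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# 粗略判断是否存在至少一个非空 authorized_keys。
# AuthorizedKeysFile 改过路径或使用 AuthorizedKeysCommand 时需自行确认。
# 返回: 0 找到,1 未找到
#######################################
has_authorized_keys() {
  local keyfile
  for keyfile in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    if [[ -s "$keyfile" ]]; then
      return 0
    fi
  done
  return 1
}

# SSH 加固:禁用 root 登录、(有公钥时)禁用密码认证、校验后重启。
harden_ssh() {
  printf '%s\n' '--- SSH 加固 ---'
  # 先备份,sshd -t 失败时可直接回滚。
  cp -a -- "$SSHD_CONFIG" "${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)"
  set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
  if [[ -n "${FORCE_DISABLE_PASSWORD:-}" ]] || has_authorized_keys; then
    set_sshd_option "$SSHD_CONFIG" PasswordAuthentication no
  else
    printf '警告: 未找到任何 authorized_keys,跳过禁用密码认证(设置 FORCE_DISABLE_PASSWORD=1 可强制)\n' >&2
  fi
  # 配置有语法错误时不重启,避免 sshd 起不来把所有人锁在外面。
  sshd -t || die "sshd_config 校验失败,已保留备份,未重启 sshd"
  # Debian/Ubuntu 上单元名为 ssh。
  systemctl restart sshd 2>/dev/null || systemctl restart ssh
}

# 内核参数:整体写入 drop-in 文件后加载。
harden_sysctl() {
  printf '%s\n' '--- 内核参数 ---'
  cat > "$SYSCTL_CONF" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
EOF
  sysctl -p "$SYSCTL_CONF"
}

# 关键文件权限。
harden_permissions() {
  printf '%s\n' '--- 文件权限 ---'
  # Debian/Ubuntu 默认 /etc/shadow 为 root:shadow 0640,依赖 shadow 组读取的程序在 0600 下会失效,
  # 按发行版基线决定是否保留 0600。
  chmod 600 /etc/shadow
  chmod 644 /etc/passwd
}

main() {
  [[ $EUID -eq 0 ]] || die "请以 root 运行"
  command -v sshd >/dev/null || die "未找到 sshd"
  printf '%s\n' '=== 系统加固 ==='
  harden_ssh
  harden_sysctl
  harden_permissions
  printf '%s\n' '加固完成'
}
main "$@"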
场景 2:CIS 基线检查
场景 2:CIS 基线检查
bash
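#!/usr/bin/env bash
# CIS 基线检查:每项输出 PASS/FAIL,退出码为失败项数,便于在 CI 中使用。
# 用法: sudo ./cis-check.sh
#
# 与原始版本的区别:
#   * 原脚本只是 grep 出配置行,没有判定;这里给出期望值与结果。
#   * grep sshd_config 只看主文件,会漏掉 Include 的 sshd_config.d/*.conf 和编译默认值,
#     改用 sshd -T 读取最终生效配置。
#   * 不使用 set -e:工具缺失或非 root 无法运行 sshd -T 时记为 FAIL,而不是中途退出。
set -uo pipefail

#######################################
# 比较实际值与期望值并打印结果。
# 参数: $1 检查名  $2 期望值  $3 实际值(可为空)
# 输出: "[PASS] 名称: 值" 或 "[FAIL] 名称: 期望 X, 实际 Y"
# 返回: 0 通过,1 失败
#######################################
check_setting() {
  local name=$1 expected=$2 actual=$3
  if [[ "$actual" == "$expected" ]]; then
    printf '[PASS] %s: %s\n' "$name" "$actual"
    return 0
  fi
  printf '[FAIL] %s: 期望 %s, 实际 %s\n' "$name" "$expected" "${actual:-<未设置>}"
  return 1
}

#######################################
# 数值上限检查(例如口令最长有效期)。非数字或为空均记为失败。
# 参数: $1 检查名  $2 上限  $3 实际值
# 返回: 0 通过,1 失败
#######################################
check_at_most() {
  local name=$1 limit=$2 actual=$3
  if [[ "$actual" =~ ^[0-9]+$ ]] && (( actual <= limit )); then
    printf '[PASS] %s: %s\n' "$name" "$actual"
    return 0
  fi
  printf '[FAIL] %s: 期望 <= %s, 实际 %s\n' "$name" "$limit" "${actual:-<未设置>}"
  return 1
}

#######################################
# 读取 sshd 生效配置中某个指令的值(sshd -T 需要 root,键名输出为小写)。
# 参数: $1 指令名
# 输出: 值;无法获取时为空
#######################################
sshd_effective() {
  local key
  key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  sshd -T 2>/dev/null | awk -v k="$key" '$1 == k { print $2; exit }'
}

main() {
  local failures=0
  printf '%s\n' '=== CIS 基线检查 ==='

  # SSH
  check_setting "SSH PermitRootLogin" no "$(sshd_effective PermitRootLogin)" || failures=$((failures + 1))
  check_setting "SSH PasswordAuthentication" no "$(sshd_effective PasswordAuthentication)" || failures=$((failures + 1))

  # 密码策略(login.defs 只约束新建账户,已有账户需用 chage -l 逐个核对)
  check_at_most "密码最大有效期 PASS_MAX_DAYS" 90 \
    "$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' /etc/login.defs 2>/dev/null)" || failures=$((failures + 1))

  # 内核参数:读运行时值,而不是配置文件
  check_setting "TCP SYN Cookie net.ipv4.tcp_syncookies" 1 \
    "$(sysctl -n net.ipv4.tcp_syncookies 2>/dev/null)" || failures=$((failures + 1))

  printf '失败项: %d\n' "$failures"
  return "$failures"
}
main "$@"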
加固检查清单
加固检查清单
| 项目 | 检查内容 |
|---|---|
| SSH | 禁用 root、密钥认证 |
| 密码 | 复杂度、有效期 |
| 内核 | sysctl 安全参数 |
| 服务 | 禁用不必要服务 |
| 权限 | 关键文件权限 |
| 日志 | 审计日志启用 |
| 项目 | 检查内容 |
|---|---|
| SSH | 禁用 root、密钥认证 |
| 密码 | 复杂度、有效期 |
| 内核 | sysctl 安全参数 |
| 服务 | 禁用不必要服务 |
| 权限 | 关键文件权限 |
| 日志 | 审计日志启用 |
故障排查
故障排查
bash
bash
SSH 无法登录
SSH 无法登录
journalctl -u sshd -f
tail -f /var/log/auth.log
# Debian/Ubuntu 单元名为 ssh(journalctl -u ssh),日志在 /var/log/auth.log;RHEL 系列日志在 /var/log/secure。客户端用 ssh -vvv 查看认证在哪一步失败。
journalctl -u sshd -f
tail -f /var/log/auth.log
检查 PAM 配置
检查 PAM 配置
cat /etc/pam.d/sshd
cat /etc/pam.d/sshd
检查 SELinux
检查 SELinux
getenforce
ausearch -m avc -ts recent
getenforce
ausearch -m avc -ts recent
# 改过 SSH 端口时还需确认 semanage port -l | grep ssh_port_t 包含新端口;ausearch 结果难读时可用 sealert -a /var/log/audit/audit.log(需安装 setroubleshoot-server)。