Welcome to Linux教程網

Miscellaneous notes on Linux security configuration

SSH configuration

The ex commands below are fed to vim to edit /etc/ssh/sshd_config in place. Every substitution uses :%s so that it applies to the whole file rather than only to the first line, and the AuthorizedKeysFile rule replaces the entire line so that the result is exactly "AuthorizedKeysFile /dev/null":

    vim /etc/ssh/sshd_config <<VIM > /dev/null 2>&1
    :%s/#LoginGraceTime 2m/LoginGraceTime 2m/
    :%s/#PermitRootLogin yes/PermitRootLogin no/
    :%s/#MaxAuthTries 6/MaxAuthTries 3/
    :%s$^#AuthorizedKeysFile.*$AuthorizedKeysFile /dev/null$
    :%s/GSSAPIAuthentication yes/GSSAPIAuthentication no/
    :%s/GSSAPICleanupCredentials yes/GSSAPICleanupCredentials no/
    :wq
    VIM

Disable public-key (certificate) login:

    AuthorizedKeysFile /dev/null

Lock system accounts so that they cannot log in:

    passwd -l bin
    passwd -l daemon
    passwd -l adm
    passwd -l lp
    passwd -l sync
    passwd -l shutdown
    passwd -l halt
    passwd -l mail
    passwd -l uucp
    passwd -l operator
    passwd -l games
    passwd -l gopher
    passwd -l ftp
    passwd -l nobody
    passwd -l vcsa
    passwd -l saslauth
    passwd -l postfix

Check which users can log in and which users have a password set:

    #!/bin/bash
    # print a banner before each check
    function section(){
        local title=$1
        echo "=================================================="
        echo " $title "
        echo "=================================================="
    }

    section "Check login user"
    # accounts whose shell is not nologin can still obtain a session
    grep -v nologin /etc/passwd

    section "Check login password"
    # entries whose password field contains '$' hold a password hash
    grep '\$' /etc/shadow

    section "Check SSH authorized_keys file"
    # report, for every home directory, whether an authorized_keys file exists
    for home in /home/*
    do
        user=$(basename "$home")
        if [ -e "$home/.ssh/authorized_keys" ]; then
            echo "$user : $home/.ssh/authorized_keys"
        else
            echo "$user : "
        fi
    done

55.2.1. pam_tally2.so

This module locks an account after the password has been entered wrongly 3 times; the lock is lifted automatically after 5 minutes, and while it is in force even the correct password is refused.

Add the following line at the top of /etc/pam.d/sshd:

    auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

View the failure counts:

    # pam_tally2
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2
    neo                 8    07/12/13 15:45:36  192.168.6.2

Reset the counter:

    # pam_tally2 -r -u root
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2

    # pam_tally2 -r -u neo
    Login           Failures Latest failure     From
    neo                 8    07/12/13 15:45:36  192.168.6.2

The pam_tally2 counter log is kept in /var/log/tallylog. Note that this is a binary file.

Example 55.1. /etc/pam.d/sshd

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

With the configuration above the root user is not restricted. If root is to be restricted as well, refer to the following:

    auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

55.2.2. pam_listfile.so user login restriction

Add the line below to /etc/pam.d/sshd. A whitelist is used here; a blacklist can be used instead.

    auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

Add the users allowed to log in to /etc/ssh/whitelist; any other user will be unable to log in to your system over ssh.

    # cat /etc/ssh/whitelist
    neo
    www

Example 55.2. /etc/pam.d/sshd - pam_listfile.so

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

sense=allow is the whitelist mode; sense=deny is the blacklist mode:

    auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
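The following audit script is an added example and is not part of the original article. It serves two of the sections above: it checks whether the sshd_config directives that the SSH configuration section sets are actually in effect (sshd honours the first uncommented occurrence of a keyword, so a directive that is still commented out, as happens when an edit only touches the first line, silently keeps its compiled-in default), and it reads saved pam_tally2 output in the column layout shown in the pam_tally2.so section to list the users whose failure count has reached the deny= threshold. The function names, the temporary directory and both sample input files are constructed for the example; Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example (not from the article): audit the sshd_config directives the
# article hardens and list users at or over the pam_tally2 deny= threshold.
# All file names and sample contents below are constructed.

# Print the effective value of one sshd_config directive.  sshd uses the first
# uncommented occurrence of a keyword (case-insensitive); a still-commented
# line means the compiled-in default applies, so it is reported as empty.
# Match blocks are not handled (assumption: a flat sshd_config).
sshd_effective() {
    cfg=$1; key=$2
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }                  # comments / blank lines
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            sub(/[[:space:]]+$/, "")                           # drop trailing blanks
            print; exit                                        # first match wins
        }' "$cfg"
}

# Compare each directive the article sets with its effective value and print
# one "OK" or "FAIL" line per directive.  The whole remainder of the line is
# compared, so "AuthorizedKeysFile /dev/null .ssh/authorized_keys" (a second
# file still listed) is reported as FAIL rather than passing on "/dev/null".
audit_sshd_config() {
    cfg=$1
    for pair in PermitRootLogin=no MaxAuthTries=3 GSSAPIAuthentication=no \
                GSSAPICleanupCredentials=no AuthorizedKeysFile=/dev/null; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key effective='${got:-<compiled-in default>}' expected='$want'"
        fi
    done
}

# Read saved `pam_tally2` output ($1) and print the users whose failure count
# (second column) is at or above the deny= value ($2); the header is skipped.
tally_locked_users() {
    awk -v deny="$2" 'NR > 1 && $2 + 0 >= deny + 0 { print $1 }' "$1"
}

# --- constructed sample input so the script runs offline --------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sshd_config: PermitRootLogin is still commented out (an edit
# that only touched line 1) and AuthorizedKeysFile still names a second file.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#LoginGraceTime 2m
#PermitRootLogin yes
MaxAuthTries 3
GSSAPIAuthentication no
GSSAPICleanupCredentials no
AuthorizedKeysFile /dev/null .ssh/authorized_keys
EOF

# Constructed pam_tally2 output in the layout the article shows.
cat > "$SAMPLE_DIR/tally.txt" <<'EOF'
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
neo                 8    07/12/13 15:45:36  192.168.6.2
www                 1    07/12/13 15:46:02  192.168.6.2
EOF

audit_sshd_config "$SAMPLE_DIR/sshd_config"
echo "Users at or over deny=3:"
tally_locked_users "$SAMPLE_DIR/tally.txt" 3
```

Run against a real host by pointing audit_sshd_config at /etc/ssh/sshd_config and tally_locked_users at the output of pam_tally2 saved to a file; on the constructed sample the audit reports two FAIL lines (PermitRootLogin at its default, AuthorizedKeysFile with an extra file) and the tally check lists root and neo.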
Copyright © Linux教程網 All Rights Reserved