security.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id$ -->
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V5.0//EN"
	"http://www.oasis-open.org/docbook/xml/5.0b5/dtd/docbook.dtd" [
	<!ENTITY article.author.xml 		SYSTEM "../common/article.author.xml">
	<!ENTITY book.info.legalnotice.xml 	SYSTEM "../common/book.info.legalnotice.xml">
	<!ENTITY book.info.abstract.xml		SYSTEM "../common/book.info.abstract.xml">
]>
<article xml:base="http://netkiller.sourceforge.net/article/" xmlns="http://docbook.org/ns/docbook" xml:lang="zh-cn">
	<articleinfo>
		<title>Linux 系统安全与优化配置</title>
		<subtitle>http://netkiller.github.io/journal/security.html</subtitle>
		&article.author.xml;
		&book.info.legalnotice.xml;
		<abstract>
			<para>Linux 系统安全问题</para>
			<para>2013-07-25 首发</para>
			<para>2016-11-16 更新</para>
		</abstract>
		&book.info.abstract.xml;
		<keywordset>
			<keyword>linux</keyword>
			<keyword>mysql</keyword>
			<keyword>security</keyword>
		</keywordset>
	</articleinfo>

	<section id="openssh">
		<title>Openssh 安全配置</title>
		<para>这节主要讲与SSH有关的安全配置</para>
		<section>
			<title>禁止root用户登录</title>
			<para>只允许普通用户登陆，然后通过su命令切换到root用过。后面还会将怎样限制su命令</para>
			<screen>
			<![CDATA[
PermitRootLogin no
			]]>
			</screen>
		</section>
		<section>
			<title>限制SSH验证重试次数</title>
			<para>超过3次socket连接会断开，效果不明显，有一点点用。</para>
			<screen>
			<![CDATA[
MaxAuthTries 3
			]]>
			</screen>
		</section>
		<section>
			<title>禁止证书登陆</title>
			<para>证书登陆非常安全，但是很有可能正常用户在你不知道情况下，给你安装了一个证书，他随时都可能进入你的系统</para>
			<para>任何一个有权限的用户都能很方便的植入一个证书到 .ssh/authorized_keys 文件中</para>
			<screen>
			<![CDATA[
PubkeyAuthentication no
AuthorizedKeysFile /dev/null
			]]>
			</screen>
		</section>
		<section>
			<title>使用证书替代密码认证</title>
			<para>是不是自相矛盾？ 这个跟上面讲的正好相反，这里只允许使用key文件登陆。</para>
			<screen>
			<![CDATA[
PasswordAuthentication no
			]]>
			</screen>
			<para>这种方式比起密码要安全的多，唯一要注意的地方就是证书被拷贝 ，建议你给证书加上 passphrase。</para>
			<para>证书的 passphrase 是可以通过openssl工具将其剥离的，SSH证书我没有试过，但是原理都差不多。</para>
		</section>
		<section>
			<title>图形窗口客户端记忆密码的问题</title>
			<para>当你使用XShell, Xftp, WinSCP, SecureCRT, SecureFX ......等等软件登录时，该软件都提供记住密码的功能，使你下次再登陆的时候无须输入密码就可以进入系统。这样做的确非常方便，</para>
			<para>但是你是否想过你的电脑一旦丢失或者被其他人进入，那有多么危险。我之前每天背着笔记本电脑上班，上面安装着XShell并且密码全部记忆在里面。这使我意识到一点电脑丢失，有多么可怕。</para>
			<para>禁止SSH客户端记住密码，你不要要求别人那么做。你也无法控制，最终我找到了一种解决方案。</para>
			<screen>
			<![CDATA[
ChallengeResponseAuthentication yes
			]]>
			</screen>
			<para>每次登陆都回提示你输入密码。密码保存也无效。</para>
		</section>
		<section>
			<title>关闭 GSSAPI</title>
			<screen>
			<![CDATA[
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
			]]>
			</screen>
		</section>
		<section>
			<title>禁止SSH端口映射</title>
			<para>禁止使用SSH映射Socks5翻墙等等</para>
			<screen>
			<![CDATA[
AllowTcpForwarding no
			]]>
			</screen>
		</section>
		<section>
			<title>IP地址限制</title>
			<para>只允许通过192.168.2.1,192.168.2.2 访问本机</para>
			<screen>
			<![CDATA[
# vim /etc/hosts.allow
sshd:192.168.2.1,192.168.2.2
			]]>
			</screen>
			<para>禁止所有人访问本机</para>
			<screen>
			<![CDATA[
# vim /etc/hosts.deny
sshd:ALL
			]]>
			</screen>
			<para>上面使白名单策略，你也可以采用黑名单策略。</para>
		</section>
		<section>
			<title>禁止SSH密码穷举</title>
			<para>骇客常常使用骇客字典穷举你的SSH密码，使用下面脚本可以封杀频繁链接的IP地址</para>
			<screen>
			<![CDATA[
#!/bin/bash
########################################
# Homepage: http://netkiller.github.io
# Author: neo <netkiller@msn.com>
########################################
PIPE=/var/tmp/pipe
pidfile=/var/tmp/$0.pid
BLACKLIST=/var/tmp/black.lst
WHITELIST=/var/tmp/white.lst

LOGFILE=/var/log/secure
DAY=5
########################################

if [ -z "$( egrep "CentOS|7." /etc/centos-release)" ]; then
	echo 'Only for CentOS 7.x'
	exit
fi

if [ -f $BLACKLIST ]; then
	find $BLACKLIST -type f -mtime +${DAY} -delete
fi

if [ ! -f ${BLACKLIST} ]; then
    touch ${BLACKLIST}
fi

if [ ! -f ${WHITELIST} ]; then
    touch ${WHITELIST}
fi

for ipaddr in $(grep rhost ${LOGFILE} | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq -c | sort -r -n | head -n 10| awk '{print $2}')
do

    if [ $(grep -c $ipaddr ${WHITELIST}) -gt 0 ]; then
		continue
    fi

    if [ $(grep -c $ipaddr ${BLACKLIST}) -eq 0 ] ; then
		echo $ipaddr >> ${BLACKLIST}
        iptables -I INPUT -p tcp --dport 22 -s $ipaddr -j DROP
        #iptables -I INPUT -s $ipaddr -j DROP
    fi
done			
			]]>			
			</screen>
		</section>
	</section>

	<section id="shell">
		<title>Shell 安全</title>
		<section>
			<title>.history 文件</title>
			<para>SA的操作记录问题</para>
			<para>通过~/.bash_history文件记录系统管理员的操作记录，定制.bash_history格式</para>
			<screen>
			<![CDATA[
HISTSIZE=1000
HISTFILESIZE=2000
HISTTIMEFORMAT="%Y-%m-%d-%H:%M:%S "
export HISTTIMEFORMAT
			]]>
			</screen>
			<para>看看实际效果</para>
			<screen>
			<![CDATA[
$ history | head
    1  2012-02-27-09:10:45 do-release-upgrade
    2  2012-02-27-09:10:45 vim /etc/network/interfaces
    3  2012-02-27-09:10:45 vi /etc/network/interfaces
    4  2012-02-27-09:10:45 ping www.163.com
			]]>
			</screen>
		</section>

		<section>
			<title>sudo 安全问题</title>
			<para>/etc/sudoers</para>
			<screen>
			<![CDATA[
Cmnd_Alias WEBMASTER = /srv/nginx/sbin/nginx, /srv/php/sbin/php-fpm, !/srv/mysql/bin/*
www localhost = NETWORKING, SERVICES, DELEGATING, PROCESSES, WEBMASTER

Cmnd_Alias Database = /usr/bin/mysqldump, /srv/mysql/bin/mysql, /u01/oracle/10.x.x/bin/sqlplus
mysql localhost = NETWORKING, SERVICES, DELEGATING, PROCESSES, WEBMASTER, Database
			]]>
			</screen>
			<para>使用www用户测试登录，无误后修改SSH配置文件，禁止root登录。</para>
			<screen>
			<![CDATA[
vim /etc/ssh/sshd_config
PermitRootLogin no
			]]>
			</screen>
			<para>然后在测试从www sudo 执行命令, 可能成功启动nginx 与 php-fpm</para>
		</section>
		<section>
			<title>临时文件安全</title>
			<para>临时文件不应该有执行权限</para>
			<para>/tmp</para>
			<screen>
			<![CDATA[
/dev/sda3 /tmp ext4 nosuid，noexec，nodev，rw 0 0
			]]>
			</screen>
			<para>同时使用符号连接将/var/tmp 指向 /tmp</para>
			<para>/dev/shm</para>
			<screen>
			<![CDATA[
none /dev/shm tmpfs defaults，nosuid，noexec，rw 0 0
			]]>
			</screen>
		</section>
		<section>
			<title>执行权限 </title>
			<para>以数据库为例,从安全角度考虑我们需要如下更改</para>
			<screen>
			<![CDATA[
chown mysql:mysql /usr/bin/mysql*
chmod 700 /usr/bin/mysql*
			]]>
			</screen>
			<para>mysql用户是DBA专用用户, 其他用户将不能执行mysql等命令。</para>
		</section>

	</section>
	<section id="firewall">
		<title>防火墙</title>
		<para>开启防火墙</para>
		<screen>
		<![CDATA[
lokkit --enabled
		]]>
		</screen>
		<section>
			<title>策略</title>
			<para>默认INPUT，FORWARD，OUTPUT 三个都是ACCEPT</para>
			<screen>
			<![CDATA[
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
			]]>
			</screen>
			<para>从安全的角度出发，INPUT，FORWARD，OUTPUT 三个都是DROP最安全，但配置的时候会给你带来非常多的不可预料的麻烦。</para>
			<screen>
			<![CDATA[
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
			]]>
			</screen>
			<para>折中的方案，也是打多少硬件防火墙厂商所采用的方案，他们都是采用INPUT默认禁用所有，OUTPUT默认允许所有，你只要关注INPUT规则即可。</para>
			<screen>
			<![CDATA[
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
			]]>
			</screen>
		</section>
		<section>
			<title>防止成为跳板机 </title>
			<para>跳板机就是用户首先登陆任意一台服务器后，由该服务器在登陆另外一台服务器。</para>
			<para>封锁22等端口，避免相互跳转</para>
			<screen>
			<![CDATA[
iptables -A OUTPUT -p tcp -m multiport --dports 22,21,873 -j REJECT
/etc/init.d/iptables save
iptables -L -n
			]]>
			</screen>
			<para>web 服务器禁止使用ssh，作为跳板机</para>
			<para>用户将不能使用ssh命令登陆到其他电脑</para>
		</section>
		<section>
			<title>端口安全</title>
			<para>有一种情况，例如你的服务器被植入了木马，木马将开启一个Socket端口给远程骇客接入进来，通常会启动一个类似telnet服务器,怎样防止未经允许的程序监听一个端口呢？ </para>
			<screen>
			<![CDATA[
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -m state --state INVALID,NEW -j DROP
			]]>
			</screen>
			<para>用法</para>
			<orderedlist>
				<listitem>
					<para>systemctl stop iptables</para>
				</listitem>
				<listitem>
					<para>启动 httpd / nginx</para>
				</listitem>
				<listitem>
					<para>systemctl start iptables</para>
				</listitem>
			</orderedlist>
			<para>注意必须按照上面的步骤，如果你试图如下尝试将失败</para>
			<orderedlist>
				<listitem>
					<para>systemctl start iptables</para>
				</listitem>
				<listitem>
					<para>启动 httpd / nginx</para>
				</listitem>
			</orderedlist>
			<para>80端口将无法对外提供服务，因为当 -A INPUT -m state --state INVALID,NEW -j DROP 运行以后，任何试图监听端口的程序将被拒绝。</para>
		</section>
		<section>
			<title>封锁特定字符串</title>
			<para>下面的例子是拒绝爬虫</para>
			<screen>
			<![CDATA[
# iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Spider" -j DROP
# iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Baidu" -j DROP
# iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Robat" -j DROP
			]]>
			</screen>
		</section>
	</section>

	<section>
		<title>Linux 系统资源调配</title>
		<section>
			<title>/etc/security/limits.conf</title>
			<para>很多资料上是这么写的</para>
			<screen>
			<![CDATA[
* soft nofile 65535
* hard nofile 65535
 			]]>
 			</screen>
			<para>这样做是偷懒，会带来很多问题，如果你的服务器被攻击，由于你的设置，系统将耗光你的资源，直到没有任何响应为止，你可能键盘输入都成问题，你不得不重启服务器，但你会发现重启只能维持短暂几分钟，又会陷入无响应状态。</para>
			<screen>
			<![CDATA[
nobody soft nofile 4096
nobody hard nofile 8192
			]]>
			</screen>
			<para>为什么会设置为nobody用户呢？因为root用户启动系统后web 服务器会使用nobody用户创建子进程，socket连接实际上是nobody用户在处理。root 仅仅是守护父进程。</para>
			<screen>
			<![CDATA[
mysql soft nofile 2048
mysql hard nofile 2048
			]]>
			</screen>
			<para>针对 mysql 做限制</para>
			<tip>
				<para>关于 nofile 即打开文件数，这个跟socket有非常紧密的关系，在linux系统中任何设备都被看做是一个文件（字符设备），你连接一个鼠标，键盘，摄像头，硬盘等等都被看作打开一个设备文件，所以默认1024是远远不够的。</para>
			</tip>
		</section>


		<section>
			<title>关闭写磁盘I/O功能</title>
			<para>对于某些文件没必要记录文件的访问时间，由其是在高并发的IO密集操作的环境下，通过两个参数可以实现noatime,nodiratime减少不必要的系统IO资源。</para>
			<para>编辑/etc/fstab 添加 noatime,nodiratime 参数</para>
			<screen>
			<![CDATA[
/dev/sdb1    /www          ext4    noatime,nodiratime        0 0
			]]>
			</screen>
		</section>

	</section>

	<section id="pam">
		<title>PAM 插件认证加固配置</title>
		<para>配置文件</para>
		<screen>
		<![CDATA[
ls  /etc/pam.d/
chfn         crond                login    passwd            remote    runuser-l          smtp          ssh-keycat  sudo-i       system-auth-ac
chsh         fingerprint-auth     newrole  password-auth     run_init  smartcard-auth     smtp.postfix  su          su-l
config-util  fingerprint-auth-ac  other    password-auth-ac  runuser   smartcard-auth-ac  sshd          sudo        system-auth
		]]>
		</screen>
		<para>认证插件</para>
		<screen>
		<![CDATA[
ls /lib64/security/
		]]>
		</screen>
		<section id="pam_tally2.so">
			<title>pam_tally2.so</title>
			<para>此模块的功能是，登陆错误输入密码3次，5分钟后自动解禁，在未解禁期间输入正确密码也无法登陆。</para>
			<para>在配置文件 /etc/pam.d/sshd 顶端加入</para>
			<screen>
			<![CDATA[
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
			]]>
			</screen>
			<para>查看失败次数</para>
			<screen>
			<![CDATA[
# pam_tally2
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
neo                 8    07/12/13 15:45:36  192.168.6.2
			]]>
			</screen>
			<para>重置计数器</para>
			<screen>
			<![CDATA[
# pam_tally2 -r -u root
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2

# pam_tally2 -r -u neo
Login           Failures Latest failure     From
neo                 8    07/12/13 15:45:36  192.168.6.2
			]]>
			</screen>
			<para>pam_tally2 计数器日志保存在 /var/log/tallylog 注意，这是二进制格式的文件</para>
			<example>
				<title>/etc/pam.d/sshd - pam_tally2.so</title>
				<screen>
				<![CDATA[
# cat  /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

auth	   required	pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
				]]>
				</screen>
			</example>
			<para>以上配置root用户不受限制, 如果需要限制root用户，参考下面</para>
			<screen><![CDATA[
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800
			]]></screen>
		</section>
		<section id="pam_listfile.so">
			<title>pam_listfile.so</title>
			<subtitle>用户登陆限制</subtitle>
			<para>将下面一行添加到 /etc/pam.d/sshd 中，这里采用白名单方式，你也可以采用黑名单方式</para>
			<screen><![CDATA[
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
			]]></screen>
			<para>将允许登陆的用户添加到 /etc/ssh/whitelist，除此之外的用户将不能通过ssh登陆到你的系统</para>
			<screen><![CDATA[
# cat /etc/ssh/whitelist
neo
www
			]]></screen>
			<example>
				<title>/etc/pam.d/sshd - pam_listfile.so</title>
				<screen><![CDATA[
# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300

auth	   required	pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
				]]></screen>
			</example>
			<para>sense=allow 白名单方式, sense=deny 黑名单方式</para>
			<screen><![CDATA[
auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
			]]></screen>
			<para>更多细节请查看手册 $ man pam_listfile</para>
		</section>

		<section id="pam_access.so">
			<title>pam_access.so</title>
			<para>编辑 /etc/pam.d/sshd 文件，加入下面一行</para>
			<screen><![CDATA[
account required pam_access.so
			]]></screen>
			<para>保存后重启sshd进程</para>
			<para>编辑 /etc/security/access.conf 文件</para>
			<screen>
			<![CDATA[
cat >>  /etc/security/access.conf << EOF

- : root : ALL EXCEPT 192.168.6.1
EOF
			]]>
			</screen>
			<para>只能通过 192.168.6.1 登陆, 添加多个IP地址</para>
			<screen><![CDATA[
- : root : ALL EXCEPT 192.168.6.1 192.168.6.2
			]]></screen>
			<para>测试是否生效</para>
		</section>
		<section id="pam_wheel.so">
			<title>pam_wheel.so</title>
			<para>限制普通用户通过su命令提升权限至root. 只有属于wheel组的用户允许通过su切换到root用户</para>
			<para>编辑 /etc/pam.d/su 文件，去掉下面的注释</para>
			<screen><![CDATA[
auth		required	pam_wheel.so use_uid
			]]></screen>
			<para>修改用户组别，添加到wheel组</para>
			<screen><![CDATA[
# usermod -G wheel www

# id www
uid=501(www) gid=501(www) groups=501(www),10(wheel)
			]]></screen>
			<para>没有加入到wheel组的用户使用su时会提示密码不正确。</para>
			<screen><![CDATA[
$ su - root
Password:
su: incorrect password
			]]></screen>
		</section>
	</section>
</article>