Internet Enterprise Security Guide (Part 2): System Security Hardening Guide

TL;DR - A system security hardening guide. The modules are independent of each other and can be ported to other platforms.
Ubuntu 14.04 LTS Server Security Hardening
Revision History
	Current version: 0.1.10
	draft (as of 2017-03-08)

Platforms
	Ubuntu 14.04 LTS Server

Requirement level definitions:
A. Required  # must be carried out
B. Optional  # not required; several alternative approaches exist
C. Needs assessment  # assess performance impact and feasibility first
D. Later  # to be completed in a later phase
E. Required, but needs assessment  # must be carried out, but assess first and proceed only once it is confirmed to be safe
Table of Contents

	1. Patching and Software Updates
	1.1) Package updates	A
	1.2) Automatic installation of security updates	C

	2. Disk Partitioning	A

	3. Software Integrity Checking
	3.1) debsums	A
	3.2) Audit	A
	3.3) Lynis	A
	3.4) AIDE	C
	3.5) Monit	C

	4. File Permissions and Masks, System jobs (Cron)	A

	5. Kernel security controls & TCP/IP stack security (via sysctl)	A

	6. Password policy	A

	7. Console Security	A

	8. Disable IPv6	E

	9. SSH Settings	A

	10. iptables configuration	A

	11. Advanced topics	C/E

	12. To be completed

	13. References
1. Patching and Software Updates
1.1) Package updates
apt-get update && apt-get -y upgrade

1.2) Automatic installation of security updates
apt-get install unattended-upgrades
vi /etc/apt/apt.conf.d/10periodic
vi /etc/apt/apt.conf.d/50unattended-upgrades

ToDo:
Add packages that must not, or need not, be updated automatically to the blacklist so that they are skipped.

Reference:
https://help.ubuntu.com/14.04/serverguide/automatic-updates.html
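As an added example (not part of the original post or its configuration files), the following script writes the two apt fragments named above so that only the security pocket is installed automatically and a blacklist keeps selected packages out of the automatic run; the package names in the blacklist are constructed placeholders, and blacklist entries are matched as regular expressions anchored at the start of the package name, which the helper reproduces.

```shell
#!/bin/sh
# Added example (not from the original post): write 10periodic and
# 50unattended-upgrades for unattended-upgrades. DIR defaults to
# /etc/apt/apt.conf.d; pass another directory to preview the files.
set -eu

write_unattended_conf() {
    dir=${1:-/etc/apt/apt.conf.d}
    # 10periodic: refresh the package index and run unattended-upgrade daily
    cat > "$dir/10periodic" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # 50unattended-upgrades: security pocket only, never reboot on its own,
    # and a blacklist of packages whose upgrade must be staged by hand
    # (the two entries are constructed examples, not a recommendation)
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Package-Blacklist {
    "linux-image-";
    "mysql-server";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# blacklist_matches PKG [DIR] -> 0 if PKG is covered by the blacklist.
# Entries are regular expressions matched at the start of the name,
# so "linux-image-" covers every kernel image package.
blacklist_matches() {
    pkg=$1
    conf="${2:-/etc/apt/apt.conf.d}/50unattended-upgrades"
    for pattern in $(sed -n '/Package-Blacklist/,/};/p' "$conf" \
                     | grep -o '"[^"]*"' | tr -d '"'); do
        if printf '%s\n' "$pkg" | grep -Eq "^$pattern"; then
            return 0
        fi
    done
    return 1
}
```

After writing the real files, `unattended-upgrade --dry-run --debug` shows which packages would be installed and which the blacklist holds back, without changing the system.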
2. Disk Partitioning
2.1) Put /tmp on a separate partition
Rationale: holds temporary files and is world-writable

2.2) Put /var/log on a separate partition
Rationale: holds the log files needed for backups, forensics, etc.
3. Software Integrity Checking
3.1) debsums - integrity check of installed packages
apt-get install debsums
Usage example: debsums openssh-client
3.2) Audit - security auditing
See the configuration file:
Cyqz_OS_Security_Checklist_auditd.md
3.3) Lynis - security auditing / vulnerability detection and scanning / system hardening
3.3.1) Installation
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C80E383C3DE9F082E01391A0366C67DE91CA5D5F
echo "deb https://packages.cisofy.com/community/lynis/deb/ trusty main" > /etc/apt/sources.list.d/cisofy-lynis.list
apt-get update && apt-get install lynis
3.3.2) Usage
lynis --checkall audit system
lynis --pentest audit system
3.4) AIDE - file and directory integrity checking
https://help.ubuntu.com/community/FileIntegrityAIDE
3.5) Monit - monitoring of critical files
See the configuration file:
Cyqz_OS_Security_Checklist_monit.md
Reference:
lynis
https://cisofy.com/lynis/
monit
https://mmonit.com/monit/
Intrusion detection checklist
https://www.sans.org/media/score/checklists/ID-Linux.pdf
4. File Permissions and Masks, System jobs (Cron)
See the configuration file:
Cyqz_OS_Security_Checklist_files_Permissions.md

Permission check commands:
Find world-writable directories that lack the sticky bit
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
File permission check
http://people.redhat.com/sgrubb/files/stig-2011/stig-file-test.sh
Find hidden executables
http://people.redhat.com/sgrubb/security/find-hidden-exec
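As an added example (not from the original post or the linked scripts), the audit below generalises the world-writable-directory find above to world-writable files and set-uid/set-gid binaries, which is the drift a periodic permission check should report; the function and its output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a small permission audit
# over one filesystem. ROOT defaults to / ; pass a path to audit a
# subtree. Output is one "KIND<TAB>path" line per finding.
set -eu

perm_audit() {
    root=${1:-/}
    # world-writable directories without the sticky bit: any local user
    # can delete or rename other users' files inside them
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | awk '{ print "WW_DIR\t" $0 }'
    # world-writable regular files: any local user can alter their content
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null \
        | awk '{ print "WW_FILE\t" $0 }'
    # set-uid or set-gid files: compare this list against a known baseline
    # so that an unexpected privileged binary stands out
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | awk '{ print "SETID\t" $0 }'
}

# perm_count KIND [ROOT] -> number of findings of KIND (WW_DIR, WW_FILE, SETID)
perm_count() {
    perm_audit "${2:-/}" | awk -F'\t' -v kind="$1" '$1 == kind' | wc -l
}
```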
5. Kernel security controls & TCP/IP stack security (via sysctl)
See the configuration file:
Cyqz_OS_Security_Checklist_sysctl.md

The LVS-related settings need to be taken into account:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Load_Balancer_Administration/s1-lvs-direct-VSA.html
http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP

Reference:
https://klaver.it/linux/sysctl.conf
http://pastebin.com/YRz1qiKE
6. Password policy
6.1) Install the PAM module pam_cracklib
apt-get install libpam-cracklib
6.2) Configuration (change the corresponding lines to the following)
vi /etc/pam.d/common-password
# Prevent Reusing Old Passwords
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
# Set Password Complexity
password     requisite     pam_cracklib.so retry=3 minlen=24 dcredit=-2 ucredit=-2 ocredit=-2 lcredit=-2

# Set Password Expiration Period
vi /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   10
Reference:
http://xmodulo.com/set-password-policy-linux.html
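The pam_cracklib line above is easy to misread: with negative credits, minlen=24 is a hard length minimum and each dcredit/ucredit/ocredit/lcredit=-2 is a hard minimum of two characters from that class, whereas a positive credit would instead add bonus points to the length score. The script below, an added example that is not part of the original post or of pam_cracklib, reproduces that length and credit arithmetic (the dictionary and similarity checks are not reproduced) so a policy can be sanity-checked before it is enforced on real logins; function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pam_cracklib length/credit
# arithmetic, so that a candidate policy can be checked offline.
set -eu

# count_class PASSWORD REGEX -> number of characters matching REGEX
count_class() {
    printf '%s' "$1" | LC_ALL=C grep -o "$2" | wc -l
}

# cracklib_ok PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT -> 0 if accepted
cracklib_ok() {
    pw=$1; minlen=$2
    score=${#pw}
    for spec in "$3:[0-9]" "$4:[A-Z]" "$5:[a-z]" "$6:[^0-9A-Za-z]"; do
        credit=${spec%%:*}
        regex=${spec#*:}
        n=$(count_class "$pw" "$regex")
        if [ "$credit" -lt 0 ]; then
            # negative credit: hard minimum for this class, no bonus points
            [ "$n" -ge $(( 0 - credit )) ] || return 1
        elif [ "$n" -lt "$credit" ]; then
            # positive credit: each character of the class adds one point,
            # up to the credit value
            score=$(( score + n ))
        else
            score=$(( score + credit ))
        fi
    done
    [ "$score" -ge "$minlen" ]
}

# The policy of this section: minlen=24, two of every class required
page_policy_ok() {
    cracklib_ok "$1" 24 -2 -2 -2 -2
}
```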
7. Console Security
Disable Ctrl+Alt+Delete (comment out the exec line so that the key combination no longer reboots the server)
vi /etc/init/control-alt-delete.conf
#exec shutdown -r now "Control-Alt-Delete pressed"
8. Disable IPv6
vi /etc/sysctl.conf
# IPv6 disabled
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
9. SSH Settings
# vi /etc/ssh/sshd_config

# What ports, IPs and protocols we listen for
Port 10022

Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
PasswordAuthentication no
ChallengeResponseAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 4
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no

# similar for protocol version 2
HostbasedAuthentication no

# Disable X11 Forward
X11Forwarding no

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# File Transfer
Subsystem sftp /usr/lib/openssh/sftp-server

# Idle Log Out Timeout Interval 
ClientAliveInterval 600
ClientAliveCountMax 0

# Banner
Banner /etc/issue

# use PAM
UsePAM yes
# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config

# chmod 644 /etc/motd
# chmod 644 /etc/issue
# chmod 644 /etc/issue.net
Reference:
https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
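One caveat when applying the sshd_config above to an existing file: sshd uses the first value it reads for a keyword, so a hardened line appended at the end is silently ignored if an earlier line already sets the same keyword. The checker below is an added example (not part of the original post or of OpenSSH) that reproduces that first-match rule and reports which of the key values from this section are not in effect; the function names and the constructed test file are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config
# against the hardening values of this section. Keywords are
# case-insensitive, "#" lines are comments, the FIRST value wins.
# The "Keyword=value" spelling is not handled.
set -eu

# sshd_effective FILE KEYWORD -> the value sshd would use, "" if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }     # comment or blank line
        tolower($1) == key { print $2; exit }   # first match wins
    ' "$1"
}

# sshd_check FILE -> prints one "KEYWORD expected got" line per deviation
# and returns 1 if any deviation was found
sshd_check() {
    file=$1; rc=0
    while read -r key want; do
        got=$(sshd_effective "$file" "$key")
        [ "$got" = "$want" ] || { echo "$key $want $got"; rc=1; }
    done <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
IgnoreRhosts yes
HostbasedAuthentication no
MaxAuthTries 4
UsePAM yes
EOF
    return $rc
}
```

Run `sshd -t -f /etc/ssh/sshd_config` as well before restarting the daemon, so that a syntax error cannot lock you out of the host.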
10. iptables configuration
See the configuration file:
Cyqz_OS_Security_Checklist_iptables.md

Save the iptables rules across reboots
apt-get install iptables-persistent
11. Advanced topics
11.1) Kernel Grsecurity/PaX patches, MAC (SELinux/AppArmor)
11.2) Kernel Livepatch (security patches for the OS kernel without a reboot)
12. To be completed
PAM/sudo/mount
13. References
https://wiki.ubuntu.com/Security/Features
https://wiki.ubuntu.com/Security/Features/Historical
https://help.ubuntu.com/14.04/serverguide/security.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/index.html
https://benchmarks.cisecurity.org/tools2/linux/CIS_Ubuntu_14.04_LTS_Server_Benchmark_v1.0.0.pdf
https://github.com/GovReady/ubuntu-lts/blob/master/hardening.md
14. Download location for all configuration files mentioned in this article:
https://github.com/Zer0d0y/advanced-enterprise-security
Author: Zer0d0y
WeChat: Zer0d0y
Original source: https://www.zer0d0y.info/post/advanced-enterprise-security-guidelines-for-internet-companies-part2/
Copyright of this article belongs to the author. Reposting is welcome, but unless the author agrees otherwise this notice must be kept and a link to the original must be given in a prominent position on the article page; otherwise the right to pursue legal action is reserved.