活动公告

系统通知
通知:关于部分勋章领取条件及购买价格调整的通知
05-18 21:22
系统通知
通知:本站资源由网友上传分享,如有违规等问题请到版务模块进行投诉,资源失效请在帖子内回复要求补档,会尽快处理!
10-23 09:31
>社区 > 科技 > 经验交流 >帖子
本版发帖返回

深入浅出CentOS安全优化方案 从基础配置到高级技巧全面保障服务器安全

这是个蓝孩子 当前离线 威震华夏关云长
SunJu_FaceMall

3万

主题

2860

科技点

3万

积分

白金月票

碾压王

积分
32872

塔罗立华奏
<font color=白金月票" /> 发表于 2025-9-17 00:10:19 | 显示全部楼层 |阅读模式

马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。

您需要 登录 才可以下载或查看,没有账号?立即注册

x
引言

在当今数字化时代,服务器安全已成为企业和个人不可忽视的重要议题。CentOS作为企业级Linux发行版,以其稳定性和安全性广受欢迎,但默认安装并不能提供足够的安全保障。本文将从基础配置到高级技巧,全面介绍CentOS服务器的安全优化方案,帮助系统管理员构建一个更加安全可靠的服务器环境。

一、基础安全配置

1. 系统更新与补丁管理

保持系统最新是安全的第一道防线。及时更新系统可以修复已知的安全漏洞,防止被攻击者利用。
  2. # 检查系统版本
  3. cat /etc/redhat-release
  5. # 更新系统软件包
  6. yum update -y
  8. # 设置自动更新
  9. yum install -y yum-cron
  10. systemctl enable yum-cron
  11. systemctl start yum-cron
  13. # 配置yum-cron自动应用安全更新
  14. vi /etc/yum/yum-cron.conf
  15. # 修改以下配置
  16. apply_updates = yes
  17. update_cmd = minimal-security
复制代码

2. 账户安全配置

账户安全是系统安全的基础,合理的账户管理可以大大提高系统的安全性。
  2. # 禁用root远程登录
  3. vi /etc/ssh/sshd_config
  4. # 修改或添加以下行
  5. PermitRootLogin no
  7. # 创建普通用户并设置sudo权限
  8. useradd admin
  9. passwd admin  # 设置强密码
  10. usermod -aG wheel admin  # 添加到wheel组获得sudo权限
  12. # 禁用不必要账户
  13. for user in adm lp sync shutdown halt mail news uucp operator games gopher; do
  14.     userdel -r $user 2>/dev/null
  15. done
  17. # 设置密码策略
  18. vi /etc/login.defs
  19. # 修改以下配置
  20. PASS_MAX_DAYS   90
  21. PASS_MIN_DAYS   7
  22. PASS_WARN_AGE   14
  24. # 安装并配置PAM模块进行密码强度检查
  25. yum install -y libpwquality
  26. vi /etc/security/pwquality.conf
  27. # 设置以下参数
  28. minlen = 12
  29. minclass = 4
  30. dcredit = -1
  31. ucredit = -1
  32. lcredit = -1
  33. ocredit = -1
复制代码

3. SSH安全配置

SSH是远程管理服务器的常用工具,加强SSH配置可以有效防止未授权访问。
  2. # 备份原始SSH配置
  3. cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  5. # 修改SSH配置
  6. vi /etc/ssh/sshd_config
  7. # 修改或添加以下行
  8. Port 2222  # 更改默认端口
  9. PermitRootLogin no
  10. MaxAuthTries 3
  11. MaxSessions 3
  12. PasswordAuthentication no  # 禁用密码认证,使用密钥认证
  13. PubkeyAuthentication yes
  14. AuthorizedKeysFile .ssh/authorized_keys
  15. PermitEmptyPasswords no
  16. ClientAliveInterval 300
  17. ClientAliveCountMax 2
  18. AllowUsers admin  # 只允许特定用户登录
  20. # 重启SSH服务
  21. systemctl restart sshd
  23. # 为用户设置SSH密钥认证
  24. su - admin
  25. mkdir -p ~/.ssh
  26. chmod 700 ~/.ssh
  27. echo "your_public_key" > ~/.ssh/authorized_keys
  28. chmod 600 ~/.ssh/authorized_keys
复制代码

4. 防火墙基础设置

防火墙是网络安全的第一道屏障,正确配置防火墙规则可以阻止不必要的网络访问。
  2. # 安装并启用firewalld
  3. yum install -y firewalld
  4. systemctl enable firewalld
  5. systemctl start firewalld
  7. # 查看默认区域
  8. firewall-cmd --get-default-zone
  10. # 设置默认区域为public
  11. firewall-cmd --set-default-zone=public
  13. # 开放必要端口(示例:SSH端口2222)
  14. firewall-cmd --permanent --add-port=2222/tcp
  16. # 开放HTTP和HTTPS服务(如果需要)
  17. firewall-cmd --permanent --add-service=http
  18. firewall-cmd --permanent --add-service=https
  20. # 阻止Ping请求
  21. firewall-cmd --permanent --add-protocol=icmp --add-rich-rule='rule protocol value=icmp drop'
  23. # 重新加载防火墙配置
  24. firewall-cmd --reload
  26. # 查看防火墙规则
  27. firewall-cmd --list-all
复制代码

二、中级安全优化

1. 文件系统安全

文件系统安全是保护数据不被未授权访问的关键。
  2. # 设置关键文件权限
  3. chmod 600 /etc/passwd-
  4. chmod 600 /etc/shadow-
  5. chmod 600 /etc/group-
  6. chmod 600 /etc/gshadow-
  7. chmod 750 /etc/sudoers
  8. chmod 750 /etc/sudoers.d
  10. # 查找并设置SUID/SGID文件
  11. find / -type f \( -perm -4000 -o -perm -2000 \) -ls
  12. # 移除不必要的SUID/SGID权限
  13. chmod a-s /path/to/file
  15. # 查找并设置全局可写文件
  16. find / -type f -perm -o+w -ls
  17. # 移除不必要的全局写权限
  18. chmod o-w /path/to/file
  20. # 查找并设置无主文件
  21. find / -nouser -o -nogroup -ls
  22. # 为无主文件分配所有者或删除
  24. # 配置/etc/fstab增加安全选项
  25. vi /etc/fstab
  26. # 为/、/boot、/home分区添加nodev、nosuid、noexec选项(根据需要)
  27. /dev/sda1   /   ext4    defaults,nodev,nosuid   1   1
  28. /dev/sda2   /boot ext4   defaults,nodev,nosuid,noexec   1   2
  30. # 重新挂载分区
  31. mount -o remount /
  32. mount -o remount /boot
复制代码

2. 服务安全加固

关闭不必要的服务并加固必要服务是提高系统安全性的重要步骤。
  2. # 查看已启用的服务
  3. systemctl list-unit-files | grep enabled
  5. # 停止并禁用不必要的服务
  6. systemctl stop telnet.socket
  7. systemctl disable telnet.socket
  8. systemctl stop rsh.socket
  9. systemctl disable rsh.socket
  10. systemctl stop ypbind
  11. systemctl disable ypbind
  12. systemctl stop tftp.socket
  13. systemctl disable tftp.socket
  14. systemctl stop xinetd
  15. systemctl disable xinetd
  17. # 禁用IPv6(如果不需要)
  18. vi /etc/sysctl.conf
  19. # 添加以下行
  20. net.ipv6.conf.all.disable_ipv6 = 1
  21. net.ipv6.conf.default.disable_ipv6 = 1
  23. # 应用sysctl设置
  24. sysctl -p
  26. # 加固网络服务(以Nginx为例)
  27. vi /etc/nginx/nginx.conf
  28. # 修改以下配置
  29. user nginx;
  30. worker_processes auto;
  31. error_log /var/log/nginx/error.log crit;
  32. pid /run/nginx.pid;
  34. # 隐藏Nginx版本号
  35. server_tokens off;
  37. # 限制HTTP方法
  38. if ($request_method !~ ^(GET|HEAD|POST)$ ) {
  39.     return 405;
  40. }
  42. # 重启Nginx服务
  43. systemctl restart nginx
复制代码

3. 安全审计与日志管理

日志是安全事件调查的重要依据,合理的日志管理可以帮助及时发现安全问题。
  2. # 安装并配置auditd
  3. yum install -y audit
  4. systemctl enable auditd
  5. systemctl start auditd
  7. # 配置审计规则
  8. vi /etc/audit/rules.d/audit.rules
  9. # 添加以下规则
  10. # 监控文件删除
  11. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
  12. # 监控文件权限变更
  13. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
  14. # 监控sudo使用
  15. -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
  16. # 监控登录失败
  17. -w /var/log/faillog -p wa -k logins
  18. -w /var/log/lastlog -p wa -k logins
  20. # 重载audit规则
  21. augenrules --load
  23. # 配置日志轮转
  24. vi /etc/logrotate.d/syslog
  25. # 添加或修改以下配置
  26. /var/log/cron
  27. /var/log/maillog
  28. /var/log/messages
  29. /var/log/secure
  30. /var/log/spooler
  31. {
  32.     sharedscripts
  33.     postrotate
  34.         /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
  35.     endscript
  36.     daily
  37.     rotate 90
  38.     compress
  39.     delaycompress
  40.     missingok
  41.     notifempty
  42.     create 640 root root
  43. }
  45. # 安装并配置logwatch进行日志分析
  46. yum install -y logwatch
  47. vi /etc/logwatch/conf/logwatch.conf
  48. # 修改以下配置
  49. Output = mail
  50. Format = html
  51. MailTo = admin@example.com
  52. Range = yesterday
  53. Detail = High
  55. # 设置每日日志报告
  56. echo "0 0 * * * /usr/sbin/logwatch" > /etc/cron.daily/00logwatch
  57. chmod +x /etc/cron.daily/00logwatch
复制代码

4. 入侵检测系统配置

入侵检测系统(IDS)可以帮助及时发现潜在的入侵行为。
  2. # 安装AIDE(高级入侵检测环境)
  3. yum install -y aide
  5. # 初始化AIDE数据库
  6. aide --init
  8. # 移动数据库到标准位置
  9. mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
  11. # 配置AIDE
  12. vi /etc/aide.conf
  13. # 根据需要修改检查规则
  15. # 创建每日AIDE检查脚本
  16. vi /etc/cron.daily/aide
  17. #!/bin/bash
  18. /usr/sbin/aide --check
  19. exit 0
  21. # 设置脚本可执行权限
  22. chmod +x /etc/cron.daily/aide
  24. # 安装OSSEC(开源主机入侵检测系统)
  25. yum install -y ossec-hids-server
  27. # 配置OSSEC
  28. vi /var/ossec/etc/ossec.conf
  29. # 配置邮件通知、系统监控、文件完整性检查等
  31. # 启动OSSEC
  32. /var/ossec/bin/ossec-control start
  34. # 安装并配置Fail2ban防止暴力破解
  35. yum install -y epel-release
  36. yum install -y fail2ban
  38. # 创建Fail2ban配置文件
  39. cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  41. # 配置SSH保护
  42. vi /etc/fail2ban/jail.local
  43. [sshd]
  44. enabled = true
  45. port = 2222
  46. filter = sshd
  47. logpath = /var/log/secure
  48. maxretry = 3
  49. bantime = 3600
  50. findtime = 600
  52. # 启动Fail2ban
  53. systemctl enable fail2ban
  54. systemctl start fail2ban
  56. # 查看被禁止的IP
  57. fail2ban-client status sshd
复制代码

三、高级安全技巧

1. SELinux高级配置

SELinux是Linux内核中的强制访问控制(MAC)系统,可以提供比传统权限更细粒度的访问控制。
  2. # 检查SELinux状态
  3. sestatus
  5. # 设置SELinux为强制模式
  6. setenforce 1
  7. vi /etc/selinux/config
  8. # 修改以下行
  9. SELINUX=enforcing
  11. # 查看SELinux布尔值
  12. getsebool -a
  14. # 设置SELinux布尔值(示例:允许HTTP连接网络)
  15. setsebool -P httpd_can_network_connect on
  17. # 查看文件的安全上下文
  18. ls -Z /path/to/file
  20. # 修改文件的安全上下文
  21. chcon -t httpd_sys_content_t /path/to/file
  23. # 恢复文件默认安全上下文
  24. restorecon -v /path/to/file
  26. # 创建自定义SELinux策略模块
  27. # 示例:允许Nginx连接外部网络
  28. ausearch -m avc -ts recent | grep nginx
  29. # 根据审计日志创建策略模块
  30. audit2allow -M nginx_connect
  31. semodule -i nginx_connect.pp
  33. # 查看已加载的SELinux策略模块
  34. semodule -l
复制代码

2. 安全内核参数调优

通过调整内核参数,可以增强系统的网络安全性。
  2. # 配置sysctl安全参数
  3. vi /etc/sysctl.d/security.conf
  4. # 添加以下参数
  6. # 防止IP欺骗
  7. net.ipv4.conf.all.rp_filter = 1
  8. net.ipv4.conf.default.rp_filter = 1
  10. # 忽略ICMP重定向
  11. net.ipv4.conf.all.accept_redirects = 0
  12. net.ipv4.conf.default.accept_redirects = 0
  13. net.ipv4.conf.all.secure_redirects = 0
  14. net.ipv4.conf.default.secure_redirects = 0
  16. # 忽略发送ICMP重定向
  17. net.ipv4.conf.all.send_redirects = 0
  18. net.ipv4.conf.default.send_redirects = 0
  20. # 不接受源路由包
  21. net.ipv4.conf.all.accept_source_route = 0
  22. net.ipv4.conf.default.accept_source_route = 0
  24. # 启用TCP SYN Cookie保护
  25. net.ipv4.tcp_syncookies = 1
  27. # 防止TCP SYN洪水攻击
  28. net.ipv4.tcp_max_syn_backlog = 2048
  29. net.ipv4.tcp_synack_retries = 2
  30. net.ipv4.tcp_syn_retries = 5
  32. # 记录可疑数据包
  33. net.ipv4.conf.all.log_martians = 1
  34. net.ipv4.conf.default.log_martians = 1
  36. # 防止IP地址欺骗
  37. net.ipv4.ip_forward = 0
  38. net.ipv4.conf.all.send_redirects = 0
  39. net.ipv4.conf.default.send_redirects = 0
  41. # 增加文件描述符限制
  42. fs.file-max = 65535
  44. # 应用sysctl设置
  45. sysctl -p /etc/sysctl.d/security.conf
  47. # 设置进程限制
  48. vi /etc/security/limits.conf
  49. # 添加以下配置
  50. * soft nofile 65535
  51. * hard nofile 65535
  52. * soft nproc 4096
  53. * hard nproc 4096
  55. # 配置PAM模块
  56. vi /etc/pam.d/system-auth
  57. # 添加以下行
  58. session required pam_limits.so
复制代码

3. 系统监控与异常检测

实时监控系统状态和异常行为是及时发现安全问题的关键。
  2. # 安装并配置Zabbix监控系统
  3. yum install -y zabbix-server-mysql zabbix-web-mysql zabbix-agent
  5. # 创建Zabbix数据库
  6. mysql -u root -p
  7. CREATE DATABASE zabbix CHARACTER SET utf8 COLLATE utf8_bin;
  8. GRANT ALL PRIVILEGES ON zabbix.* TO zabbix@localhost IDENTIFIED BY 'password';
  9. FLUSH PRIVILEGES;
  10. EXIT;
  12. # 导入初始数据
  13. zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix
  15. # 配置Zabbix服务器
  16. vi /etc/zabbix/zabbix_server.conf
  17. DBHost=localhost
  18. DBName=zabbix
  19. DBUser=zabbix
  20. DBPassword=password
  22. # 启动Zabbix服务
  23. systemctl enable zabbix-server zabbix-agent httpd
  24. systemctl start zabbix-server zabbix-agent httpd
  26. # 安装并配置Osquery进行系统监控
  27. yum install -y https://osquery-packages.s3.amazonaws.com/centos7/noarch/osquery-3.3.2-1.linux.x86_64.rpm
  29. # 配置Osquery
  30. vi /etc/osquery/osquery.conf
  31. {
  32.   "options": {
  33.     "config_plugin": "filesystem",
  34.     "logger_plugin": "filesystem",
  35.     "logger_path": "/var/log/osquery",
  36.     "schedule_splay_percent": 10
  37.   },
  38.   "schedule": {
  39.     "system_info": {
  40.       "query": "SELECT * FROM system_info;",
  41.       "interval": 3600
  42.     },
  43.     "listening_ports": {
  44.       "query": "SELECT pid, port, protocol, address FROM listening_ports;",
  45.       "interval": 300
  46.     },
  47.     "processes": {
  48.       "query": "SELECT name, pid, path, cmdline FROM processes;",
  49.       "interval": 300
  50.     },
  51.     "suspicious_processes": {
  52.       "query": "SELECT name, pid, path, cmdline FROM processes WHERE name LIKE '%crypto%' OR name LIKE '%miner%' OR name LIKE '%xmr%';",
  53.       "interval": 600
  54.     },
  55.     "crontab": {
  56.       "query": "SELECT * FROM crontab;",
  57.       "interval": 3600
  58.     }
  59.   }
  60. }
  62. # 启动Osquery
  63. systemctl enable osqueryd
  64. systemctl start osqueryd
  66. # 安装Wazuh(开源安全监控平台)
  67. yum install -y wazuh-server wazuh-agent wazuh-api
  69. # 配置Wazuh
  70. vi /var/ossec/etc/ossec.conf
  71. # 配置文件完整性监控、rootkit检测、日志监控等
  73. # 启动Wazuh
  74. systemctl enable wazuh-server
  75. systemctl enable wazuh-agent
  76. systemctl enable wazuh-api
  77. systemctl start wazuh-server
  78. systemctl start wazuh-agent
  79. systemctl start wazuh-api
复制代码

4. 安全应急响应

建立完善的安全应急响应机制,可以在发生安全事件时快速有效地应对。
  2. # 创建安全应急响应脚本目录
  3. mkdir -p /opt/security-tools
  4. cd /opt/security-tools
  6. # 创建系统快照脚本
  7. vi system_snapshot.sh
  8. #!/bin/bash
  9. DATE=$(date +%Y%m%d_%H%M%S)
  10. mkdir -p /opt/security-logs/$DATE
  12. # 收集系统信息
  13. echo "Collecting system information..."
  14. uname -a > /opt/security-logs/$DATE/system_info.txt
  15. df -h >> /opt/security-logs/$DATE/system_info.txt
  16. free -m >> /opt/security-logs/$DATE/system_info.txt
  17. ps auxf > /opt/security-logs/$DATE/processes.txt
  18. netstat -tulnp > /opt/security-logs/$DATE/network_connections.txt
  19. last > /opt/security-logs/$DATE/last_logins.txt
  20. lastb > /opt/security-logs/$DATE/failed_logins.txt
  22. # 收集关键日志
  23. echo "Collecting critical logs..."
  24. cp /var/log/secure /opt/security-logs/$DATE/
  25. cp /var/log/messages /opt/security-logs/$DATE/
  26. cp /var/log/cron /opt/security-logs/$DATE/
  27. cp /var/log/maillog /opt/security-logs/$DATE/
  29. # 收集用户和认证信息
  30. echo "Collecting user and authentication information..."
  31. cp /etc/passwd /opt/security-logs/$DATE/
  32. cp /etc/shadow /opt/security-logs/$DATE/
  33. cp /etc/group /opt/security-logs/$DATE/
  34. cp /etc/sudoers /opt/security-logs/$DATE/
  36. # 收集网络配置
  37. echo "Collecting network configuration..."
  38. cp /etc/sysconfig/network-scripts/ifcfg-* /opt/security-logs/$DATE/
  39. cp /etc/hosts /opt/security-logs/$DATE/
  40. cp /etc/resolv.conf /opt/security-logs/$DATE/
  42. # 收集计划任务
  43. echo "Collecting scheduled tasks..."
  44. crontab -l > /opt/security-logs/$DATE/crontab_root.txt 2>/dev/null
  45. for user in $(cut -d: -f1 /etc/passwd); do
  46.   crontab -u $user -l > /opt/security-logs/$DATE/crontab_$user.txt 2>/dev/null
  47. done
  49. # 收集RPM包信息
  50. echo "Collecting RPM package information..."
  51. rpm -qa > /opt/security-logs/$DATE/rpm_packages.txt
  53. # 收集服务状态
  54. echo "Collecting service status..."
  55. systemctl list-units --type=service > /opt/security-logs/$DATE/services.txt
  57. echo "System snapshot completed. Results saved in /opt/security-logs/$DATE/"
  58. exit 0
  60. # 设置脚本可执行权限
  61. chmod +x system_snapshot.sh
  63. # 创建系统入侵检测脚本
  64. vi intrusion_detection.sh
  65. #!/bin/bash
  66. DATE=$(date +%Y%m%d_%H%M%S)
  67. LOG_FILE="/opt/security-logs/intrusion_detection_$DATE.log"
  68. ALERT_COUNT=0
  70. echo "Starting intrusion detection at $(date)" > $LOG_FILE
  72. # 检测异常登录
  73. echo "Checking for abnormal logins..." >> $LOG_FILE
  74. last | grep -v "reboot" | grep -v "wtmp" | awk '{print $1, $3, $4, $5, $6}' | sort | uniq -c | sort -nr | head -10 >> $LOG_FILE
  76. # 检测异常进程
  77. echo "Checking for suspicious processes..." >> $LOG_FILE
  78. ps auxf | grep -E "(crypto|miner|xmr|bitcoin)" | grep -v grep >> $LOG_FILE
  79. if [ $? -eq 0 ]; then
  80.   echo "ALERT: Suspicious processes found!" >> $LOG_FILE
  81.   ((ALERT_COUNT++))
  82. fi
  84. # 检测异常网络连接
  85. echo "Checking for suspicious network connections..." >> $LOG_FILE
  86. netstat -tulnp | grep -E ":([0-9]{4,5})" | grep -v -E "(22|80|443)" >> $LOG_FILE
  88. # 检测异常文件权限
  89. echo "Checking for abnormal file permissions..." >> $LOG_FILE
  90. find / -type f \( -perm -4000 -o -perm -2000 \) -ls | head -20 >> $LOG_FILE
  92. # 检测异常用户
  93. echo "Checking for abnormal user accounts..." >> $LOG_FILE
  94. awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -v root >> $LOG_FILE
  95. if [ $? -eq 0 ]; then
  96.   echo "ALERT: Non-root user with UID 0 found!" >> $LOG_FILE
  97.   ((ALERT_COUNT++))
  98. fi
  100. # 检测空密码账户
  101. echo "Checking for accounts with empty passwords..." >> $LOG_FILE
  102. awk -F: '($2 == "") { print $1 }' /etc/shadow >> $LOG_FILE
  103. if [ $? -eq 0 ]; then
  104.   echo "ALERT: Accounts with empty passwords found!" >> $LOG_FILE
  105.   ((ALERT_COUNT++))
  106. fi
  108. # 检测异常sudo配置
  109. echo "Checking for abnormal sudo configurations..." >> $LOG_FILE
  110. grep -v "^#" /etc/sudoers | grep -v "^$" >> $LOG_FILE
  112. # 检测异常cron任务
  113. echo "Checking for suspicious cron jobs..." >> $LOG_FILE
  114. for user in $(cut -d: -f1 /etc/passwd); do
  115.   crontab -u $user -l 2>/dev/null | grep -v "^#" | grep -v "^$" >> $LOG_FILE
  116. done
  118. echo "Intrusion detection completed at $(date)" >> $LOG_FILE
  119. echo "Total alerts: $ALERT_COUNT" >> $LOG_FILE
  121. if [ $ALERT_COUNT -gt 0 ]; then
  122.   echo "Security alerts detected! Check $LOG_FILE for details."
  123.   # 发送邮件通知
  124.   echo "Security alerts detected on $(hostname). Check $LOG_FILE for details." | mail -s "Security Alert: Intrusion Detection" admin@example.com
  125. fi
  127. exit 0
  129. # 设置脚本可执行权限
  130. chmod +x intrusion_detection.sh
  132. # 创建定期任务
  133. echo "0 2 * * * /opt/security-tools/system_snapshot.sh" > /etc/cron.daily/security_snapshot
  134. echo "0 */6 * * * /opt/security-tools/intrusion_detection.sh" > /etc/cron.d/intrusion_detection
  135. chmod +x /etc/cron.daily/security_snapshot
  136. chmod +x /etc/cron.d/intrusion_detection
复制代码

四、综合安全策略

1. 安全基线建设

建立安全基线是确保系统安全的基础,它定义了系统必须满足的最低安全要求。
  2. # 创建安全基线检查脚本
  3. vi security_baseline.sh
  4. #!/bin/bash
  5. LOG_FILE="/opt/security-logs/baseline_check_$(date +%Y%m%d_%H%M%S).log"
  6. COMPLIANCE_COUNT=0
  7. TOTAL_CHECKS=0
  9. echo "Starting security baseline check at $(date)" > $LOG_FILE
  11. # 检查系统更新
  12. echo "1. Checking for system updates..." >> $LOG_FILE
  13. ((TOTAL_CHECKS++))
  14. if yum check-update | grep -q "No packages marked for update"; then
  15.   echo "PASS: System is up to date." >> $LOG_FILE
  16.   ((COMPLIANCE_COUNT++))
  17. else
  18.   echo "FAIL: System updates are available." >> $LOG_FILE
  19. fi
  21. # 检查SELinux状态
  22. echo "2. Checking SELinux status..." >> $LOG_FILE
  23. ((TOTAL_CHECKS++))
  24. if getenforce | grep -q "Enforcing"; then
  25.   echo "PASS: SELinux is in enforcing mode." >> $LOG_FILE
  26.   ((COMPLIANCE_COUNT++))
  27. else
  28.   echo "FAIL: SELinux is not in enforcing mode." >> $LOG_FILE
  29. fi
  31. # 检查防火墙状态
  32. echo "3. Checking firewall status..." >> $LOG_FILE
  33. ((TOTAL_CHECKS++))
  34. if systemctl is-active firewalld | grep -q "active"; then
  35.   echo "PASS: Firewall is active." >> $LOG_FILE
  36.   ((COMPLIANCE_COUNT++))
  37. else
  38.   echo "FAIL: Firewall is not active." >> $LOG_FILE
  39. fi
  41. # 检查root远程登录
  42. echo "4. Checking root remote login..." >> $LOG_FILE
  43. ((TOTAL_CHECKS++))
  44. if grep -q "^PermitRootLogin no" /etc/ssh/sshd_config; then
  45.   echo "PASS: Root remote login is disabled." >> $LOG_FILE
  46.   ((COMPLIANCE_COUNT++))
  47. else
  48.   echo "FAIL: Root remote login is enabled." >> $LOG_FILE
  49. fi
  51. # 检查密码策略
  52. echo "5. Checking password policy..." >> $LOG_FILE
  53. ((TOTAL_CHECKS++))
  54. if grep -q "^PASS_MAX_DAYS.*90" /etc/login.defs; then
  55.   echo "PASS: Password policy is compliant." >> $LOG_FILE
  56.   ((COMPLIANCE_COUNT++))
  57. else
  58.   echo "FAIL: Password policy is not compliant." >> $LOG_FILE
  59. fi
  61. # 检查AIDE状态
  62. echo "6. Checking AIDE status..." >> $LOG_FILE
  63. ((TOTAL_CHECKS++))
  64. if systemctl is-active aide | grep -q "active"; then
  65.   echo "PASS: AIDE is active." >> $LOG_FILE
  66.   ((COMPLIANCE_COUNT++))
  67. else
  68.   echo "FAIL: AIDE is not active." >> $LOG_FILE
  69. fi
  71. # 检查auditd状态
  72. echo "7. Checking auditd status..." >> $LOG_FILE
  73. ((TOTAL_CHECKS++))
  74. if systemctl is-active auditd | grep -q "active"; then
  75.   echo "PASS: Auditd is active." >> $LOG_FILE
  76.   ((COMPLIANCE_COUNT++))
  77. else
  78.   echo "FAIL: Auditd is not active." >> $LOG_FILE
  79. fi
  81. # 检查Fail2ban状态
  82. echo "8. Checking Fail2ban status..." >> $LOG_FILE
  83. ((TOTAL_CHECKS++))
  84. if systemctl is-active fail2ban | grep -q "active"; then
  85.   echo "PASS: Fail2ban is active." >> $LOG_FILE
  86.   ((COMPLIANCE_COUNT++))
  87. else
  88.   echo "FAIL: Fail2ban is not active." >> $LOG_FILE
  89. fi
  91. # 检查系统日志
  92. echo "9. Checking system logging..." >> $LOG_FILE
  93. ((TOTAL_CHECKS++))
  94. if systemctl is-active rsyslog | grep -q "active"; then
  95.   echo "PASS: System logging is active." >> $LOG_FILE
  96.   ((COMPLIANCE_COUNT++))
  97. else
  98.   echo "FAIL: System logging is not active." >> $LOG_FILE
  99. fi
  101. # 检查时间同步
  102. echo "10. Checking time synchronization..." >> $LOG_FILE
  103. ((TOTAL_CHECKS++))
  104. if systemctl is-active chronyd | grep -q "active"; then
  105.   echo "PASS: Time synchronization is active." >> $LOG_FILE
  106.   ((COMPLIANCE_COUNT++))
  107. else
  108.   echo "FAIL: Time synchronization is not active." >> $LOG_FILE
  109. fi
  111. # 计算合规百分比
  112. COMPLIANCE_PERCENT=$((COMPLIANCE_COUNT * 100 / TOTAL_CHECKS))
  114. echo "Baseline check completed at $(date)" >> $LOG_FILE
  115. echo "Compliance: $COMPLIANCE_COUNT/$TOTAL_CHECKS ($COMPLIANCE_PERCENT%)" >> $LOG_FILE
  117. if [ $COMPLIANCE_PERCENT -lt 100 ]; then
  118.   echo "WARNING: System is not fully compliant with security baseline. Check $LOG_FILE for details."
  119.   # 发送邮件通知
  120.   echo "Security baseline check failed on $(hostname). Compliance: $COMPLIANCE_PERCENT%. Check $LOG_FILE for details." | mail -s "Security Alert: Baseline Check Failed" admin@example.com
  121. else
  122.   echo "System is fully compliant with security baseline."
  123. fi
  125. exit 0
  127. # 设置脚本可执行权限
  128. chmod +x security_baseline.sh
  130. # 创建定期基线检查任务
  131. echo "0 3 * * 0 /opt/security-tools/security_baseline.sh" > /etc/cron.weekly/security_baseline
  132. chmod +x /etc/cron.weekly/security_baseline
复制代码

2. 安全合规性检查

对于需要符合特定安全标准(如PCI-DSS、HIPAA、GDPR等)的系统,定期进行合规性检查是必要的。
  2. # 安装OpenSCAP进行安全合规性检查
  3. yum install -y openscap-scanner scap-security-guide
  5. # 下载最新的安全基准
  6. yum update -y scap-security-guide
  8. # 运行系统扫描
  9. oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results-arf arf-pci-dss.xml --report pci-dss-report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
  11. # 查看扫描结果
  12. cat pci-dss-report.html
  14. # 根据扫描结果修复问题
  15. # 示例:修复密码策略
  16. vi /etc/login.defs
  17. # 修改以下行
  18. PASS_MAX_DAYS   90
  19. PASS_MIN_DAYS   7
  20. PASS_WARN_AGE   14
  22. # 示例:修复SSH配置
  23. vi /etc/ssh/sshd_config
  24. # 修改或添加以下行
  25. PermitRootLogin no
  26. MaxAuthTries 3
  27. ClientAliveInterval 300
  28. ClientAliveCountMax 2
  30. # 重启SSH服务
  31. systemctl restart sshd
  33. # 创建自定义合规性检查脚本
  34. vi compliance_check.sh
  35. #!/bin/bash
  36. LOG_FILE="/opt/security-logs/compliance_check_$(date +%Y%m%d_%H%M%S).log"
  37. COMPLIANCE_COUNT=0
  38. TOTAL_CHECKS=0
  40. echo "Starting compliance check at $(date)" > $LOG_FILE
  42. # PCI-DSS合规性检查
  43. echo "PCI-DSS Compliance Check" >> $LOG_FILE
  45. # 检查防火墙配置
  46. echo "1. Checking firewall configuration..." >> $LOG_FILE
  47. ((TOTAL_CHECKS++))
  48. if firewall-cmd --list-all | grep -q "services:"; then
  49.   echo "PASS: Firewall is configured with allowed services." >> $LOG_FILE
  50.   ((COMPLIANCE_COUNT++))
  51. else
  52.   echo "FAIL: Firewall is not properly configured." >> $LOG_FILE
  53. fi
  55. # 检查密码复杂度
  56. echo "2. Checking password complexity..." >> $LOG_FILE
  57. ((TOTAL_CHECKS++))
  58. if grep -q "^minlen = 12" /etc/security/pwquality.conf; then
  59.   echo "PASS: Password complexity is configured." >> $LOG_FILE
  60.   ((COMPLIANCE_COUNT++))
  61. else
  62.   echo "FAIL: Password complexity is not configured." >> $LOG_FILE
  63. fi
  65. # 检查SSH配置
  66. echo "3. Checking SSH configuration..." >> $LOG_FILE
  67. ((TOTAL_CHECKS++))
  68. if grep -q "^PermitRootLogin no" /etc/ssh/sshd_config && grep -q "^PasswordAuthentication no" /etc/ssh/sshd_config; then
  69.   echo "PASS: SSH is properly configured." >> $LOG_FILE
  70.   ((COMPLIANCE_COUNT++))
  71. else
  72.   echo "FAIL: SSH is not properly configured." >> $LOG_FILE
  73. fi
  75. # 检查日志记录
  76. echo "4. Checking logging configuration..." >> $LOG_FILE
  77. ((TOTAL_CHECKS++))
  78. if grep -q "^*.info;mail.none;authpriv.none;cron.none" /etc/rsyslog.conf; then
  79.   echo "PASS: Logging is properly configured." >> $LOG_FILE
  80.   ((COMPLIANCE_COUNT++))
  81. else
  82.   echo "FAIL: Logging is not properly configured." >> $LOG_FILE
  83. fi
  85. # 检查文件完整性监控
  86. echo "5. Checking file integrity monitoring..." >> $LOG_FILE
  87. ((TOTAL_CHECKS++))
  88. if systemctl is-active aide | grep -q "active"; then
  89.   echo "PASS: File integrity monitoring is active." >> $LOG_FILE
  90.   ((COMPLIANCE_COUNT++))
  91. else
  92.   echo "FAIL: File integrity monitoring is not active." >> $LOG_FILE
  93. fi
  95. # HIPAA合规性检查
  96. echo -e "\nHIPAA Compliance Check" >> $LOG_FILE
  98. # 检查数据加密
  99. echo "6. Checking data encryption..." >> $LOG_FILE
  100. ((TOTAL_CHECKS++))
  101. if lsblk | grep -q "crypt"; then
  102.   echo "PASS: Disk encryption is configured." >> $LOG_FILE
  103.   ((COMPLIANCE_COUNT++))
  104. else
  105.   echo "FAIL: Disk encryption is not configured." >> $LOG_FILE
  106. fi
  108. # 检查访问控制
  109. echo "7. Checking access control..." >> $LOG_FILE
  110. ((TOTAL_CHECKS++))
  111. if grep -q "^auth.*required.*pam_wheel.so use_uid" /etc/pam.d/su; then
  112.   echo "PASS: Access control is configured." >> $LOG_FILE
  113.   ((COMPLIANCE_COUNT++))
  114. else
  115.   echo "FAIL: Access control is not configured." >> $LOG_FILE
  116. fi
  118. # 检查审计日志
  119. echo "8. Checking audit logs..." >> $LOG_FILE
  120. ((TOTAL_CHECKS++))
  121. if grep -q "action.*acct" /etc/audit/rules.d/audit.rules; then
  122.   echo "PASS: Audit logs are configured." >> $LOG_FILE
  123.   ((COMPLIANCE_COUNT++))
  124. else
  125.   echo "FAIL: Audit logs are not configured." >> $LOG_FILE
  126. fi
  128. # GDPR合规性检查
  129. echo -e "\nGDPR Compliance Check" >> $LOG_FILE
  131. # 检查数据保护
  132. echo "9. Checking data protection..." >> $LOG_FILE
  133. ((TOTAL_CHECKS++))
  134. if grep -q "^umask 077" /etc/bashrc; then
  135.   echo "PASS: Data protection is configured." >> $LOG_FILE
  136.   ((COMPLIANCE_COUNT++))
  137. else
  138.   echo "FAIL: Data protection is not configured." >> $LOG_FILE
  139. fi
  141. # 检查数据保留策略
  142. echo "10. Checking data retention policy..." >> $LOG_FILE
  143. ((TOTAL_CHECKS++))
  144. if grep -q "^rotate 90" /etc/logrotate.conf; then
  145.   echo "PASS: Data retention policy is configured." >> $LOG_FILE
  146.   ((COMPLIANCE_COUNT++))
  147. else
  148.   echo "FAIL: Data retention policy is not configured." >> $LOG_FILE
  149. fi
  151. # 计算合规百分比
  152. COMPLIANCE_PERCENT=$((COMPLIANCE_COUNT * 100 / TOTAL_CHECKS))
  154. echo "Compliance check completed at $(date)" >> $LOG_FILE
  155. echo "Compliance: $COMPLIANCE_COUNT/$TOTAL_CHECKS ($COMPLIANCE_PERCENT%)" >> $LOG_FILE
  157. if [ $COMPLIANCE_PERCENT -lt 100 ]; then
  158.   echo "WARNING: System is not fully compliant. Check $LOG_FILE for details."
  159.   # 发送邮件通知
  160.   echo "Compliance check failed on $(hostname). Compliance: $COMPLIANCE_PERCENT%. Check $LOG_FILE for details." | mail -s "Security Alert: Compliance Check Failed" admin@example.com
  161. else
  162.   echo "System is fully compliant."
  163. fi
  165. exit 0
  167. # 设置脚本可执行权限
  168. chmod +x compliance_check.sh
  170. # 创建定期合规性检查任务
  171. echo "0 4 * * 1 /opt/security-tools/compliance_check.sh" > /etc/cron.weekly/compliance_check
  172. chmod +x /etc/cron.weekly/compliance_check
复制代码

3. 定期安全评估

定期进行安全评估可以发现潜在的安全问题,并及时采取措施加以解决。
  2. # 安装安全评估工具
  3. yum install -y lynis nmap nikto
  5. # 运行Lynis安全审计
  6. lynis audit system
  8. # 查看Lynis报告
  9. cat /var/log/lynis-report.dat
  11. # 创建综合安全评估脚本
  12. vi security_assessment.sh
  13. #!/bin/bash
  14. LOG_DIR="/opt/security-logs/assessment_$(date +%Y%m%d_%H%M%S)"
  15. mkdir -p $LOG_DIR
  16. LOG_FILE="$LOG_DIR/assessment_report.txt"
  17. HTML_REPORT="$LOG_DIR/assessment_report.html"
  19. echo "Starting comprehensive security assessment at $(date)" > $LOG_FILE
  21. # 1. 系统信息收集
  22. echo "1. Collecting system information..." >> $LOG_FILE
  23. uname -a > $LOG_DIR/system_info.txt
  24. df -h >> $LOG_DIR/system_info.txt
  25. free -m >> $LOG_DIR/system_info.txt
  26. cat /etc/redhat-release >> $LOG_DIR/system_info.txt
  28. # 2. 网络安全评估
  29. echo "2. Performing network security assessment..." >> $LOG_FILE
  30. # 扫描开放端口
  31. nmap -sS -O localhost > $LOG_DIR/nmap_scan.txt
  32. # 检查网络连接
  33. netstat -tulnp > $LOG_DIR/network_connections.txt
  34. # 检查路由表
  35. netstat -rn > $LOG_DIR/routing_table.txt
  37. # 3. 文件系统安全评估
  38. echo "3. Performing file system security assessment..." >> $LOG_FILE
  39. # 查找SUID/SGID文件
  40. find / -type f \( -perm -4000 -o -perm -2000 \) -ls > $LOG_DIR/suid_sgid_files.txt
  41. # 查找全局可写文件
  42. find / -type f -perm -o+w -ls > $LOG_DIR/world_writable_files.txt
  43. # 查找无主文件
  44. find / -nouser -o -nogroup -ls > $LOG_DIR/unowned_files.txt
  46. # 4. 用户和认证安全评估
  47. echo "4. Performing user and authentication security assessment..." >> $LOG_FILE
  48. # 检查用户账户
  49. awk -F: '($3 == 0) { print $1 }' /etc/passwd > $LOG_DIR/root_accounts.txt
  50. # 检查空密码账户
  51. awk -F: '($2 == "") { print $1 }' /etc/shadow > $LOG_DIR/empty_passwords.txt
  52. # 检查密码策略
  53. grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE" /etc/login.defs > $LOG_DIR/password_policy.txt
  55. # 5. 服务安全评估
  56. echo "5. Performing service security assessment..." >> $LOG_FILE
  57. # 检查运行的服务
  58. systemctl list-units --type=service --state=running > $LOG_DIR/running_services.txt
  59. # 检查启动服务
  60. systemctl list-unit-files | grep enabled > $LOG_DIR/enabled_services.txt
  62. # 6. 日志和审计评估
  63. echo "6. Performing log and audit assessment..." >> $LOG_FILE
  64. # 检查日志配置
  65. ls -la /var/log/ > $LOG_DIR/log_files.txt
  66. # 检查审计规则
  67. auditctl -l > $LOG_DIR/audit_rules.txt
  69. # 7. 运行Lynis安全审计
  70. echo "7. Running Lynis security audit..." >> $LOG_FILE
  71. lynis audit system --quiet > $LOG_DIR/lynis_output.txt
  72. cp /var/log/lynis-report.dat $LOG_DIR/
  74. # 8. 生成HTML报告
  75. echo "8. Generating HTML report..." >> $LOG_FILE
  76. cat > $HTML_REPORT << EOF
  77. <!DOCTYPE html>
  78. <html>
  79. <head>
  80.     <title>Security Assessment Report - $(date +%Y-%m-%d)</title>
  81.     <style>
  82.         body { font-family: Arial, sans-serif; margin: 20px; }
  83.         h1 { color: #333366; }
  84.         h2 { color: #4444aa; }
  85.         pre { background-color: #f5f5f5; padding: 10px; border-radius: 5px; overflow-x: auto; }
  86.         .section { margin-bottom: 30px; }
  87.         .warning { color: #ff6600; }
  88.         .success { color: #009900; }
  89.     </style>
  90. </head>
  91. <body>
  92.     <h1>Security Assessment Report</h1>
  93.     <p><strong>Date:</strong> $(date)</p>
  94.     <p><strong>Hostname:</strong> $(hostname)</p>
  95.    
  96.     <div class="section">
  97.         <h2>Executive Summary</h2>
  98.         <p>This security assessment was performed on $(date) for the system $(hostname). The assessment includes system information review, network security evaluation, file system security check, user and authentication assessment, service security review, and log and audit evaluation.</p>
  99.     </div>
  100.    
  101.     <div class="section">
  102.         <h2>System Information</h2>
  103.         <pre>$(cat $LOG_DIR/system_info.txt)</pre>
  104.     </div>
  105.    
  106.     <div class="section">
  107.         <h2>Network Security</h2>
  108.         <h3>Open Ports</h3>
  109.         <pre>$(cat $LOG_DIR/nmap_scan.txt)</pre>
  110.         <h3>Network Connections</h3>
  111.         <pre>$(cat $LOG_DIR/network_connections.txt)</pre>
  112.     </div>
  113.    
  114.     <div class="section">
  115.         <h2>File System Security</h2>
  116.         <h3>SUID/SGID Files</h3>
  117.         <pre>$(cat $LOG_DIR/suid_sgid_files.txt)</pre>
  118.         <h3>World Writable Files</h3>
  119.         <pre>$(cat $LOG_DIR/world_writable_files.txt)</pre>
  120.     </div>
  121.    
  122.     <div class="section">
  123.         <h2>User and Authentication Security</h2>
  124.         <h3>Root Accounts</h3>
  125.         <pre>$(cat $LOG_DIR/root_accounts.txt)</pre>
  126.         <h3>Password Policy</h3>
  127.         <pre>$(cat $LOG_DIR/password_policy.txt)</pre>
  128.     </div>
  129.    
  130.     <div class="section">
  131.         <h2>Service Security</h2>
  132.         <h3>Running Services</h3>
  133.         <pre>$(cat $LOG_DIR/running_services.txt)</pre>
  134.         <h3>Enabled Services</h3>
  135.         <pre>$(cat $LOG_DIR/enabled_services.txt)</pre>
  136.     </div>
  137.    
  138.     <div class="section">
  139.         <h2>Recommendations</h2>
  140.         <ul>
  141.             <li>Review and remove unnecessary SUID/SGID files</li>
  142.             <li>Restrict access to world writable files</li>
  143.             <li>Ensure only authorized users have root access</li>
  144.             <li>Disable unnecessary services</li>
  145.             <li>Implement strong password policies</li>
  146.             <li>Regularly review system logs for suspicious activities</li>
  147.         </ul>
  148.     </div>
  149. </body>
  150. </html>
  151. EOF
  153. # 9. 汇总评估结果
  154. echo "9. Summarizing assessment results..." >> $LOG_FILE
  155. echo "Assessment completed at $(date)" >> $LOG_FILE
  156. echo "Detailed results saved in $LOG_DIR" >> $LOG_FILE
  157. echo "HTML report generated: $HTML_REPORT" >> $LOG_FILE
  159. # 发送邮件通知
  160. echo "Security assessment completed for $(hostname). Detailed results saved in $LOG_DIR. HTML report: $HTML_REPORT" | mail -s "Security Assessment Report - $(hostname)" admin@example.com
  162. exit 0
  164. # 设置脚本可执行权限
  165. chmod +x security_assessment.sh
  167. # 创建定期安全评估任务
  168. echo "0 5 1 * * /opt/security-tools/security_assessment.sh" > /etc/cron.monthly/security_assessment
  169. chmod +x /etc/cron.monthly/security_assessment
复制代码

五、总结与最佳实践

CentOS服务器的安全优化是一个持续的过程,需要系统管理员不断学习和适应新的安全威胁。通过本文介绍的基础配置、中级优化和高级技巧,您可以构建一个更加安全可靠的服务器环境。

最佳实践总结:

1. 保持系统更新:定期应用安全补丁,确保系统免受已知漏洞的威胁。
2. 最小权限原则:为用户和服务分配最小必要权限,减少潜在的安全风险。
3. 深度防御:采用多层次的安全措施,包括防火墙、SELinux、入侵检测系统等。
4. 定期监控与审计:实施全面的日志记录和监控,及时发现异常活动。
5. 安全基线与合规性:建立安全基线,定期进行合规性检查,确保系统符合安全标准。
6. 应急响应计划:制定并测试安全事件应急响应计划,确保在发生安全事件时能够快速有效地应对。
7. 安全意识培训:对系统管理员和用户进行安全意识培训,提高整体安全水平。

保持系统更新:定期应用安全补丁,确保系统免受已知漏洞的威胁。

最小权限原则:为用户和服务分配最小必要权限,减少潜在的安全风险。

深度防御:采用多层次的安全措施,包括防火墙、SELinux、入侵检测系统等。

定期监控与审计:实施全面的日志记录和监控,及时发现异常活动。

安全基线与合规性:建立安全基线,定期进行合规性检查,确保系统符合安全标准。

应急响应计划:制定并测试安全事件应急响应计划,确保在发生安全事件时能够快速有效地应对。

安全意识培训:对系统管理员和用户进行安全意识培训,提高整体安全水平。

通过实施这些最佳实践,您可以显著提高CentOS服务器的安全性,保护关键数据和系统资源免受各种安全威胁。记住,安全是一个持续的过程,需要不断地评估、改进和适应新的安全挑战。
企业级, 系统管理员, 安全更新
「七転び八起き(ななころびやおき)」
回复

使用道具 举报

返回列表 发新帖
您需要登录后才可以回帖 登录 | 立即注册
高级模式
B Color Image Link Quote Code Smilies

本版积分规则