\u5728\u4e92\u8054\u7f51\u5b89\u5168\u4e8b\u6545\u9891\u53d1\u7684\u4eca\u5929,\u670d\u52a1\u5668\u5b89\u5168\u5df2\u7ecf\u6210\u4e3a\u6bcf\u4f4d\u8fd0\u7ef4\u5de5\u7a0b\u5e08\u5fc5\u987b\u9762\u5bf9\u7684\u5934\u7b49\u5927\u4e8b\u3002\u524d\u51e0\u5929\u521a\u63a5\u624b\u4e00\u6279\u65b0\u670d\u52a1\u5668,\u60f3\u5230\u5f88\u591a\u670b\u53cb\u7ecf\u5e38\u95ee\u6211:"\u65b0\u670d\u52a1\u5668\u5e94\u8be5\u5982\u4f55\u8fdb\u884c\u5b89\u5168\u52a0\u56fa?"\u4eca\u5929\u5c31\u501f\u8fd9\u4e2a\u673a\u4f1a,\u548c\u5927\u5bb6\u5206\u4eab\u4e00\u4e0b\u6211\u5341\u591a\u5e74\u8fd0\u7ef4\u751f\u6daf\u4e2d\u603b\u7ed3\u7684\u670d\u52a1\u5668\u5b89\u5168\u52a0\u56fa\u5b9e\u6218\u7ecf\u9a8c\u3002\u65e0\u8bba\u4f60\u662f\u521a\u5165\u884c\u7684\u65b0\u624b,\u8fd8\u662f\u6709\u7ecf\u9a8c\u7684\u8fd0\u7ef4\u4eba\u5458,\u8fd9\u7bc7\u6587\u7ae0\u90fd\u80fd\u5e2e\u4f60\u6784\u5efa\u4e00\u4e2a\u66f4\u52a0\u5b89\u5168\u7684\u670d\u52a1\u5668\u73af\u5883\u3002<\/p>\n
\u7cfb\u7edf\u6f0f\u6d1e\u662f\u9ed1\u5ba2\u5165\u4fb5\u7684\u9996\u9009\u76ee\u6807\u3002\u8bb0\u5f97\u53bb\u5e74\u67d0\u91d1\u878d\u5ba2\u6237\u56e0\u4e3a\u6ca1\u53ca\u65f6\u6253\u8865\u4e01,\u7ed3\u679c\u88ab\u52d2\u7d22\u8f6f\u4ef6\u653b\u51fb,\u635f\u5931\u60e8\u91cd\u3002\u6240\u4ee5,\u62ff\u5230\u65b0\u670d\u52a1\u5668\u7684\u7b2c\u4e00\u4ef6\u4e8b\u5c31\u662f\u66f4\u65b0\u7cfb\u7edf:<\/p>\n
CentOS\/RHEL\u7cfb\u7edf:<\/p>\n
# \u67e5\u770b\u53ef\u66f4\u65b0\u7684\u5305<\/span> # \u66f4\u65b0\u6240\u6709\u5305<\/span> # \u53ea\u66f4\u65b0\u5b89\u5168\u8865\u4e01<\/span> Ubuntu\/Debian\u7cfb\u7edf:<\/p>\n # \u66f4\u65b0\u8f6f\u4ef6\u5305\u5217\u8868<\/span> # \u5347\u7ea7\u6240\u6709\u5df2\u5b89\u88c5\u7684\u5305<\/span> # \u667a\u80fd\u5347\u7ea7(\u5904\u7406\u4f9d\u8d56\u5173\u7cfb)<\/span> \u522b\u5fd8\u4e86\u8bbe\u7f6e\u81ea\u52a8\u66f4\u65b0,\u4f46\u8981\u6ce8\u610f\u751f\u4ea7\u73af\u5883\u4e2d\u5148\u5728\u6d4b\u8bd5\u73af\u5883\u9a8c\u8bc1\u8865\u4e01\u7684\u7a33\u5b9a\u6027\u3002<\/p>\n \u4e0a\u4e2a\u6708\u5e2e\u4e00\u4e2a\u5ba2\u6237\u6392\u67e5\u5b89\u5168\u95ee\u9898\u65f6,\u53d1\u73b0\u4ed6\u4eec\u670d\u52a1\u5668\u4e0a\u88c5\u4e86\u4e00\u5806\u7528\u4e0d\u5230\u7684\u670d\u52a1,\u6bcf\u4e00\u4e2a\u90fd\u662f\u6f5c\u5728\u7684\u5b89\u5168\u98ce\u9669\u3002\u8bb0\u4f4f:\u4e0d\u9700\u8981\u7684\u670d\u52a1\u5c31\u662f\u98ce\u9669\u3002<\/p>\n # \u5217\u51fa\u6240\u6709\u5df2\u5b89\u88c5\u7684\u5305<\/span> # \u5220\u9664\u4e0d\u5fc5\u8981\u7684\u670d\u52a1<\/span> \u5e38\u89c1\u53ef\u79fb\u9664\u7684\u670d\u52a1:<\/p>\n # \u5217\u51fa\u6240\u6709\u542f\u52a8\u7684\u670d\u52a1<\/span> # \u7981\u7528\u4e0d\u9700\u8981\u7684\u670d\u52a1<\/span> root\u8d26\u6237\u662f\u9ed1\u5ba2\u7684\u9996\u8981\u653b\u51fb\u76ee\u6807\u3002\u524d\u6bb5\u65f6\u95f4\u4e00\u4e2a\u670b\u53cb\u7684\u670d\u52a1\u5668\u88ab\u5165\u4fb5,\u5c31\u662f\u56e0\u4e3aroot\u5bc6\u7801\u592a\u7b80\u5355\u88ab\u66b4\u529b\u7834\u89e3\u3002<\/p>\n # \u8bbe\u7f6e\u5f3a\u5bc6\u7801<\/span> # \u7981\u6b62root\u8fdc\u7a0b\u767b\u5f55(\u7f16\u8f91\/etc\/ssh\/sshd_config)<\/span> # \u91cd\u542fSSH\u670d\u52a1<\/span> # \u521b\u5efa\u7ba1\u7406\u5458\u7528\u6237<\/span> # \u8d4b\u4e88sudo\u6743\u9650<\/span> \u5728\/etc\/login.defs\u548c\/etc\/security\/pwquality.conf\u4e2d\u8bbe\u7f6e\u5bc6\u7801\u590d\u6742\u5ea6\u8981\u6c42:<\/p>\n PASS_MAX_DAYS 90 # \u5bc6\u7801\u6700\u957f\u6709\u6548\u671f # \u5bc6\u7801\u590d\u6742\u5ea6 \u522b\u5fd8\u4e86\u914d\u7f6ePAM\u6a21\u5757\u5f3a\u5236\u6267\u884c\u8fd9\u4e9b\u7b56\u7565:<\/p>\n # \u7f16\u8f91\/etc\/pam.d\/system-auth(CentOS)\u6216\/etc\/pam.d\/common-password(Ubuntu)<\/span> SSH\u662f\u8fd0\u7ef4\u4eba\u5458\u7684\u5fc5\u5907\u5de5\u5177,\u4f46\u4e5f\u662f\u9ed1\u5ba2\u91cd\u70b9\u653b\u51fb\u7684\u670d\u52a1\u4e4b\u4e00\u3002<\/p>\n # \u7f16\u8f91\/etc\/ssh\/sshd_config<\/span> # \u5982\u679c\u4f7f\u7528SELinux,\u9700\u8981\u8bbe\u7f6e<\/span> # \u5ba2\u6237\u7aef\u751f\u6210\u5bc6\u94a5\u5bf9<\/span> # \u4e0a\u4f20\u516c\u94a5\u5230\u670d\u52a1\u5668<\/span> # \u7981\u7528\u5bc6\u7801\u8ba4\u8bc1(\u7f16\u8f91\/etc\/ssh\/sshd_config)<\/span> \u7f16\u8f91\/etc\/ssh\/sshd_config:<\/p>\n Protocol 2 # \u53ea\u4f7f\u7528SSH v2\u534f\u8bae \u91cd\u542fSSH\u670d\u52a1\u751f\u6548:<\/p>\n systemctl restart sshd<\/p>\n # \u4f7f\u7528firewalld(CentOS 7+\/RHEL 7+)<\/span> # \u53ea\u5f00\u653e\u5fc5\u8981\u7aef\u53e3<\/span> \u6216\u8005\u4f7f\u7528\u4f20\u7edfiptables:<\/p>\n # \u57fa\u672ciptables\u89c4\u5219<\/span> # \u4fdd\u5b58\u89c4\u5219<\/span> # \u9650\u5236SYN\u6d2a\u6c34<\/span> # \u9650\u5236ICMP\u8bf7\u6c42<\/span> \u5408\u7406\u7684\u5206\u533a\u7b56\u7565\u53ef\u4ee5\u6709\u6548\u9632\u6b62\u67d0\u4e9b\u653b\u51fb\u3002\u53bb\u5e74\u4e00\u4e2a\u5ba2\u6237\u56e0\u4e3a\/tmp\u76ee\u5f55\u548c\u6839\u76ee\u5f55\u5728\u540c\u4e00\u5206\u533a,\u88ab\u9ed1\u5ba2\u5229\u7528\u586b\u6ee1\u78c1\u76d8\u5bfc\u81f4\u7cfb\u7edf\u5d29\u6e83\u3002\u5728\/etc\/fstab\u4e2d\u6dfb\u52a0\u5b89\u5168\u6302\u8f7d\u9009\u9879:<\/p>\n \/dev\/sda1 \/boot ext4 defaults,nosuid,nodev,noexec 1 2 \u8fd9\u4e9b\u9009\u9879\u7684\u4f5c\u7528:<\/p>\n # \u8bbe\u7f6e\u5173\u952e\u6587\u4ef6\u7684\u6b63\u786e\u6743\u9650<\/span> # \u67e5\u627e\u5e76\u4fee\u590d\u5371\u9669\u7684SUID\/SGID\u6587\u4ef6<\/span> # \u67e5\u627e\u4e16\u754c\u53ef\u5199\u6587\u4ef6<\/span> \u5b89\u88c5AIDE(Advanced Intrusion Detection Environment)\u8fdb\u884c\u6587\u4ef6\u5b8c\u6574\u6027\u76d1\u63a7:<\/p>\n # \u5b89\u88c5AIDE<\/span> # \u521d\u59cb\u5316\u6570\u636e\u5e93<\/span> # \u8bbe\u7f6e\u5b9a\u671f\u68c0\u67e5<\/span> \u6700\u8fd1\u4e00\u4e2a\u5ba2\u6237\u56e0\u4e3a\u6ca1\u6709\u4fdd\u5b58\u8db3\u591f\u7684\u65e5\u5fd7,\u9ed1\u5ba2\u5165\u4fb5\u540e\u65e0\u6cd5\u8ffd\u6eaf\u653b\u51fb\u8def\u5f84\u3002\u914d\u7f6ersyslog\u5c06\u65e5\u5fd7\u53d1\u9001\u5230\u96c6\u4e2d\u670d\u52a1\u5668:<\/p>\n # \u7f16\u8f91\/etc\/rsyslog.conf<\/span> # \u91cd\u542f\u670d\u52a1<\/span> # \u5b89\u88c5auditd<\/span> # \u542f\u7528\u5e76\u914d\u7f6e<\/span> # \u7f16\u8f91\/etc\/audit\/auditd.conf<\/span> \u6dfb\u52a0\u5173\u952e\u5ba1\u8ba1\u89c4\u5219(\/etc\/audit\/rules.d\/audit.rules):<\/p>\n # \u76d1\u63a7\/etc\u76ee\u5f55\u53d8\u66f4 # \u76d1\u63a7\u7528\u6237\/\u7ec4\u53d8\u66f4 # \u76d1\u63a7sudo\u4f7f\u7528 # \u76d1\u63a7\u5931\u8d25\u7684\u8bbf\u95ee\u5c1d\u8bd5 \u914d\u7f6elogrotate\u786e\u4fdd\u65e5\u5fd7\u4e0d\u4f1a\u5360\u6ee1\u78c1\u76d8:<\/p>\n # \u7f16\u8f91\/etc\/logrotate.conf Fail2ban\u53ef\u4ee5\u81ea\u52a8\u5c01\u7981\u5c1d\u8bd5\u66b4\u529b\u7834\u89e3\u7684IP:<\/p>\n # \u5b89\u88c5Fail2ban<\/span> # \u914d\u7f6eSSH\u9632\u62a4<\/span> # \u542f\u52a8\u670d\u52a1<\/span> # \u5b89\u88c5rkhunter<\/span> # \u66f4\u65b0\u6570\u636e\u5e93<\/span> # \u8bbe\u7f6e\u5b9a\u671f\u626b\u63cf<\/span> \u4f7f\u7528osquery\u8fdb\u884c\u9ad8\u7ea7\u76d1\u63a7:<\/p>\n # \u5b89\u88c5osquery<\/span> # \u914d\u7f6e\u6587\u4ef6\u76d1\u63a7<\/span> # \u542f\u52a8\u670d\u52a1<\/span> \u7f16\u8f91\/etc\/sysctl.conf:<\/p>\n # \u9632\u6b62IP\u6b3a\u9a97 # \u7981\u6b62IP\u6e90\u8def\u7531 # \u9632\u6b62SYN\u6d2a\u6c34\u653b\u51fb # \u7981\u7528ICMP\u91cd\u5b9a\u5411 # \u542f\u7528\u53cd\u5411\u8def\u5f84\u8fc7\u6ee4 # \u8bb0\u5f55\u53ef\u7591\u5305 \u5e94\u7528\u914d\u7f6e:<\/p>\n sysctl -p<\/p>\n \u5bf9\u4e8eWeb\u670d\u52a1\u5668,\u914d\u7f6eTLS\/SSL:<\/p>\n # \u751f\u6210\u5f3a\u5bc6\u94a5\u548cCSR<\/span> # \u5728Nginx\u4e2d\u914d\u7f6e\u5b89\u5168\u53c2\u6570<\/span> \u4f7f\u7528TCP Wrappers\u9650\u5236\u670d\u52a1\u8bbf\u95ee:<\/p>\n # \u7f16\u8f91\/etc\/hosts.allow<\/span> # \u7f16\u8f91\/etc\/hosts.deny<\/span>
\nyum check-update<\/p>\n
\nyum update -y<\/p>\n
\nyum update –security<\/p>\n
\napt<\/span> update<\/p>\n
\napt<\/span> upgrade -y<\/p>\n
\napt<\/span> dist-upgrade -y<\/p>\n2. \u6700\u5c0f\u5316\u5b89\u88c5\u539f\u5219<\/h4>\n
\nrpm<\/span> -qa # RHEL\/CentOS<\/span>
\ndpkg -l # Debian\/Ubuntu<\/span><\/p>\n
\nyum remove <<\/span>package_name><\/span> # RHEL\/CentOS<\/span>
\napt<\/span> purge <<\/span>package_name><\/span> # Debian\/Ubuntu<\/span><\/p>\n\n
3. \u7981\u7528\u4e0d\u5fc5\u8981\u7684\u542f\u52a8\u670d\u52a1<\/h4>\n
\nsystemctl list-unit-files –state=<\/span>enabled<\/p>\n
\nsystemctl disable <<\/span>service_name><\/span>
\nsystemctl mask <<\/span>service_name><\/span> # \u5f7b\u5e95\u7981\u7528<\/span><\/p>\n\u4e8c\u3001\u7528\u6237\u8d26\u6237\u5b89\u5168<\/h3>\n
1. \u52a0\u56faroot\u8d26\u6237<\/h4>\n
\npasswd<\/span> root<\/p>\n
\nPermitRootLogin no<\/p>\n
\nsystemctl restart sshd<\/p>\n2. \u521b\u5efa\u7ba1\u7406\u5458\u8d26\u6237<\/h4>\n
\nuseradd<\/span> -m admin
\npasswd<\/span> admin<\/p>\n
\nusermod<\/span> -aG wheel admin # CentOS\/RHEL<\/span>
\nusermod<\/span> -aG sudo<\/span> admin # Ubuntu\/Debian<\/span><\/p>\n3. \u5bc6\u7801\u7b56\u7565\u52a0\u56fa<\/h4>\n
\nPASS_MIN_DAYS 7 # \u4e24\u6b21\u4fee\u6539\u5bc6\u7801\u7684\u6700\u5c0f\u95f4\u9694
\nPASS_MIN_LEN 12 # \u6700\u5c0f\u5bc6\u7801\u957f\u5ea6
\nPASS_WARN_AGE 7 # \u8fc7\u671f\u524d\u8b66\u544a\u5929\u6570<\/p>\n
\nminlen = 12
\nminclass = 3
\nmaxrepeat = 3<\/p>\n
\npassword requisite pam_pwquality.so retry<\/span>=<\/span>3<\/span><\/p>\n\u4e09\u3001SSH\u5b89\u5168\u52a0\u56fa<\/h3>\n
1. \u4fee\u6539\u9ed8\u8ba4\u7aef\u53e3<\/h4>\n
\nPort 2222<\/span> # \u4f7f\u7528\u975e\u6807\u51c6\u7aef\u53e3<\/span><\/p>\n
\nsemanage port -a -t ssh_port_t -p tcp 2222<\/span><\/p>\n2. \u5bc6\u94a5\u8ba4\u8bc1\u66ff\u4ee3\u5bc6\u7801<\/h4>\n
\nssh-keygen -t ed25519 -C "admin@example.com"<\/span><\/p>\n
\nssh-copy-id -i ~\/.ssh\/id_ed25519.pub admin@server_ip<\/p>\n
\nPasswordAuthentication no
\nChallengeResponseAuthentication no<\/p>\n3. \u5176\u4ed6SSH\u52a0\u56fa\u63aa\u65bd<\/h4>\n
\nMaxAuthTries 3 # \u6700\u5927\u8ba4\u8bc1\u5c1d\u8bd5\u6b21\u6570
\nMaxSessions 5 # \u6700\u5927\u4f1a\u8bdd\u6570
\nLoginGraceTime 60 # \u767b\u5f55\u8d85\u65f6\u65f6\u95f4
\nClientAliveInterval 300 # \u5ba2\u6237\u7aef\u6d3b\u8dc3\u68c0\u6d4b\u95f4\u9694
\nClientAliveCountMax 2 # \u5ba2\u6237\u7aef\u6d3b\u8dc3\u68c0\u6d4b\u6b21\u6570
\nAllowUsers admin # \u53ea\u5141\u8bb8\u7279\u5b9a\u7528\u6237\u767b\u5f55<\/p>\n\u56db\u3001\u9632\u706b\u5899\u914d\u7f6e<\/h3>\n
1. \u914d\u7f6eiptables\/firewalld<\/h4>\n
\nsystemctl enable<\/span> firewalld
\nsystemctl start firewalld<\/p>\n
\nfirewall-cmd –permanent –add-port=<\/span>2222<\/span>\/tcp # SSH<\/span>
\nfirewall-cmd –permanent –add-port=<\/span>80<\/span>\/tcp # HTTP<\/span>
\nfirewall-cmd –permanent –add-port=<\/span>443<\/span>\/tcp # HTTPS<\/span>
\nfirewall-cmd –reload<\/p>\n
\niptables -F
\niptables -P INPUT DROP
\niptables -P FORWARD DROP
\niptables -P OUTPUT ACCEPT
\niptables -A INPUT -i lo -j ACCEPT
\niptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
\niptables -A INPUT -p tcp –dport 2222<\/span> -j ACCEPT
\niptables -A INPUT -p tcp –dport 80<\/span> -j ACCEPT
\niptables -A INPUT -p tcp –dport 443<\/span> -j ACCEPT<\/p>\n
\nservice<\/span> iptables save<\/p>\n2. \u9632DDoS\u914d\u7f6e<\/h4>\n
\niptables -A INPUT -p tcp –syn -m limit –limit 1<\/span>\/s –limit-burst 3<\/span> -j ACCEPT
\niptables -A INPUT -p tcp –syn -j DROP<\/p>\n
\niptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1<\/span>\/s –limit-burst 4<\/span> -j ACCEPT
\niptables -A INPUT -p icmp –icmp-type echo-request -j DROP<\/p>\n\u4e94\u3001\u6587\u4ef6\u7cfb\u7edf\u5b89\u5168<\/h3>\n
1. \u5206\u533a\u4e0e\u6302\u8f7d\u9009\u9879<\/h4>\n
\n\/dev\/sda2 \/tmp ext4 defaults,nosuid,nodev,noexec 1 2
\n\/dev\/sda3 \/var ext4 defaults,nosuid 1 2
\n\/home \/home ext4 defaults,nosuid,nodev 1 2<\/p>\n\n
2. \u6587\u4ef6\u6743\u9650\u5ba1\u8ba1\u4e0e\u4fee\u590d<\/h4>\n
\nchmod<\/span> 644<\/span> \/etc\/passwd
\nchmod<\/span> 000 \/etc\/shadow
\nchmod<\/span> 644<\/span> \/etc\/group
\nchmod<\/span> 600<\/span> \/etc\/gshadow<\/p>\n
\nfind<\/span> \/ -type f \\\\<\/span>(<\/span> -perm -4000 -o -perm -2000 \\\\<\/span>)<\/span> -exec ls<\/span> -l {<\/span>}<\/span> \\\\<\/span>;<\/span><\/p>\n
\nfind<\/span> \/ -type f -perm -o+w -not -path "\/proc\/*"<\/span> -not -path "\/sys\/*"<\/span> -exec ls<\/span> -l {<\/span>}<\/span> \\\\<\/span>;<\/span><\/p>\n3. \u6587\u4ef6\u5b8c\u6574\u6027\u68c0\u67e5<\/h4>\n
\nyum install<\/span> aide # CentOS\/RHEL<\/span>
\napt<\/span> install<\/span> aide # Ubuntu\/Debian<\/span><\/p>\n
\naide –init
\nmv<\/span> \/var\/lib\/aide\/aide.db.new.gz \/var\/lib\/aide\/aide.db.gz<\/p>\n
\necho<\/span> "0 4 * * * root \/usr\/sbin\/aide –check | mail -s 'AIDE\u68c0\u67e5\u62a5\u544a' admin@example.com"<\/span> ><\/span> \/etc\/cron.d\/aide<\/p>\n\u516d\u3001\u7cfb\u7edf\u5ba1\u8ba1\u4e0e\u65e5\u5fd7<\/h3>\n
1. \u914d\u7f6e\u96c6\u4e2d\u65e5\u5fd7<\/h4>\n
\n*.* @logserver.example.com:514 # UDP<\/span>
\n*.* @@logserver.example.com:514 # TCP+TLS<\/span><\/p>\n
\nsystemctl restart rsyslog<\/p>\n2. \u914d\u7f6eAuditd\u5ba1\u8ba1\u7cfb\u7edf<\/h4>\n
\nyum install<\/span> audit # CentOS\/RHEL<\/span>
\napt<\/span> install<\/span> auditd # Ubuntu\/Debian<\/span><\/p>\n
\nsystemctl enable<\/span> auditd
\nsystemctl start auditd<\/p>\n
\nmax_log_file =<\/span> 50<\/span>
\nmax_log_file_action =<\/span> rotate
\nnum_logs =<\/span> 10<\/span>
\nspace_left_action =<\/span> email
\naction_mail_acct =<\/span> root
\nadmin_space_left_action =<\/span> halt<\/span><\/p>\n
\n-w \/etc\/ -p wa -k etc_changes<\/p>\n
\n-w \/etc\/passwd -p wa -k user_modification
\n-w \/etc\/shadow -p wa -k user_modification
\n-w \/etc\/group -p wa -k user_modification
\n-w \/etc\/gshadow -p wa -k user_modification<\/p>\n
\n-w \/usr\/bin\/sudo -p x -k sudo_usage<\/p>\n
\n-a always,exit -F arch=b64 -S open -F exit=-EACCES -k file_access
\n-a always,exit -F arch=b64 -S open -F exit=-EPERM -k file_access<\/p>\n3. \u65e5\u5fd7\u8f6e\u8f6c\u4e0e\u4fdd\u7559<\/h4>\n
\nrotate 90 # \u4fdd\u755990\u5929
\ndaily # \u6bcf\u5929\u8f6e\u8f6c
\ncompress # \u538b\u7f29\u65e7\u65e5\u5fd7
\ndateext # \u4f7f\u7528\u65e5\u671f\u6269\u5c55\u540d<\/p>\n\u4e03\u3001\u5165\u4fb5\u68c0\u6d4b\u4e0e\u9632\u5fa1<\/h3>\n
1. \u5b89\u88c5\u914d\u7f6eFail2ban<\/h4>\n
\nyum install<\/span> epel-release &&<\/span> yum install<\/span> fail2ban # CentOS\/RHEL<\/span>
\napt<\/span> install<\/span> fail2ban # Ubuntu\/Debian<\/span><\/p>\n
\ncat<\/span> ><\/span> \/etc\/fail2ban\/jail.local <<<\/span> EOF
\n[sshd]
\nenabled = true
\nport = 2222
\nfilter = sshd
\nlogpath = \/var\/log\/auth.log
\nmaxretry = 3
\nbantime = 3600
\nfindtime = 600
\nEOF<\/span><\/p>\n
\nsystemctl enable<\/span> fail2ban
\nsystemctl start fail2ban<\/p>\n2. \u5b89\u88c5\u914d\u7f6erootkit\u68c0\u6d4b\u5de5\u5177<\/h4>\n
\nyum install<\/span> rkhunter # CentOS\/RHEL<\/span>
\napt<\/span> install<\/span> rkhunter # Ubuntu\/Debian<\/span><\/p>\n
\nrkhunter –update
\nrkhunter –propupd<\/p>\n
\necho<\/span> "0 3 * * * root \/usr\/bin\/rkhunter –check –skip-keypress –report-warnings-only"<\/span> ><\/span> \/etc\/cron.d\/rkhunter<\/p>\n3. \u914d\u7f6e\u6587\u4ef6\u76d1\u63a7<\/h4>\n
\n# \u4ece\u5b98\u7f51\u4e0b\u8f7d\u5e76\u5b89\u88c5\u5bf9\u5e94\u7cfb\u7edf\u7684\u5305<\/span><\/p>\n
\ncat<\/span> ><\/span> \/etc\/osquery\/osquery.conf <<<\/span> EOF
\n{
\n "schedule": {
\n "file_events": {
\n "query": "SELECT * FROM file_events;",
\n "interval": 60
\n },
\n "process_events": {
\n "query": "SELECT * FROM process_events;",
\n "interval": 60
\n }
\n },
\n "file_paths": {
\n "etc": ["\/etc\/%%"],
\n "bin": ["\/bin\/%%", "\/sbin\/%%", "\/usr\/bin\/%%", "\/usr\/sbin\/%%"]
\n }
\n}
\nEOF<\/span><\/p>\n
\nsystemctl enable<\/span> osqueryd
\nsystemctl start osqueryd<\/p>\n\u516b\u3001\u7f51\u7edc\u5b89\u5168\u52a0\u56fa<\/h3>\n
1. \u5185\u6838\u53c2\u6570\u4f18\u5316<\/h4>\n
\nnet.ipv4.conf.all.rp_filter = 1
\nnet.ipv4.conf.default.rp_filter = 1<\/p>\n
\nnet.ipv4.conf.all.accept_source_route = 0
\nnet.ipv4.conf.default.accept_source_route = 0<\/p>\n
\nnet.ipv4.tcp_syncookies = 1
\nnet.ipv4.tcp_max_syn_backlog = 2048
\nnet.ipv4.tcp_synack_retries = 2
\nnet.ipv4.tcp_syn_retries = 5<\/p>\n
\nnet.ipv4.conf.all.accept_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0
\nnet.ipv4.conf.all.secure_redirects = 0
\nnet.ipv4.conf.default.secure_redirects = 0
\nnet.ipv4.conf.all.send_redirects = 0
\nnet.ipv4.conf.default.send_redirects = 0<\/p>\n
\nnet.ipv4.conf.all.rp_filter = 1
\nnet.ipv4.conf.default.rp_filter = 1<\/p>\n
\nnet.ipv4.conf.all.log_martians = 1
\nnet.ipv4.conf.default.log_martians = 1<\/p>\n2. \u7f51\u7edc\u670d\u52a1\u52a0\u56fa<\/h4>\n
\nopenssl req -new -newkey rsa:4096 -nodes -keyout server.key -out server.csr<\/p>\n
\nserver {<\/span>
\n listen 443<\/span> ssl http2;<\/span>
\n ssl_certificate \/etc\/ssl\/certs\/server.crt;<\/span>
\n ssl_certificate_key \/etc\/ssl\/private\/server.key;<\/span>
\n ssl_protocols TLSv1.2 TLSv1.3;<\/span>
\n ssl_prefer_server_ciphers on;<\/span>
\n ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'<\/span>;<\/span>
\n ssl_session_timeout 1d;<\/span>
\n ssl_session_cache shared:SSL:50m;<\/span>
\n ssl_session_tickets off;<\/span>
\n ssl_stapling on;<\/span>
\n ssl_stapling_verify on;<\/span>
\n add_header Strict-Transport-Security "max-age=63072000"<\/span> always;<\/span>
\n}<\/span><\/p>\n3. \u914d\u7f6e\u7f51\u7edc\u8bbf\u95ee\u63a7\u5236<\/h4>\n
\nsshd: 192.168<\/span>.1.0\/24 10.0<\/span>.0.0\/8<\/p>\n