系统加固及应用环境安装说明(Ubuntu 10.04)
- author: YuanXing
- CREATE DATE: 2011/12/19
- Rework Date: 2012/05/03
系统加固及设置
相关装备工作
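# Append the locale settings to /etc/environment (fixes the "locale settings"
# warnings).  Log out and back in afterwards so the new locale is in effect
# before the remaining steps are run.
cat >> /etc/environment <<'EOF'
#LC_ALL=C
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"
LC_MESSAGES="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
EOF
cat /etc/environment

# Generate the locales needed to view Chinese text in vim.
#start
cat > /var/lib/locales/supported.d/local <<'EOF'
en_US.UTF-8 UTF-8
zh_CN.UTF-8 UTF-8
zh_CN.GBK GBK
zh_CN.GB2312 GB2312
EOF
cat /var/lib/locales/supported.d/local
sudo dpkg-reconfigure --force locales
cat >> /etc/vim/vimrc <<'EOF'
set fileencodings=utf-8,gb2312,gbk,gb18030
set termencoding=utf-8
set fileformats=unix
"set encoding=prc
set encoding=utf-8
EOF
#end

# Remove ufw and load the iptables policy in its place.  "-y" replaces the
# "yes |" pipe, which would also answer "y" to any unrelated apt prompt.  The
# policy script must already be in /root/iptables (see the iptables section);
# otherwise this step leaves the host without any firewall.
apt-get -y purge ufw && yes | /root/iptables/set.iptables.sh load

# DNS: provider resolvers plus a public fallback.  On releases that manage
# /etc/resolv.conf with resolvconf this file is regenerated; there the
# nameservers belong in the interface configuration instead.
cat > /etc/resolv.conf <<'EOF'
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
cat /etc/resolv.conf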
配置文件备份
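#Start
# Snapshot of the default configuration, taken before hardening, so that the
# post-install copy (see 配置备份及比对) can be diffed against it.  The snapshot
# contains sshd_config, passwd and the firewall rules, so keep it out of any
# world-readable location (a later step sets /bak/backups to root:dfbak, 750).
[ -d /bak ] || { mkdir -p /data/bak && ln -sf /data/bak /bak; }
bakdir="/bak/backups/confbak/default_$(date +'%Y%m%d_%H%M%S')"
# Run in a subshell with -e: if mkdir or cd fails, the copies below must not
# land in the current directory, and the interactive shell must stay open.
(
  set -e
  mkdir -p "$bakdir"
  cd "$bakdir"
  dpkg -l > dpkg_list
  iptables -L -v -n > showiptables
  ls -la /etc/init.d > init.d_list.txt
  ls -la /etc/rc2.d > rc2.d_list.txt
  cp -R /etc/init.d/ .
  cp -R /etc/rc2.d/ .
  cp -- \
    /etc/network/interfaces \
    /etc/passwd \
    /etc/group \
    /etc/ssh/sshd_config \
    /etc/rc.local \
    /etc/sysctl.conf \
    /etc/security/limits.conf \
    /etc/securetty \
    /etc/profile \
    /etc/apt/sources.list \
    .
)
printf 'configuration snapshot: %s\n' "$bakdir"
#End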
源设置及系统补丁更新
-
确定版本名称:查看Release、Codename项
# Find the release name: look at the Release and Codename fields.
#   precise (12.04)   natty (11.04)    maverick (10.10)   lucid (10.04)
#   karmic (9.10)     jaunty (9.04)    intrepid (8.10)    hardy (8.04)
#   dapper (6.06)
lsb_release -a
-
确定源站点、生成源站点设置方式
# Official archive mirrors for Ubuntu:
#   https://launchpad.net/ubuntu/+archivemirrors
# Template line:
#   deb http://mirrors.sohu.com/ubuntu/ YOUR_UBUNTU_VERSION_HERE main restricted
#   deb-src http://mirrors.sohu.com/ubuntu/ YOUR_UBUNTU_VERSION_HERE main restricted
# Keep a copy of the shipped list, then write the mirror list.
cp /etc/apt/sources.list /etc/apt/sources.list.default
# Mirrors: China ubuntu.cn99.com, mirrors.163.com; Vietnam
# mirror-fpt-telecom.fpt.net (problematic); official archive.ubuntu.com.
# apt verifies the Release signatures, so the mirror choice affects
# availability rather than package integrity as long as the apt keyring on
# this host is intact.
MIRROR="mirrors.163.com"
Release="lucid"
cat > /etc/apt/sources.list <<EOF
deb http://$MIRROR/ubuntu/ ${Release} main restricted
deb-src http://$MIRROR/ubuntu/ ${Release} main restricted
deb http://$MIRROR/ubuntu/ ${Release}-updates main restricted
deb-src http://$MIRROR/ubuntu/ ${Release}-updates main restricted
deb http://$MIRROR/ubuntu/ ${Release} universe
deb-src http://$MIRROR/ubuntu/ ${Release} universe
deb http://$MIRROR/ubuntu/ ${Release}-updates universe
deb-src http://$MIRROR/ubuntu/ ${Release}-updates universe
deb http://$MIRROR/ubuntu/ ${Release} multiverse
deb-src http://$MIRROR/ubuntu/ ${Release} multiverse
deb http://$MIRROR/ubuntu/ ${Release}-updates multiverse
deb-src http://$MIRROR/ubuntu/ ${Release}-updates multiverse
deb http://$MIRROR/ubuntu/ ${Release}-backports main restricted universe multiverse
deb-src http://$MIRROR/ubuntu/ ${Release}-backports main restricted universe multiverse
deb http://$MIRROR/ubuntu ${Release}-security main restricted
deb-src http://$MIRROR/ubuntu ${Release}-security main restricted
deb http://$MIRROR/ubuntu ${Release}-security universe
deb-src http://$MIRROR/ubuntu ${Release}-security universe
deb http://$MIRROR/ubuntu ${Release}-security multiverse
deb-src http://$MIRROR/ubuntu ${Release}-security multiverse
#
EOF
-
更新系统、并重启动
# Refresh the package index and apply every pending update (including kernel
# and security updates); reboot afterwards so a new kernel is actually running.
apt-get update \
  && apt-get dist-upgrade
管理及备份用户设置
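# Create the admin account.  A new system gets only the admin and dfbak
# accounts, and only the admin account gets an ssh key.  The original mixed
# the names yuanxing/dfjsb in this step (key generated for one, files moved
# to the other); a single variable keeps account, key and home consistent.
admin_user="dfjsb"
useradd -c comment -G admin -m "$admin_user" -s /bin/bash
passwd "$admin_user"

# Generate the admin user's key pair in the user's own context.  The key files
# are then moved out of ~/.ssh so they can be fetched with scp; only
# authorized_keys needs to stay on the server.
# Note: DSA is limited to 1024 bits and is disabled by default in newer
# OpenSSH clients; prefer RSA (-t rsa -b 4096) where the clients support it.
#TAG=$(ifconfig eth0 | sed -n '2s/^[^:]*:\([0-9.]\{7,15\}\) .*/\1/p')
TAG=$(hostname)
su - "$admin_user" -c "ssh-keygen -b 1024 -t dsa -f ~/.ssh/id_dsa \
  && cd ~/.ssh \
  && rm -f authorized_keys \
  && cat id_dsa.pub > authorized_keys \
  && chmod 400 * \
  && mv id_dsa ${TAG}_\$(whoami)_dsa \
  && mv id_dsa.pub ${TAG}_\$(whoami)_dsa.pub"
mv /home/"$admin_user"/.ssh/"$TAG"* /home/"$admin_user"/
cd /home/"$admin_user" && chown "$admin_user": "$TAG"* && ls -la
# Copy the key files (/home/<user>/<TAG>*) back with scp, then delete the
# server-side copies.

# Set the admin password and lock the root password (root can only be reached
# via su/sudo from the admin account afterwards).
passwd -l root
passwd "$admin_user"

# Remove unused accounts:
# userdel -r <username>

# Off-site backup account (key-only: its password is locked) and the backup
# directories; /bak/backups is readable by root and the dfbak group only.
useradd -c remotebackup -m dfbak -s /bin/bash
passwd -l dfbak
[ -d /bak ] || { mkdir -p /data/bak && ln -sf /data/bak /bak; }
install -m 750 -o root -g dfbak -d /bak/backups
install -m 755 -o dfbak -g dfbak -d /data/rsync
su - dfbak -c "ln -sfT /bak/backups ~/backups"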
禁用econet协议
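# CVE-2010-4258: keep the econet module off this host.  "blacklist" is only
# honoured when modprobe is invoked with -b (as udev does), not for loads the
# kernel itself requests when a socket of that family is opened, so an
# "install ... /bin/true" line is written as well.
printf '%s\n' '#econet bug' 'blacklist econet' 'install econet /bin/true' \
  >> /etc/modprobe.d/blacklist.conf \
  && grep econet /etc/modprobe.d/blacklist.conf
# Unload the module if it is currently loaded; the final grep should print
# nothing.
lsmod | grep econet && modprobe -r econet && lsmod | grep econet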
sshd设置
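# NOTE: install the admin user's ssh key first — this turns password
# authentication off and blocks root logins, and the iptables policy must
# allow the new port 2222.
# Comment out the existing directives, then append the hardened values.
sed -i.bak \
  -e 's/^Port 22/#&/g' \
  -e 's/^UsePAM/#&/g' \
  -e 's/^ServerKeyBits/#&/g' \
  -e 's/^UseDNS/#&/g' \
  -e 's/^PrintMotd/#&/g' \
  -e 's/^RSAAuthentication/#&/g' \
  -e 's/^GSSAPIAuthentication/#&/g' \
  -e 's/^PasswordAuthentication/#&/g' \
  -e 's/^PermitRootLogin/#&/g' \
  /etc/ssh/sshd_config
# RSAAuthentication and ServerKeyBits only affect SSH protocol 1; key logins
# on protocol 2 are governed by PubkeyAuthentication (default yes).  With
# UsePAM yes, also confirm ChallengeResponseAuthentication is "no" (the
# Ubuntu default), otherwise PAM can still offer a password prompt.
cat >> /etc/ssh/sshd_config <<'EOF'
Port 2222
UsePAM yes
ServerKeyBits 1024
UseDNS no
PrintMotd no
RSAAuthentication no
GSSAPIAuthentication no
PasswordAuthentication no
PermitRootLogin no
EOF
# Validate the configuration before restarting so a typo cannot leave sshd
# down; keep the current session open until a new login on port 2222 works.
/usr/sbin/sshd -t && /etc/init.d/ssh restart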
限制使用su的用户
# Only members of the admin group may use su (pam_wheel), and direct root
# logins are allowed on the console only.  The admin account must already be
# in "admin" (useradd -G admin above), or su to root stops working for all.
printf '%s\n' "auth required pam_wheel.so group=admin" | sudo tee -a /etc/pam.d/su
cp /etc/securetty /etc/securetty.old \
  && printf '%s\n' "console" | sudo tee /etc/securetty
sysctl.conf参数设置
# Kernel network tuning.  Keep the original so the change can be reverted.
cp /etc/sysctl.conf /etc/sysctl.conf.bak
# Caveat on the values below: tcp_tw_recycle is known to drop connections
# from clients behind NAT (it was removed from the kernel in 4.12), and it
# depends on TCP timestamps, which are disabled here.  Review before applying
# to an internet-facing host.
cat >> /etc/sysctl.conf <<'EOF'
# Add
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
EOF
# Apply the new values now.
sysctl -p
系统limits设置
# Raise the process and open-file limits for all users (soft and hard).
cat >> /etc/security/limits.conf <<'EOF'
# Add
* soft nproc 20480
* hard nproc 20480
* soft nofile 20480
* hard nofile 20480
#
EOF
清除登录提示
# Blank the pre-login banners so release and kernel details are not shown to
# unauthenticated users (issue.net is used by sshd only when Banner points
# to it).  Originals are kept as .bak.
cp /etc/issue /etc/issue.bak \
  && printf '\n' | sudo tee /etc/issue
cp /etc/issue.net /etc/issue.net.bak \
  && printf '\n' | sudo tee /etc/issue.net
时区及时间同步
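# Timezone and one-off clock sync (also written to the hardware clock).
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate cn.pool.ntp.org && hwclock -w
# Periodic sync via /etc/crontab.  Written with a quoted heredoc instead of
# an interactive vi edit so the step is reproducible: "$(date ...)" and the
# "\%" escapes must reach cron literally (cron treats an unescaped % as a
# newline).  The trailing "#" line is kept as in the original, which notes
# that without it the entry is not picked up.
cat >> /etc/crontab <<'EOF'
#NTP update(cn.pool.ntp.org,time.stdtime.gov.tw)
30 4,16 * * * root (/usr/sbin/ntpdate cn.pool.ntp.org;/sbin/hwclock -w;) >> /var/log/ntpdate_$(date +\%Y\%m) 2>&1
#
EOF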
安装其它工具
安装设置snmpd、sysstat及常用工具
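apt-get install snmpd sysstat tree

# Add a read-only community to snmpd.conf.  This is a manual edit: add the
# line shown below.  The community string is a credential — use a
# site-specific value and replace "default" with the monitoring host's
# address, since "default" accepts the community from any source.
vi /etc/snmp/snmpd.conf
#   com2sec readonly default Leemai8a

# Remove the trailing "127.0.0.1" from SNMPDOPTS so snmpd listens on all
# interfaces; limit UDP/161 to the monitoring host in the iptables policy.
vi /etc/default/snmpd
#   SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'

# Enable sysstat data collection (ENABLED="true").
sed -i -e 's/^ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat

# Restart both services so the new settings take effect.
/etc/init.d/snmpd restart
/etc/init.d/sysstat restart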
安全检查及审核
# Rootkit / baseline check.  Run it on the freshly built host and keep the
# report with the configuration backups so later runs can be compared.
apt-get install rkhunter
rkhunter --check
应用环境安装
apt包安装
# Runtime packages: python2.6-dev, python-twisted, memcached,
# mysql 5.1 with libmysqlclient16-dev (libmysqlclient15-dev on older
# releases).  python-django is installed by hand later (customised version).
apt-get install \
  python2.6-dev python-twisted python-twisted-web memcached mysql-server-5.1 \
  libmysqlclient16-dev python-imaging python-setuptools python-libxml2 python-libxslt1
python2.7编译
# Build toolchain and the development packages the interpreter links against.
sudo apt-get install build-essential autoconf automake libreadline-dev libsqlite3-dev \
  libbz2-dev libssl-dev
# Download, build and install Python 2.7.2.  "make altinstall" behaves like
# "make install" but creates neither the "python" symlink nor the man pages,
# so the distribution's python2.6 is not overwritten.  (--enable-ipv6 is an
# optional configure flag mentioned in the original.)
# The tarball arrives over plain http: compare it with the checksum or
# signature published on python.org before building it.
mkdir -p /data/packages/ \
  && cd /data/packages/ \
  && wget http://www.python.org/ftp/python/2.7.2/Python-2.7.2.tar.bz2 \
  && tar jxvf Python-2.7.2.tar.bz2 \
  && cd Python-2.7.2 \
  && ./configure --prefix=/usr --enable-unicode=ucs4 --with-dbmliborder=bdb \
       --with-system-expat --with-system-ffi \
  && make \
  && make altinstall
easy_install-2.7
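# setuptools for the freshly built python2.7.  The download is checked
# against the md5 that PyPI publishes in the URL fragment before it is
# unpacked (md5 is weak, but it is the only digest the page provides).
cd /data/packages/ \
  && wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz#md5=7df2a529a074f613b509fb44feefe74e \
  && printf '%s  %s\n' 7df2a529a074f613b509fb44feefe74e setuptools-0.6c11.tar.gz | md5sum -c - \
  && tar zxvf setuptools-0.6c11.tar.gz \
  && cd setuptools-0.6c11 \
  && python2.7 setup.py install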
python支持包
# -Z (--always-unzip) installs every egg unpacked.  easy_install fetches
# from PyPI over http and does not verify package signatures; pin versions
# (or mirror the packages locally) if this host is rebuilt regularly.
easy_install-2.7 -Z python-memcached MySQL_python sqlalchemy simplejson pyamf blinker Twisted pycrypto pyzmq txzmq tornado
-
安装检查工具(可在后续步骤中用syschk.sh检查)
# Probe script for the python environment; run it as root and as www-data
# (see 说明 below) and check for errors.
/data/rsync/tools/scripts/pythonchk.py
-
说明
- 使用easy_install安装包时,增加-Z(--always-unzip)参数,避免安装成压缩包方式。
- 已安装包的清单:/usr/local/lib/python2.6/dist-packages/easy-install.pth
- 所有安装过的egg包均在:/usr/local/lib/python2.x/dist-packages(使用apt-get安装的包在/usr/share/python-support/目录)
- 安装完成后,分别使用root、www-data权限运行探针脚本,检查有无错误。(执行/data/rsync/tools/scripts/pythonchk.py)
memcached自启动
# Stop memcached and disable its autostart (ENABLE_MEMCACHED=no).
/etc/init.d/memcached stop
sed -i 's/\(ENABLE_MEMCACHED=\).*$/\1no/g' /etc/default/memcached
应用环境部署
获取pkgs
# Fetch the pkgs tree into /data/rsync/tools.  svn:// is neither
# authenticated nor encrypted, so use it only on a trusted network;
# x.x.x.x is a placeholder for the repository host.
svn co svn://x.x.x.x/tools /data/rsync/tools
配置iptables
# Copy the policy script into /root.
pkgsDir="/data/rsync/tools" \
  && cp -R "$pkgsDir/scripts/iptables" /root/
# Check the parameters (GMIP address etc.) before loading the policy.
vi /root/iptables/set.iptables.sh.info
# Load the policy and verify the resulting rules (e.g. iptables -L -v -n);
# the port used by sshd (2222) must be allowed.
/root/iptables/set.iptables.sh load
建立基本工作目录
# Working directories: application log directory owned by www-data, web root
# and backup directory readable by their group only.
install -m 755 -o www-data -g root   -d /var/log/game
install -m 750 -o root     -g www-data -d /data/www
install -m 750 -o root     -g dfbak  -d /bak/backups
配置mysqld服务
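# MySQL: data directory under /data, AppArmor profile and my.cnf from pkgs.
# The profile is installed and reloaded before the restart so mysqld starts
# confined to the new data path; the shipped my.cnf is kept as .default.
pkgsDir="/data/rsync/tools" \
  && usrsbinmysqld="$pkgsDir/conf/usr.sbin.mysqld" \
  && mycnf="$pkgsDir/conf/my.cnf" \
  && install -m 700 -o mysql -g mysql -d /data/mysql \
  && install -m 644 -o root -g root "$usrsbinmysqld" /etc/apparmor.d/ \
  && /etc/init.d/apparmor reload \
  && mv /etc/mysql/my.cnf /etc/mysql/my.cnf.default \
  && install -m 644 -o root -g root "$mycnf" /etc/mysql/ \
  && /etc/init.d/mysql restart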
其它
-
配置备份及比对
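#Start
# Post-install snapshot of the configuration, same file set as the default_*
# snapshot taken before hardening.  It contains sshd_config, passwd and the
# firewall rules, so it stays under /bak/backups (root:dfbak, 750).
bakdir="/bak/backups/confbak/complete_$(date +'%Y%m%d_%H%M%S')"
# Subshell with -e: a failed mkdir/cd must not make the copies below land in
# the current directory, and the interactive shell must stay open.
(
  set -e
  mkdir -p "$bakdir"
  cd "$bakdir"
  dpkg -l > dpkg_list
  iptables -L -v -n > showiptables
  ls -la /etc/init.d > init.d_list.txt
  ls -la /etc/rc2.d > rc2.d_list.txt
  cp -R /etc/init.d/ .
  cp -R /etc/rc2.d/ .
  cp -- \
    /etc/network/interfaces \
    /etc/passwd \
    /etc/group \
    /etc/ssh/sshd_config \
    /etc/rc.local \
    /etc/sysctl.conf \
    /etc/security/limits.conf \
    /etc/securetty \
    /etc/profile \
    /etc/apt/sources.list \
    .
)
#End
# Compare with the pre-install default_* snapshot.  The globs assume one
# snapshot of each kind; with several, name the two directories explicitly.
cd /bak/backups/confbak/ && diff -r default_* complete_*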
-
执行检查脚本
# Review access control, local accounts, listening service ports and
# component versions.
/data/rsync/tools/scripts/syschk.sh | more
- 补丁更新
- crontab核查
- 应用配置参数设置核查(mysql)
- 安全扫描
-
备份及异地备份部署
- nginx日志截断、压缩及过期日志删除
- mysql数据自动备份及过期备份包删除
- 异地备份抓取、性能状态采集
- Web日志分析设置
- 监控告警设置