系统加固及应用环境安装说明(Ubuntu 10.04)

系统加固及设置

相关准备工作

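# Add locale settings to /etc/environment (fixes the "locale settings" warnings).
# Guarded on LANG= so re-running the procedure does not append a duplicate set;
# if LANG is already present the file is left alone — check the printed contents.
if ! grep -q '^LANG=' /etc/environment; then
cat >> /etc/environment <<'EOF'
#LC_ALL=C
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"
LC_MESSAGES="en_US.UTF-8"
LC_CTYPE="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
EOF
fi
cat /etc/environment
# Log out and back in so the new locale is active before running the steps below.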
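# Let vim display Chinese text: generate the required locales, then set encodings.
#start
cat > /var/lib/locales/supported.d/local <<'EOF'
en_US.UTF-8 UTF-8
zh_CN.UTF-8 UTF-8
zh_CN.GBK GBK
zh_CN.GB2312 GB2312
EOF
cat /var/lib/locales/supported.d/local

sudo dpkg-reconfigure --force locales

# Guarded so the vimrc lines are not appended a second time on a re-run.
if ! grep -q '^set fileencodings=' /etc/vim/vimrc; then
cat >> /etc/vim/vimrc <<'EOF'
set fileencodings=utf-8,gb2312,gbk,gb18030
set termencoding=utf-8
set fileformats=unix
"set encoding=prc
set encoding=utf-8
EOF
fi
#end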

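# Remove ufw and load our own iptables policy in its place.
# /root/iptables/set.iptables.sh is only copied from the tools checkout in the
# iptables section further down; do that step first, otherwise purging ufw
# leaves the host without a packet filter until the script exists.
# apt-get -y replaces the "yes |" pipe; the script is kept on the pipe because
# its prompts are not shown here.
apt-get -y purge ufw && yes | /root/iptables/set.iptables.sh load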

# Resolver configuration. The heading asks for the provider's DNS plus a
# fallback; the addresses below are Google's public resolvers — substitute the
# provider's servers if that is what is intended.
printf 'nameserver %s\n' 8.8.8.8 8.8.4.4 > /etc/resolv.conf
cat /etc/resolv.conf

配置文件备份

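#Start
# Snapshot the package list, firewall rules, init scripts and key config files
# into a timestamped directory under /bak/backups/confbak. Every step is chained
# with && so nothing is written into the wrong directory if mkdir/cd fails.
[ -d /bak ] || { mkdir -p /data/bak && ln -sf /data/bak /bak; }
bakdir="/bak/backups/confbak/default_$(date +'%Y%m%d_%H%M%S')"
mkdir -p "$bakdir" && cd "$bakdir" \
&& dpkg -l >dpkg_list \
&& iptables -L -v -n >showiptables \
&& ls -la /etc/init.d >init.d_list.txt \
&& ls -la /etc/rc2.d >rc2.d_list.txt \
&& cp -R /etc/init.d/ . \
&& cp -R /etc/rc2.d/ . \
&& cp \
  /etc/network/interfaces \
  /etc/passwd \
  /etc/group \
  /etc/ssh/sshd_config \
  /etc/rc.local \
  /etc/sysctl.conf \
  /etc/security/limits.conf \
  /etc/securetty \
  /etc/profile \
  /etc/apt/sources.list \
  .
#End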

源设置及系统补丁更新

管理及备份用户设置

# Create the management user (member of "admin", which the su restriction
# below relies on) and set its password.
# NOTE(review): the original note says only "myga" and "dfbak" are created on a
# new system, but the command creates "dfjsb" — confirm the intended account name.
# "-c comment" is a placeholder GECOS field.
useradd -m -s /bin/bash -G admin -c comment dfjsb
passwd dfjsb

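# Create an ssh key pair for the management user.
# NOTE(review): the key is generated under "yuanxing" and then handed to
# "dfjsb"; confirm which account is meant before running. Generating the pair
# on the workstation and uploading only the public key would avoid ever having
# the private key on the server.
#TAG=$(ifconfig eth0| sed -n '2s/^[^:]*:\([0-9.]\{7,15\}\) .*/\1/p')
TAG=$(hostname)
keyuser=yuanxing
keyowner=dfjsb
# RSA 2048 instead of DSA: ssh DSA keys are fixed at 1024 bits, below current
# minimum recommendations. ~/.ssh is created first (ssh-keygen does not create
# it). The files are renamed to <TAG>_<user>_rsa[.pub]; $(whoami) is escaped
# so the inner shell expands it as that user.
su - "$keyuser" -c "mkdir -p ~/.ssh && chmod 700 ~/.ssh \
&& ssh-keygen -b 2048 -t rsa -f ~/.ssh/id_rsa \
&& cd ~/.ssh && rm -f authorized_keys && cat id_rsa.pub > authorized_keys \
&& chmod 400 * \
&& mv id_rsa ${TAG}_\$(whoami)_rsa && mv id_rsa.pub ${TAG}_\$(whoami)_rsa.pub"

# Hand the renamed key files to the owning account.
mv /home/"$keyuser"/.ssh/"$TAG"* /home/"$keyowner"/
cd /home/"$keyowner" && chown "$keyowner": "$TAG"* && ls -la

# Copy the key files back to the workstation with scp (after the mv above they
# are in /home/dfjsb, named <hostname>_*), then delete the copies left on the server.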

# Set the management user's final password, then lock root's password
# (the two steps are independent; the admin account is finished first).
passwd dfjsb
passwd -l root

# Remove unneeded accounts:
# userdel -r <username>

# Off-site backup account and directories. Its password is locked, so the
# account is presumably reached by ssh key only — verify against the backup setup.
useradd -m -s /bin/bash -c remotebackup dfbak
passwd -l dfbak

[ -d /bak ] || { mkdir -p /data/bak; ln -sf /data/bak /bak; }
# /bak/backups: root-owned, readable by the dfbak group; /data/rsync: owned by dfbak.
install -d -m 750 -o root -g dfbak /bak/backups
install -d -m 755 -o dfbak -g dfbak /data/rsync
su - dfbak -c "ln -sfT /bak/backups ~/backups"

禁用econet协议

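# CVE-2010-4258 bug: blacklist the econet protocol module (guarded against
# duplicate blacklist lines on re-run) and show the resulting entry.
grep -q '^blacklist econet' /etc/modprobe.d/blacklist.conf \
  || printf '%s\n' '#econet bug' 'blacklist econet' >> /etc/modprobe.d/blacklist.conf
grep econet /etc/modprobe.d/blacklist.conf
# Unload it now if it is loaded; the final lsmod|grep prints nothing once it is gone.
if lsmod | grep -q econet; then modprobe -r econet && lsmod | grep econet; fi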

sshd设置

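# NOTE: install the management user's ssh key first — PasswordAuthentication
# is switched off below, so without a working key you lock yourself out.
# Comment out the distribution defaults we override (backup kept as sshd_config.bak).
sed -i.bak \
-e 's/^Port 22/#&/g' \
-e 's/^UsePAM/#&/g' \
-e 's/^ServerKeyBits/#&/g' \
-e 's/^UseDNS/#&/g' \
-e 's/^PrintMotd/#&/g' \
-e 's/^RSAAuthentication/#&/g' \
-e 's/^GSSAPIAuthentication/#&/g' \
-e 's/^PasswordAuthentication/#&/g' \
-e 's/^PermitRootLogin/#&/g' \
/etc/ssh/sshd_config

# Append our settings only once, so a re-run does not pile up duplicate
# directives (sshd honours the first occurrence of a directive).
if ! grep -q '^Port 2222$' /etc/ssh/sshd_config; then
cat >> /etc/ssh/sshd_config <<'EOF'
Port 2222
UsePAM yes
ServerKeyBits 1024
UseDNS no
PrintMotd no
RSAAuthentication no
GSSAPIAuthentication no
PasswordAuthentication no
PermitRootLogin no

EOF
fi
# NOTE(review): ServerKeyBits and RSAAuthentication only concern SSH protocol 1;
# protocol-2 public-key logins (PubkeyAuthentication) stay enabled, which is
# what the generated key relies on.
# Validate the configuration before restarting so a mistake cannot take sshd down.
/usr/sbin/sshd -t && /etc/init.d/ssh restart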

限制使用su的用户

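# Only members of "admin" (the management user's group) may su; guarded so the
# PAM line is not appended twice. securetty is reduced to the console so root
# can log in directly only there.
grep -q '^auth required pam_wheel.so group=admin' /etc/pam.d/su \
  || printf '%s\n' "auth required pam_wheel.so group=admin" | sudo tee -a /etc/pam.d/su
cp /etc/securetty /etc/securetty.old && printf '%s\n' "console" | sudo tee /etc/securetty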

sysctl.conf参数设置

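# Kernel network tuning. Back the file up first; the "# Add" marker line keeps
# the block from being appended again on a re-run.
cp /etc/sysctl.conf /etc/sysctl.conf.bak
if ! grep -qx '# Add' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf <<'EOF'
# Add
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog =  32768
net.core.somaxconn = 32768

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
EOF
fi
# NOTE(review): tcp_tw_recycle is known to break clients behind NAT when TCP
# timestamps are in use; with tcp_timestamps=0 as set here it has little effect,
# so consider dropping it rather than relying on that interaction.
# Apply the changes:
sysctl -p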

系统limits设置

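# Process and open-file limits for all users; the "# Add" marker keeps the
# block from being appended twice on a re-run.
if ! grep -qx '# Add' /etc/security/limits.conf; then
cat >> /etc/security/limits.conf <<'EOF'
# Add
* soft nproc 20480
* hard nproc 20480
* soft nofile 20480
* hard nofile 20480
#
EOF
fi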

清除登录提示

# Blank the pre-login banners (local and network), keeping a .bak of each.
for banner in /etc/issue /etc/issue.net; do
  cp "$banner" "$banner.bak" && printf '\n' | sudo tee "$banner"
done

时区及时间同步

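# Time zone and one-off clock sync (hardware clock written only if ntpdate succeeded).
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate cn.pool.ntp.org && hwclock -w

# Add the time-sync job to /etc/crontab. A quoted heredoc keeps $(date ...)
# unexpanded (cron evaluates it; % is escaped as cron requires), the trailing
# "#" line is kept as the manual procedure asked, and the grep guard prevents
# a duplicate entry on re-run.
if ! grep -q 'ntpdate cn.pool.ntp.org' /etc/crontab; then
cat >> /etc/crontab <<'EOF'
#NTP update(cn.pool.ntp.org,time.stdtime.gov.tw)
30 4,16 * * * root (/usr/sbin/ntpdate cn.pool.ntp.org;/sbin/hwclock -w;) >> /var/log/ntpdate_$(date +\%Y\%m) 2>&1
#
EOF
fi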

安装其它工具

安装设置snmpd、sysstat及常用工具

apt-get install snmpd sysstat tree

#   修改snmpd.conf,增加readonly行
vi /etc/snmp/snmpd.conf
    com2sec readonly  default         Leemai8a


#   修改/etc/default/snmpd,去除SNMPDOPTS行最后的127.0.0.1:
vi /etc/default/snmpd
    SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'

#   启用sysstat(修改ENABLED="true")
sed -i -e 's/^ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat

#   重启snmpd、sysstat服务
/etc/init.d/snmpd restart
/etc/init.d/sysstat restart

安全检查及审核

# Rootkit check. Run it once the host is fully configured so the report
# reflects the final state.
apt-get install rkhunter
rkhunter -c

应用环境安装

apt包安装

#   python2.6-dev, python-twisted, memcached
#   mysql5.1, libmysqlclient16-dev #libmysqlclient15-dev
#   python-django is installed by hand later (customised version)
apt_pkgs=(
  python2.6-dev python-twisted python-twisted-web memcached mysql-server-5.1
  libmysqlclient16-dev python-imaging python-setuptools python-libxml2 python-libxslt1
)
apt-get install "${apt_pkgs[@]}"

python2.7编译

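# Build environment and development headers.
sudo apt-get install build-essential autoconf automake libreadline-dev libsqlite3-dev \
        libbz2-dev libssl-dev

# Download, build and install Python 2.7 (version hoisted into a variable).
#   --enable-ipv6
#   make altinstall behaves like make install but creates neither the "python"
#   symlink nor the man pages, so python2.6's files are not overwritten.
# NOTE(review): the tarball is fetched over plain http with no integrity check;
# compare it with the checksum/signature published for this release
# (not on this page) before running configure.
pyver=2.7.2
pytar="Python-${pyver}.tar.bz2"
mkdir -p /data/packages/ \
&& cd /data/packages/ \
&& wget "http://www.python.org/ftp/python/${pyver}/${pytar}" \
&& tar jxvf "$pytar" \
&& cd "Python-${pyver}" \
&& ./configure --prefix=/usr --enable-unicode=ucs4 --with-dbmliborder=bdb \
--with-system-expat --with-system-ffi \
&& make && make altinstall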

easy_install-2.7

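# setuptools for python2.7. The md5 was only carried in the URL fragment of the
# original command (wget ignores fragments); it is now checked explicitly so a
# corrupted or substituted download stops the install.
st_ver=0.6c11
st_md5=7df2a529a074f613b509fb44feefe74e
cd /data/packages/ \
&& wget "http://pypi.python.org/packages/source/s/setuptools/setuptools-${st_ver}.tar.gz" \
&& printf '%s  %s\n' "$st_md5" "setuptools-${st_ver}.tar.gz" | md5sum -c - \
&& tar zxvf "setuptools-${st_ver}.tar.gz" \
&& cd "setuptools-${st_ver}" \
&& python2.7 setup.py install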

python支持包

# Python support packages (-Z: install unzipped). As written these come from
# PyPI over plain http with no signature check — presumably accepted here.
pypkgs=(
  python-memcached MySQL_python sqlalchemy simplejson pyamf blinker
  Twisted pycrypto pyzmq txzmq tornado
)
easy_install-2.7 -Z "${pypkgs[@]}"

memcached自启动

# Stop memcached and disable its automatic start (ENABLE_MEMCACHED=no).
/etc/init.d/memcached stop
sed -i -e 's/\(ENABLE_MEMCACHED=\).*$/\1no/g' /etc/default/memcached

应用环境部署

获取pkgs

# Check the pkgs out into /data/rsync/tools (x.x.x.x is a placeholder for the
# repository host). NOTE(review): svn:// carries the checkout unencrypted and
# unauthenticated; svn+ssh:// would be the safer transport if the server allows it.
toolsDir=/data/rsync/tools
svn co svn://x.x.x.x/tools "$toolsDir"

配置iptables

# Copy the policy script from the tools checkout.
pkgsDir=/data/rsync/tools
cp -R "$pkgsDir/scripts/iptables" /root/

# Review the parameters (GMIP address etc.) before loading.
vi /root/iptables/set.iptables.sh.info

# Load the policy, then confirm the rules (e.g. iptables -L -v -n).
/root/iptables/set.iptables.sh load

建立基本工作目录

# Working directories: game log dir owned by www-data, web root readable by
# the www-data group, backup root readable by the dfbak group.
install -d -m 755 -o www-data -g root /var/log/game
install -d -m 750 -o root -g www-data /data/www
install -d -m 750 -o root -g dfbak /bak/backups

配置mysqld服务

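# Install the AppArmor profile and my.cnf from the tools checkout, then restart
# mysqld. /data/mysql is created as the data directory (0700 mysql:mysql);
# presumably the shipped usr.sbin.mysqld profile allows that path — verify.
# Paths are quoted, and my.cnf.default is only written once so a re-run cannot
# overwrite the saved distribution default with our own file.
pkgsDir="/data/rsync/tools" \
&& usrsbinmysqld="$pkgsDir/conf/usr.sbin.mysqld" \
&& mycnf="$pkgsDir/conf/my.cnf" \
&& install -m 700 -o mysql -g mysql -d /data/mysql \
&& install -m 644 -o root -g root "$usrsbinmysqld" /etc/apparmor.d/ \
&& /etc/init.d/apparmor reload \
&& { [ -e /etc/mysql/my.cnf.default ] || mv /etc/mysql/my.cnf /etc/mysql/my.cnf.default; } \
&& install -m 644 -o root -g root "$mycnf" /etc/mysql/ \
&& /etc/init.d/mysql restart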

其它