系统加固及应用环境安装说明(Ubuntu 12.04)
- author: YuanXing
- CREATE DATE: 2011/12/19
- Rework Date: 2012/05/03
系统加固及设置
相关准备工作
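# Append locale settings to /etc/environment (fixes the "locale settings"
# warnings; takes effect on the next login). Guarded with grep so re-running
# this step does not append duplicate LC_ALL/LANG lines.
if ! grep -q '^LC_ALL=' /etc/environment; then
  cat >> /etc/environment <<EOF
LC_ALL="en_US.UTF-8"
LANG="en_US.UTF-8"
EOF
fi
cat /etc/environment

# Let vim display Chinese text: generate the needed locales, then tell vim
# which file encodings to try.
#start
cat > /var/lib/locales/supported.d/local <<EOF
en_US.UTF-8 UTF-8
zh_CN.UTF-8 UTF-8
zh_CN.GBK GBK
zh_CN.GB2312 GB2312
EOF
cat /var/lib/locales/supported.d/local
#locale-gen --purge
dpkg-reconfigure --force locales
# The "set encoding=prc line inside the heredoc is a vim comment, kept as written.
if ! grep -q '^set fileencodings=' /etc/vim/vimrc; then
  cat >> /etc/vim/vimrc <<EOF
set fileencodings=utf-8,gb2312,gbk,gb18030
set termencoding=utf-8
set fileformats=unix
"set encoding=prc
set encoding=utf-8
EOF
fi
#end

# Replace ufw with the site iptables script. The replacement script is checked
# for BEFORE ufw is purged: purging first and then failing to find the script
# would leave the host with no firewall at all. -y replaces the yes| pipe.
if [ -f /root/stand_iptables.sh ]; then
  apt-get -y purge ufw && sh /root/stand_iptables.sh
else
  printf 'error: /root/stand_iptables.sh not found; ufw left in place\n' >&2
fi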
-
修改DNS(接入商DNS+备用DNS)
# Point the resolver at the ISP nameserver, with a public resolver as fallback.
# NOTE(review): Ubuntu 12.04 manages /etc/resolv.conf through resolvconf, so a
# hand-written file may be regenerated on the next network restart; if that
# happens, set dns-nameservers in /etc/network/interfaces instead.
printf 'nameserver %s\n' 61.139.2.69 8.8.8.8 > /etc/resolv.conf
cat /etc/resolv.conf
配置备份
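# Snapshot the stock configuration before hardening, so the post-install
# snapshot (complete_*) can be diffed against it later.
# Runs in a subshell under set -e: a failed step (notably the cd) aborts the
# snapshot instead of letting the later cp calls scatter files into whatever
# the current directory happens to be, which is what the unconditional tail of
# the original &&-chain allowed. cp -p keeps owner/mode/mtime of the copies so
# the snapshot is usable for a permissions diff as well.
# The snapshot holds account and sshd configuration; /bak/backups is later set
# to root:dfbak 750 by the user-management step, i.e. it is readable by the
# remote-backup account by design.
(
  set -e
  if [ ! -d /bak ]; then
    mkdir -p /data/bak
    ln -sf /data/bak /bak
  fi
  bakdir="/bak/backups/confbak/default_$(date +'%Y%m%d_%H%M%S')"
  mkdir -p "$bakdir"
  cd "$bakdir"
  dpkg -l > dpkg_list
  iptables -L -v -n > showiptables
  ls -la /etc/init.d > init.d_list.txt
  ls -la /etc/rc2.d > rc2.d_list.txt
  cp -Rp /etc/init.d/ .
  cp -Rp /etc/rc2.d/ .
  cp -p \
    /etc/network/interfaces \
    /etc/passwd \
    /etc/group \
    /etc/ssh/sshd_config \
    /etc/rc.local \
    /etc/sysctl.conf \
    /etc/security/limits.conf \
    /etc/securetty \
    /etc/profile \
    /etc/apt/sources.list \
    .
  printf 'config snapshot written to %s\n' "$bakdir"
)
#End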
系统补丁更新
-
确定版本名称
# Show the Release and Codename fields; the codename is what the sources.list
# step below needs (precise for 12.04).
# Known codenames: precise 12.04, natty 11.04, maverick 10.10, lucid 10.04,
# karmic 9.10, jaunty 9.04, intrepid 8.10, hardy 8.04, dapper 6.06.
lsb_release --all
-
确定源站点、生成源站点设置方式
# Official archive mirror list: https://launchpad.net/ubuntu/+archivemirrors
# Line template:
#   deb http://mirrors.sohu.com/ubuntu/ YOUR_UBUNTU_VERSION_HERE main restricted
#   deb-src http://mirrors.sohu.com/ubuntu/ YOUR_UBUNTU_VERSION_HERE main restricted
#
# Candidate mirrors: China ubuntu.cn99.com / mirrors.163.com; Vietnam
# mirror-fpt-telecom.fpt.net (known to be problematic); official
# archive.ubuntu.com; Malaysia mirror.oscc.org.my.
# NOTE(review): apt verifies the archive signatures, so http:// is acceptable,
# but a lagging mirror delays the -security pocket; if the mirror's freshness
# is not monitored, consider pointing the *-security lines at the official archive.
MIRROR="mirrors.163.com"
Release="precise"

# Keep the stock file, then write the mirror-based one.
cp /etc/apt/sources.list /etc/apt/sources.list.default
cat > /etc/apt/sources.list <<EOF
deb http://$MIRROR/ubuntu/ ${Release} main restricted
deb-src http://$MIRROR/ubuntu/ ${Release} main restricted
deb http://$MIRROR/ubuntu/ ${Release}-updates main restricted
deb-src http://$MIRROR/ubuntu/ ${Release}-updates main restricted
deb http://$MIRROR/ubuntu/ ${Release} universe
deb-src http://$MIRROR/ubuntu/ ${Release} universe
deb http://$MIRROR/ubuntu/ ${Release}-updates universe
deb-src http://$MIRROR/ubuntu/ ${Release}-updates universe
deb http://$MIRROR/ubuntu/ ${Release} multiverse
deb-src http://$MIRROR/ubuntu/ ${Release} multiverse
deb http://$MIRROR/ubuntu/ ${Release}-updates multiverse
deb-src http://$MIRROR/ubuntu/ ${Release}-updates multiverse
deb http://$MIRROR/ubuntu/ ${Release}-backports main restricted universe multiverse
deb-src http://$MIRROR/ubuntu/ ${Release}-backports main restricted universe multiverse
deb http://$MIRROR/ubuntu ${Release}-security main restricted
deb-src http://$MIRROR/ubuntu ${Release}-security main restricted
deb http://$MIRROR/ubuntu ${Release}-security universe
deb-src http://$MIRROR/ubuntu ${Release}-security universe
deb http://$MIRROR/ubuntu ${Release}-security multiverse
deb-src http://$MIRROR/ubuntu ${Release}-security multiverse
#
EOF
-
更新系统
# Refresh the package lists, then upgrade. dist-upgrade (rather than upgrade)
# also installs packages whose dependencies changed instead of holding them back.
if apt-get update; then
  apt-get dist-upgrade
fi
管理用户
# Create the admin account. (Original note: on a new system only the two
# accounts myga and dfbak are created for now, and an ssh key is generated only
# for myga; the commands below still use dfjsb as written.)
useradd -c comment -G "sudo" -m dfjsb -s /bin/bash
passwd dfjsb

# Lock root's password and adjust the initial account's groups and password.
# NOTE(review): before locking root, confirm from a second session that the new
# account can log in and use sudo — otherwise this step can lock you out.
# NOTE(review): membership in group root is presumably for the pam_wheel
# restriction on su configured later in this guide (pam_wheel uses gid 0 when no
# wheel group exists); it also grants read access to every group-root-readable
# file, so keep that group to the one admin account.
passwd -l root
usermod -a -G root dfjsb
passwd dfjsb

# Remove accounts that are not needed:
# userdel -r <username>

# Off-site backup account and its backup directories. The password is locked:
# the account is reached by key only.
useradd -c remotebackup -m dfbak -s /bin/bash
passwd -l dfbak
[ -d /bak ] || { mkdir -p /data/bak; ln -sf /data/bak /bak; }
install -m 750 -o root -g dfbak -d /bak/backups
install -m 755 -o dfbak -g dfbak -d /data/rsync
su - dfbak -c "ln -sfT /bak/backups ~/backups"
ssh_key生成
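# Generate the ssh key pairs on the local workstation.
# Changed from 1024-bit DSA: DSA keys are fixed at 1024 bits and are refused by
# default by OpenSSH 7.0+ clients, so new keys are 4096-bit RSA, which the
# 12.04 sshd accepts under PubkeyAuthentication (RSAAuthentication in the sshd
# step only concerns protocol 1). ssh-keygen prompts for a passphrase; do not
# bypass that for admin keys.
stamp=$(date +%Y%m%d)
for user in dfjsb myga root; do
  keyfile="./${user}_${stamp}_rsa"
  ssh-keygen -t rsa -b 4096 -f "$keyfile"
done
# Copy each public key into ~/.ssh/authorized_keys of the matching account on
# the server.
# NOTE(review): a key for root is generated although sshd is later set to
# PermitRootLogin no — presumably only used before that step; confirm it is needed.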
禁用econet协议
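# Blacklist the econet module (CVE-2010-4258 bug). The entry is appended only
# once, so re-running this step does not pile up duplicate lines; the file is
# grepped directly instead of cat|grep.
if ! grep -q '^blacklist econet' /etc/modprobe.d/blacklist.conf; then
  printf '%s\n' '#econet bug' 'blacklist econet' >> /etc/modprobe.d/blacklist.conf
fi
grep econet /etc/modprobe.d/blacklist.conf
# Unload the module if it is currently loaded; the final lsmod should print
# nothing. On a kernel without the module the first check simply finds nothing.
if lsmod | grep -q econet; then
  modprobe -r econet
  lsmod | grep econet
fi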
sshd设置
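# sshd hardening. NOTE: the admin accounts' public keys must already be in
# ~/.ssh/authorized_keys, and the firewall must admit tcp/2222, before this
# step — it disables password login and moves the port in one go.
# Existing directives are commented out, the hardened values appended, the
# result validated with sshd -t, and only then is sshd restarted: restarting on
# a broken config would leave the host unreachable.
# Notes on the values:
#  - RSAAuthentication / ServerKeyBits only concern SSH protocol 1; protocol 2
#    public-key login is governed by PubkeyAuthentication (default yes).
#  - ChallengeResponseAuthentication no is added because with UsePAM yes the
#    keyboard-interactive PAM path can still accept a password even when
#    PasswordAuthentication is no.
sed -i.bak \
  -e 's/^Port 22/#&/' \
  -e 's/^UsePAM/#&/' \
  -e 's/^ServerKeyBits/#&/' \
  -e 's/^UseDNS/#&/' \
  -e 's/^PrintMotd/#&/' \
  -e 's/^RSAAuthentication/#&/' \
  -e 's/^GSSAPIAuthentication/#&/' \
  -e 's/^PasswordAuthentication/#&/' \
  -e 's/^ChallengeResponseAuthentication/#&/' \
  -e 's/^PermitRootLogin/#&/' \
  /etc/ssh/sshd_config
cat >> /etc/ssh/sshd_config <<EOF
Port 2222
UsePAM yes
ServerKeyBits 1024
UseDNS no
PrintMotd no
RSAAuthentication no
GSSAPIAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
# Validate, then restart. Keep this session open and test a fresh login on
# port 2222 from another terminal before closing it.
if /usr/sbin/sshd -t; then
  /etc/init.d/ssh restart
else
  printf 'error: sshd_config failed validation; not restarting (backup: /etc/ssh/sshd_config.bak)\n' >&2
fi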
限制su
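# Restrict su to the wheel group and blank the pre-login banners.
# pam_wheel without group= checks the wheel group and uses gid 0 (group root)
# when no wheel group exists — which is why the admin account is added to group
# root in this guide. The pam line is appended only once (anchored so the
# commented-out template line Ubuntu ships does not count), so the step can be re-run.
if ! grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' /etc/pam.d/su; then
  printf 'auth required pam_wheel.so\n' | sudo tee -a /etc/pam.d/su
fi
# Only the physical console may take a root login (securetty); root over ssh
# is separately blocked by PermitRootLogin no in the sshd step.
cp /etc/securetty /etc/securetty.old && printf 'console\n' | sudo tee /etc/securetty
# Empty /etc/issue and /etc/issue.net so the login prompt and ssh banner reveal
# nothing about the system.
cp /etc/issue /etc/issue.bak && printf '\n' | sudo tee /etc/issue
cp /etc/issue.net /etc/issue.net.bak && printf '\n' | sudo tee /etc/issue.net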
sysctl.conf设置
# Kernel network tuning: keep a copy of the current file, append the site
# values verbatim, then apply them with sysctl -p.
# NOTE(review): tcp_tw_recycle=1 is known to break clients behind NAT and has
# no effect while tcp_timestamps=0; worth re-checking on hosts serving NATed
# users. Values are appended exactly as in the original.
cp /etc/sysctl.conf /etc/sysctl.conf.bak
tee -a /etc/sysctl.conf >/dev/null <<EOF
# Add
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
EOF
# Activate the new values:
sysctl -p
系统limits参数
# Raise the process and open-file limits for all PAM sessions.
# NOTE(review): pam_limits does not apply '*' entries to root; add explicit
# "root" lines if root's own limits matter (e.g. for daemons started by root).
tee -a /etc/security/limits.conf >/dev/null <<EOF
# Add
* soft nproc 20480
* hard nproc 20480
* soft nofile 20480
* hard nofile 20480
#
EOF
时区及时间同步
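# Time zone and clock sync. Parameterised so the Vietnam variant is a two-
# variable change instead of a second copy of the block:
#   China (default): zone=Asia/Shanghai   ntp_server=cn.pool.ntp.org
#   Vietnam:         zone=Asia/Vientiane  ntp_server=vn.pool.ntp.org
zone=${zone:-Asia/Shanghai}
ntp_server=${ntp_server:-cn.pool.ntp.org}

ln -sf "/usr/share/zoneinfo/$zone" /etc/localtime
ntpdate "$ntp_server" && hwclock -w

# Add the twice-daily sync job to /etc/crontab. The original had the crontab
# text pasted after a "vi /etc/crontab" line, which a shell would try to
# execute; appending it here keeps the step runnable. The job is added only if
# no ntpdate entry exists yet, and a trailing "#" line is kept because cron
# ignores a last line that lacks a newline (the original's note).
# \$ and \\ inside the heredoc keep $(date +\%Y\%m) literal for cron to expand;
# cron itself needs the % signs escaped.
if ! grep -q '/usr/sbin/ntpdate' /etc/crontab; then
  cat >> /etc/crontab <<EOF
#NTP update(cn.pool.ntp.org,time.stdtime.gov.tw)
30 4,16 * * * root (/usr/sbin/ntpdate $ntp_server;/sbin/hwclock -w;) >> /var/log/ntpdate_\$(date +\\%Y\\%m) 2>&1
#
EOF
fi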
其它工具
-
安装设置snmpd、sysstat及常用工具
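# Install snmpd, sysstat and tree, then configure snmpd.
# The original pasted a com2sec line with the community string in clear text
# into this guide and bound it to "default" (any source address). The community
# is a credential, so it is taken from the environment here (SNMP_COMMUNITY must
# be set by the operator), and the source is parameterised: SNMP_SOURCE defaults
# to "default" to preserve the original behaviour but should be the monitoring
# host or network (e.g. 10.0.0.0/24 — constructed example), because the
# SNMPDOPTS change below also removes the 127.0.0.1 bind.
apt-get install snmpd sysstat tree

: "${SNMP_COMMUNITY:?set SNMP_COMMUNITY to the read-only community string before running this step}"
snmp_source=${SNMP_SOURCE:-default}
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
# Append the readonly com2sec line once (anchored so Ubuntu's commented
# template line does not count as present).
if ! grep -Eq '^com2sec[[:space:]]+readonly' /etc/snmp/snmpd.conf; then
  printf 'com2sec readonly %s %s\n' "$snmp_source" "$SNMP_COMMUNITY" >> /etc/snmp/snmpd.conf
fi

# Drop the trailing 127.0.0.1 from SNMPDOPTS so snmpd listens on all interfaces.
# Expected result:
#   SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'
# The iptables policy loaded later in this guide must then limit udp/161 to the
# monitoring hosts.
sed -i.bak -e "s/^\(SNMPDOPTS=.*\) 127\.0\.0\.1'\$/\1'/" /etc/default/snmpd
grep '^SNMPDOPTS' /etc/default/snmpd

# Enable sysstat collection (ENABLED="false" -> "true").
sed -i -e 's/^ENABLED="false"/ENABLED="true"/g' /etc/default/sysstat

# Restart both services so the changes take effect.
/etc/init.d/snmpd restart
/etc/init.d/sysstat restart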
-
安全检查及审核
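# Rootkit / file-property check. rkhunter --propupd records the properties of
# the freshly built system as the trusted baseline; without it the first
# --check reports the whole install as changed. Run it only while the host is
# known clean (right after the build), then --check.
apt-get install rkhunter tree
rkhunter --propupd
rkhunter --check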
应用环境安装
apt包安装
# Base packages for the application stack: memcached, MySQL server and client
# headers, libcurl, and the Python 2.7 toolchain with its bindings.
pkgs=(
  memcached
  mysql-server
  libmysqlclient-dev
  libcurl4-gnutls-dev
  python2.7-dev
  python-pip
  python-imaging
  python-libxml2
  python-libxslt1
  python-memcache
  python-pycurl
  python-m2crypto
)
apt-get install "${pkgs[@]}"
python支持包
# Python dependencies via pip, after refreshing distribute.
# NOTE(review): nothing here is version-pinned, so every build pulls whatever is
# current on PyPI; a pinned requirements file makes builds reproducible and
# reviewable.
easy_install -U distribute
py_pkgs=(MySQL_python sqlalchemy simplejson pyamf blinker Twisted pycrypto tornado pyzmq txzmq)
mkdir -p /data/packages && cd /data/packages && pip install "${py_pkgs[@]}"
# zeromq must be compiled and installed first for these two to build:
pip install pyzmq txzmq
-
安装检查工具(可在后续步骤中用syschk.sh检查)
# Check the Python environment with the tools' checker script (syschk.sh can
# repeat this check in a later step).
tools_dir=/data/rsync/tools
"$tools_dir/scripts/pythonchk.py"
memcached自启动
# Disable memcached autostart: stop the running instance and set
# ENABLE_MEMCACHED=no in /etc/default/memcached.
/etc/init.d/memcached stop
sed -i -e 's/\(ENABLE_MEMCACHED=\).*$/\1no/g' -- /etc/default/memcached
应用环境部署
获取tools
# Fetch the tools tree into /data/rsync/tools (original note: upload tools to
# that directory).
# NOTE(review): svn:// is neither authenticated nor encrypted, and everything
# pulled here (iptables script, AppArmor profile, my.cnf) is later installed as
# root; prefer svn+ssh:// or https:// and check out a known revision.
tools_repo="svn://x.x.x.x/tools"
tools_dir="/data/rsync/tools"
svn co "$tools_repo" "$tools_dir"
配置iptables
# Stage the firewall policy scripts and load them. Keep a second, already
# authenticated session open while loading rules on a remote host, and make
# sure the sshd port (2222 in this guide) is admitted before "load".
pkgsDir="/data/rsync/tools"
cp -R "$pkgsDir/scripts/iptables" /root/
# Review the parameters (GMIP address etc.) before loading.
vi /root/iptables/set.iptables.sh.info
# Load the policy, then confirm the result with iptables -L -v -n.
/root/iptables/set.iptables.sh load

# Vietnam hosts (yuenan): same staging, but the .yue parameter file is used.
pkgsDir="/data/rsync/tools"
cp -R "$pkgsDir/scripts/iptables" /root/
cd /root/iptables/ \
  && cp set.iptables.sh.info.yue set.iptables.sh.info \
  && /root/iptables/set.iptables.sh load
建立工作目录
# Create the working directories with explicit mode/owner/group.
# Arguments: mode owner group directory
mkdir_owned() {
  install -m "$1" -o "$2" -g "$3" -d "$4"
}
# Web root: root-owned, reachable by www-data through group membership only.
mkdir_owned 750 root     www-data /data/www
mkdir_owned 750 root     dfbak    /bak/backups
# Log directories are owned by www-data so the applications can write to them.
mkdir_owned 755 www-data root     /var/log/game
# Platform and CEO gateway logs
mkdir_owned 755 www-data root     /var/log/passport
mkdir_owned 755 www-data root     /var/log/ceogw
配置mysqld服务
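# Install the site MySQL configuration: the local AppArmor profile (so mysqld
# may use /data/mysql), a datadir readable by mysql only, and the site my.cnf.
# Changes from the original: the paths are quoted, and the stock my.cnf is only
# moved aside when my.cnf.default does not exist yet, so a second run cannot
# overwrite the preserved default with the already replaced file. The chain
# still stops at the first failing step.
# NOTE(review): if my.cnf moves datadir to /data/mysql, the system tables must
# be initialised there before the restart — that step is not shown on this
# page; confirm. Likewise confirm that the MySQL root password / anonymous
# account cleanup is handled elsewhere.
# Vietnam hosts: set "default-time-zone = +7:00" in my.cnf.
pkgsDir="/data/rsync/tools"
usrsbinmysqld="$pkgsDir/conf/usr.sbin.mysqld.5.5.local"
mycnf="$pkgsDir/conf/my.cnf"
install -m 700 -o mysql -g mysql -d /data/mysql \
  && install -m 644 -o root -g root "$usrsbinmysqld" /etc/apparmor.d/local/usr.sbin.mysqld \
  && /etc/init.d/apparmor reload \
  && { [ -e /etc/mysql/my.cnf.default ] || mv /etc/mysql/my.cnf /etc/mysql/my.cnf.default; } \
  && install -m 644 -o root -g root "$mycnf" /etc/mysql/ \
  && /etc/init.d/mysql restart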
其它
-
配置备份
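# Snapshot the finished configuration (complete_*) for comparison with the
# pre-hardening snapshot (default_*).
# Runs in a subshell under set -e: a failed step (notably the cd) aborts the
# snapshot instead of letting the later cp calls scatter files into whatever
# the current directory happens to be, which the unconditional tail of the
# original &&-chain allowed. cp -p keeps owner/mode/mtime so the two
# snapshots can also be compared for permission changes.
(
  set -e
  bakdir="/bak/backups/confbak/complete_$(date +'%Y%m%d_%H%M%S')"
  mkdir -p "$bakdir"
  cd "$bakdir"
  dpkg -l > dpkg_list
  iptables -L -v -n > showiptables
  ls -la /etc/init.d > init.d_list.txt
  ls -la /etc/rc2.d > rc2.d_list.txt
  cp -Rp /etc/init.d/ .
  cp -Rp /etc/rc2.d/ .
  cp -p \
    /etc/network/interfaces \
    /etc/passwd \
    /etc/group \
    /etc/ssh/sshd_config \
    /etc/rc.local \
    /etc/sysctl.conf \
    /etc/security/limits.conf \
    /etc/securetty \
    /etc/profile \
    /etc/apt/sources.list \
    .
  printf 'config snapshot written to %s\n' "$bakdir"
)
#End
# Diff against the default snapshot taken before installation:
# cd /bak/backups/confbak/ && diff -r default_* complete_*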
-
执行检查脚本(访问控制、系统用户、启动服务端口、组件版本等)
# Run the post-build checks (access control, system users, listening services,
# component versions) and page through the report.
tools_dir=/data/rsync/tools
"$tools_dir/scripts/syschk.sh" | more
- 补丁更新、crontab核查
- 应用配置参数设置核查(mysql)
- 安全扫描
-
备份及异地备份部署
- nginx日志截断、压缩及过期日志删除
- mysql数据自动备份及过期备份包删除
- 异地备份抓取、性能状态采集
- Web日志分析设置
- 监控告警设置