Ubuntu-Server最佳方案24

第24章UbuntuServer系统安全24.1系统安全更新24.1.1订阅安全列表$sudoapt-getupdate&&apt-getupgrade24.1.2自动更新$sudonano/etc/apt/apt.conf.d/10periodicAPT::Periodic::Update-Package-Lists1;APT::Periodic::Download-Upgradeable-Packages1;APT::Periodic::AutocleanInterval0;APT::Periodic::Unattended-Upgrade1;$sudonano/etc/apt/apt.conf.d/50unattended-upgradesUnattended-Upgrade::Allowed-Origins{ubuntuhardy-security;};24.2控制台安全$sudonano/etc/event.d/control-alt-delete[...]#exec/sbin/shutdown-rnowControl-Alt-Deletepressed24.3用户、密码管理24.3.1关于root用户$sudopasswd[sudo]passwordforhiweed:--你当前用户的密码EnternewUNIXpassword:--root的密码最佳方案372RetypenewUNIXpassword:--再输入一遍root的密码passwd:passwordupdatedsuccessfully$sudopasswd-lrootPasswordchanged.24.3.3关于/etc/sudoers用户名主机名=[(目的用户)][NOPASSWD:]命令列表$mansudoers1．指定运行命令的身份hiweedubox=(operator)/bin/ls,/bin/kill,/usr/bin/lprm$sudo-uoperator/bin/lshiweedubox=(operator)/bin/ls,(root)/bin/kill,/usr/bin/lprmhiweedubox=(:dailer)/usr/bin/tip,/usr/bin/cu2．有密码/无密码hiweedubox=NOPASSWD:/bin/ls,/bin/kill,/usr/bin/lprmhiweedubox=NOPASSWD:/bin/ls,PASSWD:/bin/kill,/usr/bin/lprmhiweedubox=NOPASSWD:ALL第24章UbuntuServer系统安全37324.3.4密码策略1．密码长度设置$sudonano/etc/pam.d/common-passwordpasswordrequisitepam_unix.sonullokobscuremd5passwordrequisitepam_unix.sonullokobscuremd5min=82．密码有效期$sudochage-lhiweedLastpasswordchange:Mar14,2009Passwordexpires:neverPasswordinactive:neverAccountexpires:neverMinimumnumberofdaysbetweenpasswordchange:0Maximumnumberofdaysbetweenpasswordchange:99999Numberofdaysofwarningbeforepasswordexpires:7$sudochagehiweedChangingtheaginginformationforhiweedEnterthenewvalue,orpressENTERforthedefaultMinimumPasswordAge[0]:--最短有效期MaximumPasswordAge[99999]:--最长有效期LastPasswordChange(YYYY-MM-DD)[2009-03-14]:--密码最后修改日期PasswordExpirationWarning[7]:--密码过期提前警告期PasswordInactive[-1]:--过期后密码是否锁定AccountExpirationDate(YYYY-MM-DD)[1969-12-31]:--账号过期日$sudochage-M90-W14-I5hiweed$sudochage-E2010-12-31hiweed最佳方案37424.4ufw防火墙24.4.1启用、禁用ufw$sudoufwstatusFirewallnotloaded$sudoenableufwFirewallstartedandenabledonsystemstartup$sudoufwstatusFirewallloaded$sudoufwdisableFirewallstoppedanddisabledonsystemstartup要启用ufw日志，运行命令：$sudoufwloggingonLoggingenabled$sudoufwloggingoffLoggingdisabled24.4.2基本规则设置1．开放端口$sudoufwallow53$sudoufwallow53/tcp$sudoufwallow53/udp第24章UbuntuServer系统安全3752．关闭端口$sudoufwdeny53$sudoufwdeny53/tcp$sudoufwdeny53/udp3．以服务名代替端口号$sudoufwdenyssh$sudoufwallowssh$less/etc/services4．删除规则$sudoufwdeny53/udp$sudoufwdeletedeny53/udp24.4.3常用规则设置1．允许某个IP访问$sudoufwallowfrom10.10.100.1002．禁止某个IP访问$sudoufwdenyfrom10.10.100.1003．允许某个网段访问$sudoufwallowfrom10.10.100.0/244．禁止某个网段访问$sudoufwdenyfrom10.10.100.0/24最佳方案3765．允许某IP访问某个端口$sudoufwallowfrom192.168.1.4toanyport226．禁止某IP访问某个端口$sudoufwdenyfrom192.168.1.4toanyport227．禁止ping$sudonano/etc/ufw/before.rules-Aufw-before-input-picmp--icmp-typeecho-request-jACCEPT-Aufw-before-input-picmp--icmp-typeecho-request-jDROP$sudo/etc/init.d/ufwforce-reload*Stoppingfirewall:ufw...[OK]*Startingfirewall:ufw...[OK]24.4.4高级规则设置1．挡掉某个IP地址$sudoufwallow80$sudoufwdeny111.222.33.44$sudonano/etc/ufw/before.rules[...]#dropINVALIDpackets#uncommenttologINVALIDpackets#-Aufw-before-input-mconntrack--ctstateINVALID-jLOG--log-prefix[UFWBLOCKINVALID]:-Aufw-before-input-mconntrack--ctstateINVALID-jDROP#BlockIPs-Aufw-before-input-s111.222.33.44-jDROP[...]第24章UbuntuServer系统安全3772．控制子网中的个别主机（1）$sudoufwdenyfrom192.168.1.1toanyport22Ruleadded$sudoufwdenyfrom192.168.1.20toanyport22Ruleadded$sudoufwallowfrom192.168.1.0/24toanyport22Ruleadded$sudoufwstatusFirewallloadedToActionFrom------------22:tcpDENY192.168.1.122:udpDENY192.168.1.122:tcpDENY192.168.1.2022:udpDENY192.168.1.2022:tcpALLOW192.168.1.0/2422:udpALLOW192.168.1.0/243．控制子网中的个别主机（2）$sudoufwdeleteallowfrom192.168.1.0/24toanyport22Ruledeleted$sudoufwstatusFirewallloadedToActionFrom------------53:tcpALLOWAnywhere53:udpALLOWAnywhere22:tcpDENY192.168.1.122:udpDENY192.168.1.122:tcpDENY192.168.1.2022:udpDENY192.168.1.20$sudoufwdenyfrom192.168.1.9toanyport22Ruleadded$sudoufwallowfrom192.168.1.0/24toanyport22最佳方案378Ruleadded$sudoufwstatusFirewallloadedToActionFrom------------53:tcpALLOWAnywhere53:udpALLOWAnywhere22:tcpDENY192.168.1.122:udpDENY192.168.1.122:tcpDENY192.168.1.2022:udpDENY192.168.1.2022:tcpDENY192.168.1.922:udpDENY192.168.1.922:tcpALLOW192.168.1.0/2422:udpALLOW192.168.1.0/2424.4.5IP伪装1．启用包转发$sudonano/etc/default/ufwDEFAULT_FORWARD_POLICY=DROPDEFAULT_FORWARD_POLICY=ACCEPT$sudonano/etc/ufw/sysctl.confnet/ipv4/ip_forward=1net/ipv6/conf/default/forwarding=12．添加规则$sudonano/etc/ufw/before.rules#nat规则*nat:POSTROUTINGACCEPT[0:0]#将来自eth1的数据包转发给eth0第24章UbuntuServer系统安全379-APOSTROUTING-s192.168.0.0/24-oeth0-jMASQUERADE#不要删掉该COMMIT行，否则nat规则不会生效COMMIT$sudo/etc/init.d/ufwrestart*Stoppingfirewall:ufw...[OK]*Startingfirewall:ufw...[OK]最佳方案38024.5入侵检测24.5.1安装LAMP$sudoapt-getinstallmysql-serverlibapache2-mod-php5php5-mysqllibphp-adodb24.5.2安装、配置Snort1．安装Snort$sudoapt-getinstallsnort-mysqlSettingupsnort-mysql(2.7.0-14)...*StoppingNetworkIntrusionDetectionSystemsnort*Norunningsnortinstancefound*Star