
Linux Security Configuration Notes

2013-07-16 


SSH configuration

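Each substitution uses :%s so that it applies to every line of the file; the AuthorizedKeysFile substitution replaces the whole commented default line, so /dev/null is the only key file left.

vim /etc/ssh/sshd_config <<VIM > /dev/null 2>&1
:%s/#LoginGraceTime 2m/LoginGraceTime 2m/
:%s/#PermitRootLogin yes/PermitRootLogin no/
:%s/#MaxAuthTries 6/MaxAuthTries 3/
:%s$^#AuthorizedKeysFile.*$AuthorizedKeysFile /dev/null$
:%s/GSSAPIAuthentication yes/GSSAPIAuthentication no/
:%s/GSSAPICleanupCredentials yes/GSSAPICleanupCredentials no/
:wq
VIM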


Disable key-based (certificate) login: AuthorizedKeysFile /dev/null
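The vim substitutions above run with their output discarded, so a pattern that does not match leaves the file unchanged without any visible error. The following added example (not code from the original page) checks the global section of an sshd_config for the values the page sets; the function names audit_sshd_config and sample_config and the sample file contents are constructed for illustration.

```shell
# Added example, not from the original page. Assumptions: plain
# "Keyword value" lines, Include files not followed, values compared
# literally (so "LoginGraceTime 120" is reported although it equals 2m).
audit_sshd_config() {
    awk '
    BEGIN {
        names = "LoginGraceTime PermitRootLogin MaxAuthTries AuthorizedKeysFile"
        names = names " GSSAPIAuthentication GSSAPICleanupCredentials"
        n = split(names, name, " ")
        split("2m no 3 /dev/null no no", want, " ")  # values from the page
    }
    in_match || /^[ \t]*(#|$)/ { next }     # Match block, comment or blank
    tolower($1) == "match" { in_match = 1; next }  # global section ends
    {
        key = tolower($1)                   # keywords are case-insensitive
        if (key in seen) next               # sshd keeps the first value read
        val = $2
        for (i = 3; i <= NF; i++) val = val " " $i
        seen[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = tolower(name[i])
            if (!(k in seen)) {
                printf "MISSING %s (built-in default applies)\n", name[i]; bad++
            } else if (seen[k] != want[i]) {
                printf "FAIL %s = %s (want %s)\n", name[i], seen[k], want[i]; bad++
            }
        }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample: a file where the patterns did not match as intended.
sample_config() {
    cat <<'EOF'
LoginGraceTime 2m
PermitRootLogin yes
#MaxAuthTries 6
AuthorizedKeysFile /dev/null .ssh/authorized_keys
GSSAPIAuthentication no
GSSAPICleanupCredentials no
PermitRootLogin no
Match User backup
    MaxAuthTries 3
EOF
}
sample_config | audit_sshd_config || echo "sshd_config differs from the intended settings"
```

On a live host, pass the real file as an argument (audit_sshd_config /etc/ssh/sshd_config); sshd -T prints the configuration the daemon actually uses.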

http://netkiller.github.com/

Lock system accounts to prevent login

passwd -l bin
passwd -l daemon
passwd -l adm
passwd -l lp
passwd -l sync
passwd -l shutdown
passwd -l halt
passwd -l mail
passwd -l uucp
passwd -l operator
passwd -l games
passwd -l gopher
passwd -l ftp
passwd -l nobody
passwd -l vcsa
passwd -l saslauth
passwd -l postfix

Check which users can log in and which users have passwords


Example 55.1. /etc/pam.d/sshd

Example 55.2. /etc/pam.d/sshd - pam_listfile.so

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

sense=allow works as a whitelist; sense=deny works as a blacklist:

auth       required     pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail


Further reading: http://netkiller.github.com/
