网安等保-国产Linux操作系统银河麒麟KylinOS-V10SP3常规配置、系统优化与安全加固基线实践文档
<center>[ 点击 👉 关注「 全栈工程师修炼指南」公众号]
<p>设为「⭐️ <strong>星标</strong>」带你从<strong>基础入门</strong> 到 <strong>全栈实践</strong> 再到 <strong>放弃学习</strong>!<br>
涉及 <strong>网络安全运维、应用开发、物联网IOT、学习路径 、个人感悟</strong> 等知识分享。</p>
<p>希望各位看友多多支持【关注、点赞、评论、收藏、投币】,助力每一个梦想。</p>
</center>
<p>【<strong>WeiyiGeek Blog's - 花开堪折直须折,莫待无花空折枝</strong> 】<br>
作者主页: 【 https://weiyigeek.top 】<br>
博客地址: 【 https://blog.weiyigeek.top 】<br>
作者答疑学习交流群:欢迎各位志同道合的朋友一起学习交流【点击 👉 加入交流群】, 或者关注公众号回复【学习交流群】。</p>
<hr>
<p></p><div class="toc"><div class="toc-container-header">目录</div><ul><li>0x00 前言简述</li><li>0x01 常规配置<ul><li>1.主机IP地址与网关设置</li><li>2.主机DNS配置</li><li>3.镜像源配置</li><li>4.常规运维工具安装及系统升级</li><li>5.系统时间时区同步配置</li></ul></li><li>0x02 系统优化<ul><li>1.创建swap系统分区配置</li><li>2.系统资源句柄数优化配置</li><li>3.系统常规内核参数优化配置</li><li>4.系统服务优化配置</li></ul></li><li>0x03 安全加固<ul><li>1.远程登录主机提示信息</li><li>2.远程登录主机系统信息</li></ul></li></ul></div><p></p>
<ul>
<li>3.远程登录sshd服务安全策略配置</li>
<li>4.系统账户安全策略配置</li>
<li>5.系统账户密码更改及过期策略配置</li>
<li>6.系统用户密码复杂性策略配置</li>
<li>7.系统用户登录失败策略配置</li>
<li>8.系统用户su/sudo权限策略配置</li>
<li>8.系统文件权限策略配置</li>
<li>9.系统grub引导安全策略配置</li>
<li>10.系统用户历史命令记录策略配置</li>
<li>11.系统安全日志事件记录策略配置</li>
<li>12.系统审计规则安全策略配置</li>
<li>13.配置禁用系统非必须别名策略</li>
<li>14.配置禁用桌面系统策略</li>
<li>15.配置禁用Ctrl+Alt+Del重启系统</li>
<li>16.配置rm删除回收站策略</li>
<li>17.配置清除临时文件策略</li>
<li>18.配置系统防火墙策略</li>
<li>19.配置重启服务器策略</li>
</ul>
<hr>
<h2 id="0x00-前言简述">0x00 前言简述</h2>
<p>描述: 随着国家要求各政府部门及事企业单位服务器系统国产化,越来越多的的企业单位逐步引进国产化Linux操作系统(<code>大趋势</code>),在众多国产操作系统中<code>银河麒麟(KylinOS)、中科方德、统信UOS</code>,此三家持续版本迭代超15年的其生态市场及占有率最高, 除此之外红旗Linux、共创Linux、凝思磐石、新支点、深度Linux、Start OS、思普操作系统、云针OS、鸿蒙OS、YunOS、OpenCloudOS等国产操作系统。</p>
<p><img src="https://img2023.cnblogs.com/blog/2176087/202304/2176087-20230428103102799-954551451.jpg" alt="" loading="lazy"></p>
<p>此处由于我们企业中是试用的银河麒麟(KylinOS)V10 SP3 版本的国产系统,为了试用该系统是否可以承载现有业务,以及满足网络安全等保2.0主机安全配置要求,遂针对该系统进行安全加固及常规初始化操作,设置安全基线镜像,以保证基础业务运行环境安全。</p>
<p>这里作者就不在针对银河麒麟(KylinOS)的国产系统进行详细介绍与下载安装讲解,有兴趣的朋友可以参照【<strong>1.国产银河麒麟V10服务器操作系统基础知识与安装实践</strong>】( https://blog.weiyigeek.top/2023/3-21-725.html ) 此文。</p>
<p>好的废话不多说,此处我将其分为三个章节,第一个章节是初始化运维常规配置,第二个章节是系统内核优化,第三个章节安全加固,此处我已经将其写成shell脚本可以直接运行加固大大的节省了我们运维人的时间,最后我会将安全加固shell脚本(<strong>部分适用于CentOS7操作系统</strong>)放在文章末尾, 以供各位看友使用实践参考,若有错误欢迎在【<strong>全栈工程师修炼指南</strong>】公众号留言。</p>
<p>若需观看视频实践演示,请在【<code>全栈工程师修炼指南</code>】公众号中回复【<code>kylinos安全加固</code>】或【<code>10002</code>】关键字获得脚本下载链接。</p>
<p>温馨提示: 在进行操作时请注意备份操作文件,以便于异常时及时回退。</p>
<p>温馨提示: <strong>此处为了防止伸手党,以及尊重作者编写脚本及实践成果,象征性的设置为收费文章,希望大家理解支持!</strong></p>
<p>首发地址: https://mp.weixin.qq.com/s/eBF_Q-WkiZHKGdEG1MODNQ</p>
<hr>
<h2 id="0x01-常规配置">0x01 常规配置</h2>
<h3 id="1主机ip地址与网关设置">1.主机IP地址与网关设置</h3>
<p>描述: 一台新安装的主机必须配置IP地址才能方便我们通过远程连接,所以第一步肯定是把网络打通,主要根据配置的IP地址与网络地址环境变量进行对应设置,例如下述部分脚本片段。</p>
<pre><code class="language-bash"># Modify the IP/MASK and Gateway
VAR_NETINTERFACE=ens192
VAR_IP=192.168.4.201/24
VAR_GATEWAY=192.168.4.1
if [ ! -f /opt/init/ ];then
mkdir -vp /opt/init/
sudo tee /opt/init/network.sh <<'EOF'
#!/bin/bash
# @Author: WeiyiGeek
# @Description: Configure KylinOS / CentOS Linux Server Network
# @E-mail: master@weiyigeek.top
# @Blog: https://www.weiyigeek.top
if [[ $# -lt 4 ]];then
echo "Usage: $0 NetInterface IP/NETMASK GATEWAY DNS"
echo "Example: $0 ens192 192.168.12.12/24 192.168.12.1 223.6.6.6"
echo "@Author: WeiyiGeek"
echo "@Blog: https://blog.weiyigeek.top"
exit
fi
echo "Setting Network interface card: ${1}, IP: ${2} , GATEWAY: ${3}"
CURRENT_IP=$(hostname -I | cut -f 1 -d " ")
CURRENT_GATEWAY=$(hostname -I | cut -f 1,2,3,4 -d ".")
CURRENT_FILE=/etc/sysconfig/network-scripts/ifcfg-${1}
CONFIG_IP=${2%%/*}
CONFIG_PREFIX=${2##*/}
echo "Original Network info: IP: ${CURRENT_IP} , GATEWAY: ${CURRENT_GATEWAY}"
echo "Setting Network interface card: ${1}, IP/NETMASK: ${2} , GATEWAY: ${3}, DNS: ${4}"
if [[ -f ${CURRENT_FILE} ]];then
# 已存在网卡配置文件的情况下
egrep -q "^\s*ONBOOT=.*$" ${CURRENT_FILE} && sed -ri "s/^\s*ONBOOT=.*$/ONBOOT=yes/" ${CURRENT_FILE}|| echo "ONBOOT=yes" >> ${CURRENT_FILE}
egrep -q "^\s*BOOTPROTO=.*$" ${CURRENT_FILE} && sed -ri "s/^\s*BOOTPROTO=.*$/BOOTPROTO=static/" ${CURRENT_FILE}|| echo "BOOTPROTO=static" >> ${CURRENT_FILE}
egrep -q "^\s*IPADDR=.*$" ${CURRENT_FILE} && sed -ri "s/^\s*IPADDR=.*$/IPADDR=${CONFIG_IP}/" ${CURRENT_FILE}|| echo "IPADDR=${CONFIG_IP}" >> ${CURRENT_FILE}
egrep -q "^\s*PREFIX=.*$" ${CURRENT_FILE} && sed -ri "s/^\s*PREFIX=.*$/PREFIX=${CONFIG_PREFIX}/" ${CURRENT_FILE}|| echo "PREFIX=${CONFIG_PREFIX}" >> ${CURRENT_FILE}
egrep -q "^\s*GATEWAY=.*$" ${CURRENT_FILE} && sed -ri "s/^\s*GATEWAY=.*$/GATEWAY=${3}/" ${CURRENT_FILE}|| echo "GATEWAY=${3}" >> ${CURRENT_FILE}
egrep -q "^\s*DNS1=.*$" ${CURRENT_FILE} && sed -ri "s/^\s*DNS1=.*$/DNS1=${4}/" ${CURRENT_FILE}|| echo "DNS1=${4}" >> ${CURRENT_FILE}
else
nmcli dev show ${1}
nmcli conn add connection.id ${1}-staic connection.interface-name ${1} connection.autoconnect yes type Ethernet ifname ${1} ipv4.method manual ipv4.address ${2} ipv4.gateway ${3} ipv4.dns ${4} ipv4.ignore-auto-dns true
fi
sudo nmcli c reload
read -t 5 -p "Heavy load network card, It is recommended to enter N during initialization (Y/N): " VERTIFY
if [[ ${VERIFY:="N"} == "Y" || ${VERIFY:="N"} == "y" ]]; then
sudo nmcli c up ${1}
sudo nmcli d reapply ${1}
else
echo "Please reload the network card manually, run sudo nmcli d reapply ${1}."
fi
EOF
# 权限赋予
sudo chmod +x /opt/init/network.sh
/opt/init/network.sh ${VAR_NETINTERFACE} ${VAR_IP} ${VAR_GATEWAY} ${VAR_DNS_SERVER}
</code></pre>
<br>
<h3 id="2主机dns配置">2.主机DNS配置</h3>
<p>描述: 完成IP地址的配置后,我便需要为主机配置私有DNS或者公共的DNS,以便可以解析外部域名。</p>
<pre><code class="language-bash"># ShowScript Execute result (Y/N)
VAR_VERIFY_RESULT=Y
# Modify the DNS server
# DNSPod: 119.29.29.29 Alidns: 223.5.5.5 223.6.6.6
# Google: 8.8.8.8 8.8.4.4 Cloudflare: 1.1.1.1 1.0.0.1
# Baidu: 114.114.114.114
# Internal : Your intranet domain name resolution server
VAR_DNS_SERVER=( "223.5.5.5" "114.114.114.114""192.168.4.254")
local flag
# 此处配置的是百度IPV4 DNS与阿里云IPV6 DNS
sed -i -e "s/^#FallbackDNS=.*/FallbackDNS=114.114.114.114 2400:3200::1 2400:3200:baba::1/" -e "s/^#DNSSEC=.*/DNSSEC=allow-downgrade/" -e "s/^#DNSOverTLS=.*/DNSOverTLS=opportunistic/" /etc/systemd/resolved.conf
for dns in ${VAR_DNS_SERVER[@]};do
grep -q "${dns}" /etc/systemd/resolved.conf
if [ $? != 0 ];then
echo "nameserver ${dns}"
sed -i "/#DNS=/i DNS=${dns}" /etc/systemd/resolved.conf;
fi
done
systemctl restart systemd-resolved && systemctl enable systemd-resolved
find /etc/resolv.conf -delete
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf
if [[ ${VERIFY:="N"} == "Y" || ${VERIFY:="N"} == "y" ]]; then
grep -Ev '^#|^$' /etc/resolv.conf | uniq
echo
grep -Ev '^#|^$' /etc/systemd/resolved.conf | uniq
fi
</code></pre>
<br>
<h3 id="3镜像源配置">3.镜像源配置</h3>
<p>描述: 使用国外的操作系统,例如<code>CentOS、Ubuntu、Debian、Alpine</code>等操作系统,通常为了加快Linux系统中下载安装软件的速度,我们是需要配置软件镜像源,此处由于我们是国产操作系统,其软件更新源也肯定是在国内,所以通常无需调整。</p>
<p>但此处为了防止小伙伴们更改过该镜像源,我也将各发行版镜像源配置罗列出来。</p>
<pre><code class="language-bash"> local release
cp /etc/yum.repos.d/kylin_x86_64.repo ${BACKUPDIR}
# 1.根据主机发行版设置
# (Tercel) 版本是 麒麟 V10 SP1 版本,
# (Sword)版本是 麒麟 V10 SP2 版本,
# (Lance)版本是 麒麟 V10 SP3 版本,
release=$(grep -e "^VERSION=" /etc/os-release | cut -f 2 -d "=" | tr -d '[:punct:][:space:]')
if [ ${release} == "V10Lance" ];then
sudo tee /etc/yum.repos.d/kylin_x86_64.repo <<'EOF'
### Kylin Linux Advanced Server 10 (SP3) - os repo ###
name = Kylin Linux Advanced Server 10 - Os
baseurl = https://update.cs2c.com.cn/NS/V10/V10SP3/os/adv/lic/base/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1
name = Kylin Linux Advanced Server 10 - Updates
baseurl = https://update.cs2c.com.cn/NS/V10/V10SP3/os/adv/lic/updates/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1
name = Kylin Linux Advanced Server 10 - Addons
baseurl = https://update.cs2c.com.cn/NS/V10/V10SP3/os/adv/lic/addons/$basearch/
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 0
EOF
# echo "7" > /etc/yum/vars/centos_version
# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
elif [ ${release} == "V10Sword" ];then
echo "暂未使用麒麟 V10 Sword SP2 版本,请自行百度搜索,镜像源!"
elif [ ${release} == "V10Tercel" ];then
echo "暂未使用麒麟 V10 Tercel SP1 版本,请自行百度搜索,镜像源!"
else
echo "暂未使用麒麟除 V10 以外的系统版本,请自行百度搜索,镜像源!"
fi
sudo yum clean all -y && sudo yum makecache
read -t ${VAR_VERIFY_TIMEOUT} -p "Please input, Perform system software update and upgrade. (Y/N) : " VERIFY
if [[ ${VERIFY:="N"} == "Y" || ${VERIFY:="N"} == "y" ]]; then
sudo yum update -y && sudo yum upgrade -y
fi
</code></pre>
<p>PS: 虽然银河麒麟(KylinOS)V10 SP3 系统中可以使用CentOS7的镜像源,但是并不建议这样否则在镜像软件更新安装时,将会出现莫名错误。</p>
<br>
<h3 id="4常规运维工具安装及系统升级">4.常规运维工具安装及系统升级</h3>
<p>描述: 完成软件镜像源配置后我们便可进行系统更新以及,常规的运维工具安装了。</p>
<pre><code class="language-bash"># 1.系统更新
echo "[-] 系统软件源更新."
sudo yum update && sudo yum upgrade -y && dnf repolist
# 2.安装系统所需的常规软件
echo "[-] 安装系统所需的常规软件."
sudo dnf install -y gcc make
sudo dnf install -y nano vim git unzip unrar ftp wget ntpdate dos2unix net-tools tree htop sysstat psmisc bash-completion jq rpcbind dialog nfs-utils
# 补充:代理方式进行更新
# echo "proxy=http://127.0.0.1:8080/" >> /etc/yum.conf
# sudo yum clean all -y && sudo yum update -y && sudo yum upgrade -y
# sudo yum install -y 软件包
</code></pre>
<br>
<h3 id="5系统时间时区同步配置">5.系统时间时区同步配置</h3>
<p>描述: 更新系统及对应工具后,我们需要针对系统时间时区做同步配置,此步骤非常重要往往会影响应用程序时间,建议在服务器中必须进行配置。</p>
<pre><code class="language-bash"># ShowScript Execute result (Y/N)
VAR_VERIFY_RESULT=Y
# Modify the NTP server
# PS: "192.168.4.254" 为内部NTP服务器,若需要搭建NTP服务器请参考,此篇文章: https://blog.weiyigeek.top/2020/1-29-112.html
VAR_NTP_SERVER=( "ntp.aliyun.com" "ntp.tencent.com""192.168.10.254")
# 安装配置 chrony 时间同步服务器
# 方式1.安装 Chrony 客户端配置
if [[ $(rpm -qa | grep -c "chrony") -eq 0 ]];then
dnf install -y chrony
fi
cp /etc/chrony.conf ${BACKUPDIR}
grep -E -q "^server" /etc/chrony.conf | sed -i 's/^server/# server/g' /etc/chrony.conf
grep -E -q "^pool" /etc/chrony.conf | sed -i 's/^pool/# pool/g' /etc/chrony.conf
for ntp in ${VAR_NTP_SERVER[@]};do
echo "ntp server => ${ntp}"
if [[ ${ntp} =~ "ntp" ]];then
echo "pool ${ntp} iburst maxsources 4" >> /etc/chrony.conf;
else
echo "pool ${ntp} iburst maxsources 1" >> /etc/chrony.conf;
fi
done
systemctl enable chronyd.service && systemctl restart chronyd.service
# chrony.conf 配置示例
# sudo tee /etc/chrony.conf <<'EOF'
# confdir /etc/conf.d
# server ntp.aliyun.com iburst maxsources 4
# server ntp.tencent.com iburst maxsources 4
# pool 192.168.10.254 iburst maxsources 1
# pool 192.168.12.254 iburst maxsources 2
# pool 192.168.4.254 iburst maxsources 3
# sourcedir /run/chrony-dhcp
# sourcedir /etc/sources.d
# keyfile /etc/chrony.keys
# driftfile /var/lib/chrony/chrony.drift
# ntsdumpdir /var/lib/chrony
# logdir /var/log/chrony
# maxupdateskew 100.0
# rtcsync
# makestep 1 3
# leapsectz right/UTC
# EOF
# 方式2.使用 ntpdate 工具定时同步
# sudo ntpdate 192.168.10.254 || sudo ntpdate 192.168.12.254 || sudo ntpdate ntp1.aliyun.com
# 方式3.使用系统 systemd-timesyncd
# echo 'NTP=192.168.10.254 192.168.4.254' >> /etc/systemd/timesyncd.conf
# echo 'FallbackNTP=ntp.aliyun.com' >> /etc/systemd/timesyncd.conf
# systemctl restart systemd-timesyncd.service
if [[ ${VAR_VERIFY_RESULT} == "Y" ]];then systemctl status chronyd.service -l --no-pager;fi
</code></pre>
<p>主机时间同步校准与时区设置</p>
<pre><code class="language-bash"># Modify the timezone
VAR_TIMEZONE=Asia/Shanghai
# 1.时区设置
sudo timedatectl set-timezone ${VAR_TIMEZONE}
# sudo dpkg-reconfigure tzdata# 修改确认
# sudo bash -c "echo 'Asia/Shanghai' > /etc/timezone" # 与上一条命令一样
# 2.将当前的 UTC 时间写入硬件时钟 (硬件时间默认为UTC)
sudo timedatectl set-local-rtc 0
# 3.启用NTP时间同步:
sudo timedatectl set-ntp yes
# 4.校准时间服务器-时间同步(推荐使用chronyc进行平滑同步)
sudo chronyc tracking
# 5.手动校准-强制更新时间
# chronyc -a makestep
# 6.系统时钟同步硬件时钟
# sudo hwclock --systohc
sudo hwclock -w
echo "设置时间同步与时区后: $(date)"
# 7.重启依赖于系统时间的服务
sudo systemctl restart rsyslog.service crond.service
</code></pre>
<p>脚本执行效果:</p>
<p><img src="https://img.weiyigeek.top/2023/1/20230427153210.png" alt="WeiyiGeek.主机时间同步校准与时区设图" loading="lazy"></p>
<hr>
<h2 id="0x02-系统优化">0x02 系统优化</h2>
<h3 id="1创建swap系统分区配置">1.创建swap系统分区配置</h3>
<p>描述: 当服务器系统内存过小时,我们可以划分一块磁盘空间作为swap交换分区以补充内存过小,无法运行某些程序,通常情况下会出现在VPS上,针对于企业中的服务器基本都是在64G以上,请根据业务需求划分,我们由于使用了K8S云原生通常情况下需要禁用SWAP交换分区,不过此处作者还是将方法其罗列出来以供需要的朋友使用。</p>
<pre><code class="language-bash"># ShowScript Execute result (Y/N)
VAR_VERIFY_RESULT=Y
# Modify Script vertify timeout (unit s)
VAR_VERIFY_TIMEOUT=8
echo "[${COUNT}] Create system swap partition."
read -t ${VAR_VERIFY_TIMEOUT} -p "Please input, Create swap partition. (Y/N) : " VERIFY
if [[ ${VERIFY:="N"} == "Y" || ${VERIFY:="N"} == "y" ]]; then
# 1.验证当前内存大小
MEM=$(free -m | awk '/Mem:/{print $2}')
if [ "$MEM" -le 1280 ]; then
MEM_LEVEL=1G
elif [ "$MEM" -gt 1280 ] && [ "$MEM" -le 2500 ]; then
MEM_LEVEL=2G
elif [ "$MEM" -gt 2500 ] && [ "$MEM" -le 3500 ]; then
MEM_LEVEL=3G
elif [ "$MEM" -gt 3500 ] && [ "$MEM" -le 4500 ]; then
MEM_LEVEL=4G
elif [ "$MEM" -gt 4500 ] && [ "$MEM" -le8000 ]; then
MEM_LEVEL=6G
elif [ "$MEM" -gt 8000 ]; then
MEM_LEVEL=8G
fi
# 2.根据内存大小划分对应的swap分区并自动挂载
if [ "$(free -m | awk '/Swap:/{print $2}')" == '0' ]; then
fallocate -l "${MEM_LEVEL}" /swapfile
chmod 600 /swapfile
mkswap /swapfile >/dev/null 2>&1
swapon /swapfile
sed -i "/swap/d" /etc/fstab
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
fi
# 3.swap分区内核参数调整
egrep -q "^\s*vm.swappiness.*$" /etc/sysctl.conf && sed -ri "s/^\s*vm.swappiness.*$/vm.swappiness = 10/" /etc/sysctl.conf || echo "vm.swappiness = 10" >> /etc/sysctl.conf
egrep -q "^\s*vm.vfs_cache_pressure.*$" /etc/sysctl.conf && sed -ri "s/^\s*vm.vfs_cache_pressure.*$/vm.vfs_cache_pressure = 501/" /etc/sysctl.conf || echo "vm.vfs_cache_pressure = 50" >> /etc/sysctl.conf
sysctl -p >/dev/null 2>&1
if [[ $VAR_VERIFY_RESULT == "Y" ]]; then
swapon --show
echo .
free -h
echo .
grep -Ev '^#|^$' /etc/fstab | uniq
fi
fi
</code></pre>
<br>
<h3 id="2系统资源句柄数优化配置">2.系统资源句柄数优化配置</h3>
<p>描述: 为了提高系统的高并发以及防止程序报 Too many open file 错误,通常需要针对系统资源句柄数进行优化配置。</p>
<pre><code class="language-bash">echo "[-] Linux 系统的最大进程数和最大文件打开数限制."
cp -a /etc/security/limits.conf ${BACKUPDIR}
egrep -q "^\s*ulimit -HSn\s+\w+.*$" /etc/profile && sed -ri "s/^\s*ulimit -HSn\s+\w+.*$/ulimit -HSn 655350/" /etc/profile || echo "ulimit -HSn 655350" >> /etc/profile
egrep -q "^\s*ulimit -HSu\s+\w+.*$" /etc/profile && sed -ri "s/^\s*ulimit -HSu\s+\w+.*$/ulimit -HSu 655350/" /etc/profile || echo "ulimit -HSu 655350" >> /etc/profile
if ! grep -qi "# OS Resources Limits Config" /etc/security/limits.conf; then
sed -i 's/^# End of file*//' /etc/security/limits.conf
{
echo '# OS Resources Limits Config'
echo '* soft nofile 655350'
echo '* hard nofile 655350'
echo '* soft nprocunlimited'
echo '* hard nprocunlimited'
echo '* soft core unlimited'
echo '* hard core unlimited'
echo '# End of file'
} >> /etc/security/limits.conf
fi
if [[ $VAR_VERIFY_RESULT == "Y" ]]; then grep -Ev '^#|^$' /etc/security/limits.conf | uniq;fi
</code></pre>
<br>
<h3 id="3系统常规内核参数优化配置">3.系统常规内核参数优化配置</h3>
<p>描述: 服务器内核参数的优化有助于系统以及应用程序提供更好的性能,但是通常需要针对应用程序特点以及应用场景进行相应配置,下述只是常规配置有侧重点的朋友们,可根据实际情况进行调整。</p>
<pre><code class="language-bash"># ShowScript Execute result (Y/N)
VAR_VERIFY_RESULT=Y
# Modify Script vertify timeout (unit s)
VAR_VERIFY_TIMEOUT=8
# 1.系统内核参数的配置文件/etc/sysctl.conf
echo "[-] 系统内核参数的优化配置 /etc/sysctl.conf"
# 启用IPV4数据包转发(业务需要)
egrep -q "^(#)?net.ipv4.ip_forward.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv4.ip_forward.*|net.ipv4.ip_forward = 1|g"/etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# egrep -q "^(#)?net.bridge.bridge-nf-call-ip6tables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-ip6tables.*|net.bridge.bridge-nf-call-ip6tables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
# egrep -q "^(#)?net.bridge.bridge-nf-call-iptables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-iptables.*|net.bridge.bridge-nf-call-iptables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.all.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.all.disable_ipv6.*|net.ipv6.conf.all.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.default.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.default.disable_ipv6.*|net.ipv6.conf.default.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.lo.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.lo.disable_ipv6.*|net.ipv6.conf.lo.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.all.forwarding.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.all.forwarding = 1">> /etc/sysctl.conf
# 2.系统内核参数扩展优化配置
if ! grep -qi "# OS Resources Limits Config" /etc/sysctl.conf; then
tee -a /etc/sysctl.conf <<'EOF'
# Configuration of system kernel parameters
# 禁止 icmp 重定向报文
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# 忽略 icmp echo 请求广播
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 禁止 icmp 源路由
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 禁止发送重定向 (若非必须建议设置 0)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 禁止对主机进行 IP 伪装
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 限制一个进程可以拥有的VMA(虚拟内存区域)的数量
vm.max_map_count = 262144
# 设置内存分配策略,使用0表示内核将检查是否有足够的可用内存。
vm.overcommit_memory = 0
# 调整提升服务器负载能力之外,还能够防御小流量的Dos、CC和SYN攻击
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fastopen = 3
# 优化TCP的可使用端口范围及提升服务器并发能力(注意一般流量小的服务器上没必要设置如下参数)
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 16384
net.ipv4.ip_local_port_range = 1024 65535
# 优化核套接字TCP的缓存区
net.core.netdev_max_backlog = 8192
net.core.somaxconn = 32768
net.core.rmem_max = 12582912
net.core.rmem_default = 6291456
net.core.wmem_max = 12582912
net.core.wmem_default = 6291456
# 内存缓存IO优化
vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
EOF
fi
if [[ ${VAR_VERIFY_RESULT} == "Y" ]];then sysctl -p;fi
</code></pre>
<br>
<h3 id="4系统服务优化配置">4.系统服务优化配置</h3>
<p>描述: 针对我们新安装的KylinOS服务器中往往存在许多非必须服务,此处我们可以根据需求禁用相关服务。</p>
<pre><code class="language-bash"># 1.用于关闭与禁用某些服务端口
echo "[-] 用于关闭与禁用某些服务端口。."
local VAR_APP_SERVICE VAR_SYSTEM_SERVICE
VAR_APP_SERVICE="telnet.socket printer sendmail nfs kshell lpd tftp ident time ntalk bootps klogin ypbind daytime nfslock echo discard chargen debug-shell.service"
VAR_SYSTEM_SERVICE="chargen-dgram daytime-stream echo-streamklogin tcpmux-server chargen-stream discard-dgram eklogin krb5-telnet tftp cvs discard-stream ekrb5-telnet kshell time-dgram daytime-dgram echo-dgram gssftp rsync time-stream"
for i in ${VAR_APP_SERVICE};do
echo "Status and Disable APP ${i} Service!"
# systemctl status ${i}
systemctl stop ${i};systemctl disable ${i};
done
for i in ${VAR_SYSTEM_SERVICE};do
echo "Status and Disable System ${i} Service!"
# systemctl status ${i}
systemctl stop ${i};systemctl disable ${i};
done
# 2.禁用烦人的apport错误报告
if [ -f /etc/default/apport ]; then
cp /etc/default/apport ${BACKUPDIR}
sed -i 's/enabled=.*/enabled=0/' /etc/default/apport
systemctl stop apport.service
systemctl disable apport.service
systemctl mask apport.service >/dev/null 2>&1
fi
read -t ${VAR_VERIFY_TIMEOUT} -p "Please input, is service verificating (Y/N) : " VERIFY
if [[ ${VERIFY:="N"} == "Y" || ${VERIFY:="N"} == "y" ]]; then
systemctl status apport.service --no-pager
else
log::success "[${COUNT}] This operation is completed!"
fi
# 3.非云的环境下禁用或者卸载多余的cloud-init软件及其服务
sudo systemctl stop cloud-init.target cloud-init.service cloud-config.service cloud-init-local.service cloud-final.service
sudo systemctl disable cloud-init.target cloud-init.service cloud-config.service cloud-init-local.service cloud-final.service
sudo systemctl mask cloud-init.service cloud-config.service cloud-init-local.service cloud-final.service >/dev/null 2>&1
# 禁用 Ubuntu 中的 cloud-init, 在 /etc/cloud 目录下创建 cloud-init.disable 文件(重启后生效)
if [ ! -f /etc/cloud/cloud-init.disable ];then sudo touch /etc/cloud/cloud-init.disable;fi
read -t ${VAR_VERIFY_TIMEOUT} -p "Please input, is Remove cloud-init related files and their directories (Y/N) : " VERIFY
if [[ ${VERIFY:="N"} == "Y" || ${VERIFY:="N"} == "y" ]]; then
sudo apt purge cloud-init -y
sudo rm -rf /etc/cloud && sudo rm -rf /var/lib/cloud/
fi
sudo systemctl daemon-reload
# 4.在系统启动时禁用debug-shell服务
systemctl stop debug-shell.service
systemctl mask debug-shell.service >/dev/null 2>&1
if [[ $VAR_VERIFY_RESULT == "Y" ]]; then
systemctl status debug-shell.service --no-pager
fi
</code></pre>
<hr>
<h2 id="0x03-安全加固">0x03 安全加固</h2>
<h3 id="1远程登录主机提示信息">1.远程登录主机提示信息</h3>
<p>描述: 配置提示信息可以提示运维人员以及恶意人员,在非权限授权时禁止访问。</p>
<pre><code class="language-bash"># 1.设置SSH登录前警告Banner提示
egrep -q "^\s*(banner|Banner)\s+\W+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*(banner|Banner)\s+\W+.*$/Banner \/etc\/issue.net/" /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
sudo tee /etc/issue <<'EOF'
************************* [ 安全登陆 (Security Login) ] ************************
Authorized users only. All activity will be monitored and reported.By WeiyiGeek Security Center.
Author: WeiyiGeek
blog: https://blog.weiyigeek.top
EOF
sudo tee /etc/issue.net <<'EOF'
************************* [ 安全登陆 (Security Login) ] *************************
Authorized users only. All activity will be monitored and reported.By WeiyiGeek Security Center.
Author: WeiyiGeek
blog: https://blog.weiyigeek.top
EOF
# 2.本地控制台与SSH登录后提示自定义提示信息
tee /etc/motd <<'EOF'
Welcome to KylinOS Private Cloud Computer Service!
If the server is abnormal, please add WX weiyigeeker (WeiyiGeek-Security-Center)
_ooOoo_
o8888888o
88" . "88
(| -_- |)
O\=/O
____/`---'\____
.'\\| |//`.
/\\|||:|||//\
/_||||| -:- |||||-\
| | \\\-/// | |
| \_|''\---/''| |
\.-\__`-`___/-. /
___`. .'/--.--\`. . __
."" '<`.___\_<|>_/___.'>'"".
| | :`- \`.;`\ _ /`;.`/ - ` : | |
\\ `-. \_ __\ /__ _/ .-` //
======`-.____`-.___\_____/___.-`____.-'======
`=---='
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
佛祖保佑 永不死机
心外无法 法外无心
EOF
</code></pre>
<p>脚本执行效果:</p>
<p><img src="https://img.weiyigeek.top/2023/1/20230427153316.png" alt="WeiyiGeek.本地控制台与SSH登录后提示自定义提示信息图" loading="lazy"></p>
<br>
<h3 id="2远程登录主机系统信息">2.远程登录主机系统信息</h3>
<p>描述: 在登录到系统后及时的显示服务器系统相关信息,包括但不限于系统资源信息、登录时间、失败信息,以及各分区磁盘使用率。</p>
<p><img src="https://img.weiyigeek.top/2023/1/20230427153351.png" alt="WeiyiGeek.主机资源信息图" loading="lazy"></p>
<p>后续完整文章请访问获取,https://mp.weixin.qq.com/s/eBF_Q-WkiZHKGdEG1MODNQ</p>
<p>温馨提示: <strong>此处为了防止伸手党,以及尊重作者编写脚本及实践成果,象征性的设置为收费文章,希望大家理解支持!</strong></p>
<p>后续作者也会更新 CentOS 安全加固的脚本及其实践视频。</p>
<hr>
<p><strong>原文地址</strong>: https://blog.weiyigeek.top/2023/4-25-734.html</p>
<p>本文至此完毕,更多技术文章,尽情期待下一章节!</p>
<hr>
<center>
<p>专栏书写不易,如果您觉得这个专栏还不错的,请给这篇专栏 <strong>【点个赞、投个币、收个藏、关个注,转个发,留个言】(人间六大情)</strong>,这将对我的肯定,谢谢!。</p>
<p> 点击 👉 关注「 全栈工程师修炼指南」公众号 <br>
微信沟通交流: weiyigeeker (点击添加)<br>
交流沟通群:629184198 或 关注公众号回复【学习交流群】</p>
<p>温馨提示: 由于作者水平有限,本章错漏缺点在所难免,希望读者批评指正,并请在文章末尾留下您宝贵的经验知识,联系邮箱地址 master@weiyigeek.top 或者关注公众号 <strong>WeiyiGeek</strong> 联系我。</p>
<p><img src="https://img2022.cnblogs.com/blog/2176087/202207/2176087-20220725152944616-1919009969.jpg" alt="帅哥(靓仔)、美女,点个关注后续不迷路" loading="lazy"></p>
</center>
</div>
<div id="MySignature" role="contentinfo">
<hr>
<div align="center">
<p>本文来自博客园,作者:全栈工程师修炼指南,转载请注明原文链接:https://www.cnblogs.com/WeiyiGeek/p/17361163.html。
<br/> 欢迎关注博主【WeiyiGeek】公众号以及【极客全栈修炼】小程序
<br/> <br/>
<img src="https://images.cnblogs.com/cnblogs_com/WeiyiGeek/2162774/o_230217074101_%E8%87%AA%E5%AA%92%E4%BD%93%E7%9F%A9%E9%98%B5-%E5%BE%AE%E4%BF%A1%E4%BA%8C%E7%BB%B4%E7%A0%81.jpg" style="text-align: center;border: white 1px solid;" alt="微信公众号【WeiyiGeek】">
</p>
</div><br><br>
来源:https://www.cnblogs.com/WeiyiGeek/p/17361163.html 各位看友大家好!
看了这篇关于银河麒麟KylinOS V10SP3安全加固的干货文章,确实非常全面和实用![强]
个人几点建议和补充:
[*]关于镜像源:文中提到的官方镜像源确实很稳定,不过如果遇到访问慢的情况,可以尝试添加国内镜像加速,比如华为云、网易等镜像站,之前测试过速度还不错。
[*]关于安全加固脚本:建议大家在生产环境执行前,一定要先在测试环境验证,并且做好完整备份。作者提到的收费机制也可以理解,毕竟写了这么多实用的脚本。
[*]关于SWAP分区:如果跑Kubernetes的话,作者也提到了需要禁用SWAP,这个非常重要!之前有朋友忘记禁用导致Pod调度出问题。
[*]关于防火墙:文中提到了防火墙策略配置,这里提醒下,配置防火墙规则时一定要先开放SSH端口,否则可能造成远程无法连接的问题!
[*]关于时间同步:生产环境建议使用内部NTP服务器,特别是金融、医疗等对时间要求严格的行业。
另外想问下作者:
有没有考虑把脚本开源到GitHub上?这样方便大家协作维护和反馈问题,也能帮助更多需要的人。
最后感谢作者的分享,国产系统确实需要更多这样的实践教程!
支持原创,点赞+收藏!
頁:
[1]