麒麟系统V10系统安全加固

爱看篮球的峰叔

一、安装clamav杀毒软件

1.在clamav官网下载：https://www.clamav.net/downloads

也可以在github上下载早一点的版本：https://github.com/Cisco-Talos/clamav/releases

我这里安装clamav-1.1.2

rpm -ivh clamav-1.1.2.linux.x86_64.rpm

2.下载病毒库：

https://database.clamav.net/main.cvd

https://database.clamav.net/daily.cvd

https://database.clamav.net/bytecode.cvd

将三个病毒库放在目录中，然后使用nginx代理，

server {
        listen       80;
        server_name  localhost;
        root /project/clamav-mirror;
        index index.html;
        location / {
          autoindex on;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
}

#/project/clamav-mirror/下就是三个病毒库文件

 把/usr/local/etc/下的clamd.conf.sample和freshclam.conf.sample  复制为clamd.conf和freshclam.conf

修改以下内容：

egrep -v "^#|^$" /usr/local/etc/clamd.conf
DatabaseDirectory /var/lib/clamav                    #病毒库存放目录
TCPSocket 3310
TCPAddr 0.0.0.0

修改以下内容：

[root@web1 etc]# egrep -v "^#|^$" /usr/local/etc/freshclam.conf
DatabaseDirectory /var/lib/clamav
DatabaseOwner root
DatabaseMirror 10.110.55.11         #本地病毒库地址，就是上面配置的nginx地址
ScriptedUpdates yes
PrivateMirror 10.110.55.11           #本地病毒库地址，就是上面配置的nginx地址
 Checks 12

 

执行：/usr/local/bin/freshclam 加载病毒库

[root@web1 etc]# /usr/local/bin/freshclam
ClamAV update process started at Thu Mar 20 16:16:29 2025
WARNING: DNS Update Info disabled. Falling back to HTTP mode.
Trying to retrieve CVD header from http://10.110.55.11/daily.cld
Time:    0.0s, ETA:    0.0s [========================>]       146B/146B
WARNING: remote_cvdhead: file not found: http://10.110.55.11/daily.cld
Trying to retrieve CVD header from http://10.110.55.11/daily.cvd
Time:    0.0s, ETA:    0.0s [========================>]       512B/512B
OK
daily.cvd database is up-to-date (version: 27580, sigs: 2073246, f-level: 90, builder: raynman)
Trying to retrieve CVD header from http://10.110.55.11/main.cld
Time:    0.0s, ETA:    0.0s [========================>]       146B/146B
WARNING: remote_cvdhead: file not found: http://10.110.55.11/main.cld
Trying to retrieve CVD header from http://10.110.55.11/main.cvd
Time:    0.0s, ETA:    0.0s [========================>]       512B/512B
OK
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Trying to retrieve CVD header from http://10.110.55.11/bytecode.cld
Time:    0.0s, ETA:    0.0s [========================>]       146B/146B
WARNING: remote_cvdhead: file not found: http://10.110.55.11/bytecode.cld
Trying to retrieve CVD header from http://10.110.55.11/bytecode.cvd
Time:    0.0s, ETA:    0.0s [========================>]       512B/512B
OK
bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)

启动病毒库：clamd --config-file=/usr/local/etc/clamd.conf      #服务端口为3310

 

扫描/project/nginx/conf/Virtaul/目录：

[root@web1 etc]# /usr/local/bin/clamscan -r -i /project/nginx/conf/Virtaul/

----------- SCAN SUMMARY -----------
Known viruses: 8705025
Engine version: 1.1.2
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 55.487 sec (0 m 55 s)
Start Date: 2025:03:20 16:17:06
End Date:   2025:03:20 16:18:02

 

二、配置rsyslog服务
1.在日志服务器开启监听514端口，且配置不同客户端主机日志存放路径

添加：
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
if ($fromhost-ip == '10.110.55.106') then /project/client_logs/10.110.55.106.log              #指定10.110.55.106这台主机发过来额日志，存放路径，需要先创建日志所在的目录

/project/client_logs/

。 & stop if ($fromhost-ip == '10.110.55.105') then /project/client_logs/10.110.55.105.log #同上 & stop if ($fromhost-ip == '10.110.55.104') then /project/client_logs/10.110.55.104.log & stop

2.在客户端服务器上的/etc/rsyslog.conf中添加：

*.* @10.110.55.38:514
*.* @@10.110.55.38:514

3.然后重启systemctl restart rsyslog

 三、修改用户登录策略。

1./etc/security/limits.conf
添加：最大登录两个用户

cat >>/etc/security/limits.conf <<EOF
* hard maxlogins 4
* hard maxsyslogins 2
root hard maxsyslogins 2
root hard maxlogins 2
EOF

2./etc/profile
添加： 不操作超时退出，以及umask改为077

cat >> /etc/profile << EOF
TMOUT=900
export TMOUT
umask 077
EOF

3./etc/pam.d/sshd.pam
添加：
cat >> /etc/pam.d/sshd.pam << EOF
auth required pam_limits.so
EOF

4./etc/ssh/sshd_config

sed -i "/^#UsePAM yes/s/#UsePAM yes/UsePAM yes/g" /etc/ssh/sshd_config

5./etc/pam.d/login
cat >> /etc/pam.d/login << EOF
account required pam_limits.so
EOF

 

6./etc/login.defs          #密码过期时间为90天，最小密码长度为16位
修改为：
sed -i "/^PASS_MAX_DAYS/s/99999/90/g" /etc/login.defs
sed -i "/^PASS_MIN_DAYS/s/0/1/g" /etc/login.defs
sed -i "/^PASS_MIN_LEN/s/5/16/g" /etc/login.defs

7./etc/pam.d/sshd               #如果系统/etc/pam.d/sshd中有以下配置，则不添加，如果没有，添加下面配置。

cat >> /etc/pam.d/sshd << EOF
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
EOF

10./etc/security/pwquality.conf    #密码复杂度，必须包含大小写，数字，特殊字符，且最小长度为16位
修改密码策略：
sed -i "/^minlen =/s/minlen = 8/minlen = 16/g" /etc/security/pwquality.conf
sed -i "/^dcredit =/s/dcredit = 0/dcredit = -1/g" /etc/security/pwquality.conf
sed -i "/^ucredit =/s/ucredit = 0/ucredit = -1/g" /etc/security/pwquality.conf
sed -i "/^lcredit =/s/lcredit = 0/lcredit = -1/g" /etc/security/pwquality.conf
sed -i "/^ocredit =/s/ocredit = 0/ocredit = -1/g" /etc/security/pwquality.conf

修改：
sed -i "/^password requisite/s/password requisite pam_pwquality.so try_first_pass local_users_only/password requisite pam_pwquality.so try_first_pass local_users_only retry=3/g" /etc/pam.d/system-auth
sed -i "/^password requisite/s/password requisite pam_pwquality.so try_first_pass local_users_only/password requisite pam_pwquality.so try_first_pass local_users_only retry=3/g" /etc/pam.d/password-auth

11./etc/ssh/sshd_config
设置最大连接用户数为2个，且最大错误认证次数为3：
cat >>/etc/ssh/sshd_config << EOF

MaxSessions 2
MaxStartups 2:30:2
MaxAuthTries 3
UsePAM yes

EOF

四、三员分类

1.创建三权账号
#新建管理员
useradd sysadmin
echo Clouddeep@admin8890 |passwd --stdin sysadmin

#新建操作员
useradd sysoperator
echo Clouddeep@operator8890 |passwd --stdin sysoperator

#新建审计员
useradd sysaudit
echo Clouddeep@audit8890 |passwd --stdin sysaudit

2.修改visudo配置
visudo

#管理员
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
sysadmin ALL=(root) SOFTWARE,SERVICES,STORAGE

#操作员
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
sysoperator ALL=(root) DELEGATING,PROCESSES,NETWORKING

#审计员         #可以根据具体情况添加审计员可以查看的目录
sysaudit ALL=(root) NOPASSWD:/usr/bin/cat,/usr/bin/less,/usr/bin/more,/usr/bin/tail ,/usr/bin/head,/usr/bin/ls /project/logs/*

3.测试配置是否正确
visudo -c

 

五、升级当前OpenSSH_9.7p1版本为OpenSSH_9.9p1
升级前一定要安装telnet服务，不然出现问题无法登录恢复：

安装telnet服务略......

下载最新的openssh版本：

下载地址：https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.9p1.tar.gz

解压：

执行：tar xf openssh-9.9p1.tar.gz
执行：cd openssh-9.9p1
执行：./configure --prefix=/usr/local/openssh --with-zlib --with-pam                           #编译时必须添加--with-pam，表示开启支持PAM认证，不然升级后的sshd不支持PAM密码策略。

注意：如果报这个错：
checking for openssl... /usr/bin/openssl
checking for openssl/opensslv.h... no
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
需要安装：

执行：yum install -y openssl-devel   （通过搭建本地yum源安装，搭建步骤看最后面）

注意：如果报这个错：
checking if getpgrp accepts zero args... yes
checking for openssl... /usr/bin/openssl
configure: error: *** working libcrypto not found, check config.log
需要执行：

执行：ln -s /usr/lib64/libcrypto.so.1.1.1f   /usr/lib64/libcrypto.so

然后执行：

执行：make && make install

执行：mv /usr/sbin/sshd /usr/sbin/sshd.bak

执行：mv /usr/bin/ssh /usr/bin/ssh.bak
执行：mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
执行：cp -rf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
执行：cp -rf /usr/local/openssh/bin/ssh /usr/bin/ssh
执行：cp -rf /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
然后重启sshd，验证服务是否正常：

注意：升级后的sshd会默认加载使用/usr/local/openssh/etc/sshd_config配置文件，如果要指定配置文件为/etc/ssh/sshd_config，需要再编译时使用--sysconfdir=/etc/ssh，指定配置文件的默认位置为/etc/ssh，那么会把之前的配置文件覆盖。

执行：systemctl restart sshd

 

制作本地镜像源：

1.在/mnt下新建目录ios为本地挂载做准备（可根据自身规划调整存放位置），以下为命令：mkdir /mnt/ios/

 

2.修改配置文件

 

1）进入存放yum源配置文件夹：cd /etc/yum.repos.d/

 

2）将原配置文件备份（此步骤也可将原配置文件删除或将原配置文件enabled参数改为0）：mv kylin_x86_64.repo kylin_x86_64.repo.bak

 

3）重写配置文件：vim local.repo（vim使用不了使用vi），写下以下内容（注意baseurl参数需与上面新建目录一致）：

 

[local]

name = local

baseurl = file:///mnt/ios

gpgcheck = 0

enabled = 1

4）

挂载yum源镜像（注意此处镜像上传存放位置与新建目录位置要与上面一直）：mount /home/Kylin-Server-10-SP2-x86-Release-Build09-20210524.iso   /mnt/ios

5）清理yum缓存 yum clean all

 然后就可以使用yum  -y install xxxx     安装镜像源中的软件包了

 

来源：https://www.cnblogs.com/wutao-007/p/18783343