linux基本安全防护

1,常用服务:修改默认用户名密码

a, cloudera manager

mysql> update  scm.USERS set USER_NAME='admin456' where USER_NAME like '%admin%';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> select * from  scm.USERS where USER_NAME like '%admin%';
+---------+-----------+------------------------------------------------------------------+---------------------+----------------+-------------------------+
| USER_ID | USER_NAME | PASSWORD_HASH                                                    | PASSWORD_SALT       | PASSWORD_LOGIN | OPTIMISTIC_LOCK_VERSION |
+---------+-----------+------------------------------------------------------------------+---------------------+----------------+-------------------------+
|       1 | admin456  | 0b87d30c5587d98dcfc6298e85b9aa41f840e877ac4868d094ba7ee31b54968e | 4886822280275476414 |              1 |                       1 |
+---------+-----------+------------------------------------------------------------------+---------------------+----------------+-------------------------+
1 row in set (0.00 sec)


2,操作系统基本安全配置

#0, 升级mysql5.7 审计功能,库重命名系统默认账户,限制访问权限; 设置密码复杂度
#设备本地设置访问控制列表限制终端接入范围,开启have_openssl加密协议
# create user 'root'@'192.168.1.%' identified by 'ABCabc123!'; 


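#1, OS auditing: keep logs for half a year
# Start rsyslog and auditd now and enable them at boot. Service manager detection
# uses the 'command -v' builtin instead of spawning 'which'.
if command -v systemctl >/dev/null 2>&1; then
  echo centos7
  systemctl start rsyslog auditd
  systemctl enable rsyslog auditd
else
  echo centos6
  service rsyslog start; service auditd start
  chkconfig rsyslog on; chkconfig auditd on
fi
# Top-level 'rotate' in logrotate.conf: 26 weekly rotations ~= 26 weeks.
# Stanzas under /etc/logrotate.d/ that set their own 'rotate' still take precedence.
sed -i 's/^rotate.*/rotate 26/' /etc/logrotate.conf
# auditd rotates /var/log/audit/audit.log itself. KEEP_LOGS rotates at max_log_file
# without ever discarding old files, which on its own satisfies the retention target.
# The audit log is deliberately NOT added to /etc/logrotate.d/syslog: auditd keeps
# the file open and that stanza's postrotate only signals rsyslog, so logrotate would
# rename the file out from under auditd and the two rotation schemes would collide.
sed -i 's/^max_log_file_action.*/max_log_file_action = KEEP_LOGS/' /etc/audit/auditd.conf
# auditd refuses a manual restart through systemctl; 'service auditd restart' is the
# supported way to reload the changed configuration on both releases.
service auditd restart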

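#2, OS does not assign privileges by admin role: create sudo users with a default password (username_pass@123#)
# Creates two administrative accounts with a predictable initial password that must be
# changed at first login (chage -d 0) and expires every 90 days.
# - The password is set with chpasswd reading stdin. Piping into plain 'passwd' is not
#   reliable: without --stdin it reads from the terminal, not the pipe, and the account
#   can silently end up without the intended password.
# - sudo rules go into /etc/sudoers.d/<user> (mode 0440) and are validated with
#   'visudo -c' before installation, so a malformed rule cannot break sudo globally.
#   Requires '#includedir /etc/sudoers.d' in /etc/sudoers (present by default).
# - The read-only helper account (shenji) gets NOEXEC: less/more can launch
#   sub-commands, and NOEXEC keeps the rule's read-only intent by preventing the
#   permitted programs from executing anything else.
pass_suffix="_pass@123#"

# Usage: add_admin NAME 'SUDOERS RULE'
#   Creates NAME if missing, sets the default password and ageing policy, and installs
#   the rule. Returns 1 if a temp file cannot be created or visudo rejects the rule.
add_admin() {
  local name=$1 rule=$2 tmp
  id "$name" >/dev/null 2>&1 || useradd "$name"
  printf '%s:%s\n' "$name" "${name}${pass_suffix}" | chpasswd
  chage -M 90 -m 5 -W 20 "$name"
  chage -d 0 "$name"   # force a password change at first login
  tmp=$(mktemp) || return 1
  printf '%s\n' "$rule" > "$tmp"
  if visudo -cf "$tmp" >/dev/null; then
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
    rm -f -- "$tmp"
  else
    printf 'sudo rule for %s rejected by visudo, not installed\n' "$name" >&2
    rm -f -- "$tmp"
    return 1
  fi
}

add_admin shenji 'shenji ALL = (ALL) NOEXEC: /bin/cat , /usr/bin/less , /bin/more , /usr/bin/tail , /usr/bin/head'
add_admin anquan 'anquan    ALL=(ALL)       ALL'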



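#3, OS default account (root) not renamed
# Renames the uid-0 account and the root group to 'superuser' by editing the account
# databases in place. The pattern is anchored on the whole first field ('^root:') so an
# account whose name merely starts with 'root' is not touched, and /etc/gshadow is
# included so the group databases stay consistent with /etc/group. Every file keeps a
# .bak copy. 'usermod -l' is not used because it typically refuses to rename an account
# that is in use by running processes, which root always is.
# NOTE(review): many units, cron jobs and scripts refer to the literal name 'root';
# audit them after this change — confirm on the target system before applying.
for db in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
  [[ -e "$db" ]] || continue
  sed -i.bak 's@^root:@superuser:@' "$db"
done
# Read-only consistency checks; their output is for the operator to review.
pwck -r || true
grpck -r || true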


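#4, OS has superfluous accounts (adm, lp, games, uucp)
# Disables unneeded system accounts by locking the password and setting a
# non-interactive shell. This replaces commenting the lines out of /etc/passwd and
# /etc/shadow, which (a) leaves lines that pwck rejects and (b) used an unanchored
# pattern, so '^mail' also disabled 'mailnull' and '^ftp' any account starting with ftp.
# Locking keeps the uid mapping intact, so daemons that run as e.g. 'nobody' or
# 'nfsnobody' keep working; only logins are prevented. Reversible with 'usermod -U'.
for acct in adm lp news uucp shutdown halt mail operator games ftp nobody nfsnobody llama; do
  if id "$acct" >/dev/null 2>&1; then
    usermod -L -s /sbin/nologin "$acct"
  fi
done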


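#5, Restrict management terminals by access method or network address range
# Restricts sshd through tcp_wrappers to the /24 of every local IPv4 address plus
# loopback. Allow rules are written BEFORE the deny-all rule, so a failure part-way
# through never leaves the host with a deny entry and no matching allow entry. Lines
# are appended only when absent, so the script can be re-run without duplicates.
# NOTE(review): the range is derived by dropping the last octet, i.e. it assumes a /24;
# adjust if the management network is larger or smaller. Newer distributions no longer
# build sshd with tcp_wrappers support — confirm on the target release.

# Usage: allow_once RULE FILE — append RULE to FILE unless an identical line exists.
allow_once() {
  local rule=$1 file=$2
  grep -qxF -- "$rule" "$file" 2>/dev/null || printf '%s\n' "$rule" >> "$file"
}

declare -a ip_ranges=()
read -ra local_addrs <<<"$(hostname -I)"
for addr in "${local_addrs[@]}"; do
  # IPv4 only: hostname -I may also list IPv6 addresses, which the octet-strip
  # approach cannot handle.
  [[ "$addr" =~ ^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$ ]] || continue
  ip_ranges+=("${BASH_REMATCH[1]}.")
done

for range in "${ip_ranges[@]}" 'localhost'; do
  allow_once "sshd : $range" /etc/hosts.allow
done
allow_once 'sshd : ALL' /etc/hosts.deny
printf 'the local net range ,to access this server are:  %s\n' "${ip_ranges[*]}"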


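#6, OS has no password complexity requirement; password validity 90 days
# Ageing defaults for NEW accounts (login.defs) and complexity for the PAM password
# stack. The login.defs patterns are anchored at the start of line so the explanatory
# comment lines in that file that mention the same keywords are left alone.
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN     8/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS   2/' /etc/login.defs
# /etc/pam.d/system-auth is normally a symlink to system-auth-ac; --follow-symlinks
# edits the target and keeps the link (plain 'sed -i' replaces the link with a regular
# file). CentOS 6 ships pam_cracklib, CentOS 7 pam_pwquality; both accept these option
# names, so either module line is matched. Options are inserted after 'type=' exactly
# as in the original rule.
sed -i --follow-symlinks \
  '/^password/s/\(pam_\(cracklib\|pwquality\)\.so.*type=\)/\1 difok=1 minlen=8  ucredit=-1  lcredit=-1 ocredit=-1 dcredit=-1 /' \
  /etc/pam.d/system-auth
# Left disabled on purpose: would apply the ageing policy to every existing account
# that has a password hash.
#awk -F: '{if(index($2,"$")>0 ) print " chage  -M 90  -m 5 -W 20",$1}' /etc/shadow |bash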


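#7, OS has no login-failure handling: no attempt limit, no idle logout
# Lock-out after repeated failures (pam_tally2) for console and ssh logins, plus an
# idle-shell timeout. Every edit is guarded so re-running the script does not insert
# the same line twice. pam_tally2 also needs an 'account' entry: without it a
# successful login never resets the failure counter, so it only grows and eventually
# locks every user out. The module lines are inserted before the FIRST auth/account
# line of each stack, matching where the original rules placed them.
# NOTE(review): unlock_time=5 / root_unlock_time=10 for console login are seconds and
# far shorter than the 120/300 used for sshd; the values are kept as written — confirm
# they are intended.
if ! grep -q 'pam_tally2.so' /etc/pam.d/login; then
  sed -i '1iauth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10' /etc/pam.d/login
  sed -i '0,/^account/s/^account.*/account    required    pam_tally2.so\n&/' /etc/pam.d/login
fi
if ! grep -q 'pam_tally2.so' /etc/pam.d/sshd; then
  sed -i '0,/^auth/s/^auth.*/auth    required    pam_tally2.so    deny=3    unlock_time=120 even_deny_root root_unlock_time=300\n&/' /etc/pam.d/sshd
  sed -i '0,/^account/s/^account.*/account    required    pam_tally2.so\n&/' /etc/pam.d/sshd
fi
# 'readonly' stops an interactive user from simply unsetting the timeout.
for rc in /etc/profile /etc/bashrc; do
  grep -q '^export TMOUT=' "$rc" || printf 'export TMOUT=300\nreadonly TMOUT\n' >> "$rc"
done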


转载自blog.csdn.net/eyeofeagle/article/details/110054633