1.1. Virtual machine operations

  • Example:

  • Create a VM:

    virt-install -n M10Srv20_80_14 --memory 4096 --vcpus=2 --disk /data/kvm/M10Srv20_80_14.img,format=qcow2,size=92 --os-type=linux --cdrom /data/kvm/ubuntu-18.04.3-live-server-amd64.iso --vnc --vncport=5904 --vnclisten=0.0.0.0 --network bridge=br0,model=virtio

    Caveat: --vnclisten=0.0.0.0 exposes the installer console on every host interface with no VNC password, and whoever reaches port 5904 owns the guest during installation. Bind the console to 127.0.0.1 and reach it over an SSH tunnel, or set a password (for example --graphics vnc,listen=127.0.0.1,password=...), and remove the listener once the install is done.

  • Configure the VM:

  • Operate the VM:
    virsh list --all
    virsh start M10Srv20_80_14
    virsh shutdown M10Srv20_80_14
    virsh edit <vm-name>
  • Clone the VM:
    virt-clone --connect=qemu:///system -o M10Srv20_80_14 -n M10Srv20_80_15 -f /data/kvm/M10Srv20_80_15.img
    A clone carries the source's SSH host keys and /etc/machine-id; regenerate them (virt-sysprep from libguestfs-tools does this) before the clone is put on the network, otherwise two hosts present the same SSH identity.

2. System hardening

2.1. Preparation before the upgrade

  1. Enable the root password.
  2. Upgrade the kernel:
dpkg -i linux-image-unsigned-4.18.20-041820-generic_4.18.20-041820.201812030624_amd64.deb linux-modules-4.18.20-041820-generic_4.18.20-041820.201812030624_amd64.deb
     Caveat: these are unsigned mainline builds from the Ubuntu kernel PPA. They do not boot under Secure Boot and receive no Ubuntu security updates, so this kernel has to be revisited whenever a kernel USN is published.
  3. chown -R 1000:1000 /opt/
  4. Configure the apt sources (point them at the internal mirror, see 2.2.2).
  5. Note: point ntp at the internal time server; delete any content containing "ktb"; add the DNS servers once they are assigned; remove the KTB environment from the ntp sources.

2.2. Hardening items

2.2.1. Disk partitioning

  • Hardening method:
    Install from the official ubuntu-18.04.3-live-server-amd64.iso image and, following the installer prompts, partition the disk according to the partition table.
  • Check method:
  lsblk
  df -lTh

2.2.2. Add the internal apt source

scp 10.10.108.121:/root/formssi.pub /root
cd /root; apt-key add formssi.pub
echo "deb http://10.10.108.121:1111 /packages/" > /etc/apt/sources.list
apt-get update
apt-get install -y python

The redirect overwrites sources.list, so the Ubuntu archives are gone and every later package, including the sox fix in 2.2.3, has to come from 10.10.108.121. apt-key add makes formssi.pub a trusted signer for every repository on the box; the apt shipped with 18.04 accepts [signed-by=/path/to/key.gpg] in the deb line, which limits the key to this one repository. Verify with apt-key list and apt-cache policy.

2.2.3. System patches

  • Hardening method:
    Download the packages from https://usn.ubuntu.com/4079-2/?_ga=2.234059806.1471299125.1572330724-850771604.1572330724 (USN-4079-2, the sox/libsox3 update) and install the downloaded .deb files:
dpkg -i libsox3_*.deb sox_*.deb
  • Check method:
dpkg -l | grep libsox3
dpkg -l | grep sox
    Compare the installed version with the one named in the USN. Once the internal mirror carries the fix, apt-get install --only-upgrade sox libsox3 does the same without downloading by hand.

2.2.4. Log files

  • Requirement:
    Log files are used by the system and by applications to record actions, errors, warnings and problems. They are useful for investigating system quirks, for finding the root cause of hard problems, and for watching attackers. There are typically two kinds: system log files, managed by the syslog daemon (rsyslog on Ubuntu 18.04), and application logs written by the application itself. Log files are kept according to the requirement (more than 7 days here; 2.2.4.9.3 and 2.2.4.19 raise that to at least 90 days) and must be rotated.

2.2.4.1. Enable logging

  • Hardening method:
    Append the following rules to /etc/rsyslog.conf:

cat >> /etc/rsyslog.conf <<'EOF'
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         :omusrmsg:*
uucp,news.crit                                  /var/log/spooler
local7.*                                        /var/log/boot.log
EOF
systemctl restart rsyslog

    These are the Red Hat style destinations. Ubuntu's /etc/rsyslog.d/50-default.conf already writes auth,authpriv to /var/log/auth.log and everything else to /var/log/syslog, so after this change authentication events land in both files. 2.2.4.9 adds the messages and secure rules again in 50-default.conf; one copy of each is enough.
  • Check method:
  cat /etc/rsyslog.conf
  systemctl is-enabled rsyslog    # is rsyslog started at boot?
  rsyslogd -N1                    # parse the configuration without starting the daemon

2.2.4.2. Kernel tuning (open-file limits)

  • Hardening method:
    Raise the per-process file-descriptor limit for the operator group (a leading % in limits.conf names a group; the hard limit must be at least the soft one):

cat >> /etc/security/limits.conf <<'EOF'
%opergrp        soft    nofile      10000
%opergrp        hard    nofile      20000
EOF

    The limits apply to sessions opened after the change (pam_limits sets them at login), and the system-wide ceiling fs.nr_open still applies.
  • Check method:
    su - <user in opergrp> -c 'ulimit -Sn; ulimit -Hn'
2.2.4.2.1. Password complexity checking

  • Hardening method:
apt-get -y install libpam-cracklib
sed -i '/pam_cracklib.so/d' /etc/pam.d/common-password
sed -i '/pam_unix.so/d' /etc/pam.d/common-password
sed -i '/pam_deny.so/d' /etc/pam.d/common-password
sed -i '/pam_permit.so/d' /etc/pam.d/common-password
printf '%s\n' \
  'password  required    pam_cracklib.so retry=3 minlen=8 difok=0 dcredit=-1 ucredit=0 lcredit=-1 ocredit=-1' \
  'password  sufficient  pam_unix.so sha512 shadow try_first_pass use_authtok remember=5' \
  'password  requisite   pam_deny.so' \
  'password  required    pam_permit.so' \
  >> /etc/pam.d/common-password
sed -i "s/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS\t30/g" /etc/login.defs
sed -i "s/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS\t7/g" /etc/login.defs
sed -i "s/^#PASS_MIN_LEN.*$/PASS_MIN_LEN\t8/g" /etc/login.defs

    Do not put md5 or nullok on the pam_unix line: md5 hashes new passwords with MD5-crypt instead of the sha512 Ubuntu uses by default, and nullok accepts an empty password. With every credit zero or negative, minlen=8 is a plain eight-character floor with at least one digit, one lowercase letter and one non-alphanumeric character; ucredit=0 means uppercase is neither required nor credited, and difok=0 disables the "too similar to the old password" test. remember=5 keeps the previous five hashes in /etc/security/opasswd so they cannot be reused. PASS_MAX_DAYS and PASS_MIN_DAYS in login.defs apply only to accounts created afterwards; existing accounts need chage -M 30 -m 7 <user>.
  • Check method:
grep "^password" /etc/pam.d/common-password
grep "^PASS" /etc/login.defs
chage -l <user>
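As an added example that is not part of the original page, the following sh functions apply the credit rules of the pam_cracklib line above, so a generated password can be screened before chpasswd hands it to PAM, and apply the PASS_MAX_DAYS rule to a shadow last-change day. Both are assumed helpers written for this page: they mirror only minlen, the four credit options and PASS_MAX_DAYS; cracklib's dictionary, palindrome and similarity checks still run inside PAM.

```shell
#!/bin/sh
# Added example (assumed helper, not from the original page): emulate the
# pam_cracklib line above,
#   minlen=8 difok=0 dcredit=-1 ucredit=0 lcredit=-1 ocredit=-1
# A negative credit is a minimum count for that character class; a zero
# credit means the class is neither required nor counted towards minlen.
# With no positive credits, minlen is a plain eight-character floor.
# Not emulated (they stay with PAM): cracklib's dictionary, palindrome and
# "too similar to the old password" checks.

LC_ALL=C; export LC_ALL          # make [a-z] and [0-9] plain ASCII ranges

# check_password_policy PASSWORD
# Prints "ok" and returns 0, or prints the first violated rule and returns 1.
check_password_policy() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then
        echo "too short (minlen=8)"; return 1
    fi
    case $pw in                                # dcredit=-1: at least one digit
        *[0-9]*) ;;
        *) echo "needs a digit (dcredit=-1)"; return 1 ;;
    esac
    case $pw in                                # lcredit=-1: at least one lowercase letter
        *[a-z]*) ;;
        *) echo "needs a lowercase letter (lcredit=-1)"; return 1 ;;
    esac
    case $pw in                                # ocredit=-1: at least one non-alphanumeric
        *[!A-Za-z0-9]*) ;;
        *) echo "needs a symbol (ocredit=-1)"; return 1 ;;
    esac
    # ucredit=0: uppercase is allowed but neither required nor credited
    echo ok
}

# password_age_ok LAST_CHANGE_DAY TODAY_DAY
# The login.defs half of the policy: with PASS_MAX_DAYS 30 a password whose
# last change (field 3 of /etc/shadow, days since 1970-01-01) is more than
# 30 days before today has expired. Returns 0 while it is still valid.
password_age_ok() {
    [ $(( $2 - $1 )) -le 30 ]
}
```

Usage: check_password_policy "$candidate" before feeding the account to chpasswd; password_age_ok reads its first argument straight from the third field of /etc/shadow and the second from $(( $(date +%s) / 86400 )).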

2.2.4.3. Authentication (login lockout)

  • Hardening method:
sed -i '/pam_unix.so/d' /etc/pam.d/common-auth
sed -i '/pam_deny.so/d' /etc/pam.d/common-auth
printf '%s\n' \
  'auth  required    pam_env.so' \
  'auth  required    pam_tally2.so onerr=fail deny=3' \
  'auth  sufficient  pam_unix.so try_first_pass' \
  'auth  requisite   pam_succeed_if.so uid>=1000 quiet' \
  'auth  required    pam_deny.so' \
  >> /etc/pam.d/common-auth

    The option is spelled onerr=fail; noerr is not a pam_tally2 option (the module logs it as unknown and ignores it, so the intended "fail closed if the tally file cannot be read" never applies). pam_tally2 sits before pam_unix so every failed password attempt is counted; after three consecutive failures the account is denied and, with no unlock_time, stays locked until an administrator resets it. Root is exempt unless even_deny_root is added; 2.2.4.10 closes the remote root path separately. The pam_succeed_if line is only reached once pam_unix has already failed, so it changes nothing but the error returned; its threshold is 1000 because that is Ubuntu's UID_MIN (/etc/login.defs), the Red Hat value is 500. Do not keep nullok on pam_unix: it accepts an empty password.
  • Check method:
grep "^auth" /etc/pam.d/common-auth
pam_tally2 --user <user>            # failure count
pam_tally2 --user <user> --reset    # unlock

2.2.4.4. Restrict the TTY devices root may log in from

  • Hardening method:
echo "console" > /etc/securetty
    /etc/securetty lists the TTY devices on which root is allowed to log in; the login program (normally /bin/login, through pam_securetty in /etc/pam.d/login) reads it and refuses root on any device not listed. With only "console" in the file, root is also refused on tty1 (what the VNC console from section 1 shows) and on a serial console such as ttyS0; add those names if a local root login on the console is still wanted. sshd does not consult this file, which is why 2.2.4.10 is a separate item.
  • Check method:
cat /etc/securetty

2.2.4.5. Account locking

  • Hardening method:
    Lock the password of every system account so it cannot be used for an interactive password login (the list is the Red Hat one; names that do not exist on Ubuntu 18.04 simply produce "passwd: user 'x' does not exist"):

for u in bin daemon adm lp mail uucp operator games gopher ftp nobody nscd mailnull smmsp vcsa pcap rpc rpcuser nfsnobody sshd dbus haldaemon avahi-autoipd avahi apache ntp xfs gdm sabayon; do
  passwd -l "$u"
done

    passwd -l only prefixes the hash with "!". Because sshd on Ubuntu runs with UsePAM yes, a locked account that still has a login shell and an authorized_keys file can log in with a key, so pair this with a non-login shell (usermod -s /usr/sbin/nologin, as 2.2.4.18 does for sync).
  • Check method:
for u in bin daemon adm lp mail uucp operator games gopher ftp nobody nscd mailnull smmsp vcsa pcap rpc rpcuser nfsnobody sshd dbus haldaemon avahi-autoipd avahi apache ntp xfs gdm sabayon; do
  passwd -S "$u"
done

2.2.4.6. Check for duplicate UIDs

  • Check method:
awk -F: '{CNT[$3]++} END {for (i in CNT) if (CNT[i] > 1) printf "UID not ONCE: %s\n", i}' /etc/passwd
    Two accounts sharing a UID are the same identity to the kernel: files, processes and sudo rules of one belong to the other. The case that matters most is a second UID 0 account; awk -F: '$3 == 0' /etc/passwd must print only root.

2.2.4.7. Security auditing

  • Hardening method:
apt-get -y install auditd
systemctl enable auditd
systemctl restart auditd
    Audit is an important part of the Linux security architecture, but it is a detective control: it records what happened and blocks nothing, so its value is only as good as the rules loaded (2.2.4.8) and the retention of /var/log/audit/audit.log, which auditd rotates itself according to max_log_file and num_logs in /etc/audit/auditd.conf.
  • Check method:
systemctl status auditd
auditctl -s    # "enabled 1" means the kernel audit subsystem is on

2.2.4.8. Add audit rules

  • Hardening method:
    Record every failed attempt (permission denied, or operation not permitted) by a logged-in user to create, open or truncate a file. Each rule is one line starting with -a:

cat > /etc/audit/rules.d/failedfileandprogramaccess.rules <<'EOF'
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
EOF
augenrules --load

    The syscall is creat (there is no syscall named create, and auditctl rejects the rule with "Syscall name unknown"). auid>=1000 matches Ubuntu's UID_MIN, and auid!=4294967295 skips processes that never logged in (daemons started at boot, whose login UID is unset). Add the same pair with -F arch=b32 if 32-bit binaries run on the host, otherwise their calls are not seen. augenrules merges everything in /etc/audit/rules.d into /etc/audit/audit.rules and loads it; edits made directly to audit.rules are overwritten at the next load.
  • Check method:
auditctl -l                      # rules the kernel currently has
ausearch -k access -i | tail     # events matched so far, with names resolved
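As an added example (not from the original page), the following sh function reads raw auditd records and prints one line per failed access the rules above produce, joining each SYSCALL record to its PATH records by event serial. The sample audit.log is constructed for this example: the second event carries exit=-1 (EPERM), as a write-open of an immutable file would produce.

```shell
#!/bin/sh
# Added example: summarise the events the "access" rules above generate.
# auditd writes them raw to /var/log/audit/audit.log: a SYSCALL record
# (exit=-13 is EACCES, exit=-1 is EPERM, key="access") followed by CWD and
# PATH records that share the same serial in msg=audit(time:serial).
# The function joins SYSCALL to its PATH records by that serial and prints
# one line per failed attempt. The sample log below is constructed for this
# example, not captured from a real host.

# summarize_failed_access AUDIT_LOG_FILE
#   -> "auid=<uid> comm=<cmd> err=<EACCES|EPERM|n> path=<file>" per event
summarize_failed_access() {
    awk '
    # value of key=... in the current record, quotes stripped
    function field(name,    i, kv) {
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) {
                split($i, kv, "="); gsub(/"/, "", kv[2]); return kv[2]
            }
        return ""
    }
    # serial number from msg=audit(1572330724.101:201):
    function serial(    s) {
        s = $2; sub(/^msg=audit\([0-9.]+:/, "", s); sub(/\).*/, "", s); return s
    }
    $1 == "type=SYSCALL" && field("key") == "access" && field("success") == "no" {
        id = serial(); order[++n] = id
        who[id] = field("auid"); cmd[id] = field("comm")
        e = field("exit")
        if (e == "-13") e = "EACCES"; else if (e == "-1") e = "EPERM"
        err[id] = e
    }
    # the last PATH item of an event is the object itself (earlier items are
    # parent directories when openat was given a relative path)
    $1 == "type=PATH" { path[serial()] = field("name") }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf "auid=%s comm=%s err=%s path=%s\n", who[id], cmd[id], err[id], path[id]
        }
    }' "$1"
}

# make_sample_audit_log -> prints the path of a constructed audit.log
make_sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=SYSCALL msg=audit(1572330724.101:201): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c0 a2=0 a3=0 items=1 ppid=2100 pid=2134 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1572330724.101:201): cwd="/home/ops"
type=PATH msg=audit(1572330724.101:201): item=0 name="/etc/shadow" inode=262407 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1572330724.101:201): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1572330730.555:202): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=7ffc1 a2=241 a3=1b6 items=2 ppid=2200 pid=2251 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="vi" exe="/usr/bin/vim.basic" key="access"
type=PATH msg=audit(1572330730.555:202): item=0 name="/srv/" inode=1 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1572330730.555:202): item=1 name="/srv/immutable.conf" inode=2 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1572330740.000:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc2 a2=0 a3=0 items=1 ppid=2100 pid=2140 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="cat" exe="/bin/cat" key="other"
type=PATH msg=audit(1572330740.000:203): item=0 name="/etc/hostname" inode=3 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
EOF
    echo "$f"
}
```

On a host, summarize_failed_access /var/log/audit/audit.log | sort | uniq -c | sort -rn shows which user and command keep hitting which file; ausearch -k access -i gives the same events with UIDs and errno already resolved, and is the tool to reach for once the format is understood.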

2.2.4.9. Log management

2.2.4.9.1. Enable system logging
  • Hardening method:
sed -i 's/^\*\.\*;auth,authpriv\.none/#&/' /etc/rsyslog.d/50-default.conf
echo "*.info;mail.none;authpriv.none;cron.none /var/log/messages" >> /etc/rsyslog.d/50-default.conf
systemctl restart rsyslog
    The first command comments out the stock rule that writes everything to /var/log/syslog (the metacharacters are escaped so the pattern matches exactly that line; /var/log/syslog stops receiving messages afterwards). The second sends info and above, minus mail, authpriv and cron, to /var/log/messages. If 2.2.4.1 was applied the same rule already exists in /etc/rsyslog.conf and every message is written twice; keep one copy.
  • Check method:
    Restart rsyslog (or the host) and confirm /var/log/messages exists and receives entries: logger -t hardening test; grep hardening /var/log/messages
2.2.4.9.2. Successful and unsuccessful logins and logouts must be logged
  • Hardening method:
echo "authpriv.*                      /var/log/secure" >> /etc/rsyslog.d/50-default.conf
systemctl restart rsyslog
    Ubuntu already records the same events in /var/log/auth.log (auth,authpriv.* in 50-default.conf); this adds /var/log/secure as a second copy, which the logrotate stanza in 2.2.4.19 expects. Logins also go to the binary wtmp, btmp and lastlog files, read with last, lastb and lastlog.
  • Check method:
    Log in once and confirm /var/log/secure exists and contains the login.
2.2.4.9.3. All log files must be kept for at least 90 days
sed -i 's/rotate 7$/rotate 91/' /etc/logrotate.d/rsyslog
sed -i 's/rotate 4$/rotate 13/' /etc/logrotate.d/rsyslog
sed -i 's/rotate 1$/rotate 3/'  /etc/logrotate.conf
sed -i 's/rotate 4$/rotate 13/' /etc/logrotate.conf
    The patterns are anchored at end of line because an unanchored "rotate 1" also matches "rotate 13" and "rotate 100": run unanchored a second time, "rotate 13" becomes "rotate 33". The substitutions only make sense once; 2.2.4.19 replaces logrotate.conf wholesale anyway.
  • Check method:
  1. Check that the log rotation program is installed:
logrotate --version
  2. Check the rotation interval and the number of rotations kept:
cat /etc/logrotate.conf
cat /etc/logrotate.d/rsyslog
logrotate -d /etc/logrotate.conf    # dry run: shows what would rotate and reports syntax errors

Monthly rotation: keep 3 copies
Weekly rotation: keep at least 13 copies
Daily rotation: keep 91 copies

2.2.4.10. Disable remote root login (apply after the cluster has been built, otherwise root cannot log in remotely once the service restarts)

sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd
    The stock 18.04 file carries the directive commented out (#PermitRootLogin prohibit-password). A pattern that only matches an uncommented line changes nothing and leaves the default, which still admits root with a key; the optional # in the pattern covers both forms. sshd -t validates the file before the restart so a typo cannot lock everyone out.
  • Check method:
sshd -T | grep -i permitrootlogin    # must print "permitrootlogin no"
    Logging in as root with the password must fail.

2.2.4.11. Services not to start at boot

    Most of this list comes from Red Hat and xinetd-era baselines; on Ubuntu 18.04 the majority of the units do not exist and systemctl only reports "Unit file x.service does not exist", which is harmless. The names are deduplicated and run through one loop. --now also stops a unit that is currently running, which systemctl disable on its own does not do.

for svc in sendmail cups ypbind ypserv yppasswd smb autofs portmap rpcidmapd rpcgssd nfs nfslock \
  telnet rlogin rexec rexd rsh tftp vsftp eklogin klogin gssftp kshell shell loginp krb5-telnet \
  finger chargen daytime-udp time-udp daytime time echo-udp rsync chargen-udp echo biff discard \
  exec name printer talk uucp sprayd who chargen-dgram cvs daytime-dgram daytime-stream \
  discard-dgram discard-stream echo-stream ekrb5-telnet tcpmux-server time-dgram time-stream \
  acpid atd avahi-daemon avahi-dnsconfd bluetooth bind conman cpuspeed dnsmasq dovecot dund \
  firstboot gpm haldaemon hidd httpd ip6tables ipmi iptables irda irqbalance kdump kudzu \
  mcstrans mdmonitor netconsole netfs netplugd nscd pand pcscd psacct rdisc readahead_early \
  readahead_later restorecond rhnsd rpcsvcgssd rwhod setroubleshoot smartd vncserver vsftpd \
  wdaemon winbind wpa_supplicant xfs yum-updatesd snmp; do
  systemctl disable --now "$svc" 2>/dev/null
done
for svc in sendmail rsync acpid atd irqbalance; do
  /lib/systemd/systemd-sysv-install disable "$svc"    # SysV init scripts without a native unit
done

    Three groups deserve a second look before they are disabled blindly: iptables and ip6tables (Ubuntu's host firewall is ufw or netfilter-persistent, neither of which is on this list, so make sure no firewall is actually being switched off), irqbalance (a performance setting installed by default on Ubuntu server, not a security one) and smartd/mdmonitor (disk health alerts). systemctl disable already delegates SysV-only scripts to systemd-sysv-install, which calls update-rc.d, so the second loop is redundant but harmless.
  • Check method:
systemctl is-enabled <service>
systemctl is-active <service>
ss -lntup    # nothing listening that belongs to a disabled service

2.2.4.12. Show a banner after login

    Put the warning text in /etc/motd:

cat > /etc/motd <<'EOF'
***********************************************
WARNING: This system is restricted to KTB Computer Services (KTBCS) authorized users for business purposes only. Unauthorized access or use is a violation of laws and KTBCS security policy. This service may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring.
**********************************************
EOF

    On Ubuntu 18.04 pam_motd prints the static /etc/motd after the dynamic /run/motd.dynamic generated by /etc/update-motd.d, so both appear. A banner shown before authentication (the one a legal notice usually needs) is /etc/issue.net together with Banner /etc/issue.net in sshd_config; see 2.2.4.20.
  • Check method:
    Log in again; the banner above is displayed after a successful login.

2.2.4.13. Set the session idle timeout

sudo vim /etc/profile
## add at the end
export TMOUT=600
readonly TMOUT
source /etc/profile
    readonly stops a user from running unset TMOUT in their own session. /etc/profile is only read by login shells (bash, sh), so this covers neither non-login shells nor scp/sftp sessions; sshd's ClientAliveInterval and ClientAliveCountMax detect dead connections but do not log out an idle interactive user.
  • Check method:
    Log in again, open a new session and touch nothing; if the session is logged out automatically after 10 minutes the setting is in effect.

2.2.4.14. Set kernel runtime parameters

    Add to /etc/sysctl.conf (vi /etc/sysctl.conf):

#Enable TCP SYN Cookie to prevent SYN flood
net.ipv4.tcp_syncookies=1
#Disable IP Source Routing
net.ipv4.conf.all.accept_source_route=0
#Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects=0
#Disable Secure ICMP Redirect Acceptance to prevent outsiders updating the system routing table
net.ipv4.conf.all.secure_redirects=0
#Enable IP Spoofing Protection
net.ipv4.conf.all.rp_filter=1
#Enable Ignoring Broadcast Requests
net.ipv4.icmp_echo_ignore_broadcasts=1
#Enable Bad Error Message Protection to prevent the kernel from logging bogus responses
net.ipv4.icmp_ignore_bogus_error_responses=1
#Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians=1

    One caveat on the conf.all.* keys: with forwarding off, the kernel accepts an ICMP redirect on an interface when either conf.all or conf.<interface> allows it, so conf.all.accept_redirects=0 alone is not enough. Set net.ipv4.conf.default.accept_redirects=0 and net.ipv4.conf.default.secure_redirects=0 as well so interfaces created later (bridges, virtio NICs) start with it off. rp_filter and log_martians take the stronger of all/interface, so conf.all suffices for those. If IPv6 is enabled, net.ipv6.conf.all.accept_redirects and accept_source_route have the same meaning and default to on.
  • Check method:
sysctl -p                     # reloads /etc/sysctl.conf and echoes each key; it verifies nothing
sysctl -n net.ipv4.tcp_syncookies net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects    # live values, repeat after a reboot
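As an added example (not from the original page), the sh function below diffs the keys of a sysctl.conf-style file against saved sysctl -a output, which is the check the reload above does not perform. The expected list in the sample adds the conf.default twins from the caveat; the sysctl -a excerpt is constructed for the example, with one key wrong and one absent.

```shell
#!/bin/sh
# Added example: compare the values /etc/sysctl.conf asks for with what the
# kernel actually has. "sysctl -p" only reloads the file; it does not tell
# you that a later file in /etc/sysctl.d or a per-interface setting left a
# key at another value. Assumptions: GNU sysctl output "key = value"; the
# expected file uses key=value lines and # comments, like sysctl.conf.

# check_sysctl EXPECTED_FILE CURRENT_FILE
#   EXPECTED_FILE: sysctl.conf-style lines; CURRENT_FILE: output of "sysctl -a"
#   prints "key expected=X actual=Y" per mismatch; exit 0 only when all match
check_sysctl() {
    awk '
    function norm(line) { sub(/#.*/, "", line); gsub(/[ \t]/, "", line); return line }
    NR == FNR { l = norm($0); if (l != "") { split(l, kv, "="); want[kv[1]] = kv[2] }; next }
    { l = norm($0); split(l, kv, "="); if (kv[1] in want) have[kv[1]] = kv[2] }
    END {
        for (k in want) {
            if (!(k in have)) { printf "%s expected=%s actual=<missing>\n", k, want[k]; bad = 1 }
            else if (have[k] != want[k]) { printf "%s expected=%s actual=%s\n", k, want[k], have[k]; bad = 1 }
        }
        exit bad
    }' "$1" "$2"
}

# make_sample_sysctl -> temp dir with expected.conf (the settings above plus
# the conf.default twins) and current.txt, a constructed "sysctl -a" excerpt
# in which accept_redirects is still on and default.secure_redirects is absent
make_sample_sysctl() {
    d=$(mktemp -d)
    cat > "$d/expected.conf" <<'EOF'
#Enable TCP SYN Cookie to prevent SYN flood
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
EOF
    cat > "$d/current.txt" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_rmem = 4096 131072 6291456
EOF
    echo "$d"
}
```

On a host: sysctl -a 2>/dev/null > /tmp/sysctl.now; check_sysctl /etc/sysctl.conf /tmp/sysctl.now, run again after the first reboot, since that is when /etc/sysctl.d ordering and interface creation have their say.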

2.2.4.15. The default umask is 0022 and needs no change

    0022 leaves new files readable by every user. The CIS Ubuntu 18.04 benchmark asks for 027 (UMASK in /etc/login.defs and umask 027 in /etc/profile); adopt that if the baseline this guide answers to is CIS.

2.2.4.16. Secure shell (SSH)

  • Requirement:
    Install a licensed SSH (F-Secure SSH) or the open-source OpenSSH so that data is encrypted in transit. Every server with SSH installed must have the telnet and ftp ports closed, i.e. ports 20, 21 and 23.

  • Hardening method:

    Remove the version string sshd sends in its banner. The string is compiled into the binary, so the replacement must have exactly the same byte length: a shorter one shifts every byte after it and the ELF image no longer loads. "OpenSSH_7.6p1 Ubuntu-4ubuntu0.3" is 31 bytes, so it is replaced with "OpenSSH" padded with spaces to 31:

cp -a /usr/sbin/sshd /usr/sbin/sshd.orig
sed -i "s/OpenSSH_7\.6p1 Ubuntu-4ubuntu0\.3/$(printf '%-31s' OpenSSH)/" /usr/sbin/sshd
sshd -t && systemctl restart sshd

    The peer then sees SSH-2.0-OpenSSH followed by spaces; RFC 4253 treats everything after the first space as the comment field and OpenSSH clients accept it. Replacing the string with a single space shrinks the file by 30 bytes and breaks the binary. Two further caveats: the next apt upgrade of openssh-server restores the original string (and dpkg --verify openssh-server reports the modified file until then), and Debian's sshd has a DebianBanner no option in sshd_config that drops the "Ubuntu-4ubuntu0.3" suffix without touching the binary; the bare OpenSSH_7.6p1 remains in that case because the protocol exchanges the software version.
  • Check method:
    ssh -V prints the version of the local client, not of the server. Check the server banner from another host:

nc -w 3 10.10.108.12 22 </dev/null | head -1    # expect SSH-2.0-OpenSSH with no version
telnet 10.10.108.12 22

    Check whether ports 20, 21 and 23 are listening (grep 20 on netstat output also matches 2049, 8020 and any PID containing 20, so anchor on the port column):

ss -lntp | awk '$4 ~ /:(20|21|23)$/'

    The system does not have telnet or ftp ports open, so there is nothing to close. Then check from outside:

telnet 10.10.108.12 20
telnet 10.10.108.12 21
telnet 10.10.108.12 23
telnet 10.10.108.12 22
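As an added example (not from the original page), the sh helper below performs the same-length replacement the sshd banner edit above depends on and refuses to write when the lengths differ. The file it edits in the test is a constructed banner line, not the real binary; GNU sed and grep are assumed.

```shell
#!/bin/sh
# Added example: replace a string inside a file only when the replacement has
# exactly the same byte length, so nothing after it moves. This is the
# property the sshd banner edit above relies on; a shorter replacement
# shifts every byte that follows and the ELF image no longer loads.
# Assumptions: GNU sed and grep (for -i and -a); the strings are plain ASCII.

# pad_to_length TEXT N -> TEXT right-padded with spaces to exactly N bytes
pad_to_length() {
    awk -v s="$1" -v n="$2" 'BEGIN { printf "%-" n "s", s }'
}

# patch_string_same_length FILE OLD NEW
#   0: replaced   2: lengths differ (nothing written)   3: OLD not found
patch_string_same_length() {
    file=$1; old=$2; new=$3
    old_len=$(printf '%s' "$old" | wc -c | tr -d ' ')
    new_len=$(printf '%s' "$new" | wc -c | tr -d ' ')
    if [ "$old_len" -ne "$new_len" ]; then
        echo "refusing: replacement is $new_len bytes, original is $old_len bytes" >&2
        return 2
    fi
    # -a makes grep treat a binary file as text so the match is reported
    if ! grep -qaF -- "$old" "$file"; then
        echo "refusing: string not found in $file" >&2
        return 3
    fi
    # escape the characters that mean something to sed in a pattern / replacement
    old_re=$(printf '%s' "$old" | sed 's/[][\/.*^$]/\\&/g')
    new_re=$(printf '%s' "$new" | sed 's/[\/&]/\\&/g')
    sed -i "s/$old_re/$new_re/g" "$file"
}
```

Usage against the real binary, after taking a copy: patch_string_same_length /usr/sbin/sshd 'OpenSSH_7.6p1 Ubuntu-4ubuntu0.3' "$(pad_to_length OpenSSH 31)" && sshd -t. The length guard is the whole point; the sed line on its own would happily write a 1-byte replacement.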

2.2.4.17. Time synchronisation

All servers must be configured to synchronise time with an NTP service; which servers they synchronise with depends on the environment or network segment the server is in.

  • Hardening method:
apt-get install ntp ntpdate -y
    Edit the configuration file: vim /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
server 10.10.108.121 prefer   # local-environment clock server (assumed to be the host the manual ntpdate below uses); used while setting the correct time. At the customer site use the two servers below instead
#server NTP_PBS_ST1.kcs
#server NTP_BBT_ST1.kcs
    Keep the restrict default lines: noquery and nomodify refuse the mode 6/7 control queries used in NTP amplification attacks. Installing the ntp package disables systemd-timesyncd, which 18.04 uses by default; confirm afterwards that only one of the two is active.
    Stop the ntp service: systemctl stop ntp
    Set the correct time by hand first (ntpd slews small offsets but gives up on a clock that is far off):
    Local environment: ntpdate 10.10.108.121        # local or customer environment, as required
    Customer environment: ntpdate NTP_PBS_ST1.kcs
    Start the ntp service: systemctl start ntp
    Enable at boot: systemctl enable ntp
    Check synchronisation: ntpq -p    # a peer marked "*" with a small offset means the clock is synchronised; ntpstat gives a one-line verdict

2.2.4.18. Give the sync account a nologin shell

usermod -s /usr/sbin/nologin sync
    Editing /etc/passwd with vi gives the same result, but usermod takes the passwd lock. The resulting line is:
sync:x:4:65534:sync:/bin:/usr/sbin/nologin
    Check with grep ^sync: /etc/passwd. The same change belongs on every other system account that still has a shell (see 2.2.4.5); awk -F: '$3 < 1000 && $7 !~ /nologin|false/' /etc/passwd lists them.

2.2.4.19. Change log retention

  • Hardening method:
    Replace /etc/logrotate.conf with the following (vi /etc/logrotate.conf):

# see "man logrotate" for details
# rotate log files daily
#weekly
daily

# use the syslog group by default, since this is the owning group
# of /var/log/syslog.
su root syslog

# keep 90 days worth of backlogs
rotate 90

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    daily
    create 0664 root utmp
    rotate 3
}
/var/log/btmp {
    missingok
    daily
    create 0660 root utmp
    rotate 3
}
/var/log/secure {
    daily
    create 0640 root root
    compress
    rotate 90
}
/var/log/messages {
    daily
    create 0640 root root
    compress
    rotate 90
}
/var/log/audit/audit.log {
    daily
    create 0640 root root
    compress
    rotate 90
}
# system-specific logs may be configured here

    Details to keep straight: the rsyslog rule in 2.2.4.9.1 writes to /var/log/messages (with an s), so the stanza must name the same file or it never rotates. /var/log/secure holds authentication records and is created 0640; 0664 would make it world-readable. wtmp and btmp with daily and rotate 3 keep only three days of login history, which contradicts the 90-day requirement of 2.2.4.9.3; raise their rotate count or leave the Ubuntu default (monthly, rotate 1). auditd keeps audit.log open and rotates it itself (max_log_file and num_logs in /etc/audit/auditd.conf); a logrotate create on that file leaves auditd writing into the renamed file, so drop the audit.log stanza and reach 90 days through auditd.conf instead. /etc/logrotate.d/rsyslog still carries its own daily rotate 7 and weekly rotate 4 blocks, which override the global values for syslog, auth.log and the rest; 2.2.4.9.3 adjusts them.
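As an added example serving both 2.2.4.9.3 and this section (not part of the original page), the sh functions below compute the retention a logrotate configuration actually yields, per block and globally, and flag any scope under a minimum; the sample file is a constructed copy of the configuration above. It assumes a month is 30 days, handles daily, weekly and monthly only (no yearly or size-based rotation), and expects the opening brace on the path line.

```shell
#!/bin/sh
# Added example: how many days of history does a logrotate configuration
# keep, and which scopes fall below a minimum. logrotate semantics used
# here: a { } block starts from the global settings in force at that point
# and may override the frequency and rotate count inside the block.
# Assumptions: a month is 30 days; frequency is daily, weekly or monthly;
# the opening brace is on the same line as the (last) path of the block.

# logrotate_retention CONFIG_FILE -> "<scope> <days>" per block plus "global <days>"
#   (-1 when the frequency or the rotate count is unset, or rotate 0)
logrotate_retention() {
    awk '
    function period(word) {
        if (word == "daily") return 1
        if (word == "weekly") return 7
        if (word == "monthly") return 30
        return 0
    }
    function days(p, c) { return (p == 0 || c == 0) ? -1 : p * c }
    BEGIN { gp = 0; gc = 0 }
    /^[ \t]*#/ { next }                                                  # comment line
    index($0, "{") { name = $1; bp = gp; bc = gc; inblock = 1; next }    # block inherits globals
    index($0, "}") { printf "%s %d\n", name, days(bp, bc); inblock = 0; next }
    period($1) > 0 { if (inblock) bp = period($1); else gp = period($1) }
    $1 == "rotate"  { if (inblock) bc = $2 + 0; else gc = $2 + 0 }
    END { printf "global %d\n", days(gp, gc) }
    ' "$1"
}

# check_retention CONFIG_FILE MIN_DAYS -> prints every scope below MIN_DAYS;
# exit status 1 if there is at least one
check_retention() {
    logrotate_retention "$1" | awk -v min="$2" '$2 < min { print; bad = 1 } END { exit bad }'
}

# make_sample_logrotate_conf -> path of a constructed copy of the
# logrotate.conf shown above (sample, not read from a host)
make_sample_logrotate_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# rotate log files daily
daily
su root syslog
rotate 90
create
include /etc/logrotate.d
/var/log/wtmp {
    missingok
    daily
    create 0664 root utmp
    rotate 3
}
/var/log/btmp {
    missingok
    daily
    create 0660 root utmp
    rotate 3
}
/var/log/secure {
    daily
    create 0640 root root
    compress
    rotate 90
}
/var/log/messages {
    daily
    create 0640 root root
    compress
    rotate 90
}
EOF
    echo "$f"
}
```

Run check_retention /etc/logrotate.conf 90 and check_retention /etc/logrotate.d/rsyslog 90 after the sed edits of 2.2.4.9.3; the wtmp and btmp blocks above are what it will report, which is the contradiction noted in the text.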

2.2.4.20. Remove the Ubuntu version from the pre-login banner

: > /etc/issue        # was "Ubuntu 18.04.3 LTS \n \l", shown on the local console before login
: > /etc/issue.net    # was "Ubuntu 18.04.3 LTS", sent by sshd only when Banner /etc/issue.net is set
    Emptying the files keeps them in place for getty and sshd. The version is still visible in the SSH banner until 2.2.4.16 is applied, and in /etc/os-release and /etc/lsb-release to any local user, which is not worth hiding. If a legal warning is wanted before login, put the 2.2.4.12 text in /etc/issue.net and set Banner /etc/issue.net in sshd_config.
