13、麒麟操作系统等保的加固
设置密码策略
# Password ageing for one existing account ('username' is a placeholder):
#   --mindays 8   at least 8 days must pass between two password changes
#   --maxdays 90  the password expires 90 days after it was last changed
#   --warndays 7  the user is warned during the 7 days before expiry
# NOTE(review): chage controls password *age* only. If the 8 was meant as a
# minimum password length, that is a pam_pwquality setting (minlen), not a
# chage option -- confirm the intent.
# Accounts created later take their defaults from /etc/login.defs
# (PASS_MIN_DAYS, PASS_MAX_DAYS, PASS_WARN_AGE), so set those as well.
chage --mindays 8 --maxdays 90 --warndays 7 username
设置登录限制及锁定
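# Account lockout after repeated failed logins.
#
# The thresholds are arguments of the pam_tally2.so *module* and belong in the
# PAM stack; the pam_tally2 command only displays or resets counters and does
# not accept deny/lock-time options. Add lines like these to the PAM auth file
# used on this release (for example /etc/pam.d/system-auth or /etc/pam.d/sshd;
# the exact file name varies -- confirm on the target system):
#
#   auth     required  pam_tally2.so deny=5 unlock_time=600
#   account  required  pam_tally2.so
#
# NOTE(review): the original text said "lock-time=600". unlock_time=600 (unlock
# 10 minutes after the 5th failure) is assumed to be the intent; lock_time=N
# instead delays every login for N seconds after any single failure.
# NOTE(review): newer Linux-PAM releases drop pam_tally2 in favour of
# pam_faillock; check which module this system ships.
#
# Show the current failure counter for the account ('username' is a placeholder).
pam_tally2 --user username

# Clear the counter, which unlocks the account. Look at the failed-login
# records first: a tripped lockout may be evidence of password guessing.
pam_tally2 --user username --reset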
设置登录空闲超时
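# Idle-session timeout: an interactive shell that receives no input for 1800
# seconds (30 minutes) exits.
# Typing these lines at a prompt only affects that one shell. To enforce the
# timeout for every login, place them in a system-wide profile script such as
# /etc/profile.d/tmout.sh.
# readonly stops a user from unsetting or raising the value inside the session.
TMOUT=1800
readonly TMOUT
export TMOUT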
建立三个账户并实现权限分离
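# Three separate accounts for the three administrative roles (system
# administrator, security administrator, audit administrator).
# useradd creates each account without a usable password; set one with
# 'passwd <account>' before handing the account over.
useradd qwer
useradd qazx
useradd wsxc

# Only the system administrator account goes into wheel. wheel typically grants
# full root via sudo/su, so adding all three accounts to it would give them
# identical privileges and defeat the separation this step is meant to achieve.
# -a appends to the supplementary groups; a bare -G would replace them.
# NOTE(review): the page does not say which account holds which role; qwer as
# system administrator is an assumption -- adjust to the real assignment.
usermod -aG wheel qwer

# qazx and wsxc are deliberately NOT added to wheel. Give the security and audit
# roles only the commands they need through narrowly scoped sudoers entries
# (edit with visudo), e.g. read-only access to audit logs for the auditor.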
删除无用的账户
# Delete an account that is no longer needed ('username' is a placeholder).
# Without -r the home directory and mail spool stay on disk, and files owned by
# the old UID anywhere else are left behind; a later account that reuses the UID
# would inherit them, so locate and reassign or remove them afterwards.
# Check first that the account owns no running processes, cron jobs or services.
userdel username
禁止root远程登录
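# Forbid direct root login over SSH.
# The pattern rewrites the directive whatever its current value and whether or
# not it is commented out. Matching only the literal "PermitRootLogin yes"
# would turn "#PermitRootLogin yes" into a still-commented line and leave the
# compiled-in default in force.
# Straight quotes are required; typographic quotes are not shell quoting.
sed -i -E 's/^[#[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config

# Validate the file before restarting so that a broken config cannot lock out
# remote access. Keep the current session open, and confirm that a non-root
# administrative account can log in before closing it.
sshd -t && systemctl restart sshd

# Print the value sshd actually applies. If this does not say "no", the
# directive is missing from the main file or is overridden by an included
# drop-in file or a Match block.
sshd -T | grep -i '^permitrootlogin'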
开启SSH,关闭Telnet
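# Make sure SSH is running now and starts at boot.
systemctl enable --now sshd

# Turn Telnet off. --now stops the running listener as well; 'disable' alone
# only affects the next boot and leaves port 23 open until then.
# NOTE(review): the unit name depends on how telnet-server is packaged; it is
# commonly the socket unit telnet.socket rather than a plain service. Confirm
# with: systemctl list-unit-files | grep -i telnet
# If Telnet is served through xinetd, disable it there instead.
systemctl disable --now telnet.socket

# Afterwards confirm nothing listens on TCP 23 (for example with 'ss -tln'),
# and consider removing the telnet-server package altogether.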
关闭未使用的端口
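# Review what the public zone currently exposes before changing anything.
firewall-cmd --zone=public --list-all

# Close a port that is not needed. 'port/protocol' is a placeholder such as
# 8080/tcp (constructed example).
# --remove-port closes the port; --add-port would OPEN it, which is the opposite
# of this step's purpose. Entries opened by service name are removed with
# --remove-service=<name> instead.
firewall-cmd --zone=public --remove-port=port/protocol --permanent

# --permanent only edits the stored configuration; reload to apply it.
firewall-cmd --reload

# Closing the firewall port does not stop the daemon behind it. Identify the
# listener (for example with 'ss -tulnp') and disable the service if it is
# not required.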
配置登录限制及白名单
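# Source allow-list and port blocks on the INPUT chain.
# Options need a double hyphen (--dport); a typographic dash is rejected.
#
# -A appends after whatever rules already exist, and iptables stops at the first
# match: list the chain first (iptables -L INPUT -n --line-numbers) and make
# sure no earlier ACCEPT rule shadows the DROP rules below.
# These rules do not survive a reboot unless saved (iptables-save or the
# distribution's persistence service). Do not manage the same host with both
# raw iptables and firewalld; pick one.

# Allow ICMP (ping, path-MTU discovery and similar control messages).
iptables -A INPUT -p icmp -j ACCEPT

# Allow all TCP from the trusted management host. Because this rule comes first,
# that host can also reach the ports dropped below.
iptables -A INPUT -p tcp -s 192.168.1.5 -j ACCEPT

# Drop the listed TCP ports for every other source.
# NOTE(review): 134 is kept as written, but the usual set blocked together with
# 139 and 445 is 135 (RPC endpoint mapper) -- confirm the intended port.
iptables -A INPUT -p tcp --dport 134 -j DROP
iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p tcp --dport 139 -j DROP

# NOTE(review): with the default INPUT policy left at ACCEPT this is a block-list
# of three ports, not an allow-list: every other port stays reachable from any
# source. A real allow-list also needs accept rules for loopback and for
# established connections, followed by a default-drop policy. Apply that from a
# console session, since a mistake cuts off remote access.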
配置日志及远程监控
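# Forward logs to the central log host 192.168.1.1.
# Straight quotes are required; typographic quotes are not shell quoting.

# Uncomment the SyslogHost line.
# NOTE(review): stock rsyslog.conf files normally have no "SyslogHost"
# directive; forwarding is usually a rule such as "*.* @@192.168.1.1:514"
# (@@ = TCP, @ = UDP) or an omfwd action. Check that this line exists in the
# local file, otherwise the command changes nothing.
sed -i 's/^#SyslogHost/SyslogHost/g' /etc/rsyslog.conf

# Point the target at the log host. The dots are escaped so that only the
# literal address 127.0.0.1 is rewritten; an unescaped '.' matches any character.
# This still replaces every occurrence in the file, so review the result.
sed -i 's/127\.0\.0\.1/192.168.1.1/g' /etc/rsyslog.conf

# Check the configuration before restarting so a syntax error cannot silently
# stop logging.
rsyslogd -N1 && systemctl restart rsyslog

# Plain syslog forwarding is unauthenticated and unencrypted; restrict it to a
# trusted management network or enable TLS transport on both ends.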
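# Restrict the SNMP community mapping in snmpd.conf.
# 'your_snmp_community' is a placeholder: replace it with a long random string,
# never 'public' or 'private'.
# Straight quotes are required; typographic quotes are not shell quoting.

# Replace the default mapping with one that only accepts queries from localhost.
sed -i 's/^com2sec notConfigUser.*/com2sec local localhost your_snmp_community/g' /etc/snmp/snmpd.conf

# The original second command is kept here only as a comment:
#   sed -i 's/^com2sec notConfigUser.*/com2sec public default your_snmp_community/g' /etc/snmp/snmpd.conf
# After the command above no "com2sec notConfigUser" line is left, so it would
# match nothing. If it did apply, the source 'default' would accept the community
# from ANY address. To let a monitoring station poll this host, add a com2sec
# line whose source is that station's address or subnet instead.

# NOTE(review): default snmpd.conf files usually map the security name to a
# group ("group ... notConfigUser"); after renaming it to 'local' the group
# lines must reference the new name or queries will be refused -- verify.
# SNMP v1/v2c sends the community string in clear text; prefer SNMPv3 with
# authentication and privacy where the monitoring system supports it.
systemctl restart snmpd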