内容大纲
内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
1. 系统安全加固概述
系统安全加固是通过配置安全策略、限制访问、加强认证等方式,提高系统安全性的过程。
# 账户安全加固:加强账户认证和授权
# 网络安全加固:加强网络安全配置
# 文件系统安全加固:加强文件系统权限
# 系统服务安全加固:加强系统服务安全
# 内核安全加固:加强内核安全配置
# 安全审计:配置安全审计和日志
2. 账户安全加固
加强账户认证和授权。
# 1. Set the password policy
# NOTE(review): `cat >` replaces the whole of /etc/login.defs with the lines below, so any
# other setting the file held is lost and falls back to built-in defaults. Back the file up
# first, or change only these keys in place.
# NOTE(review): the PASS_* ageing values are presumably applied when an account is created;
# existing accounts would need `chage` - confirm against the shadow-utils documentation.
[root@localhost ~]# cat > /etc/login.defs << 'EOF'
# 密码策略配置
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 8
PASS_WARN_AGE 7
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
EOF
# 2. Configure password complexity
# The here-doc overwrites /etc/security/pwquality.conf with the settings below.
# A negative *credit value means "at least that many characters of this class", so all four
# classes are required here and minclass = 3 adds nothing further.
[root@localhost ~]# cat > /etc/security/pwquality.conf << 'EOF'
# 密码复杂度配置
minlen = 8
minclass = 3
maxrepeat = 3
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
EOF
# 3. Disable remote root login
# NOTE(review): this sed only rewrites a line reading exactly `#PermitRootLogin yes`. If the
# file carries a different default or an already uncommented directive, nothing changes and
# sed still exits 0. Confirm the effective value afterwards with
# `sshd -T | grep -i permitrootlogin`.
[root@localhost ~]# sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# Run `sshd -t` before restarting so a syntax error does not leave the daemon down.
[root@localhost ~]# systemctl restart sshd
# 4. Configure SSH key authentication (password logins are switched off)
# NOTE(review): same exact-match limitation as above. Before restarting, verify that an
# administrative account can log in with a key and keep the current session open;
# otherwise this step can lock every remote user out.
[root@localhost ~]# sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
[root@localhost ~]# systemctl restart sshd
# 5. Tighten sudo defaults
# These Defaults set the credential cache timeout, the lecture, pty allocation and a log
# file; they do not restrict which users may run sudo.
# NOTE(review): a syntax error in a sudoers.d drop-in can make sudo refuse to run. Validate
# with `visudo -cf /etc/sudoers.d/security` and keep a root shell open until it passes;
# sudoers files are conventionally mode 0440 - confirm the mode of the new file.
[root@localhost ~]# cat > /etc/sudoers.d/security << 'EOF'
# 限制sudo用户
Defaults timestamp_timeout=15
Defaults lecture=always
Defaults use_pty
Defaults logfile="/var/log/sudo.log"
EOF
# 6. Configure the PAM policy
# The here-doc replaces /etc/pam.d/system-auth wholesale. Keep a root shell open and test a
# fresh login before closing it: a broken PAM stack blocks every login.
# NOTE(review): where authselect manages this file, manual edits are presumably overwritten
# on the next profile change - confirm and use an authselect profile instead.
# NOTE(review): only the pam_faillock `preauth` line is present. As far as the pam_faillock
# documentation goes, failures are recorded by a separate `authfail` line and an `account`
# pam_faillock entry is also expected; without them deny=5 likely never triggers - confirm.
# NOTE(review): `nullok` on the pam_unix lines permits accounts with an empty password to
# authenticate; drop it unless that is intended.
# NOTE(review): sshd may read password-auth rather than system-auth on this platform; if so
# the same policy has to be applied there - verify against /etc/pam.d/sshd.
[root@localhost ~]# cat > /etc/pam.d/system-auth << 'EOF'
# PAM策略配置
auth required pam_env.so
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
# 7. 查看用户列表
[root@localhost ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/usr/sbin/nologin
dbus:x:81:81:System message bus:/:/usr/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
nginx:x:996:994:Nginx web server:/var/lib/nginx:/sbin/nologin
mysql:x:995:993:MySQL Server:/var/lib/mysql:/sbin/nologin
user1:x:1000:1000::/home/user1:/bin/bash
user2:x:1001:1001::/home/user2:/bin/bash
3. 网络安全加固
加强网络安全配置。
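# 1. Configure the firewall
# The option dashes and quotes on this listing had been typeset as en-dashes and curly
# quotes, which firewall-cmd does not parse; they are restored to ASCII here.
[root@localhost ~]# firewall-cmd --set-default-zone=public
success
[root@localhost ~]# firewall-cmd --permanent --add-service=ssh
success
[root@localhost ~]# firewall-cmd --permanent --add-service=http
success
[root@localhost ~]# firewall-cmd --permanent --add-service=https
success
[root@localhost ~]# firewall-cmd --reload
success
# 2. Restrict network access
# NOTE(review): for rich rules without a priority, firewalld is documented to evaluate
# reject/drop rules before accept rules and before the zone's services. The 0.0.0.0/0 reject
# below is therefore expected to match first and cut off all IPv4 traffic to this zone after
# the reload, including the SSH session used to apply it. Test from a console, and prefer
# binding the trusted network as a source of a dedicated zone - confirm on a test host.
[root@localhost ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
success
[root@localhost ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" reject'
success
[root@localhost ~]# firewall-cmd --reload
success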
# 3. 配置网络参数
[root@localhost ~]# cat > /etc/sysctl.d/99-network-security.conf << 'EOF'
# 网络安全参数
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
# 4. 应用网络参数
[root@localhost ~]# sysctl -p /etc/sysctl.d/99-network-security.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# 5. 配置TCP参数
[root@localhost ~]# cat > /etc/sysctl.d/99-tcp-security.conf << 'EOF'
# TCP安全参数
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
EOF
# 6. 应用TCP参数
[root@localhost ~]# sysctl -p /etc/sysctl.d/99-tcp-security.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
# 7. 查看防火墙规则
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http https ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" accept
rule family="ipv4" source address="0.0.0.0/0" reject
4. 文件系统安全加固
加强文件系统权限。
# 1. Set permissions on important files
# NOTE(review): check the current modes first (`stat -c '%a %U:%G %n' FILE`). A distribution
# that ships /etc/shadow or /etc/gshadow stricter than 600 would be loosened by these
# commands rather than hardened.
[root@localhost ~]# chmod 600 /etc/shadow
[root@localhost ~]# chmod 600 /etc/gshadow
[root@localhost ~]# chmod 644 /etc/passwd
[root@localhost ~]# chmod 644 /etc/group
[root@localhost ~]# chmod 700 /root
# NOTE(review): 755 lets every local user list and enter every home directory. If the
# directories were created 700 or 750 this loosens them; keep the stricter mode unless
# other users need access.
[root@localhost ~]# chmod 755 /home/*
# 2. Review SUID/SGID files
# This command only lists files; it changes nothing. `-perm -4000` matches the setuid bit
# alone, so setgid files (bit 2000) are not shown; with GNU find, `-perm /6000` lists both.
# Compare the result with a known-good baseline for the installed packages.
[root@localhost ~]# find / -perm -4000 -type f -exec ls -l {} \;
-rwsr-xr-x. 1 root root 123456 Jan 11 18:35 /usr/bin/passwd
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/chsh
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/chfn
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/newgrp
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/su
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/sudo
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/pkexec
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/chage
-rwsr-xr-x. 1 root root 12345 Jan 11 18:35 /usr/bin/crontab
# 3. Find ownerless files
# The two tests are ANDed: only files whose UID and GID are both unknown are printed. Use
# `\( -nouser -o -nogroup \)` to also catch files missing just one of the two.
[root@localhost ~]# find / -nouser -nogroup -type f
/tmp/test.txt
# 4. 设置文件系统挂载选项
[root@localhost ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Wed Jan 11 18:35:18 2023
#
# Accessible filesystems, by reference, are maintained under ‘/dev/disk/’.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run ‘systemctl daemon-reload’ to update systemd
# units generated from this file.
#
/dev/mapper/rootvg-rootlv / xfs defaults,noatime 0 0
UUID=1234-5678 /boot ext4 defaults,noatime 0 0
/dev/mapper/rootvg-swaplv none swap defaults 0 0
/dev/mapper/rootvg-datalv /data xfs defaults,noatime 0 0
/dev/sdb1 /backup xfs defaults,noatime 0 0
# 5. 配置文件系统权限
[root@localhost ~]# cat > /etc/sysctl.d/99-filesystem-security.conf << 'EOF'
# 文件系统安全参数
fs.protected_regular = 1
fs.protected_fifos = 1
fs.suid_dumpable = 0
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 2
EOF
# 6. 应用文件系统参数
[root@localhost ~]# sysctl -p /etc/sysctl.d/99-filesystem-security.conf
fs.protected_regular = 1
fs.protected_fifos = 1
fs.suid_dumpable = 0
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 2
# 7. Configure SELinux
# setenforce changes the running mode only; the sed makes it persistent.
# NOTE(review): the sed rewrites the config only when it currently reads
# SELINUX=permissive. With SELINUX=disabled nothing is changed and setenforce 1 fails;
# enabling SELinux from the disabled state needs a reboot and a filesystem relabel.
[root@localhost ~]# setenforce 1
[root@localhost ~]# sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
[root@localhost ~]# getenforce
Enforcing
风哥提示:
5. 系统服务安全加固
加强系统服务安全。
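# 1. List system services
# The option prefix had been typeset as an en-dash; restored to `--`.
[root@localhost ~]# systemctl list-unit-files --type=service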
UNIT FILE STATE VENDOR PRESET
auditd.service enabled enabled
chronyd.service enabled enabled
crond.service enabled enabled
dbus-broker.service enabled enabled
firewalld.service enabled enabled
NetworkManager.service enabled enabled
sshd.service enabled enabled
systemd-logind.service enabled enabled
systemd-udevd.service enabled-runtime enabled
mysqld.service disabled disabled
nginx.service disabled disabled
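# 2. Disable unnecessary services
# The legacy cleartext remote-access sockets are stopped and disabled in one step. The
# option prefix had been typeset as an en-dash; restored to `--now`.
[root@localhost ~]# systemctl disable --now telnet.socket
Removed /etc/systemd/system/multi-user.target.wants/telnet.socket.
[root@localhost ~]# systemctl disable --now rsh.socket
Removed /etc/systemd/system/multi-user.target.wants/rsh.socket.
[root@localhost ~]# systemctl disable --now rexec.socket
Removed /etc/systemd/system/multi-user.target.wants/rexec.socket.
[root@localhost ~]# systemctl disable --now rlogin.socket
Removed /etc/systemd/system/multi-user.target.wants/rlogin.socket.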
# 3. Configure the SSH service
# NOTE(review): the here-doc replaces /etc/ssh/sshd_config wholesale, so every directive of
# the shipped file that is not repeated below is dropped. Back the file up and diff it
# against the original before restarting.
# NOTE(review): AllowUsers and AllowGroups are both set; per sshd_config(5) a login has to
# satisfy both, so user1 and user2 must also be members of wheel.
# NOTE(review): with PasswordAuthentication no, confirm a working key for one of the
# allowed users before restarting, and keep the current session open.
# NOTE(review): `Protocol` is presumably treated as deprecated by current OpenSSH releases
# and can be removed there - confirm for the installed version.
[root@localhost ~]# cat > /etc/ssh/sshd_config << 'EOF'
# SSH服务配置
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers user1 user2
AllowGroups wheel
EOF
# 4. Restart the SSH service
# Run `sshd -t` first; a restart with an invalid file leaves sshd stopped.
[root@localhost ~]# systemctl restart sshd
# 5. Configure the audit service
# The rules watch the account databases, /etc/sudoers, the audit log directory and
# /var/log/secure for writes and attribute changes, and record every execve call.
# NOTE(review): /etc/sudoers.d/ is not watched although this page writes a drop-in there;
# add a watch for the directory if sudo policy changes should be audited.
# NOTE(review): the two execve rules log every program start and can produce a very large
# volume of events; size and rotate /var/log/audit accordingly.
[root@localhost ~]# cat > /etc/audit/rules.d/audit.rules << 'EOF'
# 审计规则
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k sudo
-w /var/log/audit/ -p wa -k audit
-w /var/log/secure -p wa -k logins
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
EOF
# 6. Restart the audit service
# NOTE(review): some distributions refuse a manual restart of auditd through systemctl;
# `augenrules --load` reloads the rules from rules.d without a restart - confirm which
# applies here, then check the loaded set with `auditctl -l`.
[root@localhost ~]# systemctl restart auditd
# 7. 配置日志服务
[root@localhost ~]# cat > /etc/rsyslog.d/security.conf << 'EOF'
# 安全日志配置
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
EOF
# 8. 重启日志服务
[root@localhost ~]# systemctl restart rsyslog
6. 实战案例
系统安全加固实战案例。
# 1. Create the security hardening script
# NOTE(review): the outer here-doc below ends at the first line that consists solely of
# EOF. Any inner here-doc in the script body that is also terminated by EOF cuts the file
# off at that point, and the remaining lines are then run by the interactive root shell.
# Give the outer here-doc (and its closing line) a delimiter that the body never uses.
[root@localhost ~]# cat > /usr/local/bin/security-hardening.sh << 'EOF'
#!/bin/bash
# script.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
# 安全加固脚本
LOG_FILE="/var/log/security-hardening.log"
# 记录日志函数
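#######################################
# Append one timestamped line to the log file.
# Globals:   LOG_FILE (read) - path of the log file
# Arguments: $1 - message text
# Outputs:   appends "[YYYY-MM-DD HH:MM:SS] message" to $LOG_FILE
#######################################
log() {
  # Quote the path so a value with spaces or glob characters is not split or expanded;
  # printf keeps a message starting with "-" from being read as an echo option.
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}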
# 账户安全加固
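#######################################
# Set one key in /etc/login.defs without discarding the rest of the file.
# An existing uncommented line for the key is replaced; otherwise the entry is appended.
# Arguments: $1 - key, $2 - value
#######################################
_set_login_def() {
  local key=$1 value=$2
  local defs=/etc/login.defs
  if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$defs"; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$defs"
  else
    printf '%s %s\n' "$key" "$value" >> "$defs"
  fi
}

#######################################
# Account hardening: password ageing, password complexity, no remote root login.
# Globals:   none (logs through log())
# Outputs:   edits /etc/login.defs, rewrites /etc/security/pwquality.conf,
#            edits /etc/ssh/sshd_config and restarts sshd
#######################################
harden_accounts() {
  log "Hardening accounts..."

  # Password policy. Only these keys are changed; overwriting the whole file would drop
  # every other setting it carries.
  # NOTE(review): the ageing values presumably apply to newly created accounts only;
  # existing accounts would need `chage` - confirm.
  _set_login_def PASS_MAX_DAYS 90
  _set_login_def PASS_MIN_DAYS 7
  _set_login_def PASS_MIN_LEN 8
  _set_login_def PASS_WARN_AGE 7
  _set_login_def LOGIN_RETRIES 5
  _set_login_def LOGIN_TIMEOUT 60

  # Password complexity. The terminator is deliberately not EOF, so that writing this
  # script through an outer `<< 'EOF'` here-doc does not end at this line.
  cat > /etc/security/pwquality.conf << 'PWQUALITY_CONF'
minlen = 8
minclass = 3
maxrepeat = 3
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
PWQUALITY_CONF

  # Disable remote root login. Match the directive whatever its current value and whether
  # or not it is commented out; matching only "#PermitRootLogin yes" silently does nothing
  # on files that carry a different default.
  # NOTE(review): a drop-in pulled in by an Include directive could still override this;
  # check the effective value with `sshd -T`.
  sed -i -E 's/^[#[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config

  # Restart only when the edited file passes the syntax check, so a bad edit cannot leave
  # sshd down.
  if sshd -t; then
    systemctl restart sshd
  else
    log "sshd_config failed validation; sshd not restarted."
  fi

  log "Accounts hardened."
}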
# 网络安全加固
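#######################################
# Network hardening: firewalld services and IPv4 sysctl settings.
# Globals:   none (logs through log())
# Outputs:   changes the firewalld default zone and permanent services, writes
#            /etc/sysctl.d/99-network-security.conf and applies it
#######################################
harden_network() {
  log "Hardening network..."

  # Firewall: public default zone with ssh, http and https allowed.
  # NOTE(review): http/https are opened unconditionally; drop them on hosts that do not
  # serve web traffic.
  firewall-cmd --set-default-zone=public
  firewall-cmd --permanent --add-service=ssh
  firewall-cmd --permanent --add-service=http
  firewall-cmd --permanent --add-service=https
  firewall-cmd --reload

  # Kernel network parameters. The terminator is deliberately not EOF, so that writing
  # this script through an outer `<< 'EOF'` here-doc does not end at this line.
  cat > /etc/sysctl.d/99-network-security.conf << 'NETWORK_SYSCTL'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
NETWORK_SYSCTL
  sysctl -p /etc/sysctl.d/99-network-security.conf

  log "Network hardened."
}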
# 文件系统安全加固
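#######################################
# Filesystem hardening: file modes, fs/kernel sysctl settings, SELinux enforcing mode.
# Globals:   none (logs through log())
# Outputs:   chmods account databases and /root, writes
#            /etc/sysctl.d/99-filesystem-security.conf and applies it,
#            switches SELinux to enforcing when it is enabled
#######################################
harden_filesystem() {
  log "Hardening filesystem..."

  # Modes for the account databases and root's home.
  # NOTE(review): check the current modes first; a distribution that ships /etc/shadow or
  # /etc/gshadow stricter than 600 would be loosened by these commands.
  chmod 600 /etc/shadow
  chmod 600 /etc/gshadow
  chmod 644 /etc/passwd
  chmod 644 /etc/group
  chmod 700 /root

  # Filesystem and kernel parameters. The terminator is deliberately not EOF, so that
  # writing this script through an outer `<< 'EOF'` here-doc does not end at this line.
  cat > /etc/sysctl.d/99-filesystem-security.conf << 'FILESYSTEM_SYSCTL'
fs.protected_regular = 1
fs.protected_fifos = 1
fs.suid_dumpable = 0
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 2
FILESYSTEM_SYSCTL
  sysctl -p /etc/sysctl.d/99-filesystem-security.conf

  # SELinux: setenforce only works while SELinux is enabled. Enabling it from the
  # disabled state needs a reboot and a relabel, so that case is logged and left alone
  # instead of failing silently.
  case "$(getenforce 2> /dev/null)" in
    Enforcing | Permissive)
      setenforce 1
      sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
      ;;
    *)
      log "SELinux is disabled or not installed; mode left unchanged."
      ;;
  esac

  log "Filesystem hardened."
}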
# 系统服务安全加固
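#######################################
# Service hardening: legacy remote-access sockets, sshd configuration, audit rules.
# Globals:   none (logs through log())
# Outputs:   disables telnet/rsh/rexec/rlogin sockets, rewrites /etc/ssh/sshd_config
#            (after saving a backup) and restarts sshd, rewrites
#            /etc/audit/rules.d/audit.rules and restarts auditd
#######################################
harden_services() {
  local sshd_backup

  log "Hardening services..."

  # Disable cleartext remote-access services.
  systemctl disable --now telnet.socket
  systemctl disable --now rsh.socket
  systemctl disable --now rexec.socket
  systemctl disable --now rlogin.socket

  # SSH service. The file is replaced wholesale, so keep a copy to fall back to.
  # NOTE(review): directives of the shipped file that are not repeated below are dropped;
  # diff the backup against the new file.
  # NOTE(review): PasswordAuthentication no locks out every account without a working
  # key; verify key login before running this on a remote host.
  sshd_backup="/etc/ssh/sshd_config.bak.$(date '+%Y%m%d%H%M%S')"
  cp -p /etc/ssh/sshd_config "$sshd_backup"

  # The terminator is deliberately not EOF, so that writing this script through an outer
  # `<< 'EOF'` here-doc does not end at this line.
  cat > /etc/ssh/sshd_config << 'SSHD_CONFIG'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
SSHD_CONFIG

  # Restart only when the new file passes the syntax check; otherwise restore the backup
  # so the next restart or reboot does not leave sshd down.
  if sshd -t; then
    systemctl restart sshd
  else
    log "New sshd_config failed validation; restoring $sshd_backup."
    cp -p "$sshd_backup" /etc/ssh/sshd_config
  fi

  # Audit rules: watch the account databases, sudoers, the audit log and the auth log.
  # NOTE(review): /etc/sudoers.d/ is not watched; add it if drop-ins are in use.
  cat > /etc/audit/rules.d/audit.rules << 'AUDIT_RULES'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k sudo
-w /var/log/audit/ -p wa -k audit
-w /var/log/secure -p wa -k logins
AUDIT_RULES
  # NOTE(review): some distributions refuse a manual restart of auditd through systemctl;
  # `augenrules --load` reloads rules.d without a restart - confirm which applies here.
  systemctl restart auditd

  log "Services hardened."
}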
# 主函数
#######################################
# Entry point: run the four hardening stages in order, logging start and end.
# Globals:   none (logs through log())
#######################################
main() {
  local stage

  log "Starting security hardening..."
  for stage in harden_accounts harden_network harden_filesystem harden_services; do
    "$stage"
  done
  log "Security hardening completed."
}
# 执行主函数
main
EOF
# 2. 设置脚本执行权限
[root@localhost ~]# chmod +x /usr/local/bin/security-hardening.sh
# 3. 创建日志文件
[root@localhost ~]# touch /var/log/security-hardening.log
[root@localhost ~]# chmod 644 /var/log/security-hardening.log
# 4. 测试安全加固脚本
[root@localhost ~]# /usr/local/bin/security-hardening.sh
# 5. 查看日志
[root@localhost ~]# tail -f /var/log/security-hardening.log
[2026-04-03 10:00:00] Starting security hardening...
[2026-04-03 10:00:01] Hardening accounts...
[2026-04-03 10:00:02] Accounts hardened.
[2026-04-03 10:00:03] Hardening network...
[2026-04-03 10:00:04] Network hardened.
[2026-04-03 10:00:05] Hardening filesystem...
[2026-04-03 10:00:06] Filesystem hardened.
[2026-04-03 10:00:07] Hardening services...
[2026-04-03 10:00:08] Services hardened.
[2026-04-03 10:00:09] Security hardening completed.
# 6. 创建安全检查脚本
[root@localhost ~]# cat > /usr/local/bin/security-check.sh << 'EOF'
#!/bin/bash
# 安全检查脚本
LOG_FILE="/var/log/security-check.log"
REPORT_FILE="/var/log/security-check-report.txt"
# 记录日志函数
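#######################################
# Append one timestamped line to the log file.
# Globals:   LOG_FILE (read) - path of the log file
# Arguments: $1 - message text
# Outputs:   appends "[YYYY-MM-DD HH:MM:SS] message" to $LOG_FILE
#######################################
log() {
  # Quote the path so a value with spaces or glob characters is not split or expanded;
  # printf keeps a message starting with "-" from being read as an echo option.
  printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOG_FILE"
}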
# 检查账户安全
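#######################################
# Report accounts with an empty password field and every account with UID 0.
# Globals:   REPORT_FILE (read) - report path, appended to
#            EMPTY_PASSWORD, ROOT_USERS (written)
# Outputs:   appends the "Account Security Check" section to $REPORT_FILE
#######################################
check_accounts() {
  # The listing had curly quotes and an ellipsis character in place of ASCII quotes and
  # "..."; bash treats those as ordinary characters, so the function did not parse.
  log "Checking accounts..."
  {
    echo "=== Account Security Check ==="
    echo ""
  } >> "$REPORT_FILE"

  # Accounts whose password field in /etc/shadow is empty can log in without a password.
  EMPTY_PASSWORD=$(awk -F: '($2 == "") {print $1}' /etc/shadow)
  if [ -n "$EMPTY_PASSWORD" ]; then
    echo "WARNING: Users with empty password: $EMPTY_PASSWORD" >> "$REPORT_FILE"
  fi

  # Every account with UID 0 has root privileges; normally only root is expected here.
  ROOT_USERS=$(awk -F: '($3 == 0) {print $1}' /etc/passwd)
  {
    echo "Users with UID 0: $ROOT_USERS"
    echo ""
  } >> "$REPORT_FILE"
}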
# 检查网络安全
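#######################################
# Report whether firewalld is active and which local addresses are listening on TCP.
# Globals:   REPORT_FILE (read) - report path, appended to
#            FIREWALL_STATUS, LISTENING_PORTS (written)
# Outputs:   appends the "Network Security Check" section to $REPORT_FILE
#######################################
check_network() {
  # Curly quotes and en-dashes from the listing are restored to ASCII.
  log "Checking network..."
  {
    echo "=== Network Security Check ==="
    echo ""
  } >> "$REPORT_FILE"

  # Firewall state as reported by systemd (active / inactive / failed ...).
  FIREWALL_STATUS=$(systemctl is-active firewalld)
  echo "Firewall status: $FIREWALL_STATUS" >> "$REPORT_FILE"

  # Listening TCP sockets; the fourth column of the ss output is taken as the local
  # address:port.
  LISTENING_PORTS=$(ss -tlnp | awk '/LISTEN/ {print $4}' | sort -u)
  # The original printed $LISTEN_PORTS, a name that is never assigned, so this line was
  # always empty.
  {
    echo "Listening ports: $LISTENING_PORTS"
    echo ""
  } >> "$REPORT_FILE"
}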
# 检查文件系统安全
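#######################################
# Report setuid files and files whose owner or group no longer exists.
# Globals:   REPORT_FILE (read) - report path, appended to
#            SUID_FILES, ORPHAN_FILES (written)
# Outputs:   appends the "Filesystem Security Check" section to $REPORT_FILE
#######################################
check_filesystem() {
  # Curly quotes from the listing are restored to ASCII.
  log "Checking filesystem..."
  {
    echo "=== Filesystem Security Check ==="
    echo ""
  } >> "$REPORT_FILE"

  # Setuid files only (bit 4000); compare the list with a known-good baseline.
  SUID_FILES=$(find / -perm -4000 -type f 2> /dev/null)
  echo "SUID files: $SUID_FILES" >> "$REPORT_FILE"

  # A file is orphaned when its UID or its GID has no matching account. The original
  # tests were ANDed and missed files lacking only one of the two.
  ORPHAN_FILES=$(find / \( -nouser -o -nogroup \) -type f 2> /dev/null)
  if [ -n "$ORPHAN_FILES" ]; then
    echo "WARNING: Orphan files: $ORPHAN_FILES" >> "$REPORT_FILE"
  fi
  echo "" >> "$REPORT_FILE"
}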
# 检查系统服务
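#######################################
# Report failed systemd units and the current SELinux mode.
# Globals:   REPORT_FILE (read) - report path, appended to
#            FAILED_SERVICES, SELINUX_STATUS (written)
# Outputs:   appends the "System Services Check" section to $REPORT_FILE
#######################################
check_services() {
  # Curly quotes and the en-dash before "failed" are restored to ASCII.
  log "Checking services..."
  {
    echo "=== System Services Check ==="
    echo ""
  } >> "$REPORT_FILE"

  # --plain and --no-legend drop the status bullet and the header/footer, so the first
  # column is always the unit name; with the default layout a failed unit's line starts
  # with the bullet and awk would print that instead.
  FAILED_SERVICES=$(systemctl list-units --failed --plain --no-legend | awk '{print $1}')
  if [ -n "$FAILED_SERVICES" ]; then
    echo "WARNING: Failed services: $FAILED_SERVICES" >> "$REPORT_FILE"
  fi

  # Current SELinux mode as printed by getenforce.
  SELINUX_STATUS=$(getenforce)
  {
    echo "SELinux status: $SELINUX_STATUS"
    echo ""
  } >> "$REPORT_FILE"
}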
# 主函数
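#######################################
# Entry point: start a fresh report, run the four checks in order, log start and end.
# Globals:   REPORT_FILE (read) - report path, truncated here
#######################################
main() {
  # Curly quotes from the listing are restored to ASCII.
  log "Starting security check..."

  # Start from an empty report. It lists accounts and privileged files, so keep it
  # readable by its owner only.
  : > "$REPORT_FILE"
  chmod 600 "$REPORT_FILE"

  check_accounts
  check_network
  check_filesystem
  check_services

  log "Security check completed. Report saved to $REPORT_FILE"
}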
# 执行主函数
main
EOF
# 7. 设置脚本执行权限
[root@localhost ~]# chmod +x /usr/local/bin/security-check.sh
# 8. 测试安全检查脚本
[root@localhost ~]# /usr/local/bin/security-check.sh
# 9. 查看报告
[root@localhost ~]# cat /var/log/security-check-report.txt
=== Account Security Check ===
Users with UID 0: root
=== Network Security Check ===
Firewall status: active
Listening ports: :22 :80 :443
=== Filesystem Security Check ===
SUID files: /usr/bin/passwd /usr/bin/gpasswd /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/su /usr/bin/sudo /usr/bin/pkexec /usr/bin/chage /usr/bin/crontab
=== System Services Check ===
SELinux status: Enforcing
# 10. 查看日志
[root@localhost ~]# tail -f /var/log/security-check.log
[2026-04-03 10:00:00] Starting security check…
[2026-04-03 10:00:01] Checking accounts…
[2026-04-03 10:00:02] Checking network…
[2026-04-03 10:00:03] Checking filesystem…
[2026-04-03 10:00:04] Checking services…
[2026-04-03 10:00:05] Security check completed. Report saved to /var/log/security-check-report.txt
提示
系统安全加固需要根据实际应用场景进行调整。建议定期进行安全检查,及时发现安全隐患。对于重要系统,建议配置安全审计和入侵检测系统。
