Summary: this 风哥教程 tutorial draws on the official Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman documentation to describe the configuration and use of the related technologies in detail.
This document describes practical methods and configuration techniques for hardening Linux network security.
Part01-Network Security Baseline
1.1 Security baseline configuration
# 1. Disable services the host does not need (--now also stops a running instance; mask a unit if nothing may ever start it again)
$ sudo systemctl disable --now bluetooth
$ sudo systemctl disable --now cups
$ sudo systemctl disable --now avahi-daemon
# 2. Configure the password policy (libpwquality; tee overwrites the whole file, so keep any local settings you need. On RHEL 8+ a drop-in under /etc/security/pwquality.conf.d/ is preserved across package updates)
$ sudo tee /etc/security/pwquality.conf << EOF
minlen = 12
minclass = 4
maxrepeat = 2
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
EOF
# 3. Lock accounts after repeated failures. Appending pam_faillock lines to the end of password-auth does nothing: they land after pam_deny and are never reached, and authselect overwrites hand edits anyway. Put the thresholds in faillock.conf and enable the feature through authselect (RHEL 8.2+ / 9)
$ sudo tee /etc/security/faillock.conf << EOF
deny = 5
unlock_time = 900
audit
EOF
$ sudo authselect enable-feature with-faillock
# Verify that pam_faillock now appears in both the auth and the account stacks
$ grep faillock /etc/pam.d/password-auth /etc/pam.d/system-auth
# 4. Idle shell timeout (a drop-in under /etc/profile.d is cleaner than editing /etc/profile; readonly stops users from unsetting it)
$ sudo tee /etc/profile.d/tmout.sh << EOF
TMOUT=300
readonly TMOUT
export TMOUT
EOF
# 5. Forbid root login over SSH. The stock sshd_config ships the directive commented out, so a sed that only matches "PermitRootLogin yes" changes nothing; match the commented form too, check drop-ins in /etc/ssh/sshd_config.d/ (read first, first match wins), and test the config before reloading
$ sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
$ sudo sshd -t && sudo systemctl reload sshd
# 6. sudo rights: only the wheel group, with a dedicated log (always edit through visudo so a syntax error cannot lock you out)
$ sudo visudo
%wheel ALL=(ALL) ALL
Defaults logfile=/var/log/sudo.log
# 7. Permissions on sensitive files (on RHEL /etc/shadow and /etc/gshadow ship as mode 0000; leave that if set, and never make them wider than 600)
$ sudo chmod 600 /etc/ssh/sshd_config
$ sudo chmod 600 /etc/security/pwquality.conf
$ sudo chmod 600 /etc/shadow
$ sudo chmod 600 /etc/gshadow
$ sudo chmod 644 /etc/passwd
$ sudo chmod 644 /etc/group
# Verify
$ stat -c '%a %U:%G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/ssh/sshd_config
# 8. Inventory SUID binaries and compare the list with what the packages installed (rpm -Vf /usr/bin/su prints an M in its output if the mode was changed after installation)
$ sudo find / -perm -4000 -type f -exec ls -ld {} \;
-rwsr-xr-x. 1 root root 53280 Nov 3 2024 /usr/bin/su
-rwsr-xr-x. 1 root root 78328 Nov 3 2024 /usr/bin/chsh
-rwsr-xr-x. 1 root root 54112 Nov 3 2024 /usr/bin/chfn
-rwsr-xr-x. 1 root root 78016 Nov 3 2024 /usr/bin/newgrp
-rwsr-xr-x. 1 root root 239864 Nov 3 2024 /usr/bin/sudo
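The steps above are all write operations; nothing on the page re-checks them afterwards. The script below is an added example (mine, not from the tutorial) that audits the same baseline read-only: the pwquality and faillock thresholds, the effective PermitRootLogin value including drop-ins, the file modes, and the SUID inventory against an allowlist. It takes a root prefix so it can run against a staged copy of a host's tree; the allowlist (the five binaries the page's find listed) and the "600 or 0000" rule for the shadow files are my assumptions.

```bash
#!/bin/bash
# Added example (not from the original tutorial): read-only audit of the baseline above.
# Reads files under a root prefix (default /), so it can also be pointed at a staged copy.
# Assumptions (mine): the SUID allowlist below and "600 or 0000" for the shadow files.

# pwq_value FILE KEY : effective integer value of KEY in an ini-style file (last match wins)
pwq_value() {
  sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(-?[0-9]+).*/\1/p" "$1" 2>/dev/null | tail -n1
}

# sshd_value DIR KEY : first uncommented KEY, drop-ins first
# (sshd keeps the first occurrence, and RHEL 9 includes sshd_config.d/* at the top of sshd_config)
sshd_value() {
  cat "$1"/sshd_config.d/*.conf "$1"/sshd_config 2>/dev/null \
    | sed -nE "s/^[[:space:]]*$2[[:space:]]+([^[:space:]#]+).*/\1/p" | head -n1
}

# audit_baseline [ROOT] : prints one OK/FAIL line per check, returns the number of failures
audit_baseline() {
  local root="${1:-/}" fails=0 v f rel mode allow
  root="${root%/}"                       # "/" becomes "" so "$root/etc" stays absolute

  v=$(pwq_value "$root/etc/security/pwquality.conf" minlen)
  if [ -n "$v" ] && [ "$v" -ge 12 ]; then echo "OK   pwquality minlen=$v"
  else echo "FAIL pwquality minlen='$v' (want >= 12)"; fails=$((fails + 1)); fi

  v=$(pwq_value "$root/etc/security/faillock.conf" deny)
  if [ -n "$v" ] && [ "$v" -gt 0 ] && [ "$v" -le 5 ]; then echo "OK   faillock deny=$v"
  else echo "FAIL faillock deny='$v' (want 1..5)"; fails=$((fails + 1)); fi

  v=$(sshd_value "$root/etc/ssh" PermitRootLogin)
  case "$v" in
    no|prohibit-password) echo "OK   sshd PermitRootLogin=$v" ;;
    *) echo "FAIL sshd PermitRootLogin='$v' (want no)"; fails=$((fails + 1)) ;;
  esac

  # expected modes; the shadow files may be 0000 (RHEL default) or 600
  for spec in "600 etc/ssh/sshd_config" "644 etc/passwd" "644 etc/group" \
              "600|0 etc/shadow" "600|0 etc/gshadow"; do
    set -- $spec
    f="$root/$2"
    mode=$(stat -c %a "$f" 2>/dev/null)
    case "|$1|" in
      *"|$mode|"*) echo "OK   mode $mode $f" ;;
      *) echo "FAIL mode '${mode:-missing}' $f (want $1)"; fails=$((fails + 1)) ;;
    esac
  done

  # every SUID binary must be on the allowlist (the ones the page's find listed)
  allow=" /usr/bin/su /usr/bin/sudo /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp "
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    rel="${f#"$root"}"
    case "$allow" in
      *" $rel "*) echo "OK   suid $rel" ;;
      *) echo "FAIL unexpected suid $rel"; fails=$((fails + 1)) ;;
    esac
  done <<EOF
$(find "${root:-/}" -xdev -type f -perm -4000 2>/dev/null)
EOF

  echo "failures: $fails"
  return $(( fails > 255 ? 255 : fails ))
}

# Against the live host: audit_baseline /    (exit status = number of failures)
```

Run it as root on the live host (audit_baseline /) and wire the exit status into whatever runs your compliance checks; a non-zero status is the count of failed checks. Extending the allowlist is deliberate work: each addition should be a binary you can name the package for.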
Part02-Firewall Security Configuration
2.1 Configure firewall rules
$ sudo firewall-cmd --state
running
# Set the default zone
$ sudo firewall-cmd --set-default-zone=public
# Allow the required services
$ sudo firewall-cmd --permanent --add-service=ssh
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
# Restrict where SSH may come from: drop the zone-wide service and accept it only from the management network (the rich rule also logs each accepted SSH connection)
$ sudo firewall-cmd --permanent --remove-service=ssh
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="SSH_ACCESS " level="notice" accept'
# Port forwarding (local redirect of port 80 to a service listening on 8080)
$ sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080
# IP masquerading is only needed when this host routes traffic for other machines (NAT gateway); skip it on an ordinary server
$ sudo firewall-cmd --permanent --add-masquerade
# ICMP limits (block ping only; leave destination-unreachable and time-exceeded alone or path MTU discovery and traceroute break)
$ sudo firewall-cmd --permanent --add-icmp-block=echo-request
$ sudo firewall-cmd --permanent --add-icmp-block=echo-reply
# Log SSH attempts from everywhere else and reject them, rate-limited so the log cannot be flooded. The rule the original page used here ("source address=0.0.0.0/0 ... accept") silently re-opened SSH to the whole internet; logging must never be paired with accept for an unrestricted source. priority="10" keeps this rule after the accept rule above
$ sudo firewall-cmd --permanent --add-rich-rule='rule priority="10" family="ipv4" service name="ssh" log prefix="SSH_DENY " level="warning" limit value="3/m" reject'
# Reload the configuration
$ sudo firewall-cmd --reload
# Show the active rule set
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client http https
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
port=80:proto=tcp:toport=8080
source-ports:
icmp-blocks: echo-reply echo-request
rich rules:
rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="SSH_ACCESS " level="notice" accept
rule priority="10" family="ipv4" service name="ssh" log prefix="SSH_DENY " level="warning" limit value="3/m" reject
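The SSH restriction is only as good as the last rule anyone added to the zone, and the mistake is easy to make: an accept rule for ssh with no source, or with source 0.0.0.0/0, reopens the port regardless of the rule above it. The function below is an added example (mine, not firewalld's or the tutorial's) that lints saved `firewall-cmd --list-all` output for exactly that: ssh still enabled zone-wide, and ssh accept rich rules without a source restriction. The zone text in the test is constructed to match firewalld's output format.

```bash
#!/bin/bash
# Added example (mine, not the tutorial's): lint `firewall-cmd --list-all` output
# for SSH exposure. Usage on a live host:
#   firewall-cmd --list-all > zone.txt; check_ssh_exposure zone.txt
# The input format is what firewalld prints; the sample in the test is constructed.

# check_ssh_exposure FILE : prints one line per finding, returns the number of exposures
check_ssh_exposure() {
  local file="$1" n=0 line src

  # 1. is the ssh service still enabled for the whole zone?
  if grep -qE '^[[:space:]]*services:.*[[:space:]]ssh([[:space:]]|$)' "$file"; then
    echo "EXPOSED: service ssh is enabled zone-wide"; n=$((n + 1))
  fi

  # 2. rich rules that accept ssh: each must carry a real source restriction
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in *'service name="ssh"'*accept*) ;; *) continue ;; esac
    src=$(printf '%s\n' "$line" | sed -nE 's/.*source address="([^"]*)".*/\1/p')
    case "$src" in
      ""|0.0.0.0/0|::/0) echo "EXPOSED: ssh accept rule without a source restriction: $line"; n=$((n + 1)) ;;
      *) echo "OK: ssh accepted only from $src" ;;
    esac
  done <<EOF
$(grep -E '^[[:space:]]*rule ' "$file")
EOF

  return "$n"
}
```

Run it after every `--reload` from the same change procedure that edits the zone; a non-zero exit is the number of ways SSH is reachable from anywhere. It deliberately does not try to judge whether a given source range is "private enough", that is a policy decision for the operator.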
Part03-SELinux Security Configuration
3.1 Configure the SELinux policy
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
# Check the SELinux mode
$ getenforce
Enforcing
# Switch to permissive temporarily (denials are logged but not enforced; use it for debugging only and never leave a production host like this)
$ sudo setenforce 0
# Set enforcing permanently. Matching any current value also covers SELINUX=disabled (the original sed only matched permissive); after disabled, touch /.autorelabel so the filesystem is relabelled at the next boot
$ sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
$ sudo setenforce 1
# List the SELinux booleans that concern httpd
$ getsebool -a | grep http
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
# Set a boolean (-P makes it persistent across reboots; enable only what the application really needs, httpd_can_network_connect lets the web server open any outbound TCP connection)
$ sudo setsebool -P httpd_can_network_connect on
# Show a file's SELinux context
$ ls -Z /var/www/html/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# Change a file's context. chcon is temporary: the next restorecon or relabel reverts it. For content outside the policy's default paths, record the mapping with semanage fcontext first (the /srv/www path is an example), then let restorecon apply it
$ sudo chcon -t httpd_sys_content_t /var/www/html/index.html
$ sudo semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
# Restore the policy's default contexts
$ sudo restorecon -Rv /var/www/html/
# Read SELinux denials from the audit log
$ sudo ausearch -m AVC -ts recent
----
time->Thu Apr 3 21:15:00 2026
type=AVC msg=audit(1712152500.123:12345): avc: denied { read } for pid=12345 comm="httpd" name="index.html" dev="dm-0" ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
# Read the denial before reaching for audit2allow. Here httpd was refused a file labelled user_home_t: the file carries a home-directory label (mv preserves the source label, cp does not), so the fix is restorecon on it, not a policy module that lets httpd read home directories
# Generate a policy module only for denials you have confirmed are legitimate, and read the generated .te before loading it. audit2allow -a turns every denial in the log into an allow rule, including the ones that should have been fixed by a relabel or a boolean
$ sudo audit2allow -a -M mypolicy
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mypolicy.pp
$ cat mypolicy.te
$ sudo semodule -i mypolicy.pp
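The denial shown above should be answered with a relabel, a port-related denial usually with a boolean, and only the remainder with a policy module. The function below is an added example (mine, not the tutorial's or the SELinux tooling's) that does that triage over raw AVC records: it extracts the source type, target type, object class and permissions, counts distinct denials, and attaches the first thing to try. The sets of "home and temp" target types and the `_port_t` heuristic are my assumptions, not policy facts; the records in the test are constructed.

```bash
#!/bin/bash
# Added example (mine, not the tutorial's): triage AVC denials before audit2allow.
# Input: raw audit.log or `ausearch -m AVC` output. Type lists are my assumptions.

# avc_triage FILE : one line per distinct denial, count first, with a hint
avc_triage() {
  # fields out of each AVC record: comm, source type, target type, tclass, permissions
  sed -nE 's/.*avc: +denied +\{ *([^}]*[^} ]) *\}.* comm="([^"]*)".* scontext=[^:]*:[^:]*:([^:]*):.* tcontext=[^:]*:[^:]*:([^:]*):.* tclass=([^ ]+).*/\2 \3 \4 \5 \1/p' "$1" \
    | sort | uniq -c | while read -r count comm stype ttype tclass perms; do
        case "$ttype" in
          user_home_t|home_root_t|admin_home_t|tmp_t|default_t|unlabeled_t)
            hint="mislabeled target: run restorecon (or add a semanage fcontext rule); do not write an allow rule" ;;
          *_port_t)
            hint="network access: look for a boolean first (getsebool -a | grep ${stype%_t})" ;;
          *)
            hint="review the denial; only if legitimate, audit2allow it and read the .te before semodule -i" ;;
        esac
        printf '%s %s %s -> %s %s {%s}: %s\n' "$count" "$comm" "$stype" "$ttype" "$tclass" "$perms" "$hint"
      done
}

# Against the live host: avc_triage /var/log/audit/audit.log
```

The point of sorting and counting first is that a single misplaced file produces one denial per request; grouping turns thousands of lines into the handful of distinct decisions that actually have to be made.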
Part04-Intrusion Detection Configuration
4.1 Configure intrusion detection
# fail2ban bans sources that keep failing authentication (brute-force mitigation rather than a full IDS). It ships in EPEL, so enable that repository first (dnf install epel-release works on Rocky/Alma/CentOS Stream; RHEL proper installs the epel-release RPM from dl.fedoraproject.org)
$ sudo dnf install -y epel-release
$ sudo dnf install -y fail2ban
# Configure fail2ban (jail.local overrides jail.conf and survives package updates). backend = systemd belongs in the sshd jail, not in [DEFAULT]: set globally it would make the nginx and postfix jails read the journal instead of their log files
$ sudo tee /etc/fail2ban/jail.local << EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 3600
findtime = 600
maxretry = 5
[sshd]
enabled = true
port = ssh
filter = sshd
# sshd logs to the journal on RHEL; the systemd backend reads it directly
backend = systemd
maxretry = 3
bantime = 3600
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/maillog
maxretry = 3
EOF
# Start fail2ban
$ sudo systemctl enable --now fail2ban
# Check the status of a jail
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 10
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.1.50
# Unban an address manually
$ sudo fail2ban-client set sshd unbanip 192.168.1.50
# Install rkhunter (also from EPEL) to check for rootkits
$ sudo dnf install -y rkhunter
# Update the rkhunter data files, then record a baseline of file properties. Do this on a known-clean system right after installation and again after every package update, otherwise every later --check reports the updated binaries as changed
$ sudo rkhunter --update
$ sudo rkhunter --propupd
# Scan the system (--sk skips the keypress prompts between test groups; details of every warning are in /var/log/rkhunter/rkhunter.log)
$ sudo rkhunter --check --sk
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
...
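The jail settings above (findtime, maxretry, ignoreip) are easy to get wrong in a way that only shows up when a real attack or a real admin gets banned. The function below is an added example, mine and not fail2ban's code, that replays the sshd jail's decision over log lines: a source is banned once it has maxretry failures inside a sliding findtime window, addresses on the ignore list are skipped, and a banned address is reported once. Two simplifications are my assumptions: all lines come from the same day (only HH:MM:SS is parsed), and ignoreip matches exact addresses rather than CIDR ranges. The log lines in the test are constructed in /var/log/secure format.

```bash
#!/bin/bash
# Added example (mine, not fail2ban's): replay the sshd jail decision over log lines.
# Assumptions: all lines from the same day; ignore list is exact addresses, not CIDRs.

# ban_candidates LOGFILE FINDTIME MAXRETRY [IGNOREIP ...] : prints each address to ban, once
ban_candidates() {
  local log="$1" findtime="$2" maxretry="$3"
  shift 3
  awk -v findtime="$findtime" -v maxretry="$maxretry" -v ignore=" $* " '
    function secs(hms,  p) { split(hms, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    /sshd\[[0-9]+\]: Failed password for/ {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "" || banned[ip] || index(ignore, " " ip " ")) next
      t = secs($3)                       # $3 is HH:MM:SS in syslog format
      n[ip]++; seen[ip, n[ip]] = t
      # failures that fall inside the window ending at this line
      c = 0
      for (j = 1; j <= n[ip]; j++) if (t - seen[ip, j] < findtime) c++
      if (c >= maxretry) { banned[ip] = 1; print ip }
    }' "$log"
}

# Dry run against yesterday's log with the values from jail.local:
# ban_candidates /var/log/secure 600 3 127.0.0.1
```

Used as a dry run, the output is the list of addresses the jail would have banned, which is the quickest way to see whether the chosen findtime is short enough to miss a slow scan (three attempts spread over half an hour never trigger a 600-second window) and whether ignoreip covers the hosts your own monitoring logs in from.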
Part05-Security Audit Configuration
5.1 Configure the audit system
$ sudo dnf install -y audit
# Put the rules in their own file: writing to /etc/audit/rules.d/audit.rules replaces the distribution file that sets the buffer size and failure mode. augenrules merges every file in rules.d
$ sudo tee /etc/audit/rules.d/50-hardening.rules << EOF
# User and group changes
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
# Login events
-w /var/log/secure -p wa -k logins
-w /var/log/wtmp -p wa -k logins
-w /var/run/utmp -p wa -k logins
# System time changes
-w /etc/localtime -p wa -k time-change
# Network configuration changes (legacy ifcfg files and NetworkManager profiles)
-w /etc/sysconfig/network-scripts/ -p wa -k network
-w /etc/NetworkManager/system-connections/ -p wa -k network
# SSH configuration, including drop-ins
-w /etc/ssh/sshd_config -p wa -k ssh-config
-w /etc/ssh/sshd_config.d/ -p wa -k ssh-config
# Kernel module loading. The kmod tools live in /usr/sbin on RHEL (a watch on a path that does not exist, such as /usr/bin/insmod, makes the rule load fail), and the syscall rule catches loaders that are not these binaries
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
# Filesystem mounts
-w /usr/bin/mount -p x -k mount
-w /usr/bin/umount -p x -k mount
EOF
# Load the rules. auditd refuses "systemctl restart" (the unit sets RefuseManualStop); augenrules merges rules.d and loads the result. If the rule set is locked with -e 2, a reboot is required
$ sudo augenrules --load
# Confirm the rules are active
$ sudo auditctl -l
# Query the audit log by key
$ sudo ausearch -k identity | tail -20
----
time->Thu Apr 3 21:20:00 2026
type=PATH msg=audit(1712152800.123:12345): item=0 name="/etc/passwd" inode=123456 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1712152800.123:12345): cwd="/home/user"
type=SYSCALL msg=audit(1712152800.123:12345): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd12345678 a2=80000 a3=0 items=1 ppid=12345 pid=12346 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="usermod" exe="/usr/sbin/usermod" key="identity"
# The three records belong to one event (serial 12345). uid=0 only says the syscall ran as root; auid=1000 is the login user who became root, and that is the field to attribute the change to
# Generate an audit summary report
$ sudo aureport --start today
Summary Report
======================
Range of time in logs: 04/03/2026 00:00:00.000 – 04/03/2026 21:20:00.000
Selected time for report: 04/03/2026 00:00:00 – 04/03/2026 21:20:00
Number of changes in configuration: 10
Number of changes to accounts, groups, or roles: 5
Number of logins: 20
Number of failed logins: 3
Number of authentications: 25
Number of failed authentications: 2
Number of users: 5
Number of terminals: 3
Number of host names: 2
Number of executables: 15
Number of commands: 50
Number of files: 100
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 10
Number of process IDs: 100
Number of events: 500
1. Update the system and its packages regularly
2. Configure a strong password policy
3. Enable the firewall and SELinux
4. Configure intrusion detection
5. Audit the system logs regularly
This article was compiled and published by 风哥教程 for learning and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
