
Linux教程FG486-Linux安全加固实战

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍Linux安全加固实战案例。

Part01-账户安全加固

1.1 密码策略配置

# 查看当前密码策略
[root@fgedu-sec ~]# cat /etc/login.defs | grep -E 'PASS_MIN_LEN|PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE'
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

# 配置密码策略(注意:cat > 会覆盖整个 /etc/login.defs,原文件中其他设置会丢失,操作前请先备份)
[root@fgedu-sec ~]# cat > /etc/login.defs << 'EOF'
# 密码策略配置
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14
# 用户ID配置
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
# 加密算法
ENCRYPT_METHOD SHA512
EOF

# 配置密码复杂度
[root@fgedu-sec ~]# cat > /etc/security/pwquality.conf << 'EOF'
minlen = 12
minclass = 4
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
maxsequence = 3
maxclassrepeat = 3
gecoscheck = 1
EOF

# 配置登录失败锁定(注意:以追加方式写入时,pam_faillock 的 preauth 行会位于 pam_unix.so 之后,与 pam_faillock(8) 要求的顺序不符;RHEL 8+ 建议通过 authselect 的 with-faillock 特性启用)
[root@fgedu-sec ~]# cat >> /etc/pam.d/password-auth << 'EOF'
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth required pam_faillock.so authfail deny=5 unlock_time=900
account required pam_faillock.so
EOF
[root@fgedu-sec ~]# cat >> /etc/pam.d/system-auth << 'EOF'
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth required pam_faillock.so authfail deny=5 unlock_time=900
account required pam_faillock.so
EOF

# 查看锁定用户
[root@fgedu-sec ~]# faillock --user testuser
testuser:
When Type Source Valid
2026-04-04 23:00:00 TTY pts/0 V

# 解锁用户
[root@fgedu-sec ~]# faillock --user testuser --reset

Part02-SSH安全加固

2.1 SSH配置优化

# 备份SSH配置
[root@fgedu-sec ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# 配置SSH安全选项(注意:此处会覆盖整个 sshd_config,并禁用口令登录、仅允许 sshusers 组;重启前请确认 fgeduadmin 已部署好公钥)
[root@fgedu-sec ~]# cat > /etc/ssh/sshd_config << 'EOF'
Port 2222
AddressFamily inet
ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
MaxSessions 5
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 3
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
Banner /etc/ssh/banner
SyslogFacility AUTH
LogLevel VERBOSE
AllowGroups sshusers
EOF

# 创建SSH用户组
[root@fgedu-sec ~]# groupadd sshusers
[root@fgedu-sec ~]# usermod -aG sshusers fgeduadmin

# 创建SSH Banner
[root@fgedu-sec ~]# cat > /etc/ssh/banner << 'EOF'
******************************************************************************
*                              FGEDU 安全警告                                *
*                                                                            *
*                   未经授权访问本系统是违法行为!                            *
*                   所有操作将被记录和审计。                                  *
*                                                                            *
******************************************************************************
EOF

# 配置SSH超时
[root@fgedu-sec ~]# cat >> /etc/profile << 'EOF'
TMOUT=300
export TMOUT
EOF

# 重启SSH服务(建议先执行 sshd -t 校验配置并保留当前登录会话,确认无误后再重启,避免配置错误导致无法远程登录;SELinux 为 enforcing 时需先用 semanage port -a -t ssh_port_t -p tcp 2222 放行新端口)
[root@fgedu-sec ~]# systemctl restart sshd

# 验证SSH配置
[root@fgedu-sec ~]# sshd -t
[root@fgedu-sec ~]# echo $?
0

Part03-防火墙配置

3.1 Firewalld配置

# 启动Firewalld
[root@fgedu-sec ~]# systemctl enable firewalld --now

# 查看默认区域
[root@fgedu-sec ~]# firewall-cmd --get-default-zone
public

# 配置区域规则
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --set-target=DROP
success

# 允许必要服务
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-service=ssh
success
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-service=http
success
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-service=https
success

# 允许特定端口
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-port=2222/tcp
success

# 限制SSH访问(注意:firewalld 的 ssh 服务对应 22/tcp,而上文 sshd 已改为监听 2222;该富规则并不限制 2222/tcp,2222 端口仍通过 --add-port 对所有来源开放)
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
success

# 配置端口转发
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
success

# 配置IP伪装(仅在本机确需充当 NAT 网关时启用,否则无需开启)
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-masquerade
success

# 配置ICMP限制
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-icmp-block=echo-request
success
[root@fgedu-sec ~]# firewall-cmd --permanent --zone=public --add-icmp-block=timestamp-request
success

# 重载配置
[root@fgedu-sec ~]# firewall-cmd --reload
success

# 查看所有规则
[root@fgedu-sec ~]# firewall-cmd --list-all
public (active)
target: DROP
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh http https
ports: 2222/tcp
protocols:
forward: yes
masquerade: yes
forward-ports:
port=80:proto=tcp:toport=8080:toaddr=
source-ports:
icmp-blocks: echo-request timestamp-request
rich rules:
rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept

Part04-安全审计配置

4.1 Audit审计系统

# 安装Audit
[root@fgedu-sec ~]# yum install -y audit
[root@fgedu-sec ~]# systemctl enable auditd --now

# 配置审计规则(注意:下面的 -a 规则仅匹配 arch=b64,若系统会运行 32 位程序需补充对应的 arch=b32 规则;/etc/gshadow 也应纳入 identity 监控)
[root@fgedu-sec ~]# cat > /etc/audit/rules.d/fgedu.rules << 'EOF'
## 审计规则配置
# 监控用户和组变更
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
# 监控登录相关文件
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/wtmp -p wa -k logins
-w /var/run/utmp -p wa -k logins
# 监控系统配置
-w /etc/sysctl.conf -p wa -k sysconfig
-w /etc/ssh/sshd_config -p wa -k sshconfig
# 监控模块加载
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
# 监控时间变更
-w /etc/localtime -p wa -k time-change
# 监控系统调用
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
# 监控文件删除和权限变更
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -k perm_mod

# 监控未授权访问
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
EOF

# 重启auditd
[root@fgedu-sec ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to systemctl
Starting logging: [ OK ]

# 查看审计日志
[root@fgedu-sec ~]# ausearch -k identity | tail -10
----
time->Sat Apr 4 23:00:00 2026
type=PROCTITLE msg=audit(1712246400.123:456): proctitle=737368003A206670616D4…7074733000
type=PATH msg=audit(1712246400.123:456): item=1 name="/etc/passwd" inode=123456 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1712246400.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd12345678 a2=0 a3=0 items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="identity"

# 生成审计报告
[root@fgedu-sec ~]# aureport --summary
Summary Report
======================
Range of time in logs: 04/01/2026 00:00:00.000 - 04/04/2026 23:00:00.000
Selected time for report: 04/01/2026 00:00:00 - 04/04/2026 23:00:00.000
Number of changes in configuration: 10
Number of changes to accounts, groups, or roles: 5
Number of logins: 25
Number of failed logins: 3
Number of authentications: 50
Number of failed authentications: 5
Number of users: 10
Number of terminals: 5
Number of host names: 3
Number of executables: 20
Number of commands: 100
Number of files: 50
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 10
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 10
Number of process IDs: 100
Number of events: 5000

风哥针对安全加固建议:

  • 配置强密码策略
  • 禁用root远程登录
  • 配置防火墙规则
  • 启用安全审计
  • 定期进行安全检查

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
