
Linux教程FG501-Linux综合实战案例七

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

本文档介绍企业级安全防护体系部署综合实战案例。

风哥提示:

Part01-防火墙配置

1.1 iptables安全策略

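# Flush existing rules. Run this whole section as ONE script (or load it
# atomically with iptables-restore) from a console / out-of-band session:
# if a DROP policy is already in effect from an earlier run, an interactive
# SSH session is cut off between the flush and the ESTABLISHED rule below.
[root@fgedu-firewall ~]# iptables -F
[root@fgedu-firewall ~]# iptables -X

# Loopback
[root@fgedu-firewall ~]# iptables -A INPUT -i lo -j ACCEPT

# Existing connections first, then anything conntrack considers malformed
[root@fgedu-firewall ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@fgedu-firewall ~]# iptables -A INPUT -m state --state INVALID -j DROP

# Bogus TCP flag combinations (NULL / XMAS / SYN+FIN / SYN+RST scans).
# These must sit BEFORE the per-port ACCEPT rules: iptables stops at the
# first match, so placed after them a NULL packet to port 80 is accepted.
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# SSH with brute-force throttling: a source opening more than 4 new
# connections within 60 s is dropped. Add "-s <management-net>" to these
# rules when administration only ever comes from a known network.
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Web
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@fgedu-firewall ~]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# ICMP echo, rate limited (ICMP errors tied to existing flows, e.g. PMTU
# fragmentation-needed, already arrive as RELATED above)
[root@fgedu-firewall ~]# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT

# Log what is about to be dropped. The limit match matters: without it a
# flood fills /var/log and drowns the real alerts.
[root@fgedu-firewall ~]# iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

# Default policies last, once the ACCEPT rules are in place
[root@fgedu-firewall ~]# iptables -P INPUT DROP
[root@fgedu-firewall ~]# iptables -P FORWARD DROP
[root@fgedu-firewall ~]# iptables -P OUTPUT ACCEPT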

# 保存规则 (需要安装 iptables-services 并停用 firewalld, 两者同时管理规则会互相覆盖; 也可以直接 iptables-save > /etc/sysconfig/iptables)
[root@fgedu-firewall ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

# 查看规则 (以下输出为节选, 省略了 recent/limit/LOG 等规则行; 核对时确认 policy 列为 DROP, 且各 ACCEPT 规则的计数器在增长)
[root@fgedu-firewall ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
100 8000 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
5000 10M ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
50 3000 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
200 16000 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
150 12000 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Part02-入侵检测系统

2.1 OSSEC部署配置

# 安装OSSEC
# 注意: 直接从 GitHub 拉取的归档没有任何完整性校验, 请先核对发布页公布的校验和/签名 (如有) 再以 root 执行 install.sh;
# 同时评估上游的维护状态, 新部署可考虑其活跃维护的分支 Wazuh。
[root@fgedu-ids ~]# wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
[root@fgedu-ids ~]# tar xzf 3.7.0.tar.gz
[root@fgedu-ids ~]# cd ossec-hids-3.7.0
[root@fgedu-ids ossec-hids-3.7.0]# ./install.sh

# 配置OSSEC
# 说明: 页面原文丢失了 XML 标签, 以下按 OSSEC 3.x 默认 ossec.conf 的元素名补回, 部署前请与 install.sh 生成的模板核对。
# 注意: cat > 会整体覆盖安装生成的 ossec.conf, 模板中默认包含的其他规则文件和 <remote> 等段落都会丢失, 建议在原文件上增改而不是整体替换。
[root@fgedu-ids ~]# cat > /var/ossec/etc/ossec.conf << 'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>security@fgedu.net.cn</email_to>
    <smtp_server>smtp.fgedu.net.cn</smtp_server>
    <email_from>ossec@fgedu.net.cn</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>sshd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>web_rules.xml</include>
  </rules>

  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>
</ossec_config>
EOF

# 启动OSSEC
[root@fgedu-ids ~]# /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.7.0…
Started ossec-maild…
Started ossec-execd…
Started ossec-analysisd…
Started ossec-logcollector…
Started ossec-remoted…
Started ossec-syscheckd…
Started ossec-monitord…
Completed.

# 查看告警
[root@fgedu-ids ~]# tail -20 /var/ossec/logs/alerts/alerts.log
** Alert 1712246400.12345: - syslog,sshd,authentication_success,
2026 Apr 04 23:00:00 fgedu-server->/var/log/secure
Rule: 5715 (level: 3) -> 'SSHD authentication success.'
Src IP: 192.168.1.100
User: admin
Apr 4 23:00:00 fgedu-server sshd[12345]: Accepted publickey for admin from 192.168.1.100 port 54321 ssh2

Part03-漏洞扫描

3.1 OpenVAS部署

# 安装OpenVAS
# 注意: EPEL 中的 openvas 软件包长期未更新, 而下面用到的 gvm-setup/gvm-start 是 Kali/Debian 打包提供的辅助脚本, RHEL 系发行版上未必存在;
# 生产环境建议按 Greenbone 官方文档使用其容器镜像或源码方式部署, 并保持 feed 为最新。
[root@fgedu-scanner ~]# yum install -y epel-release
[root@fgedu-scanner ~]# yum install -y openvas

# 初始化OpenVAS
[root@fgedu-scanner ~]# gvm-setup
[*] Creating PostgreSQL database
[*] Creating user and group
[*] Creating database schema
[*] Creating certificate
[*] Creating admin user
User created with password: abc123-def456-ghi789
# 上面是 gvm-setup 随机生成的 admin 初始密码: 妥善保存并尽快修改; 后续 gvm-cli 认证时不要把它写在命令行参数里 (会留在 shell 历史和 ps 输出中)

# 同步漏洞数据 (不带 --type 时会同步全部 feed; 只同步 GVMD_DATA 不会下载 NVT 检测脚本, 扫描结果会是空的)
[root@fgedu-scanner ~]# greenbone-feed-sync --type GVMD_DATA
[*] Downloading GVMD_DATA
[*] Synchronizing…
[*] Done

# 启动服务
[root@fgedu-scanner ~]# gvm-start
Starting Greenbone Vulnerability Manager…
Starting OpenVAS Scanner…
Starting GSAD…
Services started.

# 创建扫描目标 (页面原文丢失了 XML 标签, 以下按 GMP 协议的 create_target 命令补回; 该文件同样需要像下面的 get-results 一样通过 gvm-cli 发送)
[root@fgedu-scanner ~]# cat > /tmp/scan-target.xml << 'EOF'
<create_target>
  <name>FGEDU Production Servers</name>
  <hosts>192.168.1.10-192.168.1.50</hosts>
</create_target>
EOF

# 查看扫描结果 (/tmp/get-results.xml 应包含 <get_results/> 请求, 原文未给出)
# 注意: 原文在命令行上明文传递 --gmp-password admin, 既与 gvm-setup 生成的密码不一致, 也会泄露到 shell 历史和 ps 输出中;
# 不带 --gmp-password 时 gvm-cli 会交互式提示输入, 或把凭据写入权限为 600 的 ~/.config/gvm-tools.conf
[root@fgedu-scanner ~]# gvm-cli --gmp-username admin socket < /tmp/get-results.xml

漏洞: SSH Weak Algorithms    严重程度: 5.0
主机: 192.168.1.10 22/tcp    描述: SSH server supports weak algorithms

Part04-安全加固

4.1 系统安全加固脚本

# 创建安全加固脚本
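[root@fgedu-sec ~]# cat > /usr/local/bin/security-harden.sh << 'EOF'
#!/bin/bash
# security-harden.sh - baseline hardening for a RHEL-family host.
# Must run as root. It rewrites pwquality.conf, login.defs, an sshd
# drop-in and a sysctl file in place and keeps no backups, so try it on a
# test host first. Failures of individual steps are reported, not fatal.
set -u

echo "=== 系统安全加固开始 ==="

echo "1. 账户安全加固"
# Lock system accounts that must never log in interactively; accounts that
# do not exist on this host are skipped silently.
for user in daemon bin sys adm lp uucp nuucp; do
  usermod -L "$user" 2>/dev/null
done

# pam_pwquality policy: at least 12 characters drawn from all four classes.
cat > /etc/security/pwquality.conf << 'PWCONF'
minlen = 12
minclass = 4
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
PWCONF

# Password ageing. The patterns are anchored at line start so the
# explanatory "# PASS_MAX_DAYS ..." comments in login.defs are left alone.
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' /etc/login.defs

echo "2. SSH安全加固"
# PasswordAuthentication no locks out every account whose public key is not
# already in authorized_keys - deploy keys for the admin accounts before
# running this, and keep a console session open while testing.
mkdir -p /etc/ssh/sshd_config.d
cat > /etc/ssh/sshd_config.d/harden.conf << 'SSHCONF'
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
SSHCONF
# The drop-in is only read if sshd_config includes the directory
# (the stock RHEL 8.x+/9 config does; older or hand-edited files may not).
if ! grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' /etc/ssh/sshd_config; then
  echo "警告: /etc/ssh/sshd_config 没有 Include /etc/ssh/sshd_config.d/*.conf, harden.conf 不会生效" >&2
fi
# Validate first so a typo cannot take sshd down, then reload so the
# settings apply now instead of at the next sshd restart.
if sshd -t; then
  systemctl reload sshd
else
  echo "警告: sshd -t 校验失败, 未重载 sshd" >&2
fi

echo "3. 服务加固"
# Clear-text remote-login services. --now also stops a running instance;
# "disable" alone leaves it up until reboot. Missing units are ignored.
for svc in telnet rsh rlogin rexec; do
  systemctl disable --now "$svc" 2>/dev/null
done

echo "4. 文件权限加固"
# The "-" backup copies hold the same password hashes and group data as the
# originals and deserve the same protection.
for f in /etc/passwd- /etc/shadow- /etc/group- /etc/gshadow-; do
  [ -e "$f" ] && chmod 600 "$f"
done
chmod 700 /root

echo "5. 内核安全加固"
# kernel.exec-shield existed only in the RHEL 5/6 kernels; on current
# kernels sysctl -p fails on that key ("No such file or directory"), so it
# is not set here. ip_forward=0 is right for a plain server but must stay 1
# on hosts that route traffic or run Docker/Kubernetes.
cat > /etc/sysctl.d/99-security.conf << 'SYSCTL'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
SYSCTL
sysctl -p /etc/sysctl.d/99-security.conf

echo "=== 系统安全加固完成 ==="
EOF
[root@fgedu-sec ~]# chmod +x /usr/local/bin/security-harden.sh
[root@fgedu-sec ~]# /usr/local/bin/security-harden.sh
=== 系统安全加固开始 ===
1. 账户安全加固
2. SSH安全加固
3. 服务加固
4. 文件权限加固
5. 内核安全加固
=== 系统安全加固完成 ===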

风哥针对安全防护建议:

  • 配置严格的防火墙策略
  • 部署入侵检测系统
  • 定期进行漏洞扫描
  • 实施系统安全加固
  • 建立安全运维流程

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
