1. Overview of IT System Security
IT system security management is the set of measures that protect an enterprise's information systems from unauthorised access, use, disclosure, modification or destruction. Effective security management ensures business continuity, protects sensitive data and meets compliance requirements.
# Check firewalld status
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2026-03-30 10:00:00 CST; 1h ago
Docs: man:firewalld(1)
Main PID: 1234 (firewalld)
CGroup: /system.slice/firewalld.service
└─1234 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
# Check SELinux status
# getenforce
Enforcing
# Check for available system updates
# yum check-update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.fgedu.net.cn
* epel: mirror.fgedu.net.cn
* extras: mirror.fgedu.net.cn
* updates: mirror.fgedu.net.cn
No packages marked for update
2. Access Control Management
Access control is the core of security management: it ensures that only authorised users can access system resources.
# Create a user with a home directory and a bash login shell
# useradd -m -s /bin/bash user1
# Set the user's password
# passwd user1
Changing password for user user1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# Create a group
# groupadd admin
# Add the user to the group (-a appends instead of replacing existing memberships)
# usermod -aG admin user1
# Verify group membership
# id user1
uid=1001(user1) gid=1001(user1) groups=1001(user1),1002(admin)
# Set file permissions: only the owner may enter or list the home directory
# chmod 700 /home/user1
# chown user1:user1 /home/user1
# Verify permissions
# ls -la /home/user1
drwx------ 2 user1 user1 4096 Mar 30 10:00 .
drwxr-xr-x 3 root root 4096 Mar 30 10:00 ..
3. Password Policy Management
A strong password policy is an important defence against unauthorised access; it covers password length, complexity, expiry and related settings.
# cat /etc/login.defs | grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_MIN_LEN|PASS_WARN_AGE"
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 8
PASS_WARN_AGE 7
# Configure password complexity
# cat /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size
minlen = 12
#
# Minimum number of lowercase characters
# lcredit = 1
#
# Minimum number of uppercase characters
ucredit = 1
#
# Minimum number of digits
# dcredit = 1
#
# Minimum number of other characters
# ocredit = 1
#
# Forbid the use of the same password for all authentication tokens
# enforcing_for_root
# Hash a sample password with SHA-512 crypt (Python's crypt module is deprecated since 3.11 and removed in 3.13)
# python3 -c "import crypt; print(crypt.crypt('StrongP@ssw0rd', crypt.mksalt(crypt.METHOD_SHA512)))"
$6$rounds=4096$example$hashvalue
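As an added example that is not part of the original tutorial, the following Python code applies pwquality's credit rules to the configuration shown above. A positive credit such as ucredit = 1 only grants a length bonus and does not require an uppercase character; only a negative value (ucredit = -1) enforces a minimum, which the dict(conf, ucredit=-1) case demonstrates. The configuration excerpt is a constructed sample.

```python
import re

# Constructed excerpt mirroring the pwquality.conf above: only minlen and ucredit
# are uncommented, so every other credit keeps the pwquality default of 1.
SAMPLE_CONF = """
# Minimum acceptable size
minlen = 12
# Minimum number of uppercase characters
ucredit = 1
"""

DEFAULTS = {"minlen": 8, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CLASSES = {"dcredit": str.isdigit, "ucredit": str.isupper, "lcredit": str.islower}


def parse_pwquality(text):
    """Read 'key = value' lines, ignoring comments, on top of the defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = re.fullmatch(r"(\w+)\s*=\s*(-?\d+)", line.split("#", 1)[0].strip())
        if m:
            conf[m.group(1)] = int(m.group(2))
    return conf


def check_password(pw, conf):
    """Return the violations for pw under pwquality credit semantics: a credit of
    N >= 0 adds up to N bonus points to the effective length (it requires nothing),
    while a credit of -N demands at least N characters of that class."""
    counts = {cls: sum(1 for c in pw if test(c)) for cls, test in CLASSES.items()}
    counts["ocredit"] = len(pw) - sum(counts.values())  # everything else is "other"
    effective_len, violations = len(pw), []
    for cls, n in counts.items():
        credit = conf[cls]
        if credit >= 0:
            effective_len += min(n, credit)
        elif n < -credit:
            violations.append(f"{cls}: need at least {-credit}, found {n}")
    if effective_len < conf["minlen"]:
        violations.append(f"minlen: effective length {effective_len} < {conf['minlen']}")
    return violations
```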
4. Firewall Configuration
The firewall is the first line of defence for network security; it controls network traffic and blocks unauthorised access.
# firewall-cmd --state
running
# View the current rules
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Add a service
# firewall-cmd --permanent --add-service=http
success
# Add a port
# firewall-cmd --permanent --add-port=8080/tcp
success
# Reload the rules so the permanent changes take effect
# firewall-cmd --reload
success
# Verify the rules
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http
ports: 8080/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
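An added example (not from the original tutorial) that parses the firewall-cmd --list-all output shown above and compares the zone against an approved baseline, so that a service left enabled by default, such as dhcpv6-client, stands out. The zone dump is embedded as a constructed sample.

```python
# Constructed sample: the "firewall-cmd --list-all" output shown above after the
# http service and port 8080/tcp were added.
SAMPLE_LIST_ALL = """public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_list_all(text):
    """Turn the zone dump into a dict: 'zone' plus each 'key: values' line as a
    list of whitespace-separated tokens (empty list when nothing is set)."""
    lines = text.strip().splitlines()
    zone = {"zone": lines[0].split()[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        zone[key.strip()] = value.split()
    return zone


def firewall_drift(zone, allowed_services, allowed_ports):
    """Compare the live zone with an approved baseline in both directions, so the
    check catches extra exposure (e.g. a default service nobody reviewed) as well
    as an approved service that someone removed."""
    services, ports = set(zone.get("services", [])), set(zone.get("ports", []))
    return {
        "unexpected_services": sorted(services - set(allowed_services)),
        "missing_services": sorted(set(allowed_services) - services),
        "unexpected_ports": sorted(ports - set(allowed_ports)),
        "missing_ports": sorted(set(allowed_ports) - ports),
        "masquerade_enabled": zone.get("masquerade") == ["yes"],
    }
```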
5. Intrusion Detection and Prevention
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor for and block malicious activity.
# yum install -y epel-release
# yum install -y suricata
# Start the Suricata service
# systemctl start suricata
# systemctl enable suricata
# Check Suricata status
# systemctl status suricata
● suricata.service - LSB: Suricata IDS/IPS daemon
Loaded: loaded (/etc/rc.d/init.d/suricata; generated)
Active: active (running) since Wed 2026-03-30 10:00:00 CST; 1h ago
Docs: man:systemd-sysv-generator(8)
Process: 1234 ExecStart=/etc/rc.d/init.d/suricata start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/suricata.service
└─1235 /usr/sbin/suricata -c /etc/suricata/suricata.yaml -i eth0
# View Suricata alerts
# tail -f /var/log/suricata/fast.log
03/30/2026-10:00:00.123456 [**] [1:2000000:1] TEST RULE [**] [Classification: Generic Detection] [Priority: 3] {TCP} 192.168.1.100:12345 -> 192.168.1.1:80
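Added example, not part of the original tutorial: a parser for the fast.log alert format shown above plus a small triage that surfaces priority-1 and priority-2 alerts and counts hits per signature and per source host. All sample lines are constructed, and the signatures with sid 9000001 and 9000002 are invented placeholders.

```python
import re
from collections import Counter

# Constructed fast.log lines: the first is the alert shown above, the rest are
# invented (sids 9000001 and 9000002 are made-up signatures) to exercise repeats,
# a priority-1 alert and an ICMP alert that carries no ports.
SAMPLE_FAST_LOG = """\
03/30/2026-10:00:00.123456  [**] [1:2000000:1] TEST RULE [**] [Classification: Generic Detection] [Priority: 3] {TCP} 192.168.1.100:12345 -> 192.168.1.1:80
03/30/2026-10:00:05.000001  [**] [1:2000000:1] TEST RULE [**] [Classification: Generic Detection] [Priority: 3] {TCP} 192.168.1.100:12346 -> 192.168.1.1:80
03/30/2026-10:01:00.000002  [**] [1:9000001:2] CONSTRUCTED high priority alert [**] [Classification: Constructed Test] [Priority: 1] {TCP} 192.168.1.1:80 -> 192.168.1.100:12345
03/30/2026-10:02:00.000003  [**] [1:9000002:1] CONSTRUCTED ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.100 -> 192.168.1.1
"""

# One regex for the fast.log layout (IPv4 only here; ports are optional for ICMP).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_log(text):
    """Parse every line that matches the layout; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            alert = m.groupdict()
            alert["sid"], alert["priority"] = int(alert["sid"]), int(alert["priority"])
            alerts.append(alert)
    return alerts


def triage(alerts, max_priority=2):
    """Return (urgent alerts, count per signature, count per source host).
    Suricata priority 1 is the most severe, so 'urgent' means priority <= max_priority."""
    urgent = [a for a in alerts if a["priority"] <= max_priority]
    by_signature = Counter((a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    return urgent, by_signature, by_source
```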
6. Security Auditing
Security auditing records and analyses system activity to detect anomalous behaviour and demonstrate compliance.
# yum install -y audit
# Start the auditd service
# systemctl start auditd
# systemctl enable auditd
# Check auditd status
# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2026-03-30 10:00:00 CST; 1h ago
Docs: man:auditd(8)
man:auditctl(8)
man:audit.rules(5)
Main PID: 1234 (auditd)
CGroup: /system.slice/auditd.service
└─1234 /sbin/auditd
# Add an audit rule: watch /etc/passwd for writes (w) and attribute changes (a), tagged with a key
# (rules added with auditctl are lost at reboot; persist them in /etc/audit/rules.d/*.rules)
# auditctl -w /etc/passwd -p wa -k passwd_changes
# List the active audit rules
# auditctl -l
-w /etc/passwd -p wa -k passwd_changes
# Search the audit log by key
# ausearch -k passwd_changes
----
type=CONFIG_CHANGE msg=audit(1234567890.123:456): audit(1234567890.123:456): policy loaded auid=0 ses=1 res=1
----
type=SYSCALL msg=audit(1234567890.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7f8a1b2c3d4e a1=2 a2=0 a3=0 items=2 ppid=1234 pid=5678 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="passwd_changes"
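Added example, not from the original tutorial: a parser for the ausearch SYSCALL record above that maps syscall=2 on arch=c000003e (x86_64) to open and compares the login uid (auid) with the uid the call ran as, so an edit made as root after su or sudo is attributed to the actual person. The second record is a constructed variant with auid=1001.

```python
import re
import shlex

# Constructed records in the layout ausearch prints. The first is the SYSCALL
# record shown above; the second is an invented variant in which a user who logged
# in as uid 1001 edited the file as root, which a good audit view should highlight.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1234567890.123:456): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7f8a1b2c3d4e a1=2 a2=0 a3=0 items=2 ppid=1234 pid=5678 auid=0 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vim" '
    'exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'key="passwd_changes"',
    'type=SYSCALL msg=audit(1234567891.456:789): arch=c000003e syscall=2 success=yes '
    'exit=4 auid=1001 uid=0 euid=0 tty=pts1 ses=2 comm="vim" exe="/usr/bin/vim" '
    'key="passwd_changes"',
]

# Minimal syscall table for arch=c000003e (x86_64); only the numbers this example uses.
X86_64_SYSCALLS = {2: "open", 82: "rename", 90: "chmod", 92: "chown", 257: "openat"}
UNSET_AUID = 4294967295  # the kernel stores "no login uid" as -1 in an unsigned field


def parse_audit_record(line):
    """Split one record into a dict of key=value fields; quoted values lose their
    quotes, and msg=audit(TIME:SERIAL): becomes the 'time' and 'serial' fields."""
    rec = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        m = re.fullmatch(r"audit\((\d+\.\d+):(\d+)\):?", value)
        if key == "msg" and m:
            rec["time"], rec["serial"] = float(m.group(1)), int(m.group(2))
        else:
            rec[key] = value
    return rec


def describe_syscall_event(rec):
    """Summarise who touched the watched file. auid is the uid of the original login
    session and survives su/sudo, so it is the accountable identity; uid is the
    identity the syscall ran as. A mismatch means the edit happened after escalation."""
    auid, uid = int(rec.get("auid", UNSET_AUID)), int(rec.get("uid", -1))
    return {
        "key": rec.get("key"),
        "syscall": X86_64_SYSCALLS.get(int(rec.get("syscall", -1)), rec.get("syscall")),
        "succeeded": rec.get("success") == "yes",
        "login_uid": None if auid == UNSET_AUID else auid,
        "process": f"{rec.get('comm')} ({rec.get('exe')})",
        "escalated": auid != UNSET_AUID and auid != uid,
    }
```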
7. Patch Management
Applying security patches promptly is key to preventing exploitation of system vulnerabilities.
# yum check-update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.fgedu.net.cn
* epel: mirror.fgedu.net.cn
* extras: mirror.fgedu.net.cn
* updates: mirror.fgedu.net.cn
# Install security updates only
# yum update --security
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.fgedu.net.cn
* epel: mirror.fgedu.net.cn
* extras: mirror.fgedu.net.cn
* updates: mirror.fgedu.net.cn
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.2k-19.el7 will be updated
---> Package openssl.x86_64 1:1.0.2k-21.el7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
openssl x86_64 1:1.0.2k-21.el7 updates 1.5 M
Transaction Summary
================================================================================
Upgrade 1 Package
Total download size: 1.5 M
Is this ok [y/d/N]: y
Downloading packages:
openssl-1.0.2k-21.el7.x86_64.rpm | 1.5 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : 1:openssl-1.0.2k-21.el7.x86_64 1/2
Cleanup : 1:openssl-1.0.2k-19.el7.x86_64 2/2
Verifying : 1:openssl-1.0.2k-21.el7.x86_64 1/2
Verifying : 1:openssl-1.0.2k-19.el7.x86_64 2/2
Updated:
openssl.x86_64 1:1.0.2k-21.el7
Complete!
# Check the OS release
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
8. Data Encryption
Data encryption protects sensitive information against unauthorised access and data leakage.
# yum install -y openssl
# Generate an RSA key pair (for asymmetric uses such as signing or key exchange)
# openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus
......................................+++
..............+++
e is 65537 (0x10001)
# Extract the public key
# openssl rsa -in private.key -pubout -out public.key
writing RSA key
# Create a random passphrase file for symmetric encryption. Do not point "-pass file:" at the
# PEM private key: that option reads only the first line of the file, so the passphrase would
# be a well-known header line such as "-----BEGIN RSA PRIVATE KEY-----".
# openssl rand -base64 32 > secret.pass
# chmod 600 secret.pass
# Encrypt a file (-md sha256 avoids the MD5-based key derivation that OpenSSL 1.0.2 uses by default)
# echo "敏感数据" > secret.txt
# openssl enc -aes-256-cbc -salt -md sha256 -in secret.txt -out secret.txt.enc -pass file:secret.pass
# Decrypt the file
# openssl enc -d -aes-256-cbc -md sha256 -in secret.txt.enc -out secret.txt.dec -pass file:secret.pass
# Verify the decrypted result
# cat secret.txt.dec
敏感数据
9. Security Monitoring
Security monitoring detects and responds to security events in real time to keep systems secure.
# rpm -ivh https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.10-1.x86_64.rpm
# Configure the Wazuh agent (at minimum, set the manager address)
# vi /var/ossec/etc/ossec.conf
# Start the Wazuh agent
# systemctl start wazuh-agent
# systemctl enable wazuh-agent
# Check Wazuh agent status
# systemctl status wazuh-agent
● wazuh-agent.service - Wazuh Agent
Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2026-03-30 10:00:00 CST; 1h ago
Docs: https://documentation.wazuh.com
Main PID: 1234 (wazuh-agentd)
CGroup: /system.slice/wazuh-agent.service
├─1234 /var/ossec/bin/wazuh-agentd
├─1235 /var/ossec/bin/wazuh-execd
├─1236 /var/ossec/bin/wazuh-syscheckd
├─1237 /var/ossec/bin/wazuh-logcollector
└─1238 /var/ossec/bin/wazuh-monitord
10. Security Best Practices
Following security best practices measurably improves system security and reduces risk.
# Grant users only the permissions they need (least privilege)
# Back up regularly
# crontab -e
0 2 * * * /usr/bin/rsync -av /data /backup
# Enable log rotation
# cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
{
daily
rotate 7
compress
delaycompress
missingok
postrotate
/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
# Scan your own hosts regularly to find unexpected open services
# nmap -sV -p 1-65535 192.168.1.1
Starting Nmap 7.70 ( https://nmap.org ) at 2026-03-30 10:00 CST
Nmap scan report for 192.168.1.1
Host is up (0.001s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
This article was compiled and published by 风哥教程 for learning and testing use only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
