
IT Tutorial FG278: IT System Security Hardening and Auditing

1. Overview of Security Hardening and Auditing

Security hardening and auditing are a core part of IT operations. Hardening raises the bar an attacker has to clear; auditing finds and fixes the weaknesses that remain. Done well, the two together keep a system secure and reliable and reduce its exposure to vulnerabilities and attacks. More tutorials: www.fgedu.net.cn

2. System Security Hardening

System hardening covers the operating system's security configuration, user privilege management, password policy and similar controls, so that the base system itself is secure before anything is built on it.

# Check the OS version (everything below targets CentOS 7)
# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

# Install updates. "yum update -y" applies every pending update; "yum update --security" limits it
# to security errata on RHEL, but CentOS repositories ship no errata metadata, so on CentOS the
# full update is the only way to get the security fixes
# yum update -y

# Configure the firewall (firewalld must be installed and running; --permanent writes the rule
# to disk and --reload applies it to the running firewall; only open the services this host serves)
# firewall-cmd --permanent --add-service=ssh
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --reload

# Configure SELinux: setenforce switches to enforcing mode immediately, the config file makes it
# persist across reboots (verify with getenforce)
# setenforce 1
# vi /etc/selinux/config
SELINUX=enforcing

# Password quality policy (enforced through pam_pwquality whenever passwd is run; root is exempt
# unless enforce_for_root is also set)
# vi /etc/security/pwquality.conf
# at least 12 characters drawn from at least 3 of the 4 character classes
minlen = 12
minclass = 3
# a negative "credit" is a minimum count: at least one digit, upper-case, lower-case and special
# character (with all four required, minclass = 3 is satisfied automatically)
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1

# Idle shell timeout in seconds. A plain export can be undone by the user with "unset TMOUT";
# marking the variable read-only makes the timeout stick
# vi /etc/profile
export TMOUT=300
readonly TMOUT

# Configure the SSH daemon
# vi /etc/ssh/sshd_config
PermitRootLogin no
# The tutorial keeps password logins enabled. Once every administrator has an SSH key deployed,
# set this to "no", so that MaxAuthTries and fail2ban are no longer the only defence against guessing
PasswordAuthentication yes
MaxAuthTries 3
# Drop idle sessions after ClientAliveInterval * ClientAliveCountMax = 600 seconds
ClientAliveInterval 300
ClientAliveCountMax 2

# Validate the file, then restart. A syntax error stops sshd from starting and costs you remote
# access, so keep the current session open until a fresh login succeeds
# sshd -t && systemctl restart sshd

# Disable services a server does not need: stop them now and keep them from starting at boot
# (use "systemctl mask" if another package must not be able to pull them back in)
# systemctl stop cups
# systemctl disable cups
# systemctl stop avahi-daemon
# systemctl disable avahi-daemon
# systemctl stop bluetooth
# systemctl disable bluetooth
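A way to verify the sshd settings above without trusting a quick grep, as an added example that is not code from the original tutorial. It follows sshd's own parsing rules, which ad-hoc checks get wrong: keywords are case-insensitive, the first occurrence of a directive wins and later duplicates are ignored, anything below a "Match" line is conditional rather than global, and an absent directive takes the compiled-in default. The two sample files and the default values (those of OpenSSH 7.x as shipped with CentOS 7) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: an offline checker for the sshd_config
# directives set above. Sample configs are constructed below; defaults are OpenSSH 7.x values.

# effective_value FILE KEYWORD DEFAULT
#   Print the global value sshd would use for KEYWORD (lower-cased), or DEFAULT if unset.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/             { next }   # comment or blank line
        tolower($1) == "match"     { exit }   # end of the global section
        tolower($1) == tolower(key) && !found { found = 1; print tolower($2) }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# passes VALUE MODE TARGET
#   eq  : VALUE must equal TARGET
#   max : VALUE must be an integer with 1 <= VALUE <= TARGET (0 disables the
#         ClientAlive* mechanism entirely, so it is rejected as well)
passes() {
    case $2 in
        eq)  [ "$1" = "$3" ] ;;
        max) case $1 in ''|*[!0-9]*) return 1 ;; esac
             [ "$1" -ge 1 ] && [ "$1" -le "$3" ] ;;
    esac
}

# check_sshd_config FILE
#   Prints one line per directive and returns the number of failing directives
#   (0 = matches the tutorial's settings).
check_sshd_config() {
    file=$1 fails=0
    for spec in \
        'PermitRootLogin|prohibit-password|eq|no' \
        'MaxAuthTries|6|max|3' \
        'ClientAliveInterval|0|max|300' \
        'ClientAliveCountMax|3|max|2'
    do
        old_ifs=$IFS; IFS='|'; set -- $spec; IFS=$old_ifs   # keyword default mode target
        got=$(effective_value "$file" "$1" "$2")
        if passes "$got" "$3" "$4"; then
            printf 'OK    %-20s %s\n' "$1" "$got"
        else
            printf 'FAIL  %-20s %s (want %s %s)\n' "$1" "$got" "$3" "$4"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_samples DIR
#   Writes two constructed sshd_config fragments (not real captures): DIR/hardened follows
#   the tutorial, DIR/weak shows the usual mistakes (missing directives, wrong values).
write_samples() {
    cat > "$1/hardened" <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
Match Address 192.168.1.0/24
    MaxAuthTries 6
EOF
    cat > "$1/weak" <<'EOF'
maxauthtries 6
ClientAliveInterval 300
ClientAliveInterval 0
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in hardened weak; do
    echo "== $f =="
    check_sshd_config "$dir/$f" || echo "   $? directive(s) need attention"
done
rm -r "$dir"
```

Point `check_sshd_config` at the real `/etc/ssh/sshd_config` to audit a host; the weak sample shows why "first wins" matters: its second `ClientAliveInterval 0` line looks like it disables the keepalive but is ignored by sshd, while the commented-out `PermitRootLogin yes` in the hardened sample would fool a grep.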

3. Network Security Hardening

Network hardening covers the security configuration of network-facing services, network access control and intrusion detection, so that the host is exposed only to the traffic it is meant to receive.

# Host-based access control (TCP Wrappers). Only daemons linked against libwrap honour these
# files: on CentOS 7 sshd does, httpd does not, so the httpd line below has no effect and web
# access must be restricted with firewalld rich rules or Apache "Require ip" instead.
# hosts.allow is consulted first, so write it BEFORE putting "ALL: ALL" into hosts.deny on a
# remote host, or the SSH session you are working from is the next connection refused.
# vi /etc/hosts.allow
sshd: 192.168.1.0/24
httpd: 192.168.1.0/24

# vi /etc/hosts.deny
ALL: ALL

# Install and configure fail2ban (it comes from EPEL: run "yum install -y epel-release" first)
# yum install -y fail2ban
# vi /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
# CentOS/RHEL write sshd messages to /var/log/secure; /var/log/auth.log is the Debian/Ubuntu
# path, and fail2ban refuses to start a jail whose logpath does not exist
logpath = /var/log/secure
# ban a source after 5 failures within the default findtime (600 s) for one hour
maxretry = 5
bantime = 3600

# Start fail2ban. Check that /etc/fail2ban/jail.d/00-firewalld.conf (from fail2ban-firewalld)
# is present so bans are applied through firewalld rich rules; bans inserted straight into
# iptables are lost the next time firewalld reloads
# systemctl start fail2ban
# systemctl enable fail2ban
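The detection logic behind the sshd jail above, run offline over constructed /var/log/secure lines so you can see which sources it would ban and why: an added example, not code from the original tutorial or from the fail2ban project. As in fail2ban, a source is banned once it reaches `maxretry` failures inside a sliding window of `findtime` seconds; failures spread out more thinly than that (a slow brute force) never cross the threshold, which is why `findtime` matters as much as `maxretry`. The log lines, hostnames and IP addresses are constructed, timestamps are assumed to fall on one day, and the ban command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: fail2ban-style sliding-window detection
# over constructed sshd log lines, plus the firewalld command a ban would translate to.

# ban_candidates LOGFILE MAXRETRY FINDTIME
#   Prints "IP failures time" once for each source that reaches MAXRETRY failed password
#   attempts within any FINDTIME-second window. Only sshd "Failed password" lines count;
#   "Accepted" lines and other daemons are ignored, as the fail2ban sshd filter does.
ban_candidates() {
    awk -v maxretry="$2" -v findtime="$3" '
        function tosec(hms,  p) { split(hms, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        $5 ~ /^sshd\[[0-9]+\]:$/ && /Failed password for/ {
            for (i = 6; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            now = tosec($3)
            n[ip]++; ts[ip, n[ip]] = now
            # count this source'"'"'s failures inside the window that ends now
            hits = 0
            for (j = n[ip]; j >= 1 && now - ts[ip, j] <= findtime; j--) hits++
            if (hits >= maxretry && !banned[ip]) {
                banned[ip] = 1
                print ip, hits, $3
            }
        }
    ' "$1"
}

# ban_command IP SECONDS
#   Prints the firewalld rich rule that rejects IP for SECONDS (runtime only, expires by
#   itself), which is what fail2ban'"'"'s firewallcmd-rich-rules action runs. Dry run: printed,
#   not executed.
ban_command() {
    printf "firewall-cmd --timeout=%s --add-rich-rule=\"rule family='ipv4' source address='%s' reject\"\n" "$2" "$1"
}

# write_sample_log FILE
#   Constructed /var/log/secure excerpt: a fast attacker (203.0.113.5, five failures in 15 s),
#   a slow one (198.51.100.7, one failure every 15 minutes) and a legitimate admin typo.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 30 10:00:02 fgedu sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 30 10:00:05 fgedu sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 30 10:00:09 fgedu sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 30 10:00:12 fgedu sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 30 10:00:15 fgedu sshd[2107]: Accepted publickey for deploy from 192.168.1.20 port 40000 ssh2
Mar 30 10:00:17 fgedu sshd[2109]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 30 10:00:20 fgedu sshd[2111]: Failed password for root from 198.51.100.7 port 60001 ssh2
Mar 30 10:15:20 fgedu sshd[2113]: Failed password for root from 198.51.100.7 port 60002 ssh2
Mar 30 10:30:20 fgedu sshd[2115]: Failed password for root from 198.51.100.7 port 60003 ssh2
Mar 30 10:45:20 fgedu sshd[2117]: Failed password for root from 198.51.100.7 port 60004 ssh2
Mar 30 11:00:20 fgedu sshd[2119]: Failed password for root from 198.51.100.7 port 60005 ssh2
Mar 30 11:00:21 fgedu sshd[2121]: Failed password for deploy from 192.168.1.20 port 40002 ssh2
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "maxretry=5 findtime=600 (the jail above):"
ban_candidates "$log" 5 600 | while read -r ip hits at; do
    echo "  $ip: $hits failures by $at"
    ban_command "$ip" 3600
done
echo "same log with findtime=3600 also catches the slow attacker:"
ban_candidates "$log" 5 3600
rm -f "$log"
```

With the tutorial's `maxretry = 5` and the default `findtime`, only 203.0.113.5 is banned; the slow attacker at 198.51.100.7 needs `findtime = 3600` to be caught. Raising `findtime` is cheap; raising `maxretry` is what lets slow guessing through.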

# Kernel network parameters. /etc/sysctl.conf is what "sysctl -p" loads; on CentOS 7 a drop-in
# under /etc/sysctl.d/ is the cleaner place. The conf.all.* keys apply to interfaces that exist
# now; set the matching conf.default.* keys too so interfaces created later inherit them.
# vi /etc/sysctl.conf
# do not answer ICMP echo sent to broadcast addresses (Smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# strict reverse-path filtering: drop packets whose source is not routable back through the
# arrival interface (spoofing); use 2 (loose) on multi-homed hosts with asymmetric routes
net.ipv4.conf.all.rp_filter = 1
# refuse source-routed packets, ignore ICMP redirects, and never send redirects ourselves
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# SYN-flood resilience: SYN cookies, a larger half-open queue, fewer SYN-ACK retransmits
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# release FIN_WAIT2 sockets sooner
net.ipv4.tcp_fin_timeout = 30

# Apply the settings
# sysctl -p

4. Application Security Hardening

Application hardening covers the security configuration of web applications and application servers, so that the services running on the hardened host are themselves secure.

# Install a web application firewall (ModSecurity for Apache)
# yum install -y mod_security

# Configure ModSecurity. The package ships the engine plus the two custom rules shown here;
# real coverage comes from the OWASP Core Rule Set (yum install -y mod_security_crs).
# vi /etc/httpd/conf.d/mod_security.conf

SecRuleEngine On
SecRequestBodyAccess On
# "&" counts occurrences of the header: a regex of "^$" only matches a User-Agent that is present
# but empty, while a client that omits the header entirely would slip past it
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:1000,phase:1,deny,status:403,msg:'Missing User Agent'"
SecRule REQUEST_METHOD "^(PUT|DELETE)$" "id:1001,phase:1,deny,status:403,msg:'Forbidden Method'"

# Check the configuration, then restart Apache. On a production site run new rules with
# "SecRuleEngine DetectionOnly" first and review the audit log before switching to On
# apachectl configtest && systemctl restart httpd

# Configure Tomcat security
# vi /opt/tomcat/conf/server.xml

# Configure Tomcat access control
# vi /opt/tomcat/conf/tomcat-users.xml

# Restart Tomcat
# systemctl restart tomcat

5. Database Security Hardening

Database hardening covers the database's security configuration, user privilege management and password policy, so that the data tier is as well protected as the host.

# Secure the MySQL installation (interactive; the answers given below are the recommended ones)
# mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No:

Please set the password for root here.

New password:

Re-enter new password:

By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No): y
Success.

Normally, root should only be allowed to connect from
'fgedudb'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No): y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.

Remove test database and access to it? (Press y|Y for Yes, any other key for No): y
- Dropping test database...
Success.
- Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No): y
Success.

All done!

# Configure the MySQL password policy. These are the MySQL 5.7 variable names and they require
# the validate_password plugin, which the first prompt of mysql_secure_installation installs;
# mysqld refuses to start on an unknown variable, so prefix them with "loose-" if the plugin
# might be absent. STRONG adds a dictionary check (validate_password_dictionary_file) on top of
# MEDIUM; without a dictionary file it behaves like MEDIUM.
# vi /etc/my.cnf
[mysqld]
validate_password_policy = STRONG
validate_password_length = 12
validate_password_mixed_case_count = 1
validate_password_number_count = 1
validate_password_special_char_count = 1

# Restart MySQL
# systemctl restart mysqld

# List MySQL accounts: after mysql_secure_installation there should be no anonymous user
# (empty user column), no root entry for a remote host, and no test database
# mysql -u root -p -e "SELECT user, host FROM mysql.user;"
Enter password:
+---------------+---------+
| user          | host    |
+---------------+---------+
| root          | fgedudb |
| mysql.sys     | fgedudb |
| mysql.session | fgedudb |
+---------------+---------+
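An audit of the account table that goes beyond eyeballing the `SELECT user, host` output, as an added example that is not code from the original tutorial. It reads the rows that `mysql -N -B -e "SELECT user, host, plugin, authentication_string FROM mysql.user"` prints on MySQL 5.7 (tab-separated, no header) and flags the conditions mysql_secure_installation exists to remove: anonymous accounts, root reachable from the network, wildcard hosts and accounts with no password. The rows, hashes and the hostname `fgedudb` are constructed for the example; the `mysql.sys` placeholder hash is the one MySQL itself installs.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: audit mysql.user rows exported with
#   mysql -N -B -e "SELECT user, host, plugin, authentication_string FROM mysql.user" > users.tsv
# The sample rows written below are constructed.

# audit_mysql_users FILE LOCALNAME
#   LOCALNAME is this server's own hostname (the page's server is "fgedudb"); it counts as
#   local next to localhost/127.0.0.1/::1. Prints one finding per line and returns the number
#   of findings (0 = clean).
audit_mysql_users() {
    awk -F'\t' -v lh="$2" '
        {
            user = $1; host = $2; plugin = $3; auth = $4
            acct = "\047" user "\047@\047" host "\047"
            if (user == "") { print "anonymous account " acct ": drop it"; n++ }
            if (user == "root" && host != "localhost" && host != "127.0.0.1" && host != "::1" && host != lh)
                { print "root can log in from " host ": restrict root to local connections"; n++ }
            if (index(host, "%") > 0) { print "wildcard host in " acct ": narrow it to the client subnet or host"; n++ }
            # auth_socket/unix_socket accounts authenticate through the OS, so an empty hash is fine there
            if (auth == "" && plugin != "auth_socket" && plugin != "unix_socket")
                { print "no password set on " acct; n++ }
        }
        END { exit n }
    ' "$1"
}

# row USER HOST PLUGIN AUTH_STRING  -> one tab-separated line, as mysql -N -B prints it
row() { printf '%s\t%s\t%s\t%s\n' "$@"; }

# write_samples DIR
#   DIR/clean mirrors the page output after mysql_secure_installation; DIR/dirty adds the
#   accounts that script removes plus an application user with a wildcard host.
write_samples() {
    {
        row root          fgedudb mysql_native_password '*HASH-CONSTRUCTED-1'
        row mysql.sys     fgedudb mysql_native_password '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE'
        row mysql.session fgedudb mysql_native_password '*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE'
    } > "$1/clean"
    {
        cat "$1/clean"
        row ''   fgedudb       mysql_native_password ''
        row root '%'           mysql_native_password '*HASH-CONSTRUCTED-1'
        row app  '192.168.1.%' mysql_native_password '*HASH-CONSTRUCTED-2'
    } > "$1/dirty"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in clean dirty; do
    echo "== $f =="
    audit_mysql_users "$dir/$f" fgedudb && echo "   no findings"
done
rm -r "$dir"
```

The dirty sample yields five findings: the anonymous row counts twice (anonymous and passwordless), `root@'%'` counts twice (remote root and wildcard), and the application user's `192.168.1.%` host once. Each line maps to a `DROP USER` or a tighter `CREATE USER ... @'host'` on the live server.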

6. Security Auditing

Security auditing covers system, network and application log review, so that configuration drift and suspicious activity are noticed rather than assumed away.

# Install the audit framework (the CentOS package is named "audit"; auditd is the daemon it ships)
# yum install -y audit

# Start the audit daemon
# systemctl start auditd
# systemctl enable auditd

# Configure audit rules (files under /etc/audit/rules.d/ are merged by augenrules into
# /etc/audit/audit.rules; -w watches a path, -p wa records writes and attribute changes,
# -k tags the events with a key you can search for)
# vi /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/sudoers -p wa -k sudoers_changes
# watching all of /var/log records every log append: useful against log tampering, but very
# noisy, so size max_log_file in /etc/audit/auditd.conf accordingly
-w /var/log/ -p wa -k log_changes

# Load the rules. On CentOS 7 the auditd unit refuses to be stopped through systemctl
# (RefuseManualStop), so "systemctl restart auditd" fails; use the SysV wrapper or load the
# rules directly
# service auditd restart
# augenrules --load

# Search the audit log by key (the auid field is the login user, even when the command ran as root)
# ausearch -k passwd_changes
----
type=SYSCALL msg=audit(1234567890.123:1234): arch=c000003e syscall=2 success=yes exit=3 a0=7f1234567890 a1=241 a2=1b6 a3=7f1234567890 items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="passwd_changes"
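A small reader for the SYSCALL records ausearch prints, as an added example that is not code from the original tutorial. It turns the key=value record into the three facts an investigator needs per event: who logged in (auid, the login uid, which survives su and sudo), who the process was running as (uid), and which program touched the watched file; it then pulls out the records where the two uids differ, which are the ones to correlate with the sudo log first. auid=4294967295 means "unset": the process was not started from any login session (boot, cron, a daemon). The three records are constructed in the format of the tutorial's ausearch output; the first one is the page's own line.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: parse ausearch SYSCALL records and
# flag privilege-escalated changes to audited files. Sample records are constructed.

# summarize_audit FILE
#   One line per SYSCALL record: serial, epoch seconds, login uid, uid, exe, key.
summarize_audit() {
    awk '
        $1 == "type=SYSCALL" {
            split("", f)                       # clear the field map for this record
            for (i = 1; i <= NF; i++)
                if ((k = index($i, "=")) > 0) f[substr($i, 1, k - 1)] = substr($i, k + 1)
            m = f["msg"]; sub(/^audit\(/, "", m); sub(/\):$/, "", m)   # epoch.ms:serial
            split(m, t, ":")
            gsub(/"/, "", f["exe"]); gsub(/"/, "", f["key"])
            who = (f["auid"] == "4294967295") ? "no-login-session" : "login-uid=" f["auid"]
            printf "%s %d %s uid=%s %s key=%s\n", t[2], t[1], who, f["uid"], f["exe"], f["key"]
        }
    ' "$1"
}

# flag_escalations FILE
#   Records where a logged-in user acted under a different uid (su/sudo) on a watched file.
#   Prints "serial auid uid exe key".
flag_escalations() {
    summarize_audit "$1" | awk '
        $3 ~ /^login-uid=/ {
            auid = substr($3, 11); uid = substr($4, 5)
            if (auid != uid) print $1, auid, uid, $5, $6
        }
    '
}

# write_sample FILE
#   Constructed ausearch output: an admin (auid 1000) editing /etc/passwd as root via su/sudo,
#   a useradd run from a boot or cron context (no login session), and a direct root login.
write_sample() {
    cat > "$1" <<'EOF'
----
type=SYSCALL msg=audit(1234567890.123:1234): arch=c000003e syscall=2 success=yes exit=3 a0=7f1234567890 a1=241 a2=1b6 a3=7f1234567890 items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="passwd_changes"
----
type=SYSCALL msg=audit(1234567950.456:1240): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=5701 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
----
type=SYSCALL msg=audit(1234568000.789:1251): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=6000 pid=6010 auid=0 uid=0 gid=0 euid=0 tty=pts1 ses=2 comm="vipw" exe="/usr/sbin/vipw" key="passwd_changes"
EOF
}

f=$(mktemp)
write_sample "$f"
echo "all records:";            summarize_audit "$f"
echo "escalated changes:";      flag_escalations "$f"
rm -f "$f"
```

On a live host feed it with `ausearch -k passwd_changes | summarize_audit /dev/stdin` or save the ausearch output to a file first. The third sample record (auid=0, a direct root session) is exactly what `PermitRootLogin no` in section 2 is meant to make impossible: with it in place, every change to /etc/passwd should carry a real user's auid.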

# Install a log summary tool
# yum install -y logwatch

# Configure logwatch (the package also installs a daily cron job that mails this report)
# vi /etc/logwatch/conf/logwatch.conf
MailTo = admin@fgedu.net.cn
Detail = High

# Run a report on demand
# logwatch --detail High --mailto admin@fgedu.net.cn

7. Security Monitoring

Security monitoring watches the system's security state, network traffic and application behaviour in real time, so that problems are detected and handled as they happen rather than at the next audit.

# Install a host-based intrusion detection system (ossec-hids is not in the CentOS or EPEL
# repositories; the RPMs come from the Atomicorp repository)
# yum install -y ossec-hids

# Configure OSSEC: mail alerts, the logs to watch, and a local rule. The page's values are shown
# with their XML elements restored. /var/log/auth.log does not exist on CentOS (sshd and sudo log
# to /var/log/secure), and rules belong in /var/ossec/rules/local_rules.xml rather than
# ossec.conf; id 1002 is already used by a stock OSSEC syslog rule, so a local rule needs its own
# id in the 100000-119999 range (or overwrite="yes" to replace the stock rule).
# vi /var/ossec/etc/ossec.conf
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@fgedu.net.cn</email_to>
    <smtp_server>smtp.fgedu.net.cn</smtp_server>
    <email_from>ossec@fgedu.net.cn</email_from>
  </global>

  <localfile>
    <location>/var/log/secure</location>
    <log_format>syslog</log_format>
  </localfile>

  <localfile>
    <location>/var/log/auth.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <localfile>
    <location>/var/log/messages</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>

# vi /var/ossec/rules/local_rules.xml
<group name="local,syslog,">
  <rule id="1002" level="7">
    <description>System started.</description>
    <match>Starting systemd</match>
  </rule>
</group>

# Start OSSEC
# systemctl start ossec-hids
# systemctl enable ossec-hids

# Install a network intrusion detection system (snort is not in the CentOS or EPEL repositories;
# download the RPM, and the daq package it depends on, from snort.org)
# yum install -y snort

# Configure Snort: HOME_NET is the network you are protecting, everything else is external
# vi /etc/snort/snort.conf
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var RULE_PATH /etc/snort/rules

# Start Snort
# systemctl start snort
# systemctl enable snort

# Follow the OSSEC alert log
# tail -f /var/ossec/logs/alerts/alerts.log
2026-03-30 10:00:00 alert: Rule 1002 fired (level 7) -> “System started.”
2026-03-30 10:00:00 src ip: 127.0.0.1
2026-03-30 10:00:00 dst ip: 127.0.0.1
2026-03-30 10:00:00 src port: 0
2026-03-30 10:00:00 dst port: 0
2026-03-30 10:00:00 protocol: tcp
2026-03-30 10:00:00 user: root
2026-03-30 10:00:00 program: systemd
2026-03-30 10:00:00 log: Starting systemd 219

8. Best Practices for Security Hardening and Auditing

Best practice covers regular security scanning, vulnerability assessment, security training and the like, so that the system stays secure and reliable over time rather than only on the day it was hardened.

Best practices for hardening and auditing:

  • Scan regularly for vulnerabilities, and fix what is found
  • Run vulnerability assessments to establish the system's actual security posture
  • Set up a security audit process and review security configuration on a schedule
  • Monitor security state continuously so that incidents are seen as they happen
  • Train staff regularly to raise security awareness
  • Establish an incident response process so that security events are handled quickly
  • Keep the system and applications updated to close known vulnerabilities
  • Write a security policy that standardises system configuration
Tip from Fengge: hardening and auditing are a continuous process. Security configuration has to be re-checked and tuned on a regular basis to keep the system secure and reliable, and a mature incident response process is what turns detection into actual defensive capability.

This article was compiled and published by Fengge Tutorials for learning and testing purposes only. When reposting, credit the source: http://www.fgedu.net.cn/10327.html
