LinuxЧÀÍÆ÷Çå¾²ÐÔÊÃ÷ÈÕ½£ºÓÃÏÂÁîÐй¤¾ß¾ÙÐзÀÓù
LinuxЧÀÍÆ÷Çå¾²ÐÔÊÃ÷ÈÕ½£ºÓÃÏÂÁîÐй¤¾ß¾ÙÐзÀÓù
СÐò£º
×÷ΪһÃûLinuxЧÀÍÆ÷ÖÎÀíÔ±£¬ÎÒÃDZØÐèʱ¿Ì±£»¤Ð§ÀÍÆ÷µÄÇå¾²ÐÔ¡£ÔÚÒ»Ñùƽ³£ÊÂÇéÖУ¬Ê¹ÓÃÏÂÁîÐй¤¾ß¾ÙÐÐЧÀÍÆ÷µÄ·ÀÓùÊÇÒ»ÖÖ¼òÆÓ¸ßЧµÄÒªÁì¡£±¾ÎĽ«ÏÈÈÝһЩ³£ÓõÄÏÂÁîÐй¤¾ß£¬²¢¸ø³öÏìÓ¦µÄ´úÂëʾÀý£¬×ÊÖúÖÎÀíÔ±ÔöǿЧÀÍÆ÷µÄÇå¾²ÐÔ¡£
Ò»¡¢·À»ðǽÉèÖÃ
·À»ðǽÊDZ£»¤Ð§ÀÍÆ÷ÃâÊܶñÒâ¹¥»÷µÄÖ÷Òª¹¤¾ß¡£LinuxϵͳÖг£ÓõķÀ»ðǽ¹¤¾ßÊÇiptables¡£ÒÔÏÂÊÇһЩ³£ÓõÄiptablesÏÂÁÓÃÓÚÉèÖÃЧÀÍÆ÷µÄ·À»ðǽ¹æÔò£º
ÔÊÐíÖ¸¶¨IP»á¼ûÌض¨¶Ë¿Ú£º
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
µÇ¼ºó¸´ÖÆ
¾Ü¾øËùÓÐÆäËûIP»á¼ûÖ¸¶¨¶Ë¿Ú£º
iptables -A INPUT -p tcp --dport 22 -j DROP
µÇ¼ºó¸´ÖÆ
Éó²éÄ¿½ñ·À»ðǽ¹æÔò£º
iptables -L
µÇ¼ºó¸´ÖÆ
¶þ¡¢SSHÇå¾²ÉèÖÃ
SSHÊÇЧÀÍÆ÷Óë¿Í»§¶ËÖ®¼äÇ徲ͨѶµÄ»ù´¡¡£Æ¾Ö¤ÏêϸÐèÇ󣬿ÉÒÔ¶ÔSSH¾ÙÐÐÒÔÏÂÇå¾²ÉèÖãº
ÐÞ¸ÄSSHĬÈ϶˿ڣ¨Ä¬ÒÔΪ22£©£º
vi /etc/ssh/sshd_config # ÐÞ¸ÄPort 22ΪÆäËû¶Ë¿ÚºÅ
µÇ¼ºó¸´ÖÆ
եȡrootÓû§Í¨¹ýSSHÔ¶³ÌµÇ¼£º
vi /etc/ssh/sshd_config # ÐÞ¸ÄPermitRootLoginΪno
µÇ¼ºó¸´ÖÆ
եȡ¿ÕÃÜÂëµÇ¼£º
vi /etc/ssh/sshd_config # ÐÞ¸ÄPermitEmptyPasswordsΪno
µÇ¼ºó¸´ÖÆ
Èý¡¢ÈëÇÖ¼ì²âϵͳ£¨HIDS£©
ÈëÇÖ¼ì²âϵͳ£¨Host-based Intrusion Detection System£¬¼ò³ÆHIDS£©¿ÉÒÔ¼ì²âºÍ·ÀÓùЧÀÍÆ÷ÉϵÄÇå¾²Íþв¡£ÒÔÏÂÊÇһЩ³£ÓõÄHIDS¹¤¾ßºÍÏÂÁ
ʹÓÃOpen Source Tripwire¾ÙÐÐÎļþÍêÕûÐÔ¼ì²é£º
tripwire --check
µÇ¼ºó¸´ÖÆ
ʹÓÃAIDE£¨Advanced Intrusion Detection Environment£©¾ÙÐÐÎļþÍêÕûÐÔ¼ì²é£º
aide --check
µÇ¼ºó¸´ÖÆ
ËÄ¡¢ÍøÂçÁ÷Á¿ÆÊÎö
ÍøÂçÁ÷Á¿ÆÊÎö¿ÉÒÔ×ÊÖúÖÎÀíÔ±¼à¿ØЧÀÍÆ÷µÄÍøÂçÔ˶¯£¬ÊµÊ±·¢Ã÷Òì³£²¢½ÓÄÉÏìÓ¦µÄÇå¾²²½·¥¡£ÒÔÏÂÊÇһЩ³£ÓõÄÍøÂçÁ÷Á¿ÆÊÎö¹¤¾ßºÍÏÂÁ
ʹÓÃtcpdump²¶»ñÍøÂçÁ÷Á¿£º
tcpdump -i eth0 -s 0 -w output.pcap
µÇ¼ºó¸´ÖÆ
ʹÓÃWiresharkÆÊÎö²¶»ñµÄÍøÂçÁ÷Á¿£º
wireshark -r output.pcap
µÇ¼ºó¸´ÖÆ
Îå¡¢ÈÕÖ¾ÆÊÎö
ÈÕÖ¾ÆÊÎöÊÇʵʱ·¢Ã÷ЧÀÍÆ÷Òì³£µÄÖ÷ÒªÊֶΡ£ÒÔÏÂÊÇһЩ³£ÓõÄÈÕÖ¾ÆÊÎö¹¤¾ßºÍÏÂÁ
ͳ¼ÆµÇ¼ʧ°ÜµÄÓû§£º
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn
µÇ¼ºó¸´ÖÆ
¼ì²éµÇ¼ÀֳɵÄÓû§£º
grep "Accepted password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn
µÇ¼ºó¸´ÖÆ
Áù¡¢ÃÜÂëÇå¾²Õ½ÂÔ
ÓÅÒìµÄÃÜÂëÇå¾²Õ½ÂÔÊDZ£»¤Ð§ÀÍÆ÷Çå¾²ÐÔµÄÒªº¦¡£ÒÔÏÂÊÇһЩ³£ÓõÄÃÜÂëÇå¾²Õ½ÂÔÏÂÁ
ÐÞ¸ÄÃÜÂë×îС³¤¶È£º
vi /etc/login.defs # ÐÞ¸ÄPASS_MIN_LENΪËùÐèµÄ×îСÃÜÂ볤¶È
µÇ¼ºó¸´ÖÆ
ÃÜÂëÖØƯºóÕ½ÂÔÉèÖãº
vi /etc/pam.d/common-password # ÐÞ¸Äpassword requisite pam_cracklib.so²ÎÊý£¬ÉèÖÃÃÜÂëÖØƯºóÕ½ÂÔ
µÇ¼ºó¸´ÖÆ
½áÂÛ£º
ͨ¹ýÔËÓÃÏÂÁîÐй¤¾ß¾ÙÐзÀÓù£¬ÎÒÃÇ¿ÉÒÔÌá¸ßLinuxЧÀÍÆ÷µÄÇå¾²ÐÔ¡£±¾ÎÄÏÈÈÝÁËһЩ³£ÓõÄÏÂÁîÐй¤¾ß£¬²¢¸ø³öÁËÏìÓ¦µÄ´úÂëʾÀý£¬Ï£ÍûÄܸøÖÎÀíÔ±ÌṩһЩ²Î¿¼¡£
²Î¿¼ÎÄÏ×£º
[1] Linux¿ØÖÆ̨ÏÂÁî·À»ðǽÉèÖÃÉèÖÃÏÂÁîiptablesÏÈÈÝ£¬https://blog.csdn.net/u010648555/article/details/82840741
[2] Linux·À»ðǽÉèÖÃÏê½â£¬https://cloud.tencent.com/developer/article/1006847
[3] SSHÔ¶³ÌµÇ¼µÄÇå¾²ÉèÖã¬https://www.cnblogs.com/me115/p/13098681.html
ÒÔÉϾÍÊÇLinuxЧÀÍÆ÷Çå¾²ÐÔÊÃ÷ÈÕ½£ºÓÃÏÂÁîÐй¤¾ß¾ÙÐзÀÓùµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡