vi/etc/yum.repos.d/cisofy-lynis.repo[lynis]name=CISOfySoftware-Lynispackagebaseurl=https://packages.cisofy.com/community/lynis/rpm/enabled=1gpgkey=https://packages.cisofy.com/keys/cisofy-software-rpms-public.keygpgcheck=1priority=2yuminstalllynis(图片可放大查看)(图片可放大查看)2、使用用lynis扫描系统lynis-hlynisauditsystem(图片可放大查看)(图片可放大查看)3、根据上面安全加固建议进行安全加固例如扫描出来的SSH的加固建议有如下加固项(图片可放大查看)修改之前的CentOS7安全加固脚本中ssh加固部分,可以参考之前文章CentOS7一键安全加固及系统优化脚本修改成如下sec_ssh(){echo"=============secssh=============">>${LOCK}2>&1echo-en"${RGB_WAIT}Configuring...${RGB_END}"sed-i's/#UseDNS.$/UseDNSno/'/etc/ssh/sshd_configsed-i's/^#LoginGraceTime.$/LoginGraceTime60/'/etc/ssh/sshd_configsed-i's/^#PermitEmptyPasswords.$/PermitEmptyPasswordsno/'/etc/ssh/sshd_configsed-i's/^#PubkeyAuthentication.$/PubkeyAuthenticationyes/'/etc/ssh/sshd_configsed-i's/^#MaxAuthTries.$/MaxAuthTries3/'/etc/ssh/sshd_configsed-i"s/#ClientAliveInterval0/ClientAliveInterval30/g"/etc/ssh/sshd_configsed-i"s/#ClientAliveCountMax3/ClientAliveCountMax3/g"/etc/ssh/sshd_configsed-i"s/X11Forwardingyes/X11Forwardingno/g"/etc/ssh/sshd_configsed-i"s/#AllowAgentForwardingyes/AllowAgentForwardingno/g"/etc/ssh/sshd_configsed-i"s/#AllowTcpForwardingyes/AllowTcpForwardingno/g"/etc/ssh/sshd_configsed-i"s/#TCPKeepAliveyes/TCPKeepAliveno/g"/etc/ssh/sshd_configsed-i"s/#Compressiondelayed/Compressionno/g"/etc/ssh/sshd_configsed-i"s/#MaxSessions10/MaxSessions2/g"/etc/ssh/sshd_configsed-i"s/#LogLevelINFO/LogLevelVERBOSE/g"/etc/ssh/sshd_configsed-i"s/#Bannernone/Banner\/etc\/issue.net/g"/etc/ssh/sshd_configecho"Authorizedusersonly.Allactivitymaybemonitoredandreported.">/etc/issue.netsystemctlrestartsshd.service>>${LOCK}2>&1cat/etc/ssh/sshd_config>>${LOCK}2>&1echo-e"\r${RGB_SUCCESS}ConfigurationSuccess${RGB_END}"}然后执行CentOS7安全加固脚本后,再进行lynis扫描 (图片可放大查看)(图片可放大查看)可以看到目前SSH安全基线只剩下3个安全加固建议
(图片来源网络,侵删)
0 评论