1. Overview
This document provides a baseline security hardening and performance tuning guide for Linux systems based on RHEL (Red Hat Enterprise Linux), CentOS and their derivatives (Rocky Linux, AlmaLinux and others). It follows the principle of least privilege and a defense-in-depth strategy, covering system configuration, access control, network protection, and auditing and monitoring, and is intended for production environments and business-critical systems.
Test first: validate every configuration change in a test environment before applying it.
Back up: copy every critical configuration file before editing it (for example cp file file.bak.$(date +%Y%m%d)).
Roll out in stages: apply changes in batches ordered by business impact to avoid service interruption.
Keep records: document what was changed, when, and why.
Supported systems: RHEL/CentOS 7.x, 8.x, 9.x and compatible distributions.
Note: some settings, especially the network and performance parameters, must be adjusted to the actual workload.
2. System Security Hardening
2.1 File and Directory Permissions
# 1. Permissions on critical directories
chmod 750 /etc/rc.d/init.d/              # system init scripts
chmod 600 /etc/security/opasswd          # old-password history
chmod 700 /root                          # root home directory
chmod 700 /boot /usr/src /lib/modules    # kernel-related directories
# 2. Mark critical system files immutable (chattr +i)
# While the attribute is set, useradd/passwd/chage and edits to sshd_config fail;
# run chattr -i on the file first and re-apply +i afterwards.
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow
chattr +i /etc/inittab /etc/rc.local /etc/fstab
chattr +i /etc/sudoers /etc/ssh/sshd_config
# 3. Find files with special permission bits and review them
# List SUID/SGID files and assess whether each one is really needed
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; > /tmp/suid_sgid.list
# List files with no owning user or group (the \( \) grouping makes -exec apply to both tests)
find / \( -nouser -o -nogroup \) -exec ls -l {} \; > /tmp/nouser_files.list
# 4. Mount options (/etc/fstab)
# Add noexec,nosuid,nodev to temporary filesystems
# Example: /dev/mapper/vg_tmp /tmp ext4 defaults,nosuid,noexec,nodev 0 0
# Harden the /dev/shm tmpfs
echo "tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev 0 0" >> /etc/fstab
chattr +i makes a file immutable, which prevents accidental or malicious modification (and also blocks legitimate tools such as passwd and useradd until the attribute is removed).
SUID/SGID files can be abused for privilege escalation and must be audited regularly.
Mounting /tmp and /dev/shm with noexec prevents programs dropped there from being executed.
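As an added example (not part of the original guide), the script below turns the SUID/SGID listing above into a repeatable audit: it keeps a baseline allowlist and reports any file that carries a special bit but is not on it. It runs unprivileged against a constructed directory tree; on a real host point it at / with a baseline recorded right after hardening.

```shell
#!/bin/bash
# Added example, not from the original guide. Diff the SUID/SGID files found under a
# root directory against an allowlist baseline and print the unexpected ones.

# list_suid_sgid ROOT -> sorted list of SUID/SGID regular files (same test as the guide)
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_suid_sgid ROOT BASELINE -> files with a special bit that are not in BASELINE.
# Empty output is the good case; anything printed is either a new binary that must be
# reviewed or a legitimate addition that should be appended to the baseline.
unexpected_suid_sgid() {
    list_suid_sgid "$1" | grep -vxF -f "$2" || true   # grep exits 1 when all is clean
}

# Constructed sample tree (no root needed: an owner may set the bits on own files).
# Two baseline binaries, one plain file, and one SUID file dropped under /var/tmp.
demo_suid_audit() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/var/tmp"
    : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"   # SUID, expected
    : > "$root/usr/bin/write";   chmod 2755 "$root/usr/bin/write"    # SGID, expected
    : > "$root/usr/bin/cat";     chmod 0755 "$root/usr/bin/cat"      # no special bit
    : > "$root/var/tmp/.shell";  chmod 4755 "$root/var/tmp/.shell"   # SUID, NOT in baseline
    printf '%s\n' "$root/usr/bin/passwd" "$root/usr/bin/write" > "$root/baseline.list"
    # Print findings relative to the sample root so the output is stable
    unexpected_suid_sgid "$root" "$root/baseline.list" | sed "s#^$root##"
    rm -rf "$root"
}

demo_suid_audit   # prints /var/tmp/.shell
```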
2.2 SSH Hardening
# Back up the original configuration
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%Y%m%d)
# 1. Protocol and cipher configuration
sed -i 's/#Protocol 2/Protocol 2/' /etc/ssh/sshd_config
# sshd uses the first active occurrence of a keyword, so an appended line is ignored when the
# keyword is already set earlier in the file (or, on RHEL 9, in /etc/ssh/sshd_config.d/).
# On RHEL 8/9 the cipher and MAC lists come from the system crypto policy
# (update-crypto-policies); the two lines below only take effect where that policy is not applied.
echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
# 2. Access control (RHEL 8 ships PermitRootLogin uncommented, so match both forms)
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/#MaxAuthTries 6/MaxAuthTries 3/' /etc/ssh/sshd_config
echo "AllowUsers admin_user1 admin_user2" >> /etc/ssh/sshd_config   # restrict which users may log in
echo "AllowGroups sshusers" >> /etc/ssh/sshd_config                 # restrict which groups may log in
# 3. Session timeouts and connection limits
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 2/' /etc/ssh/sshd_config
sed -i 's/#MaxSessions 10/MaxSessions 3/' /etc/ssh/sshd_config
# 4. Other settings
sed -i 's/#LoginGraceTime 2m/LoginGraceTime 1m/' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/' /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config   # faster connection setup
# 5. Validate the configuration, then restart sshd
sshd -t && systemctl restart sshd
# Keep the current session open and confirm that a new login works before disconnecting
Protocol 2 disables the insecure SSHv1 (OpenSSH 7.4 and later, as shipped from RHEL 7.4 on, have no SSHv1 server support at all, so the directive is accepted but redundant there).
PermitRootLogin no forces administrators to log in as an unprivileged user and use sudo.
ClientAliveInterval drops idle sessions so that dead connections do not hold resources.
If you change the listening port, update the firewall to match: firewall-cmd --permanent --add-port=2022/tcp
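The appended echo lines above only work when nothing earlier in the file already sets the same keyword, because sshd takes the first active occurrence of each keyword (and RHEL 9 includes /etc/ssh/sshd_config.d/*.conf at the top of the file). The helper below, an added example that is not part of the original guide, reproduces that first-match rule offline and checks a constructed sshd_config against the values this section requires; on a live host, sshd -T prints the effective configuration for the same purpose.

```shell
#!/bin/bash
# Added example, not from the original guide. sshd honours the FIRST active occurrence of
# a keyword, so a directive appended to the end of sshd_config is ignored whenever an
# earlier line already sets it. effective_value mirrors that rule; audit_sshd uses it.

# effective_value FILE KEYWORD -> first active value (case-insensitive keyword,
# "Key value" or "Key=value"); stops at the first Match block like the global section does.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
        {
            k = tolower($1); sub(/=.*/, "", k)
            if (k != key) next
            v = $0; sub(/^[[:space:]]*[^[:space:]=]+[[:space:]=]+/, "", v)
            sub(/[[:space:]]+$/, "", v); print v; exit
        }' "$1"
}

# audit_sshd FILE -> one line per directive whose effective value differs from the
# hardened value; returns 1 if anything was reported, 0 when all are in effect.
audit_sshd() {
    local rc=0 kw want got
    while read -r kw want; do
        got=$(effective_value "$1" "$kw")
        if [ "$got" != "$want" ]; then
            printf '%s: expected "%s", sshd would use "%s"\n' "$kw" "$want" "${got:-<default>}"
            rc=1
        fi
    done <<'EOF'
PermitRootLogin no
MaxAuthTries 3
ClientAliveInterval 300
UseDNS no
EOF
    return $rc
}

# Constructed sample: "PermitRootLogin no" was appended after an active "PermitRootLogin yes".
demo_sshd_audit() {
    local cfg rc; cfg=$(mktemp)
    printf '%s\n' '# sample sshd_config (constructed)' 'PermitRootLogin yes' '#MaxAuthTries 6' \
        'MaxAuthTries 3' 'ClientAliveInterval 300' 'UseDNS no' 'PermitRootLogin no' > "$cfg"
    if audit_sshd "$cfg"; then rc=0; else rc=1; fi
    rm -f "$cfg"; return $rc
}

demo_sshd_audit || true   # reports that sshd would still use PermitRootLogin yes
```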
2.3 Firewall Configuration
# 1. Enable and configure firewalld (CentOS 7+/RHEL 7+)
systemctl start firewalld
systemctl enable firewalld
# 2. Base rules
firewall-cmd --permanent --zone=public --set-target=DROP   # default deny
firewall-cmd --permanent --zone=public --add-service=ssh   # allow SSH
firewall-cmd --permanent --zone=public --add-port=80/tcp   # allow HTTP
firewall-cmd --permanent --zone=public --add-port=443/tcp  # allow HTTPS
# 3. Restrict the source addresses allowed to reach SSH (adjust as needed)
# The ssh service added above already admits port 22 from any source; to limit SSH to this
# network, remove the service (--remove-service=ssh) and keep only the rich rule.
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="22" accept'
# 4. Rate-limit new SSH connections: from the third new connection by one source within 60 s, further attempts are dropped
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 \
    -p tcp --dport 22 -m state --state NEW -m recent --set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 2 \
    -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
# 5. Apply and verify
firewall-cmd --reload
firewall-cmd --list-all   # verify the rules
# 6. Legacy iptables configuration (CentOS 6/RHEL 6)
iptables -F   # flush existing rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT   # loopback must stay open or local services break
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
service iptables save
3. Accounts and Access Control
3.1 Password Policy
# 1. Global password aging policy (/etc/login.defs)
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs   # passwords expire after 90 days
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' /etc/login.defs     # at least 7 days between changes
sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 12/' /etc/login.defs      # minimum length 12 (pwquality's minlen below is what PAM enforces)
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' /etc/login.defs    # warn 14 days before expiry
# 2. PAM password complexity (/etc/security/pwquality.conf)
echo "minlen = 12" >> /etc/security/pwquality.conf
echo "minclass = 3" >> /etc/security/pwquality.conf    # at least 3 character classes
echo "maxrepeat = 3" >> /etc/security/pwquality.conf   # no more than 3 identical characters in a row
echo "dcredit = -1" >> /etc/security/pwquality.conf    # at least 1 digit
echo "ucredit = -1" >> /etc/security/pwquality.conf    # at least 1 upper-case letter
echo "lcredit = -1" >> /etc/security/pwquality.conf    # at least 1 lower-case letter
echo "ocredit = -1" >> /etc/security/pwquality.conf    # at least 1 special character
# 3. Apply the aging policy to existing accounts (login.defs only affects accounts created later)
for user in $(awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd); do
    chage -M 90 -m 7 -W 14 "$user"
done
# 4. Lock accounts after repeated failed logins (pam_faillock: 5 failures, 15-minute lockout)
# The lines must sit inside the auth stack in order (preauth before pam_unix.so, authfail
# after it); appending them to the end of the file has no effect.
# RHEL/CentOS 8+: let authselect place them and set the thresholds in faillock.conf
authselect enable-feature with-faillock
sed -i 's/^#\? *deny *=.*/deny = 5/; s/^#\? *unlock_time *=.*/unlock_time = 900/' /etc/security/faillock.conf
# RHEL/CentOS 7: insert the lines relative to pam_unix.so in password-auth (and likewise in system-auth)
sed -i '/^auth.*pam_unix\.so/i auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900' /etc/pam.d/password-auth
sed -i '/^auth.*pam_unix\.so/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900' /etc/pam.d/password-auth
sed -i '/^account.*pam_unix\.so/i account required pam_faillock.so' /etc/pam.d/password-auth
3.2 User and Privilege Management
# 1. Accounts with an empty password
awk -F: '($2 == "") {print $1}' /etc/shadow
# 2. Accounts other than root with UID 0
awk -F: '($3 == 0) {print $1}' /etc/passwd | grep -vx root
# 3. Create an administrators group and grant it sudo
groupadd -g 10000 admin
echo "%admin ALL=(ALL) ALL" >> /etc/sudoers.d/admin_group
# Example of a fine-grained sudo rule:
echo "%webadmins ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx" >> /etc/sudoers.d/webadmin
chmod 0440 /etc/sudoers.d/admin_group /etc/sudoers.d/webadmin   # sudo ignores drop-ins with wider permissions
visudo -cf /etc/sudoers.d/admin_group && visudo -cf /etc/sudoers.d/webadmin   # syntax check
# 4. Shell history with timestamps
echo "export HISTTIMEFORMAT=\"%F %T \"" >> /etc/profile
echo "export HISTSIZE=10000" >> /etc/profile
echo "export HISTFILESIZE=10000" >> /etc/profile
echo "export HISTCONTROL=ignoredups:erasedups" >> /etc/profile
echo "shopt -s histappend" >> /etc/profile
echo "export PROMPT_COMMAND=\"history -a\"" >> /etc/profile
# 5. Default umask
echo "umask 027" >> /etc/profile   # new files 640, new directories 750
echo "umask 027" >> /etc/bashrc
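To verify that the password policy from 3.1 and the account checks from 3.2 actually hold, the script below (an added example, not part of the original guide) runs the same tests over constructed copies of /etc/passwd and /etc/shadow: empty passwords, extra UID-0 accounts, and the 90/7/14 aging values on every interactive account. Point it at the real files to audit a host.

```shell
#!/bin/bash
# Added example, not from the original guide. Audit passwd/shadow against the policy
# above: no empty passwords, no UID 0 besides root, and max/min/warn aging of 90/7/14
# on interactive accounts (UID 1000..65533 with a real shell, not locked).

# account_findings PASSWD SHADOW -> one finding per line, nothing when compliant
account_findings() {
    awk -F: -v max=90 -v min=7 -v warn=14 '
        NR == FNR {                                  # first file: passwd
            uid[$1] = $3 + 0; shell[$1] = $7
            if ($3 == 0 && $1 != "root") print "uid0-not-root " $1
            next
        }
        {                                             # second file: shadow
            u = $1
            if ($2 == "") print "empty-password " u
            locked = ($2 ~ /^[!*]/)
            interactive = (u in uid) && uid[u] >= 1000 && uid[u] < 65534 && shell[u] !~ /(nologin|false)$/
            if (!interactive || locked) next
            if ($5 == "" || $5 > max)  print "max-days " u " " ($5 == "" ? "unset" : $5)
            if ($4 == "" || $4 < min)  print "min-days " u " " ($4 == "" ? "unset" : $4)
            if ($6 == "" || $6 < warn) print "warn-age " u " " ($6 == "" ? "unset" : $6)
        }' "$1" "$2"
}

# Constructed sample: a second UID-0 account with an empty password, one compliant
# user (alice), one user still on the defaults (bob), and a locked service account.
demo_account_audit() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:constructed:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:1002:1002::/var/lib/svc:/sbin/nologin
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$salt$hash:19700:0:99999:7:::
toor::19700:0:99999:7:::
alice:$6$salt$hash:19700:7:90:14:::
bob:$6$salt$hash:19700:0:99999:7:::
svc:!!:19700:0:99999:7:::
EOF
    account_findings "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

demo_account_audit
```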
3.3 Session Timeout
# 1. Global idle timeout (/etc/profile)
echo "export TMOUT=900" >> /etc/profile   # log out after 15 minutes of inactivity
echo "readonly TMOUT" >> /etc/profile     # prevent users from overriding it
# 2. sshd timeouts (already configured in the SSH section above)
# 3. Console locking (vlock; on RHEL 7+ it ships in the kbd package)
yum install -y kbd
echo "alias lock='vlock -a'" >> /etc/profile.d/alias.sh   # alias that locks all consoles
4. Kernel Parameter Tuning
4.1 Network Parameters
# Create a dedicated configuration file
cat > /etc/sysctl.d/99-sysctl-optimize.conf << EOF
# Ignore broadcast ICMP echo requests (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
# Log spoofed, source-routed and redirect packets; enable reverse-path filtering
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# TCP timestamps (RFC 1323). This key is unrelated to ICMP timestamp requests, and
# tcp_tw_reuse below only works while timestamps are enabled, so keep it at 1.
net.ipv4.tcp_timestamps = 1
# IP forwarding (needed on gateways/routers, normally off on servers)
net.ipv4.ip_forward = 0
# TCP buffer sizes
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Larger connection backlogs
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
# Reuse of TIME_WAIT sockets
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT, keep it at 0; the key only exists on kernels
# before 4.12 (RHEL 7), so remove this line on RHEL 8/9 or sysctl reports an error for it
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
# Keepalive
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
# Resource limits
kernel.pid_max = 65535
# Prefer reclaiming page cache over swapping
vm.swappiness = 10
# Dirty page thresholds (percent of memory)
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
# No core dumps from setuid programs (production)
fs.suid_dumpable = 0
EOF
# Apply (sysctl.conf has no inline-comment syntax, so comments stay on their own lines)
sysctl -p /etc/sysctl.d/99-sysctl-optimize.conf
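Before running sysctl -p on the fragment above, the checker below (an added example, not part of the original guide) parses the file the way sysctl does and flags the two mistakes that are easy to make in it: a trailing "# comment" on a value line, which sysctl passes to the kernel as part of the value, and tcp_tw_reuse = 1 combined with tcp_timestamps = 0, which silently disables TIME_WAIT reuse. It also lists keys that do not exist on the running kernel, such as tcp_tw_recycle on RHEL 8/9.

```shell
#!/bin/bash
# Added example, not from the original guide. Lint a sysctl.d fragment before applying it.
# sysctl only treats '#' or ';' at the start of a line as a comment; everything after '='
# is handed to the kernel as the value.

# sysctl_lint FILE -> findings, one per line (empty output = nothing to report)
sysctl_lint() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            n = index(line, "="); if (n == 0) { print "unparsable " line; next }
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            sub(/[[:space:]]+$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (val ~ /#/) print "inline-comment " key " (value sent is \"" val "\")"
            seen[key] = val
            # Keys that are not present under /proc/sys make sysctl -p report an error
            path = "/proc/sys/" key; gsub(/\./, "/", path)
            if (system("test -d /proc/sys && test ! -e " path) == 0) print "unknown-key " key
        }
        END {
            if (seen["net.ipv4.tcp_tw_reuse"] == "1" && seen["net.ipv4.tcp_timestamps"] == "0")
                print "conflict tcp_tw_reuse=1 has no effect while tcp_timestamps=0"
        }' "$1"
}

# Constructed sample with both mistakes plus a key that was removed in kernel 4.12
demo_sysctl_lint() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed fragment
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
vm.swappiness = 10 # reduce swapping
EOF
    sysctl_lint "$f"
    rm -f "$f"
}

demo_sysctl_lint
```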
4.2 System Resource Limits
# Edit /etc/security/limits.conf
cat >> /etc/security/limits.conf << EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
* soft core 0
* hard core 0
@webadmins soft nofile 102400
@webadmins hard nofile 102400
root soft nofile 1048576
root hard nofile 1048576
EOF
# nofile cannot be "unlimited" (pam_limits fails to apply it and logins break); 1048576 matches
# the default fs.nr_open ceiling. On RHEL 7 the nproc line for "*" is overridden by
# /etc/security/limits.d/20-nproc.conf, so adjust that file as well.
# systemd services do not read limits.conf; set the defaults in /etc/systemd/system.conf.
# The .* in the patterns replaces the whole line, otherwise the RHEL 8+ "soft:hard" default
# would be left glued to the new value.
sed -i 's/^#DefaultLimitNOFILE=.*/DefaultLimitNOFILE=65535/' /etc/systemd/system.conf
sed -i 's/^#DefaultLimitNPROC=.*/DefaultLimitNPROC=65535/' /etc/systemd/system.conf
# Reload systemd
systemctl daemon-reload
5. Logging and Auditing
5.1 System Log Configuration
# 1. rsyslog rules (/etc/rsyslog.conf)
# The stock RHEL rsyslog.conf already writes these files; a duplicate rule makes every
# message land twice, so only append a rule when nothing writes to that file yet.
grep -q '/var/log/secure' /etc/rsyslog.conf || echo "auth,authpriv.* /var/log/secure" >> /etc/rsyslog.conf
grep -q '/var/log/messages' /etc/rsyslog.conf || echo "*.info;mail.none;authpriv.none;cron.none /var/log/messages" >> /etc/rsyslog.conf
grep -q '/var/log/cron' /etc/rsyslog.conf || echo "cron.* /var/log/cron" >> /etc/rsyslog.conf
# 2. Log rotation (/etc/logrotate.d/syslog)
cat > /etc/logrotate.d/syslog << EOF
/var/log/messages
/var/log/secure
/var/log/cron
{
    daily
    rotate 30
    missingok
    compress
    delaycompress
    sharedscripts
    postrotate
        /bin/kill -HUP \$(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript
}
EOF
# 3. Forward to a central log server (optional; @ is UDP, @@ is TCP)
echo "*.* @192.168.1.100:514" >> /etc/rsyslog.conf   # forward everything to the remote log server
rsyslogd -N1 && systemctl restart rsyslog   # check the configuration before restarting
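Once authentication messages land in /var/log/secure, the same failure threshold that pam_faillock enforces (5 attempts, section 3.1) can be applied to the log to spot brute-force sources and the usernames they probe. The script below is an added example, not part of the original guide, and runs over constructed log lines in the format sshd writes on RHEL 7/8.

```shell
#!/bin/bash
# Added example, not from the original guide. Count failed sshd password attempts per
# source address in /var/log/secure-style lines and list the non-existent usernames probed.

# failed_logins_by_ip LOGFILE THRESHOLD -> "count ip" for sources at or above THRESHOLD
failed_logins_by_ip() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' "$1" | sort -rn
}

# invalid_users LOGFILE -> usernames that do not exist on the host, one per line.
# Guesses like admin/oracle/test point to credential stuffing, not to a user's typo.
invalid_users() {
    awk '/sshd\[[0-9]+\]: Failed password for invalid user / {
            for (i = 1; i < NF; i++) if ($i == "invalid" && $(i + 1) == "user") print $(i + 2)
        }' "$1" | sort -u
}

# Constructed sample: six failures from 203.0.113.5, one mistyped password and a
# successful key login from an administrator on the management network.
demo_secure_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  1 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:02 web1 sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:04 web1 sshd[1204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  1 10:00:05 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2
Mar  1 10:00:06 web1 sshd[1206]: Failed password for invalid user admin from 203.0.113.5 port 40006 ssh2
Mar  1 10:05:00 web1 sshd[1300]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Mar  1 10:05:10 web1 sshd[1301]: Accepted publickey for alice from 192.168.1.20 port 50002 ssh2: ED25519 SHA256:constructed
EOF
    failed_logins_by_ip "$f" 5
    invalid_users "$f"
    rm -f "$f"
}

demo_secure_audit
```

On a live host, faillock --user NAME shows the counters that pam_faillock itself keeps for an account.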
5.2 Audit Service Configuration
# 1. Install and enable auditd
yum install -y audit
systemctl start auditd
systemctl enable auditd
# 2. Key audit rules (/etc/audit/rules.d/audit.rules)
cat > /etc/audit/rules.d/audit.rules << EOF
# Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
# User and group management
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Filesystem mounts
-a always,exit -F arch=b64 -S mount -S umount2 -k mounts
# Privileged command execution
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
# File deletion
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -k delete
# Network configuration
-w /etc/hosts -p wa -k network_modify
-w /etc/sysconfig/network -p wa -k network_modify
EOF
# 3. Load the rules (on RHEL, auditd refuses systemctl restart; use the service command)
augenrules --load
service auditd restart
# 4. Useful audit queries
auditctl -l            # show the loaded rules
ausearch -k identity   # search records by rule key
aureport -m            # account modification report
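The rule keys above (identity, privileged, delete, ...) are what make the raw log queryable. As an added example that is not part of the original guide, the script below summarises constructed /var/log/audit/audit.log SYSCALL records per key, resolves the auid (the original login user, preserved across su and sudo) through a constructed passwd file, and counts events per executable, which is the question ausearch -k identity usually gets asked to answer.

```shell
#!/bin/bash
# Added example, not from the original guide. Summarise raw audit.log SYSCALL records by
# rule key, login user (auid) and executable. auid survives su/sudo, so it names the
# person, while uid=0 only says the action ran as root.

# audit_summary AUDITLOG PASSWD -> "key auid(user) exe count", sorted
audit_summary() {
    awk '
        NR == FNR { name[$3] = $1; next }              # passwd: uid -> username
        $1 == "type=SYSCALL" {
            k = a = e = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "key")  k = kv[2]
                if (kv[1] == "auid") a = kv[2]
                if (kv[1] == "exe")  e = kv[2]
            }
            gsub(/"/, "", k); gsub(/"/, "", e)
            if (k == "" || k == "(null)") next           # not produced by one of our keyed rules
            u = (a in name) ? name[a] : (a == "4294967295" ? "unset" : "uid" a)
            c[k " " a "(" u ") " e]++
        }
        END { for (x in c) print x, c[x] }' FS=: "$2" FS=" " "$1" | sort
}

# Constructed sample: two edits of /etc/passwd by alice, one su by bob, and a deletion by
# a process with no login session (auid unset, e.g. a daemon or cron job).
demo_audit_summary() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' > "$d/passwd"
    cat > "$d/audit.log" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1700000000.101:501): item=1 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2000 pid=2002 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=0 ses=4 comm="su" exe="/usr/bin/su" key="privileged"
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=1 pid=4001 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="rm" exe="/usr/bin/rm" key="delete"
EOF
    audit_summary "$d/audit.log" "$d/passwd"
    rm -rf "$d"
}

demo_audit_summary
```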
6. Services and Performance
6.1 Service Management
# 1. Disable services that are not needed (adjust to the host's role)
systemctl disable bluetooth cups postfix sendmail
systemctl stop bluetooth cups postfix sendmail
# 2. Service start timeout
sed -i 's/#DefaultTimeoutStartSec=90s/DefaultTimeoutStartSec=30s/' /etc/systemd/system.conf
# 3. Cap journald disk usage (/etc/systemd/journald.conf)
sed -i 's/#SystemMaxUse=/SystemMaxUse=1G/' /etc/systemd/journald.conf
sed -i 's/#SystemMaxFileSize=/SystemMaxFileSize=100M/' /etc/systemd/journald.conf
# 4. Time synchronisation with chrony (accurate clocks are a prerequisite for usable logs and audit records)
yum install -y chrony
systemctl start chronyd
systemctl enable chronyd
echo "server ntp.aliyun.com iburst" >> /etc/chrony.conf
echo "server time1.cloud.tencent.com iburst" >> /etc/chrony.conf
systemctl restart chronyd
chronyc sources -v   # verify the time sources
6.2 Performance Monitoring Tools
# 1. Install common monitoring tools
yum install -y htop iotop iftop nmon sysstat dstat net-tools
# 2. sar data collection (sysstat)
sed -i 's/^HISTORY=.*/HISTORY=30/' /etc/sysconfig/sysstat   # keep 30 days of data
systemctl start sysstat
systemctl enable sysstat
# 3. Quick system check script
cat > /usr/local/bin/system_check.sh << 'EOF'
#!/bin/bash
echo "=== 系统时间 ==="
date
echo ""
echo "=== 系统负载 ==="
uptime
echo ""
echo "=== 内存使用 ==="
free -h
echo ""
echo "=== 磁盘使用 ==="
df -hT
echo ""
echo "=== TOP 进程 ==="
ps aux --sort=-%cpu | head -10
EOF
chmod +x /usr/local/bin/system_check.sh
# 4. Weekly cleanup job (/etc/cron.weekly/cleanup)
cat > /etc/cron.weekly/cleanup << 'EOF'
#!/bin/bash
# Temporary files not accessed for a week
find /tmp -type f -atime +7 -delete
find /var/tmp -type f -atime +7 -delete
# Old rotated logs
find /var/log -name "*.log.*" -type f -mtime +30 -delete
find /var/log -name "*.gz" -type f -mtime +90 -delete
# Package manager cache (dnf where available, yum otherwise)
if command -v dnf >/dev/null 2>&1; then dnf clean all; else yum clean all; fi
EOF
chmod +x /etc/cron.weekly/cleanup
7. Implementation Checklist
7.1 Pre-implementation checks
7.2 Baseline security configuration
7.3 Kernel and performance tuning
7.4 Verification testing
7.5 Documentation
Tip: this is a generic hardening baseline. Before applying it in production, adjust and test it against the actual business requirements, system load and required security level. Reviewing and updating the security configuration regularly is key to keeping systems secure.