Notes on secure login configuration for Linux servers

Posted by 散盡浮華 on 2017-01-03


In day-to-day operations work, hardening a server's security settings is an extremely important step. The recommended practice is:
1) Strictly restrict ssh logins (reference: "Using ssh on Linux (a summary from personal experience)"):
     change the default ssh listening port;
     disable root login and set up a dedicated account or group for ssh login;
     disable password login and use key-based (certificate) login;
     bind ListenAddress to the machine's internal IP, so that ssh connections are only possible to the internal IP;
2) Whitelist the IPs allowed to log in (iptables, /etc/hosts.allow, /etc/hosts.deny)
3) Dedicate two machines as bastion hosts; whitelist the other machines so they can only be logged into through the bastions, narrowing the entry points into the data-centre servers;
     in addition, apply the ssh restrictions above to the bastions themselves, and ideally add a second-factor verification step after login (Google-Authenticator)
4) Strict control of sudo privileges (reference: "Permissions on Linux systems")
5) Use the chattr command to lock important files on the server, such as /etc/passwd, /etc/group, /etc/shadow, /etc/sudoers, /etc/sysconfig/iptables and /var/spool/cron/root
6) Disable ping (echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all)

This post focuses on the whitelist settings for secure server login, using the following two methods:
1) restricting the ssh port with iptables;
2) restricting with /etc/hosts.allow and /etc/hosts.deny. These two files control remote-access settings; through them you can allow or deny a given IP or IP range access to a particular Linux service.
When iptables, hosts.allow and hosts.deny are all configured, or their settings conflict, the order of precedence followed is hosts.allow > hosts.deny > iptables.

Let's look at several configurations that restrict login to the local server:
1) iptables and hosts.allow configured consistently, hosts.deny not configured. If they conflict, hosts.allow takes precedence.
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#    // Note: the 192.168.1.* network here must not be changed to 192.168.1.0/24; separate multiple IPs with commas
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow     // the trailing allow can be omitted

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

In the configuration above, although 133.110.186.139 does not appear in the iptables whitelist, it does appear in hosts.allow, so it is allowed to log in to the local server;
in other words, every IP configured in hosts.allow can log in to the local server, while an IP configured in iptables but not in hosts.allow cannot;
so once hosts.allow is configured, there is really no need for iptables to restrict ssh any further.

2) hosts.allow not configured, iptables and hosts.deny configured (if the two conflict, hosts.deny takes precedence)
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:133.110.186.130:deny                                               // the trailing deny can be omitted

Above, although 133.110.186.130 is configured in iptables, it is also configured in hosts.deny, so the hosts.deny setting is followed, i.e. the IP 133.110.186.130 cannot log in to the local server;
in other words, only the 192.168.1.0 network and 114.165.77.144 can log in to the local server.

3) When iptables, hosts.allow and hosts.deny are all configured, hosts.allow is what gets followed!
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.133 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.137 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow                 // the trailing allow can be omitted

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:all:deny                                  // the trailing deny can be omitted

With the configuration above, only the IPs configured in hosts.allow (192.168.1.*, 114.165.77.144, 133.110.186.130 and 133.110.186.139) can log in to the local server.

4) One more configuration: leave hosts.deny untouched and put the deny rule in hosts.allow
[root@localhost ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow             // the trailing allow can be omitted
sshd:all:deny                                            // this rule normally lives in hosts.deny, but it can also be placed here; it means everything except the IPs above is blocked from logging in.

[root@localhost ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

5) If iptables is turned off, hosts.allow and hosts.deny take effect only when both files are configured.
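To make the four scenarios above reproducible without touching a live box, here is an added example (not from the original post) that emulates the tcp_wrappers decision for sshd: hosts.allow is searched first, then hosts.deny, and an unmatched client is allowed, with an explicit allow/deny option overriding the file it sits in. Only the tcp_wrappers part of the decision is modelled, not iptables; the file bodies are constructed, the client patterns are the subset the listings use (ALL, 192.168.1.*, exact IPs, plus the dotted net/mask form), and the rejection of a non-dotted mask such as 192.168.1.0/24 follows the behaviour of classic, unpatched tcp_wrappers, which is the reason for the warning in listing 1.

```python
import fnmatch

# Constructed hosts.allow / hosts.deny bodies mirroring scenario 3 above (comment lines are skipped as in the real files).
HOSTS_ALLOW = "# See 'man 5 hosts_access'\nsshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow\n"
HOSTS_DENY = "sshd:all:deny\n"

def _quad(addr):
    """Dotted-quad string -> int, or None when it is not four octets (e.g. the '24' in '192.168.1.0/24')."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return int.from_bytes(bytes(int(p) for p in parts), "big")

def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, net/mask, trailing-dot prefix, shell wildcards, exact IP."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        net, mask = (_quad(p) for p in pattern.split("/", 1))
        if net is None or mask is None:
            return False  # classic tcp_wrappers logs 'bad net/mask' and the rule never matches (hence 192.168.1.*)
        return _quad(ip) & mask == net & mask
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return fnmatch.fnmatchcase(ip, pattern)

def parse_rules(text):
    """Yield (daemons, clients, option) for each 'daemon_list : client_list [: option]' line, ignoring comments."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2 and fields[0]:
            daemons = fields[0].replace(",", " ").lower().split()
            clients = fields[1].replace(",", " ").split()
            yield daemons, clients, (fields[2].lower() if len(fields) > 2 else "")

def decide(daemon, ip, allow_text, deny_text):
    """tcp_wrappers search order: hosts.allow, then hosts.deny, else allow; an explicit allow/deny option wins."""
    for file_default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, option in parse_rules(text):
            if (daemon in daemons or "all" in daemons) and any(client_matches(c, ip) for c in clients):
                return option if option in ("allow", "deny") else file_default
    return "allow"

if __name__ == "__main__":
    for ip in ("192.168.1.7", "133.110.186.139", "133.110.186.133", "8.8.8.8"):
        print(ip, decide("sshd", ip, HOSTS_ALLOW, HOSTS_DENY))
```

Swapping in the bodies from scenarios 2 and 4 reproduces their outcomes too, and feeding a hosts.allow line with 192.168.1.0/24 shows that rule silently matching nothing.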

==========================================================
Problem: /etc/hosts.allow and /etc/hosts.deny do not take effect after being configured:

If you configure IP restrictions for a service (such as sshd or ftp) in /etc/hosts.allow and /etc/hosts.deny and find that they have no effect,
the possible reasons are as follows:
1) /etc/hosts.allow and /etc/hosts.deny only work on servers whose ssh application calls tcp_wrappers;
2) Check whether the server's ssh supports tcp_wrappers, using the following two commands:
   # strings /usr/sbin/sshd|grep hosts_access
   # ldd `which sshd` | grep libwrap
3) If neither of the two commands above produces any output, the local ssh does not support tcp_wrappers.
4) The default ssh on CentOS 6 generally does support tcp_wrappers. But once the server's ssh is upgraded to openssh 6.7 or later, it no longer does!
   This is because, starting with openssh 6.7, upstream ssh removed support for tcp wrappers!
5) That is, if the default ssh version on CentOS 6 (OpenSSH_5.3p1) is upgraded to openssh 6.7 or later, the ssh application no longer supports tcp wrappers,
   and the restrictions in /etc/hosts.allow and /etc/hosts.deny become ineffective!
6) However, the default ssh version on CentOS 7 is OpenSSH_7.4p1, and CentOS 7's default ssh does support tcp wrappers:

[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core) 

[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

[root@localhost ~]# ldd `which sshd` | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fd302fc9000)
        
[root@localhost ~]# strings /usr/sbin/sshd|grep hosts_access
hosts_access
