保持系统更新是防范安全威胁的第一道防线:
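# Configure automatic security updates.
# NOTE(review): if this host runs CentOS 7, that release reached end-of-life on
# 2024-06-30 and the stock repositories no longer publish security fixes; automatic
# updates only help when a maintained update source (a supported distribution or a
# vendor extended-support repository) is configured.
sudo yum install yum-cron -y
# Out of the box yum-cron only downloads updates (apply_updates = no) and targets the
# full "default" update set; switch it to install security updates unattended.
sudo sed -i 's/^update_cmd = .*/update_cmd = security/; s/^apply_updates = .*/apply_updates = yes/' /etc/yum/yum-cron.conf
sudo systemctl enable yum-cron
sudo systemctl start yum-cron
# Check for and install pending security updates right now.
sudo yum update --security -y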
使用firewalld强化网络防护:
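# Make sure firewalld is installed and running.
sudo yum install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld
# Basic rules. They apply to the default zone: confirm with
# `firewall-cmd --get-default-zone` / `firewall-cmd --get-active-zones` that the
# interface you administer the host through is in that zone, otherwise the rules
# below do not affect it.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# Restrict SSH to an administration network. The network is a parameter: run as
#   ADMIN_NET=10.0.0.0/8 bash ...
# or change the default to match your environment.
admin_net=${ADMIN_NET:-192.168.1.0/24}
sudo firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"${admin_net}\" service name=\"ssh\" accept"
# Remove the zone-wide ssh service (present in the public zone by default) so only
# the rich rule above admits SSH. Adding ssh first and removing it again, as the
# original steps did, leaves the same end state, so the add is dropped.
sudo firewall-cmd --permanent --remove-service=ssh
# If sshd is later moved off port 22 (this guide sets Port 2222), "service name=ssh"
# no longer matches the new port: use port port="2222" protocol="tcp" in the rich rule
# instead, and reload the firewall before restarting sshd.
sudo firewall-cmd --reload
# Verify from a second session before closing the current one: a wrong ADMIN_NET
# locks you out as soon as the reload above takes effect.
sudo firewall-cmd --list-all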
确保SELinux处于强制模式:
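# Show the current mode (Enforcing / Permissive / Disabled).
getenforce
# Switch the running system to enforcing. This fails with "SELinux is disabled" when
# the kernel booted with SELinux off; in that case only the config change below plus a
# reboot (with the relabel it triggers) takes effect.
sudo setenforce 1
# Make it permanent in /etc/selinux/config. The pattern is anchored to the start of the
# line so it rewrites only the SELINUX= setting and not the comment lines in that file
# that also contain "SELINUX=".
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
# Confirm the file now carries the intended value.
grep '^SELINUX=' /etc/selinux/config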
安装并配置ClamAV防病毒软件:
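# ClamAV and rkhunter come from EPEL, not the base CentOS repositories, so enable EPEL
# first (the fail2ban section of this guide needs it as well).
sudo yum install epel-release -y
# Install ClamAV.
sudo yum install clamav clamav-update -y
# Update the signature database. If freshclam refuses to run with a message that the
# configuration is still an example, comment out the "Example" line in
# /etc/freshclam.conf (a common state of EPEL builds) - verify on your system.
sudo freshclam
# Schedule a nightly scan. A file in /etc/cron.d (the file name is arbitrary) is used
# instead of appending to /var/spool/cron/root: re-running this guide overwrites the
# entry rather than duplicating it, and cron's own parsing still validates it. Entries
# in /etc/cron.d carry a user field after the time fields. Pseudo filesystems are
# excluded from the scan; walking them is slow and pointless.
printf '%s\n' '0 3 * * * root /usr/bin/freshclam && /usr/bin/clamscan -r --bell -i --exclude-dir="^/(proc|sys|dev|run)" /' | sudo tee /etc/cron.d/clamav-scan >/dev/null
# Install rootkit detectors.
sudo yum install rkhunter chkrootkit -y
# Record the baseline of file properties now; otherwise the first --checkall reports
# every binary as changed.
sudo rkhunter --propupd
# Schedule a nightly check (same /etc/cron.d approach as above).
printf '%s\n' '0 4 * * * root /usr/bin/rkhunter --update; /usr/bin/rkhunter --checkall --sk' | sudo tee /etc/cron.d/rkhunter >/dev/null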
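# Back up the SSH daemon configuration before editing it.
sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Edit the SSH daemon configuration.
sudo vi /etc/ssh/sshd_config
# Recommended settings. Change the existing directive in place: sshd uses the first
# match for a keyword, so a second copy appended at the end of the file is ignored.
# Keep comments on their own line - sshd rejects trailing "# ..." text after a
# directive's arguments, so the inline comments of the original list would break the
# file if copied literally.
# Change the default port. Before restarting sshd on a new port, allow it in the
# firewall (port 2222/tcp instead of service ssh) and, with SELinux enforcing, label
# the port:
#   sudo semanage port -a -t ssh_port_t -p tcp 2222   (policycoreutils-python on CentOS 7)
# Otherwise sshd cannot bind and the restart locks you out.
Port 2222
PermitRootLogin no
# Key-based authentication only: confirm your public key is in ~/.ssh/authorized_keys
# and that a key login works before disabling passwords.
PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 1m
# Limit logins to specific users (replace your_username).
AllowUsers your_username
# Idle-session timeout. NOTE(review): OpenSSH 8.2 changed ClientAliveCountMax 0 to
# mean "never terminate the connection"; on those versions use a small positive value
# (e.g. 3) to keep the intended timeout. Older releases (e.g. the 7.4 shipped with
# CentOS 7) drop the session on the first missed probe.
ClientAliveInterval 300
ClientAliveCountMax 0
# Validate the configuration and restart only if it parses; otherwise a typo would
# leave sshd down after the restart. Keep the current session open until a fresh
# login succeeds.
sudo sshd -t && sudo systemctl restart sshd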
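# Tighten permissions on sensitive paths.
sudo chmod 700 /root
# /etc/shadow is shipped by CentOS/RHEL with mode 0000 (root reads it regardless of
# the DAC bits); chmod 600 would loosen the vendor default, so 0000 is kept.
sudo chmod 0000 /etc/shadow
sudo chmod 644 /etc/passwd
# Install AIDE for file-integrity checking.
sudo yum install aide -y
# Build the baseline database. Run this as the LAST hardening step, after every other
# change in this guide, so the baseline reflects the final state and the first check
# does not flag your own edits.
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Schedule a daily check. A file in /etc/cron.d (name is arbitrary, entries carry a
# user field) is overwritten on re-run instead of duplicating a root crontab line.
# After legitimate changes, refresh the baseline with `aide --update` and move the new
# database into place as above.
printf '%s\n' '0 5 * * * root /usr/sbin/aide --check' | sudo tee /etc/cron.d/aide-check >/dev/null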
编辑/etc/sysctl.conf
添加以下内容:
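# Append the hardening parameters to /etc/sysctl.conf. A later duplicate key overrides
# an earlier one, so re-running this is harmless. The "all" variants govern every
# current interface; the "default" variants are added so interfaces created later
# start with the same values.
sudo tee -a /etc/sysctl.conf >/dev/null <<'EOF'
# Mitigate SYN-flood attacks
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects, and do not send them (this host is not a router)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Reverse-path filtering against IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Reject source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Log packets with impossible source addresses
net.ipv4.conf.all.log_martians = 1
EOF
# Apply the configuration. `sysctl -p` loads only /etc/sysctl.conf; on systems that
# also keep settings in /etc/sysctl.d/*.conf, `sysctl --system` loads everything.
# If IPv6 is disabled in the kernel the net.ipv6.* keys are reported as missing and
# skipped; the remaining keys still apply.
sudo sysctl -p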
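# Password ageing policy. The login.defs values apply only to accounts created after
# the change; existing accounts are updated with chage (see below).
sudo vi /etc/login.defs
# Change the following parameters:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
# PASS_MIN_LEN is not enforced when passwords are set through PAM (the normal case);
# the effective minimum length is the minlen of the PAM line further down.
PASS_MIN_LEN 12
PASS_WARN_AGE 14
# Apply the ageing policy to an existing account (replace the placeholder).
user=USERNAME_TO_UPDATE
sudo chage --maxdays 90 --mindays 7 --warndays 14 "$user"
# Enforce password complexity via cracklib.
sudo yum install cracklib -y
# NOTE(review): on CentOS 7, system-auth is generated by authconfig, which rewrites
# the file and discards manual edits, and its stock stack uses pam_pwquality configured
# through /etc/security/pwquality.conf (minlen, lcredit, ucredit, dcredit, ocredit) -
# check which module your system-auth actually contains. Whatever is set here must
# also be set in /etc/pam.d/password-auth, which governs sshd and other network logins.
sudo vi /etc/pam.d/system-auth
# Add or change the following line:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1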
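# List the services that start at boot, then stop and disable the ones this host does
# not need. Replace the placeholder with the unit name. Stop and disable are separate
# steps because `disable --now` is not available on CentOS 7's systemd 219.
sudo systemctl list-unit-files --type=service | grep enabled
service_to_disable=SERVICE_NAME_TO_DISABLE
sudo systemctl stop "$service_to_disable"
sudo systemctl disable "$service_to_disable"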
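# Install fail2ban (from EPEL) to slow down brute-force logins.
sudo yum install epel-release -y
sudo yum install fail2ban -y
# The packaged jail.conf ships with every jail disabled, so installing fail2ban alone
# protects nothing. Local settings belong in jail.local (jail.conf is replaced on
# package upgrade); note that tee overwrites an existing jail.local. The sshd jail
# defaults to the standard ssh port, so when sshd listens elsewhere (this guide uses
# 2222) set the port explicitly.
sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[DEFAULT]
# Never ban the administration network (adjust to your environment)
ignoreip = 127.0.0.1/8 192.168.1.0/24

[sshd]
enabled = true
# Uncomment and adjust if sshd does not listen on the standard port
#port = 2222
EOF
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Confirm the jail is active.
sudo fail2ban-client status sshd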
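# Install and configure logwatch for daily log summaries.
sudo yum install logwatch -y
# Settings under /etc/logwatch/conf override the packaged defaults; copy them and
# edit the copy.
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
# Edit /etc/logwatch/conf/logwatch.conf and set:
Output = mail
# Mail delivery needs a working local MTA (postfix is installed by default on
# CentOS 7 - confirm it is running and able to relay to your mail server).
MailTo = your@email.com
Detail = High
# The logwatch package already installs a daily job, /etc/cron.daily/0logwatch; adding
# a root crontab entry on top of it sends every report twice. Only add a job when the
# packaged one is absent (file in /etc/cron.d with a user field, idempotent on re-run).
if [ -e /etc/cron.daily/0logwatch ]; then
  printf 'logwatch already runs daily via /etc/cron.daily/0logwatch; no extra cron entry added\n'
else
  printf '%s\n' '0 4 * * * root /usr/sbin/logwatch' | sudo tee /etc/cron.d/logwatch >/dev/null
fi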
通过以上配置,您的CentOS系统将具备较强的防御能力,能够有效防范大多数恶意软件和病毒入侵。请根据实际业务需求调整相关配置。