In today’s rapidly changing technology landscape, attackers are attempting to infiltrate enterprise IT infrastructures using ever-evolving malware and phishing techniques to obtain sensitive data. Particularly in Linux systems, the open-source nature can lead to default configurations becoming security blind spots, posing potential threats to the protection of core business assets.
This article will mainly focus on Ubuntu and CentOS systems, referencing Level 3 of the security standards, and will provide a lightweight security hardening script for readers’ reference.
Ubuntu System Hardening Script:
#!/bin/bash
set -e
# Disable remote login for the root user
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart sshd
# Stop unnecessary services
services=(nfs rpcbind bind mountd)
for service in "${services[@]}"; do
systemctl stop $service
systemctl disable $service
done
# Configure firewall policy
ufw default deny incoming
ufw allow 22/tcp # SSH port, adjust as necessary
ufw allow 80/tcp # HTTP port, adjust as necessary
ufw allow 443/tcp # HTTPS port, adjust as necessary
ufw enable
# Configure SELinux
sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
setenforce 1
# Configure password policy
echo "minlen=12" >> /etc/pam.d/common-password
echo "dcredit=-3" >> /etc/pam.d/common-password
echo "ucredit=-3" >> /etc/pam.d/common-password
echo "lcredit=-3" >> /etc/pam.d/common-password
echo "ocredit=0" >> /etc/pam.d/common-password
# Configure log server
apt-get install -y rsyslog
cat << EOF > /etc/rsyslog.conf
*.* @@192.168.1.100:514 # Security log server IP and port, adjust as necessary
EOF
systemctl restart rsyslog
# Configure log retention policy
mkdir -p /var/log/audit
touch /var/log/audit/audit.log
cat << EOF > /etc/logrotate.d/_audit
/var/log/audit/audit.log {
rotate 7
compress
delaycompress
missingok
notifempty
}
EOF
# Enable audit service
apt-get install -y auditd
cp /etc/audisp/audisp-redhat.conf /etc/audisp/audisp.d/rules.d/
systemctl start auditd && systemctl enable auditd
# Configure minimal installation
apt-get remove --purge -y xserver*
CentOS System Hardening Script:
#!/bin/bash
set -e
# Disable remote login for the root user
sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart sshd
# Stop unnecessary services
services=(nfs rpcbind bind mountd)
for service in "${services[@]}"; do
systemctl stop $service
systemctl disable $service
done
# Configure firewall policy
firewall-cmd --permanent --zone=public --remove-port=22/tcp
firewall-cmd --permanent --add-service=ssh # Adjust as necessary
firewall-cmd --permanent --add-service=http # HTTP port, adjust as necessary
firewall-cmd --permanent --add-service=https # HTTPS port, adjust as necessary
firewall-cmd --reload
# Configure SELinux
sed -i 's/SELINUX=disabled/SELINUX=enforcing/' /etc/selinux/config
setenforce 1
# Configure password policy
echo "minlen=12" >> /etc/pam.d/system-auth-ac
echo "dcredit=-3" >> /etc/pam.d/system-auth-ac
echo "ucredit=-3" >> /etc/pam.d/system-auth-ac
echo "lcredit=-3" >> /etc/pam.d/system-auth-ac
echo "ocredit=0" >> /etc/pam.d/system-auth-ac
# Configure log server
cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
cat << EOF > /etc/rsyslog.conf
*.* @@192.168.1.100:514 # Security log server IP and port, adjust as necessary
EOF
systemctl restart rsyslog
# Configure log retention policy
mkdir -p /var/log/audit
touch /var/log/audit/audit.log
cat << EOF > /etc/logrotate.d/_audit
/var/log/audit/audit.log {
rotate 7
compress
delaycompress
missingok
notifempty
}
EOF
# Enable audit service
yum install -y audit
cp /etc/audisp/rules.d/active/50-default.rules /etc/audisp/rules.d/
systemctl start auditd && systemctl enable auditd
# Configure minimal installation
yum groupremove -y "X Window System"
Notes:
- 1. These scripts are just a foundation for hardening and need to be adjusted based on specific business requirements.
- 2. Please back up data before use to ensure critical services are not affected.
- 3. It is recommended to restart the system after executing the scripts to load all changes.
