When handing over a new machine, do the security hardening first, and use the opportunity to complete the asset inventory at the same time. Until the provisioning steps are finished, the machine must not be connected to the Internet or to the service intranet.
No need to explain this; everyone knows the pain...
You can refer directly to
https://security.utexas.edu/os-hardening-checklist
Windows
Linux reference: CentOS 7 host hardening manual (http://www.defvul.com/921/)
# --- /etc/sysconfig/network: disable IPv6 (edit with vi) ---
NETWORKING_IPV6=no
IPV6INIT=no
# --- /etc/pam.d/system-auth: password quality (pam_pwquality belongs to the
#     password stack and needs a control field; a bare "auth" line is not valid) ---
password requisite pam_pwquality.so retry=3
# --- /etc/pam.d/system-auth: report last login and failed attempts at session start ---
session required pam_lastlog.so showfailed
# --- shell commands, run as root ---
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
# cron.allow takes precedence when it exists; cron.deny is only a fallback.
# grep -x matches the whole name, so only "root" itself is excluded.
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/at.deny
# Idle shell timeout in seconds, for existing and for future users
echo "TMOUT=300" >> /etc/bashrc
echo "TMOUT=300" >> /etc/skel/.bashrc
# Prevent rarely used network protocol modules from being loaded
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
# Root may log in only on the first console
echo "tty1" > /etc/securetty
chmod 700 /root
# Host firewall (on CentOS 7 this needs the iptables-services package)
systemctl enable iptables.service
systemctl start iptables.service
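Before the machine is allowed onto the Internet or the service intranet it is worth verifying that the settings above actually landed on disk, rather than trusting that the script ran. The following audit script is an added example written for this page; it is not from the referenced hardening manual or the CIS material. The ROOT variable and the check functions are my own: ROOT defaults to the live filesystem but can point at a staging tree (a mounted image, for instance) so the same checks can be dry-run before delivery.

```shell
#!/bin/sh
# Post-hardening audit (added example, not from the referenced manual).
# Each check mirrors one setting from the checklist above and prints a FAIL
# line when it is missing. ROOT (an assumption of this example) lets the
# checks run against a staging tree instead of the live system.

ROOT="${ROOT:-}"

# Report a finding and return 1 so callers can accumulate failures.
fail() { echo "FAIL: $*"; return 1; }

# File must exist with exactly the given octal mode, e.g. 600.
check_mode() {
    f="$ROOT$1"
    [ -e "$f" ] || { fail "$1 missing"; return; }
    [ -n "$(find "$f" -prune -perm "$2" -print)" ] || fail "$1 mode is not $2"
}

# A kernel module counts as disabled when modprobe.d maps it to /bin/false.
check_module_disabled() {
    f="$ROOT/etc/modprobe.d/$1.conf"
    grep -qs "^install[[:space:]]$1[[:space:]]/bin/false" "$f" \
        || fail "module $1 not disabled"
}

# Idle timeout: TMOUT=300 must be present in the given rc file.
check_tmout() {
    grep -qs '^TMOUT=300' "$ROOT$1" || fail "TMOUT=300 missing in $1"
}

# /etc/securetty must list tty1 and nothing else (root console login only).
check_securetty() {
    f="$ROOT/etc/securetty"
    [ -f "$f" ] || { fail "/etc/securetty missing"; return; }
    [ "$(grep -v '^[[:space:]]*$' "$f" | tr -d '[:space:]')" = "tty1" ] \
        || fail "securetty allows more than tty1"
}

# IPv6 must be switched off in the network sysconfig.
check_ipv6_off() {
    f="$ROOT/etc/sysconfig/network"
    grep -qs '^NETWORKING_IPV6=no' "$f" && grep -qs '^IPV6INIT=no' "$f" \
        || fail "IPv6 not disabled in /etc/sysconfig/network"
}

# Run every check; the exit status is the number of failed checks (0 = pass).
harden_audit() {
    n=0
    check_mode /etc/cron.allow 600 || n=$((n+1))
    check_mode /etc/at.allow 600 || n=$((n+1))
    check_mode /root 700 || n=$((n+1))
    for m in dccp sctp rds tipc; do
        check_module_disabled "$m" || n=$((n+1))
    done
    check_tmout /etc/bashrc || n=$((n+1))
    check_tmout /etc/skel/.bashrc || n=$((n+1))
    check_securetty || n=$((n+1))
    check_ipv6_off || n=$((n+1))
    echo "audit finished: $n failure(s)"
    return $n
}

# Usage: ROOT=/mnt/staging sh harden-audit.sh audit   (or just "audit" on the live host)
case "${1:-}" in
    audit) harden_audit ;;
esac
```

Because the exit status equals the number of failed checks, the script drops straight into a provisioning pipeline: a non-zero status blocks the "connect to the network" step, and the FAIL lines tell the operator which item of the checklist to revisit.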
Some scripts from the web that can be adapted (don't use them as-is):
https://github.com/CentOS/Community-Kickstarts/blob/master/secure-kickstart.cfg
https://github.com/advertcn/server/blob/master/centos.sh
Only after I had written all this did I find this resource; just download it and follow it...
https://www.cisecurity.org/cybersecurity-best-practices/