1. Login account hardening
/etc/login.defs: the file holding the defaults used when a user account is created
grep -Ev "^#|^$" /etc/login.defs
/etc/login.defs supplies default values for basic account attributes at user-creation time: the UID and GID ranges, password aging, minimum password length, and so on.
Note that the defaults in this file are not applied to the root account, and when a setting here conflicts with what is recorded for a user in /etc/passwd or /etc/shadow, the per-user values in /etc/passwd and /etc/shadow win. In practice this means editing the file only changes accounts created afterwards; accounts that already exist keep their own aging fields until they are changed with chage.
You can inspect the file with vim /etc/login.defs; Table 1 explains each option.
Setting | Meaning |
---|---|
MAIL_DIR /var/spool/mail | When a user is created, a mailbox is created under /var/spool/mail; for example, user lamp gets /var/spool/mail/lamp. |
PASS_MAX_DAYS 99999 | Maximum number of days a password stays valid after it was last changed. 99999 days is roughly 273 years, so the password effectively never expires. |
PASS_MIN_DAYS 0 | Minimum number of days after a password change before the user may change it again. The default of 0 lets a user change it immediately, and so cycle straight back to an old password. |
PASS_MIN_LEN 5 | Minimum password length, default 5. On systems where PAM (pam_pwquality or pam_cracklib) checks passwords, this option is ignored and the PAM module's minlen applies instead. |
PASS_WARN_AGE 7 | Number of days before expiry at which the system starts warning the user that the password is about to expire; default 7. |
UID_MIN 500 | Smallest UID handed out to new users (500 on CentOS 6; CentOS 7 and later use 1000). Note that useradd takes the highest UID already in use plus one: if you manually give a user UID 550, the next user created gets 551 even though 500 to 549 are free. |
UID_MAX 60000 | Largest UID handed out to new users. |
GID_MIN 500 | Smallest GID handed out to new groups (1000 on CentOS 7 and later). |
GID_MAX 60000 | Largest GID handed out to new groups. |
CREATE_HOME yes | Whether to create the home directory when a user is created; yes creates it, no does not. Default yes. |
UMASK 077 | Umask applied when useradd creates the home directory (777 & ~077 = 700, so only the owner can enter it); it is also the login-time default umask when pam_umask or login takes its value from login.defs. |
USERGROUPS_ENAB yes | Whether deleting a user also deletes the user's group; more precisely, the user's private (initial) group, provided no other user belongs to it. Default yes. |
ENCRYPT_METHOD SHA512 | Hash algorithm used for the password hashes stored in /etc/shadow. SHA512 is the current default; older systems only offered DES or MD5, both far too weak for password storage today. |
Password-expiry settings required by the Linux security baseline
PASS_MAX_DAYS 90    # password valid for 90 days
PASS_MIN_DAYS 0
PASS_MIN_LEN 12     # minimum length 12 (only honoured when PAM is not doing the check; see the pwquality policy below)
PASS_WARN_AGE 7
These values only take effect for accounts created after the change; for accounts that already exist, set the same limits per user with chage and confirm them with chage -l.
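The following script is an added example, not part of the original notes: it writes the four baseline values into /etc/login.defs idempotently (replacing commented or existing lines rather than appending duplicates) and then applies the same limits with chage to accounts that already exist, which login.defs alone never touches. The function names and the optional file-path arguments are this example's own choices, made so the logic can be exercised against a copy of the file.

```bash
#!/bin/bash
# Added example (not from the original notes): apply the password-expiry
# baseline to /etc/login.defs idempotently, then push the same limits onto
# accounts that already exist, because login.defs only affects new accounts.
# Function names and the file path arguments are this example's own choice.

# set_login_def FILE KEY VALUE: rewrite an existing KEY line (even if it is
# commented out) or append one, so running the script twice leaves one line.
set_login_def() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_login_def FILE KEY: print the effective value (last uncommented match).
get_login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# apply_login_defs [FILE]: the four values from the baseline above.
apply_login_defs() {
    local file="${1:-/etc/login.defs}"
    set_login_def "$file" PASS_MAX_DAYS 90
    set_login_def "$file" PASS_MIN_DAYS 0
    set_login_def "$file" PASS_MIN_LEN 12
    set_login_def "$file" PASS_WARN_AGE 7
}

# apply_to_existing_users [SHADOW]: same limits for every account that has a
# real password hash; locked (!...) and passwordless (*) accounts are skipped.
apply_to_existing_users() {
    local shadow="${1:-/etc/shadow}" user hash
    while IFS=: read -r user hash _; do
        case "$hash" in
            '' | '*' | '!'*) continue ;;
        esac
        chage -M 90 -m 0 -W 7 "$user"
    done < "$shadow"
}

# Only touch the real system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_login_defs
    apply_to_existing_users
    chage -l root    # verify: the aging fields should now show 90 / 0 / 7
fi
```

Run it as root with --apply; without the flag it only defines the functions, so it can be sourced and tested against a scratch copy of login.defs first.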
Setting password complexity
On CentOS 7 password complexity is enforced by the PAM module pam_pwquality.
Back up the original configuration
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
Set the complexity policy
vim /etc/pam.d/system-auth
Find the line that loads pam_pwquality.so, comment out the original line and add the new one below. The new policy requires at least 12 characters, with at least one upper-case letter, one lower-case letter, one digit and one special character.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
minlen=12: minimum password length of 12 characters.
lcredit=-1: at least one lower-case letter (a negative credit value is a required minimum count of that class; a positive value is a length bonus instead).
ucredit=-1: at least one upper-case letter.
dcredit=-1: at least one digit.
ocredit=-1: at least one other character, such as @ # ! $ %.
enforce_for_root: apply the policy even when root sets a password (by default root only gets a warning and the weak password is accepted).
Two caveats: the same line also exists in /etc/pam.d/password-auth, which sshd and other network logins use, so change it there too; and authconfig regenerates both files, so the more durable place for the values is /etc/security/pwquality.conf, which pam_pwquality reads whatever the PAM line says.
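To make the credit semantics concrete and to give an audit check for both PAM stacks, here is an added example (not from the original notes): a bash emulation of the five rules in the line above, so you can see what a candidate password would be rejected for, plus a function that verifies a PAM file actually carries every hardened option. Function names are this example's own; the real enforcement is done by pam_pwquality, and its pwscore tool is the authoritative check for a candidate password.

```bash
#!/bin/bash
# Added example (not from the original notes): a local emulation of the five
# rules in the pam_pwquality line above, plus an audit that checks a PAM stack
# file actually carries them. Function names are this example's own; the real
# enforcement is pam_pwquality, and its pwscore tool gives the authoritative
# answer for a candidate password.

# check_password PASSWORD [MINLEN]: with lcredit/ucredit/dcredit/ocredit all
# set to -1, each is a required minimum count of that character class.
# Prints the first reason for rejection and returns 1; returns 0 on success.
check_password() {
    local pw="$1" minlen="${2:-12}"
    local lower upper digit other
    lower=$(( $(printf '%s' "$pw" | tr -cd '[:lower:]' | wc -c) ))
    upper=$(( $(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c) ))
    digit=$(( $(printf '%s' "$pw" | tr -cd '[:digit:]' | wc -c) ))
    other=$(( ${#pw} - lower - upper - digit ))
    [ "${#pw}" -ge "$minlen" ] || { echo "too short: ${#pw} < $minlen"; return 1; }
    [ "$lower" -ge 1 ] || { echo "needs a lower-case letter"; return 1; }
    [ "$upper" -ge 1 ] || { echo "needs an upper-case letter"; return 1; }
    [ "$digit" -ge 1 ] || { echo "needs a digit"; return 1; }
    [ "$other" -ge 1 ] || { echo "needs a special character"; return 1; }
    return 0
}

# audit_pwquality_line FILE: verifies that FILE (system-auth or password-auth)
# has an active pam_pwquality line carrying every hardened option.
audit_pwquality_line() {
    local file="$1" line opt
    line=$(grep -E '^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$file: no active pam_pwquality line"
        return 1
    fi
    for opt in minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root; do
        case " $line " in
            *" $opt "*) ;;
            *) echo "$file: missing $opt"; return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run: audit both PAM stacks on this host.
if [ "${1:-}" = "--audit" ]; then
    for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        audit_pwquality_line "$f" && echo "$f: ok"
    done
fi
```

The emulation counts ASCII classes only; pam_pwquality also applies dictionary, palindrome and similarity checks that this script does not reproduce, which is why the final word belongs to pwscore.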
2. SSH hardening
SSH (Secure Shell) is a network protocol that gives users secure access to a remote system: it provides a strongly encrypted channel between two hosts across an untrusted network. SSH is the first tool Linux and UNIX administrators reach for to operate and manage hosts. Although SSH is far safer than the alternatives, a bad configuration can still open it up.
First back up the file
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Relevant options in /etc/ssh/sshd_config (the values shown are the defaults, which ship commented out):
#Port 22                    # listening port; changing it hides sshd from casual scans but not from a full port scan
#AddressFamily any
#ListenAddress 0.0.0.0      # bind sshd to one local address only, e.g. the management interface reachable from the jump host; which clients may connect is controlled by the firewall or TCP wrappers (section 3), not by this option
#ListenAddress ::
#PermitRootLogin yes        # yes allows direct root logins; set no so administrators log in as themselves and escalate with sudo
#MaxAuthTries 6             # maximum authentication attempts per connection, default 6; public-key offers count as attempts too
#ClientAliveCountMax 3      # number of unanswered keep-alive probes before the server drops the session; only meaningful when ClientAliveInterval (seconds between probes, default 0 = disabled) is also set
#PasswordAuthentication no  # disable password logins
#PubkeyAuthentication yes   # allow public-key logins (confirm a key login works before disabling passwords)
The client gives up after three password prompts by default.
The client-side limit can be raised with -o NumberOfPasswordPrompts=8 to get more than three prompts, but the server still enforces its own MaxAuthTries:
ssh -o NumberOfPasswordPrompts=8 root@192.168.135.128
└─# ssh -o NumberOfPasswordPrompts=8 root@192.168.135.128
root@192.168.135.128's password:
Permission denied, please try again.
root@192.168.135.128's password:
Permission denied, please try again.
root@192.168.135.128's password:
Permission denied, please try again.
root@192.168.135.128's password:
Permission denied, please try again.
root@192.168.135.128's password:
Permission denied, please try again.
root@192.168.135.128's password:
Received disconnect from 192.168.135.128 port 22:2: Too many authentication failures
Disconnected from 192.168.135.128 port 22
The server terminates the connection after the sixth failed attempt, which is the default MaxAuthTries 6.
SSH security settings
PermitRootLogin no
MaxAuthTries 3
ClientAliveCountMax 6
Restart sshd so the settings take effect. Keep the current session open until a second login has succeeded, so a mistake in the file cannot lock you out:
systemctl restart sshd
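An added example, not part of the original notes: instead of grepping sshd_config, audit the effective configuration that sshd -T prints (it needs root, lists every option in lower case, and reflects any Match block or included file that overrides what you wrote). The expected values mirror the settings above; ClientAliveInterval 300 is this example's own assumption, added because ClientAliveCountMax does nothing while the interval stays at 0. Function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original notes): audit the effective sshd
# configuration from "sshd -T" output instead of the raw sshd_config text.
# ClientAliveInterval 300 is this example's own assumption; the other values
# are the settings from the notes above.

# audit_sshd_config: reads "key value" lines on stdin, prints one line per
# deviation from the baseline, returns 1 if there was any.
audit_sshd_config() {
    local input key want have rc=0
    input=$(cat)
    while read -r key want; do
        have=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, got ${have:-<unset>}"
            rc=1
        fi
    done <<'EOF'
permitrootlogin no
maxauthtries 3
passwordauthentication no
pubkeyauthentication yes
clientaliveinterval 300
clientalivecountmax 6
EOF
    return "$rc"
}

# Stand-alone run: syntax-check the file first, then audit the live daemon.
if [ "${1:-}" = "--live" ]; then
    sshd -t || exit 1          # refuse to go on if sshd_config would not load
    sshd -T | audit_sshd_config && echo "sshd: baseline ok"
fi
```

Run sshd -t before every restart: a restart with a broken sshd_config leaves the daemon down, and the audit run with --live tells you whether the values you intended are the ones the daemon actually uses.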
3. Blacklist and whitelist configuration
System login blacklist (TCP wrappers)
vi /etc/hosts.deny
hosts.deny    sshd: ALL    blacklist
sshd: ALL: deny refuses every remote sshd connection; the trailing : deny is the default action in hosts.deny and may be omitted.
vi /etc/hosts.allow
hosts.allow    sshd: 192.168.135.130    whitelist
hosts.allow is consulted first and a match there wins, so the pair above admits 192.168.135.130 and refuses everyone else. This only protects daemons linked against libwrap (sshd on CentOS 7 is; CentOS 8 dropped tcp_wrappers entirely), so treat it as a second layer behind the firewall rather than a replacement for it, and test a rule with the tcpdmatch tool from the tcp_wrappers package before relying on it.
4. User configuration
Environment settings: /etc/bashrc; user login configuration: /etc/profile
The difference between bashrc and profile
To understand the difference between bashrc and profile you first need to know what interactive and non-interactive shells are, and what login and non-login shells are.
In interactive mode the shell waits for your input and executes the commands you submit. It is called interactive because the shell interacts with the user, and it is the mode most users know best: log in, run some commands, log out. When you log out the shell terminates too.
A shell can also run in non-interactive mode. In that mode the shell does not interact with you; it reads commands stored in a file and executes them, and when it reaches the end of the file it terminates.
bashrc and profile both hold the user's environment settings: bashrc is read by interactive non-login shells, profile by interactive login shells. The system has several bashrc and profile files (/etc/profile, /etc/bashrc, ~/.bash_profile, ~/.bashrc).
So when you change a setting, change it in both files, otherwise it sometimes does not take effect. Note that neither file is read by non-interactive shells such as cron jobs and systemd services, so a umask set here does not constrain them.
The default umask block in /etc/profile and /etc/bashrc on CentOS looks like this:
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi
umask value
The umask sets the default permissions of files a user creates: whenever a directory or file is created, its initial permission bits are derived from the umask.
Common Linux file types
- regular file, d directory, l symbolic link
Linux file permissions
(figure in the original: an ls -l listing showing owner read and write permission)
File permissions
File permissions are defined for three classes of accessor:
owner (u), group (g), other (o)
and for each class there are three main permissions:
r: Read, w: Write, x: eXecute
In chmod's symbolic mode there is also X: it adds execute permission to directories (and to files that already have some execute bit) but not to plain files, because giving a file execute permission it does not need is a security risk.
Note: root is not restricted by the read and write bits, but execute is still restricted: root can only run a file if at least one execute bit is set on it.
r, w and x mean different things for files and for directories:
For files:
r: read the file's contents; w: modify the file's contents; x: run the file (meaningful for binaries and scripts, meaningless for data files)
For directories (a directory is essentially a file holding a list of names and inode numbers):
r: list the names in the directory; w: create and delete entries in the directory; x: enter the directory with cd, read the detailed attributes of its entries and access the files inside (the basic permission the other two depend on)
The umask determines the initial permission a directory or file receives when it is created
With umask = 022
a new directory gets 755
a new file gets 644
that is
777 - 022 = 755 for directories
666 - 022 = 644 for files
(strictly, the bits set in the umask are cleared from the base mode rather than subtracted; the subtraction gives the same answer whenever the base mode has every bit the mask clears)
With this setting every other user on the system can read the files and list the directories, which is a problem on a shared server.
In production the recommended umask is 027: the group keeps read access, everyone else gets nothing.
vim /etc/profile
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 027
fi
Note that the first branch still gives 002 to ordinary users whose primary group is their own private group; to enforce 027 for them as well, change that branch too.
Both vim /etc/profile and vim /etc/bashrc must be changed.
Apply it
[root@centos-ssh tmp]# source /etc/profile
[root@centos-ssh tmp]# source /etc/bashrc
Create a file to test: the new file moon gets the tighter permissions, while moonsec, created before the change, kept 644
[root@centos-ssh tmp]# ls -al moonsec moon
-rw-r-----. 1 root root 0 Jul  6 14:05 moon
-rw-r--r--. 1 root root 0 Jul  6 13:40 moonsec
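An added example, not from the original notes, that goes slightly beyond the 022 and 027 cases above: it computes the mode a file or directory receives under any umask and then creates real objects in a scratch directory to confirm the kernel agrees, so the recommendation can be verified on any host without touching /etc/profile. Function names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original notes): show what a umask does to the
# mode of new files and directories, first arithmetically and then for real
# in a temporary directory. Function names are this example's own.

# mode_from_umask UMASK BASE: the bits the kernel keeps, i.e. BASE & ~UMASK.
# BASE is 666 for files (open/creat) and 777 for directories (mkdir).
mode_from_umask() {
    printf '%03o\n' $(( 8#$2 & ~8#$1 ))
}

# actual_mode UMASK file|dir: create an object under that umask in a subshell
# (so the caller's umask is untouched) and report the octal mode it received.
actual_mode() {
    local kind="$2" tmp
    tmp=$(mktemp -d)
    (
        umask "$1"
        if [ "$kind" = dir ]; then
            mkdir "$tmp/d" && stat -c '%a' "$tmp/d"
        else
            : > "$tmp/f" && stat -c '%a' "$tmp/f"
        fi
    )
    rm -rf "$tmp"
}

# Stand-alone run: a table of common umasks versus the modes they produce.
if [ "${1:-}" = "--table" ]; then
    for m in 022 002 027 077; do
        printf 'umask %s: file %s dir %s (created: %s / %s)\n' "$m" \
            "$(mode_from_umask "$m" 666)" "$(mode_from_umask "$m" 777)" \
            "$(actual_mode "$m" file)" "$(actual_mode "$m" dir)"
    done
fi
```

Because the check runs in a subshell, it is also a quick way to confirm what umask a cron job or a systemd service really inherits: call actual_mode from inside that context and compare the result with what /etc/profile promised.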
5. history logging
history records the commands a user ran, but each bash session keeps its own in-memory list and only writes it to ~/.bash_history when the shell exits, so a command typed in one terminal does not appear in another, and a session that is killed never writes anything.
Run on one terminal
[root@xuegod61 ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:996:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:997:995:User for colord:/var/lib/colord:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
saned:x:996:994:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
setroubleshoot:x:994:991::/var/lib/setroubleshoot:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
chrony:x:993:988::/var/lib/chrony:/sbin/nologin
unbound:x:992:987:Unbound DNS resolver:/etc/unbound:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:991:985:User for geoclue:/var/lib/geoclue:/sbin/nologin
gluster:x:990:984:GlusterFS daemons:/run/gluster:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
mk:x:1000:1000:mk:/home/mk:/bin/bash
Looking at the history log from another terminal afterwards, the command is not there.
Persistent history logging is an effective record of what users did: if the server is compromised, the log helps trace the attacker, and when several administrators share a server it also shows who made a mistake. Bear in mind that a user can switch it off in their own shell (unset HISTFILE, history -c, or simply starting another shell), so this is an accountability aid, not a tamper-proof audit trail; auditd is the tool for that.
################begin history log###############
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
HISTDIR=/var/log/history
DT=`date +%Y-%m-%d`
if [ -z "$USER_IP" ]    # empty string: a local console login, so use the host name
then
    USER_IP=`hostname`
fi
pdf="."
if [[ ! $USER_IP == *${pdf}* ]]    # no dot in the value, so it is not an IP address: use the host name
then
    USER_IP=`hostname`
fi
if [ ! -d $HISTDIR ]
then
    mkdir -p $HISTDIR
    chmod 1773 $HISTDIR    # writable by everyone so each user can create a log; the sticky bit stops users deleting each other's files
fi
if [ ! -d $HISTDIR/${DT} ]
then
    mkdir -p $HISTDIR/${DT}
    chmod 1773 $HISTDIR/${DT}
fi
export HISTFILESIZE=10000    # maximum number of lines kept in the history file
export HISTSIZE=10000        # number of entries the history command keeps in memory
DT2=`date +%Y%m%d_%H:%M:%S`
export HISTFILE="$HISTDIR/${DT}/${LOGNAME}@${USER_IP}_$DT2"
export HISTTIMEFORMAT="%Y%m%d_%H:%M:%S# "
shopt -s histappend          # append to the file instead of overwriting it
PROMPT_COMMAND="history -a${PROMPT_COMMAND:+; $PROMPT_COMMAND}"    # flush each command as it runs, so a killed session still leaves a record
#chmod 600 $HISTDIR/${DT}/*_* 2>/dev/null
################end history log###############
Add the block to both /etc/profile and /etc/bashrc, then apply it:
source /etc/profile
source /etc/bashrc
Log in again to test: the history is now written under /var/log/history/<date>/<user>@<ip>_<time>.
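An added example, not from the original notes, for reading the files that block produces: with HISTTIMEFORMAT set, bash stores a "#<epoch>" line before each command, so the on-disk file has to be re-joined before it is readable, and during an incident review the first things to look for are commands that blind the logging itself or fetch and run remote code. The tampering patterns and the function names are this example's own choices; the sample file in the test is constructed, not a real capture.

```bash
#!/bin/bash
# Added example (not from the original notes): read the history files the
# block above writes. With HISTTIMEFORMAT set, bash stores a "#<epoch>" line
# before each command. The tampering patterns and function names are this
# example's own choices.

# parse_history FILE: one "epoch<TAB>command" line per command ("-" when the
# command was written without a timestamp).
parse_history() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        { print (ts == "" ? "-" : ts) "\t" $0; ts = "" }
    ' "$1"
}

# render_history FILE: human-readable "YYYY-mm-dd HH:MM:SS  command" (UTC).
render_history() {
    local ts cmd
    parse_history "$1" | while IFS=$'\t' read -r ts cmd; do
        if [ "$ts" = "-" ]; then
            printf '%-19s  %s\n' "unknown" "$cmd"
        else
            printf '%s  %s\n' "$(date -u -d "@$ts" '+%F %T')" "$cmd"
        fi
    done
}

# flag_suspicious FILE: commands that try to blind this logging or fetch and
# run remote code; each one deserves a look during an incident review.
flag_suspicious() {
    parse_history "$1" | cut -f2- | grep -E \
        'unset[[:space:]]+HIST|HISTFILE=|HISTSIZE=0|history[[:space:]]+-c|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh\b'
}

# Stand-alone run: review one recorded session file.
if [ "${1:-}" = "--review" ] && [ -n "${2:-}" ]; then
    render_history "$2"
    echo "--- suspicious ---"
    flag_suspicious "$2"
fi
```

Point --review at one of the files under /var/log/history/<date>/; the file name already carries the user, source address and login time, and the rendered timestamps let you line the commands up with sshd entries in /var/log/secure.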
6. Port security
A port is the endpoint on which a service accepts connections; there are TCP ports and UDP ports.
Common TCP ports: 21 (FTP), 80 (HTTP), 8080, and so on
Common UDP port: DNS on 53
Port ranges
Port 0 is not used;
Ports 1 to 1023 are privileged: only root (or a process holding CAP_NET_BIND_SERVICE) may bind them, which is why a listener there is worth a second look;
Ports 1024 to 49151 are the IANA registered range in which most application services live;
Ports 49152 to 65535 are dynamic/private ports. Linux clients actually take their source ports from /proc/sys/net/ipv4/ip_local_port_range (32768 to 60999 by default), and any port above 1023 can be bound by an unprivileged process.
The file /etc/services maps service names to their port numbers and protocols; an excerpt:
integra-sme      484/udp     # Integra Software Management Environment
powerburst       485/tcp     # Air Soft Power Burst
powerburst       485/udp     # Air Soft Power Burst
avian            486/tcp     # avian
...
oob-ws-http      623/tcp     # DMTF out-of-band web services management protocol
asf-rmcp         623/udp     # ASF Remote Management and Control Protocol
...
ldp              646/tcp     # LDP
dhcp-failover    647/tcp     # DHCP Failover
...
netconf-ssh      830/tcp     # NETCONF over SSH
iscsi            860/tcp     # iSCSI
...
ftps-data        989/tcp     # ftp protocol, data, over TLS/SSL
ftps             990/tcp     # ftp protocol, control, over TLS/SSL
...
exp1             1021/tcp    # RFC3692-style Experiment 1 (*) [RFC4727]
exp2             1022/tcp    # RFC3692-style Experiment 2 (*) [RFC4727]
blackjack        1025/tcp    # network blackjack
...
ams              1037/tcp    # AMS
(excerpt: the original notes paste the file from port 484 through 1037; each line is service name, port/protocol, optional aliases, and a comment)
Viewing open ports
View open ports with the ss command: ss -tulnp lists listening TCP and UDP sockets together with the owning process
netstat -anultp    # the older equivalent: TCP and UDP listeners with PIDs
On a server only the SSH port and the web port (80) should normally be listening on externally reachable addresses; everything else should bind to 127.0.0.1 or be stopped.
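An added example, not from the original notes, that turns the "only SSH and 80" rule into a check: it reads ss -tuln output and reports every listener bound to a non-loopback address whose proto/port is not on an allow list, while leaving loopback-only services (such as the packaged redis below) alone. Function names and the "proto/port" allow-list format are this example's own choices; the ss output in the test is constructed.

```bash
#!/bin/bash
# Added example (not from the original notes): compare what is actually
# listening (ss output) with an allow list of ports that may be exposed on a
# non-loopback address. Function names and the "proto/port" allow-list
# format are this example's own choices.

# unexpected_listeners "tcp/22 tcp/80": reads "ss -tuln" output on stdin and
# prints "proto port address" for every exposed listener not in the list.
# Exposed means bound to *, 0.0.0.0, [::] or :: (all interfaces).
unexpected_listeners() {
    awk -v allow=" $1 " '
        NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
            n = split($5, parts, ":")
            port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            exposed = (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
            key = $1 "/" port
            if (exposed && index(allow, " " key " ") == 0) print $1, port, addr
        }'
}

# Stand-alone run: check the live host. ss -tuln (no -p) keeps the field
# positions stable; add -p in a second run to find the owning process.
if [ "${1:-}" = "--check" ]; then
    found=$(ss -tuln | unexpected_listeners "${2:-tcp/22 tcp/80}")
    if [ -n "$found" ]; then
        echo "unexpected exposed listeners:"
        echo "$found"
        exit 1
    fi
    echo "only allowed ports are exposed"
fi
```

Run it with --check "tcp/22 tcp/80" after installing each service; it complements the masscan and nmap scans later in this section, which see the same listeners from the outside but after the firewall has filtered them.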
Install redis
yum install epel-release
yum install redis
systemctl start redis
systemctl enable redis.service
The packaged redis binds 127.0.0.1 by default, so port 6379 only accepts local connections; keep it that way unless remote clients genuinely need it.
Edit vi /etc/redis.conf and set a strong password
requirepass X.@qqq22
(the value above is only the example used in these notes; use a long random one, since redis can check tens of thousands of AUTH attempts per second)
Install httpd
yum install -y httpd
Firewall settings
From CentOS 7 onwards the default firewall front end is firewalld
Install: yum install firewalld
Check the state
firewall-cmd --state
Start it and manage ports
systemctl start firewalld.service
firewall-cmd --zone=public --add-port=80/tcp --permanent       # open port 80
firewall-cmd --zone=public --remove-port=80/tcp --permanent    # close port 80
systemctl restart firewalld.service                            # make it take effect
--permanent: persist the rule (without it the rule lives only in the running firewall and is gone after a restart). Permanent rules are not active until the configuration is reloaded, so after adding or removing a port either restart the service as above or reload with firewall-cmd --reload, which applies the permanent configuration without dropping established connections.
Black-box check of open ports from another host
Fast port scan with masscan
sudo masscan -p 1-65535 192.168.135.128 --rate=500
Port scan with nmap (-sV for service versions, -A adds OS detection and default scripts, -Pn skips the host-up probe so a host that drops ICMP is still scanned)
nmap -sV -A -Pn 192.168.135.128
7. Checking whether files have been modified
Verify files with md5
md5sum moonsec >> hash
md5sum --check hash
This catches accidental changes, but MD5 collisions are practical today, so an attacker can produce a different file with the same MD5; use sha256sum instead. Also keep the hash list somewhere the attacker cannot edit (read-only media or another host), because anyone who can rewrite the file can also rewrite a hash list stored next to it.
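An added example, not from the original notes, that extends the single-file check to a whole directory tree: it records a SHA-256 baseline with relative paths and later reports changed, missing and new files, which is what you actually need after a suspected intrusion. Function names are this example's own; the baseline should be written outside the tree and copied off-host.

```bash
#!/bin/bash
# Added example (not from the original notes): a file-integrity baseline over
# a directory tree with sha256sum, reporting changed, missing and new files.
# Function names are this example's own. Keep the baseline outside the tree
# and off-host; a baseline the attacker can rewrite proves nothing.
# Limitation: paths containing whitespace or newlines are not handled.

# make_baseline DIR OUT: sha256 of every regular file under DIR, with paths
# relative to DIR so the baseline stays valid wherever the tree is mounted.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# verify_baseline DIR BASELINE: prints sorted "CHANGED|MISSING|NEW path"
# lines; prints nothing when the tree still matches the baseline.
verify_baseline() {
    local now
    now=$(mktemp)
    make_baseline "$1" "$now"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         {
             if (!($2 in old)) print "NEW " $2
             else { if (old[$2] != $1) print "CHANGED " $2; delete old[$2] }
         }
         END { for (p in old) print "MISSING " p }' "$2" "$now" | sort
    rm -f "$now"
}

# Stand-alone run:  --baseline DIR OUT   or   --verify DIR BASELINE
if [ "${1:-}" = "--baseline" ]; then
    make_baseline "$2" "$3"
elif [ "${1:-}" = "--verify" ]; then
    findings=$(verify_baseline "$2" "$3")
    if [ -n "$findings" ]; then
        echo "$findings"
        exit 1
    fi
    echo "no changes"
fi
```

Take the baseline right after provisioning (for example over /etc, /usr/bin and /usr/sbin), store it off the host, and run --verify from a known-good copy of the script: a script left on the compromised host can itself have been edited.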