
<RedHat 계열 리눅스 서버 취약점 조치 방법> - 2024.06 By MirDaTe

아래는 Rocky Linux 8, 9 버전 서버 취약점 점검 조치방법을 정리한 것이다. 직접 해 본 후 정리한 자료이며 Apache 등의 웹서버 조치방법은 제외된 자료임.

 

1. sudo vi /etc/ssh/sshd_config

# Disable direct root login over SSH; administer via a wheel user and su/sudo instead.
PermitRootLogin no
# Maximum authentication attempts per connection (OpenSSH's built-in default is 6).
MaxAuthTries 5
# NOTE(review): sshd keeps the *first* value it reads for a keyword. The stock
# Rocky 9 sshd_config Includes /etc/ssh/sshd_config.d/*.conf near the top, so a
# drop-in there setting PermitRootLogin yes would presumably win over this line.
# Check the effective value with 'sshd -T | grep -i permitrootlogin' and
# restart sshd after editing.

 

2. sudo vi /etc/profile

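# System-wide shell settings placed in /etc/profile: history bookkeeping and an
# idle-session timeout.
HISTSIZE=2000
# Stamp every history entry with date and time; the trailing space separates
# the stamp from the command text.
HISTTIMEFORMAT="%F %T "
# Idle timeout for interactive shells, in seconds (900 s = 15 min).
TMOUT=900
# Lock the timeout so a user cannot 'unset TMOUT' or set it to 0 in their session.
readonly TMOUT

# NOTE(review): HISTCONTROL is exported here but not assigned in this excerpt;
# presumably the stock part of /etc/profile sets it — verify it is present.
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL HISTTIMEFORMAT TMOUT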

 

3. sudo vi /etc/login.defs

# Password-aging defaults applied when an account is created (useradd); they do
# not change accounts that already exist — use 'chage -M 90 -m 1 -W 7 <user>'
# for those.
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
# NOTE(review): with pam_pwquality in the password stack, the effective minimum
# length is 'minlen' in /etc/security/pwquality.conf; this value is presumably
# ignored for PAM-driven password changes — verify.
PASS_MIN_LEN 8
PASS_WARN_AGE 7

 

4. sudo vi /etc/pam.d/system-auth

# Generated by authselect on Wed Apr 24 15:45:49 2024
# Do not modify this file manually.
# NOTE(review): the warning above is real — a later 'authselect select ...' or
# 'authselect apply-changes' regenerates this file and silently drops the
# manually added lines marked below. The supported way to get the same lockout
# on Rocky 8/9 is the profile's with-faillock feature plus deny/unlock_time in
# /etc/security/faillock.conf; whichever route is used, re-check this file
# after any authselect run.

auth required pam_env.so
# line below added by MirDaTe
# preauth: refuse the login if the user already has 5 (deny) recorded failures;
# the lock clears after 600 s (unlock_time). 'silent' hides the lockout
# message from the user.
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
# 2-second pause after a failed authentication (delay is in microseconds)
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# NOTE(review): 'nullok' lets an account whose /etc/shadow password field is
# empty log in without a password; hardening baselines normally remove it after
# confirming no such accounts exist.
auth sufficient pam_unix.so nullok
# line below added by MirDaTe
# authfail: normally reached only when pam_unix.so above failed; records the
# failure and, via [default=die], ends the stack with a failure.
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
# line below added by MirDaTe
# account phase of pam_faillock, paired with the two auth lines above
# (presumably clears the failure tally after a successful login — confirm in
# pam_faillock(8)).
account required pam_faillock.so

password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
# leading '-': skip silently if the module cannot be loaded
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

 

5. sudo vi /etc/pam.d/password-auth

# Generated by authselect on Wed Apr 24 15:45:49 2024
# Do not modify this file manually.
# NOTE(review): as the warning says, any later 'authselect select ...' or
# 'authselect apply-changes' regenerates this file and drops the manually added
# lines marked below; the supported route is the profile's with-faillock
# feature plus /etc/security/faillock.conf. Re-check after any authselect run.

auth required pam_env.so
# line below added By MirDaTe
# preauth: refuse the login if 5 (deny) failures are already recorded; the lock
# clears after 600 s (unlock_time). 'silent' hides the lockout message.
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
# 2-second pause after a failed authentication (delay is in microseconds)
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# NOTE(review): 'nullok' lets an account with an empty /etc/shadow password
# field log in without a password; hardening baselines normally remove it.
auth sufficient pam_unix.so nullok
# line below added By MirDaTe
# authfail: normally reached only when pam_unix.so above failed; records the
# failure and, via [default=die], ends the stack with a failure.
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
# line below added By MirDaTe
# account phase of pam_faillock, paired with the two auth lines above
# (presumably clears the failure tally after a successful login — confirm in
# pam_faillock(8)).
account required pam_faillock.so

password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
# leading '-': skip silently if the module cannot be loaded
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

 

6. sudo vi /etc/security/pwquality.conf

# Password-quality policy enforced by pam_pwquality (the
# 'password requisite pam_pwquality.so' line in system-auth / password-auth).
minlen = 8
# NOTE(review): for the *credit settings a positive value is a bonus *cap*
# (extra credit toward minlen), not a requirement — as written, a password with
# no digit, no upper-case letter etc. is still accepted. To require at least one
# character of each class, use negative values (dcredit = -1, ucredit = -1,
# lcredit = -1, ocredit = -1). Also note root is only warned, not blocked,
# unless enforce_for_root is set.
dcredit = 1
ucredit = 1
lcredit = 1
ocredit = 1
# reject more than 3 identical consecutive characters
maxrepeat = 3
# reject more than 3 consecutive characters of the same class
maxclassrepeat = 3
# reject passwords that contain the user name
usercheck = 1

 

7. sudo touch /etc/cron.allow (cron.allow 파일이 존재하면 cron.deny 는 무시되고 cron.allow 에 등록된 사용자만 crontab 을 사용할 수 있으므로, 허용할 사용자를 빠짐없이 등록할 것)

    sudo chmod 640 /etc/cron.allow /etc/cron.deny /etc/at.deny

    sudo vi /etc/cron.allow

root
mirdate

 

8. sudo chmod -s /usr/bin/chage /usr/bin/gpasswd /sbin/unix_chkpwd /usr/bin/at /usr/bin/newgrp /usr/bin/write /usr/bin/chfn /bin/mount /bin/umount /usr/sbin/lockdev (주의: unix_chkpwd 의 setuid 를 제거하면 root 가 아닌 프로세스(화면 잠금 등)의 비밀번호 검증이, mount/umount 는 일반 사용자의 마운트가 동작하지 않을 수 있으므로 적용 후 확인할 것. 또한 패키지 업데이트 시 rpm 이 원래 권한을 복원하므로 주기적으로 재점검 필요)

 

9. sudo vi /etc/pam.d/su

# Only members of the wheel group may 'su'; use_uid checks the real uid of the
# calling process rather than the login session's user.
auth required pam_wheel.so use_uid # uncomment this line

 

10. sudo usermod --groups wheel <사용자ID> (주의: --groups 만 지정하면 기존 보조 그룹이 모두 wheel 하나로 교체됨. 기존 그룹을 유지하려면 --append --groups wheel 을 사용)

sudo usermod --groups wheel mirdate

 

11. sudo vi /etc/motd

*************************************************************
*                     !!! WARNING !!!                       *
*         All Connections are monitored and recorded        *
* Disconnect IMMEDIATELY if you are not an authorized user! *
*************************************************************

 

12. sudo vi /etc/issue.net (SSH 접속 시 이 배너를 보이려면 /etc/ssh/sshd_config 에 Banner /etc/issue.net 설정이 추가로 필요함. sshd 는 파일 내용을 그대로 보내므로 아래의 \S, \r, \m 은 치환되지 않으며, agetty/telnet 에서는 OS·커널 버전이 노출될 수 있다는 점에 유의)

*************************************************************
*                     !!! WARNING !!!                       *
*         All Connections are monitored and recorded        *
* Disconnect IMMEDIATELY if you are not an authorized user! *
*************************************************************

\S
Kernel \r on an \m

 

13. sudo dnf install chrony

      sudo vi /etc/chrony.conf

# Time sources for chronyd; 'iburst' sends the first requests in quick
# succession so the clock is synchronised soon after start-up.
# NOTE(review): these lines add to whatever 'pool'/'server' lines the stock
# /etc/chrony.conf already has — decide whether to keep the default pool too.
# After restarting chronyd, confirm with 'chronyc sources' that at least one
# source is selected (marked '*').
server time.google.com iburst
server time.nist.gov iburst
server time.bora.net iburst
server time.kriss.re.kr iburst
server time.windows.com iburst

 

- 서비스활성화 : sudo systemctl enable chronyd

- 서비스시작 : sudo systemctl start chronyd

- 서비스상태확인 : sudo systemctl status chronyd

 

       sudo chronyc tracking

       sudo chronyc ntpdata
