- 系统版本查阅
plengong@plengong:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
- 网络配置
plengong@plengong:~$ vim /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
ethernets:
ens33:
dhcp4: no
addresses:
- 192.168.224.110/24
gateway4: 192.168.224.2
nameservers:
addresses:
- 223.5.5.5
- 114.114.114.114
version: 2
root@plengong:/home/plengong# netplan apply # 应用配置文件
ubuntu 系统加固
- 最小密码长度不得少于 12 个字符(所有用户)
- 密码复杂度设置要求应包含大小写字母,数字和特殊字符(所有用户)
sudo vim /etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 minlen=12 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
配置参数详解(负值表示“至少包含多少个”该类字符):
参数 | 备注 |
minlen=12 | 最小密码长度(字符数) |
ocredit=-1 | 至少包含 1 个特殊字符(标点符号) |
ucredit=-1 | 至少包含 1 个大写字母 |
lcredit=-1 | 至少包含 1 个小写字母 |
dcredit=-1 | 至少包含 1 个数字 |
- 在用户登录系统时,应该有“For authorized users only”的 banner 提示信息。
- 登录前(终端)
plengong@plengong:~$ vim /etc/issue
Ubuntu 20.04.6 LTS \n \l
"For authorized users only" # 请不要使用任何关于欢迎类的字眼(欢迎类措辞可能被理解为允许任何人访问)
- 登录前(网络)
plengong@plengong:~$ vim /etc/issue.net
Ubuntu 20.04.6 LTS
"For authorized users only" # 请不要使用任何关于欢迎类的字眼(欢迎类措辞可能被理解为允许任何人访问)
- 登录后
plengong@plengong:~$ cd /etc/update-motd.d/
plengong@plengong:/etc/update-motd.d$ cat 60-my-welcome-info
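#!/bin/bash
# /etc/update-motd.d fragment: prints the post-login banner ("登录后" case).
# Fragments in this directory run in ascending order of their numeric prefix,
# so this 60-* file prints after the stock header/help-text fragments.
# A trailing newline is emitted so the next fragment's output starts on its own
# line (the original printf produced none, which glued the banner to it).
printf '%s\n' 'For authorized users only'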
提示:文件名开头的数字越小,执行顺序越靠前,其输出也越靠前
plengong@plengong:/etc/update-motd.d$ ll
total 68
drwxr-xr-x 2 root root 4096 Apr 28 00:56 ./
drwxr-xr-x 99 root root 4096 Apr 28 01:04 ../
-rwxr-xr-x 1 root root 1220 Dec 5 2019 00-header*
-rwxr-xr-x 1 root root 1157 Dec 5 2019 10-help-text*
lrwxrwxrwx 1 root root 46 Mar 14 22:43 50-landscape-sysinfo -> /usr/share/landscape/landscape-sysinfo.wrapper*
-rwxr-xr-x 1 root root 5023 Aug 17 2020 50-motd-news*
-rwxr-xr-x 1 root root 752 Apr 28 00:56 60-my-welcome-info*
-rwxr-xr-x 1 root root 84 Jul 3 2022 85-fwupd*
-rwxr-xr-x 1 root root 106 Feb 28 19:17 88-esm-announce*
-rwxr-xr-x 1 root root 218 Jan 20 19:17 90-updates-available*
-rwxr-xr-x 1 root root 263 Feb 28 19:17 91-contract-ua-esm-status*
-rwxr-xr-x 1 root root 374 Nov 20 22:31 91-release-upgrade*
-rwxr-xr-x 1 root root 165 Apr 25 2022 92-unattended-upgrades*
-rwxr-xr-x 1 root root 129 Jan 20 19:17 95-hwe-eol*
-rwxr-xr-x 1 root root 111 Nov 2 2021 97-overlayroot*
-rwxr-xr-x 1 root root 142 Jan 20 19:17 98-fsck-at-reboot*
-rwxr-xr-x 1 root root 144 Jan 20 19:17 98-reboot-required*
- 一分钟内仅允许 5 次登录失败的尝试,超过 5 次,登录帐号锁定 1 分钟。(所有用户)下面通过 pam_tally2 的 deny=5(连续失败 5 次后锁定)和 unlock_time=60(锁定 60 秒后自动解锁)来实现。
- pam模块配置文件(ssh远程登录)
plengong@plengong:~$ sudo vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
auth required pam_tally2.so deny=5 unlock_time=60
- pam模块配置文件(终端登录)
plengong@plengong:~$ sudo vim /etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#
auth required pam_tally2.so deny=5 unlock_time=60
- 非活动超时时间不得超过 1 分钟
plengong@plengong:~$ sudo vim /etc/profile
# 在文件末尾追加
export TMOUT=59 # 非活动时间(秒)
readonly TMOUT # 设为只读,防止用户在 shell 中修改或取消 TMOUT
plengong@plengong:~$ source /etc/profile # 重新加载配置文件,使当前 shell 立即生效
WWW
配置 HTTPS 服务
- 过滤配置文件(去掉注释行;注意该命令会删除所有含 '#' 的行,不仅是行首为 '#' 的注释行,生成后请检查结果)
grep -v '#' default-ssl.conf_bak > default-ssl.conf
- 添加 ssl 虚拟主机配置
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/gd.crt
SSLCertificateKeyFile /etc/ssl/private/gd.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
- 启用 ssl 模块并重启服务
sudo a2enmod ssl
sudo systemctl restart apache2
配置 HTTP 重定向到 HTTPS
<VirtualHost *:80>
Servername 192.168.224.110
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Redirect permanent / https://192.168.224.110
</VirtualHost>
禁止浏览 web 目录(关闭目录列表)
<Directory /var/www/>
# Options Indexes FollowSymLinks
Options None
AllowOverride None
Require all granted
</Directory>
隐藏 Apache 信息(服务名称和版本号)
ServerTokens Prod
ServerSignature Off