系统加固
概述
系统加固、基线配置、CIS 标准技能。所有示例均需 root 权限，且会改变登录和网络行为：请先在测试环境验证，并在变更 SSH 配置时保持一个已登录的会话不要关闭。
SSH 加固
配置优化
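# /etc/ssh/sshd_config
# sshd uses the FIRST value it reads for each keyword. Stock files on
# Debian/Ubuntu and RHEL 9+ start with "Include /etc/ssh/sshd_config.d/*.conf",
# so a drop-in there (e.g. cloud-init's 50-cloud-init.conf, which sets
# PasswordAuthentication yes) silently overrides anything below. On such
# systems put these directives in /etc/ssh/sshd_config.d/00-hardening.conf
# and confirm the effective value with `sshd -T`.

# No root login at all (keys included); administer via sudo from a named account
PermitRootLogin no

# Key-only authentication. "PasswordAuthentication no" alone is NOT enough:
# with UsePAM, keyboard-interactive still prompts for the PAM password, so
# that path must be closed too. ChallengeResponseAuthentication is the
# pre-8.7 name and remains an accepted alias of KbdInteractiveAuthentication.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Restrict who may log in. Allow/deny directives are evaluated in the order
# DenyUsers, AllowUsers, DenyGroups, AllowGroups and ALL must pass: a user has
# to be listed here AND be a member of sshusers. Fix the list (and the group
# membership) before applying or nobody can log in.
AllowUsers admin deploy
AllowGroups sshusers

# Non-default port: cuts scanner noise in the logs; it is not a security control.
# Open the port in the host firewall first, and on SELinux hosts label it:
#   semanage port -a -t ssh_port_t -p tcp 2222
# Where sshd is socket-activated (some Ubuntu releases) the listening port comes
# from ssh.socket — check `systemctl cat ssh.socket`.
Port 2222

# Dead-connection detection: disconnect after 2 unanswered keepalives
# (2 x 300 s). Clients answer keepalives automatically, so this does NOT log
# out idle-but-connected users; use TMOUT or a session policy for that.
ClientAliveInterval 300
ClientAliveCountMax 2

# Never accept an account whose password is empty
PermitEmptyPasswords no

# Limit guesses per connection (CIS value)
MaxAuthTries 4

# VERBOSE logs the fingerprint of the key used, so auth logs show WHICH key
# logged in, not just which user
LogLevel VERBOSE

# "Protocol 2" is intentionally omitted: SSH-1 was removed in OpenSSH 7.4 and
# the keyword now only produces a deprecation warning from `sshd -t`.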
应用配置
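# Validate the syntax BEFORE restarting: `systemctl restart` stops sshd
# first, and a config error then leaves it down. Gate the restart on the
# check, keep the current session open, and verify a fresh login from a
# second terminal before closing it.
sshd -t && systemctl restart sshd   # unit is "ssh" on Debian/Ubuntu (sshd alias normally exists)
# Show what sshd actually uses after merging sshd_config.d drop-ins and
# defaults — the file alone can be misleading
sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|port) '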
内核参数加固
sysctl 配置
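# /etc/sysctl.d/99-security.conf
# Apply with `sysctl --system` (loads every drop-in in lexical order, so this
# 99-* file wins over distro defaults) and verify with `sysctl <key>`.
# "conf.all.*" changes existing interfaces, "conf.default.*" governs interfaces
# created later (VPN tunnels, container veths) — set both or a new interface
# comes up unhardened.

# Disable IP forwarding. NOT for routers, VPN gateways or hosts running
# Docker/Kubernetes/libvirt: they require forwarding and may re-enable it.
net.ipv4.ip_forward = 0

# Do not accept or send ICMP redirects (routing-table poisoning)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# SYN cookies: keep accepting connections during a SYN flood
net.ipv4.tcp_syncookies = 1

# Ignore ICMP echo to broadcast addresses (smurf amplification) and bogus errors
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Reject source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Reverse-path filtering. 1 = strict: drops packets whose reply would leave by
# a different interface, which breaks asymmetric / multi-homed routing — use
# 2 (loose) on such hosts.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible (martian) source addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable IPv6 ONLY if it is genuinely unused: services bound to :: and hosts
# on IPv6-capable networks break. Where IPv6 is in use, leave it on and rely on
# the ipv6 accept_redirects / accept_source_route settings above instead.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Non-network items from the same CIS section
kernel.randomize_va_space = 2
fs.suid_dumpable = 0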
应用配置
sysctl -p /etc/sysctl.d/99-security.conf
用户安全
密码策略
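# /etc/login.defs
# These aging values apply only to accounts created AFTER the change.
# Existing accounts keep their current settings — update them explicitly:
#   chage --maxdays 90 --mindays 7 --warndays 14 <user>     (inspect: chage -l <user>)
# PASS_MIN_LEN is not enforced by passwd on PAM-based systems (i.e. every
# current distribution); the length rule that counts is "minlen" below.
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14

# /etc/security/pwquality.conf
# Enforced by pam_pwquality on password changes. A negative credit value means
# "require at least that many characters of the class". Root bypasses these
# checks unless enforce_for_root is set.
minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
enforce_for_root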
账户锁定
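# pam_tally2 was removed in Linux-PAM 1.5 (Debian 11+, Ubuntu 22.04+,
# RHEL 8+): use pam_faillock everywhere. Two things the one-liner version
# gets wrong: ordering ("preauth" must precede pam_unix, "authfail" must
# follow it) and the mandatory "account" line, without which the counter is
# never reset. Thresholds belong in /etc/security/faillock.conf
# (deny = 5, unlock_time = 900) rather than repeated on every module line.

# Debian/Ubuntu: /etc/pam.d/common-auth (pattern from pam_faillock(8))
auth    required                    pam_faillock.so preauth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail
auth    sufficient                  pam_faillock.so authsucc
# /etc/pam.d/common-account
account required                    pam_faillock.so

# RHEL/Rocky/Alma 8+: do NOT hand-edit system-auth — authselect regenerates it.
#   authselect enable-feature with-faillock && authselect apply-changes
# RHEL 7: add to BOTH system-auth and password-auth (sshd uses password-auth;
# editing only system-auth leaves SSH brute force uncounted):
auth    required        pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth    sufficient      pam_unix.so try_first_pass
auth    [default=die]   pam_faillock.so authfail audit deny=5 unlock_time=900
account required        pam_faillock.so

# Inspect / clear a lockout:  faillock --user <name>   /   faillock --user <name> --reset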
清理无用账户
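# Lock the password (usermod -L and passwd -l are equivalent: both prefix
# the hash in /etc/shadow with "!"). This blocks PASSWORD logins only —
# authorized SSH keys, cron jobs and sudo rules for the account keep working.
usermod -L username
# To really disable the account, expire it as well: the PAM account check
# then rejects every login method, key-based SSH included (with UsePAM yes).
chage -E 0 username
# Remove the interactive shell (the binary is /usr/sbin/nologin on Debian/Ubuntu)
usermod -s /sbin/nologin username
# Accounts with an EMPTY password field (field 2 of /etc/shadow): anyone can log in
awk -F: '($2 == "") {print $1}' /etc/shadow
# Accounts with a usable password hash — service accounts should not appear here
awk -F: '$2 !~ /^[!*]/ {print $1}' /etc/shadow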
文件权限
关键文件
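# Ownership and mode of the account databases. Use o-rwx, not 600, for the
# shadow files: Debian/Ubuntu ship them root:shadow 0640 and the setgid-shadow
# helper unix_chkpwd (used by screen lockers and other unprivileged PAM
# clients) needs the group read bit — 600 breaks those.
chown root:root /etc/passwd /etc/group
chmod 644 /etc/passwd /etc/group
chmod o-rwx /etc/shadow /etc/gshadow
chmod 700 /root
# Boot loader config (path is /boot/grub2/grub.cfg on RHEL, under /boot/efi on EFI)
chown root:root /boot/grub/grub.cfg
chmod 600 /boot/grub/grub.cfg
# Immutable attribute: blocks ALL writes, including useradd, passwd, chage and
# package post-install scripts that create service users. Only for frozen
# appliances — and `chattr -i` both files before any maintenance.
chattr +i /etc/passwd
chattr +i /etc/shadow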
查找问题文件
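# -xdev stays on local filesystems, skipping /proc, /sys and network mounts
# (which are slow and full of noise). Compare SUID/SGID results against a
# known-good baseline — many are legitimate (sudo, passwd, mount); the package
# manager can verify them: `rpm -Va` / `dpkg -V`.
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
# Files and directories with no valid owner or group (left behind by deleted users)
find / -xdev \( -nouser -o -nogroup \) 2>/dev/null
# World-writable files, and world-writable directories missing the sticky bit
find / -xdev -type f -perm -0002 2>/dev/null
find / -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null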
服务加固
禁用不必要服务
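# What is enabled to start at boot — services, sockets and timers
systemctl list-unit-files --state=enabled
# Legacy clear-text services (telnet, rsh, rlogin) are socket- or inetd-
# activated: disabling "telnet.service" does nothing, the unit to stop is
# the .socket (names vary by distribution — check first):
systemctl list-unit-files | grep -Ei 'telnet|rsh|rlogin|rexec'
# --now stops and disables in one step; mask keeps anything from starting
# them again. Removing the packages is better still.
systemctl disable --now telnet.socket rsh.socket rlogin.socket
systemctl mask telnet.socket rsh.socket rlogin.socket
# Ordinary services
systemctl disable --now vsftpd
# Confirm nothing unexpected is still listening
ss -tlnp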
限制 cron
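# Restrict cron to an explicit allow-list. When cron.allow exists only the
# users in it may run crontab(1); cron.deny is then ignored, so remove it to
# avoid confusion. ">" overwrites: list every user that needs cron (deploy,
# backup, ...) — existing crontabs keep running but become uneditable.
printf '%s\n' root > /etc/cron.allow
chown root:root /etc/cron.allow
chmod 600 /etc/cron.allow
rm -f /etc/cron.deny
# Same rule for at(1)
printf '%s\n' root > /etc/at.allow
chown root:root /etc/at.allow
chmod 600 /etc/at.allow
rm -f /etc/at.deny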
常见场景
场景 1：快速加固脚本
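#!/usr/bin/env bash
# Quick hardening: sshd directives, a sysctl drop-in and account-database
# permissions. Must run as root; idempotent, so it is safe to re-run.
#
# BEFORE running: keep your current SSH session open and make sure a public
# key already works for a non-root admin user. This script turns off password
# and root logins, and restarts sshd only after `sshd -t` accepts the config.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSHD_DROPIN=/etc/ssh/sshd_config.d/00-hardening.conf
readonly SYSCTL_FILE=/etc/sysctl.d/99-security.conf

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Set "key value" in an sshd_config that has no Include support.
# sshd takes the FIRST value it reads, so every existing occurrence (active
# or commented) is removed and the directive is written above the first
# Match block — placed after a Match line it would apply to that block only.
# Arguments: $1 config file, $2 keyword, $3 value
#######################################
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp) || die "mktemp failed"
  awk -v k="$key" -v v="$value" '
    tolower($1) == "match" && !done { print k, v; done = 1 }
    {
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
      split(line, f)
      if (tolower(f[1]) == tolower(k)) next
      print
    }
    END { if (!done) print k, v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # rewrite in place: keeps owner, mode and SELinux label
  rm -f -- "$tmp"
}

harden_sshd() {
  cp -a -- "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
  # Stock configs on Debian/Ubuntu and RHEL 9+ begin with
  # "Include /etc/ssh/sshd_config.d/*.conf". Drop-ins are read first and the
  # first value wins, so a file sorting before cloud-init's 50-cloud-init.conf
  # (which re-enables PasswordAuthentication) takes precedence. The former
  # `sed 's/#PermitRootLogin yes/.../'` approach matched nothing on current
  # defaults ("#PermitRootLogin prohibit-password") and was overridden by
  # those drop-ins anyway.
  if grep -Eqs '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$SSHD_CONFIG"; then
    install -d -m 0755 "$(dirname "$SSHD_DROPIN")"
    cat > "$SSHD_DROPIN" <<'EOF'
# managed by the hardening script
PermitRootLogin no
PasswordAuthentication no
# keyboard-interactive (PAM) would still accept passwords otherwise
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
    chmod 0600 "$SSHD_DROPIN"
  else
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    set_sshd_option "$SSHD_CONFIG" PasswordAuthentication no
    set_sshd_option "$SSHD_CONFIG" ChallengeResponseAuthentication no
    set_sshd_option "$SSHD_CONFIG" PubkeyAuthentication yes
  fi
  # A failed restart leaves sshd down, so refuse to restart on a broken config.
  sshd -t || die "sshd config check failed; not restarting (backup kept next to $SSHD_CONFIG)"
  systemctl restart sshd   # established sessions survive the restart
}

harden_sysctl() {
  # Overwrite rather than append, so re-runs do not pile up duplicate lines.
  # ip_forward and disable_ipv6 are deliberately left out: they break
  # Docker/Kubernetes/VPN hosts and IPv6-only services. Decide those per host
  # using the full sysctl section of this document.
  cat > "$SYSCTL_FILE" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
  sysctl -p "$SYSCTL_FILE" >/dev/null
}

harden_files() {
  # o-rwx instead of 600 on the shadow files: Debian/Ubuntu ship them
  # root:shadow 0640 and the setgid-shadow helper unix_chkpwd needs group read.
  chmod 644 /etc/passwd /etc/group
  chmod o-rwx /etc/shadow /etc/gshadow
  chmod 700 /root
}

main() {
  (( EUID == 0 )) || die "must run as root"
  printf '=== 系统加固 ===\n'
  harden_sshd
  harden_sysctl
  harden_files
  # Verify a NEW ssh login from another terminal before closing this session.
  printf '加固完成\n'
}
main "$@"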
场景 2：CIS 基线检查
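#!/usr/bin/env bash
# CIS-style baseline spot check: reports the effective value of a few key
# settings and prints one PASS/FAIL line per item. Read-only, safe on a live
# host. Run as root so `sshd -T` can resolve the effective sshd configuration.
# The previous version merely grepped the files, which misses drop-in
# overrides and reports commented-out defaults as if they were active.
set -uo pipefail   # deliberately no -e: a missing file or key is a finding, not a crash

# Overridable so the checks can be pointed at a staged tree
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
LOGIN_DEFS=${LOGIN_DEFS:-/etc/login.defs}

failures=0

#######################################
# Print the first word of the value of the first active "KEY VALUE" line in a
# key/value file (sshd_config, login.defs). Keys match case-insensitively;
# commented-out lines such as "#PermitRootLogin prohibit-password" do not
# match, so a default that only appears in a comment is reported as unset.
# Arguments: $1 file, $2 key
# Returns: 0 and prints the value; 1 (nothing printed) if file unreadable or key absent
#######################################
config_value() {
  local file=$1 key=$2
  [[ -r "$file" ]] || return 1
  awk -v k="$key" '
    tolower($1) == tolower(k) { print $2; found = 1; exit }
    END { exit found ? 0 : 1 }
  ' "$file"
}

#######################################
# Effective sshd value for a keyword. `sshd -T` (root only) merges
# sshd_config.d drop-ins and built-in defaults; when it is unavailable, fall
# back to reading the main file, which can miss a drop-in override.
# Arguments: $1 keyword
#######################################
sshd_value() {
  local key=$1 dump
  if dump=$(sshd -T 2>/dev/null); then
    awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' <<<"$dump"
  else
    config_value "$SSHD_CONFIG" "$key"
  fi
}

#######################################
# Print one result line and count failures in the global `failures`.
# Arguments: $1 label, $2 "pass" or "fail", $3 observed value (may be empty), $4 expected
#######################################
report() {
  local label=$1 verdict=$2 actual=$3 expected=$4
  if [[ "$verdict" == pass ]]; then
    printf 'PASS  %-32s %s\n' "$label" "$actual"
  else
    printf 'FAIL  %-32s %s (expected %s)\n' "$label" "${actual:-<not set>}" "$expected"
    failures=$((failures + 1))
  fi
}

# Case-insensitive equality (sshd values are case-insensitive).
# Arguments: $1 label, $2 actual, $3 expected
check_eq() {
  local verdict=fail
  [[ "${2,,}" == "${3,,}" ]] && verdict=pass
  report "$1" "$verdict" "$2" "$3"
}

# Integer upper bound: passes when actual is a non-negative integer <= limit.
# Arguments: $1 label, $2 actual, $3 limit
check_le() {
  local verdict=fail
  [[ "$2" =~ ^[0-9]+$ ]] && (( $2 <= $3 )) && verdict=pass
  report "$1" "$verdict" "$2" "<= $3"
}

main() {
  printf '=== CIS 基线检查 ===\n'
  check_eq 'SSH PermitRootLogin'        "$(sshd_value PermitRootLogin)" no
  check_eq 'SSH PasswordAuthentication' "$(sshd_value PasswordAuthentication)" no
  # login.defs governs NEW accounts only; `chage -l <user>` shows existing ones
  check_le '密码最大有效期 (PASS_MAX_DAYS)' "$(config_value "$LOGIN_DEFS" PASS_MAX_DAYS)" 90
  check_eq 'TCP SYN Cookie'             "$(sysctl -n net.ipv4.tcp_syncookies 2>/dev/null)" 1
  printf '%d finding(s)\n' "$failures"
}
main "$@"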
加固检查清单
| 项目 | 检查内容 |
|---|---|
| SSH | 禁用 root、仅密钥认证（含 keyboard-interactive）、用 `sshd -T` 核对生效值 |
| 密码 | 复杂度、有效期（现有账户需 `chage` 单独处理） |
| 内核 | sysctl 安全参数（`sysctl --system` 后核对） |
| 服务 | 禁用不必要服务（含 .socket 单元） |
| 权限 | 关键文件权限 |
| 日志 | 审计日志启用 |
故障排查
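# SSH login failing: watch the server log while reproducing the login
journalctl -u sshd -f        # RHEL/Fedora; the unit is "ssh" on Debian/Ubuntu
tail -f /var/log/auth.log    # Debian/Ubuntu; /var/log/secure on RHEL
# The effective configuration (merges sshd_config.d drop-ins and defaults),
# which is what matters — not the file on its own
sshd -T
# Client side: -vvv shows which keys are offered and why the server declines them
ssh -vvv -p 2222 user@host
# PAM: keyboard-interactive auth and the account checks (expiry, faillock) go through here
cat /etc/pam.d/sshd
# Is the account locked out by pam_faillock?
faillock --user username
# SELinux: a non-standard port or an oddly located ~/.ssh shows up as AVC denials
getenforce
ausearch -m avc -ts recent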