系统安全性1设置登录超时退出机制/etc/profile中加入:TMOUT=180---3分钟无操作,退出source/etc/profile--即时生效2历史记录/etc/profile中修改:HISTSIZE=30---保留历史记录30条source/etc/profile--即时生效3登录策略/etc/pam.d/system-auth中:authrequiredpam_env.so下面添加:authrequiredpam_tally.soonerr=failno_magic_rootdeny=3unlock_time=300账户连续3次输入密码错误,锁定5分钟4账户策略/etc/login.defs中修改PASS_MAX_DAYSPASS_MIN_DAYS90#新建用户的密码最长使用天数0#新建用户的密码最短使用天数PASS_MIN_LEN8#密码最小长度PASS_WARN_AGE7#新建用户的密码到期提前提醒天数/etc/pam.d/system-auth中添加:passwordrequisitepam_cracklib.sotry_first_passretry=3minlen=8lcredit=-1ucredit=-1dcredit=-1ocredit=-1---passwd最小长度为8--passwordrequisitepam_cracklib.sotry_first_passretry=3minlen=8lcredit=-1ucredit=-1dcredit=-1ocredit=-1difok=3---新密码和旧密码不能有3个以上字符重复---passwordsufficientpam_unix.somd5shadownulloktry_first_passuse_authtokremember=5---以前的5次之内的密码不能使用---此设置如果要生效还依赖于一个文件,/etc/security/opasswd,如果不存在,自己创建:touch/etc/security/opasswdchownroot:root/etc/security/opasswdchmod600/etc/security/opasswd配置项说明:lcredit=-1:小写字母最少1位ucredit=-1:大写字母最少1位dcredit=-1:数字最少1位ocredit=-1:其他字符最少1位difok=3:新旧密码不同的位数minlen=8:密码的最少位数禁止root登录:/etc/ssh/sshd_config中修改:PermitRootLogin改成no重启服务/etc/rc.d/sshdrestart禁止普通用户suroot:/etc/pam.d/su中添加:authsufficient/lib/security/pam_rootok.sodebugauthrequired/lib/security/pam_wheel.sogroup=pay将authrequiredpam_wheel.souse_uid注释#去掉仅pay组的用户可以用su作为root---如果你希望用户test能够用su作为root,可以运行如下命令usermod-G10test5停止服务chkconfigbluetoothoffchkconfigfirstbootoffchkconfigisdnoffchkconfigpcscdoffchkconfigrestorecondoffchkconfigcupsdoffchkconfigmcstransoffchkconfigavahi-daemonoff锁定无用的用户:usermod-Ladmusermod-Llpusermod-Lshutdownusermod-Lhaltusermod-Lnewsusermod-Luucpusermod-Loperatorusermod-Lgamesusermod-Lgopher6监控用户建立专门的nagios用户:useraddnagios--nagios用户只能启动nagios服务,不能登录7控制用户使用资源限制/etc/pam.d/login中添加:sessionrequiredpam_limits.so/etc/security/limits.conf中添加相应的资源限制test-nofile20##20##test-nproc20##20##test-maxlogins5####test-memlock64000#64M#8安装clamav防火墙安装包放在工作机x盘保留1个月中:clamav-0・97・tar・gzgroupaddclamavuseradd-gclamav-s/bin/false-c"ClamAntiVirus"clamavtarzxvfclamav-0.97.tar.gzcdclamav-0.97./configure--prefix=/usr/local/clamav--with-dbdir=/usr/local/share/clamavmakemakeinstall创建日志目录:mkdirclamvtouchfreshclam.logchownclamavfreshclam.logtouchclamd.logchownclamavclamd.log配置文件修改:vi/usr/local/clamav/etc/clamd.conf#Commentorremovethelinebelow.#Example这条注释掉LocalSocket/tmp/clamd.socket---注释去掉LogFile/log/clamav/clamd.log---设置你的log路径vi/usr/local/clamav/etc/freshclam.conf#Example这条注释掉UpdateLogFile设置你的log路径创建启动脚本:clamd将启动脚本上传至/etc/init.d中chmod755/etc/init.d/clamd启动ClamAV/etc/init.d/clamdstart/usr/local/clamav/bin./clamscanhelp./freshclam
