==CentOS login credentials==
root / Xsw@#edC2345
user / Xsw@#edC2345

==su and sudo practice==
visudo
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
user ALL=(ALL) /bin/systemctl *

==Disable firewalld and use iptables instead==
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install iptables-services
systemctl start iptables.service
systemctl enable iptables.service

==Install EPEL==
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

==/etc/fail2ban/jail.d/sshd.conf==
[sshd]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
maxretry = 10

==SSH login from Windows with a key pair==
[/etc/ssh/sshd_config]
PubkeyAuthentication yes

==Password complexity==
[/etc/pam.d/system-auth]
password requisite pam_cracklib.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=4

==Account lockout (3 failed attempts, locked for 15 minutes)==
[ssh login] Add the following to /etc/pam.d/password-auth-ac:
auth required pam_tally2.so deny=3 unlock_time=900
account required pam_tally2.so
[local (console) login] Add the following to /etc/pam.d/system-auth:
auth required pam_tally2.so deny=3 unlock_time=900
account required pam_tally2.so

==Automatic logout of idle sessions (e.g. after 30 minutes)==
[bash] Add the following to /etc/bashrc (TMOUT is in seconds):
TMOUT=1800
readonly TMOUT
export TMOUT
[csh] Add the following to /etc/cshrc (csh/tcsh autologout is in minutes, so 30 minutes is 30, not 1800):
set -r autologout = 30

==/etc/ntp.conf==
server tock.stdtime.gov.tw
server watch.stdtime.gov.tw
server time.stdtime.gov.tw
server clock.stdtime.gov.tw
server tick.stdtime.gov.tw

==Disable USB storage devices==
mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko.xz /root/usb-storage.ko.xz.bak
modprobe -r usb-storage
lsmod | grep usb-storage
[/etc/modprobe.d/blacklist.conf]
blacklist usb-storage
[/etc/modprobe.d/usb-storage.conf]
install usb-storage /bin/true

==iptables recent module example==
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 11 -j LOG --log-prefix "Possible DDoS Attack"
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 11 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

==knock server download==
(install wget first: yum install wget)
wget http://li.nux.ro/download/nux/dextop/el7/x86_64/knock-server-0.7-2.el7.nux.x86_64.rpm
yum install knock-server-0.7-2.el7.nux.x86_64.rpm

==knock client download==
【Windows】http://www.zeroflux.org/proj/knock/files/knock-win32.zip
【Linux】http://li.nux.ro/download/nux/dextop/el7/x86_64/knock-0.7-2.el7.nux.x86_64.rpm

==/etc/knockd.conf==
[options]
UseSyslog
LogFile = /var/log/knockd.log
Interface = ens33
[openSSH]
sequence = 2222:udp,3333:tcp,4444:udp
seq_timeout = 15
tcpflags = syn
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
[closeSSH]
sequence = 4444:udp,3333:tcp,2222:udp
seq_timeout = 15
tcpflags = syn
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT

==Post-course survey==
https://docs.google.com/forms/d/1hcLAflgjvEG0-LmiIbFIFLwCkQDrE7ezh3yvMCbiT9g/edit
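Added example, not part of the course notes: a small bash audit that parses the config files the sheet above edits (sshd_config, the fail2ban jail, the pam_tally2 lockout, pam_cracklib minlen, TMOUT, and the usb-storage blacklist) and reports which hardening settings are missing or weaker than the notes require. The file paths are the ones from the notes; the sample files the demo writes are constructed.

```shell
#!/bin/bash
# Added example, not part of the course notes: audit the hardening settings
# from this sheet by parsing the config files. Each check takes a file path and
# returns 0 (compliant) or 1 (missing, or weaker than the notes require).

# Non-comment lines of file $1 (nothing if the file is missing or unreadable).
active_lines() { [ -r "$1" ] && grep -Ev '^[[:space:]]*#' "$1"; }
# Numeric value of KEY=NUM (key in $2) from the last active line of $1 that has it.
num_value() { active_lines "$1" | grep -Eo "$2=[0-9]+" | tail -n1 | cut -d= -f2; }

check_sshd_pubkey()   { active_lines "$1" | grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes'; }
check_fail2ban_sshd() { active_lines "$1" | grep -Eq '^[[:space:]]*enabled[[:space:]]*=[[:space:]]*true'; }
check_usb_blacklist() { active_lines "$1" | grep -Eq '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/true'; }
# pam_tally2: lock after at most 3 failures, for at least 900 s (15 minutes).
check_lockout() {
  local d u; d=$(num_value "$1" deny); u=$(num_value "$1" unlock_time)
  active_lines "$1" | grep -q 'pam_tally2\.so' && [ -n "$d" ] && [ -n "$u" ] && [ "$d" -le 3 ] && [ "$u" -ge 900 ]
}
# pam_cracklib: minimum password length of 12, as the notes set.
check_pw_minlen() { local m; m=$(num_value "$1" minlen); [ -n "$m" ] && [ "$m" -ge 12 ]; }
# Idle logout: TMOUT set, and no longer than 1800 s (30 minutes).
check_tmout() { local t; t=$(num_value "$1" TMOUT); [ -n "$t" ] && [ "$t" -ge 1 ] && [ "$t" -le 1800 ]; }

# Run every check on the files under prefix $1 (empty = the live system).
# Prints PASS/FAIL per check and returns the number of failed checks.
run_audit() {
  local p="${1:-}" fails=0 c f
  for c in check_sshd_pubkey:/etc/ssh/sshd_config check_fail2ban_sshd:/etc/fail2ban/jail.d/sshd.conf \
           check_lockout:/etc/pam.d/password-auth-ac check_pw_minlen:/etc/pam.d/system-auth \
           check_tmout:/etc/bashrc check_usb_blacklist:/etc/modprobe.d/usb-storage.conf; do
    f="$p${c#*:}"
    if "${c%%:*}" "$f"; then echo "PASS ${c%%:*} $f"; else echo "FAIL ${c%%:*} $f"; fails=$((fails + 1)); fi
  done
  return "$fails"
}

# Demo on constructed sample files: a hardened set written to a temp dir.
# Expected: all six checks PASS and the function returns 0.
demo_audit() {
  local d rc; d=$(mktemp -d)
  mkdir -p "$d/etc/ssh" "$d/etc/fail2ban/jail.d" "$d/etc/pam.d" "$d/etc/modprobe.d"
  echo 'PubkeyAuthentication yes' > "$d/etc/ssh/sshd_config"
  printf '[sshd]\nenabled = true\n' > "$d/etc/fail2ban/jail.d/sshd.conf"
  echo 'auth required pam_tally2.so deny=3 unlock_time=900' > "$d/etc/pam.d/password-auth-ac"
  echo 'password requisite pam_cracklib.so retry=3 minlen=12' > "$d/etc/pam.d/system-auth"
  printf 'TMOUT=1800\nreadonly TMOUT\n' > "$d/etc/bashrc"
  echo 'install usb-storage /bin/true' > "$d/etc/modprobe.d/usb-storage.conf"
  run_audit "$d"; rc=$?; rm -rf "$d"; return "$rc"
}
```

Run `demo_audit` to see the expected all-PASS output, or `run_audit` with no argument on the lab VM to audit the live files.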