<RedHat 계열 리눅스 서버 취약점 조치 방법> - 2024.06 By MirDaTe
아래는 Rocky Linux 8, 9 버전 서버 취약점 점검 조치방법을 정리한 것이다. 직접 해 본 후 정리한 자료이며 Apache 등의 웹서버 조치방법은 제외된 자료임.
1. sudo vi /etc/ssh/sshd_config
(참고: PermitRootLogin no 를 적용하기 전에 10번 항목처럼 sudo 가 가능한 일반 계정이 먼저 준비되어 있어야 원격 접속이 끊기지 않는다. 수정 후에는 sudo sshd -t 로 설정 문법을 확인한 뒤 sudo systemctl restart sshd 로 적용한다.)
PermitRootLogin no
MaxAuthTries 5
2. sudo vi /etc/profile
(참고: TMOUT 는 사용자가 셸에서 unset 하거나 다른 값으로 덮어쓸 수 있으므로, 세션 타임아웃을 강제하려면 같은 파일에 readonly TMOUT 를 함께 두는 것이 좋다.)
HISTSIZE=2000
HISTTIMEFORMAT="%F %T "
TMOUT=900
export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL HISTTIMEFORMAT TMOUT
3. sudo vi /etc/login.defs
(참고: login.defs 의 PASS_* 값은 이후 새로 만드는 계정에만 적용되며, 이미 존재하는 계정은 chage 명령으로 만료 기간을 별도로 설정해야 한다.)
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 8
PASS_WARN_AGE 7
4. sudo vi /etc/pam.d/system-auth
(참고: 이 파일은 아래 주석처럼 authselect 가 생성하는 파일이므로 이후 authselect select / apply-changes 를 실행하면 수동 편집 내용이 덮어써진다. Rocky 8/9 에서는 authselect 의 with-faillock 기능으로 같은 설정을 적용하고 deny / unlock_time 값은 /etc/security/faillock.conf 에 두는 쪽이 유지보수에 안전하다. 또한 account required pam_faillock.so 를 account sufficient pam_localuser.so 뒤에 두면 로컬 계정은 sufficient 에서 스택이 끝나 이 줄에 도달하지 않을 가능성이 크므로, authselect 처럼 account required pam_unix.so 앞에 두는 것이 맞다. pam_unix.so 의 nullok 옵션은 빈 암호 로그인을 허용하므로 점검 목적상 제거(authselect 의 without-nullok)하는 것이 좋다. 5번 항목의 password-auth 에도 같은 주의사항이 적용된다.)
# Generated by authselect on Wed Apr 24 15:45:49 2024
# Do not modify this file manually.
auth required pam_env.so
#아래줄 추가 by MirDaTe
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
#아래줄 추가 by MirDaTe
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#아래줄 추가 by MirDaTe
account required pam_faillock.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
5. sudo vi /etc/pam.d/password-auth
# Generated by authselect on Wed Apr 24 15:45:49 2024
# Do not modify this file manually.
auth required pam_env.so
#아래줄 추가 By MirDaTe
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
#아래줄 추가 By MirDaTe
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#아래줄 추가 By MirDaTe
account required pam_faillock.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
6. sudo vi /etc/security/pwquality.conf
(참고: dcredit / ucredit / lcredit / ocredit 의 양수 값은 해당 문자 종류를 반드시 포함하도록 요구하는 것이 아니라 길이 계산에 가산점을 주는 값이므로, 위 설정만으로는 숫자·대문자·특수문자 없이도 8자만 넘으면 통과한다. 각 문자 종류를 반드시 포함시키려면 -1 처럼 음수로 설정하거나 minclass 로 최소 문자 종류 수를 지정해야 한다.)
minlen = 8
dcredit = 1
ucredit = 1
lcredit = 1
ocredit = 1
maxrepeat = 3
maxclassrepeat = 3
usercheck = 1
7. sudo touch /etc/cron.allow
(참고: cron.allow 가 존재하면 cron.deny 는 무시되며, 아래 chmod 는 존재하지 않는 파일에 대해서는 오류를 낸다. at 도 같은 방식이므로 at.allow 를 함께 만들어 허용 계정을 명시하는 것이 좋다.)
sudo chmod 640 /etc/cron.allow /etc/cron.deny /etc/at.deny
sudo vi /etc/cron.allow
root
mirdate
8. sudo chmod -s /usr/bin/chage /usr/bin/gpasswd /sbin/unix_chkpwd /usr/bin/at /usr/bin/newgrp /usr/bin/write /usr/bin/chfn /bin/mount /bin/umount /usr/sbin/lockdev
(참고: setuid/setgid 를 제거하면 일반 사용자가 해당 명령을 쓰는 동작이 바뀐다. 예를 들어 unix_chkpwd 는 화면잠금 같은 비root 프로세스의 암호 검증에 사용되고, at / mount / umount / newgrp / chfn 의 일반 사용자 용도도 막히므로 서비스 영향을 확인한 뒤 적용한다. 해당 패키지가 dnf 로 갱신되면 비트가 복원될 수 있으니 주기적으로 재점검한다.)
9. sudo vi /etc/pam.d/su
auth required pam_wheel.so use_uid #주석해제
10. sudo usermod --groups wheel <사용자ID>
(참고: --groups(-G) 만 쓰면 사용자의 기존 보조 그룹이 모두 wheel 로 대체된다. 기존 그룹을 유지하려면 --append(-aG) 를 함께 쓴다.)
sudo usermod --groups wheel mirdate
11. sudo vi /etc/motd
*************************************************************
* !!! WARNING !!! *
* All Connections are monitored and recorded *
* Disconnect IMMEDIATELY if you are not an authorized user! *
*************************************************************
12. sudo vi /etc/issue.net
(참고: sshd 가 이 배너를 접속자에게 보내게 하려면 sshd_config 에 Banner /etc/issue.net 설정이 추가로 필요하며, sshd 는 파일 내용을 그대로 전송하므로 \S, \r, \m 은 확장되지 않는다. 반대로 이 이스케이프를 해석하는 서비스에서는 인증 전에 OS / 커널 버전이 노출되므로 배너에서 버전 정보 줄은 빼는 것이 일반적인 조치 방향이다.)
*************************************************************
* !!! WARNING !!! *
* All Connections are monitored and recorded *
* Disconnect IMMEDIATELY if you are not an authorized user! *
*************************************************************
\S
Kernel \r on an \m
13. sudo dnf install chrony
sudo vi /etc/chrony.conf
server time.google.com iburst
server time.nist.gov iburst
server time.bora.net iburst
server time.kriss.re.kr iburst
server time.windows.com iburst
- 서비스활성화 : sudo systemctl enable chronyd
- 서비스시작 : sudo systemctl start chronyd
- 서비스상태확인 : sudo systemctl status chronyd
sudo chronyc tracking
sudo chronyc ntpdata