Linux Security Advice

Fly

One day I stumbled upon Lynis, a tool shipped with Kali. I tried it and felt as if I had found a new continent, so I could not help myself and installed Lynis on every Linux system I had: a Raspberry Pi, a notebook and a VPS.
Then I summarized the security advice Lynis provided and wrote this article.

Install the security software suggested by Lynis.

:~$ sudo apt-get install iptables debsums unattended-upgrades arpwatch sysstat auditd rkhunter

iptables

see iptables

arpwatch

Arpwatch keeps track of ethernet/IP address pairings. It logs activity to syslog and reports certain changes via
email. Arpwatch uses pcap(3) to listen for ARP packets on a local ethernet interface.

Install

:~$ sudo apt-get install arpwatch

Configure

  1. /etc/rc.d/init.d/arpwatch: starts or stops the arpwatch daemon.
  2. /etc/default/arpwatch.conf: the global configuration file.
  3. /var/lib/arpwatch/: the directory where arpwatch stores its data.
  4. /var/log/messages: the log file; every change arpwatch detects is recorded here.

Because the way arpwatch is configured differs between distributions and versions, there are mainly two methods:

  • systemd: check whether arpwatch@.service exists. If it does, use systemctl start arpwatch@eth0.service to listen on the specified interface.
  • /init.d/arpwatch: with this method the configuration file is usually /etc/arpwatch.conf; edit the parameters in it to configure arpwatch.

Using systemd

:~$ cat /etc/default/arpwatch.conf
# Global options for arpwatch(8).

# do not use the -i, -f or -u options here, they are added automatically
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"

# if you want to add a pcap filter, uncomment and adjust the option below (you
# will need spaces so adding -F to the ARGS above will cause problems). See -F
# option in man 8 arpwatch for more information
#PCAP_FILTER="not ether host (00:11:22:33:44:55 or 66:77:88:99:aa:bb)"

# Debian: run as `arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"

# when using systemd you have to enable arpwatch explicitly for each interface
# you want to run it on by running:
# systemctl enable arpwatch@IFACE
# systemctl start arpwatch@IFACE

# For the LSB init script, enter a list of interfaces into the list below;
# arpwatch will be started to listen on these interfaces.
# Note: This is ignored when using systemd!
# INTERFACES="eth0 eth1"
INTERFACES=""
:~$ sudo systemctl enable arpwatch@eth0
:~$ sudo systemctl start arpwatch@eth0
:~$ sudo systemctl enable arpwatch@wlan0
:~$ sudo systemctl start arpwatch@wlan0

Using the init.d script

/etc/arpwatch.conf

# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces.
# Format of this configuration file is:
#
#<dev1> <arpwatch options for dev1>
#<dev2> <arpwatch options for dev2>
#...
#<devN> <arpwatch options for devN>
#
# You can set global options for all interfaces by editing
# /etc/default/arpwatch

# For example:

#eth0 -m root
#eth1 -m root
#eth2 -m root

# or, if you have an MTA configured for plussed addressing:
#
#eth0 -m root+eth0
#eth1 -m root+eth1
#eth2 -m root+eth2

Logs

:~$ sudo journalctl -u [arpwatch/arpwatch@eth0]
-- Logs begin at Sun 2019-09-01 08:21:33 HKT, end at Sun 2019-09-01 09:13:34 HKT. --
Sep 01 08:36:00 kali systemd[1]: Starting arpwatch service on interface wlan0...
Sep 01 08:36:00 kali systemd[1]: Started arpwatch service on interface wlan0.
Sep 01 08:36:00 kali arpwatch[2185]: Running as uid=117 gid=121
Sep 01 08:36:00 kali arpwatch[2185]: listening on eth0
Sep 01 08:36:05 kali arpwatch[2185]: new station 192.168.0.104 xx:xx:xx:xx:xx:xx eth0
Sep 01 08:36:05 kali arpwatch[2185]: new station 192.168.0.100 xx:xx:xx:xx:xx:xx eth0
Sep 01 08:36:08 kali arpwatch[2185]: new station 192.168.0.97 xx:xx:xx:xx:xx:xx eth0
Sep 01 08:36:08 kali arpwatch[2185]: changed station 192.168.0.97 xx:xx:xx:xx:xx:xx eth0
...
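The journal lines above are only useful if someone reads them, so here is an added example (not code from the original article or from the arpwatch project) that turns that output into a short list of hosts worth a look. A "changed station" line (arpwatch(8) also reports "changed ethernet address" and "flip flop") means an IP answered ARP with a MAC different from the one on record: either legitimate re-addressing (DHCP lease reuse, a replaced NIC) or an ARP spoofing attempt. The sample log, host name, PID and MAC addresses are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise arpwatch
# journal output and list the IP addresses arpwatch saw with more than one
# MAC address. Those are the lines an operator should review first.

# Constructed sample in the shape of the journalctl lines shown in the
# article; host name, PID and MAC addresses are made up.
SAMPLE_LOG='Sep 01 08:36:05 kali arpwatch[2185]: new station 192.168.0.104 aa:bb:cc:00:00:01 eth0
Sep 01 08:36:05 kali arpwatch[2185]: new station 192.168.0.100 aa:bb:cc:00:00:02 eth0
Sep 01 08:36:08 kali arpwatch[2185]: new station 192.168.0.97 aa:bb:cc:00:00:03 eth0
Sep 01 08:36:08 kali arpwatch[2185]: changed station 192.168.0.97 aa:bb:cc:00:00:04 eth0
Sep 01 08:40:00 kali arpwatch[2185]: flip flop 192.168.0.97 aa:bb:cc:00:00:03 eth0 (aa:bb:cc:00:00:04)
Sep 01 08:41:00 kali arpwatch[2185]: new station 192.168.0.1 aa:bb:cc:00:00:05 eth0'

# arpwatch_suspects: read arpwatch log lines on stdin and print, for each IP
# that triggered at least one change event, "<ip> <change-count> <macs seen>".
arpwatch_suspects() {
    awk '
    /arpwatch\[[0-9]+\]: / {
        # Key on the "<ip> <mac>" pair that follows the event words. Matching
        # it by pattern keeps the parser independent of trailing fields such
        # as the interface name or the old MAC in parentheses.
        if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ [0-9a-fA-F:]+/)) next
        split(substr($0, RSTART, RLENGTH), pair, " ")
        ip = pair[1]; mac = pair[2]
        if (!((ip, mac) in seen)) { seen[ip, mac] = 1; macs[ip] = macs[ip] " " mac }
        if ($0 ~ /changed station|changed ethernet address|flip flop/) changes[ip]++
    }
    END { for (ip in changes) printf "%s %d%s\n", ip, changes[ip], macs[ip] }'
}

# count_new_stations: how many hosts were baselined ("new station" events).
count_new_stations() {
    grep -c 'arpwatch\[[0-9]*\]: new station '
}

# Run against the sample. On a real host feed the journal in instead:
#   journalctl -u arpwatch@eth0 --no-pager | arpwatch_suspects
printf '%s\n' "$SAMPLE_LOG" | arpwatch_suspects
# -> 192.168.0.97 2 aa:bb:cc:00:00:03 aa:bb:cc:00:00:04
printf '%s\n' "$SAMPLE_LOG" | count_new_stations
# -> 4
```

A host that appears once with a second MAC and then flips back is the classic sign of a second machine answering for the same IP; one that changes MAC once and stays changed is more often a DHCP reassignment. Comparing the listed MACs against the DHCP server's lease table settles it.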

sysstat

sysstat is a package containing a set of tools for monitoring system performance and efficiency. These tools collect performance data such as CPU utilization and disk and network throughput; collecting and analyzing that data helps us judge whether the system is running normally, and is a capable assistant for improving system efficiency and running servers securely.

sysstat reference article

Install

:~$ sudo apt-get install sysstat

Included tools

  • iostat - reports CPU statistics and input/output (I/O) statistics for all I/O devices
  • mpstat - detailed per-CPU information (reported individually or grouped)
  • pidstat - statistics on running processes/tasks, CPU, memory, etc.
  • sar - saves and reports detailed information about the various system resources (CPU, memory, I/O, network, kernel, etc.)
  • sadc - system activity data collector; the back end that gathers the data for sar
  • sa1 - collects and stores sadc data files in binary form; used together with sadc
  • sa2 - used together with sar to produce the daily summary report
  • sadf - formats sar output in other data formats (CSV or XML)
  • sysstat - the man page for the sysstat package
  • nfsiostat - I/O statistics for NFS (Network File System)
  • cifsiostat - statistics for CIFS (Common Internet File System)

Start the service

# enable the daemon (editing /etc/default/sysstat requires root)
:~$ sudo sed -i 's/^\s*ENABLED="false"/ENABLED="true"/' /etc/default/sysstat
:~$ sudo systemctl enable sysstat
:~$ sudo systemctl restart sysstat
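The sed one-liner above exits successfully even when its pattern matches nothing (for example if the file already reads ENABLED="true" or was edited to an unquoted value), so the collector can silently stay disabled. The following is an added example, not code from the original article or from the sysstat project: it makes the change idempotent and verifies the result, working on a constructed copy of Debian's /etc/default/sysstat stanza so it can be tried without root. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: enable sysstat data
# collection idempotently and verify the result instead of trusting a blind
# sed -i. Demonstrated on a temporary copy of /etc/default/sysstat.

# Constructed copy of the stanza Debian ships in /etc/default/sysstat.
SAMPLE_DEFAULT='# Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat
# Should sadc collect system activity informations? Valid values
# are "true" and "false". Please do not put other values, they
# will be overwritten by debconf!
ENABLED="false"'

# sysstat_is_enabled FILE: succeed only if the effective ENABLED value is
# "true". Accepts quoted and unquoted spellings; the last assignment wins,
# exactly as it would when the init script sources the file.
sysstat_is_enabled() {
    val=$(sed -n 's/^[[:space:]]*ENABLED="\{0,1\}\([a-z]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1)
    [ "$val" = "true" ]
}

# sysstat_enable FILE: set ENABLED="true", appending the line if the file
# has no assignment at all, then check that the edit actually took effect.
sysstat_enable() {
    f=$1
    if grep -q '^[[:space:]]*ENABLED=' "$f"; then
        sed -i 's/^[[:space:]]*ENABLED=.*/ENABLED="true"/' "$f"
    else
        printf 'ENABLED="true"\n' >> "$f"
    fi
    sysstat_is_enabled "$f"   # non-zero exit here means the change did not land
}

# demo_sysstat_enable: run the procedure on a temp copy and report the
# before/after state. On a real host call sysstat_enable /etc/default/sysstat
# as root, then enable and restart the sysstat unit as the article shows.
demo_sysstat_enable() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DEFAULT" > "$tmp"
    before=$(sysstat_is_enabled "$tmp" && echo enabled || echo disabled)
    sysstat_enable "$tmp"
    after=$(sysstat_is_enabled "$tmp" && echo enabled || echo disabled)
    rm -f "$tmp"
    echo "$before -> $after"
}

demo_sysstat_enable
# -> disabled -> enabled
```

The verification step matters more than the edit: a monitoring collector that looks enabled but is not leaves you without the sar history you will want when investigating an incident, and the failure is invisible until then.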

References:
iptables
sysstat
cisofy.com