AgentSkillsCN

linux-hardening

依据CIS基准与安全基线,加固Linux服务器,配置SSH、管理用户、实施防火墙规则并启用安全功能。在为生产环境加固Linux系统,或满足安全合规要求时加以运用。

SKILL.md
--- frontmatter
name: linux-hardening
description: Apply CIS benchmarks and secure Linux servers. Configure SSH, manage users, implement firewall rules, and enable security features. Use when hardening Linux systems for production or meeting security compliance requirements.
license: MIT
metadata:
  author: devops-skills
  version: "1.0"

Linux Hardening

Secure Linux servers following CIS benchmarks and security best practices.

When to Use This Skill

Use this skill when:

  • Hardening production servers
  • Meeting compliance requirements
  • Implementing security baselines
  • Configuring secure SSH access

SSH Hardening

bash
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers deploy admin
Protocol 2

User Security

bash
# Password policy
sudo apt install libpam-pwquality
# /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

# Lock inactive accounts
useradd -D -f 30

# Audit sudo usage
echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers

Firewall Configuration

bash
# UFW setup
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 443/tcp
ufw enable

# Or iptables
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Kernel Hardening

bash
# /etc/sysctl.d/99-security.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0

# Apply
sysctl -p

File Permissions

bash
# Critical files
chmod 600 /etc/shadow
chmod 644 /etc/passwd
chmod 700 /root
chmod 600 /etc/ssh/sshd_config

# Find world-writable files
find / -type f -perm -0002 -ls

# Find SUID files
find / -perm -4000 -type f -ls

Audit Configuration

bash
# Install auditd
apt install auditd

# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k actions
-a always,exit -F arch=b64 -S execve -k exec

Best Practices

  • Disable unused services
  • Keep system updated
  • Use fail2ban for intrusion prevention
  • Enable SELinux/AppArmor
  • Regular security audits
  • Monitor log files
  • Implement least privilege

Related Skills