This article shows how to secure a CentOS server using psad, Bastille and a few other tweaks. psad is a tool that helps detect port scans and other suspicious traffic; the Bastille hardening program "locks down" the operating system, proactively configuring it for increased security and decreasing its susceptibility to compromise.
Create an additional account for system administration
The "adduser" command creates the account.
adduser service
The "passwd" command sets the password for the "service" account.
passwd service
Create a downloads directory:
This creates a directory into which the RPMs and other files are downloaded.
mkdir /downloads
cd /downloads
Install psad
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic. More information can be found here.
wget http://www.cipherdyne.com/psad/download/psad-2.4.6.tar.gz
tar xfz psad-2.4.6.tar.gz
cd psad-2.4.6
./install.pl
Install Bastille
The Bastille hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, reporting in detail on each of the security settings it works with. More information can be found here.
wget https://downloads.sourceforge.net/project/bastille-linux/bastille-linux/3.2.1/Bastille-3.2.1-0.1.noarch.rpm
rpm -ivh Bastille-3.2.1-0.1.noarch.rpm
Run Bastille
This starts the interactive prompts.
/usr/sbin/bastille -c
Installation prompt responses
These settings are the recommended answers for a clean, default installation. If other software or packages have been installed, some values may need to be changed.
accept
<ENTER>
Would you like to set more restrictive permissions on the administration utilities? -> YES
<ENTER>
Would you like to disable SUID status for mount/umount? -> YES
Would you like to disable SUID status for ping? -> YES
Would you like to disable SUID status for at? -> YES
Would you like to disable the r-tools? -> YES
Would you like to disable SUID status for usernetctl? -> YES
Would you like to disable SUID status for traceroute? -> YES
Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
Would you like to enforce password aging? -> YES
Do you want to set the default umask? -> YES
What umask would you like to set for users on the system? -> 007
Should we disallow root login on tty's 1-6? -> NO
Should Bastille ask you for extraneous accounts to delete? -> NO
Would you like to password-protect the GRUB prompt? -> NO
Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
Would you like to password protect single-user mode? -> NO
Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
Would you like to display "Authorized Use" messages at log-in time? -> YES
Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
Would you like to put limits on system resource usage? -> YES
<ENTER>
Should we restrict console access to a small group of user accounts? -> YES
Which accounts should be able to login at console? -> root
Would you like to set up process accounting? -> NO
<ENTER>
Would you like to disable acpid and/or apmd? -> YES
Would you like to disable PCMCIA services? -> YES
Would you like to disable GPM? -> YES
Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? -> YES
Would you like to deactivate the ISDN script on this machine? -> YES
Would you like to deactivate kudzu's run at boot? -> YES
Do you want to stop sendmail from running in daemon mode? -> YES
Would you like to deactivate named, at least for now? -> NO
Would you like to deactivate the Apache web server? -> NO
Would you like to bind the Web server to listen only to the localhost? -> NO
Would you like to bind the web server to a particular interface? -> NO
<ENTER>
Would you like to deactivate the following of symbolic links? -> YES
Would you like to disable printing? -> YES
Would you like to install TMPDIR/TMP scripts? -> NO
Would you like to run the packet filtering script? -> YES
<ENTER>
Do you need the advanced networking options? -> NO
DNS Servers: [0.0.0.0/0] -> **LEAVE DEFAULT**
Public interfaces: -> eth+
TCP services to audit: -> telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
UDP services to audit: -> 31337
ICMP services to audit: -> **BLANK**
TCP service names or port numbers to allow on public interfaces: -> 21 22 25 53 80 110 111 143 443 631 953 993 995 3306
UDP service names or port numbers to allow on public interfaces: -> **BLANK**
Force passive mode? -> YES
TCP services to block: -> 2049 2065:2090 6000:6020 7100
UDP services to block: -> 2049 6770
ICMP allowed types: -> destination-unreachable echo-reply time-exceeded
Enable source address verification? -> YES
Reject method: -> DENY
Interfaces for DHCP queries: -> **BLANK**
NTP servers to query: -> **BLANK**
ICMP types to disallow outbound: -> destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? -> YES
Would you like to setup psad? -> YES
psad check interval: -> 15
Port range scan threshold: -> 1
Enable scan persistence? -> NO
Scan timeout: -> 3600
Show all scan signatures? -> NO
Danger Levels: -> 5 50 1000 5000 10000
Email addresses: -> root@localhost
Email alert danger level: -> 1
Alert on all new packets? -> YES
Enable automatic blocking of scanning IPs? -> NO
Should Bastille enable psad at boot time? -> YES
Are you finished answering the questions, i.e. may we make the changes? -> YES
<TAB>
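Once Bastille has finished, it is worth confirming on the live system that the answers above actually took effect. The following audit script is an added example, not part of Bastille or of the original guide: it checks that the SUID bit is gone from the binaries the prompts asked about (mount, umount, ping, at, traceroute, usernetctl; the paths are assumed typical CentOS locations) and that no active ctrlaltdel entry remains in /etc/inittab, which assumes a sysvinit-era CentOS where Bastille implements the Ctrl-Alt-Del answer by commenting out that line. Save it as audit_bastille.sh and run it as root.

```shell
#!/bin/sh
# Post-Bastille audit (added example; not Bastille's own code or the guide's).
# Verifies two of the interactive answers on the running system:
#   - SUID bit removed from mount/umount/ping/at/traceroute/usernetctl
#   - Ctrl-Alt-Del reboot disabled in /etc/inittab (sysvinit-era CentOS assumed)

# Binaries whose SUID status Bastille was told to disable.
# Assumed CentOS paths; adjust if "which <name>" reports something else.
SUID_TARGETS="/bin/mount /bin/umount /bin/ping /usr/bin/at /bin/traceroute /usr/sbin/usernetctl"

# suid_cleared FILE: success (0) when FILE is absent or carries no set-user-ID bit.
suid_cleared() {
    f="$1"
    [ -e "$f" ] || return 0          # not installed: nothing to lock down
    if [ -u "$f" ]; then             # POSIX test: set-user-ID bit present
        return 1
    fi
    return 0
}

# audit_suid FILE...: report each target; fails if any still has SUID set.
audit_suid() {
    rc=0
    for f in "$@"; do
        if suid_cleared "$f"; then
            echo "ok    no SUID: $f"
        else
            echo "WARN  still SUID: $f"
            rc=1
        fi
    done
    return $rc
}

# ctrlaltdel_disabled INITTAB: success when no uncommented ctrlaltdel action
# remains (a leading '#' before the action field means Bastille disabled it).
ctrlaltdel_disabled() {
    inittab="$1"
    [ -r "$inittab" ] || return 0    # no sysvinit inittab: nothing to check here
    if grep -q '^[^#]*:ctrlaltdel:' "$inittab"; then
        return 1
    fi
    return 0
}

# Run the audit only when executed as ./audit_bastille.sh (not when sourced).
if [ "${0##*/}" = "audit_bastille.sh" ]; then
    status=0
    audit_suid $SUID_TARGETS || status=1
    if ctrlaltdel_disabled /etc/inittab; then
        echo "ok    Ctrl-Alt-Del reboot disabled"
    else
        echo "WARN  Ctrl-Alt-Del reboot still active in /etc/inittab"
        status=1
    fi
    exit $status
fi
```

A non-zero exit means at least one setting did not stick, which happens when a package is reinstalled or updated after Bastille ran and restores the SUID bit; re-running Bastille or clearing the bit by hand (chmod u-s) fixes it.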
Edit the SSH configuration
A few additional steps are needed to secure SSH. The following settings will:
Ensure that only SSHv2 is used
Prevent the root user from logging in directly over SSH
Disallow logins for accounts that have no password
Display a login banner.
vi /etc/ssh/sshd_config
Edit the following lines and remove the leading comment character (#). Don't forget to save and exit.
#Protocol 2,1 -> Protocol 2
#PermitRootLogin yes -> PermitRootLogin no
#PermitEmptyPasswords no -> PermitEmptyPasswords no
#Banner /some/path -> Banner /etc/issue
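Editing sshd_config by hand is error-prone, and a typo only shows up when sshd is restarted, possibly after you have already logged out. The script below is an added example, not from the original guide or from OpenSSH: it applies the four settings above, takes a backup first, keeps the file's owner and mode, and then has sshd parse the result with "sshd -t" before anything is restarted. It assumes a stock sshd_config with no Match blocks (the CentOS default of that era has none), since a global replace inside a Match block would be wrong; the file name harden_sshd.sh and the helper names are this example's own.

```shell
#!/bin/sh
# Apply the guide's sshd_config changes and validate them (added example;
# not the guide's or OpenSSH's own code). Assumes no "Match" blocks.

# set_sshd_option CFG KEY VALUE: make "KEY VALUE" the active setting.
# Every existing line for KEY, commented ("#Key ...") or active, is rewritten
# (keys are matched with exact case); if KEY is absent the line is appended.
# The file is rewritten through cat so its owner and mode (root, 0600) survive.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"
    tmp="$cfg.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg"; then
        # VALUE lands in the sed replacement, so it must not contain '|' or '&'.
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $val|" "$cfg" > "$tmp" \
            && cat "$tmp" > "$cfg"
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# get_sshd_option CFG KEY: print the value sshd will use, i.e. the first
# uncommented occurrence (keywords are case-insensitive). Empty if unset.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd CFG: the four settings from the guide, with a backup taken first.
harden_sshd() {
    cfg="$1"
    cp -p "$cfg" "$cfg.bak"
    set_sshd_option "$cfg" Protocol 2                # SSHv2 only
    set_sshd_option "$cfg" PermitRootLogin no        # no direct root login
    set_sshd_option "$cfg" PermitEmptyPasswords no   # no passwordless accounts
    set_sshd_option "$cfg" Banner /etc/issue         # login banner
}

# validate_sshd_config CFG: have sshd parse the file before it is restarted;
# a broken config that only surfaces on restart can lock you out of the box.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipping syntax check of $1" >&2
    fi
}

# Entry point when run as ./harden_sshd.sh [path-to-sshd_config] (root needed
# for the real file); nothing runs when the file is sourced.
if [ "${0##*/}" = "harden_sshd.sh" ]; then
    cfg="${1:-/etc/ssh/sshd_config}"
    harden_sshd "$cfg" && validate_sshd_config "$cfg" \
        && echo "$cfg hardened (backup in $cfg.bak); restart sshd to apply"
fi
```

Keep your current SSH session open while restarting sshd and confirm a fresh login works from a second terminal before closing it; if the new config misbehaves, the .bak copy can be restored from the still-open session.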
Reboot the system
Reboot the system as a final check to make sure that everything starts up correctly.
reboot