備份集如何防勒索

近期，周邊發(fā)了幾起勒索病毒事件，大多事件的備份集也一并被修改加密，導致系統(tǒng)癱瘓、備份不可用。針對此情況，我對我們當前的備份方案緊急做了個調(diào)整優(yōu)化：原來備份的方式至掛在備份NAS，定時開啟備份腳本，備份完成。修改之后，大致改為了到備份時間時，主動掛在備份NAS，調(diào)用備份腳本，開啟備份，備份完成后，解掛備份NAS。另外增加操作系統(tǒng)掛在備份文件夾的權限管控，腳本大致如下：#修改chattr的默認命令名稱#mv/usr/bin/chattr/usr/bin/Lo0ckBkFi1le#0，定時任務提前3分鐘連接備份存儲介質(zhì)，并且測試連接成功#1，連接備份存儲，調(diào)用備份腳本#備份文件至文件夾：/BackUpFiles/cp/ShengChanFiles/data.csv/BackUpFiles/data_20220829.csv#壓縮備份文件，壓縮密碼為：Aa123456cd/BackUpFiles/tar-czdata_20220829.csv|openssldes3-salt-kAa123456-out/BackUpFiles/data_20220829.tar.gz#解壓命令為：openssldes3-d-kAa123456-salt-indata_20220829.tar.gz|tarxzf-#給備份文件上鎖Lo0ckBkFi1le+i/BackUpFiles/data_20220829.tar.gz#斷開備份存儲另：針對有備份軟件的公司，建議啟動備份軟件防勒索的功能。大多windows感染勒索比較容易，但是現(xiàn)在Linux系統(tǒng)也頻頻出現(xiàn)中勒索的情況，建議部署Linux系統(tǒng)按照基線部署，可參考如下腳本：#!/bin/sh#Name:centos7-os-init.sh#Writeby:Jan#LastModify:2019-09-20#DESC:Linux系統(tǒng)優(yōu)化和安全加固#CMD:shcentos7-os-init.sh#CMD說明:該腳本主要用于centos調(diào)優(yōu)，作為相對通用的模板，有一定的普適性，但是一般在實際生產(chǎn)環(huán)境##########中會根據(jù)系統(tǒng)的不同功能，進行不同的參數(shù)優(yōu)化，請各位注意。#--------------------------------------------------------------------#0添加epel的yum源##echo"[epel]">>/etc/yum.repos.d/epel.repo##echo"name=ExtraPackagesforCentos7-\$basearch">>/etc/yum.repos.d/epel.repo##echo"baseurl=/epel/7Server/\$basearch">>/etc/yum.repos.d/epel.repo##echo"failovermethod=priority">>/etc/yum.repos.d/epel.repo##echo"enabled=1">>/etc/yum.repos.d/epel.repo##echo"gpgcheck=0">>/etc/yum.repos.d/epel.repo###使配置生效##yumcleanall##yummakecache##yumrepolistyuminstall-ywgetwget-P/etc/yum.repos.d//repo/epel-7.repoyumcleanallyummakecacheyumrepolist##或者直接安裝

rpm

-ivh

/epel/epel-release-latest-7.noarch.rpm

#1設定時區(qū)，自動同步時間,定義為每天自動同步一次yuminstall-yntpdate\cp/usr/share/zoneinfo/Asia/Shanghai/etc/localtimentp_path=`whichntpdate`$ntp_path9hwclock-wecho"101***$ntp_path9">>/var/spool/cron/root#設置hostname,一般安裝的時候就會設置好

#2創(chuàng)建系統(tǒng)默認目錄：##腳本存放目錄mkdir-p/u01/shell##軟件安裝介質(zhì)存放位置mkdir-p/u01/src##日志存放位置mkdir-p/u02/log##備份存放位置，一般也會掛載nas存儲盤mkdir-p/u03/bakmkdir-p/u03/nas#mount-tcifs-ousername="jan",password="123456a?"http://8/DB_bak/u03/nas

#3優(yōu)化內(nèi)核參數(shù)##3.1修改最大系統(tǒng)最大打開文件數(shù)和最大進程數(shù)。echo"*softnproc65536">>/etc/security/limits.confecho"*hardnproc65536">>/etc/security/limits.confecho"*softnofile65536">>/etc/security/limits.confecho"*hardnofile65536">>/etc/security/limits.confecho"*softnproc65536">/etc/security/limits.d/20-nproc.confecho

"root

soft

nproc

unlimited">>/etc/security/limits.d/20-nproc.confecho"測試方式:當前session退出后重新登錄執(zhí)行:ulimit-Snulimit-Hn"

##3.2調(diào)整內(nèi)核參數(shù)、網(wǎng)絡參數(shù)、安全參數(shù)以應對高并發(fā)環(huán)境。cp/etc/sysctl.conf/etc/sysctl.conf.bkecho''>/etc/sysctl.conf

#關閉ipv6echo"net.ipv6.conf.all.disable_ipv6=1">>/etc/sysctl.confecho"net.ipv6.conf.default.disable_ipv6=1">>/etc/sysctl.conf#避免放大攻擊echo"net.ipv4.icmp_echo_ignore_broadcasts=1">>/etc/sysctl.conf#開啟惡意icmp錯誤消息保護echo"net.ipv4.icmp_ignore_bogus_error_responses=1">>/etc/sysctl.conf#關閉路由轉(zhuǎn)發(fā)echo"net.ipv4.ip_forward=0">>/etc/sysctl.confecho"net.ipv4.conf.all.send_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.default.send_redirects=0">>/etc/sysctl.conf#開啟反向路徑過濾echo"net.ipv4.conf.all.rp_filter=1">>/etc/sysctl.confecho"net.ipv4.conf.default.rp_filter=1">>/etc/sysctl.conf#處理無源路由的包echo"net.ipv4.conf.all.accept_source_route=0">>/etc/sysctl.confecho"net.ipv4.conf.default.accept_source_route=0">>/etc/sysctl.conf#關閉sysrq功能echo"kernel.sysrq=0">>/etc/sysctl.conf#core文件名中添加pid作為擴展名echo"kernel.core_uses_pid=1">>/etc/sysctl.conf#開啟SYN洪水攻擊保護echo"net.ipv4.tcp_syncookies=1">>/etc/sysctl.conf#修改消息隊列長度echo"kernel.msgmnb=65536">>/etc/sysctl.confecho"kernel.msgmax=65536">>/etc/sysctl.conf#設置最大內(nèi)存共享段大小bytes，這兩個參數(shù)主要在安裝oracle數(shù)據(jù)庫的時候，結(jié)合SGA使用echo"kernel.shmmax>>/etc/sysctl.conf#建議修改為內(nèi)存大小例如16G內(nèi)存echo"kernel.shmall=4194304">>/etc/sysctl.conf#默認=kernel.shmmax/4KB(4096)#timewait的數(shù)量，默認180000echo"net.ipv4.tcp_max_tw_buckets=6000">>/etc/sysctl.confecho"net.ipv4.tcp_sack=1">>/etc/sysctl.confecho"net.ipv4.tcp_window_scaling=1">>/etc/sysctl.confecho"net.ipv4.tcp_rmem=4096873804194304">>/etc/sysctl.confecho"net.ipv4.tcp_wmem=4096163844194304">>/etc/sysctl.confecho"net.core.wmem_default=8388608">>/etc/sysctl.confecho"net.core.rmem_default=8388608">>/etc/sysctl.confecho"net.core.rmem_max=16777216">>/etc/sysctl.confecho"net.core.wmem_max=16777216">>/etc/sysctl.conf#每個網(wǎng)絡接口接收數(shù)據(jù)包的速率比內(nèi)核處理這些包的速率快時，允許送到隊列的數(shù)據(jù)包的最大數(shù)目echo"dev_max_backlog=262144">>/etc/sysctl.conf#限制僅僅是為了防止簡單的DoS攻擊echo"net.ipv4.tcp_max_orphans=3276800">>/etc/sysctl.conf#未收到客戶端確認信息的連接請求的最大值echo"net.ipv4.tcp_max_syn_backlog=262144">>/etc/sysctl.confecho"net.ipv4.tcp_timestamps=0">>/etc/sysctl.conf#內(nèi)核放棄建立連接之前發(fā)送SYNACK包的數(shù)量echo"net.ipv4.tcp_synack_retries=1">>/etc/sysctl.conf#內(nèi)核放棄建立連接之前發(fā)送SYN包的數(shù)量echo"net.ipv4.tcp_syn_retries=1">>/etc/sysctl.conf#啟用timewait快速回收echo"net.ipv4.tcp_tw_recycle=1">>/etc/sysctl.conf#開啟重用。允許將TIME-WAITsockets重新用于新的TCP連接echo"net.ipv4.tcp_tw_reuse=1">>/etc/sysctl.confecho"net.ipv4.tcp_mem=94500000915000000927000000">>/etc/sysctl.confecho"net.ipv4.tcp_fin_timeout=1">>/etc/sysctl.conf#當keepalive起用的時候，TCP發(fā)送keepalive消息的頻度。缺省是2小時echo"net.ipv4.tcp_keepalive_time=30">>/etc/sysctl.conf#允許系統(tǒng)打開的端口范圍echo"net.ipv4.ip_local_port_range=3276865000">>/etc/sysctl.conf#修改防火墻表大小，默認65536#filter.nf_conntrack_max=655350#filter.nf_conntrack_tcp_timeout_established=1200#確保無人能修改路由表echo"net.ipv4.conf.all.accept_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.default.accept_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.all.secure_redirects=0">>/etc/sysctl.confecho"net.ipv4.conf.default.secure_redirects=0">>/etc/sysctl.conf#開啟并記錄欺騙，源路由和重定向包echo"net.ipv4.conf.all.log_martians=1">>/etc/sysctl.confecho"net.ipv4.conf.default.log_martians=1">>/etc/sysctl.confecho"fs.file-max=6815744">>/etc/sysctl.confecho"fs.aio-max-nr=1048576">>/etc/sysctl.confecho"kernel.shmmni=4096">>/etc/sysctl.confecho"kernel.sem=25032000100128">>/etc/sysctl.confecho"net.ipv4.route.gc_timeout=100">>/etc/sysctl.conf

#啟用內(nèi)核中的SYNcookie保護：(一般情況下操作系統(tǒng)已經(jīng)默認開啟)echo"1">/proc/sys/net/ipv4/tcp_syncookies#優(yōu)化swapecho"vm.swappiness=10">>/etc/sysctl.confsysctl-p

#4安全加固相關：#4.1關閉selinuxsed-i's/SELINUX=enforcing/SELINUX=disabled/g'/etc/selinux/config

#4.2關閉不常用服務。根據(jù)服務器的用途和安裝系統(tǒng)時候的選擇進行優(yōu)化，將不必要的服務關閉，提高性能。#chkconfigiptablesoff#chkconfigip6tablesoff#chkconfigabrt-ccppoff#chkconfigabrtdoff#chkconfigacpidoff#chkconfigatdoff#chkconfigauditdoff#chkconfigautofsoff#chkconfigblk-availabilityoff#chkconfigbluetoothoff#chkconfigcertmongeroff#chkconfigcpuspeedoff#chkconfigcupsoff#chkconfigdnsmasqoff#chkconfigfirstbootoff#chkconfigkdumpoff#chkconfigmdmonitoroff#chkconfignetconsoleoff#chkconfigpostfixoff#chkconfigquota_nldoff#chkconfigrdiscoff#chkconfigrestorecondoff#chkconfigsaslauthdoff#chkconfigsmartdoff#chkconfigwpa_supplicantoff#chkconfigypbindoff

#4.3安裝監(jiān)控客戶端##安裝監(jiān)控客戶端

#4.4清除不必要的系統(tǒng)帳戶userdeladmuserdellpuserdelsyncuserdelshutdownuserdelhaltuserdeloperatoruserdelftp

#4.5隱藏linux版本號#>/etc/issue#>/etc/

#4.6系統(tǒng)關閉Ping#關閉ping，使系統(tǒng)對ping不做反應，對網(wǎng)絡安全大有好處。#echo1>/proc/sys/net/ipv4/icmp_echo_ignore_all#echo"echo1>/proc/sys/net/ipv4/icmp_echo_ignore_all">>/etc/rc.d/rc.local#恢復系統(tǒng)的Ping響應：#echo0>/proc/sys/net/ipv4/icmp_echo_ignore_all

###4.7升級OpenSSHOpenSSL至安全版本#######禁止root賬戶遠程登錄,更改ssh端口##sed-i's/#Port22/Port2022/g'/etc/ssh/sshd_config##sed-i's/#PermitRootLoginyes/PermitRootLoginno/g'/etc/ssh/sshd_config

#4.8安裝telnetyuminstall-ytelnet

###4.9創(chuàng)建普通用戶,指定/u01u02u03所屬##groupaddgapp##useradd-ggappappuser##echo"apuserPWD"|passwd--stdinappuser##chown-Rappuser.gapp/u01##chown-Rappuser.gapp/u02##chown-Rappuser.gapp/u03##chown-Rap