Linux Hardening Targets and objects

I. Linux hardening targets and objects

objective of the project strengthening: to solve the security problems of Linux servers identified by the company in the risk assessment work this year, and to promote the security status of Linux servers to a higher level of security, in combination with the requirements of the revised version of the Southern Power grid security baseline standard. Minimizing the security risks posed by Linux servers to the normal operation of the grid information business.

Project Reinforcement Object: This information security reinforcement object mainly includes the Linux system in the information system of Guizhou power grid ICT company. See Appendix "Linux System Host" for specific equipment

Two. Reinforcement Solutions

2.1 Device Management

2.1.1 Hardening content: Installing SSH

Description described: SSH is connected by encryption to improve the security of information transmission

steps: 1. Upload the SSH SSL rpm package.

2. Install SSL package: RPM–IVH openssl-xxxx.rpm

2. Install the RPM package: Rpm–ivh openssh-server-xxxx.rpm

Note: you need to install SSL before installing SSH

risk-free emergency measures: no risk, installation is not successful

Rpm–e openssh-server-xx.rpm Fallback

Whether to implement:

2.1.2 Hardening Content: Configuring access control with TCP wrapper

Description set access policy to prevent unauthorized access

steps: 1. Open the Hosts.allow file to add the IP that allows SSH login, add the line format as:

sshd:192.168.0.1 (single address)

sshd:192.168.0.0/255.255.255.0 (address segment)

2. Open the Hosts.deny file to add a reject all rows:

Sshd:all

Note: the address of the PC to be securely hardened must be in the allowed address list

there is a risk of emergency response measures: after setting up, not in the allowed address of the PC will not be able to log on to the server. Fallback method: Delete rows added in Hosts.allow and Hosts.deny files

Whether to implement:

2.2 User account and password security

2.2.1 Reinforcement Content: Limit the system useless default account login

Description Note: restricting unwanted accounts can prevent attackers from attacking through the default account

Step: Use the command lock useless account: #passwd –l account name, you need to lock the following account:

Daemon

Bin

Sys

Adm

Uucp

Lp

Nobody

Note: These accounts are locked by default and cannot be logged in

There are risk emergency measures: there is no risk. Fallback method: #passwd –u account name

Whether to implement:

2.2.2 Reinforcement content: Disable root telnet

Description : Disable root login to prevent remote access to the root

steps: 1. Modify the file/etc/ssh/sshd_config, uncomment the parameter Permitrootlogin No, and change "no" to "yes"

2. Restart sshd: #service sshd Restart

Precautions : None

there is a risk of emergency measures: after configuration, root cannot telnet, need to prepare a normal administrator account login and then switch to root. Fallback measures: Change the Permitrootlogin in/etc/ssh/sshd_config to Yes and restart sshd

Whether to implement:

2.2.3 Hardening Content: setting password policies

Description : setting Password policy can improve the security of account

Step: Modify File/etc/login.defs

pass_max_days 180 password is used for a maximum period of 180 days

Pass_min_days 1 password cannot be changed within 1 days

Pass_warn_age 28 password expires before 28 days prompt modification

Pass_min_len 8 Password Length minimum 8-bit characters

Note: When a password policy is modified, a password that does not conform to the standard will force the password to be changed when the user logs on

There are risk emergency measures: there is no risk. Fallback measures: Modify settings to pre-system hardening status based on account properties recorded prior to hardening

Whether to implement:

2.2.4 Hardening Content: Controlling User logon session time

Description : Setting Login timeout can control user logon session and improve system security

Step: set user 600 seconds after connection auto Disconnect

1. Adding lines to the/etc/profile file

tmout=600

1. Reread environment variables

#export/etc/profile

Precautions : None

risk response measures: no risk. Fallback method: Comment in/etc/profile file tmout=600

Whether to implement:

2.2.5 Hardening content: Prohibit the root user from using FTP

Description : prohibit root users from using FTP to prevent the transfer of files with high permissions

steps: 1. Add root to the/etc/ftpusers file

2. Restart the vsftpd. #service vsftpd Restart

Precautions : None

There are risk emergency measures: there is no risk. Fallback method: Delete root in/etc/ftpusers file and restart VSFTPD

Whether to implement:

2.3 Logs and audits

2.3.1 Hardening Content: Capturing Authpriv messages

Description Note: enable logging, can log, query attack behavior

steps: 1. Open the Syslog configuration file etc/syslog.conf Add line:

authpriv.*/var/log/secure

2. Restart SYSLOGD: #service syslogd restart

Note: The system saves Authpriv logs by default

There are risk emergency measures: there is no risk. Fallback method: Delete or comment The configuration file add lines and restart the SYSLOGD service.

Whether to implement:

2.3.2 Hardening Content: Logs are stored in the log server (optional)

Description Note: logs are stored in the log server, which can prevent attackers from deleting logs or keeping logs for long periods of time.

steps: 1. Configuration of the log server:

#vi/etc/sysconfig/syslog

Modify syslogd_options= "-M 0" to: syslogd_options= "-r-m 0"

-R indicates logging of remote hosts is enabled

2. Native configuration:

Modify the/etc/syslog.conf file

# vi/etc/syslog.conf

*. * @192.168.0.1 indicates that logs from this machine are logged to 192.168.0.1 on this server.

3. Restart 2 server Log Services

/etc/init.d/syslog restart

Note: If no log server this item does not strengthen

risk Mitigation measures: Deleting or commenting on configuration files adding lines and restarting the log service

Whether to implement:

2.3.3 Reinforcement Content: Logs must be kept for 6 months or 180 days

Description Note: The log is saved for a long time and can be queried for a longer period of time

Step: None

Note: The system default log save time is permanent, this item does not do the reinforcement

There are risks to the emergency treatment measures:

Whether to implement:

2.3.4 Hardening Content: Log System Profile Protection

Description log File Protection, which prevents an attacker from accessing the log configuration file

Step: Modify log profile only Administrator readable

chmod 400/etc/syslog.conf

Precautions: None

risk response measures: no risk. Fallback measures: chmod 644/etc/syslog.conf

Whether to implement:

2.4 Service Optimization

2.4.1 Reinforcement content: Close xinetd Control Service

Description : turning off unwanted services can improve the security of the system or optimize the system.

Step: Modify the configuration files for each service under/etc/xinetd.d/:

Change disable = No to Yes

Save exit, restart XINETD
#service xinetd Restart

Services that need to be closed:

Telnet klogin Kshell Ntalk tftp

Note: Ntalk may not have

There are risk emergency measures: there is no risk. Fallback action: Disable = yes to No in config file, restart xinetd service

Whether to implement:

2.4.2 Hardening content: Turn off FTP service (optional)

Description : turning off unwanted services can improve system security

step: 1. Closed FTP Service:

Service VSFTPD Stop

2. Disable boot start:

Chkconfig vsftpd off

Precautions : None

There are risk emergency measures: there is no risk. 1. Start FTP service: Service VSFTPD start 2. Set up boot FTP service: Chkconfig vsftpd on

Whether to implement:

2.4.3 Reinforcement content: Turn off SendMail service (optional)

Description : shutting down the SendMail service prevents attacks on the system with this service.

steps: 1. Close the SendMail service:

Service SendMail Stop

2. Disable Boot start:

Chkconfig SendMail off

Note: The system will not receive mail after the SendMail is closed

risk response measures: no risk. Fallback operation: 1. Service SendMail Stop

2. Chkconfig SendMail off

Whether to implement:

2.4.4 Reinforcement content: Turn off POP3, IMAP services

Description : turning off unwanted services can improve system security

steps: 1. Close the Dovecot service:

#service Dovecot Stop

2. Disable Boot start:

#chkconfig Dovecot off

Note: Linux POP3 and IMAP are managed by Dovecot, but the system is not installed by default Dovecot

There are risk contingency measures: The service cannot be closed on the mail server. Fallback method:

1. Start Dovecot Service: #service dovecot start

2. Set Boot Dovecot service: #chkconfig dovecot on

Whether to implement:

2.4.5 Reinforcement content: Turn off the graphical window service

Description If you do not need to be able to shut down to prevent potential attack behavior

steps: 1. Turn off Graphics:

#init 3

2. Set the boot not to start graphical

#vi/etc/inittab

Modify Boot RunLevel to 3

Id:3:initdefault

Note: the power on after reboot will not start the graphical

There are risk emergency measures: there is no risk. Fallback method: #init 5

Whether to implement:

2.4.6 Reinforcement content: Turn off normal service

Description : turning off unwanted services can improve the security of the system or optimize the system.

steps: 1. Use service < service name > stop services

2. Use the command "Chkconfig--level <init level > < service name > off" Setting up the service does not boot at each init level

3. You can use Chkconfig–list to view service boot status

4. The service needs to be closed:

NFS, Nfslock, AutoFS, Ypbind
Ypserv, Yppasswdd, Portmap
SMB, Netfs, LPD, Apache
httpd, Tux, SNMPD, named
PostgreSQL, Mysqld, Webmin,
Kudzu, squid, cups, ip6tables
Iptables, PCMCIA, Bluetooth
Nsresponder, APMD, Avahi-daemon
Canna, Cups-config-daemon
Freewnn, GPM, Hidd, etc.

Considerations : NFS, httpd, iptables may be used. Some services are not installed by default

there is a risk of emergency treatment measures: none. Fallback method:

Start Services: Service name start

Set up Boot service: Chkconfig service name on

Whether to implement:

2.5 Safety Protection

2.5.1 Reinforcement Content: Set umask value

Description Set Umask value to define access rights for new files

Step: Add line in/etc/profile: umask=022

Precautions : None

risk response measures: when modified, the new file permission defaults to 644. Fallback method: Change/etc/profile file to pre-hardening state

Whether to implement:

2.5.2 Reinforcement Content: Security for sensitive files

Description : prevents attackers from attacking critical files

Steps: Modify permissions for the following files:

#chmod 644/etc/passwd

#chmod 644/etc/group

#chmod 400/etc/shadow

Precautions:

there is a risk of emergency treatment measures: none. Modify the permissions of the file to the pre-hardening permissions.

Whether to implement:

Linux Hardening Targets and objects