Linux Operating system hardening

Source: Internet
Author: User
Tags: syslog, system log

1. Accounts and passwords

1.1 Disabling or deleting unused accounts

Remove useless system accounts to reduce the security risk.

Operation Steps

    • Use the userdel <username> command to delete unnecessary accounts.
    • Use the passwd -l <username> command to lock unnecessary accounts.
    • Use the passwd -u <username> command to unlock accounts that are needed again.
1.2 Checking special accounts

Check whether there are accounts with an empty password or with root privileges.

Operation Steps

    1. Check for empty-password and UID 0 accounts to confirm whether any unexpected accounts exist:
      • Use the awk -F: '($2=="")' /etc/shadow command to list accounts with an empty password.
      • Use the awk -F: '($3==0)' /etc/passwd command to list accounts whose UID is zero.
    2. Harden the empty-password accounts:
      • Use the passwd <username> command to set a password for each empty-password account.
      • Confirm that root is the only account with UID zero.
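The two checks in step 1 combined into one audit script, as an added example that is not part of the original guide; it runs on constructed sample copies of /etc/passwd and /etc/shadow rather than on the live files, so SAMPLE_PASSWD, SAMPLE_SHADOW and the function names are assumptions for the demonstration.

```shell
# Constructed sample copies of /etc/passwd and /etc/shadow (not real system data).
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
opuser:x:0:0:second uid-0 account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
opuser::19000:0:99999:7:::
alice:$6$constructedsalt2$constructedhash2:19000:0:99999:7:::
EOF

# Accounts whose password field in the shadow file is empty
# (the guide's awk -F: '($2=="")' check, printing only the account name).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 other than root (the guide's awk -F: '($3==0)' check,
# with the expected root entry filtered out).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Run both checks against a passwd file and a shadow file.
# Returns 0 when nothing is found, 1 when at least one finding was printed.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    findings=0
    for u in $(empty_password_accounts "$shadow_file"); do
        echo "empty password: $u"
        findings=1
    done
    for u in $(extra_uid0_accounts "$passwd_file"); do
        echo "uid 0 account other than root: $u"
        findings=1
    done
    return $findings
}

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || echo "audit found issues"
```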
1.3 Adding a password policy

Increase password complexity and related requirements to reduce the likelihood of passwords being guessed.

Operation Steps

    1. Use the vi /etc/login.defs command to modify the configuration file:
      • PASS_MAX_DAYS 90 # maximum number of days a new user's password may be used
      • PASS_MIN_DAYS 0 # minimum number of days a new user's password must be used
      • PASS_WARN_AGE 7 # number of days before expiry that a new user is warned
    2. Use the chage command to modify the settings of an existing user.
      For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> sets the maximum number of days this user's password may be used to 30, the minimum number of days to 0, the password expiry date to January 1, 2000, and warns the user seven days before it expires.
    3. Lock the account for five minutes after three consecutive incorrect password entries. Use the vi /etc/pam.d/common-auth command to modify the configuration file and add the line auth required pam_tally.so onerr=fail deny=3 unlock_time=300 .
1.4 Restricting user su

Restrict which users can su to root.

Operation Steps

Use the vi /etc/pam.d/su command to modify the configuration file and add the required line. For example, to allow only users in the test group to su to root, add auth required pam_wheel.so group=test .

1.5 Disabling direct root login

Prevent the root user from logging in directly.

Operation Steps

    1. Create an ordinary (non-root) account and set its password so that remote login remains possible after root login is disabled;
    2. Use the vi /etc/ssh/sshd_config command to modify the configuration file, change the value of PermitRootLogin to no, save the file, and then restart the service with service sshd restart .
2. Services

2.1 Turning off unnecessary services

Reduce risk by shutting down unnecessary services, including both ordinary services and xinetd services.

Operation Steps

Use the systemctl disable <service name> command to prevent a service from starting automatically at boot.

Note: On some older Linux distributions (such as CentOS 6), use the chkconfig --level <init level> <service name> off command to prevent a service from starting automatically at the specified init level.

2.2 SSH Service security

Harden the SSH service to prevent successful brute-force attacks.

Operation Steps

Use the vim /etc/ssh/sshd_config command to edit the configuration file:

    • Do not allow the root account to log in to the system directly.
      Set the value of PermitRootLogin to no.
    • Set the protocol version used by SSH.
      Set the value of Protocol to 2.
    • Change the number of allowed password errors (default 6).
      Set the value of MaxAuthTries to 3.

After the configuration file has been modified, restart the sshd service for the changes to take effect.
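An added example (not from the original guide) that checks the login.defs values from section 1.3 and the sshd_config values above against the prescribed settings; it runs on constructed sample files, so SAMPLE_LOGIN_DEFS, SAMPLE_SSHD_CONFIG and the helper names are assumptions for the demonstration.

```shell
# Constructed fragments of /etc/login.defs and /etc/ssh/sshd_config
# (sample data for this example, not taken from a real host).
SAMPLE_LOGIN_DEFS=$(mktemp)
SAMPLE_SSHD_CONFIG=$(mktemp)
cat >"$SAMPLE_LOGIN_DEFS" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
cat >"$SAMPLE_SSHD_CONFIG" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
MaxAuthTries 6
EOF
lower() { printf %s "$1" | tr 'A-Z' 'a-z'; }
# Value of the first uncommented occurrence of a keyword (case-insensitive,
# first match wins, which is how sshd resolves repeated directives); empty if unset.
get_directive() {   # file keyword
    awk -v key="$(lower "$2")" '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}
# Compare a directive with the value the guide prescribes.
# op: eq (case-insensitive string match), le / ge (numeric comparison).
check_directive() {   # file keyword op expected
    actual=$(get_directive "$1" "$2")
    ok=0
    case $3 in
        eq)    if [ "$(lower "$actual")" = "$(lower "$4")" ]; then ok=1; fi ;;
        le|ge) if [ -n "$actual" ] && [ "$actual" "-$3" "$4" ] 2>/dev/null; then ok=1; fi ;;
    esac
    if [ "$ok" = 1 ]; then echo "PASS $2=$actual"; return 0; fi
    echo "FAIL $2=${actual:-<unset>} (want $3 $4)"; return 1
}
# Section 1.3 values: max age 90 days, min age 0, warn 7 days before expiry.
audit_login_defs() {
    rc=0
    check_directive "$1" PASS_MAX_DAYS le 90 || rc=1
    check_directive "$1" PASS_MIN_DAYS eq 0  || rc=1
    check_directive "$1" PASS_WARN_AGE ge 7  || rc=1
    return $rc
}
# Section 2.2 values. "Protocol 2" is not checked: OpenSSH 7.4 and later
# only speak protocol 2 and treat the Protocol directive as deprecated.
audit_sshd_config() {
    rc=0
    check_directive "$1" PermitRootLogin eq no || rc=1
    check_directive "$1" MaxAuthTries    le 3  || rc=1
    return $rc
}
audit_login_defs "$SAMPLE_LOGIN_DEFS" || echo "login.defs needs hardening"
audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "sshd_config needs hardening"
```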

3. File system

3.1 Setting the umask value

Set the default umask value to enhance security.

Operation Steps

Use the vi /etc/profile command to modify the configuration file and add the line umask 027 . With this mask, the owner of a newly created file keeps the permissions granted at creation, users in the same group keep read and execute permissions, and other users have no permissions.

3.2 Setting the login timeout

Setting a connection timeout after login increases security.

Operation Steps

Use the vi /etc/profile command to modify the configuration file and uncomment the line beginning with TMOUT= , setting it to TMOUT=180 , that is, a timeout of three minutes.

4. Logs

4.1 syslogd log

Enable the logging feature and configure logging.

Operation Steps

The following types of logs are enabled by default on Linux systems:

    • System log (default): /var/log/messages
    • Cron log (default): /var/log/cron
    • Security log (default): /var/log/secure

Note: Some systems use syslog-ng instead; its configuration file is /etc/syslog-ng/syslog-ng.conf.

You can configure more verbose logging to suit your needs.

4.2 Logging logins and operations of all users

The following script logs every user's login and the commands they run, so that when a security incident occurs there is data to trace it.

Operation Steps

  1. Run vim /etc/profile to open the configuration file.
  2. Append the following to the configuration file:

       history
       USER=`whoami`
       # Login source: the remote address shown by who, with the parentheses stripped
       USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
       if [ "$USER_IP" = "" ]; then
           USER_IP=`hostname`
       fi
       # Shared top-level directory; world-writable (as in the original) so that
       # every user can create their own subdirectory below it
       if [ ! -d /var/log/history ]; then
           mkdir /var/log/history
           chmod 777 /var/log/history
       fi
       # Per-user directory: owner may create and enter files but not list them
       if [ ! -d /var/log/history/${LOGNAME} ]; then
           mkdir /var/log/history/${LOGNAME}
           chmod 300 /var/log/history/${LOGNAME}
       fi
       export HISTSIZE=4096
       DT=`date +"%Y%m%d_%H:%M:%S"`
       # One history file per session, named after the user, login IP and time
       export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
       chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null

  3. Run source /etc/profile to load the configuration so that it takes effect.
     Note: /var/log/history is where the logs are stored; the path can be customized.

With the above steps, a folder named after each user is created under the /var/log/history directory, and each time a user logs out, a log file named with the user name, login IP, and time is generated that contains all of that user's commands (except for the root user).

It is also recommended to use the OSS service to collect and store these logs.
