Linux Security Reinforcement

Source: Internet
Author: User
Tags auth ftp reserved syslog system log ssh account security file permissions

I. Account security

1.1 Lock the redundant self-built account in the system

Check method:

Execute command

#cat/etc/passwd

#cat/etc/shadow

Check the account, password file, and the system administrator to confirm the unnecessary account. For some reserved system pseudo accounts such as: Bin, sys,adm,uucp,lp, nuucp,hpdb, www, daemon, etc. can be locked to login as needed.

Backup method:

#cp-P/etc/passwd/etc/passwd_bak

#cp-P/etc/shadow/etc/shadow_bak

Reinforcement method:

Use command Passwd-l < username > lock unnecessary accounts.

Use command Passwd-u < username > Unlock account that needs to be restored.

1.2 Setting the System password policy

Check method:

Using commands

#cat/etc/login.defs|grep Pass to view password policy settings

Backup method:

Cp-p/etc/login.defs/etc/login.defs_bak

Reinforcement method:

#vi/etc/login.defs Modify configuration file

Pass_max_days #新建用户的密码最长使用天数

Pass_min_days 0 #新建用户的密码最短使用天数

Pass_warn_age 7 #新建用户的密码到期提前提醒天数

Pass_min_len 9 #最小密码长度9

1.3 Disabling Superuser Beyond root

Check method:

#cat/etc/passwd View password file, password file format is as follows:

Login_name:password:user_ID:group_ID:comment:home_dir:command

Login_name: User Name

Password: Encrypted user password

USER_ID: User ID, (1 ~ 6000) If the user id=0, the user has Superuser's privileges. See if there are multiple id=0 here.

GROUP_ID: User Group ID

Comment: Full name of the user or other annotation information

Home_dir: User root directory

Command: Execute command after user logs in

Backup method:

#cp-P/etc/passwd/etc/passwd_bak

Reinforcement method:

Use command Passwd-l < username > lock unnecessary super account.

Use command Passwd-u < username > Unlock the super account that needs to be restored.

Risk: The use of this superuser needs to be confirmed with the administrator.

1.4 Limits the ability to Su-root users

Check method:

#cat/etc/pam.d/su to see if there are any configuration entries such as Auth required/lib/security/pam_wheel.so

Backup method: #cp-P/etc/pam.d/etc/pam.d_bak

Reinforcement method:

#vi/etc/pam.d/su

Add in head:

Auth required/lib/security/pam_wheel.so Group=wheel

This way, only users of the wheel group can su to root

#usermod-g10 test to add the test user to the wheel group

When the system verifies the problem, first should check the output information in the/var/log/messages or/var/log/secure, according to the information to judge the validity of the user account

Of If it is due to a PAM validation failure and the root is not logged in, it can only be done using single user or rescue mode.

1.5 Check Shadow Hollow password account

Check method:

#awk-F: ' (= = "") {print} '/etc/shadow

Backup method: Cp-p/etc/shadow/etc/shadow_bak

Reinforcement method: The blank password account is locked, or require additional password

  Second, the minimization of services

2.1 Stop or disable services unrelated to the hosting business

Check method:

To view the current init level #who –r or RunLevel

#chkconfig--list View the status of all services

Backup method: Log The name of the service you want to turn off

Reinforcement method:

#chkconfig--level < service name > On|off|reset set Service to boot at init level

  Third, data access control

3.1 Set Reasonable initial file permissions

Check method:

#cat/etc/profile to view umask values

Backup method:

#cp-P/etc/profile/etc/profile_bak

Reinforcement method:

#vi/etc/profile

umask=027

Risk: The default permissions for the new file are modified, and this is carefully modified if the server is a Web application.

  Four, network access control

4.1 Using SSH for Administration

Check method:

#ps –AEF | grep sshd to see if there is no such service

Backup method:

Reinforcement method:

Open SSH service with command

#service sshd Start

Risk: Changing administrator usage habits

4.2 Setting access control policies to restrict the ability to manage IP addresses on this computer

Check method:

#cat/etc/ssh/sshd_config to view statements with or without allowusers

Backup method:

#cp-P/etc/ssh/sshd_config/etc/ssh/sshd_config_bak

Reinforcement method:

#vi/etc/ssh/sshd_config, add the following statement

Allowusers *@10.138.*.* This sentence means: Only allow all users of the 10.138.0.0/16 network segment to access through SSH

Reboot SSH service after saving

#service sshd Restart

Risk: Need and administrator to identify IP segments that can be managed

4.3 Prohibit remote login of root user

Check method:

#cat/etc/ssh/sshd_config to see if Permitrootlogin is no

Backup method:

#cp-P/etc/ssh/sshd_config/etc/ssh/sshd_config_bak

Reinforcement method:

#vi/etc/ssh/sshd_config

Permitrootlogin No

Reboot SSH service after saving

Service sshd Restart

4.4 Qualifying Trusted Hosts

Check method:

#cat/ETC/HOSTS.EQUIV View the hosts

#cat/$HOME/.rhosts View the hosts

Backup method:

#cp-P/etc/hosts.equiv/etc/hosts.equiv_bak

#cp-P/$HOME/.rhosts/$HOME/.rhosts_bak

Reinforcement method:

#vi/etc/hosts.equiv Remove unnecessary hosts

#vi/$HOME/.rhosts Remove unnecessary hosts

Risk: In a multiple-computer environment, the IP trust of other hosts needs to be preserved.

4.5 Screen Login Banner information

Check method:

#cat/etc/ssh/sshd_config to see if banner fields exist in the file, or banner field none

#cat/ETC/MOTD View the contents of the file, which will be displayed as banner information to the logged-in user.

Backup method:

#cp-P/etc/ssh/sshd_config/etc/ssh/sshd_config_bak

#cp-P/etc/motd/etc/motd_bak

Reinforcement method:

#vi/etc/ssh/sshd_config

Banner NONE

#vi/ETC/MOTD

Delete all content or update to what you want to add

Risk: No visible risk

4.6 Prevent misuse of Ctrl+alt+del reboot system

Check method:

#cat/etc/inittab|grep Ctrlaltdel See if the input line is commented

Backup method:

#cp-P/etc/inittab/etc/inittab_bak

Reinforcement method:

#vi/etc/inittab

Add an annotation symbol "#" at the beginning of a line

#ca:: Ctrlaltdel:/sbin/shutdown-t3-r now

  V. User identification

5.1 Set account lockout logon failed lock count, lockout time

Check method:

#cat/etc/pam.d/system-auth to view settings for Auth required pam_tally.so entries

Backup method:

#cp-P/etc/pam.d/system-auth/etc/pam.d/system-auth_bak

Reinforcement method:

#vi/etc/pam.d/system-auth

Auth Required pam_tally.so onerr=fail deny=6 unlock_time=300 set to password continuous error 6 lock, lockout time 300 seconds

Unlock user faillog-u < user name >-r

Risk: Need PAM package support, the modification of Pam file should be carefully checked, once the error will result in no landing;

When the system verifies the problem, first should check the output information in/var/log/messages or/var/log/secure, according to the information to judge the validity of the user account.

5.2 Modify the Account Tmout value, set the automatic logoff time

Check method:

#cat/etc/profile to view settings with no Tmout

Backup method:

#cp-P/etc/profile/etc/profile_bak

Reinforcement method:

#vi/etc/profile

Increase

tmout=600 no operation 600 seconds after automatic exit

Risk: No visible risk

5.3 Grub/lilo Password

Check method:

#cat/etc/grub.conf|grep Password to see if grub sets a password

#cat/etc/lilo.conf|grep Password See if Lilo sets a password

Backup method:

#cp-P/etc/grub.conf/etc/grub.conf_bak

#cp-P/etc/lilo.conf/etc/lilo.conf_bak

Strengthening method: Setting a password for grub or Lilo

Risk: etc/grub.conf is usually linked to/boot/grub/grub.conf

5.4 Restrict FTP logins

Check method:

#cat/etc/ftpusers confirm that the user name is included and that the user name is not allowed to log on to the FTP service

Backup method:

#cp-P/etc/ftpusers/etc/ftpusers_bak

Reinforcement method:

#vi/etc/ftpusers Add rows, each row contains a username, the added user will be prevented from logging on to the FTP service

Risk: No visible risk

5.5 Set the number of bash retention history commands

Check method:

#cat/etc/profile|grep histsize=

#cat/etc/profile|grep histfilesize= View the number of bars for a reserved history command

Backup method:

#cp-P/etc/profile/etc/profile_bak

Reinforcement method:

#vi/etc/profile

Modify histsize=5 and histfilesize=5 to keep the most recently executed 5 commands

  Vi. Audit Strategies

6.1 Configuring the System log policy configuration file

Check method:

#ps –AEF | grep Syslog confirms that the syslog is enabled

#cat/etc/syslog.conf View the configuration of the syslogd and confirm that the log file exists

System log (default)/var/log/messages

Cron log (default)/var/log/cron

Security log (default)/var/log/secure

Backup method:

#cp-P/etc/syslog.conf

6.2 Allocate reasonable storage space and storage time for the data generated by audit

Check method:

#cat/etc/logrotate.conf to view the system polling configuration, with or without

# Rotate log Files Weekly

Weekly

# Keep 4 weeks worth of backlogs

Configuration of Rotate 4

Backup method:

#cp-P/etc/logrotate.conf/etc/logrotate.conf_bak

Reinforcement method:

#vi/etc/logrotate.d/syslog

Increase

Rotate 4th log File save number is 4, when the 5th generation, delete the oldest logs

Size 100k per Log

The reinforcement should resemble the following:

/var/log/syslog/*_log {

Missingok

Notifempty

Size 100k # Log files would be rotated when they grow bigger that 100k.

Rotate 5 # would keep the logs for 5 weeks.

Compress # log files would be compressed.

Sharedscripts

Postrotate

/etc/init.d/syslog condrestart >/dev/null 2>1 | | True

Endscript

}

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.