Article Title: Linux Server Basic Security Configuration Manual
If you want to build a Linux server and maintain it over the long term, you need to consider many factors, including security, performance and speed. A correct basic Linux security configuration is therefore especially important. In this article I introduce a basic security configuration manual for Linux servers running Red Hat/CentOS 4 and 5.
Installation notes
1. Delete unneeded special system user accounts
Disable all accounts the operating system creates by default that you do not need. Do this check when you first install the system. Linux ships with a variety of accounts; if you do not need one, remove it. The more accounts you have, the more exposed you are to attack.
# To delete a user from your system, run the following command:
[root@c1gstudio]# userdel username
# Batch deletion
# Delete the "adm lp sync shutdown halt mail news uucp operator games gopher ftp" accounts
# If you run an ftp or other service, keep the corresponding account (for example ftp).
for i in adm lp sync shutdown halt mail news uucp operator games gopher ftp; do userdel $i; done
2. Delete special system group accounts
[root@c1gstudio]# groupdel groupname
# Batch deletion
for i in adm lp mail news uucp games dip pppusers popusers slipusers; do groupdel $i; done
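The batch loops above remove every account in the list unconditionally. The following helper is an added example (not from the original article) that rehearses the same cleanup more cautiously: it reads a passwd file passed as an argument (so it can be tried on a copy first), lists only the candidate accounts that actually exist, honours a keep-list for accounts that back services you run (the ftp case mentioned above), and refuses to plan removal of an account that still owns a running process. It prints the userdel commands instead of running them; the account names are the article's list, and the sample passwd entries at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: a dry-run version of the
# batch "userdel" loop. Nothing here modifies the system; it only prints the
# commands it would run so they can be reviewed first.

# The article's list of accounts that are usually unneeded on a server.
CANDIDATES="adm lp sync shutdown halt mail news uucp operator games gopher ftp"

# present_accounts PASSWD_FILE
# Print the candidate accounts that have an entry in PASSWD_FILE.
present_accounts() {
    for u in $CANDIDATES; do
        if cut -d: -f1 "$1" | grep -qx -- "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# has_processes USER
# Succeed if USER currently owns a running process. ps is used so this works
# without pgrep; a missing ps is treated as "no processes".
has_processes() {
    ps -eo user= 2>/dev/null | grep -qx -- "$1"
}

# plan_userdel PASSWD_FILE [KEEP_USER ...]
# Print a "userdel" line for every existing candidate account that is neither
# in the keep list nor still running processes; explain every skip.
plan_userdel() {
    passwd_file=$1
    shift
    keep=" $* "
    for u in $(present_accounts "$passwd_file"); do
        case "$keep" in
            *" $u "*) printf '# keeping %s (in keep list)\n' "$u"; continue ;;
        esac
        if has_processes "$u"; then
            printf '# skipping %s (still owns running processes)\n' "$u"
            continue
        fi
        printf 'userdel %s\n' "$u"
    done
}

# Rehearsal on a constructed passwd snippet (not a real system file).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
www:x:48:48:Apache:/var/www:/sbin/nologin
EOF
plan_userdel "$SAMPLE" ftp
rm -f "$SAMPLE"
```

On a real system run it as "plan_userdel /etc/passwd ftp", read the output, and only then pipe it to sh as root; the group loop in section 2 can be rehearsed the same way against /etc/group.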
3. User password settings
By default, the minimum password length on a fresh Linux installation is 5 bytes, which is not enough; set it to 8 bytes. To change the minimum password length, edit the login.defs file:
# vi /etc/login.defs
PASS_MAX_DAYS 99999 # maximum password validity period in days (default)
PASS_MIN_DAYS 0 # minimum number of days between password changes
PASS_MIN_LEN 5 # minimum password length: change 5 to 8
PASS_WARN_AGE 7 # how many days in advance to warn that a password is about to expire
Then change the root password.
# passwd root
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
4. Set the automatic logout timeout
The root account has the highest privilege on Linux. If the system administrator forgets to log out of the root account before leaving the terminal, this is a major security risk, so the system should log the session out automatically. You can do this by setting the "TMOUT" shell variable. TMOUT is measured in seconds. Edit the profile file (vi /etc/profile) and add the following line after the "HISTSIZE=" line:
TMOUT=300
300 means 300 seconds, that is, 5 minutes. If a logged-in user takes no action within five minutes, the system automatically logs the session out.
5. Limit the shell command history size
By default, bash stores up to 500 command records in the file $HOME/.bash_history (the default number varies between systems). Every user's home directory has such a file. I strongly recommend limiting its size.
Edit the /etc/profile file and set the option as follows:
HISTFILESIZE=30 or HISTSIZE=30
# vi /etc/profile
HISTSIZE=30
6. Delete command history on logout
Edit the /etc/skel/.bash_logout file and add the following line:
rm -f $HOME/.bash_history
This way every user on the system deletes their command history when logging out (note that /etc/skel is only copied into the home directories of users created afterwards; existing users need the line in their own .bash_logout).
If you only want this for a specific user, such as root, add the same line to the .bash_logout file in that user's home directory instead.
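Sections 3 to 6 all come down to reading and rewriting "KEY value" settings in /etc/login.defs and "KEY=value" settings in /etc/profile. The script below is an added example (not from the original article) with small helpers that do exactly that, plus an audit that checks a pair of files against the article's targets (PASS_MIN_LEN at least 8, TMOUT of 300 seconds, HISTSIZE of 30). Every function takes the file to work on as an argument, so the rehearsal at the bottom runs on constructed copies rather than on the live /etc files. One addition of mine: the profile also gets "export TMOUT" and "readonly TMOUT", so that the timeout reaches child shells and an ordinary user cannot simply unset it.

```shell
#!/bin/sh
# Added example, not from the original article: read, set and audit the
# login.defs / profile settings from sections 3 to 6. All functions take the
# file to operate on as an argument; nothing touches /etc unless you pass it.

# get_def FILE KEY
# Print the value of "KEY value" (login.defs style) or "KEY=value" (profile
# style), ignoring comment lines and trailing comments; last definition wins.
get_def() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)
            if (match(line, "^[[:space:]]*" key "[[:space:]=]+")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            }
        }
        END { if (val != "") print val }' "$1"
}

# set_def FILE KEY VALUE [SEP]
# Replace an existing (possibly commented-out) KEY line with "KEY<SEP>VALUE",
# or append one if none exists. SEP defaults to a space; pass "=" for profile.
set_def() {
    file=$1 key=$2 value=$3 sep=${4:- }
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        BEGIN { done = 0 }
        match($0, "^[[:space:]]*#?[[:space:]]*" key "[[:space:]=]") {
            if (!done) { print key sep value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key sep value }' "$file" >"$tmp" && cat "$tmp" >"$file"
    rm -f "$tmp"
}

# audit_policy LOGIN_DEFS PROFILE
# Print one line per check and return non-zero if any check fails.
audit_policy() {
    rc=0
    minlen=$(get_def "$1" PASS_MIN_LEN)
    if [ "${minlen:-0}" -ge 8 ]; then echo "ok   PASS_MIN_LEN=$minlen"
    else echo "FAIL PASS_MIN_LEN=${minlen:-unset} (want >= 8)"; rc=1; fi
    tmout=$(get_def "$2" TMOUT)
    # TMOUT=0 disables the timeout, so require a positive value of at most 300.
    if [ -n "$tmout" ] && [ "$tmout" -gt 0 ] && [ "$tmout" -le 300 ]; then echo "ok   TMOUT=$tmout"
    else echo "FAIL TMOUT=${tmout:-unset} (want 1..300)"; rc=1; fi
    hist=$(get_def "$2" HISTSIZE)
    if [ -n "$hist" ] && [ "$hist" -le 30 ]; then echo "ok   HISTSIZE=$hist"
    else echo "FAIL HISTSIZE=${hist:-unset} (want <= 30)"; rc=1; fi
    return $rc
}

# harden_policy LOGIN_DEFS PROFILE
# Apply the article's values. Exporting TMOUT and making it read-only is an
# addition of this example, not something the article states.
harden_policy() {
    set_def "$1" PASS_MIN_LEN 8
    set_def "$1" PASS_WARN_AGE 7
    set_def "$2" TMOUT 300 =
    set_def "$2" HISTSIZE 30 =
    grep -qx 'export TMOUT' "$2" || echo 'export TMOUT' >>"$2"
    grep -qx 'readonly TMOUT' "$2" || echo 'readonly TMOUT' >>"$2"
}

# Rehearsal on constructed copies (not the live files).
DEFS=$(mktemp); PROF=$(mktemp)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' >"$DEFS"
printf 'HISTSIZE=1000\n' >"$PROF"
audit_policy "$DEFS" "$PROF" || echo "-- before: policy too weak, hardening"
harden_policy "$DEFS" "$PROF"
audit_policy "$DEFS" "$PROF" && echo "-- after: policy meets the article's targets"
rm -f "$DEFS" "$PROF"
```

Two caveats when applying this for real: PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE only take effect for accounts created after the change (use chage for existing ones), and on PAM-based systems such as Red Hat/CentOS the passwd command enforces length through pam_cracklib in /etc/pam.d/system-auth, so check that module's minlen option as well as PASS_MIN_LEN.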
7. Add the required user groups and user accounts
[root@c1gstudio]# groupadd groupname
For example, to add a "website" group: groupadd website
Then run the vigr command to check the added group.
Use the following command to add the required user account:
[root@c1gstudio]# useradd -g website username # adds the user to the website group (as the ordinary administrator of the web server, rather than the root administrator)
Then run the vipw command to check the added user.
Use the following command to set the user's password (enter a password of at least eight letters and digits, and record it in the dedicated documentation kept on the local machine so it is not forgotten):
[root@c1gstudio]# passwd username
8. Prevent anyone from using su to become root
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following lines:
# vi /etc/pam.d/su
auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=website
This means that only users in the website group can use su to become root.
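After making that change it is worth knowing exactly who can still become root. The script below is an added example (not from the original article) that reads the su PAM file to find the group pam_wheel restricts su to (pam_wheel's default is "wheel" when no group= option is given), then lists that group's members from the group file and, because section 7 adds users with "useradd -g website", also from the primary-gid field of the passwd file. All three files are passed as arguments; the rehearsal at the bottom uses constructed copies with made-up account names.

```shell
#!/bin/sh
# Added example, not from the original article: report which accounts can
# "su" to root under the pam_wheel restriction from section 8.

# su_group PAM_SU_FILE
# Print the group pam_wheel restricts su to ("wheel" if no group= option),
# or nothing when pam_wheel is not required in the file.
su_group() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $2 ~ /^(required|requisite)$/ && $3 ~ /pam_wheel\.so/ {
            g = "wheel"
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
            print g; exit
        }' "$1"
}

# group_members GROUP_FILE PASSWD_FILE GROUP
# Print GROUP's members, sorted: names listed in the group file plus every
# account whose primary gid (4th passwd field, as set by "useradd -g") is
# GROUP's gid.
group_members() {
    awk -F: -v g="$3" '
        FNR == NR {                       # first file: group file
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }' "$1" "$2" | sort
}

# who_can_su PAM_SU_FILE GROUP_FILE PASSWD_FILE
# Report the accounts allowed to su to root; return 1 if su is unrestricted.
who_can_su() {
    g=$(su_group "$1")
    if [ -z "$g" ]; then
        echo "WARN pam_wheel not required in $1: anyone who knows the root password can su"
        return 1
    fi
    echo "su to root limited to group '$g': $(group_members "$2" "$3" "$g" | tr '\n' ' ')"
}

# Rehearsal on constructed copies of /etc/pam.d/su, /etc/group and /etc/passwd.
PAMF=$(mktemp); GRPF=$(mktemp); PWF=$(mktemp)
cat >"$PAMF" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=website
EOF
cat >"$GRPF" <<'EOF'
root:x:0:root
wheel:x:10:root
website:x:500:webadmin
EOF
cat >"$PWF" <<'EOF'
root:x:0:0:root:/root:/bin/bash
deploy:x:501:500:added with useradd -g website:/home/deploy:/bin/bash
EOF
who_can_su "$PAMF" "$GRPF" "$PWF"
rm -f "$PAMF" "$GRPF" "$PWF"
```

On a live system call it as "who_can_su /etc/pam.d/su /etc/group /etc/passwd"; if the reported list contains accounts that should not be able to reach root, fix the group membership rather than the PAM line.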
9. Disable root login over ssh
Modify the ssh service configuration so that sshd does not allow the root user to log in directly. This reduces the exposure to malicious login attempts against the root account.
# vi /etc/ssh/sshd_config
#PermitRootLogin yes
Remove the # at the start of this line and change it to:
PermitRootLogin no
10. Change the sshd listening port
sshd listens on port 22 by default. You can change it to port 6022 to avoid routine scans of the default port.
Note: getting the port change wrong can leave you unable to connect to the server next time. Open ports 22 and 6022 at the same time first (two Port lines in sshd_config), and only disable port 22 once the new port is confirmed working.
Restarting sshd does not drop your current connection, so open a second client to test the new port before closing the first one.
# vi /etc/ssh/sshd_config
# Make the following changes
#Port 22 # comment out port 22
Port 6022 # add port 6022
# Restart the sshd service
service sshd restart
Check that sshd is listening on the right port:
netstat -lnp | grep ssh
# Open port 6022 for sshd in iptables
vi /etc/sysconfig/iptables
# Add a rule in the Red Hat default chain
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6022 -j ACCEPT
# Or
iptables -A INPUT -p tcp --dport 6022 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6022 -j ACCEPT
Restart the iptables service (if you added the rules with the iptables command rather than by editing the file, run "service iptables save" first, otherwise the restart discards them):
service iptables restart
# Test that both ports can be connected to. Once the new port is confirmed working, remove port 22.
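The two sshd_config edits in sections 9 and 10 are easy to get subtly wrong: sshd uses the first uncommented occurrence of a keyword, so a leftover "PermitRootLogin yes" higher in the file silently wins, and a typo in the file can stop sshd from restarting at all. The script below is an added example (not from the original article) that reads the values sshd will actually use from a config file passed as an argument, lists every active Port line so the "22 and 6022 at the same time" transition can be verified, and wraps sshd's own syntax check ("sshd -t -f FILE", an option of the real sshd binary) so the restart only happens when the file is valid. The sample config at the bottom is constructed; the port number 6022 is the article's.

```shell
#!/bin/sh
# Added example, not from the original article: audit sshd_config for the
# settings from sections 9 and 10 and gate the restart on sshd's own check.

# sshd_setting FILE KEY [DEFAULT]
# Print the first active value of KEY (keywords are case-insensitive, and
# sshd honours the first match), or DEFAULT when the file does not set it.
sshd_setting() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_ports FILE
# Print every active Port value, one per line (sshd listens on all of them,
# which is how both 22 and 6022 can be open during the transition).
sshd_ports() {
    awk '/^[[:space:]]*#/ { next } tolower($1) == "port" { print $2 }' "$1"
}

# check_sshd_config FILE
# Apply the article's checks; print a report and return 1 on any failure.
# The OpenSSH default for PermitRootLogin is "yes", so an absent line fails.
check_sshd_config() {
    rc=0
    prl=$(sshd_setting "$1" PermitRootLogin yes)
    if [ "$prl" = "no" ]; then echo "ok   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '$prl' (want no)"; rc=1; fi
    ports=$(sshd_ports "$1")
    if [ -z "$ports" ]; then echo "INFO no Port line: sshd uses the default 22"
    else echo "INFO listening ports: $(printf '%s' "$ports" | tr '\n' ' ')"; fi
    if printf '%s\n' "$ports" | grep -qx 22; then
        echo "WARN port 22 still enabled (fine during the transition, remove it afterwards)"
    fi
    return $rc
}

# preflight_restart FILE
# Run sshd's syntax check on FILE and say whether a restart is safe. This
# needs root to read the host keys; it does not restart anything itself.
preflight_restart() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd not installed here; skipping syntax check"; return 0
    fi
    if sshd -t -f "$1"; then
        echo "config OK; safe to run: service sshd restart"
    else
        echo "sshd -t reported a problem (see above); fix it before restarting sshd"; return 1
    fi
}

# Rehearsal on a constructed sshd_config (not the live file).
CFG=$(mktemp)
cat >"$CFG" <<'EOF'
# constructed sample: transition step with both ports open
Port 22
Port 6022
#PermitRootLogin yes
PermitRootLogin no
X11Forwarding yes
EOF
check_sshd_config "$CFG" || echo "-- fix the FAIL lines before restarting"
preflight_restart "$CFG" || echo "-- not restarting"
rm -f "$CFG"
```

Run "check_sshd_config /etc/ssh/sshd_config" after each edit; the WARN about port 22 is expected while both ports are open and should disappear once you comment the old Port line out. Pair it with the iptables change above: the new port must be allowed in the firewall before the old one is removed, or the second test connection in the article's procedure will fail.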
For details, refer to:
How to modify SSH port 22 by default in Linux