Production Environment Linux Server system security Configuration

Source: Internet
Author: User
Tags: account security

Chapter I. Account security and permissions

First, disable superusers other than root

1. detection method:

cat /etc/passwd to view the password file; the file format is as follows:

login_name:password:user_ID:group_ID:comment:home_dir:command

If user_ID is 0, the user has superuser privileges. Check whether more than one account has user_ID 0.

2. detection command:

cat /etc/passwd | awk -F ':' '{print $1,$3}' | grep ' 0$'

3. Backup method:

cp -p /etc/passwd /etc/passwd_bak

4. Reinforcement Method :

Use the command passwd -l <username> to lock unnecessary superuser accounts.

Use the command passwd -u <username> to unlock a superuser account that you need to restore.

Alternatively, change the user's shell to /sbin/nologin.

Second, Delete unnecessary accounts

1. You should remove all default accounts created by the operating system that are not needed. Linux provides many default accounts, and the more accounts a system has, the more exposed it is to attack.

2. Users that can be deleted, for example:

adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.

3. Groups that can be deleted, for example:

adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.

4. Delete commands:

userdel username

groupdel groupname

third, User Password Settings

The user password is a basic starting point of Linux/Unix security. Many users choose passwords that are far too simple, which is tantamount to opening the door to an intruder. In theory, given enough time and resources, any user password can be cracked, but a well-chosen password is difficult to crack. A good user password is a string that is easy for its owner to remember but hard for others to guess. It is best not to write the password down at all; if a record must be kept, keep it in an encrypted file.

Production environment password requirements: the password must contain at least three of the four character classes (uppercase letters, lowercase letters, digits and special characters), the total length must be greater than 10 characters, and each server must use a different password.
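
The following is an added example, not code from the original post. It checks a candidate password against the policy just stated (length greater than 10, at least three of the four character classes). The passwords used in the usage line are constructed test values; the per-server uniqueness rule is not covered here because it needs an inventory to compare against.

```shell
#!/bin/sh
# Added example (not from the original post): check a password against the
# policy "at least three of four character classes and more than 10 characters".
# LC_ALL=C keeps the bracket ranges byte-based so [A-Z] never matches lowercase
# letters, which it can do in some locales.

# Echo how many of the four classes (upper, lower, digit, special) appear in $1.
count_classes() {
    n=0
    printf '%s' "$1" | LC_ALL=C grep -q '[A-Z]' && n=$((n + 1))
    printf '%s' "$1" | LC_ALL=C grep -q '[a-z]' && n=$((n + 1))
    printf '%s' "$1" | LC_ALL=C grep -q '[0-9]' && n=$((n + 1))
    printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9]' && n=$((n + 1))
    echo "$n"
}

# Return 0 (true) when $1 satisfies the policy, 1 otherwise.
password_meets_policy() {
    pw=$1
    # ${#pw} is the character length; the policy requires strictly more than 10.
    [ "${#pw}" -gt 10 ] || return 1
    [ "$(count_classes "$pw")" -ge 3 ]
}

# Usage with constructed sample values (never pass real passwords on a
# command line; read them from a prompt instead).
for candidate in 'Tr0ub4dor&3x' 'password123' 'Ab1!'; do
    if password_meets_policy "$candidate"; then
        echo "ACCEPT  length=${#candidate} classes=$(count_classes "$candidate")"
    else
        echo "REJECT  length=${#candidate} classes=$(count_classes "$candidate")"
    fi
done
```

The check is deliberately a whitelist of classes rather than a blacklist of bad words; a dictionary check such as the one pam_cracklib or pam_pwquality performs would be a separate layer on top of this.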

Four, Check the empty password account

If you find an account whose password is empty, force it to be given a password that matches the specification.

Check method:

# awk -F: '($2 == "") {print $1}' /etc/shadow
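
As an added example that is not part of the original post, the script below combines the two detections from sections "First" and "Four": it lists UID-0 accounts other than root from a passwd-style file and accounts with an empty password field from a shadow-style file. The two sample files are constructed and written to temporary files; on a real host the functions would be pointed at /etc/passwd and /etc/shadow (reading /etc/shadow requires root).

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd/shadow-style files.
# All account data below is CONSTRUCTED sample data, not taken from any system.

# Write a constructed passwd-style file and echo its path.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:backup operator:/home/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    echo "$f"
}

# Write a constructed shadow-style file and echo its path.
# The hash strings are placeholders, not real password hashes.
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$examplesalt$examplehash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice:$6$examplesalt$examplehash:19000:0:99999:7:::
EOF
    echo "$f"
}

# Login names of every UID-0 account except root, one per line.
# Field 3 is the numeric UID; a numeric comparison ($3 == 0) also catches
# forms such as "00" that the text match grep ' 0$' in the post would miss.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Login names whose shadow password field (field 2) is empty.
# "*" and "!" mark locked accounts, not empty passwords, so they are not listed.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print one finding per line; return 1 when anything was found so the
# function can drive a cron job or a compliance check.
audit_accounts() {
    findings=0
    for u in $(uid0_accounts "$1"); do
        echo "UID0     $u  (lock with: passwd -l $u, or set the shell to /sbin/nologin)"
        findings=$((findings + 1))
    done
    for u in $(empty_password_accounts "$2"); do
        echo "EMPTYPW  $u  (force a compliant password with: passwd $u)"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Usage against the constructed samples.
passwd_file=$(make_sample_passwd)
shadow_file=$(make_sample_shadow)
audit_accounts "$passwd_file" "$shadow_file" || echo "findings present, review the accounts listed above"
rm -f "$passwd_file" "$shadow_file"
```

Run as root against the real files with audit_accounts /etc/passwd /etc/shadow; a non-zero exit status means at least one account needs the passwd -l or passwd treatment described above.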

Five, password file plus lock

Use the chattr command to add the immutable attribute to the following files, so that unauthorized users cannot modify them to gain access.

# chattr +i /etc/passwd

# chattr +i /etc/shadow

# chattr +i /etc/group

# chattr +i /etc/gshadow

Six, Set the automatic logout time limit for the root account

Modify the TMOUT parameter in the environment startup file /etc/profile; TMOUT is measured in seconds.

vim /etc/profile

Add the following line after "HISTFILESIZE=":

TMOUT=300

After changing this setting, the user must log out and log in again for it to take effect.

If you want a different automatic logout time for a particular user, add the value to the .bashrc file in that user's home directory, which gives that user their own automatic logout time.

Seven, Limit the su command

To prevent anyone from being able to su to root, edit the /etc/pam.d/su file and add the following line:

auth required pam_wheel.so use_uid

At this point, only users in the wheel group can su to root. Thereafter, if you want user admin to be able to su to root, run the following command (the -a flag appends wheel to the user's existing supplementary groups instead of replacing them):

# usermod -aG wheel admin

Eight, Restrict ordinary users from performing sensitive operations such as shutting down, restarting, and configuring the network

Remove the access control files for halt, reboot, poweroff, shutdown and other programs under /etc/security/console.apps to prevent ordinary users from executing these commands.

You can also delete all of the configuration files under /etc/security/console.apps at once:

rm -rf /etc/security/console.apps/*

Nine, Disable the Ctrl+Alt+Delete key combination that restarts the machine

Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now".

10. Set permissions on the boot service directory

Set permissions on all files in the /etc/rc.d/init.d/ directory (the scripts for the boot startup items) by running the following command:

# chmod -R 700 /etc/rc.d/init.d/

This allows only root to read, write, or execute the script files above.

11. Avoid displaying system and version information at login

Delete the information files:

rm -rf /etc/issue

rm -rf /etc/issue.net

Chapter II. Restricting network access

First, NFS access

When using the NFS network file system service, make sure that /etc/exports has the most restrictive access settings possible: do not use any wildcard characters, do not allow root write permission, and export only as a read-only file system. Edit the file /etc/exports and add the following two lines (note that there must be no space between the host name and the opening parenthesis).

/dir/to/export host1.mydomain.com(ro,root_squash)

/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine allowed to mount this directory, ro means it is mounted as a read-only file system, and root_squash prevents root from writing to the directory. For the change to take effect, run the following command.

# /usr/sbin/exportfs -a
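
As an added example that is not part of the original post, the script below audits an exports-style file for the settings the section above warns against: wildcard clients, rw exports, and no_root_squash. It also catches the classic "host (ro)" mistake, where a space before the parenthesis makes the options apply to every client rather than to the named host. The exports content is constructed; run risky_exports /etc/exports to check a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an /etc/exports-style
# file for risky NFS export settings. The sample file is CONSTRUCTED.

# Write a constructed exports file and echo its path.
make_sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real configuration
/srv/safe host1.example.com(ro,root_squash)
/srv/open *(rw,no_root_squash)
/srv/oops host2.example.com (ro)
/srv/pub 192.168.1.0/24(ro,sync)
EOF
    echo "$f"
}

# Print one finding per line for each export entry in file $1.
# Each field after the path is "client(opt,opt)"; a field that begins with
# "(" has no client and therefore applies to every host.
risky_exports() {
    awk '
    /^[ \t]*#/ || NF < 2 { next }
    {
        for (i = 2; i <= NF; i++) {
            f = $i
            host = f
            opts = ""
            p = index(f, "(")
            if (p > 0) {
                host = substr(f, 1, p - 1)
                opts = substr(f, p + 1, length(f) - p - 1)
            }
            if (host == "")
                print $1 ": options " f " have no host and apply to every client"
            else if (host ~ /[*?]/)
                print $1 ": wildcard client " host
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw")
                    print $1 ": " host " has write access (rw)"
                if (o[j] == "no_root_squash")
                    print $1 ": " host " keeps root privileges (no_root_squash)"
            }
        }
    }' "$1"
}

# Number of findings, for use in a pass/fail check.
risky_export_count() {
    risky_exports "$1" | wc -l | tr -d ' '
}

# Usage against the constructed sample.
exports_file=$(make_sample_exports)
risky_exports "$exports_file"
echo "findings: $(risky_export_count "$exports_file")"
rm -f "$exports_file"
```

The /srv/safe line produces no finding, which is the shape every entry should have: a fully qualified client name, ro, and root_squash.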

Second, Login Terminal Settings

The /etc/securetty file specifies the TTY devices on which root is allowed to log in. It is read by the /bin/login program, and its format is a list of permitted device names. Edit /etc/securetty and comment out the following lines.

#tty2

#tty3

#tty4

#tty5

#tty6

At this point, root can only log in at the tty1 terminal.

Chapter III. Preventing attacks

First, Prevent IP spoofing

Edit the /etc/host.conf file and add the following lines to guard against IP spoofing attacks.

order bind,hosts

multi off

nospoof on

Second, Prevent DoS attacks

Setting resource limits for all users of the system, such as the maximum number of processes and the maximum memory usage, can help prevent DoS-type attacks. For example, add the following lines to /etc/security/limits.conf:

* hard core 0

* hard rss 5000

* hard nproc 20

Then edit the /etc/pam.d/login file and check that the following line exists.

session required /lib/security/pam_limits.so

The above settings disable core dump files, restrict the number of processes to 50, and limit memory usage to 5MB.


This article is from the "operations and Maintenance Technology accumulation" blog, please be sure to keep this source http://pkersun.blog.51cto.com/4481043/1581794
