Chapter I. Account security and permissions
First, disable superuser accounts other than root
1. Detection method:
Run cat /etc/passwd to view the password file. Each line has the format
login_name:password:user_ID:group_ID:comment:home_dir:shell
Any account whose user_ID is 0 has superuser privileges, so check whether more than one entry has UID 0.
2. Detection command:
cat /etc/passwd | awk -F ':' '{print $1, $3}' | grep ' 0$'
3. Backup method:
cp -p /etc/passwd /etc/passwd_bak
4. Hardening method:
Use passwd -l <username> to lock superuser accounts that are not needed.
Use passwd -u <username> to unlock a superuser account that has to be restored.
Alternatively, change the account's login shell to /sbin/nologin (usermod -s /sbin/nologin <username>; some distributions install it as /usr/sbin/nologin).
Note that passwd -l only invalidates the password: the account can still log in with an SSH key, and its UID 0 entry still exists. An account that is not needed at all should be removed rather than merely locked.
Second, delete unnecessary accounts
1. Remove all default accounts created by the operating system that are not needed. Linux ships with many default accounts, and every extra account is one more way into the system.
2. Users that can usually be deleted, for example:
adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
3. Groups that can usually be deleted, for example:
adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.
4. Delete commands:
userdel username
groupdel groupname
Before deleting, check that no installed package still depends on the account (the printing system, for example, uses lp), and back up /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow. userdel does not remove files the account owns outside its home directory, so review those separately.
Third, user password settings
The user password is the basic starting point of Linux/Unix security. Many users choose passwords that are far too simple, which is the same as leaving the door open to an intruder. In theory any password can be cracked given enough time and resources, but a well-chosen password is hard to crack in practice. A good password is one the user can remember without writing it down; if a record has to be kept, keep it encrypted.
Production environment password requirements: the password must contain characters from at least three of the four classes (uppercase letters, lowercase letters, digits, special characters), must be longer than 10 characters, and must be different on every server.
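As an added example (not part of the original post), the following POSIX shell function checks a candidate password against the production policy just stated: more than 10 characters and at least three of the four character classes. The two sample passwords in the demo loop are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Returns 0 when the password
# meets the policy (length > 10 and at least three of the four classes),
# 1 otherwise. LC_ALL=C keeps [A-Z] and [a-z] from matching across cases
# in locales with collating ranges.
check_password_policy() {
    pw=$1
    len=${#pw}
    classes=0
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'        && classes=$((classes + 1))
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'        && classes=$((classes + 1))
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'        && classes=$((classes + 1))
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' && classes=$((classes + 1))
    [ "$len" -gt 10 ] && [ "$classes" -ge 3 ]
}

# Constructed samples; never echo real passwords in a production script.
i=0
for candidate in 'Tr0ub4dor&3x' 'password123'; do
    i=$((i + 1))
    if check_password_policy "$candidate"; then
        echo "candidate $i: meets policy"
    else
        echo "candidate $i: rejected"
    fi
done
```

Candidate 1 has all four classes and 12 characters, so it passes; candidate 2 is long enough but uses only lowercase letters and digits, so it is rejected. The function cannot check the third requirement (a different password on every server); that needs an inventory of which credentials are deployed where.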
Fourth, check for accounts with an empty password
If an account turns out to have an empty password, force a password that meets the policy to be set on it.
Check method (run as root, since /etc/shadow is not world-readable; a field of "!" or "*" means a locked account, not an empty password):
awk -F: '($2 == "") {print $1}' /etc/shadow
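The two detection checks from the first and fourth sections (extra UID 0 accounts, and accounts with an empty password field) as one audit script. This is an added example, not the original post's code; the passwd and shadow contents below are constructed fixtures written to a temporary directory, and the functions take a file path so they can be run against the live /etc/passwd and /etc/shadow or a backup copy.

```shell
#!/bin/sh
# Added example, not from the original post. Both functions read a
# passwd- or shadow-format file given as $1 and print offending account
# names, one per line, so the output can be fed to passwd -l or userdel.

# Accounts with UID 0 whose name is not root.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty. "!" and "*" denote
# locked accounts and are deliberately not reported here.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data (not from a real system). On a live host use
# /etc/passwd and /etc/shadow instead of these paths.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
SAMPLE_PASSWD="$tmpdir/passwd"
SAMPLE_SHADOW="$tmpdir/shadow"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
admin:x:1000:1000:Admin:/home/admin:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:19000:0:99999:7:::
admin:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

echo "UID 0 accounts other than root:"
find_extra_uid0 "$SAMPLE_PASSWD"
echo "Accounts with an empty password field:"
find_empty_passwords "$SAMPLE_SHADOW"
```

On the fixture the first check reports toor and the second reports guest; admin is locked ("!") and bin has no password ("*"), so neither is flagged. Compare the output of find_extra_uid0 with the grep ' 0$' one-liner above: the awk test on $3 avoids matching UIDs that merely end in 0, such as 10 or 1000.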
Fifth, lock the password files
Use the chattr command to add the immutable attribute to the following files, so that unauthorized users cannot gain access by modifying them:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
Verify the attribute with lsattr on each file. While it is set, even root cannot change the files, so useradd, userdel and passwd will fail; remove it with chattr -i before making account changes and set it again afterwards.
Sixth, set an automatic logout time for idle root sessions
Modify the TMOUT parameter in the environment startup file /etc/profile; TMOUT is measured in seconds.
vim /etc/profile
Add the following lines after "HISTFILESIZE=":
TMOUT=300
export TMOUT
The variable name must be upper case; a lowercase tmout has no effect. TMOUT is honored by interactive bash sessions, and a user can unset it unless it is also marked readonly (which would, however, prevent the per-user override described next).
The setting takes effect only after the user logs out and logs in again.
To give an individual user a different automatic logout time, set the value in the .bashrc file in that user's home directory instead.
Seventh, restrict the su command
To stop just anyone from switching to root with su, edit the /etc/pam.d/su file and add the following line:
auth required pam_wheel.so use_uid
From then on only members of the wheel group can su to root (pam_wheel uses the wheel group by default; on systems without one, pass group=<name>). To allow the user admin to su to root afterwards, add the user to the wheel group:
usermod -aG wheel admin
The -a flag appends to the user's supplementary groups; usermod -G wheel admin on its own would replace all of them with wheel.
Eighth, prevent ordinary users from performing sensitive operations such as shutdown, reboot and network configuration
Remove the access-control files for halt, reboot, poweroff, shutdown and similar programs under /etc/security/console.apps, so that ordinary users logged in at the console are no longer allowed to run them.
You can also delete every configuration file under /etc/security/console.apps at once:
rm -rf /etc/security/console.apps/*
These files belong to the consolehelper/pam_console mechanism of older Red Hat-family systems; on distributions that use systemd-logind and polkit, console users get shutdown rights from polkit rules instead, and those are what need restricting.
Ninth, disable the Ctrl+Alt+Delete reboot key combination
Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now".
On systemd-based systems /etc/inittab is not used; disable the key combination there with systemctl mask ctrl-alt-del.target.
Tenth, set permissions on the boot service directory
Set permissions on the /etc/rc.d/init.d/ directory and on all of the boot startup scripts in it with the following command:
chmod -R 700 /etc/rc.d/init.d/
This allows only root to read, write or execute the scripts.
Eleventh, do not display system and version information at login
Delete the banner files:
rm -rf /etc/issue
rm -rf /etc/issue.net
Package updates may recreate these files, so check them again after upgrading. Note that sshd shows /etc/issue.net only when its Banner directive points at the file; the version string in the SSH protocol banner itself is not affected by this step.
Chapter II. Restricting network access
First, NFS access
If you run the NFS network file system service, make sure /etc/exports has the most restrictive access settings possible: no wildcards, no root write permission, and read-only exports wherever the clients can work with them. Edit /etc/exports and add lines like the following two:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory to export, host1.mydomain.com is the name of the machine allowed to mount it, ro exports it read-only, and root_squash maps the client's root user to an unprivileged user so that root on the client cannot write as root. Write the options directly after the hostname with no space before the opening parenthesis: with a space, exportfs reads the hostname as one client with default options and treats the parenthesized options as applying to every host. For the change to take effect, run:
/usr/sbin/exportfs -ra
(-r re-synchronizes entries that are already exported with the file; plain -a only adds new ones.) Check the result with exportfs -v.
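An added example (not from the original post) that scans an exports file for the mistakes this section warns about: a wildcard in the client list, a read-write export, no_root_squash, and the "host (options)" spacing error that silently turns the options into a world export. The sample file below is a constructed fixture; on a real server pass /etc/exports instead.

```shell
#!/bin/sh
# Added example, not from the original post. Prints one line per finding,
# prefixed with the export point. Blank lines and comments are skipped.
audit_exports() {
    LC_ALL=C awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            dir = $1
            # Everything after the export point: client list plus options.
            rest = substr(line, length(dir) + 1)
            sub(/^[ \t]+/, "", rest)
            # "host (options)": the space makes the options apply to the world.
            if (rest ~ /[ \t]\(/)
                print dir ": space before ( makes the options apply to every host"
            if (rest ~ /[*?]/)
                print dir ": wildcard in client list"
            if (rest ~ /[(,]rw[,)]/)
                print dir ": read-write export"
            if (rest ~ /no_root_squash/)
                print dir ": no_root_squash lets a remote root write as root"
        }' "$1"
}

# Constructed sample exports file (not a real system's configuration).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
SAMPLE_EXPORTS="$tmpdir/exports"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# good: one named client, read-only, root squashed
/srv/good   host1.mydomain.com(ro,root_squash)
# the options are separated from the host by a space
/srv/space  host2.mydomain.com (ro,root_squash)
# wildcard client, writable, remote root keeps its privileges
/srv/wild   *.mydomain.com(rw,no_root_squash)
EOF

audit_exports "$SAMPLE_EXPORTS"
```

On the fixture the script reports nothing for /srv/good, the spacing error for /srv/space, and three findings for /srv/wild. Run it before exportfs -ra; the spacing check in particular catches the case where the file looks correct to the eye but exports the directory to everyone.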
Second, login terminal settings
The file /etc/securetty lists the tty devices on which root is allowed to log in. It is read by the /bin/login program (through pam_securetty) and contains the allowed device names, one per line. Edit /etc/securetty and comment out the following lines:
#tty2
#tty3
#tty4
#tty5
#tty6
Root can then log in only at the tty1 console. This file only governs local logins through login; root logins over SSH are controlled by the PermitRootLogin directive in sshd_config.
Chapter III. Preventing attacks
First, prevent IP spoofing
Edit the /etc/host.conf file and add the following lines to guard against IP spoofing attacks:
order bind,hosts
multi off
nospoof on
nospoof makes the resolver check that the reverse lookup of a returned address maps back to the hostname that was looked up. Note that modern glibc takes the lookup order from the hosts: line in /etc/nsswitch.conf rather than from host.conf, so check that file as well, and consult host.conf(5) for which keywords your glibc version still honors.
Second, prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, helps prevent denial-of-service-type attacks. For example, add the following lines to /etc/security/limits.conf:
* hard core 0
* hard rss 5000
* hard nproc 20
Then edit /etc/pam.d/login and make sure the following line is present:
session required pam_limits.so
(Older guides give the full path /lib/security/pam_limits.so; the bare module name is what current PAM expects.)
These settings disable core dumps, restrict each user to 20 processes and cap resident memory at 5000 KB (about 5 MB). Two caveats: the Linux kernel has not enforced the rss limit for many years, so use the as (address space) limit if memory must actually be capped; and the * wildcard does not apply to root, so nproc 20 does not constrain root. A limit of 20 processes is also too low for many interactive and service accounts; tune the value to your workload.
This article is from the "Operations and Maintenance Technology Accumulation" blog; please keep this source: http://pkersun.blog.51cto.com/4481043/1581794
Production Environment Linux Server System Security Configuration