Production Environment Linux Server System Security Configuration
Chapter 1: Account security and permissions
1. Disable superuser accounts other than root
1. Check method:
cat /etc/passwd: view the password file. Each line has the format:
login_name:password:user_ID:group_ID:comment:home_dir:login_shell
Any account with user_ID = 0 has superuser privileges, whatever its name is. Check whether more than one account has user_ID = 0.
2. Check command:
awk -F: '$3 == 0 {print $1}' /etc/passwd
Compare the UID field exactly; grepping for a trailing "0" would also match ordinary accounts such as UID 1000.
3. Backup method:
cp -p /etc/passwd /etc/passwd_bak
4. Hardening method:
Use passwd -l <username> to lock any unnecessary superuser account, and passwd -u <username> to unlock it if it must be restored.
Alternatively, change the account's login shell to /sbin/nologin (usermod -s /sbin/nologin <username>).
Note that passwd -l only disables password authentication; it does not remove SSH keys or other credentials the account may have, so for an account that is not needed at all, change its shell or delete it rather than only locking the password.
2. Delete unnecessary accounts
1. Delete the default accounts created by the operating system installation that the server does not need. Linux ships with many default accounts, and every extra account is one more target for an attacker.
2. Users that can usually be deleted, for example:
adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
3. Groups that can usually be deleted, for example:
adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.
4. Delete commands:
userdel username
groupdel groupname
Before deleting an account, confirm that no installed service depends on it (printing uses lp, and on Debian-based systems log files are group-owned by adm): check which files it owns with find / -user <name> and back up /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow first.
3. User password settings
User passwords are the first line of Linux/Unix security. Many users choose passwords that are far too simple, which amounts to leaving the door open for intruders. In theory any password can be cracked given enough time and resources, but a well-chosen password makes that impractical. A good password is easy for its owner to remember and hard for anyone else to guess. Avoid writing passwords down; if a record is unavoidable, keep it in an encrypted file.
Production environment password requirements: the password contains at least three of the four character classes (uppercase letters, lowercase letters, digits and special characters), is longer than 10 characters, and is different on every server. On systems with pam_pwquality, the length and class requirements can be enforced centrally through the minlen and minclass settings in /etc/security/pwquality.conf.
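The production password policy stated above, turned into a check that a practitioner can run against candidate passwords. This is an example added by the editor, not code from the original guide; the function name password_meets_policy and the sample passwords are constructed for the demonstration.

```shell
#!/bin/sh
# Editor-added example, not part of the original guide: check a candidate
# password against the production policy stated above (longer than 10
# characters, at least three of the four character classes). The sample
# passwords below are constructed for the demonstration.
export LC_ALL=C   # keep [a-z]/[A-Z] ranges ASCII-only regardless of locale

# Return 0 if the password meets the policy, 1 otherwise.
password_meets_policy() {
    pw=$1
    # Overall length must exceed 10 characters.
    [ "${#pw}" -gt 10 ] || return 1
    classes=0
    case "$pw" in *[a-z]*)         classes=$((classes + 1)) ;; esac
    case "$pw" in *[A-Z]*)         classes=$((classes + 1)) ;; esac
    case "$pw" in *[0-9]*)         classes=$((classes + 1)) ;; esac
    case "$pw" in *[!a-zA-Z0-9]*)  classes=$((classes + 1)) ;; esac
    # At least three of the four classes must be present.
    [ "$classes" -ge 3 ]
}

# Run the check over the constructed samples and report each verdict.
for candidate in 'Tr0ub4dor&3x' 'Abcdefghij1' 'Abcdefghij' 'abcdefghijkl'; do
    if password_meets_policy "$candidate"; then
        echo "OK   : $candidate"
    else
        echo "WEAK : $candidate"
    fi
done
```

The function is deliberately strict about the length comparison (11 characters is the minimum that passes, because the policy says "greater than 10") and counts a class at most once, so a password made of many digits and many uppercase letters still has only two classes.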
4. Check for empty-password accounts
An account with an empty password field in /etc/shadow can log in without any password. Assign such accounts a password that meets the requirements above, or lock them.
Check method:
# awk -F: '($2 == "") {print $1}' /etc/shadow
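The UID 0 check from section 1 and the empty-password check from this section combined into one small audit script. This is an example added by the editor, not code from the original guide; the function names and the passwd/shadow lines are constructed sample data, and on a real host you would feed /etc/passwd and /etc/shadow to the functions instead.

```shell
#!/bin/sh
# Editor-added example, not part of the original guide: audit passwd/shadow
# data for extra UID-0 accounts (section 1) and empty password fields
# (section 4). Reads the file content from standard input.
export LC_ALL=C

# Print every account whose UID field is exactly 0. Comparing the field
# numerically avoids the mistake of grepping for a trailing "0", which
# would also match ordinary accounts such as UID 1000.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Count UID-0 accounts other than root; anything above 0 needs attention.
extra_superuser_count() {
    awk -F: '$3 == 0 && $1 != "root" { n++ } END { print n + 0 }'
}

# Print accounts whose shadow password field is empty (login without a
# password). Locked accounts ("!", "!!" or "*") are deliberately not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Constructed sample data for the demonstration. "toor" is a second UID-0
# account and "guest" has an empty password hash; both must be flagged.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
guest:x:1000:1000:guest:/home/guest:/bin/bash
admin:x:1001:1001:admin:/home/admin:/bin/bash'
SAMPLE_SHADOW='root:$6$saltsalt$constructedhash:19000:0:99999:7:::
toor:$6$saltsalt$constructedhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
admin:!!:19000:0:99999:7:::'

echo "UID 0 accounts:";          printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "Extra superusers:";        printf '%s\n' "$SAMPLE_PASSWD" | extra_superuser_count
echo "Empty-password accounts:"; printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
# On a real host: uid0_accounts < /etc/passwd ; empty_password_accounts < /etc/shadow
```

Run it as root (or with a copy of the files) and treat any name printed under "UID 0 accounts" other than root, or any name under "Empty-password accounts", as a finding to lock, fix or delete per sections 1 and 4.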
5. Lock the password files
Use chattr to set the immutable attribute on the following files so that they cannot be modified, even by root, until the attribute is removed:
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
While the attribute is set, useradd, userdel, passwd and similar tools will fail; run chattr -i on the files before legitimate account changes and set +i again afterwards. Verify the current state with lsattr on the same four files.
6. Set an automatic logout timeout for idle shells
Set the TMOUT variable in the environment startup file /etc/profile. TMOUT is measured in seconds, and a value set in /etc/profile applies to every login shell, not only root.
vim /etc/profile
Add the following line after the "HISTFILESIZE=" line:
TMOUT=300
Consider also declaring the variable read-only and exporting it in the same file, so that users cannot simply unset it in their own shell.
After changing this setting, the user must log out and log back in for it to take effect.
To give a particular user a different timeout, set TMOUT in that user's ~/.bashrc instead; this only works if the global value has not been declared read-only.
7. Restrict the su command
To allow only members of the wheel group to su to root, edit /etc/pam.d/su and add the following line:
auth required pam_wheel.so use_uid
Afterwards, only users in the wheel group can su to root. To allow the user admin to su to root, add it to the wheel group:
# usermod -aG wheel admin
On most Red Hat derived systems wheel is GID 10, so usermod -G 10 admin refers to the same group, but use -a as well: -G on its own replaces the user's existing supplementary groups instead of adding to them.
8. Prevent normal users from performing sensitive operations such as shutdown, reboot and network configuration
On systems that use pam_console, delete the access control files for halt, reboot, poweroff and shutdown under /etc/security/console.apps/ so that console users can no longer run these commands without root privileges.
You can also remove all configuration files in /etc/security/console.apps/:
rm -rf /etc/security/console.apps/*
On newer systems that use systemd and polkit instead of pam_console, this directory may not exist; control these actions through polkit rules instead.
9. Disable the Ctrl+Alt+Delete reboot key combination
On SysV init systems, edit /etc/inittab and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now", then run init q to reload the file. On systemd systems, run systemctl mask ctrl-alt-del.target instead.
10. Set permissions on the startup script directory
Restrict the permissions of all files in the /etc/rc.d/init.d/ directory.
For the boot scripts, run:
# chmod -R 700 /etc/rc.d/init.d/
This way only root can read, write or execute these scripts.
11. Avoid displaying system and version information before login
Delete the banner files:
rm -f /etc/issue
rm -f /etc/issue.net
Alternatively, replace their contents with a plain warning banner that contains no OS or version details; sshd can be configured with the Banner option to show /etc/issue.net before authentication, so an informative banner there leaks the same details to remote users.