Security hardening strategy of Linux system (II.)

Source: Internet
Author: User
Tags account security

First, installation and upgrade
Use a custom installation and leave out unnecessary packages as far as possible. If necessary, add a password restriction to the LILO/GRUB bootloader. After the installation is complete, upgrade the system software with up2date, yum or apt (Debian); sometimes upgrading the kernel is also necessary.
Edit /etc/sudoers and add the following line (NOPASSWD:ALL lets that account run any command as root without a password, so it should only be given to a well-protected account):
jinshuai ALL=NOPASSWD:ALL
Second, the account security
1. Servers are generally placed in an IDC machine room and managed by remote access, so remote root access must be restricted: the administrator logs in through an ordinary account and then uses su to become root, and developers only use ordinary account permissions.
1) In the /etc/default/login file, add the following line:
CONSOLE=/dev/tty01
2) Console access can be disabled with the following script (it comments out every pam_console.so line in the PAM configuration files):
#!/bin/sh
cd /etc/pam.d
for i in *; do
    # prefix each active pam_console.so line with '#' and replace the file
    sed '/[^#].*pam_console.so/s/^/#/' < "$i" > foo && mv foo "$i"
done
3) To prevent anyone from using su to become root, add the following two lines to /etc/pam.d/su:
auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=wheel
Then put the users who are allowed to su to root into the wheel group (GID 10):
usermod -G 10 admin
2. Edit /etc/securetty and comment out all terminals on which root is allowed to log in, then disable console programs with the following command:
rm -f /etc/security/console.apps/servicename
Third, apply the principle of minimum services: comment out all unnecessary services. In /etc/inetd.conf, add "#" in front of services that are not needed (newer versions no longer have inetd and use xinetd instead). Cancel services that start automatically at boot: under /etc/rc.d/rc3.d, change the first letter of the link for each service that does not need to run from "S" to "K" and leave the rest unchanged.
Four. File system permissions
1) Find all programs in the system that carry the "s" (setuid/setgid) bit, remove the bit where it is not needed, or simply delete programs that are not needed at all, so that users cannot abuse them to escalate privileges. The command is as follows (the two -perm tests are grouped so that -print applies to both):
find / -type f \( -perm -4000 -o -perm -2000 \) -print | xargs ls -lg
2) Add the immutable attribute to important files (this is not usually needed):
chattr +i /etc/passwd
With the immutable attribute set, the system does not allow any modification of the file. If a directory has this attribute, processes can still modify the files inside it, but cannot create or delete files in it.
3) Locate files in the system that have no owner or no group:
find / -nouser -o -nogroup
4) Identify files and directories that are writable by others (-perm -2) or by the group (-perm -20):
find / -type f \( -perm -2 -o -perm -20 \) | xargs ls -lg
find / -type d \( -perm -2 -o -perm -20 \) | xargs ls -ldg
5) Do not give execute permission to FTP upload directories; if you provide a virtual hosting service that can run CGI, additional security configuration is needed. In /etc/security/limits.conf, add or change the following lines (the leading "*" is the domain field, meaning all users):
* hard core 0
* hard rss 5000
* hard nproc 20
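The audits of items 1), 3) and 4) above, collected into one script as an added example (not code from the original post). The functions take the tree to audit as their argument; in real use pass /, and the constructed demo tree lets the script run without root.

```shell
#!/bin/sh
# Added example, not from the original post: the file-system audits of this
# section as shell functions, run over one directory tree. In real use pass /
# as the tree; the demo tree below is constructed so the script runs unprivileged.

# 1) setuid/setgid programs. The -o alternatives are parenthesised; without the
#    parentheses -print would apply only to the -perm -2000 branch.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# 3) entries whose owner or group no longer exists in /etc/passwd or /etc/group
find_orphaned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# 4) files and directories writable by the group (-020) or by others (-002)
find_writable() {
    find "$1" -xdev \( -type f -o -type d \) \( -perm -002 -o -perm -020 \) -print 2>/dev/null
}

# number of findings for one check; used by the report and the test
count_findings() {
    "$1" "$2" | wc -l | tr -d ' '
}

# print all three checks as a report for the given tree
audit_report() {
    for check in find_setid find_orphaned find_writable; do
        echo "== $check ($(count_findings "$check" "$1") found)"
        "$check" "$1"
    done
}

# Constructed demo tree: one setuid file, one world-writable upload directory,
# one ordinary 0644 file. Prints the tree's path. Modes are set explicitly.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/upload" && chmod 0755 "$d/bin"
    : > "$d/bin/suidprog" && chmod 4755 "$d/bin/suidprog"
    chmod 0777 "$d/upload"
    : > "$d/passwd" && chmod 0644 "$d/passwd"
    echo "$d"
}

# Run the demo with:  audit_report "$(build_demo_tree)"
```

On a real system run audit_report / as root so that find can descend into every directory; -xdev keeps it on one filesystem, so repeat it per mount point.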
Five. Banner Camouflage
1) Intruders usually choose their attack by operating system, service and application version, and overflow exploit lists and attack lists are categorised the same way, so it is worth doing something to make intrusion harder.
By default /etc/rc.d/rc.local writes the kernel version into the login banner; edit it and comment out the following lines:
# echo "Kernel $(uname -r) on $a $(uname -m)" > /etc/issue
# echo "Kernel \r on an \m" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
2) In the Apache configuration file, find the ServerTokens and ServerSignature directives and change their defaults as follows so that the version number is not echoed:
ServerTokens Prod
ServerSignature Off
Vi. iptables Firewall Rules:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
The rules above accept new inbound TCP connections only to ports 22 and 80, allow packets belonging to connections that are already established, and drop everything else, so unsolicited inbound connections are blocked. This is a simple example; iptables is very powerful and firewall rules should be set according to the specific situation.
Seven. Tripwire is a well-known tool that helps you determine whether important system files have been modified. Current Linux distributions ship an open-source version of the tool, and its default check-object configuration file already covers some sensitive files.
Eight. Self-scan
Once the general security hardening is basically done, we can do a risk assessment ourselves; the latest version of Nessus is recommended.
Nine. Logging Policy
The main thing is to keep a hard copy of the important logs related to intrusions, so that they can serve as the "black box" when emergency response is carried out. They can be redirected to a printer, to the administrator's mailbox, or to a separate log server and its hot backup.
10. Snort Intrusion Detection system
This is necessary for systems with high requirements on intrusion response and security logging. For an ordinary system whose administrator does not look at the large volume of logs at all, it only consumes system resources in vain and is like a chicken rib: of little use, yet a pity to discard.
The following recommendations for preventing viruses on the Linux platform are summarised for reference only:
(1) Do a good job of system strengthening.
(2) Pay attention to security bulletins and patch vulnerabilities promptly.
(3) Do not use root privileges for daily operation.
(4) Do not install device drivers of unknown origin at random.
(5) Do not run unknown executable programs or scripts on important servers.
(6) Install anti-virus software where possible and update the virus signature database regularly.
(7) For Linux servers connected to the Internet, periodically check for Linux viruses, worms and Trojans.
(8) For Linux servers that provide file services, it is a good idea to deploy software that can scan for both Windows and Linux viruses.
(9) For Linux servers that provide mail services, it is best to use an e-mail virus scanner.
In a word, there are many ways to protect against viruses on Linux, but Linux viruses should not be taken lightly.

This article is from the "Du Haiqiang" blog, make sure to keep this source http://dulinux.blog.51cto.com/10803129/1709701

