Next, we continue with some more Linux server security configuration items.
#6, strong password policy. When we use the useradd and usermod commands to create or maintain user accounts, make sure a strong password policy is always applied. For example, a good password has at least 8 characters and mixes letters, numbers, special characters, upper and lower case, and so on. Use a tool such as "John the Ripper" to find users with weak passwords, and use pam_cracklib.so to enforce the password policy.
#6.1 Password life cycle. The chage command changes the password change interval and the date of the most recent password change. The system uses this information to decide whether the user's password must be changed. Some of these options, including the password life cycle defaults, are defined in the /etc/login.defs file. If you need to disable password expiry for a user, run the following (maximum age 99999 days effectively means the password never expires):
# chage -M 99999 userName
To get password expiration information for a user, enter:
# chage -l userName
We can also see these fields in the /etc/shadow file:
{username}:{password}:{lastpasswdchanged}:{minimum_days}:{maximum_days}:{warn}:{inactive}:{expire}
Where:
minimum_days defines the minimum interval between password changes, i.e. the shortest time after which the user may change the password again.
maximum_days defines how long the password remains valid; beyond this the user must change the password.
warn defines how many days before the password expires the user is warned to change it.
expire defines the number of days from January 1, 1970 until the account expires, after which the user can no longer log in.
It is recommended to use the chage command instead of editing the /etc/shadow file directly. For example, to set a 7-day minimum interval and a 7-day warning period:
# chage -m 7 -W 7 userName
#6.2, prohibit reuse of previous passwords.
You can prevent all users from reusing their old passwords. The pam_unix module provides this feature and lets us define how many previous passwords may not be reused.
#6.3, lock the user after login failures. In Linux, you can use the faillog command to display failed logins or to set a failed-login limit. To view failed logins, enter: faillog. To unlock a user who was locked out after failed logins, run: faillog -r -u userName. Note: you can also use the passwd command to lock or unlock a user's password.
#6.4, how to check whether any account has a blank password. Use the following command (the second colon-separated field of /etc/shadow is the password hash; an empty field means no password is required):
# awk -F: '($2 == "") {print}' /etc/shadow
Lock all accounts with blank passwords:
# passwd -l accountName
#6.5, ensure that no non-root user has UID 0.
Only the root user should have UID 0, which carries all privileges on the system. Use the following command to check (the third field of /etc/passwd is the UID):
# awk -F: '($3 == "0") {print}' /etc/passwd
You should see only the root row in the output; if other users appear, remove them.
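The checks from 6.1, 6.4 and 6.5 combined into one small audit script, as an added example that is not part of the original article. It runs against constructed sample copies of /etc/passwd and /etc/shadow written to a temporary directory (the account names and hash placeholders are made up); point the functions at the real files to audit a server.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/passwd and /etc/shadow.
# The account "svc_old" is a deliberately bad entry: UID 0 and an empty password field.
TMPD=$(mktemp -d)
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
svc_old:x:0:0::/root:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
# Fields: name:hash:lastchange:min:max:warn:inactive:expire  (hashes are placeholders)
cat > "$TMPD/shadow" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
alice:$6$placeholderhash:19000:7:60:7:::
svc_old::19000:0:99999:7:::
bob:$6$placeholderhash:19000:0:99999:7:::
EOF

# Section 6.4: accounts whose password field (field 2) is empty, so no password is asked for.
empty_password_accounts() {
    awk -F: '($2 == "") {print $1}' "$1"
}

# Section 6.5: accounts other than root that carry UID 0 (field 3), i.e. full superuser rights.
extra_uid0_accounts() {
    awk -F: '($3 == "0" && $1 != "root") {print $1}' "$1"
}

# Section 6.1: accounts whose maximum password age (field 5) is unset or 99999 (never expires).
non_expiring_accounts() {
    awk -F: '($5 == "" || $5 >= 99999) {print $1}' "$1"
}

# Print all findings for a passwd/shadow pair; on a real host pass /etc/passwd /etc/shadow.
audit_accounts() {
    echo "Empty passwords:";   empty_password_accounts "$2"
    echo "Extra UID 0 users:"; extra_uid0_accounts "$1"
    echo "Never-expiring passwords:"; non_expiring_accounts "$2"
}

audit_accounts "$TMPD/passwd" "$TMPD/shadow"
```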
#7, prohibit root login. Never log in as the root user; use sudo to run the commands that require root privileges. sudo avoids sharing the root password and also provides some auditing and tracking support.
#8, physical security of the server. We must ensure the physical security of the server and configure the BIOS to prohibit booting from external devices. Set passwords for the BIOS and the GRUB boot loader. All equipment should be kept in a secure IDC (Internet Data Center) with appropriate room security measures in place.
#9, disable services you do not need. Disable all unnecessary services and daemons, and remove them from the system startup. Use the following command to check which services start with the system (at run level 3):
# chkconfig --list | grep '3:on'
To disable a service, you can use the following commands:
# service serviceName stop
# chkconfig serviceName off
#9.1, check the listening network ports.
Use the netstat command to see which ports are listening on the server:
# netstat -tulpn
If you find unwanted services, you can use chkconfig to turn them off. If they need to be blocked from the outside, iptables can be used.
#10, remove X Windows. On a server, X Windows is completely unnecessary. You can remove it with the package management tool:
# yum groupremove "X Window System"
20 Linux Server Security Hardening Recommendations (II)