Basic Linux system security applications

I. Basic Security 1. Account Security: Set the Shell of a non-logged-on user to/sbin/nologin to lock the account that is not used for a long time, delete useless account lock account files passwd and shadow lock files and view the status [root @ localhost ~] # Chattr + I/etc/passwd/etc/shadow [root @ localhost ~] # Lsattr/etc/passwd/etc/shadow -- I ---/etc/passwd -- I ---/etc/shadow unlock the file and view the status [root @ localhost ~] # Chattr-I/etc/passwd/etc/shadow [root @ localhost ~] # Lsattr/etc/passwd/etc/shadow -----/etc/passwd -----/etc/shadow 2. Password Security Setting Password validity period requires the user to change the password upon the next login applies to new users: [root @ localhost ~] # Vi/etc/login. defs ...... PASS_MAX_DAYS 30 applies to existing users: [root @ localhost ~] # Chage-M 30 lisi force password change at next login [root @ localhost ~] # Chage-d 0 zhangsan 3. Command history and automatic logout command history limit reduce the number of Command records automatically clear command history when logging out [root @ localhost ~] # Vi/etc/profile ...... HISTSIZE = 200 [root @ localhost ~] # Vi ~ /. Bash_logout ...... History-c clear terminal automatic logout: automatically deregister after 600 seconds of idle [root @ localhost ~] # Vi ~ /. Bash_profile ...... Export TMOUT = 600 4. su command control purpose and usage purpose: Substitute User, switch User format: su-target User password verification root to a arbitrary User, if you do not verify the password of a common user, you can use the su command to verify the password of the target user. If you enable the pam_wheel authentication module, users using the su command can be added to the wheel group [root @ localhost ~]. # Vi/etc/pam. d/su # % PAM-1.0 auth sufficient pam_rootok.so auth required pam_wheel.so use_uid ...... [Root @ localhost ~] # Gpasswd-a tsengyia wheel tsengyia is adding the user "tsengyia" to the "wheel" group to view the su operation record Security log File:/var/log/secure [root @ localhost ~] # Tail/var/log/secure ...... May 13 18:05:51 mail su: pam_unix (su-l: session): session opened for user root by tsengyia (uid = 1006) May 13 18:07:34 mail su: pam_unix (su-l: session): session opened for user jerry by tsengyia (uid = 1006) 5. Use the sudo mechanism to enhance the permission usage and usage: Use another user identity (such as root) command usage for executing authorization: When the sudo authorization command password is verified for the first time, the password of the current user does not need to be verified. [root @ localhost ~] # Sudo-u jerry/bin/touch/tmp/test. file [root @ localhost ~] # Ls-l/tmp/test. file-rw-r-1 jerry 0 07-12 05:39/tmp/test. file uses the-u option to specify the target user. By default, sudo is configured as the root user to authorize the mongodo or vi/etc/sudoers record format: User Host Name List = command program list [root @ localhost ~] # Just do ...... % Wheel ALL = NOPASSWD: ALL jerry localhost =/sbin/ifconfig syrianer localhost =/sbin /*,! /Sbin/ifconfig ,! /Sbin/route Cmnd_Alias PKGTOOLS =/bin/rpm,/usr/bin/yum mike localhost = PKGTOOLS: /var/log/sudo [root @ localhost ~] # Just do ...... Defaults logfile = "/var/log/sudo" query authorized sudo operations sudo-l II. On-Off Security Control 1. BIOS Security sets the first boot device as the hard disk of the current system other devices (optical discs, USB flash drives, and networks) the boot system sets the security level to setup, and sets the administrator password. 2. Disable Ctrl + Alt + delete to restart the machine command to modify the/etc/inittab file, and set "ca: ctrlaltdel: comment out the/sbin/shutdown-t3-r now line. Then reset/etc/rc. d/init. run the following command to grant permissions to all files in the d/directory: # chmod-R 700/etc/rc. d/init. d/* in this way, only the root user can read, write, or execute all the above script files. 3. Modify the startup parameters without authorization in the GRUB menu. Access to the specified system is prohibited without authorization. Password setting method (grub. conf): password plaintext password string password-md5 encrypted password string password record location: Global part (before the first "title") system boot part (after each "title" part) use the grub-md5-crypt to get the encrypted string: [root @ localhost ~] # Grub-md5-crypt Password: Retype password: $1 $ Kndw50 $ wRW2w1v/jbZ8n5q2fON4y/modify the grub. conf file, add Password record: [root @ localhost ~] # Vi/boot/grub. conf ...... Password-md5 $1 $ Kndw50 $ wRW2w1v/jbZ8n5q2fON4y/title Red Hat Enterprise Linux Server (2.6.18-194. el5) root (hd0, 0) kernel/vmlinuz-2.6.18-194.el5 ro root =/dev/VolGroup00/LogVol00 initrd/initrd-2.6.18-194.el5.img 3. Terminal login security 1. login information system login information stored in/etc/issue,/etc/issue.net folder, including the operating system type and kernel version. One idea is to comment out the information in the relevant files, as follows: # Thiswilloverwrite/etc/issueateveryboot. so, makeanychangesyou # wanttomaketo/etc/issuehereoryouwilllosethemwhenyoureboot. # echo \ ">/etc/issue # echo \" $ R \ ">/etc/issue # echo \" Kernel $ (uname-r) on $ a $ (uname-m) \ ">/etc/issue # cp-f/etc/issue/etc/issue.net # echo>/etc/issue then, perform the following operations: # rm-f/etc/issue # rm-f/etc/issue.net # touch/etc/issue # touch/etc/issue.net another idea is to modify the login information to fool attackers: local logon prompt:/etc /Issue network logon prompt:/etc/issue.net [root @ localhost ~] # Vi/etc/issue Microsoft Windows Server 2008 R2 2. log on to the terminal to reduce the number of opened tty terminals: Modify the initialization configuration file/etc/inittab, this reduces the number of open tty terminals. You can only log on to [root @ localhost ~] for versions 4, 5, and 6. # Vi/etc/inittab ...... # Run gettys in standard runlevels #1: 2345: respawn:/sbin/mingetty tty1 #2: 2345: respawn:/sbin/mingetty tty2 #3: 2345: respawn: /sbin/mingetty tty3 4: 2345: respawn:/sbin/mingetty tty4 5: 2345: respawn:/sbin/mingetty tty5 6: 2345: respawn: /sbin/mingetty tty6 [root @ localhost ~] # Init q // reload the configuration file Root user login: Another idea is that the/etc/securetty file specifies the tty device that allows root login, which is read by the/bin/login program, the format is a list of allowed names. You can edit/etc/securetty and comment out the following lines # tty1 # tty2 # tty3 # tty4 # tty5 # tty6, root can only log on to the tty1 terminal. Normal user login: Create a/etc/nologin file to prevent normal users from logging on to delete the nologin file or restoring the file to normal after restart [root @ localhost ~] # Touch/etc/nologin [root @ localhost ~] # Rm-rf/etc/nologin 4. Attack prevention 1. Prevent ping. If no one can ping your system, security will naturally increase. For this reason, you can go to/etc/rc. d/rc. add the following line to the local file: echo1>/proc/sys/net/ipv4/icmp_echo_ignore_all 2. prevent IP spoofing to edit the host. conf file and add the following lines to prevent IP spoofing attacks. Orderbind, hosts multioff nospoofon 3. Prevent DoS attacks and set resource limits for all users in the system to prevent DoS attacks. Such as the maximum number of processes and memory usage. For example, in/etc/security/limits. add the following lines to the conf file: * hardcore0 * hardrss5000 * hardnproc20 and then edit/etc/pam. d/login file to check whether the following row exists. The command above sessionrequired/lib/security/pam_limits.so prohibits debugging files. The maximum number of processes is 50 and the memory usage is 5 MB. After the preceding settings, your Linux Server can be immune to the vast majority of known security issues and network attacks. However, a good system administrator must always pay attention to network security trends, fix exposed and potential security vulnerabilities at any time.