Red Hat is currently the most popular Linux distribution in enterprises, and it is increasingly targeted by attackers. How should the security of such servers be reinforced?
I. Account Security
1.1 Lock unused user-created accounts in the system
Check method:
Execute the commands
# cat /etc/passwd
# cat /etc/shadow
View the account and password files and confirm with the system administrator which accounts are unnecessary. Reserved system pseudo accounts such as bin, sys, adm, uucp, lp, nuucp, hpdb, www, and daemon can have their logins locked as needed.
Backup method:
# cp -p /etc/passwd /etc/passwd_bak
# cp -p /etc/shadow /etc/shadow_bak
Reinforcement method:
Use the command passwd -l <user name> to lock unnecessary accounts.
Use passwd -u <user name> to unlock an account that needs to be restored.
Risk:
Confirm with the administrator that this operation will not affect logins of the business system.
1.2 Set system password policies
Check method:
Use the command
# cat /etc/login.defs | grep PASS    view the password policy settings
Backup method:
# cp -p /etc/login.defs /etc/login.defs_bak
Reinforcement method:
# vi /etc/login.defs    modify the configuration file
PASS_MAX_DAYS 90    # maximum number of days a password may be used
PASS_MIN_DAYS 0     # minimum number of days allowed between password changes
PASS_WARN_AGE 7     # number of days of warning given before a password expires
PASS_MIN_LEN 9      # minimum password length of 9 characters
Risk: no visible risk
1.3 Disable superusers other than root
Check method:
# cat /etc/passwd    view the password file, whose lines have the following format:
login_name:password:user_ID:group_ID:comment:home_dir:command
login_name: user name
password: encrypted user password
user_ID: user ID (1 to 6000). If the user ID is 0, the user has superuser permissions. Check whether more than one account has ID 0.
group_ID: user group ID
comment: user's full name or other comments
home_dir: user's home directory
command: the command (login shell) executed after the user logs on
Backup method:
# cp -p /etc/passwd /etc/passwd_bak
Reinforcement method:
Use the command passwd -l <user name> to lock unnecessary superuser accounts.
Use the command passwd -u <user name> to unlock a superuser account that needs to be restored.
Risk: confirm with the administrator the purpose of each such superuser.
1.4 Restrict the users that can su to root
Check method:
# cat /etc/pam.d/su    check whether a configuration entry such as auth required /lib/security/pam_wheel.so exists
Backup method: # cp -p /etc/pam.d/su /etc/pam.d/su_bak
Reinforcement method:
# vi /etc/pam.d/su
Add at the top of the file:
auth required /lib/security/pam_wheel.so group=wheel
In this way, only users in the wheel group can su to root.
# usermod -G 10 test    add the user test to the wheel group (GID 10); note that -G replaces the user's existing supplementary groups, so use usermod -a -G wheel test to append instead
Risk: the PAM package must be supported, and the modification to the PAM file must be checked carefully: once an error occurs, users cannot log on to the system. Confirm with the administrator which users need su.
When a problem occurs during system verification, check the output in /var/log/messages or /var/log/secure to determine whether the user account is valid. If root cannot log on because of a PAM verification failure, the problem can only be fixed in single-user or rescue mode.
1.5 Check for empty-password accounts in shadow
Check method:
# awk -F: '($2 == "") {print}' /etc/shadow
Backup method: # cp -p /etc/shadow /etc/shadow_bak
Reinforcement method: lock each empty-password account or require a new password to be set.
Risk: check whether the empty-password account is used by an application and whether setting a password will prevent the application from connecting.
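An audit script added here as a worked example for sections 1.1, 1.3 and 1.5; it is not part of the original checklist. The three checks are plain awk over passwd/shadow-format files, run first against a constructed sample (the logins toor and svc and all hashes are invented) and then, by passing the real paths or the _bak copies, against the host.

```shell
#!/bin/sh
# Added audit helper for checklist sections 1.1, 1.3 and 1.5 (not from the original page).
# Every function takes file paths, so it can be tried against backup copies first.

# uid0_accounts PASSWD: logins whose UID field is 0 other than root (section 1.3)
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_accounts SHADOW: logins whose password field is empty (section 1.5)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# unlocked_pseudo_accounts PASSWD SHADOW: reserved pseudo accounts from section 1.1
# that still have an interactive shell and whose shadow entry is not locked ("!" or "*")
unlocked_pseudo_accounts() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
        $1 ~ /^(bin|sys|adm|uucp|lp|nuucp|hpdb|www|daemon)$/ &&
        $7 !~ /(nologin|false)$/ &&
        hash[$1] !~ /^[!*]/ { print $1 }' "$2" "$1"
}

# make_sample DIR: write a constructed passwd/shadow pair (names and hashes are invented)
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
svc:x:501:501:service account:/home/svc:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructedhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
adm:$1$constructedhash:18000:0:99999:7:::
toor:$6$constructedhash:18000:0:99999:7:::
svc::18000:0:99999:7:::
EOF
}

# Dry run on the sample; on a real host pass /etc/passwd_bak and /etc/shadow_bak instead
SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
echo "UID 0 accounts besides root:";          uid0_accounts "$SAMPLE/passwd"
echo "Accounts with an empty password:";      empty_password_accounts "$SAMPLE/shadow"
echo "Unlocked pseudo accounts with a shell:"; unlocked_pseudo_accounts "$SAMPLE/passwd" "$SAMPLE/shadow"
rm -rf "$SAMPLE"
```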
II. Minimal Services
2.1 Stop or disable services unrelated to the business service
Check method:
# who -r    or    # runlevel    view the current init level
# chkconfig --list    view the status of all services
Backup method: record the names of the services to be disabled
Reinforcement method:
# chkconfig --level <levels> <service name> on|off|reset    set whether the service is enabled at the given init levels
Risk: some applications require specific services; confirm with the administrator before disabling anything.
III. Data Access Control
3.1 Set reasonable initial file permissions
Check method:
# cat /etc/profile    view the umask value
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
umask 027
Risk: the default permissions of newly created files change. If the server runs a web application, change this setting with caution.
IV. Network Access Control
4.1 Use SSH for management
Check method:
# ps -aef | grep sshd    check whether the service is running
Backup method: none
Reinforcement method:
Use the following command to enable the ssh service
# service sshd start
Risk: changes the administrators' working habits
4.2 Set an access control policy to restrict the IP addresses that can manage the local machine
Check method:
# cat /etc/ssh/sshd_config    check for AllowUsers statements
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Reinforcement method:
# vi /etc/ssh/sshd_config    add the following statement
AllowUsers *@10.138.*.*    only allow users connecting from the 10.138.0.0/16 block to access the machine through ssh.
Save and restart the ssh service.
# service sshd restart
Risk: confirm with the administrator the IP segments from which the machine may be managed
4.3 Prohibit remote login by the root user
Check method:
# cat /etc/ssh/sshd_config    check whether PermitRootLogin is set to no
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Reinforcement method:
# vi /etc/ssh/sshd_config
PermitRootLogin no
Save and restart the ssh service.
# service sshd restart
Risk: root can no longer log on remotely; the administrator must log on with an ordinary account and then su to root
4.4 Restrict trusted hosts
Check method:
# cat /etc/hosts.equiv    view the trusted hosts
# cat $HOME/.rhosts
Backup method:
# cp -p /etc/hosts.equiv /etc/hosts.equiv_bak
# cp -p $HOME/.rhosts $HOME/.rhosts_bak
Reinforcement method:
# vi /etc/hosts.equiv    delete unnecessary hosts
# vi $HOME/.rhosts    delete unnecessary hosts
Risk: in a multi-host mutual backup environment, the trust entries for the other hosts' IP addresses must be kept.
4.5 Hide logon banner information
Check method:
# cat /etc/ssh/sshd_config    check whether the Banner field is absent from the file or set to NONE
# cat /etc/motd
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
# cp -p /etc/motd /etc/motd_bak
Reinforcement method:
# vi /etc/ssh/sshd_config
Banner NONE
# vi /etc/motd
Delete all content, or replace it with the content you want to show
Risk: no visible risk
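A worked example added here for sections 4.2, 4.3 and 4.5; it is not part of the original checklist. It reads the value sshd will actually honour for a directive (the first uncommented occurrence, so a commented-out default or a later duplicate does not count), and applies the three settings to a config file while keeping a _bak copy. The sample sshd_config is constructed; the AllowUsers pattern is the one from section 4.2.

```shell
#!/bin/sh
# Added example for checklist sections 4.2, 4.3 and 4.5 (not from the original page):
# read the value sshd will actually use for a directive, and apply the three settings
# to a config file while keeping a _bak copy as the checklist does.

# sshd_effective FILE DIRECTIVE: value of the first uncommented occurrence, which is the
# one sshd honours when a directive is repeated; prints "unset" when it is absent
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
            sub(/^[^[:space:]]+[[:space:]]+/, ""); print; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# sshd_harden FILE: set PermitRootLogin no, Banner NONE and the AllowUsers restriction
# from section 4.2, removing any existing lines first so no earlier duplicate can win
sshd_harden() {
    cp -p "$1" "${1}_bak"
    {
        grep -Eiv '^[[:space:]]*(PermitRootLogin|Banner|AllowUsers)[[:space:]]' "$1" || :
        printf '%s\n' 'PermitRootLogin no' 'Banner NONE' 'AllowUsers *@10.138.*.*'
    } > "$1.new" && mv "$1.new" "$1"
}

# make_sshd_sample FILE: constructed sshd_config with the weak settings the checklist targets
make_sshd_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
#PermitRootLogin no
PermitRootLogin yes
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

CFG=$(mktemp)
make_sshd_sample "$CFG"
for d in PermitRootLogin AllowUsers Banner; do
    echo "before: $d = $(sshd_effective "$CFG" "$d")"
done
sshd_harden "$CFG"
for d in PermitRootLogin AllowUsers Banner; do
    echo "after:  $d = $(sshd_effective "$CFG" "$d")"
done
rm -f "$CFG" "${CFG}_bak"
```

On a real host, validate the edited file with sshd -t -f /etc/ssh/sshd_config before running service sshd restart, and keep the current session open until a fresh login through the new policy succeeds.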
4.6 Prevent accidental use of Ctrl+Alt+Del to restart the system
Check method:
# cat /etc/inittab | grep ctrlaltdel    check whether the matching line is commented out
Backup method:
# cp -p /etc/inittab /etc/inittab_bak
Reinforcement method:
# vi /etc/inittab
Add the comment symbol "#" at the beginning of the line:
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Risk: no visible risk
V. User Identification
5.1 Set the number of logon failures and the lock time for account locking
Check method:
# cat /etc/pam.d/system-auth    check for an auth required pam_tally.so setting
Backup method:
# cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
Reinforcement method:
# vi /etc/pam.d/system-auth
auth required pam_tally.so onerr=fail deny=6 unlock_time=300    the account is locked after six consecutive wrong passwords; the lock lasts 300 seconds.
Unlock a user with faillog -u <user name> -r
Risk: the PAM package must be supported, and the modification to the PAM file must be checked carefully: once an error occurs, users cannot log on.
When a problem occurs during system verification, check the output in /var/log/messages or /var/log/secure to determine whether the user account is valid.
5.2 Modify the account TMOUT value to set the automatic logout time
Check method:
# cat /etc/profile    check for a TMOUT setting
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
Add
TMOUT=600    a shell with no activity for 600 seconds exits automatically
Risk: no visible risk
5.3 Grub/Lilo password
Check method:
# cat /etc/grub.conf | grep password    check whether a grub password is set
# cat /etc/lilo.conf | grep password    check whether a lilo password is set
Backup method:
# cp -p /etc/grub.conf /etc/grub.conf_bak
# cp -p /etc/lilo.conf /etc/lilo.conf_bak
Reinforcement method: set a password for grub or lilo
Risk: /etc/grub.conf is usually a symbolic link to /boot/grub/grub.conf
5.4 Restrict FTP logon
Check method:
# cat /etc/ftpusers    check which user names are listed; these users are not allowed to log on to the FTP service.
Backup method:
# cp -p /etc/ftpusers /etc/ftpusers_bak
Reinforcement method:
# vi /etc/ftpusers    add rows, one user name per row; each listed user is prohibited from logging on to the FTP service.
Risk: no visible risk
5.5 Set the number of commands retained in the bash history
Check method:
# cat /etc/profile | grep HISTSIZE=
# cat /etc/profile | grep HISTFILESIZE=    view the number of history commands retained
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
Modify to HISTSIZE=5 and HISTFILESIZE=5 to retain only the latest five commands.
Risk: no visible risk
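Sections 3.1, 5.2 and 5.5 all edit /etc/profile by hand. The script below is a worked example added here, not part of the original checklist: it applies those settings to a copy without stacking duplicate lines (a second umask or HISTSIZE line further down would silently override the first), keeps a single _bak of the untouched original, and reads back the values a login shell would get by sourcing the file in a subshell. The profile fragment is constructed.

```shell
#!/bin/sh
# Added example for checklist sections 3.1, 5.2 and 5.5 (not from the original page):
# apply the /etc/profile settings to a copy without creating duplicate lines, then read
# back the values a login shell would actually get by sourcing the file in a subshell.

# ensure_setting FILE REGEX LINE: delete every line matching REGEX and append LINE once;
# the _bak copy is made only the first time, so it always holds the untouched original
ensure_setting() {
    [ -f "${1}_bak" ] || cp -p "$1" "${1}_bak"
    { grep -Ev "$2" "$1" || :; printf '%s\n' "$3"; } > "$1.new" && mv "$1.new" "$1"
}

# effective FILE NAME: source FILE in a throwaway shell and print the resulting umask
# or variable value (use this on a copy; a real /etc/profile may have side effects)
effective() {
    if [ "$2" = umask ]; then ( . "$1" && umask )
    else ( . "$1" && eval "printf '%s\n' \"\$$2\"" ); fi
}

# make_profile_sample FILE: constructed fragment with the defaults the checklist changes
make_profile_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/profile
PATH=$PATH:/usr/local/bin
umask 022
HISTSIZE=1000
EOF
}

P=$(mktemp)
make_profile_sample "$P"
ensure_setting "$P" '^[[:space:]]*umask[[:space:]]'            'umask 027'        # section 3.1
ensure_setting "$P" '^[[:space:]]*(export[[:space:]]+)?TMOUT=' 'export TMOUT=600' # section 5.2
ensure_setting "$P" '^[[:space:]]*HISTSIZE='                   'HISTSIZE=5'       # section 5.5
ensure_setting "$P" '^[[:space:]]*HISTFILESIZE='               'HISTFILESIZE=5'
for k in umask TMOUT HISTSIZE HISTFILESIZE; do
    echo "$k -> $(effective "$P" "$k")"
done
rm -f "$P" "${P}_bak"
```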
VI. Audit Policy
6.1 Configure the system log policy configuration file
Check method:
# ps -aef | grep syslog    check whether syslog is running
# cat /etc/syslog.conf    check the syslogd configuration and check whether the log files exist
System log (default) /var/log/messages
Cron log (default) /var/log/cron
Security log (default) /var/log/secure
Backup method:
# cp -p /etc/syslog.conf /etc/syslog.conf_bak
6.2 Allocate reasonable storage space and retention time for audit data
Check method:
# cat /etc/logrotate.conf
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
Backup method:
# cp -p /etc/logrotate.conf /etc/logrotate.conf_bak
Reinforcement method:
# vi /etc/logrotate.d/syslog
Add
rotate 4    keep 4 rotated log files; when the 5th is generated, the oldest is deleted
size 100k    maximum size of each log file
After reinforcement, it should look similar to the following:
/var/log/syslog/*_log {
    missingok
    notifempty
    size 100k        # log files will be rotated when they grow bigger than 100k
    rotate 5         # will keep the logs for 5 weeks
    compress         # log files will be compressed
    sharedscripts
    postrotate
        /etc/init.d/syslog condrestart > /dev/null 2>&1 || true
    endscript
}