CentOS system simple security reinforcement Solution

Source: Internet
Author: User
Tags: account security


When discussing the management and security of Linux accounts, two files are always involved: /etc/passwd and /etc/shadow.
This article analyzes the content of these two files in plain terms and provides some practical security reinforcement measures.

Note: This article will be updated continuously; subsequent content will be added directly, in the hope of staying close to the needs of people working in real operations and maintenance environments.

Delete or lock built-in user accounts and group accounts in the system

Some built-in accounts in the system make intrusion easier, because they expand the attack surface of the system. You can delete, lock, or comment out these accounts to reinforce account security.

The operation involves the following files:

/etc/passwd

/etc/shadow

/etc/group

Before making changes, back up the three files above and keep copies on removable or remote storage, such as USB flash drives, portable hard disks, or network cloud storage. If the system later encounters an account-related fault, replace the damaged file with the copy to restore it:

[root@centos6-5vm desktop]# mkdir /backup
[root@centos6-5vm desktop]# cp -p /etc/passwd /backup/passwd_backup
[root@centos6-5vm desktop]# cp -p /etc/shadow /backup/shadow_backup
[root@centos6-5vm desktop]# cp -p /etc/group /backup/group_backup

Then move the three copies from the /backup/ directory of the local file system to the storage media mentioned above. Remember not to put all your eggs in one basket.

Subsequent modifications are made to the original files. When you need to restore a file from its copy, perform the following operations:

[root@centos6-5vm desktop]# mv /backup/passwd_backup /etc/passwd
[root@centos6-5vm desktop]# mv /backup/shadow_backup /etc/shadow
[root@centos6-5vm desktop]# mv /backup/group_backup /etc/group

This replaces the incorrectly configured original file with the backup copy.

With this safety net in place, we can continue with the security settings related to user accounts:

Delete in batch the users listed in rows 4 to 10 of the passwd file, which are rarely used:

[root@centos6-5vm desktop]# for i in adm lp sync shutdown halt mail uucp operator games gopher ftp; do userdel $i; done

The last account in the list is ftp. If you need to set up an FTP server later, such as vsftpd, keep this account and do not delete it.

To delete redundant groups from the group file in batches, use a one-line shell loop similar to the one above:

[root@centos6-5vm desktop]# for i in adm lp mail news uucp games dip pppusers popusers slipusers; do groupdel $i; done

Note: depending on your system environment, some of these users and groups may not exist in the first place. The lists above include every user and group that may exist and is a candidate for deletion.

If you prefer not to delete these users and groups (restoring them from the backup files when necessary), you can instead comment them out in the original files or lock the accounts. Commenting out needs no further explanation; locking is done as follows:

Lock: passwd -l [user name]

Unlock: passwd -u [user name]

You can also substitute this command for the userdel command in the earlier shell loop to lock or unlock accounts in batch.

Finally, an account in the locked state shows !! in the second column of the shadow file, which indicates that it is locked; it can log on to the system again only after being unlocked.

In addition, only the superuser (root) has permission to perform the lock and unlock operations.
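As an added example (not from the original article), the following POSIX shell helpers implement the backup, "does this account exist" check and lock-state verification steps described above. They take explicit file paths so they can be tried against constructed copies of passwd, shadow and group rather than the live /etc files; on a real host you would point them at /etc and /backup and run them as root.

```shell
#!/bin/sh
# Added example, not from the original article. All paths are parameters so
# the functions can be exercised on constructed copies instead of /etc.

# backup_account_files SRC_DIR DEST_DIR: copy passwd, shadow and group into
# DEST_DIR as *_backup, keeping owner and mode (cp -p), and verify each copy.
backup_account_files() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    for f in passwd shadow group; do
        cp -p "$src/$f" "$dest/${f}_backup" || return 1
        cmp -s "$src/$f" "$dest/${f}_backup" || return 1
    done
}

# existing_users PASSWD_FILE NAME...: print only the names present in the
# file, so a batch userdel / passwd -l loop skips accounts the system never had.
existing_users() {
    pw=$1; shift
    for u in "$@"; do
        grep -q "^$u:" "$pw" && echo "$u"
    done
    return 0
}

# lock_state SHADOW_FILE USER: report "USER locked" when the second (hash)
# field starts with '!' (passwd -l) or '!!' / '*', otherwise "USER unlocked".
lock_state() {
    awk -F: -v user="$2" '$1 == user {
        state = ($2 ~ /^[!*]/) ? "locked" : "unlocked"
        print user, state
    }' "$1"
}

# Demo with constructed sample files (not real account data) in a temp dir.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nadm:x:3:4:adm:/var/adm:/sbin/nologin\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n' > "$d/passwd"
    printf 'root:$6$samplehash:16000:0:99999:7:::\nadm:!!:16000:0:99999:7:::\nftp:!$6$samplehash:16000:0:99999:7:::\n' > "$d/shadow"
    printf 'root:x:0:\nadm:x:4:\nftp:x:50:\n' > "$d/group"
    backup_account_files "$d" "$d/backup" && echo "backup verified"
    existing_users "$d/passwd" adm lp sync ftp games   # prints adm and ftp
    for u in root adm ftp; do lock_state "$d/shadow" "$u"; done
    rm -rf "$d"
}
demo
```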

Disable SELinux

If you left SELinux "enabled" or "enforcing" when first installing the system, you can disable it as follows:

[root@centos6-5vm desktop]# ls -ail /etc/selinux/config
262465 -rw-r--r--. 1 root root 458 Jun 25 16:58 /etc/selinux/config
[root@centos6-5vm desktop]# vim /etc/selinux/config

Set the value on the SELINUX= line to disabled, then save and exit vim. The setting takes effect permanently after the system is restarted.

If you do not want to modify /etc/selinux/config, or the change must take effect immediately without a restart (restarting is not an option), execute the following command. It sets SELinux to Permissive mode, which is equivalent to temporarily disabling it:

[root@centos6-5vm desktop]# setenforce 0

To re-enable SELinux temporarily (set it to Enforcing mode), run the following command:

[root@centos6-5vm desktop]# setenforce 1

Another method is to append selinux=0 to the kernel startup parameters in GRUB (the boot loader).

Modify Kernel Parameters to Reinforce the System

By default, when another machine sends ICMP echo requests (ping), CentOS replies with ICMP echo responses. This can pose a security risk: a malicious attacker can use the ping reply to determine whether the target is online and then proceed to port scans and other attacks.

Therefore we modify the TCP/IP stack parameters of the Linux kernel so that the host stops returning ICMP echo responses to other machines, which mitigates the blind-ping step of host discovery. Why this is only "mitigation" is explained later.

Modify the configuration file:

[root@centos6-5 desktop]# vim /etc/sysctl.conf

Add the following content to the file:

net.ipv4.icmp_echo_ignore_all = 1

As the comment on the first line of the file explains, a value of 1 activates a feature and a value of 0 disables it. The line above activates the "ignore all remote ICMP echo requests" feature.

Modifying the configuration file alone takes effect only after the system is restarted. However, servers in a production environment cannot be restarted at will: a restart interrupts service and may even lose data that users have already sent.

Therefore, use the following command to make the changes in the configuration file take effect immediately:

[root@centos6-5 desktop]# sysctl -p

Next, verify that the parameter is effective. Although the test is performed on a virtual machine, the result is no different from that on a physical machine.

The IP address of the CentOS machine is 192.168.1.20.

The IP address of the Windows XP host that sends the ping packets is 192.168.1.30.

All four ping packets sent by Windows XP return "request timed out", a packet loss rate of 100%.

Then the same test is performed from the well-known BackTrack 5 penetration-testing platform:

Of course, any slightly experienced penetration tester or hacker will not rely on a ping from BT5, because it does not correctly reflect the security of the target machine. On the contrary, the widely used Nmap reveals that the security level of the target machine still needs to be enhanced:

The example above is only a reference; you should get a similar picture.

Also, when enabling or disabling kernel parameters in /etc/sysctl.conf, do not do it by commenting lines in or out, because restarting the system to apply them is troublesome. The recommended method for this file is to set the value to 0 or 1, save and exit vim, and run sysctl -p so the configuration takes effect immediately. The change made above is an example of this.
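The following is an added example (not from the original article) of editing a sysctl.conf-style file the way the text recommends: the active value is rewritten in place (a line that was left commented out is reactivated) instead of being toggled by commenting, and the result can be read back. The file and key are parameters so the helpers can be exercised on a constructed copy; on a real host the call would be set_sysctl_value /etc/sysctl.conf net.ipv4.icmp_echo_ignore_all 1 followed by sysctl -p, and the same helper applies to tcp_fin_timeout later on.

```shell
#!/bin/sh
# Added example, not from the original article; FILE and KEY are parameters so the helpers run on a constructed copy.

# set_sysctl_value FILE KEY VALUE: rewrite any existing "KEY = ..." line,
# including one that was commented out, as "KEY = VALUE"; append if absent.
set_sysctl_value() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t#]*/, "", line)
            n = split(line, a, "="); name = a[1]; gsub(/[ \t]/, "", name)
            if (n >= 2 && name == k) {
                if (!done) { print k " = " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sysctl_value FILE KEY: print the value on the active (uncommented) line.
get_sysctl_value() {
    awk -F= -v k="$2" '
        $1 !~ /^[ \t]*#/ { gsub(/[ \t]/, "", $1)
            if ($1 == k) { gsub(/[ \t]/, "", $2); print $2 } }
    ' "$1"
}

# live_value KEY [ROOT]: the running kernel's value, read from /proc/sys the
# same way `sysctl -n KEY` does (dots in the key become path separators).
live_value() {
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# Demo on a constructed sysctl.conf fragment (sample content, not a real host).
demo() {
    f=$(mktemp)
    printf '# Kernel sysctl configuration file\nnet.ipv4.ip_forward = 0\n# net.ipv4.icmp_echo_ignore_all = 0\n' > "$f"
    set_sysctl_value "$f" net.ipv4.icmp_echo_ignore_all 1
    set_sysctl_value "$f" net.ipv4.tcp_fin_timeout 30
    cat "$f"                                            # one active line per key
    get_sysctl_value "$f" net.ipv4.icmp_echo_ignore_all # prints 1
    live_value net.ipv4.icmp_echo_ignore_all || echo "live value not readable here"
    rm -f "$f"
}
demo
```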

Continuing the previous topic: when the firewall is not enabled, /etc/sysctl.conf only gains one parameter that stops the local machine from responding to remote ping packets, so an attacker can still enumerate service versions with an Nmap port scan.

Therefore, you must enable the iptables firewall of CentOS 6.5.

As shown below, as long as iptables is enabled and its default rule set is applied to inbound requests that try to connect to the sockets of locally listening service ports, an nmap scan obtains no usable information, even though the corresponding services are not disabled:

First, the Nmap scan results show that TCP ports 111, 443, 902 and others, with their corresponding services, are open on the local machine (see above). Confirm this with lsof and the netstat command:

[root@centos6-5 desktop]# lsof -i :111
[root@centos6-5 desktop]# netstat -antupeo | grep 111
[root@centos6-5 desktop]# lsof -i :902
[root@centos6-5 desktop]# netstat -antupeo | grep 902
[root@centos6-5 desktop]# lsof -i :443

Note that we do not use service [service] stop, or

ps -ef | grep [PID] and kill -9 [PID]

or similar commands to close the services and ports; instead we directly start the iptables firewall:

The iptables rules are not modified. With the default policy in place, the various nmap probe packets based on TCP segment flags are blocked:

For Linux hosts directly exposed to the Internet that provide specific services to users (HTTP/S, FTP, etc.), a correct, robust and maintainable iptables firewall policy is critical.

However, most organizations place routers with built-in firewalls (for example Cisco IOS firewalls, ASA and PIX firewalls, hardware firewalls from other vendors, and hardware load balancers) in front of the servers for public access, and additionally carve out a DMZ (demilitarized zone) to isolate machines from the intranet and set security levels between zones. With all these reinforcement measures, enabling iptables on the Linux hosts becomes redundant (unless the intranet has already been penetrated, in which case iptables can hinder an attacker's lateral privilege-escalation intrusion), and it also affects server performance. Therefore we recommend disabling it with the following command:

[root@centos6-5 desktop]# service iptables stop && chkconfig --level 2345 iptables off


After the system is restarted, whether it enters multi-user mode with X Window or the shell-terminal multi-user mode, iptables does not start.

You can add the following kernel parameters to /etc/sysctl.conf. Some of them have not been tested, so use them with caution. Some of the interpretations of these parameters are taken from articles widely reproduced on the Internet; we assume no legal liability for any misuse, including but not limited to business losses or data loss.

For background on the specific parameter explanations, refer to this blog:

http://shayi1983.blog.51cto.com/4681835/1434989

We recommend performance and benchmark testing of these parameters in a virtual machine environment first, evaluating them carefully before adding them to a production server:

net.ipv4.tcp_fin_timeout = 30

# When the local end (the sender) sends a TCP segment with the FIN flag to request closing the connection, but the peer (the receiver) still has data to send to it, the sender must keep the socket used to receive data from the peer open for a while (the TCP finite state machine stays in FIN-WAIT-2, that is, the half-closed state). This parameter sets that time to 30 seconds; after the timeout, the sender closes the connection and any data still in transit from the peer is lost.

For a mail server, 30 seconds is an appropriate value: at that point the server must close the connection, the client usually has no more data to send, and the server must serve many clients concurrently, so at the kernel level each client is given only 30 seconds to deal with unsent packets.

There are many more kernel parameters related to network security and system tuning, which will be introduced later. As O&M personnel, fully understanding how these low-level system parameters affect your application-layer business, user experience, and the high availability, stability and security of servers is undoubtedly a great help in improving core competitiveness.
