Common Linux Security Settings

Source: Internet
Author: User

User Management and User Permissions

1) Restrict root

echo "tty1" > /etc/securetty
chmod 700 /root

With only tty1 listed in /etc/securetty, pam_securetty lets root log in locally on that console alone. This does not affect SSH, whose PAM stack on CentOS does not include pam_securetty; restrict root over SSH with PermitRootLogin no in /etc/ssh/sshd_config.

2) Password policy

echo "Passwords expire every 180 days"
perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
echo "Passwords may only be changed once a day"
perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs

These substitutions only match the stock defaults (99999 and 0); on a file that has already been edited they silently change nothing, so check the result with grep PASS_ /etc/login.defs. The new limits apply to accounts created afterwards; use chage to adjust existing ones.

Use SHA-512 to hash passwords instead of MD5

authconfig --passalgo=sha512 --update

Existing hashes stay in their old format until each password is next changed; chage -d 0 username forces a change at the next login.

3) umask restrictions
Change umask to 077

perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
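The perl one-liners in steps 2 and 3 only match the stock defaults (PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, umask 002 or 022) and do nothing, silently, on a file that has already been edited. The following is an added example, not code from the original page, of an idempotent setter that rewrites whatever value is present, appends the key when it is missing, and writes back through the original inode so the owner and mode of the /etc file survive. The function names set_kv_setting and get_kv_setting and the sample login.defs and bashrc contents are constructed for the demonstration; the demo works on throw-away copies, never on the live files.

```shell
#!/bin/sh
# Added example: idempotent "KEY VALUE" setter for files such as
# /etc/login.defs and /etc/bashrc (names and sample content are constructed).

# set_kv_setting FILE KEY VALUE
# Rewrites the value on every line that starts with KEY (keeping indentation),
# or appends "KEY VALUE" when the key is absent. Writes back with cat > FILE
# so the inode, owner and mode of the target file are preserved.
set_kv_setting() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*${key}[[:space:]]+" "$file"; then
        tmp=$(mktemp)
        sed -E "s/^([[:space:]]*${key})[[:space:]]+[^[:space:]#]+/\1 ${value}/" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv_setting FILE KEY -> prints the last effective value of KEY (empty if unset)
get_kv_setting() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Demonstration on constructed copies (never on the live /etc files):
# a login.defs whose PASS_MAX_DAYS is already non-default, a missing
# PASS_MIN_LEN, and a bashrc fragment with two umask lines.
demo_hardening_setters() {
    d=$(mktemp -d)
    printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$d/login.defs"
    printf 'if [ $UID -gt 199 ]; then\n    umask 002\nelse\n    umask 022\nfi\n' > "$d/bashrc"

    set_kv_setting "$d/login.defs" PASS_MAX_DAYS 180
    set_kv_setting "$d/login.defs" PASS_MIN_DAYS 1
    set_kv_setting "$d/login.defs" PASS_MIN_LEN 9
    set_kv_setting "$d/bashrc" umask 077

    printf '%s %s %s %s\n' \
        "$(get_kv_setting "$d/login.defs" PASS_MAX_DAYS)" \
        "$(get_kv_setting "$d/login.defs" PASS_MIN_DAYS)" \
        "$(get_kv_setting "$d/login.defs" PASS_MIN_LEN)" \
        "$(get_kv_setting "$d/bashrc" umask)"
    rm -rf "$d"
}
```

Writing back with cat > FILE rather than sed -i matters on /etc: sed -i replaces the file with a new inode, which can drop hard links and, when run as a non-root user, ownership. Keep a copy of the original and compare with get_kv_setting before rolling the change out.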

4) Modify PAM

touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so per_user

password    requisite     pam_cracklib.so retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF

The module names had been garbled in the source; pam_env, pam_unix, pam_succeed_if, pam_tally2, pam_deny, pam_permit and pam_cracklib are restored from the stock authconfig-generated system-auth layout. pam_tally2 is placed ahead of pam_unix in the auth stack so that it counts every attempt, including the successful ones that a sufficient pam_unix would otherwise end the stack on. As the header says, authconfig overwrites this file, so run the authconfig command from step 2 before writing it, and expect any later authconfig --update to discard the changes.

/var/log/tallylog is the binary log in which pam_tally2 records authentication failures. Use pam_tally2 -u username to show a user's failure count and pam_tally2 --reset -u username to unlock the account.

5) Reclaim idle sessions

echo "Idle users will be logged out after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh

Append (>>) rather than overwrite, or the second echo erases the first line. TMOUT is honoured by bash (the shell exits after that many seconds without input at the prompt), so it does nothing for shells that ignore it; marking the variables readonly stops users from unsetting TMOUT or pointing HISTFILE at /dev/null in an interactive shell.

6) cron and at restrictions

echo "Locking down cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
# -x: match the whole name, so a user such as "nonroot" is not skipped
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/cron.deny
echo "Locking down at"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -vx root > /etc/at.deny

cron and at consult the allow file first: when /etc/cron.allow (or /etc/at.allow) exists, only the users listed in it may submit jobs and the deny file is not consulted at all. With an empty allow file the deny lists above are therefore redundant, though harmless; add the usernames that legitimately need crontab or at to the allow file. cronie, the cron shipped with CentOS 6, always allows root.

Delete special users and groups in the system

userdel username
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher

The deleted accounts are created by the installer but are rarely needed on a typical server, and unused system accounts are a common target for attackers. Before removing one, confirm nothing still depends on it (lp, for example, is used by CUPS, and find / -user lp lists the files it still owns) and stop any process still running as it.

groupdel username
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip

Similarly, the groups the installer created for these accounts are removed, which reduces the attack surface. groupdel refuses to remove a group that is still the primary group of an existing user, so delete the users first.

Service Management

Shut down services the system does not use:

chkconfig --level 35 apmd off
chkconfig --level 35 netfs off
chkconfig --level 35 yppasswdd off
chkconfig --level 35 ypserv off
chkconfig --level 35 dhcpd off
chkconfig --level 35 portmap off
chkconfig --level 35 lpd off
chkconfig --level 35 nfs off
chkconfig --level 35 sendmail off
chkconfig --level 35 snmpd off
chkconfig --level 35 rstatd off
chkconfig --level 35 atd off

chkconfig only changes what starts at boot in runlevels 3 and 5; check the result with chkconfig --list and stop the instances that are already running with service <name> stop.

Regularly update the system

Run yum -y update regularly; it can be added to a cron job.

SSH service security

Use key-based (certificate) authentication to log in instead of passwords. This is not covered in detail here; see http://www.centos.bz/2012/02/strengthen-ssh-security-login-with-certificate/

System File Permissions

Modify the execution permission of the init directory file

chmod -R 700 /etc/init.d/*

Remove the SUID and SGID bits from some system binaries

chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /bin/ping
chmod a-s /sbin/netreport

Stripping these bits removes functionality from non-root users: ping needs a raw socket, mount and umount are needed for user-mountable fstab entries, and chsh, chfn, gpasswd and newgrp let users change their own shell, GECOS field or group membership. Package updates reinstall the binaries with their original modes, so the bits come back after yum update; re-check them afterwards.
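Because package updates reinstall these binaries with their original modes, the bits stripped above return silently. The following added example, which is not code from the original page, records a baseline of setuid/setgid files once and later reports anything that is set*id but absent from the baseline, whether restored by an update or planted by an intruder. The function names list_suid_sgid and suid_baseline_diff and the throw-away directory the demo builds are constructed for the illustration.

```shell
#!/bin/sh
# Added example: baseline and re-check setuid/setgid files so bits restored
# by package updates (or planted by an intruder) are noticed.

# list_suid_sgid DIR -> sorted list of regular files with setuid or setgid set
list_suid_sgid() {
    # -perm /6000: any of the setuid (4000) or setgid (2000) bits is set;
    # -xdev keeps the walk on one filesystem
    find "$1" -xdev -type f -perm /6000 2>/dev/null | sort
}

# suid_baseline_diff DIR BASELINE -> files set*id now but absent from BASELINE
suid_baseline_diff() {
    # comm -13: suppress lines only in the baseline and lines in both,
    # leaving the new entries; both inputs are sorted by list_suid_sgid
    list_suid_sgid "$1" | comm -13 "$2" -
}

# Demonstration in a throw-away directory (constructed, not the real /bin):
# accept ping and mount, strip cat, record the baseline, then simulate an
# update restoring the bit on cat.
demo_suid_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    for f in ping mount cat; do : > "$d/bin/$f"; done
    chmod u+s "$d/bin/ping"
    chmod g+s "$d/bin/mount"
    chmod a-s "$d/bin/cat"                 # the hardening step
    list_suid_sgid "$d" > "$d/baseline"    # record what we accept
    chmod u+s "$d/bin/cat"                 # "package update" restores the bit
    suid_baseline_diff "$d" "$d/baseline" | sed "s|^$d||"
    rm -rf "$d"
}
```

In production, run list_suid_sgid / once after hardening, store the baseline off-host, and diff against it from cron after every update; on an RPM system, rpm -qf on each new entry tells you which package put the bit back.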

Modify the system boot file

chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf

The immutable flag also blocks kernel updates, which need to add a new entry to the GRUB configuration; remove it with chattr -i before updating the kernel and set it again afterwards.

Log Management

1. System boot log

dmesg
The dmesg command prints the kernel ring buffer, which after a boot holds the kernel's messages from that boot. The output is usually long, so pipe it into a pager (dmesg | less) or through grep.

2. system operation logs

A. Linux logs are stored in the /var/log directory.
Several log files there are maintained by the system itself, and other services and programs may also write their logs here. Most logs can be read only by root; if other users need to read a log, grant access through group ownership rather than making the file world-readable.
The names of common system log files and their descriptions are as follows:
lastlog: records each user's last successful login.
loginlog: records failed login attempts.
messages: messages written to the system console and generated by the syslog service.
utmp: records each user currently logged in.
utmpx: extended utmp.
wtmp: records the history of each user's logins and logouts; wtmpx is the extended wtmp.
vold.log: records errors with removable media.
xferlog: records FTP transfers.
sulog: records use of the su command.
acct: records the commands run by each user (process accounting).
aculog: records outbound automatic (modem) dial-outs.
Several of these (loginlog, utmpx, wtmpx, vold.log, sulog, aculog) are classic Unix and Solaris names; on a Linux distribution the login and su events go to syslog (/var/log/secure on RHEL-family systems) and command accounting needs the psacct package.
B./var/log/messages
messages is the core system log. It contains the boot messages from system start-up and status messages while the system runs; I/O errors, network errors and other system errors are recorded here, as are events such as a user switching to root with su (on RHEL-family systems, authentication events also go to /var/log/secure). If a service such as a DHCP server is running, its activity can be observed in this file. In general, /var/log/messages is the first file to look at when troubleshooting.
C./var/log/XFree86.0.log
This log records the last run of the XFree86 X server. If the system fails to start in graphical mode, the cause of the failure can usually be found in this file.
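The log section points at /var/log/messages for troubleshooting; on RHEL/CentOS, authentication events from sshd, su and PAM land in /var/log/secure instead, and that is the file to mine for attack activity. As an added example that is not part of the original page, the following counts failed SSH password attempts per source address over a few constructed log lines in sshd's format. The function names failed_ssh_by_ip and top_failed_ssh_source and the sample lines (which use RFC 5737 documentation addresses) are made up for the demonstration.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source IP.
# Input format is the one sshd writes to /var/log/secure on RHEL/CentOS.

# failed_ssh_by_ip < logfile -> "count ip" lines, most frequent first
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             # the source address is the field after "from", whether or not
             # the line carries the "invalid user" prefix
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) printf "%d %s\n", c[ip], ip }' | sort -rn
}

# Constructed sample lines (not from a real host); 203.0.113.5 fails twice,
# 198.51.100.9 once, and the successful key login must be ignored.
SAMPLE_SECURE_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 10:01:09 host sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
Mar  3 10:01:12 host sshd[1241]: Failed password for root from 198.51.100.9 port 40020 ssh2'

# top_failed_ssh_source -> the single busiest offender from the sample
top_failed_ssh_source() {
    printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_ssh_by_ip | head -n 1
}
```

Against a live host, run failed_ssh_by_ip < /var/log/secure; addresses that recur across rotations are candidates for the hosts.deny or iptables rules described below.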

Use TCP_WRAPPERS for network security

TCP wrappers (tcpd and libwrap) protect wrapped network services from unauthorised hosts. The simplest sound policy is to deny every host in /etc/hosts.deny (add "ALL: ALL@ALL, PARANOID") and then list only the allowed hosts in /etc/hosts.allow.
Step 1:
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following line:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
hosts.allow is consulted first, so this blocks every wrapped service for every client that does not match an entry in hosts.allow. The PARANOID wildcard additionally rejects clients whose host name does not resolve back to their address.
Step 2:
Edit the hosts.allow file (vi /etc/hosts.allow) and add the hosts allowed to reach each service.
For example:
ftp: 202.54.15.99 foo.com
202.54.15.99 and foo.com are the IP address and host name allowed to reach the ftp service. The daemon field must be the name of the server process as it is executed (for example vsftpd or in.ftpd), and only daemons started through tcpd or linked against libwrap honour these files; anything else has to be protected by the firewall rules below.
Step 3:
tcpdchk is the tcpd wrapper configuration checker. It reads hosts.allow and hosts.deny and reports potential and actual problems it finds. After editing the files, run:
[root@kapil /]# tcpdchk

Use iptables Firewall

Not covered in detail here; see http://www.centoscn.com/CentosSecurity/CentosSafe/2013/0801/854.html
