How can we maximize security? A tailored, targeted and proper choice of controls is the key. The following aspects are described in detail.
Control file attributes and permissions
Paying close attention to file attributes and permission settings is essential to ensure the integrity of the file system on the host.
The two special file-access permissions are SUID (4000 in octal) and SGID (2000 in octal). A file with one of these bits set runs with the privileges of its owner (SUID) or its owning group (SGID) when another user executes it. That is to say, if a program owned by root is set SUID, even a normal user runs it as root. Therefore, SUID/SGID files are a security risk.
SUID and SGID attack prevention:
1. Strictly review file permissions on the system. Find the files that use SUID/SGID, list them, and save the list so it can be compared against later. The commands are as follows (GNU find; older releases spelled the "any of these bits" test as -perm +6000, current releases use -perm /6000):
[root#] find / -type f -perm /6000 -ls | less
[root#] find / -type f -perm /6000 > Suid-Sgid.txt
2. Some programs must be set SUID; these can be managed centrally. However, SUID programs must never exist in a user's home directory.
3. Make sure that important SUID files cannot be written to by other users. The following command lists every world-writable object on the system (symbolic links excluded):
[root#] find / -perm -2 ! -type l -ls
4. For programs that do not absolutely need to be SUID, remove the bit or uninstall the program. For example:
[root#] chmod -s [program]
5. Search the system for all files that belong to no existing user or group. Such files are easily exploited to gain privileges on the host and pose a potential threat. The command is as follows:
[root#] find / -nouser -o -nogroup
6. Make good use of lsattr and chattr, the two ext2/3 file-attribute commands. This article mainly discusses the attributes a and i, because these two are of great benefit in improving the security of the file system and ensuring its integrity.
Append-only (a): the system only allows data to be appended to the file and does not allow any process to overwrite or truncate it. If a directory has this attribute, the system only allows files under it to be created and modified, and does not allow any file there to be deleted.
Immutable (i): the system does not allow any modification of the file. If a directory has this attribute, any process can only modify the files under the directory and cannot create or delete files there.
If the host is directly exposed to the Internet or sits in another dangerous environment (for example, other non-administrators can also access the server), or hosts many shell accounts or network services such as HTTP and FTP, run the following commands after installation and configuration are complete to protect these important directories:
[root#] chattr -R +i /bin /boot /etc /lib /sbin
[root#] chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin
[root#] chattr +a /var/log/messages /var/log/secure ......
If you rarely add, change, or delete accounts, setting the Immutable attribute on /home itself will not cause any problems.
In many cases the entire /usr directory tree should also be made immutable. In fact, besides running chattr -R +i /usr on the /usr directory, you can also use the ro option in /etc/fstab to mount the partition holding /usr read-only. Either way, package updates will fail until the attribute is removed (chattr -R -i /usr) or the partition is remounted read-write, so plan the maintenance window accordingly.
In addition, setting the system log files to Append-only makes it impossible for intruders to erase their traces, so that law enforcement personnel can collect and analyze the evidence. Note that log rotation can no longer rename or truncate such a file either, so the rotation job must clear the attribute before rotating and set it again afterwards.
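The checks from the numbered list above (SUID/SGID inventory with baseline comparison, world-writable and unowned files) and the attribute checks for the chattr section, collected into reusable shell functions. This is an added example, not code from the original article; it assumes GNU findutils and, for has_attr only, lsattr from e2fsprogs, and the baseline file name Suid-Sgid.txt is the one the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): audit helpers for the checks
# the article describes. Each function takes a directory argument so it can be
# run against a test tree as well as "/". Requires GNU findutils; lsattr
# (e2fsprogs) is only needed by has_attr.

# Regular files with SUID or SGID set. Modern find accepts -perm /6000; the
# two -perm - tests below are equivalent and work on older releases too.
audit_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# World-writable objects, ignoring symlinks and sticky directories like /tmp
# (the article's "find / -perm -2 ! -type l", minus the expected sticky dirs).
audit_world_writable() {
    find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Files owned by a UID or GID that no longer exists in passwd/group.
audit_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Compare the saved SUID/SGID baseline (Suid-Sgid.txt in the article) with a
# fresh listing; prints paths present now that were absent from the baseline.
# A new SUID binary appearing here is exactly what the saved list is for.
new_since_baseline() {
    baseline=$1; current=$2
    grep -vxF -f "$baseline" "$current" || true
}

# Return 0 if the ext2/3/4 attribute $2 ("i" immutable, "a" append-only) is
# set on $1. lsattr prints the flag string first, e.g. "----i--------e-- /etc".
has_attr() {
    flags=$(lsattr -d -- "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    case $flags in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Example run as root, so that find can read every directory:
#   audit_setuid / > Suid-Sgid.txt.new
#   new_since_baseline Suid-Sgid.txt Suid-Sgid.txt.new
#   has_attr /var/log/secure a || echo "/var/log/secure is not append-only"
```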