Experience sharing of Linux server operation and maintenance security policy

Source: Internet
Author: User
Tags: system log, account security, root access

http://jxtm.jzu.cn/?p=3692

Hello everyone, I am South Africa Ant. The topic I am sharing today is experience with security policy for operating and maintaining online Linux servers. Security is a perennial topic in the IT industry. The earlier "PRISM" incident exposed a great many security problems, and dealing with information security has become urgent. As operations personnel we therefore need to know a set of secure operation and maintenance guidelines. To protect your own business, first think from the attacker's perspective, then fix every potential threat and vulnerability you find. Today's talk is divided into five parts: account and login security, remote access and authentication security, file system security, backdoor (rootkit) intrusion detection, and handling a server after it has been attacked.

Account and login security

Account security is the first barrier of system security and also its core. Securing the login accounts raises the security level of the server to a certain extent. The following focuses on how to secure login accounts on a Linux system.

1. Delete special accounts and account groups

Linux provides a variety of system accounts with different roles, and after installation many users and groups that a given server does not need are present by default. Remove (or lock) any you do not use as soon as you have confirmed they are unused: every extra account is another credential an attacker can guess, reuse or hide behind, so the fewer accounts the system has, the smaller its attack surface.

The default users and groups that can usually be removed from a Linux system are roughly the following:

Users that can be deleted: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher.

Groups that can be deleted: adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers.

This list reflects the defaults of Red Hat style distributions of the time. Check which of these accounts actually exist on your system, and before deleting one make sure no file or running service belongs to it; a locked account with a nologin shell is the safe fallback when you are unsure.
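As an added example (not part of the original article), the following script checks which of the accounts listed above actually exist in a passwd file and prints the administrative commands that would remove or lock each one. The passwd file and the directory tree to search for owned files are parameters so it can be tried against copies; the account names are the article's list. Note that userdel -r is deliberately avoided: several of these accounts have /sbin or even /root as their home directory, which userdel -r would try to delete.

```sh
#!/bin/sh
# Added example: plan the cleanup of unused default accounts.
# The list of candidate accounts is the one given in the article above.
REMOVABLE_USERS="adm lp sync shutdown halt news uucp operator games gopher"

# Print "name uid home" for each candidate account present in the passwd file
# (default /etc/passwd). The login name must match field 1 exactly.
present_removable_users() {
    passwd_file=${1:-/etc/passwd}
    for u in $REMOVABLE_USERS; do
        awk -F: -v u="$u" '$1 == u { print $1, $3, $6; exit }' "$passwd_file"
    done
}

# For every present account, decide between deleting and locking.
#  - If nothing under $root is owned by the account's uid, it can be deleted.
#    userdel is emitted WITHOUT -r: sync/shutdown/halt live in /sbin and
#    operator in /root, shared system directories that -r would remove.
#  - If files are still owned by it, emit a lock instead (disable the password
#    and set a nologin shell) and leave the files for review.
plan_account_cleanup() {
    passwd_file=${1:-/etc/passwd}; root=${2:-/}
    present_removable_users "$passwd_file" | while read -r u uid home; do
        n=$(find "$root" -xdev -uid "$uid" 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -eq 0 ]; then
            printf 'userdel %s   # home %s left in place\n' "$u" "$home"
        else
            printf '# %s (uid %s) still owns %s file(s) under %s: lock rather than delete\n' \
                "$u" "$uid" "$n" "$root"
            printf 'usermod -L -s /sbin/nologin %s\n' "$u"
        fi
    done
}

# Typical use on the server itself (prints the plan; review it, then run it):
#   plan_account_cleanup /etc/passwd /
```

Run the script first without applying anything, read the plan, and only then execute the commands it printed; the same approach (check for owned files, then delete or lock) applies to the groups in the list with groupdel.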

2. Shut down services the system does not need

After installation, Linux starts many services by default that a given server has no use for. For a server, the more services that run, the larger the attack surface, and the fewer that run, the better its security, so closing unnecessary services helps a great deal. Which services can be closed depends on the purpose of the server; as a rule, any service that neither the system itself nor the server's workload uses is unnecessary. For example, if a Linux server serves only WWW applications, everything except httpd and the services the operating system itself requires can be turned off. The following services are generally not required and can be considered for shutdown: anacron, auditd, autofs, avahi-daemon, avahi-dnsconfd, bluetooth, cpuspeed, firstboot, gpm, haldaemon, hidd, ip6tables, ipsec, isdn, lpd, mcstrans, messagebus, netfs, nfs, nfslock, nscd, pcscd, portmap, readahead_early, restorecond, rpcgssd, rpcidmapd, rstatd, sendmail, setroubleshoot, yppasswdd, ypserv.

Treat this list as a starting point for a RHEL/CentOS 5 or 6 style system rather than a rule. In particular, auditd provides the kernel audit trail you will want when investigating an incident, and ip6tables is the IPv6 firewall; disable those only after deciding consciously that you do not need them. The sound approach is an allow-list: write down the services this server must run, and turn off everything else.

3. Prefer key authentication to password authentication

Under Linux there are two authentication methods for remote login: password authentication and key authentication. Password authentication is the traditional approach. The usual advice for choosing a password is: at least 6 characters (longer is better), mixing digits, letters, underscores and other special symbols. A reasonably complex password does improve security to a degree, but it still faces problems such as brute-force guessing, leakage and loss, and a very complex password is also a burden on day-to-day operations work. Key authentication works differently: the public key is stored on the remote server and the private key is kept locally. When you log in, the local private key is checked against the server's public key, and the login succeeds only if they pair. Because the server never receives a password, this method removes the brute-force risk, and as long as the local private key is not compromised an attacker generally cannot get in through key authentication. Note that the brute-force risk only disappears if password authentication is actually switched off on the server; otherwise an attacker can simply ignore the keys and keep guessing passwords. It is therefore recommended to log in to Linux systems with key authentication and to discard the weaknesses of password login. Linux servers are generally maintained remotely through tools such as SecureCRT, PuTTY and Xshell; with SecureCRT, key authentication is set up between the client software and the SSH service on the Linux system.
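As an added example, not part of the original article, here is a small audit of sshd_config for the settings that make key-only login effective. The list of directives and required values is an assumption about a typical OpenSSH server; the file path is a parameter so the script can be pointed at a copy.

```sh
#!/bin/sh
# Added example: audit an sshd_config for key-only login.

# Print the effective value of a directive in an sshd_config file.
# sshd honours the first occurrence of a directive and ignores comments, so
# only the first non-comment match is printed (directive names are
# case-insensitive). An empty result means the directive is not set.
sshd_setting() {
    cfg=$1; name=$2
    awk -v n="$name" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(n) { print $2; exit }
    ' "$cfg"
}

# Compare each directive with the value key-only login requires. One line per
# problem: "Directive: got <value or <unset>>, want <value>". Returns 0 only
# when every directive is as required.
#  - PasswordAuthentication no      : no password prompts over SSH
#  - ChallengeResponseAuthentication no : PAM keyboard-interactive would
#                                     otherwise still accept passwords
#  - PubkeyAuthentication yes       : keys must be accepted
#  - PermitRootLogin no             : log in as a user, escalate with sudo
sshd_audit() {
    cfg=$1; problems=0
    for pair in \
        "PasswordAuthentication=no" \
        "ChallengeResponseAuthentication=no" \
        "PubkeyAuthentication=yes" \
        "PermitRootLogin=no"
    do
        name=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$cfg" "$name")
        if [ "$got" != "$want" ]; then
            printf '%s: got %s, want %s\n' "$name" "${got:-<unset>}" "$want"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# On the server: sshd_audit /etc/ssh/sshd_config
```

After editing /etc/ssh/sshd_config so that the audit passes, check the syntax with sshd -t, restart sshd, and keep your existing session open until a fresh key-based login has succeeded; on an older system also make sure Protocol 2 is set, since SSH protocol 1 is broken.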

4. Use su and sudo sensibly

su: su is the tool for switching users, most often from an ordinary user to the superuser, although it can also switch from the superuser to an ordinary user. To keep the server secure, almost all servers forbid the superuser from logging in directly; instead you log in as an ordinary user and then switch to the superuser with su to perform the work that needs superuser privilege. su is convenient for administration, but it has an unsafe side. Suppose the system has 10 ordinary users who each need to perform some privileged operations: all 10 must be given the superuser password, and once they have it each of them can do anything on the system, which weakens its security. So when many people take part in administering a system, su is not the best choice; the superuser password should stay in as few hands as possible, and this is where sudo comes in.

sudo: sudo lets the system administrator delegate some reasonable "rights" to ordinary users without giving them the superuser password, so that they can perform tasks that otherwise only the superuser or another privileged user could, for example restarting a system service or editing a system configuration file. This reduces both the number of superuser logins and the time spent managing them, and it improves security. Compared with the unrestricted su, sudo is relatively secure, which is why it is also called the restricted su; and because it requires prior authorisation it is also called the authenticated su.

When sudo executes a command it switches the current user to the superuser (or to a specified user), runs the command as that user, and returns to the current user as soon as the command finishes. All of this is authorised through sudo's configuration file, /etc/sudoers.

The design goal of sudo is to give users the fewest privileges that still let them do their work, which combines security with ease of use. It is therefore highly recommended to manage account security through sudo: allow only ordinary users to log in to the system, and when they need special privileges grant them by configuring /etc/sudoers (always edit it with visudo, which checks the syntax before saving; a syntax error in /etc/sudoers can lock everyone out of sudo). This is the basic approach to account security management on a multi-user system.
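As an added example that is not part of the original article, the following script writes a sudoers drop-in giving a hypothetical "ops" group exactly the two rights mentioned above (restarting the web service and editing its configuration) and nothing more, then validates it. The group name, command paths and target file name are assumptions.

```sh
#!/bin/sh
# Added example: a least-privilege sudoers fragment and its installation check.

# Print the fragment. Design notes:
#  - sudoedit, not "vi", is granted for editing: the editor runs as the
#    calling user, so a shell escape from the editor does not yield root.
#  - Commands carry absolute paths and exact arguments where they matter,
#    so "service httpd restart" is allowed but "service sshd stop" is not.
#  - No NOPASSWD and no "!" exclusion rules: negated rules are bypassed by
#    copying or renaming a binary, so an explicit allow-list is used instead.
sudoers_fragment() {
    cat <<'EOF'
# Drop-in for the ops group: least privilege for routine web server maintenance.
Cmnd_Alias WEB_RESTART = /sbin/service httpd restart, /sbin/service httpd reload
Cmnd_Alias WEB_EDIT    = sudoedit /etc/httpd/conf/httpd.conf, sudoedit /etc/httpd/conf.d/*
Defaults   logfile=/var/log/sudo.log
%ops ALL = (root) WEB_RESTART, WEB_EDIT
EOF
}

# Write the fragment to a path with the mode sudo requires, then check it with
# visudo -c when visudo is available (it is absent on most build machines, so
# that step is skipped there). sudo only reads files in /etc/sudoers.d that are
# mode 0440 and whose names contain no "." or "~", so the real target would be
# something like /etc/sudoers.d/ops.
install_sudoers_fragment() {
    target=$1
    sudoers_fragment > "$target"
    chmod 0440 "$target"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$target" >/dev/null 2>&1 || { echo "visudo rejected $target" >&2; return 1; }
    fi
}

# On the server: install_sudoers_fragment /etc/sudoers.d/ops
```

Everything a member of ops runs this way is recorded in /var/log/sudo.log, which is exactly the accountability that handing out the root password for su cannot give.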

5. Delete the system login welcome information

Some of the system's welcome and version information is convenient for the administrator, but it can also be used by an attacker as an aid in attacking the server. To keep the system secure you can modify or delete the content of four files: /etc/issue, /etc/issue.net, /etc/redhat-release and /etc/motd.

/etc/issue and /etc/issue.net both record the operating system name and version number. When a user logs in from a local terminal or virtual console, the contents of /etc/issue are shown before the login prompt. /etc/issue.net is the equivalent for network logins: Telnet shows it before login, and sshd shows it before authentication if the line Banner /etc/issue.net is added to /etc/ssh/sshd_config (by default sshd shows no banner). Because these prompts leak system information before the user has even authenticated, it is recommended to delete or rewrite them.

/etc/redhat-release also records the operating system name and version. For security reasons its contents can be cleared, but weigh that against the fact that some installation and management scripts read this file, and that it is only readable once someone is already logged in.

/etc/motd holds the system announcement. Every time a user logs in, its contents are displayed on the terminal, so the administrator can use it to announce software or hardware upgrades, system maintenance and similar notices. Its most useful role from a security standpoint is to carry a warning: an intruder who logs in sees the warning, which has a certain deterrent effect. The author recalls a foreign report in which an intruder who broke into a server could not be convicted because the server's login message had "welcomed" them.
Remote access and authentication security

1. Cancel Telnet for remote login and use SSH

Telnet is an ancient remote login service that transmits passwords and data in plaintext over the network, so anyone with ill intent can easily intercept them. Its authentication is also extremely weak, and an attacker can easily feed false information to the server. Telnet has now essentially been abandoned; remote login to servers is done through the SSH service instead.

2. Make sensible use of the shell history log

Under Linux the history command shows all of a user's past commands, and by default the shell saves them in the .bash_history file in the user's home directory. This history helps operations staff with audits and troubleshooting, and after a server has been compromised it can reveal the commands an intruder ran after logging in. Intruders who want to cover their tracks may however delete .bash_history, or simply switch history off for their own session, so the file must be protected and backed up, and it should be treated as an aid rather than a reliable audit log (the kernel audit system or process accounting is needed for that).

3. Enable the tcp_wrappers firewall

tcp_wrappers is a host-based access control layer for network services: a service linked against it (or started through inetd/xinetd) consults /etc/hosts.allow and /etc/hosts.deny and accepts or refuses each connection according to the client address. It is installed by default on Linux. Linux can thus be thought of as having two layers of firewall: the first is iptables, which filters at the IP packet level and blocks many malicious connections before they reach any program; a connection that passes iptables then meets the second layer, tcp_wrappers.
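As an added example (not from the original article), the script below evaluates hosts.allow and hosts.deny rules the way tcp_wrappers does, so a rule set can be checked against constructed files before it is deployed. It handles the common subset of the syntax (daemon_list : client_list, ALL, exact hosts or addresses, and network prefixes ending in a dot); EXCEPT, netmask forms and option fields are not supported. The file paths are parameters and the sample rules are constructed.

```sh
#!/bin/sh
# Added example: evaluate tcp_wrappers access decisions offline.

# Does one client pattern match the client address?
# ALL matches anything; a pattern ending in "." is a network prefix
# (e.g. "192.168.1." covers 192.168.1.0/24); anything else must match exactly.
client_matches() {
    pattern=$1; client=$2
    case $pattern in
        ALL) return 0 ;;
        *.)  case $client in "$pattern"*) return 0 ;; esac ;;
        *)   [ "$pattern" = "$client" ] && return 0 ;;
    esac
    return 1
}

# Does any rule in the file match daemon + client? Rules are
# "daemon_list : client_list"; list items are separated by commas and/or
# blanks; blank lines and "#" comments are ignored.
rules_match() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
    while IFS=: read -r daemons clients _; do
        matched_daemon=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then matched_daemon=0; break; fi
        done
        [ $matched_daemon -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if client_matches "$c" "$client"; then echo match; break; fi
        done
    done | grep -q match
}

# The decision order tcp_wrappers uses: hosts.allow is consulted first and a
# match there wins; then hosts.deny; a connection matching NEITHER file is
# allowed. That default is why a deny-by-default setup needs "ALL: ALL" in
# hosts.deny, with the permitted daemons and networks listed in hosts.allow.
tcpd_decision() {
    allow_file=$1; deny_file=$2; daemon=$3; client=$4
    if rules_match "$allow_file" "$daemon" "$client"; then echo allow
    elif rules_match "$deny_file" "$daemon" "$client"; then echo deny
    else echo allow
    fi
}

# Example: tcpd_decision /etc/hosts.allow /etc/hosts.deny sshd 203.0.113.9
```

Remember that tcp_wrappers only protects services that consult libwrap (sshd on many distributions, and anything run through xinetd); a daemon that does not is governed by iptables alone.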
tcp_wrappers lets you enable or disable, allow or deny individual services for particular clients, which further secures the system's operation.

File system security

1. Lock important system files

An operator may occasionally find that even root cannot modify or delete a file; most likely the file has been locked. The Linux command that locks files is chattr, which changes the extended attributes of files on ext2, ext3 and ext4 file systems and must be run by the superuser root; the companion command lsattr displays those attributes. Locking important files improves server security, but it also brings some inconvenience. For example, installing or upgrading software may require removing the immutable (+i) attribute from the affected directories and files first, and setting the append-only (+a) attribute on log files can prevent log rotation (logrotate) from working. So before using chattr, weigh the server's application environment against whether a file really needs the immutable or append-only attribute. Also, although chattr raises file system security, it is not suitable for every directory: the /, /dev, /tmp and /var directories cannot be protected this way.
The root directory cannot carry the immutable attribute, because the system simply would not work if it did. At startup syslog needs to delete and recreate the /dev/log socket, which fails if /dev is immutable. Applications and system programs constantly create temporary files in /tmp, so it cannot be immutable either. /var holds system and program logs; if it were immutable the system could not write logs, so it cannot be protected with chattr.

2. File permission check and modification

Improper permission settings directly threaten system security, so operations staff should detect such mistakes promptly and fix them at once. Here are a few ways to find insecure permissions on the system.

(1) Find files or directories that any user on the system can write to

Find files:

    find / -xdev -type f -perm -0002 -print0 | xargs -0 ls -al

Find directories:

    find / -xdev -type d -perm -0002 -print0 | xargs -0 ls -ld

-perm -0002 selects entries writable by everyone. The original form, -perm -2 -o -perm -20, also lists group-writable entries, but because find's implicit -and binds tighter than -o it has to be grouped as \( -perm -0002 -o -perm -0020 \), otherwise the -type test applies to only the first half. -xdev keeps the search on the local file system (skipping /proc and network mounts), and -print0 with xargs -0 copes with file names that contain spaces.

(2) Find all programs in the system with the "s" bit set

    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print0 | xargs -0 ls -al

A program with the "s" (setuid or setgid) bit runs with the privileges of its owner or group rather than those of the user who starts it, so every such program is a potential path to privilege escalation. By locating them all you can remove the "s" bit from those that do not need it, which reduces the opportunity for users to abuse privileges or escalate them.

(3) Record all setuid and setgid files in the system

    find / -xdev -type f -user root -perm -2000 -print -exec md5sum {} \;
    find / -xdev -type f -user root -perm -4000 -print -exec md5sum {} \;

-type f is needed here because the setgid bit is common on directories, where md5sum would only produce errors. md5sum is adequate for noticing that a file changed; if you are building a new baseline today, sha256sum is the better choice.

Save the results of this check to a file and compare against it during future checks: a setuid file that appears, or whose hash changes without a corresponding software update, deserves immediate attention.

(4) Check the system for files that have no owner

    find / -xdev \( -nouser -o -nogroup \) -print

Files without an owner are dangerous: they often result from deleted accounts, and an intruder can use them as a place to hide. When you find them, either delete them or assign them to a valid owner and set their permissions to a safe state.

3. Security settings for /tmp, /var/tmp and /dev/shm

A Linux system has two main directories or partitions for temporary files, /tmp and /var/tmp. They share one property: every user can read, write and execute in them, which leaves a security risk. An attacker can drop a virus or Trojan script into a temporary directory, use it to collect information, or disguise a tool there, seriously affecting the security of the server. Simply removing read, write or execute permission from the temporary directories would break applications, so to balance the two you need special settings for these directories or partitions.

/dev/shm is the shared memory device under Linux. The system mounts /dev/shm at boot using the tmpfs file system, a memory-backed file system whose data lives entirely in RAM. Anything that can write to and execute from /dev/shm therefore has a writable, executable area that leaves no trace on disk, which is dangerous, so securing /dev/shm is just as important.

For /tmp, first determine whether /tmp is a separate disk partition or a directory on the root partition. If it is a separate partition the setup is simple: edit the /tmp entry in /etc/fstab and add the three mount options nosuid, noexec and nodev. The modified /tmp entry looks like this:

    LABEL=/tmp  /tmp  ext3  rw,nosuid,noexec,nodev  0 0

Here nosuid means setuid bits are ignored on this partition, noexec means no program can be executed from it, and nodev means device files on it are not honoured.
After changing the mount options, remount the /tmp partition so that the settings take effect. For /var/tmp: if it is a separate partition, set it up exactly like /tmp by editing /etc/fstab; if it is a directory under the /var partition, move its contents to the /tmp partition and replace /var/tmp with a symbolic link to /tmp. The /var/tmp directory must be out of the way before the link is created, otherwise ln creates the link inside it as /var/tmp/tmp. The steps are:

    # mv /var/tmp /var/tmp.old
    # ln -s /tmp /var/tmp
    # cp -a /var/tmp.old/. /tmp/ && rm -rf /var/tmp.old

If /tmp is a directory on the root partition, the setup is slightly more involved: create a file-backed file system using the kernel's loopback feature, mount it on /tmp and pass the restrictive options at mount time. The original places the image file at /dev/tmpfs; because /dev is normally a memory-backed file system recreated at boot, the commands below store it at /var/tmpfs.img instead so that it survives a reboot. A simple example of the procedure:

    # dd if=/dev/zero of=/var/tmpfs.img bs=1M count=10000
    # mke2fs -j /var/tmpfs.img
    # cp -av /tmp /tmp.old
    # mount -o loop,noexec,nosuid,nodev,rw /var/tmpfs.img /tmp
    # chmod 1777 /tmp
    # cp -a /tmp.old/. /tmp/ && rm -rf /tmp.old

The dd command creates a 10 GB image, mke2fs -j formats it as ext3, and chmod 1777 restores the sticky, world-writable mode that a freshly created file system root lacks. Copying with /tmp.old/. rather than /tmp.old/* also carries over the dot-directories (such as .X11-unix) that a glob would miss.

Finally, add the following line to /etc/fstab so that the loopback file system is mounted automatically at boot:

    /var/tmpfs.img  /tmp  ext3  loop,nosuid,noexec,nodev,rw  0 0
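As an added example that is not part of the original article, the following script checks that the temporary directories discussed above carry nosuid, noexec and nodev, reading either an fstab (what will apply at the next boot) or /proc/mounts (what applies now), since both use the same "device mountpoint type options" layout. The file path is a parameter so it can be run against copies; the /dev/shm entry is an addition the article mentions but does not spell out.

```sh
#!/bin/sh
# Added example: audit mount options of the temporary-file mount points.

# Print the comma-separated options for a mount point from an fstab- or
# /proc/mounts-formatted file, or nothing if the mount point has no entry.
# Comments, blank lines and short lines are skipped.
mount_options() {
    file=$1; mnt=$2
    awk -v m="$mnt" '/^[[:space:]]*#/ || NF < 4 { next } $2 == m { print $4; exit }' "$file"
}

# Check one mount point for the given options. Prints a finding and returns 1
# when the mount point has no entry of its own (it then inherits the parent
# file system's permissive options) or when any option is missing; silent and
# 0 when everything is in place.
check_mount() {
    file=$1; mnt=$2; shift 2
    opts=$(mount_options "$file" "$mnt")
    if [ -z "$opts" ]; then
        printf '%s: no separate mount entry (inherits the parent file system)\n' "$mnt"
        return 1
    fi
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s: missing%s\n' "$mnt" "$missing"
        return 1
    fi
    return 0
}

# Audit the three locations from the article in one pass; 1 if anything is off.
audit_tmp_mounts() {
    file=$1; status=0
    for mnt in /tmp /var/tmp /dev/shm; do
        check_mount "$file" "$mnt" nosuid noexec nodev || status=1
    done
    return $status
}

# On the server: audit_tmp_mounts /etc/fstab ; audit_tmp_mounts /proc/mounts
```

If /var/tmp is a symbolic link into /tmp as described above, it will be reported as having no entry of its own; in that layout the /tmp result is the one that counts.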

Linux backdoor intrusion detection tools

The rootkit is the most common kind of Trojan backdoor on the Linux platform. It works mainly by replacing system files, which makes it both more dangerous and more covert than an ordinary backdoor: ordinary detection tools and inspection methods have difficulty finding it. A rootkit is a set of tools that creates backdoors and hides traces, allowing an attacker who has obtained root privileges to retain access to the system indefinitely. There are two main types, file-level and kernel-level, described below.

A file-level rootkit usually enters the system through a program or system vulnerability and hides itself by modifying important system files. After such an attack a legitimate binary has been replaced by a Trojan: the outside looks like the original program, but inside is a hidden backdoor. The programs most often replaced are login, ls, ps, ifconfig, du, find and netstat, and login is the favourite. Whether you log in locally or remotely, /bin/login runs and collects and checks the account name and password, so the rootkit replaces /bin/login with a version that also accepts a hard-coded backdoor password. The attacker then enters the system simply by typing that password, and even if the administrator changes or clears the root password, the attacker can still log in as root. Once inside, attackers typically carry out a series of further actions, most commonly installing a sniffer to collect sensitive data from this machine or from other servers on the network.
Some system tools would reveal such activity by default (ifconfig, for instance, shows whether an interface has been put into promiscuous mode by a sniffer), so the attacker replaces those tools too, typically ls, ps, ifconfig, du, find and netstat. Once they are replaced it is very hard to discover from inside the system that a rootkit is running. That is the file-level rootkit. It is costly to the administrator, and the most effective defence is to check the integrity of important system files regularly: if a file turns out to have been modified or replaced, the system has very likely suffered a rootkit intrusion. There are many integrity-checking tools, such as Tripwire and AIDE, which can be run periodically to detect whether a rootkit has compromised the system.

A kernel-level rootkit is a more advanced form of intrusion that gives the attacker complete control of the underlying system. The attacker modifies the kernel so that it intercepts the requests programs submit to it and redirects them to code the intruder has chosen: when the user wants to run program A, the modified kernel appears to run A but actually runs program B. Because a kernel-level rootkit lives in the kernel and makes no changes to files on disk, ordinary detection tools have difficulty noticing it, and once it is implanted the attacker can do anything on the system without being discovered. Good defensive tools against kernel-level rootkits are still scarce, so basic system security matters all the more: keep every account at the minimum privilege it needs, because loading code into the kernel requires root (or a kernel vulnerability), and an attacker who cannot obtain root cannot implant a kernel rootkit.
1. Rootkit backdoor detection tool: chkrootkit

chkrootkit is a tool for locating and detecting rootkit backdoors on Linux systems; its official site is http://www.chkrootkit.org/. chkrootkit is not in the official CentOS repositories, so it has to be compiled and installed manually, which is also the safer way to install it. Using it is simple: running the chkrootkit command starts the system check. The following is the result for one system:

    # /usr/local/chkrootkit/chkrootkit
    Checking `ifconfig'... INFECTED
    Checking `ls'... INFECTED
    Checking `login'... INFECTED
    Checking `netstat'... INFECTED
    Checking `ps'... INFECTED
    Checking `top'... INFECTED
    Checking `sshd'... not infected
    Checking `syslogd'... not tested

The output shows that this system's ifconfig, ls, login, netstat, ps and top commands have been infected. For a system infected with a rootkit the safest and most effective response is to back up the data and reinstall the system. chkrootkit relies on a number of system commands (ls, ps, netstat, strings and others) while it checks for rootkits, so if the server has been compromised those very commands may have been replaced by the intruder, and chkrootkit's results then become completely untrustworthy. To avoid this, back up the system commands chkrootkit uses before the server goes online, and when a check is needed run chkrootkit against the backed-up originals: its -p option takes the directory (or a colon-separated list of directories) from which the external commands should be taken.

2. Rootkit backdoor detection tool: rkhunter

rkhunter is a dedicated tool for detecting rootkit infection; it runs a series of scripts to confirm whether the server has been infected. According to the official information, rkhunter can do things such as:
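As an added example, not part of the original article, the following script puts the advice above into practice: while the system is still trusted it copies the commands chkrootkit depends on to a safe directory together with a hash baseline; later, the same baseline shows whether the live binaries were replaced, and chkrootkit can be pointed at the saved copies with -p. The same baseline-and-compare approach serves the setuid list from the file permission section. The directory names are assumptions; the command list combines the programs the article names as common rootkit targets with the ones chkrootkit itself uses.

```sh
#!/bin/sh
# Added example: trusted toolset and hash baseline for rootkit checks.

# Commands to preserve: the article's usual rootkit targets plus chkrootkit's helpers.
TRUSTED_CMDS="awk cut echo egrep find head id ls netstat ps sed ssh strings uname"

# Copy each named command into $dest and record the SHA-256 of the original
# path in baseline.sha256. Run once after installation, then move $dest to
# read-only media or to a machine the server cannot write to.
baseline_tools() {
    dest=$1; shift
    mkdir -p "$dest"
    : > "$dest/baseline.sha256"
    for cmd in "$@"; do
        path=$(command -v "$cmd" 2>/dev/null) || continue   # skip commands not installed
        cp -p "$path" "$dest/"
        sha256sum "$path" >> "$dest/baseline.sha256"
    done
    chmod -R a-w "$dest"
}

# Compare the live binaries against the baseline. Prints the path of every
# file whose hash differs or that is missing (sha256sum -c reports FAILED for
# both) and returns 1 in that case; silent and 0 otherwise. A changed hash
# right after a package update is expected; a changed hash with no update is
# the file-level rootkit symptom described above.
verify_tools() {
    dest=$1
    sha256sum -c --quiet "$dest/baseline.sha256" 2>&1 |
        sed -n 's/: FAILED.*//p' | grep . && return 1
    return 0
}

# Run chkrootkit with the saved copies instead of the possibly replaced live
# commands; -p sets the path chkrootkit uses for its external tools.
chkrootkit_trusted() {
    dest=$1
    /usr/local/chkrootkit/chkrootkit -p "$dest"
}

# Once, while the system is clean:   baseline_tools /root/trusted-bin $TRUSTED_CMDS
# During an investigation:           verify_tools /root/trusted-bin && chkrootkit_trusted /root/trusted-bin
```

Keep in mind that a kernel-level rootkit can lie about file contents to any program that reads them, so a clean comparison made on the suspect machine is evidence, not proof; comparing against the copies from offline media, or from a rescue boot, is stronger.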

MD5 checks to detect whether files have changed
detection of the binaries and system tool files used by rootkits
detection of Trojan signatures
detection of abnormal file attributes on common programs
system-related tests
detection of hidden files
detection of suspicious loadable kernel modules (LKM)
detection of the ports the system is listening on

When rkhunter runs in a terminal its biggest advantage is that each result is colour-coded: green means no problem, red means something that needs attention. During a check rkhunter pauses after each section and waits for the Enter key. To let it run unattended, use the following command:

    # /usr/local/bin/rkhunter --check --skip-keypress

If you want the check to run automatically every day, add the following entry to /etc/crontab:

    30 9 * * * root /usr/local/bin/rkhunter --check --cronjob

With this entry rkhunter runs at 09:30 every day.

Dealing with an attack on the server

Security is always relative: a hardened server can still be attacked. The principle for a security-minded operations engineer is to do the system security work as thoroughly as possible, fix every known dangerous condition, and, when the system is attacked anyway, respond quickly and effectively so that the impact on the system is minimised.

1. General approach to handling an attack

An attack on a server system is not frightening; what is frightening is being helpless in the face of one. The general approach to handling a server after an attack is as follows.

(1) Disconnect from the network. All attacks arrive over the network, so once you know the system is under attack, the first thing to do is disconnect the server from the network. This cuts off the attack source and also protects the other hosts on the network from the compromised server.

(2) Find the attack source. Look for suspicious information in the system logs and other log files, check which ports are open on the system and which processes are running, and examine any suspicious programs behind those processes. This takes experience and comprehensive judgement; the process is covered in detail below.

(3) Analyse the cause and the method of the intrusion. Since the system has been compromised, there can be many reasons: a system vulnerability, an application vulnerability, and so on. It is important to establish both the cause and the method of the attack and to locate the attack source, because only then can you remove the attack source and close the vulnerability at the same time.
(4) Back up user data. After an attack, back up the user data on the server immediately, but also check whether the attack source is hidden in that data. If it is, delete it completely before backing the data up to a safe place.

(5) Reinstall the system. Never assume you have completely cleaned out the attack source: nobody understands the attack program better than the attacker. After an attack the safest and simplest approach is to reinstall the system, because most attacks attach themselves to system files or to the kernel, and only a reinstall removes them completely.

(6) Fix the program or system vulnerability. Once a system or application vulnerability has been identified, repair it before anything else; only a fixed program should go back into production on the server.

(7) Restore the data and reconnect the network. Copy the backed-up data onto the newly installed server, start the services, and finally reconnect the server to the network to provide service again.

2. Check and lock suspicious users

When a server is found to be under attack, the first step is to disconnect the network. In some cases, however, the network cannot be disconnected immediately; then you must log in to the system and check for suspicious users. If a suspicious user is logged in, lock that user at once and then terminate their remote session.

3. Review the system logs

The system logs are the best place to find the attack source. Check /var/log/messages, /var/log/secure and similar files: between them they record the state of the software and the remote users' login activity. Also review the .bash_history file in each user's home directory, especially /root/.bash_history, which holds the commands executed by root.

4. Check and stop suspicious processes

There are many commands for examining processes, such as ps and top, but sometimes you know a process's name without knowing its path. In that case use the following steps. First find the PID of the running process with pidof; for example, to find the PIDs of the sshd processes, run:

    # pidof sshd
    13276 12942 4284

Then look at the exe entry of the corresponding PID directory under /proc, the kernel's process information file system:

    # ls -al /proc/13276/exe
    lrwxrwxrwx 1 root root 0 Oct 4 22:09 /proc/13276/exe -> /usr/sbin/sshd

This gives the full path of the executable behind the process. To see the files the process has open, list the following directory:

    # ls -al /proc/13276/fd
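As an added example that is not part of the original article, here are two helpers for the triage steps in 3 and 4 above. The first summarises sshd entries from /var/log/secure (failed passwords per source address, accepted logins per user) so that brute force and a successful login from an unfamiliar address stand out; the second completes the /proc walk just shown for every process and flags any whose executable was deleted after it started, a common trace of a dropped and then removed backdoor. The log path is a parameter and the log lines in the test are constructed; the "Failed password" and "Accepted" formats are those of OpenSSH's syslog messages.

```sh
#!/bin/sh
# Added example: triage helpers for log review and process inspection.

PROC_ROOT=${PROC_ROOT:-/proc}   # overridable so the /proc walk can be tested on a copy

# Failed password attempts per source address, most frequent first, as "count ip".
# Matches the classic "Failed password for [invalid user] NAME from IP port N" line.
failed_logins_by_ip() {
    grep 'Failed password for' "$1" |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Successful logins as "user ip method", in log order. Read every line: a login
# for root from an address you do not recognise, especially right after a run
# of failures from that address, is the "attacker keeps root access" case.
accepted_logins() {
    sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p' "$1"
}

# Resolve a PID to its executable via /proc/PID/exe (what "ls -al" showed above).
# The kernel appends " (deleted)" when the binary was unlinked after exec.
proc_exe() {
    readlink "$PROC_ROOT/$1/exe" 2>/dev/null
}

# Print "pid exe" for every process whose binary no longer exists on disk.
# Legitimate causes exist (a package upgrade replaced a running daemon), so
# each hit calls for a look at cmdline, cwd and fd under /proc/PID, not a
# reflex kill.
deleted_exe_processes() {
    for d in "$PROC_ROOT"/[0-9]*; do
        pid=${d##*/}
        exe=$(proc_exe "$pid") || continue
        case $exe in
            *" (deleted)") printf '%s %s\n' "$pid" "$exe" ;;
        esac
    done
}

# On the server: failed_logins_by_ip /var/log/secure | head
#                accepted_logins /var/log/secure
#                deleted_exe_processes
```

Processes that were not listed by ps but do show up under /proc, or listening ports reported by netstat that no visible process owns, point at the replaced ps and netstat of a file-level rootkit; in that situation run these checks with the trusted command copies described in the chkrootkit section.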

In this way you can recover the complete execution information of any process.

5. Check the integrity of the file system

Checking whether file attributes have changed is the simplest and most direct way to verify file system integrity. For example, you can compare the size of /bin/ls on the compromised server with the size of the same file on a normal system to see whether it has been replaced, although this method is rather crude. On an RPM-based system the rpm tool can verify every packaged file against the package database, for example:

    # rpm -Va
    ....L....  c /etc/pam.d/system-auth
    S.5....T.  c /etc/security/limits.conf
    S.5....T.  c /etc/sysctl.conf
    S.5....T.    /etc/sgml/docbook-simple.cat
    S.5....T.  c /etc/login.defs
    S.5......  c /etc/openldap/ldap.conf
    S.5....T.  c /etc/sudoers

Each line begins with the verification flags (S size, M mode, 5 digest, D device, L symlink target, U user, G group, T modification time; a dot means the attribute is unchanged), then a c for a configuration file, then the path. Changed configuration files such as the ones above are normal on an administered system; a changed digest on a binary or library, such as /bin/ls or /usr/sbin/sshd, is the file-level rootkit symptom described earlier and should be treated as a compromise until proven otherwise.
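As an added example (not from the original article), the following script interprets a saved rpm -Va report and separates the expected noise (edited configuration files) from what matters (a packaged binary or library whose contents changed). The report path is a parameter and the sample lines in the test are constructed; rpm -Va itself needs to be run as root to read every file.

```sh
#!/bin/sh
# Added example: triage rpm -Va output.

# Classify one rpm -Va line as "config PATH FLAGS", "replaced PATH FLAGS" or
# "minor PATH FLAGS". The line is "FLAGS [type] PATH" with one or more blanks
# between fields; type is c (config), d (doc), g (ghost), l (license) or r
# (readme) and may be absent. A non-config file whose size (S) or digest (5)
# changed has been rewritten on disk; mode, owner or mtime-only changes are
# worth a look but usually benign.
classify_rpm_line() {
    set -- $1                         # split on blanks: flags [type] path
    flags=$1; shift
    if [ $# -ge 2 ]; then type=$1; path=$2; else type=""; path=$1; fi
    if [ "$type" = c ]; then
        echo "config $path $flags"
    elif echo "$flags" | grep -q '[S5]'; then
        echo "replaced $path $flags"
    else
        echo "minor $path $flags"
    fi
}

# Read a saved report and print only the lines that need action: replaced
# non-config files, and "missing ..." lines (a packaged file that was deleted),
# which are passed through verbatim.
rpm_verify_triage() {
    while IFS= read -r line; do
        case $line in
            "") ;;
            missing*) echo "$line" ;;
            *)  r=$(classify_rpm_line "$line")
                case $r in replaced*) echo "$r" ;; esac ;;
        esac
    done < "$1"
}

# On the server: rpm -Va > /root/rpm-va.txt 2>&1 && rpm_verify_triage /root/rpm-va.txt
```

The triage trusts the rpm database on the compromised host, which an intruder with root can edit; a hit is reliable evidence of tampering, but a clean result is not proof of a clean system.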

6. Reinstall the system and recover the data

In many cases, the compromised system is no longer trusted, so the best way to do this is to back up the data on the server, reinstall the system, and then restore the data.

Once data recovery is complete, apply the security hardening described above to the new system immediately. Reposted from the ChinaUnix public account.
