1. Basic Security Measures
1.1 System Account Cleanup
Besides the users created manually by the administrator, a Linux system contains a large number of accounts created while the system or individual programs were installed. Apart from the superuser root, most of these accounts exist only to keep the system running or to start and maintain service processes; they are not meant to log in interactively and are therefore called non-login users.
Common non-login users include bin, adm, lp, mail, nobody, mysql, dbus, ftp, gdm, haldaemon and so on. To keep the system secure, the login shell of these users is normally /sbin/nologin, which forbids terminal login; verify that this setting is present and has not been modified.
Many non-login users are rarely used at all, for example news, uucp, games and gopher. These can be treated as redundant accounts and deleted outright. In addition, users created when a program is installed are not removed automatically when the program is uninstalled and must be cleaned up by hand.
For accounts that have gone unused for a long time, where it is not yet possible to decide whether they should be deleted, lock them temporarily instead of deleting them.
If the set of users on the server is fixed and no longer needs to change, the two files /etc/passwd and /etc/shadow can be locked so that they become read-only, even for the root user.
While the files are locked, operations such as adding or deleting accounts, changing a user's password, login shell or home directory attributes all fail; attempting any of them confirms the lock.
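As an added check for this section (example code written here, not from the original post), the following script scans a passwd-format file for system accounts that still have a login shell and for the leftover accounts named above; it runs on a constructed sample, and the UID limit of 500 is the RHEL 6 convention, adjustable through the second argument.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a passwd-format file
# for system accounts that still have a login shell and for the leftover
# accounts the post calls redundant (news, uucp, games, gopher).
# On RHEL 6 system accounts have UIDs below 500 (UID_MIN in /etc/login.defs);
# the threshold is a parameter so it can be raised to 1000 on newer distros.

# Constructed sample in /etc/passwd format; not taken from a real host.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
jerry:x:500:500::/home/jerry:/bin/bash
EOF
)

# Print "uid:name:shell" for every account below the system-UID limit whose
# shell is not /sbin/nologin or /bin/false. root is skipped on purpose; an
# empty shell field means /bin/sh, so it is reported as well.
# $1 = passwd-format file, $2 = first non-system UID (default 500)
system_accounts_with_login_shell() {
    awk -F: -v max="${2:-500}" '
        $1 == "root" { next }
        $3 < max && $7 != "/sbin/nologin" && $7 != "/bin/false" {
            printf "%s:%s:%s\n", $3, $1, ($7 == "" ? "(empty -> /bin/sh)" : $7)
        }' "$1"
}

# Print, space separated, the names from the redundant list still present.
# $1 = passwd-format file
leftover_redundant_accounts() {
    awk -F: 'BEGIN { split("news uucp games gopher", r, " "); for (i in r) want[r[i]] = 1 }
             ($1 in want) { print $1 }' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Run both checks against the constructed sample. On a real host the
# administrator would pass /etc/passwd and then lock (usermod -L) or delete
# (userdel) the offending accounts by hand.
PASSWD_TMP=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_TMP"
echo "system accounts with a login shell (uid:name:shell):"
system_accounts_with_login_shell "$PASSWD_TMP"
echo "redundant accounts still present: $(leftover_redundant_accounts "$PASSWD_TMP")"
rm -f "$PASSWD_TMP"
```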
1.2 Password Security Control
In an insecure network environment, to reduce the risk of a password being guessed or brute-forced, users should get into the habit of changing their password regularly and avoid using the same password for a long time. On the server side, the administrator can limit the maximum number of days a user's password remains valid; a user whose password has expired must change it (an ordinary user's new password must also meet the complexity requirements), otherwise the login to the system is refused.
For example, set a 30-day validity period for a user's password (the chage command sets password aging limits).
Changing /etc/login.defs affects only users created after the file is modified;
the chage command is used for users that already existed before /etc/login.defs was changed.
In some special cases, such as requiring bulk-created users to set their own password at first login, or when a security plan requires every user to update their password, the administrator can enforce a policy that makes the user change the password at the next login. For example, user lisi can be forced to change the password at the next login.
Test by logging in as user lisi, who is now prompted to change the password before the login completes.
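The following added example (not from the original post) reports the aging state of each account in a shadow-format file, showing what "chage -M 30", "chage -d 0" and PASS_MAX_DAYS produce; it uses a constructed sample file and a fixed "today" of day 20000 so that it runs without root and gives reproducible output.

```shell
#!/bin/sh
# Added example, not code from the original post: report the password-aging
# state of every account in a shadow-format file, i.e. the effect of
# "chage -M 30 user" (30-day limit), "chage -d 0 user" (forced change at next
# login) and of PASS_MAX_DAYS in /etc/login.defs. The real /etc/shadow is only
# readable by root; a constructed file is used here so the script runs anywhere.
#
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is in days since 1970-01-01; lastchg 0 forces a change at the next
# login; max 99999 (or empty) means the password never expires.

# Constructed sample; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$placeholderhash:19980:0:99999:7:::
jerry:$6$placeholderhash:19950:0:30:7:::
tom:$6$placeholderhash:19990:0:30:7:::
lisi:$6$placeholderhash:0:0:30:7:::
news:!!:19900:0:99999:7:::
mysql:*:19900:0:99999:7:::
EOF
)

# Print one "name: state" line per account.
# $1 = shadow-format file, $2 = "today" in days since the epoch (defaults to
# the real date; a fixed value is passed below so results are reproducible)
shadow_aging_report() {
    today="${2:-$(( $(date +%s) / 86400 ))}"
    awk -F: -v today="$today" '
        $2 ~ /^[!*]/ { print $1 ": locked"; next }
        $3 == ""     { print $1 ": no last-change date, aging disabled"; next }
        $3 + 0 == 0  { print $1 ": must change password at next login"; next }
        $5 == "" || $5 + 0 >= 99999 {
            print $1 ": password never expires (max days " ($5 == "" ? "unset" : $5) ")"; next }
        {
            left = $3 + $5 - today
            if (left < 0) print $1 ": expired " (-left) " days ago"
            else          print $1 ": ok, " left " days until expiry"
        }' "$1"
}

# Commands from the post that produce these states on a real host (not run here):
#   chage -M 30 jerry      # 30-day maximum for an existing user
#   chage -d 0 lisi        # force lisi to change the password at next login
#   chage -l jerry         # show the aging settings of one user
#   PASS_MAX_DAYS 30       # in /etc/login.defs, applies to users created later
SHADOW_TMP=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$SHADOW_TMP"
shadow_aging_report "$SHADOW_TMP" 20000    # day 20000 is used as "today"
rm -f "$SHADOW_TMP"
```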
1.3 Command History and Automatic Logout
The shell's command history mechanism is a great convenience to users, but it also carries a potential risk: anyone who obtains a user's command history file can see the user's whole sequence of operations, and if a plaintext password was ever typed on the command line, the server's security barrier has one more hole in it.
In the bash environment, the number of history commands recorded is controlled by the HISTSIZE variable, 1000 by default. Changing the value of HISTSIZE in the global file /etc/profile affects the history recorded for all users.
In addition, the "~/.bash_logout" file in the user's home directory can be modified: the commands in this file run when the user logs out. Adding a "history -c" statement there makes the recorded history commands be cleared automatically when the user leaves the bash session. (For this to be effective, the "~/.bash_history" file that stores the history must be emptied as well; otherwise the commands already written to "~/.bash_history" remain there.)
In the bash environment you can also set an idle timeout, so that a session is logged out automatically when no action occurs for the specified period (controlled by the TMOUT variable, in seconds).
Note: when running long operations such as compiling program code or modifying system configuration, avoid setting the TMOUT variable, or if necessary run "unset TMOUT" to cancel it.
2. User Switching and Privilege Elevation
2.1 su Command: Switching Users
With the su command you can switch to another specified user and obtain all of that user's permissions. The target user's password must of course be verified when switching: root can switch to any user without entering a password, while an ordinary user switching to another user must enter the target user's password.
In the su command, the option "-" is equivalent to "-l" or "--login" and means that the target user's login shell environment is loaded. If it is omitted, only the identity is switched and the user environment is not. When switching to the root user, the target user name can be omitted.
By default any user can use the "su" command to switch users. How can it be limited to specified users? The pam_wheel authentication module allows only the individual users it authorizes (members of the wheel group) to use su.
Once the pam_wheel authentication module is enabled, users who are not authorized can no longer use the "su" command; their attempt is rejected with an "incorrect password" message, which limits to a certain extent who is able to switch users.
User switches made with the su command are recorded in the security log /var/log/secure and can be reviewed as needed (tail -f /var/log/secure).
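As an added defender-side example (not the post's own code), the script below checks whether a /etc/pam.d/su-format file actually enforces pam_wheel and summarises su-to-root successes and failures per user from /var/log/secure lines; the PAM and log samples are constructed, with hostname, users and times made up.

```shell
#!/bin/sh
# Added example, not code from the original post: two defender-side checks for
# this section. pam_wheel_enforced tells whether a file in /etc/pam.d/su format
# requires wheel membership, and su_root_summary counts successful and failed
# su-to-root attempts per user from /var/log/secure lines. Both run on
# constructed input so the script works as a normal user.

# Default RHEL 6 /etc/pam.d/su ships with the pam_wheel line commented out;
# enabling the restriction means uncommenting it and adding users with
# "gpasswd -a jerry wheel". Both versions are reproduced here as samples.
PAM_SU_DEFAULT='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            include         system-auth'
PAM_SU_HARDENED='#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            include         system-auth'

# Exit 0 when an active (uncommented) "auth required pam_wheel.so" line exists.
# $1 = file in /etc/pam.d/su format
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Constructed /var/log/secure excerpt (hostname, users and times are made up).
SAMPLE_SECURE='Oct 28 10:12:01 web1 su: pam_unix(su-l:session): session opened for user root by jerry(uid=500)
Oct 28 10:15:46 web1 su: FAILED SU (to root) tom on pts/1
Oct 28 10:20:03 web1 su: pam_unix(su-l:session): session opened for user root by jerry(uid=500)
Oct 28 10:22:09 web1 sshd[2210]: Accepted password for tom from 192.0.2.10 port 51234 ssh2
Oct 28 10:25:30 web1 su: FAILED SU (to root) tom on pts/1
Oct 28 10:41:12 web1 su: pam_unix(su-l:session): session opened for user root by tom(uid=501)'

# Print "ok USER N" and "failed USER N" lines, sorted, for su-to-root events.
# $1 = file with /var/log/secure lines
su_root_summary() {
    awk '
        /su: pam_unix\(su(-l)?:session\): session opened for user root by / {
            match($0, /by [^(]+\(/); u = substr($0, RSTART + 3, RLENGTH - 4); ok[u]++ }
        /su: FAILED SU \(to root\) / { fail[$(NF - 2)]++ }
        END {
            for (u in ok)   printf "ok %s %d\n", u, ok[u]
            for (u in fail) printf "failed %s %d\n", u, fail[u]
        }' "$1" | sort
}

# Demonstrate both checks on the constructed samples.
PAM_TMP=$(mktemp); SEC_TMP=$(mktemp)
printf '%s\n' "$PAM_SU_DEFAULT" > "$PAM_TMP"
pam_wheel_enforced "$PAM_TMP" && echo "pam_wheel enforced" || echo "pam_wheel NOT enforced (default config)"
printf '%s\n' "$PAM_SU_HARDENED" > "$PAM_TMP"
pam_wheel_enforced "$PAM_TMP" && echo "pam_wheel enforced" || echo "pam_wheel NOT enforced"
printf '%s\n' "$SAMPLE_SECURE" > "$SEC_TMP"
su_root_summary "$SEC_TMP"
rm -f "$PAM_TMP" "$SEC_TMP"
```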
2.2 sudo Command: Elevating Execution Privileges
The su command makes it very convenient to switch to another user, but only if the target user's login password is known. For example, to switch from user jerry to root you must know the root password. For Linux servers in a production environment, every additional person who knows the privileged password adds one more point of security risk.
The sudo command can be used instead to elevate execution privileges: it lets an ordinary user exercise a subset of administrative privileges without being told the root password. The user has to be authorized first, however.
1) /etc/sudoers
The default permissions of this file are 440 and it should be edited with the dedicated tool visudo. If you edit it with vim instead, you are warned that the file is read-only and must save with ":wq!".
Authorization record format: user machine=commands
An authorization record consists of three parts: the user, the host and the commands.
User: the name of the authorized user, or a group in the form "%groupname".
Machine: the hostname on which this record applies. This is mainly a convenience for sharing one copy of the sudoers file across several hosts; it is usually set to "localhost" or to the actual hostname.
Commands: the commands the user is allowed to run. Note that each command must be given with its absolute path, and multiple commands are separated by ",".
In a sudo configuration, each line is one valid authorization record. For example, one record can authorize user jerry to run the ifconfig command to change an IP address, while another lets members of the wheel group run any command without entering a password.
When there are many authorized users or commands, centrally defined aliases can be used. User names, hostnames and commands can all be given custom aliases (which must be uppercase), defined with the keywords User_Alias, Host_Alias and Cmnd_Alias. For example, an authorization record built from aliases can allow users jerry, tom and tsengyia to run the rpm and yum commands on the hosts smtp and pop.
In the command part of a sudo record, the wildcard "*" and the negation symbol "!" can be used; this is especially handy when authorizing every command in a directory or excluding individual commands from it.
By default, the actions performed through sudo are not logged; to log them, add a "Defaults logfile" configuration entry to the sudoers file that names the log file.
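The following is an added example (not from the original post): a small lint that flags, in a sudoers-format file, commands given without an absolute path, NOPASSWD: ALL records and a missing Defaults logfile entry; the fragment it scans is constructed from the records described above, plus a hypothetical user "alice" whose record is deliberately wrong.

```shell
#!/bin/sh
# Added example, not code from the original post: a small lint for sudoers
# content that flags the three things this section warns about, i.e. commands
# given without an absolute path, records that allow any command without a
# password, and a missing "Defaults logfile" entry. It runs on a constructed
# fragment; on a real host it would be pointed at /etc/sudoers (readable by
# root only), after validating the file syntax with "visudo -c".

# Constructed sudoers fragment mirroring the records described in the post;
# "alice" is an added hypothetical user whose record is deliberately wrong.
SAMPLE_SUDOERS=$(cat <<'EOF'
User_Alias  OPERATORS = jerry, tom, tsengyia
Host_Alias  MAILSVRS = smtp, pop
Cmnd_Alias  PKGTOOLS = /bin/rpm, /usr/bin/yum
jerry       localhost=/sbin/ifconfig
%wheel      ALL=(ALL)   NOPASSWD: ALL
OPERATORS   MAILSVRS=PKGTOOLS
tom         localhost=/sbin/*, !/sbin/ifconfig
alice       localhost=ifconfig
Defaults    logfile = /var/log/sudo
EOF
)

# Print one "WARN ..." line per finding; prints nothing for a clean file.
# $1 = file in sudoers format
sudoers_lint() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        NF == 0 || /^[ \t]*#/                 { next }   # comments and blank lines
        /^[ \t]*Defaults/                     { if ($0 ~ /logfile/) logfile = 1; next }
        /^[ \t]*(User|Host|Cmnd|Runas)_Alias/ { next }   # alias definitions
        {
            who  = $1
            spec = substr($0, index($0, "=") + 1)   # everything after host=
            gsub(/\([^)]*\)/, "", spec)              # drop the (runas) list
            if (spec ~ /NOPASSWD:[ \t]*ALL/)
                printf "WARN %s: NOPASSWD with ALL (any command, no password)\n", who
            gsub(/(NO)?PASSWD:/, "", spec)
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = trim(cmds[i]); sub(/^!/, "", c)  # "!" negation is allowed
                if (c == "ALL" || c ~ /^[A-Z][A-Z0-9_]*$/ || c ~ /^\//) continue
                printf "WARN %s: command \"%s\" is not an absolute path\n", who, c
            }
        }
        END { if (!logfile) print "WARN Defaults: no logfile entry, sudo actions are not written to a log file" }
    ' "$1"
}

# Run the lint on the constructed fragment: expect warnings for %wheel and alice.
SUDOERS_TMP=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$SUDOERS_TMP"
sudoers_lint "$SUDOERS_TMP"
rm -f "$SUDOERS_TMP"
```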
3. System Boot and Login Control
3.1 Boot and Shutdown Security Control
1) Adjust the BIOS boot settings
A: Set the first boot device to the disk on which the current system resides.
B: Disable booting from other devices (CD-ROM, USB stick, network, etc.) by setting the corresponding items to "Disabled".
C: Set the BIOS security level to "Setup" and set an administrator password to prevent unauthorized changes.
2) Disable the Ctrl+Alt+Del restart shortcut
On RHEL 6 the Ctrl+Alt+Del shortcut is configured in /etc/init/control-alt-delete.conf; comment out the relevant line.
3) Restrict changes to the GRUB boot parameters
From a system security standpoint, letting anyone modify the GRUB boot parameters is obviously a huge threat to the server itself. To strengthen control of the boot process, set a password for GRUB.
A password generated with the "grub-md5-crypt" command takes the form of a string hashed with the MD5 algorithm and is more secure than a plaintext one. In the grub.conf configuration file, use the "password --md5" item to specify the MD5-hashed password string.
PS: In RHEL 6.5 character mode the mouse cursor cannot be used by default. Install the gpm package and start the service with "service gpm start". To copy something, select it with the cursor and press Enter to copy, then right-click to paste.
The MD5 hash produced by the "grub-md5-crypt" command cannot be copied directly into a file; instead, capture the command's output in a variable and redirect it into the target file.
Verify that GRUB now asks for the password before the boot entries can be edited.
4. Terminal and Login Control
4.1 Reducing the Number of Open TTY Terminals
For remotely maintained Linux servers, six TTY terminals are somewhat redundant. On RHEL 6.5 the terminal control configuration files are as follows:
/etc/init/tty.conf          controls the opening of TTY terminals
/etc/init/start-ttys.conf   controls the number of open TTY terminals and their device files
/etc/sysconfig/init         controls the number of open TTY terminals and the terminal colour
By modifying /etc/init/start-ttys.conf and /etc/sysconfig/init you can reduce the number of open terminals; for example, to open only the three terminals tty4, tty5 and tty6, change the terminal list in both files accordingly.
4.2 Disabling root Login
The login program reads the /etc/securetty file to decide from which terminals (secure terminals) the root user may log in. To stop root from logging in on a given terminal, simply comment out or delete the corresponding line.
To disable root login from tty5 and tty6, comment out those two lines in /etc/securetty.
4.3 Prohibiting Normal User Login
When the server is performing operations such as a backup or debugging, you may not want new users to log on. In that case, simply create the file /etc/nologin: the login program checks whether /etc/nologin exists and, if it does, refuses login to ordinary users (root is not restricted).
This method actually uses the same restriction mechanism that shutdown applies while a delayed shutdown is pending, and is only recommended for temporary use during server maintenance. Deleting the file manually or rebooting the host restores normal login.
This article is from the "Wang Gaoli" blog; please keep this source when reproducing it: http://wanggaoli.blog.51cto.com/10422005/1710144