System Security
Minimum Service Method
File Security (SUID/SGID/sticky/chattr)
Upgrade system and software
Least permission method (SU/SUDO)
SSH Security suggestions
Minimum Service Method (System V/xinetd)
Disable unnecessary services:
# vim /root/service.sh
#!/bin/bash
# stop and disable xinetd, switch every System V service off,
# then switch back on only the services we actually need
service xinetd stop
chkconfig xinetd off
services="network sshd syslog lvm2-monitor messagebus sendmail crond gpm anacron auditd haldaemon irqbalance avahi-daemon"
offservices=`chkconfig --list | grep 0: | awk '{print $1}'`
for i in $offservices
do
    chkconfig $i off
done
for i in $services
do
    chkconfig $i on
done
reboot
Prohibit normal users from executing the scripts in the init.d directory (remove all permissions for "others"):
# chmod -R o= /etc/rc.d/init.d
File Security (SUID/SGID/sticky/chattr)
Partition Security
Directories that should be separate partitions (partition principle: a directory that all users can write to should be its own partition, and so should a directory that is read or written frequently):
/
/boot
swap
/usr or /opt
/home
/var and /var/tmp
/tmp
/data
/bak
Mount options:
1. noexec -- no binary or script can be executed directly from this partition, so it is suitable for partitions that only hold data (a script can still be handed to an interpreter by hand, so noexec is a hurdle rather than a complete block).
2. nodev -- character and block device files on this partition are not honoured as devices (for example zero, sda).
3. nosuid -- the set-user-ID and set-group-ID bits are ignored for files on this partition.
4. noatime -- file access times are not updated, which removes the extra write I/O that every read would otherwise cause.
5. nodiratime -- directory access times are not updated.
Create separate partitions for the Apache and FTP server roots. Edit /etc/fstab and make sure you add the following options.
Sample /etc/fstab entry to limit what users can do on /dev/sda5 (the FTP server root directory):
# vim /etc/fstab
/dev/sda5 /ftpdata ext3 defaults,nodev,noexec 1 2
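An added check, not part of the original post, that applies the partition principle above to an fstab-style file: it reports which of the writable mount points are missing nodev/nosuid/noexec and which are not separate partitions at all. The mount points, the wanted options and the sample fstab are assumptions constructed for the example.

```shell
#!/bin/bash
# Added example (not from the original post): check which of the writable
# partitions listed above are missing nodev/nosuid/noexec in an fstab-style
# file, and which are not separate partitions at all. Assumptions: the mount
# points and wanted options are hard-coded below; the sample fstab is constructed.

# check_fstab FILE -> prints "mountpoint: missing opt..." or
# "mountpoint: not a separate partition"; prints nothing when all is well.
check_fstab() {
    awk -v want="nodev nosuid noexec" -v check="/tmp /var/tmp /home /data /ftpdata" '
    BEGIN {
        n = split(want, w, " ")
        m = split(check, c, " ")
        for (i = 1; i <= m; i++) need[c[i]] = 1
    }
    /^[ \t]*#/ || NF < 4 { next }          # comments and malformed lines
    $2 in need {
        seen[$2] = 1
        split("", has)                     # reset the option set for this line
        k = split($4, o, ",")
        for (i = 1; i <= k; i++) has[o[i]] = 1
        miss = ""
        for (i = 1; i <= n; i++) if (!(w[i] in has)) miss = miss " " w[i]
        if (miss != "") print $2 ": missing" miss
    }
    END {
        for (i = 1; i <= m; i++)
            if (!(c[i] in seen)) print c[i] ": not a separate partition"
    }' "$1"
}

# Constructed sample /etc/fstab (device names are placeholders)
sample_fstab() {
cat <<'EOF'
# constructed sample
/dev/sda1  /         ext3  defaults                      1 1
/dev/sda2  /boot     ext3  defaults                      1 2
/dev/sda3  /home     ext3  defaults,nodev,nosuid         1 2
/dev/sda5  /ftpdata  ext3  defaults,nodev,noexec         1 2
/dev/sda6  /tmp      ext3  defaults,nodev,nosuid,noexec  1 2
/dev/sda7  swap      swap  defaults                      0 0
EOF
}
```

Run it as check_fstab /etc/fstab on a real host; the sample above reports /home and /ftpdata as incomplete and /var/tmp and /data as not partitioned.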
Disk quota (every directory that all users can write to needs a quota):
1. Enable quotas per file system by adding the usrquota option to the file system's entry in /etc/fstab.
2. Remount the file system(s): mount -o remount /xx
3. Create the quota database files and generate the disk usage table:
quotacheck -cmu /xx; quotaon -vu /xx
4. Assign quota policies:
edquota -u user01
edquota -p user01 user02    -- copy user01's quota to user02
setquota -u user01 1000 2000 10 20 /xx    -- block soft/hard limits, then inode soft/hard limits
Query:
quota -u user01
repquota -vu /xx
Lock the inodes of important files
chattr and lsattr commands
# chattr +i /etc/passwd -- immutable: completely locks the inode
# useradd newuser
useradd: unable to open password file
# lsattr /etc/passwd
----i-------- /etc/passwd
# chattr +a /file -- append-only: the existing blocks of the inode are locked, but new blocks may still be appended
As the useradd failure shows, the attribute has to be removed again (chattr -i) before any legitimate change to a locked file.
Files worth locking:
/boot/grub/grub.conf
/etc/passwd
/etc/shadow
/etc/sudoers
SUID/SGID (partition mount option: nosuid)
1. Manually find the files with SUID/SGID set in the system (a snapshot; on newer versions of find write -perm /6000 instead of -perm +6000):
# find / -type f -perm +6000 -exec ls -lh {} \;
# find / -type f -perm +6000 -ls
2. Search and compare using a script:
# find / -type f -perm +6000 > /etc/sfilelist
# vim check_perm.sh
#!/bin/bash
# report SUID/SGID files that are not in the saved baseline list
old_list=/etc/sfilelist
for i in `find / -type f -a -perm +6000`
do
    grep -Fx "$i" $old_list &>/dev/null    # -x: whole-line match, so /bin/su does not match /bin/sudo
    [ $? -ne 0 ] && ls -lh $i
done
Upgrade system and software
# yum list installed
# yum list packagename
# yum remove packagename
Update software:
# yum update -- upgrade the entire system
# yum update packagename -- upgrade one or more individual packages
Least privilege (su/sudo)
su -- full privilege elevation; you need to know the target user's password.
su -- if no user is given, switches to the superuser but keeps the environment variables of the previous user.
su - -- if no user is given, switches to the superuser and loads the environment of the user being switched to (a login shell).
su username -- switch to the specified user
su - username
su -l username
Allow only one user or one group to switch to root; every other user is denied su elevation:
# vim /etc/pam.d/su
......
auth required pam_wheel.so use_uid -- only members of the wheel group can use su
......
# gpasswd -a zhangsan wheel
# usermod -G wheel zhangsan    -- note that -G replaces the user's supplementary groups; use -aG to append
When managing Linux remotely over SSH, do not log in directly as the administrator. Log in as an ordinary user first, then escalate with su/sudo.
Benefit: brute-force attacks against the root account are avoided.
sudo -- least privilege: only the specified permissions are granted, and the user does not need to know the target user's (root's) password. The most effective form of privilege separation.
/etc/sudoers can be edited in either of two ways:
# visudo -- the dedicated tool for editing the file: it checks the syntax and saves without forcing.
# vim /etc/sudoers -- edits the file directly; no syntax check, and the read-only file must be saved with force.
Configuration file format:
root ALL=(ALL) ALL
Read as: user, the hosts (client source addresses) the rule applies to, = (the identity to run as), the commands
Groups: prefix the group name with %
Common command options:
sudo -l    lists the commands the user is allowed to run
sudo -k    clears the user's cached password timestamp
sudo -v    re-validates the password (refreshes the timestamp)
sudo ls    runs the command through sudo (sudo command line)
sudo wildcards:
*        matches any string of zero or more characters.
?        matches any single character.
[...]    matches any character in the specified range, e.g.
[0-9]
[abc]
[a-z]
[1-2][0-9]    matches 10-29
[!...]   matches any character not in the specified range.
Note that inside a command's arguments a * also matches across spaces, so a pattern permits more argument combinations than it appears to; for granting the right to edit files, sudoedit is the safer choice.
vsftpd instance authorization:
1. The user can install and uninstall vsftpd.
2. The user can restart the vsftpd service.
3. The user can modify the vsftpd configuration files.
4. The user can change the file permissions of the anonymous FTP directory.
# visudo
u01 ALL=/usr/bin/yum * vsftpd, /sbin/service vsftpd *, /usr/bin/vim /etc/vsftpd/*, /bin/ch[mo]* * /var/ftp/*
User management permissions:
1. Users can be created and deleted, but no new administrator (uid 0) account may be created.
2. Passwords and expiration times can be set, but not the administrator's.
3. Users can be added to or removed from groups.
# visudo
u01 ALL=/usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/chage, /usr/bin/passwd, !/usr/sbin/useradd * -o *, !/usr/sbin/userdel * root *, !/usr/sbin/usermod * -o *, !/usr/bin/chage * root *, !/usr/bin/passwd * root *
The sudoers manual warns that excluding commands or arguments with ! is not a reliable restriction, because the same action can often be expressed with arguments the pattern does not match; treat these entries as guard rails, not as a security boundary.
httpd authorization:
# visudo
u01 ALL=(root) /usr/bin/vim /etc/httpd/conf*/*.conf, /bin/chown * /var/www/html/*, /bin/chmod * /var/www/html/*, /sbin/service httpd *, /usr/bin/yum -y install httpd*
Authorization combined with the wheel group (by group):
%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
Use aliases for authorization (alias names must be in upper case):
Instance 1:
# visudo
User_Alias OPERATORS = jerry, tom, tsengyia
Host_Alias MAILSERVERS = mail, smtp, pop -- make sure these three host names resolve
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
OPERATORS MAILSERVERS = SOFTWARE -- the aliases are referenced like variables to grant the sudo permissions
Instance 2:
Set up a group account "managers" and authorize all of its members to add, delete, and modify user accounts.
# groupadd managers
# gpasswd -M zhangsan,lisi managers
# visudo
Cmnd_Alias USERADM = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, !/usr/sbin/useradd * -o *, !/usr/sbin/userdel * root *, !/usr/sbin/usermod * -o *
%managers ALL = USERADM
Allow a user to manage Apache:
user01 ALL=/usr/bin/vim /etc/httpd/*, /sbin/service httpd *
Use an alias to grant httpd management permissions to users u01 and u02:
User_Alias HTTP_ADMIN = u01, u02
Cmnd_Alias HTTP_COMM = /usr/bin/vim /etc/httpd/conf*/*.conf, /bin/chown * /var/www/html/*, /bin/chmod * /var/www/html/*, /sbin/service httpd *, /usr/bin/yum -y install httpd*
HTTP_ADMIN ALL = NOPASSWD: HTTP_COMM
SSH security suggestions:
1. Only use SSH protocol version 2:
Protocol 2
ListenAddress x.x.x.x -- if your environment has a VPN channel, have sshd listen on the internal address.
2. Restrict user access (several names are separated by spaces; the * wildcard may be used):
AllowUsers user01 root -- only these users may log in via SSH
DenyUsers user02 user03 -- use one or the other; the same can be done by group:
DenyGroups
AllowGroups
3. Configure an idle timeout that disconnects automatically:
The simplest direct way is the shell variable TMOUT (idle seconds before the shell exits).
4. Prohibit the administrator from logging in directly via SSH:
PermitRootLogin no -- log in as an ordinary user and use su/sudo to raise privileges.
5. Change the default listening port and IP address:
Port 5589
ListenAddress 0.0.0.0 -- listen on the server's private address where possible. If it must listen on the public address, change the port; port 22 should not be used directly.
6. Set strong passwords for accounts:
# rpm -ivh expect-5.43.0-5.1.i386.rpm
# mkpasswd -l 128 -d 8 -C 15 -s 10
(the generated 128-character password is printed here)
-l  password length
-d  minimum number of digits
-C  minimum number of uppercase letters
-s  minimum number of special characters
7. Key pair authentication:
# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
8. Use iptables to prevent SSH password brute forcing:
Only three new connections per minute to the SSH server are accepted, with a burst allowance of three (--limit-burst 3); beyond that, new connections are dropped.
# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Reduce the number of password attempts:
MaxAuthTries 3 -- the number of authentication attempts allowed per connection
TCP wrappers (/etc/hosts.deny) + bash script (when the failed attempts from one source address reach a set limit):
last    -- shows the login history of all users (/var/log/wtmp)
lastlog -- shows each user's last login time
lastb   -- shows failed login records
Use a script to catch sshd brute-force source addresses: an IP address that failed to log in via SSH more than three consecutive times is written to /etc/hosts.deny, without duplicate entries.
The script is run every 10 minutes.
lastb is the same as last, except that by default it reads /var/log/btmp, which holds all the bad login attempts.
# lastb -i -a | grep ssh | awk '{print $NF}' | uniq -c | awk '$1 > 3 {print $2}'
(uniq -c without a preceding sort counts consecutive identical lines, which is exactly the "consecutive failures" rule; sort first if you want a total per address instead.)
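An added audit script, not part of the original post, that reads an sshd_config file and reports which of the settings recommended in points 1 to 9 are missing or weak. It assumes standard OpenSSH keyword names, that (as in sshd) the first occurrence of a keyword wins, and uses constructed sample configs.

```shell
#!/bin/bash
# Added example (not from the original post): audit an sshd_config file for
# the settings recommended above (Protocol 2, PermitRootLogin no,
# MaxAuthTries <= 3, a non-default port, and an AllowUsers/AllowGroups
# restriction). Assumption: like sshd, the first occurrence of a keyword wins.

# audit_sshd FILE -> prints one line per finding; the exit status is the
# number of findings, so 0 means the file passes.
audit_sshd() {
    awk '
    /^[ \t]*#/ || NF < 2 { next }
    { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
    END {
        bad = 0
        if (("protocol" in v) && v["protocol"] != "2") { print "Protocol is not 2"; bad++ }
        if (!("permitrootlogin" in v) || v["permitrootlogin"] != "no") { print "PermitRootLogin is not no"; bad++ }
        if (!("maxauthtries" in v) || v["maxauthtries"] + 0 > 3) { print "MaxAuthTries is above 3 or unset"; bad++ }
        if (!("port" in v) || v["port"] == "22") { print "Port is still the default 22"; bad++ }
        if (!("allowusers" in v) && !("allowgroups" in v)) { print "no AllowUsers/AllowGroups restriction"; bad++ }
        exit bad
    }' "$1"
}

# Constructed sample configs: "weak" repeats the defaults warned about above
# (the second PermitRootLogin line is ignored because the first one wins),
# anything else gives the hardened version.
sample_sshd_config() {
    if [ "$1" = weak ]; then
        printf '%s\n' '# constructed sample' 'Protocol 2,1' 'Port 22' \
            'PermitRootLogin yes' 'PermitRootLogin no' 'MaxAuthTries 6'
    else
        printf '%s\n' 'Protocol 2' 'Port 5589' 'ListenAddress 10.0.0.5' \
            'PermitRootLogin no' 'MaxAuthTries 3' 'AllowUsers user01'
    fi
}
```

On a live host run audit_sshd /etc/ssh/sshd_config; sshd -T shows the effective values if you want to compare against what the daemon actually applies.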
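The script described above, written out as an added example (not the original author's script): it takes the addresses that lastb reports with more than three consecutive SSH failures and appends them to a hosts.deny-style file, skipping any address already listed. It assumes the "user ssh:notty ... host" layout printed by lastb -i -a and "sshd: <ip>" lines in the deny file; the lastb output is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): take the IPs that lastb reports
# with more than three consecutive SSH failures and append them to a
# hosts.deny-style file, skipping addresses already listed.
# Assumptions: lastb output is in the "user ssh:notty ... host" layout of
# "lastb -i -a"; the deny file uses "sshd: <ip>" lines.

# offenders: print offending IPs from lastb-style text on stdin.
# uniq -c without sort counts consecutive lines, i.e. consecutive failures.
offenders() {
    grep ssh | awk '{print $NF}' | uniq -c | awk '$1 > 3 {print $2}'
}

# deny_new FILE: append each IP read from stdin to FILE unless it is already
# there; prints the number of addresses added.
deny_new() {
    local denyfile=$1 ip added=0
    touch "$denyfile"
    while read -r ip; do
        if ! grep -qxF "sshd: $ip" "$denyfile"; then
            echo "sshd: $ip" >> "$denyfile"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample of what lastb -i -a prints (user, tty, time, host)
sample_lastb() {
cat <<'EOF'
root     ssh:notty    Mon Mar  1 10:01   203.0.113.5
root     ssh:notty    Mon Mar  1 10:01   203.0.113.5
admin    ssh:notty    Mon Mar  1 10:02   203.0.113.5
root     ssh:notty    Mon Mar  1 10:02   203.0.113.5
root     tty1         Mon Mar  1 10:03   198.51.100.9
root     ssh:notty    Mon Mar  1 10:04   198.51.100.9
root     ssh:notty    Mon Mar  1 10:05   198.51.100.9
root     ssh:notty    Mon Mar  1 10:05   198.51.100.9
root     ssh:notty    Mon Mar  1 10:06   198.51.100.9
root     ssh:notty    Mon Mar  1 10:06   198.51.100.9
btmp begins Mon Mar  1 09:00:00 2021
EOF
}
```

For the real job, run lastb -i -a | offenders | deny_new /etc/hosts.deny from a cron entry every 10 minutes.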
This article is from the "O&M! Liberation!" blog; reprinting is declined.