Linux Host Security Configuration Explained: OS Security (Part 2)

Source: Internet
Author: User
Tags: disk usage, ssh, server

System Security

Minimal services

File security (SUID/SGID/sticky/chattr)

Upgrade the system and software

Least privilege (su/sudo)

SSH security suggestions


Minimal services (System V / xinetd)

Disable unnecessary services:

# vim /root/service.sh
#!/bin/bash
# Stop and disable the xinetd super-server, which takes all xinetd-managed services with it
service xinetd stop
chkconfig xinetd off

# Whitelist of services this host needs. Review it for the host's role: sendmail, gpm
# and avahi-daemon are rarely needed on a server. On RHEL 6 the logger is rsyslog.
services="network sshd syslog lvm2-monitor messagebus sendmail crond gpm anacron auditd haldaemon irqbalance avahi-daemon"

# Every SysV service (only service lines carry the "0:off" runlevel fields)
offservices=`chkconfig --list | grep 0: | awk '{print $1}'`

# Turn everything off, then turn the whitelist back on
for i in $offservices
do
    chkconfig $i off
done

for i in $services
do
    chkconfig $i on
done

reboot

Prevent ordinary users from reading or executing the scripts in the init.d directory:

# chmod -R o= /etc/rc.d/init.d
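Before running a script that disables everything and reboots, it is worth seeing what would change. The audit below is an added example, not code from the original post: it parses `chkconfig --list` output (a constructed sample here, not a real host) and reports SysV services enabled in runlevel 3 or 5 that are not on the whitelist, xinetd services that are switched on, and whitelisted services that are unexpectedly off. The function names and the whitelist are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the original post): audit SysV and xinetd service state
# against a whitelist before changing anything. It works on saved `chkconfig --list`
# output, so it can run on a snapshot. SAMPLE is constructed for the demonstration.
WHITELIST="network sshd rsyslog crond auditd"

SAMPLE='auditd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
avahi-daemon    0:off 1:off 2:off 3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups            0:off 1:off 2:on  3:on  4:on  5:on  6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        rsync:  off
        telnet: on'

# SysV services enabled in runlevel 3 or 5 that are not in WHITELIST, one per line.
# Service lines start in column 1; xinetd entries are indented and have no runlevels.
services_to_disable() {
  printf '%s\n' "$1" | awk -v wl="$WHITELIST" '
    BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    /^[^ \t]/ && ($0 ~ /3:on/ || $0 ~ /5:on/) && !($1 in keep) { print $1 }'
}

# xinetd-managed services that are switched on (indented "name: on" lines).
xinetd_enabled() {
  printf '%s\n' "$1" | awk '/^[ \t]/ && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Whitelisted services that are not enabled in runlevel 3 (an auditd that someone
# switched off is as interesting as an extra daemon that someone switched on).
whitelist_missing() {
  printf '%s\n' "$1" | awk -v wl="$WHITELIST" '
    BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^[^ \t]/ && ($1 in want) && $0 ~ /3:on/ { delete want[$1] }
    END { for (s in want) print s }'
}

# To apply the result on a live host (as root), after reviewing the list:
#   for s in $(services_to_disable "$(chkconfig --list)"); do chkconfig "$s" off; service "$s" stop; done
#   for s in $(xinetd_enabled "$(chkconfig --list)");     do chkconfig "$s" off; done
```

With the sample input the first function reports avahi-daemon and cups, the second reports telnet, and the third reports auditd, which is on the whitelist but disabled in every runlevel.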



File security (SUID/SGID/sticky/chattr): partition security

Directories that warrant their own partition (principle: anything every user can write to, and anything that is read or written heavily, should be a separate partition):

/
/boot
swap
/usr or /opt
/home
/var and /var/tmp
/tmp
/data
/bak

Mount options:

1. noexec -- binaries cannot be executed from this partition and scripts cannot be run directly; use it for partitions that only hold data.
2. nodev -- character and block device nodes on this partition are not honoured (for example a stray copy of zero or sda).
3. nosuid -- the setuid and setgid bits of files on this partition are ignored.
4. noatime -- file access times are not updated, which saves the extra I/O.
5. nodiratime -- directory access times are not updated.

noexec is a hardening measure rather than a hard boundary: an interpreter invoked explicitly (bash script.sh, python script.py) still reads and runs a script from a noexec partition. Combine it with nodev and nosuid on every partition that untrusted users can write to (/tmp, /var/tmp, /home, upload directories).

Create separate partitions for the Apache and FTP server roots. Edit /etc/fstab and make sure the entries carry these options:

Sample /etc/fstab entry restricting what users can do on /dev/sda5 (the FTP server root):

# vim /etc/fstab
/dev/sda5   /ftpdata   ext3   defaults,nodev,noexec   1 2

Since /ftpdata only stores data, nosuid belongs in that option list as well.




Disk quota (every directory that all users can write to needs a quota):

1. Enable quotas per file system by adding usrquota (and grpquota if group quotas are wanted) to the options field of the entry in /etc/fstab.

2. Remount the file system: mount -o remount /xx

3. Create the quota database files and build the usage table:

quotacheck -cmu /xx; quotaon -vu /xx

4. Assign quota policies:

edquota -u user01                          -- edit user01's limits interactively
edquota -p user01 user02                   -- copy user01's limits to user02
setquota -u user01 1000 2000 10 20 /xx     -- block soft/hard limit, inode soft/hard limit; the file system argument is required

Query:

quota -u user01
repquota -vu /xx
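The check below is an added example, not code from the original post. It reads /proc/mounts-style text (a constructed sample here; on a live host pass "$(cat /proc/mounts)") and reports which of the options recommended above are missing on a mount point, covering both the nodev/nosuid/noexec options of this section and the usrquota option required by the quota steps. The function names and the set of mount points audited are this example's own.

```shell
#!/bin/bash
# Added example (not from the original post): verify mount options from /proc/mounts
# text. The SAMPLE below is constructed, not taken from a real host.
SAMPLE='/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
/dev/sda3 /home ext3 rw,nodev,nosuid,usrquota 0 0
/dev/sda5 /ftpdata ext3 rw,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda6 /var/tmp ext3 rw 0 0'

# Print the requested options that are missing on a mount point, one per line
# (prints nothing when all are present; prints every option if the path is not
# a mount point at all, which is itself a finding).
# usage: missing_mount_opts "$MOUNTS" /mountpoint opt1 opt2 ...
missing_mount_opts() {
  mounts="$1"; mp="$2"; shift 2
  # field 2 is the mount point, field 4 the comma-separated option list
  opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
  for want in "$@"; do
    case ",$opts," in
      *",$want,"*) ;;              # present
      *) echo "$want" ;;
    esac
  done
}

# Audit the user-writable mount points from the text against the recommended
# options; /home keeps noexec off so users can still run their own programs.
# Prints one "mountpoint: missing ..." line per finding.
audit_mounts() {
  mounts="$1"
  for spec in "/home:nodev nosuid" "/tmp:nodev nosuid noexec" \
              "/var/tmp:nodev nosuid noexec" "/ftpdata:nodev nosuid noexec"; do
    mp=${spec%%:*}; wanted=${spec#*:}
    miss=$(missing_mount_opts "$mounts" "$mp" $wanted)
    [ -n "$miss" ] && echo "$mp: missing" $miss
  done
  return 0
}

audit_mounts "$SAMPLE"
```

Against the sample, /home passes (nodev, nosuid and usrquota are all present), /tmp lacks noexec, /ftpdata lacks nosuid, and /var/tmp, mounted with plain rw, lacks all three. The same check belongs in a periodic configuration audit, because a remount or a rebuilt fstab silently drops these options.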



Lock the inodes of important files

chattr and lsattr

# chattr +i /etc/passwd    -- immutable: the file can no longer be written, truncated, deleted, renamed or hard-linked, even by root, until the flag is cleared
# useradd newuser
useradd: unable to open password file

# lsattr /etc/passwd
----i-------- /etc/passwd

# chattr +a /file    -- append-only: the existing data blocks are locked, but new data can still be appended (the right flag for log files)

Files worth locking:

/boot/grub/grub.conf
/etc/passwd
/etc/shadow
/etc/sudoers

Caveat: a process with CAP_LINUX_IMMUTABLE (root, in practice) can clear the flag with chattr -i, so this protects against accidents and careless scripts, not against a compromised root. As the useradd error above shows, the flag must be removed before legitimate account changes (useradd, usermod, passwd) and put back afterwards.





SUID/SGID (partition mount option: nosuid)

1. Manually list the SUID/SGID files on the system (take a snapshot):

# find / -type f -perm /6000 -exec ls -lh {} \;
# find / -type f -perm /6000 -ls

(-perm +6000 is the older spelling of -perm /6000: match if either bit is set.)

2. Save a baseline and compare against it with a script:

# find / -type f -perm /6000 > /etc/sfilelist
# vim check_perm.sh
#!/bin/bash
# Report SUID/SGID files that are not in the saved baseline
old_list=/etc/sfilelist
for i in `find / -type f -perm /6000`
do
    grep -Fxq "$i" "$old_list" || ls -lh "$i"
done
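A plain list of paths misses a file whose mode or owner changed in place, and it says nothing about whether a setuid binary can be overwritten by others. The script below is an added example, not code from the original post: it compares a baseline that records mode, owner and group with a fresh snapshot, and separately flags SUID/SGID files that are group- or world-writable. Both lists are constructed for the demonstration; the comment shows the find command that would produce real ones.

```shell
#!/bin/bash
# Added example (not from the original post): compare a saved SUID/SGID baseline with
# a fresh snapshot and flag the dangerous cases. Both lists below are constructed; on
# a real host generate them with
#   find / -xdev -type f -perm /6000 -printf '%M %u %g %p\n' | sort > /etc/sfilelist
# and pass "$(cat /etc/sfilelist)" and the output of the same find as the arguments.
export LC_ALL=C   # byte-order collation, so sort and comm agree on the ordering

BASELINE='-rwsr-xr-x root root /bin/ping
-rwsr-xr-x root root /bin/su
-rwsr-xr-x root root /usr/bin/passwd'

CURRENT='-rwsr-xr-x root root /bin/ping
-rwsr-xr-x root root /bin/su
-rwsr-xr-x root root /usr/bin/passwd
-rwsr-xr-x root root /tmp/.x/backdoor
-rwsrwxrwx root root /usr/local/bin/helper'

# Lines in the current snapshot that are not in the baseline: new files, or files
# whose mode/owner/group changed (those show up here and in missing_suid).
new_suid() {
  b=$(mktemp); c=$(mktemp)
  printf '%s\n' "$1" | sort > "$b"
  printf '%s\n' "$2" | sort > "$c"
  comm -13 "$b" "$c"
  rm -f "$b" "$c"
}

# Baseline entries that no longer exist as recorded.
missing_suid() {
  b=$(mktemp); c=$(mktemp)
  printf '%s\n' "$1" | sort > "$b"
  printf '%s\n' "$2" | sort > "$c"
  comm -23 "$b" "$c"
  rm -f "$b" "$c"
}

# SUID/SGID files that are group- or world-writable: anyone in that group, or anyone
# at all, can replace the binary and inherit its privileges. Column 1 is the symbolic
# mode; characters 6 and 9 are the group and other write bits.
writable_suid() {
  printf '%s\n' "$1" | awk 'substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" { print $4 }'
}

echo "new or changed:"; new_suid "$BASELINE" "$CURRENT"
echo "missing:";        missing_suid "$BASELINE" "$CURRENT"
echo "writable:";       writable_suid "$CURRENT"
```

With the sample data the backdoor under /tmp and the world-writable helper appear as new entries, nothing from the baseline is missing, and the helper is also reported as writable. Keep /etc/sfilelist itself locked with chattr +i, or the comparison can be defeated by editing the baseline.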



Upgrade the system and software

# yum list installed         -- installed packages
# yum list packagename       -- available versions of one package
# yum remove packagename     -- remove packages the host does not need; fewer packages, fewer vulnerabilities to patch

Update software:

# yum update                 -- upgrade the whole system
# yum update packagename     -- upgrade one package or several


Least privilege (su/sudo)

su -- full privilege escalation; you have to know the target user's password.

su              -- with no user given, switches to the superuser but keeps the calling user's environment (PATH, HOME, ...).
su -            -- with no user given, switches to the superuser with root's own login environment, as if root had logged in.
su username     -- switch to the named user (environment kept).
su - username
su -l username  -- switch to the named user with that user's login environment (the two forms are equivalent).

Allow only one user or one group to switch to root with su, and refuse su to everyone else:

# vim /etc/pam.d/su
......
auth required pam_wheel.so use_uid   -- only members of the wheel group may use su (on RHEL the line exists commented out; uncomment it)
......

# gpasswd -a zhangsan wheel
# usermod -aG wheel zhangsan   -- equivalent; without -a, usermod -G replaces the user's supplementary groups instead of adding one

When administering Linux remotely over SSH, do not log in as the administrator directly. Log in as an ordinary user first, then raise privileges with su/sudo.

Benefit: the root account cannot be brute-forced over SSH, and every privileged action is tied to a named user.





sudo -- least privilege: grants only the specified commands and does not require the password of the target user (root). This is the most effective way to separate privileges.

/etc/sudoers can be edited in either of two ways:

# visudo            -- the dedicated tool: it locks the file, checks the syntax before saving and refuses to install a broken file
# vim /etc/sudoers  -- direct edit: no syntax check, and the file is read-only so it must be force-saved. A syntax error locks everyone out of sudo, so use visudo.

Configuration file format:

root    ALL=(ALL)    ALL

That is: user  host=(runas_user)  command -- which user, connecting to which host, may run which commands as which identity. A group is written with a % prefix:

%group  ALL=(ALL)    ALL

Common command options:

sudo -l   -- list the commands the current user may run
sudo -k   -- invalidate the cached credential timestamp (the next sudo asks for the password again)
sudo -v   -- re-validate: refresh the timestamp without running a command
sudo ls   -- run a command through sudo

sudo wildcards (command arguments are matched as one space-joined string, so a * also spans spaces):

*      matches any string of zero or more characters
?      matches any single character
[...]  matches any character in the set or range, for example
       [0-9]
       [abc]
       [a-z]
       [1-2][0-9]   matches 10 to 29
[!...] matches any character not in the set


vsftpd example authorization; u01 may:

1. install and remove vsftpd as the administrator;
2. restart the vsftpd service;
3. edit the vsftpd configuration files;
4. change the ownership and permissions of the anonymous FTP tree.

# visudo
u01 ALL = /usr/bin/yum * vsftpd, /sbin/service vsftpd *, /usr/bin/vim /etc/vsftpd/*, /bin/ch[mo]* * /var/ftp/*

Two caveats before copying this pattern. Running vim under sudo hands out a root shell through :!sh or :shell; use sudoedit /etc/vsftpd/... (the edit happens as the user, only the copy back is privileged) or apply the NOEXEC tag to the rule. And because a * in the argument pattern also matches spaces, /bin/chmod * /var/ftp/* accepts chmod 4755 /bin/bash /var/ftp/x, and /usr/bin/yum * vsftpd accepts yum remove kernel vsftpd; prefer exact argument lists, or character classes such as [0-7]* for the mode.

User management permissions; u01 may:

1. create and delete users, but not create new administrators;
2. set passwords and expiry dates, but not the administrator's;
3. add users to and remove them from groups.

# visudo
u01 ALL = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/chage, /usr/bin/passwd, !/usr/sbin/useradd *-o*, !/usr/sbin/userdel *root*, !/usr/sbin/usermod *-o*, !/usr/bin/chage *root*, !/usr/bin/passwd *root*

The original patterns were written as "* root *", with spaces; that deny never fires for the plain form passwd root, because sudo would need literal spaces on both sides of root. The form above follows the passwd example in sudoers(5). Even so, subtracting commands with ! is fragile: it does not catch useradd --non-unique, usermod -aG wheel, or a binary copied to another name, so "cannot create administrators" is only approximately enforced.

httpd authorization:

# visudo
u01 ALL = (root) /usr/bin/vim /etc/httpd/conf*/*.conf, /bin/chown * /var/www/html/*, /bin/chmod * /var/www/html/*, /sbin/service httpd *, /usr/bin/yum -y install httpd*

Authorization by group (the wheel group):

%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL    -- no password prompt; convenient, but then any hijacked session of a wheel user is root



Authorization with aliases (alias names must be upper case):

Example 1:

# visudo
User_Alias  OPERATORS   = jerry, tom, tsengyia
Host_Alias  MAILSERVERS = mail, smtp, pop      -- make sure these three host names resolve
Cmnd_Alias  SOFTWARE    = /bin/rpm, /usr/bin/yum

OPERATORS MAILSERVERS = SOFTWARE               -- the rule references the aliases

Example 2:

Create a group "managers" and authorize all of its members to add, delete and modify user accounts.

# groupadd managers
# gpasswd -M zhangsan,lisi managers

# visudo
Cmnd_Alias USERADM = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, !/usr/sbin/useradd *-o*, !/usr/sbin/userdel *root*, !/usr/sbin/usermod *-o*

%managers ALL = USERADM

Allow a user to manage Apache:

user01 ALL = /usr/bin/vim /etc/httpd/*, /sbin/service httpd *

Grant httpd management to u01 and u02 through aliases:

User_Alias HTTP_ADMIN = u01, u02
Cmnd_Alias HTTP_COMM  = /usr/bin/vim /etc/httpd/conf*/*.conf, /bin/chown * /var/www/html/*, /bin/chmod * /var/www/html/*, /sbin/service httpd *, /usr/bin/yum -y install httpd*

HTTP_ADMIN ALL = NOPASSWD: HTTP_COMM
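The wildcard rules above are easy to get wrong because sudo matches the command's arguments as one space-joined string. The script below is an added example, not sudo's code and not from the original post: it reproduces that matching with a shell glob (sudoers(5) documents that a * matches across words) so a rule's argument pattern can be tried against candidate command lines before it goes into /etc/sudoers. The helper names are this example's own; it checks only the argument pattern, not the command path, the host or the runas user.

```shell
#!/bin/bash
# Added example (not from the original post, not sudo's own code): emulate how
# sudoers matches command-line arguments. sudo joins the arguments with single
# spaces and glob-matches the whole string against the rule's argument pattern,
# so '*' also spans spaces; a shell `case` glob behaves the same way.
sudoers_args_match() {    # usage: sudoers_args_match 'PATTERN' arg1 arg2 ...
  pattern="$1"; shift
  args="$*"               # "$*" joins with one space, as sudo does
  case "$args" in
    $pattern) return 0 ;; # unquoted on purpose: the variable expands to a glob
    *)        return 1 ;;
  esac
}

# Decide an "ALLOW, !DENY" pair for one argument list. Prints "allowed" or "denied".
# usage: rule_decision 'allow pattern' 'deny pattern or empty' arg1 arg2 ...
rule_decision() {
  allow="$1"; deny="$2"; shift 2
  if sudoers_args_match "$allow" "$@"; then
    if [ -n "$deny" ] && sudoers_args_match "$deny" "$@"; then
      echo denied
    else
      echo allowed
    fi
  else
    echo denied
  fi
}

# Cases drawn from the rules in the text.
# /bin/chmod * /var/ftp/*  -- the first '*' swallows an extra path, so a setuid
#                             shell can be created as a side effect
rule_decision '* /var/ftp/*' '' 755 /var/ftp/pub                 # allowed, as intended
rule_decision '* /var/ftp/*' '' 4755 /bin/bash /var/ftp/pub      # allowed: bash is now setuid root
# /usr/bin/passwd, !/usr/bin/passwd * root *  -- the spaced deny never matches
rule_decision '*' '* root *' root                                # allowed: deny did not fire
rule_decision '*' '*root*'   root                                # denied
# an exact deny is bypassed by trailing options (GNU passwd accepts them after the user)
rule_decision '*' 'root'     root --expire                       # allowed
rule_decision '*' '*root*'   root --expire                       # denied
# /usr/bin/yum * vsftpd  -- anything may precede the last word
rule_decision '* vsftpd' '' remove kernel vsftpd                 # allowed
# the sudoers(5) form: restrict the allow side instead of relying on the deny
rule_decision '[A-Za-z]*' '*root*' alice                         # allowed
```

The lesson the output makes concrete: put the restriction on the allow side (an explicit argument list or a narrow character class) and treat ! patterns as a last line of defence, not the first.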


SSH security suggestions (directives go in /etc/ssh/sshd_config):

1. Only use SSH protocol version 2

Protocol 2                -- current OpenSSH releases speak only version 2, so the directive is harmless there
ListenAddress x.x.x.x     -- if a VPN provides the management path, bind sshd to the internal address only

2. Restrict which users may log in (space-separated lists; * and ? wildcards and user@host patterns are allowed):

AllowUsers user01 root    -- only these users may log in via SSH (with PermitRootLogin no, listing root here has no effect)
DenyUsers user02 user03   -- or deny named users; the group-based equivalents are:
DenyGroups
AllowGroups

sshd evaluates these in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.

3. Configure an idle timeout so that idle sessions are disconnected

The simplest way is the shell variable TMOUT (for example export TMOUT=600 in /etc/profile, made readonly so users cannot unset it). sshd's ClientAliveInterval/ClientAliveCountMax only drop dead connections; they do not time out an idle interactive shell.

4. Do not let the administrator log in over SSH directly:

PermitRootLogin no        -- log in as an ordinary user, then raise privileges with su/sudo

5. Change the default listening port and address

Port 5589
ListenAddress 0.0.0.0     -- bind to the server's private address where you can; if sshd must listen on a public address, move it off port 22. That cuts log noise from scanners but is not a security boundary on its own.

6. Set strong passwords for accounts

# rpm -ivh expect-5.43.0-5.1.i386.rpm     -- mkpasswd ships with expect
# mkpasswd -l 128 -d 8 -C 15 -s 10
Sample output (a 128-character password):
Oml1_cu3fxivsqtotyu 'nk6tr (zhp1jcel_gxjnqederpx_1g4u] amtqst3igWXb-f2eqqqJohfjuzccdC.coMok7Abvtjfzej & vfvftblgbmwmijqh. W & acegjrqwqq

-l  password length
-d  minimum number of digits
-C  minimum number of uppercase letters
-s  minimum number of special characters
(-c sets the minimum number of lowercase letters)

7. Key-pair authentication:

# ssh-keygen -t rsa
# ssh-copy-id -i ~/.ssh/id_rsa.pub user@host     -- user@host is a placeholder for the target account and server

Once key logins work for every administrator, set PasswordAuthentication no; a brute-force attack then has nothing to guess.


8. Use iptables to slow down SSH brute-force attempts:

Allow only three new connections per minute to the SSH port (with a burst of three); beyond that, new connections are dropped.

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Caveat: the limit match counts all sources together, so a single attacker hammering port 22 also locks out legitimate administrators. The recent match (-m recent --set on the first packet, -m recent --update --seconds 60 --hitcount 4 to drop) limits per source address instead.

9. Reduce the number of password attempts per connection:

MaxAuthTries 3     -- failed authentication attempts allowed per connection

TCP wrappers + bash script (block a source address once its failed attempts reach a limit):

last      -- login history of all users (/var/log/wtmp)
lastlog   -- last login time of each user
lastb     -- failed login records (/var/log/btmp)

Use a script to pick out the addresses brute-forcing sshd: any address with more than three failed SSH logins is written to /etc/hosts.deny, and an address must not be added twice.

Run the script every 10 minutes (from cron).

lastb works like last, but by default it reads /var/log/btmp, which records all bad login attempts.

# lastb -i -a | grep ssh | awk '{print $NF}' | sort | uniq -c | awk '$1 > 3 {print $2}'

The sort is required: uniq -c only collapses adjacent duplicates, so without it one address with scattered failures is counted as several. Note that hosts.deny only takes effect where sshd is built against libwrap; OpenSSH 6.7 and later dropped TCP wrappers support, so on current systems the same list must be fed to the firewall instead.
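The pipeline above is the core of the task, but the requirements also ask for a script that runs unattended and never adds an address twice. The script below is an added example, not code from the original post: it parses lastb -a -i output (a constructed sample using RFC 5737 test addresses, not real login records), counts failed SSH logins per source address, and appends an sshd: line to the deny file only when that address is not already there. The function names, threshold and the DENY_FILE override are this example's own.

```shell
#!/bin/bash
# Added example (not from the original post): complete the lastb pipeline into a
# cron-ready script. Counts failed SSH logins per source address in `lastb -a -i`
# output and appends "sshd: <ip>" to the deny file once per address.
export LC_ALL=C
THRESHOLD=3
DENY_FILE=${DENY_FILE:-/etc/hosts.deny}   # override for testing on a scratch file

# Constructed sample of `lastb -a -i` output (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts). ssh failures are logged on "ssh:notty";
# the tty1 line and the trailing "btmp begins" footer must be ignored.
SAMPLE='root     ssh:notty    Mon Jan  1 10:00 - 10:00  (00:00)     203.0.113.5
admin    ssh:notty    Mon Jan  1 10:01 - 10:01  (00:00)     203.0.113.5
root     ssh:notty    Mon Jan  1 10:02 - 10:02  (00:00)     198.51.100.7
root     ssh:notty    Mon Jan  1 10:03 - 10:03  (00:00)     203.0.113.5
test     ssh:notty    Mon Jan  1 10:04 - 10:04  (00:00)     203.0.113.5
root     tty1         Mon Jan  1 10:05 - 10:05  (00:00)     0.0.0.0

btmp begins Mon Jan  1 09:00:00 2024'

# Print source addresses with more than $2 failed SSH logins in the lastb text $1.
# sort before uniq -c is essential: uniq only merges adjacent lines.
offenders() {
  printf '%s\n' "$1" | awk '$2 == "ssh:notty" { print $NF }' | sort | uniq -c \
    | awk -v t="$2" '$1 > t { print $2 }'
}

# Append "sshd: <ip>" to file $1 for each following address not already listed;
# prints the addresses actually added so a cron job can mail a summary.
update_hosts_deny() {
  file="$1"; shift
  for ip in "$@"; do
    if ! grep -qxF "sshd: $ip" "$file" 2>/dev/null; then
      echo "sshd: $ip" >> "$file"
      echo "$ip"
    fi
  done
}

# Live run (as root). Install with: */10 * * * * /root/ssh_deny.sh
#   update_hosts_deny "$DENY_FILE" $(offenders "$(lastb -a -i)" "$THRESHOLD")
```

With the sample, only 203.0.113.5 crosses the threshold (four failures); 198.51.100.7 has one. The second call for the same address adds nothing, which is what keeps hosts.deny free of duplicates across cron runs. Because btmp keeps growing, an address stays blocked until the file is rotated; if that is too long, rotate btmp more often or switch to per-source firewall rules with an expiry.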


This article is from the "O&M! Liberation!" blog; reprinting is declined.
