In-depth analysis of Linux system security reinforcement

Article Title: in-depth analysis of Linux system security reinforcement. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Linux system security cannot be ignored. However, system reinforcement is not very easy. The author briefly introduces the in-depth security reinforcement for Linux systems.
　　
★Deep security reinforcement for Linux systems
　　
Author: ayazero drdos@163.com
Personal web -- http://overflow.nease.net
Team's site -- http://ph4nt0m.net
　　
Note: The following content may not apply to some occasions. Please check your account
　　
　　 1. Installation and upgrade
Try to use the latest Linux release version. Unplug the network cable and disconnect the physical connection before installation. During installation, we recommend that you install software packages in the custom mode with a small number of packages, generally, there is no need to install X-windows on the server. Add password restrictions to the lilo/grub boot loader to prevent malicious users who are physically exposed from skipping this restriction because of the rescue mode of the Linux installation CD, therefore, you need to add a password to the bios or lock the server chassis/var,/home,/usr,/root and other directories with independent physical partitions to prevent the hard disk from filling up junk data and logs. o. S attack.
　　
The root account gives a strong password.
　　
Upgrade the system software with up2date or apt immediately after installation. Sometimes upgrading the kernel is also necessary, because of kernel problems, Apt is also a powerful package management tool in Debian GNU Linux and can be used in other versions of Linux.
　　
　　 2. Account
If there are many users in the system, you can edit/etc/login. defs and change the password policy.
　　
Delete unnecessary accounts and groups in the system,
[Root @ ayazero/] # userdel-r username
　　
If anonymous ftp is not enabled, you can delete the ftp account.
　　
The safest way is local maintenance. Unfortunately, it is not realistic, but you still need to restrict the remote access of the root user. The administrator can log on remotely with an ordinary account and then su to the root user, we can add su users to the wheel group to improve security.
　　
Add the following two lines to the header of the/etc/pam. d/su file:
Auth sufficient/lib/security/pam_rootok.so debug
Auth required/lib/security/pam_wheel.so group = wheel
　　
Then, put the users that can execute su into the wheel group.
[Root @ ayazero/] # usermod-G10 admin
　　
Edit/etc/securetty, comment out all the consoles that allow remote root logon, and disable all console programs, [root @ ayazero/] # rm-f/etc/security/console. apps/servicename
　　
Encrypted ssh is used for login. If the Administrator only logs on from a fixed terminal, the range of valid ssh clients should be limited to prevent sniffing and man-in-the-middle attacks.
　　
Classify the command history as zero to hide what you have done as much as possible.
[Root @ ayazero/] # unset HISTFILESIZE
　　
　　 3. Service
Minimum service principle. all unnecessary services are commented out.
In/etc/inetd. add "#" to the services not required in conf. In later versions, the inetd is no longer available, but the Xinetd is replaced. Cancel the Automatic startup of the service and set/etc/rc. in d/rc3.d, the first letter of the service that does not need to be run is changed to lowercase, or the service changes in the GUI interface started by the setup command
　　
If you want to make it simple, you can use the/etc/host. allow,/etc/host. deny files. However, this article plans to use the iptables firewall, so we will not detail it here.
　　
　　 4. File System Permissions
Find all programs with "s" bits in the system, remove unnecessary "s" bits, or delete unnecessary ones directly.
[Root @ ayazero/] # find/-type f (-perm-04000-o-perm-02000)-exec ls-lg {}
[Root @ ayazero/] # chmod a-s filename
　　
Preventing abuse and elevation of permissions by users
　　
Add important files with unchangeable attributes
[Root @ ayazero/] # chattr + I/etc/passwd
[Root @ ayazero/] # chattr + I/etc/shadow
[Root @ ayazero/] # chattr + I/etc/gshadow
[Root @ ayazero/] # chattr + I/etc/group
[Root @ ayazero/] # chattr + I/etc/inetd. conf
[Root @ ayazero/] # chattr + I/etc/httpd. conf
...............................
Depending on the actual needs, I suspect that the current intruders know this command, and some exploit overflows to inetd. conf writes a statement to bind the shell to listen on a port. At this time, this command takes effect. The superficial intruders will think that the overflow will fail.
　　
Find the file without a master in the system:
[Root @ ayazero/] # find/-nouser-o-nogroup
　　
Find the files and directories with write permissions for anyone:
[Root @ ayazero/] # find/-type f (-perm-2-o-perm-20)-exec ls-lg {}
[Root @ ayazero/] # find/-type d (-perm-2-o-perm-20)-exec ls-ldg {}
　　
Prevent intruders from writing Trojan statements (such as a copy of a shell) to it or inheriting the master permission for illegal access
　　
Find and reinforce files that have been used by intruders, such as. rhosts
　　
Edit/etc/security/limits. conf and add or change the following lines:
* Hard core 0
* Hard rss 5000
* Hard nproc 20
　　
　　 5. Banner disguise
Intruders usually attack through the operating system, service, and application versions. The vulnerability list and attack programs are also classified based on this. Therefore, it is necessary to make some effort to increase the difficulty of intrusion.
　　
Change/etc/issue. Because reboot is reloaded, edit/ect/rc. d/rc. local
# This will overwrite/etc/issue at every boot. So, make any changes you
# Want to make to/etc/issue here or you will lose them when you reboot.
# Echo "">/etc/issue
# Echo "$ R">/etc/issue
# Echo "Kernel $ (uname-r) on $ a $ (uname-m)">/etc/issue
#
# Cp-f/etc/issue/etc/issue.net
# Echo>/etc/issue
Remove "#" before the preceding row
　　
Apache does not echo the version:
In the apache configuration file, find ServerTokens and ServerSignature direve VE and modify the default attributes:
# ServerTokens Full
ServerTokens Prod <----------
# ServerSignature On
ServerSignature Off <----------
　　
Modify uname
Find the uname. c source code and find the following line:
Print_element (PRINT_SYSNAME, name. sysname); // The operating system name, such as linux
Print_element (PRINT_NODENAME, name. nodename); // host name
Print_element (PRINT_RELEASE, name. release); // release version, for example, 2.4.20-18
Print_element (PRINT_VERSION, name. version );//
Print_element (PRINT_MACHINE, name. machine); // machine type, such as i686
Print_element (PRINT_PROCESSOR, processor); // processor type
　　
Can be modified
Print_element (PRINT_SYSNAME, "HP-UX ");
.......
Replace/bin/uname after compilation
　　
For modification of other services and programs, you can check the configuration file or source code. Otherwise, it will cause great trouble for system management.
　　
　　 6. Iptales firewall rules
Assume that our server server1 is running apache, sshd (sshd can be modified without running on the standard port) eth0 Nic is connected to the Internet, and eth1 is connected to the LAN, the Administrator logs on to server2 at home by dialing (the private network IP address is 192.168.0.12 ), log on to server1 [roor @ ayazero root] # iptables-a input-I eth1-s 192.168.0.12-p tcp -- dport 22-j ACCEPT to prevent IP spoofing, you can also bind server2 NIC address: sh-2.05b # iptables-a input-I eth1-s 192.168.0.12 -- mac-source 01: 68: 4B: 91: CC: b7-p tcp -- dport 22-j ACCEPT, but few intruders seem to be able to do this, and there is no value to exploit it.
　　
[Root @ ayazero root] # iptables-a input-I eth0-p tcp -- dport 80-j ACCEPT
[Root @ ayazero root] # iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
[Root @ ayazero root] # iptables-a input-j DROP
　　
Anyone who knows about the attack knows the wonderful combination of "port redirection + reverse Pipeline" to cross the firewall. This technique has been used too widely, the harm is very high against this difficult-to-defend attack, we must sacrifice some usability at the cost of [root @ ayazero root] # iptables-a output-o eth0-p tcp -- syn-j DROP rules above will block TCP from the inside out active connection In addition, it is also common to use tftp or other clients to obtain files in reverse direction. Because tftp and other tools depend on UDP, so now we need to completely erase it [root @ ayazero root] # iptables-a output-o eth0-p udp-j DROPPS: when updating the system and debugging the network, these two rules need to be removed temporarily because the essence of intrusion is to get the shell of the target operating system through the standard or non-standard port through the text or graphic interface. Therefore, this not only blocks the reverse pipeline itself, but also immune to a lot of intrusion Techniques For general system administrators, this is too harsh!
　　
Iptables attack Countermeasures
Syn-flood protection:
[Root @ ayazero foo] # iptables-a forward-p tcp -- syn-m limit -- limit 1/s-j ACCEPT
　　
Furtive port Detail:
[Root @ ayazero foo] # iptables-a forward-p tcp -- tcp-flags SYN, ACK, FIN, RST-m limit -- limit 1/s-j ACCEPT
　　
Ping of death:
[Root @ ayazero foo] # iptables-a forward-p icmp -- icmp-type echo-request-m limit -- limit 1/s-j ACCEPT
　　
In addition, iptables can be configured to allow some scanning behaviors, such as nmap failure rules. It should be noted that the firewall is not omnipotent. When an attacker is crazy enough, do not expect your firewall to withstand DDoS floods.
For more information about iptables, see Rusty Russell's Packet Filtering HOWTO.
　　
　　 7. Integrity Verification
Tripwire is a famous tool that helps you determine