In-depth analysis of Linux security hardening (1)

Source: Internet
Author: User

Linux system security cannot be ignored, but hardening a system is not easy. The author gives a brief introduction to in-depth security hardening for Linux systems.
Deep security hardening for Linux systems
Author: ayazero drdos@163.com
Personal web -- http://overflow.nease.net
Team's site -- http://ph4nt0m.net
Note: Some of the following may not apply to your situation; apply it with judgement.
1. Installation and upgrade
Use the latest Linux release you can. Unplug the network cable so the machine is physically disconnected before installation. Install in custom mode and choose a small set of packages; a server generally has no need for X Window. Add a password to the lilo/grub boot loader, and remember that a malicious user with physical access can bypass that restriction by booting the rescue mode of the Linux installation CD, so you also need to set a BIOS password or lock the server chassis. Put /var, /home, /usr, /root and other directories on separate physical partitions so that junk data and logs cannot fill up the disk and cause a DoS.
Give the root account a strong password.
Upgrade the system software with up2date or apt immediately after installation. Sometimes upgrading the kernel is also necessary, since some vulnerabilities are in the kernel itself. apt is the powerful package management tool of Debian GNU/Linux and can also be used on other Linux distributions.
2. Account
If there are many users on the system, edit /etc/login.defs to change the password policy.
Delete unnecessary accounts and groups from the system:
[root@ayazero /]# userdel -r username
If anonymous ftp is not enabled, you can delete the ftp account.
The safest way is to maintain the machine locally. Unfortunately that is not realistic, but you should still restrict remote access by root. The administrator can log in remotely with an ordinary account and then su to root; to improve security, we put the users allowed to su into the wheel group.
Add the following two lines at the top of /etc/pam.d/su:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Then put the users that are allowed to run su into the wheel group (GID 10 here):
[root@ayazero /]# usermod -G 10 admin
# -G replaces the user's supplementary groups; use -a -G to append wheel to the existing ones
Edit /etc/securetty and comment out every console on which root is allowed to log in remotely, and disable all console programs:
[root@ayazero /]# rm -f /etc/security/console.apps/servicename
Use encrypted ssh for login. If the administrator only logs in from a fixed terminal, restrict the addresses from which ssh clients are accepted, to prevent sniffing and man-in-the-middle attacks.
Set the command history file size to zero so that as little as possible of what you have done is recorded:
[root@ayazero /]# export HISTFILESIZE=0
# a zero-length history file keeps no record of the session
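The following script is an added example, not part of the original article: it checks whether the su restriction and console settings just described are actually in place. The function names, the sample files and the module path in the sample pam config (taken from the two lines above) are my own constructions; without arguments the check functions read the real /etc/pam.d/su, /etc/group and /etc/securetty.

```shell
#!/bin/sh
# Added example: verify the su-to-wheel restriction, list wheel members and
# show which terminals root may still log in on. The sample files below are
# constructed so the demo and test run anywhere without touching /etc.
# su_restricted_to_wheel [PAMFILE] -- succeed only if an uncommented line
# makes pam_wheel.so "required" with group=wheel.
su_restricted_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so.*group=wheel' \
        "${1:-/etc/pam.d/su}"
}
# wheel_members [GROUPFILE] -- print the members of the wheel group, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' \
        "${1:-/etc/group}"
}
# active_securetty_entries [FILE] -- print the terminals root may still log in on.
active_securetty_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "${1:-/etc/securetty}"
}
# Constructed sample files matching the configuration described in the text.
make_sample_pam_su() {
    f=$(mktemp)
    printf '%s\n' '#%PAM-1.0' \
        'auth sufficient /lib/security/pam_rootok.so debug' \
        'auth required /lib/security/pam_wheel.so group=wheel' > "$f"
    echo "$f"
}
make_sample_group() {
    f=$(mktemp)
    printf 'root:x:0:\nwheel:x:10:admin,ops\nusers:x:100:\n' > "$f"
    echo "$f"
}
make_sample_securetty() {
    f=$(mktemp)
    printf '# console only\ntty1\n#tty2\n\n#ttyS0\n' > "$f"
    echo "$f"
}
# Demo on the constructed samples: run the script with --demo.
if [ "${1:-}" = "--demo" ]; then
    p=$(make_sample_pam_su); g=$(make_sample_group); s=$(make_sample_securetty)
    su_restricted_to_wheel "$p" && echo "su restricted to wheel: yes"
    echo "wheel members: $(wheel_members "$g" | tr '\n' ' ')"
    echo "root login terminals: $(active_securetty_entries "$s" | tr '\n' ' ')"
    rm -f "$p" "$g" "$s"
fi
```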
3. Service
Follow the minimum service principle: comment out every service that is not needed.
In /etc/inetd.conf, put a "#" in front of the services that are not required. In later versions inetd is no longer used and has been replaced by xinetd. To stop services from starting automatically, go to /etc/rc.d/rc3.d and change the first letter of each unneeded service's link to lowercase, or change the services in the GUI started by the setup command.
If you want to keep it simple, you can use the /etc/hosts.allow and /etc/hosts.deny files. However, this article plans to use the iptables firewall, so they are not detailed here.
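As an added example (not from the original article), the script below applies the minimum service principle to an inetd.conf by commenting out every service that is not on an allowlist, which is the manual "#" step above done in bulk. The function names and the sample inetd.conf are my own constructions; point the function at a copy of the real file before editing it in place.

```shell
#!/bin/sh
# Added example: comment out every inetd.conf service not on an allowlist.
# It edits the file it is given, so work on a copy first; the demo and test
# use a constructed sample, never the real /etc/inetd.conf.
# disable_inetd_services FILE SERVICE... -- comment out every active service
# line whose first field is not one of SERVICE...; prints how many it disabled.
disable_inetd_services() {
    file=$1; shift
    keep=" $* "
    tmp=$(mktemp)
    disabled=0
    while IFS= read -r line; do
        trimmed=${line#"${line%%[![:space:]]*}"}     # drop leading whitespace
        case $trimmed in
            ''|'#'*) printf '%s\n' "$line" ;;        # blank or already commented
            *)
                name=${trimmed%%[[:space:]]*}        # first field is the service
                case $keep in
                    *" $name "*) printf '%s\n' "$line" ;;
                    *) printf '#%s\n' "$line"; disabled=$((disabled + 1)) ;;
                esac ;;
        esac
    done < "$file" > "$tmp"
    cat "$tmp" > "$file"                             # keeps the file's own mode/owner
    rm -f "$tmp"
    echo "$disabled"
}
# enabled_inetd_services FILE -- print the services still active, space-separated.
enabled_inetd_services() {
    awk '!/^[[:space:]]*(#|$)/ { printf "%s%s", s, $1; s = " " } END { print "" }' "$1"
}
# Constructed sample inetd.conf for the demo and test.
make_sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
EOF
    echo "$f"
}
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_inetd_conf)
    echo "disabled $(disable_inetd_services "$f" ssh ftp); enabled: $(enabled_inetd_services "$f")"
    rm -f "$f"
fi
```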
4. File System Permissions
Find all programs on the system with the "s" bit set, remove the "s" bit where it is not needed, or delete the unneeded programs outright:
[root@ayazero /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
[root@ayazero /]# chmod a-s filename
This prevents users from abusing such programs to escalate their privileges.
Give important files the immutable attribute:
[root@ayazero /]# chattr +i /etc/passwd
[root@ayazero /]# chattr +i /etc/shadow
[root@ayazero /]# chattr +i /etc/gshadow
[root@ayazero /]# chattr +i /etc/group
[root@ayazero /]# chattr +i /etc/inetd.conf
[root@ayazero /]# chattr +i /etc/httpd.conf
Apply this according to your actual needs. I suspect that intruders today know this command, but some overflow exploits write a line into inetd.conf that binds a shell to a listening port; with the immutable attribute set that write fails, and a superficial intruder will assume the overflow itself failed.
Find files on the system that have no owner or no group:
[root@ayazero /]# find / -nouser -o -nogroup
Find the files and directories that are writable by anyone:
[root@ayazero /]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
[root@ayazero /]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
This prevents an intruder from writing trojan statements into them (for example, a copy of a shell) or from inheriting the owner's permissions for unauthorized access.
Find and harden files that intruders are known to use, such as .rhosts.
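The script below is an added example (not from the original article) that bundles the four find checks of this section into one audit that can be pointed at any directory; it also skips sticky-bit directories such as /tmp, which are expected to be world-writable. The function names and the constructed sample tree are my own; run it as root against / for a real audit.

```shell
#!/bin/sh
# Added example: the setuid/setgid, writable, unowned and .rhosts checks of
# this section as one audit. The sample tree is constructed for the demo/test.
# Each check prints matching paths, one per line, and nothing else.
find_setid_files() {          # setuid or setgid files
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}
find_writable_files_dirs() {  # group- or world-writable, like the article's -perm -2 -o -perm -20
    find "$1" -xdev \( -type f -o \( -type d ! -perm -1000 \) \) \
        \( -perm -0002 -o -perm -0020 \) -print   # sticky dirs such as /tmp are expected
}
find_unowned() {              # owner or group missing from passwd/group
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}
find_rhosts() {               # trust files that intruders plant or abuse
    find "$1" -xdev -type f \( -name .rhosts -o -name hosts.equiv \) -print
}
# count_check CHECK DIR -- number of paths CHECK reports under DIR.
count_check() { "$1" "$2" 2>/dev/null | wc -l | tr -d ' '; }
# audit_tree DIR -- one "check count" line per check; total_findings sums them.
audit_tree() {
    for check in find_setid_files find_writable_files_dirs find_unowned find_rhosts; do
        printf '%-26s %s\n' "$check" "$(count_check "$check" "$1")"
    done
}
total_findings() { audit_tree "$1" | awk '{ t += $2 } END { print t + 0 }'; }
# Constructed sample tree: one setuid tool, one world-writable file, one
# .rhosts file, and a sticky tmp directory that must not be reported.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/home/user" "$d/tmp"
    chmod 0755 "$d" "$d/bin" "$d/home" "$d/home/user"
    : > "$d/bin/safe";          chmod 0755 "$d/bin/safe"
    : > "$d/bin/suid_tool";     chmod 4755 "$d/bin/suid_tool"
    : > "$d/home/user/.rhosts"; chmod 0600 "$d/home/user/.rhosts"
    : > "$d/home/user/notes";   chmod 0666 "$d/home/user/notes"
    chmod 1777 "$d/tmp"
    echo "$d"
}
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree); audit_tree "$d"; echo "total: $(total_findings "$d")"; rm -rf "$d"
fi
```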
Edit /etc/security/limits.conf and add or change the following lines:
* hard core 0
* hard rss 5000
* hard nproc 20

