Introduction to 25 Linux Server Security Tips

Source: Internet
Author: User
Tags auth config system log ssh password protection port number

Everyone says Linux is secure by default, and I generally agree, although this is a debatable topic. Linux does ship with a built-in security model, but you need to enable it and tune it to get a more secure system. Linux is harder to manage, but it is also more flexible and offers more configuration options.

Making production systems secure and resistant to crackers and hackers has always been a challenge for system administrators. This article introduces 25 useful tips and tricks that help you make your Linux system more secure. Hopefully they will help you improve the security of your systems.

1. Security of physical systems

In the BIOS, disable booting from CD/DVD, external devices and the floppy drive. Then set a BIOS password and enable GRUB password protection, so that someone with physical access to the machine cannot simply boot their own media or edit the boot entries.

2. Disk Partitioning

It is important to use separate partitions, which protects data better in case of a disaster. By splitting data across partitions it is grouped and isolated: when an accident occurs, only the data on the affected partition is damaged and the data on the other partitions survives. You should have at least the following partitions, and third-party programs are best installed under a separate file system, /opt.

/

/boot

/usr

/var

/home

/tmp

/opt

3. Minimum package installation, minimum vulnerability

Do you really need all those services installed? It is recommended not to install packages you do not need, so that vulnerabilities in them cannot affect you. This minimises risk, because a vulnerability in one service can compromise the others. Find unused services and remove or stop them. Use the 'chkconfig' command to list all services that run at run level 3.

# /sbin/chkconfig --list | grep '3:on'

When you find that an unwanted service is running, use the following command to stop the service.

# chkconfig ServiceName off

Use your package manager, yum on RPM-based systems or apt-get on Debian-based systems, to list the installed packages, and remove the ones you do not need with the following commands.

# yum -y remove package-name

# sudo apt-get remove package-name

4. Check the network listening port

With the network command 'netstat' you can see all open ports and the programs listening on them. Use the 'chkconfig' command mentioned above to turn off unwanted network services.

# netstat -tulpn
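As an added example (not code from the original article), the following shell function compares that netstat output against an allowlist of expected ports and reports everything else that listens on a network-reachable address; the sample output and the function name are constructed for the example.

```shell
# Constructed sample in the layout of `netstat -tulpn` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      930/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1011/httpd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1200/Xorg
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/rpcbind'

# Prints "proto port pid/program" for every socket that listens on a non-loopback
# address and whose port is not in the space-separated allowlist given as $1.
# Usage: netstat -tulpn | unexpected_listeners "22 80"
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)6?$/ { next }             # skip banner and header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }     # tcp: only listening sockets
        {
            n = split($4, addr, ":"); port = addr[n]        # last field after ":" is the port (works for :::22 too)
            if (addr[1] ~ /^127\./ || $4 ~ /^::1:/) next    # bound to loopback only: not reachable from the network
            prog = ($1 ~ /^tcp/) ? $7 : $6                  # udp lines have no State column
            if (!(port in ok)) print $1, port, prog
        }'
}
```

Anything the function prints is either a service to stop with chkconfig, a service that should bind to 127.0.0.1 only, or a port to add to the allowlist on purpose.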

5. Use SSH (Secure Shell)

The Telnet and rlogin protocols transmit everything, including credentials, in plain text and offer no encryption, which opens the door to eavesdropping. SSH is a secure protocol that encrypts the communication between the client and the server.

Never log in as root directly unless it is really necessary; use sudo to run privileged commands. sudo is configured in the /etc/sudoers file, which should be edited with the 'visudo' tool: it opens the file in the vi editor and checks the syntax before saving it.

It is also recommended to change the default SSH port 22 to a higher port number. Open the main SSH configuration file and make the following changes to restrict who can log in.

# vi /etc/ssh/sshd_config

Disable root login:

PermitRootLogin no

Allow only specific users:

AllowUsers username

Use version 2 of the SSH protocol only:

Protocol 2
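As an added example (not part of the original article), this shell script audits an sshd_config against the settings above. It follows the sshd(8) rules that keywords are case-insensitive and that the first occurrence of a keyword wins, and it stops at the first Match block; the sample configuration and the function names are constructed.

```shell
# Constructed sshd_config fragment (not from a real host): note the commented-out
# default, the duplicate PermitRootLogin and the mixed-case keyword.
SAMPLE_SSHD_CONFIG='# Default Port 22
Port 2222
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
AllowUsers deploy ops
Protocol 2'

# Effective value of one keyword: keywords are case-insensitive, the FIRST
# non-comment occurrence wins, and lines after "Match" only apply conditionally.
# Usage: sshd_effective Keyword < sshd_config
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        tolower($1) == "match" { exit }                    # conditional section starts: stop
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword, keep the value
            print; exit
        }'
}

# Prints one "FAIL ..." line per deviation from the hardening above and returns 1
# if anything failed. Usage: audit_sshd < /etc/ssh/sshd_config
audit_sshd() {
    cfg=$(cat); rc=0
    root=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    proto=$(printf '%s\n' "$cfg" | sshd_effective Protocol)
    users=$(printf '%s\n' "$cfg" | sshd_effective AllowUsers)
    port=$(printf '%s\n' "$cfg" | sshd_effective Port)
    [ "$root" = "no" ]     || { echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; }
    [ "$proto" = "2" ]     || { echo "FAIL Protocol=${proto:-unset}"; rc=1; }
    [ -n "$users" ]        || { echo "FAIL AllowUsers is not set"; rc=1; }
    [ "${port:-22}" != 22 ] || { echo "FAIL Port=${port:-22 (default)}"; rc=1; }   # sshd defaults to 22 when unset
    return $rc
}
```

Run it as `audit_sshd < /etc/ssh/sshd_config` after every change and before restarting sshd; a later duplicate line, as in the sample, is silently ignored by sshd, which is exactly the mistake the first-match rule catches.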

6. Ensure the system is up to date

Always make sure the system has the latest patches, security fixes and the available kernel updates installed.

# yum update

# yum check-update

7. Lock Cron Task

cron has a built-in feature that lets you define who may and may not run jobs. It is controlled through two files, /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, add the user name to cron.deny; to allow a user to run cron jobs, add the name to cron.allow. If cron.allow exists, only the users listed in it may use cron and cron.deny is ignored. To prevent all users from using cron, add "ALL" as a line in cron.deny.

# echo ALL >> /etc/cron.deny

8. Prohibit USB detection

In many cases we want to restrict the use of USB devices to protect the system and prevent data leakage. Create a file '/etc/modprobe.d/no-usb' (newer versions of modprobe only read files with a .conf suffix) containing the following line, which prevents the usb-storage kernel module from being loaded.

install usb-storage /bin/true

9. Open SELinux

SELinux (Security-Enhanced Linux) is a mandatory access control mechanism provided by the Linux kernel. Disabling SELinux removes that layer of protection. Think carefully before turning it off, especially if the system is on a network and reachable from the Internet; such a system deserves extra attention.

SELinux has three basic operating modes:

Enforcing: the default mode; SELinux is enabled and its security policy is enforced.

Permissive: SELinux does not enforce the policy, it only warns and logs. This mode is useful when troubleshooting SELinux-related problems.

Disabled: SELinux is turned off.

You can check the current SELinux status with the 'system-config-selinux', 'getenforce' or 'sestatus' commands.

# sestatus

If SELinux is in permissive mode, switch it to enforcing with the following command.

# setenforce Enforcing

Use the configuration file '/etc/selinux/config' (the SELINUX= line) to make the mode persistent across reboots. If SELinux is disabled, setenforce cannot turn it on; set SELINUX=enforcing in that file and reboot.

10. Remove KDE or GNOME desktop

There is no need to run an X Window desktop such as KDE or GNOME on a dedicated LAMP server. Remove or disable it to improve security and performance. To disable the desktop, edit /etc/inittab and set the default run level to 3. To remove it from the system completely, use the following command:

# yum groupremove "X Window System"

11. Close IPv6

If you do not use the IPv6 protocol, disable it: most applications and policies do not use IPv6, and the server does not currently require it. Turn it off by adding the following lines to the network configuration file.

# vi /etc/sysconfig/network

NETWORKING_IPV6=no

IPV6INIT=no

12. Restrict users from using old passwords

This is useful if you do not want users to reuse their old passwords. The old passwords are kept in /etc/security/opasswd. The restriction is implemented with the pam_unix PAM module.

On RHEL/CentOS/Fedora, open the '/etc/pam.d/system-auth' file.

# vi /etc/pam.d/system-auth

On Ubuntu/Debian/Linux Mint, open the '/etc/pam.d/common-password' file.

# vi /etc/pam.d/common-password

Add the following line to the 'auth' section.

auth sufficient pam_unix.so likeauth nullok

Add the following line to the 'password' section to prevent users from reusing their last 5 passwords.

password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5

The server remembers only the last 5 passwords. If a user tries to set any of those 5 old passwords again, the following error message appears.

Password has been already used. Choose another.

13. How to check the user password expires?

In Linux, user passwords are stored in hashed form in the '/etc/shadow' file. To check whether a user's password has expired, use the 'chage' command. It shows when the password was last changed and the password aging details, which are what the system uses to decide whether a user must change their password.

To view the aging information of an existing user, such as the expiry date and the validity period, use the following command.

# chage -l username

To change the password aging of a user, use the following commands.

# chage -M 60 username

# chage -M 60 -m 7 -W 7 username

Parameters:

-M  the maximum number of days a password stays valid

-m  the minimum number of days between password changes

-W  the number of days of warning before the password expires

14. Manually lock or Unlock user accounts

Locking and unlocking accounts is very useful: you can lock an account for a week or a month instead of removing it from the system. Use the following command to lock a specific user.

# passwd -l AccountName

Tip: the locked user is still visible to root. The lock works by prefixing the hashed password in /etc/shadow with (!), so the password can no longer be used. If someone tries to log in to this account, they get an error similar to the following.

# su - accountname

This account is currently not available.

To unlock a locked account, use the following command. It removes the (!) prefix and restores the original password.

# passwd -u AccountName

15. Enhanced Password

A significant number of users choose very weak passwords that can be broken with dictionary or brute-force attacks. The 'pam_cracklib' PAM module forces users to set complex passwords. Open the following file in an editor.

# vi /etc/pam.d/system-auth

Add the following line to the file. The credit parameters (lcredit, ucredit, dcredit and ocredit for lowercase letters, uppercase letters, digits and other characters) set, when negative, the minimum number of characters of that class the password must contain.

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
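As an added example (not code from the original article or from pam_cracklib), here is a shell function that reproduces the length and credit arithmetic of the line above, generalised to positive credits as well: a negative credit is a minimum count for that class, a non-negative credit lets up to that many characters of the class count extra towards minlen. cracklib's dictionary, palindrome and similarity checks are not reproduced; the function names are constructed.

```shell
# Policy values taken from the pam_cracklib line above.
MINLEN=8; LCREDIT=-1; UCREDIT=-2; DCREDIT=-2; OCREDIT=-1

# Number of characters of the password ($1) in the tr class ($2), or outside [a-zA-Z0-9].
count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }
count_other() { printf '%s' "$1" | tr -d 'a-zA-Z0-9' | wc -c | tr -d ' '; }

# Applies one credit setting ($2) to a class count ($1): prints the credit earned,
# or "short" when a negative credit (a minimum) is not met.
credit_for() {
    if [ "$2" -lt 0 ]; then
        [ "$1" -ge $(( 0 - $2 )) ] && echo 0 || echo short
    else
        [ "$1" -lt "$2" ] && echo "$1" || echo "$2"     # capped at the credit value
    fi
}

# Prints "accepted" and returns 0 when $1 satisfies the policy, otherwise prints
# the reason and returns 1.
check_password_policy() {
    pw=$1; total=${#pw}
    for spec in "a-z $LCREDIT lowercase" "A-Z $UCREDIT uppercase" "0-9 $DCREDIT digit" "other $OCREDIT other"; do
        set -- $spec                      # $1 = class, $2 = credit, $3 = name
        if [ "$1" = other ]; then n=$(count_other "$pw"); else n=$(count_class "$pw" "$1"); fi
        c=$(credit_for "$n" "$2")
        if [ "$c" = short ]; then echo "rejected: needs at least $(( 0 - $2 )) $3 character(s)"; return 1; fi
        total=$(( total + c ))
    done
    [ "$total" -ge "$MINLEN" ] || { echo "rejected: effective length $total < $MINLEN"; return 1; }
    echo accepted
}
```

Useful for checking, before rolling a policy out, which of your existing password rules it would actually reject.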

16. Enable Iptable (firewall)

It is highly recommended to enable the Linux firewall to block unauthorised access. Use iptables rules to filter inbound, outbound and forwarded packets; you can allow or deny specific TCP/UDP ports for given source and destination addresses.
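As an added example (not from the original article), this shell function prints a minimal default-deny iptables rule set for a server that exposes SSH on a non-standard port plus a few service ports; the function name and the port choices are constructed. It prints the commands rather than running them so that the result can be reviewed first.

```shell
# Prints a default-deny INPUT rule set: SSH on port $1, extra TCP ports in $2 (e.g. "80 443").
# Usage: firewall_rules 2222 "80 443" | sh
firewall_rules() {
    ssh_port=$1; tcp_ports=$2
    echo "iptables -P INPUT ACCEPT"     # keep the policy open while the chain is rebuilt, so a remote session survives
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Rate-limit NEW SSH connections (overall, not per source) to slow down password guessing.
    echo "iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT"
    for p in $tcp_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Log (rate-limited) what is about to be dropped, then close the default policy last.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'iptables-drop: '"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
}
```

OUTPUT is left at its default ACCEPT policy; persist the result with your distribution's mechanism (for example iptables-save) or it is lost at reboot.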

17. Prohibit Ctrl+alt+delete reboot

In most Linux distributions, pressing 'Ctrl-Alt-Delete' reboots the system. On a production server this is not good practice, because an accidental key press takes the server down.

The setting is in the '/etc/inittab' file; open it and you will see a section similar to the one below. By default the 'ca' line is active; comment it out so that this key combination no longer reboots the system.

# Trap CTRL-ALT-DELETE

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

18. Check the blank password account

Any account with an empty password can be used by anyone on the network to log in, which is a security threat to the Linux server. So make sure every user has a strong password and that no unnecessary privileged accounts exist. Empty-password accounts are a security risk and are easy to take over. Use the following command to check whether any account has an empty password.

# awk -F: '($2 == "") {print $1}' /etc/shadow
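As an added example (not code from the original article), the following shell function extends that awk one-liner into a small audit of /etc/shadow that also covers the aging and locking topics of tips 13 and 14: it reports empty passwords, accounts locked with passwd -l, passwords that never expire and passwords already past their maximum age. The sample shadow lines, hashes and the function name are constructed; "today" is passed in as a day number so the result is reproducible.

```shell
# Constructed /etc/shadow lines (not from a real system). Day numbers count days since
# 1970-01-01, as in the real file. Fields: name:hash:lastchange:min:max:warn:inactive:expire
SAMPLE_SHADOW='root:$6$constructedhash$abc:19700:0:99999:7:::
alice:$6$constructedhash$def:19600:7:60:7:::
bob::19700:0:99999:7:::
carol:!$6$constructedhash$ghi:19650:0:90:7:::
dave:*:19000:0:99999:7:::
erin:$6$constructedhash$jkl:19690:7:90:14:::'

# Reports accounts with an empty password, a locked password, a password that never
# expires, or a password already expired on day $1 (today as days since the epoch,
# i.e. $(( $(date +%s) / 86400 ))). Usage: shadow_audit TODAY < /etc/shadow
shadow_audit() {
    awk -F: -v today="$1" '
        $2 == ""                 { print $1 ": EMPTY password (login without a password)"; next }
        $2 == "*" || $2 == "!!"  { next }     # system account or password never set
        $2 ~ /^!/                { print $1 ": locked (passwd -l)"; next }
        $5 == "" || $5 >= 99999  { print $1 ": password never expires (chage -M not set)"; next }
        ($3 + $5) < today        { print $1 ": password expired " (today - $3 - $5) " day(s) ago" }
    '
}
```

Run it as root, since /etc/shadow is not world-readable; on some distributions passwd -l writes "!!" instead of "!" in front of the hash, which the locked rule also matches.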

19. Show SSH prompts before login

Showing a legal warning and security notice before SSH authentication is a good idea. In sshd_config, the 'Banner' option names the file whose contents are displayed to the client before login.

20. Monitoring user Behavior

If you have many users, it is important to collect information about what each user does and how many resources their processes consume, so that you can later analyse performance and security issues per user.

But how do you monitor and collect that information?

Two very useful tools, 'psacct' and 'acct', monitor user activity and processes on the system. They run in the background and continuously record what each user does and the resources consumed by services such as Apache, MySQL, SSH, FTP and so on.

21. Check the log regularly

Moving logs to a dedicated log server prevents intruders from easily tampering with the local logs. The following are the default log files on common Linux systems and what they are for:

/var/log/messages – general system log and current activity log.

/var/log/auth.log – authentication log.

/var/log/kern.log – kernel log.

/var/log/cron.log – crond log (cron jobs).

/var/log/maillog – mail server log.

/var/log/boot.log – system boot log.

/var/log/mysqld.log – MySQL database server log.

/var/log/secure – authentication log (RHEL/CentOS).

/var/log/utmp or /var/log/wtmp – login records.

/var/log/yum.log – yum log.
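As an added example of the kind of check worth running over the authentication log (not from the original article), the following shell function counts failed SSH logins per source address and flags any source that later got an accepted login after failures. The log lines, addresses and the function name are constructed; real lines from /var/log/secure or /var/log/auth.log have the same sshd format.

```shell
# Constructed auth log excerpt (documentation addresses, not a real incident).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 web1 sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Mar  3 10:01:24 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:02:02 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:05:41 web1 sshd[2230]: Failed password for deploy from 198.51.100.20 port 40031 ssh2
Mar  3 10:06:01 web1 sshd[2232]: Accepted password for root from 203.0.113.7 port 51302 ssh2
Mar  3 10:07:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart httpd'

# Prints "BRUTE ip n failed login(s)" for sources with at least $1 failures, and
# "ALERT ..." when a source is accepted after earlier failures (a guess that worked).
# Usage: ssh_bruteforce_report 3 < /var/log/secure
ssh_bruteforce_report() {
    awk -v threshold="$1" '
        # In both message forms the source IP is the 4th field from the end ("from IP port N ssh2").
        / sshd\[[0-9]+\]: Failed password for / { fails[$(NF-3)]++ }
        / sshd\[[0-9]+\]: Accepted / && fails[$(NF-3)] > 0 {
            ip = $(NF-3); print "ALERT " ip " accepted " $(NF-5) " after " fails[ip] " failure(s)"
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print "BRUTE " ip " " fails[ip] " failed login(s)" }
    '
}
```

An ALERT line for root is exactly the case the PermitRootLogin and AllowUsers settings from tip 5 are meant to make impossible.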

22. Important File Backup

In a production environment it is necessary to back up important files for disaster recovery, and to keep the backups in a secure remote tape vault, at a remote site or on an off-site hard drive.

23. NIC Bonding

There are two bonding modes commonly used when bonding interfaces.

mode=0 – round-robin mode

mode=1 – active/backup mode

NIC bonding helps avoid a single point of failure. Two or more network interfaces are bonded into one virtual interface that carries the IP address and the sessions with other servers, so the network stays available when one NIC fails or becomes unavailable for another reason.

24. Keep/boot Read-only

The Linux kernel and its related files live under /boot, which is mounted read-write by default. Mounting it read-only reduces the risk of unauthorised modification of critical boot files.

# vi /etc/fstab

Add the following line at the end of the file and save it.

LABEL=/boot /boot ext2 defaults,ro 1 2

If you need to upgrade the kernel later, remount /boot read-write first (mount -o remount,rw /boot) and switch it back to read-only afterwards.

25. Ignore ICMP and broadcast requests

Add the following lines to /etc/sysctl.conf to ignore ping and broadcast requests. Keep in mind that ignoring all echo requests also stops ping-based monitoring from reaching the server.

Ignore ICMP echo requests:

net.ipv4.icmp_echo_ignore_all = 1

Ignore broadcast requests:

net.ipv4.icmp_echo_ignore_broadcasts = 1

Run the following command to load the changes:

# sysctl -p
