Everyone says Linux is secure by default, and I broadly agree (although it is a controversial topic). Linux ships with a built-in security model, but you need to turn it on and tune it to get a genuinely hardened system. Linux is harder to administer, but it is also more flexible and offers more configuration options.
Making production systems more secure and keeping them free of hackers and crackers has always been a challenge for system administrators. This article introduces 25 useful tips and tricks for making your Linux system more secure. Hopefully they will help you improve your system's security.
1. Physical system security
Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Then set a BIOS password and protect GRUB with a password, so that someone with physical access cannot simply boot their own media or edit the boot entries to bypass the login.
2. Disk partitioning
Using separate partitions matters: it gives higher data safety when something goes wrong. By splitting data across partitions it is grouped and isolated, so if a file system fills up or is corrupted, only the data on the affected partition is lost and the other partitions survive. Separate partitions also let you apply restrictive mount options such as noexec, nosuid and nodev where they fit (for example on /tmp). You should have at least the following partitions, and third-party software is best installed on its own file system under /opt.
/
/boot
/usr
/var
/home
/tmp
/opt
3. Minimal package installation, minimal vulnerabilities
Do you really need every service installed? It is recommended not to install unneeded packages, so you are not exposed to vulnerabilities in software you never use. This minimizes risk, because a vulnerability in one service can compromise the others on the same host. Find and remove or stop unused services. On SysV-init systems, use the chkconfig command to list all services enabled in runlevel 3 (on systemd distributions the equivalent is systemctl list-unit-files --state=enabled).
# /sbin/chkconfig --list | grep '3:on'
When you find an unneeded service running, stop and disable it with:
# chkconfig serviceName off
Use the package manager (yum on RPM-based systems, apt-get on Debian-based ones) to list the installed packages and remove the ones you do not need:
# yum -y remove package-name
# sudo apt-get remove package-name
4. Check network listening ports
With the netstat command you can see all open ports and the programs behind them. Use the chkconfig command mentioned above to disable any network service you do not need. Anything listening on 0.0.0.0 or [::] is reachable from the network; services that only need local access should bind to 127.0.0.1 instead.
# netstat -tulpn
On current distributions netstat may be absent; ss -tulpn from iproute2 gives the same information (run it as root to see process names).
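As an added example (not part of the original article), the following shell script checks the output of ss -tulpn against an allowlist of ports you expect to be open and reports every non-loopback listener that is not on it, together with the owning process. The audit_listeners function and the sample ss output are constructed for this example; in practice you pipe the real command into the function.

```shell
# Audit listening sockets against an allowlist of ports. Reads `ss -tulpn`
# output on stdin and prints every non-loopback listener whose port is not
# allowed, with the owning process. Hypothetical helper for this example.
audit_listeners() {
  # usage: audit_listeners PORT...     e.g.  ss -tulpn | audit_listeners 22 443
  allow=" $* "
  awk -v allow="$allow" '
    NR == 1 { next }                                  # column header line
    {
      n = split($5, a, ":"); port = a[n]              # last colon separates the port
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next    # loopback only: not reachable remotely
      if (index(allow, " " port " ") > 0) next        # expected service
      proc = "?"
      if (match($0, /\(\("[^"]+"/))                   # users:(("sshd",pid=812,fd=3))
        proc = substr($0, RSTART + 3, RLENGTH - 4)
      print $1, port, addr, proc
    }'
}

# Constructed `ss -tulpn` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:25        0.0.0.0:*    users:(("master",pid=1044,fd=13))
tcp   LISTEN 0      128          0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=610,fd=4))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=610,fd=5))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=701,fd=5))'

# Only SSH is expected: the rpcbind listeners on 111/tcp and 111/udp are reported,
# the loopback-only postfix and chrony sockets are not.
printf '%s\n' "$SAMPLE_SS" | audit_listeners 22
```

Each reported line is a candidate for chkconfig ... off (or systemctl disable), for rebinding to 127.0.0.1, or for adding to the allowlist once you have confirmed it is wanted.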
5. Use SSH (Secure Shell)
Telnet and rlogin transmit everything, including passwords, in plain text and cannot be encrypted, which exposes you to eavesdropping. SSH is a secure protocol that encrypts the communication between client and server.
Never log in as root directly unless necessary. Log in as a normal user and use sudo to run privileged commands. sudo is configured in the /etc/sudoers file, which should be edited with the visudo tool: it opens the file in the vi editor and checks the syntax before saving, so a typo cannot lock you out of sudo.
Changing the default SSH port 22 to a higher port number is also commonly recommended; it cuts the noise from automated scanners in your logs, but it is obscurity rather than a security control, so do not rely on it. Open the main SSH configuration file and make the following changes to restrict access:
# vi /etc/ssh/sshd_config
Disable root login:
PermitRootLogin no
Allow only specific users:
AllowUsers username
Use only version 2 of the SSH protocol (current OpenSSH releases support only version 2 and treat this directive as deprecated, so it mainly matters on old servers):
Protocol 2
After editing, check the file with sshd -t and restart sshd, keeping your current session open until a new login succeeds.
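As an added example (not from the original article), the shell functions below apply the changes above to an sshd_config file safely: set_sshd_option replaces the first active occurrence of a directive, comments out later duplicates, and inserts the directive before the first Match block when it is absent, so a setting never lands inside a Match block by accident. harden_sshd is a hypothetical wrapper that sets the port, PermitRootLogin and AllowUsers as described, and goes one step beyond the page by also disabling password authentication, which assumes SSH keys are already deployed for the listed users. The sample sshd_config fragment is constructed, not taken from a real server.

```shell
# Idempotently set one sshd_config directive. Hypothetical helper written for
# this example, not OpenSSH tooling.
set_sshd_option() {
  file=$1; key=$2; value=$3
  awk -v k="$key" -v v="$value" '
    function first_word(s,   f) {
      sub(/^[ \t]+/, "", s); split(s, f, "[ \t=]+"); return tolower(f[1])
    }
    {
      w = first_word($0)
      if (w == "match") {                  # Match blocks scope what follows; keep ours global
        if (!done) { print k, v; done = 1 }
        in_match = 1
      }
      if (!in_match && w == tolower(k)) {
        if (done) print "#" $0             # later duplicate: sshd uses the first one anyway
        else { print k, v; done = 1 }
        next
      }
      print
    }
    END { if (!done) print k, v }
  ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Apply the hardening from this section: new port, no root login, explicit
# AllowUsers list and (beyond the page) no password authentication. Run
# `sshd -t` afterwards and keep an open session until a new login works.
harden_sshd() {
  file=$1; port=$2; users=$3
  cp -p "$file" "$file.bak"                           # rollback copy
  set_sshd_option "$file" Port "$port"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" AllowUsers "$users"
  set_sshd_option "$file" PasswordAuthentication no   # assumes keys are already deployed
}

# Constructed sshd_config fragment with the weak defaults (not a real server's file).
SAMPLE_SSHD='Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Match User backup
    PasswordAuthentication no'

demo=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD" > "$demo"
harden_sshd "$demo" 2222 "alice bob"
cat "$demo"                      # hardened file; the Match-scoped line is left alone
rm -f "$demo" "$demo.bak"
# On a real server: harden_sshd /etc/ssh/sshd_config 2222 "alice bob"; sshd -t; systemctl restart sshd
```

Writing the result back with cat rather than mv keeps the original file's owner and mode, which matters for a root-owned 0600 configuration file.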
6. Keep the system up to date
Always make sure the system has the latest patches, security fixes and available kernel installed. Kernel updates only take effect after a reboot.
# yum update
# yum check-update
7. Lock down cron
Cron has a built-in feature that lets you define who may and may not schedule jobs. This is controlled by two files, /etc/cron.allow and /etc/cron.deny. To block a user, add the name to cron.deny; to allow a user, add the name to cron.allow. Note that if cron.allow exists, only the users listed in it may use cron and cron.deny is ignored. To prevent all users from using cron, add ALL as a line in cron.deny:
# echo ALL >> /etc/cron.deny
These files only control the crontab command; system jobs in /etc/crontab and /etc/cron.d are not affected.
8. Disable USB storage detection
In many cases you want to stop users from using USB storage, to protect the system and prevent data leakage. Create the file /etc/modprobe.d/no-usb.conf (current modprobe ignores files in that directory whose names do not end in .conf) with the following line, which makes modprobe run /bin/true instead of loading the usb-storage module. A plain blacklist entry is not enough, because a blacklisted module can still be loaded explicitly; the install override blocks that too. If the module is already loaded, unload it with rmmod or reboot.
install usb-storage /bin/true
9. Turn on SELinux
SELinux (Security-Enhanced Linux) is a mandatory access control mechanism provided by the Linux kernel. Disabling SELinux removes that layer of protection from the system. Think carefully before getting rid of it, especially if the system is exposed to the network or reachable from the public internet.
SELinux has three basic modes:
Enforcing: the default mode, in which SELinux is enabled and its security policy is enforced.
Permissive: SELinux does not enforce the policy; it only logs and warns about violations. This mode is useful when troubleshooting SELinux-related problems.
Disabled: SELinux is turned off.
You can use the command line tools system-config-selinux, getenforce or sestatus to view the current SELinux status.
# sestatus
If it is in permissive mode, switch to enforcing with the following command:
# setenforce Enforcing
You can also set the mode permanently in the configuration file /etc/selinux/config (SELINUX=enforcing). Note that setenforce cannot turn SELinux on when it was disabled at boot: in that case edit the config file and reboot, which triggers a relabel of the file system.
10. Remove the KDE or GNOME desktop
There is no need to run an X Window desktop such as KDE or GNOME on a dedicated LAMP server. You can remove or disable it to improve security and performance. Open /etc/inittab and change the default runlevel to 3 to stop the desktop from starting (on systemd distributions, set the default target to multi-user.target instead). To remove it from the system entirely, run:
# yum groupremove "X Window System"
11. Disable IPv6
If you do not use IPv6, disable it, since most applications and policies on the server will not use it and it is not currently required. An enabled but unused IPv6 stack is mostly a problem when your firewall rules only cover IPv4, so if you keep IPv6, firewall it as well. On RHEL/CentOS systems that use the legacy network scripts, add the following lines to the network configuration file (newer systems use the sysctl key net.ipv6.conf.all.disable_ipv6 instead):
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no
12. Stop users reusing old passwords
This is useful when you do not want users to switch back to a previous password. Old password hashes are kept in /etc/security/opasswd. You can enforce this with PAM.
Open the /etc/pam.d/system-auth file on RHEL/CentOS/Fedora:
# vi /etc/pam.d/system-auth
Open the /etc/pam.d/common-password file on Ubuntu/Debian/Linux Mint:
# vi /etc/pam.d/common-password
Add the following line to the auth block:
auth sufficient pam_unix.so likeauth nullok
Add the following line to the password block to stop users reusing their last 5 passwords:
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5
Three caveats: nullok permits empty passwords, which section 18 warns against, so drop it unless you really need it; md5 selects a weak hash, so prefer sha512 on any system that supports it; and on recent distributions the remember= option belongs to the pam_pwhistory module rather than pam_unix, which deprecates it. The server remembers only the last 5 passwords. If a user tries to reuse one of them, they get the following error:
Password has been already used. Choose another.
13. How to check password expiry
In Linux, user passwords are stored in hashed form in /etc/shadow. To check whether a user's password has expired, use the chage command. It shows the date of the last password change and the password aging details, which are what the system uses to decide whether the user must change the password.
To view the aging information for an existing user, such as the expiry date and interval, run:
# chage -l username
To change a user's password aging, for example a maximum age of 60 days, a minimum of 7 days between changes and a 7-day warning, run:
# chage -M 60 -m 7 -W 7 username
Parameters:
-M sets the maximum number of days a password stays valid
-m sets the minimum number of days between password changes
-W sets the number of days of warning before the password expires
14. Manually lock or unlock user accounts
Locking and unlocking is very handy: you can lock an account for a week or a month instead of deleting it from the system. Use the following command to lock a specific user:
# passwd -l accountname
Tip: the lock is implemented by prefixing the user's password hash in /etc/shadow with a !, which invalidates it so password logins fail; the account and its files remain, and root can still switch to it with su. Locking the password does not affect SSH keys or other non-password logins, so for a full lock also expire the account (usermod --expiredate 1) or set its shell to /sbin/nologin. A user whose shell is /sbin/nologin sees this message when trying to get in:
# su - accountname
This account is currently not available.
To unlock a locked account, run the following command; it removes the ! from the stored hash:
# passwd -u accountname
15. Enforce stronger passwords
Many users choose very weak passwords that fall to dictionary or brute-force attacks. The pam_cracklib PAM module forces users to set a complex password (on recent distributions it has been replaced by pam_pwquality, which accepts the same options). Open the following file in an editor:
# vi /etc/pam.d/system-auth
Add a line like the following to the password section. The credit parameters (lcredit, ucredit, dcredit and ocredit for lowercase letters, uppercase letters, digits and other characters) are negative here, which means "require at least this many characters of that class"; positive values would instead count as credit towards minlen.
password required pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
16. Enable iptables (firewall)
It is strongly recommended to enable the Linux firewall to stop unauthorized access. Use iptables rules to filter inbound, outbound and forwarded packets; you can allow or deny specific TCP/UDP ports for given source and destination addresses. Start from a default-deny INPUT policy and open only the ports you need, and remember that IPv6 has its own table (ip6tables). Newer distributions front this with firewalld or nftables, but the model is the same.
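The section gives no rules, so here is an added example (not from the original article): a shell function that generates a minimal default-deny ruleset in iptables-restore format for a server that should expose only the listed TCP ports. make_iptables_rules is a hypothetical helper; the ruleset it emits uses only standard iptables syntax. Apply it as root with make_iptables_rules 22 443 | iptables-restore, from a console session or with a scheduled rollback in case you lock yourself out, and write a matching ip6tables ruleset if IPv6 is enabled (that one must also allow ICMPv6 for neighbour discovery).

```shell
# Emit an iptables-restore ruleset: drop inbound by default, allow loopback,
# replies to our own connections, rate-limited ping and only the given TCP
# ports. Dropped packets are logged (rate-limited) so blocked scans show up.
# Hypothetical helper written for this example.
make_iptables_rules() {
  # usage: make_iptables_rules TCP_PORT...    e.g. make_iptables_rules 22 443 | iptables-restore
  for p in "$@"; do
    case $p in *[!0-9]*|'') echo "invalid port: $p" >&2; return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
  done
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
  for p in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' \
    '-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: " --log-level 4' \
    'COMMIT'
}

# Web server reachable only on SSH and HTTPS; everything else inbound is dropped and logged.
make_iptables_rules 22 443
```

The weak alternative is the distribution default of ACCEPT on INPUT with no rules at all, which is exactly the state section 4's port audit tends to find. Persist the generated file with iptables-save (or your distribution's iptables-services / netfilter-persistent package) so the rules survive a reboot.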
17. Disable Ctrl+Alt+Delete reboots
On most Linux distributions, pressing Ctrl-Alt-Delete reboots the system. On a production server this is not good practice, because an accidental keypress takes the machine down.
This is configured in /etc/inittab. If you open the file you will see a section like the one below. The ca line is active by default; comment it out so the key combination no longer reboots the system. On systemd distributions, run systemctl mask ctrl-alt-del.target instead.
# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
18. Check for accounts with empty passwords
An account with an empty password can be used by anyone who reaches the login prompt, which is a real threat to a Linux server. Make sure every user has a strong password and that no account, privileged or not, has an empty one. Empty-password accounts are easy to take over. Use the following command to check whether any exist (the second field of /etc/shadow is the password hash; the file must be read as root):
# awk -F: '($2 == "") {print $1}' /etc/shadow
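As an added example that covers this check together with the password-aging and locking checks of sections 13 and 14, the following shell function audits /etc/shadow-style records in one pass: it flags empty passwords, locked (!) and disabled (*) hashes, expired or soon-to-expire passwords, and expired accounts. The function name, the sample records and the fixed "today" value of 19750 days since the epoch are constructed for the example; /etc/shadow stores its dates in days since 1970-01-01, which is why today is passed in that unit.

```shell
# Audit /etc/shadow records. Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# TODAY is days since the epoch so results are reproducible. Hypothetical helper.
audit_shadow() {
  # usage: audit_shadow TODAY < /etc/shadow     (reading the real file needs root)
  awk -F: -v today="$1" '
    {
      user = $1; hash = $2; last = $3; max = $5; warn = $6; expire = $8
      if (hash == "")                { print user, "EMPTY", "no password: anyone can log in as this user"; next }
      if (substr(hash, 1, 1) == "!") { print user, "LOCKED", "hash prefixed with ! (passwd -l)"; next }
      if (substr(hash, 1, 1) == "*") { print user, "DISABLED", "no valid hash: password login impossible"; next }
      if (expire != "" && expire + 0 < today) {
        print user, "ACCOUNT-EXPIRED", "account expired " (today - expire) " days ago"; next
      }
      if (last == "0")               { print user, "MUST-CHANGE", "password change forced at next login"; next }
      if (max == "" || max + 0 >= 99999) { print user, "OK", "password never expires"; next }
      due = last + max                           # day on which the password expires
      if (due < today)                  print user, "EXPIRED", "password expired " (today - due) " days ago"
      else if (due - today <= warn + 0) print user, "EXPIRING", "password expires in " (due - today) " days"
      else                              print user, "OK", "password expires in " (due - today) " days"
    }'
}

# Current date in the same unit /etc/shadow uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed shadow records (hashes are placeholders, not real password hashes).
SAMPLE_SHADOW='root:$6$saltsalt$h4sh:19700:0:99999:7:::
alice:$6$saltsalt$h4sh:19650:7:60:7:::
bob::19600:0:99999:7:::
svc:!$6$saltsalt$h4sh:19500:0:99999:7:::
daemon:*:18000:0:99999:7:::
carol:$6$saltsalt$h4sh:19665:0:90:7:::
dave:$6$saltsalt$h4sh:19700:0:99999:7::19740:'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 19750
# On a real system: audit_shadow "$(today_days)" < /etc/shadow
```

With today fixed at 19750, alice's password (last changed on day 19650, 60-day maximum) is reported as expired 40 days ago, carol's as expiring in 5 days, bob has no password at all, svc is locked, daemon is a disabled system account and dave's account expiry date has passed.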
19. Show an SSH banner before login
It is a good idea to show a legal warning before SSH authentication: set Banner /etc/issue.net in sshd_config and put the notice in that file. The banner is shown to everyone who connects, so it should not leak information such as the OS version.
20. Monitor user activity
If you have many users, collecting information about what each one does and what their processes consume is important. That data can then be analyzed for performance tuning and security issues.
But how do you monitor and collect information about user activity?
Two very useful tools, psacct and acct, monitor user activity and processes on the system. They run in the background and continuously record every user's commands and the resource consumption of each service, such as Apache, MySQL, SSH and FTP. The ac, lastcomm and sa commands query the data they collect.
21. Check logs regularly
Shipping logs to a dedicated log server stops an intruder from simply editing the local logs to cover their tracks. These are the default log files on common Linux systems and what they contain (on systemd distributions much of this is also in the journal, readable with journalctl):
/var/log/messages: general system log and current activity.
/var/log/auth.log: authentication log (Debian/Ubuntu).
/var/log/kern.log: kernel log.
/var/log/cron.log: crond log (cron jobs).
/var/log/maillog: mail server log.
/var/log/boot.log: system boot log.
/var/log/mysqld.log: MySQL database server log.
/var/log/secure: authentication log (RHEL/CentOS).
/var/log/utmp or /var/log/wtmp: login records (binary; read them with who and last).
/var/log/yum.log: yum log.
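As an added example of what regular log review looks like in practice, the shell functions below run simple detections over sshd and sudo entries from /var/log/auth.log or /var/log/secure: sources with repeated failed SSH password attempts, every accepted SSH login with its method, and every command executed through sudo. The functions and the sample log lines (using RFC 5737 documentation addresses) are constructed for this example and assume the traditional syslog line format; on journald systems feed them journalctl -u sshd output instead.

```shell
# Source IPs with at least THRESHOLD failed SSH password attempts, most active first.
ssh_bruteforce_sources() {
  # usage: ssh_bruteforce_sources THRESHOLD < auth.log
  awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed password/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort -k2,2nr
}

# Every accepted SSH login: method (password/publickey), user, source IP.
successful_logins() {
  awk '/sshd\[[0-9]+\]: Accepted/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "Accepted") { method = $(i + 1); user = $(i + 3) }
      else if ($i == "from") ip = $(i + 1)
    }
    print method, user, ip
  }'
}

# Commands run through sudo: invoking user, target user, full command line.
sudo_commands() {
  awk '$5 ~ /^sudo(\[[0-9]+\])?:$/ {
    user = $6; target = "?"; cmd = ""
    for (i = 7; i <= NF; i++) {
      if ($i ~ /^USER=/) target = substr($i, 6)
      if ($i ~ /^COMMAND=/) { cmd = substr($i, 9); for (j = i + 1; j <= NF; j++) cmd = cmd " " $j; break }
    }
    print user, target, cmd
  }'
}

# Constructed auth log excerpt (not captured from a real host).
SAMPLE_AUTH='Mar  3 10:01:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:20 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:01 web1 sshd[2220]: Accepted publickey for alice from 198.51.100.5 port 40112 ssh2: ED25519 SHA256:c0nstructedF1ngerpr1nt
Mar  3 10:02:44 web1 sshd[2230]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Mar  3 10:03:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:04:00 web1 sshd[2240]: Accepted password for bob from 198.51.100.9 port 40210 ssh2'

echo "== sources with 3 or more failed passwords =="
printf '%s\n' "$SAMPLE_AUTH" | ssh_bruteforce_sources 3
echo "== accepted logins =="
printf '%s\n' "$SAMPLE_AUTH" | successful_logins
echo "== sudo commands =="
printf '%s\n' "$SAMPLE_AUTH" | sudo_commands
# Real use: ssh_bruteforce_sources 10 < /var/log/auth.log
```

On the sample, 203.0.113.7 is the only source over the threshold; bob's single failure followed by an accepted password login is the pattern worth a second look, since it is what a successful guess looks like, and it is a reminder that section 5's PermitRootLogin no already neutralizes the attempts against root.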
22. Back up important files
In a production environment it is essential to back up important files for disaster recovery and to keep the copies in a secure remote tape vault, a remote site or an off-site disk. Test restores regularly; a backup that has never been restored is not a backup.
23. NIC bonding
Two bonding modes are commonly used for a bonded interface:
mode=0: round-robin
mode=1: active-backup
NIC bonding helps avoid a single point of failure. It combines two or more network adapters into one virtual interface that carries the IP address and the sessions with other servers, so the network stays available when one NIC fails or is otherwise unavailable.
24. Keep /boot read-only
The Linux kernel and its related files live under /boot, which is writable by default. Mounting it read-only reduces the risk of unauthorized modification of critical boot files.
# vi /etc/fstab
Change the /boot line (or add one at the end of the file) so that it reads like the following, and save:
LABEL=/boot /boot ext2 defaults,ro 1 2
Keep the file system type and identifier your system already uses (current installs typically use UUID= and ext4). If you need to upgrade the kernel or regenerate the initramfs later, remount it read-write first (mount -o remount,rw /boot) and switch it back to read-only afterwards.
25. Ignore ICMP echo and broadcast requests
Add the following lines to /etc/sysctl.conf to ignore ping and broadcast echo requests.
Ignore ICMP echo requests:
net.ipv4.icmp_echo_ignore_all = 1
Ignore broadcast echo requests (already the default on modern kernels):
net.ipv4.icmp_echo_ignore_broadcasts = 1
Bear in mind that ignoring all echo requests also breaks legitimate monitoring and troubleshooting with ping, and that the host stays discoverable through any open port, so the benefit is limited. Run the following to load the changes:
# sysctl -p