Linux Server Security Configuration

Source: Internet
Author: User
Part 1: RedHat Linux
1. Overview
Linux server version: RedHat Linux AS
For an open operating system such as Linux, system security configuration covers minimizing system services, restricting remote access, hiding important data, patching security vulnerabilities, adopting security tools, and performing regular security checks. This article focuses on user settings, which services to enable, system optimization and other aspects of system security configuration, in order to build a more secure and stable Linux server.
2. User Management
In a Linux system, a user account is the user's identity and consists of a username and a password. The system stores usernames in the /etc/passwd file and stores passwords in encrypted (hashed) form in the /etc/shadow file. Normally this information is protected by the operating system and can be accessed only by the superuser (root) and certain system programs. However, if the system is misconfigured or a program malfunctions, ordinary users may be able to obtain it, and a malicious user can then run a password-cracking tool against the hashes to recover the original passwords.
2.1 Delete unused system user and group accounts:
#userdel username
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
The accounts deleted above are created by default at installation, but some of them are not used on a typical server, and such accounts are frequently used by attackers when attacking servers.
#groupdel groupname
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
Similarly, the group accounts deleted above are created by default when the system is installed; removing them reduces the chance of being attacked.
2.2 User password settings:
When Linux is installed, the default minimum password length is 5 bytes, which is not enough; set it to 8 bytes. To change the minimum password length, edit the login.defs file (vi /etc/login.defs):
PASS_MAX_DAYS 99999 # maximum number of days a password is valid (default)
PASS_MIN_DAYS 0 # minimum number of days between password changes
PASS_MIN_LEN 5 # minimum password length
PASS_WARN_AGE 7 # number of days of warning before a password expires
2.3 Set the automatic logout time for accounts:
Accounts should be logged out automatically. In a Linux system the root account has the highest privilege; if the system administrator forgets to log out of the root account before leaving the system, it poses a significant security risk, so the session should be logged out automatically. This is done with the TMOUT variable, which counts in seconds. Edit the profile file (vi /etc/profile) and add the following line after "HISTSIZE=":
TMOUT=300
300 means 300 seconds, that is, 5 minutes: the system automatically logs out a logged-in user who has been idle for 5 minutes.
2.4 Lock the files that store the system's usernames and passwords:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/gshadow
chattr +i /etc/group
Note: chattr is the command for changing file attributes; the +i parameter sets the immutable bit, which means the file or directory can no longer be modified. To view the attributes: lsattr /etc/passwd
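As an added example that is not part of the original article, the POSIX shell script below audits the three things this section changes (unused accounts, PASS_MIN_LEN, the immutable bit) before they are changed; the file paths are parameters, and the passwd and login.defs contents in demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: read-only checks for the
# account clean-up (2.1), the password policy (2.2) and the immutable bit (2.4).
# Each function takes a file path, so it can be run against a copy of the
# /etc files before anything on the live system is changed.

# Default accounts the article deletes as unused on a typical server.
UNUSED_USERS="adm lp sync shutdown halt news uucp operator games gopher"

# Print the names from UNUSED_USERS that still exist in the given passwd file.
# Usage: unused_accounts_present /etc/passwd
unused_accounts_present() {
    for u in $UNUSED_USERS; do
        # the login name is the first colon-separated field of each line
        if grep -q "^$u:" "$1"; then
            echo "$u"
        fi
    done
}

# Print the effective value of a login.defs key. The last uncommented
# occurrence wins (a second PASS_MIN_LEN line overrides the first); prints
# nothing if the key is absent.
# Usage: login_def /etc/login.defs PASS_MIN_LEN
login_def() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Return 0 when PASS_MIN_LEN in the given login.defs meets the minimum of 8
# the article recommends, 1 otherwise.
# Usage: min_len_ok /etc/login.defs
min_len_ok() {
    len=$(login_def "$1" PASS_MIN_LEN)
    [ -n "$len" ] && [ "$len" -ge 8 ]
}

# Return 0 when the file carries the immutable attribute from section 2.4.
# lsattr prints the attribute letters as the first field, "i" among them.
# While +i is set, passwd, useradd and userdel fail on that file; remove the
# attribute with "chattr -i" before making account changes.
# Usage: is_immutable /etc/passwd
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q i
}

# Demonstration on a constructed passwd and login.defs (not real system files).
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n' >> "$tmp/passwd"
    printf 'games:x:12:100:games:/usr/games:/sbin/nologin\n' >> "$tmp/passwd"
    printf 'bob:x:500:500::/home/bob:/bin/bash\n' >> "$tmp/passwd"
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n' > "$tmp/login.defs"
    echo "unused accounts still present: $(unused_accounts_present "$tmp/passwd" | tr '\n' ' ')"
    if min_len_ok "$tmp/login.defs"; then
        echo "PASS_MIN_LEN ok"
    else
        echo "PASS_MIN_LEN too short: $(login_def "$tmp/login.defs" PASS_MIN_LEN)"
    fi
    rm -rf "$tmp"
}
demo
```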
3. Service Management
For service management on a Linux system, doing the best possible security job comes down to two things: keeping the software of each service upgraded to a current version, and shutting down the services the system does not use, so that the set of running services is minimized.
3.1 Turn off services not used by the system:
cd /etc/init.d # enter the directory holding the system's init startup scripts
There are two ways to turn off the services in the init directory. The first is to rename (mv) a service's file in the init directory to a *.old file name, so that the system cannot find the startup file when it boots. The second is to use the chkconfig system command to turn the service off for the relevant runlevels.
Note: Whichever method you use, first check whether the service you are about to shut down is one the server specifically needs, to avoid shutting down a required service.
Method 1: Rename the startup files
cd /etc/init.d/
mv apmd apmd.old # needed on laptops
mv netfs netfs.old # NFS client
mv yppasswdd yppasswdd.old # NIS server; this service has many vulnerabilities
mv ypserv ypserv.old # NIS server; this service has many vulnerabilities
mv dhcpd dhcpd.old # DHCP service
mv portmap portmap.old # required for running RPC (port 111) services
mv lpd lpd.old # print service
mv nfs nfs.old # NFS server, very many vulnerabilities
mv sendmail sendmail.old # mail service, many holes
mv snmpd snmpd.old # SNMP; remote users can obtain a lot of system information from it
mv rstatd rstatd.old # avoid running the r-services; remote users can obtain a lot of information from them
mv atd atd.old # scheduled-job service very similar to cron
Method 2: Use the chkconfig command to turn off unused system services
chkconfig --level 35 apmd off
chkconfig --level 35 netfs off
chkconfig --level 35 yppasswdd off
chkconfig --level 35 ypserv off
chkconfig --level 35 dhcpd off
chkconfig --level 35 portmap off
chkconfig --level 35 lpd off
chkconfig --level 35 nfs off
chkconfig --level 35 sendmail off
chkconfig --level 35 snmpd off
chkconfig --level 35 rstatd off
chkconfig --level 35 atd off
Note: The 3 and 5 in the chkconfig commands above are system runlevels: 3 is the system's multi-user (text) startup mode and 5 is the X graphical startup mode.
3.2 Lock the system service port list file
Primary role: prevent unauthorized deletion or addition of services
chattr +i /etc/services
3.3 Change the root login permission of the SSH service
Edit the SSH service configuration file so that sshd does not allow direct login as the root user, which reduces the system's exposure to malicious login attacks.
vi /etc/ssh/sshd_config
#PermitRootLogin yes
Remove the # at the start of this line and change it to: PermitRootLogin no
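As an added example (not code from the original article), the script below gives two read-only checks for this section: which services from the shut-down list are still enabled in runlevel 3 or 5 according to chkconfig --list output, and what PermitRootLogin value sshd will actually use; the chkconfig output and sshd_config contents in demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: two read-only checks for
# section 3. report_enabled reads "chkconfig --list" output from stdin (a
# saved copy works offline) and prints services from the article's shut-down
# list that are still on in runlevel 3 or 5, with the command that turns them
# off. permit_root_login prints the effective PermitRootLogin of an sshd_config.

# Services section 3.1 turns off.
UNNEEDED="apmd netfs yppasswdd ypserv dhcpd portmap lpd nfs sendmail snmpd rstatd atd"

# Usage: chkconfig --list | report_enabled
# Each input line looks like: apmd  0:off 1:off 2:on 3:on 4:on 5:on 6:off
report_enabled() {
    awk -v list="$UNNEEDED" '
        BEGIN {
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) want[names[i]] = 1
        }
        ($1 in want) {
            on = ""
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = on substr($i, 1, 1)
            if (on != "")
                print $1 " is on in runlevel(s) " on ": chkconfig --level 35 " $1 " off"
        }'
}

# Print the effective PermitRootLogin value of an sshd_config file, or "unset".
# sshd matches keywords case-insensitively and the FIRST uncommented
# occurrence wins, so appending "PermitRootLogin no" below an existing
# "PermitRootLogin yes" changes nothing; the earlier line must be edited.
# Usage: permit_root_login /etc/ssh/sshd_config
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && v == "" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Demonstration on constructed input (not captured from a real host).
demo() {
    {
        printf 'apmd\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off\n'
        printf 'sshd\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off\n'
        printf 'nfs\t0:off\t1:off\t2:off\t3:off\t4:off\t5:off\t6:off\n'
    } | report_enabled
    cfg=$(mktemp)
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$cfg"
    echo "PermitRootLogin: $(permit_root_login "$cfg")"
    rm -f "$cfg"
}
demo
```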
4. System File Permissions
The security of the Linux file system is achieved primarily by setting permissions on files. Each Linux file or directory has three sets of permission bits, defining the permissions of the file's owner, its group, and everyone else (read, write, execute, set-user-ID (suid), set-group-ID (sgid), etc.). Special attention is needed for suid and sgid executables: while such a program runs, the process is given the privileges of the file's owner, so if an attacker finds and exploits a flaw in it, the system can be harmed.
4.1 Change the execute permissions of the files in the init directory:
chmod -R 700 /etc/init.d/*
4.2 Remove the suid and sgid bits from some system files:
chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /bin/ping
chmod a-s /sbin/netreport
4.3 Protect the system boot files
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
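The fixed list in 4.2 is a starting point; as an added example that is not from the original article, the script below inventories every setuid/setgid file under a directory tree, compares it against an allowlist (a one-path-per-line file format of this example's own making) and prints the chmod commands for review instead of running them. The directory tree in demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: inventory the setuid/setgid
# files under a directory tree and report the ones missing from an explicit
# allowlist, so section 4.2's "chmod a-s" is applied deliberately. The
# allowlist format (one absolute path per line, "#" comments) is this
# example's own convention, not something the article defines.

# Print each regular file under $1 with the setuid or setgid bit, one per line
# as "<path> setuid" or "<path> setgid", sorted by path.
# Usage: find_setid /usr
find_setid() {
    {
        find "$1" -type f -perm -4000 -exec sh -c 'for f in "$@"; do printf "%s setuid\n" "$f"; done' sh {} +
        find "$1" -type f -perm -2000 -exec sh -c 'for f in "$@"; do printf "%s setgid\n" "$f"; done' sh {} +
    } | sort
}

# Print the set-id files under $1 whose path is not listed in allowlist $2.
# Usage: unexpected_setid / /etc/setid.allow
unexpected_setid() {
    find_setid "$1" | while read -r path bit; do
        grep -qxF "$path" "$2" || echo "$path $bit"
    done
}

# Print the commands section 4.2 would run for the unexpected files, without
# executing them, so the list can be reviewed first. Dropping the bit from
# mount, umount or ping means only root can run those programs afterwards.
# Usage: plan_chmod / /etc/setid.allow
plan_chmod() {
    unexpected_setid "$1" "$2" | while read -r path bit; do
        echo "chmod a-s $path"
    done
}

# Demonstration on a constructed directory tree (no system files are touched).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    : > "$root/bin/su_like";   chmod 4755 "$root/bin/su_like"
    : > "$root/bin/wall_like"; chmod 2755 "$root/bin/wall_like"
    : > "$root/bin/plain";     chmod 755 "$root/bin/plain"
    printf '# constructed allowlist\n%s/bin/su_like\n' "$root" > "$root/allow"
    echo "set-id files:"; find_setid "$root"
    echo "planned changes:"; plan_chmod "$root" "$root/allow"
    rm -rf "$root"
}
demo
```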
5. System optimization
5.1 Virtual memory optimization:
In general, Linux uses almost all of the physical memory. This is very different from Windows: the Linux memory management mechanism makes full use of the system's memory, whereas Windows always uses some virtual memory no matter how much physical memory it has.
The three numbers in /proc/sys/vm/freepages are the current system's minimum free-page, low free-page, and maximum free-page settings.
Note that the principle of virtual memory use here is as follows: when the number of free pages falls below the maximum free-page setting, the system starts using the disk swap space; when the minimum free-page setting is reached, memory swapping is used. Memory is typically allocated in pages of 4 KB. The minimum free-page setting is twice the amount of system memory; the low free-page setting is four times the amount of memory; the maximum free-page setting is six times the system memory.
The following example sets the system's virtual memory parameters on a machine with 1G of memory:
echo "2048 4096 6444" > /proc/sys/vm/freepages
6. Log Management
6.1 System boot log:
dmesg
Use the dmesg command to quickly view the kernel boot log of the most recent system boot. It usually produces a lot of output, so you will normally want to pipe it to a pager.
6.2 System run logs:
A. Linux logs are stored in the /var/log directory. Several log files are maintained by the system itself, but other services and programs may also put their logs here. Most logs can be read only by root, unless you change the file permissions to make them readable by others.
The following are common system log file names and their descriptions:
lastlog: records each user's last successful login time
loginlog: records bad login attempts
messages: records messages output to the system console and messages generated by the syslog system service
utmp: records each user currently logged in
utmpx: extended utmp
wtmp: records the history of each user's logins and logouts
wtmpx: extended wtmp
vold.log: records errors in using external media
xferlog: records FTP access
sulog: records use of the su command
acct: records the commands each user has run
aculog: dial-out automatic call log
B. /var/log/messages
The messages log is the core system log file. It contains the boot messages from system startup and other status messages while the system is running. I/O errors, network errors and other system errors are recorded in this file. Other information, such as someone switching identity to root, is also listed here. If a service such as a DHCP server is running, you can observe its activity in the messages file. Typically, /var/log/messages is the first file to look at when troubleshooting.
C. /var/log/XFree86.0.log
This log records the result of the last run of the XFree86 X Window server. If you have problems booting into graphical mode, you will generally find the reason for the failure in this file.
D. In the /var/log directory there are files whose names end in a number; these are archived files that have already been rotated. Log files can become very large and unwieldy. Linux provides a command to rotate these logs so that the current log information is not buried in old, irrelevant information. logrotate is usually run automatically at scheduled intervals, but it can also be run manually. When executed, logrotate takes the current version of the log file and appends ".1" to the file name. Files from earlier rotations become ".2", ".3", and so on. The larger the number after the file name, the older the log.
You can configure logrotate's automatic behaviour by editing the /etc/logrotate.conf file; man logrotate gives the full details.
In that file:
# rotate log files weekly
weekly
This means each log file is rotated once a week, so a log file holds one week of content.
# keep 4 weeks worth of backlogs
rotate 4
This sets the number of rotations kept to 4, that is, 4 old log files are retained.
E. Custom logs
You can customize the storage paths and logging levels of the system logs by editing /etc/syslog.conf and /etc/sysconfig/syslog.
6.3 System user operation log:
last
Running the last command on its own reads the file named wtmp in the /var/log directory and displays the list of users who have logged in to the system, based on that file's records.
history
The history command shows the most recently executed commands. For root, the saved commands are in the /root/.bash_history file; for an ordinary user, the commands are stored in the user's own home directory, typically /home/username/.bash_history. The number of commands kept can be set by editing the /etc/profile file, where the value in HISTSIZE=1000 is the number of history entries saved.
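Section 6.2 notes that an identity switch to root shows up in /var/log/messages; as an added example (not from the original article), the script below extracts those su-to-root events from messages-style text, counts them per user, and flags users missing from an administrators list. The log lines and admin list in demo are constructed in the format su logged via pam_unix on RedHat-era systems.

```shell
#!/bin/sh
# Added example, not from the original article: pull the "identity switch to
# root" events section 6.2 mentions out of /var/log/messages-style text, count
# them per user and flag users who are not on an administrators list. The log
# lines in demo are constructed in the syslog format su used via pam_unix on
# RedHat-era systems; adjust the pattern if your su logs differently.

# Print "MON DAY TIME user" for every successful su to root in the given file.
# A matching line looks like:
#   Jun 18 10:15:02 srv1 su(pam_unix)[2291]: session opened for user root by bob(uid=500)
# Usage: root_su_events /var/log/messages
root_su_events() {
    awk '$5 ~ /^su[^a-z]/ && /session opened for user root by/ {
            # the word after "by" is "bob(uid=500)"; keep only the user name
            for (i = 1; i <= NF; i++) if ($i == "by") { who = $(i + 1); break }
            sub(/\(.*$/, "", who)
            print $1, $2, $3, who
         }' "$1"
}

# Count su-to-root events per originating user, most frequent first.
# Usage: root_su_counts /var/log/messages
root_su_counts() {
    root_su_events "$1" | awk '{ c[$4]++ } END { for (u in c) print c[u], u }' | sort -rn
}

# Print the events whose user is not listed (one name per line) in file $2.
# Usage: unexpected_root_su /var/log/messages /etc/admins.txt
unexpected_root_su() {
    root_su_events "$1" | while read -r mon day time who; do
        grep -qxF "$who" "$2" || echo "$mon $day $time $who"
    done
}

# Demonstration on constructed log lines and a constructed admin list.
demo() {
    log=$(mktemp); admins=$(mktemp)
    cat > "$log" <<'EOF'
Jun 18 10:15:02 srv1 su(pam_unix)[2291]: session opened for user root by bob(uid=500)
Jun 18 10:15:40 srv1 su(pam_unix)[2291]: session closed for user root
Jun 18 11:02:11 srv1 sshd[2410]: Accepted password for bob from 172.18.10.5 port 40120 ssh2
Jun 18 11:05:55 srv1 su(pam_unix)[2450]: session opened for user root by carol(uid=501)
Jun 18 11:30:00 srv1 su(pam_unix)[2500]: session opened for user root by bob(uid=500)
EOF
    echo bob > "$admins"
    echo "su to root, per user:"; root_su_counts "$log"
    echo "su to root by non-administrators:"; unexpected_root_su "$log" "$admins"
    rm -f "$log" "$admins"
}
demo
```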
7. Firewall
7.1 iptables-type firewall:
7.1.1 iptables concepts:
iptables (IP packet filter administration) is used to set up, maintain, and inspect the IP packet filtering rules of the Linux kernel.
Several different tables can be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that match a set of packets; each rule specifies what to do with a packet that matches it. This is called the 'target', and it may also be a jump to a user-defined chain in the same table.
From user space you build your own custom rules, which are stored in the packet filtering tables in kernel space. These rules have targets that tell the kernel what to do with packets coming from certain sources, going to certain destinations, or having certain protocol types. If a packet matches a rule, the target ACCEPT lets the packet through. The target DROP or REJECT can be used to block and discard packets. There are many other targets for other operations that can be performed on a packet.
Rules are grouped in chains according to the type of packet they process. Rules for inbound packets are added to the INPUT chain, rules for outbound packets to the OUTPUT chain, and rules for packets being forwarded to the FORWARD chain. These three chains are the default main chains built into the basic packet filtering table. Many other chains are available as well (such as PREROUTING and POSTROUTING), and user-defined chains can be created. Each chain can have a policy, which defines the default target, that is, the default action to take when a packet matches none of the rules in the chain.
Once the rules are set up and the chains are in place, the real packet filtering process can begin. This is where kernel space takes over from user space. When a packet arrives at the firewall, the kernel first examines the packet's header information, especially its destination. This process is called routing.
If the packet originates from outside and is destined for this system, and the firewall is enabled, the kernel passes it to the INPUT chain of the kernel-space packet filtering table. If the packet originates from another source within the system or on the internal network the system is connected to, and is destined for another external system, it is passed to the OUTPUT chain. Similarly, packets originating from an external system and going to another external system are passed to the FORWARD chain.
7.1.2 iptables instance 1:
#!/bin/sh
# Disable the system's packet forwarding while the rules are loaded
echo 0 > /proc/sys/net/ipv4/ip_forward
# Flush the existing iptables rules and set the default policies
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# TCP and UDP ports that must be open in the INPUT chain
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 1352 -j ACCEPT
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
# In the INPUT chain, accept packets whose connection state is ESTABLISHED or RELATED
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Re-enable the system's IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
7.1.3 iptables instance 2:
Note: In this instance you only need to set the TCP and UDP ports and the server network segment (IP range); everything else is already set by default.
#!/bin/sh
# Make: yongzhang
# time: 2004-06-18
# e-mail: yongzhang@wiscom.com.cn
PATH=/sbin:/bin:/usr/sbin:/usr/bin
## TCP ports to allow
TPORTS="80 22"
## UDP ports to allow
UPORTS="53"
## internal SERVER_IP range
SERVER_IP="172.18.10.0/24"
## disable forwarding while the rules are loaded
echo 0 > /proc/sys/net/ipv4/ip_forward
## reset default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
## delete all iptables rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
## clean all non-default chains
iptables -X
iptables -t nat -X
## iptables default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## allow ping packets (echo reply, destination unreachable, redirect, echo request, time exceeded)
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## forward packets belonging to established or related connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## state ESTABLISHED,RELATED for the router itself
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## accept internal packets on the internal interface
iptables -A INPUT -s $SERVER_IP -p tcp -j ACCEPT
## open ports on the router for server/services
## TCP ports
for ATP in $TPORTS
do
iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $ATP -j ACCEPT
iptables -A FORWARD -p tcp --destination-port $ATP -j ACCEPT
done
## UDP ports
for AUP in $UPORTS
do
iptables -A INPUT -p udp --destination-port $AUP -j ACCEPT
iptables -A FORWARD -p udp --destination-port $AUP -j ACCEPT
done
## bad packets
## drop INVALID packets immediately
iptables -A INPUT -p all -m state --state INVALID -j DROP
## limit SYN flood (disabled by default)
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
## deny all ICMP packets; eth0 is the external interface (disabled by default)
#iptables -A INPUT -i eth0 -s 0.0.0.0/0 -p icmp -j DROP
## allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
## enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
7.2 ipchains-type firewall:
7.2.1 ipchains concepts:
ipchains is used to install, maintain, and inspect the firewall rules of the Linux kernel. Rules fall into four categories: the IP input chain, the IP output chain, the IP forward chain, and user-defined chains.
A firewall rule specifies the criteria a packet must match and a target. When a packet comes in, the kernel uses the input chain to decide its fate. If it passes, the kernel decides where the packet should be sent next (this step is called routing). If it is to be sent to another machine, the kernel uses the forward chain. When a rule matches, the packet is handed to the chain named by the rule's target, which may be a user-defined chain or one of the special values ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN.
ACCEPT means the packet is allowed through. DENY discards the packet as if it had never arrived. REJECT also discards the packet, but (unless it is an ICMP packet) generates an ICMP reply telling the sender that the destination is unreachable (note that DENY and REJECT behave the same for ICMP packets).
MASQ tells the kernel to masquerade the packet. It is valid only in the forward chain and in user-defined chains, and for it to work the kernel must be compiled with IP masquerading enabled.
REDIRECT is valid only in the input chain and user-defined chains. It tells the kernel to deliver the packet to a local port regardless of where it was addressed. Only the TCP and UDP protocols can use this target. Any rule using '-j REDIRECT' with a port (name or number) causes matching packets to be redirected to that port, even if they were addressed to a different one. For this to work, CONFIG_IP_TRANSPARENT_PROXY must be enabled when the kernel is compiled.
The last special target is RETURN, which skips all the remaining rules in the chain up to its end.
Any other target names a user-defined chain. The packet then traverses that chain. If that chain does not decide the packet's fate, traversal of that chain ends and the packet continues with the next rule in the current chain.
7.2.2 ipchains example:
## Flush the input chain and set its default policy to REJECT
-F input
-P input REJECT
## Allow the following ports in the input chain: 80, 81 and 22 (TCP) and 123 (UDP)
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 81 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
## Apart from the ports allowed above, reject TCP and UDP ports 0-1023, 2049, 6000-6009 and 7100 in the input chain
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
## Allow all remaining packets arriving on the machine's own interfaces
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
## Flush the output chain and set its default policy to ACCEPT
-F output
-P output ACCEPT
## Flush the forward chain, set its default policy to DENY, and allow packets from the 10.10.11.0/24 segment to be forwarded and masqueraded
-F forward
-P forward DENY
-A forward -s 10.10.11.0/24 -j MASQ
