I. Linux hardening targets and objects
Hardening objective: to resolve the security problems of the Linux servers identified in the company's risk assessment work this year and, in line with the requirements of the revised Southern Power Grid security baseline standard, raise the security status of the Linux servers to a higher level, minimizing the security risks these servers pose to the normal operation of the grid's information business.
Hardening object: this information security hardening covers mainly the Linux systems in the information systems of Guizhou Power Grid ICT Company. See the appendix "Linux System Hosts" for the specific equipment.
II. Hardening Solutions
2.1 Device Management
2.1.1 Hardening content: Installing SSH
Description: SSH connections are encrypted, which improves the security of data in transit
Steps: 1. Upload the SSH and SSL rpm packages.
2. Install the SSL package: # rpm -ivh openssl-xxxx.rpm
3. Install the SSH package: # rpm -ivh openssh-server-xxxx.rpm
Note: SSL must be installed before SSH
Risk and emergency measures: no risk. If the installation is unsuccessful, fall back with:
# rpm -e openssh-server-xx
Whether to implement:
2.1.2 Hardening content: Configuring access control with TCP Wrappers
Description: set an access policy to prevent unauthorized access
Steps: 1. Open /etc/hosts.allow and add the IP addresses allowed to log in via SSH, one line each, in the form:
sshd: 192.168.0.1 (single address)
sshd: 192.168.0.0/255.255.255.0 (address range)
2. Open /etc/hosts.deny and add a line that rejects everything else:
sshd: ALL
Note: the address of the workstation from which the hardening is performed must be in the allowed address list
Risk and emergency measures: once this is set, machines whose addresses are not in the allow list can no longer log in to the server. Fallback method: delete the lines added to /etc/hosts.allow and /etc/hosts.deny
Whether to implement:
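The note in 2.1.2 says the hardening workstation must be in the allow list before sshd: ALL goes into hosts.deny. The following is an added example, not part of the original plan, that checks this in POSIX sh against constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny (the addresses are sample values):

```sh
#!/bin/sh
# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny (sample addresses).
ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)
printf 'sshd: 192.168.0.1\nsshd: 10.20.0.0/255.255.255.0\n' > "$ALLOW_FILE"
printf 'sshd: ALL\n' > "$DENY_FILE"

# ip2int: dotted quad -> integer, so network/netmask entries can be matched with "&".
ip2int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# allowed_by <ip> <file>: 0 if some "sshd:" entry in <file> covers <ip>; handles the
# three forms the plan uses: ALL, a single address, and network/netmask.
allowed_by() {
  ip=$1
  for entry in $(sed -n 's/^[sS][sS][hH][dD]:[[:space:]]*//p' "$2" | tr ',' ' '); do
    case $entry in
      ALL|all) return 0 ;;
      */*) net=${entry%/*}; mask=${entry#*/}
           [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
             $(( $(ip2int "$net") & $(ip2int "$mask") )) ] && return 0 ;;
      *) [ "$entry" = "$ip" ] && return 0 ;;
    esac
  done
  return 1
}

# check_admin_access <ip>: 1 (with a warning) if "sshd: ALL" is denied while the
# hardening workstation's address matches no allow entry, i.e. it would lock itself out.
check_admin_access() {
  if grep -qi '^sshd:[[:space:]]*ALL' "$DENY_FILE" && ! allowed_by "$1" "$ALLOW_FILE"; then
    echo "WARNING: $1 matches no sshd allow entry while sshd: ALL is denied" >&2
    return 1
  fi
  return 0
}

check_admin_access 192.168.0.1 || echo "do not apply hosts.deny yet"   # exact match: ok
check_admin_access 10.20.0.77  || echo "do not apply hosts.deny yet"   # inside 10.20.0.0/24: ok
check_admin_access 172.16.0.9  || echo "do not apply hosts.deny yet"   # not allowed: warning
```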
2.2 User account and password security
2.2.1 Hardening content: Restrict login by unused default system accounts
Description: restricting unneeded accounts prevents attackers from using the default accounts to attack the system
Steps: lock each unused account with the command # passwd -l <account name>. The following accounts need to be locked:
daemon
bin
sys
adm
uucp
lp
nobody
Note: these accounts are locked by default and cannot log in
Risk and emergency measures: no risk. Fallback method: # passwd -u <account name>
Whether to implement:
2.2.2 Hardening content: Disable remote root login
Description: disabling direct root login prevents remote access as root
Steps: 1. Edit /etc/ssh/sshd_config, uncomment the PermitRootLogin parameter and set it to no:
PermitRootLogin no
2. Restart sshd: # service sshd restart
Precautions: none
Risk and emergency measures: after this configuration root can no longer log in remotely; prepare an ordinary administrator account to log in with, then switch to root. Fallback measures: change PermitRootLogin in /etc/ssh/sshd_config back to yes and restart sshd
Whether to implement:
2.2.3 Hardening content: Setting the password policy
Description: setting a password policy improves account security
Steps: modify /etc/login.defs:
PASS_MAX_DAYS 180 (a password may be used for at most 180 days)
PASS_MIN_DAYS 1 (a password cannot be changed again within 1 day)
PASS_WARN_AGE 28 (users are prompted to change their password 28 days before it expires)
PASS_MIN_LEN 8 (minimum password length of 8 characters)
Note: after the password policy is modified, users whose passwords do not meet the standard are forced to change them when they log in
Risk and emergency measures: no risk. Fallback measures: restore the settings to their pre-hardening state from the account properties recorded before hardening
Whether to implement:
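The sshd_config edit in 2.2.2 and the login.defs values in 2.2.3 share one format (KEY value, with # comments), so one added helper, not from the original plan, can apply both repeatably. The file contents below are constructed stand-ins for /etc/ssh/sshd_config and /etc/login.defs, and the helper assumes a POSIX awk:

```sh
#!/bin/sh
# set_kv <file> <key> <value>: make "KEY value" the single active setting in a
# whitespace-separated config file (sshd_config, login.defs). The first line for the
# key, active or commented out, becomes the setting; later active duplicates are
# dropped; if the key is absent it is appended. Keys compare case-insensitively
# because sshd treats its keywords that way.
set_kv() {
  file=$1 key=$2 value=$3 tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); n = split(line, f, /[ \t]+/) }
    n > 0 && tolower(f[1]) == tolower(k) {
      if (!done) { print k, v; done = 1 }       # first hit becomes the active setting
      else if ($0 ~ /^[ \t]*#/) print           # keep later commented copies as they are
      next                                      # drop later active duplicates
    }
    { print }
    END { if (!done) print k, v }               # key absent: append it
  ' "$file" > "$tmp" && cat "$tmp" > "$file"    # cat preserves owner and mode of the target
  rm -f "$tmp"
}

# get_kv <file> <key>: print the active value of <key> (first match wins, as in sshd).
get_kv() {
  awk -v k="$2" '$0 !~ /^[ \t]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Constructed stand-ins for /etc/ssh/sshd_config and /etc/login.defs.
SSHD_CONF=$(mktemp); LOGIN_DEFS=$(mktemp)
printf '#PermitRootLogin yes\nX11Forwarding no\n' > "$SSHD_CONF"
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$LOGIN_DEFS"

set_kv "$SSHD_CONF" PermitRootLogin no      # 2.2.2: no direct root login over SSH
set_kv "$LOGIN_DEFS" PASS_MAX_DAYS 180      # 2.2.3: password policy values from the plan
set_kv "$LOGIN_DEFS" PASS_MIN_DAYS 1
set_kv "$LOGIN_DEFS" PASS_WARN_AGE 28
set_kv "$LOGIN_DEFS" PASS_MIN_LEN 8         # absent in the sample, so it is appended
```

The login.defs values apply to accounts created after the change; existing accounts are brought in line with chage -M 180 -m 1 -W 28 <user>, and a second SSH session should stay open until the sshd change is confirmed to work.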
2.2.4 Hardening content: Controlling user login session time
Description: setting a login timeout limits user login sessions and improves system security
Steps: disconnect a user's session automatically after 600 seconds of inactivity
- Add the following line to /etc/profile:
TMOUT=600
- Re-read the profile:
# . /etc/profile
Precautions: none
Risk and emergency measures: no risk. Fallback method: comment out the TMOUT=600 line in /etc/profile
Whether to implement:
2.2.5 Hardening content: Prohibit the root user from using FTP
Description: prohibiting root from using FTP prevents file transfers with high privileges
Steps: 1. Add root to the /etc/ftpusers file
2. Restart vsftpd: # service vsftpd restart
Precautions: none
Risk and emergency measures: no risk. Fallback method: remove root from /etc/ftpusers and restart vsftpd
Whether to implement:
2.3 Logs and audits
2.3.1 Hardening content: Capturing authpriv messages
Description: with logging enabled, attack behaviour can be recorded and queried
Steps: 1. Open the syslog configuration file /etc/syslog.conf and add the line:
authpriv.*                /var/log/secure
2. Restart syslogd: # service syslogd restart
Note: the system saves authpriv logs by default
Risk and emergency measures: no risk. Fallback method: delete or comment out the added line in the configuration file and restart the syslogd service.
Whether to implement:
2.3.2 Hardening content: Storing logs on a log server (optional)
Description: storing logs on a log server prevents attackers from deleting them and allows logs to be kept for a long time.
Steps: 1. Configure the log server:
# vi /etc/sysconfig/syslog
Change SYSLOGD_OPTIONS="-m 0" to: SYSLOGD_OPTIONS="-r -m 0"
(-r enables receiving logs from remote hosts)
2. Configure the local machine:
# vi /etc/syslog.conf
Add the line *.* @192.168.0.1, which sends all of this machine's logs to the log server at 192.168.0.1.
3. Restart the log service on both servers:
# /etc/init.d/syslog restart
Note: if there is no log server, this item is not hardened
Risk and emergency measures: delete or comment out the added configuration lines and restart the log service
Whether to implement:
2.3.3 Hardening content: Logs must be kept for 6 months (180 days)
Description: keeping logs for a long time allows a longer period to be queried
Steps: none
Note: the system keeps logs permanently by default, so no hardening is done for this item
Risk and emergency measures:
Whether to implement:
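The note in 2.3.3 relies on the default retention being permanent; where logrotate manages /var/log/secure, what is actually kept is the rotate count times the rotation interval from /etc/logrotate.conf or the matching stanza under /etc/logrotate.d/. An added check, not from the original plan, that computes that retention from a logrotate configuration; the two configurations below are constructed samples, one in the style of the usual weekly/rotate 4 default and one that meets the 180-day requirement:

```sh
#!/bin/sh
# retention_days <logrotate config>: days a log is kept, i.e. rotate count x rotation
# interval. The last interval keyword and the last "rotate N" in the file win; a file
# with no "rotate" keeps nothing, which is what logrotate does by default.
retention_days() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "daily"   { interval = 1 }
    $1 == "weekly"  { interval = 7 }
    $1 == "monthly" { interval = 30 }
    $1 == "yearly"  { interval = 365 }
    $1 == "rotate"  { count = $2 + 0 }
    END { d = (count && interval) ? count * interval : 0; print d }
  ' "$1"
}

# retention_ok <file> <days>: 0 if the configured retention reaches <days>.
retention_ok() { [ "$(retention_days "$1")" -ge "$2" ]; }

# Constructed configs: the familiar weekly/rotate 4 shape, and one meeting 2.3.3.
DEFAULT_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
printf '# rotate log files weekly\nweekly\n# keep 4 weeks of backlogs\nrotate 4\ncreate\n' > "$DEFAULT_CONF"
printf 'daily\nrotate 180\ncompress\ncreate\n' > "$HARDENED_CONF"

retention_days "$DEFAULT_CONF"     # 28: four weekly rotations, far short of 180 days
retention_days "$HARDENED_CONF"    # 180
retention_ok "$HARDENED_CONF" 180 && echo "retention meets the 180-day requirement"
```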
2.3.4 Hardening content: Protecting the log system configuration file
Description: protecting the log configuration file prevents attackers from accessing it
Steps: make the log configuration file readable only by the administrator:
# chmod 400 /etc/syslog.conf
Precautions: none
Risk and emergency measures: no risk. Fallback measures: # chmod 644 /etc/syslog.conf
Whether to implement:
2.4 Service Optimization
2.4.1 Hardening content: Closing services controlled by xinetd
Description: turning off unneeded services improves the security of the system or optimizes it.
Steps: modify the configuration file of each service under /etc/xinetd.d/:
change disable = no to disable = yes
save and exit, then restart xinetd:
# service xinetd restart
Services that need to be closed:
telnet klogin kshell ntalk tftp
Note: ntalk may not be present
Risk and emergency measures: no risk. Fallback action: change disable = yes back to disable = no in the configuration file and restart the xinetd service
Whether to implement:
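The step in 2.4.1 is the same edit across five files, one of which (ntalk) may not exist. An added example, not from the original plan, that applies it to every listed service that is present and skips the rest; it runs against a constructed directory standing in for /etc/xinetd.d and assumes GNU sed -i:

```sh
#!/bin/sh
# disable_xinetd_services <xinetd.d dir> <service>...: set "disable = yes" in the
# configuration file of each listed service. Files that do not exist (the plan notes
# ntalk may be absent) are reported and skipped rather than treated as errors.
# Prints the number of files edited; restarting xinetd is left to the caller.
disable_xinetd_services() {
  dir=$1; shift; changed=0
  for svc in "$@"; do
    f="$dir/$svc"
    if [ ! -f "$f" ]; then
      echo "skip: $svc is not installed" >&2
      continue
    fi
    # GNU sed: only the "disable = no" attribute line is touched, indentation is kept
    sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)[nN][oO][[:space:]]*$/\1yes/' "$f"
    changed=$((changed + 1))
  done
  echo "$changed"
}

# xinetd_disabled <file>: 0 if the service file now says disable = yes
xinetd_disabled() {
  grep -Eqi '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Constructed stand-in for /etc/xinetd.d with telnet and tftp present, ntalk absent.
XINETD_D=$(mktemp -d)
printf 'service telnet\n{\n\tdisable\t= no\n\tsocket_type\t= stream\n}\n' > "$XINETD_D/telnet"
printf 'service tftp\n{\n\tdisable\t= no\n\tserver_args\t= -s /tftpboot\n}\n' > "$XINETD_D/tftp"

disable_xinetd_services "$XINETD_D" telnet klogin kshell ntalk tftp   # prints 2
```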
2.4.2 Hardening content: Turning off the FTP service (optional)
Description: turning off unneeded services improves system security
Steps: 1. Stop the FTP service:
# service vsftpd stop
2. Disable start at boot:
# chkconfig vsftpd off
Precautions: none
Risk and emergency measures: no risk. Fallback: 1. start the FTP service: # service vsftpd start 2. enable the FTP service at boot: # chkconfig vsftpd on
Whether to implement:
2.4.3 Hardening content: Turning off the sendmail service (optional)
Description: shutting down the sendmail service prevents attacks on the system through this service.
Steps: 1. Stop the sendmail service:
# service sendmail stop
2. Disable start at boot:
# chkconfig sendmail off
Note: the system will not receive mail after sendmail is stopped
Risk and emergency measures: no risk. Fallback operation: 1. # service sendmail start
2. # chkconfig sendmail on
Whether to implement:
2.4.4 Hardening content: Turning off the POP3 and IMAP services
Description: turning off unneeded services improves system security
Steps: 1. Stop the dovecot service:
# service dovecot stop
2. Disable start at boot:
# chkconfig dovecot off
Note: on Linux, POP3 and IMAP are provided by dovecot, but dovecot is not installed by default
Risk and emergency measures: this service must not be stopped on a mail server. Fallback method:
1. Start the dovecot service: # service dovecot start
2. Enable dovecot at boot: # chkconfig dovecot on
Whether to implement:
2.4.5 Hardening content: Turning off the graphical window service
Description: if the graphical interface is not needed, it can be shut down to prevent potential attacks
Steps: 1. Switch off the graphical interface:
# init 3
2. Set the graphical interface not to start at boot:
# vi /etc/inittab
Change the default boot runlevel to 3:
id:3:initdefault:
Note: after a reboot the graphical interface will not start
Risk and emergency measures: no risk. Fallback method: # init 5
Whether to implement:
2.4.6 Hardening content: Turning off ordinary services
Description: turning off unneeded services improves the security of the system or optimizes it.
Steps: 1. Stop a service with: service <service name> stop
2. Set a service not to start at any init level with: chkconfig --level <init levels> <service name> off
3. View the boot status of services with: chkconfig --list
4. Services that need to be closed:
nfs, nfslock, autofs, ypbind,
ypserv, yppasswdd, portmap,
smb, netfs, lpd, apache,
httpd, tux, snmpd, named,
postgresql, mysqld, webmin,
kudzu, squid, cups, ip6tables,
iptables, pcmcia, bluetooth,
nsresponder, apmd, avahi-daemon,
canna, cups-config-daemon,
freewnn, gpm, hidd, etc.
Considerations: nfs, httpd and iptables may be in use. Some services are not installed by default
Risk and emergency measures: none. Fallback method:
start the service: # service <service name> start
enable the service at boot: # chkconfig <service name> on
Whether to implement:
2.5 Security Protection
2.5.1 Hardening content: Setting the umask value
Description: the umask value defines the default access rights of newly created files
Steps: add the line umask 022 to /etc/profile
Precautions: none
Risk and emergency measures: after the change, new files are created with permissions 644 by default. Fallback method: restore /etc/profile to its pre-hardening state
Whether to implement:
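The two lines the plan adds to /etc/profile (TMOUT=600 in 2.2.4, umask 022 in 2.5.1) are shell commands, and writing umask as an assignment silently does nothing. An added example, not from the original plan, that generates both lines and checks their effect in a throwaway sh (it assumes GNU stat for the mode readout):

```sh
#!/bin/sh
# The /etc/profile lines from 2.2.4 and 2.5.1, written as shell commands: umask is a
# command, so "umask 022" (not an assignment) is what changes the file-creation mask;
# TMOUT is made read-only so an interactive bash session cannot simply unset it.
hardening_profile_lines() {
  printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\numask 022\n'
}

# mode_of_new_file <setup>: run <setup> in a fresh sh (starting from a permissive
# mask so the effect is visible), create a file and return its octal mode.
mode_of_new_file() {
  d=$(mktemp -d)
  sh -c "umask 000; $1; : > '$d/f'"
  stat -c %a "$d/f"
  rm -rf "$d"
}

# readonly_tmout_holds: 0 if a later "TMOUT=0" is rejected once TMOUT is read-only.
readonly_tmout_holds() {
  ! sh -c 'TMOUT=600; readonly TMOUT; TMOUT=0' 2>/dev/null
}

mode_of_new_file 'umask 022'    # 644: the mask is applied
mode_of_new_file 'umask=022'    # 666: only a variable was set, the mask is untouched
mode_of_new_file "$(hardening_profile_lines | paste -sd ';' -)"   # 644: the generated lines work
```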
2.5.2 Hardening content: Protecting sensitive files
Description: protects critical files from attack
Steps: modify the permissions of the following files:
# chmod 644 /etc/passwd
# chmod 644 /etc/group
# chmod 400 /etc/shadow
Precautions:
Risk and emergency measures: none. Fallback: restore the files' permissions to their pre-hardening values.
Whether to implement:
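An added check, not from the original plan, for the file modes set in 2.3.4 and 2.5.2: it takes a table of "path expected-mode" lines (on a real host /etc/passwd 644, /etc/group 644, /etc/shadow 400, /etc/syslog.conf 400) and reports files that are missing or whose mode differs. Below it runs against constructed temporary files and assumes GNU stat:

```sh
#!/bin/sh
# audit_modes <table>: <table> holds "path expected-mode" pairs, one per line.
# Prints each mismatch and returns the number of files that differ or are missing.
audit_modes() {
  bad=0
  while read -r path want; do
    [ -n "$path" ] || continue
    if [ ! -e "$path" ]; then
      echo "MISSING $path"; bad=$((bad + 1)); continue
    fi
    have=$(stat -c %a "$path")
    if [ "$have" != "$want" ]; then
      echo "MISMATCH $path mode $have expected $want"; bad=$((bad + 1))
    fi
  done <<EOF
$1
EOF
  return "$bad"
}

# Constructed stand-ins for the real files, with shadow deliberately left too open.
D=$(mktemp -d)
touch "$D/passwd" "$D/group" "$D/shadow" "$D/syslog.conf"
chmod 644 "$D/passwd" "$D/group" "$D/shadow"; chmod 400 "$D/syslog.conf"

TABLE="$D/passwd 644
$D/group 644
$D/shadow 400
$D/syslog.conf 400"

audit_modes "$TABLE" || echo "$? file(s) need attention"   # reports shadow: 644, expected 400
chmod 400 "$D/shadow"
audit_modes "$TABLE" && echo "all modes as specified"
```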