This article is an overview of operations and maintenance (O&M) security rather than a detailed guide; it is mainly a keyword summary. CentOS is used as the example.
0x01 Physical protection
1. Add a password to the boot loader (grub.conf)
title xxx linux server
root (hd0,0)
password 123321    // plaintext: readable by anyone who can view the file, not recommended
password --md5 $1$xxxxxxxxxxxxxxx    // recommended configuration: store the MD5 hash instead
The hash is generated with grub-md5-crypt (enter the password, e.g. 123321, at its prompt).
2. Use vlock to lock the console screen.
3. Set a BIOS password and disable the USB ports.
0x02 Real-time monitoring
Query listening ports and service status
netstat -tnl
Find the service behind a port
lsof -i :22    // shows the sshd service listening on port 22
Query the run levels at which services start
chkconfig --list
Text-mode interface for enabling and disabling services
ntsysv
Adjust the run levels of a service
Take the kudzu service (hardware change detection) as an example:
chkconfig --level 3 kudzu on
chkconfig --level 2345 kudzu off
top: monitor running processes and load
who and w: view logged-in accounts
iostat: monitor disk I/O
/proc/meminfo and free: memory information
uptime: boot time and load averages
tcpdump -i eth0
tcpdump -i eth0 src host hostname
tcpdump -i eth0 dst host hostname
tcpdump tcp port 80 and host 210.27.xx.xx
Set up and configure Nagios to monitor server services comprehensively.
0x03 Log analysis
Log configuration file: /etc/syslog.conf
Logs are written to the /var/log directory by default.
Facilities:
mail: messages from sendmail, qmail and other mail software
news: news (NNTP) server messages
user: user-level messages
syslog: syslog's own internal messages
auth: user login, security and authentication messages
uucp: UNIX-to-UNIX copy protocol messages
Log levels:
emerg: the system is unusable; the most urgent level
alert: must be handled and resolved immediately
crit: critical condition; a serious event is about to happen and must be prevented
warning: warning message
err: error message, ordinary errors
notice: normal but significant condition
info: informational message, general information
debug: debugging information
*: matches all levels; as a destination it sends the message to all logged-in users
/var/log/secure records logins to the system, including sshd, telnet and pop.
Recommended tool:
http://swatch.sourceforge.net/
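As an added example (not from the original article), a small shell script that scans /var/log/secure-style lines for failed SSH logins and flags source addresses at or above a threshold, the kind of check swatch or fail2ban automates; the log lines are constructed sample data, not a real log.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address in
# /var/log/secure-style lines and flag addresses over a threshold.

# Constructed sample log lines standing in for /var/log/secure.
SAMPLE_SECURE_LOG='Mar  3 10:01:12 web1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2203]: Failed password for root from 192.0.2.10 port 51240 ssh2
Mar  3 10:01:19 web1 sshd[2205]: Failed password for root from 192.0.2.10 port 51244 ssh2
Mar  3 10:02:01 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:44 web1 sshd[2212]: Failed password for oracle from 203.0.113.5 port 33001 ssh2
Mar  3 10:03:10 web1 sshd[2215]: Accepted password for deploy from 198.51.100.7 port 40030 ssh2'

# failed_per_ip: print "<count> <ip>" for every address with failed logins,
# highest count first. Reads the log text from stdin.
failed_per_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: print addresses whose failed-login count reaches
# the threshold; these are the candidates for a fail2ban/denyhosts block.
offenders() {
    failed_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_logins: "<user> <ip> <method>" for each successful login,
# worth reviewing next to the failures (a success after many failures
# from the same address is the case to look at first).
accepted_logins() {
    sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p'
}

# Stand-alone run against the constructed sample (prints 192.0.2.10).
printf '%s\n' "$SAMPLE_SECURE_LOG" | offenders 3
```

On a real host, replace the sample with `cat /var/log/secure | offenders 5` or similar.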
0x04 File permissions
Find setuid programs
find / -perm -4000 -ls
Find setgid programs
find / -perm -2000 -ls
Find programs with the sticky (t) bit (it only takes effect on directories, so search directories)
find / -type d -perm -1000 -ls
Directory t attribute: once the sticky bit is set on a directory, only a file's owner (and root) can delete files inside it. For example, /tmp is drwxrwxrwt.
chattr +i makes a file immutable so it cannot be deleted or modified
chattr -i removes the immutable attribute (needed before a protected file can be changed again)
Third-party tools can be installed to stop even the root user from removing the immutable attribute.
lsattr queries the attributes
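As an added example (not from the original article), a script that records a baseline of setuid/setgid files under a directory tree and later reports anything privileged that was not in the baseline, built on the find -perm forms above. It assumes GNU find (for -printf) and uses a constructed scratch directory rather than the real filesystem.

```shell
#!/bin/sh
# Added example: baseline and re-audit setuid/setgid files so that a newly
# appeared privileged binary shows up. Assumes GNU find.

# list_privileged DIR: one line per setuid or setgid file, "<mode> <path>",
# sorted so two listings can be compared with comm.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n' | sort
}

# save_baseline DIR FILE: record the current privileged files.
save_baseline() {
    list_privileged "$1" > "$2"
}

# new_privileged DIR FILE: print entries present now but absent from the
# baseline (a binary whose mode changed also appears, since the mode is
# part of the line).
new_privileged() {
    list_privileged "$1" | comm -13 "$2" -
}

# Self-contained demonstration with constructed data in a scratch directory.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin"
printf '#!/bin/sh\n' > "$demo_dir/bin/passwd_like"; chmod 4755 "$demo_dir/bin/passwd_like"
printf '#!/bin/sh\n' > "$demo_dir/bin/plain";       chmod 755  "$demo_dir/bin/plain"
save_baseline "$demo_dir" "$demo_dir/baseline.txt"
# Later, a setuid copy appears that was not in the baseline: the audit reports it.
printf '#!/bin/sh\n' > "$demo_dir/bin/dropped"; chmod 4755 "$demo_dir/bin/dropped"
new_privileged "$demo_dir" "$demo_dir/baseline.txt"
```

In practice run save_baseline against / right after installation and new_privileged from cron, keeping the baseline file on a system with chattr +i set or off the host.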
0x05 Security configuration
Securely configure mysql, nginx, php, apache, snmp and other services.
sshd service
/etc/ssh/sshd_config
Change the port and allow only specific accounts to log in.
Prevent brute-force cracking: fail2ban / denyhosts
ssh-keygen -t rsa generates a public/private key pair for password-less (key-based) login.
Web service (Apache as the example)
Change the default banner
Change the default pages for HTTP status codes such as 404 and 503
Require a password (.htaccess) to access special directories
Disable directory indexing: Options -Indexes
Disable CGI program execution: Options -ExecCGI
View the compiled-in modules with httpd -l and disable the ones not needed
Restrict execute permissions on directories
DNS service
If no DNS service is needed, disable it; if BIND is used, secure its configuration and disable zone transfers.
FTP service
Most servers run vsftpd; guard against:
1. Remote overflows (keep the program updated)
2. Local privilege escalation
3. Brute-force cracking
4. Sniffing (FTP sends credentials in clear text)
If FTP is not strictly required, use sftp to transfer files.
Restrict users to their own directories (chroot):
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Change the banner so vsftpd presents itself as a Microsoft FTP Service.
Allow only specific users to log in, via PAM:
/etc/pam.d/ftp
auth required pam_listfile.so item=user sense=allow file=/etc/ftpusers onerr=fail    // only users listed in /etc/ftpusers may log in
Brute-force protection:
fail2ban
PPTP (VPN) service
Protect against man-in-the-middle attacks and weak VPN passwords.
0x06 Firewall configuration
Apart from hardware firewalls (Cisco's PIX series, NetScreen, H3C's SecPath), most hosts use the iptables software firewall.
iptables -A INPUT -p icmp -j <target>
Targets:
DROP (discard silently)
ACCEPT (accept)
REJECT (reject and send an error back)
LOG (log the packet)
iptables -t <table> selects the table; there are three: nat, filter (the default) and mangle (QoS marking, etc.)
iptables options:
-A append a rule
-D delete a rule
-R replace the rule at the given position
-I insert a rule
-L list all rules
-F flush (delete) all rules
-P set the default policy of a chain
--line-numbers show rule numbers
-p the protocol to match
! negation (exclude)
--src source IP address
--dst destination address
--in-interface select the NIC
--fragment match packet fragments
--sport source port
--dport destination port
--state connection state (RELATED, ESTABLISHED)
Demo: block ping
iptables -A INPUT -p icmp -j DROP
Demo: block a port
iptables -A INPUT -p tcp -d 192.168.0.1 --dport 21 -j DROP
0x07 Scheduled backups
Directories to back up:
/home
/etc
/var/spool/mail
/usr/local
Website content
Database backups
Demo: back up a disk partition
dd if=/dev/hda1 | gzip > data1.gz
Restore the partition
gzip -dc data1.gz | dd of=/dev/hda1
Demo: back up a directory with tar
tar cvzf - /home > /tmp/backup.tgz
Create a backup of the whole root filesystem
tar -zcvpf /home/fullbackup.tar.gz / --exclude=/mnt/* --exclude=/proc/*
Demo: incremental backup (the first run with a new snapshot file is a full backup)
tar -g snapshot -czvf aa.tar.gz /var
Incremental backup after changes (the snapshot file records what was already backed up)
tar -g snapshot -czvf aa.tar.gz.1 /var
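As an added example (not from the original article), the full-then-incremental pattern above carried through to a restore that is checked against the source: a level-0 backup with a fresh snapshot file, an incremental archive after changes, and a replay of the chain into an empty directory. It assumes GNU tar (for -g) and works on constructed scratch directories, not /var.

```shell
#!/bin/sh
# Added example: GNU tar incremental backup chain (aa.tar.gz, aa.tar.gz.1, ...)
# plus restore and verification. Assumes GNU tar.

# backup_full SRC DEST_DIR: level-0 archive with a new snapshot file.
backup_full() {
    rm -f "$2/snapshot"
    tar -g "$2/snapshot" -czf "$2/aa.tar.gz" -C "$1" .
}

# backup_incr SRC DEST_DIR N: archive only what changed since the snapshot.
backup_incr() {
    tar -g "$2/snapshot" -czf "$2/aa.tar.gz.$3" -C "$1" .
}

# restore_chain DEST_DIR TARGET: replay the full archive, then the increments
# in order. -g /dev/null on extract also applies deletions recorded in the chain.
restore_chain() {
    mkdir -p "$2"
    for a in "$1/aa.tar.gz" "$1"/aa.tar.gz.[0-9]*; do
        if [ -f "$a" ]; then
            tar -g /dev/null -xzf "$a" -C "$2"
        fi
    done
}

# verify_restore SRC TARGET: exit 0 if both trees match, 1 otherwise.
verify_restore() {
    diff -r "$1" "$2" > /dev/null
}

# Demonstration with constructed data in scratch directories.
src=$(mktemp -d); dst=$(mktemp -d); out=$(mktemp -d)
echo "config v1" > "$src/app.conf"
mkdir "$src/logs"; echo "first" > "$src/logs/app.log"
backup_full "$src" "$dst"
sleep 1    # keep the changes clearly after the snapshot timestamp
echo "second" >> "$src/logs/app.log"; echo "new data" > "$src/extra.txt"
backup_incr "$src" "$dst" 1
restore_chain "$dst" "$out/restore"
verify_restore "$src" "$out/restore" && echo "restore matches source"
```

The restore test is the part most backup schedules skip; run it periodically, not only when a disk has already failed.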
Demo: mysqldump backs up an entire database
mysqldump -uroot -p --opt database > backupfile.sql
Restore the database
mysql -uroot -p database < backupfile.sql
0x08 Other references
PAM modules
CDN acceleration and caching: squid / HAProxy / Varnish
Keep the kernel and applications updated
This article was originally published by Heart of the Sword; when reprinting, please keep the original link: http://upker.net/?post=21