Linux OPS note 20180002-Security hardening

Source: Internet
Author: User

About "Security hardening"

Security is relative.

Hardening can involve every layer of the system: (1) hardware, for example Intel x86 hardware vulnerabilities; (2) the operating system, from installation through to running; and (3) system services: how the service itself is installed and configured, the system resources the service uses, and external access to the service (data exchange).

The examples here cover installation and deployment, system configuration, and system service settings on RHEL.

1. About the operating system

Use an official release whenever possible.

Choose a current "mainstream" version whenever possible.

For example, RHEL major versions: 6.x (6.8); 7.x (7.2, 7.5)

1.1 About the installation of the operating system

(1) Disk partitions: /boot: 200M; /: 10G; swap: sized to memory

Deploy the system using logical volumes

/boot: the boot partition, must use a physical partition

swap: use a logical volume

/: use a logical volume

A simple deployment needs only the three partitions above; other directories can be given their own partitions:

(When the data volume is relatively large, the file system is prone to filling up ...)

/var

/var/log

/home

/usr

/usr/local

/tmp

(User-defined directories can also be mounted independently)

Both a parent directory and the subdirectories below it can each be mounted on their own disk

Reassigning a separate partition to a system directory

Operations: disk partition / logical volume, file system creation, mount and unmount, file move

Important:

1. Users can only operate on the file system (file read and write operations)

2. A file system cannot be detached from its disk (data is written on the file system)

3. Mounting associates a directory with a file system: the file system is entered through the directory

4. When moving files, keep their attributes.

(2) Package customization

Desktop

Development Tools Group

(3) Viewing partitions and mounts after system installation

df -Th, lvdisplay, vgdisplay, lvs, vgs,

/etc/fstab

(4) Yum source

Do not point the yum source directly at the ISO file; mount the image first

For example: mount -o loop xxx.iso /mnt

The mount can also be recorded in fstab, but that may affect system startup

Alternatively, write it to another file: put the mount command in /etc/rc.local

rc.local is a script that is executed after the system has started.

1.2 About RHEL6 root account password recovery

Boot the machine, or interrupt system startup

Edit the kernel parameters: find the startup entry and press e to edit, select the kernel line and press e to edit again, add the parameter 1 or single at the end and press Enter to confirm, then with the kernel line selected press b to boot directly into single-user mode. Single-user mode does not ask for a login and goes straight into the system as the root account; run passwd to change the password, then reboot to restart.

Preventing the password from being maliciously cracked

GRUB needs to be password protected. Find the GRUB configuration file: /etc/grub.conf

Add a password line under hiddenmenu

1. Plaintext password: password=123456

2. MD5-encrypted password: password --md5 followed by the MD5-encrypted string

3. SHA-encrypted password: password --encrypted followed by the encrypted string

How are the encrypted strings generated?

Command-line tool: grub-crypt, with an option specifying the encryption algorithm

It uses SHA-512 by default; for details use --help
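
As an added example (not part of the original note), the following shell functions classify the password directive in a GRUB legacy config such as /etc/grub.conf, so a host audit can flag a missing, plaintext or MD5 entry. The function names, the sample config and the hash placeholders are constructed for illustration, and only the global section before the first title line is checked.

```shell
#!/bin/bash
# Added example: audit the global "password" directive of a GRUB legacy config.

# Prints one of: none | plaintext | md5 | encrypted
grub_password_kind() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*title([ \t]|$)/ { exit }          # global section ends at first title
        /^[ \t]*password([ \t=]|$)/ {
            if ($0 ~ /--md5/)            kind = "md5"
            else if ($0 ~ /--encrypted/) kind = "encrypted"
            else                         kind = "plaintext"
        }
        END { print (kind == "" ? "none" : kind) }
    ' "$1"
}

# Returns 0 only when the config carries a --encrypted (grub-crypt) hash.
audit_grub_conf() {
    case "$(grub_password_kind "$1")" in
        encrypted) echo "OK: hashed password (--encrypted)"; return 0 ;;
        md5)       echo "WEAK: MD5 hash, regenerate with grub-crypt"; return 1 ;;
        plaintext) echo "WEAK: plaintext password readable in the file"; return 1 ;;
        *)         echo "FAIL: no password, kernel line can be edited at boot"; return 1 ;;
    esac
}

# Constructed sample config; the argument is the password line to embed.
sample_conf() {
    printf '%s\n' 'default=0' 'timeout=5' 'hiddenmenu' "$1" \
        'title Red Hat Enterprise Linux 6' '    root (hd0,0)' \
        '    kernel /vmlinuz-PLACEHOLDER ro root=/dev/mapper/vg-root'
}

# Demo over four constructed configs (hash values are placeholders, not real).
tmp=$(mktemp)
for line in '' 'password=123456' 'password --md5 $1$CONSTRUCTED' \
            'password --encrypted $6$CONSTRUCTED'; do
    sample_conf "$line" > "$tmp"
    audit_grub_conf "$tmp" || true
done
rm -f "$tmp"
```

On a real host the call would be audit_grub_conf /etc/grub.conf, run as root because the file is normally not world-readable.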

This article is organized mainly from what I learned from Brother Tao. Brother Tao got married last week; thanks to Brother Tao for his guidance to us beginners.
