About "Security hardening"
Security is relative.
Hardening can involve every layer of the system: (1) Hardware, for example Intel x86 hardware vulnerabilities; (2) the operating system, from installation through to running; and (3) system services: the installation and configuration of the service itself, the system resources the service uses, and external access to the service (data exchange).
Example: installation and deployment, system configuration, and system service settings for RHEL.
1. About the operating system
Use an officially released system wherever possible;
Choose a current "mainstream" version wherever possible.
For example, RHEL major versions: 6.x: 6.8; 7.x: 7.2, 7.5
1.1 About the installation of the operating system
(1) Disk partitions: /boot: 200M; /: 10G; swap: memory size
Deploy the system using logical volumes
/boot: the boot partition, must use a physical partition
swap: use a logical volume
/: use a logical volume
A simple deployment needs only the three partitions above; other directories can be given their own partitions:
(When the volume of data is relatively large, the file system can easily fill up ...)
/var
/var/log
/home
/usr
/usr/local
/tmp
(User-defined directories can be mounted independently)
Both a parent directory and the subdirectories beneath it can be mounted on separate disks
Moving a system directory onto its own partition
Steps: create the disk partition / logical volume, create the file system, mount & unmount, move the files
Important: 1. The user can only operate on the file system (reading and writing files)
2. A file system cannot exist apart from a disk (the data is written to the file system)
3. Mounting associates a directory with a file system: the file system is entered through the directory
4. When moving files, preserve their attributes.
(2) Package customization
Desktop
Development Tools Group
(3) Viewing partitions and mounts after system installation
df -Th, lvdisplay, vgdisplay, lvs, vgs,
/etc/fstab
(4) Yum source
Do not point the source directly at the ISO file; the image must be mounted first
For example: mount -o loop xxx.iso /mnt
The mount information can also be written to fstab, but that may affect system startup
Instead, write it to another file: put the mount command in /etc/rc.local
rc.local: a script that is executed after the system starts.
1.2 About RHEL6 root account password recovery
Boot (or reboot) and interrupt the system startup.
Edit the kernel parameters: find the boot entry and press e to edit; select the kernel line and press e to edit it; add the parameter 1 or single at the end and press Enter to confirm; with the kernel line selected, press b to boot. The system boots directly into single-user mode with no further steps and goes straight to a shell as the root account; run passwd to change the password, then reboot to restart.
Prevent the password from being maliciously cracked
GRUB needs to be password-protected. Find the GRUB configuration file: /etc/grub.conf
Add a password line under hiddenmenu
1. Plaintext password: password=123456
2. MD5-encrypted password: password --md5 <MD5-encrypted string>
3. SHA-encrypted password: password --encrypted <encrypted string>
How are the encrypted strings generated?
Command-line tool: grub-crypt, with an option specifying the encryption algorithm
It uses SHA-512 by default; see --help for the specifics
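A check for the setting described above, as an added example that is not part of the original notes: it classifies the password line in the global section of a GRUB legacy grub.conf (the lines before the first title entry, where hiddenmenu sits) as none, plaintext, md5 or encrypted. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the GRUB legacy password.
# Only the global section, before the first "title", is inspected.

# Prints one of: none, plaintext, md5, encrypted, unreadable
grub_password_mode() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        /^[ \t]*title([ \t]|$)/ { exit }        # first boot entry: stop (END still runs)
        /^[ \t]*password([ \t=]|$)/ {           # "password ..." or "password=..."
            if ($0 ~ /--md5/)            mode = "md5"
            else if ($0 ~ /--encrypted/) mode = "encrypted"
            else                         mode = "plaintext"
        }
        END { print (mode == "" ? "none" : mode) }
    ' "$conf"
}

# Returns 0 only when a grub-crypt style hash (--encrypted) is configured.
audit_grub() {
    mode=$(grub_password_mode "$1") || true
    case $mode in
        encrypted) echo "OK: hashed password (--encrypted)"; return 0 ;;
        md5)       echo "WEAK: MD5 hash, regenerate with grub-crypt"; return 1 ;;
        plaintext) echo "FAIL: password stored in clear text"; return 1 ;;
        none)      echo "FAIL: no password, kernel line can be edited at boot"; return 1 ;;
        *)         echo "ERROR: cannot read $1"; return 2 ;;
    esac
}

# Constructed sample grub.conf using the plaintext form shown in the notes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
default=0
timeout=5
hiddenmenu
password=123456
title Red Hat Enterprise Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/mapper/vg-root
EOF
audit_grub "$sample" || true
rm -f "$sample"
```

On a real host, run audit_grub /etc/grub.conf as root; a non-zero exit status makes it usable in a hardening checklist script.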
This article is organized mainly from what I learned from Brother Tao. Brother Tao got married last week; thanks to Brother Tao for his guidance to us beginners.
Linux OPS note 20180002-Security hardening