1. Physical protection
Set a BIOS setup password
Add a password to the boot loader configuration (grub.conf)
2. Minimal system installation: install only the base services
3. Put application data on its own partition and isolate it from the system
4. Disable boot-time services that do not need to start
5. Hide system information
6. Synchronize the server's clock with an Internet time source
7. Use sudo for fine-grained control of ordinary users' privileges
8. Password policy: passwords expire after 90 days and must meet a 16-character complexity requirement
8. SSH hardening
9. Tune the Linux kernel: raise the system file descriptor limit, stack size and related settings
10. Remove unused default system accounts and groups (optional)
11. File permissions
Restrict the global default permissions to 0750 and set the umask for directories to 027.
Restrict sensitive files: use the chattr command to add the immutable attribute to the following files:
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
# chattr +a .bash_history    (append-only: prevents .bash_history from being deleted or redirected to /dev/null)
# chattr +i .bash_history
Restrict common binaries, and recover the default mode when needed:
# chmod 700 /usr/bin          (recover with: chmod 555 /usr/bin)
# chmod 700 /bin/ping         (recover with: chmod 4755 /bin/ping)
# chmod 700 /usr/bin/vim      (recover with: chmod 755 /usr/bin/vim)
# chmod 700 /bin/netstat      (recover with: chmod 755 /bin/netstat)
# chmod 700 /usr/bin/tail     (recover with: chmod 755 /usr/bin/tail)
# chmod 700 /usr/bin/less     (recover with: chmod 755 /usr/bin/less)
# chmod 700 /usr/bin/head     (recover with: chmod 755 /usr/bin/head)
# chmod 700 /bin/cat          (recover with: chmod 755 /bin/cat)
# chmod 700 /bin/uname        (recover with: chmod 755 /bin/uname)
# chmod 500 /bin/ps           (recover with: chmod 755 /bin/ps)
Restrict non-root users from executing the service scripts under /etc/rc.d/init.d/:
# chmod -R 700 /etc/rc.d/init.d/*
# chmod -R 777 /etc/rc.d/init.d/*    (restore the default settings)
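As an added example (not code from the original post), a read-only audit that checks the binaries hardened above against the modes listed and reports which of the chattr-protected files actually carry the immutable flag; the function names and the baseline list are choices made for this example.

```shell
#!/bin/sh
# Added example: verify the file-permission baseline from the section above.
# BASELINE holds "path expected-octal-mode" pairs taken from the chmod list;
# check_mode, check_immutable and audit_baseline are names chosen here.
BASELINE='
/usr/bin 700
/bin/ping 700
/usr/bin/vim 700
/bin/netstat 700
/bin/ps 500
'

# check_mode PATH EXPECTED_OCTAL -> returns 0 (ok), 1 (drift), 2 (missing)
check_mode() {
    path=$1; expected=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    actual=$(stat -c %a "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $path mode=$actual"; return 0
    fi
    echo "DRIFT   $path expected=$expected actual=$actual"; return 1
}

# check_immutable PATH -> 0 if lsattr shows the 'i' flag, 1 otherwise
# (also 1 when lsattr is missing or the filesystem has no attributes).
# Note: +i on a file the shell writes to, such as .bash_history, blocks
# new appends as well; +a (append-only) is the attribute that keeps history.
check_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)
    case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

# audit_baseline BASELINE_TEXT -> one report line per entry,
# returns the number of entries that are missing or have drifted
audit_baseline() {
    bad=0
    # turn "path mode" into "path:mode" so each entry is one word
    for entry in $(printf '%s\n' "$1" | tr ' ' ':'); do
        p=${entry%%:*}; m=${entry#*:}
        check_mode "$p" "$m" || bad=$((bad + 1))
    done
    return $bad
}

# Stand-alone run against the local system (read-only, any user)
audit_baseline "$BASELINE" || echo "$? entries need attention"
for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
    check_immutable "$f" && echo "immutable  $f" || echo "mutable    $f"
done
```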
12. Disable the Ctrl+Alt+Del shortcut for restarting the server
# cp /etc/inittab /etc/inittab.bak
# vi /etc/inittab    # comment out the following two lines
#start on control-alt-delete
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
13. When updating the system with yum update, do not upgrade the kernel; only update packages
Because of system and hardware compatibility issues, a kernel upgrade can leave the server unable to boot normally. Unless there is a specific need, do not upgrade the kernel casually.
14. Limit the history size and remove MySQL records from the history
15. Scheduled Tasks
16. Real-time monitoring
Query system ports and service status
Web service port: 8081
File monitoring
Check for files with SUID or SGID permissions:
# find / -perm -4000 -o -perm -2000
Find files that have changed within the last 24 hours
Detect rootkits
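The SUID/SGID check and the 24-hour change check above, as an added example (not the original post's code): a baseline is recorded once after hardening and later scans are compared against it, so a new setid binary or a changed mode shows up as drift. Function names and the baseline file location are assumptions of this example.

```shell
#!/bin/sh
# Added example: SUID/SGID baseline with drift detection, plus a list of
# recently changed files, for the file-monitoring step above.

# list_setid ROOT -> sorted "octal-mode path" lines for every SUID/SGID
# regular file under ROOT (stays on one filesystem, so /proc is skipped)
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} + 2>/dev/null | sort
}

# save_setid_baseline ROOT FILE -> record the current state; run once
# right after hardening and keep FILE where it cannot be edited casually
save_setid_baseline() {
    list_setid "$1" > "$2"
}

# diff_setid ROOT FILE -> prints "+ mode path" for new setid files and
# "- mode path" for vanished ones (a mode change shows as both);
# returns 0 if unchanged, 1 on drift
diff_setid() {
    tmp=$(mktemp)
    list_setid "$1" > "$tmp"
    # both inputs are sorted, so comm can split them cleanly
    added=$(comm -13 "$2" "$tmp")
    removed=$(comm -23 "$2" "$tmp")
    rm -f "$tmp"
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# recently_changed ROOT -> regular files modified within the last 24 hours
recently_changed() {
    find "$1" -xdev -type f -mtime -1 2>/dev/null | sort
}

# Typical use from cron, after an initial
#   save_setid_baseline / /var/lib/setid.baseline
# is:
#   diff_setid / /var/lib/setid.baseline || logger -t setid-audit "setid drift"
```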
17. Application baselines
KeepAlive: 15 seconds
Redirect error pages, for security reasons, to avoid leaking sensitive information
Limit the upload file size
18. Logs (Logstash)
The usual log files are as follows:
access-log: records HTTP/web transfers
acct/pacct: records user commands
aculog: records modem activity
btmp: records failed logins
lastlog: records the most recent successful login events and the last unsuccessful login
messages: logging information from syslog (some entries are links to syslog files)
sudolog: records commands run with sudo
sulog: records use of the su command
syslog: information from syslog (usually linked to the messages file)
utmp: records each user who is currently logged on
wtmp: a permanent record of each user's login and logout times
xferlog: records FTP sessions
User login information, security and authentication logs:
last, lastb, lastlog
The utmp file holds information about the users currently in the system.
The wtmp file holds records of users who have successfully logged in to the system.
The btmp file holds information about login failures.
# The last command can be used to view the btmp file, for example: last -f /var/log/btmp | more
# 1. Information about currently logged-on users is recorded in the file utmp ====== who, w commands
# 2. Login and logout records are in the file wtmp ====== last command
# 3. Failed login records are in the file btmp ====== lastb command
# 4. Last login times can be viewed with the lastlog command
# 5. messages ====== log information from syslog
Note: both the wtmp and utmp files are binary files.
/var/log/messages holds overall system information, including logs from system startup. In addition, content from mail, cron, daemon, kern and auth is also recorded in /var/log/messages.
/var/log/dmesg contains the kernel ring buffer. When the system starts, a lot of hardware-related information is shown on screen; you can view it with dmesg.
/var/log/auth.log contains system authorization information, including user logins and use of the permission mechanism.
/var/log/boot.log contains the system startup log.
/var/log/daemon.log contains logs from the various system daemons.
/var/log/dpkg.log contains the log of packages installed or removed with the dpkg command.
/var/log/kern.log contains logs generated by the kernel, which help when troubleshooting a custom kernel.
/var/log/lastlog records the most recent login information for all users. This is not an ASCII file, so use the lastlog command to view its contents.
/var/log/maillog or /var/log/mail.log contains the log of the e-mail server running on the system. For example, sendmail sends all its log information to this file.
/var/log/user.log records user-level information at all levels.
/var/log/Xorg.x.log contains the log from X.
/var/log/alternatives.log records update-alternatives replacement information.
/var/log/btmp records all failed login attempts. Use the last command to view it, for example: last -f /var/log/btmp | more
/var/log/cups contains logs related to printing.
/var/log/anaconda.log stores all installation information when Linux is installed.
/var/log/yum.log contains information about packages installed with yum.
/var/log/cron records an entry each time the cron process starts a job.
/var/log/secure contains authentication and authorization information. For example, sshd records everything here, including failed logins.
/var/log/wtmp and /var/log/utmp contain login information. wtmp can be used to find out who has logged in to the system; the who command displays this information.
/var/log/faillog contains user login failure information. Errors from the login command are also recorded in this file.
In addition to the log files above, /var/log also contains the following subdirectories for specific applications:
/var/log/httpd/ or /var/log/apache2/ contains the server's access_log and error_log.
/var/log/lighttpd/ contains lighttpd's access_log and error_log.
/var/log/mail/ contains additional logs for the mail server.
/var/log/prelink/ contains information about .so files modified by prelink.
/var/log/audit/ contains information stored by the Linux audit daemon.
/var/log/samba/ contains information stored by Samba.
/var/log/sa/ contains the sar files collected daily by the sysstat package.
/var/log/sssd/ is used by the SSSD security services daemon.
Besides archiving and clearing these log files by hand, you can use logrotate to rotate or delete them automatically once they reach a certain size. You can view these log files with commands such as vi, tail, grep and less.
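As an added example (not from the original post) of reading the sshd entries in /var/log/secure described above: the functions below count failed password attempts per source, flag sources over a threshold, and single out sources that were accepted after earlier failures. The log lines are constructed for this example, and the function names and threshold are my own choices.

```shell
#!/bin/sh
# Added example: summarise sshd failures from /var/log/secure-style lines.
# SAMPLE_LOG is constructed sample data in the usual syslog format.
SAMPLE_LOG='Mar  3 10:01:12 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar  3 10:01:19 web1 sshd[2204]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar  3 10:02:40 web1 sshd[2210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 web1 sshd[2215]: Failed password for invalid user test from 198.51.100.9 port 40100 ssh2
Mar  3 10:05:22 web1 sshd[2220]: Accepted password for root from 203.0.113.5 port 51100 ssh2'

# failed_by_source (stdin: log lines) -> "count ip", highest count first
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders THRESHOLD (stdin: log lines) -> sources with >= THRESHOLD failures
offenders() {
    failed_by_source | awk -v t="$1" '$1 >= t {print $2}'
}

# success_after_failure (stdin: log lines) -> sources that failed and were
# later accepted: the pattern that deserves a closer look
success_after_failure() {
    awk '
        function src(line) { match(line, / from [0-9.]+ /); return substr(line, RSTART + 6, RLENGTH - 7) }
        /sshd\[[0-9]+\]: Failed password/ { failed[src($0)] = 1 }
        /sshd\[[0-9]+\]: Accepted /       { ip = src($0); if ((ip in failed) && !(ip in seen)) { seen[ip] = 1; print ip } }
    '
}

# Stand-alone run on the constructed sample; on a real host feed the file:
#   failed_by_source < /var/log/secure
echo "$SAMPLE_LOG" | failed_by_source
echo "$SAMPLE_LOG" | offenders 3
echo "$SAMPLE_LOG" | success_after_failure
```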
19. Patch updates
20. Scheduled backups
21. Firewalls
Juniper NetScreen
H3C SecPath
Huawei USG6390
iptables
Disable ping on the server:
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
SELinux
# On machines with an external (Internet-facing) IP, enable and configure the firewall and configure SELinux
facl (file ACLs)
tcp_wrappers, an application-level firewall
# vi /etc/host.conf and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have a machine with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves names through DNS first and then through the hosts file. The second setting allows a host in /etc/hosts to have more than one IP address (for example, multiple Ethernet cards). The third setting tells the resolver to check for IP address spoofing against the machine.
Intrusion detection
IDS
HIDS: OSSEC host intrusion detection system
NIDS: Snort network intrusion detection system
Filesystem: Tripwire
AIDE (Advanced Intrusion Detection Environment)
IPS
IDS + firewall
This article is from the "Meteor Studio" blog; please keep this source when reposting: http://redone.blog.51cto.com/5382451/1962343
Linux Security baselines