I. Account security
1.1 Lock redundant accounts built into the system
Check method:
Execute the commands
# cat /etc/passwd
# cat /etc/shadow
Review the account and password files together with the system administrator to confirm which accounts are unnecessary. Reserved system pseudo-accounts such as bin, sys, adm, uucp, lp, nuucp, hpdb, www and daemon can be locked against login as needed.
Backup method:
# cp -p /etc/passwd /etc/passwd_bak
# cp -p /etc/shadow /etc/shadow_bak
Reinforcement method:
Use the command passwd -l <username> to lock an unnecessary account.
Use the command passwd -u <username> to unlock an account that needs to be restored.
Note that passwd -l only invalidates the password hash; an account that keeps an interactive shell can still be reached through an SSH key or a cron job, so also set its shell to /sbin/nologin if it never needs to log in.
1.2 Set the system password policy
Check method:
Use the command
# cat /etc/login.defs | grep PASS
to view the password policy settings.
Backup method:
# cp -p /etc/login.defs /etc/login.defs_bak
Reinforcement method:
# vi /etc/login.defs and modify the configuration file:
PASS_MAX_DAYS        # maximum number of days a newly created user's password may be used
PASS_MIN_DAYS 0      # minimum number of days between password changes for newly created users
PASS_WARN_AGE 7      # days before expiry on which newly created users are warned
PASS_MIN_LEN 9       # minimum password length is 9
These values apply only to accounts created afterwards; apply the same limits to existing accounts with chage -M <days> -m 0 -W 7 <username>. PASS_MIN_LEN is ignored on systems where pam_cracklib enforces the length instead, so check /etc/pam.d/system-auth as well.
1.3 Disable superusers other than root
Check method:
# cat /etc/passwd to view the password file, whose format is:
login_name:password:user_ID:group_ID:comment:home_dir:command
login_name: user name
password: encrypted user password (an "x" means the hash is stored in /etc/shadow)
user_ID: user ID; if the user ID is 0 the account has superuser privileges. Check whether more than one account has ID 0.
group_ID: user group ID
comment: full name of the user or other annotation
home_dir: the user's home directory
command: the shell executed after the user logs in
Backup method:
# cp -p /etc/passwd /etc/passwd_bak
Reinforcement method:
Use the command passwd -l <username> to lock an unnecessary superuser account.
Use the command passwd -u <username> to unlock a superuser account that needs to be restored.
Risk: the use of any such superuser account needs to be confirmed with the administrator before it is locked.
1.4 Limit which users can su to root
Check method:
# cat /etc/pam.d/su to see whether it contains a configuration entry such as auth required /lib/security/pam_wheel.so
Backup method: # cp -p /etc/pam.d/su /etc/pam.d/su_bak
Reinforcement method:
# vi /etc/pam.d/su
Add at the top:
auth required /lib/security/pam_wheel.so group=wheel
With this line only members of the wheel group can su to root. (Writing just pam_wheel.so without a path lets PAM find the module in /lib/security or /lib64/security as appropriate.)
# usermod -a -G wheel test adds the test user to the wheel group; on Red Hat-style systems wheel is GID 10. Use -G (supplementary group), not -g, so the user's primary group is unchanged.
If the system fails verification afterwards, first check the output in /var/log/messages or /var/log/secure and use it to judge whether the user account is valid.
If a PAM validation failure means root cannot log in, recovery is only possible from single-user or rescue mode, so keep a root shell open while editing PAM files and test su from a second session before closing it.
1.5 Check for accounts with empty passwords in /etc/shadow
Check method:
# awk -F: '($2 == "") { print $1 }' /etc/shadow
Backup method: # cp -p /etc/shadow /etc/shadow_bak
Reinforcement method: lock the empty-password accounts, or require a password to be set with passwd <username>.
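The checks in 1.1, 1.2, 1.3 and 1.5 are all reads of the same two files, so they can be run together. The script below is an added example and is not part of the original checklist; every function takes a passwd- or shadow-format file path, so on a real host it is called with /etc/passwd and /etc/shadow, while the sample files here are constructed for illustration. It assumes that system pseudo-accounts are those with UID below 1000 and that a shadow hash beginning with "!" or equal to "*" means locked.

```shell
#!/bin/sh
# Added audit helper for checklist items 1.1, 1.2, 1.3 and 1.5 (example code, not
# part of the original page). Assumption: system accounts have UID < 1000.
# The two sample files are constructed for illustration.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
lp:!!:19000:0:99999:7:::
uucp:$6$saltsalt$hashhashhash:19000:0:99999:7:::
toor:$6$saltsalt$hashhashhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:19000:0:90:7:::
guest::19000:0:99999:7:::
EOF

# 1.3: every account with UID 0. Anything besides root is a second superuser.
find_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# 1.5: accounts whose shadow password field is empty (login with no password at all).
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# 1.1: pseudo-accounts (0 < UID < 1000) that still have an interactive shell and
# whose shadow entry is not locked. Arguments: passwd file, shadow file.
find_unlocked_system_accounts() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ && hash[$1] !~ /^[!*]/ { print $1 }' \
        "$2" "$1"
}

# 1.2: accounts with a usable hash whose maximum password age is unset or 99999,
# i.e. the login.defs policy never reached them (fix with chage -M <days>).
find_password_never_expires() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# Emit the lock commands for everything found (review them before running as root).
suggest_locks() {
    { find_uid0 "$1" | awk '$1 != "root"'
      find_empty_passwords "$2"
      find_unlocked_system_accounts "$1" "$2"; } | sort -u | sed 's/^/passwd -l /'
}

suggest_locks "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On the sample data the script proposes locking guest (empty password), toor (second UID 0) and uucp (system account with a live hash and /bin/sh), while root, uucp and toor are reported as never expiring; alice, with a 90-day maximum, is not.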
II. Service minimization
2.1 Stop or disable services unrelated to the hosted business
Check method:
View the current init level with # who -r or # runlevel
# chkconfig --list to view the status of all services
Backup method: record the names of the services you intend to turn off
Reinforcement method:
# chkconfig --level <levels> <service name> on|off|reset sets whether the service starts at the given init levels, for example chkconfig --level 2345 cups off. This only changes the boot configuration; a service that is currently running is stopped with service <service name> stop.
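Reviewing chkconfig --list by eye is error-prone on a host with dozens of services, so the following added example (not part of the original checklist) parses that output and reports what is enabled at a runlevel and what is enabled but absent from an agreed allowlist. It assumes the Red Hat-style chkconfig output format; the sample output is constructed, and on a real host it would be replaced with chkconfig --list > /tmp/services.txt.

```shell
#!/bin/sh
# Added helper for checklist item 2.1 (example code, not part of the original page).
# Assumes Red Hat-style "chkconfig --list" output; the sample is constructed.

CHKCONFIG_SAMPLE=$(mktemp)
cat > "$CHKCONFIG_SAMPLE" <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        telnet:         on
        rsync:          off
EOF

# SysV services switched on at the given runlevel (a "N:on" column).
# Arguments: runlevel, file.
enabled_at_level() {
    awk -v lvl="$1" '$2 ~ /^[0-6]:/ { for (i = 2; i <= NF; i++) if ($i == (lvl ":on")) print $1 }' "$2"
}

# xinetd-managed services that are on (the indented "name:  on" lines).
enabled_xinetd() {
    awk 'NF == 2 && $1 ~ /:$/ && $2 == "on" { sub(/:$/, "", $1); print $1 }' "$1"
}

# Services on at the runlevel that are not in the space-separated allowlist;
# these are the candidates for "chkconfig --level 2345 <name> off".
# Arguments: runlevel, file, allowlist.
unexpected_services() {
    level=$1; file=$2; allow=" $3 "
    enabled_at_level "$level" "$file" | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Example run: the allowlist is what this host's business actually needs.
unexpected_services 3 "$CHKCONFIG_SAMPLE" "sshd crond syslog"
enabled_xinetd "$CHKCONFIG_SAMPLE"
```

For the sample, runlevel 3 with an allowlist of sshd, crond and syslog leaves cups and bluetooth as candidates to disable, and telnet shows up as an xinetd service that is on (which also bears on 4.1, since telnet should be off once SSH is in use).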
III. Data access control
3.1 Set reasonable initial file permissions
Check method:
# cat /etc/profile to view the umask value
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
umask 027
Risk: this changes the default permissions of newly created files (027 yields 640 for files and 750 for directories, so users outside the owner's group get no access). Modify it with care if the server runs a web application, since a web server running as a different user may lose read access to files created by the deployment account. Daemons and cron jobs do not read /etc/profile, so their umask must be set in their own startup scripts.
IV. Network access control
4.1 Use SSH for administration
Check method:
# ps -ef | grep sshd to see whether the service is running
Backup method:
Reinforcement method:
Start the SSH service with the command
# service sshd start
and enable it at boot with chkconfig sshd on. Once SSH is confirmed to work, disable telnet, rsh and other cleartext remote-login services (section 2.1).
Risk: changes the administrators' working habits.
4.2 Set an access control policy restricting the IP addresses that may manage this host
Check method:
# cat /etc/ssh/sshd_config to see whether there is an AllowUsers statement
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Reinforcement method:
# vi /etc/ssh/sshd_config, add the following statement
AllowUsers *@10.138.*.*
This means: only users connecting from the 10.138.0.0/16 network segment are allowed to access the host via SSH; all other sources are refused at authentication.
Restart the SSH service after saving
# service sshd restart
Check the file with sshd -t before restarting and keep the current session open while testing a new one; an AllowUsers line that does not match the address you administer from locks you out.
Risk: the IP segments allowed to manage the host need to be agreed with the administrator.
4.3 Prohibit remote login by the root user
Check method:
# cat /etc/ssh/sshd_config to see whether PermitRootLogin is set to no
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Reinforcement method:
# vi /etc/ssh/sshd_config
PermitRootLogin no
Restart the SSH service after saving
# service sshd restart
A commented line such as #PermitRootLogin yes only documents the default, which is yes; the option must be present and uncommented to take effect. Administrators then log in as ordinary users and su to root (section 1.4), which also leaves an audit trail of who became root.
4.4 Restrict trusted hosts
Check method:
# cat /etc/hosts.equiv to view the trusted hosts
# cat $HOME/.rhosts to view the trusted hosts (check every user's home directory, not only root's)
Backup method:
# cp -p /etc/hosts.equiv /etc/hosts.equiv_bak
# cp -p $HOME/.rhosts $HOME/.rhosts_bak
Reinforcement method:
# vi /etc/hosts.equiv and remove unnecessary hosts
# vi $HOME/.rhosts and remove unnecessary hosts
A line consisting of a single "+" trusts every host and must be removed. If the r-services (rsh, rlogin, rexec) are not needed at all, disable them in section 2.1 and delete these files entirely.
Risk: in a multi-host environment the IP trust relationships with the other hosts need to be preserved.
4.5 Suppress login banner information
Check method:
# cat /etc/ssh/sshd_config to see whether a Banner field exists in the file, or whether it is set to none
# cat /etc/motd to view the contents of the file, which is displayed to users after they log in.
Backup method:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
# cp -p /etc/motd /etc/motd_bak
Reinforcement method:
# vi /etc/ssh/sshd_config
Banner none
# vi /etc/motd
Delete all content, or replace it with the text you want shown (an authorised-use warning rather than operating system or version information).
Risk: no visible risk
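Items 4.2, 4.3 and 4.5 are all settings in one file, and the way sshd reads that file matters: the first uncommented occurrence of a keyword wins, keywords are case-insensitive, and anything after a Match block is conditional. The script below is an added example, not part of the original checklist, that resolves a keyword's effective value under those rules and reports which of the three checks fail. The two configuration files are constructed samples; on a real host the functions are pointed at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added helper for checklist items 4.2, 4.3 and 4.5 (example code, not part of the
# original page). The "weak" and "hardened" files below are constructed samples.

WEAK_SSHD=$(mktemp)
HARDENED_SSHD=$(mktemp)
cat > "$WEAK_SSHD" <<'EOF'
# constructed: the commented line is documentation, not a setting
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$HARDENED_SSHD" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
AllowUsers *@10.138.*.*
Banner none
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of a keyword: first uncommented occurrence before any Match block,
# with the keyword compared case-insensitively. Arguments: file, keyword.
sshd_opt() {
    awk -v key="$(lc "$2")" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Prints the name of every check that fails; prints nothing for a compliant file.
# An absent PermitRootLogin counts as a failure because the default is yes.
audit_sshd() {
    f=$1
    v=$(sshd_opt "$f" PermitRootLogin)
    [ "$(lc "$v")" = "no" ] || echo "PermitRootLogin"
    [ -n "$(sshd_opt "$f" AllowUsers)" ] || echo "AllowUsers"
    v=$(sshd_opt "$f" Banner)
    [ -z "$v" ] || [ "$(lc "$v")" = "none" ] || echo "Banner"
}

echo "weak:";     audit_sshd "$WEAK_SSHD"
echo "hardened:"; audit_sshd "$HARDENED_SSHD"
```

The weak sample fails all three checks even though it contains the text "PermitRootLogin no", because that line is commented out; the hardened sample passes. Run the audit after editing and before service sshd restart, together with sshd -t.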
4.6 Prevent accidental reboots via Ctrl+Alt+Del
Check method:
# cat /etc/inittab | grep ctrlaltdel to see whether the line is commented out
Backup method:
# cp -p /etc/inittab /etc/inittab_bak
Reinforcement method:
# vi /etc/inittab
Add a comment symbol "#" at the beginning of the line:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then run init q so that init re-reads the file without a reboot.
V. User identification
5.1 Set account lockout: failed-logon count and lockout time
Check method:
# cat /etc/pam.d/system-auth to view the settings of the auth required pam_tally.so entry
Backup method:
# cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
Reinforcement method:
# vi /etc/pam.d/system-auth
auth required pam_tally.so onerr=fail deny=6 unlock_time=300
locks the account after 6 consecutive wrong passwords, for 300 seconds.
Unlock a user with faillog -u <username> -r
Risk: requires PAM support. Modifications to PAM files must be checked carefully, since an error will make login impossible; keep a root session open until login has been verified from a second session.
If the system fails verification afterwards, first check the output in /var/log/messages or /var/log/secure and use it to judge whether the user account is valid.
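Reading /var/log/secure is also how you find out what the lockout policy will do before enabling it, and who is being locked out after. The script below is an added example, not part of the original checklist: it counts failed sshd password attempts and failed su attempts per target account and per source address, the same tally pam_tally keeps, and names the accounts that have reached a given deny= threshold. The log lines are constructed samples in the format written by sshd and pam_unix on a Red Hat-style host; on a real host the functions take /var/log/secure.

```shell
#!/bin/sh
# Added helper for checklist item 5.1 (example code, not part of the original page).
# The log lines below are constructed in /var/log/secure format.

SECURE_SAMPLE=$(mktemp)
cat > "$SECURE_SAMPLE" <<'EOF'
Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 10.138.9.9 port 4001 ssh2
Mar  3 10:01:03 host sshd[1235]: Failed password for invalid user admin from 10.138.9.9 port 4002 ssh2
Mar  3 10:01:05 host sshd[1236]: Failed password for root from 10.138.1.5 port 4003 ssh2
Mar  3 10:01:06 host sshd[1237]: Failed password for root from 10.138.1.5 port 4004 ssh2
Mar  3 10:01:07 host sshd[1238]: Failed password for root from 10.138.1.5 port 4005 ssh2
Mar  3 10:01:08 host sshd[1239]: Failed password for root from 10.138.1.5 port 4006 ssh2
Mar  3 10:01:09 host sshd[1240]: Failed password for root from 10.138.1.5 port 4007 ssh2
Mar  3 10:01:10 host sshd[1241]: Failed password for root from 10.138.1.5 port 4008 ssh2
Mar  3 10:01:11 host sshd[1242]: Failed password for root from 10.138.1.5 port 4009 ssh2
Mar  3 10:02:00 host sshd[1250]: Accepted password for alice from 10.138.2.7 port 5000 ssh2
Mar  3 10:02:10 host su: pam_unix(su:auth): authentication failure; logname=bob uid=500 euid=0 tty=pts/1 ruser=bob rhost=  user=root
EOF

# Failed sshd password attempts and failed su attempts, counted per target account.
# "invalid user" is stripped so that guesses at non-existent names are counted too.
failed_by_user() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             u = $0; sub(/.*Failed password for (invalid user )?/, "", u); sub(/ from .*/, "", u); n[u]++
         }
         /pam_unix\(su:auth\): authentication failure/ {
             u = $0; sub(/.* user=/, "", u); n[u]++
         }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# Failed sshd attempts counted per source address: the input for an AllowUsers
# restriction (4.2) or a firewall rule.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             s = $0; sub(/.* from /, "", s); sub(/ port .*/, "", s); n[s]++
         }
         END { for (s in n) print s, n[s] }' "$1" | sort
}

# Accounts whose failure count has reached the pam_tally deny= threshold.
# Arguments: file, threshold.
users_at_threshold() {
    failed_by_user "$1" | awk -v deny="$2" '$2 >= deny { print $1 }'
}

failed_by_user "$SECURE_SAMPLE"
failed_by_source "$SECURE_SAMPLE"
echo "would be locked with deny=6: $(users_at_threshold "$SECURE_SAMPLE" 6)"
```

On the sample, root has eight failures (seven over SSH from 10.138.1.5 and one local su by bob) and would already be locked under deny=6; admin, which does not exist, has two. Note that a lockout on root is itself a denial-of-service lever for anyone who can reach sshd, which is one more reason to combine 5.1 with PermitRootLogin no (4.3).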
5.2 Modify the TMOUT value to set the automatic logout time
Check method:
# cat /etc/profile to see whether TMOUT is set
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
Add
TMOUT=600
export TMOUT
so that an idle shell exits after 600 seconds without input. Add readonly TMOUT if users must not be able to unset it in their own session.
Risk: no visible risk
5.3 GRUB/LILO password
Check method:
# cat /etc/grub.conf | grep password to see whether GRUB has a password set
# cat /etc/lilo.conf | grep password to see whether LILO has a password set
Backup method:
# cp -p /etc/grub.conf /etc/grub.conf_bak
# cp -p /etc/lilo.conf /etc/lilo.conf_bak
Reinforcement method: set a password for GRUB or LILO. For GRUB, generate a hash with grub-md5-crypt and add a line password --md5 <hash> to grub.conf; for LILO add password=<password> together with restricted and run lilo to reinstall the boot loader. Without a password anyone at the console can edit the kernel line (appending single or init=/bin/sh) and obtain a root shell without authenticating.
Risk: /etc/grub.conf is usually a link to /boot/grub/grub.conf, so the backup must be made of the real file; lilo.conf must be made readable by root only (chmod 600) once it contains a password.
5.4 Restrict FTP logins
Check method:
# cat /etc/ftpusers to confirm which user names it contains; those users are not allowed to log on to the FTP service
Backup method:
# cp -p /etc/ftpusers /etc/ftpusers_bak
Reinforcement method:
# vi /etc/ftpusers and add lines, one user name per line; the listed users will be prevented from logging on to the FTP service. root and the system pseudo-accounts from section 1.1 should all be listed. (vsftpd keeps its own copy of this list under /etc/vsftpd/, which must be edited as well.)
Risk: no visible risk
5.5 Set the number of bash history commands retained
Check method:
# cat /etc/profile | grep HISTSIZE=
# cat /etc/profile | grep HISTFILESIZE= to view the number of history commands retained
Backup method:
# cp -p /etc/profile /etc/profile_bak
Reinforcement method:
# vi /etc/profile
Set HISTSIZE=5 and HISTFILESIZE=5 to keep only the 5 most recently executed commands.
Risk: a short history limits what an attacker who reads ~/.bash_history learns, but it also removes evidence an incident responder relies on. Where command auditing is required, keep a larger history, or use auditd or process accounting instead, since any user can clear their own history in any case.
VI. Audit strategies
6.1 Configure the system log policy configuration file
Check method:
# ps -ef | grep syslog to confirm that syslogd is running
# cat /etc/syslog.conf to view the syslogd configuration and confirm that the log files exist:
System log (default) /var/log/messages
Cron log (default) /var/log/cron
Security log (default) /var/log/secure
Backup method:
# cp -p /etc/syslog.conf /etc/syslog.conf_bak
Reinforcement method: confirm that authpriv.* is directed to /var/log/secure and that the log files are readable by root only (chmod 600). Forwarding a copy to a remote log host (for example *.info @loghost) preserves the records if the machine itself is compromised and its local logs are wiped.
6.2 Allocate reasonable storage space and retention time for audit data
Check method:
# cat /etc/logrotate.conf to view the system rotation configuration, checking for
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
Backup method:
# cp -p /etc/logrotate.conf /etc/logrotate.conf_bak
Reinforcement method:
# vi /etc/logrotate.d/syslog
Add
rotate 4 (the number of rotated log files kept is 4; when the 5th is generated, the oldest is deleted)
size 100k (size limit per log file)
The result should resemble the following:
/var/log/syslog/*_log {
    missingok
    notifempty
    size 100k          # log files are rotated when they grow bigger than 100k
    rotate 5           # keep 5 rotated files
    compress           # rotated log files are compressed
    sharedscripts
    postrotate
        /etc/init.d/syslog condrestart >/dev/null 2>&1 || true
    endscript
}
Size the retention to the investigation window required of the host: with size-based rotation a busy host can cycle through 5 files of 100k in hours, so where logs must be kept for months use a time-based policy (weekly with a larger rotate count) or a larger size limit, and keep the remote copy from 6.1 as the authoritative record.