Linux security reinforcement

Source: Internet
Author: User
Tags: account security, superuser, permission

1. Account Security

1.1 Lock unneeded accounts in the system

View the accounts:

    # cat /etc/passwd
    # cat /etc/shadow

Review the account and password files and confirm with the system administrator which accounts are unnecessary. Reserved system pseudo accounts such as bin, sys, adm, uucp, lp, nuucp, hpdb, www and daemon can have their login locked as needed.

Back up before modification:

    # cp -p /etc/passwd /etc/passwd_bak
    # cp -p /etc/shadow /etc/shadow_bak

Hardening method: lock an unnecessary account with

    # passwd -l <user name>

and unlock an account that has to be restored with

    # passwd -u <user name>

Risk: confirm with the administrator that this operation will not affect logins of the business system.

1.2 Set the system password policy

View the current password policy settings:

    # cat /etc/login.defs | grep PASS

Back up before modification:

    # cp -p /etc/login.defs /etc/login.defs_bak

Then edit the file with vi /etc/login.defs. Description of the parameters:

    PASS_MAX_DAYS 90   # maximum number of days a user's password may be used
    PASS_MIN_DAYS 0    # minimum number of days between password changes
    PASS_WARN_AGE 7    # number of days before expiry that the user is warned
    PASS_MIN_LEN 0     # minimum password length
    PASS_MAX_LEN       # maximum password length

1.3 Check for additional superuser accounts

View the password file:

    # cat /etc/passwd

Explanation of the fields:

    login_name: user name
    password:   encrypted user password
    user_ID:    user ID (1 ~ 6000); an ID of 0 grants superuser privileges, so check whether more than one account has ID 0
    Group_ID:   user group ID
    comment:    user's full name or other comments
    home_dir:   user home directory
    command:    command executed after the user logs on

Hardening method: the same as in 1.1 (lock the extra accounts with passwd -l).

1.4 Restrict which users may su to root

Modify the /etc/pam.d/su file. Back up first:

    # cp -p /etc/pam.d/su /etc/pam.d/su_bak

Add at the top of the file:

    auth required /lib/security/pam_wheel.so group=wheel   # only the wheel group can su

(The module name is missing in the source; pam_wheel.so is the PAM module that takes the group= option.) Add the test user to the wheel group:

    # usermod -G wheel test

Troubleshooting: when system verification fails, check the output in /var/log/messages or /var/log/secure to determine whether the user account is valid. If the root user cannot log on because of a PAM verification failure, the problem can only be fixed from single-user or rescue mode.

2. Minimize services

2.1 Stop or disable services unrelated to the hosted service

View the current init level:

    # who -r
    # runlevel

View the status of all services:

    # chkconfig --list

Set whether a service is started at a given init level:

    # chkconfig --level <level> <service name> on|off|reset

Note: chkconfig ships with Red Hat.

3. Data access control: modify the umask value

Change the default security attributes of newly created files. Back up first:

    # cp -p /etc/profile /etc/profile_bak

Then set the umask in /etc/profile:

    umask 027

The umask value sets the default permissions of newly created files and directories. Risk: the default permission of new files changes; if the server is a web application server, modify this option with caution.

4. Network access control: manage with SSH

4.1 Check whether the service is enabled:

    # ps -aef | grep sshd

Enable, disable and restart the service:

    # service sshd start
    # service sshd stop
    # service sshd restart

4.2 Set an access control policy that limits which IP addresses may manage the host

First back up the file:

    # cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak

Then add to the file:

    AllowUsers *@10.138.*.*   # only allow users from this network segment to access through ssh

Save the file and restart ssh.

4.3 Prevent the root user from logging in remotely with ssh

Modify /etc/ssh/sshd_config and set:

    PermitRootLogin no

Remember to back up the file before modifying it.

4.4 Restrict trusted hosts

Modify /etc/hosts.allow and add:

    sshd: <IP address>:allow   # allow a single IP address to log on to sshd
    sshd: 192.168.10.:allow    # allow the 192.168.10. network segment to log on

Modify /etc/hosts.deny and add:

    sshd: all:deny             # deny all other IP addresses

4.5 Prevent accidental reboots via Ctrl+Alt+Del

Modify /etc/init/control-alt-delete.conf and comment out the last line:

    #exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

5. Account settings for user identification

5.1 Lock the account after repeated logon failures, with a lock time

Modify /etc/pam.d/system-auth and add the following line:

    auth required pam_tally2.so onerr=fail deny=6 unlock_time=300   # lock for 300 seconds after six consecutive wrong passwords

The module name is missing in the source; on RHEL/CentOS 6 it is pam_tally2.so, whose counters are reset with pam_tally2 -u <user name> -r. The faillog command below resets the counters of the older pam_tally.so module. Unlock with:

    # faillog -u <user name> -r

Risk: the PAM package must support this. Check every modification of the PAM files carefully; if an error is made, nobody can log on. When system verification fails, check the output in /var/log/messages or /var/log/secure and determine from it whether the user account is valid.

5.2 Set the TMOUT value of the account for automatic logout

Modify /etc/profile and add the following line after "HISTFILESIZE=":

    TMOUT=600   # log out automatically after 600 seconds without activity

5.3 Set the number of history commands retained by Bash

Modify the value of HISTSIZE in /etc/profile to a value of your own choosing.

6. Audit policy

6.1 Configure the system log policy

Check whether syslog is started:

    # ps -aef | grep syslog

View the rsyslogd configuration and check whether the log files it writes to exist:

    # cat /etc/rsyslog.conf

6.2 Allocate reasonable storage space and retention time for audit data

View the log rotation configuration:

    # cat /etc/logrotate.conf

Attributes: with "rotate 4", four log files are kept; when the fifth is generated, the earliest is deleted. With "size 100k", each log is 100 k.
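As an added example for section 1 (not part of the original article), the script below audits copies of /etc/passwd and /etc/login.defs for the items the section describes: accounts other than root with UID 0, reserved pseudo accounts that still have a login shell, and the PASS_* values. The function names, the constructed sample files and the recommended values are assumptions made here; the file paths are parameters so the checks run offline. One caveat the section does not mention: on PAM-based systems passwd ignores the length keys in login.defs, and password length is enforced by the pam_cracklib or pam_pwquality line in /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added audit helper for section 1 (not from the original article).
# Each function takes a file path so it can be run against constructed copies;
# the defaults are the live system files.

# Section 1.3: list every account with UID 0 other than root.
extra_uid0_accounts() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file"
}

# Section 1.1: list reserved pseudo accounts that still have a real login shell.
# Accounts whose shell is nologin or false cannot log on even if not locked.
pseudo_accounts_with_shell() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '
        BEGIN { split("bin sys adm uucp lp nuucp hpdb www daemon", names, " ")
                for (i in names) reserved[names[i]] = 1 }
        ($1 in reserved) && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$passwd_file"
}

# Section 1.2: print the effective value of one key in login.defs;
# prints nothing when the key is absent or commented out.
login_defs_value() {
    key="$1"; defs_file="${2:-/etc/login.defs}"
    awk -v k="$key" '$1 == k { print $2; exit }' "$defs_file"
}

# Compare the values the article recommends against a login.defs file.
# Returns 0 when all match, otherwise prints each mismatch and returns 1.
check_password_policy() {
    defs_file="${1:-/etc/login.defs}"
    rc=0
    for pair in PASS_MAX_DAYS=90 PASS_MIN_DAYS=0 PASS_WARN_AGE=7; do
        key=${pair%=*}; want=${pair#*=}
        have=$(login_defs_value "$key" "$defs_file")
        if [ "$have" != "$want" ]; then
            echo "$key is '${have:-unset}', expected $want"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample input; these are not real system files ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/bash
toor:x:0:0:constructed second UID-0 account:/root:/bin/bash
test:x:500:500::/home/test:/bin/bash
EOF
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# PASS_MAX_DAYS 90   (commented out, so not in effect)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF

echo "extra UID 0 accounts:";        extra_uid0_accounts "$SAMPLE_DIR/passwd"
echo "pseudo accounts with a shell:"; pseudo_accounts_with_shell "$SAMPLE_DIR/passwd"
check_password_policy "$SAMPLE_DIR/login.defs" || echo "password policy needs hardening"
```

Against the constructed files the script reports toor as a second superuser and adm as a pseudo account that can still log on, and flags PASS_MAX_DAYS because the active line sets 99999 while the recommended 90 is only in a comment.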
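As an added example for sections 4.2, 4.3 and 4.5 (not part of the original article), the functions below verify the SSH and Ctrl+Alt+Del settings on copies of the configuration files. They rely on a detail worth knowing when checking sshd_config: sshd takes the first occurrence of a directive and ignores later duplicates, so a hardened "PermitRootLogin no" appended at the end of a file that already contains "PermitRootLogin yes" has no effect. The function names and the constructed sample files are assumptions made here.

```shell
#!/bin/sh
# Added verification helper for section 4 (not from the original article).
# File paths are parameters so the checks run against constructed copies.

# Print the effective value of a sshd_config directive. Keywords are
# case-insensitive and sshd keeps the first occurrence, so the first
# non-comment match wins here as well.
sshd_directive() {
    name="$1"; config="${2:-/etc/ssh/sshd_config}"
    awk -v want="$(echo "$name" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == want { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$config"
}

# Sections 4.2 and 4.3: return 0 when root login is disabled and access is
# limited with AllowUsers; otherwise print what is missing and return 1.
check_sshd_hardening() {
    config="${1:-/etc/ssh/sshd_config}"
    rc=0
    if [ "$(sshd_directive PermitRootLogin "$config" | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "PermitRootLogin is not 'no' (sshd permits root login by default)"
        rc=1
    fi
    if [ -z "$(sshd_directive AllowUsers "$config")" ]; then
        echo "no AllowUsers line: every account with a shell may try ssh"
        rc=1
    fi
    return $rc
}

# Section 4.5: return 0 when the upstart job no longer runs shutdown.
check_ctrl_alt_del_disabled() {
    job="${1:-/etc/init/control-alt-delete.conf}"
    [ -r "$job" ] || { echo "cannot read $job"; return 1; }
    ! grep -q '^[[:space:]]*exec[[:space:]][[:space:]]*/sbin/shutdown' "$job"
}

# --- constructed sample input; these are not real configuration files ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed hardened sample
Port 22
PermitRootLogin no
# the duplicate below is ignored by sshd because the first occurrence wins
PermitRootLogin yes
AllowUsers *@10.138.*.*
EOF
cat > "$SAMPLE_DIR/sshd_config_default" <<'EOF'
# constructed sample with the defaults of section 4.3 still in place
Port 22
PermitRootLogin yes
EOF
cat > "$SAMPLE_DIR/cad_default.conf" <<'EOF'
start on control-alt-delete
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
EOF
cat > "$SAMPLE_DIR/cad_hardened.conf" <<'EOF'
start on control-alt-delete
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
EOF

for f in sshd_config sshd_config_default; do
    echo "== $f"
    check_sshd_hardening "$SAMPLE_DIR/$f" && echo "ssh settings match section 4"
done
check_ctrl_alt_del_disabled "$SAMPLE_DIR/cad_default.conf" || echo "Ctrl+Alt+Del still reboots"
```

Run against the live files, `check_sshd_hardening` with no argument reads /etc/ssh/sshd_config, which usually requires root; the same first-occurrence rule applies to `sshd -T`, which prints the effective configuration and is the authoritative check on a real host.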
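As an added example for sections 6.1 and 6.2 (not part of the original article), the functions below do the two checks the section asks for by hand: they list the files an rsyslog rules file writes to and report which of them are missing on disk, and they read the "rotate" and "size" settings from logrotate.conf to estimate the space one log and its rotated copies can occupy. The function names, the constructed sample files and the size estimate are assumptions made here; the estimate only understands the "k" suffix the article uses.

```shell
#!/bin/sh
# Added audit helper for section 6 (not from the original article).
# File paths are parameters so the functions run against constructed copies.

# Section 6.1: print each file destination of an rsyslog rules file.
# Rule lines look like "selector  /path" or "selector  -/path" (a leading
# '-' means buffered writes). "$..." directives such as $IncludeConfig are
# skipped even though their argument is also a path.
rsyslog_log_files() {
    conf="${1:-/etc/rsyslog.conf}"
    awk '/^[[:space:]]*(#|\$)/ { next }
         NF >= 2 && $2 ~ /^-?\// { sub(/^-/, "", $2); print $2 }' "$conf"
}

# Print the destinations that do not exist on disk (nothing when all exist).
missing_log_files() {
    conf="${1:-/etc/rsyslog.conf}"
    rsyslog_log_files "$conf" | while read -r f; do
        [ -e "$f" ] || echo "$f"
    done
}

# Section 6.2: print the value of a top-level logrotate directive.
logrotate_value() {
    key="$1"; conf="${2:-/etc/logrotate.conf}"
    awk -v k="$key" '!/^[[:space:]]*#/ && $1 == k { print $2; exit }' "$conf"
}

# Upper bound, in KiB, of one log plus its rotated copies: "rotate N" keeps N
# old files next to the current one, each at most "size Xk" large.
logrotate_max_kib() {
    conf="${1:-/etc/logrotate.conf}"
    n=$(logrotate_value rotate "$conf")
    size=$(logrotate_value size "$conf")
    kib=${size%[kK]}
    echo $(( (n + 1) * kib ))
}

# --- constructed sample input; these are not real configuration files ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/log"
: > "$SAMPLE_DIR/log/messages"
: > "$SAMPLE_DIR/log/secure"
cat > "$SAMPLE_DIR/rsyslog.conf" <<EOF
# constructed rsyslog rules; maillog is deliberately absent on disk
\$ModLoad imuxsock
\$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none   $SAMPLE_DIR/log/messages
authpriv.*                                 $SAMPLE_DIR/log/secure
mail.*                                     -$SAMPLE_DIR/log/maillog
*.emerg                                    *
EOF
cat > "$SAMPLE_DIR/logrotate.conf" <<'EOF'
# constructed sample with the values of section 6.2
weekly
rotate 4
size 100k
create
EOF

echo "log files rsyslog writes to:"; rsyslog_log_files "$SAMPLE_DIR/rsyslog.conf"
echo "missing on disk:";             missing_log_files "$SAMPLE_DIR/rsyslog.conf"
echo "max KiB per log:";             logrotate_max_kib "$SAMPLE_DIR/logrotate.conf"
```

With the sample files the script lists three destinations, reports maillog as missing, and computes 500 KiB for "rotate 4" with "size 100k": the current file plus four kept copies of up to 100 k each.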
