Linux Security Settings

Source: Internet
Author: User
Article Title: Linux system security settings. Originally published on the Linux channel of IT Lab China, which covers desktop applications, Linux system management, kernel research, embedded systems, and open source.

1. Disable the Ctrl+Alt+Delete restart key combination

Edit /etc/inittab and comment out the following line, then run "init q" (or "telinit q") so that init re-reads the file:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

(On a systemd host there is no /etc/inittab; the equivalent there is "systemctl mask ctrl-alt-del.target".)

2. Do not allow direct root logins over ssh

Edit the /etc/ssh/sshd_config file.

Find the line "#PermitRootLogin yes", remove the leading "#" and change "yes" to "no", then restart or reload sshd so the change takes effect. Note that sshd applies the first value it sees for a keyword, so the new "PermitRootLogin no" must not be preceded by another uncommented PermitRootLogin line; "sshd -T" (run as root) prints the values actually in effect.

There are many other security settings for ssh logins. For more information about ssh security configuration, see my SSH service introduction.
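Because sshd keeps the first value it finds for a keyword, a "PermitRootLogin no" appended below an older uncommented "PermitRootLogin yes" changes nothing, and the only authoritative check on a live host is "sshd -T | grep -i permitrootlogin". The shell functions below are an added example, not part of the original article or of OpenSSH: they reproduce that first-match rule over an sshd_config (without following Include) and run it against a constructed, deliberately mis-ordered config. The function names and the sample config are my own.

```shell
#!/bin/sh
# Added example (not from the article): report the value sshd will actually use
# for a keyword. Rules modelled: comments and blank lines are skipped, keywords
# are case-insensitive, the FIRST occurrence wins, and everything after the
# first "Match" line is conditional and ignored for the global value.
# Limitations: "Include" is not followed and the "Keyword=value" spelling is not
# parsed; "sshd -T" on the host itself is the authoritative answer.

# usage: sshd_effective_option <keyword> [sshd_config]   (reads stdin if no file)
sshd_effective_option() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                       # comment line
        NF == 0          { next }                       # blank line
        tolower($1) == "match" { in_match = 1 }         # start of a conditional block
        in_match         { next }                       # Match blocks run to end of file
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' ${2:+"$2"}
}

# usage: root_login_disabled <sshd_config>
# Succeeds only when PermitRootLogin is effectively "no". An unset keyword falls
# back to the compiled-in default ("prohibit-password" since OpenSSH 7.0, "yes"
# before that), which still lets root in, so "unset" counts as not disabled.
root_login_disabled() {
    [ "$(sshd_effective_option PermitRootLogin "$1")" = no ]
}

# usage: demo_misordered_config
# Writes a constructed sshd_config in which an admin appended "PermitRootLogin no"
# below an older "PermitRootLogin yes", and prints the value sshd would use.
demo_misordered_config() {
    local f
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin yes
# appended later in the belief that it overrides the line above:
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
    sshd_effective_option PermitRootLogin "$f"   # prints: yes
    rm -f "$f"
}
```

To check a real host, call root_login_disabled /etc/ssh/sshd_config and compare with the output of "sshd -T"; if the two disagree, an Include'd file or a "Keyword=value" line is involved and the sshd -T output is the one to trust.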

3. Restrict who may use su

Edit the /etc/pam.d/su file and add:

auth required /lib/security/$ISA/pam_wheel.so use_uid

(On many Linux distributions the path to pam_wheel.so is omitted, because PAM looks in its own module directory. To save space the path is omitted below as well, but giving the absolute path is not wrong!)

Run the following to add user1 to the wheel group:

# gpasswd -a user1 wheel

After this, only members of the wheel group can use su to become root; anyone else is refused.

auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid

With the trust option, as in this line, members of the wheel group do not need to enter a password when running su. That is convenient, but dangerous: a compromised wheel account then yields root without any further password. Use it with caution!

Note: pam_wheel is a module written for su that prevents anyone outside a designated group from using su. The group defaults to wheel, falling back to GID 0 if no wheel group exists. The option group=group_name names a different group; the option deny inverts the test, so that members of the group are the ones forbidden to use su; root_only applies the check only when the target account is root. use_uid makes the module identify the caller by the real UID of the su process rather than by the user name PAM was handed, so a user who has already su'd to another account cannot borrow that account's group membership. The /etc/pam.d/su file shipped with most distributions carries commented-out examples of these lines.

4. Restrict which users may log in over ssh

Edit the /etc/pam.d/sshd file and add the following line (/etc/ssh_users is the user list file):

auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail

Create /etc/ssh_users with the permitted user names, one per line, for example:

echo user1 > /etc/ssh_users

Only users listed in /etc/ssh_users can then log on to the host over ssh. (sshd must be running with "UsePAM yes" for this to apply; sshd's own AllowUsers keyword in sshd_config achieves the same restriction without PAM.)

Note:

The item option selects what kind of entry the file holds: user, group, tty, shell, ruser, or rhost. Usually user or group is used; the other four are rarely needed, and readers who are interested can test them themselves.

The sense option says whether an entry in the file grants access (allow) or refuses it (deny).

The file option gives the path of the list file.

onerr=fail makes the module return failure whenever it runs into an error of its own, for example when the list file is missing or unreadable (onerr=succeed would silently let everyone through instead). pam_listfile also treats a list file that is world-writable or not owned by root as an error, so keep the file root-owned with mode 0644. Note that the value a module returns is not by itself the decision to block or allow the login: that also depends on the control flag in the second field. In this example the flag is required, so a failure from pam_listfile denies the login outright.

This module is commonly used for ssh, rlogin, ftp and similar authentication:

ssh: add the line directly to /etc/pam.d/sshd.

rlogin: /etc/pam.d/rlogin, /etc/pam.d/remote and /etc/pam.d/login. Pay attention to the ordering described below when configuring rlogin! (The three files are Red Hat's official answer; my tests show that the login file does not need to be modified.)
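Two things about the pam_listfile line above bite in practice: with sense=allow and onerr=fail, a list file that is missing, unreadable, world-writable or not owned by root makes the module fail for every user, which on a required line locks everybody out of ssh; and the module compares whole lines, so comments, blank lines and trailing spaces never match anyone. The shell functions below are an added example, not part of the original article or of Linux-PAM: they check a list file for both problems before it is put into service. The function names are my own, and the passwd content and list used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an /etc/ssh_users-style
# list before relying on it with "pam_listfile.so ... sense=allow onerr=fail".

# usage: check_list_perms <listfile>
# pam_listfile refuses a list that is world-writable or not owned by root, and
# with onerr=fail that refusal (like a missing file) denies EVERY login.
check_list_perms() {
    local list=$1 ls_out owner
    [ -r "$list" ] || { echo "$list: missing or unreadable: onerr=fail denies everyone" >&2; return 1; }
    ls_out=$(ls -ld "$list")
    case $ls_out in
        ????????w*) echo "$list: world-writable, pam_listfile will refuse it" >&2; return 1 ;;
    esac
    owner=$(printf '%s\n' "$ls_out" | awk '{ print $3 }')
    [ "$owner" = root ] || { echo "$list: owned by $owner, not root, pam_listfile will refuse it" >&2; return 1; }
}

# usage: check_list_users <listfile> [passwd-file]   (passwd-file defaults to /etc/passwd)
# Every line must be exactly one existing login name: the module compares whole
# lines, so a comment, a blank line or a trailing space matches nobody.
check_list_users() {
    local list=$1 passwd=${2:-/etc/passwd} rc=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '')            echo "$list: blank line, matches nobody" >&2; rc=1 ;;
            *[[:space:]]*) echo "$list: '$line' contains whitespace and will never match" >&2; rc=1 ;;
            *) awk -F: -v u="$line" '$1 == u { found = 1 } END { exit !found }' "$passwd" \
                   || { echo "$list: '$line' is not a user in $passwd" >&2; rc=1; } ;;
        esac
    done < "$list"
    return $rc
}

# usage: demo_user_list   -> exit status of check_list_users on a constructed list
# The constructed passwd file has root and user1; the constructed list names
# user1 (exists), user2 (does not) and "root " with a trailing space.
demo_user_list() {
    local dir rc
    dir=$(mktemp -d) || return 2
    printf 'root:x:0:0:root:/root:/bin/sh\nuser1:x:1000:1000::/home/user1:/bin/sh\n' > "$dir/passwd"
    printf 'user1\nuser2\nroot \n' > "$dir/ssh_users"
    if check_list_users "$dir/ssh_users" "$dir/passwd"; then rc=0; else rc=$?; fi
    rm -rf "$dir"
    return $rc
}
```

Run check_list_perms /etc/ssh_users and check_list_users /etc/ssh_users as root before reloading sshd; a non-zero status from either means the pam_listfile line will not do what you expect.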

Two PAM examples have been shown above. The following describes the control flag in the second field of a PAM configuration line:

sufficient: if this module grants access, the remaining modules in the stack are skipped and success is returned to the service (unless an earlier required module has already failed).

requisite: if this module denies access, failure is returned to the service immediately and the remaining modules in the stack are skipped.

required: this module must grant access for the whole authentication to succeed; if it fails, the remaining modules still run, but the final result is failure.

optional: the result of this module is used only if no other module in the stack has produced a definite result.

The first two keywords are easy to understand: they allow or deny access outright and end the authentication process immediately. The last two say whether a module is essential. If the modules executed so far have neither allowed nor denied access outright, success is decided by the combined results of all the required modules: authentication succeeds if at least one of them allowed access and none denied it. If no required module reached a clear decision, the result of the optional module is used.

For example, the first few lines of /etc/pam.d/rlogin might be:

auth required pam_nologin.so

auth required pam_securetty.so

auth required pam_env.so

auth required pam_listfile.so item=user sense=allow file=/etc/rlogin_users onerr=fail

auth sufficient pam_rhosts_auth.so

Or

auth required pam_nologin.so

auth required pam_securetty.so

auth required pam_env.so

auth sufficient pam_rhosts_auth.so

auth required pam_listfile.so item=user sense=allow file=/etc/rlogin_users onerr=fail

These two orderings behave very differently. With the second, if the server's /etc/hosts.equiv file lists the client host name, the last line cannot keep any user on that client out: every user on the client is let in, whether or not they appear in /etc/rlogin_users, because the sufficient line before it says "as long as the remote host is in the trusted host list, skip the rest of the authentication and allow the user directly". In the first ordering the pam_listfile line is required and runs first, so a user who is not in the list is refused even though pam_rhosts_auth would have succeeded.
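The rules in the previous paragraphs are easiest to see by running them. The shell function below is an added example, not part of the original article or of Linux-PAM: it models how the four simple control flags combine the results of an auth stack (a required or requisite failure makes the overall impression negative, a sufficient success returns early only while the impression is not negative, a required or optional success only counts while nothing has been decided), and then replays the two rlogin orderings above for a user who is not in /etc/rlogin_users while the client host is in /etc/hosts.equiv. The module results fed in are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): a model of how Linux-PAM combines the
# results of an auth stack. Each argument is "control:result", where control is
# required|requisite|sufficient|optional and result is ok|fail (what that module
# itself returned). Prints "success" or "fail" and exits 0/1 accordingly.
# This models the documented behaviour of the four simple keywords only; the
# [value=action] syntax is not covered.
pam_stack_eval() {
    local impression=undef entry control result
    for entry in "$@"; do
        control=${entry%%:*}
        result=${entry#*:}
        case "$control:$result" in
            required:fail)
                impression=negative ;;            # remembered; later modules still run
            requisite:fail)
                impression=negative; break ;;     # stop at once
            sufficient:ok)
                if [ "$impression" != negative ]; then
                    echo success; return 0        # short-circuit: the rest of the stack is skipped
                fi ;;                             # ignored after a required failure
            sufficient:fail|optional:fail)
                ;;                                # a failure here never counts against the user
            required:ok|requisite:ok|optional:ok)
                [ "$impression" = undef ] && impression=positive ;;
            *)
                echo "bad entry: $entry" >&2; return 2 ;;
        esac
    done
    if [ "$impression" = positive ]; then echo success; return 0; fi
    echo fail; return 1                           # nothing decided also fails
}

# The two /etc/pam.d/rlogin orderings from the article, replayed for a remote
# user who is NOT in /etc/rlogin_users while the client host IS in
# /etc/hosts.equiv. Constructed scenario: nologin, securetty and env succeed,
# pam_listfile fails (user not listed), pam_rhosts_auth succeeds (host trusted).
rlogin_listfile_before_rhosts() {
    pam_stack_eval required:ok required:ok required:ok required:fail sufficient:ok   # fail
}
rlogin_rhosts_before_listfile() {
    pam_stack_eval required:ok required:ok required:ok sufficient:ok required:fail   # success
}
```

The same function shows the caveat on sufficient: pam_stack_eval required:fail sufficient:ok prints fail, because a sufficient success does not rescue a stack in which a required module has already refused.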

5. Login terminal settings

The /etc/securetty file lists the tty devices on which root is allowed to log in; it is read by the login program (on PAM systems through the pam_securetty module).

The format is one allowed device name per line. To forbid root on a terminal, edit /etc/securetty and comment out its line, for example:

#tty1

Root can then no longer log in on the tty1 terminal.


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
