1. Change the default SSH port and stop the root user from logging in remotely
[root@<host> ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@<host> ~]# vim /etc/ssh/sshd_config
Port 10022              # 22 is the default SSH port; move it
PermitRootLogin no      # every attacker knows the root account exists; disable its login
[root@<host> ~]# /etc/init.d/sshd reload    # reload the configuration
[root@<host> ~]# netstat -lnt               # check which ports are listening
[root@<host> ~]# lsof -i tcp:10022
Or make the same changes directly with the following commands:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i "s/#Port 22/Port 10022/" /etc/ssh/sshd_config
Note: this is done to protect the root account against brute-force attempts. Port 22 is the default SSH port; we recommend using a different one.
/etc/init.d/sshd reload
service sshd restart && history -c    # restart the sshd service
Demonstrate:
# ssh root@<server IP> -p 10022
The server now rejects the root login.
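Step 1 only works if sshd actually reads the edited values, and sshd takes the first uncommented occurrence of a keyword, so a hardened line appended after an active default, or a sed whose pattern matched nothing, silently changes nothing. The audit below is an added example, not code from the original post; it reads a config the way sshd does, the sample files are constructed, and Match blocks are assumed absent.

```shell
#!/bin/sh
# Added example (not code from the original post): audit an sshd_config for
# the two step-1 settings. sshd honours the FIRST uncommented occurrence of a
# keyword, so a hardened line appended after an active default, or a sed whose
# pattern matched nothing, leaves the server unchanged. This reads the file the
# way sshd does instead of trusting that the edit took effect (no Match blocks).

# Print the effective value of KEYWORD in FILE (keywords are case-insensitive)
# or DEFAULT when no uncommented line sets it.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank and comment lines
        tolower($1) == key { print $2; exit }    # first match wins, as in sshd
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# Audit step 1. Defaults assumed are those of the OpenSSH on CentOS 6
# (Port 22, PermitRootLogin yes). Prints one line per finding; returns 0 only
# when the port is non-default and remote root login is disabled.
audit_sshd() {  # usage: audit_sshd FILE
    port=$(sshd_value "$1" Port 22)
    root=$(sshd_value "$1" PermitRootLogin yes)
    rc=0
    [ "$port" != "22" ] || { echo "FAIL: Port is still 22"; rc=1; }
    [ "$root" = "no" ]  || { echo "FAIL: PermitRootLogin=$root (want no)"; rc=1; }
    [ "$rc" -ne 0 ]     || echo "OK: Port=$port PermitRootLogin=$root"
    return "$rc"
}

# Constructed sample files (not real server configs) in a scratch directory.
TMP=${TMPDIR:-/tmp}/sshd_audit_$$; mkdir -p "$TMP"
# 1) untouched stock file: everything commented out, so defaults apply.
printf '#Port 22\n#PermitRootLogin yes\n' > "$TMP/stock"
# 2) hardened lines appended AFTER active defaults: sshd keeps the first ones.
printf 'Port 22\nPermitRootLogin yes\n# appended later\nPort 10022\nPermitRootLogin no\n' \
    > "$TMP/appended"
# 3) correctly edited file.
printf 'Port 10022\nPermitRootLogin no\n' > "$TMP/hardened"

for f in stock appended hardened; do
    echo "== $f"; audit_sshd "$TMP/$f" || true
done
```

On a live host, point audit_sshd at /etc/ssh/sshd_config after the edit and before the reload; only the "hardened" shape above passes.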
2. Add an ordinary user and manage privileges with sudo
[root@<host> ~]# useradd cljj
[root@<host> ~]# echo "123456" | passwd --stdin cljj && history -c    # clear the history so this command is not recorded
[root@<host> ~]# visudo
Under the line root ALL=(ALL) ALL add the following line:
cljj ALL=(ALL) ALL
Demonstrate:
[cljj@<host> home]$ sudo cat -n /etc/issue
[sudo] password for cljj:    # enter the current user's password to temporarily obtain root rights
cljj is not in the sudoers file.  This incident will be reported.
[cljj@<host> home]$ sudo cat -n /etc/issue
[sudo] password for cljj:
     1  CentOS release 6.8 (Final)
     2  Kernel \r on an \m
     3
Note: this limits the permissions each user can use, preventing the system configuration files from being tampered with and the system from being brought down.
3. When an ordinary user enters the wrong password three times, lock that user for 10 minutes; lock the root user for 20 minutes
Edit /etc/pam.d/sshd (SSH logins) and /etc/pam.d/login (terminal logins):
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
# append the following line at the end of the file:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
Make sure the line actually runs: a requisite module earlier in the auth stack that fails ends the stack before pam_tally2 is reached.
Explanation of each parameter:
even_deny_root: apply the limit to the root user as well;
deny: the maximum number of consecutive failed logins for ordinary users and root before the account is locked;
unlock_time: how long an ordinary user stays locked, in seconds;
root_unlock_time: how long the root user stays locked, in seconds.
View login failures:
To view a user's failed login count:
pam_tally2 --user <user>
For example, to view the failed login count for the cljj user:
pam_tally2 --user cljj
Reset a user's failed login count:
pam_tally2 --user <user> --reset
For example, to reset the cljj user's failed login count:
pam_tally2 --user cljj --reset
Note: this approach also protects user accounts against brute-force attacks.
4. Lock critical system files
[root@<host> ~]# chattr +i /etc/passwd
[root@<host> ~]# chattr +i /etc/inittab
[root@<host> ~]# chattr +i /etc/group
[root@<host> ~]# chattr +i /etc/shadow
[root@<host> ~]# chattr +i /etc/gshadow
After using chattr, rename the chattr binary itself for extra security:
[root@<host> ~]# /bin/mv /usr/bin/chattr /usr/bin/<any name>
Note: restricting changes to the files that hold user accounts and passwords also prevents malicious tampering.
5. Set a 600-second idle logout and HISTSIZE=10000
cp /etc/profile /etc/profile.bak
echo "export TMOUT=600" >> /etc/profile                          # log out idle sessions after 10 minutes
echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/profile   # record the time of each command in the history
echo "export HISTFILESIZE=10000" >> /etc/profile
echo "export HISTSIZE=10000" >> /etc/profile
source /etc/profile
Note: the command history is an effective record of user behaviour: it makes problems easy to trace and shows when a user did what.
This article is from the "Ljohn" blog; please keep this source when reposting: http://ljohn.blog.51cto.com/11932290/1907249
Linux system Security Hardening