Linux system security and optimization configuration

1. OpenSSH security configuration

This section covers SSH-related security settings in /etc/ssh/sshd_config.

1.1. Prohibit root login

Do not let the root user log in over SSH. Log in as a normal user and then switch to root with su (restricting who may run su is covered in 5.4):

PermitRootLogin no

1.2. Limit authentication retries

Disconnect the socket once a client has failed authentication more than three times. The effect against brute forcing is not dramatic, but it helps a little:

MaxAuthTries 3

1.3. Disable public-key (certificate) login

Disabling key login is very secure. The risk it removes: someone can install a public key in a user's ~/.ssh/authorized_keys without your knowledge and from then on access the system at any time, and any user with write permission to that file can plant one easily. To forbid key-based login entirely:

PubkeyAuthentication no
AuthorizedKeysFile /dev/null

1.4. Use keys instead of passwords

Is this contradictory with 1.3? It is the opposite choice: here only key files may be used to log in, and password login is switched off:

PasswordAuthentication no

A key is much safer than a password. The one thing to watch is the key file being copied, so add a passphrase to the key. Keep in mind that the passphrase only protects a copied key while the passphrase itself is unknown; whoever knows it can strip it from the file (for example with openssl or ssh-keygen -p), so guard the passphrase as you would the key. I have not tried SSH certificates, but they work almost the same way.

1.5. Graphical clients that remember passwords

When you log in with XShell, Xftp, WinSCP, SecureCRT, SecureFX and similar clients, the software offers to remember the password so that you do not have to type it the next time you log in.
This is indeed convenient, but think about how dangerous it becomes once that computer is lost or someone else gets access to it. I used to carry my laptop to work every day with XShell installed and all my passwords stored in it, and that made me realise how bad losing the machine would be. You cannot forbid every SSH client from remembering passwords, and you cannot control what other people do, but there is a server-side fix. With challenge-response (keyboard-interactive) authentication the client has to prompt for the password on every login, and a stored password is no longer used:

ChallengeResponseAuthentication yes

Check the behaviour with the clients you actually use, since some of them can also auto-fill keyboard-interactive prompts.

1.6. Disable GSSAPI

GSSAPIAuthentication no
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials yes
# GSSAPIStrictAcceptorCheck yes
# GSSAPIKeyExchange no

1.7. Disable SSH port forwarding

Do not let users tunnel ports through SSH (for example to bypass a firewall):

AllowTcpForwarding no

1.8. IP address restriction

Allow access to this machine only from 192.168.2.1 and 192.168.2.2 through TCP wrappers:

# vim /etc/hosts.allow
sshd: 192.168.2.1, 192.168.2.2

and deny everyone else:

# vim /etc/hosts.deny
sshd: ALL

This is a whitelist policy; a blacklist policy (listing only the addresses to block in hosts.deny) also works. Note that hosts.allow and hosts.deny only take effect if sshd was built with libwrap support, which was removed upstream in OpenSSH 6.7; on newer builds use the firewall (section 3) or Match Address blocks in sshd_config instead.

2. Shell security

2.1. History file: recording administrator operations

~/.bash_history records the commands the system administrator ran. Add a timestamp to each entry so the record is usable. In the bash startup files:

HISTSIZE=1000
HISTFILESIZE=2000
HISTTIMEFORMAT="%Y-%m-%d-%H:%M:%S "
export HISTTIMEFORMAT

Check the effect:

$ history | head
    1  2012-02-27-09:10:45 do-release-upgrade
    2  2012-02-27-09:10:45 vim /etc/network/interfaces
    3  2012-02-27-09:10:45 vi /etc/network/interfaces
    4  2012-02-27-09:10:45 ping www.163.com

Entries recorded before HISTTIMEFORMAT was set all show the same time, as above; only new commands get a real timestamp. Remember that a user can edit or delete their own history file, so this is a convenience record, not a tamper-proof audit trail.

2.2. sudo security

/etc/sudoers (edit it with visudo, which checks the syntax before saving):

Cmnd_Alias WEBMASTER = /srv/nginx/sbin/nginx, /srv/php/sbin/php-fpm, !/srv/mysql/bin/*
www localhost = NETWORKING, SERVICES, DELEGATING, PROCESSES, WEBMASTER

Cmnd_Alias DATABASE = /usr/bin/mysqldump, /srv/mysql/bin/mysql, /u01/oracle/10.x.x/bin/sqlplus
mysql localhost = NETWORKING, SERVICES, DELEGATING, PROCESSES, WEBMASTER, DATABASE

NETWORKING, SERVICES, DELEGATING and PROCESSES are the command aliases shipped commented out in the default sudoers file; they must be defined (uncommented) or visudo rejects the file. Do not rely on the "!" exclusion as a security boundary: sudoers(5) itself warns that a user who may run other commands can usually copy or rename a binary to get around an excluded path.

Log in as the www user and test. If there are no errors, edit the SSH configuration and disable root login:

# vim /etc/ssh/sshd_config
PermitRootLogin no

Then, from the www account, confirm that nginx and php-fpm can be started through sudo.

2.3. Temporary file security

Temporary directories should not allow execution. In /etc/fstab:

/dev/sda3  /tmp  ext4  nosuid,noexec,nodev,rw  0 0

Point /var/tmp at /tmp, and mount /dev/shm the same way:

none  /dev/shm  tmpfs  defaults,nosuid,noexec,rw  0 0

Some package installers run scripts from /tmp and fail under noexec, so test package updates after making this change.

2.4. Execute permission on binaries

Take the database as an example. From the security point of view, restrict the client binaries to the DBA account:

# chown mysql:mysql /usr/bin/mysql*
# chmod 700 /usr/bin/mysql*

The mysql user is reserved for the DBA; other users can no longer run mysql, mysqldump and the other client commands.

3. iptables firewall

3.1. Default policy

By default the INPUT, FORWARD and OUTPUT chains all ACCEPT:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

From the security point of view, setting all three to DROP is the most secure, but it can cause a lot of unexpected trouble:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

The compromise, which is also the scheme most hardware firewall vendors use, is to deny all inbound traffic by default and allow all outbound traffic, so that you only need to maintain the INPUT rules:

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

If you configure this over SSH, add the rules that allow your own session (and the loopback interface) before changing the INPUT policy, or you will lock yourself out.

3.2. Prevent the server being used as a stepping stone

Block outbound connections to ports such as 22 so that compromised machines cannot be used to hop to one another:

# iptables -A OUTPUT -p tcp -m multiport --dports 22,873 -j REJECT
# /etc/init.d/iptables save
# iptables -L -n

The web server is then unable to act as a stepping stone: users on it cannot use ssh (or rsync on 873) to reach other machines.

4. Linux system resource limits

4.1. /etc/security/limits.conf

Writing

* soft nofile 65535
* hard nofile 65535

into limits.conf, as many how-tos do, is lazy and can cause many problems.
If your server is attacked, such generous limits let the offending processes consume resources until the system stops responding; you may not even get keyboard input. You have to reboot, only to find that the machine runs for a few minutes and becomes unresponsive again. Set the limits per account instead:

nobody soft nofile 4096
nobody hard nofile 8192

Why the nobody user? After root starts the web server, the server creates its worker processes as nobody; the socket connections are actually handled by nobody, and root is only the daemon's parent process. Likewise for the database:

mysql soft nofile 2048
mysql hard nofile 2048

nofile is the number of open files, which is closely tied to sockets: in Linux every device is treated as a file (a device node), so a mouse, keyboard, camera or hard disk is opened as a file, and every network connection counts as one too. The default of 1024 is therefore far from enough for a busy daemon.

4.2. Do not record file access times

For some files there is no need to record the access time. In an environment with highly concurrent, IO-intensive operations, the noatime and nodiratime options remove that unnecessary IO. Edit /etc/fstab and add them:

/dev/sdb1  /www  ext4  noatime,nodiratime  0 0

(noatime already implies nodiratime, and modern kernels default to relatime, which updates atime only when it is older than mtime or ctime; noatime still removes the remaining writes.)

5. PAM authentication hardening

Configuration files:

# ls /etc/pam.d/
chfn  chsh  config-util  crond  fingerprint-auth  fingerprint-auth-ac  login  newrole  other  passwd  password-auth  password-auth-ac  remote  run_init  runuser  runuser-l  smartcard-auth  smartcard-auth-ac  smtp  smtp.postfix  ssh-keycat  sshd  su-l  sudo  sudo-i  system-auth  system-auth-ac

Authentication modules:

# ls /lib64/security/

5.1. pam_tally2.so

This module locks an account after three wrong logins and automatically unlocks it five minutes later; while the lock is in force, even the correct password is rejected. Add the following line at the top of /etc/pam.d/sshd:

auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

View the failure counters:

# pam_tally2
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
neo                 8    07/12/13 15:45:36  192.168.6.2

Reset a user's counter:

# pam_tally2 -r -u root
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
# pam_tally2 -r -u neo
Login           Failures Latest failure     From
neo                 8    07/12/13 15:45:36  192.168.6.2

The counters are stored in /var/log/tallylog; note that it is a binary file.

Example 1. /etc/pam.d/sshd with pam_tally2.so

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

The configuration above does not lock the root account. To restrict root as well:

auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

All times are in seconds, so root_unlock_time=1800 locks root for 30 minutes. Anyone on the network can trigger that lock with three bad passwords, which is itself a denial-of-service lever against root; combine it with PermitRootLogin no from 1.1.

5.2. pam_listfile.so

Add the following line to /etc/pam.d/sshd. The whitelist method is used here; a blacklist also works:

auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

Add the users allowed to log in to /etc/ssh/whitelist; every other user can no longer log in to your system over ssh:

# cat /etc/ssh/whitelist
neo
www

The list file must be owned by root and must not be world-writable, otherwise pam_listfile treats it as an error (and with onerr=fail denies everyone).

Example 2. /etc/pam.d/sshd with pam_listfile.so

# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

sense=allow is the whitelist method, sense=deny the blacklist method:

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail

For details see the manual:

$ man pam_listfile

5.3. pam_access.so

Edit /etc/pam.d/sshd and add:

account required pam_access.so

Save the file and restart sshd. Then edit /etc/security/access.conf (the command below overwrites the file, including its comment header; append with >> or edit in place if you want to keep it):

# cat > /etc/security/access.conf <<EOF
-:root:ALL EXCEPT 192.168.6.1
EOF

Now root can log in only from 192.168.6.1. To allow several addresses:

-:root:ALL EXCEPT 192.168.6.1 192.168.6.2

Test from an allowed and from a disallowed address to confirm that it takes effect.

5.4. pam_wheel.so

Restrict normal users from escalating to root with su: only members of the wheel group may switch to root. Edit /etc/pam.d/su and uncomment the line:

auth required pam_wheel.so use_uid

Add the user to the wheel group:

# usermod -G wheel www
# id www
uid=501(www) gid=501(www) groups=501(www),10(wheel)

(usermod -G replaces the user's supplementary groups; use usermod -aG wheel www to append wheel to the groups the user already has.)

When a user who is not in the wheel group runs su, the system reports an incorrect password:

$ su - root
Password:
su: incorrect password
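A baseline check for the settings recommended above, as an added example that is not part of the original article. It reads an sshd_config the way sshd does (the first occurrence of a keyword wins and anything after a Match line is conditional, so a stray PermitRootLogin yes near the top silently beats a PermitRootLogin no appended at the bottom), checks the /tmp and /dev/shm mount options from 2.3, and checks that the pam_tally2 or pam_listfile line really sits above the include in /etc/pam.d/sshd as 5.1 and 5.2 require. The sample files are constructed inline, all paths are assumptions, and the defaults assumed for absent keywords are stated in the comments.

```shell
#!/bin/sh
# Added example, not from the original article: audit the settings the
# article recommends. Sample config files are constructed below; every
# path and default value is an assumption noted where it is used.

# sshd_get FILE KEYWORD: print the effective global value of KEYWORD.
# sshd applies the FIRST occurrence of a keyword, and everything after the
# first "Match" line is conditional, so a leftover "PermitRootLogin yes"
# near the top silently overrides a "PermitRootLogin no" appended later.
sshd_get() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, ""); sub(/#.*/, "") }   # strip indent and comments
        NF == 0 { next }
        tolower($1) == "match" { exit }          # conditional block: stop
        { split($0, kv, /[ \t=]+/)               # "Key val" or "Key=val"
          if (tolower(kv[1]) == want) { print kv[2]; exit } }
    ' "$1"
}

# sshd_check FILE KEYWORD WANT DEFAULT: 0 if the effective value (or DEFAULT
# when the keyword is absent) equals WANT; otherwise report on stderr, return 1.
sshd_check() {
    got=$(sshd_get "$1" "$2"); got=${got:-$4}
    [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" = "$3" ] && return 0
    printf 'FINDING: %-23s is %s, want %s\n' "$2" "$got" "$3" >&2
    return 1
}

# audit_sshd FILE: checks for sections 1.1-1.7; prints the number of findings.
# Defaults are upstream OpenSSH's, except PermitRootLogin, which differs by
# version and distro and is assumed "yes" so that a missing line is reported.
audit_sshd() {
    bad=0
    sshd_check "$1" PermitRootLogin        no  yes || bad=$((bad + 1))
    sshd_check "$1" MaxAuthTries           3   6   || bad=$((bad + 1))
    sshd_check "$1" PasswordAuthentication no  yes || bad=$((bad + 1))
    sshd_check "$1" PubkeyAuthentication   yes yes || bad=$((bad + 1))
    sshd_check "$1" GSSAPIAuthentication   no  no  || bad=$((bad + 1))
    sshd_check "$1" AllowTcpForwarding     no  yes || bad=$((bad + 1))
    echo "$bad"
}

# fstab_has_opts FILE MOUNTPOINT OPT...: 0 if MOUNTPOINT carries every OPT (2.3).
fstab_has_opts() {
    opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1"); shift 2
    [ -n "$opts" ] || return 1
    for o in "$@"; do
        case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
    done
}

# pam_auth_before_include FILE MODULE: 0 if an "auth" line naming MODULE
# precedes "auth include ..." (5.1/5.2 say "at the top": a sufficient module
# inside the included stack ends the chain on success, so a counter placed
# below it is never reset by a good login).
pam_auth_before_include() {
    awk -v mod="$2" '
        $1 != "auth" { next }
        index($0, mod) { found = 1; exit }
        $2 == "include" { exit }
        END { exit !found }' "$1"
}

# write_samples DIR: constructed sample files for the demonstration.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample: the first PermitRootLogin wins, the last one is ignored
PermitRootLogin yes
MaxAuthTries 3
PasswordAuthentication no
GSSAPIAuthentication yes
PermitRootLogin no
Match User backup
    AllowTcpForwarding no
EOF
    cat > "$1/fstab" <<'EOF'
/dev/sda3  /tmp      ext4   nosuid,noexec,nodev,rw  0 0
none       /dev/shm  tmpfs  defaults,nosuid,rw      0 0
EOF
    cat > "$1/pam_sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
echo "sshd_config findings: $(audit_sshd "$SAMPLE_DIR/sshd_config")"
fstab_has_opts "$SAMPLE_DIR/fstab" /dev/shm nosuid noexec || echo "FINDING: /dev/shm lacks nosuid,noexec"
pam_auth_before_include "$SAMPLE_DIR/pam_sshd" pam_tally2.so || echo "FINDING: pam_tally2.so sits below the include line"
```

On the sample files this reports three sshd findings (the early PermitRootLogin yes, GSSAPIAuthentication yes, and AllowTcpForwarding, which is only set inside a Match block and therefore still defaults to yes globally), the missing noexec on /dev/shm, and the misplaced pam_tally2 line. To run it against a real host, point the functions at /etc/ssh/sshd_config, /etc/fstab and /etc/pam.d/sshd, and cross-check the sshd results with sshd -T, which prints the effective configuration after sshd has parsed it.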
This article is an English version of an article originally published in Chinese on aliyun.com.