Linux system security Standard specification

Source: Internet
Author: User
Tags: md5, file permissions, strong password

First, make sure that all the software on the Linux system you are using is updated to the latest version.

The non-compliance findings commonly raised against Linux hosts are roughly the following: user login controls, OpenSSL, CA certificates, GRUB password protection, SMB passwords that never expire, files with no owning user or group, files with 777 permissions, software versions that lag far behind current releases, TCP timestamps, databases open to any host, ICMP redirects, IP forwarding, the default umask value, and weak disk partition mount options.

1. Root login at the local terminal

sed -i '/^tty[0-9]$/d' /etc/securetty
sed -i '/^vc\/[0-9]$/d' /etc/securetty

2. Root login over SSH

sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin without-password/PermitRootLogin no/' /etc/ssh/sshd_config
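The following shell snippet is an added example, not part of the original article, showing what the two edits above actually leave behind and how to confirm the result. It works on constructed copies of /etc/securetty and sshd_config rather than the real files, and the helper names and sample contents are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Operates on constructed
# copies so it can run on any machine without changing its configuration.

# sshd honours the FIRST uncommented occurrence of a keyword (keywords are
# case-insensitive). Prints the value sshd would use globally, or "unset".
effective_permit_root_login() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                       # comments and blank lines
    tolower($1) == "match" { exit }                     # later lines are conditional
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# Counts the tty/vc entries still present in a securetty-style file.
remaining_console_ttys() {
  grep -cE '^(tty|vc/)' "$1" || true
}

# --- constructed sshd_config: an explicit "yes" sits above the line the sed rewrote
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
# constructed sample, not a real host's file
PermitRootLogin yes
PermitRootLogin no
EOF

# --- constructed securetty with the tty1..tty11 / vc/1..vc/11 layout of older RHEL
SECURETTY_SAMPLE=$(mktemp)
{
  echo console
  i=1
  while [ "$i" -le 11 ]; do echo "tty$i"; echo "vc/$i"; i=$((i + 1)); done
} > "$SECURETTY_SAMPLE"

# the two commands from the article, applied to the copy
sed -i '/^tty[0-9]$/d' "$SECURETTY_SAMPLE"
sed -i '/^vc\/[0-9]$/d' "$SECURETTY_SAMPLE"

echo "effective PermitRootLogin: $(effective_permit_root_login "$SSHD_SAMPLE")"      # yes
echo "console ttys left in securetty: $(remaining_console_ttys "$SECURETTY_SAMPLE")"  # 4
```

Two caveats fall out of the run: the sed pattern only rewrites a commented `#PermitRootLogin yes`, so an existing uncommented `PermitRootLogin yes` earlier in the file still wins, and `^tty[0-9]$` removes only tty0 to tty9, leaving tty10 and tty11 in place. On a live host, `sshd -T | grep -i permitrootlogin` prints the value sshd really computes, and sshd must be reloaded after the edit.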

3. ICMP redirects

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

4. Database open to any host

Use iptables to restrict which hosts can reach the database port, and allow only trusted hosts. When creating database accounts, set the user's host to a specific host rather than using % to match all hosts.
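As an added example that is not part of the original article, this shell function audits a list of database accounts for wildcard hosts. The input format it assumes is one "user&lt;TAB&gt;host" line per account, which is what `mysql -N -e 'SELECT user, host FROM mysql.user'` prints (-N drops the column header); the account list below is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: find database accounts whose
# host part uses the "%" wildcard. Input: one "user<TAB>host" line per account.

wildcard_db_accounts() {
  # $1: account list file; prints user@host for every host containing "%",
  # exit status 1 when at least one was found
  awk -F'\t' '
    index($2, "%") { print $1 "@" $2; n++ }
    END { exit n > 0 }
  ' "$1"
}

# constructed sample account list
DB_ACCOUNTS_SAMPLE=$(mktemp)
printf 'root\tlocalhost\napp\t10.0.0.5\nreport\t%%\nbackup\t192.168.%%\n' > "$DB_ACCOUNTS_SAMPLE"

if wildcard_db_accounts "$DB_ACCOUNTS_SAMPLE"; then
  echo "no wildcard hosts"
else
  echo "the accounts above accept connections from any matching host; restrict them"
fi
```

A partial wildcard such as `192.168.%` is reported as well, because it still admits a whole address range. On the network side, the article's iptables advice amounts to allowing the database port only from the trusted host and dropping everything else, for example `iptables -A INPUT -p tcp --dport 3306 -s 10.0.0.5 -j ACCEPT` followed by `iptables -A INPUT -p tcp --dport 3306 -j DROP` (3306 is MySQL's default port; adjust for your database).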

5. Certificates and protocols used by SSL/TLS

Use a certificate with a key of at least 2048 bits, and do not use a wildcard (generic domain name) certificate.

The subject's common name (CN) field in the certificate should be fixed to reflect the name of the entity presenting the certificate (e.g. the hostname). This is done by generating a new certificate, usually signed by a certification authority (CA) trusted by both the client and the server.

Configure the server to require clients to use TLS version 1.2 with ciphers capable of authenticated encryption with associated data (AEAD).

There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3 and TLS 1.0). The only fully safe configuration is to use authenticated encryption with associated data (AEAD), e.g. AES-GCM or AES-CCM in TLS 1.2.

Send the X-Frame-Options HTTP response header; this instructs the browser to refuse framing where it is not allowed.

Configure the server to disable support for the 3DES cipher suites.
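The following shell functions are an added example, not code from the original article, implementing two of the checks above as text processing so they run without a live server: a cipher-list check for AEAD-only suites with no 3DES, and a key-size, CN and wildcard check on the text form of a certificate. The cipher-list format assumed is the OpenSSL colon-separated list used by nginx `ssl_ciphers` and Apache `SSLCipherSuite`; the certificate text is a constructed excerpt in the layout of `openssl x509 -noout -text`.

```shell
#!/bin/sh
# Added example, not from the original article: TLS requirement checks on text.

# 1. Cipher list: explicit suite names only (keyword groups such as HIGH or
#    !aNULL are not expanded here). Prints every suite that is not AEAD
#    (GCM, CCM or CHACHA20-POLY1305); 3DES suites such as DES-CBC3-SHA and all
#    CBC suites fall out of this filter.
non_aead_ciphers() {
  printf '%s\n' "$1" | tr ':' '\n' | grep -Ev 'GCM|CCM|CHACHA20' || true
}

cipher_list_ok() {
  [ -z "$(non_aead_ciphers "$1")" ]
}

# 2. Certificate text: $1 is a file holding "openssl x509 -noout -text" output.
key_bits_from_x509_text() {
  # matches both "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)"
  sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' "$1" | head -n 1
}

subject_cn_from_x509_text() {
  # first "Subject:" line only; CN may be written "CN=x" or "CN = x"
  sed -n '/^ *Subject:/{ s|.*CN *= *\([^,/]*\).*|\1|p; q; }' "$1"
}

cn_is_wildcard() {
  # a CN beginning with "*." is a wildcard (generic domain name) certificate
  case "$1" in \*.*) return 0 ;; *) return 1 ;; esac
}

# constructed inputs
GOOD_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305'
LEGACY_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DES-CBC3-SHA'

X509_SAMPLE=$(mktemp)
cat > "$X509_SAMPLE" <<'EOF'
Certificate:
    Data:
        Subject: C=XX, O=Example Org, CN=db01.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
EOF

echo "non-AEAD suites in legacy list:"; non_aead_ciphers "$LEGACY_CIPHERS"
echo "key bits: $(key_bits_from_x509_text "$X509_SAMPLE")"        # 2048
echo "subject CN: $(subject_cn_from_x509_text "$X509_SAMPLE")"    # db01.example.test
```

To check what a live server negotiates, `openssl s_client -connect host:443 -tls1_2` shows the protocol and cipher it agrees on, and the X-Frame-Options requirement can be checked on a captured response with `grep -i '^X-Frame-Options:'`.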




6. TCP timestamp responses

net.ipv4.tcp_timestamps = 0

7. IP source routing

The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Disable IP source routing

For Linux systems, ensure the following sysctl value is set:

net.ipv4.conf.all.accept_source_route = 0

It is also advised that packet forwarding be disabled, unless there is a legitimate reason not to, by setting the following sysctl values:

net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0

More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_guide/sect-security_guide-server_security-disable-source-routing.html

8. Set the GRUB password

Enable GRUB password

Configuration remediation steps

Set a password in the GRUB configuration file. This is often located in one of several locations, but can really be anywhere:

/etc/grub.conf
/boot/grub/grub.conf
/boot/grub/grub.cfg
/boot/grub/menu.lst

For all files mentioned above, ensure a password is set or that the file does not exist.

To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:

password <password>

To set an encrypted password, run grub-md5-crypt and use its output when adding the following line before the first uncommented line:

password --md5 <encryptedpassword>

For either approach, choose an appropriately strong password.
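As an added example (not from the original article), the shell functions below walk the candidate file list above and report any existing file without a password directive. They run on temporary copies, the hash values are obvious placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit GRUB config files for a
# password directive. Uses temporary copies, never the real /boot files.

grub_password_set() {
  # $1: config file. Recognises the legacy GRUB forms "password <plain>" and
  # "password --md5 <hash>" and the GRUB 2 form "password_pbkdf2 <user> <hash>".
  grep -Eq '^[[:space:]]*(password([[:space:]]+--md5)?[[:space:]]+[^[:space:]]+|password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.)' "$1"
}

grub_audit() {
  # $@: candidate paths (the list from the article). A path that does not
  # exist is fine; an existing file without a password is reported.
  rc=0
  for f in "$@"; do
    [ -e "$f" ] || continue
    grub_password_set "$f" || { echo "no GRUB password in $f"; rc=1; }
  done
  return $rc
}

# constructed legacy grub.conf with a placeholder md5 hash
GRUB_LEGACY_SAMPLE=$(mktemp)
cat > "$GRUB_LEGACY_SAMPLE" <<'EOF'
default=0
timeout=5
password --md5 $1$PLACEHOLDER$notarealhashvalue
title Linux
EOF

# constructed GRUB 2 grub.cfg with no password at all
GRUB2_SAMPLE=$(mktemp)
cat > "$GRUB2_SAMPLE" <<'EOF'
set timeout=5
menuentry 'Linux' {
        linux /vmlinuz root=/dev/sda1
}
EOF

if grub_audit "$GRUB_LEGACY_SAMPLE" "$GRUB2_SAMPLE" /nonexistent/menu.lst; then
  echo "all existing GRUB configs are password protected"
fi
```

On GRUB 2 systems /boot/grub/grub.cfg (or /boot/grub2/grub.cfg) is generated by grub-mkconfig, so a line added directly to it is lost at the next regeneration: put `set superusers="root"` and a `password_pbkdf2 root <hash>` line, with the hash from `grub-mkpasswd-pbkdf2`, into /etc/grub.d/40_custom and regenerate the configuration. The check above recognises that form as well.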

9. Mount disk partitions with the nodev option

Partition mounting weakness

Configuration remediation steps

The specific procedure for modifying partition mount options varies from system to system. Consult your operating system's manual or the mount man page.

The following issues were discovered:
/boot partition does not have the 'nodev' option set.
/data partition does not have the 'nodev' option set.
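The shell function below is an added example, not part of the original article: it lists the fstab entries that mount without nodev, which is how the two findings above would be located in the first place. The fstab it reads is constructed, with placeholder UUIDs.

```shell
#!/bin/sh
# Added example, not from the original article: report fstab mounts lacking "nodev".

fstab_missing_nodev() {
  # $1: fstab-style file. "/" and /dev are skipped because device nodes live
  # there; swap and kernel pseudo-filesystems carry no device nodes of interest.
  # Prints one mount point per line, exit status 1 when any were found.
  awk '
    /^[[:space:]]*(#|$)/ { next }
    $2 == "/" || $2 == "/dev" { next }
    $3 == "swap" || $3 == "proc" || $3 == "sysfs" || $3 == "devpts" { next }
    {
      n = split($4, opt, ",")
      has = 0
      for (i = 1; i <= n; i++) if (opt[i] == "nodev") has = 1
      if (!has) { print $2; missing++ }
    }
    END { exit missing > 0 }
  ' "$1"
}

# constructed sample fstab (UUIDs are placeholders)
FSTAB_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
# constructed sample fstab
UUID=PLACEHOLDER-ROOT  /         ext4   defaults              1 1
UUID=PLACEHOLDER-BOOT  /boot     ext4   defaults              1 2
UUID=PLACEHOLDER-DATA  /data     ext4   defaults,nodev,nosuid 1 2
UUID=PLACEHOLDER-HOME  /home     ext4   nodev,noexec          1 2
UUID=PLACEHOLDER-SWAP  swap      swap   defaults              0 0
tmpfs                  /dev/shm  tmpfs  defaults              0 0
EOF

if fstab_missing_nodev "$FSTAB_SAMPLE"; then
  echo "every candidate partition has nodev"
else
  echo "the mount points above need nodev added in the fourth fstab column"
fi
```

After editing fstab, `mount -o remount,nodev /boot` applies the option without a reboot, and `findmnt -n -o OPTIONS /boot` shows the options of the live mount, which is what an auditor should compare rather than the file alone.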


10. General optimization of kernel parameters

net.core.rmem_default = 2569600
net.core.rmem_max = 2569600
net.core.wmem_default = 2569600
net.core.wmem_max = 2569600
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_keepalive_time = 600
kernel.sem = 500 64000 200 256
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_forward = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
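The sysctl settings in sections 3, 6, 7 and 10 all end up in sysctl.conf-style files, so one audit serves them all. The following shell function is an added example, not from the original article: it compares a configuration file against a required-values file in the same "key = value" format, applying sysctl's own rule that a later assignment overrides an earlier one, and it also flags keys written in the wrong case, since sysctl keys are case-sensitive paths under /proc/sys. Both files below are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: audit a sysctl.conf-style file.

sysctl_audit() {
  # $1: required values, $2: configuration to check ("key = value" lines in both).
  # Prints one line per problem; exit status 1 when there is any.
  awk '
    /^[[:space:]]*([#;]|$)/ { next }                  # comments and blank lines
    {
      line = $0
      sub(/[[:space:]]*[#;].*$/, "", line)           # strip trailing comment
      n = index(line, "=")
      if (n == 0) next
      key = substr(line, 1, n - 1); val = substr(line, n + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (NR == FNR) want[key] = val                  # first file: requirements
      else have[key] = val                            # later lines override earlier ones
    }
    END {
      bad = 0
      for (k in want) {
        if (!(k in have) || have[k] != want[k]) {
          printf "%s: expected %s, found %s\n", k, want[k], (k in have) ? have[k] : "(unset)"
          bad++
        }
      }
      for (k in have) {                               # case-sensitive /proc/sys paths
        lk = tolower(k)
        if (!(k in want) && (lk in want) && lk != k) {
          printf "%s: wrong case, the kernel knows only %s\n", k, lk
          bad++
        }
      }
      exit bad > 0
    }
  ' "$1" "$2"
}

# constructed requirements (a subset of the values listed in this article)
SYSCTL_REQUIRED=$(mktemp)
cat > "$SYSCTL_REQUIRED" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
kernel.sem = 500 64000 200 256
EOF

# constructed sysctl.conf with two typical mistakes
SYSCTL_SAMPLE=$(mktemp)
cat > "$SYSCTL_SAMPLE" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 0                 ; the later line wins
Net.ipv4.conf.all.accept_redirects = 0  # capital N: the kernel rejects this key
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
kernel.sem = 500 64000 200 256
EOF

if sysctl_audit "$SYSCTL_REQUIRED" "$SYSCTL_SAMPLE"; then
  echo "configuration file matches the requirements"
fi
```

Real hosts also read /etc/sysctl.d/*.conf and /usr/lib/sysctl.d, so `sysctl --system` is what applies the full set, and `sysctl -n net.ipv4.ip_forward` shows the value the kernel is actually using, which is the value an audit should compare in the end.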


iptables anti-attack rules

-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT                        # limit 5 new connections per second
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT              # anti port scan
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT                    # prevent flood attacks
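The rules above accept a limited number of packets; packets beyond the limit are only dropped if a later rule or the chain policy drops them, otherwise the limit has no effect. The shell function below is an added example, not from the original article: it reads an iptables-save style dump (constructed here, in the expanded form iptables-save writes) and reports every "-m limit ... -j ACCEPT" rule with no later DROP or REJECT for the same match.

```shell
#!/bin/sh
# Added example, not from the original article: find rate-limit ACCEPT rules
# that are not backed by a later DROP/REJECT for the same match.

unbacked_limit_rules() {
  # $1: iptables-save style dump; prints the unbacked rules, exit status 1 if any
  awk '
    /^-A / && / -m limit / && / -j ACCEPT/ {
      key = $0; sub(/ -m limit .*/, "", key)          # "-A CHAIN <match part>"
      n++; rule[n] = $0; key_of[n] = key; line_of[n] = NR
      next
    }
    /^-A / && / -j (DROP|REJECT)/ {
      key = $0; sub(/ -j (DROP|REJECT).*/, "", key)
      drop_line[key] = NR                             # last DROP/REJECT for this match
    }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        if (!(key_of[i] in drop_line) || drop_line[key_of[i]] < line_of[i]) {
          print rule[i]; bad++
        }
      }
      exit bad > 0
    }
  ' "$1"
}

# constructed iptables-save output: the SYN limit is backed by a DROP, the
# ICMP limit is not (and the FORWARD policy is ACCEPT, so it limits nothing)
RULES_SAMPLE=$(mktemp)
cat > "$RULES_SAMPLE" <<'EOF'
# constructed iptables-save output
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
COMMIT
EOF

if unbacked_limit_rules "$RULES_SAMPLE"; then
  echo "every rate limit is backed by a drop rule"
else
  echo "the rule(s) above limit nothing: add a matching -j DROP after each"
fi
```

On a live host, `iptables-save` produces the dump this function expects; the match text must be identical between the ACCEPT and the DROP rule, which is the case when both are written with the same -p, module and flag arguments.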

