Six tricks to easily harden your CentOS system

Source: Internet
Author: User
Tags: ftp, login, account security, superuser, permission

Redhat is currently the most widely deployed Linux in enterprises, which also makes it the one attackers target most. How do we harden such a server? The items below cover accounts, services, file permissions, network access, authentication and auditing on a CentOS/RHEL host. Each one lists how to check the current state, how to back up the affected file, how to apply the change, and what could break.

I. Account security

1.1 Lock unnecessary accounts
Check: run # cat /etc/passwd and # cat /etc/shadow to review the account and password files, and confirm with the system administrator which accounts are not needed. Reserved system pseudo-accounts such as bin, sys, adm, uucp, lp, nuucp, hpdb, www and daemon can have their logins locked as required.
Backup: # cp -p /etc/passwd /etc/passwd_bak and # cp -p /etc/shadow /etc/shadow_bak
Hardening: lock unneeded accounts with passwd -l <username>; passwd -u <username> unlocks an account that has to be restored. (Figure 1)
Note that passwd -l only prefixes the password hash with "!", which blocks password authentication but not an SSH public-key login. For an account that must never log in, also give it a non-login shell such as /sbin/nologin.
Risk: confirm with the administrator that locking the account does not break a business application that logs in as it.

1.2 Set the system password policy
Check: # cat /etc/login.defs | grep PASS
Backup: # cp -p /etc/login.defs /etc/login.defs_bak
Hardening: # vi /etc/login.defs and set
PASS_MAX_DAYS 90   # maximum number of days a password may be used
PASS_MIN_DAYS 0    # minimum number of days between password changes
PASS_WARN_AGE 7    # days of warning before a password expires
PASS_MIN_LEN 9     # minimum password length
(Figure 2)
Risk: no visible risk. These values only apply to accounts created after the change; existing accounts keep their old aging values until they are updated with chage. On a PAM-based system PASS_MIN_LEN is not enforced by login.defs at all; length and complexity come from the pam_cracklib (or pam_pwquality) line in /etc/pam.d/system-auth.

1.3 Check for additional superuser accounts
Check: # cat /etc/passwd. Each line has the form login_name:password:user_ID:group_ID:comment:home_dir:command, where login_name is the user name, password is the (shadowed) password field, user_ID is the numeric UID, group_ID is the primary group ID, comment is the full name or other notes, home_dir is the home directory and command is the program (normally a shell) run at login. Any account whose UID is 0 has superuser privileges, so check whether more than one account has a 0 in the third field.
Backup: # cp -p /etc/passwd /etc/passwd_bak
Hardening: lock unnecessary superuser accounts with passwd -l <username>.
Use passwd -u <username> to unlock a superuser account that has to be restored.
Risk: confirm with the administrator what each additional superuser account is for.

1.4 Restrict which users can su to root
Check: # cat /etc/pam.d/su and look for a line such as auth required /lib/security/pam_wheel.so
Backup: # cp -p /etc/pam.d/su /etc/pam.d/su_bak
Hardening: # vi /etc/pam.d/su and add near the top: auth required /lib/security/pam_wheel.so group=wheel so that only members of the wheel group can su to root. Add the users who need it with usermod -a -G wheel test (the original usermod -G 10 test only works where wheel has GID 10, and without -a it replaces all of the user's other supplementary groups). On 64-bit systems the module lives under /lib64/security; writing just pam_wheel.so lets PAM find it in either place. (Figure 3)
Risk: requires PAM. Check every edit to a PAM file carefully: one mistake can make it impossible to log in. Confirm with the administrator which users need su. If authentication fails after the change, look at /var/log/messages or /var/log/secure to see whether the account was rejected and why.
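The three manual reviews above (unlocked reserved accounts in 1.1, extra UID 0 accounts in 1.3, and the empty-password check in 1.5 below) can be done in one pass. The script below is an added example and is not part of the original article; the list of reserved account names is an assumption taken from the text, and the passwd/shadow files it reads are constructed samples so it runs without root. Point it at /etc/passwd and /etc/shadow (as root) for a real audit.

```shell
#!/bin/sh
# Added example, not from the original article. Audits passwd/shadow copies for:
#   - accounts other than root with UID 0
#   - accounts whose shadow password field is empty
#   - reserved pseudo-accounts that can still log in
# Usage: audit_accounts /etc/passwd /etc/shadow   (reading shadow needs root)

# Reserved pseudo-accounts named in the article (assumed list, adjust as needed).
RESERVED_ACCOUNTS="bin sys adm uucp lp nuucp hpdb www daemon"

# Every account with UID 0 except root itself.
find_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with an empty password field. Note "==": with a single "=" awk
# assigns instead of comparing and prints every account.
find_empty_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Reserved accounts that are not locked ("!" or "*" prefix on the hash) or
# still have a login shell. passwd -l only adds "!", so an account with an
# SSH key would still get in; the shell is checked as well.
find_unlocked_reserved() {
    passwd_file=$1
    shadow_file=$2
    for user in $RESERVED_ACCOUNTS; do
        pwhash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
        [ -n "$pwhash$shell" ] || continue      # account not present on this host
        case "$pwhash" in
            '!'*|'*'*) locked=1 ;;
            *) locked=0 ;;
        esac
        case "$shell" in
            */nologin|*/false) nologin=1 ;;
            *) nologin=0 ;;
        esac
        if [ "$locked" -eq 0 ] || [ "$nologin" -eq 0 ]; then
            echo "$user (hash=${pwhash:-<none>} shell=${shell:-<none>})"
        fi
    done
}

audit_accounts() {
    echo "== extra UID 0 accounts =="
    find_uid0 "$1"
    echo "== empty password accounts =="
    find_empty_password "$2"
    echo "== reserved accounts still able to log in =="
    find_unlocked_reserved "$1" "$2"
}

# Constructed sample files so the script runs offline. "toor" is an extra
# UID 0 account, "appuser" has no password, "adm" is unlocked with a shell.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
appuser:x:500:500:app:/home/appuser:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$abc:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
adm:$6$saltsalt$def:15000:0:99999:7:::
lp:!!:15000:0:99999:7:::
toor:$6$saltsalt$ghi:15000:0:99999:7:::
appuser::15000:0:99999:7:::
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

Run against the sample it reports toor, appuser and adm; on a real host, hand the three lists to the administrator before locking anything, since each hit is a candidate for the risk notes above, not an automatic lock.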
If root itself can no longer log in because of a PAM failure, single-user or rescue mode is the only way back in.

1.5 Check for accounts with an empty password
Check: # awk -F: '($2 == "") {print $1}' /etc/shadow (note the double "=="; a single "=" is an assignment in awk and would print every account)
Backup: # cp -p /etc/shadow /etc/shadow_bak
Hardening: lock each empty-password account or set a password on it. (Figure 4)
Risk: check whether the empty-password account is used by an application and whether setting a password will stop that application from connecting.

II. Minimising services

2.1 Stop or disable services unrelated to the server's role
Check: # who -r or # runlevel shows the current init level; # chkconfig --list shows the on/off state of every service at each level.
Backup: record the service names and their current states.
Hardening: # chkconfig --level <levels> <service> on|off|reset sets whether a service starts at the given init levels (for example levels 2345). (Figure 5)
Risk: some applications depend on specific services; confirm with the administrator before disabling anything.

III. Data access control

3.1 Set a sensible default file permission
Check: # cat /etc/profile and look at the umask value.
Backup: # cp -p /etc/profile /etc/profile_bak
Hardening: # vi /etc/profile and set umask 027 (umask is a command, not a variable, so there is no "=" and no spaces around one).
Risk: this changes the default permissions of newly created files. On a web server, where files often have to be readable by the web server's own user, apply it with care.

IV. Network access control

4.1 Use SSH for management
Check: # ps -ef | grep sshd to see whether the service is running.
Backup: none needed.
Hardening: start the ssh service with # service sshd start
Risk: changes the administrators' working habits (telnet or rsh users must switch to SSH clients).

4.2 Restrict the addresses that may manage the host
Check: # cat /etc/ssh/sshd_config and look for AllowUsers lines.
Backup: # cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Hardening: # vi /etc/ssh/sshd_config and add AllowUsers *@10.138.*.* which allows any user to log in over ssh only from the 10.138.0.0/16 block; save and restart the service with # service sshd restart. AllowUsers is an allow-list: once it is present, any user@host combination that does not match is refused, so keep the session you edited from open until a second login has succeeded.
Risk: confirm with the administrator which address ranges management traffic comes from.

4.3 Prevent root from logging in remotely
Check: # cat /etc/ssh/sshd_config and check that PermitRootLogin is set to no.
Backup: # cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Hardening: # vi /etc/ssh/sshd_config, set PermitRootLogin no, save and restart with # service sshd restart. sshd uses the first value it finds for each keyword, so change the existing PermitRootLogin line rather than appending a second one at the end of the file. (Figure 6)
Risk: root can no longer log in remotely; administrators log in with an ordinary account and then su.

4.4 Limit trusted hosts
Check: # cat /etc/hosts.equiv and # cat $HOME/.rhosts to see which hosts are trusted by the r-commands (rsh, rlogin, rcp).
Backup: # cp -p /etc/hosts.equiv /etc/hosts.equiv_bak and # cp -p $HOME/.rhosts $HOME/.rhosts_bak
Hardening: # vi /etc/hosts.equiv and # vi $HOME/.rhosts and delete the hosts that are not needed.
Risk: in a multi-host mutual-backup setup the trusted addresses of the peer hosts must be kept.

4.5 Suppress banner information
Check: # cat /etc/ssh/sshd_config and look for a Banner line (it should be absent or set to none); # cat /etc/motd, whose contents are shown to every user after login.
Backup: # cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak and # cp -p /etc/motd /etc/motd_bak
Hardening: # vi /etc/ssh/sshd_config and set Banner none; # vi /etc/motd and remove anything that reveals the OS version or the server's role. Neither setting hides the SSH version string, which is exchanged in the protocol handshake regardless. If your organisation requires a legal-notice banner, keep one that contains no system details.
Risk: no visible risk.

4.6 Prevent an accidental Ctrl+Alt+Del reboot
Check: # cat /etc/inittab | grep ctrlaltdel and see whether the line is commented out.
Backup: # cp -p /etc/inittab /etc/inittab_bak
Hardening: # vi /etc/inittab and put a "#" at the start of the line: # ca::ctrlaltdel:/sbin/shutdown -t3 -r now (Figure 7). On CentOS 6 the same setting lives in /etc/init/control-alt-delete.conf, and on CentOS 7 it is disabled with systemctl mask ctrl-alt-del.target.
Risk: no visible risk.
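Step 2.1 asks you to read chkconfig --list by eye. The script below is an added example, not part of the original article: it parses that output and prints the services that start at the multi-user runlevels (3 and 5) but are not on an approved list, including xinetd sub-services such as telnet. The approved list is an assumption for a plain SSH-managed web host, and the chkconfig output it reads is a constructed sample; on a real host pipe the live output in with chkconfig --list | unapproved_services.

```shell
#!/bin/sh
# Added example, not from the original article. Lists services enabled at
# runlevel 3 or 5 that are not on the approved list below.
# Usage: chkconfig --list | unapproved_services

# Assumed approved list for a plain SSH-managed web host; adjust per role.
APPROVED_SERVICES="sshd syslog crond network httpd iptables"

# Read chkconfig --list output on stdin and print unapproved enabled services.
# Regular lines look like "cups  0:off 1:off 2:on 3:on 4:on 5:on 6:off";
# xinetd sub-services look like "telnet:  on".
unapproved_services() {
    awk -v approved=" $APPROVED_SERVICES " '
        NF == 2 && $1 ~ /:$/ {
            name = substr($1, 1, length($1) - 1)       # strip trailing ":"
            if ($2 == "on" && index(approved, " " name " ") == 0) print name
            next
        }
        NF < 7 { next }                                # header lines, blank lines
        {
            name = $1; enabled = 0
            for (i = 2; i <= NF; i++) {
                split($i, lv, ":")                     # lv[1]=level, lv[2]=on/off
                if ((lv[1] == "3" || lv[1] == "5") && lv[2] == "on") enabled = 1
            }
            if (enabled && index(approved, " " name " ") == 0) print name
        }'
}

# Dry run: print the commands that would disable each unapproved service.
# Review the list, then run the commands as root.
disable_commands() {
    unapproved_services | while read -r svc; do
        echo "chkconfig --level 2345 $svc off; service $svc stop"
    done
}

# Constructed sample of chkconfig --list output.
SAMPLE_CHKCONFIG='sshd        0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups        0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd       0:off 1:off 2:off 3:on  4:off 5:on  6:off
bluetooth   0:off 1:off 2:off 3:on  4:off 5:on  6:off
postfix     0:off 1:off 2:on  3:off 4:off 5:off 6:off
xinetd based services:
        telnet:    on
        rsync:     off'

printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands
```

On the sample this reports cups, bluetooth and telnet; postfix is only enabled at level 2 and is ignored, which is the usual reason a service "is not running but chkconfig says on".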
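Steps 4.2, 4.3 and 4.5 all edit sshd_config, and the trap they share is that sshd takes the first value it sees for a keyword, so a PermitRootLogin no appended below an existing PermitRootLogin yes does nothing. The function below is an added example, not part of the original article: it returns the value sshd will actually use for a keyword, honouring comments, case-insensitive keywords, "Key value" and "Key=value" forms, and stopping at the first Match block (whose settings are conditional). The config it reads is a constructed sample. Before restarting a real sshd, also run sshd -t, which syntax-checks the file, and on OpenSSH builds that support it sshd -T prints every effective setting.

```shell
#!/bin/sh
# Added example, not from the original article. Prints the value sshd will use
# for a keyword: the FIRST match in the file, outside any Match block.
# Usage: sshd_effective /etc/ssh/sshd_config PermitRootLogin

sshd_effective() {
    config=$1
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                 # comment or blank line
        /^[ \t]*[Mm]atch[ \t]/ { exit }         # conditional settings start here
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)          # keyword ends at space or "="
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == key) { print v; exit }     # first value wins, as in sshd
        }' "$config"
}

# Report the settings the hardening steps care about; "<default>" means the
# file is silent and sshd's compiled-in default applies.
sshd_report() {
    for k in PermitRootLogin AllowUsers Banner; do
        v=$(sshd_effective "$1" "$k")
        echo "$k=${v:-<default>}"
    done
}

# Constructed sample: an admin appended "PermitRootLogin no" while hardening,
# but sshd keeps the earlier "yes".
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# sshd_config sample
Port 22
PermitRootLogin yes
#Banner none
AllowUsers *@10.138.*.*
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF

sshd_report "$SAMPLE_CONFIG"
```

The report shows PermitRootLogin=yes for the sample even though the file ends with "no"; the fix is to edit the first line, not to add another.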
V. User authentication

5.1 Lock an account after repeated failed logins
Check: # cat /etc/pam.d/system-auth and look for a line auth required pam_tally.so
Backup: # cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
Hardening: # vi /etc/pam.d/system-auth and add, above the auth sufficient pam_unix.so line so that it is always evaluated: auth required pam_tally.so onerr=fail deny=6 unlock_time=300 which locks the account after 6 consecutive failures and unlocks it automatically after 300 seconds. To unlock a user by hand: # faillog -u <username> -r. On CentOS 6 and later the module is pam_tally2 and the reset command is pam_tally2 -u <username> -r.
Risk: requires PAM. Check the edit carefully, since a mistake stops users logging in. If authentication fails after the change, look at /var/log/messages or /var/log/secure to see whether the account was rejected and why.
5.2 Set an idle-session timeout (TMOUT)
Check: # cat /etc/profile and look for TMOUT.
Backup: # cp -p /etc/profile /etc/profile_bak
Hardening: # vi /etc/profile and add TMOUT=600 so that a shell with no activity for 600 seconds exits automatically. Export the variable and mark it readonly so users cannot simply unset it in their own session.
Risk: no visible risk.

5.3 Set a GRUB/LILO password
Check: # cat /etc/grub.conf | grep password to see whether GRUB has a password; # cat /etc/lilo.conf | grep password for LILO.
Backup: # cp -p /etc/grub.conf /etc/grub.conf_bak and # cp -p /etc/lilo.conf /etc/lilo.conf_bak
Hardening: set a password for GRUB or LILO. For GRUB, generate the hash with grub-md5-crypt and add it as a password --md5 line in grub.conf; without it anyone at the console can edit the boot entry and boot to single-user mode as root.
Risk: /etc/grub.conf is usually a symlink to /boot/grub/grub.conf, so make sure /boot is mounted and edit the real file.

5.4 Restrict FTP logins
Check: # cat /etc/ftpusers; the user names listed there are not allowed to log in to the FTP service.
Backup: # cp -p /etc/ftpusers /etc/ftpusers_bak
Hardening: # vi /etc/ftpusers and add one user name per line; each listed user is barred from FTP. With vsftpd, the FTP server shipped with CentOS, the files are /etc/vsftpd/ftpusers and /etc/vsftpd/user_list instead.
Risk: no visible risk.

5.5 Limit the number of retained bash history commands
Check: # cat /etc/profile | grep HISTSIZE= and # cat /etc/profile | grep HISTFILESIZE= show how many history entries are kept.
Backup: # cp -p /etc/profile /etc/profile_bak
Hardening: # vi /etc/profile and set HISTSIZE=5 and HISTFILESIZE=5 to keep only the last five commands. (Figure 8)
Risk: no visible operational risk, but a five-line history also removes the record of what an intruder typed, which you may want during an investigation; the alternative is to keep the full history and rely on its owner-only file mode.

VI. Audit policy

6.1 Configure the system log policy
Check: # ps -ef | grep syslog to confirm syslogd is running; # cat /etc/syslog.conf to review the syslogd configuration and confirm the log files are being written: system log /var/log/messages, cron log /var/log/cron, security log /var/log/secure (the defaults). CentOS 6 and later ship rsyslog, whose configuration is /etc/rsyslog.conf.
Backup: # cp -p /etc/syslog.conf /etc/syslog.conf_bak (Figure 9)

6.2 Allocate enough storage space and retention for audit data
Check: # cat /etc/logrotate.conf to review the system-wide rotation settings. By default it contains:
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
Backup: # cp -p /etc/logrotate.conf /etc/logrotate.conf_bak
Hardening: # vi /etc/logrotate.d/syslog. rotate N keeps N rotated files and deletes the oldest when the next rotation happens, so raise it to keep more history (the example below keeps 5); size 100k rotates a file once it grows past 100 KB. The block should look like this:
/var/log/syslog/*_log {
    missingok
    notifempty
    size 100k        # rotate once the file grows bigger than 100k
    rotate 5         # keep 5 rotated files; the oldest is deleted at the sixth rotation
    compress         # compress rotated files
    sharedscripts
    postrotate
        /etc/init.d/syslog condrestart >/dev/null 2>&1 || true
    endscript
}
(Figure 10)
Risk: no visible risk. Note that size replaces the weekly schedule for these files; logrotate is run daily from cron, so the size is checked once a day.
