System Security Hardening: Linux Operating System (1), Harden Linux
I have recently been preparing for the information security professional examination of the National Network Communications Commission, working through a system security hardening manual and practising the hardening commands.
The operating system used is CentOS 7. Since a "destructive test" can happen at any time, take VM snapshots so that mistakes can be rolled back.
First, to become familiar with the CLI, set the system to boot without the graphical interface. Earlier versions did this by editing /etc/inittab; in CentOS 7 the commands are:
systemctl set-default multi-user.target   # boot into command-line mode
systemctl set-default graphical.target    # boot into graphical mode
In fact, the system performs the following operations:
Good! Now log in to the system, and do not forget to take the initial snapshot first.
I. Account Management, Authentication and Authorization
The first part hardens user accounts and permissions. The commands used are mainly file viewing and editing commands.
1. Files related to accounts, user groups and passwords
These files include:
/etc/passwd
/etc/shadow
/etc/group
Brief description:
/etc/passwd records some basic attributes of the users in the system. It is writable by root and readable by all users. Its content looks like this:
Each field, separated by ":", means:
username:password:UID:GID:comment/description:home directory:login shell
For security reasons the password is stored in /etc/shadow, so this field shows x.
/etc/shadow holds the passwords of all users:
Like the passwd file, each field is separated by ":", and the fields mean:
login name:encrypted password:last modification time:minimum interval:maximum interval:warning time:inactive time:expiration time:flag (reserved by the system)
Some notes:
(1) The "password" field stores the encrypted user password. If it is empty, the user has no password and none is required at login. An asterisk means the account is locked (some systems use NP instead). Two exclamation marks mean the password has expired. The prefix of the hash identifies the algorithm: $6$ means SHA-512, $1$ means MD5, $2$ means Blowfish and $5$ means SHA-256.
(2) "last modification time" is the number of days from a fixed starting point to the day the user last changed the password. The starting point may differ between systems; for example, January 1, 1970 (all later times count from this point).
(3) "minimum interval" is the minimum number of days required between two password changes.
(4) "maximum interval" is the maximum number of days a password remains valid.
(5) "warning time" is the number of days before the password officially becomes invalid at which the system starts warning the user.
(6) "inactive time" is the maximum number of days the user may go without logging on while the account remains valid.
(7) "expiration time" is an absolute number of days; if this field is used, it gives the validity period of the account.
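As an added example (not from the original post), the following shell functions classify the password field of /etc/shadow entries and evaluate the age fields described above. The input is constructed sample text; no system files are read, and the script assumes only a POSIX shell, cut and awk.

```shell
# Added example, not from the original post: classify the password field of
# /etc/shadow entries and evaluate the password age fields. Constructed
# sample data, no system files read. Assumes POSIX sh, cut and awk.
SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
alice:$1$abc$legacyhash:17000:0:90:7:::
bob:!$6$saltsalt$hashhashhash:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
guest::18000:0:99999:7:::'

# shadow_pw_status LINE -> one word describing the second (password) field
shadow_pw_status() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')            echo "empty-no-password-required" ;;
        '*'|'NP'|'!'*) echo "locked" ;;      # passwd -l prefixes the hash with !
        '$6$'*)        echo "sha512" ;;
        '$5$'*)        echo "sha256" ;;
        '$2'*)         echo "blowfish" ;;
        '$1$'*)        echo "md5-weak" ;;    # legacy hash, worth flagging in an audit
        *)             echo "unknown" ;;
    esac
}

# shadow_pw_age LINE TODAY -> "ok", "warn", "expired" or "never-expires".
# TODAY is the day count since 1970-01-01, the epoch the page describes
# (on a live system: $(( $(date +%s) / 86400 ))).
shadow_pw_age() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        last = $3; max = $5; warn = $6
        if (max == "" || max + 0 >= 99999) { print "never-expires"; exit }
        left = last + max - today          # days until the password is invalid
        if (left < 0) print "expired"
        else if (left <= warn) print "warn"
        else print "ok"
    }'
}

# audit_shadow TODAY -> one "user status age" line per sample entry
audit_shadow() {
    printf '%s\n' "$SAMPLE_SHADOW" | while IFS= read -r line; do
        printf '%s %s %s\n' "${line%%:*}" "$(shadow_pw_status "$line")" \
            "$(shadow_pw_age "$line" "$1")"
    done
}
```

Run `audit_shadow "$(( $(date +%s) / 86400 ))"` to see every sample entry classified against today's day number.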
/etc/group holds the user group attributes:
This file is relatively simple: group name:password:GID:group member list
In the group member list, users are separated by commas.
To view a user's UID and group memberships, use:
id [user]
The output looks like this:
OK. The file description ends here. Let's do some practical work ~
2. Lock irrelevant accounts
You can use
passwd -l [user]
The principle is that a "!" is prepended to the password field in /etc/shadow (because of system differences, some systems add "*LK*" instead), so the stored password no longer matches and login fails.
This is simple and crude, but it also means the account can be locked at will just by editing the password field in the shadow file.
The corresponding UNLOCK Command is
passwd -u [user]
3. Prohibit remote login with the super administrator account
Before doing this, you must first know an important topic: Linux-PAM (Linux Pluggable Authentication Modules).
The authentication mechanism is changed by editing the configuration file /etc/pam.conf (Red Hat and other systems also support another method, the configuration directory /etc/pam.d/), and the modules are configured under /etc/security.
Because the subject is long, look it up on Baidu (there is a very practical blog on it); here only what this section needs is described.
1. PAM working mechanism: each authentication module in the /lib/security directory returns pass or fail. Some programs use the settings files in the /etc/security directory to determine the authentication method.
An application calls PAM, whose authentication configuration is stored in /etc/pam.d, one file per application name. Each line in such a file returns a success or failure control flag that determines whether the user is granted access.
2. PAM authentication types
* auth: verifies the identity of the user, prompting for account and password
* account: decides whether access is allowed based on the user table, the time, or the password validity period
* password: controls password complexity when a password is changed
* session: logging, or limiting the number of user logins (for example, repeated logins)
The libpam function library can call one or all of the above services.
3. PAM verification control types (control values), also called control flags, determine how the result of each module is used:
* required: if the module fails, the stack continues, but the final result is Fail (the user does not learn which module failed)
* requisite: if the module fails, the whole verification ends immediately with Fail
* sufficient: if the module succeeds, success is returned immediately without continuing; otherwise its result is ignored and the stack continues
* optional: the result does not affect the outcome either way (usually used for the session type)
Open the file /etc/pam.d/login and you will see content like the following:
Where the line
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
or
auth required pam_securetty.so
is uncommented, check that /etc/securetty contains no pts/X entry (X is a decimal integer), or that any such entry is commented out.
This makes sure the root user cannot log in to the host over telnet.
Then check SSH in
/etc/ssh/sshd_config
Verify that the following keyword is set to no and that the line is not commented out: PermitRootLogin no
Then restart the ssh service:
service sshd stop
service sshd start
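As an added example (not from the original post), these shell functions check the two settings of this section against constructed file contents: uncommented pts/N lines in securetty, and the effective PermitRootLogin value. They assume a POSIX shell with grep and awk, sshd_config lines of the form "Keyword value", and do not handle Match blocks; no real files are read.

```shell
# Added example, not from the original post: audit the securetty and
# sshd_config settings from this section on constructed contents.
# Assumes POSIX sh, grep and awk; "Keyword value" lines; Match blocks ignored.
SAMPLE_SECURETTY='console
tty1
#pts/0
pts/1'

SAMPLE_SSHD_CONFIG='# constructed sshd_config
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes'

# securetty_pts_entries CONTENT -> the uncommented pts/N lines; with
# pam_securetty active, root may log in from exactly these pseudo-terminals
securetty_pts_entries() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*pts/[0-9]+[[:space:]]*$' || true
}

# sshd_permit_root_login CONTENT -> the effective PermitRootLogin value.
# sshd keeps the FIRST uncommented occurrence of a keyword, so a "no" added
# below an earlier "yes" changes nothing; "default" means the keyword is unset.
sshd_permit_root_login() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }'
}

# root_login_audit SECURETTY SSHD_CONFIG -> prints PASS or FAIL lines,
# returns 0 only when both checks pass
root_login_audit() {
    rc=0
    pts=$(securetty_pts_entries "$1")
    if [ -n "$pts" ]; then
        echo "FAIL securetty allows root on: $(printf '%s' "$pts" | tr '\n' ' ')"; rc=1
    fi
    prl=$(sshd_permit_root_login "$2")
    if [ "$prl" != "no" ]; then
        echo "FAIL PermitRootLogin effective value is '$prl', expected 'no'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS"
    return "$rc"
}
```

On a live host the authoritative check for the effective value is `sshd -T | grep -i permitrootlogin`, which also resolves Match blocks.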
4. Modify user groups
Use usermod -g [group/GID] [username] to change a user's primary group. Nothing more to say:
5. Password Policy
(1) Password complexity and validity period
Modify /etc/login.defs. The comments in the file are clear, so you can adjust the values yourself:
(2) Set the password history so that the last N passwords cannot be reused (the method comes from the web)
For Red Hat family Linux, open /etc/pam.d/system-auth
For Debian Linux, open /etc/pam.d/common-password
Append remember=N to the end of the password line
However, I have a question: should the control type of the PAM line that carries remember=N be sufficient rather than another type? Please kindly advise!
(3) Lock the account after more than N consecutive authentication failures
Edit /etc/pam.d/login and add the following line after its second line:
auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10
6. Set file and directory permissions
The passwd, shadow and group files are critical to user login, and their permissions must be strictly managed.
/etc/passwd must be readable by all users and writable by root: -rw-r--r--, permission value 644.
/etc/shadow is readable only by root: -r--------, permission value 400.
/etc/group must be readable by all users and writable by root: -rw-r--r--, permission value 644.
Run the following commands to set the permissions:
chmod 644 /etc/passwd
chmod 400 /etc/shadow
chmod 644 /etc/group
Another important parameter is umask, whose value determines the default permissions of newly created files and directories. The recommended value is 027.
In permission values, r = 4, w = 2 and x = 1. For umask, umask = 777 (or 666 for files) - permission value, that is, permission value = 777 (666) - umask. For example, with umask = 002 the default permissions for a new file and a new directory are 664 (666 - 2) and 775 (777 - 2) respectively.
Why two bases? For files the maximum digit is 6: the system does not grant execute permission when creating a regular file, and you must add it afterwards with chmod. Directories may be created with execute permission, so for directories the maximum digit is 7.
With the recommended umask = 027, a new file gets 640, that is -rw-r-----, and a new directory gets 750, that is drwxr-x---.
7. Check for users other than root whose UID is 0
Search the passwd file with the following command:
awk -F ':' '($3==0){print $1}' /etc/passwd
Delete any non-root users it reports with the userdel command.
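As an added example (not from the original post), these shell functions cover the last two sections: they derive default modes from a umask with bitwise arithmetic rather than the digit-by-digit subtraction shortcut, convert an ls -l mode string to its octal value so it can be compared with the prescribed 644/400, and list UID-0 accounts in a constructed passwd file. They assume a POSIX shell and awk; no system files are read.

```shell
# Added example, not from the original post: umask arithmetic, ls -l mode
# conversion and a UID-0 check on constructed data. Assumes POSIX sh and awk.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second account with uid 0 (constructed):/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# perms_from_umask UMASK -> "FILE DIR" default octal modes.
# The "666 - umask" shortcut works digit by digit only while no digit goes
# negative (027 is fine, 077 is not); the rule actually applied is
# base AND NOT umask, which this implements.
perms_from_umask() {
    mask=$(( 0$1 ))                  # leading 0 forces octal interpretation
    printf '%03o %03o\n' $(( 0666 & ~mask )) $(( 0777 & ~mask ))
}

# symbolic_to_octal MODE -> numeric mode for a 10-character ls -l mode
# string such as "-rw-r-----" (setuid/setgid/sticky bits are not handled)
symbolic_to_octal() {
    printf '%s\n' "$1" | awk '{
        m = substr($1, 2); out = ""           # drop the file-type character
        for (t = 0; t < 3; t++) {             # owner, group, other triplets
            d = 0
            if (substr(m, 3*t+1, 1) == "r") d += 4
            if (substr(m, 3*t+2, 1) == "w") d += 2
            if (substr(m, 3*t+3, 1) == "x") d += 1
            out = out d
        }
        print out
    }'
}

# uid0_accounts CONTENT -> login names with UID 0 other than root, i.e. the
# accounts the page says to remove with userdel
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}
```

To check a real file, pass the first field of `ls -l /etc/shadow` to symbolic_to_octal and compare the result with 400.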