Linux Server operating system hardening methods

  • 2020-06-23 02:38:35
  • OfStack

1. Account and password

1.1 Disable or delete useless accounts

Remove useless accounts from the system to reduce security risks.

steps

Use the command userdel <username> to delete unnecessary accounts.
Use the command passwd -l <username> to lock unnecessary accounts.
Use the command passwd -u <username> to unlock accounts that are needed again.

1.2 Check special accounts

Check for accounts with an empty password and for accounts with root permissions.

steps

Check the password fields and the root-privileged accounts to confirm whether there are abnormal accounts:
Use the command awk -F: '($2=="")' /etc/shadow to list accounts with an empty password.
Use the command awk -F: '($3==0)' /etc/passwd to list accounts whose UID is 0.
For accounts with an empty password: use the command passwd <username> to set a password. Confirm that root is the only account with UID 0.

1.3 Add password policy

Strengthen password complexity to reduce the probability of passwords being guessed.

steps

Use the command vi /etc/login.defs to modify the configuration file:

PASS_MAX_DAYS 90 # maximum number of days a new user's password may be used
PASS_MIN_DAYS 0 # minimum number of days between password changes for new users
PASS_WARN_AGE 7 # number of days before expiry that new users are warned

Use the chage command to modify the settings of existing users. For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> sets the minimum usage days of this user to 0 and the maximum to 30; the password expires on January 1, 2000, and the user is warned 7 days before expiration.

Lock the account for 5 minutes after 3 consecutive wrong passwords: use the command vi /etc/pam.d/common-auth to modify the configuration file and add auth required pam_tally.so onerr=fail deny=3 unlock_time=300 .

1.4 Limit user su

Limit su to root users.

steps

Use the command vi /etc/pam.d/su to modify the configuration file and add a line to it. For example, to allow only users in the test group to su to root, add auth required pam_wheel.so group=test .

1.5 Prohibit root users from logging in directly

Restrict root users from logging in directly.

steps

Create an account with ordinary permissions and set its password, so that remote login remains possible after root login is disabled. Then use the command vi /etc/ssh/sshd_config to modify the configuration file, change the value of PermitRootLogin to no, save, and run service sshd restart to restart the service.

2. Services

2.1 Turn off unnecessary services

Reduce risk by shutting down unnecessary services, both standalone services and services managed by xinetd.

steps

Use the command chkconfig --level <init level> <service name> on|off|reset to set whether the service starts at the specified init level.

2.2 SSH Service security

Harden the SSH service to prevent successful brute-force password attacks.

steps

Use the command vim /etc/ssh/sshd_config to edit the configuration file:

Do not allow the root account to access the system directly: set the value of PermitRootLogin to no.
Modify the protocol version used by SSH: set Protocol to 2.
Change the number of allowed password errors (default: 6): set the value of MaxAuthTries to 3.

After the changes to the configuration file are complete, restart the sshd service for them to take effect.
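An added audit script for the three directives above (example code, not from the original article): it reads sshd_config the way sshd does, honouring the first occurrence of each keyword, so a hardened line appended below an existing setting is reported as ineffective. It writes a constructed sample file with mktemp; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit the three sshd_config
# directives this section sets. sshd honours the FIRST occurrence of a keyword,
# so a hardened line appended at the end changes nothing when an earlier line
# already sets it; this check applies the same rule. Assumptions: "Keyword value"
# syntax (not Key=Value) and only the global section before any Match block.

# sshd_effective FILE KEYWORD -> prints the effective value, or "unset"
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
        tolower($1) == "match" { exit }        # Match blocks are conditional: stop
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd FILE -> prints PASS/FAIL per directive, returns the failure count
check_sshd() {
    fails=0
    for pair in PermitRootLogin:no Protocol:2 MaxAuthTries:3; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key=$got"
        else
            echo "FAIL $key=$got (want $want)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample (not a real server's file): PermitRootLogin no was appended
# but the earlier line wins, and MaxAuthTries 3 only applies inside a Match block.
make_sample_config() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
permitrootlogin yes
#MaxAuthTries 6
Protocol 2
PermitRootLogin no
Match Address 10.0.0.0/8
    MaxAuthTries 3
EOF
    printf '%s\n' "$f"
}

f=$(make_sample_config)
check_sshd "$f" || echo "$? directive(s) failed"
rm -f "$f"
```

Run it against a real file with check_sshd /etc/ssh/sshd_config; a non-zero exit status means at least one directive is not effectively set to the value this section requires.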

3. File systems

3.1 Set the umask value

Set the default umask value to enhance security.

steps

Use the command vi /etc/profile to modify the configuration file and add the line umask 027 , so that a newly created file gives its owner read, write and execute permissions, users in the same group read and execute permissions, and other users no permissions.

3.2 Set the login timeout

Set a connection timeout for logged-in sessions to enhance security.

steps

Use the command vi /etc/profile to modify the configuration file: uncomment the line beginning with TMOUT= and set it to TMOUT=180 , a timeout of 3 minutes.

4. Logs

4.1 syslogd log

Enable and configure logging.

steps

The Linux system enables the following types of logging by default:

System log (default): /var/log/messages
cron log (default): /var/log/cron
Security log (default): /var/log/secure

Note: Some systems may use syslog-ng for logging, with the configuration file /etc/syslog-ng/syslog-ng.conf.

You can configure detailed logs as required.

4.2 Logins and operations of all users

Log the logins and operations of all users with a script, so that a security incident never occurs without leaving evidence.

steps

1. Run [root@xxx /]# vim /etc/profile to open the configuration file.

2. Enter the following in the configuration file:


# print the current history list
history
# record who is logged in and from where: the last field of "who -u am i" is the
# remote host in parentheses; fall back to the local hostname for console logins
USER=`whoami`
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
# shared log directory, world-writable so every user can create a subdirectory
# (mode 1777 with the sticky bit would additionally stop users deleting each other's directories)
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
# per-user directory: the owner can write and enter it but not list it
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
# one history file per session, named user@ip_timestamp
DT=`date +"%Y%m%d_%H:%M:%S"`
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
# tighten permissions on any history files already in the directory
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null

3. Run [root@xxx /]# source /etc/profile to load the configuration so that it takes effect.
Note: /var/log/history is the logging location and can be customized.

Through the above steps, a folder named after each user is created under the /var/log/history directory. After each user logs out, a log file named with the user name, login IP and time is generated, containing all the commands run by that user (except the root user).

It is also recommended that you use the OSS service to collect and store logs.

