2025-01-30 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article introduces a set of Linux server security tips. It is intended as a reference for anyone hardening a server; the sections below walk through each measure in turn.
1. Physical system security
Configure the BIOS to disable booting from CD/DVD, external devices and floppy drives. Then set a BIOS password and password-protect GRUB, which limits what can be done with physical access to the system.
2. Disk partitions
It is important to use separate partitions: they give better data protection in the event of a disaster. Splitting data across partitions groups and isolates it, so when something goes wrong only the data on the affected partition is damaged and the data on the other partitions survives. The following partitions are recommended, and third-party programs are best installed on their own file system, /opt.
/
/boot
/usr
/var
/home
/tmp
/opt
3. Minimal package installation, minimal vulnerabilities
Do you really need every service installed? Do not install packages you do not use, so that vulnerabilities in them cannot affect you. Fewer packages means less risk, because a vulnerability in one service can be used to compromise others. Find and remove or stop unused services to reduce the system's attack surface. Use the 'chkconfig' command to list all the services enabled at runlevel 3.
# /sbin/chkconfig --list | grep '3:on'
When you find an unwanted service enabled, stop it with the following command.
# chkconfig serviceName off
Use the package manager (yum on RPM-based systems, apt-get on Debian-based ones) to list all installed packages, and use the commands below to uninstall those you do not need.
# yum -y remove package-name
# sudo apt-get remove package-name
4. Check the network listening ports
With the 'netstat' command you can see all open ports and the programs listening on them. Use the 'chkconfig' command described above to turn off any network service the system does not need.
# netstat -tulpn
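As an added example (not part of the original article), the two helpers below parse the output of 'chkconfig --list' and 'netstat -tulpn' so that the checks in sections 3 and 4 can be scripted. The sample outputs embedded in the script are constructed; on a real server, pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example, not from the original article. The functions read stdin, so
#   /sbin/chkconfig --list | services_on_at_3
#   netstat -tulpn | exposed_listeners
# work unchanged on a live system.

# Constructed sample of "chkconfig --list" output.
CHKCONFIG_SAMPLE='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off'

# Constructed sample of "netstat -tulpn" output.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1001/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1200/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1250/httpd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1300/cupsd'

# Names of services enabled at runlevel 3 (the "3:on" column).
services_on_at_3() {
  awk '$5 == "3:on" { print $1 }'
}

# Sockets bound to all addresses (0.0.0.0 or ::), i.e. reachable from the
# network, printed as "proto port program". Loopback-only binds such as the
# MySQL socket above are deliberately not reported.
exposed_listeners() {
  awk 'NR > 1 && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
         port = $4; sub(/.*:/, "", port)          # keep only the port number
         prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
         print $1, port, prog
       }'
}

# Demo run over the constructed samples.
printf '%s\n' "$CHKCONFIG_SAMPLE" | services_on_at_3
printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
```

A service that appears in both lists (here cups, which listens on UDP 631 on every interface) is the first candidate for 'chkconfig cups off' if nobody prints from this server.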
5. Use SSH (Secure Shell)
The Telnet and rlogin protocols transmit everything in plain text and cannot use encryption, which exposes credentials and session data. SSH is a secure protocol that encrypts the communication between client and server.
Never log in directly as root unless necessary; use "sudo" to run privileged commands. sudo is configured in the /etc/sudoers file, which should be edited with the "visudo" tool (it opens the file in the vi editor).
It is also recommended to change the default SSH port 22 to another, higher port number. Open the main SSH configuration file and make the following changes to restrict user access.
# vi /etc/ssh/sshd_config
Turn off root login:
PermitRootLogin no
Allow only specific users:
AllowUsers username
Use version 2 of the SSH protocol:
Protocol 2
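The following script is an added example, not part of the original article: it audits an sshd_config file for the settings listed above. 'sshd_get' mirrors sshd's rule that the first uncommented occurrence of a directive wins (so a stray early 'PermitRootLogin yes' is caught). The two configuration files it creates are constructed samples. Two caveats a practitioner should keep in mind: recent OpenSSH releases removed protocol 1 entirely and treat 'Protocol' as obsolete, so the Protocol finding is harmless there; and after editing the real file, run 'sshd -t' to validate it before restarting the service, because a syntax error leaves you without remote access.

```shell
#!/bin/sh
# Added example, not from the original article. Run
#   audit_sshd /etc/ssh/sshd_config
# on a real host; the temp files below are constructed samples.

sshd_get() {   # sshd_get <file> <Directive>: value of the first active occurrence
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_sshd() { # prints one FAIL line per finding; returns 1 if anything failed
  f=$1; rc=0
  [ "$(sshd_get "$f" PermitRootLogin)" = no ] || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
  [ -n "$(sshd_get "$f" AllowUsers)" ]        || { echo "FAIL: no AllowUsers restriction"; rc=1; }
  [ "$(sshd_get "$f" Protocol)" = 2 ]         || { echo "FAIL: Protocol is not 2"; rc=1; }
  port=$(sshd_get "$f" Port)
  if [ -z "$port" ] || [ "$port" = 22 ]; then echo "FAIL: SSH still on default port 22"; rc=1; fi
  return $rc
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Constructed: a stock-looking config where everything is still commented out,
# so every directive falls back to its default.
cat > "$TMP/default.conf" <<'EOF'
#Port 22
#Protocol 2
#PermitRootLogin yes
EOF

# Constructed: the hardened version described in the text.
cat > "$TMP/hardened.conf" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers admin
EOF

audit_sshd "$TMP/default.conf"  || echo "default.conf: needs work"
audit_sshd "$TMP/hardened.conf" && echo "hardened.conf: OK"
```

'sshd_get' only prints the first token of a value; 'AllowUsers' may list several users or user@host patterns, which is fine for the presence check used here but would need the whole line if you wanted to review who is allowed.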
6. Keep the system up to date
Always make sure the system has the latest patches, security fixes and kernel updates installed.
# yum update
# yum check-update
7. Lock down cron
Cron has a built-in feature for defining who may and may not run cron jobs. It is controlled by two files, /etc/cron.allow and /etc/cron.deny. To stop users from using cron, add their names to cron.deny; to allow users to run cron jobs, add their names to cron.allow. To ban all users from cron, add "ALL" as a line in cron.deny.
# echo ALL >> /etc/cron.deny
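An added example (not from the original article) of how the two files interact, which the text above does not spell out: when cron.allow exists, only the users listed in it may use crontab and cron.deny is ignored entirely; cron.deny is consulted only when cron.allow is absent. The function below encodes that precedence and is exercised against constructed files in a temporary directory; point it at /etc/cron.allow and /etc/cron.deny to check a real server.

```shell
#!/bin/sh
# Added example, not from the original article.

cron_allowed() {   # cron_allowed <user> <allow-file> <deny-file>; exit 0 if allowed
  if [ -f "$2" ]; then
    grep -qx "$1" "$2"           # allow file present: user must be listed in it
  elif [ -f "$3" ]; then
    ! grep -qx "$1" "$3"         # only deny file present: user must not be listed
  else
    return 0                     # neither file: site-dependent default, treated as allowed here
  fi
}

# Constructed demo: deny alice, then observe the effect of creating cron.allow.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
echo alice > "$DEMO/cron.deny"
cron_allowed bob   "$DEMO/cron.allow" "$DEMO/cron.deny" && echo "bob: allowed (only cron.deny exists)"
cron_allowed alice "$DEMO/cron.allow" "$DEMO/cron.deny" || echo "alice: denied (listed in cron.deny)"
```

The practical consequence: if an administrator later creates cron.allow for one service account, every other user silently loses cron access, so check both files when a job "stops running".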
8. Disable USB storage detection
In many cases we want to stop users from using USB storage, both to protect the system and to prevent data leakage. Create the file '/etc/modprobe.d/no-usb' with the following line to disable loading of the USB storage module.
install usb-storage /bin/true
9. Enable SELinux
SELinux (Security-Enhanced Linux) is a mandatory access control mechanism provided by the Linux kernel. Disabling SELinux removes that layer of protection from the system, so think carefully before turning it off, and be especially careful if the system is exposed to the public network.
SELinux has three basic modes of operation:
Enforcing: the default mode, in which SELinux policy is enabled and enforced.
Permissive: SELinux does not enforce the policy; it only warns and logs. This mode is useful when troubleshooting SELinux-related problems.
Disabled: SELinux is turned off.
You can view the current SELinux status with 'system-config-selinux', 'getenforce' or 'sestatus'.
# sestatus
If SELinux is not in enforcing mode, turn it on with the following command.
# setenforce 1
You can also set the SELinux mode in the configuration file '/etc/selinux/config'.
10. Remove the KDE or GNOME desktop
There is no need to run an X Window desktop such as KDE or GNOME on a dedicated LAMP server. Removing or disabling it improves both security and performance. To stop the desktop from starting, open /etc/inittab and change the default runlevel to 3. To remove it from the system completely, use the following command:
# yum groupremove "X Window System"
11. Disable IPv6
If you do not use IPv6, turn it off: most applications and policies do not use it, and the server does not currently require it. Disable it by adding the following lines to the network configuration file.
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no
12. Stop users from reusing old passwords
This is useful if you do not want users to keep reusing their old passwords. The old password history is kept in /etc/security/opasswd, and the restriction is implemented with a PAM module.
On RHEL / CentOS / Fedora, open the '/etc/pam.d/system-auth' file.
# vi /etc/pam.d/system-auth
On Ubuntu / Debian / Linux Mint, open the '/etc/pam.d/common-password' file.
# vi /etc/pam.d/common-password
Add the following line to the 'auth' section.
auth sufficient pam_unix.so likeauth nullok
Add the following line to the 'password' section to prevent users from reusing any of their last 5 passwords.
password sufficient pam_unix.so nullok use_authtok md5 shadow remember=5
The server keeps only the last five passwords. If a user tries to reuse any of those, they will see the following error.
Password has been already used. Choose another.
13. How to check a user's password expiry
In Linux, user passwords are stored in hashed (encrypted) form in the '/etc/shadow' file. To check whether a user's password has expired, use the 'chage' command. It shows the date of the last password change and the password aging settings, which are what the system uses to decide when a user must change their password.
To view aging information for an existing user, such as the expiry date and the maximum age, use the following command.
# chage -l username
To change a user's password aging settings, use the following commands.
# chage -M 60 username
# chage -M 60 -m 7 -W 7 userName
Parameters:
-M sets the maximum number of days a password is valid
-m sets the minimum number of days between password changes
-W sets the number of days of warning before the password expires
14. Manually lock or unlock user accounts
Locking and unlocking is useful because you can lock an account for a week or a month instead of removing it from the system. Use the following command to lock a specific user.
# passwd -l accountName
Note: the locked account still exists on the system, and only root can unlock it. The lock works by prefixing the encrypted password in /etc/shadow with "!", which invalidates it. Anyone who tries to use the account will get an error like the following.
# su - accountName
This account is currently not available.
Use the following command to unlock a locked account. It removes the "!" prefix and restores the original password.
# passwd -u accountName
15. Stronger passwords
A considerable number of users choose weak passwords that can be broken by dictionary or brute-force attacks. The 'pam_cracklib' PAM module can force users to set complex passwords. Open the following file in an editor.
# vi /etc/pam.d/system-auth
Add a line with the strength parameters (lcredit, ucredit, dcredit and ocredit set the required numbers of lowercase letters, uppercase letters, digits and other characters):
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
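To make the parameters concrete, here is an added example (not from the original article) that re-implements in shell what the pam_cracklib line above demands. A negative credit such as 'ucredit=-2' is a minimum count of that character class, while 'minlen' is the minimum length; a positive credit would instead let each such character count as an extra point toward 'minlen', which this checker does not model. The dictionary check and the similarity check against the old password that pam_cracklib also performs are not reproduced. Newer distributions ship pam_pwquality in place of pam_cracklib, but it accepts these same parameters.

```shell
#!/bin/sh
# Added example, not from the original article. ASCII passwords assumed.

count_chars() {  # count_chars <string> <tr set>: number of characters in <set>
  s=$(printf '%s' "$1" | tr -cd "$2"); printf '%s' "${#s}"
}

check_password() {  # check_password <pw>: prints each unmet rule, returns 1 if rejected
  pw=$1; rc=0
  [ "${#pw}" -ge 8 ]                      || { echo "needs at least 8 characters (minlen=8)"; rc=1; }
  [ "$(count_chars "$pw" a-z)" -ge 1 ]    || { echo "needs 1 lowercase letter (lcredit=-1)"; rc=1; }
  [ "$(count_chars "$pw" A-Z)" -ge 2 ]    || { echo "needs 2 uppercase letters (ucredit=-2)"; rc=1; }
  [ "$(count_chars "$pw" 0-9)" -ge 2 ]    || { echo "needs 2 digits (dcredit=-2)"; rc=1; }
  other=$(printf '%s' "$pw" | tr -d 'a-zA-Z0-9')   # "other" = anything not in the three classes
  [ "${#other}" -ge 1 ]                   || { echo "needs 1 other character (ocredit=-1)"; rc=1; }
  return $rc
}

# Constructed candidates: the classic weak choice, a "complex-looking" one, and one that passes.
for candidate in 'password' 'Passw0rd' 'Tr0ub4dor&3X'; do
  if check_password "$candidate" > /dev/null; then
    echo "$candidate: accepted"
  else
    echo "$candidate: rejected"; check_password "$candidate" | sed 's/^/  /'
  fi
done
```

Note that 'Passw0rd' fails three separate rules even though it is eight characters long and mixes classes; the negative credits are what force real diversity rather than token substitutions.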
16. Enable iptables (firewall)
It is strongly recommended to enable the Linux firewall to block access by unauthorized programs. Use iptables rules to filter inbound, outbound and forwarded packets, allowing or denying specific UDP/TCP ports for given source and destination addresses.
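Since the section gives no rules, here is an added example (not from the original article) of a default-deny iptables rule set of the kind it recommends. Every rule goes through 'run', which prints the command when DRY_RUN is 1 (the default) and executes it when DRY_RUN=0, so the set can be reviewed before it is applied as root. SSH_PORT and ADMIN_NET are constructed placeholders (192.0.2.0/24 is an RFC 5737 documentation range): adjust them to your environment, and keep a console session open while testing so a mistake cannot lock you out.

```shell
#!/bin/sh
# Added example, not from the original article.
SSH_PORT=${SSH_PORT:-22}               # placeholder; use the non-default port chosen in section 5
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}   # placeholder: network allowed to reach SSH

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_firewall() {
  run iptables -F INPUT
  # Accept rules first, policies last, so an existing SSH session survives the change.
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT
  run iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  run iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  # Log what is about to be dropped (rate-limited); the prefix makes the entries easy to grep.
  run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop:" --log-level 4
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
}

apply_firewall
```

Rules added this way are not persistent across reboots; on RHEL/CentOS, save them with 'iptables-save > /etc/sysconfig/iptables' (or 'service iptables save') after verifying them.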
17. Disable Ctrl+Alt+Delete restart
On most Linux distributions, pressing 'CTRL-ALT-DELETE' reboots the system. This is not good practice on a production server, where it can cause an accidental restart.
The behaviour is configured in the '/etc/inittab' file, which contains a section like the one below. Comment out the 'ca::ctrlaltdel' line, as shown, so that the key combination no longer reboots the system.
# Trap CTRL-ALT-DELETE
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
18. Check for accounts with empty passwords
Any account with an empty password can be used by anyone who can reach the machine over the network, which is a serious threat to a Linux server. Make sure every account has a complex password and that no privileged account is left without one. An empty-password account is an easy way in. Use the following command to check whether any such accounts exist.
# cat /etc/shadow | awk -F: '($2 == "") {print $1}'
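The one-liner above looks only at field 2. As an added example (not from the original article) that serves sections 13, 14 and 18 together, the script below makes one pass over a shadow file and reports empty passwords, accounts locked with the "!" marker that 'passwd -l' writes, and passwords that have exceeded their maximum age, using the same fields 'chage -l' reads (field 3 is the last change in days since 1970-01-01, field 5 the maximum age). The shadow content is constructed; pass /etc/shadow, as root, for a real check.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed shadow entries (hashes are placeholders, not real hashes).
SHADOW_SAMPLE='root:$6$salt$hashhashhash:19700:0:99999:7:::
alice:$6$salt$hashhashhash:19500:7:60:7:::
bob::19700:0:99999:7:::
carol:!$6$salt$hashhashhash:19700:0:99999:7:::
dave:*:19700:0:99999:7:::'

# shadow_audit <file> <today-in-days>     today = $(( $(date +%s) / 86400 ))
shadow_audit() {
  awk -F: -v today="$2" '
    $2 == ""   { print "EMPTY", $1; next }            # anyone can log in without a password
    $2 ~ /^!/  { print "LOCKED", $1; next }           # passwd -l lock ("!!" = never set)
    $2 == "*"  { next }                               # password login impossible; nothing to report
    $5 != "" && $5 < 99999 && (today - $3) > $5 {
      print "EXPIRED", $1, "(" (today - $3) " days since change, max " $5 ")"
    }' "$1"
}

F=$(mktemp); trap 'rm -f "$F"' EXIT
printf '%s\n' "$SHADOW_SAMPLE" > "$F"
shadow_audit "$F" 19700      # 19700 days is a fixed "today" so the demo is reproducible
```

EXPIRED here means the password is past its maximum age and the user will be forced to change it at next login; the inactivity and account-expiry fields (7 and 8) are not evaluated, and LOCKED entries for system accounts are expected rather than findings.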
19. Display an SSH banner before login
It is a good idea to show a legal notice and security warning before SSH authentication.
20. Monitor user activity
If you have many users, it is important to collect information about what each user does and how much their processes consume. That data can later be used for performance tuning and for investigating security issues.
But how do you monitor and collect information about user activity?
Two useful tools, 'psacct' and 'acct', can monitor user activity and processes on the system. They run in the background and continuously record each user's activity and the resources consumed by services such as Apache, MySQL, SSH, FTP and so on.
21. Check the logs regularly
Send logs to a dedicated log server so that an intruder cannot easily tamper with the local copies. The default log files on common Linux systems and their purposes are:
/var/log/messages - general system log / current activity log.
/var/log/auth.log - authentication log.
/var/log/kern.log - kernel log.
/var/log/cron.log - crond log (cron jobs).
/var/log/maillog - mail server log.
/var/log/boot.log - system boot log.
/var/log/mysqld.log - MySQL database server log.
/var/log/secure - authentication log.
/var/log/utmp or /var/log/wtmp - login records.
/var/log/yum.log - yum log.
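"Check the logs" is only useful with something to look for. As an added example (not from the original article), the script below runs a simple detection over authentication log lines: it counts failed SSH password attempts per source address and flags sources above a threshold. The log lines are constructed in the syslog format sshd uses, with RFC 5737 documentation addresses; on a real host run 'failed_ssh_by_source < /var/log/secure' (or auth.log on Debian-based systems).

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample of /var/log/secure lines.
AUTH_SAMPLE='Jun  1 10:01:02 web1 sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jun  1 10:01:05 web1 sshd[2013]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jun  1 10:01:09 web1 sshd[2015]: Failed password for root from 198.51.100.7 port 40131 ssh2
Jun  1 10:02:44 web1 sshd[2020]: Accepted publickey for deploy from 203.0.113.5 port 50110 ssh2
Jun  1 10:03:10 web1 sshd[2022]: Failed password for deploy from 203.0.113.5 port 50112 ssh2'

# Reads log lines on stdin; prints "<count> <source-ip>", most attempts first.
failed_ssh_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_sources <threshold>: source addresses with at least <threshold> failures.
flag_sources() {
  failed_ssh_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$AUTH_SAMPLE" | failed_ssh_by_source
echo "sources with 3 or more failures:"
printf '%s\n' "$AUTH_SAMPLE" | flag_sources 3
```

The "invalid user" variant and attempts against root (which section 5 already disables) are the usual signature of password guessing; a single failure from the address that later logged in with a key is ordinary user error, which is why the threshold matters.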
22. Back up important files
In a production environment, disaster recovery requires backing up important files and storing them safely in a remote tape vault, at a remote site, or on a remote hard drive.
23. NIC bonding
Two bonding modes are commonly used for a bonded interface:
mode=0 - round-robin
mode=1 - active-backup
NIC bonding helps avoid a single point of failure. Two or more network cards are bound together into a virtual interface that carries the IP address and talks to other servers, so the network stays available if one NIC fails or becomes unusable for any other reason.
24. Keep /boot read-only
The Linux kernel and its related files live in the /boot directory, which is writable by default. Mounting it read-only reduces the risk of unauthorized modification of critical boot files.
# vi /etc/fstab
Add the following line at the end of the file and save it.
LABEL=/boot /boot ext2 defaults,ro 1 2
If you need to upgrade the kernel later, remount /boot read-write first.
25. Ignore ICMP and broadcast requests
Add the following lines to /etc/sysctl.conf to ignore ping and broadcast requests.
Ignore ICMP echo requests:
net.ipv4.icmp_echo_ignore_all = 1
Ignore broadcast requests:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Run the following command to load the changes:
# sysctl -p