How to check and reinforce the safety compliance of Linux

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article walks through how to check a Linux host against common security compliance requirements and how to harden the settings that fail: accounts and passwords, services, the file system, and logging.

1. Account and password

1.1 Disable or delete useless accounts

Every unused account is one more set of credentials to guess or steal, so remove or lock the ones nobody needs.

Operation steps

Use userdel <user> to delete an account that is no longer needed. Use passwd -l <user> to lock an account that must stay on the system but must not be able to log in, and passwd -u <user> to unlock it again when it is needed. Check the result with passwd -S <user>: a locked account shows L in the second column.

1.2 Check special accounts

Check whether any account has an empty password or root privileges (UID 0).

Operation steps

List the empty-password accounts and the UID 0 accounts, and confirm none of them is unexpected:

Use awk -F: '($2 == "") {print $1}' /etc/shadow to list accounts whose password field is empty (reading /etc/shadow requires root). Use awk -F: '($3 == 0) {print $1}' /etc/passwd to list accounts with UID 0.

Fix what the checks find:

Use passwd <user> to set a password on any account that has none, or lock it with passwd -l <user> if it is not meant to log in. Confirm that root is the only account with UID 0; any other UID 0 account is a second superuser and should be removed unless there is a documented reason for it.

1.3 Add a password policy

Enforce password ageing so that a guessed or leaked password has a limited lifetime.

Operation steps

Use vi /etc/login.defs to edit the configuration file. These values apply to accounts created after the change, not to existing ones:

PASS_MAX_DAYS 90    # maximum number of days a password may be used
PASS_MIN_DAYS 0     # minimum number of days between password changes
PASS_WARN_AGE 7     # days of warning before a password expires

Use the chage command to change the settings of an existing user.

For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <user> sets the maximum password age to 30 days and the minimum to 0, makes the account expire on January 1, 2000, and warns the user seven days before the password expires. Note that -E sets an account expiry date rather than a password age; with a date in the past, as in this example, the account is locked immediately, so substitute the date you actually want. Use chage -l <user> to verify the result.

To lock an account for five minutes after three consecutive wrong passwords, edit the PAM configuration (vi /etc/pam.d/common-auth on Debian and Ubuntu; /etc/pam.d/system-auth and /etc/pam.d/password-auth on RHEL and CentOS) and add auth required pam_tally.so onerr=fail deny=3 unlock_time=300. Note that pam_tally and pam_tally2 were removed in Linux-PAM 1.5.0 and current distributions ship pam_faillock instead; there the equivalent is a pam_faillock.so preauth line before pam_unix.so and an authfail line after it, both with deny=3 unlock_time=300, plus an account required pam_faillock.so line. Test the change from a second session before logging out, because a mistake in a PAM auth file can lock everyone out.
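The three checks from sections 1.2 and 1.3 can be run together as one script. The following is an added example, not code from the original article: it audits copies of /etc/passwd and /etc/shadow for empty passwords, extra UID 0 accounts, and password maximum ages above a limit (90 days here, taken from the PASS_MAX_DAYS value above). The sample passwd and shadow contents are constructed so the script runs without root; pass the real paths to audit a live host.

```shell
#!/bin/sh
# Added example (not from the original article). Audit passwd/shadow files
# for the account problems the article's checks look for.
# Usage on a live host (as root): audit_accounts /etc/passwd /etc/shadow 90

# Accounts whose shadow password field (field 2) is empty: anyone can log in
# with no password. Locked accounts ("!" or "*") are not empty and are skipped.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 (passwd field 3) other than root: a second superuser.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that can log in (password not locked) whose maximum password age
# (shadow field 5) is empty, meaning never expires, or above the limit.
find_stale_max_age() {
    awk -F: -v limit="$2" \
        '$2 !~ /^[!*]/ && ($5 == "" || $5+0 > limit) { print $1 }' "$1"
}

# Print one line per finding and return non-zero if there were any.
audit_accounts() {
    passwd_file=$1; shadow_file=$2; limit=${3:-90}
    findings=0
    for u in $(find_empty_passwords "$shadow_file"); do
        echo "EMPTY-PASSWORD $u"; findings=$((findings + 1))
    done
    for u in $(find_extra_uid0 "$passwd_file"); do
        echo "EXTRA-UID0 $u"; findings=$((findings + 1))
    done
    for u in $(find_stale_max_age "$shadow_file" "$limit"); do
        echo "MAX-AGE-OVER-$limit $u"; findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample data (not from a real host): alice has an empty password,
# backdoor is a second UID 0 account whose password never expires, bin is a
# locked system account and should produce no findings.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$salt$hash:19700:0:90:7:::
bin:*:19700:0:99999:7:::
alice::19700:0:90:7:::
backdoor:$6$salt$hash:19700:0::7:::
EOF

if audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" 90; then
    echo "no findings"
else
    echo "findings present"
fi
```

The max-age check deliberately skips locked accounts, otherwise every system account with a * password and the default 99999-day maximum would be reported and the real findings would be buried.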

1.4 Restrict su

Restrict which users may su to root.

Operation steps

Use vi /etc/pam.d/su to edit the configuration file and add a pam_wheel line. For example, to allow only members of the test group to su to root, add auth required pam_wheel.so use_uid group=test (use_uid makes the group check apply to the user actually running su rather than the original login user). Users outside the group are then refused before the root password is even checked. Note that this does not restrict sudo, which is configured separately in /etc/sudoers.

1.5 Prohibit direct root login

Prevent the root user from logging in directly over SSH.

Operation steps

Create an ordinary (non-root) account with a password and use it for remote logins, switching to root with su or sudo once connected. Then use vi /etc/ssh/sshd_config to set PermitRootLogin to no, save the file, and restart the service with service sshd restart (systemctl restart sshd on systemd hosts). Verify from a second session that the new account can log in and escalate before closing the session you are working in.

2. Service

2.1 Turn off unnecessary services

Turn off services that are not needed (including xinetd-managed services) to reduce the exposed attack surface.

Operation steps

Use systemctl disable <service> so the service no longer starts at boot (add --now to stop it immediately as well). systemctl list-unit-files --state=enabled shows what is currently enabled.

Note: on older systems without systemd (such as CentOS 6), use chkconfig --level <levels> <service> off, for example chkconfig --level 2345 <service> off, to stop the service starting at the listed init runlevels; chkconfig --list shows the current settings.

2.2 SSH service security

Harden the SSH service so that password brute-forcing is less likely to succeed.

Operation steps

Use vim /etc/ssh/sshd_config to edit the configuration file and make the following changes. sshd uses the first occurrence of each keyword, so edit the existing line rather than appending a new one at the end of the file.

Do not allow the root account to log in directly: set PermitRootLogin to no.

Use only SSH protocol version 2: set Protocol to 2. OpenSSH 7.4 and later no longer support protocol 1 and ignore this keyword, so it only matters on older servers.

Reduce the number of authentication attempts allowed per connection (default 6): set MaxAuthTries to 3.

After editing, check the file with sshd -t and restart the sshd service for the change to take effect. Keep your current session open and confirm that a new login works before disconnecting.
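Because sshd takes the first occurrence of a keyword, a hardened line pasted at the bottom of a file that still contains an earlier weaker one changes nothing. The following added example (not code from the original article) reads sshd_config the way sshd does and reports whether the three settings above are in effect. The two sample configuration files are constructed for the example; run audit_sshd_config /etc/ssh/sshd_config to check a live host.

```shell
#!/bin/sh
# Added example (not from the original article). Check an sshd_config file
# for PermitRootLogin, Protocol and MaxAuthTries as sshd would read it:
# first uncommented occurrence wins, matching is case-insensitive, and
# settings inside a Match block are conditional so are not the global value.
# Limitation: only the "Keyword value" form is handled, not "Keyword=value".

# Print the effective global value of a keyword, or nothing if it is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report every setting that does not meet the article's requirements and
# return non-zero if there was at least one.
audit_sshd_config() {
    cfg=$1
    bad=0
    v=$(sshd_effective "$cfg" PermitRootLogin)
    # Unset means the sshd default (prohibit-password on current OpenSSH,
    # yes on old releases); the article asks for an explicit "no".
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', want no"; bad=1; }
    v=$(sshd_effective "$cfg" MaxAuthTries)
    [ -n "$v" ] && [ "$v" -le 3 ] || { echo "MaxAuthTries is '${v:-unset (default 6)}', want 3 or fewer"; bad=1; }
    v=$(sshd_effective "$cfg" Protocol)
    # Only old servers honour Protocol; if it is set, it must not allow SSH-1.
    if [ -n "$v" ] && [ "$v" != "2" ]; then echo "Protocol is '$v', want 2"; bad=1; fi
    return $bad
}

# Constructed sample configurations (not from a real host).
SAMPLE_DIR=$(mktemp -d)
# Weak: the commented-out lines are ignored, the lowercase "permitrootlogin yes"
# is the first live occurrence and wins, and the "PermitRootLogin no" appended
# at the end has no effect. MaxAuthTries is left at its default.
cat > "$SAMPLE_DIR/weak" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin no
permitrootlogin yes
#MaxAuthTries 6
PermitRootLogin no
EOF
# Hardened as in section 2.2; the Match block does not change the global value.
cat > "$SAMPLE_DIR/hardened" <<'EOF'
Protocol 2
PermitRootLogin no
MaxAuthTries 3
Match Address 10.0.0.0/8
    MaxAuthTries 6
EOF

for f in weak hardened; do
    if audit_sshd_config "$SAMPLE_DIR/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
done
```

On a live server, sshd -T (run as root) prints the fully resolved configuration and is the authoritative answer when this parser and the file disagree, for example when Include directives pull in other files.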

3. File system

3.1 Set the umask value

Set a restrictive default umask so that newly created files are not readable by every user on the system.

Operation steps

Use vi /etc/profile to edit the configuration file and add the line umask 027. New files are then created with mode 640 (owner read and write, group read, others nothing) and new directories with mode 750 (group members can also enter and list them, because directories start from 777 rather than 666). Confirm with umask in a fresh login shell. A user can still change the umask for their own session, so this sets a safe default rather than a hard limit.

3.2 Set a login timeout

Close idle login sessions automatically so that an unattended terminal cannot be used by someone else.

Operation steps

Use vi /etc/profile to edit the configuration file and set (or uncomment) the line TMOUT=180, so that an interactive shell that receives no input for three minutes is terminated. Add export TMOUT and readonly TMOUT after it so that the value reaches child shells and users cannot unset it.

4. Log

4.1 syslogd log

Make sure system logging is enabled and configured.

Operation steps

The following logs are enabled by default on most Linux systems:

System log (default): /var/log/messages (or /var/log/syslog on Debian and Ubuntu)
cron log (default): /var/log/cron
Security and authentication log (default): /var/log/secure (or /var/log/auth.log on Debian and Ubuntu)

Note: the configuration file depends on the logging daemon in use: /etc/rsyslog.conf and /etc/rsyslog.d/ for rsyslog, /etc/syslog-ng/syslog-ng.conf for syslog-ng. Check that the daemon is running (systemctl status rsyslog) and that the files above are actually receiving entries.

You can configure more detailed logging, including forwarding to a remote log server, according to your needs.

4.2 Record the login and command history of all users

Use a snippet in /etc/profile to record every user's login and the commands they run, so that a security incident leaves evidence.

Operation steps

1. Open the configuration file:

[root@xxx /]# vim /etc/profile

2. Add the following to the end of the file:

# history
USER=`whoami`
# Source address of this login, taken from the "(host)" column of who;
# empty for a local console login, in which case the hostname is used instead
USER_IP=`who -u am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p'`
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
# One history file per login session, named user@source-address_timestamp
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
# Keep earlier sessions' files private to their owner
chmod 600 /var/log/history/${LOGNAME}/* 2>/dev/null

3. Load the configuration so that it takes effect:

[root@xxx /]# source /etc/profile

Note: / var/log/history is the location where logs are stored and can be customized.

With the above steps, a directory named after each user is created under /var/log/history, and every login session gets its own file, named with the user name, login address and time, containing the commands that user ran in that session (bash writes the file when the shell exits, so a session that is killed may lose its last commands). Treat this as a convenience record rather than a tamper-proof audit trail: a user can unset HISTFILE, start a different shell, or run commands that never appear in history, and /var/log/history is world-writable, so anyone can delete other users' files. For evidence that users cannot alter, pair it with auditd (execve syscall rules) or forward the files to a remote log server.

What is Linux? Linux is a free, freely redistributable UNIX-like operating system: a POSIX-compliant, multi-user, multi-tasking, multi-threaded system with multi-processor support, on which the major Unix tools, applications and network protocols run.

That covers how to check the security compliance of a Linux host and harden the settings that fail the checks.
