
Example Analysis of Security configuration of Linux/CentOS Server

2025-03-30 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article explains in detail, with worked commands, the security configuration of a Linux/CentOS server. The editor thinks it is very practical and shares it here for reference; I hope you get something out of it.

Linux is an open system: many ready-made programs and tools can be found on the network, which is convenient for users but equally convenient for attackers, who can just as easily find tools to break into a Linux system or steal data from it. However, if the various system functions of Linux are configured carefully and the necessary protective measures are added, an attacker has far less to work with.

Generally speaking, securing a Linux system covers removing unnecessary services, restricting remote access, protecting important data, patching security vulnerabilities, using security tools and running security checks regularly.

This article is a practical reference; it does not cover the principles behind attacks such as IP spoofing, and no security problem is solved by a few lines of commands alone.

These are only the basic hardening steps for a Linux system, written for CentOS 6 with SysV init (service, chkconfig, iptables, pam_tally2); on CentOS 7 and later the systemctl, firewalld and pam_faillock equivalents apply. More content will be added later.

Note: back up every file before modifying it, for example:

# cp /etc/passwd{,.dist}

1. Linux disables users who are not in use

Note: deleting accounts outright is not recommended, since re-adding one when it is needed again is troublesome. Locking the account with usermod -L user or passwd -l user is the alternative, and the cleaner one: passwd(5) defines no comment syntax, so commenting a line out relies on glibc's habit of skipping lines that start with #, which other tools reading the file may not share.

Back up before modification: cp /etc/passwd{,.bak}

vi /etc/passwd and put a # at the start of the user's line to comment it out.

Users that were commented out:

# grep '^#' /etc/passwd
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
#postfix:x:89:89::/var/spool/postfix:/sbin/nologin

Groups that were commented out:

# grep '^#' /etc/group
#adm:x:4:adm,daemon
#lp:x:7:daemon
#uucp:x:14:
#games:x:20:
#gopher:x:30:
#video:x:39:
#dip:x:40:
#ftp:x:50:
#audio:x:63:
#floppy:x:19:
#postfix:x:89:
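Rather than reading /etc/passwd by eye, the accounts this section disables can be found with a short script. The following is an added example and not part of the original article: it lists every account whose shell is still interactive, narrows that to system accounts (UID below UID_MIN, which is 500 on CentOS 6 and 1000 on CentOS 7 and later, an assumption you should set for your release) and prints the lock commands for review. The passwd content at the bottom is a constructed sample, not a real host's file.

```sh
#!/bin/sh
# Added example, not part of the original article: audit a passwd file for
# accounts that still have an interactive login shell, and print the lock
# commands this section describes instead of commenting lines out by hand.
# UID_MIN is 500 on CentOS 6 and 1000 on CentOS 7+; override it as needed.
# The sample passwd content at the bottom is constructed for illustration.

UID_MIN="${UID_MIN:-500}"

# Print "name:uid:shell" for each account whose shell is not a no-login shell.
# Lines commented out with a leading "#" and blank lines are skipped.
interactive_accounts() {
    awk -F: '
        /^#/ || NF < 7 { next }
        $7 !~ /\/(nologin|false)$/ { print $1 ":" $3 ":" $7 }
    ' "${1:-/etc/passwd}"
}

# Restrict the list to system accounts (UID below UID_MIN, excluding root).
unused_system_accounts() {
    interactive_accounts "$1" | awk -F: -v min="$UID_MIN" '$2 < min && $1 != "root"'
}

# Emit, but do not run, the commands that lock each account and give it a
# no-login shell; review the list and paste it into a root shell.
lock_commands() {
    unused_system_accounts "$1" |
        awk -F: '{ printf "passwd -l %s; usermod -s /sbin/nologin %s\n", $1, $1 }'
}

# Constructed sample (not a real host's file).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
#games:x:12:100:games:/usr/games:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sysmgr:x:1001:1001::/home/sysmgr:/bin/bash
EOF

unused_system_accounts "$SAMPLE_PASSWD"
lock_commands "$SAMPLE_PASSWD"
```

On a real host run `unused_system_accounts` with no argument (it then reads /etc/passwd) and check the list before pasting the emitted commands; accounts such as shutdown and halt show up because their special shells are not nologin, which is exactly why the article comments them out.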

2. Linux shuts down unused services

# chkconfig --list | grep '3:on'

Mail service (the company mail server is used instead):

# service postfix stop
# chkconfig --level 2345 postfix off

CUPS, the Unix printing service, useless on a server:

# service cups stop
# chkconfig --level 2345 cups off

cpuspeed adjusts the CPU frequency to save power and is normally only wanted on laptops:

# service cpuspeed stop
# chkconfig --level 2345 cpuspeed off

Bluetooth wireless communication, useless on a server:

# service bluetooth stop
# chkconfig --level 2345 bluetooth off

firstboot runs the initial setup after installation and is useless once the system has started for the first time:

# service firstboot stop
# chkconfig --level 2345 firstboot off

NFS client services (netfs mounts network file systems at boot, nfslock provides NFS file locking), if the server mounts no NFS shares:

# service netfs stop
# chkconfig --level 2345 netfs off
# service nfslock stop
# chkconfig --level 2345 nfslock off

If you want to restore a service, you can do the following:

# service acpid start && chkconfig acpid on

You can also use the setup or ntsysv tool to do the same interactively.
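The list of services to switch off depends on the host's role, so it is easier to maintain an allowlist and let a script compare `chkconfig --list` against it. The following is an added example, not part of the original article: ALLOWED_SERVICES is an assumed baseline for a web-facing host, and the chkconfig output at the bottom is a constructed sample rather than output from a real machine.

```sh
#!/bin/sh
# Added example, not part of the original article: compare `chkconfig --list`
# against an allowlist of the services this host should run and print the
# stop/disable commands for everything else. ALLOWED_SERVICES is an assumed
# baseline; the chkconfig output at the bottom is a constructed sample.
# Real use (as root):   chkconfig --list | services_to_disable | sh

ALLOWED_SERVICES="sshd iptables crond rsyslog network"

# Names of SysV services that start in runlevel 3. A chkconfig line has the
# form "name 0:off 1:off 2:on 3:on 4:on 5:on 6:off" (8 fields); xinetd
# entries have fewer fields and are ignored here.
enabled_in_runlevel3() {
    awk 'NF == 8 && $5 == "3:on" { print $1 }'
}

# Drop names that appear in ALLOWED_SERVICES.
not_allowed() {
    awk -v allowed="$ALLOWED_SERVICES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# One "service X stop; chkconfig --level 2345 X off" line per unwanted service.
services_to_disable() {
    enabled_in_runlevel3 | not_allowed |
        awk '{ printf "service %s stop; chkconfig --level 2345 %s off\n", $1, $1 }'
}

# Constructed sample of `chkconfig --list` on a CentOS 6 host.
SAMPLE_CHKCONFIG='bluetooth   0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond       0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups        0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables    0:off 1:off 2:on  3:on  4:on  5:on  6:off
nfslock     0:off 1:off 2:off 3:off 4:off 5:off 6:off
postfix     0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog     0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd        0:off 1:off 2:on  3:on  4:on  5:on  6:off

xinetd based services:
        rsync:  off
        tftp:   on'

printf '%s\n' "$SAMPLE_CHKCONFIG" | services_to_disable
```

xinetd-managed services (the indented block at the end of the listing) are deliberately left out; they are switched off with `chkconfig tftp off` and do not use runlevels.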

3. Linux disables IPV6

IPv6 was introduced to solve IPv4 address exhaustion, but on servers that have no IPv6 connectivity it is an unused and often unmonitored network path: ip6tables rules are rarely kept in step with the iptables ones, and services bind to :: without anyone noticing. Disabling it removes that exposure and a little administrative overhead; it does not make the network faster. The following steps disable IPv6 completely on CentOS 6.

Linux forbids loading of IPv6 modules:

To stop the system loading the IPv6 module, modify the modprobe settings. For ease of management, create a new configuration file /etc/modprobe.d/ipv6off.conf with the following contents:

alias net-pf-10 off
options ipv6 disable=1

(alias net-pf-10 off on its own stops the module being loaded at all, which can break programs that expect it to be present; options ipv6 disable=1 loads the module with IPv6 switched off, which is the form Red Hat recommends.)

Disable IPv6 networking so that it is not started:

# vi /etc/sysconfig/network
NETWORKING_IPV6=no

Disable IPv6 on the network card so that it runs in IPv4 mode only:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no

Turn off ip6tables:

# chkconfig ip6tables off

Restart the system and verify that it worked:

# lsmod | grep ipv6
# ifconfig | grep -i inet6

If neither command prints anything, IPv6 is off. Note that with options ipv6 disable=1 the module still appears in lsmod (it is loaded but disabled), so the absence of inet6 addresses in ifconfig (or ip -6 addr) is the check that matters. On CentOS 7 and later the equivalent is net.ipv6.conf.all.disable_ipv6 = 1 in /etc/sysctl.conf.

4. Linux iptables rules

Enable the Linux firewall to keep unwanted traffic out. iptables rules filter inbound, outbound and forwarded packets, and can allow or deny specific TCP/UDP ports per source and destination address.

For the setting rules of the firewall, please refer to the blog article iptables setting example.
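As a concrete starting point for the rules this section describes, the following is an added example and is not taken from the article or from the iptables post it links to. It produces a default-deny INPUT ruleset: loopback and established connections are accepted, ssh is reachable only from a management network, a few public TCP ports are open, ping is rate-limited and everything else is logged and dropped. The management network 172.29.73.0/24 and the ssh port 20002 are the values used later in this article; the public ports 80 and 443 are an assumption. By default the commands are only printed so they can be reviewed; `firewall --apply` (as root) executes them and saves them with `service iptables save`.

```sh
#!/bin/sh
# Added example, not taken from the article or the iptables post it links:
# a minimal default-deny INPUT ruleset of the kind section 4 describes.
# The management network 172.29.73.0/24 and the SSH port 20002 are the
# values used later in this article; the public TCP ports are an assumption.
# By default the rules are only printed for review; `firewall --apply` (as
# root) executes them and saves them with the CentOS 6 `service iptables save`.

MGMT_NET="${MGMT_NET:-172.29.73.0/24}"
SSH_PORT="${SSH_PORT:-20002}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"

firewall_rules() {
    # Open the policy first so flushing never strands the current SSH session;
    # the DROP policy is set only after the allow rules are in place.
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
    for p in $PUBLIC_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited ping instead of an outright ban (section 9.1 drops it entirely),
    # then log a sample of what gets dropped and close the door.
    cat <<EOF
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
iptables -P INPUT DROP
EOF
}

firewall() {
    if [ "$1" = "--apply" ]; then
        firewall_rules | sh -e && service iptables save
    else
        firewall_rules
    fi
}

firewall "$@"
```

Apply it from a console or a second session if possible: if the management network or ssh port is wrong, the final `-P INPUT DROP` locks you out, and `service iptables restart` from the console is the way back.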

5. Linux SSH security

If possible, the first thing to do is move ssh from the default port 22 to a high port such as 20002. This does not stop a targeted attacker, but it removes the host from the automated scanners that only try port 22 and so cuts the volume of brute-force login attempts dramatically.

Create recognisable application users such as crm and a system-management user sysmgr:

# useradd -d /apps/crm crm
# passwd crm
# useradd sysmgr
# passwd sysmgr

5.1 Linux only allows members of the wheel group to su

# usermod -aG wheel sysmgr
# vi /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid

Use -aG, not -G alone: usermod -G replaces the user's supplementary groups instead of adding to them. Other users who try to su to root will get "su: incorrect password" even when they type the right password.

5.2 Linux login timeout

Disconnect a user who has been idle for 5 minutes; add to /etc/profile:

export TMOUT=300
readonly TMOUT

5.3 Linux prohibits root from directly logging in remotely

# vi /etc/ssh/sshd_config
PermitRootLogin no

5.4 Linux limits the number of login failures and locks

Add at the top of the auth stack in /etc/pam.d/login (and in /etc/pam.d/sshd, otherwise ssh logins are not counted), together with the matching account line so that the counter is reset after a successful login:

auth     required   pam_tally2.so deny=6 unlock_time=180 even_deny_root root_unlock_time=180
account  required   pam_tally2.so

Six failed logins lock the account for 180 seconds; even_deny_root and root_unlock_time decide whether root is included, set them as needed. pam_tally2 on its own shows the current counters and pam_tally2 --user=NAME --reset unlocks an account by hand. On CentOS 8 and later pam_tally2 has been replaced by pam_faillock.

5.5 Linux login IP restrictions

(Not set here, because it requires binding to a fixed IP address or range.)

A stricter restriction is to allow only certain ssh users from certain source addresses in sshd_config:

## allowed ssh users: sysmgr
AllowUsers sysmgr@172.29.73.*

or use TCP wrappers (sshd on CentOS 6 is built with libwrap; hosts.allow is consulted first and wins):

# vi /etc/hosts.deny
sshd: ALL
# vi /etc/hosts.allow
sshd: 172.29.73.23
sshd: 172.29.73.

6. Linux configuration can only log in using key file

Using key files instead of plain password authentication also greatly improves security (2048-bit RSA is the minimum; 4096-bit RSA or ed25519 is better where the sshd version supports it):

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    // default path, press Enter
Enter passphrase (empty for no passphrase):                  // the passphrase that will be required at login
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 root@ibpak.tp-link.net
The key's randomart image is:
(randomart image omitted)

Rename the public key to authorized_keys and restrict the permissions (with StrictModes, the default, sshd ignores keys whose directory or file is group- or world-writable, so ~/.ssh itself should be mode 700):

$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

Download the private key file id_rsa to the client (rename it to hostname_username_id_rsa so it is easy to identify) and keep it somewhere safe. From then on the username user must log in to this host with this private key and its passphrase, no longer with the account's password. Note that this is the reverse of the usual practice: generating the key pair on the client and copying only the public key to the server (ssh-copy-id) means the private key never travels over the network at all.

In addition, modify /etc/ssh/sshd_config.

Uncomment:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

(RSAAuthentication only concerns SSH protocol 1 and has been removed from newer OpenSSH releases; the other two lines are the ones that matter.)

We require that username users (who can switch to other users, in particular root) log in with the ssh key file, while other ordinary users may still log in with a password. So add the following at the end of sshd_config. It must be the last thing in the file, because every directive after a Match line is conditional; itsection is the administrative user in the author's setup, substitute your own:

Match User itsection
    PasswordAuthentication no

Restart the sshd service

# service sshd restart

One more reminder: keep a copy of this key pair on another machine. Losing the public key on the server, or the private key (or its passphrase) on the client side, means you can no longer log in to the server as the key-only user and so cannot get to root. Test the new key from a second session before closing the one you configured it from.
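Sections 5 and 6 together amount to a checklist for sshd_config, and the checklist is easy to get subtly wrong because sshd uses the first occurrence of a directive and treats everything after a `Match` line as conditional. The following is an added example, not part of the original article: it reads only the global section of a config file, looks up the directive inside a given `Match User` block, and reports each recommended setting as OK or FAIL. The user name itsection and the network 172.29.73.* are the ones used in the article's own examples; the two sample configs are constructed, and the defaults assumed for unset directives are those of the OpenSSH 5.x shipped with CentOS 6.

```sh
#!/bin/sh
# Added example, not part of the original article: check an sshd_config
# against the settings recommended in sections 5 and 6. sshd uses the first
# occurrence of a directive, and everything after a `Match` line is
# conditional, so sshd_global reads only the global section. The user name
# itsection and the network 172.29.73.* come from the article's own examples;
# the two sample configs at the bottom are constructed.

# Effective global value of directive $2 in file $1 (empty if not set).
sshd_global() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Value of directive $3 inside the "Match User $2" block of file $1.
sshd_match_user() {
    awk -v user="$2" -v key="$3" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == user); next }
        inblk && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print OK/FAIL per check for file $1 and the key-only admin user $2; return
# 1 if anything fails. Unset directives are treated as the OpenSSH 5.x
# defaults shipped with CentOS 6 (PermitRootLogin yes, PubkeyAuthentication yes).
audit_sshd_config() {
    f="$1"; admin="$2"; rc=0
    want() {  # want <directive> <expected> <default-when-unset>
        v=$(sshd_global "$f" "$1"); [ -n "$v" ] || v="$3"
        if [ "$v" = "$2" ]; then echo "OK   $1 $v"
        else echo "FAIL $1 is '$v', want '$2'"; rc=1; fi
    }
    want PermitRootLogin no yes
    want PubkeyAuthentication yes yes
    want PermitEmptyPasswords no no
    want Protocol 2 2
    port=$(sshd_global "$f" Port)
    if [ -n "$port" ] && [ "$port" != "22" ]; then echo "OK   Port $port"
    else echo "FAIL Port is ${port:-22}, want a non-default port"; rc=1; fi
    if [ -n "$(sshd_global "$f" AllowUsers)" ]; then echo "OK   AllowUsers restricts logins"
    else echo "FAIL AllowUsers not set"; rc=1; fi
    if [ "$(sshd_match_user "$f" "$admin" PasswordAuthentication)" = "no" ]; then
        echo "OK   Match User $admin forces key authentication"
    else echo "FAIL no 'Match User $admin' block with PasswordAuthentication no"; rc=1; fi
    return $rc
}

# Constructed samples: a CentOS 6 default-like config and the hardened one.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
cat > "$HARD_CONF" <<'EOF'
Port 20002
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers sysmgr@172.29.73.* itsection
Match User itsection
    PasswordAuthentication no
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CONF" itsection || true
echo "== hardened =="; audit_sshd_config "$HARD_CONF" itsection
```

Run it as `audit_sshd_config /etc/ssh/sshd_config itsection` after editing and again after `service sshd restart`; `sshd -T` (OpenSSH 5.1 and later) prints the effective configuration and is the authoritative cross-check for the global values.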

7. Linux reduces history command records

The more command history is kept, the easier maintenance is, but the history also records passwords typed on command lines and the layout of the system, which is useful to an intruder who reads it.

vi /etc/profile

Find HISTSIZE=1000 and change it to HISTSIZE=50.

Or clear the history on every exit with history -c.

Note that this also destroys evidence you would want after an incident; on a monitored server, shipping the history (or auditd records) to the log server is preferable to truncating it.

8. Linux enhances special file permissions

Add the immutable attribute to the following files to prevent them being modified:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
# chattr +i /etc/services     # locks the service/port list so services cannot be added or removed
# chattr +i /etc/pam.d/su
# chattr +i /etc/ssh/sshd_config

Display the attributes of the files:

# lsattr /etc/passwd /etc/shadow /etc/services /etc/ssh/sshd_config

Note: after the chattr changes above you cannot add or delete users, and with /etc/shadow immutable users cannot change their passwords either. The attribute can only be removed with CAP_LINUX_IMMUTABLE (root), so it protects against mistakes and against compromised non-root accounts, not against an attacker who already has root and can run chattr -i.

To add or delete users again, remove the attribute first, for example chattr -i /etc/passwd, make the change, and then set it again (remember to put it back).

9. Linux prevents general network attacks

Network attacks cannot be prevented with a few lines of configuration. The following are simple measures that reduce the likelihood and raise the cost of an attack without stopping it completely.

9.1 Linux bans ping

Blocking ping makes the host invisible to simple ping sweeps and stops it spending cycles answering an echo flood (the packets still arrive and still consume bandwidth). Add the following line to /etc/rc.d/rc.local, or put net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf so that it is applied at boot:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or use iptables to drop incoming echo requests (ICMP type 8; dropping type 0 would only discard the replies to your own pings):

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Forbid pinging other hosts from this machine:

# iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

9.2. Linux prevents IP spoofing

Edit /etc/host.conf and add the following lines:

order hosts,bind    # name resolution order
multi on            # allow hosts to have multiple IP addresses
nospoof on          # reject hosts whose reverse and forward lookups disagree

nospoof only protects the resolver against spoofed host names (it was meant for rlogin/rsh-style host-based trust); it does nothing about packets carrying a forged source address. For those, enable reverse-path filtering with net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf.

9.3 Linux prevents DoS attacks

Setting resource limits for all users of the system, such as the maximum number of processes and open files, limits the damage a runaway or malicious process can do (a local fork-bomb style DoS); it does not protect against DoS attacks from the network.

Add the following lines to /etc/security/limits.conf:

* soft core 0
* soft nproc 2048
* hard nproc 16384
* soft nofile 1024
* hard nofile 65536

core 0 forbids the creation of core files (which can leak memory contents); nproc limits the number of processes a user may run (soft 2048, which the user may raise up to the hard limit 16384); nofile limits the number of files a user may have open at once (soft 1024, hard 65536). * means every user who logs in to the system except root, to which the default entry does not apply.

Then check that the following line exists in /etc/pam.d/login (on CentOS it is already present in /etc/pam.d/system-auth, which login and sshd include):

session required pam_limits.so

The values in limits.conf have to be adjusted to the workload; a web or database server usually needs a higher nofile soft limit than 1024.

10. Linux fixes known security vulnerabilities

Occasionally a devastating vulnerability such as the udev local root hole, Heartbleed, Shellshock or GHOST is disclosed for Linux. If the server is exposed to the public network, it must be patched promptly (yum update, followed by a restart of the affected services or a reboot for kernel and glibc fixes).

11. Linux does log security checks regularly.

Move the logs to a dedicated log server so that an intruder cannot easily alter the local copies. The default log files of a typical Linux system and their uses:

/var/log/messages  - general system log, current activity
/var/log/secure    - authentication log (sshd, su, sudo, PAM) on CentOS; Debian-family systems use /var/log/auth.log instead
/var/log/cron      - crond log (cron tasks)
/var/log/maillog   - mail server log
/var/log/wtmp      - binary record of logins, logouts, boots and shutdowns (read with last)
/var/log/btmp      - failed login attempts (read with lastb)
/var/run/utmp      - users currently logged in (what the w and who commands read)
/var/log/yum.log   - yum package history

Refer to depth parsing CentOS to check intrusions through logs.
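The log check this section calls for is mostly a matter of pulling failed and accepted logins out of /var/log/secure and looking at who was trying what. The following is an added example, not part of the original article or the post it refers to: it counts failed password attempts per source address, flags addresses over a threshold, lists successful logins with their authentication method (so a key-only user such as the article's itsection can be confirmed never to appear with method "password"), and prints suggested block rules for review. The log lines at the bottom are constructed samples in the CentOS 6 syslog format using TEST-NET addresses; with no path argument the functions read the real /var/log/secure.

```sh
#!/bin/sh
# Added example, not part of the original article: pull failed and accepted
# SSH logins out of /var/log/secure so the check in section 11 can be done
# with a command instead of by eye. The log lines at the bottom are
# constructed samples in the CentOS 6 syslog format; the real file is read
# when no path is given (root is needed for that).

# "count ip" for every source address with failed password attempts,
# most active first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "${1:-/var/log/secure}" | sort -rn
}

# Addresses with at least $2 failures (default 3): candidates for an iptables
# block or for cross-checking against the pam_tally2 counters.
suspicious_ips() {
    failed_logins_by_ip "$1" | awk -v min="${2:-3}" '$1 >= min { print $2 }'
}

# "method user ip" for each successful login, so key-only users can be
# verified to never appear with method "password".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "Accepted") m = $(i + 1)
             for (i = 1; i <= NF; i++) if ($i == "for") u = $(i + 1)
             for (i = 1; i <= NF; i++) if ($i == "from") print m, u, $(i + 1)
         }' "${1:-/var/log/secure}"
}

# Suggested block rules for review; nothing is executed here.
block_commands() {
    suspicious_ips "$1" "$2" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Constructed sample of /var/log/secure (TEST-NET addresses, not real traffic).
SAMPLE_SECURE=$(mktemp)
trap 'rm -f "$SAMPLE_SECURE"' EXIT
cat > "$SAMPLE_SECURE" <<'EOF'
Jun  1 10:01:02 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51342 ssh2
Jun  1 10:01:05 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51342 ssh2
Jun  1 10:01:09 web1 sshd[2307]: Invalid user admin from 203.0.113.7
Jun  1 10:01:09 web1 sshd[2307]: Failed password for invalid user admin from 203.0.113.7 port 51360 ssh2
Jun  1 10:01:14 web1 sshd[2307]: Failed password for invalid user admin from 203.0.113.7 port 51360 ssh2
Jun  1 10:02:11 web1 sshd[2315]: Failed password for sysmgr from 172.29.73.23 port 40022 ssh2
Jun  1 10:02:20 web1 sshd[2315]: Accepted password for sysmgr from 172.29.73.23 port 40022 ssh2
Jun  1 10:03:00 web1 sshd[2320]: Failed password for invalid user oracle from 198.51.100.9 port 33110 ssh2
Jun  1 10:03:01 web1 sshd[2320]: Failed password for invalid user oracle from 198.51.100.9 port 33110 ssh2
Jun  1 10:03:02 web1 sshd[2320]: Failed password for invalid user oracle from 198.51.100.9 port 33110 ssh2
Jun  1 10:05:00 web1 sshd[2331]: Accepted publickey for itsection from 172.29.73.23 port 40100 ssh2
EOF

failed_logins_by_ip "$SAMPLE_SECURE"
suspicious_ips "$SAMPLE_SECURE" 3
accepted_logins "$SAMPLE_SECURE"
block_commands "$SAMPLE_SECURE" 3
```

Once logs are forwarded to the log server, run the same functions there against the collected file; that is also where the counts survive if an intruder wipes the local /var/log/secure.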

11.1 Linux installation logwatch

Logwatch is a log analysis tool written in Perl. It analyses the Linux log files and mails a summary to the responsible people; what it reports is customisable.

Logwatch sends its mail through the host's own mail system, so a mail server such as sendmail, postfix or qmail must be installed. (Section 2 stops postfix; for logwatch it has to run, at least for local delivery or as a relay to the company mail server.)

For installation and configuration methods, please see the blog linux log monitoring logwatch.

12.Linux web server security

When configuring server programs such as Apache or Tomcat, consult their documentation for hardening guidance if there are security issues. New articles will be added when time permits.

This is the end of the article on "Example Analysis of Linux/CentOS Server Security Configuration". I hope the above content is helpful; if you think the article is good, please share it so that more people can see it.


© 2024 shulou.com SLNews company. All rights reserved.
