2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article shows how to harden a Linux system. The content is concise and easy to follow, and I hope the detailed introduction below gives you something useful.
1. Accounts and passwords
1.1 Disable or delete unused accounts
Reduce the number of unused accounts to reduce security risk.
Operation steps
Use the command userdel <username> to delete unnecessary accounts.
Use the command passwd -l <username> to lock unnecessary accounts.
Use the command passwd -u <username> to unlock accounts that are needed again.
1.2 Check special accounts
Check whether there are accounts with an empty password or with root (UID 0) privileges.
Operation steps
1. Check for empty-password and UID 0 accounts to confirm whether any abnormal account exists:
Use the command awk -F: '($2 == "")' /etc/shadow to list accounts with an empty password.
Use the command awk -F: '($3 == 0)' /etc/passwd to list accounts whose UID is 0.
2. Harden the empty-password accounts:
Use the command passwd <username> to set a password for each empty-password account.
Confirm that root is the only account whose UID is 0.
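The two checks above, as an added example that is not part of the original article: the awk one-liners wrapped in shell functions that take file paths and run against constructed copies of /etc/passwd and /etc/shadow (the sample accounts and hashes are made up).

```shell
#!/bin/sh
# Added example, not code from the original article: the two checks of step
# 1.2 wrapped in functions that take file paths, so they can run against
# the constructed copies below or against a backup of the real files.

# Login names whose password field ($2 in /etc/shadow) is empty.
empty_password_accounts() {
    awk -F: '($2 == "") { print $1 }' "$1"
}

# Login names whose UID field ($3 in /etc/passwd) is 0; only root should match.
uid_zero_accounts() {
    awk -F: '($3 == 0) { print $1 }' "$1"
}

# Exit status 0 if root is the only UID-0 account in the passwd file, else 1.
only_root_has_uid_zero() {
    [ -z "$(uid_zero_accounts "$1" | grep -v -x root)" ]
}

# Constructed sample files (not real system data): "toor" is a test account
# that has both an empty password and a duplicate UID of 0.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:test account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$notarealhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
toor::19700:0:99999:7:::
alice:$6$constructed$notarealhash:19700:0:99999:7:::
EOF

# Human-readable report; on a live system pass /etc instead of the sample dir.
audit_accounts() {
    echo "Accounts with an empty password:"
    empty_password_accounts "$1/shadow" | sed 's/^/  /'
    echo "Accounts with UID 0:"
    uid_zero_accounts "$1/passwd" | sed 's/^/  /'
    if only_root_has_uid_zero "$1/passwd"; then
        echo "OK: root is the only UID-0 account"
    else
        echo "WARNING: additional UID-0 account(s) found, investigate them"
    fi
}
audit_accounts "$SAMPLE_DIR"
```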
1.3 Add a password policy
Increase password complexity requirements to reduce the chance of a password being guessed.
Operation steps
1. Use the command vi /etc/login.defs to modify the configuration file:
PASS_MAX_DAYS 90    # maximum number of days a newly created user's password may be used
PASS_MIN_DAYS 0     # minimum number of days a newly created user's password must be kept before it can be changed
PASS_WARN_AGE 7     # number of days before expiry that newly created users are warned
2. Use the chage command to modify the settings of an existing user.
For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> sets the maximum password age for that user to 30 days and the minimum to 0, sets the expiration date to January 1, 2000, and warns the user seven days before the password expires.
3. Lock the account for five minutes after three consecutive wrong passwords. Use the command vi /etc/pam.d/common-auth to modify the configuration file and add the following line to it:
auth required pam_tally.so onerr=fail deny=3 unlock_time=300
1.4 Restrict su
Restrict which users can su to root.
Operation steps
Use the command vi /etc/pam.d/su to modify the configuration file and add a line to it. For example, to allow only members of the test group to su to root, add auth required pam_wheel.so group=test.
1.5 Prohibit direct root login
Prevent the root user from logging in directly.
Operation steps
1. Create an account with normal (non-root) permissions and set a password for it; this account is used for remote login instead of root.
2. Use the command vi /etc/ssh/sshd_config to modify the configuration file, change the value of PermitRootLogin to no, save it, and then restart the service with service sshd restart.
2. Services
2.1 Turn off unnecessary services
Turn off unnecessary services (such as ordinary services and xinetd-managed services) to reduce risk.
Operation steps
Use the command systemctl disable <service> so that the service does not start automatically at boot.
Note: on some older Linux versions (such as CentOS 6), use the command chkconfig --level <levels> <service> off to stop the service from starting automatically at the specified init levels.
2.2 SSH service security
Harden the SSH service so that brute-force password attacks cannot succeed.
Operation steps
Use the command vim /etc/ssh/sshd_config to edit the configuration file:
Do not allow the root account to log in to the system directly:
Set the value of PermitRootLogin to no.
Modify the version of the protocol used by SSH:
Set the value of Protocol to 2.
Modify the number of allowed password errors (default 6):
Set the value of MaxAuthTries to 3.
After the configuration file has been modified, restart the sshd service for the changes to take effect.
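The following added example (not code from the original article) verifies the settings from step 1.3 (/etc/login.defs) and this step (/etc/ssh/sshd_config) in one pass; it runs on constructed sample files written to a temporary directory, and the file paths, key names and expected values are the ones the article gives.

```shell
#!/bin/sh
# Added example, not code from the original article: verify that the values
# recommended in steps 1.3 (/etc/login.defs) and 2.2 (/etc/ssh/sshd_config)
# are in place. Paths are arguments, so it runs on the constructed copies
# below or on a backup of the real files.

# Print every non-comment value of KEY in FILE (first word key, second value).
setting_values() {
    awk -v key="$2" '/^[[:space:]]*#/ || NF == 0 { next } $1 == key { print $2 }' "$1"
}

# check_setting FILE KEY EXPECTED: prints PASS, FAIL or MISSING; status 0 on PASS.
# An absent key is MISSING, not PASS, because the built-in default
# (for example MaxAuthTries 6) then applies instead of the hardened value.
check_setting() {
    values=$(setting_values "$1" "$2")
    if [ -z "$values" ]; then
        echo "MISSING $2 in $1 (expected $3, built-in default applies)"
        return 1
    fi
    for v in $values; do
        if [ "$v" != "$3" ]; then
            echo "FAIL    $2=$v in $1 (expected $3)"
            return 1
        fi
    done
    echo "PASS    $2=$3 in $1"
}

# Constructed samples: PASS_MAX_DAYS still has its default value and
# MaxAuthTries is commented out, so exactly two checks fail.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' 'PASS_WARN_AGE 7' \
    > "$SAMPLE_DIR/login.defs"
printf '%s\n' 'Port 22' '#PermitRootLogin yes' 'PermitRootLogin no' \
    'Protocol 2' '#MaxAuthTries 6' > "$SAMPLE_DIR/sshd_config"

# Run every check from the article; the return status is the failure count.
audit_hardening() {
    dir=$1; failures=0
    for spec in 'login.defs PASS_MAX_DAYS 90' 'login.defs PASS_MIN_DAYS 0' \
                'login.defs PASS_WARN_AGE 7' 'sshd_config PermitRootLogin no' \
                'sshd_config Protocol 2' 'sshd_config MaxAuthTries 3'; do
        set -- $spec
        check_setting "$dir/$1" "$2" "$3" || failures=$((failures + 1))
    done
    echo "$failures setting(s) need attention"
    return $failures
}
audit_hardening "$SAMPLE_DIR" || echo "fix the settings listed above, then re-run"
```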
3. File system
3.1 Set the umask value
Set the default umask value to enhance security.
Operation steps
Use the command vi /etc/profile to modify the configuration file and add the line umask 027, so that the owner of a newly created file has read and write permission, users in the same group have read and execute permission, and other users have no permission.
3.2 Set a login timeout
Set a connection timeout for logged-in sessions to enhance security.
Operation steps
Use the command vi /etc/profile to modify the configuration file and change the commented-out line beginning with TMOUT= to TMOUT=180, i.e. a timeout of three minutes.
4. Logs
4.1 syslogd logs
Enable logging and configure the logs.
Operation steps
The following logs are enabled by default on a Linux system:
System log (default): /var/log/messages
Cron log (default): /var/log/cron
Security log (default): /var/log/secure
Note: some systems use syslog-ng instead; its configuration file is /etc/syslog-ng/syslog-ng.conf.
You can configure more detailed logging according to your needs.
4.2 Record the login and operation logs of all users
Record the login and command history of every user with a script, so that security incidents do not go without evidence.
Operation steps
1. Open the configuration file:
[root@xxx /]# vim /etc/profile
2. Add the following to the configuration file:
    # history logging: one history file per user, login source and login time
    USER=`whoami`
    # source address of the current login; empty for local console sessions
    USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
    if [ "$USER_IP" = "" ]; then
        USER_IP=`hostname`
    fi
    # top-level log directory, writable by every user
    if [ ! -d /var/log/history ]; then
        mkdir /var/log/history
        chmod 777 /var/log/history
    fi
    # per-user directory: write and search only, so users cannot list or read old files
    if [ ! -d /var/log/history/${LOGNAME} ]; then
        mkdir /var/log/history/${LOGNAME}
        chmod 300 /var/log/history/${LOGNAME}
    fi
    export HISTSIZE=4096
    DT=`date +"%Y%m%d_%H:%M:%S"`
    # history file named <user>@<source>_<timestamp> inside the user's directory
    export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
    chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
3. Load the configuration so that it takes effect:
[root@xxx /]# source /etc/profile
Note: /var/log/history is the directory where the logs are stored; it can be changed as needed.
The above is how to harden a Linux system. Have you picked up the knowledge or skills? If you want to learn more skills or broaden your knowledge, you are welcome to follow the industry information channel.