2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shares 14 practical Linux system security tips. I hope you get something out of it; let's take a look.
Most users think that Linux is safe by default, and sometimes this is a controversial topic. Linux does have a built-in security model by default, but you need to enable and customize it in order to get a more secure system. Linux is harder to manage, but it is correspondingly more flexible and has more configuration options.
For system administrators, keeping production systems secure and safe from hackers and crackers has always been a challenge. There have also been many attacks on Linux in recent years, so how to build a secure, robust Linux system remains a topic worth exploring. Today I will share, covering all aspects of the system, how I build or strengthen the security of Linux systems in my daily work.
1. Physical security
This is the first step in server security.
For hardware servers, first of all, maintenance should be done by professionals. Second, disable booting from CD/DVD and other removable media. You can also set a BIOS password, and there should be policies to restrict access along with the corresponding process controls.
You can also disable USB storage devices for security purposes:
vim /etc/modprobe.d/stopusb.conf    # modprobe only reads files ending in .conf
install usb-storage /bin/true
Or use the following command to move the USB storage driver out of the module tree (the destination shown is a placeholder):
[root@rs-server ~]# mv /lib/modules/3.10.0-693.el7.x86_64/kernel/drivers/usb/storage/usb-storage.ko.xz /path/to/backup/
2. Keep the system up-to-date
This means making sure the system has no unpatched vulnerabilities: known vulnerabilities should be fixed promptly. Ensure that the system has the latest patches, security fixes, and available kernel.
yum update
yum check-update
3. Principle of minimization
Whether you are installing the system or commonly used software, follow this principle: install the minimum and so reduce the chance of vulnerabilities.
Unnecessary services and ports on the system should be shut down.
[root@rs-server ~]# chkconfig --list | grep "3:on"
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Then turn a service off using the following command:
chkconfig service-name off
4. Login and connection
Linux servers are generally accessed through remote login (SSH). Therefore:
Step 1: do not log in as root unless it is necessary. Use sudo to elevate privileges, and then use system commands to lock the /etc/sudoers file (so that users other than root do not have permission to modify it).
Step 2: modify the SSH configuration file, for example changing the default port number 22 and forbidding root password login (you can also disable root login over SSH entirely), and so on.
[root@rs-server ~]# vim /etc/ssh/sshd_config
#Port 22                   # can be changed to another port number
#PermitRootLogin yes       # change yes to no
#PermitEmptyPasswords no   # uncomment this line
#AllowUsers username       # only the listed users may connect remotely over SSH
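A way to check the Step 2 settings after editing, as an added example that is not part of the original article. The function names effective_value and audit_sshd are hypothetical, the sample configuration is constructed, and Match blocks are not handled.

```shell
#!/usr/bin/env bash
# Added example (not from the article): check an sshd_config file against the
# section 4 recommendations. Match blocks are not handled (assumption).

# effective_value FILE KEYWORD: print the first uncommented value, if any.
# sshd keeps the first value it reads for a keyword; keywords ignore case.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }    # a commented line only documents the default
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one finding per line; no output means all checks pass.
audit_sshd() {
    local f=$1 v
    v=$(effective_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}', expected 'no'"
    v=$(effective_value "$f" PermitEmptyPasswords)
    [ "${v:-no}" = "no" ] || echo "PermitEmptyPasswords is '$v', expected 'no'"
    v=$(effective_value "$f" Port)
    [ "${v:-22}" != "22" ] || echo "Port is the default 22"
    v=$(effective_value "$f" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers is unset, so no per-user restriction applies"
    return 0
}

# Constructed sample: a stock-looking file with one directive enabled by hand.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
#Port 22
#PermitRootLogin yes
PermitRootLogin yes
#PermitEmptyPasswords no
EOF
audit_sshd "$sample_cfg"
rm -f "$sample_cfg"
```

The commented `#PermitRootLogin yes` line is skipped, so the check reports the live `PermitRootLogin yes` that follows it, along with the default port and the missing AllowUsers line.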
5. User management
Linux is a multi-user system, and it divides users into the superuser and ordinary users. The two have different permissions and so can do different things, which makes user management a very important step.
Set the user password:
This is done with the system command passwd. It is generally recommended to use complex passwords, and for the same user to use a different password on each system (a password manager can handle this day to day).
[root@rs-server ~]# passwd mingongge
Changing password for user mingongge.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Temporary user Management:
A temporary user can be deleted after use, or locked after a period of time and unlocked again the next time a login is needed.
Deleting a user is easy: use the system command userdel -r username.
Locking a user actually modifies the user's attributes:
[root@rs-server ~]# usermod -L mingongge
Let's open the terminal and try to log in:
At this point a normal login is no longer possible, which shows that the configuration just made is correct. The next time the user needs to log in, unlock the account with the following command:
[root@rs-server ~]# usermod -U mingongge
# -L lock
# -U unlock
6. File management
File management here refers to the important files that store user information: /etc/passwd and /etc/shadow.
[root@rs-server ~]# stat /etc/passwd
  File: '/etc/passwd'
  Size: 945        Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 17135889    Links: 1
Access: (0644/-rw-r--r--)  Uid: (0/root)   Gid: (0/root)
Access: 2019-08-06 01:14:37.439994172 +0800
Modify: 2019-08-06 01:14:37.440994172 +0800
Change: 2019-08-06 01:14:37.442994172 +0800
 Birth: -
[root@rs-server ~]# stat /etc/shadow
  File: '/etc/shadow'
  Size: 741        Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 17135890    Links: 1
Access: (0000/----------)  Uid: (0/root)   Gid: (0/root)
Access: 2019-08-06 01:14:37.445994172 +0800
Modify: 2019-08-06 01:14:37.445994172 +0800
Change: 2019-08-06 01:14:37.447994172 +0800
 Birth: -
Generally speaking, the file attributes above let you see whether these files have been tampered with. It is therefore recommended that these two files be locked, so that users other than root do not have permission to modify and access them.
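The attribute check described above can be turned into a stored baseline and a comparison, shown here as an added example that is not part of the original article. The function names snapshot and check_baseline are hypothetical, GNU stat and sha256sum are assumed, and the demo runs on a constructed copy rather than the real files.

```shell
#!/usr/bin/env bash
# Added example (not from the article): baseline the attributes of account
# files and report drift. Assumes GNU stat and sha256sum, as on CentOS.

# snapshot FILE...: one line per file: path, mode, owner:group, size, SHA-256.
# mtime is left out on purpose: it can be set back after an edit, while a
# content hash still differs.
snapshot() {
    local f
    for f in "$@"; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a %U:%G %s' "$f")" \
            "$(sha256sum < "$f" | cut -d' ' -f1)"
    done
}

# check_baseline BASELINE FILE...: print "CHANGED: path" for every file whose
# current snapshot line is not in BASELINE. No output means no drift.
check_baseline() {
    local baseline=$1 line
    shift
    snapshot "$@" | while IFS= read -r line; do
        grep -qxF -- "$line" "$baseline" || echo "CHANGED: ${line%% *}"
    done
}

# Demo on a constructed copy, so it runs without root and touches nothing real.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/passwd"
chmod 644 "$demo/passwd"
snapshot "$demo/passwd" > "$demo/baseline"
chmod 666 "$demo/passwd"                          # constructed permission drift
check_baseline "$demo/baseline" "$demo/passwd"    # reports the copy as CHANGED
rm -rf "$demo"
```

On a real host, run snapshot as root against /etc/passwd and /etc/shadow and keep the baseline file somewhere other than the server being checked.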
7. Enable firewall
Use the system firewall to filter inbound and outbound traffic. This is a good strategy for preventing attacks, and the firewall rules can be set one by one, which makes it very powerful. Enabling it is strongly recommended.
8. Management of software packages
Software installed on the system is managed with the RPM package manager. For software installed with the yum or apt-get command, be sure to use the following commands when removing or uninstalling it:
yum -y remove software-package-name
sudo apt-get remove software-package-name
9. Disable Ctrl+Alt+Del restart
On most servers, pressing the Ctrl+Alt+Del key combination restarts the server. This is a serious hazard for production servers and must be disabled, otherwise a single mistaken keypress will have a great impact.
# CentOS 6: disable the Ctrl+Alt+Del restart function
# Method 1:
vi /etc/init/control-alt-delete.conf
#start on control-alt-delete    # comment out this line
# Method 2:
mv /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak
# Note: both methods take effect without restarting the system
For CentOS7, the approach is different:
[root@rs-server ~]# cat /etc/inittab
# inittab is no longer used when using systemd.
#
# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
#
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
#
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
#
# To view current default target, run:
# systemctl get-default
#
# To set a default target, run:
# systemctl set-default TARGET.target
#
The file itself explains where Ctrl-Alt-Delete is handled.
Testing shows that if you comment out the configuration in the file named above, the reboot command itself stops working:
[root@rs-server ~]# ll /usr/lib/systemd/system/ctrl-alt-del.target
lrwxrwxrwx. 1 root root 13 Mar 14 17:27 /usr/lib/systemd/system/ctrl-alt-del.target -> reboot.target
This ctrl-alt-del.target is a symbolic link to reboot.target. So the right way is to move this link to another directory and then reload the configuration for the change to take effect. If you need the feature again, you only have to re-create the symbolic link.
10. Monitor user behavior
If you have a large number of users on your system, it is important to collect information about each user's behavior and the resources their processes consume. This data can be analyzed later when dealing with performance optimization and security issues. But how do you monitor and collect information about user behavior? Two useful tools, 'psacct' and 'acct', can be used to monitor the behavior and processes of users on the system.
[root@rs-server ~]# yum install psacct -y
The method of use is as follows:
ac: user connection time statistics
ac              # display total user connection time
ac -p           # display connection time for each user
ac -d           # display total daily user connection time
ac silence      # display connection time for the specified user
ac -d silence   # display daily connection time for the specified user
sa: output user activity information
sa              # show command execution information for all users
sa -u           # display command execution by user
sa -m           # display command execution by process
sa -p           # display command execution by usage
lastcomm: output recently executed command information
lastcomm            # display all executed commands
lastcomm silence    # display commands executed by the specified user
lastcomm ls         # display executions of the specified command
Other:
last        # view the list of recent successful user logins
last -x     # also show system shutdown, restart and similar information
last -a     # display the IP in the last column
last -d     # resolve IPs to domain names
last -R     # do not show the IP column
last -n 3   # show the last 3 entries
lastb       # view the list of recent failed user logins
Specific examples of use:
[root@rs-server ~]# ac -p
root 71.88
total 71.88
[root@rs-server ~]# sa -u
root 0.00 cpu 1043k mem 0 io accton
root 0.00 cpu 3842k mem 0 io systemd-tty-ask
root 0.03 cpu 72576k mem 0 io pkttyagent
root 0.00 cpu 32112k mem 0 io systemctl
root 0.00 cpu 2674k mem 0 io systemd-cgroups
root 0.07 cpu 37760k mem 0 io ps
root 0.00 cpu 28160k mem 0 io grep
root 0.00 cpu 1080k mem 0 io ac
root 0.14 cpu 0k mem 0 io kworker/u256:0 *
root 0.10 cpu 0k mem 0 io kworker/0:0 *
root 0.02 cpu 0k mem 0 io kworker/0:2 *
[root@rs-server ~]# lastcomm sa
sa root pts/0 0.00 secs Tue Aug 6 02:15
[root@rs-server ~]# last -x
root pts/0 192.168.1.14 Tue Aug 6 00:48 still logged in
root tty1 Tue Aug 6 00:48 still logged in
[root@rs-server ~]# lastb
mingongg ssh:notty 192.168.1.14 Tue Aug 6 01:11 - 01:11 (00:00)
mingongg ssh:notty 192.168.1.14 Tue Aug 6 01:11 - 01:11 (00:00)
btmp begins Tue Aug 6 01:11:27 2019
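The lastb listing above can be summarised per source address and user, shown here as an added example that is not part of the original article. The function names failed_ssh_by_source and sources_over are hypothetical and the sample lines are constructed in the same column layout.

```shell
#!/usr/bin/env bash
# Added example (not from the article): summarise failed SSH logins from
# lastb-style output, using the column layout of the session above.

# failed_ssh_by_source: read lastb output on stdin, print "count host user",
# highest count first. Only ssh:notty records are counted: console failures
# have no host column, so their third field is a weekday, not an address.
failed_ssh_by_source() {
    awk '$2 == "ssh:notty" && NF >= 3 { n[$3 " " $1]++ }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,3
}

# sources_over N: keep only host/user pairs with at least N failures.
sources_over() {
    failed_ssh_by_source | awk -v min="$1" '$1 + 0 >= min + 0'
}

# Constructed sample in lastb format, including a console failure, a blank
# line and the "btmp begins" trailer, none of which should be counted.
sample='mingongg ssh:notty    192.168.1.14     Tue Aug  6 01:11 - 01:11  (00:00)
mingongg ssh:notty    192.168.1.14     Tue Aug  6 01:11 - 01:11  (00:00)
root     ssh:notty    192.0.2.7        Tue Aug  6 01:12 - 01:12  (00:00)
root     tty1                          Tue Aug  6 01:13 - 01:13  (00:00)

btmp begins Tue Aug  6 01:11:27 2019'

printf '%s\n' "$sample" | sources_over 2    # 2 192.168.1.14 mingongg
```

On a live system the input would come from `lastb` run as root, piped into either function.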
11. Check the log regularly
Save the system logs and other important logs on a dedicated log server separate from this server, so that hackers cannot use the logs to analyze and break into the system and applications. The following are common log files:
12. Data backup
The importance of this needs no explanation, especially for important production data, which must be backed up and kept locally, off-site and on different media. At the same time, the integrity and availability of the backups need to be checked regularly.
13. Security tools
Common security scanning tools are a necessity for the system, such as nmap for scanning open ports. For web applications on the system, you can use some open source tools: IBM AppScan, sqlmap, etc. There are also many commercial products of this kind, which I won't introduce here (nobody is paying me for advertising).
For files there are file encryption tools, and for the system there are intrusion detection and vulnerability scanning tools. Whether open source or commercial, choose the tool according to actual needs and what the enterprise can afford.
14. Management
For security management, a good process and management system is also necessary. Otherwise the 13 points above are basically worth nothing: there is a method, but no system to get the method put into practice.
These are the 14 Linux system security tips. Some of them you may already see or use in your daily work; I hope this article helps you learn more.