2025-01-15 Update. From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Linux is widely deployed as a server operating system because it is open source, efficient, stable and comparatively secure. That does not make an unmanaged Linux server safe. This article hardens a Linux system from the angle of account security, system boot control and login control, and uses a few auxiliary tools to find security risks so that countermeasures can be taken in time.
Basic security measures:
1. Delete redundant accounts such as "games", including accounts left behind by software packages. If an account is still present after its program has been uninstalled, delete it manually with userdel.
2. When the set of user accounts on the server is fixed and will not change, you can lock the account database files with the immutable attribute. While the attribute is set, users cannot be added and passwords cannot be changed, not even by root:
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow      # lock the files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow         # check whether they are locked
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow      # unlock the files
Note that /etc/group and /etc/gshadow are not covered by this command, and that useradd, passwd and package scripts that need to modify the locked files will fail until the attribute is removed.
3. Password validity control: to reduce the risk of a password being brute-forced or guessed, limit the maximum number of days a password remains valid. A user whose password has expired must set a new one at the next login, otherwise the login is refused.
[root@localhost ~]# vim /etc/login.defs        # applies to users created from now on
PASS_MAX_DAYS   30                             # change the default "99999" to the desired value, e.g. 30 days
[root@localhost ~]# chage -M 30 zhangsan       # applies to an existing user: 30-day validity for zhangsan
[root@localhost ~]# chage -d 0 zhangsan        # force zhangsan to change the password at the next login
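The settings above end up in the ageing fields of /etc/shadow, and that file is where you verify them. The following audit script is an added example, not code from the article: it reads records in shadow(5) format from stdin and reports accounts whose maximum age is unset or too long, accounts with an empty password field, and accounts that will be forced to reset at the next login. The sample records, the placeholder hashes and the user names are constructed for the demo; on a real system feed it "sudo cat /etc/shadow".

```shell
#!/bin/sh
# Added example (not from the article): audit the ageing fields that chage and
# PASS_MAX_DAYS write into /etc/shadow. Input comes from stdin so the functions
# can be run against a constructed sample rather than the live shadow file.
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample data; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$abc:19700:0:99999:7:::
zhangsan:$6$def:19700:0:30:7:::
lisi:$6$ghi:19700:0::::
games:*:19700:0:99999:7:::
wangwu::19700:0:30:7:::
sshd:!!:19700:0:99999:7:::
zhaoliu:$6$jkl:0:0:30:7:::'

# Accounts with a usable password whose maximum age is unset or longer than $1 days
# (default 30). Locked accounts ("!", "!!") and accounts without a password ("*")
# are skipped because ageing is irrelevant for them.
weak_password_ageing() {
    awk -F: -v max="${1:-30}" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > max { print $1 }
    '
}

# Accounts whose password field is empty: these can log in with no password at all
# (unless nullok is disabled in PAM) and must be fixed before ageing even matters.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

# Accounts that will be forced to set a new password at the next login, given
# today's date as days since the epoch ($1, default: computed from date(1)).
# lastchg == 0 is what "chage -d 0" writes; lastchg + max < today means expired.
password_expired() {
    today="$1"
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    awk -F: -v today="$today" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $3 == 0 { print $1; next }
        $5 != "" && $3 + $5 < today { print $1 }
    '
}

# Demo run on the constructed sample.
echo "max age > 30 days or unlimited:"
printf '%s\n' "$SAMPLE_SHADOW" | weak_password_ageing 30
echo "empty password field:"
printf '%s\n' "$SAMPLE_SHADOW" | empty_passwords
echo "must reset at next login (as of day 20000):"
printf '%s\n' "$SAMPLE_SHADOW" | password_expired 20000
```

The expiry check takes "today" as a parameter so the result is reproducible; chage -l prints the same dates in human-readable form for one account at a time.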
4. Command history and automatic logout:
[root@localhost ~]# vim /etc/profile           # applies to users who log in from now on
HISTSIZE=200                                   # keep 200 commands in the history
export TMOUT=600                               # log an idle shell out after 600 seconds
[root@localhost ~]# export HISTSIZE=200        # applies to the current shell only
[root@localhost ~]# export TMOUT=600           # automatic logout after 600 seconds
Note: do not set TMOUT while performing time-consuming work such as compiling code or editing system configuration, or the session may be closed in the middle of it. Run "unset TMOUT" to clear the variable in the current shell when necessary. Conversely, if the timeout is meant to be enforced, declare it with "readonly TMOUT=600" so that users cannot unset it.
Controlling user switching and privilege escalation:
1. The su command: switching users
By default any user may run su, and so has the opportunity to try the login passwords of other users (root in particular) again and again, which is a security risk. To avoid this, allow only a small number of users to switch with su by means of the pam_wheel authentication module. The procedure: add the users authorized to use su to the wheel group, then enable pam_wheel in the /etc/pam.d/su configuration:
[root@localhost ~]# gpasswd -a admin wheel      # add the authorized user
Adding user admin to group wheel
[root@localhost ~]# grep wheel /etc/group       # confirm the wheel group membership
wheel:x:10:admin
[root@localhost ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
...
auth            required        pam_wheel.so use_uid   # remove the leading "#" from this line
After this, only members of the wheel group can use su; root itself is unaffected because pam_rootok.so is listed first. Every switch made with su is still recorded in the security log /var/log/secure, which can be inspected as needed.
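To check that the configuration has the intended effect, the following functions, an added example that is not part of the article, read a pam.d/su file and an /etc/group file and decide whether a given user would get past the pam_wheel line. Both inputs are constructed samples passed as text; the user names admin, zhangsan and lisi are illustrative. Users whose primary group in /etc/passwd is wheel are also accepted by pam_wheel but are not listed in /etc/group, so a complete check would consult /etc/passwd as well.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a user may use su under
# the pam_wheel configuration described above. Inputs are passed as text so the
# functions can be exercised on constructed samples instead of the live system.

# Constructed /etc/pam.d/su after the edit (pam_wheel enforced).
SAMPLE_PAM_SU='#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth        required    pam_wheel.so use_uid
auth        substack    system-auth'

# Constructed /etc/group with two wheel members.
SAMPLE_GROUP='root:x:0:
wheel:x:10:admin,zhangsan
users:x:100:'

# 0 if stdin (a pam.d/su file) contains an active, i.e. uncommented, line that
# requires pam_wheel. The commented "trust" variant does not restrict anyone.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so'
}

# Print the supplementary members of the wheel group from stdin (an /etc/group file).
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# su_permitted USER PAM_SU_TEXT GROUP_TEXT: 0 if USER may invoke su.
# root always passes (pam_rootok.so comes first); otherwise, with pam_wheel
# enforced, only wheel members get past the auth stack.
su_permitted() {
    if [ "$1" = "root" ]; then
        return 0
    fi
    if ! printf '%s\n' "$2" | pam_wheel_enforced; then
        return 0        # no active pam_wheel line: any user may attempt su
    fi
    printf '%s\n' "$3" | wheel_members | grep -qx -- "$1"
}

# Demo on the constructed samples.
for u in root admin zhangsan lisi; do
    if su_permitted "$u" "$SAMPLE_PAM_SU" "$SAMPLE_GROUP"; then
        echo "$u: may use su"
    else
        echo "$u: su denied by pam_wheel"
    fi
done
```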
2. The sudo command: raising execution privileges
With su you can switch to another user easily, but only if you know that user's login password. Switching to root requires the root password, and on a production Linux server every additional person who knows the root password increases the risk. This is the problem sudo was created to solve.
sudo is controlled by authorization records in the /etc/sudoers configuration file. Edit it with the dedicated visudo tool, which locks the file and checks the syntax before saving. If you use vi directly, the file is read-only and you must force the save with ":w!"; a syntax error saved that way can lock everyone out of sudo, so visudo (or "visudo -c" to check an edited file) is preferable.
In the configuration file / etc/sudoers, the basic configuration format of the authorization record is as follows:
user    MACHINE=COMMANDS
The parts mean the following:
user: the user name being authorized, or "%groupname" to authorize every member of a group.
MACHINE: the host name on which this record applies. This field exists so that one sudoers file can be shared among several hosts; on a single server it is usually localhost, ALL or the actual host name.
COMMANDS: the privileged commands the user may run through sudo, written as absolute paths and separated by commas.
[root@localhost ~]# visudo
...
zhangsan    localhost=/sbin/ifconfig
%wheel      ALL=NOPASSWD: ALL
The first record allows zhangsan to run ifconfig on localhost; the second allows every member of the wheel group to run any command on any host without entering a password.
When many users share the same authorization, or when many commands are authorized, define aliases centrally. For example, to allow users user1, user2 and user3 to run rpm and yum on the hosts smtp and pop:
[root@localhost ~]# visudo
User_Alias  OPERATORS = user1, user2, user3          # list of user names
Host_Alias  MAILSVRS = smtp, pop                     # list of hosts
Cmnd_Alias  PKGTOOLS = /bin/rpm, /usr/bin/yum        # list of commands
OPERATORS   MAILSVRS = PKGTOOLS                      # tie the lists together
The command part of a sudo record may use the wildcard "*" and the negation operator "!", which is convenient when you want to authorize every command in a directory and then exclude a few. sudo logging can also be enabled so that operators' actions can be reviewed. For example, to allow zhangsan to run every command under /sbin/ except ifconfig and route, and to turn on logging:
[root@localhost ~]# visudo
zhangsan    localhost=/sbin/*, !/sbin/ifconfig, !/sbin/route
Defaults    logfile="/var/log/sudo"                  # enable logging
Be aware that exclusions of this kind are weak. The sudoers manual itself warns that subtracting commands with "!" is generally ineffective, because sudoers matches on path names and a user can run a copy of the excluded command under another name; in this example the unexcluded /sbin/ip can already do everything ifconfig and route do. Prefer an explicit allow-list of the commands a user actually needs.
Note:
1. The first time a user runs a command through sudo, sudo asks for the user's own password, not root's. Further sudo invocations within 5 minutes of the previous one (the default timestamp_timeout, adjustable with "Defaults timestamp_timeout=N" in sudoers) do not ask again.
2. To see which sudo authorizations a user has, run "sudo -l" as that user (or "sudo -l -U user" as root). If (ALL) ALL appears in the list, the user may run every command as any user, which amounts to full root; if that was not intended, the authorization is wrong. When the record you edited with visudo looks correct but the user still shows (ALL) ALL, check whether the user is a member of the wheel group, since a stock CentOS/RHEL sudoers grants "%wheel ALL=(ALL) ALL". (The pam_wheel module discussed above affects su only, not sudo.)
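The risky patterns from this section (full-root grants, NOPASSWD, and "!" exclusions behind a wildcard or ALL) can be picked out of a sudoers file mechanically. The script below is an added example, not from the article: it reads sudoers text from stdin, skips Defaults and alias definitions, and prints one finding per user specification. The sample file is constructed; aliases are not expanded, so a Cmnd_Alias that expands to ALL would be missed, and the authoritative view of a user's privileges remains "sudo -l -U user".

```shell
#!/bin/sh
# Added example (not from the article): flag risky user specifications in a
# sudoers file read from stdin. Output: "<user> <finding>", one per line.

# Constructed sample, not a real /etc/sudoers.
SAMPLE_SUDOERS='# constructed sample
Defaults    logfile="/var/log/sudo"
User_Alias  OPERATORS = user1, user2, user3
Host_Alias  MAILSVRS = smtp, pop
Cmnd_Alias  PKGTOOLS = /bin/rpm, /usr/bin/yum
root        ALL=(ALL)       ALL
%wheel      ALL=NOPASSWD: ALL
zhangsan    localhost=/sbin/ifconfig
zhangsan    localhost=/sbin/*, !/sbin/ifconfig, !/sbin/route
OPERATORS   MAILSVRS = PKGTOOLS
lisi        ALL=(ALL) ALL'

audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                         # comments and blank lines
        /^[ \t]*(Defaults|[A-Za-z_]*_Alias)/ { next }   # options and alias definitions
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)                 # trailing comment
            eq = index(line, "=")
            if (eq == 0) next                           # not a user specification
            left = substr(line, 1, eq - 1)              # "user host"
            cmds = substr(line, eq + 1)                 # "[(runas)] [TAG:] commands"
            sub(/^[ \t]+/, "", left)
            split(left, who, /[ \t]+/)
            user = who[1]
            gsub(/\([^)]*\)/, "", cmds)                 # drop the runas list, e.g. "(ALL)"
            gsub(/[A-Z]+:/, "", cmds)                   # drop tags such as NOPASSWD:, SETENV:
            gsub(/^[ \t]+|[ \t]+$/, "", cmds)
            if (cmds == "ALL")
                print user " FULL_ROOT"                 # any command, i.e. full root
            if (line ~ /NOPASSWD:/)
                print user " NOPASSWD"                  # no password prompt at all
            if (cmds ~ /!/ && (cmds ~ /\*/ || cmds ~ /(^|[ \t,])ALL([ \t,]|$)/))
                print user " BYPASSABLE_NEGATION"       # "!" carved out of a wildcard/ALL grant
        }'
}

# Demo on the constructed sample (for the real file: sudo cat /etc/sudoers | audit_sudoers).
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

On the sample this reports root, %wheel and lisi as FULL_ROOT, %wheel as NOPASSWD, and the second zhangsan record as BYPASSABLE_NEGATION; the plain "zhangsan localhost=/sbin/ifconfig" record produces no finding.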
Terminal and login control:
1. Restrict the terminals root may log in from:
The login program consults /etc/securetty to decide which terminals root is allowed to log in from. To forbid root from logging in on tty5 and tty6, comment out the corresponding lines in that file:
[root@localhost ~]# vim /etc/securetty
#tty5
#tty6
This file governs local terminal logins through login(1) only; root logins over SSH are controlled separately by PermitRootLogin in /etc/ssh/sshd_config.
2. Prohibit ordinary users from logging in:
When you are debugging the server and do not want any new user sessions, create the file /etc/nologin. The login program checks whether /etc/nologin exists and, if it does, refuses ordinary users (root is not restricted); the file's contents are shown to the refused user, so a maintenance notice can be written into it. This method is recommended only as a temporary measure during maintenance: normal operation resumes as soon as the file is deleted or the host is rebooted. It affects only logins attempted after the file is created; sessions that are already open are not closed.
[root@localhost ~]# touch /etc/nologin
Boot and shutdown security control:
1. Adjust the BIOS boot settings, set a BIOS password, and enable
2. Disable the Ctrl+Alt+Del shortcut that reboots the host:
[root@localhost ~]# systemctl mask ctrl-alt-del.target      # mask the ctrl-alt-del target
Created symlink from /etc/systemd/system/ctrl-alt-del.target to /dev/null.
[root@localhost ~]# systemctl daemon-reload                 # reload the systemd configuration
To re-enable the shortcut later, simply run:
[root@localhost ~]# systemctl unmask ctrl-alt-del.target
Removed symlink /etc/systemd/system/ctrl-alt-del.target.
[root@localhost ~]# systemctl daemon-reload
3. Restrict changes to the GRUB boot parameters:
When the system starts, pressing "e" at the GRUB menu opens the selected boot entry for editing; after changing the kernel parameters the system can be entered without any password, so anyone with console access gets root. This is obviously a serious threat to a server. Set a GRUB password so that only someone who knows it can modify the boot parameters:
[root@localhost ~]# grub2-mkpasswd-pbkdf2                   # enter the password at the prompts (here "123456", for demonstration only)
Enter password:
Reenter password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC3E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD   # the encrypted password string
# back up the related files first so that a mistake in the GRUB menu can be undone
[root@localhost ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
[root@localhost ~]# vim /etc/grub.d/00_header               # add the following after the last "cat" in the file
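The three controls in the login and boot sections above (/etc/securetty, the masked ctrl-alt-del.target and the GRUB password) leave verifiable traces in files, and the script below checks them. It is an added example, not from the article, and it runs against a constructed directory rather than the live paths: a securetty with tty5/tty6 commented out, a ctrl-alt-del.target that is a symlink to /dev/null (which is exactly what "systemctl mask" creates), and a grub.cfg carrying "set superusers" and a "password_pbkdf2" line with a placeholder hash. On a real system the GRUB lines only appear in /boot/grub2/grub.cfg after it is regenerated with "grub2-mkconfig -o /boot/grub2/grub.cfg", so the check also tells you whether that step was done.

```shell
#!/bin/sh
# Added example (not from the article): check the login/boot controls as
# functions that take file paths, so they can be pointed at a constructed copy
# of the configuration instead of /etc and /boot.

# Build a constructed sample directory mirroring a hardened host.
make_sample_dir() {
    d=$(mktemp -d)
    # root allowed on tty1-tty4, forbidden on tty5/tty6 (commented out)
    printf 'console\ntty1\ntty2\ntty3\ntty4\n#tty5\n#tty6\n' > "$d/securetty"
    # masked unit: systemctl mask links the unit name to /dev/null
    ln -s /dev/null "$d/ctrl-alt-del.target"
    # GRUB superuser and a placeholder PBKDF2 hash (not a real hash)
    printf 'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.HASH.SALT\n' > "$d/grub.cfg"
    printf '%s\n' "$d"
}

# root_tty_allowed SECURETTY TTY: 0 if TTY appears as an uncommented whole line.
# -x matches whole lines, so "#tty5" does not count as "tty5".
root_tty_allowed() {
    grep -qx -- "$2" "$1"
}

# cad_masked UNITPATH: 0 if the unit file is a symlink to /dev/null (masked).
cad_masked() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# grub_password_configured GRUBCFG: 0 if a superuser and a PBKDF2 password are set.
grub_password_configured() {
    grep -q '^[[:space:]]*set superusers=' "$1" && grep -q '^[[:space:]]*password_pbkdf2 ' "$1"
}

# nologin_active PATH: 0 if the file exists, i.e. non-root logins are refused.
nologin_active() {
    [ -e "$1" ]
}

# Print one line per control for the files in directory $1.
report() {
    for t in tty1 tty5; do
        if root_tty_allowed "$1/securetty" "$t"; then echo "root on $t: allowed"; else echo "root on $t: denied"; fi
    done
    if cad_masked "$1/ctrl-alt-del.target"; then echo "ctrl-alt-del: masked"; else echo "ctrl-alt-del: active"; fi
    if grub_password_configured "$1/grub.cfg"; then echo "grub password: set"; else echo "grub password: missing"; fi
    if nologin_active "$1/nologin"; then echo "nologin: active"; else echo "nologin: inactive"; fi
}

# Demo on the constructed directory. For the real system point the functions at
# /etc/securetty, /etc/systemd/system/ctrl-alt-del.target, /boot/grub2/grub.cfg
# and /etc/nologin.
SAMPLE_DIR=$(make_sample_dir)
report "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```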