What are the 10 skills to enhance Linux security?

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article walks through 10 ways to strengthen the security of a Linux server. Each tip gives the command to run and the reason behind it, so that after reading you have a working understanding of the check, not just the command.

1. Identify unnecessary services

Not every service running on a server is actually needed. Review the list and turn off anything you do not use: every extra daemon is extra attack surface (one more running service can mean a few more exploitable vulnerabilities).

On SysV-init systems (CentOS/RHEL 6 and earlier), list the services that start at runlevel 3:

[afei@afei ~]# /sbin/chkconfig --list | grep '3:on'

Disable a service you do not need, for example ip6tables:

[afei@afei ~]# chkconfig ip6tables off

On systemd distributions (CentOS/RHEL 7 and later, Debian 8+, Ubuntu 15.04+) chkconfig is only a compatibility shim; use systemctl list-unit-files --type=service --state=enabled to see what is enabled, and systemctl disable --now NAME to stop and disable a unit.

Question: why query the services of runlevel 3?

A SysV Linux system has seven runlevels:

Runlevel 0: halt. The default runlevel must never be set to 0, otherwise the system cannot boot normally.

Runlevel 1: single-user mode with root privileges, used for system maintenance; no remote login.

Runlevel 2: multi-user mode without networking services such as NFS.

Runlevel 3: full multi-user mode with networking (including NFS), console command-line login. Server daemons such as httpd are started at this runlevel, which is why it is the one to audit on a server.

Runlevel 4: unused, reserved.

Runlevel 5: like runlevel 3 plus an X11 display manager, i.e. login into a graphical desktop.

Runlevel 6: reboot. The default runlevel must never be set to 6, otherwise the system reboots in a loop.

2. Check the listening network ports

With the netstat command you can see every port that is open for listening and which program opened it. Anything you find that is not needed should be shut down:

[afei@afei ~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2181            0.0.0.0:*               LISTEN      48983/java
tcp        0      0 0.0.0.0:2182            0.0.0.0:*               LISTEN      49051/java

A local address of 0.0.0.0 (or :: for IPv6) means the port is reachable on every interface; a service that is only used locally should bind to 127.0.0.1 instead. On newer systems netstat may not be installed; ss -tulpn from iproute2 shows the same information.
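As an added example (not part of the original article), the following shell script applies the check above to netstat output automatically. It reads lines in the column layout of netstat -tulpn, ignores services bound only to loopback, and reports every listener bound to all interfaces (0.0.0.0 or ::) whose port is not on an allowlist. The sample output and the allowlist of ports 22, 80 and 443 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: find network-reachable
# listeners that are not on an allowlist.

# Constructed sample in the column layout of `netstat -tulpn`.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2201/mysqld
tcp        0      0 0.0.0.0:2181            0.0.0.0:*               LISTEN      48983/java
tcp6       0      0 :::8080                 :::*                    LISTEN      49051/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           801/dhclient'

# Ports that are meant to be reachable from the network (assumed allowlist).
ALLOWED_PORTS="22 80 443"

# audit_listeners: reads netstat-style lines on stdin and prints
# "<proto> <port> <pid/program>" for each socket that listens on every
# interface and whose port is not allowed. Sockets bound to 127.0.0.1 or
# ::1 are skipped because they cannot be reached from the network.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Keep listening TCP sockets and all UDP sockets; skip the header lines.
    $1 ~ /^(tcp|udp)6?$/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
        if ((host == "0.0.0.0" || host == "::") && !(port in ok))
            print $1, port, $NF                # $NF is PID/Program name
    }'
}

# Demo on the constructed sample. Real use: netstat -tulpn | audit_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

On the sample this reports the two java listeners and the DHCP client, but not sshd (allowed) or mysqld (loopback only). Because ss -tulpn uses a different column order, feed this function netstat output only.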

3. Restrict cron

cron runs scheduled jobs on Linux. The files /etc/cron.allow and /etc/cron.deny control which users may create and run crontab jobs. For example:

To allow user afei to use cron, run:

echo afei >> /etc/cron.allow

To deny all users access to cron, run:

echo ALL >> /etc/cron.deny

Note the precedence: if /etc/cron.allow exists, only the users listed in it may use crontab and cron.deny is ignored; cron.deny is consulted only when cron.allow does not exist. So once you have created cron.allow, every user not listed in it is already denied.

4. Restrict reuse of old passwords

The previous password hashes of a Linux user are saved in /etc/security/opasswd:

[root@LAPP-V1159 ~]# cat /etc/security/opasswd
afei:504:4:$1$MVAi/EpJ$iXXkV5r3Hjc8AaK2b5KyQ/,$1$AbpFPYaD$ZKj12lK6qaYUqgQnEdocd0,$1$POabjmzY$F4Cp6aTwN6RRk1KjZWm8A/,$1$LoHe5GHY$QjkLGqABANpLmlQsRB4WE.

(The $1$ prefix shows these older hashes are md5crypt; the sha512 option below makes new passwords use SHA-512.)

To check whether password history is enforced, look at /etc/pam.d/system-auth on RHEL/CentOS/Fedora, or /etc/pam.d/common-password on Ubuntu/Debian/Linux Mint. You need the following two key lines; remember=4 means the last four passwords cannot be reused, and a user who tries gets the error "Password has been already used. Choose another.":

auth     sufficient pam_unix.so nullok try_first_pass
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=4

One caveat: the nullok option allows accounts with an empty password field to log in. Unless you specifically need that, remove nullok (see tip 6 on empty passwords).

5. Check password expiration

The expiry attributes of a user's password can be viewed with chage:

[root@root ~]# chage -l afei
Last password change                                    : Sep 14, 2018
Password expires                                        : Nov 13, 2018
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 60
Number of days of warning before password expires       : 7

To change the expiry attributes, run:

chage -M 60 -W 7 afei

Description: -M 60 means the password is valid for at most 60 days; -W 7 means the user is warned starting 7 days before the password expires.

6. Check for users with empty passwords

An empty password means anyone who knows the user name can log in, which is very dangerous. User names and password hashes are stored in /etc/shadow, one line per user, for example:

admin:$6$YTSkre3DLd4SAZ$Jy9piv/gPezhLrLzMMeUleV8F5DNjP:17765:0:99:5:::
afei:$6$.vMcyE9ss96$YNk2Q5qiS/SAeGCcyEFsmspkC5dr3OXfnN:17788:0:60:7:::

The second field is the password hash; the numbers after it are the expiry attributes from tip 5 (days since the last change, minimum age, maximum age, warning days, inactivity period, account expiry date). To find users whose password field is empty, run:

awk -F: '$2 == "" {print $1}' /etc/shadow

If such a user is found, set a password for them as root with passwd username, or lock the account (tip 7). Remember that an empty field only lets someone log in when PAM allows it with nullok (tip 4), so check that option as well.

7. Lock and unlock a user

Unlike deleting the account, locking only prevents the user from logging in with their password. Run the following commands to lock and unlock a user:

[root@root ~]# passwd -l afei
Locking password for user afei.
passwd: Success
[root@root ~]# passwd -u afei
Unlocking password for user afei.
passwd: Success

Description:

Parameter -l locks the user's password: a "!" is prepended to the hash in /etc/shadow, so no password will match

Parameter -u unlocks the user's password by removing that prefix

Caveat: passwd -l only disables password authentication. A user with an authorized SSH key can still log in. To block the account completely, also expire it with chage -E 0 afei (and chage -E -1 afei to restore it).
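Tips 5, 6 and 7 all come down to reading fields of /etc/shadow. As an added example (not from the original article), this shell script runs all three checks against a shadow file at once: empty password fields, accounts whose password never expires, and locked accounts. The shadow file it creates is constructed with fake hashes so the script runs without root; point audit_shadow at /etc/shadow for real use.

```shell
#!/bin/sh
# Added example, not from the original article: audit a shadow(5) file.
# Field layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved

# make_sample_shadow: writes a constructed shadow file with fake hashes and
# prints its path (the demo never touches the real /etc/shadow).
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:17765:0:99999:7:::
admin:$6$YTSkre3DLd4SAZ$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:17765:0:99:5:::
afei:!$6$.vMcyE9ss96$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:17788:0:60:7:::
guest::17788:0:99999:7:::
daemon:*:17765:0:99999:7:::
EOF
    echo "$f"
}

# Tip 6: users whose password field is empty (anyone can log in as them
# if PAM allows it with nullok).
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Tip 5: users with a usable hash ($...) whose maximum password age
# (field 5) is unset or 99999, i.e. the password never expires.
# "*" and "!" entries are skipped: no password works for them anyway.
never_expiring_users() {
    awk -F: '$2 ~ /^\$/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Tip 7: users locked with passwd -l or usermod -L (hash prefixed with "!").
# A locked password does not stop SSH public-key logins.
locked_users() {
    awk -F: '$2 ~ /^!/ { print $1 }' "$1"
}

# audit_shadow FILE: print a short report of all three checks.
audit_shadow() {
    echo "empty password: $(empty_password_users "$1" | tr '\n' ' ')"
    echo "never expires:  $(never_expiring_users "$1" | tr '\n' ' ')"
    echo "locked:         $(locked_users "$1" | tr '\n' ' ')"
}

# Demo on the constructed file. Real use (as root): audit_shadow /etc/shadow
SAMPLE=$(make_sample_shadow)
audit_shadow "$SAMPLE"
rm -f "$SAMPLE"
```

On the sample file the report names guest (empty password), root (never expires) and afei (locked). The daemon entry with "*" is reported by none of the checks: it is a system account that has never had a password and is not locked in the passwd -l sense.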

8. Disable IPv6

If your network does not use IPv6, disable it so that it is not an unfiltered, unmonitored path into the host. On RHEL/CentOS 6 add the following two lines to /etc/sysconfig/network:

NETWORKING_IPV6=no
IPV6INIT=no

On other distributions the equivalent is the kernel setting net.ipv6.conf.all.disable_ipv6 = 1 in /etc/sysctl.conf (apply with sysctl -p). If IPv6 is in use, leave it enabled and filter it with ip6tables instead; turning it off breaks the services that depend on it.

9. Review logs

Most activity on a Linux server is logged. If something unauthorized happens, such as an illegal login or a scheduled task that should not exist, the logs are where you find the clues. Some of the main files (which ones exist depends on the distribution):

/var/log/messages - general system log and current activity
/var/log/auth.log - authentication log (Debian/Ubuntu)
/var/log/secure - authentication log (RHEL/CentOS)
/var/log/kern.log - kernel log
/var/log/cron.log - crond log (cron jobs)
/var/log/maillog - mail server log
/var/log/boot.log - system boot log
/var/log/mysqld.log - MySQL database server log
/var/log/utmp and /var/log/wtmp - login records (binary; read with who and last)
/var/log/yum.log - yum package log

On systemd hosts the same data is also available through journalctl, for example journalctl -u sshd.
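As an added example (not part of the original article), here is a small shell script that turns the log review into a repeatable check. It summarises failed SSH password attempts per source address from auth.log or secure style lines, flags addresses over a threshold, and lists cron jobs that run programs from temporary directories such as /tmp. The log lines are constructed for the demo and use documentation IP addresses.

```shell
#!/bin/sh
# Added example, not from the original article: simple checks over
# /var/log/secure (RHEL) or /var/log/auth.log (Debian) style lines.

# Constructed sample log lines (documentation IP ranges, fake host name).
SAMPLE_LOG='Sep 14 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep 14 10:01:04 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51240 ssh2
Sep 14 10:01:09 web1 sshd[2203]: Accepted publickey for afei from 198.51.100.7 port 40022 ssh2
Sep 14 10:02:10 web1 sshd[2210]: Failed password for root from 203.0.113.5 port 51250 ssh2
Sep 14 10:03:33 web1 sshd[2215]: Failed password for afei from 198.51.100.7 port 40100 ssh2
Sep 14 10:05:01 web1 CRON[2300]: (afei) CMD (/tmp/.x/run.sh)
Sep 14 10:05:01 web1 CRON[2301]: (root) CMD (/usr/lib/sa/sa1 1 1)'

# failed_logins_by_ip: reads log lines on stdin, prints "<ip> <count>" for
# failed SSH password attempts, most frequent first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# brute_force_sources THRESHOLD: addresses with at least THRESHOLD failures.
brute_force_sources() {
    failed_logins_by_ip | awk -v t="$1" '$2 >= t { print $1 }'
}

# suspicious_cron_jobs: cron jobs whose command lives in a temp directory,
# a common place for dropped malware. Prints "<user> <command>".
suspicious_cron_jobs() {
    awk '/CRON\[[0-9]+\]: \(/ {
            user = $6; gsub(/[()]/, "", user)
            cmd = $0; sub(/.*CMD \(/, "", cmd); sub(/\)$/, "", cmd)
            if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print user, cmd
         }'
}

# Demo on the constructed lines. Real use, for example:
#   brute_force_sources 10 < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_LOG" | suspicious_cron_jobs
```

On the sample, 203.0.113.5 is flagged with three failures while 198.51.100.7 (one failure, then a successful key login) is not, and the afei cron job running /tmp/.x/run.sh is listed. The threshold of 3 is for the demo; on a real host pick one based on your normal failure rate.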

10. Keep the system up to date

Always install newly released fixes, since they close known bugs and vulnerabilities. On Debian/Ubuntu refresh the package index first, then upgrade:

sudo apt-get update && sudo apt-get upgrade

On RHEL/CentOS, list the available updates and then apply them:

yum check-update
yum upgrade

That covers the 10 tips for strengthening Linux security. I hope the above content is useful to you; if you found the article helpful, please share it so that more people can see it.
