2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through a set of Linux hardening steps: account and password policy, file permissions, logging, the SSH service and kernel network settings. For each step it gives the file to back up, the change to make and the command that applies it.
Account management
I. Password lockout policy
1. Back up the PAM file first
(1) Red Hat:
# cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
(2) SUSE 9:
# cp -p /etc/pam.d/passwd /etc/pam.d/passwd.bak
(3) SUSE 10:
# cp -p /etc/pam.d/common-password /etc/pam.d/common-password.bak
2. Edit /etc/pam.d/system-auth (SUSE: /etc/pam.d/passwd) and add the following lines; the "auth" line must come before the pam_unix.so auth line, otherwise a successful password check ends the stack before the counter is consulted:
auth     required   pam_tally2.so deny=5 onerr=fail unlock_time=180    # unlock_time in seconds; deny=5 locks the account after five consecutive failures
account  required   pam_tally2.so
# pam_tally2.so ships with Red Hat 5.1 and later; older releases use pam_tally.so. The no_magic_root option belongs to the old pam_tally and is not understood by pam_tally2, which counts root's failures unless magic_root is given. Linux-PAM 1.5 and later have removed pam_tally2; there pam_faillock.so takes the same deny= and unlock_time= options. Inspect the counters with "pam_tally2 --user <name>" and clear a lockout with "pam_tally2 --user <name> --reset".
II. Password lifetime
1. Back up the file:
# cp -p /etc/login.defs /etc/login.defs_bak
2. Edit /etc/login.defs (vi /etc/login.defs) and set the following values (change them if present, add them if not):
PASS_MAX_DAYS 90
PASS_MIN_DAYS 10
PASS_WARN_AGE 7
# These defaults apply only to accounts created afterwards. Existing accounts keep their old values; apply the same limits to them with "chage -M 90 -m 10 -W 7 <username>" and check with "chage -l <username>".
III. Password complexity
1. Red Hat
Edit /etc/pam.d/system-auth and find the line beginning with:
password requisite pam_cracklib.so
Change it to:
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=8
# A negative credit is a minimum count, so this requires at least one digit, one lowercase letter, one uppercase letter and one special character, with a total length of at least 8. RHEL 7 and later replace pam_cracklib.so with pam_pwquality.so, which accepts the same options (they can also live in /etc/security/pwquality.conf). Neither module rejects root's choice of password unless enforce_for_root is added.
2. SUSE: edit /etc/pam.d/passwd on SUSE 9, or /etc/pam.d/common-password on SUSE 10 and later; comment out any existing "password" lines first, then add:
password required  pam_pwcheck.so nullok
password requisite pam_cracklib.so dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=8 use_authtok
password required  pam_unix2.so nullok use_first_pass use_authtok
IV. Delete or lock unneeded accounts
1. Service accounts that are not needed (lp, sync, halt, news, uucp, operator, games, gopher, smmsp, nfsnobody, nobody) should be deleted or locked:
(1) Delete the user:
# userdel username
(2) Lock or unlock the user's password (root only):
# passwd -l username    # lock: prefixes the hash in /etc/shadow with "!" so the password no longer works
# passwd -u username    # unlock: removes the "!"; the original password is valid again
# passwd -d username    # deletes the password entirely; the account becomes passwordless, which is not an unlock and is not what is wanted here
(3) Change the user's login shell to /bin/false (or /sbin/nologin, which prints a message and is what Red Hat uses for its own service accounts):
# usermod -s /bin/false username
Locking the password stops password logins but does not stop cron jobs or su from root, and not every service honours the lock, so change the shell as well. Both steps for the whole list:
for u in lp sync halt news uucp operator games gopher smmsp nfsnobody nobody; do
    passwd -l "$u"
    usermod -s /bin/false "$u"
done
Verify with "passwd -S username" (a second field of LK or L means locked) and "grep ^username: /etc/passwd" for the shell.
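The check behind the list above, as an added example that is not part of the original article: it reads passwd- and shadow-format files given as arguments (the real files, or copies taken for review) and reports every system account that still has a usable password or an interactive shell. The sample data embedded in the script is constructed for the demonstration; on a real host run it as root against /etc/passwd and /etc/shadow.

```bash
#!/bin/bash
# Added example, not from the original article: find system accounts that still
# have a usable password or an interactive shell, the two things the list above
# removes. It reads passwd- and shadow-format files given as arguments, so it
# also works on a saved snapshot. The sample data is constructed.

NOLOGIN_SHELLS=' /bin/false /sbin/nologin /usr/sbin/nologin '

# audit_accounts PASSWD SHADOW
# Prints one "name:finding" line per system account (UID 1-999) that needs
# attention; returns 1 if there were any, 0 if the list is clean.
audit_accounts() {
  passwd_file=$1; shadow_file=$2; found=0
  while IFS=: read -r name _ uid _ _ _ shell; do
    [ "$uid" -eq 0 ] && continue      # root is covered by the SSH and su sections
    [ "$uid" -ge 1000 ] && continue   # regular users are out of scope here
    pw=$(awk -F: -v u="$name" '$1 == u { print $2 }' "$shadow_file")
    case $pw in
      '')        echo "$name:empty password field, logs in without a password"; found=1 ;;
      '!'*|'*'*) ;;                   # locked by passwd -l, or never had a password
      *)         echo "$name:password usable, run: passwd -l $name"; found=1 ;;
    esac
    [ -z "$shell" ] && shell=/bin/sh  # an empty shell field means /bin/sh
    case $NOLOGIN_SHELLS in
      *" $shell "*) ;;
      *) echo "$name:interactive shell $shell, run: usermod -s /bin/false $name"; found=1 ;;
    esac
  done < "$passwd_file"
  return $found
}

# write_sample DIR: constructed passwd/shadow pair with three deliberate problems
# (games has a password and a shell, uucp has an empty password field)
write_sample() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
  cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
lp:*:19000:0:99999:7:::
games:$6$saltsalt$hashhash:19000:0:99999:7:::
uucp::19000:0:99999:7:::
nobody:!!:19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::
EOF
}

# Stand-alone run against the constructed sample
# (real use: audit_accounts /etc/passwd /etc/shadow, as root)
tmp=$(mktemp -d); write_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow" || echo "accounts needing attention found"
rm -rf "$tmp"
```

The empty-password case is reported separately because it is worse than an unlocked account: with an empty hash field the account can log in with no password at all, and "passwd -l" on it produces "!" which is then a locked empty password, so delete or set a password rather than only lock it.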
V. Password reuse restriction
1. Back up whichever file applies:
# cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
# cp -p /etc/pam.d/passwd /etc/pam.d/passwd.bak
# cp -p /etc/pam.d/common-password /etc/pam.d/common-password.bak
2. Create /etc/security/opasswd, where pam_unix keeps the old password hashes, and restrict it to root:
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
3. Edit /etc/pam.d/system-auth (SUSE 9: /etc/pam.d/passwd; SUSE 10 and later: /etc/pam.d/common-password) and append remember=5 to the line "password sufficient pam_unix.so ...", separated by a space, for example:
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
# remember=5 refuses any of the user's last five passwords. Use sha512 instead of md5 on releases that support it (RHEL 6 and later): md5 hashes are cheap to brute-force if /etc/shadow or opasswd ever leaks.
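The five account-management settings above (lockout, aging, complexity, reuse) are easy to get subtly wrong, for instance by leaving out unlock_time or by setting PASS_MAX_DAYS only in login.defs. The following added example, which is not part of the original article, reads a PAM file and a login.defs file given as arguments and prints one FAIL line per gap. It assumes PAM lines with a plain control keyword (required, requisite, sufficient); lines that use the bracketed "[success=1 ...]" control form shift the fields and are not parsed. The sample files are constructed and leave three gaps on purpose.

```bash
#!/bin/bash
# Added example, not from the original article: check the account-policy settings
# of this section (lockout, aging, complexity, reuse) in a PAM file and a
# login.defs file. Point it at /etc/pam.d/system-auth and /etc/login.defs or at
# saved copies. Assumes plain PAM control keywords (required/requisite/sufficient).

# pam_opt FILE MODULE_REGEX OPTION
# Prints OPTION's value from the first active line whose module matches the
# regex (a bare flag prints "set"); prints nothing if it is absent everywhere.
pam_opt() {
  grep -v '^[[:space:]]*#' "$1" | awk -v mod="$2" -v opt="$3" '
    $3 ~ mod {
      for (i = 4; i <= NF; i++) {
        n = split($i, kv, "=")
        if (kv[1] == opt) { print (n > 1 ? kv[2] : "set"); exit }
      }
    }'
}

# logindefs_val FILE KEY: value of KEY in a login.defs-style file
logindefs_val() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_policy PAM_FILE LOGIN_DEFS: one "FAIL ..." line per gap, returns 1 if any
check_policy() {
  pam=$1; defs=$2; fail=0
  v=$(pam_opt "$pam" 'pam_(tally2|faillock)[.]so' deny)
  [ -n "$v" ] && [ "$v" -le 5 ] || { echo "FAIL lockout: deny missing or above 5"; fail=1; }
  v=$(pam_opt "$pam" 'pam_(tally2|faillock)[.]so' unlock_time)
  [ -n "$v" ] || { echo "FAIL lockout: unlock_time missing, locked accounts need a manual reset"; fail=1; }
  v=$(pam_opt "$pam" 'pam_(cracklib|pwquality)[.]so' minlen)
  [ -n "$v" ] && [ "$v" -ge 8 ] || { echo "FAIL complexity: minlen missing or below 8"; fail=1; }
  for c in dcredit lcredit ucredit ocredit; do
    v=$(pam_opt "$pam" 'pam_(cracklib|pwquality)[.]so' "$c")
    [ -n "$v" ] && [ "$v" -le -1 ] || { echo "FAIL complexity: $c must be -1 (one character of that class required)"; fail=1; }
  done
  v=$(pam_opt "$pam" 'pam_unix[.]so' remember)
  [ -n "$v" ] && [ "$v" -ge 5 ] || { echo "FAIL reuse: pam_unix remember missing or below 5"; fail=1; }
  v=$(logindefs_val "$defs" PASS_MAX_DAYS)
  [ -n "$v" ] && [ "$v" -le 90 ] || { echo "FAIL aging: PASS_MAX_DAYS missing or above 90"; fail=1; }
  v=$(logindefs_val "$defs" PASS_MIN_DAYS)
  [ -n "$v" ] && [ "$v" -ge 10 ] || { echo "FAIL aging: PASS_MIN_DAYS missing or below 10"; fail=1; }
  v=$(logindefs_val "$defs" PASS_WARN_AGE)
  [ -n "$v" ] && [ "$v" -ge 7 ] || { echo "FAIL aging: PASS_WARN_AGE missing or below 7"; fail=1; }
  return $fail
}

# write_samples DIR: constructed files; remember= is absent and the aging values are the defaults
write_samples() {
  cat > "$1/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=180
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=8
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
EOF
  cat > "$1/login.defs" <<'EOF'
# constructed login.defs excerpt
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           077
EOF
}

# Stand-alone run (real use: check_policy /etc/pam.d/system-auth /etc/login.defs)
tmp=$(mktemp -d); write_samples "$tmp"
check_policy "$tmp/system-auth" "$tmp/login.defs" || echo "policy gaps found"
rm -rf "$tmp"
```

The module regexes accept pam_faillock and pam_pwquality as well as the modules named in this section, so the same check works on releases where pam_tally2 and pam_cracklib no longer exist.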
=
File permissions and banners
I. Default permissions for new files and directories
1. Back up /etc/profile:
# cp /etc/profile /etc/profile.bak
2. Edit /etc/profile and add at the end:
umask 027
3. Apply it to the current shell:
# source /etc/profile
# umask 027 makes new files 640 and new directories 750, i.e. no access for "other". /etc/profile is read by login shells only; non-login interactive shells read /etc/bashrc, which on Red Hat sets its own umask and needs the same change, and daemons and cron jobs are not affected at all.
II. Minimal permissions on account files
1. Restrict the files that define accounts and services:
# chmod 644 /etc/passwd
# chmod 400 /etc/shadow
# chmod 644 /etc/group
# chmod 644 /etc/services
# chmod 600 /etc/xinetd.conf
# chmod 600 /etc/security
# /etc/passwd, /etc/group and /etc/services must stay world-readable (644): user, group and port name lookups by every process depend on them. /etc/shadow may be 400 or, as Red Hat ships it, 000; only root reads it either way. /etc/security is a directory, not a file; distributions ship it as 755 and the sensitive file inside it (opasswd, see the password reuse section) is restricted individually, so a mode of 600 on the directory itself removes the search bit without gaining anything. Check with "ls -l /etc/passwd /etc/shadow /etc/group" and "ls -ld /etc/security".
III. SSH pre-login banner
1. Create the banner file:
# touch /etc/ssh_banner
# chown root:root /etc/ssh_banner    # owned by root so only root can change the text; 644 so sshd can read it
# chmod 644 /etc/ssh_banner
# echo "Authorized only. All activity will be monitored and reported" > /etc/ssh_banner
The text can be adapted as required.
2. Add the following line to /etc/ssh/sshd_config:
Banner /etc/ssh_banner
3. Check the configuration and restart sshd:
# sshd -t
# /etc/init.d/sshd restart    # systemd releases: systemctl restart sshd
The banner is shown before authentication; it is distinct from /etc/motd, which is shown after a successful login.
IV. Attributes of key files
1. Make the main log file append-only, so that existing entries cannot be edited or truncated, even by root, without first clearing the attribute:
# chattr +a /var/log/messages    # skip if the file does not exist
# Verify with "lsattr /var/log/messages". logrotate cannot rename or truncate an append-only file, so the rotation job must run "chattr -a" before rotating and "chattr +a" on the new file (a prerotate/postrotate script), otherwise rotation fails and the log grows without bound.
=
Logging
I. Forward logs to a remote log server
1. Red Hat: edit /etc/syslog.conf (RHEL 5) or /etc/rsyslog.conf (RHEL 6 and later) and add:
*.*    @<log-server-IP>
# Replace <log-server-IP> with the log server's address. A single "@" sends over UDP port 514, which is unacknowledged and unencrypted; with rsyslog, "@@" sends over TCP so that a dropped connection is at least noticed, and TLS (the gtls driver) should be used where the log server supports it.
2. SUSE: edit /etc/syslog-ng/syslog-ng.conf and add:
destination logserver { udp("192.168.56.168" port(514)); };
log { source(src); destination(logserver); };
# Replace the address with the real log server IP.
3. Restart the syslog service:
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
# RHEL 6: /etc/init.d/rsyslog restart; systemd releases: systemctl restart rsyslog. Confirm delivery by running "logger -t hardening test" on the host and looking for that line on the log server.
II. Record security events in a separate log
1. Red Hat: edit /etc/syslog.conf (RHEL 5.x) or /etc/rsyslog.conf (RHEL 6.x) and add the following line, where /var/adm/messages is the log file:
*.err;kern.debug;daemon.notice    /var/adm/messages
(1) Create the file if it does not exist:
# touch /var/adm/messages
(2) Restrict it so that only root can write it:
# chown root:root /var/adm/messages
# chmod 640 /var/adm/messages
(3) Restart the log service:
# /etc/init.d/syslog restart    # RHEL 6: /etc/init.d/rsyslog restart
2. SUSE: edit /etc/syslog-ng/syslog-ng.conf and add the following, where /var/adm/msgs is the log file:
filter f_msgs { level(err..emerg) or (facility(kern) and level(debug..emerg)) or (facility(daemon) and level(notice..emerg)); };
destination msgs { file("/var/adm/msgs"); };
log { source(src); filter(f_msgs); destination(msgs); };
(1) Create the file if it does not exist:
# touch /var/adm/msgs
(2) Restrict it as above:
# chown root:root /var/adm/msgs
# chmod 640 /var/adm/msgs
(3) Restart the log service:
# /etc/init.d/syslog restart
# A log file with mode 666 can be edited or emptied by any local user, which defeats the purpose of keeping it; the daemon runs as root on these releases, so 640 is enough. In syslog.conf a selector such as kern.debug means "kern at priority debug and above", i.e. everything from the kern facility; the level ranges in the syslog-ng filter express the same thing, whereas a bare level(debug) would match only that one priority.
=
SSH service
I. Prevent root from logging in remotely over SSH
1. Back up:
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
2. Create an ordinary user with a strong password first, so that remote administration remains possible once root is refused (the user then becomes root with su or sudo):
# useradd username
# passwd username
3. Refuse remote root login:
(1) Edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config), uncomment the PermitRootLogin line and set it to no:
PermitRootLogin no    # root cannot authenticate over SSH by any method
(2) Restart the SSH service, keeping the current session open until a new login as the ordinary user has been tested:
# sshd -t
# /etc/init.d/sshd restart    # systemd releases: systemctl restart sshd
4. Allow only SSH protocol version 2
(1) Edit /etc/ssh/sshd_config, uncomment the Protocol line and set it to 2:
Protocol 2
(2) Restart the SSH service:
# /etc/init.d/sshd restart
# sshd uses the first active occurrence of a keyword and ignores later duplicates, so make sure no earlier "PermitRootLogin yes" or "Protocol 2,1" line remains; "sshd -T" prints the values sshd will actually use. OpenSSH 7.4 and later have removed SSH-1 entirely and ignore the Protocol keyword, so that setting only matters on older releases.
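Checking these two settings with grep is unreliable because of how sshd reads its configuration: the first active occurrence of a keyword wins and later duplicates are ignored, keyword names are case-insensitive, the "Key=value" spelling is accepted, and anything after a "Match" line applies only inside that block. The following added example, not part of the original article, resolves a keyword the way sshd does and applies the PermitRootLogin, Protocol and Banner checks from this section to a constructed sample configuration.

```bash
#!/bin/bash
# Added example, not from the original article: report the value sshd will
# actually use for a keyword, then check the settings from this section.
# sshd takes the FIRST active occurrence of a keyword, compares names
# case-insensitively, accepts "Key=value", and limits everything after a
# "Match" line to that block. The sample config is constructed.

# sshd_effective CONFIG KEYWORD: prints the global value, nothing if unset
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { gsub(/[[:space:]]*=[[:space:]]*/, " "); $0 = $0 }   # accept "Key=value" too
    /^[[:space:]]*#/ || NF == 0 { next }                   # comment or blank line
    tolower($1) == "match" { exit }                        # end of the global section
    tolower($1) == key {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")    # strip the keyword
      print; exit
    }' "$1"
}

# check_sshd CONFIG: one FAIL line per setting from this section that is not met
check_sshd() {
  cfg=$1; fail=0
  v=$(sshd_effective "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
  [ "$v" = no ] || { echo "FAIL PermitRootLogin is '${v:-unset, distribution default applies}', want no"; fail=1; }
  v=$(sshd_effective "$cfg" Protocol)
  case ",$v," in *,1,*) echo "FAIL Protocol '$v' still allows SSH-1"; fail=1 ;; esac
  v=$(sshd_effective "$cfg" Banner)
  [ -n "$v" ] && [ "$v" != none ] || { echo "FAIL Banner not configured"; fail=1; }
  return $fail
}

# write_sample FILE: constructed sshd_config with a commented default, a later
# duplicate that sshd ignores, and a Match block whose values must not leak out
write_sample() {
  cat > "$1" <<'EOF'
#PermitRootLogin yes
Port 22
Protocol 2
PermitRootLogin no
PermitRootLogin yes
Banner none
Match User backup
    PermitRootLogin yes
    Banner /etc/ssh_banner
EOF
}

# Stand-alone run (real use: check_sshd /etc/ssh/sshd_config)
tmp=$(mktemp -d); write_sample "$tmp/sshd_config"
echo "PermitRootLogin -> $(sshd_effective "$tmp/sshd_config" PermitRootLogin)"
check_sshd "$tmp/sshd_config" || echo "sshd_config needs changes"
rm -rf "$tmp"
```

On the sample the effective PermitRootLogin is "no" despite the later "yes", and the only finding is the missing banner; "sshd -T" on a real host prints the same effective values and is the authoritative check once the file has been changed.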
=
Other system settings
I. Login timeout
1. Back up:
# cp -p /etc/profile /etc/profile_bak
2. Add the following to /etc/profile (change it if it exists, otherwise add it):
# vi /etc/profile
TMOUT=300         # idle timeout in seconds: bash ends the session after 300 s without input
readonly TMOUT    # otherwise any user can "unset TMOUT" or raise it
export TMOUT
II. Disable core dumps
1. Edit /etc/security/limits.conf (vi /etc/security/limits.conf) and add the following two lines at the end (change them if present):
* soft core 0
* hard core 0
2. The Red Hat /etc/profile contains the line below; it only sets a soft limit, which a user can raise again, and with the hard limit above in place it is redundant and can be commented out:
# ulimit -S -c 0 > /dev/null 2>&1
# Core files can contain passwords and keys that the crashing process held in memory, which is why they are disabled. Verify from a fresh login with "ulimit -Hc" (expected 0). limits.conf is enforced by pam_limits, i.e. for PAM logins only; services started by init are not covered (on systemd releases set DefaultLimitCORE=0 in /etc/systemd/system.conf), and fs.suid_dumpable=0 in sysctl.conf keeps setuid programs from dumping.
III. Post-login banner (/etc/motd)
1. Edit /etc/motd; if the file does not exist, create it:
# touch /etc/motd
2. Write the banner text into it:
# echo "Authorized users only. All activity may be monitored and reported" > /etc/motd
The text can be adapted as required. /etc/motd is shown after a successful login; a warning that must be seen before authentication belongs in the sshd Banner file set up in the earlier section.
IV. Disable the Ctrl+Alt+Del key combination
Edit /etc/inittab and delete, comment out or change this line:
ca::ctrlaltdel:/sbin/shutdown -r -t 4 now
so that it reads:
ca::ctrlaltdel:/bin/true
Run "init q" to make init reread /etc/inittab. On systemd releases /etc/inittab is not read; use "systemctl mask ctrl-alt-del.target" instead.
V. Reject ICMP redirects
1. Back up:
# cp -p /etc/sysctl.conf /etc/sysctl.conf_bak
2. Edit /etc/sysctl.conf and set net.ipv4.conf.all.accept_redirects to 0; set the "default" entry as well so that interfaces added later inherit the setting:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
3. Apply the configuration:
# sysctl -p
# Accepting ICMP redirects lets any host on the local network rewrite this machine's route to a destination, i.e. insert itself as a man-in-the-middle. A host that does not route should not send them either (net.ipv4.conf.all.send_redirects = 0). Check the running value with "sysctl net.ipv4.conf.all.accept_redirects".
VI. Use PAM to restrict su to root to members of the wheel group
1. Edit /etc/pam.d/su (vi /etc/pam.d/su)
(1) Red Hat 4.x (32-bit): add the following two lines at the beginning of the file (change them if present, add them if not):
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required   /lib/security/$ISA/pam_wheel.so use_uid
(2) Red Hat 4.x (64-bit): add the following two lines at the beginning of the file:
auth sufficient /lib64/security/$ISA/pam_rootok.so
auth required   /lib64/security/$ISA/pam_wheel.so use_uid
(3) Red Hat 5.x and 6.x: add the following two lines at the beginning of the file:
auth sufficient pam_rootok.so
auth required   pam_wheel.so use_uid
# PAM fields are separated by any whitespace; tabs are customary but not required. pam_rootok.so lets root su to any account without a password; pam_wheel.so use_uid then refuses su to every caller whose real UID is not in the wheel group. The position matters: placed after the "auth sufficient pam_unix.so" line it would never be reached by a user who knows root's password, because a successful sufficient module ends the stack.
Note: after this change only members of the wheel group can become root with su. To add a user to the group:
# usermod -aG wheel username    # -a appends; "-G wheel" alone replaces all of the user's other supplementary groups
Check membership with "id username" or "getent group wheel".
VII. Disable IP source routing
1. If this check fails, run the following to change the running value on every existing interface:
for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do
    echo 0 > "$f"
done
# This does not survive a reboot. Add "net.ipv4.conf.all.accept_source_route = 0" and "net.ipv4.conf.default.accept_source_route = 0" to /etc/sysctl.conf and run "sysctl -p" to make it permanent. A source-routed packet carries the path it must take, including the return path, which lets an attacker reach or impersonate hosts behind a filtering router; no ordinary host needs to accept them.
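The ICMP-redirect and source-route settings in the two sections above are per interface, and the kernel combines the conf/all entry with each interface's own entry; for accept_redirects on a non-forwarding host a 1 on either side wins, so looking at conf/all alone can miss an interface that still accepts redirects. The following added example, not part of the original article, audits saved "sysctl -a" output (sysctl -a 2>/dev/null > saved.txt) for every interface and prints the lines to add to /etc/sysctl.conf. It goes slightly beyond the text by covering IPv6 and the "default" entries that new interfaces inherit; the sample output is constructed.

```bash
#!/bin/bash
# Added example, not from the original article: audit the accept_redirects and
# accept_source_route settings of every interface from saved "sysctl -a"
# output (sysctl -a 2>/dev/null > saved.txt). Also covers IPv6 and the
# "default" entries. The sample output below is constructed.

# audit_sysctl FILE: prints "FAIL key = value" for every non-zero
# accept_redirects / accept_source_route entry; returns 1 if any were found
audit_sysctl() {
  awk '
    $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.(accept_redirects|accept_source_route)$/ && $3 != 0 {
      print "FAIL " $1 " = " $3; bad = 1
    }
    END { exit bad + 0 }' "$1"
}

# fix_lines FILE: the lines to append to /etc/sysctl.conf for the failing keys.
# Per-interface keys only apply if that interface exists when "sysctl -p" runs,
# so the all/default entries are the ones that make the change permanent.
fix_lines() {
  audit_sysctl "$1" | awk '{ print $2 " = 0" }'
}

# write_sample FILE: constructed "sysctl -a" excerpt; conf/all is clean but the
# default entry, eth0, lo and IPv6 each still have something enabled
write_sample() {
  cat > "$1" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.forwarding = 0
EOF
}

# Stand-alone run (real use: sysctl -a 2>/dev/null > saved.txt; audit_sysctl saved.txt)
tmp=$(mktemp -d); write_sample "$tmp/sysctl.txt"
audit_sysctl "$tmp/sysctl.txt" || { echo "--- add to /etc/sysctl.conf:"; fix_lines "$tmp/sysctl.txt"; }
rm -rf "$tmp"
```

On the sample this reports four entries: default.accept_redirects, eth0.accept_source_route, lo.accept_redirects and the IPv6 all.accept_redirects, none of which a check of net.ipv4.conf.all alone would have shown.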
VIII. Set the host name resolution order
1. Edit /etc/host.conf
# vi /etc/host.conf and make sure it contains the following three settings:
order hosts,bind    # resolve through /etc/hosts first, then through DNS (bind), so a local entry cannot be overridden by a DNS answer
multi on            # return all addresses of a host that appears more than once in /etc/hosts (for example a machine with several NICs)
nospoof on          # after a reverse lookup, check that the forward lookup of the returned name leads back to the same address, and reject the answer otherwise
# On glibc systems the lookup order actually used comes from the hosts line in /etc/nsswitch.conf ("hosts: files dns"), so check that file as well.
IX. Limit the command history
1. Edit /etc/profile and add the following two lines (change them if present):
HISTFILESIZE=5
HISTSIZE=5
2. Apply the configuration:
# source /etc/profile
# HISTSIZE is the number of commands kept in memory, HISTFILESIZE the number written to ~/.bash_history. A short history limits what an attacker who reads the file learns, but it also removes evidence an incident responder would want; where central logging is in place, keeping the history with timestamps (HISTTIMEFORMAT) is the better trade-off. Users can raise these values in their own shell unless the variables are made readonly.
That completes the hardening steps for accounts, passwords, file permissions, logging, the SSH service and kernel network settings.
© 2024 shulou.com SLNews company. All rights reserved.