Shulou (Shulou.com), SLTechnology News&Howtos > Development. 05/31 report, updated 2025-02-25.
This article explains the basic security configuration of a Linux server. The commands target a Red Hat-style system with SysV init (chkconfig, /etc/sysconfig, iptables via /etc/sysconfig/iptables); the steps are simple and practical, but try them on a test machine before a production host, because several of them (account deletion, SSH port changes, immutable files) can lock you out if done in the wrong order.
Notes after installation
1. Delete the system's special user accounts
Disable every default account the operating system creates that you do not need, and do this check the first time you install the system. Linux creates a number of accounts you may never use; each one is a potential login path, so remove (or lock) the ones you do not need.
To delete a user:
[root@c1gstudio]# userdel username
Batch deletion of the "adm lp sync shutdown halt mail news uucp operator games gopher ftp" accounts (keep the ftp account if you run an FTP service; before deleting any of them, check whether an installed package still owns files or runs as that user; locking the account instead, with usermod -L and a /sbin/nologin shell, is the safer choice):
for i in adm lp sync shutdown halt mail news uucp operator games gopher ftp; do userdel $i; done
2. Delete the system's special group accounts
[root@c1gstudio]# groupdel groupname
Batch deletion:
for i in adm lp mail news uucp games dip pppusers popusers slipusers; do groupdel $i; done
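The loops above delete accounts blindly. As an added example (not part of the original article), the following script audits a passwd-format file for system accounts that still have a usable login shell and generates the usermod commands that lock them, which is the reversible alternative to userdel. It assumes 499 is the highest system UID (the CentOS 5 convention; check UID_MIN in /etc/login.defs) and works on a constructed sample so it can be run anywhere; point it at a copy of /etc/passwd on the real host.

```shell
#!/bin/sh
# Added example (not from the original article). Rather than deleting the
# default accounts outright, audit a passwd-format file for system accounts
# that still have a usable login shell and generate the commands that lock
# them. Point it at a copy of /etc/passwd first; nothing here modifies the
# system by itself.
set -eu

# Assumption: 499 is the highest system UID on this distribution (CentOS 5
# style). Check UID_MIN in /etc/login.defs and adjust if needed.
SYS_UID_MAX=499

# Print "name:uid:shell" for every non-root account with uid <= SYS_UID_MAX
# whose shell is not nologin or false. An empty seventh field is reported
# too: login(1) treats it as /bin/sh, which is easy to overlook.
system_accounts_with_shell() {   # usage: system_accounts_with_shell PASSWD_FILE
    awk -F: -v max="$SYS_UID_MAX" '
        $3 != 0 && $3 <= max && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }
    ' "$1"
}

# Turn the audit into usermod commands: -L locks the password, -s swaps the
# shell. Review the output before running it (ftp, for example, is needed if
# an FTP service runs here), then pipe it to sh as root.
lock_commands() {                # usage: lock_commands PASSWD_FILE
    system_accounts_with_shell "$1" |
        awk -F: '{ print "usermod -L -s /sbin/nologin " $1 }'
}

# Constructed sample in the format of /etc/passwd (not taken from a real host).
write_sample_passwd() {          # usage: write_sample_passwd OUTFILE
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/etc/news:
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
website:x:500:500::/home/website:/bin/bash
EOF
}

sample=$(mktemp)
write_sample_passwd "$sample"
lock_commands "$sample"          # sync, halt, news and ftp are reported
rm -f "$sample"
```

The news line is the one worth noticing: its shell field is empty, which most people read as "no shell" but which login treats as /bin/sh. The website user (UID 500) is above the cutoff and is left alone.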
3. User password settings
When Linux is installed the default minimum password length is 5 characters, which is too short; set it to 8. Edit /etc/login.defs:
# vi /etc/login.defs
PASS_MAX_DAYS 99999   ## maximum password age (default)
PASS_MIN_DAYS 0       ## minimum password age
PASS_MIN_LEN 5        ## minimum password length: change 5 to 8
PASS_WARN_AGE 7       ## days of warning before a password expires
Note that when passwd is PAM-based (the normal case on Red Hat-style systems), PASS_MIN_LEN is not consulted; the length and complexity rules come from the pam_cracklib (later pam_pwquality) line in /etc/pam.d/system-auth, so set minlen there as well.
Then change the root password:
# passwd root
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
4. Set automatic logout of idle sessions
In Linux the root account has the highest privilege. If an administrator leaves without logging out of a root session, anyone at that terminal inherits it, so the system should log the session out by itself. This is done with the TMOUT shell variable, counted in seconds. Edit /etc/profile and add the following line after "HISTSIZE=":
TMOUT=300
300 seconds is 5 minutes: a logged-in shell that receives no input for 5 minutes is terminated. Also export the variable and declare it readonly (readonly TMOUT) so that a user cannot simply unset it in their own session. TMOUT only affects the interactive shell; a detached screen or tmux session keeps running.
5. Limit the size of the shell command history
By default bash keeps up to 500 commands in the file $HOME/.bash_history (the default varies by system), and every user's home directory has such a file. The author recommends limiting its size, because a history file reveals what an administrator typed, including any passwords passed on a command line. Bear in mind that the same history is also your evidence during an incident; if you rely on it for that, keep it and protect it instead.
Edit /etc/profile and set:
HISTFILESIZE=30 or HISTSIZE=30
# vi /etc/profile
HISTSIZE=30
6. Delete the command history on logout
Edit /etc/skel/.bash_logout and add the following line:
rm -f $HOME/.bash_history
Because /etc/skel is copied into every new home directory, every user created afterwards deletes their command history when they log out.
To apply this only to a particular user, such as root, add the same line to the .bash_logout file in that user's home directory.
7. Add the required groups and user accounts
[root@c1gstudio]# groupadd website    # for example, a group for the website
Check the new group with vigr. Then add the account:
[root@c1gstudio]# useradd -g website username    # put the user in the website group; this is the ordinary administrator for the web server, not root
Check the new user with vipw, then set its password (at least 8 characters, mixed letters and digits; record it in a protected document on the local machine in case it is forgotten):
[root@c1gstudio]# passwd username
8. Restrict who can su to root
If you do not want everyone to be able to su to root, edit /etc/pam.d/su and add the following lines:
# vi /etc/pam.d/su
auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=website
This means only members of the website group can su to root (the usual choice is group=wheel; on newer systems the module path is simply pam_rootok.so and pam_wheel.so). Adding use_uid to the pam_wheel line makes the check use the caller's real UID rather than the login name.
9. Forbid root login over SSH
Edit the sshd configuration so that root cannot log in directly; administrators log in as an ordinary user and then su (section 8). This removes the one account every brute-force attempt tries first.
# vi /etc/ssh/sshd_config
#PermitRootLogin yes
Remove the # in front of this line and change it to:
PermitRootLogin no
sshd uses the first occurrence of a keyword in the file, so edit the existing line rather than appending a new one at the end, and restart the service (service sshd restart) for the change to take effect.
10. Change the sshd listening port
sshd listens on port 22 by default. Moving it to another port, for example 6022, avoids the routine scans that only look at 22. This is obscurity, not protection: it reduces log noise but is no substitute for the settings above.
Note: a mistake here can leave you unable to connect next time. Open ports 22 and 6022 together, confirm that the new port works, and only then close port 22.
Restarting sshd does not drop your current connection, so keep it open and test the service from a second client.
# vi /etc/ssh/sshd_config
#Port 22          # comment out port 22 only after the new port has been tested
Port 6022         # add port 6022
# restart the sshd service
service sshd restart
# check which port sshd is listening on
netstat -lnp | grep ssh
# open port 6022 in iptables
vi /etc/sysconfig/iptables
# add:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6022 -j ACCEPT
# or from the command line:
iptables -A INPUT -p tcp --dport 6022 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6022 -j ACCEPT    # only needed if your OUTPUT policy is DROP; SSH is TCP, not UDP
Restart the iptables service:
service iptables restart
Test that both ports accept connections, then remove port 22.
Detailed reference:
Default port 22 modification method for ssh under linux operating system
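The two sshd_config edits in sections 9 and 10 have a trap the article does not spell out: sshd takes the first occurrence of a single-valued keyword, so a PermitRootLogin no appended below an existing PermitRootLogin yes does nothing, while Port is cumulative and every Port line is listened on. The following added example (my code, not the article's) parses a config file with those rules, reports the effective settings, and adds the new port next to 22 so the cut-over can be tested before 22 is removed. It runs on a constructed sample file; the function names are my own, and sshd -t remains the authoritative syntax check on the real host.

```shell
#!/bin/sh
# Added example (not from the original article). sshd_config keywords are
# case-insensitive and, for single-valued keywords, the FIRST occurrence wins,
# so appending "PermitRootLogin no" below an existing "PermitRootLogin yes"
# changes nothing. Port is the exception: every Port line is listened on.
# These helpers show what sshd will use from a given file, and add the new
# port next to 22 so the cut-over can be tested before 22 is removed.
# "sshd -t" remains the authoritative syntax check on the real host.
set -eu

# First non-comment occurrence of KEYWORD before any Match block.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { print $2; exit }
    ' "$1"
}

# All Port lines; an empty result means the default, 22.
sshd_ports() {       # usage: sshd_ports FILE
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port"  { print $2 }' "$1"
}

# Step 1 of the port move: list NEWPORT in addition to what is there now.
# If no Port line exists, 22 is written explicitly so it stays open.
sshd_add_port() {    # usage: sshd_add_port FILE NEWPORT
    if sshd_ports "$1" | grep -qx "$2"; then
        return 0                          # already listed, nothing to do
    fi
    if [ -z "$(sshd_ports "$1")" ]; then
        printf 'Port 22\n' >> "$1"
    fi
    printf 'Port %s\n' "$2" >> "$1"
}

# True only when root login is actually disabled, whatever the last line says.
root_login_disabled() {   # usage: root_login_disabled FILE
    [ "$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ]
}

# Constructed sample: the article's edit done wrong, appended instead of edited.
write_sample_sshd_config() {   # usage: write_sample_sshd_config OUTFILE
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin yes
#PermitRootLogin no
PermitRootLogin no
EOF
}

cfg=$(mktemp)
write_sample_sshd_config "$cfg"
printf 'effective PermitRootLogin: %s\n' "$(sshd_effective "$cfg" PermitRootLogin)"   # yes
sshd_add_port "$cfg" 6022
printf 'ports: %s\n' "$(sshd_ports "$cfg" | tr '\n' ' ')"   # 22 6022
rm -f "$cfg"
```

On a live host run root_login_disabled /etc/ssh/sshd_config after the edit; if it fails, the earlier PermitRootLogin line is the one to change. On OpenSSH 6.8 and later, sshd -T prints the fully resolved configuration and is the simpler check.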
11. Turn off services the system does not use
cd /etc/init.d    # the directory of SysV init startup scripts
There are two ways to stop a service from starting from the init directory:
First, rename the script under /etc/init.d to something like name.old; the init system then cannot find the startup file for that service. (This is crude: chkconfig and the package manager lose track of the script.)
Second, use the chkconfig command to turn the service off at the system's startup runlevels.
Note: whichever method you use, first confirm that the service is not one this particular server needs, so that you do not stop something that is in normal use.
Use the chkconfig command to turn off unused services (note the two dashes before --level). To know how many processes are running before you change the startup scripts, type:
ps aux | wc -l
After changing the startup scripts, reboot and run the same command again to see how many fewer there are. The fewer services running, the smaller the attack surface. Also check what is still listening on the network:
netstat -na --ip
Stop the services in batch first (microcode_ctl is left out of the loop because it is in the keep list below):
for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd; do service $i stop; done
Then turn them off at boot:
for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd; do chkconfig $i off; done
The following is the manual method with an explanation of each service; there is no need to run it if you used the batch loop.
chkconfig --level 345 apmd off        ## power management, only laptops need it
chkconfig --level 345 netfs off       ## NFS client
chkconfig --level 345 yppasswdd off   ## NIS server; this service has had many vulnerabilities
chkconfig --level 345 ypserv off      ## NIS server; likewise
chkconfig --level 345 dhcpd off       ## DHCP server
chkconfig --level 345 portmap off     ## required by RPC services such as NFS and NIS
chkconfig --level 345 lpd off         ## print service
chkconfig --level 345 nfs off         ## NFS server; many vulnerabilities
chkconfig --level 345 sendmail off    ## mail service; many vulnerabilities
chkconfig --level 345 snmpd off       ## SNMP; a remote user can obtain a lot of system information from it
chkconfig --level 345 rstatd off      ## avoid the r services; a remote user can obtain a lot of information from them
chkconfig --level 345 atd off         ## one-shot scheduled jobs, similar to cron
Note: the 3, 4 and 5 in the chkconfig commands above are runlevels. The numbers mean:
0: halt (do not switch to this level)
1: single-user mode, text interface
2: multi-user mode, text interface, without the network file system (NFS)
3: multi-user mode, text interface, with NFS
4: unused; some Linux distributions use this level to enter X Windows
5: some Linux distributions use this level to enter X Windows
6: reboot
If you use on and off without --level, the change applies by default to runlevels 3, 4 and 5 only.
chkconfig cups off             # printing
chkconfig bluetooth off        # Bluetooth
chkconfig hidd off             # Bluetooth input devices
chkconfig ip6tables off        # IPv6 firewall
chkconfig ipsec off            # VPN
chkconfig auditd off           # the Linux audit daemon; turning it off discards the audit log, so keep it if you rely on auditing
chkconfig autofs off           # automatic mounting of CD-ROM, floppy and similar media
chkconfig avahi-daemon off     # zero-configuration networking; normally useless on a server
chkconfig avahi-dnsconfd off   # zero-configuration networking; as above, recommended off
chkconfig cpuspeed off         # dynamic CPU frequency scaling; recommended off on a server
chkconfig isdn off             # ISDN
chkconfig kudzu off            # hardware detection at boot
chkconfig nfslock off          # NFS file locking; only needed when sharing files over NFS
chkconfig nscd off             # cache for password and group lookups; needed with NIS
chkconfig pcscd off            # smart-card support; off if there is no reader
chkconfig yum-updatesd off     # yum update checker
chkconfig acpid off
chkconfig firstboot off
chkconfig mcstrans off         # SELinux
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig setroubleshoot off
chkconfig xfs off              # X font server
chkconfig xinetd off
chkconfig messagebus off
chkconfig gpm off              # console mouse
chkconfig restorecond off      # SELinux
chkconfig haldaemon off
chkconfig sysstat off
chkconfig readahead_early off
chkconfig anacron off
Services to keep
crond, irqbalance, microcode_ctl, network, sshd, syslog (microcode_ctl loads CPU microcode at boot; if the batch loop above turned it off, re-enable it with chkconfig microcode_ctl on)
Because some of these services are already running, reboot after the change, or stop them individually with service <name> stop as in the batch loop.
chkconfig
Syntax: chkconfig [--add] [--del] [--list] [service] or chkconfig [--level <levels>] [service] [on|off|reset]
Note: chkconfig is a Red Hat program released under the GPL. It queries and sets which system services the operating system starts at each runlevel, including the services managed by xinetd.
Parameters:
--add   puts the named service under chkconfig management and creates the runlevel entries for it.
--del   removes the named service from chkconfig management and deletes its runlevel entries.
--level specifies the runlevels at which the service should be turned on or off.
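Once the keep list is settled, the useful check is "what is still enabled that is not on the list", run again after every update. The following added example (my code, not the article's) parses the output of chkconfig --list against the article's keep list and prints the services enabled at runlevel 3 or 5 that are not on it, plus the stop/off pair for each. It runs on a constructed sample; on the host, save chkconfig --list to a file and pass that instead. The keep list assumes a headless web server and should be extended with whatever the machine actually serves.

```shell
#!/bin/sh
# Added example (not from the original article). Compare the output of
# `chkconfig --list` with the short keep list the article ends up with and
# print every service that is still enabled at runlevel 3 or 5 but is not on
# that list. Run it on the host as:  chkconfig --list > /tmp/cc.txt
# and review the result before stopping anything.
set -eu

# The article's keep list. Assumption: the host is a headless web server;
# add to this list anything the machine actually serves.
KEEP="crond irqbalance microcode_ctl network sshd syslog"

# chkconfig --list lines look like:
#   sshd   0:off  1:off  2:on  3:on  4:on  5:on  6:off
# xinetd services ("name: on/off") have fewer fields and are skipped here.
unexpected_services() {   # usage: unexpected_services LISTFILE
    awk -v keep=" $KEEP " '
        NF >= 7 && $1 !~ /:$/ {
            on = 0
            for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
            if (on && index(keep, " " $1 " ") == 0) print $1
        }
    ' "$1"
}

# The stop + disable pair the article runs by hand, one line per service.
disable_commands() {      # usage: disable_commands LISTFILE
    unexpected_services "$1" |
        awk '{ printf "service %s stop; chkconfig %s off\n", $1, $1 }'
}

# Constructed sample in chkconfig --list format (not from a real host).
write_sample_chkconfig() {   # usage: write_sample_chkconfig OUTFILE
    cat > "$1" <<'EOF'
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen-dgram:  off
        rsync:          on
EOF
}

list=$(mktemp)
write_sample_chkconfig "$list"
disable_commands "$list"    # acpid, portmap and sendmail
rm -f "$list"
```

The xinetd section is deliberately skipped because those entries are only meaningful while xinetd itself is enabled; if xinetd stays on, add a second pass over the "name: on" lines.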
12. Stop the system responding to ping requests, internal or external
A machine that does not answer ping is invisible to the crudest sweeps. This is optional: it also blinds your own monitoring and does nothing against a port scan, so many administrators skip it. To apply it at every boot, add the following command to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all    # you do not have to do this
13. Edit the /etc/host.conf file
/etc/host.conf controls how the resolver orders its lookups. Edit it (vi /etc/host.conf) and add the following lines:
# look names up in /etc/hosts first, then fall back to DNS
order hosts,bind
# we have machines with multiple IP addresses
multi on
# check for IP address spoofing
nospoof on
The first setting resolves names through /etc/hosts first and then through DNS, in the order the keywords are listed (the comment in some copies of this recipe says the reverse; the keyword order is what counts). The second setting allows a host in /etc/hosts to have several IP addresses (for example several Ethernet interfaces). The third tells the resolver to check that a reverse lookup's result resolves back to the same address, a basic defence against spoofed host names.
14. Restrict which consoles root can log in from
The /etc/securetty file defines the tty devices root may log in from. Edit it and put a # in front of each tty you no longer need root to log in from.
In /etc/inittab there is the following section:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
By default six virtual consoles are available (Alt+F1, Alt+F2, ...). Putting # in front of lines 3, 4, 5 and 6 leaves two consoles, which is enough and worth keeping. Then make init re-read the file (init q) for the change to take effect.
15. Disable the Ctrl-Alt-Delete reboot shortcut
Comment out the following line in /etc/inittab with #:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
For this change to take effect, make init re-read the file:
# /sbin/init q
16. Make the account files immutable with chattr
[root@c1gstudio]# chattr +i /etc/passwd
[root@c1gstudio]# chattr +i /etc/shadow
[root@c1gstudio]# chattr +i /etc/group
[root@c1gstudio]# chattr +i /etc/gshadow
[Note: chattr changes file attributes. The i attribute makes the file immutable: it cannot be modified, deleted or renamed, even by root, until the attribute is cleared. Check with lsattr /etc/passwd; clear with chattr -i /etc/group. Remember to clear it before useradd, passwd, groupadd or a package update that touches these files, or those commands will fail.]
Additional note: chattr changes the attributes of files and directories on ext2 (and ext3) filesystems. The attributes are:
a: append only, the file can only be opened for appending. A: the access time is not updated. c: the file is stored compressed. d: the file is excluded from dump. i: immutable. s: secure deletion, blocks are zeroed when the file is deleted. S: changes are written synchronously. u: undeletable, the contents are kept so the file can be recovered.
Parameters:
-R   recursive; process the directory and everything under it. -v   set the file version. -V   verbose. +   add the attribute. -   remove the attribute. =   set exactly the listed attributes.
17. Lock the system service port list
Purpose: prevent unauthorized additions to or deletions from the port-to-service table.
chattr +i /etc/services    [check with lsattr /etc/services; undo with chattr -i /etc/services]
18. Adjust system file permissions
Security of the Linux filesystem rests on file permissions. Every file or directory carries three sets of permissions, for its owner, its group and everyone else (read, write, execute, plus the setuid and setgid bits). Pay special attention to executables with the setuid or setgid bit: while they run, the process carries the privileges of the file's owner or group rather than the caller's. If an attacker finds an exploitable flaw in one of them, it becomes a privilege-escalation path.
(1) Restrict the init scripts:
chmod -R 700 /etc/init.d/*    (recursive; owner rwx, group none, others none)
(2) Remove the setuid and setgid bits from these system binaries:
chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /sbin/netreport
Without the bit, unprivileged users can no longer run these (mount, for instance, only works as root), which is acceptable on a server. Package updates restore the bits, so repeat the step after updates; rpm -V <package> reports files whose mode differs from what the package recorded.
(3) Protect the boot loader configuration:
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf    [check with lsattr /etc/grub.conf; undo with chattr -i /etc/grub.conf]
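The fixed chmod a-s list above goes stale: updates put the bits back and new packages bring their own. As an added example (my code, not the article's), the following helpers list every setuid or setgid file under a directory, save that as a baseline after hardening, and later report only the files whose bit is new, emitting the article's chmod a-s for each. The function names are my own, and the demo runs on a constructed directory tree rather than on /; on a real host run save_baseline as root against / and keep the baseline file off the machine.

```shell
#!/bin/sh
# Added example (not from the original article). The article strips the
# setuid/setgid bits from a fixed list of binaries; package updates put them
# back and other packages add their own. These helpers list every setuid or
# setgid file under a directory and diff the result against a saved baseline,
# so the job becomes "review what changed" instead of "remember the list".
set -eu

# Every regular file with the setuid (4000) or setgid (2000) bit set,
# staying on one filesystem (-xdev) so /proc and network mounts are skipped.
find_setid() {        # usage: find_setid DIR
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Save today's list as the baseline (run once after hardening, as root on /).
save_baseline() {     # usage: save_baseline DIR BASELINE_FILE
    find_setid "$1" > "$2"
}

# Files that are setid now but were not in the baseline: new or restored bits.
new_setid_files() {   # usage: new_setid_files DIR BASELINE_FILE
    find_setid "$1" | comm -13 "$2" -
}

# The article's fix, applied to whatever the diff reports. Print only; pipe
# to sh as root after review (passwd, su and sudo must keep their bit).
strip_commands() {    # usage: strip_commands DIR BASELINE_FILE
    new_setid_files "$1" "$2" | awk '{ print "chmod a-s " $0 }'
}

# Constructed demo tree instead of a real / (not taken from any host).
make_demo_tree() {    # usage: make_demo_tree DIR
    mkdir -p "$1/bin" "$1/usr/bin"
    : > "$1/bin/mount";        chmod 4755 "$1/bin/mount"
    : > "$1/usr/bin/newgrp";   chmod 2755 "$1/usr/bin/newgrp"
    : > "$1/usr/bin/plain";    chmod 0755 "$1/usr/bin/plain"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
base=$(mktemp)
save_baseline "$demo" "$base"
: > "$demo/usr/bin/restored"; chmod 4755 "$demo/usr/bin/restored"   # an update brought a bit back
strip_commands "$demo" "$base"     # chmod a-s .../usr/bin/restored
rm -rf "$demo" "$base"
```

Both lists are sorted because comm requires it; anything that disappears from the baseline (a bit you stripped) is silently fine, and only additions are reported.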
19. Set the DNS servers
# vi /etc/resolv.conf
nameserver 8.8.8.8    # Google DNS
nameserver 8.8.4.4
20. Change the hostname
# Note: stop MySQL, Postfix and other services that cache the hostname first.
1. hostname servername
2. vi /etc/sysconfig/network    (set HOSTNAME=servername), then service network restart
3. vi /etc/hosts    (map the new name to the server's address)
21. SELinux
Enabling SELinux increases security, but you may run into puzzling failures when installing software. Before turning it off, consider SELINUX=permissive, which logs every denial instead of blocking it and usually shows what a policy fix would need. If you still want it off:
# vi /etc/selinux/config
SELINUX=disabled
Switching between enforcing/permissive and disabled takes effect at the next reboot.
22. Disable IPv6
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
Restart the services:
service ip6tables stop
service network restart
Turn off the IPv6 firewall at boot:
chkconfig --level 235 ip6tables off
23. Set up iptables
Iptables default security rule script
Restart the system.
Most of the settings above can be applied by running a script: Linux Security Settings Quick script
Restart the system after the setup is complete.
Other settings
Adjusting the system time zone and time
Link /etc/localtime to the matching zone file under /usr/share/zoneinfo. For the Shanghai time zone:
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
If the hardware clock runs in UTC, set UTC=true in /etc/sysconfig/clock.
Set the time with date -s. The full argument format is MMDDhhmm[CC]YY[.ss] (month, day, hour, minute, year, seconds); you can also set only the time of day:
date -s 22:30:20
To set 2007-03-18 11:01:56, write:
date -s 031811012007.56
Write the current system time to the hardware clock with hwclock --systohc; if the hardware clock keeps UTC, use hwclock --systohc --utc.
The same procedure, step by step
1) Find the appropriate time zone file:
/usr/share/zoneinfo/Asia/Shanghai
and replace the current /etc/localtime with it:
cp -i /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
Confirm the overwrite when asked.
2) Edit /etc/sysconfig/clock to read:
ZONE="Asia/Shanghai"
UTC=false
ARC=false
3) The command to set the date to 30 August 2005:
# date -s 08/30/2005
The command to set the time to 18:40:00:
# date -s 18:40:00
4) Synchronize the BIOS clock by writing the system time to CMOS:
# clock -w
Install ntpd
# yum install ntp
# chkconfig --levels 235 ntpd on
# ntpdate ntp.api.bz    # one-off manual synchronization
# service ntpd start
Set the language
English system language with Chinese support:
# vi /etc/sysconfig/i18n
LANG="en_US.UTF-8"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh"
SYSFONT="latarcyrheb-sun16"
Scheduled cleanup with tmpwatch
Suppose the server keeps PHP sessions and uploads in custom directories under /tmp:
# vi /etc/cron.daily/tmpwatch
Add -x /tmp/session -x /tmp/upload before "240 /tmp" so that those two directories are excluded from the daily purge.
# mkdir /tmp/session
# mkdir /tmp/upload
# chown nobody:nobody /tmp/upload
# chmod 0770 /tmp/upload
At this point you should have a clearer picture of the basic security configuration of a Linux server. Try it out in practice.