For IT practitioners in the Internet industry, more and more work is moving onto Linux systems; anyone in development, operations or testing will have felt this. In November 2018 the technology research site W3Techs published a survey showing that Linux accounts for 37.2% of web server operating systems, which illustrates how widely it is used. Beyond web servers, Linux also runs DNS servers, mail servers and a range of open source application platforms (big data in particular: according to Linux Foundation research, 86 percent of enterprises have used Linux for cloud computing and big data platforms).
Most users assume Linux is secure by default, which is a somewhat controversial claim. Linux does ship with a built-in security model, but you need to turn it on and tune it to get a genuinely secure system. Linux is harder to manage, but it is also more flexible and offers more configuration options.
Protecting production systems from attackers has always been a challenge for system administrators, and in recent years attacks against Linux have multiplied, so how to build a secure, robust Linux system is a topic worth exploring. Today I will share how I build and harden Linux systems in my daily work, covering each aspect of the system. I hope these methods are useful to you; if they are, please share this post.
1. Physical security
This should be the first step towards server security.
For a physical server, the first thing is to have professional staff perform maintenance. The second is to disable booting from CD/DVD and similar removable media. You can also set a BIOS password, restrict access policies and control the various operational workflows.
USB devices can also be disabled for security purposes:
vim /etc/modprobe.d/stopusb
# add this line so that the usb-storage module is never loaded:
install usb-storage /bin/true
Or move the USB storage driver out of the kernel modules tree (the original does not give the destination; use a backup directory of your choice):
[root@rs-server ~]# mv /lib/modules/3.10.0-693.el7.x86_64/kernel/drivers/usb/storage/usb-storage.ko.xz <backup-directory>
2. Keep the system up to date
This means making sure known vulnerabilities in the system are patched promptly: keep the system on the latest patches, security fixes and available kernel.
yum update          # apply available updates
yum check-update    # list packages with updates available
This requires administrators to keep a close eye on newly disclosed system vulnerabilities and patch releases, both domestic and international. Related reading:
Review of the first half of 2018: Five major threats to network security!
The Nginx security flaw that left more than 14 million servers vulnerable to DoS attacks
Build an efficient and secure Nginx Web server
3. Principle of minimization
Whether installing the operating system or common software, follow this principle: install only what is needed, which also reduces the chance of introducing vulnerabilities.
Disable unnecessary services and ports. First list the services enabled in runlevel 3:
[root@rs-server ~]# chkconfig --list | grep "3:on"
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Then disable the ones you do not need with:
chkconfig service-name off
4. Login and connection
Linux servers are administered through remote login (SSH), so:
Step 1: Do not log in as root unless necessary. Use sudo for privileged commands and keep the /etc/sudoers file locked down.
Step 2: Modify the SSH daemon configuration. For example, change the default port 22, and disallow root logging in with a password.
[root@rs-server ~]# vim /etc/ssh/sshd_config
#Port 22                  # change to another port number instead of the default 22
#PermitRootLogin yes      # change yes to no
#PermitEmptyPasswords no  # simply uncomment this line
#AllowUsers username      # uncomment and list the specific users allowed to connect over SSH
For production servers, a bastion host (jump server) can also be used to restrict connections:
Build Jumpserver from 0 to secure your server.
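As an added example (not code from the original post), the following shell functions check an sshd_config text for the four settings discussed above and report which ones are still at the weak value. Both configurations are constructed samples; on a real host feed in the output of `sshd -T` or the contents of /etc/ssh/sshd_config.

```shell
# Added example, not the original post's code. Constructed sample configs:
WEAK_CONFIG='#Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
#AllowUsers username'

HARDENED_CONFIG='Port 2222
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers mingongge'

# effective_value KEY < config : last uncommented value of KEY (empty if never set).
# Commented lines start with "#", so "#Port 22" is correctly treated as unset.
effective_value() {
  awk -v key="$1" 'tolower($1) == tolower(key) { v = $2 } END { print v }'
}

# audit_sshd < config : prints one finding per line; exit status = number of findings.
audit_sshd() {
  cfg=$(cat)
  n=0
  port=$(printf '%s\n' "$cfg" | effective_value Port)
  rootlogin=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin)
  emptypw=$(printf '%s\n' "$cfg" | effective_value PermitEmptyPasswords)
  allow=$(printf '%s\n' "$cfg" | effective_value AllowUsers)
  if [ -z "$port" ] || [ "$port" = 22 ]; then
    echo "Port: default port 22 in use"; n=$((n + 1))
  fi
  if [ "$rootlogin" != no ]; then
    echo "PermitRootLogin: should be set to no (is '${rootlogin:-unset}')"; n=$((n + 1))
  fi
  if [ "$emptypw" != no ]; then
    echo "PermitEmptyPasswords: should be set to no (is '${emptypw:-unset}')"; n=$((n + 1))
  fi
  if [ -z "$allow" ]; then
    echo "AllowUsers: no user allow-list configured"; n=$((n + 1))
  fi
  return $n
}

# Stand-alone run: audit both samples.
printf '%s\n' "$WEAK_CONFIG" | audit_sshd || echo "weak config: $? finding(s)"
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd && echo "hardened config: clean"
```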
5. User management
Linux is a multi-user system, so it distinguishes between privileged users and ordinary users. They have different permissions and therefore can do different things, which makes user management an important step.
Set user passwords:
Use the passwd command to set a password. Use complex passwords, and give the same user different passwords on different systems (a password manager helps here).
[root@rs-server ~]# passwd mingongge
Changing password for user mingongge.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Temporary user management:
Temporary users can be deleted once they are no longer needed, or locked after a period of time so they cannot log in again, and unlocked the next time they need access.
To delete a user together with its home directory, run userdel -r username.
Locking a user means changing the user's account attributes:
[root@rs-server ~]# usermod -L mingongge
Now open a terminal and try to log in as that user. The login is refused, which shows the lock took effect. The next time the user needs to log in, unlock the account with:
[root@rs-server ~]# usermod -U mingongge
# -L lock
# -U unlock
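To make the temporary-account routine above auditable, here is an added example (not the post's own code) that reads a shadow-format file and reports each account as locked, expired or active: a locked account has a password field starting with `!` (what usermod -L writes) or `*` (no password login possible), and an expired one has an expiry day (field 8, days since 1970-01-01) in the past. The sample lines are constructed; run it against /etc/shadow as root for real use.

```shell
# Added example, not the original post's code. Constructed shadow-format sample
# (hash fields are placeholders, not real hashes). Day numbers are days since 1970-01-01.
SHADOW_SAMPLE='root:$6$placeholder$hash:18000:0:99999:7:::
mingongge:!$6$placeholder$hash:18000:0:99999:7:::
tempuser:$6$placeholder$hash:18000:0:99999:7::17900:
contractor:!!:18000:0:99999:7:::'

# account_state PASSWD_FIELD EXPIRE_FIELD TODAY : prints locked, expired or active.
account_state() {
  case "$1" in
    '!'* | '*'*) echo locked; return ;;
  esac
  if [ -n "$2" ] && [ "$2" -lt "$3" ]; then
    echo expired
  else
    echo active
  fi
}

# audit_shadow TODAY < shadow-text : prints "user state" per account.
# Live host (as root): audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow
audit_shadow() {
  while IFS=: read -r name pw lastchg min max warn inactive expire reserved; do
    [ -n "$name" ] || continue
    echo "$name $(account_state "$pw" "$expire" "$1")"
  done
}

# count_state STATE TODAY : how many sample accounts are in STATE.
count_state() {
  printf '%s\n' "$SHADOW_SAMPLE" | audit_shadow "$2" | grep -c " $1\$"
}

# Stand-alone run against the sample, pretending today is day 18100.
printf '%s\n' "$SHADOW_SAMPLE" | audit_shadow 18100
```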
6. File management
File management here refers to the two important files that store user account information: /etc/passwd and /etc/shadow.
[root@rs-server ~]# stat /etc/passwd
  File: '/etc/passwd'
  Size: 945        Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 17135889    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-08-06 01:14:33.439994172 +0800
Modify: 2019-08-06 01:14:37.440994172 +0800
Change: 2019-08-06 01:14:37.442994172 +0800
 Birth: -
[root@rs-server ~]# stat /etc/shadow
  File: '/etc/shadow'
  Size: 741        Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 17135890    Links: 1
Access: (0000/----------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-08-06 01:14:37.445994172 +0800
 Birth: -
The file attributes shown above (size, inode, permissions, timestamps) can reveal whether these files have been tampered with. It is therefore recommended to lock both files so that users other than root cannot modify or read them.
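An added example (not from the post) of the tamper check suggested above: record a baseline of mode, owner, inode and SHA-256 for the account files, then compare against it later. It demonstrates on constructed temporary copies so it can run unprivileged; on a real host pass /etc/passwd and /etc/shadow and keep the baseline file off the machine. It assumes GNU coreutils (stat -c, sha256sum).

```shell
# Added example, not the original post's code. Requires GNU coreutils (stat -c, sha256sum).

# fingerprint FILE : prints "mode uid gid inode sha256" for FILE.
fingerprint() {
  printf '%s %s\n' "$(stat -c '%a %u %g %i' "$1")" "$(sha256sum "$1" | cut -d ' ' -f 1)"
}

# record_baseline BASELINE FILE... : writes one "path fingerprint" line per file.
record_baseline() {
  baseline=$1; shift
  : > "$baseline"
  for f in "$@"; do
    echo "$f $(fingerprint "$f")" >> "$baseline"
  done
}

# check_baseline BASELINE : prints "CHANGED: path" for each drifted file and
# "MISSING: path" if it is gone; exit status 1 if anything differs from the baseline.
check_baseline() {
  rc=0
  while read -r f expected; do
    if [ ! -e "$f" ]; then
      echo "MISSING: $f"; rc=1; continue
    fi
    if [ "$(fingerprint "$f")" != "$expected" ]; then
      echo "CHANGED: $f"; rc=1
    fi
  done < "$1"
  return $rc
}

# demo_drift : builds constructed passwd/shadow copies in a temp dir, records a baseline,
# appends a line to the passwd copy (simulated edit) and prints how many files changed.
demo_drift() {
  d=$(mktemp -d)
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
  printf 'root:*:18000:0:99999:7:::\n' > "$d/shadow"
  record_baseline "$d/baseline" "$d/passwd" "$d/shadow"
  printf 'newuser:x:1001:1001::/home/newuser:/bin/bash\n' >> "$d/passwd"
  check_baseline "$d/baseline" | grep -c '^CHANGED:'
  rm -rf "$d"
}

demo_drift
```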
7. Enable the firewall
Using the system firewall to filter inbound and outbound traffic is a good strategy against attacks, and the rules can be set one by one, which makes it very powerful. It is recommended to enable it, including protection against brute-force attempts.
This section describes how to configure the Iptables service for Linux
8. Software package management
Software installed on the system is managed through the package manager (rpm/yum on CentOS, apt-get on Debian-based systems). Packages that yum or apt-get lists but that are not needed should be removed with:
yum -y remove software-package-name
sudo apt-get remove software-package-name
9. Disable Ctrl+Alt+Del restart
Most servers reboot when Ctrl+Alt+Del is pressed. For production servers this is a serious risk and must be disabled, otherwise a single slip can cause a major outage.
# CentOS 6: disable Ctrl+Alt+Del restart
# Method 1: comment out the trigger line
vi /etc/init/control-alt-delete.conf
#start on control-alt-delete    # comment out this line
# Method 2: move the file away
mv /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak
# Note: both methods take effect without restarting the system
For CentOS7, the approach is different:
[root@rs-server ~]# cat /etc/inittab
# inittab is no longer used when using systemd.
#
# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
#
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
#
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
#
# To view current default target, run:
# systemctl get-default
#
# To set a default target, run:
# systemctl set-default TARGET.target
#
Testing confirms that commenting out configuration in this file has no effect; the key combination is handled by the target named in the file:
[root@rs-server ~]# ll /usr/lib/systemd/system/ctrl-alt-del.target
lrwxrwxrwx. 1 root root 13 Mar 14 17:27 /usr/lib/systemd/system/ctrl-alt-del.target -> reboot.target
ctrl-alt-del.target is a symbolic link to reboot.target. So the right approach on CentOS 7 is to move this file to another directory and then reload the systemd configuration; if you need the function again, simply recreate the symbolic link.
10. Monitor user behavior
If you have many users on your system, it is important to collect information about each user's behaviour and the processes they run. That data can then be used for performance tuning and for investigating security issues. How do you monitor and gather it? Two useful tools, psacct and acct, can monitor users' behaviour and processes on the system.
[root@rs-server ~]# yum install psacct -y
Usage is as follows:
ac                # display the total connection time for all users
ac -p             # display the connection time for each user
ac -d             # display the total connection time of all users per day
ac silence        # display the connection time of the specified user
ac -d silence     # display the connection time of the specified user per day
sa                # display all commands executed by users
sa -u             # display command execution by user
sa -m             # display command execution by process
sa -p             # display command execution by usage
lastcomm          # display all executed commands
lastcomm silence  # display the commands executed by the specified user
lastcomm ls       # display executions of the specified command
last              # view the list of recent successful logins
last -x           # display system shutdowns, reboots, etc.
last -a           # display the IP address in the last column
last -d           # resolve IP addresses to domain names
last -R           # do not display the IP column
last -n 3         # display the last three entries
lastb             # view the list of recent failed logins
Specific usage examples:
[root@rs-server ~]# ac -p
	root                                71.88
	total       71.88
[root@rs-server ~]# sa -u
root       0.00 cpu     1043k mem      0 io accton
root       0.00 cpu     3842k mem      0 io systemd-tty-ask
root       0.03 cpu    72576k mem      0 io pkttyagent
root       0.00 cpu    32112k mem      0 io systemctl
root       0.00 cpu     2674k mem      0 io systemd-cgroups
root       0.07 cpu    37760k mem      0 io ps
root       0.00 cpu    28160k mem      0 io grep
root       0.00 cpu     1080k mem      0 io ac
root       0.14 cpu        0k mem      0 io kworker/u256:0 *
root       0.10 cpu        0k mem      0 io kworker/0:0 *
root       0.02 cpu        0k mem      0 io kworker/0:2 *
[root@rs-server ~]# lastcomm sa
sa              root     pts/0      0.00 secs Tue Aug  6 02:15
[root@rs-server ~]# last -x
root     pts/0        192.168.1.14     Tue Aug  6 00:48   still logged in
root     tty1                          Tue Aug  6 00:48   still logged in
[root@rs-server ~]# lastb
mingongg ssh:notty    192.168.1.14     Tue Aug  6 01:11 - 01:11  (00:00)
mingongg ssh:notty    192.168.1.14     Tue Aug  6 01:11 - 01:11  (00:00)

btmp begins Tue Aug  6 01:11:27 2019
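As an added example (not code from the post), the following summarises failed logins per source host from lastb output, so the raw list above becomes something you can act on. The input lines are constructed in the style of the lastb output shown; on a real host pipe `lastb` into the functions instead.

```shell
# Added example, not the original post's code. Constructed lastb-style sample.
LASTB_SAMPLE='mingongg ssh:notty    192.168.1.14     Tue Aug  6 01:11 - 01:11  (00:00)
mingongg ssh:notty    192.168.1.14     Tue Aug  6 01:11 - 01:11  (00:00)
root     ssh:notty    192.168.1.14     Tue Aug  6 01:12 - 01:12  (00:00)
admin    ssh:notty    10.0.0.9         Tue Aug  6 01:20 - 01:20  (00:00)
root     tty1                          Tue Aug  6 01:30 - 01:30  (00:00)

btmp begins Tue Aug  6 01:11:27 2019'

# summarise_failures < lastb-output : prints "count host" per source, most frequent first.
# Remote entries carry an IPv4 address in field 3; console entries have none and are
# counted under "local". Blank lines and the trailing "btmp begins" line are skipped.
summarise_failures() {
  awk '
    /^$/ || /^btmp begins/ { next }
    { host = ($3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ? $3 : "local"; n[host]++ }
    END { for (h in n) printf "%d %s\n", n[h], h }
  ' | sort -rn
}

# failures_from HOST < lastb-output : number of failed logins from HOST (0 if none).
failures_from() {
  summarise_failures | awk -v h="$1" '$2 == h { c = $1 } END { print c + 0 }'
}

# flag_sources THRESHOLD < lastb-output : hosts with at least THRESHOLD failures.
flag_sources() {
  summarise_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run: sources with three or more failures in the sample.
printf '%s\n' "$LASTB_SAMPLE" | flag_sources 3
```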
11. Check the log regularly
System logs and important application logs should be stored on a dedicated log server rather than only on the local machine, so that an attacker who analyses the logs cannot use them to break into the system and its applications. The following are common log files:
12. Data backup
The importance of this goes without saying, especially for critical production data, which must be backed up locally, remotely and on different media. Backup integrity and availability also need to be verified regularly.
Xtrabackup implements data backup and recovery
MySQL database backup solution:….
Data deletion recovery: rm -f was accidentally executed, so don’t run away!
13. Security tools
Common security scanning tools are necessary for the system, such as nmap for scanning open ports. For web applications on the system, you can use open source tools such as IBM AppScan and sqlmap. There are also many commercial products of this kind, which I will not introduce here (nobody is paying me advertising fees).
There are file encryption tools for files, and intrusion detection and vulnerability scanning tools for the system. Whether open source or commercial, choose the tool according to actual needs and the company's budget.
14. Management methods
For security management, sound processes and management policies are also necessary; otherwise the 13 points above count for nothing, because a method without a system to enforce it never gets implemented.
Therefore, for small and large enterprises alike, the process and management system always comes before any technical measure. People are the least controllable factor of all.
Don’t fall, don’t take the blame! The most comprehensive server security management specification ever opened source
I hope these methods are helpful to you. The above is a summary of my own experience; it may not be complete or entirely accurate. If you have a different understanding, or other ways to strengthen system security, please leave a comment below so we can discuss and learn from each other and build a more robust, secure and reliable Linux environment together.