Check whether password reuse is restricted

Preventing users from reusing their recent passwords reduces the risk of password guessing attacks.

Reinforce the advice

In /etc/pam.d/password-auth and /etc/pam.d/system-auth, locate the line that begins with password sufficient pam_unix.so. Leave its existing options unchanged and append remember=5 to the end of that line.
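Worked example (added here; it is not part of the original checklist): a small POSIX shell script that reports whether the pam_unix.so password line already carries a remember= option and appends remember=5 only when it does not, so the edit can be re-run safely. It assumes GNU sed for in-place editing and takes the file path as an argument, so it can be tried on a copy first; the stanza it writes in the demo is a constructed excerpt in the usual RHEL layout, not copied from any system. On distributions where these files are generated by authselect or authconfig, change that tool's profile instead or the edit will be overwritten.

```sh
#!/bin/sh
# Added example: idempotently add remember=N to the pam_unix.so password line.

# remember_status FILE -> prints the current remember= value on the first
# "password sufficient pam_unix.so" line, "unset" if the option is absent,
# or "missing" if no such line exists.
remember_status() {
    awk '$1 == "password" && $2 == "sufficient" && $3 == "pam_unix.so" && !found {
            found = 1; v = "unset"
            for (i = 4; i <= NF; i++)
                if ($i ~ /^remember=/) { v = $i; sub(/^remember=/, "", v) }
            print v
         }
         END { if (!found) print "missing" }' "$1"
}

# add_remember FILE [N] -> appends remember=N (default 5) to that line if it
# has no remember= option yet; options already on the line are kept as they are.
# Prints the resulting remember value. Uses GNU sed -i.
add_remember() {
    file=$1
    n=${2:-5}
    if [ "$(remember_status "$file")" = unset ]; then
        sed -i -E "s/^([[:space:]]*password[[:space:]]+sufficient[[:space:]]+pam_unix\.so.*)$/\1 remember=$n/" "$file"
    fi
    remember_status "$file"
}

# Demo on constructed copies of the two files (not real system files).
demo=$(mktemp -d)
for f in password-auth system-auth; do
    printf '%s\n' \
        'password    requisite     pam_pwquality.so try_first_pass local_users_only' \
        'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
        'password    required      pam_deny.so' > "$demo/$f"
    echo "$f: before=$(remember_status "$demo/$f") after=$(add_remember "$demo/$f" 5)"
    grep 'pam_unix.so' "$demo/$f"
done
```

On a real system, run add_remember /etc/pam.d/system-auth 5 and the same for password-auth as root; a second run reports the value that is already there and changes nothing.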

Ensure that SSH LogLevel is set to INFO

Set the SSH LogLevel to INFO so that login and logout activity is recorded.

Reinforce the advice

Edit the /etc/ssh/sshd_config file to set the parameters as follows (uncommented):

LogLevel INFO

Set the SSH idle timeout duration

Setting an SSH idle timeout reduces the risk of an unattended SSH session being used by an unauthorized person.

Reinforce the advice

Edit /etc/ssh/sshd_config to set ClientAliveInterval to a value between 300 and 900 (5 to 15 minutes) and ClientAliveCountMax to a value between 0 and 3:

ClientAliveInterval 600
ClientAliveCountMax 2

SSHD enforces the V2 security protocol

SSHD enforces the V2 security protocol.

Reinforce the advice

Edit the /etc/ssh/sshd_config file to set the parameters as follows:

Protocol 2

Make sure SSH MaxAuthTries is set to between 3 and 6

Setting a low MaxAuthTries value reduces the risk of a successful brute-force attack against the SSH server.

Reinforce the advice

In /etc/ssh/sshd_config, uncomment the MaxAuthTries line (remove the leading #) and set the maximum number of failed password attempts to a value between 3 and 6 (4 is recommended):

MaxAuthTries 4
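Worked example (added here; not part of the original checklist) covering the four sshd_config items above: a POSIX shell audit that reads the effective value of each keyword and reports anything outside the ranges the checklist gives. It assumes the "Keyword value" form of sshd_config and does not handle "Keyword=value" or Match blocks; the configuration it inspects in the demo is constructed.

```sh
#!/bin/sh
# Added example: audit LogLevel, ClientAliveInterval, ClientAliveCountMax,
# Protocol and MaxAuthTries in an sshd_config file.

# sshd_value CONFIG KEYWORD -> prints the effective value of KEYWORD. sshd applies
# the FIRST uncommented occurrence of a keyword and ignores later ones, and
# keywords are case-insensitive. Assumes "Keyword value" lines.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == k     { print $2; exit }' "$1"
}

# in_range VALUE LOW HIGH -> 0 if VALUE is an integer within [LOW, HIGH]
in_range() { [ "$1" -ge "$2" ] 2>/dev/null && [ "$1" -le "$3" ] 2>/dev/null; }

# audit_sshd CONFIG -> prints one line per deviation from the checklist and
# returns 1 if there was any. The checklist wants each value set explicitly, so
# an unset keyword is reported even where the OpenSSH default would satisfy it.
audit_sshd() {
    cfg=$1
    rc=0
    v=$(sshd_value "$cfg" LogLevel)
    [ "$(printf '%s' "$v" | tr 'a-z' 'A-Z')" = INFO ] \
        || { echo "LogLevel=${v:-unset} (expected INFO)"; rc=1; }
    v=$(sshd_value "$cfg" ClientAliveInterval)
    in_range "$v" 300 900 \
        || { echo "ClientAliveInterval=${v:-unset} (expected 300-900)"; rc=1; }
    v=$(sshd_value "$cfg" ClientAliveCountMax)
    in_range "$v" 0 3 \
        || { echo "ClientAliveCountMax=${v:-unset} (expected 0-3)"; rc=1; }
    v=$(sshd_value "$cfg" Protocol)
    [ "$v" = 2 ] || { echo "Protocol=${v:-unset} (expected 2)"; rc=1; }
    v=$(sshd_value "$cfg" MaxAuthTries)
    in_range "$v" 3 6 \
        || { echo "MaxAuthTries=${v:-unset} (expected 3-6)"; rc=1; }
    return $rc
}

# Demo on a constructed config: the commented LogLevel counts as unset, and the
# second MaxAuthTries line is ignored because the first match wins.
demo=$(mktemp -d)
printf '%s\n' '#LogLevel INFO' 'ClientAliveInterval 600' 'ClientAliveCountMax 2' \
    'Protocol 2' 'MaxAuthTries 10' 'MaxAuthTries 4' > "$demo/sshd_config"
audit_sshd "$demo/sshd_config" || echo "sshd_config needs attention (see findings above)"
```

Run audit_sshd /etc/ssh/sshd_config on the real file; for the authoritative view of what the daemon actually uses, including defaults and Match blocks, sshd -T (run as root) prints the effective configuration.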

Set the minimum interval for changing a password

Set a minimum interval between password changes to prevent users from changing their password too frequently.

Reinforce the advice

In /etc/login.defs, set PASS_MIN_DAYS to a value between 7 and 14. The recommended value is 7:

PASS_MIN_DAYS 7

Run the following command to apply the same minimum interval to the root user:

chage --mindays 7 root

Set the validity period of a password

This section describes how to set a password validity period so that passwords are changed periodically, which reduces the risk of password leakage and password guessing. Ignore this item if you use a non-password login method (such as key pairs).

Reinforce the advice

If you use a non-password login method such as a key pair, ignore this item. In /etc/login.defs, set PASS_MAX_DAYS to a value between 60 and 180, for example:

PASS_MAX_DAYS 90

Also run the following command to set the validity period of the root password:

chage --maxdays 90 root

Password Complexity Check

Check the password length and whether the password uses multiple character types.

Reinforce the advice

Edit /etc/security/pwquality.conf: set minlen (the minimum password length) to a value between 9 and 32 characters, and set minclass (the minimum number of character classes a password must contain, out of lowercase letters, uppercase letters, digits and special characters) to 3 or 4. For example:

minlen=10
minclass=3

Make sure root is the only account with a UID of 0

All users with a UID of 0 other than root should be deleted or assigned a new UID.

Reinforce the advice

All users with a UID of 0 other than root should be deleted or assigned a new UID.

Command to list such accounts:

awk -F: '($3 == 0) { print $1 }' /etc/passwd | grep -v '^root$'

Enable address space layout randomization

Address space layout randomization randomizes the memory layout of each process, making it harder for an attacker to predict target addresses and so reducing the chance that an attack on the process succeeds.

Reinforce the advice

Run the following command:

sysctl -w kernel.randomize_va_space=2
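Worked example (added here; not part of the original checklist): a POSIX shell script that interprets the kernel.randomize_va_space value and handles the point the command above leaves open, namely that sysctl -w changes only the running kernel and is lost at reboot. The script takes file and directory paths as arguments so it can run against constructed files; on a live system the value file is /proc/sys/kernel/randomize_va_space and the drop-in directory is /etc/sysctl.d.

```sh
#!/bin/sh
# Added example: check, describe and persist kernel.randomize_va_space.

# aslr_describe FILE -> prints the meaning of the randomize_va_space value in FILE.
aslr_describe() {
    case "$(tr -d '[:space:]' < "$1")" in
        0) echo "0: randomization disabled" ;;
        1) echo "1: stack, mmap and VDSO randomized, heap (brk) not randomized" ;;
        2) echo "2: full randomization including heap (recommended)" ;;
        *) echo "unexpected value" ;;
    esac
}

# aslr_ok FILE -> 0 only when the value is 2
aslr_ok() { [ "$(tr -d '[:space:]' < "$1")" = 2 ]; }

# persist_aslr DIR -> writes a sysctl drop-in so the setting survives reboot.
# DIR is /etc/sysctl.d on a live system (loaded at boot by sysctl --system).
persist_aslr() { printf 'kernel.randomize_va_space = 2\n' > "$1/99-aslr.conf"; }

# aslr_persisted DIR -> 0 if the *.conf files in DIR leave the setting at 2.
# Files are applied in lexical order and the last assignment wins, which is
# why the check reads them in that order and keeps the final value.
aslr_persisted() {
    v=$(cat "$1"/*.conf 2>/dev/null | awk -F'=' '
        /^[[:space:]]*kernel\.randomize_va_space[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
        END { print v }')
    [ "$v" = 2 ]
}

# Demo on constructed files standing in for /proc and /etc/sysctl.d.
demo=$(mktemp -d)
mkdir "$demo/sysctl.d"
printf '1\n' > "$demo/randomize_va_space"
echo "running kernel: $(aslr_describe "$demo/randomize_va_space")"
aslr_persisted "$demo/sysctl.d" || echo "not persisted yet; writing drop-in"
persist_aslr "$demo/sysctl.d"
aslr_persisted "$demo/sysctl.d" && echo "persisted in $demo/sysctl.d/99-aslr.conf"
```

On a live system, run the page's sysctl -w command for the running kernel and persist_aslr /etc/sysctl.d for subsequent boots, then confirm with aslr_ok /proc/sys/kernel/randomize_va_space.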

Set permissions on the user account files

Set the owner and permissions of the user account files (/etc/passwd, /etc/shadow, /etc/group and /etc/gshadow).

Reinforce the advice

Run the following five commands:

chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/group
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0400 /etc/gshadow

Set permissions on the access control files

Set the owner and permissions of the access control files /etc/hosts.allow and /etc/hosts.deny.

Reinforce the advice

Run the following four commands:

chown root:root /etc/hosts.allow
chown root:root /etc/hosts.deny
chmod 644 /etc/hosts.deny
chmod 644 /etc/hosts.allow
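Worked example (added here; not part of the original checklist) covering both permission sections above: a shell script that holds the six files with the owner and mode the commands set, reports any file whose mode or owner differs, and applies the modes. It takes a root prefix so it can run against a scratch directory; on a live system the prefix is empty. It uses GNU stat, and the files in the demo are constructed empties.

```sh
#!/bin/sh
# Added example: audit and fix the mode of the account and access control files.

# Expected owner:group and mode per file, taken from the chown/chmod commands above.
EXPECTED_PERMS='/etc/passwd root:root 644
/etc/group root:root 644
/etc/shadow root:root 400
/etc/gshadow root:root 400
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644'

# mode_findings ROOT -> one line per file that is missing or whose mode differs.
# ROOT is prepended to every path ("" on a live system, a scratch dir in the demo).
mode_findings() {
    printf '%s\n' "$EXPECTED_PERMS" | while read -r path _ mode; do
        f="$1$path"
        if [ ! -e "$f" ]; then echo "$path missing"; continue; fi
        have=$(stat -c '%a' "$f")
        [ "$have" = "$mode" ] || echo "$path mode=$have expected=$mode"
    done
}

# owner_findings ROOT -> one line per existing file not owned by the expected owner:group
owner_findings() {
    printf '%s\n' "$EXPECTED_PERMS" | while read -r path owner _; do
        f="$1$path"
        [ -e "$f" ] || continue
        have=$(stat -c '%U:%G' "$f")
        [ "$have" = "$owner" ] || echo "$path owner=$have expected=$owner"
    done
}

# modes_ok ROOT -> 0 when mode_findings reports nothing
modes_ok() { [ -z "$(mode_findings "$1")" ]; }

# fix_modes ROOT -> applies the expected mode to each existing file
# (ownership is left to the chown commands, which need root).
fix_modes() {
    printf '%s\n' "$EXPECTED_PERMS" | while read -r path _ mode; do
        if [ -e "$1$path" ]; then chmod "$mode" "$1$path"; fi
    done
}

# Demo on constructed empty files under a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
for f in passwd group shadow gshadow hosts.allow hosts.deny; do : > "$demo/etc/$f"; done
chmod 666 "$demo/etc/shadow"     # deliberately wrong, to be caught
echo "before:"; mode_findings "$demo"; owner_findings "$demo"
fix_modes "$demo"
modes_ok "$demo" && echo "after: modes match the checklist"
```

On a live system, mode_findings "" and owner_findings "" give the audit view; the owner check will report every file on the demo directory because the scratch files belong to the user who created them, which is exactly what it should say on a real host where a file is not owned by root.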

Ensure that the Rsyslog service is enabled

Ensure that the rsyslog service is enabled so that system logs are recorded for auditing.

Reinforce the advice

Run the following commands to enable and start the rsyslog service:

systemctl enable rsyslog
systemctl start rsyslog

Ensure that password expiration warning days are 7 or more

Ensure that password expiration warning days are 7 or more.

Reinforce the advice

In /etc/login.defs, set PASS_WARN_AGE to between 7 and 14. The recommended value is 7:

PASS_WARN_AGE 7

Also run the following command so that the setting takes effect for the root user:

chage --warndays 7 root
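Worked example (added here; not part of the original checklist) covering the three /etc/login.defs items, PASS_MIN_DAYS, PASS_MAX_DAYS and PASS_WARN_AGE: a POSIX shell audit that checks the file against the ranges given above and then lists the accounts in a shadow file whose aging fields fall outside them. The second part matters because login.defs governs only accounts created afterwards; existing accounts keep their own values in /etc/shadow, which is why each section also runs chage for root, and the same applies to every other existing account with a password. The login.defs and shadow contents in the demo are constructed (the hashes are placeholders).

```sh
#!/bin/sh
# Added example: audit password aging in login.defs and in existing shadow entries.

# login_defs_value FILE KEY -> value of the last uncommented KEY line, or empty
login_defs_value() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# in_range VALUE LOW HIGH -> 0 if VALUE is an integer within [LOW, HIGH]
in_range() { [ "$1" -ge "$2" ] 2>/dev/null && [ "$1" -le "$3" ] 2>/dev/null; }

# check_login_defs FILE -> prints one line per setting outside the checklist's
# range (unset counts as a finding) and returns 1 if there was any.
check_login_defs() {
    f=$1
    rc=0
    min=$(login_defs_value "$f" PASS_MIN_DAYS)
    max=$(login_defs_value "$f" PASS_MAX_DAYS)
    warn=$(login_defs_value "$f" PASS_WARN_AGE)
    in_range "$min" 7 14   || { echo "PASS_MIN_DAYS=${min:-unset} (expected 7-14)"; rc=1; }
    in_range "$max" 60 180 || { echo "PASS_MAX_DAYS=${max:-unset} (expected 60-180)"; rc=1; }
    in_range "$warn" 7 14  || { echo "PASS_WARN_AGE=${warn:-unset} (expected 7-14)"; rc=1; }
    return $rc
}

# shadow_aging_violations SHADOWFILE -> "user reason" lines for accounts that have a
# password hash (locked "!" / "*" entries and empty fields are skipped) and whose
# shadow fields 4 (min), 5 (max) or 6 (warn) are outside the ranges above.
# These are the accounts that still need chage --mindays/--maxdays/--warndays.
shadow_aging_violations() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ {
        if ($4 == "" || $4 < 7)   print $1, "min_days="  ($4 == "" ? "unset" : $4)
        if ($5 == "" || $5 > 180) print $1, "max_days="  ($5 == "" ? "unset" : $5)
        if ($6 == "" || $6 < 7)   print $1, "warn_days=" ($6 == "" ? "unset" : $6)
    }' "$1"
}

# Demo on constructed files: login.defs is compliant, but one existing account is not.
demo=$(mktemp -d)
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t7\nPASS_WARN_AGE\t7\n' > "$demo/login.defs"
cat > "$demo/shadow" <<'EOF'
root:$6$placeholderhash:19000:7:90:7:::
alice:$6$placeholderhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
EOF
check_login_defs "$demo/login.defs" && echo "login.defs: ok"
echo "existing accounts still needing chage:"
shadow_aging_violations "$demo/shadow"
```

On a live system, run check_login_defs /etc/login.defs and shadow_aging_violations /etc/shadow as root; the second output is the list of accounts to pass to the chage commands shown in the three sections.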

Do not allow SSH users with empty passwords to log in

Do not allow SSH users with empty passwords to log in.

Reinforce the advice

Edit the /etc/ssh/sshd_config file and set PermitEmptyPasswords to no:

PermitEmptyPasswords no

Check for accounts with an empty password

Check the system for accounts with an empty password.

Reinforce the advice

Set a non-empty password for the user, or run the following command to lock the account:

passwd -l <username>
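Worked example (added here; not part of the original checklist) covering three related account checks on this page: extra UID 0 accounts, the PermitEmptyPasswords setting, and accounts whose shadow entry has an empty password field. The point of doing them together is that PermitEmptyPasswords no only closes the SSH path; the account itself still needs a password or a lock, which is what the final function prepares. All functions take file paths so they can run on constructed copies; the passwd, shadow and sshd_config content in the demo is constructed, with placeholder hashes.

```sh
#!/bin/sh
# Added example: account audit for UID 0 duplicates and empty passwords.

# uid0_extras PASSWD -> accounts other than root with UID 0 (same test as the
# page's awk command, applied to a given file)
uid0_extras() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# empty_password_accounts SHADOW -> accounts whose password field is empty.
# Locked entries ("!", "!!", "*") are not empty and are not reported.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# sshd_permits_empty CONFIG -> 0 if PermitEmptyPasswords is effectively yes
# (first uncommented occurrence wins; the OpenSSH default is no)
sshd_permits_empty() {
    v=$(awk '/^[[:space:]]*(#|$)/ { next }
             tolower($1) == "permitemptypasswords" { print tolower($2); exit }' "$1")
    [ "$v" = yes ]
}

# lock_commands SHADOW -> prints the passwd -l command for each empty-password
# account. Printed rather than executed so the audit itself changes nothing;
# review the list, then run the lines as root.
lock_commands() { empty_password_accounts "$1" | sed 's/^/passwd -l /'; }

# audit_accounts PASSWD SHADOW CONFIG -> prints findings, returns 1 if any
audit_accounts() {
    rc=0
    for u in $(uid0_extras "$1"); do echo "extra UID 0 account: $u"; rc=1; done
    for u in $(empty_password_accounts "$2"); do echo "empty password: $u"; rc=1; done
    sshd_permits_empty "$3" && { echo "sshd: PermitEmptyPasswords yes"; rc=1; }
    return $rc
}

# Demo on constructed files.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'toor:x:0:0::/root:/bin/bash' \
              'alice:x:1000:1000::/home/alice:/bin/bash' > "$demo/passwd"
printf '%s\n' 'root:$6$placeholderhash:19000:7:90:7:::' \
              'alice::19000:0:99999:7:::' \
              'bob:!!:19000:0:99999:7:::' > "$demo/shadow"
printf '%s\n' '#PermitEmptyPasswords no' 'PermitEmptyPasswords yes' > "$demo/sshd_config"
audit_accounts "$demo/passwd" "$demo/shadow" "$demo/sshd_config" || echo "suggested locks:"
lock_commands "$demo/shadow"
```

On a live system the arguments are /etc/passwd, /etc/shadow and /etc/ssh/sshd_config (reading /etc/shadow needs root).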
