This article is part of the "30 Years of Linux" topic essay activity.
Preface
Cloud computing has restructured the IT industry and given enterprises new room to grow. By drawing on the capacity of the cloud, companies can free up energy to focus on their own business: cloud computing has greatly reduced the cost of digital transformation, released efficiency for business innovation, and opened up new possibilities for it. But while people enjoy the convenience of cloud computing, server security cannot be ignored.
Linux is a freely usable and freely distributable Unix-like operating system. As an open-source system, Linux is widely used on servers because of its security, efficiency and stability. Those security advantages are not guaranteed, however, unless permissions are assigned properly.
After security hardening, a Linux system can reach security level B1. I believe that most readers have had the experience of a server being hacked. This article hardens a Linux system along several dimensions to raise its security to a certain extent and build a more solid security barrier.
I. Identification
1.1 Password Security Policies
Identity credentials for operating system and database administration accounts must not be easy to guess: enforce password complexity and change passwords regularly.
Set effective password policies to prevent attackers from cracking passwords.
- List accounts with an empty password field and set strong passwords for weak or empty-password accounts:
# awk -F: '($2 == ""){print $1}' /etc/shadow
Whether an account's password is weak can be checked by auditing the hashes offline, by running a dictionary crack against them, or by looking them up on password-hash websites.
- Modify the password aging policy with vi /etc/login.defs
[Screenshot of the password aging settings in /etc/login.defs; image not available]
This policy only takes effect for accounts created after it is set. Existing accounts keep the previous maximum of 99,999 days.
- Configure password complexity in /etc/pam.d/system-auth:
password requisite pam_cracklib.so retry=3 difok=2 minlen=8 lcredit=-1 dcredit=-1
The parameters mean the following:
difok: the number of characters in which the new password must differ from the previous one
minlen: minimum password length, which takes precedence over PASS_MIN_LEN in login.defs
ucredit: minimum number of uppercase letters (a negative value means "at least this many")
lcredit: minimum number of lowercase letters
dcredit: minimum number of digits
retry: number of attempts allowed before the password change fails
Note: password aging and complexity rules are not enforced when root changes another account's password.
1.2 Login Failure Policies
Enable login-failure handling so that after too many failed attempts the session is ended, the number of illegal logins is limited, and the user is locked out automatically.
If a password is being guessed, temporarily locking the account reduces the chance that the guess succeeds.
- For console login, configure /etc/pam.d/login; for SSH, configure /etc/pam.d/sshd.
Add the following line as the second line of /etc/pam.d/sshd:
auth required pam_tally2.so deny=5 lock_time=2 even_deny_root unlock_time=60
View the failure counter for a user:
# pam_tally2 --user root
Unlock the user:
# pam_tally2 -r -u root
even_deny_root also applies the limit to root (by default root is not locked out). deny is the maximum number of consecutive failed logins for ordinary users and root; once it is exceeded, the user is locked. unlock_time is the time, in seconds, after which an ordinary user is unlocked.
root_unlock_time is the time, in seconds, after which root is unlocked.
1.3 Secure Remote Management Mode
When managing servers remotely, take the necessary measures to prevent authentication information from being eavesdropped on in transit.
This keeps sensitive information such as passwords from being captured during remote management.
Check whether the Telnet service is running. If it is, stop it and disable it from starting at boot, and use SSH for remote management instead.
II. Access Control
2.1 Accounts and Passwords
Delete unnecessary or expired accounts promptly and avoid shared accounts.
Delete or disable temporary, expired or suspicious accounts to prevent unauthorized use.
This applies to ordinary accounts created by the administrator, for example test.
# usermod -L user    Locks the account so it cannot log in; the second column of /etc/shadow then starts with "!"
# userdel user       Deletes the user
# userdel -r user    Deletes the user together with the home directory under /home
2.2 Checking Special Accounts
Check whether there are accounts with an empty password or with root privileges.
Steps
- Check for empty-password and root-privileged accounts to find abnormal ones:
  Use the command
  awk -F: '($2=="")' /etc/shadow
  to list empty-password accounts, and the command
  awk -F: '($3==0)' /etc/passwd
  to list accounts whose UID is 0.
- Harden empty-password accounts: use the command
  passwd <username>
  to set a password for each empty-password account.
- Ensure that root is the only account whose UID is 0.
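The empty-password check from 1.1 and the two checks in this section, combined into one script as an added example (this is not code from the original article). The functions take a file path, so they can be pointed at the real /etc/shadow and /etc/passwd on a live system; here they run against constructed sample files written to a temporary directory, with placeholder hash values.

```shell
#!/bin/sh
# Added example, not from the original article: audit shadow/passwd files for
# empty-password accounts and for UID 0 accounts other than root.
# Each function takes a file path, so it can be pointed at /etc/shadow and
# /etc/passwd on a live system or, as below, at constructed sample files.

# Login names whose password field (2nd column) in a shadow-format file is empty.
empty_password_accounts() {
    awk -F: '($2 == "") {print $1}' "$1"
}

# All login names whose UID (3rd column) in a passwd-format file is 0.
uid0_accounts() {
    awk -F: '($3 == 0) {print $1}' "$1"
}

# UID 0 accounts other than root: root must be the only one.
extra_uid0_accounts() {
    awk -F: '($3 == 0 && $1 != "root") {print $1}' "$1"
}

# Run both checks, print findings, and return 1 if anything was found.
audit_accounts() {
    shadow_file=$1; passwd_file=$2; problems=0
    for u in $(empty_password_accounts "$shadow_file"); do
        echo "EMPTY PASSWORD: $u  (fix: passwd $u, or lock with usermod -L $u)"
        problems=1
    done
    for u in $(extra_uid0_accounts "$passwd_file"); do
        echo "EXTRA UID 0 ACCOUNT: $u  (only root may have UID 0)"
        problems=1
    done
    return $problems
}

# Constructed sample files (hash values are placeholders, not real hashes).
# "svc" is locked ("!"), which is different from an empty password field.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shadow" <<'EOF'
root:$6$placeholder$placeholderhash:18800:0:99999:7:::
test::18800:0:99999:7:::
svc:!:18800:0:99999:7:::
backup:$6$placeholder$placeholderhash:18800:0:99999:7:::
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF

audit_accounts "$demo_dir/shadow" "$demo_dir/passwd" || echo "audit: problems found"
```

Running the script reports test (empty password) and toor (a second UID 0 account) while leaving the locked svc account alone; the same functions run unchanged against the live files when called with /etc/shadow and /etc/passwd.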
2.3 Adding a Password Policy
Strengthen password complexity to reduce the chance of passwords being guessed.
Steps
- Use the command vi /etc/login.defs to modify the configuration file:
PASS_MAX_DAYS 90 # Maximum number of days a new user may keep the same password
PASS_MIN_DAYS 0 # Minimum number of days before a new user may change the password
PASS_WARN_AGE 7 # Number of days before expiry on which new users are warned
- Use the chage command to modify the settings of an existing user. For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> sets the maximum password age to 30 days and the minimum to 0 days, expires the account on January 1, 2000, and warns the user seven days before the password expires.
- Lock the account for five minutes after three consecutive wrong passwords: use the command vi /etc/pam.d/common-auth to modify the configuration file and add auth required pam_tally.so onerr=fail deny=3 unlock_time=300.
2.4 Restricting Users Who Can su to root and Disabling root Login
Use the command vi /etc/pam.d/su to modify the configuration file and add a line restricting su. For example, to allow only users in group test to su to root, add auth required pam_wheel.so group=test.
Disable direct root login.
- First create an ordinary account with a password, so that remote administration still works once root login is disabled.
- Use the command
vi /etc/ssh/sshd_config
to modify the configuration file: set PermitRootLogin to no, save, and run service sshd restart
to restart the service.
III. Security Audit
3.1 Enabling the Audit Policy
The audit scope should cover every operating system user and database user on the server and on important clients.
With the audit policy enabled, system logs can be used to diagnose faults and trace intruders after a system fault or security incident.
Check whether the rsyslog and auditd services are enabled.
rsyslog is usually enabled. If auditd is not running, start it:
# systemctl start auditd
Make the auditd service start at boot:
# systemctl enable auditd
3.2 Setting Log Properties
Audit records must be protected from unexpected deletion, modification or overwriting.
Prevent important log information from being overwritten.
Rotate the log files monthly and keep them for six months. First check the current configuration:
# more /etc/logrotate.conf | grep -v "^#\|^$"
3.3 Enabling syslog
Enable and configure logging.
Steps
The following logs are enabled by default on Linux:
- System log (default): /var/log/messages
- Cron log (default): /var/log/cron
- Security log (default): /var/log/secure
Note: some systems use syslog-ng instead; its configuration file is /etc/syslog-ng/syslog-ng.conf.
Configure more detailed logging as required.
IV. Intrusion Prevention
The operating system (OS) follows the principle of minimal installation: only required components and applications are installed, and system patches are applied promptly by configuring an update server.
Disable unnecessary or irrelevant services to reduce the risk of the system being attacked or penetrated.
Stop the Bluetooth service:
# systemctl stop bluetooth
V. System Resource Control
5.1 Access Control
Terminal access modes and the permitted network address range must be configured to restrict terminal login.
Limiting the IP addresses and access modes from which servers can be reached prevents unauthorized intrusions.
- Use the /etc/hosts.allow and /etc/hosts.deny files to configure access restrictions.
The safest policy is to deny ALL hosts by adding "ALL: ALL@ALL, PARANOID" to /etc/hosts.deny and then listing the hosts that are allowed to access the server in /etc/hosts.allow. The steps are as follows:
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
Edit the hosts.allow file (vi /etc/hosts.allow) and add the hosts that are allowed, for example:
# 202.54.15.99 is the IP address allowed to access the FTP service;
# foo.com is the hostname allowed to access the FTP service.
FTP: 202.54.15.99 foo.com
- You can also use iptables for access control.
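Because hosts.allow is consulted before hosts.deny, it is easy to misjudge what a given pair of files permits. The following added example (not code from the original article) is a small shell model of the hosts_access decision rule, run against constructed copies of the two files above so the outcome for a few daemon/client pairs can be checked before the rules are deployed. The model is deliberately simplified: it handles the ALL wildcard, exact daemon names, exact IP addresses and host names, and user@host client patterns (the user part is ignored); PARANOID, netmask patterns and the optional shell-command field are not implemented.

```shell
#!/bin/sh
# Added example, not from the original article: a simplified model of how
# tcp_wrappers (hosts_access) decides on a connection.
# Order of evaluation: hosts.allow is searched first and a match grants
# access; otherwise hosts.deny is searched and a match refuses; if neither
# file matches, access is granted.

# wrappers_match FILE DAEMON CLIENT -> exit 0 if some rule in FILE matches.
wrappers_match() {
    [ -f "$1" ] || return 1
    awk -v d="$2" -v c="$3" '
        function tokmatch(list, val,    i, k, toks, t) {
            gsub(/,/, " ", list)           # lists may be comma- or space-separated
            k = split(list, toks, " ")
            for (i = 1; i <= k; i++) {
                t = toks[i]
                sub(/^.*@/, "", t)         # user@host -> host
                if (t == "ALL" || t == val) return 1
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }  # comments and blank lines
        {
            n = index($0, ":"); if (n == 0) next
            dlist = substr($0, 1, n - 1)
            clist = substr($0, n + 1)
            m = index(clist, ":")          # drop an optional third (command) field
            if (m > 0) clist = substr(clist, 1, m - 1)
            if (tokmatch(dlist, d) && tokmatch(clist, c)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# wrappers_decision ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints allow or deny;
# exit status 0 for allow and 1 for deny.
wrappers_decision() {
    if wrappers_match "$1" "$3" "$4"; then echo allow; return 0; fi
    if wrappers_match "$2" "$3" "$4"; then echo deny;  return 1; fi
    echo allow; return 0
}

# Constructed copies of the two files from the text, written to a temp dir.
tw_dir=$(mktemp -d)
printf '# Deny access to everyone.\nALL: ALL@ALL, PARANOID\n' > "$tw_dir/hosts.deny"
printf 'FTP: 202.54.15.99 foo.com\nsshd: 192.168.1.10\n' > "$tw_dir/hosts.allow"

# Probe a few daemon/client pairs (sshd rule and 192.168.1.x addresses are constructed).
for probe in "FTP 202.54.15.99" "FTP foo.com" "FTP 10.9.9.9" "sshd 192.168.1.10" "sshd 192.168.1.11"; do
    set -- $probe
    printf '%-6s from %-16s -> %s\n' "$1" "$2" \
        "$(wrappers_decision "$tw_dir/hosts.allow" "$tw_dir/hosts.deny" "$1" "$2")"
done
```

The last probe in the model also shows why the deny file matters: remove hosts.deny and every client not listed in hosts.allow is allowed, because a connection matching neither file is granted.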
5.2 Timeout Lock
A terminal login timeout must be set according to the security policy.
Setting a login timeout frees system resources and improves server security.
Add the following line to /etc/profile:
export TMOUT=900    # 15 minutes
Then apply it:
# source /etc/profile
After changing this setting, log out and log in again as that user for it to take effect.
If necessary, also enable the screen saver:
Set screen saver: Settings -> System Settings -> Screen saver
VI. Best Practices
The following settings further improve the security of a Linux system.
6.1 DoS Attack Defense
Prevent denial-of-service attacks.
TCP SYN protection mechanism
- Enable SYN cookies:
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies    # the default value is 1
With SYN cookies enabled, the kernel switches to cookies when the SYN queue overflows, which defends against small-scale SYN floods. A value of 0 disables the mechanism, so the SYN wait queue is not protected.
- Anti-SYN-flood tuning
Use vi to edit /etc/sysctl.conf and add the following line:
net.ipv4.tcp_max_syn_backlog = 2048
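To check that the two SYN settings above are actually configured, the following added example (not code from the original article) reads them from a sysctl.conf-format file and reports a weak configuration beside a hardened one; both files are constructed here in a temporary directory. The functions can be pointed at /etc/sysctl.conf on a live system; note that the file only describes what sysctl -p will apply, and the value currently in effect is read with sysctl <key>.

```shell
#!/bin/sh
# Added example, not from the original article: read the SYN-flood settings
# from a sysctl.conf-format file and compare them with the hardened values
# given in the text (tcp_syncookies = 1, tcp_max_syn_backlog >= 2048).

# sysctl_value FILE KEY -> prints the last value assigned to KEY in FILE
# (the last assignment wins, as for sysctl itself); prints nothing if unset.
sysctl_value() {
    awk -v k="$2" -F= '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }
    ' "$1"
}

# audit_syn_settings FILE -> one OK/WEAK line per setting; returns 1 if any is weak.
audit_syn_settings() {
    rc=0
    sc=$(sysctl_value "$1" net.ipv4.tcp_syncookies)
    if [ "$sc" = "1" ]; then
        echo "OK   net.ipv4.tcp_syncookies = 1"
    else
        echo "WEAK net.ipv4.tcp_syncookies = ${sc:-unset} (expected 1)"; rc=1
    fi
    bl=$(sysctl_value "$1" net.ipv4.tcp_max_syn_backlog)
    if [ -n "$bl" ] && [ "$bl" -ge 2048 ] 2>/dev/null; then
        echo "OK   net.ipv4.tcp_max_syn_backlog = $bl"
    else
        echo "WEAK net.ipv4.tcp_max_syn_backlog = ${bl:-unset} (expected >= 2048)"; rc=1
    fi
    return $rc
}

# Constructed sample files: a weak configuration and the hardened one.
sy_dir=$(mktemp -d)
cat > "$sy_dir/weak.conf" <<'EOF'
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
EOF
# The commented-out line shows that comments are ignored; "key=value" without
# spaces is accepted as well.
cat > "$sy_dir/hardened.conf" <<'EOF'
# net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog = 2048
EOF

echo "== weak.conf";     audit_syn_settings "$sy_dir/weak.conf"     || echo "   needs hardening"
echo "== hardened.conf"; audit_syn_settings "$sy_dir/hardened.conf" || echo "   needs hardening"
```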
6.2 History Commands
Record the login IP address and execution time for each command in the shell history.
- Keep 10,000 commands:
# sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
- Add the following lines to the end of /etc/profile:
# Source address of the current login session (empty for local console logins)
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
    USER_IP=`hostname`
fi
# Prefix every history entry with date, time, source address and user name
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
# Append to the history file instead of overwriting it, and flush after every command
shopt -s histappend
export PROMPT_COMMAND="history -a"