Wechat official account: Operation and development story, author: Wanger

Linux System Hardening

1. Modify the SSH configuration file to prohibit direct login by the root user

vim /etc/ssh/sshd_config      # edit the daemon configuration
PermitRootLogin no            # directive to set in the file
systemctl restart sshd        # apply the change

2. Modify the password policy configuration file to ensure that the password contains at least eight characters

vim /etc/login.defs
PASS_MIN_LEN    8     # minimum length for new passwords

Other options in /etc/login.defs

PASS_MAX_DAYS 99999   # maximum password validity in days; 99999 means the password never expires
PASS_MIN_DAYS 0       # minimum days between password changes; 0 lets the user change it at any time, a non-zero value blocks another change until that many days have passed
PASS_WARN_AGE 7       # days before expiry at which the user is warned to change the password

The login.defs setting above is not enforced on a PAM-based system; the pam_pwquality line below is what enforces the length, and minlen is the minimum password length.

vim /etc/pam.d/system-auth
# minlen=8 is checked on every password change that goes through this stack
password    requisite     pam_pwquality.so minlen=8 try_first_pass local_users_only retry=4 authtok_type=

Other pam_pwquality options

difok=N      # the new password must differ from the old one in at least N characters
dcredit=N    # N >= 0: maximum credit that digits add to the length score; N < 0: at least -N digits are required
lcredit=N    # the same for lowercase letters
ucredit=N    # the same for uppercase letters
ocredit=N    # the same for other (special) characters
minclass=N   # minimum number of character classes (uppercase, lowercase, digits, special) the password must contain
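The credit options are easiest to understand by running the scoring they describe. The script below is an added example written for this page, not code from the original article or from the pam_pwquality project; it models the documented pam_pwquality decision (length plus per-class credits compared against minlen, then the minclass check) in POSIX sh. The function names and the demo passwords are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): models how pam_pwquality
# turns the options above into an accept/reject decision.
#   credit >= 0 : each character of that class adds up to `credit` to the
#                 length score (so credits let a shorter password reach minlen)
#   credit <  0 : at least -credit characters of that class are required
# minlen is compared with the score (length + credits), not the raw length.
LC_ALL=C
export LC_ALL

# count_class PASSWORD SET: number of characters in PASSWORD that fall in
# the tr(1) character set SET, e.g. '0-9'.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# credit_score COUNT CREDIT: prints the score contribution of one class;
# exit status 1 when a negative credit's minimum is not met.
credit_score() {
    count=$1
    credit=$2
    if [ "$credit" -ge 0 ]; then
        if [ "$count" -gt "$credit" ]; then
            count=$credit
        fi
        echo "$count"
    else
        if [ "$count" -lt $(( -credit )) ]; then
            return 1
        fi
        echo 0
    fi
}

# check_password PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT MINCLASS
# Prints "ok score=N classes=M" and returns 0 when the password is accepted,
# otherwise prints the reason for rejection and returns 1.
check_password() {
    pw=$1; minlen=$2; dcredit=$3; ucredit=$4; lcredit=$5; ocredit=$6; minclass=$7
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    digits=$(count_class "$pw" '0-9')
    upper=$(count_class "$pw" 'A-Z')
    lower=$(count_class "$pw" 'a-z')
    other=$(( len - digits - upper - lower ))   # everything else counts as "special"

    score=$len
    add=$(credit_score "$digits" "$dcredit") || { echo "rejected: fewer than $(( -dcredit )) digits"; return 1; }
    score=$(( score + add ))
    add=$(credit_score "$upper" "$ucredit") || { echo "rejected: fewer than $(( -ucredit )) uppercase letters"; return 1; }
    score=$(( score + add ))
    add=$(credit_score "$lower" "$lcredit") || { echo "rejected: fewer than $(( -lcredit )) lowercase letters"; return 1; }
    score=$(( score + add ))
    add=$(credit_score "$other" "$ocredit") || { echo "rejected: fewer than $(( -ocredit )) special characters"; return 1; }
    score=$(( score + add ))
    if [ "$score" -lt "$minlen" ]; then
        echo "rejected: score $score below minlen=$minlen"
        return 1
    fi

    classes=0
    for n in "$digits" "$upper" "$lower" "$other"; do
        if [ "$n" -gt 0 ]; then classes=$(( classes + 1 )); fi
    done
    if [ "$classes" -lt "$minclass" ]; then
        echo "rejected: only $classes character classes, minclass=$minclass"
        return 1
    fi
    echo "ok score=$score classes=$classes"
}

# Constructed demo passwords against the article's minlen=8 (all credits 0),
# then against a stricter policy that demands a digit and three classes.
for pw in 'abcdefg' 'abcdefgh' 'Passw0rd!'; do
    printf '%-10s minlen=8                     : ' "$pw"
    check_password "$pw" 8 0 0 0 0 0 || true
    printf '%-10s minlen=8 dcredit=-1 minclass=3: ' "$pw"
    check_password "$pw" 8 -1 0 0 0 3 || true
done
```

With credits at 0 (the article's line) the score equals the raw length, so minlen=8 is a plain eight-character rule; a positive dcredit or ucredit lets a seven-character password with a digit or a capital pass, which is why the credit defaults deserve a look when a policy is meant to be strict.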

3. Ensure that the account is locked for five minutes after three incorrect login attempts

vim /etc/pam.d/system-auth
# insert above the pam_unix.so auth line so every attempt is counted;
# unlock_time (not lock_time) releases the lock 300 s after the deny limit
# is exceeded, whereas lock_time would deny access for 300 s after every
# single failure; pam_tally2 is removed from Linux-PAM 1.5.0 onwards, where
# pam_faillock takes its place
auth        required      pam_tally2.so   deny=2  unlock_time=300

Unlocking a User

[root@node2 pam.d]# pam_tally2 -r -u test1
Login           Failures Latest failure     From
test1               1    04/21/20 22:37:54  pts/4


The entry in system-auth above only applies to local (tty) logins, not to remote ones; to cover SSH logins as well, add the same line to the PAM file for sshd.

vim /etc/pam.d/sshd
# same rule for SSH sessions; unlock_time releases the lock after 300 s
auth      required  pam_tally2.so   deny=2  unlock_time=300

4. Restrict su so that ordinary users cannot escalate: only root and members of the wheel group may su to root

vim /etc/pam.d/su
auth required pam_wheel.so group=wheel   # add this line, or
auth required pam_wheel.so use_uid       # uncomment this line

5. Do not respond to ICMP echo requests (ping)

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# takes effect immediately but is lost at reboot; to persist it, set
# net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf

6. Set the idle login timeout to 10 minutes

export TMOUT=600   # seconds; applies to the current shell only, put it in /etc/profile for all login shells

7. Terminate an unauthorized login session

pkill -9 -t pts/0   # kill every process attached to terminal pts/0 (identify the session with w or who first)

8. Configure firewalld to open only the required ports

firewall-cmd --zone=public --add-port=22/tcp --permanent    # SSH
firewall-cmd --zone=public --add-port=443/tcp --permanent   # HTTPS
firewall-cmd --zone=public --add-port=80/tcp --permanent    # HTTP
firewall-cmd --reload                                       # apply the permanent rules
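To confirm that the items above are actually in place on a server, the following POSIX sh audit is added here as an example; it is not code from the original article. It only reads the files this section edits (sshd_config, login.defs, the two PAM files and the ICMP sysctl) and prints PASS or FAIL per item; the TMOUT, pkill and firewalld items are session or daemon state and are not covered. The function names and the audit_host ROOT argument (a directory prefix, / for the running host) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit of the
# Linux items above. Every check takes the file to inspect as its argument,
# so the script can run on a live host (audit_host /) or against a directory
# holding copies of the files. It reports and changes nothing.
LC_ALL=C
export LC_ALL

# sshd honours the first uncommented PermitRootLogin directive it reads.
sshd_root_login_disabled() {
    [ -r "$1" ] || return 1
    v=$(awk '!/^[ \t]*#/ && tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$v" = "no" ]
}

# Effective PASS_MIN_LEN in login.defs (a later line overrides an earlier one; 0 if unset).
login_defs_min_len() {
    [ -r "$1" ] || { echo 0; return; }
    awk '!/^[ \t]*#/ && $1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' "$1"
}

# minlen= on the first uncommented pam_pwquality "password" line (0 if absent).
pwquality_minlen() {
    [ -r "$1" ] || { echo 0; return; }
    awk '!/^[ \t]*#/ && $1 == "password" && $3 == "pam_pwquality.so" {
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^minlen=/) { sub(/^minlen=/, "", $i); v = $i; exit }
         }
         END { print v + 0 }' "$1"
}

# True when an uncommented "auth" line loads pam_tally2.so with a deny= limit.
pam_lockout_configured() {
    [ -r "$1" ] || return 1
    awk '!/^[ \t]*#/ && $1 == "auth" && $3 == "pam_tally2.so" && /deny=/ { found = 1 }
         END { exit !found }' "$1"
}

# icmp_echo_ignore_all reads "1" while the kernel drops echo requests.
icmp_echo_ignored() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# report STATUS TEXT: prints one result line and counts FAILs in $fails.
report() {
    echo "$1 $2"
    if [ "$1" = "FAIL" ]; then fails=$(( fails + 1 )); fi
}

# audit_host ROOT: runs every check below ROOT (use / for the running host),
# prints one PASS/FAIL line per item and returns the number of failures.
audit_host() {
    root=${1%/}
    fails=0
    if sshd_root_login_disabled "$root/etc/ssh/sshd_config"; then
        report PASS "sshd_config: PermitRootLogin no"
    else
        report FAIL "sshd_config: root login over SSH still permitted"
    fi
    n=$(login_defs_min_len "$root/etc/login.defs")
    if [ "$n" -ge 8 ]; then
        report PASS "login.defs: PASS_MIN_LEN $n"
    else
        report FAIL "login.defs: PASS_MIN_LEN $n is below 8"
    fi
    n=$(pwquality_minlen "$root/etc/pam.d/system-auth")
    if [ "$n" -ge 8 ]; then
        report PASS "system-auth: pam_pwquality minlen=$n"
    else
        report FAIL "system-auth: pam_pwquality minlen=$n (below 8 or missing)"
    fi
    for f in system-auth sshd; do
        if pam_lockout_configured "$root/etc/pam.d/$f"; then
            report PASS "$f: pam_tally2 lockout configured"
        else
            report FAIL "$f: no pam_tally2 lockout"
        fi
    done
    if icmp_echo_ignored "$root/proc/sys/net/ipv4/icmp_echo_ignore_all"; then
        report PASS "kernel: ICMP echo requests ignored"
    else
        report FAIL "kernel: ICMP echo requests answered"
    fi
    return "$fails"
}

# Run as: sh audit.sh /    (or sh audit.sh /path/to/copied/tree)
if [ "$#" -gt 0 ]; then
    audit_host "$1"
fi
```

Because the checks parse the files rather than trusting a remembered change, the script also catches the common regressions: a second PermitRootLogin line added later, a pam_tally2 entry that was commented out, or an ICMP setting that did not survive a reboot.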

Windows Server Hardening

1. Change the Remote Desktop port (3389)

Port 3389 is the Remote Desktop service port on Windows Server; connecting to the remote desktop goes through this port, and leaving the well-known port exposed is a security risk. Provided that neither daily work nor security is affected, the system is hardened by moving Remote Desktop to a different port. Click Start, then Run, enter regedit to open the Registry Editor, and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

In the right-hand pane find the PortNumber value (default 3389), select Decimal, and change it to 5433. Then open the registry again and go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Find the PortNumber value in the right-hand pane (default 3389) and change it to 5433 in decimal as well. The port number must be the same in both places.

Restart the computer and verify the result: port 3389 no longer accepts Remote Desktop connections, and port 5433 does. Open the new port in the Windows Firewall before restarting, otherwise remote access is lost.

2. Set the security policy to forbid anonymous enumeration of SAM accounts, and of SAM accounts and shares

Choose Start, Administrative Tools, Domain Security Policy. On the Domain Security Policy page, under Local Policies, Security Options, double-click "Do not allow anonymous enumeration of SAM accounts". In the properties dialog that opens, select Enabled.

3. Set the group policy to block access to registry editing tools

Enter gpedit.msc in the Run box to open the Group Policy editor. Double-click through User Configuration, Administrative Templates, System, and open "Prevent access to registry editing tools". On its properties page, select Enabled.

4. Enable auditing of object access, directory service access and system events, for both success and failure

On the Audit Policy page under Local Policies, double-click Audit object access. On its properties page, select both the Success and Failure check boxes. Then double-click Audit logon events and select Success and Failure on its properties page as well.

5. Close port 445 (file and printer sharing)

In Network Connections, open Local Area Connection and clear the "File and Printer Sharing for Microsoft Networks" check box.

6. Require a password when the screen saver resumes

Right-click the desktop and choose Properties. In the Display Properties dialog, open the Screen Saver tab and select "On resume, password protect".

7. Set the Windows password policy: passwords must meet complexity requirements, the minimum length is eight characters, and the maximum password age is 30 days

On the Password Policy page of the Local Security Policy, double-click Maximum password age and enter 30. Double-click "Password must meet complexity requirements" and select Enabled in its properties. Double-click Minimum password length and enter 8 in its properties.

8. Set "Reset account lockout counter after" to 30 minutes, "Account lockout duration" to 30 minutes, and "Account lockout threshold" to 6 invalid logon attempts

Open Domain Security Policy under Administrative Tools in the Start menu.

On the Domain Security Policy page, double-click "Reset account lockout counter after" under Account Lockout Policy and enter 30 in its properties.

On the same page, double-click "Account lockout threshold" under Account Lockout Policy and enter 6 in its properties.

9. Enable the Windows Firewall, block ping, and allow services such as Remote Desktop (3389) and HTTP (80)

On the Windows Firewall page, select On. Click the Advanced tab, then the ICMP Settings button, and leave every option on that settings page unselected. On the Exceptions tab, select "HTTP" and "Remote Desktop" and click OK.

10. Disable the default shares

The default shares are convenient, but they also expose the system, so they need to be managed to avoid unnecessary risk. Right-click My Computer, then Manage, Services and Applications, Services, Server, and disable the Server service.