Linux security compliance check and hardening

Brother of migrant workers 2021-01-22 14:02:07

This article is intended to guide system administrators and security auditors through a security compliance check and hardening of the Linux operating system. Fourteen Linux system security tips; there is always one that applies to you!

1. Accounts and passwords

1.1 Disable or delete unused accounts

Reduce the number of unused accounts on the system to reduce security risk.

Operation steps

  • Use the command userdel <username> to delete an unnecessary account.
  • Use the command passwd -l <username> to lock an unnecessary account.
  • Use the command passwd -u <username> to unlock an account that is needed again.

1.2 Check special accounts

Check for accounts with an empty password and accounts with root privileges.

Operation steps

  1. List the empty-password accounts and the root-privileged accounts, and confirm whether any of them are abnormal:
  • Use the command awk -F: '($2=="")' /etc/shadow to list accounts whose password field is empty.
  • Use the command awk -F: '($3==0)' /etc/passwd to list accounts whose UID is 0.
  2. Fix what you find:
  • Use the command passwd <username> to set a password for each empty-password account.
  • Confirm that root is the only account with UID 0.

1.3 Add a password policy

Increase password complexity and similar requirements to reduce the chance of a password being guessed.

Operation steps

  1. Use the command vi /etc/login.defs to edit the configuration file and set:
  • PASS_MAX_DAYS 90 # maximum number of days a new user's password may be used
  • PASS_MIN_DAYS 0 # minimum number of days before a new user's password may be changed
  • PASS_WARN_AGE 7 # number of days before expiry that a new user is warned
  2. Use the chage command to change an existing user's settings.
     For example, chage -m 0 -M 30 -E 2000-01-01 -W 7 <username> sets that user's maximum password age to 30 days and minimum to 0 days, expires the password on 1 January 2000, and warns the user seven days before expiry.
  3. Lock the account for five minutes after three consecutive wrong passwords: use the command vi /etc/pam.d/common-auth to edit the configuration file and add the line auth required pam_tally.so onerr=fail deny=3 unlock_time=300.
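The checks from 1.2 and 1.3 (empty passwords, extra UID 0 accounts, and a per-user maximum password age above PASS_MAX_DAYS) combined into one audit script, run here against constructed sample files in a temporary directory. This is an added example, not code from the original post; the file paths are assumptions and the sample data is made up.

```shell
#!/bin/sh
# Added example, not code from the original post: runs the 1.2 and 1.3 checks
# (empty passwords, extra UID 0 accounts, max password age above PASS_MAX_DAYS)
# on constructed copies of /etc/passwd, /etc/shadow and /etc/login.defs in a
# temp dir. The *_FILE paths are assumptions; point them at the real files (as
# root) to audit a live host.
SAMPLE_DIR=$(mktemp -d)
PASSWD_FILE="$SAMPLE_DIR/passwd"
SHADOW_FILE="$SAMPLE_DIR/shadow"
LOGIN_DEFS="$SAMPLE_DIR/login.defs"
# Constructed samples: one finding of each kind, plus a locked system account
# (daemon) that the aging check must skip.
write_samples() {
  cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
  cat > "$SHADOW_FILE" <<'EOF'
root:$6$constructed$hash:18900:0:99999:7:::
toor:$6$constructed$hash:18900:0:90:7:::
daemon:*:18900:0:99999:7:::
alice::18900:0:90:7:::
bob:$6$constructed$hash:18900:0:365:7:::
EOF
  cat > "$LOGIN_DEFS" <<'EOF'
# PASS_MAX_DAYS 30   (a commented-out value must be ignored)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
}
# Policy value from login.defs; the last uncommented PASS_MAX_DAYS line wins.
policy_max_days() {
  awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v + 0 }' "$LOGIN_DEFS"
}
# Prints one "FINDING account [detail]" line per problem; always returns 0.
audit_accounts() {
  awk -F: '$2 == "" { print "EMPTY_PASSWORD " $1 }' "$SHADOW_FILE"
  awk -F: '$3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }' "$PASSWD_FILE"
  # Shadow field 5 is the max age in days (empty = never expires). Locked
  # entries (hash starting with ! or *) cannot log in and are skipped.
  awk -F: -v max="$(policy_max_days)" '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max) {
    print "PASS_MAX_DAYS_EXCEEDED " $1 " " ($5 == "" ? "none" : $5) }' "$SHADOW_FILE"
}
write_samples
audit_accounts
```

The sample reports alice (empty password), toor (second UID 0) and root and bob (max age 99999 and 365 days against a policy of 90), while the locked daemon account is skipped.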

1.4 Restrict su

Limit which users can su to root.

Operation steps

Use the command vi /etc/pam.d/su to edit the configuration file and add a line. For example, to allow only users in the test group to su to root, add auth required pam_wheel.so group=test.

1.5 Prohibit direct root login

Prevent the root user from logging in directly.

Operation steps

  1. Create a normal account and set its password, so that remote login remains possible;
  2. Use the command vi /etc/ssh/sshd_config to edit the configuration file, change the value of PermitRootLogin to no, save, and then restart the service with service sshd restart.

2. Services

2.1 Shut down unnecessary services

Shut down unnecessary services (both regular services and xinetd-managed services) to reduce risk.

Operation steps

Use the command systemctl disable <service name> so that the service does not start automatically at boot.

Note: on older Linux releases (such as CentOS 6) you can use the command chkconfig --level <init level> <service name> off so that the service does not start automatically at the given init level.

2.2 SSH service security

Harden the SSH service to prevent brute-force attacks from succeeding.

Operation steps

Use the command vim /etc/ssh/sshd_config to edit the configuration file.

  • Do not allow the root account to log in to the system directly.
    Set PermitRootLogin to no.
  • Change the SSH protocol version in use.
    Set Protocol to 2.
  • Change the number of password failures allowed (the default is 6).
    Set MaxAuthTries to 3.

After modifying the configuration file, restart the sshd service for the changes to take effect.
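A compliance check for the three sshd_config settings above, written here as an added example (not code from the original post) against a constructed sample file. It handles the cases that trip up a naive grep: commented-out directives, case-insensitive keywords, and a repeated keyword where sshd keeps the first value.

```shell
#!/bin/sh
# Added example, not code from the original post: checks an sshd_config for the
# three settings in 2.2 (PermitRootLogin no, Protocol 2, MaxAuthTries at most
# 3). Keywords are case-insensitive, "#" starts a comment, and when a keyword
# is repeated sshd keeps the FIRST value, so the check does the same. Settings
# inside Match blocks are not evaluated. The sample path is an assumption.
SAMPLE=$(mktemp)
# Constructed sample: a commented-out hardening line that changes nothing, a
# duplicated MaxAuthTries where only the first value counts, and no Protocol.
write_sample() {
  cat > "$1" <<'EOF'
# PermitRootLogin no
permitrootlogin yes
MaxAuthTries 6
MaxAuthTries 3
PasswordAuthentication yes
EOF
}
# Effective value of keyword $2 in file $1: first uncommented match, compared
# case-insensitively. Prints nothing when absent (sshd then uses its default).
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    tolower($1) == key { print $2; exit }' "$1"
}
# Prints one "FAIL keyword actual" line per deviating setting in file $1;
# always returns 0 so it can be used under set -e.
audit_sshd() {
  v=$(sshd_value "$1" PermitRootLogin)
  [ "$v" = "no" ] || echo "FAIL PermitRootLogin ${v:-<default>}"
  v=$(sshd_value "$1" Protocol)
  [ "$v" = "2" ] || echo "FAIL Protocol ${v:-<default>}"
  v=$(sshd_value "$1" MaxAuthTries)
  # The post's default of 6 applies when the keyword is missing.
  [ "${v:-6}" -le 3 ] || echo "FAIL MaxAuthTries ${v:-6}"
  return 0
}
write_sample "$SAMPLE"
audit_sshd "$SAMPLE"
```

Recent OpenSSH releases removed protocol 1 entirely and treat the Protocol keyword as deprecated, so on those hosts a missing Protocol line is informational only; the other two checks apply unchanged.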

3. File system

3.1 Set the umask value

Set the default umask value to enhance security.

Operation steps

Use the command vi /etc/profile to edit the configuration file and add the line umask 027. With this value the owner of a newly created file has read and write permission, users in the same group have read and execute permission, and other users have no permission.

3.2 Set a login timeout

Set a connection timeout for logged-in sessions to enhance security.

Operation steps

Use the command vi /etc/profile to edit the configuration file, find the line beginning with TMOUT= and set it to TMOUT=180, i.e. a timeout of three minutes.

4. Logs

4.1 syslogd logs

Enable logging and configure what is logged.

Operation steps

Linux enables the following logs by default:

  • System log (default) /var/log/messages
  • cron log (default) /var/log/cron
  • Security log (default) /var/log/secure

Note: some systems use syslog-ng instead; its configuration file is /etc/syslog-ng/syslog-ng.conf.

You can configure more detailed logging according to your needs.

4.2 Login and operation logs for all users

Use a script to record every user's login and command history, so that a security incident does not go without evidence.

Operation steps

1. Open the profile

[root@xxx /]# vim /etc/profile

2. Append the following to the configuration file:

# Record each interactive session's command history in a per-user file
# named <user>@<login IP>_<timestamp> under /var/log/history.
history
USER=`whoami`
# Login source of this session; "who -u am i" prints it in parentheses
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
# Shared top-level directory; every user must be able to create a subdirectory in it
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
# Per-user directory: writable and searchable by the user but not listable (mode 300)
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
# Keep earlier session files private to their owner (the original glob *history*
# never matched, because the file names do not contain the word "history")
chmod 600 /var/log/history/${LOGNAME}/* 2>/dev/null

3. Reload the configuration so that it takes effect.

[root@xxx /]# source /etc/profile

Note: /var/log/history is where the logs are stored; you can change it.

After the above steps, a folder is created for each user under /var/log/history. Each time a user logs out, a log file named with the user name, login IP and time is generated that contains every command the user ran in that session (except for the root user).

author :William92
link : https://www.jianshu.com/p/7f6...


Copyright notice
This article was created by [Brother of migrant workers]; please include a link to the original when reposting. Thank you.
https://javamana.com/2021/01/20210122135648225L.html
