  Linux (RHEL5) general system security optimization
     
  Add Date : 2018-11-21      
         
         
         
  Basic security measures

1. Remove or disable users and groups that the system does not use

# passwd -l wang // lock the account wang

# passwd -u wang // unlock the account wang

or

# vi /etc/shadow // save with :wq! because the file is read-only

Add two exclamation marks (!!) in front of the password string.

2. Make sure the login shell of program or service accounts is not usable

# vi /etc/passwd // change the user's login shell to /sbin/nologin

or

# usermod -s /sbin/nologin wang

3. Limit the validity period of user passwords (maximum number of days)

# vi /etc/login.defs // only effective for newly created users

PASS_MAX_DAYS 30

or

# chage -M 30 wang // only effective for the existing user wang

4. Require a user to change the password at next login

# chage -d 0 wang

or

# vi /etc/shadow

// set the LAST DAY field (the third colon-separated column) of user wang in the shadow file to 0

5. Set a minimum length for user passwords

# vi /etc/pam.d/system-auth

password requisite pam_cracklib.so try_first_pass retry=3 minlen=12

retry: number of retries; minlen: minimum password length (security level)

6. Limit the number of command history entries kept

# vi /etc/profile

HISTSIZE=50 // default is 1000

# echo "history -c" >> ~/.bash_logout // clear the command history at logout

7. Set an idle timeout after which the terminal is logged out automatically

# vi /etc/profile

export TMOUT=600 // add this line
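
The account states set in items 1 to 4 can be read back from the passwd and shadow files. The following is an added example, not part of the original article: it flags locked accounts (leading !), forced password changes (third field 0), empty password fields, and login accounts whose maximum password age exceeds the limit. The function name, flag names and sample entries are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original page): flag risky account states.
# audit_accounts PASSWD SHADOW [MAX_DAYS] prints "user: FLAG ..." per flagged account.
audit_accounts() {
    awk -F: -v max="${3:-30}" '
        NR == FNR { shell[$1] = $7; next }        # first file: remember login shells
        {
            flags = ""
            if ($2 == "")  flags = flags " EMPTY_PASSWORD"   # e.g. after usermod -p ""
            if ($2 ~ /^!/) flags = flags " LOCKED"           # prefix added by passwd -l
            if ($3 == "0") flags = flags " MUST_CHANGE"      # set by chage -d 0
            usable = ($2 != "" && $2 !~ /^[!*]/)             # field holds a real hash
            login  = (shell[$1] !~ /(nologin|false)$/)       # account can get a shell
            if (usable && login && ($5 == "" || $5 + 0 > max + 0))
                flags = flags " MAX_DAYS>" max               # chage -M not applied
            if (flags != "") print $1 ":" flags
        }' "$1" "$2"
}

# Constructed sample data in /etc/passwd and /etc/shadow format.
sample=$(mktemp -d)
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
wang:x:500:500::/home/wang:/bin/bash
nan:x:501:501::/home/nan:/bin/bash
user1:x:502:502::/home/user1:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
EOF
cat > "$sample/shadow" <<'EOF'
root:$1$constructed$hash:17000:0:30:7:::
wang:!!$1$constructed$hash:17000:0:30:7:::
nan:$1$constructed$hash:0:0:99999:7:::
user1::17000:0:30:7:::
ftp:*:17000:0:99999:7:::
EOF

audit_accounts "$sample/passwd" "$sample/shadow" 30
```

On a real system, run it as root: audit_accounts /etc/passwd /etc/shadow 30.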

Using su to switch user identity

su [-] username

What the [-] option changes:

With -: equivalent to --login; the target user's login shell environment, working directory, PATH variable, etc. are used

Without -: the original environment is kept, which is inconvenient

Example of using su

Allow the user wang to switch to the root identity through the su command to perform administrative tasks

Prohibit other users from using the su command to switch identities

(1) Add the users who are allowed to use su to the wheel group

# gpasswd -a wang wheel

# id wang // view the supplementary groups of wang

(2) Modify the PAM settings to add pam_wheel authentication

# vi /etc/pam.d/su

auth required pam_wheel.so use_uid // remove the # at the start of this line

(3) Verify su permissions

Using sudo to elevate execution privileges

1. The /etc/sudoers configuration file (edit it with visudo)

The sudo command provides a mechanism whereby, once authorized in advance in the /etc/sudoers configuration file, a specific user can execute commands as the superuser (or another ordinary user) without knowing the root (or other user's) password. The common syntax is as follows:

user MACHINE=COMMANDS

user: the user being authorized

MACHINE: the hosts on which the authorized user may use sudo

COMMANDS: the commands the authorized user may invoke through sudo; multiple commands are separated by commas

In the /etc/sudoers configuration file, the user, host and command parts can each be replaced by a custom alias, in the following format:

User_Alias OPERATORS = jerry, tom, tsengyia

Host_Alias MAILSERVERS = smtp, pop

Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum

2. Running sudo

sudo -l: list the sudo commands the current user is authorized to use

sudo -k: clear the timestamp; the next sudo command has to verify the password again

sudo -v: refresh the timestamp (if necessary, the system asks for the user's password)

Case description:

Because the system administration workload is heavy, user account management is to be handed over to dedicated management team members

Create the group account managers and authorize each member of the group to add, delete and change user accounts

(1) Create the management group account managers

# groupadd managers

(2) Add the administrator accounts, such as wang, to the managers group

# gpasswd -M wang,nan managers // -M sets the member list of the group (comma-separated)

(3) Edit the sudo configuration file to grant the managers group the user management commands useradd, userdel, etc.

# visudo

Cmnd_Alias USERADM = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod

%managers localhost = USERADM

(4) Log in with the wang account and verify that it can add and delete users

# su - wang

# whoami

# sudo -l

# sudo /usr/sbin/useradd user1

# sudo /usr/sbin/usermod -p "" user1

# sudo /usr/sbin/userdel -r user1

File and file system security optimization

File system level security optimization

1. Plan the system partitions sensibly

Directories recommended to be placed on separate partitions:

/boot: 200 MB or more in size.

/home: this directory is where users' home directories are located by default; if the server has a large number of users, the disk space each user will consume usually cannot be predicted

/var: this directory holds the system logs, runtime state, user mailboxes and similar directories; files are read and written frequently, so it may need more space

/opt: used to install add-on server applications and other optional tools, which makes later expansion easier

2. Use mount options to prohibit execution of set-bit programs and binaries

Make the execute (x) permission of program files in the /var partition ineffective, which prohibits direct execution of binaries on that partition

# vi /etc/fstab

/dev/sdc1 /var ext3 defaults,noexec 1 2

# mount -o remount /var

To disable the suid or sgid permission bits at the file system level, replace noexec above with nosuid

3. Lock system files that should not be changed

Use the +i attribute to lock the services, passwd and grub.conf files (system users can then no longer be added normally)

# chattr +i /etc/services /etc/passwd /boot/grub/grub.conf

Release the +i lock on the /etc/passwd file

# lsattr /etc/passwd // view the attribute state of the file

# chattr -i /etc/passwd
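
To confirm that the mount options from item 2 are present, the following added example (not part of the original article) reports which required options a mount point lacks in a file with fstab field layout. The function name is hypothetical, and the sample fstab is constructed apart from the /var line taken from the text.

```shell
#!/bin/bash
# Added example (not from the original page): check mount options per mount point.
# missing_mount_opts FILE MOUNTPOINT OPT [OPT...]
# FILE uses fstab field layout (/etc/fstab or /proc/mounts). Prints each required
# option that is absent, or NOT_FOUND when the mount point has no entry.
missing_mount_opts() {
    local file=$1 mp=$2
    shift 2
    awk -v mp="$mp" -v want="$*" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $2 == mp { found = 1; opts = $4 }       # the last matching entry wins
        END {
            if (!found) { print "NOT_FOUND"; exit }
            n = split(opts, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(want, w, " ")
            for (i = 1; i <= m; i++) if (!(w[i] in set)) print w[i]
        }' "$file"
}

# Constructed sample fstab; the /var line is the one from the text above.
fstab=$(mktemp)
cat > "$fstab" <<'EOF'
# device     mount   type  options          dump pass
/dev/sda1    /boot   ext3  defaults         1 2
/dev/sda2    /       ext3  defaults         1 1
/dev/sdb1    /home   ext3  defaults,nosuid  1 2
/dev/sdc1    /var    ext3  defaults,noexec  1 2
EOF

missing_mount_opts "$fstab" /var noexec nosuid     # prints: nosuid
missing_mount_opts "$fstab" /home nosuid           # prints nothing
missing_mount_opts "$fstab" /opt noexec            # prints: NOT_FOUND
```

Running the same function against /proc/mounts shows whether the remount has actually taken effect on the running system.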

Applications and services

1. Turn off unnecessary system services

2. Prohibit ordinary users from running scripts in the init.d directory

# chmod -R o-rwx /etc/init.d

or

# chmod -R 750 /etc/init.d

3. Prohibit ordinary users from running console programs

Each file in the /etc/security/console.apps/ directory corresponds to a system program; if you do not want ordinary users to call these console programs, remove the corresponding configuration files

# cd /etc/security/console.apps/

# tar jcpvf /etc/conhlp.pw.tar.bz2 poweroff halt reboot --remove-files // archive the files, then remove the originals

4. Remove unneeded set-uid or set-gid bits from program files

Find the files on the system that have the set-uid or set-gid permission set; combined with the -exec option, display the detailed permission attributes of these files

# find / -type f -perm +6000 -exec ls -lh {} \; // newer findutils: use -perm /6000 instead of +6000

Remove the suid/sgid permission bits from a program file

# chmod a-s /tmp/back.vim

Write a shell script that checks the system for newly added files with the suid or sgid permission bits

(1) While the system is in a clean state, create a list of the legitimate suid/sgid files to serve as the basis of comparison for detecting new, suspicious suid files

# find / -type f -perm +6000 > /etc/sfilelist

# chmod 600 /etc/sfilelist

(2) Create the chksfile script, which compares against sfilelist and outputs new files with the suid/sgid attributes

# vi /usr/sbin/chksfile

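#!/bin/bash
# Print suid/sgid files that are not listed in the baseline /etc/sfilelist
OLD_LIST=/etc/sfilelist
for i in `find / -type f -perm +6000`
do
    # -x matches the whole line, so /bin/su is not hidden by /bin/sudo
    grep -Fx "$i" "$OLD_LIST" > /dev/null
    [ $? -ne 0 ] && ls -lh "$i"
done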

# chmod 700 /usr/sbin/chksfile

(3) Run the chksfile script to check for new suid/sgid files

# cp /bin/touch /bin/mytouch // create a test file

# chmod 4755 /bin/mytouch

# chksfile // run the script and print the check results

Optimize system boot and login security

Boot and shutdown security control

1. Adjust the BIOS boot settings

Set the first-priority boot device to the hard disk where the current system resides and set the other boot devices to Disabled. Set a BIOS administrator password and set the security level to setup

2. Prevent users from rebooting the system with the Ctrl+Alt+Del hotkey

# vi /etc/inittab

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now // comment out this line

# init q // make the configuration file take effect immediately

GRUB boot menu encryption

Setting a plain-text password in the grub.conf file

# vi /boot/grub/grub.conf

password 123456 // required only when changing the GRUB boot parameters

title Red Hat Enterprise Linux Server (2.6.18-8.el5)

         root (hd0,0)

password 1234 // password required to boot into the system

Setting an MD5-encrypted password string in the grub.conf file

# vi mima

wang

wang

# grub-md5-crypt < mima >> /boot/grub/grub.conf

Terminal login control

1. Immediately prohibit ordinary users from logging in

# touch /etc/nologin // the /etc/nologin file immediately bans ordinary users from logging in to the system

2. Control which tty terminals are opened on the server

# vi /etc/inittab

3. Control which tty terminals the root user is allowed to log in from

# vi /etc/securetty

4. Change the system login prompt to hide kernel version information

Modify the /etc/issue and /etc/issue.net files (used for local login and network login respectively)

# vi /etc/issue

Welcome to server

# cp -f /etc/issue /etc/issue.net

5. Use pam_access to control where users may log in from

pam_access reads the /etc/security/access.conf configuration file; each line consists of three fields, permission, users and origins, separated by colons

Permission: a plus sign + or a minus sign -, meaning allow or deny respectively

Users: the user name part; multiple user names are separated by spaces, and a group is written in the form @groupname. ALL means all users

Origins: the terminal or remote address the user logs in from; multiple origins are separated by spaces

Example: prohibit all users except root from logging in to the system on the tty1 terminal

# vi /etc/pam.d/login // add authentication support to the login PAM configuration file

account required pam_access.so

# vi /etc/security/access.conf

-:ALL EXCEPT root:tty1

Example: prohibit the root user from logging in remotely from 192.168.1.0/24, 172.16.0.0/8

# vi /etc/pam.d/sshd // add authentication support to the sshd PAM configuration file

account required pam_access.so

# vi /etc/security/access.conf

-:root:192.168.1.0/24 172.16.0.0/8
     
         
         
         