Linux system basic safety measures:
1) System account cleanup:
Common non-login users include bin, daemon, adm, lp, mail, nobody, apache, mysql, dbus, ftp, gdm and the like.
To keep the system secure, the login shell of these users is normally /sbin/nologin, so terminal login is disabled.
Some users are rarely used, such as news, uucp, games and gopher; these can be treated as redundant accounts and deleted directly.
For an account that has not been used on the server for a long time and for which it cannot yet be determined whether it should be removed, lock it temporarily.
eg: lock and unlock the zqq user account:
If the set of server user accounts is fixed and will no longer be modified, the account configuration files themselves can be locked.
Use the chattr command with the "+i" and "-i" options to lock and unlock the files, and the lsattr command to view their lock status.
[root@abctest ~]# chattr +i /etc/passwd /etc/shadow
[root@abctest ~]# lsattr /etc/passwd /etc/shadow
While the account files are locked, their contents cannot be changed (useradd, usermod and passwd will fail until the attribute is removed with chattr -i).
2) Password security control:
To reduce the risk of passwords being guessed or brute-forced, users should get into the habit of changing passwords regularly.
The administrator can limit, on the server side, the maximum number of days a user's password stays valid; when a password has expired the user is required to set a new one at login, otherwise the login is refused.
eg: set the password expiry to 30 days (chage sets the password validity period):
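The following is an added example (not part of the original notes) that audits passwd- and shadow-format records for the two points above: accounts that can still log in, the redundant accounts the notes list, and passwords whose maximum age exceeds 30 days. The records are constructed samples; PASSWD_FILE and SHADOW_FILE are assumed environment variables for pointing it at real files.

```shell
#!/bin/sh
# Added example (not from the page): audits passwd/shadow-format records for
# the points in 1) and 2). The records below are constructed samples; set
# PASSWD_FILE / SHADOW_FILE to audit real files (reading /etc/shadow needs root).
# The elided steps in the notes correspond to: usermod -L zqq / usermod -U zqq
# (lock, unlock) and chage -M 30 zqq (30-day maximum password age).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
games:x:12:100:games:/usr/games:/sbin/nologin
zqq:x:500:500::/home/zqq:/bin/bash
wzx:x:501:501::/home/wzx:/bin/bash'
SHADOW_SAMPLE='root:$6$SAMPLEHASH:15000:0:99999:7:::
zqq:$6$SAMPLEHASH:15000:0:30:7:::
wzx:!$6$SAMPLEHASH:15000:0:99999:7:::'
REDUNDANT='news uucp games gopher'

passwd_data() { if [ -n "$PASSWD_FILE" ]; then cat "$PASSWD_FILE"; else printf '%s\n' "$PASSWD_SAMPLE"; fi; }
shadow_data() { if [ -n "$SHADOW_FILE" ]; then cat "$SHADOW_FILE"; else printf '%s\n' "$SHADOW_SAMPLE"; fi; }

# Accounts that can still log in: any shell other than /sbin/nologin
# (an empty 7th field means /bin/sh, so it counts as a login shell).
login_accounts() {
  passwd_data | awk -F: '$7 != "/sbin/nologin" { print $1 }'
}

# Accounts from the redundant list that still exist and are candidates for deletion.
redundant_accounts() {
  passwd_data | awk -F: -v list="$REDUNDANT" '
    BEGIN { n = split(list, r, " "); for (i = 1; i <= n; i++) red[r[i]] = 1 }
    ($1 in red) { print $1 }'
}

# Accounts whose password never expires or expires later than $1 days (default 30).
# Locked accounts (hash prefixed with "!" or "*") are skipped.
lax_expiry_accounts() {
  shadow_data | awk -F: -v max="${1:-30}" '
    $2 ~ /^[!*]/ { next }
    $5 == "" || $5 + 0 > max { print $1 }'
}
```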
3) Command history and automatic logout:
The shell's command history mechanism is a great convenience for users, but it also carries considerable risk, since everything typed at the prompt stays readable in the history file.
In a Bash terminal environment the number of history entries kept is controlled by the HISTSIZE variable, which defaults to 1000. Changing the HISTSIZE value in the /etc/profile file affects all users of the system.
eg: limit the command history to 150 entries:
[root@abctest ~]# vim /etc/profile    -- applies to users who log in afterwards
In addition, you can edit the ~/.bash_logout file in the user's home directory and add a statement that empties the history.
eg: delete the recorded command history when the user exits the Bash environment:
[root@abctest ~]# vim ~/.bash_logout
In a Bash terminal environment you can also set an idle timeout: once no operation has been performed for longer than the specified time, the terminal is logged out automatically.
The idle timeout is controlled by the TMOUT variable, in seconds.
Avoid setting the TMOUT variable while a lengthy operation such as compiling code or modifying the system configuration is in progress; if necessary, cancel it with the "unset TMOUT" command.
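An added example (not part of the original notes) that applies the three settings above as a /etc/profile.d drop-in plus a ~/.bash_logout hook and then checks a profile file against that policy. HISTSIZE=150 is the value from the notes; TMOUT=600 and the file name history-timeout.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): applies the three settings from 3) as a
# /etc/profile.d drop-in plus a ~/.bash_logout hook, and checks a profile file
# against that policy. HISTSIZE=150 is the page's value; TMOUT=600 (10 minutes)
# is an assumed value, the page names no number. Paths are parameters so the
# functions can be tried on a scratch directory before touching /etc.
HIST_LIMIT=150
IDLE_SECS=600

# write_shell_policy PROFILE_D HOME_DIR
write_shell_policy() {
  cat > "$1/history-timeout.sh" <<EOF
# keep at most $HIST_LIMIT history entries; log idle shells out after $IDLE_SECS seconds
HISTSIZE=$HIST_LIMIT
TMOUT=$IDLE_SECS
export HISTSIZE TMOUT
EOF
  # the .bash_logout step: wipe the history record when the login shell exits
  printf 'history -c\nrm -f ~/.bash_history\n' >> "$2/.bash_logout"
}

# get_var NAME FILE: value of the last NAME= assignment in FILE (export prefix allowed)
get_var() {
  awk -v n="$1" '$0 ~ "^[ \t]*(export )?" n "=" {
    sub(/^[^=]*=/, ""); sub(/[ \t#].*/, ""); v = $0 } END { print v }' "$2"
}

# check_shell_policy FILE: "ok" when HISTSIZE <= 150 and TMOUT is set within 1..600
check_shell_policy() {
  h=$(get_var HISTSIZE "$1"); t=$(get_var TMOUT "$1")
  if [ -n "$h" ] && [ "$h" -le "$HIST_LIMIT" ] &&
     [ -n "$t" ] && [ "$t" -gt 0 ] && [ "$t" -le "$IDLE_SECS" ]; then
    echo ok
  else
    echo "weak: HISTSIZE=${h:-unset} TMOUT=${t:-unset}"
  fi
}
```

Declaring TMOUT readonly in the drop-in stops users from cancelling it, but that also removes the "unset TMOUT" escape hatch described above for long-running jobs.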
User switching and privilege elevation:
On most Linux servers it is not recommended that users log in directly as the root user.
This reduces the damage caused by operator mistakes, and it also reduces the risk of the privileged password being compromised on an insecure network.
1) su command - switching users:
The su command switches to a specified user, so that the caller obtains all of that user's permissions.
eg: the root user is currently logged in; switch to user zqq:
Note: "-" is equivalent to "--login" or "-l" and means that the target user's login shell environment is entered after switching. Without this option only the identity is switched; the user environment is not.
To tighten control over use of the su command, the pam_wheel authentication module can be used so that only a few users are allowed to switch with su.
Implementation: add the users authorised to use su to the wheel group, then edit the /etc/pam.d/su authentication configuration to enable pam_wheel authentication.
Once pam_wheel authentication is enabled, users who have not been added to the wheel group can no longer use su; their switching attempts are rejected as "incorrect password".
Every user switch made with su is recorded in the security log file /var/log/secure.
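An added example (not part of the original notes) that reviews su activity in /var/log/secure-style lines and checks that the pam_wheel restriction is active in /etc/pam.d/su. The log lines are constructed samples in the pam_unix format, and SECURE_FILE is an assumed variable for reading a real log.

```shell
#!/bin/sh
# Added example (not from the page): reviews su activity from /var/log/secure,
# where the page says every su switch is recorded, and checks that pam_wheel is
# active in /etc/pam.d/su. The log lines are constructed samples in the pam_unix
# format; set SECURE_FILE to read a real log instead.
SECURE_SAMPLE='Jun 12 09:01:10 abctest su: pam_unix(su-l:session): session opened for user root by zqq(uid=500)
Jun 12 09:02:15 abctest su: pam_unix(su-l:auth): authentication failure; logname=wzx uid=501 euid=0 tty=pts/1 ruser=wzx rhost=  user=root
Jun 12 09:02:40 abctest su: pam_unix(su-l:auth): authentication failure; logname=wzx uid=501 euid=0 tty=pts/1 ruser=wzx rhost=  user=root
Jun 12 09:03:05 abctest su: pam_unix(su-l:session): session opened for user zqq by root(uid=0)
Jun 12 09:05:00 abctest sshd[2201]: Accepted password for zqq from 192.0.2.10 port 51022 ssh2'

secure_log() { if [ -n "$SECURE_FILE" ]; then cat "$SECURE_FILE"; else printf '%s\n' "$SECURE_SAMPLE"; fi; }

# su_to_root_sessions: one line per successful su to root, naming the caller
su_to_root_sessions() {
  secure_log | awk '/ su: .*session opened for user root by / {
    sub(/.*by /, ""); sub(/\(.*/, ""); print }'
}

# su_root_failures: "<count> <user>" per account that failed to su to root, most first
su_root_failures() {
  secure_log | awk '/ su: .*authentication failure; .*user=root/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^logname=/) { split($i, kv, "="); n[kv[2]]++ }
    }
    END { for (u in n) print n[u], u }' | sort -rn
}

# pam_wheel_enabled FILE: succeeds when FILE (/etc/pam.d/su) has an active,
# uncommented "auth required pam_wheel.so" line, i.e. the restriction is in force.
pam_wheel_enabled() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}
```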
2) sudo command - elevating privileges:
sudo executes a command with elevated privileges, but the administrator must grant authorisation in advance, specifying which users may execute which commands as root or as another user.
Authorisations are added in the configuration file /etc/sudoers:
The sudo configuration file is /etc/sudoers; its default permission mode is 440, and it should be edited with the dedicated visudo tool, which checks the syntax before saving.
Format: user MACHINE=COMMANDS
The three parts are the user, the host and the commands: who is authorised to execute which commands on which host.
User (user): the authorised user name, or the form "%group name" (to authorise all users of a group).
Host (MACHINE): the host name to which this entry applies. This field mainly makes it easy to share one copy of the sudoers file among several hosts.
Command (COMMANDS): the privileged commands the authorised user may run through sudo. The full path of each command program must be given; multiple commands are separated with a comma ",".
eg: authorise user zqq to execute the ifconfig command to modify the IP address:
To see which sudo authorisations you yourself have, run the "sudo -l" command:
Authorise user wzx to execute all programs in the /sbin directory except ifconfig and route:
By default, operations performed through sudo are not logged. To enable sudo logging so that administrators can review it, add a "Defaults logfile" setting to the /etc/sudoers file:
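An added example (not part of the original notes) that evaluates entries in the "user MACHINE=COMMANDS" form described above, so the effect of a rule can be checked before it is loaded with visudo. The sudoers fragment is constructed from the three examples in the notes; the /var/log/sudo path, the hostname localhost and the group line standing in for /etc/group are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): evaluates entries in the "user MACHINE=COMMANDS"
# form to show what a rule really grants before it is loaded with visudo.
# The fragment is constructed from the page's three examples (logfile path assumed);
# GROUP_SAMPLE stands in for /etc/group. Aliases, tags and wildcards are not handled.
SUDOERS_SAMPLE='Defaults logfile=/var/log/sudo
zqq    localhost=/sbin/ifconfig
wzx    localhost=/sbin/, !/sbin/ifconfig, !/sbin/route
%wheel ALL=ALL'
GROUP_SAMPLE='wheel:x:10:root,admin'

# sudo_allows USER HOST CMD -> prints "allow" or "deny". Entries are read top to
# bottom, the last matching command spec wins, "!" denies, "/dir/" matches
# programs directly inside that directory.
sudo_allows() {
  printf '%s\n' "$SUDOERS_SAMPLE" | awk -v user="$1" -v host="$2" -v cmd="$3" \
    -v groups="$GROUP_SAMPLE" '
  function ingroup(u, g,   n, i, m, j, gl, f, mem) {
    n = split(groups, gl, "\n")
    for (i = 1; i <= n; i++) {
      split(gl[i], f, ":")
      if (f[1] != g) continue
      m = split(f[4], mem, ",")
      for (j = 1; j <= m; j++) if (mem[j] == u) return 1
    }
    return 0
  }
  function cmdmatch(spec, c) {
    if (spec == "ALL") return 1
    if (substr(spec, length(spec), 1) == "/")
      return index(c, spec) == 1 && index(substr(c, length(spec) + 1), "/") == 0
    return spec == c
  }
  BEGIN { verdict = "deny" }
  /^Defaults/ || /^#/ || NF == 0 { next }
  {
    eq = index($0, "=")
    split(substr($0, 1, eq - 1), lhs, /[ \t]+/); who = lhs[1]; rhost = lhs[2]
    if (who != "ALL" && who != user && !(who ~ /^%/ && ingroup(user, substr(who, 2)))) next
    if (rhost != "ALL" && rhost != host) next
    rhs = substr($0, eq + 1); gsub(/[ \t]/, "", rhs)
    n = split(rhs, specs, ",")
    for (i = 1; i <= n; i++) {
      spec = specs[i]; neg = (spec ~ /^!/); if (neg) spec = substr(spec, 2)
      if (cmdmatch(spec, cmd)) verdict = neg ? "deny" : "allow"
    }
  }
  END { print verdict }'
}
```

The sudoers manual itself notes that exclusion entries such as the wzx line are not a reliable restriction, so an explicit list of allowed commands is the safer form.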
System boot and login control:
Boot security control:
1. Adjust the BIOS boot settings:
Set the first boot device (First Boot Device) to the disk holding the current system;
Prohibit booting the system from other devices (CD, USB disk, network, etc.) by setting the corresponding entries to "Disabled";
Set the BIOS security level to "setup" and set an administrator password to prevent unauthorised modification.
2. Prohibit the Ctrl+Alt+Del hotkey from restarting the system:
Linux 5.2 has the three-key reboot entry:
Linux 6.0 does not have this problem.
3. Restrict changes to the GRUB boot parameters:
Add before the first title:
After re-entering the GRUB boot menu, pressing e no longer allows the boot parameters to be modified;
to obtain edit permission you must press p and enter the correct GRUB password at the prompt.
Terminal and login control:
By default a Linux server enables six tty terminals, on which any user may log in locally.
1) Modify the login prompt:
The system login prompt is stored in the files /etc/issue and /etc/issue.net and includes information such as the operating system type and kernel version.
For production servers it is recommended to modify these configuration files to hide or disguise the login prompt.
2) Reduce the number of open tty terminals:
Modify the init configuration file /etc/inittab to reduce the number of tty terminals that are opened.
eg: open only the three terminals tty1, tty2 and tty3:
3) Prohibit root user login:
On a Linux system the login program reads the /etc/securetty file to determine from which secure terminals the root user is allowed to log in.
eg: to prevent root from logging in on tty3 and tty4, modify the /etc/securetty file and comment out tty3 and tty4:
4) Prohibit ordinary users from logging in:
While the server is being backed up or undergoing debugging and maintenance work, you may not want any new users to log in to the system.
Simply create the /etc/nologin file: the login program checks whether /etc/nologin exists and, if it does, refuses ordinary users the login; root is not restricted.
How it works: this is the same login block that shutdown uses during a delayed shutdown, and it is recommended only for temporary use during server maintenance.
Delete the /etc/nologin file manually or restart the host to return to normal.
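An added example (not part of the original notes) that audits the boot and terminal controls from the two sections above against copies of inittab, grub.conf, securetty and nologin. It assumes a RHEL 5-style inittab with mingetty entries and a GRUB legacy grub.conf; the directory argument and the check names are the example's own.

```shell
#!/bin/sh
# Added example (not from the page): audits the boot and terminal controls from
# the two sections above. It reads inittab, grub.conf, securetty and nologin under
# the directory given as $1 (laid out like /etc, so a copy can be checked first),
# prints one line per check and returns the number of failed checks.
audit_login_controls() {
  etc=$1; fails=0
  # Ctrl+Alt+Del: the "ca::ctrlaltdel:" inittab entry must be commented out.
  if grep -q '^[^#]*ctrlaltdel' "$etc/inittab" 2>/dev/null; then
    echo "FAIL inittab: Ctrl+Alt+Del reboot is still enabled"; fails=$((fails + 1))
  else
    echo "OK   inittab: Ctrl+Alt+Del reboot is disabled"
  fi
  # GRUB: a "password" line must come before the first "title".
  if [ -f "$etc/grub.conf" ] &&
     awk '/^password/ { p = 1 } /^title/ { exit } END { exit !p }' "$etc/grub.conf"; then
    echo "OK   grub.conf: password line precedes the first title"
  else
    echo "FAIL grub.conf: no password line before the first title"; fails=$((fails + 1))
  fi
  # Terminals: count active mingetty entries (the page opens only tty1-tty3).
  ttys=$(grep -c '^[^#].*mingetty' "$etc/inittab" 2>/dev/null || true)
  if [ "${ttys:-0}" -gt 3 ]; then
    echo "FAIL inittab: ${ttys} tty terminals enabled (expected at most 3)"; fails=$((fails + 1))
  else
    echo "OK   inittab: ${ttys:-0} tty terminals enabled"
  fi
  # securetty: root may only log in on the terminals still listed (not commented out).
  allowed=$(grep -v '^#' "$etc/securetty" 2>/dev/null | tr '\n' ' ')
  echo "INFO securetty: root login allowed on: ${allowed:-none}"
  # nologin: present means ordinary users are locked out; report it so it is not forgotten.
  if [ -e "$etc/nologin" ]; then
    echo "INFO nologin: /etc/nologin present, ordinary users cannot log in"
  fi
  return $fails
}
```

Run it as audit_login_controls /etc on the live host once the checks have been tried on a copy.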