  Linux system security norms
     
  Add Date : 2017-01-08      
         
       
         
Basic principles:
a. Update all services promptly, to guard against the latest threats;
b. Use secure protocols on Linux systems wherever possible;
c. As far as possible, provide only one service per machine;
d. Monitor all machines strictly and detect malicious behaviour;
e. Subscribe to the relevant system security mailing lists.

One. Accounts and passwords
(I). Accounts
1. Create a separate unprivileged account for each maintenance person, and a monitoring account for the monitoring machine; these are used for routine maintenance and system monitoring respectively;
2. Configure virtual accounts on the FTP server;
3. Apart from root, the maintenance personnel's accounts and the monitoring machine's account, deny shell access to all other system accounts;
4. Lock all accounts created automatically by the system installation;
a. Find the unlocked accounts (password field neither "*" nor starting with "!"): egrep -v ':\*|:!' /etc/shadow | awk -F: '{print $1}'
b. Lock an account: usermod -L <account>
(II). Passwords
1. Strength: a. 10 characters or more; must include letters (upper and lower case), digits and special characters; must not contain English words;
b. Configure in the file /etc/pam.d/system-auth:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
2. Change frequency: a. 120 days;
b. Configure the default for new accounts: set PASS_MAX_DAYS 120 in the file /etc/login.defs
c. Change the frequency for an existing user: chage -M 120 <account>
3. History: a. the last 10 passwords;
b. Configure in the file /etc/pam.d/system-auth:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10
4. Recommended way to choose a password: think of a sentence, take the first letter of each word, and replace some of the letters with similar-looking digits or symbols to produce the password;
5. Examples of good passwords: Zhongguoliantong10010))), Beijingquhao010));!!!
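The locked-account and password-age checks from the two sections above, as an added example that is not part of the original page: it audits a shadow-format file given as $1 (a copy can be used) and prints the usermod/chage commands for review rather than running them; the whitelist argument, the function names and the sample entries are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a shadow-format file against
# the account and password rules above (locked accounts, 120-day maximum age)
# and emit the matching usermod/chage commands instead of running them.
# The file path is given as $1 so the audit can be run against a copy.

# Accounts whose password field is neither "*" nor starts with "!" are unlocked.
unlocked_accounts() {
    awk -F: '$2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Unlocked accounts whose maximum password age (field 5) is missing or over 120.
accounts_exceeding_max_age() {
    awk -F: '$2 != "*" && $2 !~ /^!/ && ($5 == "" || $5 + 0 > 120) { print $1 }' "$1"
}

# Remediation commands for review: lock every unlocked account that is not in
# the whitelist ($2, space separated) and cap the password age of the rest.
remediation_plan() {
    shadow=$1; keep=" $2 "
    for acct in $(unlocked_accounts "$shadow"); do
        case "$keep" in
            *" $acct "*) ;;                      # maintained or monitoring account
            *) echo "usermod -L $acct" ;;
        esac
    done
    for acct in $(accounts_exceeding_max_age "$shadow"); do
        case "$keep" in
            *" $acct "*) echo "chage -M 120 $acct" ;;
        esac
    done
}

# Constructed sample shadow file (the hashes are placeholders, not real ones).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$salt$PLACEHOLDERHASH:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
games:!!:17000:0:99999:7:::
ops1:$6$salt$PLACEHOLDERHASH:17000:0:120:7:::
monitor:$6$salt$PLACEHOLDERHASH:17000:0:99999:7:::
ftp:!$6$salt$PLACEHOLDERHASH:17000:0:99999:7:::
EOF
}
```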

Two. Remote login
(I). SSH
1. Support only SSH protocol version 2;
2. Do not log in directly as root; only ordinary unprivileged accounts may log in directly;
3. Change the default port (to 22222);
(II). Login banner
1. Add a login warning to the /etc/issue file:
# cat > /etc/issue << EOF
=======================================
Warning: This system is owned by xxxxxx.
Unauthorized access to this system is prohibited!!!
=======================================
EOF
2. Add a post-login warning to the /etc/motd file:
# cat > /etc/motd << EOF
=======================================
Warning: This system is owned by xxxxxx.
Everything you do will be monitored and logged!!!
=======================================
EOF

Three. Kernel parameters
1. Adjust the following kernel parameters to improve the system's resistance to IP spoofing and DoS attacks:
net.ipv4.ip_forward = 0                        # must be set to 1 on LVS, gateway or VPN servers
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1                # set to 0 on LVS back-end servers
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1

Four. File system
1. Mount options:
/      ro               # move the root user's home directory /root to /home/root first
/boot  ro
/usr   ro
/var   noexec,nosuid
/tmp   noexec,nosuid
2. SUID/SGID files: run a cron job every day to check whether new SUID/SGID files have appeared; if so, send an e-mail to the maintenance personnel;
3. World-writable directories: run a cron job every day to check whether new world-writable directories have appeared; if so, send an e-mail to the maintenance personnel;
4. ACL: when a file or directory must be made accessible to several users, do not do it by changing its owner; use an ACL instead;
5. umask: set to 0022 or 0055 (configured in /etc/bashrc);
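The daily SUID/SGID and world-writable directory checks from rules 2 and 3 above, as an added example that is not part of the original page: a baseline comparison so that only newly appeared entries are reported. The baseline directory, the mail recipient and the use of mail(1) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the daily SUID/SGID and
# world-writable directory checks from rules 2 and 3 above, done as a
# baseline comparison so only newly appeared entries are reported. The
# baseline directory, the mail recipient and the use of mail(1) are assumptions.
BASELINE_DIR="${BASELINE_DIR:-/var/lib/secaudit}"
MAIL_TO="${MAIL_TO:-maintainers@example.com}"

# Sorted list of SUID/SGID regular files under the given roots.
list_setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Sorted list of world-writable directories that lack the sticky bit.
list_world_writable_dirs() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Read the current list on stdin and print the entries absent from the
# baseline file $1. The first run only records the baseline and reports nothing.
report_new_entries() {
    baseline=$1
    if [ ! -f "$baseline" ]; then
        cat > "$baseline"
    else
        comm -13 "$baseline" -
    fi
}

check_setid_files() {          # $1 = baseline file, rest = roots to scan
    b=$1; shift; list_setid_files "$@" | report_new_entries "$b"
}
check_world_writable_dirs() {  # $1 = baseline file, rest = roots to scan
    b=$1; shift; list_world_writable_dirs "$@" | report_new_entries "$b"
}

# Cron entry point: mail the maintainers only when something new appeared.
# New entries are reported but not added to the baseline; refresh the
# baseline deliberately once they have been reviewed.
daily_audit() {
    mkdir -p "$BASELINE_DIR"
    report=$(check_setid_files "$BASELINE_DIR/setid.list" /
             check_world_writable_dirs "$BASELINE_DIR/ww-dirs.list" /)
    if [ -n "$report" ]; then
        printf 'New SUID/SGID files or world-writable directories:\n%s\n' "$report" |
            mail -s "[secaudit] $(hostname)" "$MAIL_TO"
    fi
}
```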

Five. Logging
1. Logs are stored centrally on the log host; four weeks of log backups are kept locally;
2. Log client configuration: see << linux system specifications >> 8. Configuring the system log;
3. Log host configuration: see << linux log host Configuration Guide >>;

Six. Applications
(I). MySQL
1. Run MySQL as the mysql user;
2. Rename the administrator account root (to ht-mysql-admin);
3. Set a strong password for the administrator account;
4. Delete the test database;
5. Delete the unneeded accounts that MySQL creates automatically during installation, and do not create accounts that are not strictly necessary;
6. Never store any password in the database in plain text;
7. Do not choose passwords that appear in dictionaries;
8. Control user privileges strictly: give users only the minimum privileges needed to do their work; never grant the PROCESS, SUPER or FILE privileges to non-administrative accounts;
9. Do not grant read or write permission on the MySQL data directory to OS users other than mysql;
10. Subscribe to the mailing list: MySQL Announcements;
(II). Resin
1. Run Resin as the resin user;
2. Integrate it with Apache; running it in standalone mode to serve web requests directly is prohibited;
(III). Apache
1. Compile only the modules that must be used;
2. Run Apache as the daemon user and daemon group;
3. Disable all diagnostic pages and automatic directory indexing;
4. Remove the cgi-bin and manual directories;
5. Expose as little as possible about the server's true identity;
6. Use chroot to restrict Apache's access to the file system (harder to achieve with centralized storage);
7. Install the modsecurity module;
8. Use identity-based authentication to control access to the host management pages;
9. Store and analyse logs centrally;
10. Subscribe to the mailing list: Apache HTTP Server Announcements List;

Seven. Firewall
(I). Software: iptables
(II). Rules
1. Load the important iptables modules: ip_tables, iptable_filter, ip_conntrack, ip_conntrack_ftp;
2. Define custom rule sets per network interface (eth0, eth1, ...) and per packet type (TCP, UDP, ICMP);
3. Set the policy of each rule set to ACCEPT, but make sure each rule set ends with an explicit DROP rule that matches any packet not allowed above it (iptables -A <chain> -j DROP);
4. DROP invalid packets and IP-spoofed packets;
5. Open only the minimum set of ports the business requires;
(III). Configuration
See << linux system specifications >> 10. Configuring security 3) firewall;
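The per-interface, per-protocol rule sets of rules 1 to 5 above, as an added example that is not part of the original page: it generates the iptables commands (printed for review with DRY_RUN=1, the default, and applied only when DRY_RUN=0). The interface names, the allowed ports other than 22222, and the spoofed source ranges are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate the per-interface,
# per-protocol iptables rule sets from section Seven. Interface names, the
# allowed ports (other than 22222) and the spoofed source ranges are assumptions.
# With DRY_RUN=1 (the default) the commands are printed for review, not applied.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Rule 1: the modules this ruleset depends on.
load_modules() {
    for m in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp; do
        run modprobe "$m"
    done
}

# Rules 2 to 5 for one interface. $1 = interface, $2 = allowed TCP ports
# (space separated), $3 = source ranges that must never arrive on it.
build_interface_rules() {
    iface=$1; ports=$2; spoofed=$3
    # Rule 4: invalid and spoofed packets are dropped before any chain jump.
    run iptables -A INPUT -i "$iface" -m state --state INVALID -j DROP
    for net in $spoofed; do
        run iptables -A INPUT -i "$iface" -s "$net" -j DROP
    done
    # Rule 2: one custom chain per protocol, reached from INPUT.
    for proto in tcp udp icmp; do
        chain="IN_${iface}_${proto}"
        run iptables -N "$chain"
        run iptables -A INPUT -i "$iface" -p "$proto" -j "$chain"
        run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Rule 5: only the ports the business needs.
    for p in $ports; do
        run iptables -A "IN_${iface}_tcp" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    run iptables -A "IN_${iface}_icmp" -p icmp --icmp-type echo-request -j ACCEPT
    # Rule 3: built-in policy stays ACCEPT; every custom chain ends in an explicit DROP.
    for proto in tcp udp icmp; do
        run iptables -A "IN_${iface}_${proto}" -j DROP
    done
}

# Assumed layout: eth0 faces the Internet, eth1 the internal network.
build_ruleset() {
    load_modules
    run iptables -P INPUT ACCEPT
    build_interface_rules eth0 "22222 80 443" "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"
    build_interface_rules eth1 "22222" ""
}
```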

Eight. Intrusion detection and prevention
1. Tool: OSSEC;
2. Strategy: install the OSSEC HIDS server on one server and the OSSEC HIDS agent on every host that needs intrusion detection/prevention and file integrity checking; the agents send their information to the HIDS server, which analyses and processes it centrally;
3. Configuration;

Nine. Security audit
---------------------------------------------------------------
Audit object      Tool                      Frequency
---------------------------------------------------------------
Linux system      nmap                      every 1 month
                  Nessus                    every 3 months
                  automatic log analysis    real time
                  manual log analysis       when necessary
Password file     John the Ripper           every 3 months
Apache            nikto                     every 6 months
                  AppScan                   every 6 months
---------------------------------------------------------------