New CentOS system security settings

Table of contents

          Preface

          Set from the following aspects

          Summary

Preface

          In my previous three years of work I never wrote up a summary of securing and tuning a new system. I only remembered a few aspects and had not sorted them out properly, which led to being asked about it in an interview, where I could only say a few simple things. So I am taking advantage of today to sort out the techniques in this area.

Set from the following aspects

1) Forbid the root user from logging in remotely

[root@hya ~]# vim /etc/ssh/sshd_config
#PermitRootLogin yes     change to: PermitRootLogin no
[root@hya ~]# systemctl restart sshd.service   # restart the sshd service
# Before restarting, make sure a non-root account with sudo access can already log in, and keep your current session open until you have confirmed that the new login works; otherwise you can lock yourself out of the host.

2) Change the SSH port

[root@hya ~]# vim /etc/ssh/sshd_config
Port 66   # change the port
[root@hya ~]# systemctl restart sshd.service
# The new port must also be opened in firewalld, and with SELinux enforcing sshd will refuse to bind a non-standard port until that port is labelled ssh_port_t (semanage port). A non-standard port only cuts down on automated noise; a port scan still finds the service, so it is no substitute for steps 1, 9 and 12.

3) Ignore ping (ICMP echo) requests

[root@hya ~]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# 1 = ignore echo requests, 0 = answer them (the default). Writing to /proc does not survive a reboot; add the setting to /etc/sysctl.conf to make it persistent.
[root@hya ~]# iptables -I INPUT -p icmp -j DROP
# This rule drops all ICMP, not only echo requests, so it also silences "fragmentation needed" and other control messages and can break path MTU discovery. If you keep it, restrict it to echo-request (ICMP type 8). Ignoring ping does not hide the host from a port scan.

4) Set the minimum interval between password changes, so that users cannot change passwords too frequently

[root@hya ~]# vim /etc/login.defs
PASS_MIN_DAYS   7   # set between 7 and 14; 7 is recommended
# Without a minimum age a user can change the password several times in a row to cycle back to an old one, which defeats the reuse limit in step 7.
# login.defs only applies to accounts created after the edit, so root and other existing accounts must be set with chage as well:
[root@hya ~]# chage --mindays 7 root

5) Set the SSH idle timeout

# Close SSH sessions whose client has stopped responding, which reduces the risk of an unattended session being used by someone else
[root@hya ~]# vim /etc/ssh/sshd_config
# Set ClientAliveInterval to between 300 and 900 (5 to 15 minutes) and ClientAliveCountMax to between 0 and 3; the session is dropped after ClientAliveCountMax unanswered probes, i.e. about 1200 seconds with the values below
ClientAliveInterval 600
ClientAliveCountMax 2
# Two caveats: these probes are answered automatically by the SSH client, so a connected but idle user is not logged out (set the shell's TMOUT for that); and on recent OpenSSH releases ClientAliveCountMax 0 disables termination altogether, so prefer 1 to 3.

6) Password complexity check

# Check the password length and the number of character classes it uses
[root@hya ~]# vim /etc/security/pwquality.conf
# Set minlen (minimum password length) to between 9 and 32, and minclass (how many of the four classes lower case, upper case, digits and special characters are required) to 3 or 4
minlen = 10
minclass = 3
# These rules are applied through pam_pwquality in /etc/pam.d/system-auth; note that root is exempt from them unless enforce_for_root is also set.

7) Restrict password reuse (identity authentication)

# Stop users from reusing their recent passwords, which lowers the risk of password-guessing attacks
[root@hya ~]# vim /etc/pam.d/password-auth
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
[root@hya ~]# vim /etc/pam.d/system-auth
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
## Only the "password sufficient pam_unix.so" line changes: append remember=N with N between 5 and 24 (remember=5 above) and leave the rest of the line as it is.
# The password history is stored in /etc/security/opasswd. On CentOS 7 both files are generated by authconfig, which overwrites manual edits the next time it runs. Note also that nullok on the auth line of these same files allows accounts with an empty password to log in; remove it if you want step 8 enforced at the PAM level.

8) Check for accounts with an empty password (identity authentication)

# Every account in /etc/shadow should have either a password hash or a locked field ("!" or "*"); an empty second field lets anyone log in with no password at all. Either set a non-empty password for such an account or lock it, as shown here for root:
[root@hya ~]# passwd -l root
Locking password for user root.
passwd: Success
# Lock root's password only if you already have a non-root sudo account or key-based access; otherwise you lock yourself out of the console as well.

9) Forbid SSH logins with an empty password

[root@hya ~]# vim /etc/ssh/sshd_config
PermitEmptyPasswords no    # uncomment this line ("no" is also the compiled-in default)

10) Set the password expiration time (identity authentication; optional)

# A maximum password age forces periodic changes and limits how long a leaked or guessed password stays useful. If users log in with keys rather than passwords, skip this item.
[root@hya ~]# vim /etc/login.defs
PASS_MAX_DAYS   90    # set PASS_MAX_DAYS to between 60 and 180
[root@hya ~]# chage --maxdays 90 root  # login.defs only affects new accounts; run this for root and other existing users as well

11) Make sure the password expiry warning period is 7 days or more (identity authentication)

[root@hya ~]# vim /etc/login.defs  # warn users at least 7 days before their password expires
PASS_WARN_AGE   7
[root@hya ~]# chage --warndays 7 root   # apply the same to root (and other existing accounts)

12) Make sure SSH MaxAuthTries is between 3 and 6 (SSH service configuration)

# A low MaxAuthTries limits the number of authentication attempts per connection, which slows down brute-force attacks on the SSH server. An attacker can still open new connections, so on an exposed host pair it with a rate limiter such as fail2ban.
[root@hya ~]# vim /etc/ssh/sshd_config  # maximum number of authentication attempts per connection: 3 to 6, 4 recommended
MaxAuthTries 4

13) Make sure the rsyslog service is enabled (security audit)

# Make sure rsyslog is enabled so that logs are written to disk for auditing
[root@hya ~]# systemctl enable rsyslog
[root@hya ~]# systemctl start rsyslog

14) Make sure the SSH LogLevel is INFO (service configuration)

# LogLevel INFO records logins and logouts (in /var/log/secure on CentOS); VERBOSE additionally logs the fingerprint of the key used, which helps when auditing key-based logins
[root@hya ~]# vim /etc/ssh/sshd_config
LogLevel INFO
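The sshd_config items above (steps 1, 2, 5, 9, 12 and 14) are easy to get subtly wrong: the first occurrence of a keyword wins, keywords are case-insensitive, and a commented-out line silently means "built-in default". The following script is an added example, not part of the original post, that audits a copy of sshd_config against the recommended values before you restart the service. The function names sshd_get, check_range and audit_sshd_config are my own; it assumes bash with POSIX awk and tr, reads only the global section (Match blocks are not interpreted), treats a missing PermitRootLogin as "yes" (the stock CentOS 7 behaviour, since the compiled-in default varies between OpenSSH builds), and requires ClientAliveCountMax between 1 and 3 because 0 disables the timeout on recent OpenSSH releases.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit a copy of sshd_config
# against the values from steps 1, 2, 5, 9, 12 and 14 before restarting sshd.
# Assumptions: bash, POSIX awk and tr; the config path is given as $1.
# Only the global section is read; Match blocks are not interpreted.

# Print the effective value of KEYWORD in FILE, or DEFAULT when it is absent.
# First occurrence wins, keywords are case-insensitive, comments mean default.
sshd_get() {  # usage: sshd_get FILE KEYWORD DEFAULT
    local key val
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s' "${val:-$3}"
}

# Check an integer-valued keyword against an inclusive range; prints a FAIL
# line and returns 1 when it is outside the range or not a number.
check_range() {  # usage: check_range FILE KEYWORD DEFAULT MIN MAX
    local v
    v=$(sshd_get "$1" "$2" "$3")
    case "$v" in
        ''|*[!0-9]*) echo "FAIL $2=$v (want $4-$5)"; return 1 ;;
    esac
    if [ "$v" -lt "$4" ] || [ "$v" -gt "$5" ]; then
        echo "FAIL $2=$v (want $4-$5)"; return 1
    fi
    return 0
}

# Run every check; returns 0 when all pass, otherwise the number of failures.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    local f="$1" fails=0 v
    # Assumption: an unset PermitRootLogin counts as "yes" (stock CentOS 7).
    v=$(sshd_get "$f" PermitRootLogin yes)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=$v (want no)"; fails=$((fails + 1)); }
    v=$(sshd_get "$f" PermitEmptyPasswords no)
    [ "$v" = no ] || { echo "FAIL PermitEmptyPasswords=$v (want no)"; fails=$((fails + 1)); }
    check_range "$f" MaxAuthTries 6 3 6 || fails=$((fails + 1))
    check_range "$f" ClientAliveInterval 0 300 900 || fails=$((fails + 1))
    check_range "$f" ClientAliveCountMax 3 1 3 || fails=$((fails + 1))
    v=$(sshd_get "$f" LogLevel INFO | tr 'a-z' 'A-Z')
    [ "$v" = INFO ] || { echo "FAIL LogLevel=$v (want INFO)"; fails=$((fails + 1)); }
    v=$(sshd_get "$f" Port 22)
    [ "$v" != 22 ] || echo "NOTE Port is 22; changing it (step 2) also needs a firewalld rule and, with SELinux enforcing, a semanage port rule"
    return "$fails"
}

# Constructed sample, not a real host: a stock-looking config with steps 1, 5 and 14 applied.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#Port 22
PermitRootLogin no
#MaxAuthTries 6
ClientAliveInterval 600
ClientAliveCountMax 2
#PermitEmptyPasswords no
LogLevel INFO
EOF
if audit_sshd_config "$demo_conf"; then
    echo "all checks passed; validate the real file with 'sshd -t' before 'systemctl restart sshd'"
else
    echo "$? check(s) failed; fix them before restarting sshd, keeping your current session open"
fi
rm -f "$demo_conf"
```

Run it against a copy of the live file (or the file itself, read-only) before each restart; the point of checking first is that sshd applies the first occurrence of a keyword, so an edit appended below an earlier PermitRootLogin yes line changes nothing while looking correct in the editor.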

15) Permissions on the access control configuration files (file permissions)

# /etc/hosts.allow and /etc/hosts.deny are read by TCP wrappers (libwrap); they should be owned by root and writable by nobody else, otherwise a local user could grant remote access. TCP wrappers was removed in CentOS 8, so on newer releases these files have no effect and the firewall should be used instead.
[root@hya ~]# chown root:root /etc/hosts.allow
[root@hya ~]# chown root:root /etc/hosts.deny
[root@hya ~]# chmod 644 /etc/hosts.deny
[root@hya ~]# chmod 644 /etc/hosts.allow

16) Enable address space layout randomization (intrusion prevention)

# ASLR randomizes the addresses of a process's stack, heap, shared libraries and (for PIE executables) the program itself, so an attacker exploiting a memory-corruption bug cannot predict where the target lies. 2 (the kernel default) also randomizes the heap; 1 randomizes only the stack, mmap base and VDSO; 0 disables it.
[root@hya ~]# vim /etc/sysctl.conf
kernel.randomize_va_space = 2
[root@hya ~]# sysctl -w kernel.randomize_va_space=2   # apply it immediately; the sysctl.conf entry makes it persistent
kernel.randomize_va_space = 2

17) Make sure root is the only account with UID 0 (identity authentication)

# Any other account with UID 0 is a second root account: delete it or give it a new UID
[root@hya ~]# awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd
[root@hya ~]#    # no output means only root has UID 0
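Steps 8, 10, 11 and 17 are all one-line inspections of /etc/passwd and /etc/shadow, and steps 4, 10 and 11 share the same trap: login.defs only affects accounts created after the edit, so every existing account needs chage as well. The script below is an added example, not part of the original post, that puts those checks together and prints the chage commands for the accounts that actually carry a password. The function names are my own; it takes copies of passwd and shadow as arguments (so it also works on files exported from another host), assumes bash with POSIX awk, and treats a shadow password field beginning with "$" as a real hash, "!" or "*" as locked or no-login, and an empty field as no password at all. The sample files are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit local accounts as in
# steps 8, 10, 11 and 17 using copies of /etc/passwd and /etc/shadow passed
# as arguments. Assumptions: bash and POSIX awk; a shadow password field that
# starts with "$" is a hash, "!"/"*" is locked or no-login, "" is no password.

# Accounts other than root whose UID (passwd field 3) is 0: step 17.
uid0_accounts() {  # usage: uid0_accounts PASSWD_FILE
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty: step 8. Such an account can
# log in with no password wherever nullok (PAM) or PermitEmptyPasswords yes
# (sshd) is in effect.
empty_password_accounts() {  # usage: empty_password_accounts SHADOW_FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Password-bearing accounts whose maximum age (shadow field 5) is unset or
# longer than MAXDAYS (default 90). PASS_MAX_DAYS in login.defs only applies
# to accounts created after the edit, so these need chage: steps 10 and 11.
stale_max_age_accounts() {  # usage: stale_max_age_accounts SHADOW_FILE [MAXDAYS]
    awk -F: -v max="${2:-90}" \
        'substr($2, 1, 1) == "$" && ($5 == "" || $5 + 0 > max + 0) { print $1 }' "$1"
}

# Print the chage commands that bring every password-bearing account in line
# with steps 4, 10 and 11. Review the output, then run it as root.
chage_commands() {  # usage: chage_commands SHADOW_FILE
    awk -F: 'substr($2, 1, 1) == "$" {
        printf "chage --mindays 7 --maxdays 90 --warndays 7 %s\n", $1 }' "$1"
}

# Constructed sample files, not from a real host (the hashes are placeholders).
pw=$(mktemp); shadow=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
hya:x:1000:1000::/home/hya:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
EOF
cat > "$shadow" <<'EOF'
root:$6$saltsalt$placeholderhash:18500:0:99999:7:::
toor:$6$saltsalt$placeholderhash:18500:7:90:7:::
hya:$6$saltsalt$placeholderhash:18500:7:90:7:::
guest::18500:0:99999:7:::
EOF
echo "UID 0 besides root:     $(uid0_accounts "$pw")"                 # toor
echo "empty password:         $(empty_password_accounts "$shadow")"   # guest
echo "max age unset or > 90:  $(stale_max_age_accounts "$shadow")"    # root
chage_commands "$shadow"
rm -f "$pw" "$shadow"
```

The chage lines are printed rather than executed on purpose: system accounts with a real hash (service accounts that someone set a password on) show up in the list too, and forcing expiry on them can break a daemon at 3 a.m., so the output is meant to be reviewed before it is run.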

Summary

         There is far more to system security hardening than this; I have only written up a few simple items here. Third-party tools can also be used to defend against brute-force cracking, attacks and other problems.

Origin blog.csdn.net/yeyslspi59/article/details/109255624