File system protection for safe operation and maintenance

On a Linux system, a process running with root privileges, or a user logged in as root, is subject to no permission restrictions at all. Once an attacker obtains root, the consequences for the system are therefore disastrous. At that point file system protection becomes the system's last line of defense: sensible file system protection settings minimize the damage an attack can do.

Lock important files

Very important files in the system can be locked with the chattr command, so that even the root user cannot modify or delete them. chattr changes file attributes on ext2, ext3 and ext4 file systems and can only be run by the root user. Correspondingly, lsattr can be used to query file attributes.
The syntax of the chattr command is as follows:

chattr [-RV] [-v version] [mode] /path/file

The main parameters are as follows:

  • -R: change the attributes of all files and subdirectories recursively
  • -V: verbose; print the changes that were made
  • mode:
    • +: add the listed attributes
    • -: remove the listed attributes
    • =: set exactly the listed attributes
    • a: append only; once set, data can only be appended to the file, never overwritten or removed. Only the root user can set this attribute.
    • c: compressed; the file is compressed transparently before being written to disk and decompressed when read.
    • i: immutable; the file cannot be written to, modified, deleted or renamed, and no soft or hard links can be made to it.
    • s: secure deletion; when the file is deleted, its blocks are zeroed and written back to disk.
    • u: undeletable; when the file is deleted, its data blocks are kept so that the content can be recovered.

The syntax of the lsattr command is as follows:

lsattr [-adiRvV] /path/file

The main parameters are as follows:

  • -a: list all files, including those starting with "."
  • -d: display the attributes of the directory itself rather than of its contents
  • -R: recursively list the attributes of all files and subdirectories in the directory
  • -v: display the version (generation number) of the file or directory

The following files are recommended for protection:

$ chattr -R +i /bin /boot /lib /sbin
$ chattr -R +i /usr/bin /usr/include /usr/lib /usr/sbin
$ chattr +i /etc/passwd
$ chattr +i /etc/shadow
$ chattr +i /etc/hosts
$ chattr +i /etc/resolv.conf
$ chattr +i /etc/fstab
$ chattr +i /etc/sudoers
# log files are made append-only rather than immutable, so they can still grow
$ chattr +a /var/log/messages
$ chattr +a /var/log/wtmp

Although protecting the file system improves security, it can also cause inconvenience. For example, when installing or upgrading software you may need to remove the immutable and append-only attributes from the directories involved, and adding the append-only attribute to a log file can cause log rotation (logrotate) to fail, because rotation has to rename or truncate the file.
So before using chattr, weigh how to set up protection against the server's application environment.

Moreover, chattr cannot be used to protect directories such as /, /dev, /tmp and /var:

  • if the root directory is made immutable, the system will not work
  • /dev: while running, syslog needs to delete and re-create the /dev/log socket
  • /tmp: many programs and system services create temporary files in this directory
  • /var: the log directory of the system and its programs; if it is made immutable the system can no longer write logs
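An added audit check (example code, not from the original post) that verifies the attributes recommended above are still in place by parsing lsattr output. The EXPECTED list and the sample lsattr lines are constructed here; on a real host, feed it `lsattr /etc/passwd /etc/shadow /etc/sudoers /var/log/messages`.

```shell
#!/bin/sh
# Added example: audit lsattr output against the attributes recommended above.
# EXPECTED maps path -> required chattr flag (i = immutable, a = append only).
EXPECTED='/etc/passwd i
/etc/shadow i
/etc/sudoers i
/var/log/messages a'

# audit_attrs: reads lsattr output ("<attrs> <path>" per line) on stdin and
# prints one line per EXPECTED entry that is not protected as required.
# Prints nothing when everything is in place.
audit_attrs() {
    lsattr_out=$(cat)
    printf '%s\n' "$EXPECTED" | while read -r path flag; do
        [ -z "$path" ] && continue
        # attribute field for this path, e.g. "----i---------e-------"
        attrs=$(printf '%s\n' "$lsattr_out" | awk -v p="$path" '$2 == p { print $1 }')
        case "$attrs" in
            "")        printf '%s: not present in lsattr output\n' "$path" ;;
            *"$flag"*) ;;                                   # required flag is set
            *)         printf '%s: missing +%s\n' "$path" "$flag" ;;
        esac
    done
}

# count_findings: number of problems audit_attrs reports for the input on stdin
count_findings() {
    audit_attrs | grep -c .
}

# Constructed sample lsattr output (not from a real host): /etc/shadow has lost
# its immutable bit and /var/log/messages was never made append-only.
SAMPLE_LSATTR='----i---------e------- /etc/passwd
--------------e------- /etc/shadow
----i---------e------- /etc/sudoers
--------------e------- /var/log/messages'

printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs
```

Running the check from cron and alerting on any output is a cheap way to notice that someone with root has removed the protections.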

File permission check

Incorrectly set file permissions create security risks; finding them in time prevents them from being exploited.
Here are some ways to find insecure permissions:

  • Find files and directories that are writable by the group or by any other user (the parentheses are needed so that -type combines with both -perm tests):
# for files:
$ find / -type f \( -perm -2 -o -perm -20 \) -exec ls -al {} +
# for directories:
$ find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ld {} +
  • Find programs with the "s" (setuid or setgid) bit set:
$ find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -al {} +
  • Find all suid and sgid files owned by root and record their checksums for later comparison:
# suid
$ find / -user root -perm -4000 -print -exec md5sum {} \;
# sgid
$ find / -user root -perm -2000 -print -exec md5sum {} \;
  • Find files that have no owner or no group:
$ find / \( -nouser -o -nogroup \) -print
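The permission checks above as reusable shell functions, with the find expressions grouped so that -type applies to both -perm tests and with `-exec ... {} +` so that file names containing spaces survive. This is added example code, not from the original post; the sample tree it inspects is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: the permission audits above as functions, demonstrated on a
# constructed sample tree rather than on the real root file system.

# world_or_group_writable DIR: regular files under DIR writable by group or others
world_or_group_writable() {
    find "$1" -type f \( -perm -2 -o -perm -20 \) -exec ls -l {} +
}

# setid_files DIR: regular files under DIR with the setuid or setgid bit set
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +
}

# make_sample_tree: builds a throwaway directory (constructed sample, not a real
# system) containing one file of each interesting kind and prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'ok\n' > "$dir/private";         chmod 0644 "$dir/private"
    printf 'ok\n' > "$dir/group writable";  chmod 0664 "$dir/group writable"
    printf 'ok\n' > "$dir/world writable";  chmod 0666 "$dir/world writable"
    printf 'ok\n' > "$dir/suid tool";       chmod 4755 "$dir/suid tool"
    printf 'ok\n' > "$dir/sgid tool";       chmod 2755 "$dir/sgid tool"
    printf '%s\n' "$dir"
}

# count_lines: number of non-empty lines on stdin
count_lines() { grep -c .; }

SAMPLE_DIR=$(make_sample_tree)
echo "writable by group/others:"; world_or_group_writable "$SAMPLE_DIR"
echo "setuid/setgid:";            setid_files "$SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

On a live host call the functions with / as the argument and diff the output against a known-good baseline.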

/tmp, /var/tmp, /dev/shm security protection

On Linux, the directories /tmp and /var/tmp hold temporary files and are readable, writable and executable by all users, which is a security risk: attackers may leave malicious scripts in these directories for information gathering or as a disguise. Simply changing the read and write permissions of the temporary directories, however, may break the normal operation of the system and its programs, so they have to be protected with special settings.
/dev/shm is the shared memory file system that Linux mounts by default at boot. It is mounted as tmpfs, a memory-backed file system, so the files written there live in RAM; through /dev/shm a user can therefore write directly into system memory.

Methods of protecting /tmp:

  • If /tmp is a separate disk partition, change the mount options of /tmp in /etc/fstab as follows:
LABEL=/tmp    /tmp        ext3    rw,nosuid,noexec,nodev 0 0

Among them,
* nosuid: set-user-ID and set-group-ID bits are ignored on this file system
* noexec: binaries and scripts on this file system cannot be executed directly (a script can still be run by handing it to an interpreter, e.g. sh /tmp/x.sh, so noexec is a hurdle, not a complete control)
* nodev: device files on this file system are not interpreted

  • If /var/tmp is a directory inside the /var partition, first move its contents into the /tmp partition and then replace /var/tmp with a symbolic link pointing to /tmp:
$ mv /var/tmp/* /tmp
# remove the now-empty directory so that ln creates the link at /var/tmp itself
$ rmdir /var/tmp
$ ln -s /tmp /var/tmp
  • If /tmp is just a directory on the root file system, you can use the loopback feature of the Linux kernel: create a file-backed (loopback) file system, mount it on /tmp and apply the restrictive options at mount time:
# 10000 MiB backing file for the loopback file system
$ dd if=/dev/zero of=/dev/tmpfs bs=1M count=10000
$ mke2fs -j /dev/tmpfs
$ cp -av /tmp /tmp.old
$ mount -o loop,noexec,nosuid,rw /dev/tmpfs /tmp
$ chmod 1777 /tmp
$ mv -f /tmp.old/* /tmp/
$ rm -rf /tmp.old

Then edit /etc/fstab and add the following line:

/dev/tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0

Once done, verify that the configuration took effect: create a shell script in /tmp, make it executable and try to run it; with noexec in place the execution should be refused.

Method of protecting /dev/shm:

  • /dev/shm is mounted as tmpfs, so it can be hardened in the same way by editing /etc/fstab. Change its mount options as follows:
tmpfs /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
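An added check (example code, not from the original post) that covers the verification step for /tmp described above and the /dev/shm entry: it reports which of nosuid, noexec and nodev a mount point lacks, and tries to execute a script in a directory to confirm noexec is in effect. The /proc/mounts sample is constructed; on a real host pipe `cat /proc/mounts` (or /etc/fstab) into it, and if /var/tmp is a symbolic link to /tmp, as set up above, check /tmp instead.

```shell
#!/bin/sh
# Added example: check that /tmp, /var/tmp and /dev/shm carry nosuid, noexec
# and nodev. Works on /etc/fstab lines and on /proc/mounts, since both use the
# fields "<spec> <mountpoint> <fstype> <options> ...".

# missing_opts MOUNTPOINT: reads mount/fstab lines on stdin and prints the
# hardening options MOUNTPOINT lacks (comma separated), "not mounted" if there
# is no entry for it, or an empty line when all three options are present.
missing_opts() {
    mp="$1"
    opts=$(awk -v m="$mp" '$2 == m { print $4 }')
    if [ -z "$opts" ]; then
        printf 'not mounted\n'
        return
    fi
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *",$want,"*) ;;                                 # option present
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# exec_refused DIR: the verification step from the text. Drops an executable
# script into DIR and tries to run it; returns 0 if execution was refused
# (noexec in effect) and 1 if it ran. "sh DIR/script" would still run.
exec_refused() {
    f=$(mktemp "$1/noexec-check.XXXXXX")
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 0755 "$f"
    if "$f" 2>/dev/null; then rc=1; else rc=0; fi
    rm -f "$f"
    return $rc
}

# Constructed sample in /proc/mounts format (not from a real host): /tmp lacks
# nodev, /dev/shm lacks noexec, and /var/tmp has no entry of its own.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

for mp in /tmp /var/tmp /dev/shm; do
    printf '%s: %s\n' "$mp" "$(printf '%s\n' "$SAMPLE_MOUNTS" | missing_opts "$mp")"
done
```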


Origin blog.csdn.net/qq_45534034/article/details/112013822