CentOS 7 Operations and Maintenance: Make your Linux server more secure | User account privilege separation | GRUB protection | Super detailed

1. Account security management

①Clean up system accounts

  • Set the shell of non-login (service) accounts to /sbin/nologin or /bin/false, so that a stolen or guessed password cannot open an interactive session
usermod -s /sbin/nologin USERNAME
  • Lock accounts that have not been used for a long time
usermod -L USERNAME           //lock the account (prefixes the password hash in /etc/shadow with "!")
passwd -l USERNAME            //lock the password (same effect, different tool)
passwd -S USERNAME            //show the account status: LK = locked, NP = no password, PS = password set
  • Delete useless accounts
userdel -r USERNAME           //delete the user together with the home directory and mail spool
  • Clear an account password
passwd -d USERNAME            //empty the password field. Do this only for accounts you lock or disable right afterwards: with the "nullok" option that CentOS 7's system-auth passes to pam_unix by default, an empty password allows a local login without any password at all
  • Lock the account files passwd and shadow
chattr +i /etc/passwd /etc/shadow      //make the files immutable; useradd, usermod and even passwd will fail until the flag is removed
lsattr /etc/passwd /etc/shadow         //show the file attributes
chattr -i /etc/passwd /etc/shadow      //remove the immutable flag

  • Prohibit root login on a terminal
    The login program reads /etc/securetty (through pam_securetty) to determine from which terminals (secure terminals) root is allowed to log in. This governs local console logins only; root over SSH is controlled by PermitRootLogin in /etc/ssh/sshd_config
vi /etc/securetty
#tty5
//comment out a terminal with # to refuse root logins on it
tty6
  • Forbid ordinary users from logging in
  • The login program (through pam_nologin) checks whether /etc/nologin exists; if it does, ordinary users are refused and shown the file's contents, while root is not restricted. Handy during maintenance windows
touch /etc/nologin
//creating /etc/nologin blocks ordinary user logins
rm -f /etc/nologin
//deleting the file lifts the restriction

②Password security control

chage -M DAYS USERNAME          //maximum number of days the password stays valid (chage -M 90 fox forces a change every 90 days)
chage -E YYYY-MM-DD USERNAME    //date on which the account itself expires and can no longer log in

►Set the password validity period for new users

vim /etc/login.defs     //the PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE values here apply only to accounts created afterwards; existing users must be changed with chage

►Force a user to change the password at the next login

chage -d 0 USERNAME         //sets the "last changed" date to 0, so the password is treated as expired and must be changed at the next login
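Before running the commands in ① and ② by hand, it helps to know which accounts actually need them. The script below is an added example, not part of the original article: it audits passwd/shadow-style files for login-capable accounts with an empty, locked or never-set password, system UIDs that still have a shell, and passwords that never expire, then prints the matching usermod/chage commands without executing them. The two sample files are constructed (fake hashes, invented users); on a real host run it as root against /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original article): audit /etc/passwd and /etc/shadow
# for the conditions the text tells you to fix, then print the matching commands.

make_sample() {
    # Writes constructed passwd/shadow lookalikes into directory $1 (hashes are fake).
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
fox:x:1000:1000::/home/fox:/bin/bash
olduser:x:1001:1001::/home/olduser:/bin/bash
svc:x:1002:1002::/var/lib/svc:/bin/bash
guest:x:1003:1003::/home/guest:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$salt$fakehash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
fox:$6$salt$fakehash:18000:0:90:7:::
olduser:!$6$salt$fakehash:17000:0:99999:7:::
svc:!!:18000:0:99999:7:::
guest::18000:0:99999:7:::
EOF
}

audit_accounts() {
    # $1 = passwd file, $2 = shadow file. One line per account that needs attention:
    #   user:FINDING[,FINDING...]   Accounts with /sbin/nologin or /bin/false are skipped.
    awk -F: '
    NR == FNR { hash[$1] = $2; maxdays[$1] = $5; next }   # first file is shadow
    {
        user = $1; uid = $3 + 0; shell = $7; h = hash[user]; f = ""
        if (shell == "/sbin/nologin" || shell == "/bin/false") next
        if (h == "")          f = f "EMPTY_PASSWORD,"   # passwd -d was run, or never set
        else if (h == "!!")   f = f "NEVER_SET,"        # CentOS marker: no password yet
        else if (h ~ /^[!*]/) f = f "LOCKED,"           # usermod -L / passwd -l
        if (uid != 0 && uid < 1000) f = f "SYSTEM_UID_WITH_SHELL,"
        if (h !~ /^[!*]/ && (maxdays[user] == "" || maxdays[user] + 0 >= 99999)) f = f "NO_EXPIRY,"
        if (f != "") { sub(/,$/, "", f); print user ":" f }
    }' "$2" "$1"
}

suggest_fixes() {
    # Reads audit_accounts output on stdin and prints the commands from the text
    # that address each finding. Nothing is executed: review, then run as root.
    while IFS=: read -r user findings; do
        case ",$findings," in *,EMPTY_PASSWORD,*)
            echo "usermod -L $user      # no password: lock until one is set" ;;
        esac
        case ",$findings," in *,SYSTEM_UID_WITH_SHELL,*)
            echo "usermod -s /sbin/nologin $user   # service account should not log in" ;;
        esac
        case ",$findings," in *,NO_EXPIRY,*)
            echo "chage -M 90 $user     # enforce a 90-day maximum password age" ;;
        esac
    done
}

# Usage on a real host (root is needed to read /etc/shadow):
#   audit_accounts /etc/passwd /etc/shadow | suggest_fixes
```

The awk program reads the shadow file first (NR == FNR) so each passwd entry can be joined with its hash and its maximum-age field; the hash prefix conventions it relies on (empty, "!!", "!..." and "*") are the ones shadow-utils and CentOS use.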

③Prevent leakage through the shell history

An attacker who gets into an account can read the commands entered earlier, which may disclose sensitive information such as a root password that was typed on the command line

►Reduce the number of recorded commands

vi /etc/profile              //edit the global profile (a file under /etc/profile.d/ works too and survives package updates)
export HISTSIZE=200          //append as the last line

Only the last 200 commands are kept in the shell's history; HISTFILESIZE limits what is written to ~/.bash_history and defaults to the value of HISTSIZE

►Automatically clear the history at login

vim ~/.bashrc
echo " " > ~/.bash_history     //append as the last line; the history file is truncated every time a new shell starts, so the previous session's commands are gone

④Terminal automatic logout

Log out automatically when the terminal has been idle for a period of time

vim /etc/profile              //edit the global profile
export TMOUT=600             //append as the last line; bash exits after 600 seconds without input at the prompt. Declare the variable readonly in the same file if users must not be able to unset it

⑤Controlling the su user-switching command

With su any user can repeatedly try the login passwords of other users; when the target is root the risk is correspondingly greater

  1. Add the users who are allowed to use su to the wheel group
  2. Enable the pam_wheel authentication module
vim /etc/pam.d/su

The two lines that matter are at the top of the file:
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid

  • The default state is the one above (first line active, second line commented out). In this state every user may switch with su; root switches to an ordinary user without a password, everyone else must enter the target user's password
  • If the first line is commented out as well, root too has to enter the password of the ordinary user it switches to

The pam_rootok.so module lets a caller whose uid is 0, that is root, pass authentication directly without entering a password

  • If the second line is uncommented (and the first kept), only root and members of the wheel group can use su
  • If the first line is commented out and the second uncommented, only members of the wheel group can use su; root is then refused as well unless it is itself a member of wheel

►The first column is the PAM module type
auth: authenticates the user, for example by prompting for a password or checking whether the caller is root
account: checks account attributes, such as whether login is allowed at all, whether the account has expired or whether a login limit has been reached
password: updates authentication data, such as changing the user's password
session: defines what happens before a session opens and after it closes, such as logging the connection, opening and closing user data and mounting file systems

►The second column is the PAM control flag
required: the module must succeed; on failure the remaining modules of the same type are still run, but the final result for that type is failure
requisite: like required, but a failure is returned to the application immediately and no further modules of that type run
sufficient: a success ends processing of that type with success, provided no earlier required module has failed; a failure is ignored and has no effect on the overall result
optional: the result is ignored unless it is the only module of its type; generally used to display information rather than to authenticate (commonly of the session type)
include: pulls in another PAM configuration file at that point. For example most services use "include system-auth", which carries the authentication for logging in to the system, instead of repeating the same lines in every file

►The third column is the PAM module, looked up in /lib64/security/ by default; a module stored elsewhere must be given as an absolute path

►The fourth column holds the module's arguments, which depend on the module used (for pam_wheel.so, use_uid means the check is made against the real uid of the calling process rather than the login name recorded for the terminal)

►Restrict users from switching with su

vim /etc/pam.d/su
#auth    required    pam_wheel.so use_uid
//remove the # from this line

►Grant a user the right to switch with su

gpasswd -a fox wheel     //add user "fox" to the wheel group (do this for your own admin account before enabling pam_wheel, or you lock yourself out of su)

Two, PAM security authentication

►Linux-PAM (Pluggable Authentication Modules) is a set of customizable, dynamically loadable shared libraries that let the local system administrator choose how each program authenticates its users

PAM manages the authentication of programs through the configuration files under /etc/pam.d/. An application invokes its PAM configuration file, which in turn calls the local authentication modules under /lib64/security/; the modules are loaded dynamically. For example, when the su command is used the system prompts for the root user's password; su does this by calling PAM modules

View the su operation records
security log file: /var/log/secure

cat /var/log/secure
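Reading /var/log/secure by eye does not scale, so the following added example (not from the original article) summarises su activity from the log and flags users who keep failing. The log lines are constructed to follow the CentOS 7 message formats for su ("FAILED SU (to root) user on tty" and the pam_unix "session opened for user X by Y(uid=N)" line); the host name, users, addresses and times are invented.

```shell
#!/bin/sh
# Added example (not from the original article): summarise su activity from
# /var/log/secure and flag users hammering su. The sample lines are constructed
# to match the CentOS 7 message formats; host, users and times are invented.

write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:12:01 web1 su: pam_unix(su-l:session): session opened for user root by fox(uid=1000)
Mar  3 10:15:44 web1 su: pam_unix(su-l:auth): authentication failure; logname=cat uid=1001 euid=0 tty=pts/1 ruser=cat rhost=  user=root
Mar  3 10:15:44 web1 su: FAILED SU (to root) cat on pts/1
Mar  3 10:15:50 web1 su: pam_unix(su-l:auth): authentication failure; logname=cat uid=1001 euid=0 tty=pts/1 ruser=cat rhost=  user=root
Mar  3 10:15:50 web1 su: FAILED SU (to root) cat on pts/1
Mar  3 10:16:02 web1 su: FAILED SU (to root) cat on pts/1
Mar  3 10:20:00 web1 sshd[2201]: Accepted publickey for fox from 10.0.0.5 port 51022 ssh2
Mar  3 10:21:13 web1 su: pam_unix(su-l:session): session opened for user root by cat(uid=1001)
EOF
}

su_report() {
    # $1 = log file. Prints "FAILED <user> -> <target> <count>" and
    # "OPENED <user> -> <target> <count>" lines, sorted.
    awk '
    / su: FAILED SU \(to / {
        s = $0; sub(/.*FAILED SU \(to /, "", s)      # "root) cat on pts/1"
        split(s, p, /[) ]+/)                          # p[1]=target, p[2]=calling user
        fail[p[2] " -> " p[1]]++
    }
    / su: pam_unix\(su-l:session\): session opened for user / {
        s = $0; sub(/.*session opened for user /, "", s)   # "root by fox(uid=1000)"
        split(s, p, /[ (]+/)                               # p[1]=target, p[3]=calling user
        ok[p[3] " -> " p[1]]++
    }
    END {
        for (k in fail) print "FAILED " k " " fail[k]
        for (k in ok)   print "OPENED " k " " ok[k]
    }' "$1" | LC_ALL=C sort
}

su_bruteforce() {
    # $1 = log file, $2 = threshold. Prints each user with at least $2 failed su attempts.
    su_report "$1" | awk -v t="$2" '$1 == "FAILED" && $5 + 0 >= t + 0 { print $2 }'
}

# On a real host:  su_report /var/log/secure ; su_bruteforce /var/log/secure 5
```

Three failures followed by a successful switch from the same user, as in the sample, is the pattern worth a second look: either a forgotten password or a guessed one. After pam_wheel is enabled, non-wheel users are refused before the password prompt, so their attempts appear as PAM failures rather than as FAILED SU lines.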

①PAM authentication principle

►PAM authentication generally follows the order: service → PAM configuration file → pam_*.so authentication module

PAM authentication first determines which service an application is, then loads the matching PAM configuration file (under /etc/pam.d), and finally calls the authentication modules (under /lib64/security/) to perform the security check

►When a user accesses the server, the service program hands the user's request to the PAM modules for authentication; different applications use different PAM modules
To check whether a program supports PAM authentication, list /etc/pam.d/ with ls and look for a file named after the service

ls /etc/pam.d/                    //PAM configuration files

ls /lib64/security/             //authentication modules

Three, account authority management

vim /etc/sudoers         //the file is read-only by default, so saving needs :wq!
or
visudo                   //preferred: it locks the file and refuses to save a sudoers with syntax errors, which would otherwise disable sudo for everyone

①Single user authority

►Format 1: user hostname=command list
►Format 2: user hostname=(runas_user) command list   //the user in parentheses is the account the command runs as; root when omitted

Commands must be given as absolute paths; sudoers does not search PATH

fox foxhome=/sbin/ifconfig  //allow fox to run ifconfig
fox foxhome=!/sbin/reboot   //deny fox the reboot command
fox foxhome=/sbin/*         //allow fox every command under /sbin
fox foxhome=/sbin/reboot,/sbin/poweroff //separate several commands with commas

►Forbid a user from rebooting the machine: the "!" form above denies a command, but subtracting commands from a broad grant such as /sbin/* is not a reliable denial, because the user can copy the binary to another path and run it from there; grant only the commands that are actually needed instead

②Alias group permissions

►User alias: User_Alias
►Host alias: Host_Alias
►Command alias: Cmnd_Alias
Alias names must be written in upper case

User_Alias USERS=fox,cat
//the user alias USERS contains fox and cat
Host_Alias HOSTS=foxhome,cathome
//the host alias HOSTS contains foxhome and cathome
Cmnd_Alias CMNDS=/sbin/reboot,/sbin/poweroff
//the permitted commands are reboot and poweroff
USERS HOSTS=CMNDS
//equivalent to: user group   host group  =  command list
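Rather than appending rules to /etc/sudoers itself, the safer habit is a drop-in file under /etc/sudoers.d that is syntax-checked before it goes live. The script below is an added example (not from the original article) that installs the alias rule from ② that way: it writes the rule to a temporary file whose name sudo ignores, sets mode 0440, validates it with visudo -cf when visudo is installed (otherwise it only warns), and refuses file names containing "." or ending in "~", which sudo silently skips. The users, hosts and commands are the ones in the text; the directory and file name are examples.

```shell
#!/bin/sh
# Added example (not from the original article): install a sudoers rule as a
# drop-in under /etc/sudoers.d instead of editing /etc/sudoers by hand, and refuse
# to install anything that visudo cannot parse. Users, hosts and commands are the text's own.

sudoers_rules() {
    # The alias-based rule from the text, with absolute command paths as sudoers requires.
    cat <<'EOF'
User_Alias  USERS  = fox, cat
Host_Alias  HOSTS  = foxhome, cathome
Cmnd_Alias  CMNDS  = /sbin/reboot, /sbin/poweroff
USERS HOSTS = CMNDS
EOF
}

write_sudoers_dropin() (
    # $1 = directory (normally /etc/sudoers.d), $2 = file name; rule text on stdin.
    # Runs in a subshell so the umask change does not leak into the calling shell.
    dir=$1 name=$2
    case $name in
        *.*|*~|'')   # sudo silently ignores such names, so the rule would never apply
            echo "refusing name '$name': must not contain '.' or end in '~'" >&2; exit 1 ;;
    esac
    tmp="$dir/.$name.tmp"        # contains '.', so sudo ignores it while it is being written
    umask 077
    cat > "$tmp" || exit 1
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null; then
            rm -f "$tmp"; echo "rejected: $name has a syntax error" >&2; exit 1
        fi
    else
        echo "warning: visudo not found, $name was not syntax-checked" >&2
    fi
    mv "$tmp" "$dir/$name"
)

# Real use, as root (the file is then owned by root as sudo requires):
#   sudoers_rules | write_sudoers_dropin /etc/sudoers.d ops-power
```

Drop-ins are read in lexical order after /etc/sudoers, so a rule that should override another must sort later; keeping one file per purpose also makes the rules easy to remove when a project ends.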

Four, GRUB protection

Anyone with console access can interrupt the boot at the GRUB menu, press "e" to edit a kernel line (for example to boot straight into a root shell) or otherwise tamper with the boot configuration, and so take over the server or leave it unable to start normally. A GRUB password restricts those actions to an authenticated superuser

①Set a GRUB password

►Use grub2-mkpasswd-pbkdf2 to generate the password hash

grub2-mkpasswd-pbkdf2

The hash is everything from "grub.pbkdf2.sha512." to the end of the output line; save it, it is what goes into the configuration

Back up the files before adding the GRUB user

//back up the important files
cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
cp /etc/grub.d/00_header /etc/grub.d/00_header.bak

vim /etc/grub.d/00_header
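What goes into 00_header is a "set superusers" line and a "password_pbkdf2" line carrying the hash, after which grub.cfg has to be regenerated. The following added example (not from the original article) generates that stanza from a hash, refuses anything that is not a grub2-mkpasswd-pbkdf2 hash (a plaintext password pasted in by mistake would otherwise become the "hash"), and wraps the backup and regenerate steps. The hash in the usage comment is a placeholder; the BIOS paths /boot/grub2/grub.cfg and /etc/grub.d/00_header are the text's own.

```shell
#!/bin/sh
# Added example (not from the original article): the stanza that the edit of
# /etc/grub.d/00_header adds, generated from a grub2-mkpasswd-pbkdf2 hash, plus the
# backup/regenerate procedure around it. The hash in the usage comment is a placeholder.

grub_superuser_stanza() {
    # $1 = GRUB superuser name, $2 = hash from grub2-mkpasswd-pbkdf2.
    # 00_header is a shell script that emits grub.cfg text through "cat << EOF",
    # so the stanza is written in the same form.
    case $2 in
        grub.pbkdf2.sha512.*) ;;
        *) echo "not a grub2-mkpasswd-pbkdf2 hash: '$2'" >&2; return 1 ;;
    esac
    printf 'cat << EOF\nset superusers="%s"\npassword_pbkdf2 %s %s\nEOF\n' "$1" "$1" "$2"
}

install_grub_password() {
    # $1 = superuser, $2 = hash. Appends the stanza to /etc/grub.d/00_header, keeping
    # the backups the text recommends, then regenerates grub.cfg. BIOS layout assumed;
    # on UEFI systems grub.cfg lives under /boot/efi/EFI/centos/ instead.
    header=/etc/grub.d/00_header
    cfg=/boot/grub2/grub.cfg
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    stanza=$(grub_superuser_stanza "$1" "$2") || return 1
    cp -p "$cfg" "$cfg.bak" && cp -p "$header" "$header.bak" || return 1
    printf '%s\n' "$stanza" >> "$header"
    grub2-mkconfig -o "$cfg"
}

# Interactive use as root: run grub2-mkpasswd-pbkdf2, type the password twice, then
#   install_grub_password root 'grub.pbkdf2.sha512.10000.<salt>.<hash>'
```

With upstream GRUB, setting superusers also requires the password just to boot an entry; CentOS 7's 10_linux generates its menu entries with --unrestricted, so the password is only asked for when editing an entry or opening the GRUB command line. Check grub.cfg for --unrestricted after regenerating if unattended reboots have to keep working. Later CentOS 7 releases also ship grub2-setpassword, which stores the hash in /boot/grub2/user.cfg and achieves the same protection without touching 00_header.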

Origin blog.csdn.net/qq_42427971/article/details/113571645