Cloud host server system hardening

System version information

Command:

lsb_release -a

Result:

Conclusion: The system version is CentOS 7.3 64-bit.

Create the shadow password file

Command:

ll /etc/shadow
cat /etc/shadow

Result:

Conclusion: A shadow password file already exists.

Create multiple account groups and assign user accounts to corresponding account groups

This step requires the name of the corresponding application before the groups can be created.

Delete or lock potentially useless accounts

Command:

cat /etc/passwd

Result:

Conclusion: There are only root, system users, and pseudo-users in the system, and no other users exist.

Delete potentially useless user groups

Same as the previous step.

Check for accounts with empty passwords

Command:

awk -F: '($2 == "") { print $1 }' /etc/shadow

Result:

Conclusion: No account with an empty password exists.

Set password policies to meet complexity requirements

Execution history:

# Minimum password length: 8 characters
[root@Server-i-fzbwivul78 pam.d]# authconfig --passminlen=8 --update
[root@Server-i-fzbwivul78 pam.d]# grep "^minlen" /etc/security/pwquality.conf
minlen = 8
# Maximum number of consecutive characters of the same class allowed in a new password: 4
[root@Server-i-fzbwivul78 pam.d]# authconfig --passmaxclassrepeat=4 --update
[root@Server-i-fzbwivul78 pam.d]# grep "^maxclassrepeat" /etc/security/pwquality.conf
maxclassrepeat = 4
# Require at least one lowercase character in a new password
[root@Server-i-fzbwivul78 pam.d]# authconfig --enablereqlower --update
[root@Server-i-fzbwivul78 pam.d]# grep "^lcredit" /etc/security/pwquality.conf
lcredit   = -1
# Require at least one uppercase character in a new password
[root@Server-i-fzbwivul78 pam.d]# authconfig --enablerequpper --update
[root@Server-i-fzbwivul78 pam.d]# grep "^ucredit" /etc/security/pwquality.conf
ucredit    = -1
# Require at least one digit in a new password
[root@Server-i-fzbwivul78 pam.d]#  authconfig --enablereqdigit --update
[root@Server-i-fzbwivul78 pam.d]# grep "^dcredit" /etc/security/pwquality.conf
dcredit     = -1
# Require at least one special character in a new password
[root@Server-i-fzbwivul78 pam.d]# authconfig --enablereqother --update
[root@Server-i-fzbwivul78 pam.d]# grep "^ocredit" /etc/security/pwquality.conf
ocredit      = -1
[root@Server-i-fzbwivul78 pam.d]# 

Set the account password life cycle

Command:

# $DAYS is the expiry time in days
chage -M $DAYS root

Result:

Note: Be careful when changing the password expiration time.

Set password history so that the last 5 passwords cannot be reused

Edit /etc/pam.d/system-auth and find the following line:

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

Change it to:

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Restrict the root user from logging in remotely

vi /etc/ssh/sshd_config

Set the PermitRootLogin option to:

PermitRootLogin no

Check passwd, group file permission settings

Execute the following command:

Conclusion: Meets safety standards.

Delete the .netrc/.rhosts/.shosts file in the account directory

Command:

rm ~/.netrc ~/.rhosts ~/.shosts

Result:

Check if there is a user with UID 0 other than root

Check command:

awk -F: '($3 == 0) { print $1 }' /etc/passwd

Result:

Conclusion: There is no account with UID 0 other than root in the system.

Set account permissions

Account permissions must be set according to the actual situation.

Command: usermod.

Account lockout

The specified accounts must be locked according to the actual situation.

The commands are as follows:

# Lock an account
passwd -l $account
# Unlock an account
passwd -u $account
# Prevent all non-root users from logging in
touch /etc/nologin

Security of root user environment variables

Command:

# Check whether PATH contains the current directory (a "." or an empty entry)
echo $PATH | egrep '(^|:)(\.|:|$)'
# Check whether PATH contains directories that are group- or world-writable
find `echo $PATH | tr ':' ' '` -type d \( -perm -002 -o -perm -020 \) -ls

Result:

Security Configuration for Remote Connections

Disable telnet for remote login and use ssh

Check whether /etc/securetty contains pts/0:

grep "pts/0" /etc/securetty

Result:

Conclusion: The system has disabled telnet login.

Restrict ssh connections by IP

This must be configured according to the actual situation. The configuration files are /etc/hosts.allow and /etc/hosts.deny.

Restrict system account FTP login

Command:

cat /etc/passwd|grep ftp

Result:

If an ftp user exists and its login shell is /sbin/nologin or /usr/sbin/nologin, the FTP user cannot log in. If the login shell is not nologin, run the following command:

# $account is the name of the ftp user to modify
usermod -s /sbin/nologin $account

Conclusion: In this image, ftp account login has been disabled.
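An added example (not from the original checklist) that combines three of the account checks above, empty passwords, extra UID-0 accounts and ftp accounts with an interactive shell, into one audit over copies of passwd and shadow. The sample files are constructed, and the function names are this example's own.

```shell
# Added example: audit copies of /etc/passwd and /etc/shadow for empty
# passwords, extra UID-0 accounts and ftp accounts with an interactive shell.
# Sample files below are constructed; pass the real files to audit a host.

# Accounts whose shadow password field is empty (login without a password).
empty_password_users() {            # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 other than root (a second root-equivalent account).
extra_uid0_users() {                # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose name matches $2 and whose shell is not nologin/false.
interactive_accounts() {            # $1 = passwd file, $2 = name regex
    awk -F: -v pat="$2" '$1 ~ pat && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Run all three checks; prints findings, returns 1 if there are any.
audit_accounts() {                  # $1 = passwd file, $2 = shadow file
    findings=$(
        empty_password_users "$2"     | sed 's/^/empty-password: /'
        extra_uid0_users "$1"         | sed 's/^/extra-uid0: /'
        interactive_accounts "$1" ftp | sed 's/^/ftp-with-shell: /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample files (the hashes are placeholders, not real).
tmpdir=$(mktemp -d)
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
ftpadmin:x:1001:1001::/home/ftpadmin:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
cat > "$tmpdir/shadow" <<'EOF'
root:$6$placeholder$hash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
ftp:*:18000:0:99999:7:::
ftpadmin::18000:0:99999:7:::
toor:$6$placeholder$hash:18000:0:99999:7:::
EOF
audit_accounts "$tmpdir/passwd" "$tmpdir/shadow" || echo "account audit found issues"
```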

Configure IP ranges or hostnames that are allowed to access the inetd service

There is no inetd service in this base image.

Lock the account after more than 6 consecutive authentication failures

Edit /etc/pam.d/sshd and add the following line directly below #%PAM-1.0, i.e. as the second line. It must be placed at the top: if it is added at the bottom, the user is still locked, but can log in anyway as soon as the correct password is entered. Add the following:

auth       required     pam_tally2.so deny=6 unlock_time=300 even_deny_root root_unlock_time=10

The execution result is as follows:

The parameters are as follows:

even_deny_root: also apply the limit to the root user;
deny: the maximum number of consecutive failed logins allowed for ordinary users and root; once it is exceeded, the user is locked;
unlock_time: how many seconds after being locked an ordinary user is unlocked;
root_unlock_time: how many seconds after being locked the root user is unlocked;

The pam_tally2 module is used here. If pam_tally2 is not available, the pam_tally module can be used instead. Settings may also differ between PAM versions; refer to the documentation of the relevant module for details.

Check the number of user login failures:

pam_tally2 --user root

Unlock the specified user:

# $account is the locked account
pam_tally2 -r -u $account
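An added example, not from the original checklist, that checks the ordering requirement described above: the pam_tally2 line must be the first auth entry in /etc/pam.d/sshd. The two PAM files are constructed, and check_tally_order is this example's own helper.

```shell
# Added example (not from the checklist): check that the pam_tally2 auth line
# is the first "auth" entry in a PAM service file, as required above. The PAM
# files below are constructed; pass /etc/pam.d/sshd to check a real host.

# Prints "ok" if the first non-comment auth line is pam_tally2.so with a deny=
# limit, "misplaced" if such a line exists but another auth line precedes it
# (a correct password then still logs in), and "missing" if there is none.
check_tally_order() {               # $1 = PAM service file
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
        $1 == "auth" {
            if ($0 ~ /pam_tally2\.so/ && $0 ~ /deny=[0-9]+/) {
                r = (others == 0) ? "ok" : "misplaced"; print r; found = 1; exit
            }
            others++                                  # another auth line came first
        }
        END { if (!found) print "missing" }' "$1"
}

pamdir=$(mktemp -d)
# Constructed: lockout line directly below #%PAM-1.0, as the checklist instructs.
cat > "$pamdir/sshd.good" <<'EOF'
#%PAM-1.0
auth       required     pam_tally2.so deny=6 unlock_time=300 even_deny_root root_unlock_time=10
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
EOF
# Constructed: the same line placed after the other auth lines, the ordering the text warns against.
cat > "$pamdir/sshd.bad" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_tally2.so deny=6 unlock_time=300 even_deny_root root_unlock_time=10
account    required     pam_nologin.so
EOF
for f in "$pamdir/sshd.good" "$pamdir/sshd.bad"; do
    echo "$f: $(check_tally_order "$f")"
done
```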

User umask security configuration

To view the current umask, run:

umask

Result:

It must be changed to 077. To make this permanent, edit /etc/profile and set the umask to 077:

vi /etc/profile

Modify as follows:

Test Results:

Find and delete unauthorized SUID/SGID files

Command:

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print $2 }'`; do find $PART \( -perm -04000 -o -perm -02000 \) -type f -xdev -print ; done

If an unauthorized file is found, the system does not meet the security requirement and the file must be deleted. It is recommended to compare the list of SUID/SGID files regularly so that suspicious backdoor programs can be found in time.

Result:

Conclusion: There are no unauthorized SUID/SGID files in this base image.
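As an added example of the regular comparison recommended above (not the page's own code), the script below records a baseline of set-id files and diffs a later scan against it. The scanned tree is a constructed temp directory; setid_list and baseline_diff are this example's own helpers.

```shell
# Added example (not from the checklist): record a baseline of SUID/SGID files and
# compare a later scan against it, so a set-id file that appears afterwards stands
# out. The tree scanned below is a constructed temp directory; on a real host pass
# each mount point from /etc/fstab, as the checklist command above does.

# List set-id regular files under $1 as "path mode", sorted so comm(1) can diff it.
setid_list() {                      # $1 = directory or mount point
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -printf '%p %m\n' | sort
}

# Print entries in the current scan but not in the baseline ("+ ...") and entries
# that disappeared ("- ..."); a mode change shows as one of each. Returns 1 on any change.
baseline_diff() {                   # $1 = baseline file, $2 = current listing
    added=$(comm -13 "$1" "$2" | sed 's/^/+ /')
    removed=$(comm -23 "$1" "$2" | sed 's/^/- /')
    if [ -z "$added$removed" ]; then return 0; fi
    if [ -n "$added" ]; then printf '%s\n' "$added"; fi
    if [ -n "$removed" ]; then printf '%s\n' "$removed"; fi
    return 1
}

# Constructed demo tree: one approved setuid file at baseline time, one that appears later.
demo=$(mktemp -d)
mkdir -p "$demo/bin"
printf '#!/bin/sh\n' > "$demo/bin/passwd";     chmod 4755 "$demo/bin/passwd"
printf '#!/bin/sh\n' > "$demo/bin/ls";         chmod 0755 "$demo/bin/ls"
setid_list "$demo" > "$demo/baseline.txt"      # taken when the image is built
printf '#!/bin/sh\n' > "$demo/bin/unexpected"; chmod 4755 "$demo/bin/unexpected"
setid_list "$demo" > "$demo/current.txt"       # taken at a later audit
baseline_diff "$demo/baseline.txt" "$demo/current.txt" || echo "set-id files changed since baseline"
```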

Check for files and directories writable by anyone

Command:

# CentOS 7 formats its filesystems as xfs by default, so matching only ext2/ext3 would scan nothing; ext4 and xfs are included here
for PART in `awk '($3 == "ext2" || $3 == "ext3" || $3 == "ext4" || $3 == "xfs") { print $2 }' /etc/fstab`; do find $PART -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print; done

If the output is not empty, the system does not meet the security requirement.

Result:

Conclusion: The output is empty; there are no files in this base image that anyone can write to.

Check for abnormal hidden files

Command:

find / -xdev -name "..*" -print
find / -xdev -name "...*" -print | cat -v

Result:

Conclusion: There are no abnormal hidden files in the image.

Permission settings for important directories and files

Command:

ls -l /etc/
ls -l /etc/rc.d/init.d/
ls -l /tmp
ls -l /etc/inetd.conf
ls -l /etc/passwd
ls -l /etc/shadow
ls -l /etc/group
ls -l /etc/security
ls -l /etc/services
ls -l /etc/rc*.d

If the permissions are too permissive, the system does not meet the security requirement.
For important directories, it is recommended to do something like the following:

chmod -R 750 /etc/rc.d/init.d/*

This way only root can read, write and execute the scripts in this directory.

Check for files or directories without owners

To locate files without an owner on the system, use the following command:

# the parentheses are needed so that -print applies to both -nouser and -nogroup matches
for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print $2 }'`; do find $PART -xdev \( -nouser -o -nogroup \) -print; done

Result:

A file without an owner often indicates that an intruder has broken into the system, and such a file must not be left in place. If a file or directory without an owner is found, check its integrity first; if everything is fine, assign it an owner. Sometimes an uninstaller leaves behind files or directories without an owner; in that case they can be deleted.

Disable unnecessary services

List the services that start automatically:

systemctl list-unit-files  |grep enabled

This must be adjusted according to the actual situation. Disable command:

# $service is the service name
systemctl disable $service

Disable unnecessary inetd services

The inetd service does not exist in the base image.

Turn off IP forwarding

Edit /etc/sysctl.conf and add the following:

net.ipv4.ip_forward=0

Then execute:

sysctl -p

Turn off forwarding of source-routed packets

Same as above: edit /etc/sysctl.conf and run sysctl -p.

Increase the maximum number of half-open connections to resist SYN attacks

Edit /etc/sysctl.conf and add the following:

net.ipv4.tcp_max_syn_backlog = 2048

Then execute:

sysctl -p

Turn off ICMP redirection

Edit /etc/sysctl.conf and add the following:

net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

Then execute:

sysctl -p

Turn off responding to echo broadcasts

Command:

sysctl -a |grep echo_ignore_broadcasts

Result:

Responses to echo broadcasts are already disabled. If they are not, edit /etc/sysctl.conf and add the following:

net.ipv4.icmp_echo_ignore_broadcasts = 1
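As an added check for the password policy values set with authconfig earlier and for the sysctl.conf entries in this section (example code written for this page, not part of the original checklist), the following script reads a key = value file and reports every setting that is missing or differs from the target. Both sample files are constructed, and the helper names conf_value and check_settings are this example's own; live kernel values would need sysctl -n rather than the file.

```shell
# Added example: read "key = value" settings from a pwquality.conf or sysctl.conf
# style file and report each key missing or different from the hardening target.
# Sample files are constructed; pass the real files to check a host.

# Print the value of key $2 in file $1 (comments ignored, last occurrence wins);
# prints nothing if the key is absent.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        }
        END { if (v != "") print v }' "$1"
}

# $1 = file, remaining args = key=expected pairs. Prints one line per mismatch
# and returns 1 if any key is missing or has a different value.
check_settings() {
    file=$1; shift; bad=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, ${have:+found }${have:-not set}"; bad=1
        fi
    done
    return $bad
}
# Constructed samples: minlen too short and ocredit unset; ICMP redirects still
# accepted and the broadcast-echo setting absent.
tmp=$(mktemp -d)
cat > "$tmp/pwquality.conf" <<'EOF'
minlen = 6
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
EOF
cat > "$tmp/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.conf.all.accept_redirects = 1
EOF
check_settings "$tmp/pwquality.conf" minlen=8 maxclassrepeat=4 lcredit=-1 ucredit=-1 \
    dcredit=-1 ocredit=-1 || echo "pwquality.conf: mismatches found"
check_settings "$tmp/sysctl.conf" net.ipv4.ip_forward=0 net.ipv4.tcp_max_syn_backlog=2048 \
    net.ipv4.conf.all.accept_redirects=0 net.ipv4.icmp_echo_ignore_broadcasts=1 \
    || echo "sysctl.conf: mismatches found"
```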

Turn off responses to address mask and timestamp broadcasts

Not applicable on CentOS; only a few operating systems respond to these, including ULTRIX, OpenVMS, Windows 95/98/98 SE/ME, NT before SP4, and SUN Solaris.

Enable inetd logging

There is no inetd service in this base image.

syslog log event logging

Command:

cat /etc/rsyslog.conf |grep "authpriv.*"

Result:

Conclusion: The base image already has a log audit rule.

Enhanced Linux log configuration and syslog system event auditing

The base image already has this; run cat /etc/rsyslog.conf. The base image configuration is as follows:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

Record FTP logs

There is no FTP application service in the base image.

Setting up a remote log server

Deploy according to the actual situation and modify /etc/rsyslog.conf accordingly.

Check system log file permissions

Command:

cd /var/log && ll messages secure maillog cron spooler boot.log

Result:

Disable GUI login

The graphical interface is disabled by default on cloud hosts. Do not install the GUI when installing the system on the client's server.

Automatic logout of idle character-mode (shell) sessions

Edit /etc/profile and append the following:

export TMOUT=180

This sets the idle timeout to 180 seconds.

System vulnerability patch

Based on the results of the security vulnerability scan of the public cloud host, patch and upgrade the vulnerable packages:

The upgrade command from the history is as follows:

yum update libnl3 sudo wget dnsmasq gnutls  libtasn1  openssh kernel curl bash -y
