Linux Operation and Maintenance Notes 20180002-Security Hardening

About "Security Hardening"

  Security is relative.

  Hardening may involve every layer of the system: (1) Hardware. For example: Intel x86 hardware vulnerabilities; (2) Operating system. From installation and deployment through to post-installation operation; (3) System services. The installation and configuration of the service itself, the system resources the service uses, and external access to the service (data exchange).

For example: RHEL installation and deployment, system configuration, system service settings.

1. About the operating system

  Use an officially released version of the system wherever possible;

  Choose a current "mainstream" version whenever possible.

  For example, RHEL major versions: 6.x (6.8), 7.x (7.2, 7.5)

  1.1 About the installation of the operating system

  (1) Disk partitioning: /boot: 200M, /: 10G, swap: memory*2

    Deploy the system using logical volumes

      /boot: the boot partition, must use a physical partition

      swap: uses a logical volume

      /: uses a logical volume

    For a simple deployment only the above three partitions are needed; other directories can be given their own partitions:

     (When the volume of data is relatively large, the file system fills up easily....)

      /var

      /var/log

      /home

      /usr

      /usr/local

      /tmp

      (User-defined directories can be mounted independently)

    Both a parent directory and its sub-directories can be mounted on separate disks

    Reallocating separate partitions for system directories

      Operations: disk partition/logical volume, file system creation, mount & unmount, file move

      Key points: 1. Users only operate on the file system (reading and writing files)

         2. The file system cannot be separated from the disk (data is written to the file system)

         3. Mounting is the association between a directory and a file system: you enter the file system through the directory

         4. When moving the files, preserve their attributes.

  (2) Software package customization

    Desktop

    Development toolset

  (3) View partition and mount after system installation

    df -Th, lvdisplay, vgdisplay, lvs, vgs

    /etc/fstab

  (4) yum source

    You cannot point the yum source directly at the iso file; mount the image first

      For example: mount -o loop xxx.iso /mnt

    The mount can also be recorded in fstab, but that may affect system startup

    Alternatively, put it in another file: write the mount command to /etc/rc.local

      rc.local: a script that is executed after the system starts.

  1.2 About RHEL6 root account password recovery

    Start up (or restart) and interrupt the system startup

    Edit the kernel parameters:

      1. Find the startup item and press e to edit it.

      2. Select the kernel (the kernel line) and press e to edit it.

      3. Add the parameter 1 or single (single-user mode) at the end and press Enter to confirm.

      4. With the kernel line selected, press b to boot.

      5. The system starts directly in single-user mode; no remounting is needed, and you land directly at the system root as the root account.

      6. Run passwd to change the password, then reboot to restart.

    Preventing malicious password cracking

      GRUB needs a password. Find the GRUB configuration file: /etc/grub.conf

      Add a password line under hiddenmenu

      1. Plaintext password: password=123456

      2. MD5-hashed password: password --md5 followed by the hashed string

      3. SHA-hashed password: password --encrypted followed by the hashed string

    How is the hashed string generated?

      Command-line tool: grub-crypt, with an option to specify the hash algorithm

      SHA-512 is used by default; see --help for usage
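
    The check below is an added example, not part of the original notes: it reports which of the three password forms listed above a GRUB legacy configuration uses, reading only the global section (before the first title line), since that is where the line under hiddenmenu lives. The function names and the sample configuration are constructed for illustration, and the hash strings are placeholders rather than real grub-crypt output.

```shell
#!/bin/sh
# Added example (not from the original notes): report how the global
# password directive in a GRUB legacy grub.conf is stored.

# Prints one of: none | plaintext | md5 | encrypted
classify_grub_password() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        /^[ \t]*title([ \t]|$)/ { exit }        # global section ends at the first entry
        /^[ \t]*password([ \t=]|$)/ {
            sub(/^[ \t]*password[ \t=]*/, "")   # drop the directive and its separator
            if ($1 == "--md5") kind = "md5"
            else if ($1 == "--encrypted") kind = "encrypted"
            else kind = "plaintext"
            exit
        }
        END { print (kind == "" ? "none" : kind) }
    ' "$1"
}

# Returns 0 only when the password is stored as a hash.
grub_password_is_hashed() {
    case $(classify_grub_password "$1") in
        md5|encrypted) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample grub.conf; $1 is the password line to embed (may be empty).
sample_conf() {
    printf '%s\n' 'default=0' 'timeout=5' 'hiddenmenu' "$1" \
        'title Red Hat Enterprise Linux' '    root (hd0,0)'
}

# Demo over the three forms from the notes plus a file with no password line.
tmp=$(mktemp)
for pw in '' 'password=123456' 'password --md5 $1$PLACEHOLDER' \
          'password --encrypted $6$PLACEHOLDER'; do
    sample_conf "$pw" > "$tmp"
    printf '%-40s -> %s\n' "${pw:-<no password line>}" \
        "$(classify_grub_password "$tmp")"
done
rm -f "$tmp"
```

    On a real system, pass the path of the configuration file to classify_grub_password; a result of none or plaintext means the boot menu can be edited, or the password read from the file, by anyone with access.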

This article is mainly compiled from Brother Tao, who was studying alongside me. Brother Tao got married last week. Thank you, Brother Tao, for your guidance to us beginners.
