Table of contents
Set the validity period and minimum length of passwords
Set the complexity of user passwords
Set the security policy for remote login of users
Operating system security hardening covers the technical measures that keep an operating system secure and stable. Hardening can be viewed from inside and from outside the system. Internally, it means adjusting the operating system configuration and kernel parameters to strengthen internal management. Externally, it means putting up a network barrier: deploying a firewall, closing unnecessary open ports, and so on.
-
Password Security Policy
Authentication credentials for operating-system and database administrative accounts should be hard to forge or reuse: passwords must meet complexity requirements and be changed regularly. An effective password policy makes it harder for an attacker to guess or crack them.
Password policy is implemented mainly through /etc/login.defs and the PAM password-quality module (pam_cracklib.so on older systems, pam_pwquality.so on current ones).
/etc/login.defs only controls the validity period and minimum length of account passwords. Changes take effect immediately, but only for accounts created after the change; existing accounts keep their current ageing values until you update them with chage(1). On systems where passwd goes through PAM (all current distributions), PASS_MIN_LEN is not used by passwd; the PAM module's minlen option sets the minimum length instead.
pam_pwquality.so implements password complexity control. The older pam_cracklib.so was replaced by pam_pwquality.so, which accepts the same options as a drop-in replacement and adds a few of its own (for example local_users_only); Linux-PAM 1.5 removed pam_cracklib entirely. The module is referenced from the PAM stack files under /etc/pam.d/ (system-auth and password-auth on RHEL-family systems, common-password on Debian-family systems), and its defaults live in /etc/security/pwquality.conf.
Check for accounts with an empty password, and set a strong password on every weak or empty-password account:
[root@localhost ~]# awk -F: '($2 == ""){print $1}' /etc/shadow
Set the validity period and minimum length of passwords
Edit /etc/login.defs to configure the password ageing policy:
[root@localhost ~]# vim /etc/login.defs
Parameters in /etc/login.defs:
PASS_MAX_DAYS 90 # maximum password validity in days; 90 here means the password expires after 90 days, 99999 means it never expires
PASS_MIN_DAYS 10 # minimum interval between two password changes; 0 means the password may be changed at any time
PASS_MIN_LEN 8 # minimum password length; not enforced for root, and not used at all when passwd goes through PAM (the PAM module's minlen applies instead)
PASS_WARN_AGE 7 # number of days before expiry at which the user starts to be warned
Note: changes to /etc/login.defs take effect immediately but only for accounts created afterwards; accounts that already exist keep their old values (typically the 99999-day period). Update those with chage(1) and check the result with chage -l.
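As an added example (not code from the original page), the following POSIX shell script turns the two checks of this section into something repeatable: it lists empty-password accounts from a shadow-format file, lists accounts whose password never expires, and applies the login.defs ageing values to those existing accounts with chage(1), since editing login.defs alone does not touch them. The shadow lines are constructed sample data with placeholder hashes; the function names and the CHAGE dry-run variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a shadow(5)-format file
# for empty passwords and for passwords that never expire, then push the
# login.defs ageing values onto those existing accounts with chage(1).

# Constructed sample in /etc/shadow format; the hashes are placeholders.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:19000:0:99999:7:::
alice:$6$saltsalt$fakehash:19000:10:90:7:::
bob::19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
carol:$6$saltsalt$fakehash:19000:0:99999:7:::'

# Accounts whose password field (field 2) is empty: they can be used
# without any password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a usable hash whose maximum password age (field 5) is unset
# or exceeds $2 days. Locked accounts (hash starting with ! or *) are
# skipped because they cannot authenticate with a password anyway.
lax_max_age_accounts() {
    awk -F: -v max="$2" \
        '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max) { print $1 }' "$1"
}

# /etc/login.defs only governs accounts created after it is edited, so apply
# the same policy to the existing accounts found above. Set CHAGE=echo for a
# dry run; by default the real chage binary runs, which requires root.
apply_ageing() {
    shadow=$1 max=$2 min=$3 warn=$4
    for u in $(lax_max_age_accounts "$shadow" "$max"); do
        "${CHAGE:-chage}" -M "$max" -m "$min" -W "$warn" "$u"
    done
}

# Typical use on a live host (as root):
#   empty_password_accounts /etc/shadow
#   apply_ageing /etc/shadow 90 10 7
```

Run it with CHAGE=echo first to see which accounts would be changed; the real run needs root because chage writes /etc/shadow.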
Set the complexity of user passwords
Back up the original configuration file:
[root@localhost ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
Set the complexity policy:
[root@localhost ~]# vim /etc/pam.d/system-auth
Find the line that loads the pam_pwquality.so module, comment it out, and replace it with the configuration below: minimum length 12, and at least one uppercase letter, one lowercase letter, one digit and one special character. (On an old system that only ships pam_cracklib.so, keep that module name and drop local_users_only, which pam_pwquality added; the remaining options are accepted by both.)
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 difok=2 authtok_type= minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
Option reference:
difok=2 # minimum number of characters in the new password that do not appear in the old one
minlen=12 # minimum password length, 12 characters
lcredit=-1 # at least one lowercase letter
ucredit=-1 # at least one uppercase letter
dcredit=-1 # at least one digit
retry=3 # number of attempts before the password change fails with an error
ocredit=-1 # at least one other character (symbols such as @ # ! $ %)
enforce_for_root # enforce the complexity policy even when root sets a password
Note: without enforce_for_root the policy only applies when ordinary users change their own password; root is shown the warning but can still set a weak password. The line above includes enforce_for_root, so root is bound by it as well. A negative credit makes the class mandatory and grants no length credit for it, so minlen=12 is a hard minimum of 12 characters.
Create a new user to verify the policy. If the new user's password does not satisfy the complexity rules, passwd rejects it with a message such as BAD PASSWORD: it is based on a dictionary word:
passwd ttt
Changing password for user ttt.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
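To see concretely what the option list enforces, here is an added example (not from the original page) in POSIX shell that re-implements the minlen, credit and difok rules of the line above as a pre-check for provisioning scripts that generate passwords before calling passwd. It is deliberately narrower than pam_pwquality (no dictionary, repetition or sequence checks), and the function names and test passwords are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): a pre-check that mirrors the
# pam_pwquality line above (minlen=12, lcredit/ucredit/dcredit/ocredit=-1,
# difok=2) so provisioning scripts can validate a generated password before
# calling passwd. pam_pwquality remains the authoritative check; it also
# applies dictionary, repetition and sequence rules that this omits.

# Count the characters of $1 that do not occur anywhere in $2 (the difok
# rule). Values go through the environment so awk does not process
# backslash escapes inside the password.
count_new_chars() {
    NEW=$1 OLD=$2 awk 'BEGIN {
        n = 0
        for (i = 1; i <= length(ENVIRON["NEW"]); i++)
            if (index(ENVIRON["OLD"], substr(ENVIRON["NEW"], i, 1)) == 0) n++
        print n
    }'
}

# Return 0 if $1 satisfies the policy; otherwise print the first violated
# rule and return 1. $2 is the previous password (optional).
check_password_policy() {
    pw=$1 old=${2-}
    minlen=12 difok=2

    [ "${#pw}" -ge "$minlen" ] || { echo "too short: ${#pw} < $minlen"; return 1; }
    # A credit of -1 means "at least one character of this class" and no
    # length credit, so minlen is a hard minimum of 12 characters.
    printf '%s' "$pw" | grep -q '[[:lower:]]'  || { echo "missing lowercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:upper:]]'  || { echo "missing uppercase letter"; return 1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]'  || { echo "missing digit"; return 1; }
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { echo "missing special character"; return 1; }
    if [ -n "$old" ] && [ "$(count_new_chars "$pw" "$old")" -lt "$difok" ]; then
        echo "fewer than $difok characters differ from the old password"; return 1
    fi
    return 0
}

# Example: check_password_policy 'Correct-Horse-42' 'Correct-Horse-1' && echo accepted
```

The POSIX character classes are used instead of a-z ranges on purpose: in some locales a range like [a-z] also matches uppercase letters, which would silently weaken the check.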
-
Login Security Policy
Login security controls, such as locking an account for a period after a number of consecutive failed login attempts, are implemented mainly through the pam_tally2.so module. Its configuration likewise lives in the PAM stack files under /etc/pam.d/, for example the file /etc/pam.d/login for console logins and /etc/pam.d/sshd for SSH. pam_tally2 was deprecated and then removed in Linux-PAM 1.5; on systems shipping that version or later (RHEL 9, Debian 12 and newer) use pam_faillock.so instead, which takes similar deny= and unlock_time= options and is managed with the faillock command.
Set the security policy for remote login of users
Edit /etc/pam.d/login and add the following line
[root@localhost ~]# vim /etc/pam.d/login
On a character terminal this locks a user for a set time after N consecutive failed logins.
Start a new line directly below #%PAM-1.0 and add:
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10
If root should not be limited, write instead:
auth required pam_tally2.so deny=3 unlock_time=5
Options:
even_deny_root # also apply the deny limit to root (takes no value)
deny=n # maximum number of consecutive failed logins for ordinary users (and for root when even_deny_root is set); beyond it the user is locked
unlock_time=n # seconds after which a locked ordinary user is unlocked automatically; mind the unit: the example's unlock_time=5 is five seconds, use 300 for five minutes
root_unlock_time=n # the counterpart for even_deny_root: seconds after which a locked root account is unlocked
Note: /etc/pam.d/login only covers local console logins. To apply the same lockout to SSH, add the same line to /etc/pam.d/sshd (or to the shared system-auth/password-auth stack); on systems with pam_faillock, configure that module there instead.
Unlocking a user:
pam_tally2 --user <username> # show the user's failed-login count
[root@localhost ~]# pam_tally2 --user root
pam_tally2 --user <username> --reset # clear the failure count, which unlocks the user
or [root@localhost ~]# pam_tally2 -r -u root
Secure Remote Management
When administering a server remotely, take measures to stop authentication information from being eavesdropped on in transit.
Prevent passwords and other sensitive information from being sniffed during remote management
Disable telnet and stop it from starting at boot; use SSH, which encrypts the session, instead.
There are two ways to turn off telnet:
Method one: edit /etc/xinetd.d/telnet with vi and change disable = no to disable = yes
Method two: chkconfig telnet off
Restart the service for the change to take effect: service xinetd restart (on systemd-based systems telnet-server is a socket unit, disabled with systemctl disable --now telnet.socket)
Remove the package: rpm -e telnet-server --nodeps
Optionally comment out the port 23 entry in /etc/services. This only removes the name-to-port mapping and does not block anything, so do not rely on it in place of disabling the service and filtering the port in the firewall.
Access control
Delete redundant and expired accounts promptly, and avoid shared accounts.
Delete or disable temporary, expired and suspicious accounts so they cannot be misused.
These are mostly ordinary accounts created by an administrator, for example: test
usermod -L user # lock the account: it can no longer log in with its password, and the second field of its /etc/shadow entry now starts with !
userdel user # delete the user account
userdel -r user # delete the user account together with its home directory under /home
Note: locking only disables the password. With UsePAM yes (the default on current distributions) sshd leaves the lock check to PAM, and an account with an authorized SSH key can still log in. To disable an account fully, also expire it (usermod -e 1), which the PAM account check refuses regardless of authentication method, and give it a non-login shell.
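The following added example (not code from the original page) disables an account the way the text describes and then verifies the result from the shadow and passwd entries, so the check can be scripted across many hosts. The shadow and passwd lines are constructed samples with placeholder hashes; the function names and the USERMOD dry-run variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): disable an account and verify
# the result. "usermod -L" only locks the password; an account with an
# authorized SSH key (or a cron job) is unaffected, so the disable step also
# expires the account (refused by the PAM account check whatever the
# authentication method) and removes its login shell. USERMOD may be set to
# "echo" for a dry run; by default the real usermod is called (requires root).

disable_account() {
    "${USERMOD:-usermod}" -L -e 1 -s /sbin/nologin "$1"
}

# Print one line per check that holds for user $1: "locked" (shadow hash
# starts with ! or *), "expired" (shadow expiry day is in the past) and
# "nologin" (passwd shell is nologin or false). $2/$3 default to the live
# /etc/shadow and /etc/passwd.
account_state() {
    user=$1 shadow=${2:-/etc/shadow} passwd=${3:-/etc/passwd}
    today=$(( $(date +%s) / 86400 ))
    awk -F: -v u="$user" -v today="$today" '$1 == u {
        if ($2 ~ /^[!*]/) print "locked"
        if ($8 != "" && $8 + 0 <= today) print "expired"
    }' "$shadow"
    awk -F: -v u="$user" '$1 == u && $7 ~ /(nologin|false)$/ { print "nologin" }' "$passwd"
}

# Constructed sample entries (placeholder hashes, not real credentials):
# "test" has been disabled as above, "alice" is an active account.
DISABLED_SHADOW='test:!$6$saltsalt$fakehash:19000:0:99999:7::1:
alice:$6$saltsalt$fakehash:19000:10:90:7:::'
DISABLED_PASSWD='test:x:1001:1001::/home/test:/sbin/nologin
alice:x:1002:1002::/home/alice:/bin/bash'

# Typical use on a live host (as root):
#   disable_account test && account_state test
```

An account that prints all three lines is unusable by password, by key and by interactive shell; an account that prints only "locked" is the half-measure the note above warns about.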
Restrict root user login
First create an ordinary user test2, then grant it sudo rights so that privileged commands can be run through sudo when needed, and stop root from logging in to the server directly.
Create the ordinary user test2
[root@localhost ~]# useradd test2
[root@localhost ~]# passwd test2
Grant sudo rights to test2. Edit /etc/sudoers with visudo rather than a plain editor: visudo checks the syntax before saving, and a syntax error in this file breaks sudo for everyone.
[root@localhost ~]# visudo
root ALL=(ALL) ALL
test2 ALL=(ALL) ALL
Note that this entry gives test2 unrestricted root; restrict the command list where the role allows it.
Log in as test2 to verify.
Prevent root from logging in over SSH
Run:
[root@localhost ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
[root@localhost ~]# systemctl restart sshd # restart the ssh service (validate the file with sshd -t first; a broken configuration would cut off remote access)
Root can no longer log in over SSH.
Log in as the ordinary user instead and switch to root with su (or run individual commands with sudo).
Change the SSH port from 22
[root@localhost ~]# vim /etc/ssh/sshd_config
Port 2022
[root@localhost ~]# systemctl restart sshd # restart
Before restarting, open the new port in the firewall and, on systems with SELinux enforcing, add it to the ssh_port_t type with semanage port; otherwise sshd cannot bind to it or the connections are filtered. Verify by connecting to the new port (ssh -p 2022 ...) before closing the existing session.
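The two sshd_config edits above silently fail if the keyword already appears earlier in the file: sshd uses the first occurrence of a keyword, and anything after a Match line applies only to matching connections. This added example (not code from the original page), in POSIX shell, reports the value sshd will actually use and checks the two settings of this section. The sshd_config fragment is constructed sample input and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): report the value sshd will
# actually use for a keyword. Per sshd_config(5) the FIRST occurrence of a
# keyword wins, keywords are case-insensitive, and everything after a Match
# line applies only to matching connections. So "PermitRootLogin no" appended
# to the end of a file that already contains "PermitRootLogin yes" changes
# nothing. On a live host, "sshd -T" prints the effective configuration and
# "sshd -t" validates the file before a restart.

# Print the effective global value of keyword $2 in file $1; prints nothing
# when the keyword is unset (sshd's built-in default then applies).
# Handles the "Keyword value" form, not the rarer "Keyword=value" form.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                         # global section ends here
        k == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Check the two settings changed in this section; prints one finding per
# problem and nothing when both are as the text requires.
sshd_findings() {
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset, defaults to prohibit-password}', expected no"
    p=$(sshd_effective "$1" Port)
    [ "${p:-22}" != "22" ] || echo "Port is 22; move it, then open the new port in the firewall and SELinux port policy"
}

# Constructed sshd_config: the hardened lines were appended below a Match
# block instead of replacing the originals, so they never apply globally.
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
# appended by the administrator:
PermitRootLogin no
Port 2022'
```

Run sshd_findings /etc/ssh/sshd_config after editing; if it still reports findings, the hardened lines landed after an existing occurrence or inside a Match block and must replace the originals instead.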
Set a login timeout
Check the current setting: grep TMOUT /etc/profile
vim /etc/profile
Add export TMOUT=600 # idle timeout of 600 seconds
Declare the variable read-only as well (readonly TMOUT) so users cannot unset it in their own shell. This only covers interactive shells that read /etc/profile; idle SSH connections themselves are handled by sshd's ClientAliveInterval and ClientAliveCountMax.
-
Restrict source IP addresses
Through TCP wrappers, SSH can be limited to specific users from specific IP addresses; everyone else is refused. Allowed sources go in /etc/hosts.allow:
[root@localhost ~]# vim /etc/hosts.allow
sshd:192.168.2.*:allow # allowed network
sshd:192.168.3.10:allow # allowed IP address
Then deny every other source in /etc/hosts.deny by adding sshd:ALL
[root@localhost ~]# vim /etc/hosts.deny
sshd:ALL
Caveat: hosts.allow is consulted before hosts.deny, so the order above is safe, but TCP wrappers support was removed from upstream OpenSSH in 6.7 and from RHEL 8 and later. On those systems enforce the same restriction with the firewall or with sshd_config directives such as AllowUsers user@192.168.2.* or a Match Address block.
-
Security audit
Enable the audit policy
The audit scope should cover every operating-system user and database user on the server and on important clients.
With auditing enabled, a later system failure or security incident can be investigated from the system log files: troubleshooting, tracing the intruder's activity, and so on.
Check that the rsyslog and auditd services are running:
[root@localhost ~]# systemctl status rsyslog
[root@localhost ~]# systemctl status auditd
Log retention settings
Audit records must be protected against unexpected deletion, modification or overwriting.
Prevent important log information from being overwritten
Rotate the log files monthly and keep six months of history. Check the current configuration first:
[root@localhost ~]# vim /etc/logrotate.conf
Set the rotation interval to monthly and change the rotate count to rotate 6. These are the global defaults; any log with its own stanza under /etc/logrotate.d/ overrides them, so check those files too. auditd's own log in /var/log/audit/ is rotated by auditd itself according to /etc/audit/auditd.conf (max_log_file, num_logs, max_log_file_action), not by logrotate.
[root@localhost ~]# grep -v "^#\|^$" /etc/logrotate.conf
-
View system login logs
[root@localhost ~]# lastlog # most recent login of every user, with terminal and time
[root@localhost ~]# last -x # system shutdowns and run-level changes alongside user logins and logouts
[root@localhost ~]# lastb # failed login attempts (from /var/log/btmp)
[root@localhost ~]# tail -f /var/log/messages # follow the system log
[root@localhost ~]# last # login history from /var/log/wtmp
SSH authentication successes and failures are written to /var/log/secure on RHEL-family systems and /var/log/auth.log on Debian-family systems.
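pam_tally2 counts failures per account; the log view above also lets you count them per source and spot the pattern that matters most, a source that kept failing and then succeeded. The following added example (not code from the original page), in POSIX shell, runs that analysis over sshd lines of the kind written to /var/log/secure or /var/log/auth.log. The log lines are constructed samples using documentation IP ranges, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): count SSH authentication
# failures per source address from sshd log lines and flag sources that
# eventually logged in after failing. These are the events pam_tally2 or
# pam_faillock count per account; here they are counted per source instead,
# which is what you want when looking for password spraying.

# Constructed sample log lines in /var/log/secure format, using
# documentation IP ranges; not captured from a real host.
SAMPLE_SECURE='Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40100 ssh2
Mar  1 10:00:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40101 ssh2
Mar  1 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 40102 ssh2
Mar  1 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 40103 ssh2
Mar  1 10:00:09 host sshd[1205]: Accepted password for root from 203.0.113.5 port 40104 ssh2
Mar  1 10:01:00 host sshd[1210]: Failed password for alice from 192.168.2.10 port 50200 ssh2
Mar  1 10:01:05 host sshd[1211]: Accepted publickey for alice from 192.168.2.10 port 50201 ssh2
Mar  1 10:02:00 host sshd[1220]: Accepted publickey for bob from 192.168.3.10 port 50300 ssh2'

# Print "<failures> <source>" for every source with at least $2 failed
# password attempts in log file $1, most active first.
failed_login_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Print "<source> <user> <failures>" for each successful login from a source
# that had already failed at least $2 times earlier in the file: the
# signature of a brute-force attempt that worked, which calls for incident
# response rather than just a lockout.
success_after_failures() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = $0; sub(/.* from /, "", ip); sub(/ port .*/, "", ip)
            user = $0; sub(/.* for /, "", user); sub(/ from .*/, "", user)
            if (fails[ip] >= min) print ip, user, fails[ip]
        }
    ' "$1"
}

# Typical use on a live host:
#   failed_login_sources /var/log/secure 3
#   success_after_failures /var/log/secure 3
```

In the sample, 203.0.113.5 fails four times against two accounts and then gets in as root; that line, not the failure count, is the one to act on. The threshold for success_after_failures should be low, since a single mistyped password followed by a key login (alice) is normal and a reviewer can discard it quickly.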