Aspects to ensure the basic system Linux server security

As an open-source operating system, Linux is widely deployed on servers because of its notable advantages in security, efficiency and stability. Left unhardened, however, it is not necessarily safe. This post looks at Linux security optimization from the angles of account security control, system boot control and login control, together with auxiliary tools for finding security risks so that operations and maintenance staff can take appropriate measures in time.

Security really needs attention from many angles. This post goes through them one by one, and some of the points are quite minor, so please read patiently and configure the server's security according to your own needs.

First, basic security measures:

1. Redundant system accounts such as "games" can be deleted directly, including accounts created by programs: if a program is uninstalled but its account is not removed, delete the account manually.

2. When the server's user accounts are fixed and will not change, you can lock the account configuration files directly. Once locked, users cannot be added and user passwords cannot be changed:

[root@localhost ~]# chattr +i /etc/passwd /etc/shadow             #lock the files
[root@localhost ~]# lsattr /etc/passwd /etc/shadow                  #check whether they are locked
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow             #unlock the files

3. Password validity control: to reduce the risk of passwords being guessed or brute-forced, set a password expiry to limit the maximum number of days a password remains valid. When a user's password has expired, the user must reset it at login or the login is refused.

[root@localhost ~]# vim /etc/login.defs                #applies to newly created users
                     ........................
PASS_MAX_DAYS   30             #change the default value "99999" of this item to the desired value, e.g. 30 days
[root@localhost ~]# chage -M 30 lv             #applies to an existing user
[root@localhost ~]# chage -d 0 zhangsan               #zhangsan must change the password at next login
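To check that the password-aging settings above actually took effect, the following audit script is an added example (not from the original post) that reads an /etc/shadow-style file and reports login accounts whose maximum password age is still above a limit, plus accounts that "chage -d 0" has forced to change their password at next login. The sample shadow content is constructed with placeholder hashes; on a real host you would point it at /etc/shadow as root.

```shell
#!/bin/sh
# Audit password-aging fields of an /etc/shadow-style file.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample in /etc/shadow format (placeholder hashes, not real ones).
SAMPLE_SHADOW='root:$6$PLACEHOLDER$hash:18000:0:99999:7:::
lv:$6$PLACEHOLDER$hash:18000:0:30:7:::
zhangsan:$6$PLACEHOLDER$hash:0:0:30:7:::
games:*:17000:0:99999:7:::
bin:*:17000:0:99999:7:::'

# Print "user max_days" for accounts with a usable password (hash not "*" or
# starting with "!") whose max-age field (5) is empty or greater than $2.
shadow_over_max() {
    awk -F: -v limit="${2:-30}" '
        $2 != "" && $2 !~ /^[*!]/ && ($5 == "" || $5 + 0 > limit) {
            print $1, ($5 == "" ? "unset" : $5)
        }' "$1"
}

# Print accounts whose last-change field (3) is 0, i.e. forced to change
# their password at next login, as "chage -d 0 user" sets.
shadow_force_change() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

audit_shadow() {
    echo "== accounts with password max age above ${2:-30} days =="
    shadow_over_max "$1" "$2"
    echo "== accounts that must change password at next login =="
    shadow_force_change "$1"
}

# Write the constructed sample to a temporary file and audit it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
audit_shadow "$tmp" 30
rm -f "$tmp"
```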

4. Command history and automatic logout:

#applies to newly logged-in users
[root@localhost ~]# vim /etc/profile
                         ................
HISTSIZE=200                 #keep 200 lines of command history
export TMOUT=600                        #automatic logout after 600 seconds

#applies to the current user
[root@localhost ~]# export HISTSIZE=200       #keep 200 lines of command history
[root@localhost ~]# export TMOUT=600           #automatic logout after 600 seconds

Note that when compiling a large program, changing system configuration, or performing other time-consuming operations, it is best not to set the TMOUT variable. If necessary, run "unset TMOUT" to cancel the TMOUT setting.

Second, controlling user switching and privilege escalation:

1. The su command: switching users

By default any user may run the su command, which gives other users unlimited attempts at the root login password, so there is a security risk. To avoid this, use the pam_wheel authentication module so that only a few designated users can switch users with su. The steps are: add the users authorized to use su to the wheel group, then modify the /etc/pam.d/su authentication configuration to enable pam_wheel authentication:

[root@localhost ~]# gpasswd -a admin wheel                  #add the authorized user admin
正在将用户“admin”加入到“wheel”组中
[root@localhost ~]# grep wheel /etc/group             #confirm the members of the wheel group
wheel:x:10:lv,admin
[root@localhost ~]# vim /etc/pam.d/su

#%PAM-1.0
auth            sufficient      pam_rootok.so
                        ...................
auth            required        pam_wheel.so use_uid          #remove the leading # from this line

From now on only members of the wheel group can use the su command, and every user switch made with su is recorded in the security log /var/log/secure, which you can inspect as needed.

2. The sudo command: elevating execution privileges

The su command makes it easy to switch to another user, but only if you know the target user's login password. Switching to root requires the root password, and on a production Linux server every additional person who knows the root password adds one more point of risk. The sudo command was created for this reason.

sudo is controlled by adding authorization entries to the /etc/sudoers configuration file. The file should be edited with the dedicated visudo tool. vi can also be used, but then the file must be saved with the forced "w!" command, otherwise the system reports that the file is read-only and refuses to save it.

The basic format of an authorization entry in the /etc/sudoers configuration file is:

user MACHINE=COMMANDS

The three parts mean the following:

  • user: the user name being authorized directly, or "%groupname" (authorizing all users in that group).
  • MACHINE: the host name on which this entry applies. This part is useful when one sudoers file is shared among several hosts; it is usually set to localhost or the actual host name.
  • COMMANDS: the privileged commands the authorized user may run via sudo. Each command must be given by its absolute path, and multiple commands are separated by commas ",".

For example, to let the user jerry run the ifconfig command, and to let the wheel group run any command without password authentication, make the following changes:

[root@localhost ~]# visudo
                      .........................
jerry   localhost=/sbin/ifconfig
%wheel  ALL=NOPASSWD:ALL

When many users share the same authorization, the users, hosts or commands can be defined centrally as aliases. For example, to allow user1, user2 and user3 to run the rpm and yum commands on the hosts smtp and pop:

[root@localhost ~]# visudo
                      .........................
User_Alias      OPERATORS=user1,user2,user3                 #define a list of user names
Host_Alias      MAILSVRS=smtp,pop                            #define a list of hosts
Cmnd_Alias      PKGTOOLS=/bin/rpm,/usr/bin/yum               #define a list of commands
OPERATORS       MAILSVRS=PKGTOOLS                              #tie the defined lists together

The command part of a sudo rule can use the wildcard "*" and the negation symbol "!", which is especially useful when authorizing all commands in a directory except a few. Logging can also be enabled for sudo so that operations and maintenance staff can review what was run. For example, to authorize zhangsan to run every command in the /sbin/ directory except ifconfig and route, and to enable logging:

[root@localhost ~]# visudo
                      .........................
zhangsan        localhost=/sbin/*,!/sbin/ifconfig,!/sbin/route             #use of the wildcard and the negation symbol
Defaults logfile = "/var/log/sudo"                     #enable logging

Notes on using the sudo command:

1. The first time a user runs a command through sudo, they must authenticate with their own password. Subsequent sudo commands need no re-authentication as long as less than 5 minutes have passed since the previous sudo operation.
2. To see what sudo authorization a user has been given, run "sudo -l". If "(ALL) ALL" appears in a user's sudo permission list, the authorization is wrong: that user can execute every command. If the authorization list edited with visudo contains no errors, check whether the user has been added to the wheel group and pam_wheel authentication enabled.
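As an added example (not from the original post), the script below audits a sudoers-style file for the over-broad grants discussed in the rule format section and in note 2 above: rules whose command list is ALL, including a Cmnd_Alias that expands to ALL, and rules carrying the NOPASSWD tag. The sample sudoers content is constructed from the post's own rule shapes plus one extra alias; it assumes no spaces around "=" in alias definitions.

```shell
#!/bin/sh
# Report sudoers rules that grant every command or skip password checks.

# Constructed sample sudoers (post's rule shapes plus an ALL alias; not real).
SAMPLE_SUDOERS='Defaults logfile = "/var/log/sudo"
User_Alias      OPERATORS=user1,user2,user3
Host_Alias      MAILSVRS=smtp,pop
Cmnd_Alias      PKGTOOLS=/bin/rpm,/usr/bin/yum
Cmnd_Alias      ANYTHING=ALL
jerry   localhost=/sbin/ifconfig
%wheel  ALL=NOPASSWD:ALL
zhangsan        localhost=/sbin/*,!/sbin/ifconfig,!/sbin/route
OPERATORS       MAILSVRS=PKGTOOLS
backup  ALL=ANYTHING'

# Print "who:reason" for each risky rule in the file $1.
sudoers_risky_rules() {
    awk '
        NF == 0 || $1 ~ /^#/ || $1 == "Defaults" { next }
        $1 == "Cmnd_Alias" {                    # remember NAME=cmd,cmd,...
            split($2, kv, "="); alias[kv[1]] = kv[2]; next
        }
        $1 ~ /^(User_Alias|Host_Alias|Runas_Alias)$/ { next }
        {
            who = $1
            spec = substr($0, index($0, "=") + 1)   # text after "host="
            sub(/^\([^)]*\)[ \t]*/, "", spec)       # drop optional (runas)
            nopasswd = (spec ~ /NOPASSWD:/)
            sub(/^[A-Z]+:[ \t]*/, "", spec)         # drop a tag like NOPASSWD:
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
                if (c in alias) c = alias[c]        # expand Cmnd_Alias
                if (c ~ /(^|,)ALL(,|$)/) { print who ":ALL-commands"; break }
            }
            if (nopasswd) print who ":NOPASSWD"
        }' "$1"
}

# Write the constructed sample to a temporary file and audit it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
sudoers_risky_rules "$tmp"
rm -f "$tmp"
```

Expected findings are %wheel (both ALL commands and NOPASSWD) and backup (ALL via the ANYTHING alias), while jerry, zhangsan and OPERATORS are not reported.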

Third, terminal and login control:

1. Prohibiting root login on certain terminals:

The login program reads the /etc/securetty file to decide which terminals the root user may log in from. To prohibit root from logging in on tty5 and tty6, simply comment out the corresponding lines in that file:

[root@localhost ~]# vim /etc/securetty
                               .........................
#tty5
#tty6

2. Prohibiting ordinary user login:

When you are debugging a server and do not want any new user to log in, create the /etc/nologin file. The login program checks whether /etc/nologin exists and, if it does, refuses ordinary users (the root user is not restricted). This method is recommended only for temporary use during server maintenance; delete /etc/nologin manually or reboot the host to return to normal. For example:

[root@localhost ~]# touch /etc/nologin

Fourth, boot security control

1. Adjust the BIOS boot settings, set a BIOS password and enable it;
2. Disable the Ctrl+Alt+Del shortcut for restarting the host:

[root@localhost ~]# systemctl mask ctrl-alt-del.target                   #disable the ctrl-alt-del target
Created symlink from /etc/systemd/system/ctrl-alt-del.target to /dev/null.
[root@localhost ~]# systemctl daemon-reload                #reload the systemd configuration

To re-enable the Ctrl+Alt+Del shortcut, simply run the following:

[root@localhost ~]# systemctl unmask ctrl-alt-del.target 
Removed symlink /etc/systemd/system/ctrl-alt-del.target.
[root@localhost ~]# systemctl daemon-reload 

3. Restricting changes to the GRUB boot parameters:

When a Linux system boots and shows the GRUB menu, pressing "e" enters the GRUB editor, where the boot configuration can be modified to reach the system environment without any password. This is obviously a serious threat to a server. Perform the following operations to set a password on the GRUB menu, so that only someone who provides the correct password is allowed to modify the boot parameters:

[root@localhost ~]# grub2-mkpasswd-pbkdf2                         #enter the password when prompted
输入口令:                      #the password is set to "111111"
Reenter password: 
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC403E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD                       #the hashed password string
#back up the relevant files first so that a mistake in the grub menu can be undone
[root@localhost ~]# cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg.bak
[root@localhost ~]# cp /etc/grub.d/00_header /etc/grub.d/00_header.bak
[root@localhost ~]# vim /etc/grub.d/00_header
#add the following to the end of the file
cat << EOF
set superusers="change"
password_pbkdf2 change grub.pbkdf2.sha512.10000.F7169053E0A4C582D0D65D3181CBDF7306E56AAB4D5F6910A576FA42CAD66DE8A28019CC403E8A0A75C56B517325A10D63DF85BD018FEF345359677B403F9FE4.C1E18CA9FFB54BF3AAE7EC0A03B41DD384A5ECB38A42F651C9467442EB41F7319BF4B3C600EC8CC7562C3AF188DB77BDA5FDE4E978E72BD715A77F965CC9EFBD
EOF
#the closing EOF line terminates the here-document; if it is omitted, grub2-mkconfig prints the "here-document ... delimited by end-of-file" warning seen below
[root@localhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg             #generate the new grub.cfg file
Generating grub configuration file ...
/etc/grub.d/00_header: line 361: warning: here-document at line 359 delimited by end-of-file (wanted `EOF')
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-095dca7b09764ecf91e366075c160144
Found initrd image: /boot/initramfs-0-rescue-095dca7b09764ecf91e366075c160144.img
done

Now restart the server and enter the GRUB menu: pressing e no longer allows the boot parameters to be modified. To modify them, GRUB requires the correct user name and password (with the settings above, the user name is "change" and the password is "111111"):


That is a lot of assorted material. There are two auxiliary tools I have not covered, so this post stops here: the two tools are weak-password scanning and port scanning, which are written up in another post. You can view it at the following link:
https://blog.51cto.com/14154700/2408106

Origin: blog.51cto.com/14154700/2408108