table of Contents
- 1. Delete specific users and user groups
- 2. Turn off unneeded services system
- 3. Reasonable use the sudo command
- 4. deletion of system login information
- 5. ssh remote login security
- 6. rational use of history
- 7. Firewall
- 8. Lock system critical files
- 9. / tmp, / var / tmp, / dev / shm security setting
- 10. After the attack server roadmap
1. Delete specific users and user groups
After system installation is complete, the system default settings unnecessary users and groups of users, if some users and groups of users that we do not need and should be removed immediately, because the more users, the more insecure system, hackers may use these accounts threat servers.
Linux system can remove the default user and user groups as follows:
- Users can be deleted: adm, lp, sync, shutdown, halt, news, uucp, operator, games, etc.
- You can delete a user group: adm, lp, news, uucp , games, dip , etc.
delete user commanduserdel
, the command to delete a user groupgroupdel
.
In addition, if some users do not need to log function, we need to ban this user login function:
usermod -s /sbin/nologin 用户
2. Turn off unneeded services system
The server, the more services the more unsafe, so we can turn off unneeded services to improve the safety performance of the server.
Service can be shut down by chkconfig
the command to achieve, for example:
chkconfig --level 345 apach off #重启服务器后生效,关闭 apach 服务
For the system to function properly, it is recommended to start the service in the following table:
service name | Service Content |
---|---|
acpid | For power management, the proposed open |
apmd | Advanced Power Management can monitor the battery performance |
kudzu | Detect whether the hardware changes |
crond | Regular tasks |
etc | Disposable timing task |
keytables | For loading a keyboard image, the option of starting |
iptables | Firewall, must start |
xinetd | Support core network services daemon |
xfs | Using the X Window System desktops must start |
network | Start networking services, must be started |
sshd | Provide remote management ssh |
syslog | System logging service, must be started |
3. Reasonable use the sudo command
sudo
Commands can be assigned to ordinary users some reasonable authority, so that ordinary users can perform some of the root user privileges to perform, such as rebooting the system, add users, configure the system files, which is why we should be rational use of sudo
command, and sudo
to authorize . To sudo
authorize the need to use the /etc/sudoers
file, you can add the relevant configuration parameters in the file.
E.g:
#例 1 普通用户 Bob 只能在 Server1 这台主机上执行 reboot,shutdown 命令
Bob Server1=/usr/sbin/reboot,/usr/sbin/shutdown
#例 2 普通用户 Bob 能在 任何主机上执行 reboot,shutdown 命令
Bob ALL=/usr/sbin/reboot,/usr/sbin/shutdown
#例 2 Bob 可以在任何主机上执行所有命令,且不需要密码登录,还能切到root用户下(sudo su-)
Bob ALL=(ALL) NOPASSWD: ALL
#Bob 可以在任何主机上提权到 root 下执行chown 命令,不用密码,但执行 useradd 要密码
Bob ALL=(root) NOPASSWD: /bin/chown,/usr/sbin/useradd
#例 3 user 用户组的用户以 root 权限修改其他用户密码,这里表示组要用百分号%
%users ALL=(root) /usr/bin/passwd
4. deletion of system login information
There are four file systems, /etc/issue
, /etc/issue.net
, /etc/redhat-release
and /etc/motd
they record the version number of the system are some of the relevant information we can to ensure information security system version by deleting or changing.
When the user through a local terminal or local virtual console login system displays /etc/issue
the contents, when the user ssh
remote login system, will show /etc/issue.net
content, by default issue.net
not displayed, if you want to display can /etc/ssh/sshd_config
add the following code file:
Banner /etc/issue.net
/etc/redhat-release
File also records the system name and version number, it proposed to delete.
/etc/motd
File is a system bulletin information, after each time a user login, /etc/motd
file contents will be displayed, use this document can publish something about software, hardware upgrades and information system maintenance information.
5. ssh remote login security
Related to ssh
the corresponding profile is /etc/ssh/sshd_config
, here are a few questions about security configuration.
- Port 22: to set the listening port, for safety, we usually change the default port 22
- Protocol 2: Set to use version SSH2, SSH1 version because there are deficiencies here with Protocol 2
- KeyRegenerationInterval 1h: If you use the Key, this setting is automatically generated keys to prevent theft after long
- PermitRootLogin no: Set the root user can not ssh login, root remote login is very dangerous
- PrintMotd yes: to set the display
/etc/motd
the information - MaxStartups 5: while allowing five are not logged online, but not connected to the ssh password belonging to online
- MaxAuthTries 3: The maximum number of login failures allowed retries is three times
- AllowUsers <username>: Specifies the user via remote access, multiple users separated by spaces
- AllowGroups <Group Name>: Specifies the user group via remote access, multi-user groups separated by a space
- DenyUsers <username>: Specifies the user has disabled access, multiple users separated by spaces
- DenyGroups <User Group>: disable access to specified groups of users, groups of users separated by spaces
6. rational use of history
By history
command we can see the user's operating history, shell command operation records stored in the .hash_history
file, but after a hacker attack server will delete this file, making it impossible to audit, therefore, we need reasonable protection back up the file, the following is a history
log file security configuration.
The default history
command can only view operational records, did not record the operating time, so you need to edit /etc/bashrc
the file:
HISTFILESIZE=4000 #定义在.bash_history文件保留命令的记录总数
HISTSIZE=4000 #定义 history 命令输出的记录总数
HISTTIMEFORMAT='%F %T' #定义时间格式,与命令 date +%F %T 输出一样
export HISTTIMEFORMAT
To prevent hackers delete .bash_history
files, we can record the user's history kept in a safe place for audit, the following code will be added to /etc/profile
the file when the user logs can implement this feature.
USER_IP=`who am i 2>/dev/null |awk -F"[()]" '{print $2}'`
HISTDIR=/usr/share/.history
if [ -z $USER_IP ]
then
USER_IP=`hostname`
fi
if [ ! -d $HISTDIR ]
then
mkdir -p $HISTDIR
chmod 777 $HISTDIR
fi
if [ ! -d $HISTDIR/$LOGNAME ]
then
mkdir -p $HISTDIR/$LOGNAME
fi
export HISTSIZE=4000
DT=`date +%Y%m%d_%H%M`
export HISTFILE="$HISTDIR/$LOGNAME/$USER_IP.history.$DT"
export HISTFORMAT=“[%Y.%m.%d %H:%M:%S]”
chmod 600 $HISTDIR/$LOGNAME/*.history* 2>/dev/null
This code of each user's shell command history is stored in /usr/share/.history
the directory, a folder for each user, and folder records login IP and shell operation time.
7. Firewall
2 Linux firewall itself, through IP filtering mechanisms iptables
to achieve a first level of protection, iptables
by monitoring the health system, the blocking malicious network attacks, the protection system. By the first protective layer is tcp_wrappers
a protective layer, and tcp_wrappers
may be implemented to provide certain services in an open or closed in the system, thereby protecting the system.
7.1 iptables
7.1.1 iptables Overview
The default iptables
rule table are:
- fileter table (filtering rule table)
- nat table (address conversion rule table)
- mangle table (data modifying rule table flag)
- Table raw (trace rule table data sheet)
Each rule table contains a plurality of data link:
- The INPUT (inbound data filtering)
- OUTPUT (outbound data filtering)
- The FORWARD (forwarding data filtering)
- The PREROUTING (former route filtering)
- The POSTROUTING (filtered route)
Fire rules need to use these specific data link.
The following is a framework for filtering firewall:
- If the external host sends data to the firewall, data will pass
PREROUTING
andINPUT
data link - If the firewall host computer sends data to an external host computer, the data will go through
OUTPUT
and thePOSTROUTING
data link - If the firewall is responsible for forwarding routing, data will pass
FORWARD
andPOSTROUTING
data link
7.1.2 iptables syntax
usage:iptables [-t 表名] {-A | -D | -I | -F | -L | -Z | -P} 链名 rule-specification
Options | Explanation |
---|---|
-t | Specify the rules table, do not add -t default fileter table |
-A | Additional firewall rules |
-D | Delete firewall rules |
-I | Insert firewall rules |
-F | Empty firewall rules |
-L | Firewall rules list |
-R | Replace firewall rules |
-WITH | Empty firewall data table statistics |
-P | Set chain default rule |
Matching parameters are as follows:
parameter | Explanation |
---|---|
[!] -p | Match protocol! It represents negated |
[!] -s | 匹配源地址 |
[!] -d | 匹配目标地址 |
[!] -i | 匹配如站网卡接口 |
[!] -o | 匹配出站网卡接口 |
[!] --sport | 匹配源端口 |
[!] --dport | 匹配目标端口 |
[!] --src-range | 匹配源地址范围 |
[!] --dst-range | 匹配目标地址范围 |
[!] --Mac-source | 匹配 mac 地址 |
[!] --state | 匹配状态(INVALID、ESTABLISHED、NEW、RELATED) |
触发动作如下:
动作 | 解释 |
---|---|
ACCEPT | 允许数据包通过 |
DROP | 丢弃数据包 |
REJECT | 拒绝数据包通过 |
LOG | 将数据包信息记录 syslog 日志 |
DNAT | 目标地址转换 |
SNAT | 源地址转换 |
iptables
具体使用示例如下:
#查看fileter表的所有规则
iptables -nL
#查看 nat 表所有规则
iptables -t nat -nL
#清空 fileter 表中所有规则
iptables -F
#往 fileter 表中添加新规则,丢弃 192.168.1.1 发来的数据包
iptables -A INPUT -s 192.168.1.1 -j DROP
#往 fileter 表中插入规则,拒绝 192.168.1.1ping 防火墙本机
iptables -A INPUT -s 192.168.1.1 -p icmp -j REJECT
#查看 fileter 表中规则编号
iptables -nL --line-number
#删除 filter 表中INPUt 链第一条规则
iptables -D INPUT 1
#将 192.168.1.1 主机发给防火墙本机 22端口的数据包信息记录到 messages 日志
iptables -I INPUT -s 192.168.1.1 -p tcp --dport 22 -j LOG
在 Linux 系统中我们可以在/etc/services
文件中找到各个服务与对应的标准端口号。
防火墙规则默认保存在/etc/sysconfig/iptables
文件下。
7.2 tcp_wrappers
Linux中某个服务是否可以使用 tcp_wrappers
防火墙,取决于服务是否应用了 libwrapped 库文件,如果应用则可以使用。系统中一些服务默认可以使用的有:sshd、vsftpd、tcpd、xinetd、sendmail 等。
tcp_wrapper
防火墙的实现是通过/etc/hosts.allow
和/etc/hosts.deny
两个文件完成的,使用格式如下:
service:host [:action]
参数含义:
- service:服务名,如 sshd、vsftpd 等
- host:主机名或 IP 地址,可以是多个
- action:复合条件采取的动作
配置文件常用关键字:
- ALL:所有服务或所有 IP
- ALL EXCEPT:所有服务或 IP 除了这项指定的
例:
ALL:ALL EXCEPT 192.168.1.1 #除了 192.168.1.1 其余主机可以使用所有服务
针对/etc/hosts.allow
和/etc/hosts.deny
两个文件,Linux 会先判断/etc/hosts.allow
后判断/etc/hosts.deny
,前者满足则不会在去判断后者。如果想要sshd
服务只能在某些主机使用则可以用以下配置:
#etc/hosts.allow文件中写入
sshd: 172.20.190.51
sshd: 172.20.190.52
sshd: www.pdca.net
#/etc/hosts.deny文件写入
sshd: ALL
8. 锁定系统重要文件
Linux 系统中通过chattr
命令可以修改文件或目录的属性,此文件要 root 用户执行,从而提高安全性,通过lsattr
命令可以查看文件的属性,下面是对这两个命令的详解。
chattr
命令格式如下:
chattr [-RV] [-v version] [mode] 文件或目录
主要参数解释:
- -R:递归修改所有文件及其子目录
- -V:详细显示修改内容,打印输出
以下是chattr
命令常用参数,用来控制文件属性
参数 | 解释 |
---|---|
+ | 在原有参数基础上追加参数 |
- | 在原有参数基础上移除参数 |
= | 更新为指定参数 |
a | 设定此参数,只能向文件中添加数据,而不能删除,常用于服务器日志文件安全 |
c | 即 compress,设定文件是否压缩后存储,读取时需要经过自动解压操作 |
i | 即 immutable,设定文件不能修改,删除,重命名,设连接 |
s | 安全的删除文件或目录,即删除后的文件后,收回硬盘空间 |
u | 与 s 相反,删除后的文件系统保留其数据块以便以后恢复 |
这些参数中经常用到a
,i
,其中 i
参数不允许任何用户进行操作,即使 root 也不行。
以下是lsattr
命令格式:
lsattr [-adlRvV] 文件或目录
常用参数解释:
参数 | 解释 |
---|---|
-a | 列出目录所有文件,包括隐藏文件 |
-d | 显示指定目录属性 |
-R | 递归显示目录及其下面文件和子目录的属性值 |
-v | 显示文件目录版本 |
对于一些重要的目录和文件可以加上i
,a
属性,例如:
chattr -R -i /bin /boot /lib /sbin
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/hosts
chattr +i /etc/resolv.conf
chattr +i /etc/fstab
chattr +i /etc/sudoers
chattr +a /var/log/messages
9. /tmp、/var/tmp、/dev/shm 安全设定
Some attackers will use /tmp
, /var/tmp
catalog trojaned, due to the normal operation of the system on this directory will affect some programs, we can not perform read and write permissions to modify directory, /dev/shm
is a shared memory device, if the hacker through this file directly to the operating system memory consequences disastrous.
For /tmp
a separate disk partition, we can modify the /etc/fstab
file /tmp
to mount the partition of property, plus nosuid
, noexec
, nodev
three options, amend as follows:
LABLE=/tmp /tmp ext4 rw,nosuid,noexec,nodev 0 0
Which nosuid
, noexec
, nodev
the option is not allowed any suid programs can not execute any script in this district, as well as device file does not exist.
After setting the property is complete, re-mount the partition into force.
10. After the attack server roadmap
- Cut off network
- Find attack source
by analyzing the system log and log in the log files, view suspicious information while viewing port is open, the operation process, analyze suspicious programs. - Analysis of the invasion of the causes and ways to
analyze the invasion was to identify vulnerabilities or bugs attack way, attack to find the source - Backup user data
after a server attack, you need to immediately back up user data on the server, while viewing these data, there is no attack, if there is to be completely removed. - Reinstall the system
reinstall the system is a good way to completely remove the source of the attack