Linux Operations and Maintenance Security
This document is updated continuously; last updated: 2019-09-01
This document is a continuously updated checklist of security measures for Linux operations and maintenance. The intended practice is a cycle: checklist > implementation > checking > improvement.
1 Security principles
Before implementing concrete security measures, set down a few basic security principles so that the whole picture is clear in your mind.
- Information and system security is multi-layered defense in depth. From the outermost layer inward there are five layers: physical security > network security > host security > application security > data security
- Principle of least privilege: give each user and each program only the minimal rights it needs for the system to perform its function
- Prefer whitelists (explicit allow lists) to blacklists wherever possible
- Use intrusion detection systems so that attacks are discovered early
- Scan the system regularly for vulnerabilities, rootkits and viruses
- Give operations staff security awareness training, and write the operations security documentation to one unified security standard
2 Physical security
Physical security is the first layer of defense; it deserves attention no matter how small the machine room is
- Keep the machine room door locked and control who enters, so that nobody can walk in and smash servers, routers, switches or air conditioning with a sledgehammer
- Use a UPS so that a power failure does not take the servers down
Network security
The network is the most direct tentacle that can reach your server, and it needs to be guarded
- Use network firewalls: a hardware firewall (Juniper, Cisco or another brand) at the network edge, and a software firewall such as iptables at the operating-system layer for fine-grained network access control
- For public cloud deployments, minimize the number of cloud servers and ports exposed to the Internet, and use security groups for network access control
- Use a bastion host (jump server), for example the open-source JumpServer
- DDoS protection: use the cloud vendor's DDoS defense service, and use a CDN to increase the capacity you can absorb
- Set up a VPN to connect networks or servers in different regions, to give remote workers access, or to join separate local area networks
- Network analysis tools: tcpdump and Wireshark
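As an added example (not code from the original checklist, and not part of any firewall product), the script below builds a default-deny iptables ruleset in `iptables-restore` format from an allow list, which is the whitelist model the principles above ask for. The admin network `203.0.113.0/24`, the rule that accepts SSH only from that network (the bastion host), and the service list are assumed placeholders.

```shell
#!/bin/sh
# gen_ruleset ADMIN_CIDR "PORT[/PROTO] ..."
# Prints an iptables-restore ruleset: default DROP on INPUT, loopback and
# established traffic allowed, SSH only from ADMIN_CIDR, and the listed
# service ports opened. A port without "/proto" defaults to tcp.
# Added example with assumed placeholders; review before loading.
gen_ruleset() {
    admin_cidr="$1"
    services="$2"
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # whitelist model: deny everything not listed below
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SSH is reachable from the admin/bastion network only (assumed 203.0.113.0/24 in the demo)
    echo "-A INPUT -p tcp --dport 22 -s $admin_cidr -m conntrack --ctstate NEW -j ACCEPT"
    for svc in $services; do
        port=${svc%/*}
        proto=${svc#*/}
        [ "$proto" = "$svc" ] && proto=tcp      # no "/proto" suffix given
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $svc" >&2; return 1 ;;
        esac
        echo "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log dropped packets (rate limited) so blocked scans show up in syslog
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# Demo: a web server that also serves DNS over UDP, administered from 203.0.113.0/24
gen_ruleset 203.0.113.0/24 "80 443 53/udp"
```

Load it with `gen_ruleset 203.0.113.0/24 "80 443" | iptables-restore` and persist it with your distribution's iptables save mechanism. Apply a new ruleset from one session while a second session stays open, so that a mistake in the SSH rule cannot lock you out.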
3 Host security
Once an attacker's tentacles have broken through the network defenses and reached your server, do not let them go any further
3.1 Linux user security management
- Prohibit the root user from logging in over SSH; create a dedicated user for SSH logins and authenticate with keys instead of passwords
- Enforce password complexity to eliminate weak passwords, and use hydra or John the Ripper to check for weak passwords
- Configure sudo securely (through visudo), giving each user the least privilege that user needs
- Restrict which users may run su (for example with pam_wheel, limiting su to the wheel group) so that unauthorized users cannot switch to root
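As an added example (not code from the original checklist), the script below audits an sshd_config file and a passwd/shadow pair for the weak settings listed above: root login over SSH, password authentication, no AllowUsers whitelist, extra UID-0 accounts and empty password hashes. The sample configuration files it writes are constructed for the demo; the user names `opsadmin`, `deploy` and `toor` are assumptions.

```shell
#!/bin/sh
# sshd_value CONFIG KEY -> effective value of KEY (last uncommented match), lower-cased
sshd_value() {
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == key { v = tolower($2) }
        END { print v }' "$1"
}

# check_sshd CONFIG -> one FAIL line per weak setting; returns 1 if any
check_sshd() {
    rc=0
    v=$(sshd_value "$1" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset} (want no)"; rc=1; }
    v=$(sshd_value "$1" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-unset} (want no, use keys)"; rc=1; }
    v=$(sshd_value "$1" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers unset (no login whitelist)"; rc=1; }
    return $rc
}

# check_accounts PASSWD SHADOW -> FAIL lines for extra UID 0 accounts and empty passwords; returns 1 if any
check_accounts() {
    rc=0
    for u in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"); do
        echo "FAIL extra UID 0 account: $u"; rc=1
    done
    for u in $(awk -F: '$2 == "" { print $1 }' "$2"); do
        echo "FAIL empty password: $u"; rc=1
    done
    return $rc
}

# write_samples DIR: constructed sample files for the demo (not real system files)
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
# defaults left in place
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
EOF
    cat > "$1/sshd_config.hard" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers opsadmin deploy
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
opsadmin:x:1000:1000::/home/opsadmin:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$hashhash:18000:0:99999:7:::
toor::18000:0:99999:7:::
opsadmin:$6$saltsalt$hashhash:18000:0:99999:7:::
EOF
}

# Demo run on the constructed samples; on a real host use /etc/ssh/sshd_config, /etc/passwd, /etc/shadow
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== weak sshd_config =="; check_sshd "$demo_dir/sshd_config.weak" || true
echo "== hardened sshd_config =="; check_sshd "$demo_dir/sshd_config.hard" && echo "OK"
echo "== accounts =="; check_accounts "$demo_dir/passwd" "$demo_dir/shadow" || true
```

On a live host, `sshd -T` prints the effective configuration after defaults and Match blocks are resolved; feeding its output to `check_sshd` catches settings that a plain read of the file misses.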
3.2 File system security
- Use sXid to monitor changes to SUID and SGID files
- Use extundelete to recover deleted files
- Use srm or the dd command to securely erase sensitive files
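As an added example of the baseline-and-diff idea behind sXid (not sXid's own code, and not from the original checklist), the script below records every SUID/SGID file under a directory tree once and later reports anything that appeared, disappeared or changed mode or owner. It assumes GNU `find` and `stat`; the demo directory and the file names in it are constructed.

```shell
#!/bin/sh
# suid_snapshot ROOT -> one "mode owner group path" line per SUID/SGID regular file, sorted by path
suid_snapshot() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null | sort -k4
}

# suid_diff BASELINE_FILE ROOT -> "+ line" for new/changed entries, "- line" for vanished/old ones;
# returns 1 if anything differs, 0 if the tree matches the baseline
suid_diff() {
    tmp=$(mktemp)
    suid_snapshot "$2" > "$tmp"
    sort "$1" > "$tmp.base"          # comm needs both inputs sorted by whole line
    sort "$tmp" > "$tmp.now"
    added=$(comm -13 "$tmp.base" "$tmp.now")
    removed=$(comm -23 "$tmp.base" "$tmp.now")
    rm -f "$tmp" "$tmp.base" "$tmp.now"
    if [ -z "$added$removed" ]; then
        return 0
    fi
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# Demo on a constructed tree: one legitimate setuid file, then a second one appears.
# Write file contents before chmod: writing to a file clears its setuid bit.
demo=$(mktemp -d)
echo 'legit' > "$demo/bin_a"; chmod 4755 "$demo/bin_a"
suid_snapshot "$demo" > "$demo.baseline"
echo "== unchanged tree =="; suid_diff "$demo.baseline" "$demo" && echo "OK: matches baseline"
echo 'dropped' > "$demo/.cache"; chmod 4755 "$demo/.cache"
echo "== after a new setuid file =="; suid_diff "$demo.baseline" "$demo" || echo "ALERT: SUID/SGID set changed"
```

On a real host take the baseline from `/` right after installation (`suid_snapshot / > /var/lib/suid.baseline`), store a copy off the host, and run `suid_diff` from cron; a changed mode or owner shows up as a `-` line and a `+` line for the same path.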
4 Linux application security
Linux application security covers the security settings of the applications installed on Linux. According to surveys, the most common high-risk website vulnerabilities are cross-site scripting (XSS), SQL injection, PHP error information leakage and database run-time errors
- Use an open-source web application firewall (WAF): ModSecurity for Apache, NAXSI for Nginx; if the budget allows, buy a cloud WAF
- Use HTTPS to prevent man-in-the-middle attacks and sniffing on the network
- PHP security configuration
  - Keep track of vulnerabilities in the PHP development framework in use
  - Disable display of error messages in the configuration file (display_errors = Off)
  - Prohibit PHP from opening remote files (allow_url_fopen = Off)
  - Prohibit PHP remote file include (allow_url_include = Off)
  - Set the HttpOnly attribute on cookies (session.cookie_httponly) together with the other cookie security settings
- Tomcat security configuration
  - Delete the default applications under the webapps directory
  - Run Tomcat under a dedicated, unprivileged user
  - Turn off automatic deployment of WAR files (autoDeploy)
  - Use custom error pages
- MySQL security
  - Deploy MySQL only on the internal network, never exposed to the Internet
  - Use firewall rules so that only the web server can reach it
  - Run the MySQL service as a separate ordinary user
  - Delete the test database after installation
  - Grant user privileges according to the principle of least privilege
  - Back up the data regularly to prevent data loss
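As an added example (not from the original checklist), the script below reads php.ini-style files and checks them against the PHP hardening settings listed above; the same parser handles my.cnf, since both use `key = value` lines with `;`/`#` comments and `[section]` headers. The sample php.ini it writes is constructed to show typical development defaults left in production, and the MySQL settings `bind-address` and `local-infile` are assumptions about what you would check there.

```shell
#!/bin/sh
# ini_get FILE KEY -> effective value of KEY (last uncommented "key = value"), quotes stripped
ini_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ || /^[ \t]*$/ || /^[ \t]*\[/ { next }   # comments, blanks, [sections]
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# ini_check FILE "key=expected key=expected ..." -> one FAIL line per mismatch; returns 1 if any.
# An unset key counts as a failure: the hardened value must be explicit, not a default you hope for.
ini_check() {
    rc=0
    for pair in $2; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(ini_get "$1" "$k")
        if [ "$(echo "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL $k=${got:-unset} (want $want)"; rc=1
        fi
    done
    return $rc
}

# Settings from the checklist above (values compared case-insensitively)
PHP_HARDENING="display_errors=off allow_url_fopen=off allow_url_include=off session.cookie_httponly=1 session.cookie_secure=1"
# Assumed my.cnf checks: listen on the internal address only and disable LOAD DATA LOCAL
MYSQL_HARDENING="bind-address=127.0.0.1 local-infile=0"

# write_sample_php_ini FILE: constructed sample with development settings left on
write_sample_php_ini() {
    cat > "$1" <<'EOF'
[PHP]
; development defaults left in place
display_errors = On
allow_url_fopen = On
allow_url_include = Off
session.cookie_httponly = 1
EOF
}

# Demo: on a real host run ini_check /etc/php.ini "$PHP_HARDENING" (or php --ini to find the file)
sample=$(mktemp)
write_sample_php_ini "$sample"
ini_check "$sample" "$PHP_HARDENING" || echo "php.ini needs hardening"
```

Note that `php -i` shows the values PHP actually runs with after every loaded `.ini` fragment is merged; when the check passes on the file but `php -i` still reports `display_errors => On`, a later fragment in `conf.d/` is overriding it.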
Linux security scanning tools
- Use the network scanners masscan and nmap to discover open ports and identify the applications listening on them
- Use open-source web vulnerability scanners such as Nikto2 and OpenVAS to scan web applications
- Use sqlmap for SQL injection penetration testing
Intrusion detection system deployment
- Use the open-source intrusion detection system OSSEC, or a commercial one such as Qingteng Cloud (青藤云) or Alibaba Cloud Anqishi (安骑士)
- Use Kippo to set up an SSH honeypot that records intrusion attempts
Linux rootkit, virus and trojan checks
- Use chkrootkit and rkhunter to scan for rootkits and check critical system files
- Use ClamAV to scan for viruses and trojans
- Use LMD (Linux Malware Detect) to check for webshells
Security log collection
- Build a syslog-ng server to collect security logs from the remote servers centrally
Threat intelligence gathering
- Collect threat intelligence from threat intelligence sites; the better-known ones are the ThreatBook (微步在线) threat intelligence community, 360 Threat Intelligence Center and IBM's threat intelligence center (X-Force Exchange)
Post-intrusion checks
If every means of defense fails, investigate and deal with the intrusion promptly
- Check whether commonly used programs have been replaced, and repair them if so
- Scan for rootkits with chkrootkit and rkhunter
- Scan for viruses with ClamAV
- Detect hidden directories and files
- Check the recent login records
- Check for abnormal processes and hidden processes, and look at the files and ports an abnormal process has open
- Check network connections and listening ports, paying particular attention to active connections to external addresses
- Check that the ARP records are normal
- Check the security logs, application logs and bash_history
- Check for webshells
- Reinstall the system and change all of the original passwords
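As an added example (not code from the original checklist), the script below bundles the post-intrusion checks above into one triage report. The hidden-process check compares the PIDs visible in /proc with those reported by ps, since a rootkit that hooks ps or readdir usually hides from one listing but not the other; it is written as a pure function so it can be exercised on constructed PID lists. The wrapper assumes a Linux host with procps, iproute2 (or net-tools), and rpm or debsums for package verification; the hidden-file paths are assumptions to extend with your own web roots.

```shell
#!/bin/sh
# hidden_pids "PROC_PIDS" "PS_PIDS" -> PIDs present in the /proc list but missing from the ps list
hidden_pids() {
    t=$(mktemp)
    printf '%s\n' $1 | sort -u > "$t.proc"
    printf '%s\n' $2 | sort -u > "$t.ps"
    comm -23 "$t.proc" "$t.ps"          # lines only in the first (sorted) file
    rm -f "$t" "$t.proc" "$t.ps"
}

# Live check: list /proc first, then ps, then re-test survivors so that a process
# which merely exited between the two listings is not reported as hidden.
check_hidden_processes() {
    proc_now=$(ls /proc | grep -E '^[0-9]+$')
    ps_now=$(ps -e -o pid= | tr -d ' ')
    for pid in $(hidden_pids "$proc_now" "$ps_now"); do
        if [ -d "/proc/$pid" ]; then
            echo "HIDDEN pid $pid: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    return 0
}

# Names attackers use to hide droppers in world-writable places: dot-names and names ending
# in a space. The directory list is an assumption; add your web roots.
check_hidden_files() {
    find /tmp /var/tmp /dev -xdev \( -name '.*' -o -name '* ' \) -not -name '.' 2>/dev/null
    return 0
}

triage_report() {
    echo "== recent logins =="
    last -n 20 2>/dev/null
    echo "== listening sockets and external connections =="
    ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null
    echo "== ARP / neighbour table =="
    ip neigh 2>/dev/null || arp -an 2>/dev/null
    echo "== packaged binaries whose contents changed =="
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null | grep -E '^..5'   # '5' in column 3: digest differs from the package
    elif command -v debsums >/dev/null 2>&1; then
        debsums -c 2>/dev/null
    fi
    echo "== hidden processes (in /proc but not in ps) =="
    check_hidden_processes
    echo "== hidden files =="
    check_hidden_files
    return 0
}

# Run the report only when asked, so sourcing this file just defines the helpers.
if [ "${1:-}" = "--run" ]; then
    triage_report
fi
```

Run `sh triage.sh --run > /root/triage.txt` and copy the result off the host before doing anything else; a replaced `ps`, `ss` or `rpm` binary can lie to this script, so treat a clean report as one data point and the package-verification and rootkit scans from a known-good live medium as the authoritative ones.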