Alibaba Cloud Server Baseline Repair

1. Set the permissions of the user and group account files

Execute the following 5 commands:

chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/group
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0400 /etc/gshadow

annotation:

/etc/group User group information file

/etc/passwd user information file

/etc/shadow user password file

/etc/gshadow group password file
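A read-only audit of step 1, added here as an example (it is not part of the original article): check_perm compares one file's owner and octal mode with the values the step sets, and audit_account_files runs it over the four files. It assumes a Linux stat that supports -c (GNU or BusyBox); it only reports and never changes anything.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only check that the
# four account files carry the owner and mode step 1 sets. GNU/BusyBox
# "stat -c" is assumed (Linux); nothing is changed, only reported.

# check_perm FILE OWNER:GROUP MODE -> prints "ok" or "mismatch ..." and
# returns 0 when FILE matches, 1 when it does not, 2 when stat fails
check_perm() {
    file=$1; want_owner=$2; want_mode=$3
    have_owner=$(stat -c '%U:%G' "$file" 2>/dev/null) || return 2
    have_mode=$(stat -c '%a' "$file" 2>/dev/null)   || return 2
    if [ "$have_owner" = "$want_owner" ] && [ "$have_mode" = "$want_mode" ]; then
        echo "ok       $file $have_owner $have_mode"
        return 0
    fi
    echo "mismatch $file: want $want_owner $want_mode, have $have_owner $have_mode"
    return 1
}

# audit_account_files -> runs check_perm over the files and values from
# step 1; exit status is the number of files that are not compliant
audit_account_files() {
    bad=0
    check_perm /etc/passwd  root:root 644 || bad=$((bad+1))
    check_perm /etc/group   root:root 644 || bad=$((bad+1))
    check_perm /etc/shadow  root:root 400 || bad=$((bad+1))
    check_perm /etc/gshadow root:root 400 || bad=$((bad+1))
    return $bad
}

# Run with "--audit" to check the live system; otherwise only the
# functions are defined, so the file can be sourced by other scripts.
if [ "${1:-}" = "--audit" ]; then
    audit_account_files; echo "non-compliant files: $?"
fi
```

The audit reports deviations from this baseline's values, so on distributions that grant the shadow group read access to /etc/shadow (root:shadow 0640) the shadow files show up as mismatches until the step 1 commands have been applied.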


2. Prohibit SSH empty password users from logging in

In /etc/ssh/sshd_config, remove the comment symbol (#) in front of the line PermitEmptyPasswords no.

annotation:

/etc/ssh/sshd_config ssh remote login configuration file

PermitEmptyPasswords no: meaning of the parameter: logging in with an empty password is not allowed.


3. Set the password expiration time

If you log in by a non-password method such as an SSH key pair, this item can be ignored. In /etc/login.defs, set the PASS_MAX_DAYS parameter to a value between 60 and 180, for example PASS_MAX_DAYS 90. At the same time, run the following command to set the root password expiration time: chage --maxdays 90 root

annotation:

For users newly added under Linux, the password expiration time is taken from PASS_MAX_DAYS in /etc/login.defs. The default is 99999 on common systems
and 90 on some hardened operating systems. Changing it here only changes the default password expiration time of newly created users; the password expiration time of existing users remains unchanged.

chage --maxdays 90 root Set the password validity period of the root account to 90 days

or: chage -M 90 root

-M: The maximum number of days the password will remain valid

-m: The minimum number of days between password changes. A value of zero means the password can be changed at any time.


4. Set the minimum interval for password modification

In /etc/login.defs, set the PASS_MIN_DAYS parameter to a value between 5 and 14 (7 is recommended):
PASS_MIN_DAYS 7
At the same time, run the following command to set it for the root user:
chage --mindays 7 root

annotation:

PASS_MAX_DAYS 90 #Maximum number of days a password may be used

PASS_MIN_DAYS 80 #Minimum number of days between password changes

chage --mindays 7 root Set the root password so that it can be changed at most once every seven days

or chage -m 7 root
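Steps 3 and 4 together describe a password-ageing baseline, and the annotation above points out that /etc/login.defs only governs new users while existing users need chage. The following script is an added example (not from the original article) that audits both halves read-only: it checks PASS_MAX_DAYS and PASS_MIN_DAYS against the ranges the steps give, and it scans a shadow-format file for accounts whose ageing fields (min-days in field 4, max-days in field 5) fall outside the baseline, printing the chage command that would correct each one. It works on whichever file paths it is given, so the constructed sample data (placeholder hashes, not real credentials) stands in for /etc/login.defs and /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original article: audit the password-ageing
# settings of steps 3 and 4 read-only. It works on whatever file paths it is
# given, so the constructed sample data below stands in for /etc/login.defs
# and /etc/shadow; nothing on the host is modified.

# in_range VALUE LOW HIGH -> 0 when VALUE is an integer within [LOW, HIGH]
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# login_defs_value FILE KEY -> value of KEY; this helper takes the last
# uncommented occurrence and prints nothing if the key is absent
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# check_login_defs FILE -> checks the ranges the article gives
# (PASS_MAX_DAYS 60-180, PASS_MIN_DAYS 5-14); returns the number of findings
check_login_defs() {
    fail=0
    v=$(login_defs_value "$1" PASS_MAX_DAYS)
    in_range "$v" 60 180 || { echo "PASS_MAX_DAYS is '${v:-unset}', want 60-180"; fail=$((fail+1)); }
    v=$(login_defs_value "$1" PASS_MIN_DAYS)
    in_range "$v" 5 14   || { echo "PASS_MIN_DAYS is '${v:-unset}', want 5-14"; fail=$((fail+1)); }
    return $fail
}

# shadow_aging_report SHADOWFILE MAXDAYS MINDAYS -> for every account with a
# usable password (hash not beginning with ! or *) whose max-days (field 5)
# is missing or above MAXDAYS, or whose min-days (field 4) is missing or
# below MINDAYS, prints the chage command that would fix it (printed, not
# executed). Exit status is the number of flagged accounts.
shadow_aging_report() {
    awk -F: -v maxd="$2" -v mind="$3" '
        $2 ~ /^[!*]/ { next }                       # locked account, skip
        $5 == "" || $5 + 0 > maxd || $4 == "" || $4 + 0 < mind {
            printf "chage -M %d -m %d %s\n", maxd, mind, $1
            bad++
        }
        END { exit bad }' "$1"
}

# Constructed sample files (placeholder hashes, not real credentials).
sample_login_defs() {
    f=$(mktemp)
    printf '# constructed login.defs\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' >"$f"
    echo "$f"
}
sample_shadow() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:19000:0:99999:7:::
alice:$6$CONSTRUCTED$placeholderhash2:19000:7:90:7:::
bin:*:18000:0:99999:7:::
svc:!!:18000:0:99999:7:::
EOF
    echo "$f"
}

# Run with "--demo" to audit the constructed samples; pass your own copies
# of login.defs and shadow to the functions to audit a real host.
if [ "${1:-}" = "--demo" ]; then
    d=$(sample_login_defs); s=$(sample_shadow)
    check_login_defs "$d"; echo "login.defs findings: $?"
    shadow_aging_report "$s" 90 7; echo "accounts to fix: $?"
    rm -f "$d" "$s"
fi
```

On the sample data only root is flagged (max 99999, min 0), alice already matches the 90/7 baseline, and the two locked accounts are skipped, since ageing a password that cannot be used for login is noise. Reading the real /etc/shadow requires root; the script deliberately prints the chage commands instead of running them so the operator can review the account list first.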


5. Make sure SSH LogLevel is set to INFO

Edit the /etc/ssh/sshd_config file to set the parameters as follows (uncomment):
LogLevel INFO

annotation:

LogLevel INFO: Sets the verbosity of sshd's log messages to INFO


6. SSHD enforces the V2 security protocol

Edit the /etc/ssh/sshd_config file to set the parameters as follows:
Protocol 2

annotation:

Protocol 2: Sets the protocol version to SSH2. SSH protocol version 1 is already disabled by default on CentOS 7, because SSH1 has known vulnerabilities and design flaws.


7. Set SSH idle timeout and exit time

Edit /etc/ssh/sshd_config, set ClientAliveInterval to a value between 300 and 900 (5 to 15 minutes), and set ClientAliveCountMax to 0.

ClientAliveInterval 900 
ClientAliveCountMax 0

annotation:

ClientAliveInterval 900 means that after 900 seconds without client activity, sshd sends an "empty packet" (a client-alive message) to the client to check that the connection is still alive. This option is only available for protocol version 2.

ClientAliveCountMax 0 sets how many such "empty packets" may go unanswered before the client is disconnected.

Taken together, the two lines mean: the idle timeout is 900 seconds, after which the ssh session is terminated without a keepalive packet being sent first.
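Steps 2, 5, 6 and 7 all edit /etc/ssh/sshd_config, and a baseline is only useful if it can be re-checked. The script below is an added example, not part of the original article: sshd_setting returns the value sshd would actually use for a keyword (keywords are case-insensitive, the first uncommented occurrence wins, and lines inside a Match block are conditional rather than global, so reading stops there), and check_sshd_baseline compares the five settings of those steps against the values the article asks for. It takes a file path, so the constructed sample config stands in for /etc/ssh/sshd_config; nothing is modified.

```shell
#!/bin/sh
# Added example, not from the original article: read-only audit of the
# sshd_config items in steps 2, 5, 6 and 7. It takes a file path, so the
# constructed sample config below stands in for /etc/ssh/sshd_config.

# sshd_setting FILE KEY -> the value sshd would use for KEY: keywords are
# case-insensitive, the first uncommented occurrence wins, and lines inside
# a Match block are not global settings, so reading stops there.
sshd_setting() {
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }' "$1"
}

# upper STRING -> STRING in upper case (LogLevel values are case-insensitive)
upper() { echo "$1" | tr 'a-z' 'A-Z'; }

# check_sshd_baseline FILE -> one line per deviation; exit status is the
# number of deviations (0 means every item of the baseline is met)
check_sshd_baseline() {
    cfg=$1; fail=0
    v=$(sshd_setting "$cfg" PermitEmptyPasswords)
    [ "$v" = "no" ] || { echo "PermitEmptyPasswords: want no, have '${v:-unset}'"; fail=$((fail+1)); }
    v=$(sshd_setting "$cfg" LogLevel)
    [ "$(upper "$v")" = "INFO" ] || { echo "LogLevel: want INFO, have '${v:-unset}'"; fail=$((fail+1)); }
    v=$(sshd_setting "$cfg" Protocol)
    [ "$v" = "2" ] || { echo "Protocol: want 2, have '${v:-unset}'"; fail=$((fail+1)); }
    v=$(sshd_setting "$cfg" ClientAliveInterval)
    case $v in
        ''|*[!0-9]*) echo "ClientAliveInterval: want 300-900, have '${v:-unset}'"; fail=$((fail+1)) ;;
        *) [ "$v" -ge 300 ] && [ "$v" -le 900 ] || { echo "ClientAliveInterval: want 300-900, have $v"; fail=$((fail+1)); } ;;
    esac
    v=$(sshd_setting "$cfg" ClientAliveCountMax)
    [ "$v" = "0" ] || { echo "ClientAliveCountMax: want 0, have '${v:-unset}'"; fail=$((fail+1)); }
    return $fail
}

# Constructed sample: the PermitEmptyPasswords line is still commented out
# (step 2 not done), LogLevel is VERBOSE instead of INFO, and the copy inside
# the Match block must not count as the global setting.
sample_sshd_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sshd_config sample
Port 22
#PermitEmptyPasswords no
LogLevel VERBOSE
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 0
Match User backup
    PermitEmptyPasswords no
EOF
    echo "$f"
}

# Run with "--demo" to audit the constructed sample; pass a copy of
# /etc/ssh/sshd_config to check_sshd_baseline to audit a real host.
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_sshd_config)
    check_sshd_baseline "$f"; echo "deviations: $?"
    rm -f "$f"
fi
```

On the sample the audit reports two deviations: PermitEmptyPasswords is treated as unset even though sshd's default is no and a copy sits in the Match block, because the baseline wants it stated explicitly at global scope, and LogLevel is VERBOSE rather than INFO. Two caveats when reading results on a real host: a stock config on a release that never offered SSH-1 may carry no Protocol line at all (the check reports it as unset, which step 6's note explains), and current OpenSSH versions document that a ClientAliveCountMax of 0 disables connection termination altogether, so on such a version the idle timeout of step 7 needs a count of at least 1 to actually end the session.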


Reprinted from: blog.csdn.net/cljdsc/article/details/123358936