For Internet IT practitioners, more and more work will be gradually transferred to the Linux system, which should be deeply experienced in development, operation and maintenance, and testing. A technical survey website W3Techs released a survey report in November 2018. The report showed that the utilization rate of Linux in the system of the website server was as high as 37.2%. This data also shows that the Linux system is widely used. In fact, in addition to applications in website servers, Linux systems are also used in DNS domain name resolution servers, e-mail servers, and some open source software applications (big data applications: According to the research of the Linux Foundation, 86% of enterprises have used Linux to operate The system carries out cloud computing, construction of big data platform ) on the server , etc.
Most users will assume that Linux is secure by default, and sometimes this claim is indeed a controversial topic. Linux does have a built-in security model by default. You need to turn it on and customize it to get a more secure system. Linux is harder to manage, but also more flexible, with more configuration options.
For system administrators, making a product's system more secure from hackers and hackers has always been a challenge. Moreover, there have been many cases of attacks on Linux in recent years, so how to build a safe, powerful and solid Linux system has always been an exploratory topic. Today, brother migrant workers will share with you how I build or strengthen the security of Linux systems in my daily work from all levels of the system.
This should be said to be the first step in server security.
Hardware servers must first be professionally maintained by professionals. The second is to turn off the soft-start mode from CD/DVD and so on. At the same time, a BIOS password can also be set, and there must be policies to restrict access and various process control.
You can also disable USB devices for security purposes:
vim /etc/modprobe.d/stopusb
install usb- storage / bin / true
Or use the following command to delete the USB driver
[root@rs-server ~] # mv /lib/modules/3.10.0-693.el7.x86_64/kernel/drivers/usb/storage/usb-storage.ko.xz
2. Keep the system up to date
This means to ensure that there are no other loopholes in the system, such as: existing loopholes should be repaired in time. Ensure that the system contains the latest versions of patches, security fixes, and available kernels.
yum updates
yum check - update
This requires administrators to always pay attention to information about the latest vulnerabilities and patch releases at home and abroad.
3. Minimize processing principle
Whether it is an installation system or commonly used software, this principle must be followed: Minimize installation and reduce the possibility of vulnerabilities.
For some unnecessary services and ports in the system, it is recommended to close them.
[root@rs-server ~] # chkconfig --list |grep "3:on"
network 0 : off 1 : off 2 : on 3 : on 4 : on 5 : on 6 : off
Then use the following command to close:
chkconfig service-name off
For Linux servers, remote login (SSH) connections are generally used to log in. therefore:
The first step is to avoid using the root user to log in unless it is not necessary. You can use sudo to perform privilege escalation operations, and then use system commands to lock the /etc/sudoers file (users other than the root user have no permission to modify).
Step 2: It is recommended to modify the SSH configuration file, such as the default port number 22, prohibit root password login (some users can also directly disable root user login through SSH protocol) and so on.
[root@rs-server ~]# vim /etc/ssh/sshd_config
# Port 22
can be modified to other port numbers. Migrant workers often use a mixture of IP+22
# PermitRootLogin yes Change
yes to No
# PermitEmptyPasswords no
Open the comment
# AllowUsers username
specifies a specific user to connect remotely through the SSH protocol
Linux is a system that can be operated by multiple users in parallel, so the system also divides users: super users and ordinary users. The permissions of the two are different, so the things they can do are also different, so it is also a very important step for user management.
This can be set through the system command passwd. Generally, it is recommended to use a password with a relatively complex strength, and the same user in each system uses a different password (the manager can be used for daily management).
[root@rs-server ~] # passwd mingongge
Changing password for user mingongge.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Temporary user management:
For this kind of required temporary user management, it can generally be deleted after use, or it can be locked after a period of time so that it cannot log in again, and the permissions can be opened again when the next login is required.
Deleting a user is easy and can be done with the system command userdel -r username.
Locking a user is actually modifying the attributes of the user:
[root@rs-server ~] # usermod -L mingongge
Let's open the terminal and try to log in to see:
At this time, it was found that the normal login connection was no longer possible, indicating that the configuration just now was correct. Wait until the next time you need to log in, you can use the following command to unlock:
[root@rs-server ~] # usermod -U mingongge
#-L lock
#-U unlock
File management here refers to important files that store user information: /etc/passwd and /etc/shadow.
[root@rs-server ~] # stat / etc / passwd
File : '/ etc / passwd '
Size : 945 Blocks : 8 IO Block : 4096 regular file
Device : fd00h / 64768d Inode : 17135889 Links : 1
Access : ( 0644 / -rw-r--r--) Uid : ( 0 / root) Gid : ( 0 / root)
Access :2019-08-06 01 :14 :37.439994172 + 0800
Modify : 2019-08-06 01 :14 :37.440994172 + 0800
Change : 2019-08-06 01 :14 :37.442994172 + 0800
@Birth : ~
[root ] # stat / etc / shadow
File : '/ etc / shadow '
Size : 741 Blocks : 8 IO Block : 4096 regular file
Device : fd00h / 64768d Inode : 17135890 Links : 1
Access : ( 0000 /----------) Uid : ( 0 / root) Gid : ( 0 / root)
Access : 2019-08-06 01 :14 :37.445994172 + 0800
Modify : 2019-08-06 01 :14 :37.445994172 + 0800
Change : 2019-08-06 01 :14 :37.447994172 + 0800
Birth : -
Generally, it can be seen from the above file attributes that these files have been tampered with. Therefore, it is generally recommended to lock these two files for users other than the root user without permission to modify and access them.
Using the system firewall to filter inbound and outbound traffic is a good strategy to prevent attacks, and the rules of the system firewall can be set one by one, which is very powerful and is strongly recommended to be enabled.
8. Software package management
For the software installed on the system, we use the RPM package manager to manage it. For the software listed by the yum or apt-get command, when deleting or uninstalling it, be sure to use the following commands:
yum -y remove software-package-name
sudo apt - get remove software-package-name
9. Disable Crtl+Alt+Del restart
Most servers will use the server restart after pressing the Crtl+Alt+Del key combination. This is an absolutely unfriendly security factor for online servers and must be prohibited, otherwise a misoperation will have a great impact.
# CentOS6 disable Ctrl+Alt+Del restart function #Method 1: vi /etc/init/control-alt-delete.conf # start on control-alt-delete #Comment this line
# Method 2: mv /etc/init/control -alt-delete.conf /etc/init/control-alt-delete.conf.bak #Note : Both methods can take effect without restarting the system
For CentOS7, the approach is different:
[root@rs-server ~]# cat /etc/inittab
# inittab is no longer used when using systemd.
#
# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# Ctrl-Alt-Delete is handled by /usr/ lib/systemd/system/ctrl-alt-del.target
#
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
#
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
#
# To view current default target, run:
# systemctl get-default
#
# To seta default target, run:
# systemctl set -default TARGET.target
#
This document has already explained the relevant introduction.
After testing, if the configuration in the above file is commented out, the reboot command will not take effect:
[root@rs-server ~]# ll /usr/lib/systemd/ system /ctrl-alt-del.target
lrwxrwxrwx. 1 root root 13 Mar 14 17 : 27 /usr/lib/systemd/ system /ctrl-alt- del.target -> reboot.target
This ctrl-alt-del.target is a soft link to reboot.target. Therefore, the final correct method is: move this file to another directory, and then reload the configuration file to use other to take effect. If you need this function again, you only need to re-add this software link.
10. Monitor user behavior
If you have a lot of users on your system, it's important to collect information about each user's behavior and their process consumption. User analysis can be done later and when some performance optimizations and security issues are dealt with. But what about monitoring and collecting user behavior information? There are two useful tools 'psacct' and 'acct' that can be used to monitor user behavior and processes on the system.
[root@rs-server ~] # yum install psacct -y
The method of use is as follows:
ac count user connection time
ac #Display the total connection time of all users
ac -p #Display the connection time of each user
ac -d #Display the total connection time of all users every day
ac silence #Display the connection time of the specified user
ac -d silence #Display the specified user Daily connection time
sa output user activity information
sa #Display the command execution status of all users
sa -u #Display command execution status by user
sa -m #Display command execution status by process
sa -p #Display command execution status by usage
lastcomm output the latest Execution command information
lastcomm #Display all execution commands
lastcomm silence #Display specified user execution commands
lastcomm ls #Display specified command execution status
other
last #View recent user login success list
last -x #Display system shutdown, restart and other information
last-a #Display IP in the last column
last -d #Do domain name resolution for IP
last -R #Do not display IP column
last -n 3 #Display the last 3
lastb #View the list of recent user login failures
[root@rs-server ~] # ac -p
root 71 .88
total 71 .88
[root@rs-server ~] # sa -u
root 0 .00 cpu 1043k mem 0 io accton
root 0 .00 cpu 3842k mem 0 io systemd-tty - ask
root 0.03 cpu 72576k mem 0 io pkttyagent root 0.00 cpu 32112k mem 0 io systemctl
root 0 .00 cpu 2674k mem 0 io systemd-cgroups
root 0 .07 cpu 37760k mem 0 io ps
root 0 .00 cpu 28160k mem 0 io grep
root 0 .00 cpu 1080k mem 0 io ac
root 0 .14 cpu 0k mem 0 io kworker / u256 : 0 *
root 0.10 cpu 0k mem 0 io kworker / 0 :0 *
root 0 .02 cpu 0k mem 0 io kworker / 0 :2 *
[root@rs-server ~] # lastcomm sa
sa root pts / 0 0 .00 secs Tue Aug 6 02 : 15
[root@rs-server ~] # last -x
root pts / 0 192 .168 .1 .14 Tue Aug 6 00 :48 still logged in
root tty1 Tue Aug 6 00 :48 still logged in
[root@rs-server ~] # lastb
mingongg ssh :notty 192 .168 .1 .14 Tue Aug 6 01 :11 - 01 :11 ( 00 : 00 )
mingongg ssh :notty 192 .168 .1 .14 Tue Aug 6 01 :11 - 01:11 ( 00:00 ) btmp begins Tue Aug 6 01:11:27 2019 _ _ _ _ _
11. Regularly check the log
Save the system and its important logs on a professional log server other than this server, so as to prevent hackers from invading the system and applications by analyzing the logs. The following are common log files:
Needless to say, this is very important, especially important production data, which must be backed up and stored locally, off-site, and on different media, and at the same time, the integrity and availability of data need to be checked regularly.
For the system, common security scanning tools are necessary, such as: scanning open ports nmap. For WEB applications in the system, you can use some open source tools: IBM AppScan, SQL Map, etc. There are also many commercial products of this type, so I won't introduce them here (and don't give me advertising fees).
There are file encryption tools for files, and some intrusion detection and vulnerability scanning tools for systems. Whether it is open source or commercial, you can decide which tool to use based on actual needs and enterprise costs.
For safety management, a good process and management system are also necessary. Otherwise, the basic function of the above 13 points is 0. There is a method, but there is no system to implement the method! !
Therefore, no matter for small enterprises or large enterprises, the process and management system always precede all processing methods. Talent is the most uncontrollable factor in the world! !
Source: Migrant workers' technology road
Due to the recent changes in the push rules of the WeChat public platform, many readers reported that they did not see the updated articles in time. According to the latest rules, it is recommended to click "recommended reading, sharing, collection", etc. to become frequent readers.
Recommended reading:
Please click [Watching] to add chicken legs to the editor
