CentOS operating system security reinforcement
2022-07-24 06:32:00 【Step on the path of the pit】
1. Disable or delete unused accounts
Delete an account: userdel name
Lock an account: passwd -l name
Unlock an account: passwd -u name
2. Check for empty-password accounts and accounts with root privileges
Check for empty-password accounts: awk -F: '($2=="")' /etc/shadow
List accounts with UID 0: awk -F: '($3==0)' /etc/passwd, and confirm that root is the only account with UID 0
Set a password for any empty-password account: passwd name
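The checks above as a small audit script (an added example, not code from the original post); each function takes the path of a passwd- or shadow-format file and runs here on constructed sample files. It goes one step beyond section 2 by also flagging accounts whose maximum password age exceeds the PASS_MAX_DAYS limit set in section 3.1.

```shell
#!/bin/sh
# Added audit helper, not code from the original post. Each function takes the
# path of a passwd- or shadow-format file so it can run on constructed samples
# as well as on /etc/passwd and /etc/shadow (the latter needs root to read).

# Accounts whose password hash (field 2 of shadow) is empty: anyone can log in.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with UID 0 (field 3 of passwd) other than root: hidden superusers.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Usable accounts whose maximum password age (field 5 of shadow) is unset or
# above the limit in $2; locked accounts (hash starting with ! or *) are skipped.
# This goes beyond section 2: it checks the PASS_MAX_DAYS policy from section 3.1.
stale_max_age_accounts() {
    awk -F: -v max="$2" '$2 !~ /^[!*]/ && ($5 == "" || $5 > max) { print $1 }' "$1"
}

# Constructed sample files (not real system data) exercising each check.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backdoor:x:0:0::/home/backdoor:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$TMP/shadow" <<'EOF'
root:$6$samplesalt$samplehash:19000:0:99999:7:::
backdoor::19000:0:99999:7:::
alice:$6$samplesalt$samplehash:19000:0:90:7:::
bob:!!:19000:0:99999:7:::
EOF

echo "Empty passwords:";        empty_password_accounts "$TMP/shadow"
echo "Extra UID 0 accounts:";   extra_uid0_accounts "$TMP/passwd"
echo "Max age missing or >90:"; stale_max_age_accounts "$TMP/shadow" 90
```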
3. Strengthen password complexity and ageing to reduce the chance of passwords being guessed
3.1 Edit the configuration file /etc/login.defs
vim /etc/login.defs
PASS_MAX_DAYS 90 # maximum number of days a new user's password may be used
PASS_MIN_DAYS 0 # minimum number of days before a new user's password may be changed
PASS_WARN_AGE 7 # number of days before expiry that a new user is warned
3.2 Use the chage command to change a user's settings
The following sets this user's maximum password age to 30 days and the minimum to 0 days, sets the expiry date to 1 January 2000, and warns the user seven days before expiry.
chage -m 0 -M 30 -E 2000-01-01 -W 7
Lock the account for five minutes after the password is entered incorrectly three times in a row.
vim /etc/pam.d/common-auth
# Edit the configuration file and add the following line:
auth required pam_tally.so onerr=fail deny=3 unlock_time=300
4. Restrict which users may su to root
vi /etc/pam.d/su
# Edit the configuration file and add the following line.
# For example, to allow only users in the test group to su to root, add:
auth required pam_wheel.so group=test
5. Prohibit direct root logins
5.1 Create an ordinary account and set its password first, so that remote login remains possible;
5.2 Use vi /etc/ssh/sshd_config to edit the configuration file, change the value of PermitRootLogin to no, save, and then restart the sshd service.
6. Shut down unnecessary services
Use systemctl disable <service> so that the service does not start automatically at boot.
Note: on older Linux versions (such as CentOS 6), use chkconfig --level <runlevel> <service> off so that the service does not start automatically at the specified init runlevel.
7. SSH service hardening
Edit the configuration file with vim /etc/ssh/sshd_config.
- Do not allow the root account to log in to the system directly: set PermitRootLogin to no.
- Change the SSH protocol version in use: set Protocol to 2.
- Change the number of allowed password failures (default 6): set MaxAuthTries to 3.
After editing the configuration file, restart the sshd service for the changes to take effect.
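A way to verify the three settings above after editing, as an added example that is not part of the original post. It assumes the config file path is passed as the first argument and mirrors sshd's own parsing rule that the first uncommented occurrence of a keyword wins; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: verify the three sshd_config
# settings from section 7. Pass the config path as $1 (normally
# /etc/ssh/sshd_config); a constructed sample is used below.

# Effective value of one keyword. sshd keeps the FIRST uncommented occurrence of
# a keyword, and keyword names are case-insensitive, so later overrides are ignored.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# One PASS/FAIL line per recommended setting; an unset keyword is reported as
# FAIL because the compiled-in default (e.g. MaxAuthTries 6) is not the hardened value.
check_sshd_config() {
    for pair in PermitRootLogin:no Protocol:2 MaxAuthTries:3; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key ${got:-unset} (want $want)"
        fi
    done
}

# Number of failing checks: 0 means every recommended setting is in place.
count_failures() {
    check_sshd_config "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

# Constructed sample (not a real server's file): root login is disabled, but a
# stale lowercase duplicate, the default MaxAuthTries and a missing Protocol remain.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 6
permitrootlogin yes
EOF

check_sshd_config "$TMP/sshd_config"
echo "Failures: $(count_failures "$TMP/sshd_config")"
```

OpenSSH 7.4 and later removed server support for SSH protocol 1 altogether, so on those builds a missing Protocol line is not itself a weakness.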
8. File system
8.1 Set the umask value
Set the default umask value to improve security.
Edit the configuration file with vim /etc/profile and add the line umask 027, so that the owner of a newly created file has read and write permission, users in the same group have read and execute permission, and other users have no permission.
8.2 Set a login timeout
Set an idle-connection timeout for logged-in sessions to improve security.
Edit the configuration file with vim /etc/profile, find the line beginning with TMOUT= (adding one if absent) and set it to TMOUT=180, i.e. a timeout of three minutes.
9. Logging
9.1 syslogd logs
Enable logging and configure it.
Linux enables the following logs by default:
- system log (default) /var/log/messages
- cron log (default) /var/log/cron
- security log (default) /var/log/secure
Note: some systems use syslog-ng for logging; its configuration file is /etc/syslog-ng/syslog-ng.conf.
More detailed logging can be configured as required.
9.2 Login and operation logs of all users
Record every user's login and command history with a script, so that a security incident never goes without evidence.
Add the following at the end of the configuration file /etc/profile:
# Record each user's shell history in a per-user directory, with the file named
# by user, login IP and login time (comments added; the original has none).
USER=`whoami`
# "am i" limits who to the current session; the extracted version had lost it
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
USER_IP=`hostname`
fi
if [ ! -d /var/log/history ]; then
mkdir /var/log/history
chmod 777 /var/log/history
fi
if [ ! -d /var/log/history/${LOGNAME} ]; then
mkdir /var/log/history/${LOGNAME}
chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
Run source /etc/profile to load the configuration so it takes effect.
Note: /var/log/history is where the logs are stored; the location can be customised.
After these steps, a subfolder is created under /var/log/history for each user; each time a user logs out, a log file named with the user name, login IP and time is generated, containing all of that user's actions in that session (except for the root user).