14 Linux system security tips, there is always a trick!


For internet IT practitioners, more and more work is gradually moving to Linux, whether in development, operations and maintenance, or testing. A survey report released by the technology survey site W3Techs in November 2018 put Linux's share of website server systems at 37.2%, which shows how widely the system is used. Beyond web servers, Linux also runs DNS resolvers, mail servers and a great deal of open-source software (big data, for example: according to Linux Foundation research, 86% of enterprises have used Linux for cloud computing and big-data platform construction).

Most users agree that Linux is secure by default, although that statement is a controversial topic at times. Linux does ship with a built-in security model, but you need to enable it and tailor it to get a more secure system. Linux is harder to manage, but it is correspondingly more flexible and offers more configuration options.

For system administrators, keeping a production system safe from hackers has always been a challenge, and there have been many cases of Linux being attacked in recent years, so how to build a safe, robust and solid Linux system remains an open topic. Today Brother Migong will share how I build or harden Linux systems in my daily work, level by level. I hope these methods are helpful to you. Writing this up is not easy; if it helps, please forward and share it and give it a like to support Migong.

1. Physical security

This is the first step in server security.

Physical servers should, first of all, be maintained by qualified staff. Second, disable booting from removable media such as CD/DVD. A BIOS password can also be set, and there must be policies that restrict physical access, together with the corresponding process controls.

You can also disable USB storage devices for security purposes (modprobe only reads files in /etc/modprobe.d whose names end in .conf):

vim /etc/modprobe.d/stopusb.conf
install usb-storage /bin/true

Or move the USB storage driver out of the module tree (the path contains the running kernel version, so this has to be repeated after a kernel update):

[root@host ~]# mv /lib/modules/3.10.0-693.el7.x86_64/kernel/drivers/usb/storage/usb-storage.ko.xz /root/usb-storage.ko.xz.bak

2. Keep the system up to date

This means making sure the system has no known unpatched vulnerabilities: existing vulnerabilities must be fixed in a timely manner, and the system should carry the latest patches, security fixes and an up-to-date kernel.

yum check-update #list the updates that are available
yum update #install them

This also requires administrators to follow domestic and foreign advisories about newly published system vulnerabilities and patch releases.

3. The minimization principle

Whether you are installing the system or commonly used software, follow this principle: install the minimum that is needed, which also reduces the chance of loopholes.

Unnecessary services and ports in the system should be closed.

[root@host ~]# chkconfig --list |grep "3:on"
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Then disable the service with the following command (on CentOS 7, chkconfig is only a compatibility wrapper; systemctl disable service-name is the native equivalent):

chkconfig service-name off

4. Login and connection

Linux servers are normally administered over remote SSH logins, therefore:

Step 1: Do not log in as root unless it is truly necessary. Use sudo to perform operations that need elevated privileges, then lock the /etc/sudoers file with a system command so that users other than root have no permission to modify it.

Step 2: It is recommended to modify the SSH configuration file: change the default port number 22, prohibit root password login (in some self-managed computer rooms you can go further and disable root SSH logins entirely), and so on.

[root@host ~]# vim /etc/ssh/sshd_config
#Port 22
    Change this to another port number (Migong often uses a number that combines part of the host IP with 22) and remove the leading #.
#PermitRootLogin yes
    Change yes to no and remove the leading #.
#PermitEmptyPasswords no
    Simply uncomment this line.
#AllowUsers username
    Only the named users may connect through SSH.
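As an added example (not code from the original article), a small POSIX shell script that applies the four sshd_config changes above to a file and reads back the effective values; the port number, user list and backup path are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original article: apply the sshd_config changes
# described above to a file and read back the effective values. Port number,
# user list and the backup path are placeholders chosen for the example.
set -eu

# Replace every occurrence of KEY in FILE (commented or not) with "KEY VALUE".
# The new line goes at the top: sshd uses the first match of a keyword, and a
# line appended at the end could land inside a Match block and be ignored.
set_directive() {
    file=$1 key=$2 value=$3
    {
        printf '%s %s\n' "$key" "$value"
        sed "/^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]]/d" "$file"
    } > "$file.tmp"
    cat "$file.tmp" > "$file"    # rewrite in place so mode/owner (0600 root) survive
    rm -f "$file.tmp"
}

# Print the effective value of KEY in FILE (first uncommented occurrence).
directive_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# The four changes from the article: non-default port, no root login,
# no empty passwords, explicit list of users allowed to connect.
harden_sshd_config() {
    cfg=$1 port=$2 users=$3
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" PermitEmptyPasswords no
    set_directive "$cfg" AllowUsers "$users"
}

# Live run only when asked for explicitly, e.g.: ./harden_ssh.sh --apply 2222 "alice ops"
# On CentOS 7 a new port also needs SELinux and firewall rules, e.g.
# semanage port -a -t ssh_port_t -p tcp 2222, before the restart.
if [ "${1-}" = "--apply" ]; then
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    harden_sshd_config /etc/ssh/sshd_config "$2" "$3"
    sshd -t                  # syntax check first: a bad config locks you out
    systemctl restart sshd
fi
```

Keep a second SSH session open while restarting sshd so a mistake can still be reverted from the backup copy.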

For production servers you can also put a bastion host in front of them to restrict connections:

Related reading: Teach you how to build Jumpserver from scratch to protect server security!

5. User management

Linux is a system that many users can operate in parallel, so it divides users into the superuser and ordinary users. The two have different permissions and can therefore do different things, which makes user management a very important step.

Set user passwords:

Passwords are set with the passwd command. Use a reasonably complex password, and give the same user a different password on each system (a password manager helps with day-to-day use).

[root@host ~]# passwd mingongge
Changing password for user mingongge.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Temporary user management:

Temporary users can generally be deleted after use, or locked after a period so that they can no longer log in, and unlocked again the next time they are needed.

Deleting a user is simple: userdel -r username.

Locking a user is really just modifying the user's attributes:

[root@host ~]# usermod -L mingongge

Let's open a terminal and try to log in:

[Figure: the SSH login attempt by the locked user is refused]

The login now fails, which shows the change has taken effect. When the user needs to log in again, unlock the account with:

[root@host ~]# usermod -U mingongge
#-L lock
#-U unlock

6. File management

The file management here refers to important files that store user information: /etc/passwd and /etc/shadow.

[root@host ~]# stat /etc/passwd
File: ‘/etc/passwd’
Size: 945 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 17135889 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2019-08-06 01:14:37.439994172 +0800
Modify: 2019-08-06 01:14:37.440994172 +0800
Change: 2019-08-06 01:14:37.442994172 +0800
Birth: -
[root@host ~]# stat /etc/shadow
File: ‘/etc/shadow’
Size: 741 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 17135890 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2019-08-06 01:14:37.445994172 +0800
Modify: 2019-08-06 01:14:37.445994172 +0800
Change: 2019-08-06 01:14:37.447994172 +0800
Birth: -

The attributes shown above (permissions, owner, size, and the modification and change times) give a first indication of whether these files have been tampered with. In general it is recommended to lock both files so that users other than root have no permission to modify or access them.
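As an added example (not code from the original article), a shell script that records a baseline of the attributes stat shows for /etc/passwd and /etc/shadow, reports any later change as a diff, and checks that the permissions are still what they should be; the baseline path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: fingerprint /etc/passwd and
# /etc/shadow (mode, owner, group, inode, SHA-256) so later tampering shows
# up as a diff, and check that their permissions are still what they should
# be. Needs GNU stat/sha256sum and root to read shadow; BASELINE is a placeholder.
set -eu
BASELINE=/var/lib/passwd-shadow.baseline   # keep a copy off-host as well

# One line per file: mode owner group inode sha256 path
fingerprint() {
    for f in "$@"; do
        printf '%s %s %s\n' "$(stat -c '%a %U %G %i' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

save_baseline() {          # save_baseline OUT FILE...
    out=$1; shift
    fingerprint "$@" > "$out"
}

# Exit 0 when nothing changed; otherwise print the differing lines and exit 1.
# A new inode with identical content is suspicious too: the file was replaced.
verify_baseline() {        # verify_baseline BASE FILE...
    base=$1; shift
    fingerprint "$@" | diff "$base" - && return 0
    return 1
}

# check_perms FILE "MODE..." [OWNER]: passwd should be 0644 root, shadow 0000 or 0400 root.
check_perms() {
    f=$1 want=$2 owner=${3:-root}
    mode=$(printf '%04o' "0$(stat -c '%a' "$f")")
    [ "$(stat -c '%U' "$f")" = "$owner" ] || return 1
    case " $want " in *" $mode "*) return 0 ;; esac
    return 1
}

case "${1-}" in
    --save)   save_baseline "$BASELINE" /etc/passwd /etc/shadow ;;
    --verify) verify_baseline "$BASELINE" /etc/passwd /etc/shadow
              check_perms /etc/passwd 0644
              check_perms /etc/shadow "0000 0400" ;;
esac
```

Run it with --save once the system is in a known-good state and schedule --verify from cron; a non-zero exit is the alert.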

7. Enable the firewall

Using the system firewall to filter inbound and outbound traffic is a good strategy against attacks; its rules can be written one by one and are very powerful, so enabling it is recommended.

Related reading: Linux system security configuration: introduction to the iptables service

8. Software package management

Software installed on the system is managed with the package manager (RPM/yum on CentOS, apt on Debian and Ubuntu). When removing or uninstalling software that was installed with yum or apt-get, use the package manager rather than deleting files by hand:

yum -y remove software-package-name

sudo apt-get remove software-package-name

9. Disable Ctrl+Alt+Del restart

By default most servers reboot when the Ctrl+Alt+Del combination is pressed. For online servers this is a plainly unfriendly security factor and must be prohibited, otherwise one slip of the hand has a serious impact.

#CentOS6 disable Ctrl+Alt+Del restart function
#method one:
vi /etc/init/control-alt-delete.conf
#start on control-alt-delete #Comment this line

#Method Two:
mv /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak

#Note: Both methods can take effect without restarting the system

For CentOS 7 the method is different:

[root@host ~]# cat /etc/inittab
# inittab is no longer used when using systemd.
# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
# To view current default target, run:
# systemctl get-default
# To set a default target, run:
# systemctl set-default TARGET.target
The file itself says where the handling has moved.

Testing shows that commenting out lines in this file has no effect, because systemd no longer reads it; the actual handler is the ctrl-alt-del target:

[root@host ~]# ll /usr/lib/systemd/system/ctrl-alt-del.target
lrwxrwxrwx. 1 root root 13 Mar 14 17:27 /usr/lib/systemd/system/ctrl-alt-del.target -> reboot.target

ctrl-alt-del.target is a soft link to reboot.target. So the final working method is to move this file to another directory and then reload systemd's configuration (systemctl daemon-reload) for the change to take effect. If you need the function again, simply recreate the soft link.
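As an added example (not code from the original article), a shell script that disables the Ctrl+Alt+Del reboot on a systemd host both the way described above (move the symlink away) and the way systemd itself provides (mask the unit), with a check that reports whether the key is still live. ROOT is a directory prefix so the functions can be exercised against a scratch tree; the backup path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: disable the Ctrl+Alt+Del
# reboot on a systemd host such as CentOS 7, both the way the article does it
# (move the ctrl-alt-del.target symlink away) and the way systemd intends it
# (mask the unit), with a check that reports whether the key is disabled.
# ROOT is a directory prefix, "/" on a real host, so the functions can also be
# exercised against a scratch tree; the backup path is a placeholder.
set -eu

UNIT=usr/lib/systemd/system/ctrl-alt-del.target   # symlink -> reboot.target on CentOS 7
OVERRIDE=etc/systemd/system/ctrl-alt-del.target    # where "systemctl mask" puts its link

reload_if_live() { [ "$1" = / ] && systemctl daemon-reload || true; }

# The article's method. Drawback: a systemd package update reinstalls the unit
# file, so the key silently works again until the move is repeated.
move_away() {
    root=${1%/}/
    mv "$root$UNIT" "${root}root/ctrl-alt-del.target.bak"
    reload_if_live "$1"
}
restore_moved() {
    root=${1%/}/
    mv "${root}root/ctrl-alt-del.target.bak" "$root$UNIT"
    reload_if_live "$1"
}

# systemd's method: a link to /dev/null in /etc overrides the copy in /usr/lib
# (exactly what "systemctl mask ctrl-alt-del.target" creates) and survives updates.
mask_cad() {
    root=${1%/}/
    mkdir -p "$(dirname "$root$OVERRIDE")"
    ln -sfn /dev/null "$root$OVERRIDE"
    reload_if_live "$1"
}

# Exit 0 when Ctrl+Alt+Del can no longer reboot the host: the unit is masked,
# or no unit file resolving to reboot.target is left in /usr/lib.
cad_disabled() {
    root=${1%/}/
    [ "$(readlink "$root$OVERRIDE" 2>/dev/null || true)" = /dev/null ] && return 0
    [ -L "$root$UNIT" ] || [ -e "$root$UNIT" ] || return 0
    [ "$(basename "$(readlink "$root$UNIT" || true)")" != reboot.target ]
}
```

On a live host call the functions with / as ROOT; cad_disabled / is a quick audit check for the whole fleet.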

10. Monitor user behavior

If your system has many users, collecting information about each user's behaviour and the processes they run is very important: it can be analysed later, both when optimising performance and when dealing with security issues. But how do you monitor and collect user behaviour? Two very useful tools, psacct and acct, can monitor user activity and processes on the system.

[root@host ~]# yum install psacct -y
Start the psacct service afterwards so that accounting is actually recorded. The tools are used as follows:

ac: report user connection time
ac #Display the total connection time of all users
ac -p #Display the connection time of each user
ac -d #Display the total connection time of all users per day
ac silence #Display the connection time of the specified user
ac -d silence #Display the daily connection time of the specified user

sa: output user activity information
sa #Display the execution status of all users
sa -u #Display command execution by user
sa -m #Display command execution status by process
sa -p #Display command execution by usage

lastcomm: output information about recently executed commands
lastcomm #Display all executed commands
lastcomm silence #Display the commands executed by the specified user
lastcomm ls #Display the executions of the specified command

last #View the list of recent successful user logins
last -x #Display system shutdown, restart and run-level changes
last -a #Display the host/IP in the last column
last -d #Resolve IPs to host names
last -R #Do not display the host column
last -n 3 #Display the last 3 entries
lastb #View the list of recent failed user logins

Concrete usage examples:
[root@host ~]# ac -p
root 71.88
total 71.88
[root@host ~]# sa -u
root 0.00 cpu 1043k mem 0 io accton
root 0.00 cpu 3842k mem 0 io systemd-tty-ask
root 0.03 cpu 72576k mem 0 io pkttyagent
root 0.00 cpu 32112k mem 0 io systemctl
root 0.00 cpu 2674k mem 0 io systemd-cgroups
root 0.07 cpu 37760k mem 0 io ps
root 0.00 cpu 28160k mem 0 io grep
root 0.00 cpu 1080k mem 0 io ac
root 0.14 cpu 0k mem 0 io kworker/u256:0 *
root 0.10 cpu 0k mem 0 io kworker/0:0 *
root 0.02 cpu 0k mem 0 io kworker/0:2 *

[root@host ~]# lastcomm sa
sa root pts/0 0.00 secs Tue Aug 6 02:15

[root@host ~]# last -x
root pts/0 Tue Aug 6 00:48 still logged in
root tty1 Tue Aug 6 00:48 still logged in

[root@host ~]# lastb
mingongg ssh:notty Tue Aug 6 01:11 - 01:11 (00:00)
mingongg ssh:notty Tue Aug 6 01:11 - 01:11 (00:00)

btmp begins Tue Aug 6 01:11:27 2019
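As an added example (not code from the original article), a shell script that summarises the failed-login records lastb prints so that password guessing against the SSH port stands out. It expects "lastb -w -i" output (full user names and numeric source addresses; plain lastb truncates names to 8 characters, as "mingongg" above shows); the sample records and the documentation-range IPs are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the failed-login
# records that lastb prints, to spot password guessing against the SSH port.
# Expected input is "lastb -w -i" output (full user names, numeric source
# addresses: plain lastb truncates names to 8 characters, as "mingongg"
# above shows). The sample below is constructed, not captured from a host.
set -eu

# Print "count user host" for every (user, source) pair, most frequent first.
# Only remote ssh records are counted; the trailing "btmp begins" line and
# blank lines are skipped.
count_failures() {
    awk '
        /^$/ || /^btmp begins/ { next }
        $2 ~ /^ssh:/ { n[$1 " " $3]++ }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Print "host count" for sources with at least THRESHOLD failures, for alerting.
flag_sources() {
    file=$1 threshold=$2
    awk -v t="$threshold" '
        /^$/ || /^btmp begins/ { next }
        $2 ~ /^ssh:/ { h[$3]++ }
        END { for (k in h) if (h[k] >= t) print k, h[k] }
    ' "$file" | sort -k2,2rn
}

# Constructed sample in "lastb -w -i" layout; 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts.
sample_btmp() {
    cat <<'EOF'
mingongge ssh:notty    192.0.2.10    Tue Aug  6 01:11 - 01:11  (00:00)
mingongge ssh:notty    192.0.2.10    Tue Aug  6 01:11 - 01:11  (00:00)
root      ssh:notty    198.51.100.7  Tue Aug  6 01:12 - 01:12  (00:00)
admin     ssh:notty    198.51.100.7  Tue Aug  6 01:12 - 01:12  (00:00)
root      ssh:notty    198.51.100.7  Tue Aug  6 01:13 - 01:13  (00:00)
root      tty1                       Tue Aug  6 01:14 - 01:14  (00:00)

btmp begins Tue Aug  6 01:11:27 2019
EOF
}

# On a real host: lastb -w -i > /tmp/btmp.txt, then run the two functions on it.
if [ "${1-}" = "--demo" ]; then
    sample_btmp > /tmp/btmp.sample
    count_failures /tmp/btmp.sample
    flag_sources /tmp/btmp.sample 3
fi
```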

11. Regularly check logs

Keep the system's important logs on a dedicated log server rather than on this host, so that an intruder cannot learn about the system and its applications by analysing the logs. The following are common log files:

[Figure: table of common Linux log files]

12. Data backup

Needless to say this is very important, especially for important production data, which must be backed up locally, off-site and on different media. The integrity and availability of the backups must also be checked regularly.

Related reading: Xtrabackup implements data backup and recovery

Related reading: Highly compelling enterprise-level MySQL database backup solution, it turned out to be like this….

On recovery after accidental deletion of data: Accidentally executed rm -f? Don't rush to run away!

13. Security tools

Commonly used security scanning tools are a must for the system, for example nmap for scanning open ports. For web applications on the system you can use open-source or free tools such as IBM AppScan or sqlmap. There are also many commercial products of this type, which I won't introduce here (and nobody pays me advertising fees).

There are encryption tools for files, and intrusion detection and vulnerability scanning tools for systems. Whether open source or commercial, decide which tool to use based on actual needs and the enterprise's budget.

14. Management method

Security management also needs good processes and a management system; otherwise the 13 points above are basically worth nothing: there are methods, but no system to put the methods into practice!

Therefore, for small and large enterprises alike, processes and management systems always come before any individual technique. People are the most uncontrollable factor in the world!

Related reading: Don't fall into the pit, don't take the blame! The most comprehensive server security management specification in history, open sourced

I hope these methods are helpful to you. Writing this up is not easy; if it helps, please forward and share it and give it a like to support Migong. The above is Migong's summary based on personal work experience, which may be incomplete or incorrect. If you have different views or other ways to harden system security, please leave a message at the end of the article so we can discuss and learn together, and build a more powerful, safe and reliable Linux system environment.

Follow the WeChat official account "Migong Ge Technology Road" and reply with the keyword 1024 in the background to receive a copy of the latest technical material.