How to perform security hardening and vulnerability repair on Linux systems

As every business becomes increasingly reliant on the Internet, cybersecurity is increasingly becoming an organizational focus. In this regard, Linux systems are a good starting point. Due to its characteristics of open source, widespread use, and no need for authorization, Linux system has become the operating system of choice for many organizations and enterprises. However, the risks of Linux systems are also increasing. This article will introduce how to harden and repair Linux system vulnerabilities, and provide some sample code to help you configure a more secure Linux system.

First, we need to focus on these aspects: user management, file and directory permissions, network and server configuration, and application security. Detailed measures and sample code for each aspect are described below.

1. User Management

Strong Password

Develop a password policy that requires users to choose complex passwords and change passwords regularly.

#强制用户选择具备最低密码强度的密码
auth requisite pam_passwdqc.so enforce=users
#强制/用户更改自己的密码
auth required pam_warn.so
auth required pam_passwdqc.so min=disabled,disabled,12,8,7
auth required pam_unix.so remember=24 sha512 shadow

Prohibit root remote login

It is recommended that only users with root permissions can connect directly. Configure PermitRootLogin in /etc/ssh/sshd_config to no.

Login Timeout

The timeout setting can ensure that the connection is automatically disconnected after a period of idle time. Set as follows in /etc/profile or ~/.bashrc:

#设置空闲登陆超时退出时间为300秒
TMOUT=300
export TMOUT

2. File and directory permissions

Default configuration

The default configuration will allow all Users can view all files and directories. Add the following content to the /etc/fstab file:

tmpfs /tmp            tmpfs defaults,noatime,mode=1777 0  0
tmpfs /var/tmp        tmpfs defaults,noatime,mode=1777 0  0
tmpfs /dev/shm        tmpfs defaults,noatime,mode=1777 0  0

Determine permissions for sensitive files and directories

Access permissions should be restricted to specific user groups or individuals. Use the chown and chmod commands to modify the permissions of files and directories. The following example sets a directory that can only be modified by the root user:

#修改某目录只能root用户修改
chown root /etc/cron.deny
chmod 600 /etc/cron.deny

Check the SUID, SGID, and Sticky Bit bits

SUID ( Set user ID), SGID (Set group ID), Sticky Bit and other bits are some security marks in the Linux system and need to be audited regularly. The following command is used to find any unqualified permission conditions:

#查找SUID权限未被使用的文件和目录
find / -perm +4000 ! -type d -exec ls -la {} ; 2>/dev/null
#查找SGID权限未被使用的文件和目录
find / -perm +2000 ! -type d -exec ls -la {} ; 2>/dev/null
#查找粘滞位未设置的目录
find / -perm -1000 ! -type d -exec ls -la {} ; 2>/dev/null

3. Network and Server Configuration

Firewall

iptables is the most commonly used in Linux One of the firewall applications. The following sample code blocks all incoming access:

#清空所有规则和链
iptables -F
iptables -X
#允许所有本地进出的通信，并拒绝所有远程的访问
iptables -P INPUT DROP
iptables -P OUTPUT DROP
#添加规则
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Restrict service access

Some services should only run locally, and there is a great risk of being accessed from the outside network. Develop rules in the /etc/hosts.allow and /etc/hosts.deny directories to limit access time, IP and other information to the service.

4. Application Security

Update Software Packages

Both kernel and user space software require regular updates to resolve known bugs and vulnerabilities . You can use yum, rpm and other tools to update software packages. Sample code is given below:

#更新已安装的所有软件包
yum -y update
#更新单个软件包
yum -y update <package>

Avoid using root user to run applications

When running applications, you should use unprivileged users and do not use root users to run applications.

Compile static link library

The static link library contains all dependencies for writing applications, which can prevent other users from tampering with dependent packages. Sample code is given below:

#编译静态链接库
gcc -o app app.c -static

Conclusion

The security reinforcement and vulnerability repair work of Linux system does not stop there, but the above measures can help us strengthen the security of Linux system. It should be noted that these measures cannot fully guarantee the security of the system. Organizations and enterprises should take multiple measures to ensure security.

The above is the detailed content of How to perform security hardening and vulnerability repair on Linux systems. For more information, please follow other related articles on the PHP Chinese website!