Multiple Ways to Ensure Linux Server Security (1)

As an open-source operating system, Linux is widely used for its security, efficiency and stability. Out of the box, however, it is only as safe as the controls you put around it. In this blog I will focus on hardening account, system and login control.

Basic security tips

  • Redundant accounts that ship with the system, such as "games", can be deleted outright, and so can accounts that belonged to programs. Uninstalling a package does not always remove the account it created, so check for leftovers and delete them manually.
  • When the set of user accounts on the server is fixed and no longer changes, you can lock the account files themselves with the immutable attribute. While locked, users cannot be added or removed and passwords cannot be changed, not even by root with passwd or chage, so unlock before any account maintenance. Root can simply remove the attribute again, so this guards against mistakes and careless scripts rather than against a compromised root account. If you lock /etc/passwd and /etc/shadow, consider /etc/group and /etc/gshadow as well.
[root@localhost ~]# chattr +i /etc/passwd /etc/shadow             #lock file
[root@localhost ~]# lsattr /etc/passwd /etc/shadow                  #check if it is locked
----i----------- /etc/passwd
----i----------- /etc/shadow
[root@localhost ~]# chattr -i /etc/passwd /etc/shadow             #unlock file
  • Password validity period control: to shorten the window in which a stolen or guessed password stays useful, set a maximum password age. A user whose password has expired must set a new one at the next login and is refused otherwise.
[root@localhost ~]# vim /etc/login.defs                #apply to newly created accounts
                     ........................
PASS_MAX_DAYS   30             #set the days to what you want (default is 99999)
[root@localhost ~]# chage -M 30 lv             #apply to existing users
[root@localhost ~]# chage -d 0 test              #test user has to change password on next login
  • Command history, automatic logout
#takes effect for every user at their next login shell
[root@localhost ~]# vim /etc/profile                
                         ................
HISTSIZE=200                 #keep only 200 commands in the shell history
export TMOUT=600                        #log out an idle shell after 600s 

 #takes effect in the current shell only
[root@localhost ~]# export HISTSIZE=200       #keep only 200 commands in the shell history
[root@localhost ~]# export TMOUT=600           #log out an idle shell after 600s    

Note that TMOUT counts idle time at the shell prompt, so a long-running foreground compile is not interrupted, but a session left idle in the middle of a task (for example while you consult documentation during a configuration change) will be logged out. Running "unset TMOUT" cancels it in the current shell when necessary. Conversely, if the timeout is meant to be enforced rather than advisory, declare it with "readonly TMOUT" in /etc/profile, after which no user can unset or change it.
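The account and password-aging checks above are easier to keep up with when they are scripted. The following is an added example, not part of the original post: a POSIX shell audit that reads /etc/passwd and /etc/shadow (here constructed sample copies, so it runs without root and without touching the real files), reports system accounts that still have a login shell, usable passwords whose maximum age is unset or exceeds the limit, and accounts that will be forced to change their password at next login, then prints the matching usermod/chage commands for review instead of running them. The UID_MIN cutoff of 1000 and the 30-day limit are assumptions taken from the text.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd/shadow for the
# problems the tips above fix. Point PASSWD_FILE/SHADOW_FILE at the real
# files to audit a live host (reading /etc/shadow requires root).

PASSWD_FILE="$(mktemp)"
SHADOW_FILE="$(mktemp)"
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT

# Constructed sample data in /etc/passwd and /etc/shadow format.
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
lv:x:1000:1000::/home/lv:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
EOF
cat >"$SHADOW_FILE" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
games:!!:19000:0:99999:7:::
postfix:!!:19000:0:99999:7:::
lv:$6$saltsalt$hashhash:19000:0:30:7:::
test:$6$saltsalt$hashhash:0:0:99999:7:::
EOF

# System accounts (UID below UID_MIN, default 1000, root excluded) that still
# have an interactive shell: typical of program accounts left behind after an
# uninstall. Usage: system_accounts_with_shell PASSWD [UID_MIN]
system_accounts_with_shell() {
    awk -F: -v min="${2:-1000}" '
        $3 != 0 && $3 < min && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$1"
}

# Accounts with a usable password (hash does not start with * or !) whose
# maximum password age is unset or exceeds LIMIT days. These are the accounts
# that existed before PASS_MAX_DAYS was changed and still need chage -M.
# Usage: passwords_exceeding_max_days SHADOW LIMIT
passwords_exceeding_max_days() {
    awk -F: -v limit="$2" '
        $2 !~ /^[*!]/ && ($5 == "" || $5 + 0 > limit + 0) { print $1 }
    ' "$1"
}

# Accounts whose last-change day is 0, which is what "chage -d 0" produces:
# the password must be changed at the next login.
# Usage: forced_change_at_login SHADOW
forced_change_at_login() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# Print, but do not run, the fix for each finding so an operator can review it.
# Usage: print_remediation PASSWD SHADOW LIMIT
print_remediation() {
    for u in $(system_accounts_with_shell "$1"); do
        echo "usermod -s /sbin/nologin $u    # or userdel $u if the program is gone"
    done
    for u in $(passwords_exceeding_max_days "$2" "$3"); do
        echo "chage -M $3 $u"
    done
}

echo "== system accounts with a login shell =="
system_accounts_with_shell "$PASSWD_FILE"
echo "== usable passwords with max age over 30 days =="
passwords_exceeding_max_days "$SHADOW_FILE" 30
echo "== forced to change password at next login =="
forced_change_at_login "$SHADOW_FILE"
echo "== suggested fixes (review before running) =="
print_remediation "$PASSWD_FILE" "$SHADOW_FILE" 30
```

On the sample data the audit flags games (a system account with /bin/bash), root and test (usable passwords with a 99999-day maximum), and test again as forced to change at next login; lv, already capped at 30 days with chage -M, is not reported.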

How to control user switching and privilege elevation:

  • Su command – switch users

By default any user may run su, which lets a user try the login password of other accounts (root in particular) over and over, a clear security risk. To avoid this, enable the pam_wheel module so that only a few designated users can switch with su. The procedure is: add the users authorized to use su to the wheel group, then edit the /etc/pam.d/su configuration to enable pam_wheel authentication:

[root@localhost ~]# gpasswd -a admin wheel                  #add user admin to wheel
[root@localhost ~]# grep wheel /etc/group             #confirm wheel members
wheel:x:10:lv,admin
[root@localhost ~]# vim /etc/pam.d/su

#%PAM-1.0
auth            sufficient      pam_rootok.so
                        ...................
auth            required        pam_wheel.so use_uid          #uncomment (or add) this line

At this point only members of the wheel group can use su. Every su attempt, successful or not, is recorded in the security log /var/log/secure, which can be reviewed as needed.
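Since su activity ends up in /var/log/secure, it is worth having a quick way to pull the su attempts out of it. The following is an added example, not part of the original post: a POSIX shell script that parses su result lines ("FAILED SU (to root) user on tty" and its successful "(to root) user on tty" counterpart), counts failures per source user, flags anyone over a threshold as a possible password-guessing attempt against root, and lists users who tried su without being in wheel. The log lines and the group file are constructed samples modelled on what su and pam_unix write to syslog; the exact wording differs between su implementations, so compare against your own /var/log/secure before relying on the pattern. The threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pick su activity out of
# /var/log/secure-style lines and flag users who are hammering su or who
# try it without being in wheel. Against a real host run, as root:
#   parse_su_events /var/log/secure ; su_by_nonwheel /var/log/secure /etc/group

LOG_FILE="$(mktemp)"
GROUP_FILE="$(mktemp)"
trap 'rm -f "$LOG_FILE" "$GROUP_FILE"' EXIT

# Constructed sample lines modelled on what su and pam_unix write to syslog.
cat >"$LOG_FILE" <<'EOF'
Jun 10 09:12:01 localhost su: pam_unix(su-l:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost=  user=root
Jun 10 09:12:01 localhost su: FAILED SU (to root) bob on pts/0
Jun 10 09:12:09 localhost su: FAILED SU (to root) bob on pts/0
Jun 10 09:12:15 localhost su: FAILED SU (to root) bob on pts/0
Jun 10 09:15:30 localhost su: pam_unix(su-l:session): session opened for user root by lv(uid=1000)
Jun 10 09:15:30 localhost su: (to root) lv on pts/1
Jun 10 09:20:02 localhost su: FAILED SU (to root) alice on pts/2
EOF
# Constructed /etc/group excerpt: lv and admin are the only wheel members.
cat >"$GROUP_FILE" <<'EOF'
wheel:x:10:lv,admin
users:x:100:
EOF

# Normalise su's own result lines to "STATUS USER TARGET", one per attempt.
# "FAILED SU (to root) bob on pts/0" -> "FAILED bob root"
# "(to root) lv on pts/1"            -> "OK lv root"
# Usage: parse_su_events LOG
parse_su_events() {
    awk '
        / su(\[[0-9]+\])?: (FAILED SU )?\(to [^)]+\) [^ ]+ on / {
            status = ($0 ~ /FAILED SU/) ? "FAILED" : "OK"
            rest = $0
            sub(/.*\(to /, "", rest)        # "root) bob on pts/0"
            split(rest, p, " ")
            target = p[1]; sub(/\)$/, "", target)
            print status, p[2], target
        }
    ' "$1"
}

# Failed su attempts per source user, sorted by name. Usage: failed_su_counts LOG
failed_su_counts() {
    parse_su_events "$1" | awk '$1 == "FAILED" { n[$2]++ }
        END { for (u in n) print u, n[u] }' | sort
}

# Users with at least THRESHOLD failures: candidates for a password-guessing
# attempt against root. Usage: brute_force_suspects LOG THRESHOLD
brute_force_suspects() {
    failed_su_counts "$1" | awk -v t="$2" '$2 + 0 >= t + 0 { print $1 }'
}

# Users who attempted su (success or failure) without being in wheel. With
# pam_wheel enabled these can only fail, but the attempt itself is worth a look.
# Usage: su_by_nonwheel LOG GROUP
su_by_nonwheel() {
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$2")
    parse_su_events "$1" | awk -v m=",$members," '
        index(m, "," $2 ",") == 0 { seen[$2] = 1 }
        END { for (u in seen) print u }' | sort
}

echo "== su attempts =="
parse_su_events "$LOG_FILE"
echo "== failures per user =="
failed_su_counts "$LOG_FILE"
echo "== 3 or more failures =="
brute_force_suspects "$LOG_FILE" 3
echo "== su attempted by non-wheel users =="
su_by_nonwheel "$LOG_FILE" "$GROUP_FILE"
```

The pam_unix lines are deliberately ignored: su's own "FAILED SU" / "(to root)" lines already carry the source user and target, and matching only those keeps one record per attempt.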

  • Sudo command – raise execution rights

With su you can switch to another user easily, but only if you know that user's login password; to become root you must know the root password. On a production Linux server every additional person who knows the root password adds to the risk. That is the problem sudo was created to solve.

sudo is controlled by authorization entries in the /etc/sudoers configuration file. Edit it with the dedicated visudo tool, which locks the file against concurrent edits and checks the syntax before saving; a syntax error written with a plain editor can leave sudo refusing to run at all. If you do use vi, the file is mode 0440, so you must force the write with ":w!" or the save is refused as read-only. In /etc/sudoers, the basic format of an authorization record is as follows:

User MACHINE=COMMANDS

The three parts mean the following:

User: the username being authorized, or "%groupname" to authorize every member of a group.

MACHINE: the host name on which this rule applies. This part exists so that one sudoers file can be shared among several hosts; sudo compares it with the machine's own hostname, so "localhost" in the examples below only matches because this machine really is named localhost. On a real server use its hostname or ALL.

COMMANDS: the privileged commands the authorized user may run through sudo, each given by absolute path and separated by commas. An optional run-as user in parentheses may appear between "=" and the commands, as in the "(ALL) ALL" form that sudo -l prints; when it is omitted the commands run as root.

If the requirement is that user jerry may run ifconfig, and members of the wheel group may run any command without entering a password, make the following entries (note that NOPASSWD:ALL gives every wheel member a passwordless root shell; drop NOPASSWD unless that is really intended):

[root@localhost ~]# visudo
                      .........................
jerry   localhost=/sbin/ifconfig
%wheel  ALL=NOPASSWD:ALL

When several users share the same authorization, or many commands are authorized, aliases let you define each list once. For example, to allow users user1, user2 and user3 to run rpm and yum on the hosts smtp and pop:

[root@localhost ~]# visudo
                      .........................
User_Alias      OPERATORS=user1,user2,user3                 #define the list of users
Host_Alias      MAILSVRS=smtp,pop                            #define the list of hosts
Cmnd_Alias      PKGTOOLS=/bin/rpm,/usr/bin/yum               #define the list of commands
OPERATORS       MAILSVRS=PKGTOOLS                              #tie the three lists together

The command part of a sudo rule can use the wildcard "*" and the negation symbol "!", which is handy when you want to authorize every command in a directory except a few, and sudo logging can be switched on so that maintenance staff can review what was run. Be aware that the sudoers manual itself warns that "!" exclusions are not a reliable restriction: a user allowed to run the other commands in the directory can usually copy or rename a binary to get around them, so an explicit list of permitted commands is safer. For example, to authorize user zhangsan to run everything in /sbin/ except ifconfig and route, and to enable logging:

[root@localhost ~]# visudo
                      .........................
zhangsan        localhost=/sbin/*,!/sbin/ifconfig,!/sbin/route             #wildcard and negation in use
Defaults logfile = "/var/log/sudo"                     #enable logging
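The visudo advice and the wildcard and negation rules above both come down to the same thing: a sudoers entry should be checked before it goes live. The following is an added example, not part of the original post: a POSIX shell linter that flags the patterns discussed here (NOPASSWD with ALL, "!" exclusions, wildcards in the command spec, and a "localhost" host field that only matches a machine actually named localhost), together with a deploy helper that does for /etc/sudoers.d fragments what visudo does for /etc/sudoers: run visudo -cf first and install read-only (0440) only if the fragment parses. The fragment is a constructed copy of the rules from the text; the drop-in mechanism assumes /etc/sudoers contains the "#includedir /etc/sudoers.d" line that the CentOS default file carries. The install helper needs root and visudo and is defined but not run here.

```shell
#!/bin/sh
# Added example (not from the original post): a small linter for the risky
# sudoers patterns discussed above, plus a deploy helper that syntax-checks a
# /etc/sudoers.d fragment with visudo before installing it read-only.

FRAGMENT="$(mktemp)"
trap 'rm -f "$FRAGMENT"' EXIT

# Constructed fragment reusing the rules from the text.
cat >"$FRAGMENT" <<'EOF'
jerry      localhost=/sbin/ifconfig
%wheel     ALL=NOPASSWD:ALL
zhangsan   localhost=/sbin/*,!/sbin/ifconfig,!/sbin/route
User_Alias OPERATORS=user1,user2,user3
OPERATORS  MAILSVRS=PKGTOOLS
Defaults   logfile = "/var/log/sudo"
EOF

# Report rules that are broader, or weaker, than they look. Only user
# specifications are examined; Defaults and alias definitions are skipped.
# Usage: lint_sudoers FILE
lint_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }
        /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        /NOPASSWD:[ \t]*ALL([ \t,]|$)/ {
            print "WARN line " NR ": NOPASSWD with ALL is a passwordless root shell: " $0 }
        /=.*!/ {
            print "WARN line " NR ": \"!\" exclusions are bypassable (sudoers(5): copy or rename the binary); use an explicit allow-list: " $0 }
        /=.*\*/ {
            print "WARN line " NR ": wildcard in the command spec grants more than the listed binaries: " $0 }
        /^[^=]*[ \t]localhost[ \t]*=/ {
            print "INFO line " NR ": host \"localhost\" only matches a machine whose hostname is localhost; use the real hostname or ALL: " $0 }
    ' "$1"
}

# Install NAME into /etc/sudoers.d only if it parses. sudo ignores drop-in
# files whose name contains "." or ends in "~", so such names are refused up
# front. Requires root and visudo; defined here but not invoked.
# Usage: install_sudoers_fragment NAME FILE
install_sudoers_fragment() {
    name="$1"; src="$2"
    case "$name" in
        *.*|*~) echo "refusing '$name': sudo ignores drop-ins containing '.' or ending in '~'" >&2; return 1 ;;
    esac
    if ! visudo -cf "$src"; then
        echo "syntax check failed, nothing installed" >&2
        return 1
    fi
    install -o root -g root -m 0440 "$src" "/etc/sudoers.d/$name"
}

echo "== lint of the sample fragment =="
lint_sudoers "$FRAGMENT"
```

Run against the sample, the linter produces one warning for the %wheel NOPASSWD:ALL rule, two for the zhangsan rule (the wildcard and the "!" exclusions) and an informational note on each rule that uses localhost as its host; the Defaults and alias lines are left alone. Something like `install_sudoers_fragment 90-operators /tmp/operators` is the intended way to deploy a reviewed fragment.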

Note on the use of the sudo command:

  1. The first time you run a command through sudo you authenticate with your own password, not root's. Further sudo commands within the cache window (5 minutes by default; "Defaults timestamp_timeout" changes it) do not ask again.
  2. To see which sudo authorizations a user holds, run "sudo -l" as that user. If the list shows "(ALL) ALL" for a user who was only meant to run a few commands, the authorization is broader than intended: that user can run every command. If the rules you entered with visudo look right, check whether the user has been added to the wheel group, since the default sudoers grants wheel "ALL=(ALL) ALL" (and, as described above, wheel membership also passes the pam_wheel check for su).

That's the tip I have for today. Let's take a look at other aspects of server security next time!