This is the 22nd day of my participation in Gwen Challenge

I. Identification

1.1 Users who log in should be identified and authenticated. The identification should be unique, and the identification information should be complicated and replaced regularly.

It is recommended that the operating system identify and authenticate users who log in to the operating system. The configuration complexity of identity authentication information requires that the periodic change policy be enabled, and weak passwords must contain at least letters and digits, and contain at least eight characters. The password is valid for a maximum of 90 days and will not be repeated within five times

Rectification plan:

  • 1. Modify the content of the /etc/login.defs file and add it as follows
PASS_MAX_DAYS 90 # Minimum interval between password changes PASS_MIN_DAYS 1 # Minimum password length, Invalid for root PASS_MIN_LEN 8 # PASS_WARN_AGE 7 is displayed 7 days before the password expiresCopy the code
  • 2. Modify the system-auth file vim /etc/pam.d/system-auth as follows:
Password requisite pam_cracklib.so retry=5 difok=3 minlen=10 UCredit =-1 lcredit=-3 dcredit=-3 Dictpath =/usr/share/cracklib/pw_dict # remember=5 No password repeat within 5 attempts # retry=3 Retry 3 times # difok=3 # minlen=10 Indicates that the minimum password length is 10 number of types # Ucredit =-1: the password must contain at least one uppercase letter. # lcredit=-3: the password must contain at least three lowercase letters. # dcredit=-3: the password must contain at least three digitsCopy the code

1.2 It should have the function of handling login failures. It should configure and enable measures such as ending sessions, limiting the number of illegal login times, and automatically logging out when the login connection times out.

    1. Login failed

You are advised to enable the login failure processing function on the OPERATING system. Set the login failure duration for five times and the lockout duration for 30 minutes.

vim /etc/pam.d/system-auth

Auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root root_unlock_time=1800 The password is locked for 1800 seconds for five incorrect attemptsCopy the code
    1. Session expired. Modify /etc/profile

vim /etc/profile

Export TMOUT=1800 source /etc/profileCopy the code

Access control

2.1 Accounts and permissions shall be assigned to logged-in users;

It is recommended that the operating system assign accounts and permissions to login users. Solution: Group System description Function Database The DB is responsible for user services of the database. Server Is responsible for user security of service services and other components. Security Is responsible for system security and logs audit users

The command is as follows:

Cat /etc/group # Delete groupdel xulei # add groupadd db groupadd server groupadd security # check all users cat /etc/passwd Userdel-rf xulei # add user to group db # add user to group DB Add xulei -d /home/users/xulei -n # Change the user group usermod -g db xulei # Change the file attributes. Chown :server can be operated only for members of a certain group /home/server # Change the password passwd xulei user name group password dbuser db Dbuser@2021 secuser security Secuser@2021 serveruser server Serveruser@2021Copy the code

2.2 Modifying the Default Account Information of the root User

Alter user name; 1, vim /etc/passwd replace the first root in the first line with the renamed user. 2, vim /etc/shadow replace the root in the first line with the renamed user Replace the renaming password with SuperAdmin@2021. 3. Security audit 3.1 Enable the security audit function to audit every user and audit important user behaviors and security events. You are advised to enable the security audit function in the OPERATING system to cover all users and audit important user behaviors and security events. Rectification plan: Service auditd start # check whether auditd is enabled. Vim /etc/audit/audit.rules # monitor /etc/my.cnf -w /etc/my.cnf -p wa # -w path # -p permission -w /etc/my.cnf -p wa # -p path # -p permission Always -s umask -s chown # -a always always records audit; None Does not record; Record audit after exit behavior is completed. Entry behavior just starts when recording audit # -S system call name # -F field = value # -k keywordCopy the code

3.2 Audit records shall include the date and time of the event, users, event types, success of the event and other information related to the audit;

You are advised to enable the security audit function in the operating system. Audit records include the date and time of events, users, event types, event success, and other information related to auditing.

Cat /var/log/audit/audit.logCopy the code

3.3 Audit records shall be protected and backed up regularly to avoid unexpected deletion, modification or overwriting;

It is recommended that the operating system enable the security audit function and deploy a log audit system to protect audit records and back up audit records periodically to avoid unexpected deletion, modification, or overwriting.

# Input the following script and add it to timer #! / bin/bash FILE = # log position/var/log/audit/audit log current_time = ` date + % y % m % d ` cat $FILE | while read the LINE do Udate = ` echo $LINE|awk -F'[(.]+' '{print $2}'` #Udate=`echo $LINE|awk -F. '{print $1}' | awk -F'(' '{print $2}'` Cdate=`date -d @$Udate` echo $LINE|sed "s/[0-9]\{10\}/$Cdate/" >> /home/sh/log/audit${current_time}.log doneCopy the code

3.4 The audit process shall be protected against unauthorized interruption.

You are advised to enable the security audit function in the operating system to protect the audit process from unauthorized interruption and limit the audit control rights except for auditors.

Solution: Only the security group can read the output logs. # The authpriv file has restricted access. Authpriv.* /var/log/secure Enable security logs. Log file location /var/log/secure There is no syslog.conf file, only rsyslog.conf. Rsyslog. conf itself has the statement # change group chown :security /var/logCopy the code

Third, intrusion prevention

3.1 Install only required components and applications in accordance with the principle of minimum installation;

You are advised to install only required components and applications for the OPERATING system in accordance with the principle of minimum installation.

Solution: Delete unnecessary applications on each machine according to the deployment plan.

3.2 Disable unnecessary system services, default shares, and high-risk ports.

You are advised to disable unnecessary system services, default shares, and high-risk ports, such as FTP and DHCP

Rectification solution: FTP cannot be closed at present, but files need to be uploaded. If there is any excess, you can shut it down.

Systemctl list-units View snapshots of all services. Backup the snapshots for six months. You can log in to a physical machine and assign the snapshots.

3.3 Setting Login Address Restriction (The setting takes effect with Restart)

You can restrict terminal login by setting terminal access mode and network address range

SSHD :10.10.20.99:allow # Allow this segment to use Telnet to access in.telnetd:192.168.221 /etc/hosts.deny # modify the following SSHD :all:deny example 10.10.20.99 SSH login valid, The priority is first. Check hosts.deny and hosts.allow. If the latter is set, add SSHD :all:deny to hosts.deny. Add allowed IP addresses or IP address segments to hosts. allow SSHD: IP :allow.Copy the code

3.4 High-risk Port Management

Permanently disabled, Yum install iptables-services # yum install iptables-services # yum install iptables-services # yum install iptables-services # yum install iptables [stop | start | restart] # iptables status view service iptables status # # to disable the port to open the file editor vim/etc/sysconfig/iptables # add port access - A is prohibited INPUT -p TCP --dport 445 -j DROP -A INPUT -p TCP --dport 139 -j DROP -A INPUT -p TCP --dport 3389 -j DROP # Check open ports The iptables -nl # -a parameter is considered to add an INPUT or OUTPUT rule. # -p TCP/UDP/DNS/port 53 / DNS/port 53 / udp/DNS/DNS/port 53 -- Dport is the destination port. When data enters the server from outside, it is the destination port. When data enters the server from outside, it is the destination port. -a INPUT -p TCP -s 192.168.1.2 -j DROP -p TCP -s 192.168.1.2 -j DROP -s = 192.168.1.2, -j = 192.168.1.2, -j = 192.168.1.2, -j = 192.168.1.2 /sbin/iptables -a INPUT -p TCP --dport 8080 -j DROP /sbin/iptables -a OUTPUT -p TCP --sport 8080 -j DROP # Allow port /sbin/iptables -a INPUT -p TCP --dport 8080 -j ACCEPT /sbin/iptables -a OUTPUT -p TCP --sport 8080 -j /sbin/iptables -a INPUT -p TCP -s 192.168.200.16 -j DROP # Service iptables save service iptables save Iptables -p INPUT ACCEPT iptables -p FORWARD DROP iptables -p OUTPUT ACCEPT -a INPUT -m state --state RELATED,ESTABLISHED -- J ACCEPT -a INPUT -p icmp -- j ACCEPT -a INPUT -I LO -- j ACCEPT -a INPUT -p TCP -- m state --state NEW -m TCP --dport 22 -- j ACCEPT -a INPUT -j REJECT -- REJECT -with icMP-host-shell-a FORWARD -j REJECT -- REJECT -with Iptables -nl --line-number # Delete iptables -d INPUT 1 -d INPUT specifies whether to delete rule 1 for INPUT If yes, disable firewalld # systemctl status firewalld # systemctl stop firewalld # systemctl disable firewalldCopy the code