1. Secure Computing Environment
1) The database and server are not configured with a password complexity policy.
OS: edit /etc/pam.d/system-auth and check whether the following line exists:
```
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=8
```
MySQL: check the plugin directory, install the validate_password plugin and view its parameters:
```
show variables like 'plugin_dir';
show plugins;
-- install the password plugin
install plugin validate_password soname 'validate_password.so';
-- password policy parameters
show variables like 'validate%';
```
Permanent setting in my.cnf:
```
[mysqld]
plugin-load-add=validate_password.so
# The server loads the plugin at startup and prevents it from being removed while the server is running.
validate-password=FORCE_PLUS_PERMANENT
```
Uninstalling a plugin:
```
uninstall plugin connection_control_failed_login_attempts;
```
It is recommended to configure a password complexity policy (upper- and lower-case letters, numbers and special characters, with a length of no fewer than eight characters) to prevent passwords from being easily cracked.
2) The database and server are not configured with a password validity period policy.
It is recommended to configure a password validity policy for the database with a minimum and a maximum change interval (the maximum should be no more than three months, and the minimum should not be 0 days).
OS: check /etc/login.defs (more /etc/login.defs) and verify that the following parameter values meet the requirements:
```
PASS_MAX_DAYS 90    # a password may be used for at most 90 days
PASS_MIN_DAYS 10    # a password may be changed again only after 10 days
PASS_WARN_AGE 7     # users are warned 7 days before the password expires
```
These defaults apply to newly created users; existing accounts keep their current ageing values (adjust them with chage).
MySQL:
```
alter user 'root'@'%' password expire interval 90 days;
```
3) Servers and databases are not configured with login failure handling and connection timeout automatic exit policies.
It is recommended to configure a login-failure handling policy to prevent malicious actors from brute-forcing account passwords, and a connection-timeout policy to reduce the risk of unauthorized access to the device.
OS: edit /etc/pam.d/system-auth and add:
```
# pam_tally2 has been replaced by pam_faillock on newer distributions; the deny/unlock_time options are analogous.
auth required pam_tally2.so deny=5 onerr=fail no_magic_root unlock_time=180
```
MySQL: install the login-error limit plugins and set the policy:
```
-- the plugin that delays connections after repeated failures
install plugin connection_control soname 'connection_control.so';
-- the plugin that records the number of failures in a table
install plugin connection_control_failed_login_attempts soname 'connection_control.so';
-- set the policy
set global connection_control_failed_connections_threshold = 5;
set global connection_control_max_connection_delay = 1800000;
set global connection_control_min_connection_delay = 1800000;
```
Permanent setting in my.cnf:
```
[mysqld]
plugin-load-add=connection_control.so
connection-control=FORCE
connection-control-failed-login-attempts=FORCE
connection_control_min_connection_delay=1000
connection_control_max_connection_delay=86400
connection_control_failed_connections_threshold=3
```
4) There is a shared account on the server.
It is recommended to create different accounts for each administrator to ensure that different administrators use different accounts for management.
Create a separate new account for each administrator.
5) All operation and maintenance personnel log in to the server through a single account, and there is no restriction on the use of the su and sudo commands.
It is recommended to have a full-time security administrator who configures access control policies, stipulates access rules for subjects to objects, and strictly restricts the use of su and sudo commands.
```
# Be sure to confirm (with a test account first) that the user added to the wheel group can still log in;
# otherwise that user cannot su to root remotely.
usermod -aG wheel sysadmin    # -a appends; without it the user's other supplementary groups are replaced
# then, in /etc/pam.d/su, restrict su to members of wheel:
auth required pam_wheel.so use_uid
```
6) The server has not closed port 80.
It is recommended to close unnecessary ports.
Change the external port.
7) The server is only set up with a system administrator account, but no security administrator, audit administrator and other accounts are set up, and the authority separation of management users has not been realized.
It is recommended to establish security officer and auditor accounts, and set the permissions of each account according to business needs to minimize management permissions.
Create the three accounts:
```
# system administrator
useradd sysadmin
passwd sysadmin
# security administrator
useradd secadmin
passwd secadmin
# audit administrator
useradd auditadmin
passwd auditadmin
```
Then grant each account its own command set with visudo:
```
# System administrator
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
# sudoers matches listed arguments exactly, so a trailing * is needed for a unit name to follow
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl reload *, /usr/bin/systemctl restart *, /usr/bin/systemctl status *, /usr/bin/systemctl enable *, /usr/bin/systemctl disable *
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
sysadmin ALL=(root) SOFTWARE, SERVICES, STORAGE

# Security administrator
# note: visudo, chown and chmod run as root amount to full root access, so this set belongs only to a trusted account
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
secadmin ALL=(root) DELEGATING, PROCESSES, NETWORKING

# Audit administrator
auditadmin ALL=(root) NOPASSWD:/usr/sbin/aureport, NOPASSWD:/usr/sbin/autrace, NOPASSWD:/usr/sbin/ausearch, NOPASSWD:/usr/sbin/audispd, NOPASSWD:/usr/sbin/auditctl
```
8) The server does not guarantee that the storage space containing sensitive data is completely cleared before being released or reallocated. (high risk)
It is recommended to ensure that storage space containing sensitive data is completely cleared before being released or reallocated (for the shell history, the history command should not reveal previously entered commands).
```
sed -ri "s/HISTSIZE=(.*)/HISTSIZE=0/g" /etc/profile
# or edit /etc/profile by hand and set
HISTSIZE=0
source /etc/profile
# HISTFILESIZE: number of commands kept in the .bash_history file
# HISTSIZE: number of commands shown by the history command
# As root, add the following line to /etc/skel/.bash_logout:
rm -f $HOME/.bash_history
```
9) Mandatory access control based on sensitivity labels is not enabled.
It is recommended to enable SELinux (check with sestatus) in Enforcing mode.
Enabling it is not recommended in practice.
10) The access rights of server root are not restricted.
It is recommended to configure PermitRootLogin as no.
```
# After adding an ordinary (non-root) account:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i '30 a PermitRootLogin no' /etc/ssh/sshd_config   # inserts the line after line 30
# sshd uses the first uncommented PermitRootLogin value it reads, so make sure no earlier uncommented line sets it to yes
systemctl restart sshd
```
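As an added example (not part of the original post), here is a small POSIX shell checker for three of the settings above: password ageing in /etc/login.defs (point 2), the pam_tally2/pam_faillock lockout line (point 3) and PermitRootLogin (point 10). It runs against constructed sample files in a directory of your choosing; the function names and the file names login.defs, sshd_config and system-auth are my own assumptions.

```shell
# Added example: offline compliance checks over constructed sample files, not a live host.
# PASS_MAX_DAYS must be 1..90, PASS_MIN_DAYS at least 1 (not 0), PASS_WARN_AGE at least 7.
check_login_defs() {
  max=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v+0}' "$1")
  min=$(awk '$1=="PASS_MIN_DAYS"{v=$2} END{print v+0}' "$1")
  warn=$(awk '$1=="PASS_WARN_AGE"{v=$2} END{print v+0}' "$1")
  [ "$max" -ge 1 ] && [ "$max" -le 90 ] && [ "$min" -ge 1 ] && [ "$warn" -ge 7 ]
}
# sshd uses the FIRST uncommented PermitRootLogin it reads, so a line appended
# later in the file does not override an earlier "yes"; check the first one.
check_sshd() {
  v=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$1")
  [ "$v" = "no" ]
}
# An auth line for pam_tally2 (or its successor pam_faillock) with deny=1..5 and an unlock_time.
check_pam_lockout() {
  awk '$1=="auth" && $3 ~ /^pam_(tally2|faillock)\.so$/ {
         deny=0; unlock=0
         for (i=4; i<=NF; i++) {
           split($i, kv, "=")
           if (kv[1]=="deny") deny=kv[2]+0
           if (kv[1]=="unlock_time") unlock=kv[2]+0
         }
         if (deny>=1 && deny<=5 && unlock>0) ok=1
       }
       END { exit (ok ? 0 : 1) }' "$1"
}
# Run all checks on the files in directory $1; prints a verdict per file, returns 1 if any fails.
run_checks() {
  rc=0
  check_login_defs "$1/login.defs" && echo "login.defs: ok" || { echo "login.defs: FAIL"; rc=1; }
  check_sshd "$1/sshd_config" && echo "sshd_config: ok" || { echo "sshd_config: FAIL"; rc=1; }
  check_pam_lockout "$1/system-auth" && echo "system-auth: ok" || { echo "system-auth: FAIL"; rc=1; }
  return $rc
}
# Constructed samples: $1 gets hardened files, $2 gets files with the findings still present.
make_samples() {
  mkdir -p "$1" "$2"
  printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 10\nPASS_WARN_AGE 7\n' > "$1/login.defs"
  printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$1/sshd_config"
  printf 'auth required pam_tally2.so deny=5 onerr=fail no_magic_root unlock_time=180\n' > "$1/system-auth"
  printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_WARN_AGE 7\n' > "$2/login.defs"
  printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$2/sshd_config"
  printf 'auth required pam_unix.so\n' > "$2/system-auth"
}
```

To use it on a real host, point run_checks at a directory holding copies of the three files.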
11) The database has not enabled the security audit behavior, so the behavior cannot be monitored. (high risk)
It is recommended to enable the security audit of the database, audit the operation behavior, protect the logs, make regular backups, and save them for more than 6 months.
MySQL:
```
show variables like 'general%';      -- check whether the general log is enabled
show variables like 'log_output';    -- log output type: table or file
set global general_log=on;           -- turn on the general log
set global general_log_file='tmp/general.log';   -- log file location (a relative path is under the data directory)
set global log_output='file';        -- write the log to a file
```
Permanent setting in my.cnf:
```
[mysqld]
general-log=1
```
Log rotation, using logrotate to produce one compressed log per day:
```
cp support-files/mysql-log-rotate /etc/logrotate.d/
vim /etc/logrotate.d/mysql-log-rotate
chmod 644 /etc/logrotate.d/mysql-log-rotate
logrotate -f /etc/logrotate.conf
```
12) The database has no separate network administrator or security administrator accounts.
It is recommended to configure network administrators, security administrators and system administrators, and assign corresponding permissions.
In MySQL, network administrators and security administrators can be set up by creating different users and roles.

1. Create a network administrator user. A user with network administrator privileges can be created with the following commands:
```
CREATE USER 'netadmin'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'netadmin'@'localhost';
```
This creates a user called "netadmin" and grants it permission to perform any operation on all databases and tables.

2. Create a security administrator user. A user with security administrator privileges can be created with the following commands:
```
CREATE USER 'secadmin'@'localhost' IDENTIFIED BY 'password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mysql.* TO 'secadmin'@'localhost';
```
This creates a user called "secadmin" and grants it SELECT, INSERT, UPDATE and DELETE on the MySQL system database.

3. Create roles. In addition to creating users, roles can be created to hold the permissions (roles are available from MySQL 8.0). A role named "netadmin_role" with permission to perform any operation on all databases and tables is created with:
```
CREATE ROLE 'netadmin_role';
GRANT ALL PRIVILEGES ON *.* TO 'netadmin_role';
```
Then the "netadmin" user is added to the "netadmin_role" role:
```
GRANT 'netadmin_role' TO 'netadmin'@'localhost';
```
The "netadmin" user now inherits all privileges of "netadmin_role". Similarly, a role named "secadmin_role" with SELECT, INSERT, UPDATE and DELETE on the MySQL system database is created with:
```
CREATE ROLE 'secadmin_role';
GRANT SELECT, INSERT, UPDATE, DELETE ON mysql.* TO 'secadmin_role';
```
Then the "secadmin" user is added to the "secadmin_role" role:
```
GRANT 'secadmin_role' TO 'secadmin'@'localhost';
```
The "secadmin" user now inherits all permissions of "secadmin_role".
13) Anti-DDOS is not enabled
It is recommended to enable anti-DDOS
A DDoS attack is a type of cyber attack that aims to stop a target server from working by flooding it with traffic. To protect a Linux server from DDoS attacks, the following measures can be taken:
1. Install DDoS protection software: tools such as ModSecurity, Fail2ban and DDoS Deflate can help mitigate DDoS attacks.
2. Configure the firewall: use iptables or firewalld to limit traffic from specific IP addresses or ports, reducing the impact of an attack.
3. Use a CDN: a content delivery network distributes traffic across multiple servers, reducing the load on any single server.
4. Limit the number of connections: capping the number of connections per IP address reduces the impact of an attack.
5. Use a reverse proxy: a reverse proxy can spread traffic across multiple servers, reducing the load on each.
6. Update software and patches: apply updates to the server promptly to reduce the risk of attack.
7. Use a cloud firewall: monitor and filter traffic in the cloud to shield the servers from DDoS attacks.