23 CentOS Server Security Hardening Tips - Part 2


Continuing the previous tutorial on how to secure and harden a CentOS server, this article covers a further set of security recommendations, listed below.

  1. 20 CentOS Server Security Hardening Tips - Part 1

21. Disable Useless SUID and SGID Commands

If the setuid or setgid bit is set on a binary, that program runs with the rights of the file's owner or group rather than those of the user who launched it. On root-owned binaries that means root privileges, which can expose serious security issues.

Buffer-overflow attacks often target exactly such executables, because exploiting them runs attacker-supplied code with root privileges. List every setuid and setgid file on the system with the command below (the /proc tree is pruned because its entries are not real files):

# find /  -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

To clear the setuid bit, run:

# chmod u-s /path/to/binary_file

To clear the setgid bit, run:

# chmod g-s /path/to/binary_file

Before clearing a bit, check that the program does not need it: passwd, sudo, su and mount, for instance, depend on setuid, and removing it breaks the tool for unprivileged users. Keep a copy of the list as a baseline and repeat the search periodically, so that a setuid file that appears later stands out.

22. Check for Unowned Files

Files or directories that are not owned by a valid account (typically left behind when a user or a package is removed) must be deleted or reassigned to a user and group that exist.

Issue the find command below to list files and directories with no owner or no group. The two tests must be grouped in parentheses; without them -exec would apply to the -nogroup branch only and the -nouser matches would not be printed:

# find / -path /proc -prune -o \( -nouser -o -nogroup \) -exec ls -l {} \;

23. List World-Writable Files

Keeping world-writable files on the system is dangerous because any user can modify them, which is an easy path to privilege escalation when such a file is a script or a configuration file read by a privileged process. Run the command below to display world-writable files, excluding symlinks, which always carry mode 777. World-writable directories such as /tmp that also have the sticky bit set are expected and can be ignored.

# find / -path /proc -prune -o -perm -2 ! -type l -ls
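The three searches of tips 21 to 23 are more useful as one repeatable audit with a baseline, so that a setuid file that appears between two runs is reported on its own. The script below is an added example, not part of the original article; the pruned pseudo-filesystem paths, the exclusion of sticky directories, and the baseline file location are assumptions.

```shell
#!/bin/sh
# fsaudit.sh: SUID/SGID, unowned and world-writable file audit (added example).
# Usage: sh fsaudit.sh [ROOT]    or    . ./fsaudit.sh; suid_sgid_new_since BASELINE /
export LC_ALL=C   # byte-wise sort, so the output stays diffable with comm(1)

# Run find below $1 with the remaining arguments as the match expression, skipping
# pseudo filesystems (assumed list; their entries are not real files).
pruned_find() {
    root=$1; shift
    find "$root" \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
         -o "$@" -print 2>/dev/null | sort
}

# Regular files with the setuid or setgid bit (tip 21).
find_suid_sgid() {
    pruned_find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Entries whose owner or group no longer exists (tip 22).
find_unowned() {
    pruned_find "$1" \( -nouser -o -nogroup \)
}

# World-writable entries (tip 23). Symlinks always show mode 777 and sticky
# directories such as /tmp are world-writable by design, so both are skipped.
find_world_writable() {
    pruned_find "$1" -perm -0002 ! -type l ! \( -type d -perm -1000 \)
}

# Print SUID/SGID files present under $2 that are absent from the baseline $1
# (one absolute path per line, sorted exactly as find_suid_sgid prints them).
suid_sgid_new_since() {
    find_suid_sgid "$2" | comm -13 "$1" -
}

# Record the current SUID/SGID set as the baseline for the next run.
suid_sgid_save_baseline() {
    find_suid_sgid "$2" > "$1"
}

main() {
    root=${1:-/}
    echo "== SUID/SGID files under $root";   find_suid_sgid "$root"
    echo "== unowned files under $root";     find_unowned "$root"
    echo "== world-writable under $root";    find_world_writable "$root"
}

# Only run the full report when a root is given, so the file can also be
# sourced for its functions (for example from a cron job that diffs baselines).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Save the baseline once on a freshly installed, patched host (`suid_sgid_save_baseline /var/lib/fsaudit/suid.baseline /`, path assumed) and have cron run `suid_sgid_new_since` against it; package updates legitimately add setuid files, so review rather than delete whatever shows up.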

24. Create Strong Passwords

Use passwords of at least eight characters that mix digits, special characters, and upper- and lower-case letters. pwmake (from the libpwquality package) generates a random password with the requested number of bits of entropy, reading its randomness from /dev/urandom; 128 bits is a sensible choice:

# pwmake 128

25. Apply a Strong Password Policy

Make the system reject weak passwords by enabling the pam_pwquality module in the /etc/pam.d/passwd file with the line below. On CentOS 7 the module is normally already enabled in /etc/pam.d/system-auth, which /etc/pam.d/passwd includes, so check with grep before adding a duplicate line.

password required pam_pwquality.so retry=3

This line makes passwd consult the rules in /etc/security/pwquality.conf and gives the user three attempts to choose an acceptable password. The rules themselves live in that file.

To require passwords of at least 8 characters that use all four character classes (lower case, upper case, digits, other), and to reject long monotonic sequences and runs of identical characters, add the following lines to /etc/security/pwquality.conf:

minlen = 8
minclass = 4
maxsequence = 3
maxrepeat = 3

With these values a password may not contain more than 3 characters in a monotonic sequence, such as abcd, nor more than 3 identical consecutive characters, such as 1111. Note that root is not subject to these checks when it sets a password unless the module is given the enforce_for_root option.
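To see what the four limits actually accept and reject before rolling them out, the script below re-implements them in plain awk. It is an added example, not code from the original article or from libpwquality: real enforcement is done by pam_pwquality, whose other checks (dictionary words, similarity to the old password, and so on) are not reproduced here.

```shell
#!/bin/sh
# pwcheck.sh: stand-alone model of minlen/minclass/maxsequence/maxrepeat from
# /etc/security/pwquality.conf (added example, not pam_pwquality itself).

# check_password PASSWORD MINLEN MINCLASS MAXSEQUENCE MAXREPEAT
# Prints the first violated rule (or "ok") and returns 0 only when all rules pass.
# The password is passed through the environment so backslashes survive intact.
check_password() {
    LC_ALL=C PW="$1" awk -v minlen="$2" -v minclass="$3" -v maxseq="$4" -v maxrep="$5" '
    BEGIN {
        for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i   # printable ASCII codes
        pw = ENVIRON["PW"]; n = length(pw)
        if (n < minlen) { printf "too short: %d < %d\n", n, minlen; exit 1 }

        # Character classes as pam_pwquality counts them: lower, upper, digit, other.
        lower = upper = digit = other = 0
        for (i = 1; i <= n; i++) {
            c = substr(pw, i, 1)
            if      (c ~ /[a-z]/) lower = 1
            else if (c ~ /[A-Z]/) upper = 1
            else if (c ~ /[0-9]/) digit = 1
            else                  other = 1
        }
        classes = lower + upper + digit + other
        if (classes < minclass) { printf "too few character classes: %d < %d\n", classes, minclass; exit 1 }

        # Longest run of identical characters (1111) and longest monotonic sequence
        # (abcd, 4321): adjacent codes differing by exactly 1 in a constant direction.
        rep = 1; maxrep_seen = 1; seq = 1; maxseq_seen = 1; dir = 0
        for (i = 2; i <= n; i++) {
            c = substr(pw, i, 1); p = substr(pw, i - 1, 1)
            rep = (c == p) ? rep + 1 : 1
            if (rep > maxrep_seen) maxrep_seen = rep
            d = ord[c] - ord[p]
            if (d == 1 || d == -1) { seq = (seq > 1 && d == dir) ? seq + 1 : 2; dir = d }
            else seq = 1
            if (seq > maxseq_seen) maxseq_seen = seq
        }
        if (maxseq > 0 && maxseq_seen > maxseq) { printf "monotonic sequence of %d > %d\n", maxseq_seen, maxseq; exit 1 }
        if (maxrep > 0 && maxrep_seen > maxrep)  { printf "%d repeated characters > %d\n", maxrep_seen, maxrep; exit 1 }
        print "ok"
    }'
}

# Example (constructed candidates): with minlen=8 minclass=4 maxsequence=3 maxrepeat=3,
# "Zq7!wLm2#p" passes, "Abcd1234!" fails on the 1234 run, "Aaaa1111!" on the 1111 run.
```

A value of 0 for maxsequence or maxrepeat disables that check, exactly as in pwquality.conf. On a host where libpwquality is installed, `pwscore` applies the real configuration to a password read from standard input and is the tool to confirm a policy with.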

26. Use Password Aging

The chage command controls password aging. To make a user's password expire 45 days after it was last changed, run:

# chage -M 45 username

To disable password expiry for an account, run:

# chage -M -1 username

To force an immediate password change (the user must set a new password at the next login), run:

# chage -d 0 username

chage only affects existing accounts; the defaults applied to accounts created later come from PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs. Review the current settings of an account with chage -l username.

27. Lock Accounts

A user account can be locked with either the passwd or the usermod command:

# passwd -l username
# usermod -L username

Both prefix the password hash in /etc/shadow with one or more exclamation marks, so the stored password no longer matches anything. To unlock the account, use the -u option of passwd or the -U option of usermod. Locking the password does not block logins that bypass it, such as SSH public-key authentication; to stop those as well, also give the account a non-interactive shell (next tip) or expire it with chage -E 0.

28. Prevent Accounts From Accessing a Shell

To prevent system accounts (regular or service accounts) from obtaining a bash shell, change their login shell in /etc/passwd to /sbin/nologin (/usr/sbin/nologin is the same file on CentOS 7, where /sbin is a symlink to /usr/sbin) or /bin/false with the command below:

# usermod -s /bin/false username

To set the shell while creating a new user, issue:

# useradd -s /usr/sbin/nologin username
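Tips 26 to 28 each describe a setting; what an auditor wants is the list of accounts that violate them. The script below reads copies of /etc/passwd and /etc/shadow and reports accounts with non-expiring passwords, empty passwords, and system accounts that still have a login shell. It is an added example, not from the original article; the file paths and the day counter are parameters so the checks can be run offline on files copied from a host, and the sample entries in the usage are constructed.

```shell
#!/bin/sh
# account_audit.sh: offline checks for tips 26 to 28 (added example).
# Usage: . ./account_audit.sh; list_non_expiring /etc/shadow

# Accounts whose password never expires: a usable hash (not locked with '!' and
# not disabled with '*') with an empty or 99999 max-days field (what chage -M -1 sets).
list_non_expiring() {   # $1 = shadow file
    awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Accounts with an empty password field: anyone can log in without a password.
list_empty_passwords() { # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# State of one account from its shadow entry. $3 (days since the epoch, default
# today) lets the expiry check be run against a fixed date.
# Prints one of: locked | empty | nopassword | expired | active
account_state() {       # $1 = shadow file, $2 = user, [$3 = today in days]
    today=${3:-$(( $(date +%s) / 86400 ))}
    awk -F: -v u="$2" -v today="$today" '
        $1 == u {
            if ($2 ~ /^!/)                                      print "locked"
            else if ($2 == "")                                  print "empty"
            else if ($2 == "*")                                 print "nopassword"
            else if ($5 != "" && $5 < 99999 && $3 + $5 < today) print "expired"
            else                                                print "active"
            exit
        }' "$1"
}

# System accounts (UID below 1000, the CentOS 7 UID_MIN) that still have a login
# shell (tip 28). root is skipped; review the rest and switch them to nologin.
list_system_accounts_with_shell() {   # $1 = passwd file
    awk -F: '$3 + 0 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}
```

Run it as root (only root can read /etc/shadow) or against copies collected from several hosts. `account_state` reports a password as expired when last-change day plus max-days lies in the past, which is also what `chage -d 0` produces, so those accounts show up as expired until the user logs in and changes the password.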

29. Lock a User Virtual Console With vlock

vlock is a program used to lock one or more sessions on the Linux console. Install it and lock the current terminal session with the commands below; the terminal is released only after the user's (or root's) password is entered:

# yum install vlock
# vlock

30. Use a Centralized System to Manage Accounts and Authentication

A centralized authentication system greatly simplifies account management and control. Services that provide this kind of account management include IPA Server, LDAP, Kerberos, Microsoft Active Directory, NIS, Samba ADS and Winbind.

Some of these services are highly secure by default, using cryptographic protocols and symmetric-key cryptography, as Kerberos does. Prefer those over NIS, which transmits account data without authentication or encryption.

31. Force Read-Only Mounting of USB Media

With the blockdev utility you can force all removable media to be accessed read-only. For example, create a new udev rules file named 80-readonly-usb.rules in the /etc/udev/rules.d/ directory with the following content:

SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev --setro %N"

Then load the new rule with the command below (note the double dash). The rule applies to devices plugged in from now on; media already attached is not affected until it is removed and reinserted.

# udevadm control --reload

32. Disable Root Login via TTY

To prevent the root account from logging in on any console device (TTY), empty the /etc/securetty file, which pam_securetty consults, by typing the following in a terminal as root (the backup lets you restore console access later):

# cp /etc/securetty /etc/securetty.bak
# cat /dev/null > /etc/securetty

Make sure an unprivileged account with sudo rights exists before doing this, otherwise the machine can no longer be administered from the console without rescue media.
Keep in mind that this restriction does not apply to SSH sessions. To prevent root login via SSH, edit the /etc/ssh/sshd_config file, add the line below, and restart the sshd service:

PermitRootLogin no

33. Use POSIX ACLs to Extend System Permissions

Access Control Lists can define access rights for more than a single owner and group and can grant fine-grained rights on files and directories. An ACL set on a directory with plain setfacl -m applies to the directory itself only; entries are passed on to files and subdirectories created later only when they are set as a default ACL (the -d option of setfacl), and never retroactively. Content that already exists must be changed explicitly with the recursive -R option.

For example, grant a single user read and write access to a file and then show the resulting ACL:

# setfacl -m u:user:rw file
# getfacl file
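The difference between an access ACL and a default ACL is the usual source of "I gave them access but they cannot write the new files" tickets. The script below, an added example not from the original article, grants a user a directory both ways and reads back what new files actually inherit; the user name and paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# acl_share.sh: grant a user a directory now and for everything created in it
# later, and inspect the result (added example).

# Access ACL alone (setfacl -m) covers only the directory itself; the default
# ACL (setfacl -d -m) is what new files and subdirectories copy at creation time.
grant_dir_to_user() {   # $1 = directory, $2 = user
    setfacl -m "u:$2:rwx" "$1" &&
    setfacl -d -m "u:$2:rwx" "$1"
}

# Same grant, but also for content that already exists: named entries on every
# file (X = execute only where something is already executable) and default
# entries on every directory below.
grant_tree_to_user() {  # $1 = directory, $2 = user
    setfacl -R -m "u:$2:rwX" "$1" &&
    find "$1" -type d -exec setfacl -d -m "u:$2:rwx" {} +
}

# Permissions of USER's named entry on a path as stored in the ACL (e.g. "rwx"),
# empty if there is none. getfacl appends "#effective:..." when the mask narrows
# an entry; that annotation is stripped so the inherited entry itself is shown.
acl_perms() {           # $1 = path, $2 = user
    getfacl --omit-header -p "$1" 2>/dev/null |
    awk -F: -v u="$2" '$1 == "user" && $2 == u { sub(/[ \t].*/, "", $3); print $3; exit }'
}
```

Two caveats worth knowing: the effective rights of an inherited entry are still limited by the mask, which for a new file is derived from its creation mode (so a file created 0644 yields an effective rw- even though the entry says rwx), and tools that copy or restore files without the -p/--acls switch silently drop ACLs.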

34. Set SELinux to Enforcing Mode

The SELinux enhancement to the Linux kernel implements a Mandatory Access Control (MAC) policy, which lets administrators define a security policy that grants granular permissions to all users, programs, processes, files, and devices.

The kernel's access-control decisions are based on the full security context of the subject and the object, not only on the identity of the authenticated user.

To display the current SELinux mode, switch it to enforcing, and view the overall status, run the commands below:

# getenforce
# setenforce 1
# sestatus

setenforce changes only the running mode. To make enforcing mode survive a reboot, set SELINUX=enforcing in /etc/selinux/config. Never leave that file at SELINUX=disabled, because files created while SELinux is disabled get no labels and turning it back on then requires a full filesystem relabel.

35. Install Additional SELinux Utilities

Install the policycoreutils-python package, which provides additional Python tools for managing SELinux: audit2allow, audit2why, chcat, and semanage.

To display all boolean values with a short description, use the following command:

# semanage boolean -l

For example, to display the value of httpd_enable_ftp_server, run the command below:

# getsebool httpd_enable_ftp_server

To make a boolean value persist across reboots, add the -P option when setting it, as illustrated in the following example:

# setsebool -P httpd_enable_ftp_server on

36. Use a Centralized Log Server

Configure the rsyslog daemon to send the log messages of important services to a central log server. Also monitor the log files with the help of the logwatch utility.

Sending log messages to a remote server ensures that once a system has been compromised, the attacker cannot completely hide their activity: a trace always remains in the remote log files, provided forwarding was in place before the compromise and the collector itself is hardened.
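The forwarding side of that setup is a single rsyslog drop-in, but the detail that matters is the queue: without it, messages generated while the collector is unreachable are lost, which is exactly the window an attacker creates by cutting the connection. The script below writes such a drop-in; it is an added example, not from the original article, and the host name, port and output path are assumptions supplied by the caller.

```shell
#!/bin/sh
# rsyslog_forward.sh: generate a drop-in that forwards all messages to a central
# collector over TCP with a disk-assisted queue (added example).

# write_rsyslog_forward OUTFILE LOGHOST [PORT]
write_rsyslog_forward() {
    out=$1; host=$2; port=${3:-514}
    cat > "$out" <<EOF
# Forward everything to ${host}. The queue settings keep messages on the local
# disk (under \$WorkDirectory, /var/lib/rsyslog on CentOS 7) while the collector
# is unreachable, instead of dropping them.
\$ActionQueueType LinkedList
\$ActionQueueFileName fwd_${host}
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
*.* @@${host}:${port}
EOF
}

# Report the host:port a drop-in forwards to (empty if it forwards nothing).
# "@@" selects TCP; a single "@" would be UDP, which silently loses messages.
rsyslog_forward_target() {   # $1 = config file
    sed -n 's/^\*\.\* @@//p' "$1"
}
```

Write the file to /etc/rsyslog.d/90-remote.conf (name assumed), check the whole configuration with `rsyslogd -N1`, then restart rsyslog and open the port on the collector's firewall. Plain TCP is unencrypted and unauthenticated; on anything but a trusted management network, wrap it in rsyslog's TLS transport or send it across the VPN from tip 39.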

37. Enable Process Accounting

Enable process accounting by installing the psacct package and enabling and starting its service (systemctl enable psacct, then systemctl start psacct). Afterwards, lastcomm shows information about previously executed commands as recorded in the system accounting file, and sa summarizes that information per user and per command. Accounting is independent of shell history, so it also records commands a user tried to hide.

38. Hardening /etc/sysctl.conf

Use the kernel parameters below to protect the system; set them in /etc/sysctl.conf (or in a file under /etc/sysctl.d/) and load them with sysctl -p. Disabling IPv6 entirely is appropriate only if nothing on the host needs it; otherwise keep it enabled and apply the IPv6 equivalents of the IPv4 settings instead.

net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Disable accepting and sending ICMP redirect packets unless specifically required, and enable reverse-path filtering (1 is strict mode; 2, used below, is loose mode for hosts with asymmetric routing):

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=2

Ignore all ICMP echo requests (set the value to 1 to enable this; the default 0 shown here still answers ping):

net.ipv4.icmp_echo_ignore_all = 0
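Values written to /etc/sysctl.conf are only a wish until sysctl -p has run, and another file under /etc/sysctl.d/ or a network daemon can override them afterwards, so the check that matters is what the kernel currently runs. The script below compares a desired baseline (the settings above in key=value form) with the output of sysctl -a; it is an added example, not from the original article, and the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# sysctl_drift.sh: compare a desired sysctl baseline with the values a host really
# runs (added example). Both inputs are files, so a `sysctl -a` dump copied from
# another machine can be audited offline.

# sysctl_drift DESIRED_FILE CURRENT_FILE
# Prints one line per deviation: "<key> want <v> got <v>" or "<key> missing".
# Blank lines and '#' comments are ignored; whitespace around '=' is tolerated, so
# "key=0" (sysctl.conf style) and "key = 0" (sysctl -a style) parse the same.
sysctl_drift() {
    awk -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        pass != 2 { cur[trim($1)] = trim($2); next }        # first file: live values
        {                                                  # second file: baseline
            k = trim($1); v = trim($2)
            if (!(k in cur))      print k, "missing"
            else if (cur[k] != v) print k, "want", v, "got", cur[k]
        }' "$2" pass=2 "$1"
}

# Snapshot the running kernel and compare it with the baseline in one step.
sysctl_drift_live() {   # $1 = desired file
    snap=$(mktemp) || return 1
    sysctl -a 2>/dev/null > "$snap"
    sysctl_drift "$1" "$snap"
    rm -f "$snap"
}
```

Run `sysctl_drift_live /etc/sysctl.d/99-hardening.conf` (path assumed) as root after loading the file; any output means the file was not applied or something applied later overrode it. A "missing" key on a host with IPv6 disabled in the kernel command line is expected, since the net.ipv6 tree does not exist there.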

39. Use a VPN to Reach Your Premises Over Insecure Public Networks

Always use a VPN service for road warriors who need to reach LAN resources over the Internet. Such a service can be set up with a free, open-source VPN package from the EPEL repositories.

40. Perform External System Scans

Assess your system for vulnerabilities by scanning it from remote locations on your LAN using specific tools such as:

  1. Nmap – network scanner
  2. Nessus – security scanner
  3. OpenVAS – vulnerability scanning and vulnerability management
  4. Nikto – web server and CGI vulnerability scanner

Scan from the vantage points an attacker would have and compare the open ports reported with the services you believe are running; anything unexpected is either a forgotten service or a gap in the firewall.

41. Internal System Protection

Use internal protection against viruses, rootkits and malware and, as a good practice, install an intrusion detection system that can detect unauthorized activity (DDoS attacks, port scans), such as:

  1. AIDE – Advanced Intrusion Detection Environment - http://aide.sourceforge.net/
  2. ClamAV – antivirus scanner https://www.clamav.net
  3. Rkhunter – rootkit scanner
  4. Lynis – security auditing and scanning tool for Linux
  5. Tripwire – security and data integrity http://www.tripwire.com/
  6. Fail2Ban – network intrusion prevention
  7. OSSEC – host-based intrusion detection system (HIDS) http://ossec.github.io/
  8. Mod_Security – protection against brute-force or DDoS attacks

42. Modify User Environment Variables

Add date and time stamps to the stored command history by issuing the command below. This and the two commands that follow append to the .bashrc in the current directory, so run them from the home directory of the account being configured, or give the full path ~/.bashrc instead:

# echo 'HISTTIMEFORMAT="%d/%m/%y  %T  "' >> .bashrc

Force the history file to be written immediately after every command (instead of only on logout), so that a session that is killed still leaves a trace:

# echo 'PROMPT_COMMAND="history -a"' >> .bashrc

Limit the length of idle login sessions. The shell is closed automatically when no activity occurs for the given number of seconds; this is very useful for disconnecting idle SSH sessions automatically.

# echo 'TMOUT=120' >> .bashrc

Apply all the settings to the current shell by sourcing the file:

# source .bashrc

Since users can edit their own .bashrc, these settings are a convenience for the administrator rather than an enforced control; to apply them to every account, put them in a file under /etc/profile.d/ and mark TMOUT read-only there.
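The same three settings as a system-wide fragment, intended for /etc/profile.d/hardening.sh, are shown below as an added example (not from the original article). The file name and the 900-second timeout are assumptions; the point of the fragment is that it is sourced by every login shell and that TMOUT is marked read-only, so a user's own rc files cannot unset it.

```shell
# hardening.sh: system-wide login-shell policy for /etc/profile.d/ (added example).

# Timestamp each history entry and flush it after every command, so a session
# that is killed rather than logged out still leaves a record (bash only; other
# shells ignore PROMPT_COMMAND, so it is only set where it has an effect).
export HISTTIMEFORMAT='%d/%m/%y  %T  '
export HISTSIZE=10000
if [ -n "${BASH_VERSION-}" ]; then
    PROMPT_COMMAND='history -a'
fi

# Log out an idle shell after 15 minutes (value assumed). readonly blocks
# "unset TMOUT" or "TMOUT=0" in a user's own rc files, which would otherwise
# defeat the limit for that user.
readonly TMOUT=900
export TMOUT
```

Shell history and TMOUT are still advisory for a determined user (who can start a shell that does not read profile.d, or run `bash --norc`); the accounting from tip 37 and the remote logging from tip 36 are the controls that do not depend on the user's cooperation.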

43. Back Up Data

Use LVM snapshots or similar tools to keep copies of your system, preferably stored off-site, in case of a system failure. Test restores regularly; a backup that has never been restored is not known to work.

If the system is compromised, you can restore the previously backed-up data.

Finally, remember that no matter how many security measures and countermeasures you take to keep your system safe, it will never be 100% secure as long as the machine is plugged in and powered on.