25 Hardening Security Tips for Linux Servers


Everybody says that Linux is secure by default, and that is true to some extent (it is a debatable topic). Linux does ship with a built-in security model, but you need to turn it on and tune it to your needs to get a more secure system. Linux is harder to manage, but it offers more flexibility and more configuration options.

Securing a production system against hackers and crackers is a challenging task for a System Administrator. This is our first article on “How to Secure a Linux box” or “Hardening a Linux Box”. In this post we explain 25 useful tips and tricks to secure your Linux system. We hope the tips and tricks below help you secure your system to some extent.

1. Physical System Security

Configure the BIOS to disable booting from CD/DVD, external devices and the floppy drive. Next, enable a BIOS password and also protect GRUB with a password to restrict physical access to your system.

  1. Set GRUB Password to Protect Linux Servers

2. Disk Partitions

It is important to have separate partitions to obtain higher data security in case a disaster happens. By creating different partitions, data can be separated and grouped. When an unexpected accident occurs, only the data on that partition is damaged, while the data on the other partitions survives. Make sure you have the following separate partitions, and make sure that third-party applications are installed on a separate file system under /opt.

/
/boot
/usr
/var
/home
/tmp
/opt

3. Minimize Packages to Minimize Vulnerability

Do you really want every kind of service installed? It is recommended to avoid installing unneeded packages, so that you avoid the vulnerabilities they carry. This reduces the risk that the compromise of one service leads to the compromise of other services. Find and remove or disable unwanted services on the server to minimize vulnerability. Use the 'chkconfig' command to find the services that are running in runlevel 3.

# /sbin/chkconfig --list |grep '3:on'

Once you have found an unwanted service running, disable it using the following command.

# chkconfig serviceName off

Use a package management tool such as "yum" or "apt-get" to list all the packages installed on the system, and remove the unwanted ones using the following commands.

# yum -y remove package-name
# sudo apt-get remove package-name

  1. 5 chkconfig Command Examples
  2. 20 Practical Examples of RPM Commands
  3. 20 Linux YUM Commands for Linux Package Management
  4. 25 APT-GET and APT-CACHE Commands to Manage Package Management

4. Check Listening Network Ports

With the help of the 'netstat' networking command you can view all open ports and the programs associated with them. As I said above, use the 'chkconfig' command to disable all unwanted network services on the system.

# netstat -tulpn
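
To make the review of that output repeatable, the following added example (not part of the original article) filters `netstat -tulpn` output down to the sockets bound to every interface, which are the ones reachable from the network. The function names and the sample output are constructed for illustration; it assumes the column layout netstat prints with these flags.

```bash
# wildcard_listeners: read `netstat -tulpn` output on stdin and print
# "proto port program" for every socket bound to all interfaces.
wildcard_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }               # skip the two header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # TCP: listening sockets only
        {
            addr = $4
            port = addr; sub(/.*:/, "", port)     # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host) # text before the last colon
            if (host != "0.0.0.0" && host != "::") next
            # UDP rows have no State column, so PID/Program starts one field earlier
            first = ($1 ~ /^udp/) ? 6 : 7
            prog = $first
            for (i = first + 1; i <= NF; i++) prog = prog " " $i
            sub(/^[0-9]+\//, "", prog)            # drop the PID
            print $1, port, prog
        }
    '
}

# Constructed sample of `netstat -tulpn` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN   1023/sshd
tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN   1450/mysqld
tcp6       0      0 :::80            :::*             LISTEN   1200/httpd
tcp6       0      0 ::1:631          :::*             LISTEN   987/cupsd
udp        0      0 0.0.0.0:68       0.0.0.0:*                 890/dhclient
udp        0      0 127.0.0.1:323    0.0.0.0:*                 801/chronyd
EOF
}

sample_netstat | wildcard_listeners
```

On a live system, run it as `netstat -tulpn | wildcard_listeners` and compare the result with the list of services the server is meant to offer.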

  1. 20 Netstat Commands for Network Management in Linux

5. Use Secure Shell (SSH)

The Telnet and rlogin protocols use plain text rather than an encrypted format, which is a security breach. SSH is a secure protocol that uses encryption when communicating with the server.

Never log in directly as root unless it is necessary. Use “sudo” to execute commands. sudo is configured in the /etc/sudoers file, which can be edited with the "visudo" utility, which opens it in the VI editor.

It is also recommended to change the default SSH port number 22 to some other, higher port number. Open the main SSH configuration file and set the following parameters to restrict which users can get access.

# vi /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers username
Protocol 2
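
A check for the three settings above, as an added example that is not part of the original article: sshd uses the first value it finds for a keyword and treats keywords case-insensitively, so a later "PermitRootLogin no" does not override an earlier "yes". The function name `audit_sshd_config` and the sample file are constructed; only the global section before the first Match block is examined, and a missing Protocol line is not reported because current OpenSSH releases speak only protocol 2.

```bash
# audit_sshd_config FILE
# Prints one finding per line; exit status 0 means the three settings
# from the article are in effect in the global section of FILE.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/         { next }  # comments and blank lines
        tolower($1) == "match" { exit }  # stop at the first conditional block
        {
            key = tolower($1)            # keywords are case-insensitive
            if (!(key in val)) val[key] = tolower($2)   # first value wins
        }
        END {
            bad = 0
            if (!("permitrootlogin" in val) || val["permitrootlogin"] != "no") {
                print "PermitRootLogin is not set to no"; bad = 1
            }
            if (!("allowusers" in val)) {
                print "AllowUsers is not set"; bad = 1
            }
            # Flag Protocol only when it is present and names anything but 2
            if (("protocol" in val) && val["protocol"] != "2") {
                print "Protocol is not restricted to 2"; bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the first PermitRootLogin line is the one sshd uses.
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'PermitRootLogin yes' \
    'permitrootlogin no' 'AllowUsers username' 'Protocol 2' > "$sample"
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```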

  1. 5 Best Practices to Secure and Protect SSH Server

6. Keep System Updated

Always keep the system updated with the latest release patches, security fixes and kernel when they become available.

# yum update
# yum check-update

7. Lockdown Cronjobs

Cron has its own built-in feature that lets you specify who may, and who may not, run jobs. This is controlled by the files /etc/cron.allow and /etc/cron.deny. To lock a user out of cron, simply add the user name to cron.deny; to allow a user to run cron, add the name to the cron.allow file. If you want to stop all users from using cron, add the line 'ALL' to the cron.deny file.

# echo ALL >>/etc/cron.deny

  1. 11 Cron Scheduling Examples in Linux

8. Disable USB Stick Detection

It often happens that we want to restrict users from using USB sticks on a system, to protect and secure data from theft. Create the file '/etc/modprobe.d/no-usb' and add the line below so that USB storage is not detected.

install usb-storage /bin/true

9. Turn on SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control security mechanism provided in the kernel. Disabling SELinux means removing a security mechanism from the system. Think twice before removing it; if your system is attached to the internet and accessed by the public, think about it some more.

SELinux provides three basic modes of operation:

  1. Enforcing: This is the default mode, which enables and enforces the SELinux security policy on the machine.
  2. Permissive: In this mode, SELinux does not enforce the security policy on the system; it only warns and logs actions. This mode is very useful when troubleshooting SELinux-related issues.
  3. Disabled: SELinux is turned off.

You can view the current SELinux mode from the command line using the 'system-config-selinux', 'getenforce' or 'sestatus' commands.

# sestatus

If it is disabled, enable SELinux using the following command.

# setenforce enforcing

It can also be managed from the '/etc/selinux/config' file, where you can enable or disable it.

10. Remove KDE/GNOME Desktops

There is no need to run X Window desktops such as KDE or GNOME on your dedicated LAMP server. You can remove or disable them to increase the security and performance of the server. To disable them, simply open the file '/etc/inittab' and set the run level to 3. If you want to remove them from the system completely, use the command below.

# yum groupremove "X Window System"

11. Turn Off IPv6

If you are not using the IPv6 protocol, you should disable it, because most applications or policies do not require IPv6 and it is currently not required on the server. Go to the network configuration file and add the following lines to disable it.

# vi /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no

12. Restrict Users from Using Old Passwords

This is very useful if you want to stop users from reusing their old passwords. The old password file is located at /etc/security/opasswd. This can be achieved by using the PAM module.

Open the '/etc/pam.d/system-auth' file under RHEL/CentOS/Fedora.

# vi /etc/pam.d/system-auth

Open the '/etc/pam.d/common-password' file under Ubuntu/Debian/Linux Mint.

# vi /etc/pam.d/common-password

Add the following line to the 'auth' section.

auth        sufficient    pam_unix.so likeauth nullok

Add the following line to the 'password' section to stop a user from re-using any of his or her last 5 passwords.

password   sufficient    pam_unix.so nullok use_authtok md5 shadow remember=5

Only the last 5 passwords are remembered by the server. If you try to use any of the last 5 old passwords, you will get an error like this:

Password has been already used. Choose another.

13. How to Check Password Expiration of User

In Linux, users' passwords are stored in the '/etc/shadow' file in encrypted format. To check a user's password expiration, you need to use the 'chage' command. It displays the password expiration details along with the date of the last password change. The system uses these details to decide when a user must change his/her password.

To view any existing user's aging information, such as expiry date and time, use the following command.

# chage -l username

To change the password aging of any user, use the following command.

# chage -M 60 username
# chage -M 60 -m 7 -W 7 userName

  1. -M Set the maximum number of days
  2. -m Set the minimum number of days
  3. -W Set the number of days of warning

14. Lock and Unlock Account Manually

The lock and unlock features are very useful: instead of removing an account from the system, you can lock it for a week or a month. To lock a specific user, you can use the following command.

# passwd -l accountName

Note: The locked user is still available to the root user only. Locking is performed by replacing the encrypted password with an (!) string. If someone tries to access the system using this account, he will get an error similar to the one below.

# su - accountName
This account is currently not available.

To unlock or enable access to a locked account, use the following command. This removes the (!) string from the encrypted password.

# passwd -u accountName

15. Enforcing Stronger Passwords

Many users choose soft or weak passwords, and their passwords can be cracked with dictionary-based or brute-force attacks. The 'pam_cracklib' module is available in the PAM (Pluggable Authentication Modules) module stack and forces users to set strong passwords. Open the following file with an editor.

# vi /etc/pam.d/system-auth

And add a line using the credit parameters (lcredit, ucredit, dcredit and/or ocredit, which stand for lower-case, upper-case, digit and other characters respectively).

/lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
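
What the negative credit values in that line demand can be tried out before the policy is rolled out. The following is an added example, not code from the article or from pam_cracklib: it models only the minlen and negative-credit rules (a credit of -N means at least N characters of that class), and the function names and test passwords are constructed.

```bash
# count_class STRING TR_SET: number of bytes in STRING that belong to TR_SET
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# meets_cracklib_classes "OPTIONS" PASSWORD
# Returns 0 when PASSWORD is at least minlen long and satisfies every
# negative credit in OPTIONS (a credit of -N demands at least N characters
# of that class). Positive credits and the dictionary test are not modelled.
meets_cracklib_classes() {
    minlen=0 lcredit=0 ucredit=0 dcredit=0 ocredit=0
    for opt in $1; do
        case $opt in
            minlen=*)  minlen=${opt#*=} ;;
            lcredit=*) lcredit=${opt#*=} ;;
            ucredit=*) ucredit=${opt#*=} ;;
            dcredit=*) dcredit=${opt#*=} ;;
            ocredit=*) ocredit=${opt#*=} ;;
        esac
    done
    pw=$2
    [ "${#pw}" -ge "$minlen" ] || return 1
    other=$(( ${#pw} - $(count_class "$pw" 'a-zA-Z0-9') ))
    # each pair is "credit count"; a negative credit is a minimum count
    set -- "$lcredit" "$(count_class "$pw" 'a-z')" \
           "$ucredit" "$(count_class "$pw" 'A-Z')" \
           "$dcredit" "$(count_class "$pw" '0-9')" \
           "$ocredit" "$other"
    while [ $# -gt 0 ]; do
        if [ "$1" -lt 0 ] && [ "$2" -lt $(( 0 - $1 )) ]; then return 1; fi
        shift 2
    done
    return 0
}

# Options copied from the pam_cracklib line in the article
POLICY='retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1'

# Constructed candidates: the second has only one upper-case letter
for candidate in 'ABcd12!x' 'Abcdef12!'; do
    if meets_cracklib_classes "$POLICY" "$candidate"; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```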

16. Enable Iptables (Firewall)

It is highly recommended to enable the Linux firewall to prevent unauthorized access to your servers. Apply rules in iptables to filter incoming, outgoing and forwarded packets. We can specify the source and destination addresses to allow and deny on a specific udp/tcp port number.

  1. Basic IPTables Guide and Tips

17. Disable Ctrl+Alt+Delete in Inittab

In most Linux distributions, pressing 'CTRL-ALT-DELETE' takes your system into the reboot process. So it is not a good idea to have this option enabled, at least on production servers, in case someone does this by mistake.

This is defined in the '/etc/inittab' file; if you look closely in that file you will see a line similar to the one below. By default the line is not commented out. We have to comment it out. This particular key sequence signal shuts down the system.

# Trap CTRL-ALT-DELETE
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

18. Checking Accounts for Empty Passwords

Any account with an empty password is open to unauthorized access by anyone on the web, and checking for such accounts is part of securing a Linux server. So you must make sure that all accounts have strong passwords and that no one has unauthorized access. Accounts with empty passwords are a security risk and can be hacked easily. To check whether there are any accounts with an empty password, use the following command.

# cat /etc/shadow | awk -F: '($2==""){print $1}'
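
The same file also records the lock marker from tip 14 and the maximum password age from tip 13, so one pass can report all three. This added example (not part of the original article) goes beyond the one-liner above; the function names, the state labels and the sample entries are constructed, and the hashes are placeholders.

```bash
# audit_shadow FILE [MAX_DAYS]
# Prints "account STATE" for each entry in a shadow-format file:
#   EMPTY    password field is empty (what the awk one-liner above finds)
#   LOCKED   field starts with "!" (passwd -l) or "*" (no password was ever set)
#   ACTIVE   a password hash is present
# and adds "account MAXAGE" when an ACTIVE account's maximum password age
# (field 5, set by chage -M) is missing or above MAX_DAYS (default 60).
audit_shadow() {
    awk -F: -v limit="${2:-60}" '
        NF < 2 { next }                       # skip blank or malformed lines
        {
            if ($2 == "")            state = "EMPTY"
            else if ($2 ~ /^[!*]/)   state = "LOCKED"
            else                     state = "ACTIVE"
            print $1, state
            if (state == "ACTIVE" && ($5 == "" || $5 + 0 > limit + 0))
                print $1, "MAXAGE"
        }
    ' "$1"
}

# Constructed sample in /etc/shadow format; the hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$placeholder$hash:19000:0:60:7:::
alice:$6$placeholder$hash:19000:7:60:7:::
bob::19000:0:99999:7:::
carol:!$6$placeholder$hash:19000:0:60:7:::
daemon:*:19000:0:99999:7:::
dave:$6$placeholder$hash:19000:0:99999:7:::
EOF
}

tmp=$(mktemp)
sample_shadow > "$tmp"
audit_shadow "$tmp"
rm -f "$tmp"
```

On a real server, run `audit_shadow /etc/shadow` as root; any EMPTY line needs a password set or the account locked.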

19. Display SSH Banner Before Login

It is always a good idea to have a legal banner or security banner with some security warnings shown before SSH authentication. To set up such banners, read the following article.

  1. Display SSH Warning Message to Users

20. Monitor User Activities

If you are dealing with lots of users, it is important to collect information about each user's activities and the processes they consume, and to analyse it at a later time or in case of any kind of performance or security issue. But how can we monitor and collect user activity information?

There are two useful tools, called 'psacct' and 'acct', that are used to monitor user activities and processes on a system. These tools run in the background and continuously track each user's activity on the system and the resources consumed by services such as Apache, MySQL, SSH, FTP, etc. For more information about installation, configuration and usage, visit the URL below.

  1. Monitor User Activity with psacct or acct Commands

21. Review Logs Regularly

Move logs to a dedicated log server; this may prevent intruders from easily modifying local logs. Below are the common default Linux log file names and their usage:

  1. /var/log/messages - Where whole-system logs or current activity logs are available.
  2. /var/log/auth.log - Authentication logs.
  3. /var/log/kern.log - Kernel logs.
  4. /var/log/cron.log - Crond logs (cron job).
  5. /var/log/maillog - Mail server logs.
  6. /var/log/boot.log - System boot log.
  7. /var/log/mysqld.log - MySQL database server log file.
  8. /var/log/secure - Authentication log.
  9. /var/log/utmp or /var/log/wtmp - Login records file.
  10. /var/log/yum.log - Yum log files.

22. Important File Backup

In a production system, it is necessary to back up important files and keep the backups in a safety vault, at a remote site or offsite for disaster recovery.

23. NIC Bonding

There are two types of mode in NIC bonding; the mode needs to be specified in the bonding interface.

  1. mode=0 - Round Robin
  2. mode=1 - Active and Backup

NIC bonding helps us avoid a single point of failure. In NIC bonding, we bond two or more network Ethernet cards together and make one single virtual interface, to which we can assign an IP address to talk to other servers. Our network stays available if one NIC card goes down or is unavailable for any reason.

24. Keep /boot as read-only

The Linux kernel and its related files are in the /boot directory, which is read-write by default. Changing it to read-only reduces the risk of unauthorized modification of critical boot files. To do this, open the "/etc/fstab" file.

# vi /etc/fstab

Add the following line at the bottom, then save and close the file.

LABEL=/boot     /boot     ext2     defaults,ro     1 2

Note that you need to set this back to read-write if you need to upgrade the kernel in the future.

25. Ignore ICMP or Broadcast Request

Add the following lines to the "/etc/sysctl.conf" file to ignore ping or broadcast requests.

Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1

Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the new settings or changes by running the following command.

# sysctl -p

If we have missed any important security or hardening tip in the above list, or if you have any other tip that should be included in the list, please drop your comments in our comment box. TecMint is always interested in receiving comments and suggestions, as well as discussion for improvement.