CN116257266A - Automatic safety reinforcement method and equipment for Linux system host

Info

Publication number: CN116257266A
Application number: CN202211463045.3A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 郭银锋, 刘彦伸, 虞雁群, 吴艳
Original and current assignee: Zhejiang Yu'an Information Technology Co ltd
Prior art keywords: modifying, user, linux system, reinforcement, configuration file

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering > G06F8/60 Software deployment > G06F8/65 Updates
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/52 ... during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow > G06F21/54 ... by adding security routines or objects to programs
    • G06F21/00 > G06F21/50 > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 ... using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/445 Program loading or initiating > G06F9/44521 Dynamic linking or loading; link editing at or after load time, e.g. Java class loading
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS > Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation > Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention discloses a method and equipment for automatically reinforcing (hardening) the security of a Linux system host, in the technical field of Linux server security. After the host to be reinforced is connected to the automatic reinforcement device and the external storage device is detected, the USB controller automatically runs the PowerShell script program in the controller firmware, which simulates keyboard input, opens a system command line interface and enters the command that starts the security reinforcement script program held in the memory. The security reinforcement script creates and saves a system snapshot file of the host to be reinforced, loads the corresponding policy, and completes the reinforcement by checking account and password security, adjusting the access control policy, modifying the default configuration of system services, modifying protocol-related configuration and configuring the log audit policy. The invention saves time, improves reinforcement efficiency and reduces the host resources occupied; the reinforcement process needs no support from technical personnel, which widens the product's audience, and the product is portable and efficient with broad application prospects.

Description

Automatic safety reinforcement method and equipment for Linux system host
Technical Field
The invention relates to the technical field of Linux server security, in particular to a method and equipment for automatic security reinforcement (hardening) of a Linux system host.
Background
With the rapid development of Internet information technology and the release of policies related to 2.0, more and more individuals and enterprises have begun to pay attention to network security technology, and network security has become an important problem faced by the whole information society. Host security reinforcement plays a significant and positive role in the security field. The Linux operating system, also known as GNU/Linux, is a POSIX-based operating system supporting multiple users, multitasking, multithreading and multiple CPUs; it offers both a character-based and a graphical interface, runs on many hardware platforms, is favoured by a vast user base for its high stability, high degree of freedom and high security, and is very widely used in Internet enterprises.
The open-source nature of the Linux system code brings it good security: once a major vulnerability is found, technicians in the open-source community can spontaneously organize to address it. Compared with defects in the Linux system itself, many more security problems are caused by improper configuration. To meet users' needs a large number of services run on the system, and the more services run, the greater the possibility of improper configuration. Most users make no security modifications to the initial configuration after installing a Linux system, which leaves a large number of weak links in the system, and these weak points are often the targets of an attacker.
The existing common approach to Linux system security reinforcement is to manually check and modify the relevant system configuration; manual operation requires maintenance personnel with a high professional level and the ability to solve problems. If inexperienced maintenance personnel modify the configuration improperly, the result may be a catastrophic loss, such as a system crash that is difficult to recover from.
The automatic security reinforcement method for Linux servers disclosed in Chinese patent application No. 201810410494.9 adopts flash script control and divides the Linux 6.0 operating system software into a number of independently deployable, extensible script control code segments. This avoids the risks of the manual check-and-modify approach, but the process of importing the configuration script and setting its parameters is complex, and the workload on the system is high.
The Linux system reinforcement method, device, computer equipment and storage medium disclosed in Chinese patent application No. 202111134618.3 import a program by connecting an external storage device, and an operation and maintenance person starts the baseline reinforcement main program on that device to reinforce the Linux system. However, this method requires the technical support of professional operation and maintenance personnel, increases their workload, and is beyond the means of ordinary individual users, so its audience is too small.
In summary, manual security reinforcement of a Linux system host is time-consuming, inefficient and intolerant of mistakes, and the traditional methods need the support of professional technicians and reach a small audience; developing an automatic security reinforcement method and equipment for the Linux system host is therefore particularly necessary.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide an automatic security reinforcement method and equipment for a Linux system host that operate automatically, save time, reduce host resource occupation, improve the efficiency of Linux system security reinforcement, reach a wide audience and are easy to popularize and use.
To achieve this object, the invention is realized by the following technical scheme. An automatic security reinforcement method for a Linux system host comprises the following steps:
S11, checking account and password security;
S12, adjusting the access control policy;
S13, modifying the default configuration of system services;
S14, checking protocol-related configuration;
S15, configuring the log audit policy.
Preferably, step S11 includes: (1) checking whether an empty-password user exists, configuring a fixed password for that user, and checking the configuration files /etc/shadow and /etc/passwd;
(2) checking whether a privileged user exists, deleting the privileged user, and checking the configuration file /etc/passwd;
(3) setting a system password policy, and modifying the configuration file /etc/login.defs;
(4) setting password complexity, and modifying the configuration file /etc/pam.d/system-auth;
(5) setting a user login failure policy, and modifying the configuration file /etc/pam.d/system-auth.
Preferably, step S12 includes: (1) limiting the users who can su to root, and modifying the configuration file /etc/pam.d/su;
(2) forbidding direct login of the root user, and modifying the configuration file /etc/ssh/sshd_config;
(3) disabling the Ctrl+Alt+Delete shortcut, and modifying the configuration under /usr/lib/systemd/system;
(4) adding the user IP, execution time and similar information to the command history, and modifying the configuration file /etc/bashrc;
(5) limiting the login timeout, and modifying the configuration file /etc/profile;
(6) setting the default access permissions of user directories, and modifying the configuration file /etc/login.defs;
(7) modifying the permissions of critical directories and files.
Preferably, step S13 includes: (1) modifying the ssh port and version, setting a login Banner prompt, setting the number of allowed password errors, and modifying the configuration file /etc/ssh/sshd_config;
(2) restricting the IPs allowed to make ssh remote connections, and modifying the configuration file /etc/hosts.allow;
(3) shutting down unnecessary services such as telnet, ftp, talk, rsh, rsync, xinetd and nfs;
(4) starting the firewall, setting the corresponding firewall policy, and modifying the configuration file /etc/sysconfig/iptables;
(5) checking whether user directories contain .netrc, .rhosts or hosts.equiv files, and removing such potential threat files;
(6) updating the bash and openssl versions to avoid known vulnerabilities.
Preferably, step S14 includes: (1) forbidding anonymous users and the root user from logging in to FTP, and modifying the configuration file /etc/vsftpd/vsftpd.conf;
(2) limiting the permissions of files uploaded by FTP users, and modifying the configuration file /etc/vsftpd/vsftpd.conf;
(3) limiting the directories an FTP user can access after logging in;
(4) closing the FTP Banner, and modifying the configuration file /etc/vsftpd/vsftpd.conf;
(5) checking the NTP configuration, and modifying the configuration file /etc/chrony.conf;
(6) configuring the SNMP default community string, and modifying the configuration file /etc/snmp/snmpd.conf;
(7) turning off ICMP route redirection, and modifying the configuration file /etc/sysctl.conf.
Preferably, step S15 includes: (1) starting the rsyslog service to centralize log management, and modifying the configuration file /etc/rsyslog.conf;
(2) starting the audit service to record system events, and modifying the configuration file /etc/audisp/plug;
(3) recording the login and operation logs of all users through script code, and modifying the configuration file /etc/profile;
(4) setting log file attributes to prevent deletion and modification, by modifying the access permissions of files under /var/log.
The automatic security reinforcement equipment for the Linux system host comprises a USB controller and a memory. A PowerShell script program that controls keyboard input is burnt into the control firmware in the memory, and the Linux system security reinforcement script program is stored in the mass storage in the memory. The USB controller automatically runs the PowerShell script program in the controller firmware to simulate keyboard input, and the steps of the reinforcement method are carried out once the Linux system security reinforcement script program in the memory has been started.
Preferably, the automatic security reinforcement device for the Linux system host operates the keyboard automatically by emulating a HID (Human Interface Device) according to the PowerShell script, with the following execution flow:
S21, the host to be reinforced is connected to the automatic reinforcement device; after detecting the external storage device, the USB controller automatically runs the PowerShell script program in the controller firmware;
S22, the PowerShell script in the controller firmware handles two situations: if the reinforcement target is a server, the PowerShell script mounts the external storage device; if the reinforcement target is a personal host, the Linux system mounts the external storage device automatically;
S23, the PowerShell script program simulates keyboard input, automatically opens a system command line and starts the Linux system security reinforcement script program in the memory;
S24, the Linux system security reinforcement script creates and saves a snapshot file of the current Linux system, and loads the Linux system security reinforcement policy.
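Step S24 takes a snapshot of the system before the policy is loaded, and several later steps back a file up with cp before editing it. The following is an added example, not the patent's own script, of what such a snapshot can usefully contain: a copy of every configuration file the run will touch plus a sha256 manifest, so that after the run the operator can list exactly which files changed and put any single file back. All paths are a constructed sandbox tree under a temporary directory; the function names and the snapshot layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the patent's own script: snapshot the configuration files a
# hardening run will touch, record a sha256 manifest, report what changed, and
# restore one file. Everything runs on a constructed sandbox tree, not the live /etc.

# snapshot_configs SNAP_DIR FILE...   copies each FILE to SNAP_DIR/files<FILE>
# (permissions preserved) and writes SNAP_DIR/manifest.sha256; prints the manifest path
snapshot_configs() {
    snap_dir=$1; shift
    for f in "$@"; do
        mkdir -p "$snap_dir/files$(dirname "$f")"
        cp -p "$f" "$snap_dir/files$f"
    done
    sha256sum "$@" > "$snap_dir/manifest.sha256"
    printf '%s\n' "$snap_dir/manifest.sha256"
}

# changed_since MANIFEST   prints the paths whose current content no longer matches
# the manifest, one per line (empty output means nothing changed)
changed_since() {
    sha256sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# restore_file SNAP_DIR FILE   puts the snapshot copy of FILE back in place
restore_file() {
    cp -p "$1/files$2" "$2"
}

# --- constructed sandbox with two of the files the method modifies ---
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/etc/ssh"
printf 'PermitRootLogin yes\nPort 22\n' > "$SANDBOX/etc/ssh/sshd_config"
printf 'PASS_MAX_DAYS 99999\n' > "$SANDBOX/etc/login.defs"

MANIFEST=$(snapshot_configs "$SANDBOX/snapshot" \
    "$SANDBOX/etc/ssh/sshd_config" "$SANDBOX/etc/login.defs")

# a hardening step rewrites sshd_config; the manifest now reports exactly that file
printf 'PermitRootLogin no\nPort 2022\n' > "$SANDBOX/etc/ssh/sshd_config"
echo "changed since snapshot: $(changed_since "$MANIFEST")"
```

The manifest is what makes the snapshot auditable: a plain backup tells you what the file looked like, while the manifest lets a later check prove which files the run altered and which it left alone.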
The beneficial effects of the invention are as follows: all manual operations in the reinforcement process are converted into automatic operations, which saves time and improves the efficiency of Linux system security reinforcement; the security reinforcement script program runs on the external device, so no system or configuration environment has to be imported in advance and the host resources occupied are reduced; and the reinforcement process needs no support from technical personnel, which widens the product's audience and gives individuals and enterprises a portable, efficient automatic security reinforcement method and equipment for the Linux system host, with broad application prospects.
Drawings
The invention is described in detail below with reference to the drawings and the detailed description:
FIG. 1 is a flow chart of the automatic security reinforcement method for a Linux system host according to the invention;
FIG. 2 is a schematic view of the application environment of the invention;
FIG. 3 is a flow chart of the execution of the automatic security reinforcement device for a Linux system host according to the invention;
FIG. 4 is a schematic flow chart of the automatic security reinforcement device for a Linux system host.
Detailed Description
The invention is further described in connection with the following detailed description, so that the technical means, creative features, objectives and effects of the invention are easy to understand.
Referring to FIGS. 1-4, this embodiment adopts the following technical scheme. An automatic security reinforcement method for a Linux system host comprises the following steps:
S11, checking account and password security;
S12, adjusting the access control policy;
S13, modifying the default configuration of system services;
S14, checking protocol-related configuration;
S15, configuring the log audit policy.
Specifically, the steps are as follows:
S11. Checking account and password security. The check of account and password security covers the following aspects:
(1) Check whether an empty-password user exists, configure a fixed password for that user, and check the configuration files /etc/shadow and /etc/passwd. For each empty-password user, run passwd [user name] and enter a fixed password. An empty-password user is a huge potential security hazard for the system: it is easily obtained by an attacker and becomes an entry point for attacking the system.
(2) Check whether privileged users exist, delete them, and check the configuration file /etc/passwd. An attacker can use redundant privileged users to perform unauthorized operations, modify user and system resources, or install unnecessary programs. Ensure that root is the only account with UID 0, and delete the other privileged users by running userdel -r [user name].
(3) Set a system password policy with a password expiry period by modifying the configuration file /etc/login.defs; the following policy is set:
PASS_MAX_DAYS 90    # maximum number of days a newly created user's password may be used
PASS_MIN_DAYS 0     # minimum number of days between password changes for a newly created user
PASS_WARN_AGE 7     # number of days before expiry on which a newly created user is reminded
(4) Set password complexity by modifying the configuration file /etc/pam.d/system-auth with the following policy:
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
# retry=3      allow 3 attempts
# difok=3      the new password must differ from the old one in at least 3 characters
# minlen=10    the minimum password length is 10
# ucredit=-1   at least one uppercase letter
# lcredit=-2   at least two lowercase letters
# dcredit=-1   at least one digit
# ocredit=-1   at least one special character
(5) Set a user login failure policy by modifying the configuration file /etc/pam.d/system-auth; the following setting is added directly after the #%PAM-1.0 line:
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300
# deny=3                 lock the account after 3 failed password attempts
# unlock_time=300        the lock lasts 300 seconds
# even_deny_root root_unlock_time=300   the root user is locked too, for 300 seconds
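Before the checks of step S11 change anything, an operator will usually want a read-only pass that shows what the run is about to touch. The following is an added example, not the patent's own script: it runs the empty-password, extra-UID-0 and password-expiry checks against constructed copies of /etc/shadow, /etc/passwd and /etc/login.defs. The sample entries, the function names and the policy thresholds (PASS_MAX_DAYS at most 90, PASS_WARN_AGE at least 7, taken from the values the method sets) are this example's assumptions; real files would be passed in the same way.

```shell
#!/bin/sh
# Added example, not the patent's own script: the account checks of step S11 run
# read-only against constructed sample files, so the operator can see what a
# hardening run would change before anything is modified.

# empty_password_users SHADOW_FILE   prints accounts whose password field is empty
# (a locked account shows "!" or "*" there and is not reported)
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# extra_uid0_users PASSWD_FILE   prints accounts other than root that carry UID 0,
# i.e. the redundant privileged users the method removes with userdel
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# login_defs_value LOGIN_DEFS KEY   prints the effective value of KEY
# (last uncommented occurrence wins; prints nothing if KEY is absent)
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# password_policy_ok LOGIN_DEFS   returns 0 when the file already meets the policy
# the method sets (PASS_MAX_DAYS <= 90 and PASS_WARN_AGE >= 7), 1 otherwise
password_policy_ok() {
    max=$(login_defs_value "$1" PASS_MAX_DAYS)
    warn=$(login_defs_value "$1" PASS_WARN_AGE)
    [ -n "$max" ] && [ "$max" -le 90 ] && [ -n "$warn" ] && [ "$warn" -ge 7 ]
}

# --- constructed sample files (not real system data) ---
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:$6$saltsalt$constructedhash:19000:0:99999:7:::
toor:!:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$saltsalt$constructedhash:19000:0:99999:7:::
EOF
cat > "$SAMPLE/login.defs" <<'EOF'
# constructed login.defs with the stock (pre-hardening) expiry values
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF

echo "empty-password users: $(empty_password_users "$SAMPLE/shadow")"
echo "extra UID 0 users:    $(extra_uid0_users "$SAMPLE/passwd")"
if password_policy_ok "$SAMPLE/login.defs"; then
    echo "password policy: ok"
else
    echo "password policy: needs hardening (PASS_MAX_DAYS is $(login_defs_value "$SAMPLE/login.defs" PASS_MAX_DAYS))"
fi
```

Reading the last uncommented occurrence of a login.defs key matters because the "comment out, then append" edit used throughout the method leaves older lines in the file as comments; the check must evaluate the line that is actually in force.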
S12. Adjusting the access control policy. The access control policy is adjusted in the following ways:
(1) root is called the superuser in a Linux system because it has the right to modify any file in the storage system. With the su command a user can switch to the root user, which is a great potential hazard for the security of the Linux system: having obtained the privileges of an ordinary user, an attacker can escalate to root, run any command that endangers the system or install malicious programs, and delete the related logs to leave no trace. Only by restricting which users can su to root can the security of the system be guaranteed to some extent. To limit the users who can su to root, add them to a fixed user group, wheel, modify the configuration file /etc/pam.d/su and add the line auth required pam_wheel.so group=wheel at the top, which means that only users in the wheel group may obtain root.
(2) Forbid direct login of the root user: modify the configuration file /etc/ssh/sshd_config, change the value of PermitRootLogin from yes to no, and then restart the service with service sshd restart. To strengthen the security of the host, direct login of the root user should be avoided, since an attacker can obtain root privileges by brute-forcing the root password. In general, one logs in as an ordinary user and then escalates to root, which prevents dangerous operations from affecting the normal operation of the system.
(3) Disable the Ctrl+Alt+Delete shortcut by modifying the configuration under /usr/lib/systemd/system, so that the system is not restarted by an accidental key press, which would affect other users. Back up the configuration file with cp -a /usr/lib/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/ctrl-alt-del.target.default, then remove the original with rm -rf /usr/lib/systemd/system/ctrl-alt-del.target.
(4) Add the user IP, execution time and other information to the command history, so that a user's earlier operations on the system can be queried easily and abnormal operations found in time. Modify the configuration file /etc/bashrc, set HISTFILESIZE=4000 to keep the latest 4000 commands, and add the configuration:
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`   # obtain the IP of the login client
if [ -z "$USER_IP" ]
then
    USER_IP=`hostname`
fi
HISTTIMEFORMAT="%F %T $USER_IP:`whoami` "   # set the format in which history is displayed
export HISTTIMEFORMAT
Then run source /etc/bashrc to load the added configuration.
(5) Limit the login time of a logged-in user: set the idle timeout of the login terminal according to the security policy, which frees system resources and improves the security of the host. Modify the configuration file /etc/profile and add export TMOUT=900, so that a session with no operation for more than 15 minutes is logged out automatically.
(6) Set the default access permissions of user directories to protect users' personal files. Each user has only read and execute rights on other users' files, so that if one user's account is obtained by an attacker, the file contents of other users cannot be modified across users. Modify the configuration file /etc/login.defs and set the UMASK value to 022.
(7) Modify the permissions of important directories and files, which are mainly system files, to prevent malicious modification. Use chmod [mask value] [file name/directory name] to modify the permissions of a file or directory; the directories modified include /etc, /tmp, /dev/null, etc.
S13. Modifying the default settings of system services. Modifications to the default settings of system services include the following:
(1) Modify the ssh port, fix the ssh version, set the IP addresses allowed to log in, set the login Banner prompt and set the number of allowed password errors. Many popular brute-force scripts only try ssh connections on the default port 22, so changing the default port better avoids the possibility of attack, and fixing the ssh version ensures that ssh provides a stable service. Modify the configuration file /etc/ssh/sshd_config: set Protocol to 2, MaxAuthTries to 3 and Port to 2022. Set the login Banner prompt:
cp /etc/issue /etc/issue-`date +%Y%m%d`.bak
egrep -q "WARNING" /etc/issue || (echo "**************WARNING**************" >> /etc/issue; echo "Authorized only. All activity will be monitored and reported." >> /etc/issue)
egrep -q "^\s*(banner|Banner)\s+\W+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*(banner|Banner)\s+\W+.*$/Banner \/etc\/issue/" /etc/ssh/sshd_config || echo "Banner /etc/issue" >> /etc/ssh/sshd_config
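Steps S12(2) and S13(1) both edit /etc/ssh/sshd_config, and the Banner command above shows the pattern the method relies on: replace an existing keyword line if there is one, otherwise append. That pattern matters more for sshd_config than for most files, because sshd uses the first uncommented occurrence of a keyword and ignores later ones, and anything after a Match line belongs to that Match block. Simply appending PermitRootLogin no to a file that still contains PermitRootLogin yes therefore changes nothing, and appending after a Match block applies the setting to the wrong users. The following is an added example, not the patent's own script, of a setter that handles both cases and a reader that returns what sshd would actually use, run on a constructed copy of sshd_config with the values the method sets (Port 2022, Protocol 2, MaxAuthTries 3, Banner /etc/issue, PermitRootLogin no). The function names and the sample file are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the patent's own script: an idempotent sshd_config setter that
# respects sshd's "first occurrence wins" rule and stays out of Match blocks, plus a
# reader that reports the value sshd would use. The file is a constructed copy.

# sshd_effective FILE KEY   prints the global value sshd would use for KEY
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }             # global section ends here
        tolower($1) == tolower(key)  { print $2; exit }   # first occurrence wins
    ' "$1"
}

# set_sshd_option FILE KEY VALUE   comments out every existing KEY line and inserts
# "KEY VALUE" before the first Match block (or at the end if there is none)
set_sshd_option() {
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key)      { print "#" $0; next }        # neutralise old value
        tolower($1) == "match" && !done  { print key, val; done = 1 }  # stay out of Match blocks
        { print }
        END { if (!done) print key, val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"    # cat keeps the original inode, owner and mode
    rm -f "$tmp"
}

# --- constructed sshd_config with stock values and a trailing Match block ---
ORIG=$(mktemp)
cat > "$ORIG" <<'EOF'
# constructed sample, not a real server configuration
Port 22
Protocol 2
PermitRootLogin yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
EOF
CONF=$(mktemp)
cat "$ORIG" > "$CONF"

# naive_append_demo   shows the pitfall: appending leaves the old value in force
naive_append_demo() {
    copy=$(mktemp)
    cat "$ORIG" > "$copy"
    echo "PermitRootLogin no" >> "$copy"
    sshd_effective "$copy" PermitRootLogin    # still "yes"
    rm -f "$copy"
}

# apply the values the method sets: S13(1) port, protocol, auth tries, banner; S12(2) root login
set_sshd_option "$CONF" Port 2022
set_sshd_option "$CONF" Protocol 2
set_sshd_option "$CONF" MaxAuthTries 3
set_sshd_option "$CONF" Banner /etc/issue
set_sshd_option "$CONF" PermitRootLogin no

echo "naive append leaves PermitRootLogin = $(naive_append_demo)"
for k in Port Protocol MaxAuthTries Banner PermitRootLogin; do
    echo "$k -> $(sshd_effective "$CONF" "$k")"
done
```

On a real host the edit would be followed by sshd -t to validate the file before service sshd restart, so that a typo does not leave the host without ssh access.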
(2) Limit the IPs allowed to make ssh remote connections by setting an access control list, which restrains attackers at the source to some extent. Modify the configuration file /etc/hosts.allow and add the IP addresses or segments allowed to log in over ssh, i.e. sshd:192.168.1.2:allow or sshd:192.168.1.0/24:allow.
(3) Turn off unnecessary services such as telnet, ftp, talk, rsh and nfs. Closing unnecessary services makes the system run more efficiently and avoids security damage caused by vulnerabilities in those services. Disable each service with systemctl disable [service name] &>/dev/null.
(4) Start the firewall, using iptables: modify the configuration file /etc/sysconfig/iptables and add policies similar to the following:
-A INPUT -p tcp -m state --state NEW -m tcp --dport xxx -j ACCEPT   # allow access to the designated port xxx
-A INPUT -s xxx.xxx.xxx.xxx -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT   # allow the specified IP to access the database port 3306
-A INPUT -s xxx.xxx.xxx.xxx -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT   # allow the specified IP to access tcp port 22
Restart the firewall with service iptables restart to load the new configuration.
(5) Check whether user directories contain .netrc, .rhosts or hosts.equiv files. These potential threat files can be backdoors left in a user directory after an attacker has broken into the user account, making it easier to attack the host. The following commands remove them (each file is renamed with a .bak suffix):
find / -maxdepth 3 -name hosts.equiv | xargs -i mv {} {}.bak
find / -maxdepth 3 -name .netrc | xargs -i mv {} {}.bak
find / -maxdepth 3 -name .rhosts | xargs -i mv {} {}.bak
(6) Update the bash and openssl versions to avoid known vulnerabilities. GNU Bash 4.3 and earlier have the Shellshock vulnerability, which an attacker can use to change or bypass environment restrictions and execute shell commands. The Heartbleed vulnerability exists in OpenSSL versions 1.0.1 through 1.0.1f (Beta); using it, an attacker can read data from the memory of the target without any privileged information and steal the target's private information. Run yum update bash openssl to update both versions.
S14. Checking protocol-related settings. The check of protocol-related configuration covers the following aspects:
(1) Forbid anonymous users and the root user from logging in to FTP. If FTP enables anonymous login and allows the root user to log in, it is easy to attack, leading to malicious file uploads or more serious intrusions. Modify the configuration file /etc/vsftpd/vsftpd.conf and set anonymous_enable to NO, so that user credentials must be created before the FTP service can be logged in to.
(2) Limit the permissions of files uploaded by FTP users: modify the configuration file /etc/vsftpd/vsftpd.conf by running the following commands:
systemctl list-unit-files | grep vsftpd > /dev/null && sed -ri "/^\s*write_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "write_enable=NO" >> /etc/vsftpd/vsftpd.conf
systemctl list-unit-files | grep vsftpd > /dev/null && sed -ri "/^\s*ls_recurse_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "ls_recurse_enable=NO" >> /etc/vsftpd/vsftpd.conf
systemctl list-unit-files | grep vsftpd > /dev/null && sed -ri "/^\s*anon_umask\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "anon_umask=077" >> /etc/vsftpd/vsftpd.conf
systemctl list-unit-files | grep vsftpd > /dev/null && sed -ri "/^\s*local_umask\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "local_umask=022" >> /etc/vsftpd/vsftpd.conf
(3) Limit the directories an FTP user can access after logging in, preventing an attacker who has obtained a user account from stealing the information of other users: modify the configuration file /etc/vsftpd/vsftpd.conf by running the following command:
systemctl list-unit-files | grep vsftpd > /dev/null && sed -ri "/^\s*chroot_local_user\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "chroot_local_user=YES" >> /etc/vsftpd/vsftpd.conf   # YES confines each local user to their home directory
(4) Close the FTP Banner. When the FTP service is used, the version information of the host is shown in the Banner by default; hiding the version information increases the time cost of a malicious attack. Modify the configuration file /etc/vsftpd/vsftpd.conf, set ftpd_banner=welcome, and run service vsftpd restart to restart the service and load the setting.
(5) Check the NTP configuration: modify the configuration file /etc/chrony.conf with the following configuration:
cp /etc/chrony.conf /etc/chrony.conf-`date +%Y%m%d`.bak
systemctl list-unit-files | grep chronyd.service > /dev/null && egrep -q "^\s*server\s+\w[.]\w+.*$" /etc/chrony.conf && sed -ri "/^\s*server\s+\w[.]\w+.*$/s/^/#/" /etc/chrony.conf
systemctl list-unit-files | grep chronyd.service > /dev/null && sed -ri "/^\s*maxdistance\s*\W+.+$/s/^/#/" /etc/chrony.conf && echo "maxdistance 16" >> /etc/chrony.conf
systemctl start chronyd.service > /dev/null
systemctl list-unit-files | grep chronyd.service > /dev/null && egrep -q "^\s*server\s+\w+.*$" /etc/chrony.conf && sed -ri "s/^\s*server\s+\w+.*$/server $NTP_ip iburst/" /etc/chrony.conf || sed -ri "/^\s*#\s+Please\s+.*$/a\server $NTP_ip iburst" /etc/chrony.conf
systemctl restart chronyd.service > /dev/null
systemctl enable chronyd.service &> /dev/null
/usr/sbin/iptables -I INPUT -p UDP --dport 161 -j ACCEPT
hwclock -w > /dev/null
(6) Configure the SNMP default community string: modify the configuration file /etc/snmp/snmpd.conf with the following configuration:
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf-`date +%Y%m%d`.bak
cat > /etc/snmp/snmpd.conf <<EOF
com2sec $SNMP_user default $SNMP_password
group $SNMP_group v1 $SNMP_user
group $SNMP_group v2c $SNMP_user
view systemview included .1 80
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view $SNMP_view included .1.3.6.1.4.1.2021.80
access $SNMP_group "" any noauth exact systemview none none
access $SNMP_group "" any noauth exact $SNMP_view none none
dontLogTCPWrappersConnects yes
trapcommunity $SNMP_password
authtrapenable 1
trap2sink $SNMP_ip
agentSecName $SNMP_user
rouser $SNMP_user
defaultMonitors yes
linkUpDownNotifications yes
EOF
(7) Turn off ICMP route redirection, preventing the routing table from being modified by an attack or by mistake and preventing the host from becoming a zombie in a DoS attack: modify the configuration file /etc/sysctl.conf and add the configuration net.ipv4.conf.all.accept_redirects=0.
S15. Configuring the log audit policy. The configuration of the log audit policy covers the following aspects:
(1) Start the rsyslog service to centralize log management, and modify the configuration file /etc/rsyslog.conf.
(2) Start the audit service to record system events, so that if a fault or security incident occurs later the system log file can be examined to troubleshoot the fault and trace the intruder; modify the configuration file /etc/audisp/plug.
(3) Recording all user login operation logs through script codes, preventing no evidence from being found after a security event occurs, modifying a configuration file/etc/profile, and inputting the following contents in the configuration file:
# history
USER=`whoami`
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
if [ ! -d /var/log/history ]; then
    mkdir /var/log/history
    chmod 777 /var/log/history
fi
if [ ! -d /var/log/history/${LOGNAME} ]; then
    mkdir /var/log/history/${LOGNAME}
    chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
wherein /var/log/history is the storage location of the logs and can be customized. Run source /etc/profile for the configuration to take effect.
(4) Setting log file attributes to prevent deletion and modification, by modifying the access permissions of the files under /var/log. Execute the following commands:
chmod 755 /var/log/messages; chmod 775 /var/log/spooler; chmod 775 /var/log/mail >/dev/null 2>&1; chmod 775 /var/log/cron; chmod 775 /var/log/secure; chmod 775 /var/log/maillog; chmod 775 /var/log/localmessages >/dev/null 2>&1
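Steps (3) and (4) set permissions but give no way to confirm they are still in place. The following added example, which is not part of the patent, audits a /var/log-style tree against the modes set above (the step (4) file modes, 300 on each per-user history directory and 600 on the history files inside) and reports every deviation instead of re-running chmod blindly. The root prefix, the staging tree and its deviations are constructed, and GNU or BusyBox stat is assumed.

```shell
#!/bin/sh
# Added example (not from the patent): audit the permissions set up in steps
# (3) and (4). ROOT is a path prefix (assumption) so the check can run against
# a constructed staging tree without root. Note: a 300 directory cannot be
# listed by a non-root user, so the history files inside one are only checked
# when the audit itself runs as root.

# Expected modes from step (4): "name mode" per line, relative to ROOT.
LOG_EXPECTED='messages 755
spooler 775
mail 775
cron 775
secure 775
maillog 775
localmessages 775'

# Octal permission bits of PATH.
mode_of() { stat -c '%a' "$1"; }

# Succeed only if PATH exists and has exactly MODE.
check_mode() { [ -e "$1" ] && [ "$(mode_of "$1")" = "$2" ]; }

# Print "path actual expected" for every deviation under ROOT; prints nothing
# when everything is compliant. Logs that do not exist (e.g. mail,
# localmessages, which the page also tolerates) are skipped, not reported.
audit_log_perms() {
    root=$1
    printf '%s\n' "$LOG_EXPECTED" | while read -r name mode; do
        f="$root/$name"
        [ -e "$f" ] || continue
        check_mode "$f" "$mode" || printf '%s %s %s\n' "$f" "$(mode_of "$f")" "$mode"
    done
    for d in "$root"/history/*/; do          # one directory per login name
        [ -d "$d" ] || continue
        d=${d%/}
        check_mode "$d" 300 || printf '%s %s 300\n' "$d" "$(mode_of "$d")"
        for h in "$d"/*; do                   # per-session history files
            [ -f "$h" ] || continue
            check_mode "$h" 600 || printf '%s %s 600\n' "$h" "$(mode_of "$h")"
        done
    done
}

# Number of deviations reported for ROOT.
count_deviations() { audit_log_perms "$1" | wc -l | tr -d ' '; }

# Constructed staging tree with three deliberate deviations.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/history/alice" "$root/history/bob"
    for n in messages spooler cron secure maillog; do : > "$root/$n"; done
    chmod 775 "$root/spooler" "$root/cron" "$root/secure" "$root/maillog"
    chmod 644 "$root/messages"                  # deviation 1: expected 755
    chmod 300 "$root/history/alice"             # compliant
    : > "$root/history/bob/bob@198.51.100.7_20221122_09:00:00"
    chmod 644 "$root/history/bob/"*             # deviation 2: expected 600
    chmod 755 "$root/history/bob"               # deviation 3: expected 300
    printf '%s' "$root"
}

# Demo: audit the constructed tree (on a real host, pass /var/log as ROOT).
demo=$(make_sample_tree)
audit_log_perms "$demo"
```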
The Linux system host automatic security reinforcement method provided by this embodiment can be applied in the application environment shown in Fig. 1. The system comprises a host to be reinforced and an external storage device, which communicate over a USB interface. The external storage device consists of a USB controller and a memory; the memory consists of control firmware and a mass storage area. A powershell script can be burned into the control firmware, the mass storage area can hold the Linux system security reinforcement script, and the external storage device can run that script. The host to be reinforced is a terminal that requires security reinforcement, mainly a Linux server or a personal host.
This embodiment provides a Linux system host automatic security reinforcement device comprising a USB controller and a memory. A powershell script program that controls keyboard input is burned into the control firmware in the memory, and a Linux system security reinforcement script program is stored in the mass storage in the memory. The USB controller automatically runs the powershell script program in the controller firmware to simulate keyboard input, and the steps of the reinforcement method are carried out when the Linux system security reinforcement script program in the memory is started.
Notably, the Linux system host automatic security reinforcement device operates the keyboard automatically by emulating an HID (Human Interface Device) under the control of the powershell script; the execution flow is as follows:
S21, the automatic reinforcement device is connected to the host to be reinforced; once the external storage device is detected, the USB controller automatically runs the powershell script program in the controller firmware.
The controller firmware into which the powershell script program is burned can emulate an HID device, and the commands set in the script are entered through the emulated keyboard. HID devices are human-machine interaction devices used to control some aspect of computer operation, such as USB mice, USB keyboards and USB joysticks. In one embodiment, the external storage device is a USB flash drive that includes control firmware and a mass storage area; the mass storage area is the only part visible to the user and normally recognized by the operating system, while the powershell script is stored in the controller firmware of the USB flash drive, which is typically a USB interface or a USB data cable.
S22, the powershell script in the controller firmware handles two cases: if the reinforcement object is a server, the powershell script mounts the external storage device; if the reinforcement object is a personal host, the Linux system mounts the external storage device automatically.
When the powershell script program in the controller firmware runs, it identifies whether the Linux system of the host to be reinforced is a desktop distribution or a server distribution. A desktop distribution is generally used on a personal host and automatically mounts a removable storage device that is plugged in; a server distribution is generally used on a server, where a removable storage device has to be mounted manually. After this check, the powershell script program determines whether mounting is required.
S23, keyboard input is simulated by the powershell script program to open a system command line automatically and start the Linux system security reinforcement script program stored in the memory.
S24, a snapshot file of the current Linux system is created and saved by the Linux system security reinforcement script, and the Linux system security reinforcement policy is loaded.
After the external storage device is mounted, a snapshot of the current system is created so that the original system can be restored in special circumstances; the security policy is then applied to the host to be reinforced, which loads the target security policy to achieve security reinforcement. In one embodiment, the target security policy is the security policy that the host to be reinforced needs to check and update, and it comprises five modules: an account security policy, an access control policy, a system security policy, a log audit policy and a protocol security policy.
In this embodiment, when the automatic security reinforcement device is connected to the host to be reinforced, the USB controller automatically runs the powershell script in the controller firmware to simulate keyboard input and start the Linux system security reinforcement script program in the memory. The host to be reinforced then loads the corresponding Linux system security reinforcement policy through that script program stored in the memory of the automatic reinforcement device.
The security reinforcement of the Linux host is completed by combining the automatic reinforcement device with a series of operations: checking account password security, adjusting the access control policy, modifying the default configuration of system services, checking protocol-related configuration and configuring the log audit policy. The whole process converts manual operations into automatic ones, and because the security reinforcement script program runs from the external device, it consumes fewer resources on the host to be reinforced and improves host security in a convenient and efficient way. This provides individuals and enterprises with a portable and efficient Linux system host automatic security reinforcement method and device, with a wider audience and broad prospects for market application.
The foregoing has shown and described the basic principles and main features of the present invention and the advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (7)

1. The automatic safety reinforcement method for the Linux system host is characterized by comprising the following steps:
S11, checking account password security;
S12, adjusting an access control strategy;
S13, modifying the default configuration of system services;
S14, checking protocol-related configuration;
S15, configuring a log audit strategy.
2. The method for automatically reinforcing security of a Linux system host according to claim 1, wherein step S11 comprises: (1) checking whether a user with an empty password exists, configuring a fixed password for that user, and checking the configuration files /etc/shadow and /etc/passwd;
(2) checking whether a privileged user exists, deleting the privileged user, and checking the configuration file /etc/passwd;
(3) setting the system password strategy, and modifying the configuration file /etc/login.defs;
(4) setting password complexity, and modifying the configuration file /etc/pam.d/system-auth;
(5) setting a user login failure strategy, and modifying the configuration file /etc/pam.d/system-auth.
3. The method for automatically reinforcing security of a Linux system host according to claim 1, wherein step S12 comprises: (1) limiting the users who can su to root, and modifying the configuration file /etc/pam.d/su;
(2) forbidding direct login of the root user, and modifying the configuration file /etc/ssh/sshd_config;
(3) disabling the Ctrl+Alt+Delete shortcut, and modifying the configuration file /usr/lib/system/system;
(4) adding user IP and execution time information to the history command, and modifying the configuration file /etc/bashrc;
(5) limiting the login timeout, and modifying the configuration file /etc/profile;
(6) setting the default access permissions of user directories, and modifying the configuration file /etc/login.
(7) modifying the permissions of critical directories and files.
4. The method for automatically reinforcing security of a Linux system host according to claim 1, wherein step S13 comprises: (1) modifying the ssh port and version, setting a login Banner prompt, setting the allowed number of password errors, and modifying the configuration file /etc/ssh/sshd_config;
(2) restricting the IPs allowed to make ssh remote connections, and modifying the configuration file /etc/host;
(3) closing unnecessary services, including telnet, ftp, talk, rsh, rsync, xinetd and nfs;
(4) starting the firewall, setting the corresponding firewall strategy, and modifying the configuration file /etc/sysconfig/iptables;
(5) checking whether a .netrc, .rhosts or hosts.equiv file exists in a user directory, and deleting such potentially threatening files;
(6) updating the bash version and the openssl version to avoid known vulnerabilities.
5. The method for automatically reinforcing security of a Linux system host according to claim 1, wherein step S14 comprises: (1) forbidding anonymous users and the root user from logging in to FTP, and modifying the configuration file /etc/vsftpd;
(2) limiting the permissions of files uploaded by FTP users, and modifying the configuration file /etc/vsftpd/vsftpd.conf;
(3) limiting the directories that an FTP user can access after logging in;
(4) closing the FTP Banner, and modifying the configuration file /etc/vsftpd/vsftpd.conf;
(5) checking the NTP configuration, and modifying the configuration file /etc/chrony.conf;
(6) configuring the SNMP default community string, and modifying the configuration file /etc/snmp/snmpd.conf;
(7) turning off ICMP route redirection, and modifying the configuration file /etc/sysctl.conf.
6. The method for automatically reinforcing security of a Linux system host according to claim 1, wherein step S15 comprises: (1) starting the rsyslog service to manage logs centrally, and modifying the configuration file /etc/rsyslog.conf;
(2) starting the auditd service to record system events, and modifying the configuration file /etc/audisp/plug.
(3) recording the login operation logs of all users through script code, and modifying the configuration file /etc/profile;
(4) setting log file attributes to avoid deletion and modification, and modifying the access permissions of the files under /var/log.
7. An automatic security reinforcement device for a Linux system host, characterized by comprising a USB controller and a memory, wherein a powershell script program that controls keyboard input is burned into the control firmware in the memory, a Linux system security reinforcement script program is stored in the mass storage in the memory, the USB controller automatically runs the powershell script program in the controller firmware to simulate keyboard input, and the steps of the reinforcement method are carried out when the Linux system security reinforcement script program in the memory is started; the execution flow of the Linux system host automatic security reinforcement device is as follows:
S21, the automatic reinforcement device is connected to the host to be reinforced, and after the external storage device is detected the USB controller automatically runs the powershell script program in the controller firmware;
S22, the powershell script in the controller firmware handles two situations: if the reinforcement object is a server, the powershell script mounts the external storage device; if the reinforcement object is a personal host, the Linux system mounts the external storage device automatically;
S23, keyboard input is simulated by the powershell script program to open a system command line automatically and start the Linux system security reinforcement script program in the memory;
S24, a snapshot file of the current Linux system is created and saved by the Linux system security reinforcement script, and the Linux system security reinforcement strategy is loaded.
CN202211463045.3A 2022-11-22 2022-11-22 Automatic safety reinforcement method and equipment for Linux system host Pending CN116257266A (en)
Publications (1)

Publication Number Publication Date
CN116257266A true CN116257266A (en) 2023-06-13
Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103049702A (en) * 2013-01-05 2013-04-17 浪潮电子信息产业股份有限公司 Server layer based security reinforcing strategy
WO2018049977A1 (en) * 2016-09-14 2018-03-22 中兴通讯股份有限公司 Method and device for guaranteeing system security
CN111027100A (en) * 2019-11-15 2020-04-17 内蒙古电力(集团)有限责任公司内蒙古电力科学研究院分公司 Automatic reinforcing method for information system security configuration
CN111638872A (en) * 2020-05-30 2020-09-08 内蒙古电力(集团)有限责任公司内蒙古电力科学研究院分公司 Automatic change reinforcement script system
CN112818335A (en) * 2021-02-23 2021-05-18 山东铭云信息技术有限公司 Method for managing and controlling safe operation and maintenance of privileged account
CN113868639A (en) * 2021-09-27 2021-12-31 中国南方电网有限责任公司超高压输电公司昆明局 Linux system reinforcing method and device, computer equipment and storage medium
CN113946834A (en) * 2021-10-26 2022-01-18 南京联创信息科技有限公司 Security reinforcement strategy optimization method for Linux operating system
CN115277204A (en) * 2022-07-28 2022-11-01 国网安徽省电力有限公司电力科学研究院 Portable network security configuration of electric power monitored control system checks reinforced apparatus
Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ICODE9: "安全加固", pages 1 - 21, Retrieved from the Internet <URL:https://www.icode9.com/content-4-133947.html> *
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination