Detect whether secure socket layer encryption is used to transmit information to avoid eavesdropping on sensitive information
Test type: Whether to use encrypted remote administration ssh
Risk level: Medium risk
Risk detail: Remote administration of ssh without secure socket encryption
Solution:
1. Add or modify Protocol 2 in [/etc/ssh/sshd_config] file
2. Then run the command systemctl restart sshd to restart the process
Tips: This scheme can enhance the protection of SSH communication and avoid sensitive data leakage.
Check if the command-line interface timeout is set
Test type: Check if the command-line interface timeout is set
Risk level: Medium risk
Risk detail: No command line timeout is configured for exit
Solution:
1. Add tmout=300 in the file [/etc/profile], and the waiting time is not more than 600 seconds
2. Execute source /etc/profile to make the configuration work
Tips: This solution will make the server command line over a certain period of time does not operate automatically shut down, can strengthen the security of the server.
User FTP access security configuration checks
Test type: User FTP access security configuration
Risk level: Medium risk
Risk detail: Currently pure-ftpd is not configured with security access. Modify/add the value of Umask to 177:077 in the [pure-ftpd.conf] file
Solution:
1. In [/www/server/pure-ftpd/etc/pure-ftpd.conf] change the value of Umask to 177:077 in the config file
Tips: This scheme can enhance the protection of FTP server and reduce the risk of server intrusion.
Check important files for suid and sgid permissions
Test type: Check for files with suid and sgid permissions
Risk level: Medium risk
Risk detail: The following files have sid privilege, chmod u-s or g-s remove sid bits: “/usr/bin/chage、/usr/bin/gpasswd、/usr/bin/wall、/usr/bin/chfn、/usr/bin/chsh、/usr/bin/newgrp、/usr/bin/write、/usr/sbin/usernetctl、/bin/mount、/bin/umount、/sbin/netreport”
Solution:
1. Use the chmod u-s/g-s [filename] command to change the permissions of the file
Tips: This scheme removes the special permissions of important files, which can prevent intruders from using these files for privilege escalation.
chmod g-s /usr/bin/chage chmod u-s /usr/bin/gpasswd chmod u-s /usr/bin/chfn chmod u-s /usr/bin/chsh chmod u-s /usr/bin/newgrp chmod u-s /bin/mount chmod u-s /bin/umount
bootloader Configuring permission checks
Test type: bootloader Configuring permissions
Risk level: Medium risk
Risk detail: The following critical file or directory permissions are incorrect:/boot/grub2/grub.cfg Current permissions: 644 : root Security permissions: 600 : root
Solution:
1. Configure secure permissions for grub according to the file suggested by the risk description
2. If grub2, then: chmod 600 /boot/grub2/grub.cfg、chown root /boot/grub2/grub.cfg
3. If grub, then: chmod 600 /boot/grub/grub.cfg、chown root /boot/grub/grub.cfg
Tips: This scheme can strengthen the server grub interface protection, further prevent external intrusion server.
Check if an empty password user exists
Test type: Check if an empty password user exists
Risk level: High risk
Risk detail: Found an empty password user【】
Solution:
1. Log in to server as root, set password for empty password user
2. If you do not know the user’s purpose, you can execute the command [passwd -l (username)] to temporarily block the user.Unlock user command [passwd-fu (username)]
Tips: detects the existence of blank password users, may be hackers reserved backdoor users, if not business needs to suggest setting a password.
sudo awk -F":" '($2 == "") {print $1 ": has no password."}' /etc/shadow
Critical file permission checks
Test type: Critical file permission checks
Risk level: High risk
Risk detail: The following critical files or directories have permission errors:
/etc/shadow Current permissions: 000 : root Suggested changes to: 400 : root
/etc/security Current permissions: 755 : root Suggested changes to: 600 : root
/etc/ssh/sshd_config Current permissions: 600 : root Suggested changes to: 644 : root
/etc/gshadow Current permissions: 000 : root Suggested changes to: 400 : root
/etc/shadow Current permissions: 000 : root Suggested changes to: 400 : root
/etc/gshadow Current permissions: 000 : root Suggested changes to: 400 : root
Solution:
1、On the [File] page, set the correct permissions and owner for the specified directory or file
Detect whether to limit password reuse times
Test type: Check password reuse limit
Risk level: Medium risk
Risk detail: Unlimited password reuse
Solution:
1、Configuration file backup: cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
2、Add or modify remember=5 after [password sufficient] in [/etc/pam.d/system-auth] file
SSH idle timeout detection
Test type: SSH idle timeout detection
Risk level: Medium risk
Risk detail: The current SSH idle timeout time is: 0, it is recommended to set it to 600-900
Solution:
1、Set [ClientAliveInterval] in the [/etc/ssh/sshd_config] file to be between 600 and 900
2、Tip: The recommended SSH idle timeout time is: 600-900
Check whether the current panel port is safe
Test type: Panel port
Risk level: Medium risk
Risk detail: The panel port is the default port (7800), which may cause unnecessary security risks
Solution:
1. Please modify the default panel port on the [Settings] page
2. Note: Servers with [Security Group] should release the new port in the [Security Group] in advance to prevent the new port cannot be opened
SSH password complexity check
Test type: SSH password complexity check
Risk level: Medium risk
Risk detail: 【/etc/security/pwquality.conf】set the minclass setting to 3 or 4 in the file
Solution:
1、【/etc/security/pwquality.conf】 Set password complexity to require 3 or 4 types of characters, such as lowercase letters, uppercase letters, numbers, and special characters. like:
2、minclass=3
/etc/bashrc User default permission check
Test type: [/etc/bashrc] User default permission check
Risk level: Medium risk
Risk detail: umask is not set to 027
Solution:
1、[/etc/bashrc] The umask set in the file is 002, and it is recommended to set it to 027
2、Solution: Modify the /etc/bashrc file permission to 027
Panel login alarm
Test type: Panel login alarm
Risk level: Medium risk
Risk detail: Please enable it in [Settings] – [Notification]
Solution:
1、Enable it in [Settings] – [Notification]
[/etc/csh.cshrc] User default permission check
Test type: [/etc/csh.cshrc] User default permission check
Risk level: Medium risk
Risk detail: umask not set to 027
Solution:
1、[/etc/csh.cshrc] The umask set in the file is 002, which does not meet the requirements. It is recommended to set it to 027
2、The operation is as follows: Modify umask to 027
Check the minimum interval between SSH password changes
Test type: Check the minimum interval between SSH password changes
Risk level: Medium risk
Risk detail: 【/etc/login.defs】In the file, PASS_MIN_DAYS is greater than or equal to 7
Solution:
1、[/etc/login.defs] PASS_MIN_DAYS should be set to be greater than or equal to 7
2、PASS_MIN_DAYS 7 needs to execute the command at the same time to set the expiration time of the root password. The command is as follows: chage –mindays 7 root
Check SSH password expiration time
Test type: Check SSH password expiration time
Risk level: Medium risk
Risk detail: 【/etc/login.defs】Set PASS_MAX_DAYS to between 90-180 in the file
Solution:
1、[/etc/login.defs] Use a non-password login key pair. Please ignore this, and set the PASS_MAX_DAYS parameter to between 90-180 in /etc/login.defs
2、PASS_MAX_DAYS 90 You need to execute the command to set the root password expiration time at the same time. The command is as follows: chage –maxdays 90 root
The panel is not monitoring
Test type: The panel is not monitoring
Risk level: Low risk
Risk detail: Open it in [Monitor] – [System Monitor]
Solution:
1、Open it in [Monitor] – [System Monitor]
Check the website to prevent cross-site
Test type: Website anti-cross-site detection
Risk level: Low risk
Risk detail: The following websites are not enabled for cross-site prevention: …
Solution:
1. On the [WebSite] page, [Settings]-[Site Directory], turn on the [Anti-cross-site attack (open_basedir)] function
PHP version leaked
Test type: PHP version leaked
Risk level: High risk
Risk detail: Risk-free
Suggest:
1. Set [expose_php] in the [php.ini] file and configure it to Off
2. Tips: Set [expose_php] in the [php.ini] file and configure it to Off
Tips: This solution can prevent the disclosure of sensitive information on the website and reduce the possibility of server intrusion.
