- Critical file permission checks
Test type: Critical file permission checks
Risk level: High risk
Risk detail: The following critical files or directories have permission errors:
/etc/shadow: current permissions 000, owner root; suggested 400, owner root
/etc/security: current permissions 755, owner root; suggested 600, owner root
/etc/ssh/sshd_config: current permissions 600, owner root; suggested 644, owner root
/etc/gshadow: current permissions 000, owner root; suggested 400, owner root
Solution:
1. On the [File] page, set the correct permissions and owner for the specified directory or file
- Detect whether to limit password reuse times
Test type: Check password reuse limit
Risk level: Medium risk
Risk detail: Unlimited password reuse
Solution:
1. Back up the configuration file first: cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
2. In [/etc/pam.d/system-auth], add or change remember=5 on the [password sufficient] line
- SSH idle timeout detection
Test type: SSH idle timeout detection
Risk level: Medium risk
Risk detail: The current SSH idle timeout is 0 (no timeout); a value between 600 and 900 is recommended
Solution:
1. Set [ClientAliveInterval] in the [/etc/ssh/sshd_config] file to a value between 600 and 900
2. Tip: The recommended SSH idle timeout is 600-900
- Check whether the current panel port is safe
Test type: Panel port
Risk level: Medium risk
Risk detail: The panel port is the default port (7800), which may cause unnecessary security risks
Solution:
1. Please modify the default panel port on the [Settings] page
2. Note: On servers protected by a [Security Group], open the new port in the [Security Group] beforehand; otherwise the panel may become unreachable on the new port
- SSH password complexity check
Test type: SSH password complexity check
Risk level: Medium risk
Risk detail: minclass in [/etc/security/pwquality.conf] should be set to 3 or 4
Solution:
1. In [/etc/security/pwquality.conf], require passwords to contain 3 or 4 character classes (lowercase letters, uppercase letters, digits, special characters), for example:
2. minclass=3
- /etc/bashrc User default permission check
Test type: [/etc/bashrc] User default permission check
Risk level: Medium risk
Risk detail: umask is not set to 027
Solution:
1. The umask set in [/etc/bashrc] is 002; the recommended value is 027
2. Solution: Change the umask line in /etc/bashrc to umask 027
- Panel login alarm
Test type: Panel login alarm
Risk level: Medium risk
Risk detail: Please enable it in [Settings] – [Notification]
Solution:
1. Enable it in [Settings] – [Notification]
- [/etc/csh.cshrc] User default permission check
Test type: [/etc/csh.cshrc] User default permission check
Risk level: Medium risk
Risk detail: umask not set to 027
Solution:
1. The umask set in [/etc/csh.cshrc] is 002, which does not meet the requirement; the recommended value is 027
2. Solution: Change the umask line in /etc/csh.cshrc to umask 027
- Check the minimum interval between SSH password changes
Test type: Check the minimum interval between SSH password changes
Risk level: Medium risk
Risk detail: PASS_MIN_DAYS in [/etc/login.defs] should be greater than or equal to 7
Solution:
1. In [/etc/login.defs], set PASS_MIN_DAYS to a value greater than or equal to 7
2. Setting PASS_MIN_DAYS 7 only affects newly created accounts; to apply the same setting to the existing root account, also run: chage --mindays 7 root
- Check SSH password expiration time
Test type: Check SSH password expiration time
Risk level: Medium risk
Risk detail: PASS_MAX_DAYS in [/etc/login.defs] should be set to a value between 90 and 180
Solution:
1. If you log in with an SSH key pair instead of a password, this item can be ignored; otherwise, set PASS_MAX_DAYS in [/etc/login.defs] to a value between 90 and 180
2. Setting PASS_MAX_DAYS 90 only affects newly created accounts; to apply the same expiration to the existing root account, also run: chage --maxdays 90 root
- Panel monitoring is not enabled
Test type: Panel monitoring is not enabled
Risk level: Low risk
Risk detail: Open it in [Monitor] – [System Monitor]
Solution:
1. Open it in [Monitor] – [System Monitor]
- Website anti-cross-site check
Test type: Website anti-cross-site detection
Risk level: Low risk
Risk detail: The following websites are not enabled for cross-site prevention: …
Solution:
1. On the [WebSite] page, [Settings]-[Site Directory], turn on the [Anti-cross-site attack (open_basedir)] function