
Linux security basics

2022-02-15 02:48:19
Security

1. Hardware security (server room access control, server chassis locks, BIOS password, GRUB password, etc.; LUKS hard disk or partition encryption; scrambling the keyboard layout, etc.)
2. Password security (password complexity, regular password changes, password policies, etc.)
3. User security / security operations management (access control, access-time control, screen locking: ordinary users can press Ctrl+Alt+L; root can install software such as xlock to do the same. RHEL 7 / CentOS 7 can lock the screen by default. To disable Ctrl+Alt+Delete shutdown at runlevel 3 on RHEL 6, comment out the "start on control-alt-delete" line in /etc/init/control-alt-delete.conf; on RHEL 7 / CentOS 7, comment out or delete the /usr/lib/systemd/system/ctrl-alt-del.target file)
4. Service security (each service generally has its own options or parameters for hardening, and some can be placed under a wrapper such as xinetd or tcp_wrappers to manage and harden them)
5. Authentication security (NIS, LDAP and Kerberos provide centralised user management; some software keeps its authentication data in a database or in LDAP, e.g. the users of a mail system; PAM pluggable authentication modules)
6. Network and communication security (tunnels or VPN; iptables or firewalld; GPG encryption of data in transit; SSL/TLS; SSH login hardening)
7. Software security (vulnerabilities, bugs, software updates, signature verification when installing software)
8. System auditing, log statistics and log management
9. Permission hardening (for important system files, e.g. chmod 600 /etc/passwd, etc.; file ACLs; SELinux; sudo, etc.)
10. Intrusion detection (post-intrusion integrity checks, analysis of intrusion data)

11. Internal company security (hire honest and professional staff, develop operational norms, and the boss pays wages that keep employees happy @_@)



Reference documents (docs.redhat.com):
        Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
        Red_Hat_Enterprise_Linux-7-Security_Guide-zh-CN.pdf


==========================================================================================================


Encryption

Hard disk / partition encryption: cryptsetup with LUKS (Linux Unified Key Setup)
File encryption: PGP (Pretty Good Privacy) / gpg (GNU Privacy Guard)
Network communication encryption: SSL/TLS, tunnels, VPN (virtual private network)
(This article covers hard disk and file encryption.)


LUKS (Linux Unified Key Setup-on-disk-format) is the standard for Linux hard disk encryption.
By providing a standard on-disk format, it not only facilitates compatibility between distributions, but also provides secure management of multiple user passphrases.
An encrypted volume must first be unlocked before the file system on it can be mounted.

Partitions or logical volumes can be encrypted directly.


# rpm -qf `which cryptsetup` 
cryptsetup-1.7.2-1.el7.x86_64

       cryptsetup - setup cryptographic volumes for
       dm-crypt (including LUKS extension)


-- I'll test this on a virtual machine: add a new disk (1 GB is enough) and partition it as /dev/vdb1, without formatting it
[root@localhost ~]# cryptsetup luksFormat /dev/vdb1

WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES --- must be uppercase YES
Enter LUKS passphrase: 
Verify passphrase: ---Enter the same passphrase twice; on CentOS 7 the passphrase must not be too simple and has to meet a certain level of complexity


[root@localhost ~]# cryptsetup luksOpen /dev/vdb1 secretdisk -- opens a mapping of the encrypted disk; the trailing name secretdisk is chosen by you
Enter passphrase for /dev/vdb1: --enter the passphrase set in the previous step

[root@localhost ~]# ls /dev/mapper/secretdisk ---the device file has now been created
/dev/mapper/secretdisk


[root@localhost ~]# mkfs.xfs /dev/mapper/secretdisk -- create the file system; needed only the first time, not on later accesses

[root@localhost ~]# mount /dev/mapper/secretdisk /mnt/ --mount it; now you can read and write to it


[root@localhost /]# umount /mnt/ -- when it is no longer in use, unmount it first

[root@localhost /]# cryptsetup luksClose /dev/mapper/secretdisk --then close the mapping; /dev/mapper will no longer contain the device file secretdisk


[root@localhost /]# mount /dev/vdb1 /mnt/ -- trying to mount the raw device is useless
mount: unknown filesystem type 'crypto_LUKS'


[root@localhost ~]# cryptsetup luksOpen /dev/vdb1 abc -- to use it again, open a mapping with this command; the name may differ from last time, and of course the passphrase is still required



[root@localhost ~]# ls /dev/mapper/abc ---the device is there; mount it and the encrypted data inside is accessible



--That is to say, even with root access there is no way to read the data without the passphrase; of course you can format /dev/vdb1, but then the data is certainly gone
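As an added illustration (not part of the original article), the following Python script parses the LUKS1 on-disk header that mount stumbles over above: it reports the cipher, mode, hash, master-key size and which of the eight key slots are enabled, which is what a defender checks when taking inventory of encrypted volumes. The header bytes are constructed inline for the demo rather than read from /dev/vdb1; on a real system you would read the first 592 bytes of the device.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"                         # the signature mount reports as crypto_LUKS
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD   # LUKS1 key-slot state markers
HEADER_LEN = 592                                     # fixed size of the LUKS1 header


def cstring(blob: bytes, off: int, size: int) -> str:
    """Read a NUL-padded ASCII field from the header."""
    return blob[off:off + size].split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob: bytes) -> dict:
    """Parse the LUKS1 on-disk header (all integers are big-endian)."""
    if len(blob) < HEADER_LEN or blob[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: this is not a LUKS1 volume")
    (version,) = struct.unpack_from(">H", blob, 6)
    if version != 1:
        raise ValueError(f"unsupported LUKS header version {version}")
    payload_offset, key_bytes = struct.unpack_from(">II", blob, 104)
    (mk_iterations,) = struct.unpack_from(">I", blob, 164)
    active_slots = []
    for slot in range(8):                            # 8 slots of 48 bytes, starting at offset 208
        (state,) = struct.unpack_from(">I", blob, 208 + 48 * slot)
        if state == KEY_ENABLED:
            active_slots.append(slot)
    return {"cipher": cstring(blob, 8, 32), "mode": cstring(blob, 40, 32),
            "hash": cstring(blob, 72, 32), "uuid": cstring(blob, 168, 40),
            "payload_offset_sectors": payload_offset, "key_bytes": key_bytes,
            "mk_digest_iterations": mk_iterations, "active_slots": active_slots}


def build_sample_header() -> bytes:
    """Constructed LUKS1 header for the demo (not a real disk dump): slots 0 and 3 enabled."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11], hdr[40:51], hdr[72:78] = b"aes", b"xts-plain64", b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)      # payload at sector 4096, 512-bit master key
    struct.pack_into(">I", hdr, 164, 100000)
    hdr[168:204] = b"12345678-1234-1234-1234-123456789abc"   # placeholder UUID
    for slot in range(8):
        state = KEY_ENABLED if slot in (0, 3) else KEY_DISABLED
        struct.pack_into(">II", hdr, 208 + 48 * slot, state, 250000)   # state, PBKDF2 iterations
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

A volume with more active slots than you expect is worth a second look, since every enabled slot is a passphrase that unlocks the master key.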



=============================================================



File encryption


Symmetric encryption
--Data is encrypted with one key and must be decrypted with that same key, so it is not suitable for encrypting network transmissions: after encrypting locally, you also have to send the key to the other party along with the data, so both can be intercepted in transit



				Merchants

				Platform

			User (Zhang San)        Bank



			             Network
			Zhang San ----------------------> Bank
		1 Encrypt the file with the key
		2 Send the file and the key over the network
		3 Both the file and the key may be intercepted on the network



Asymmetric encryption
--Use a pair of keys (a public key and a private key). Give the public key to the other party; when they want to send you data they encrypt it with that public key, and even if it is intercepted in transit it cannot be decrypted without the private key. After it arrives you decrypt it with your private key, so this is suitable for network transmission


			             Network
			Zhang San ----------------------> Bank
		1 The bank generates (or buys) a pair of keys
		2 The bank publishes the public key on the public network and keeps the private key to itself
		3 Zhang San encrypts the data with the bank's public key
		4 The encrypted data is transmitted to the bank over the network
		5 Even if it is intercepted, it cannot be decrypted without the private key


PGP (Pretty Good Privacy)
gpg (GNU Privacy Guard)


Example 1: Symmetric encryption and decryption of local or remote files


Encrypt a file:
[root@li ~]# gpg2 -c test --the -c option selects symmetric encryption
Password:
Retype password:

--encryption produces the file test.gpg; the original file can then be deleted: rm -rf test

# file test.gpg --view the file type
test.gpg: data


# cat test.gpg --gibberish
# vim test.gpg --gibberish
# strings test.gpg --nothing readable either



To decrypt the file:
[root@li ~]# gpg2 test.gpg 



--to encrypt a directory, pack the directory first, then encrypt the archive

--scp the encrypted file above to a remote machine; the remote machine (any machine) can decrypt it as long as it has the password (equivalent to bundling the encrypted file and the key together and handing both over)
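Added example, not from the original article: file only says "data" because gpg writes binary OpenPGP packets. The Python below walks the packet headers of a .gpg file (RFC 4880 old- and new-format headers) and tells, without any passphrase or key, whether the file was encrypted with a passphrase as in this example (a Symmetric-Key Encrypted Session Key packet, tag 3) or to a public key as in Example 2 (a Public-Key Encrypted Session Key packet, tag 1). The two sample byte strings are constructed for the demo with filler bodies, not real gpg output.

```python
# Packet tags (RFC 4880 section 4.3): 1 = Public-Key Encrypted Session Key (gpg2 -e -r ...),
# 3 = Symmetric-Key Encrypted Session Key (gpg2 -c), 18 = Sym. Encrypted Integrity Protected Data
PKESK, SKESK, SEIPD = 1, 3, 18

def read_packet_headers(blob: bytes) -> list:
    """Return (tag, body_length) for each packet; bodies are skipped, never decrypted."""
    packets, pos = [], 0
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError(f"byte {ctb:#04x} at offset {pos} is not a packet header")
        if ctb & 0x40:                                   # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, blob[pos + 1]
            if first < 192:
                length, hdr_len = first, 2
            elif first < 224:
                length, hdr_len = ((first - 192) << 8) + blob[pos + 2] + 192, 3
            elif first == 255:
                length, hdr_len = int.from_bytes(blob[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial-body lengths are not handled in this example")
        else:                                            # old format: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled in this example")
            n = 1 << ltype                               # 1-, 2- or 4-byte length field
            length, hdr_len = int.from_bytes(blob[pos + 1:pos + 1 + n], "big"), 1 + n
        packets.append((tag, length))
        pos += hdr_len + length
    if pos != len(blob):
        raise ValueError("truncated file: shorter than its packet headers claim")
    return packets

def classify(blob: bytes) -> str:
    """Say how a .gpg file was encrypted, from the headers alone."""
    tags = {tag for tag, _ in read_packet_headers(blob)}
    if PKESK in tags:
        return "public-key: the recipient's private key is needed"
    if SKESK in tags and SEIPD in tags:
        return "symmetric: a passphrase is needed (gpg2 -c)"
    return "not an encrypted message"

# Constructed samples (real header layout, filler bodies), not actual gpg output.
SYMMETRIC_SAMPLE = (bytes([0x8C, 0x0D]) + b"\x04\x07\x03\x08" + b"\xaa" * 9    # SKESK, 13-byte body
                    + bytes([0xD2, 0x20]) + b"\xbb" * 32)                      # SEIPD, 32-byte body
PUBKEY_SAMPLE = (bytes([0x85, 0x01, 0x0C]) + b"\x03" + b"\x11" * 8 + b"\x01" + b"\xcc" * 258
                 + bytes([0xD2, 0xC0, 0x00]) + b"\xdd" * 192)                  # PKESK 268 B, SEIPD 192 B
```

Run classify() on the bytes of a captured .gpg file to see which of the two workflows produced it; a file that starts with the 0x8C byte is the passphrase case from this example.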

----------------------------------------------------

Example 2:
Both sides of the communication use key pairs for asymmetric encryption and decryption

		Simulated user Zhang San          Simulated bank
		172.16.25.2 ------------------ 172.16.25.3



Step 1:
On the bank machine 172.16.25.3, look up the public and private keys held on the local machine
# gpg2 --list-keys or gpg2 -k --list the public keys on this machine; empty for now
# gpg2 --list-secret-keys or gpg2 -K --list the private keys on this machine; empty for now



Generate the asymmetric key pair on the bank machine 172.16.25.3
# gpg2 --gen-key --generate a key pair


Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1 -- algorithm selection, default 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) -- The longer the key, the more secure it is, but the more time and resources encryption and decryption consume
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1 -- key validity period; 1 day is chosen here to make the later test easier
Key expires at: Fri 09 Oct 2015 11:35:11 AM (Japan time)
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: haha
Name must be at least 5 characters long
Real name: hahahehe
Email address: [email protected] (fill in as you like)
Comment: @_@
You selected this USER-ID:
    hahahehe (@_@)