Guide to Server Security Reinforcement
-- V0.3
Version number | Revision time | Revision content |
---|---|---|
V0.1 | 20181016 | first draft |
V0.2 | 20181020 | one check item added, format modified; |
V0.3 | 20181022 | one check item added, format modified; |
In order to improve the security of its node servers, HPB has decided to adopt the server security strengthening schemes of security audit companies, which apply to HPB node servers running Linux. This guide helps node server users check and configure the security compliance of their servers.
Number | Content | Description |
---|---|---|
1 | Guide to Server Security Detection Script | Instruct node users to download and run the server security detection script so as to check the servers’ security configuration. See Chapter 2 for details. |
2 | Check Item Details | Details the 22 check items involved in the script and their configuration modification steps. Refer to Chapter 3 for details. |
To simplify the steps for its users, HPB provides a server security detection script that automatically checks the security configuration of the server's Linux system.
Number | Steps | Description |
---|---|---|
1 | Download Script | Command: "git clone https://github.com/hpb-project/systemcheck" |
2 | Set Permissions | Command: "cd systemcheck" Command: "chmod +x systemcheck.sh" |
3 | Run script | Command: "sudo ./systemcheck.sh" Tip: enter the login password of the current account as prompted; Should “not installed chkconfig, whether to install (y/n)” appear, enter "y". |
4 | View the results | Command: "vi servercheck.txt" Tip: a passed check is reported as "safe", a failed check as "unsafe". To modify the configuration, refer to Chapter 3; the nth check item corresponds to Chapter 3 Section n. |
HPB recommends that users change any item reported as unsafe to the secure configuration. For details, see Chapter 3.
(1) Step 1: Download the server security detection script
Open a command prompt window and enter "git clone https://github.com/hpb-project/systemcheck";
hpb@dell-PowerEdge-R730:~$ git clone https://github.com/hpb-project/systemcheck
Cloning into 'systemcheck'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
Unpacking objects: 100% (8/8), done.
remote: Total 8 (delta 2), reused 8 (delta 2), pack-reused 0
Checking connectivity... done.
hpb@dell-PowerEdge-R730:~$
(2) Step 2: Set file permissions
Enter "cd systemcheck"
hpb@dell-PowerEdge-R730:~$ cd systemcheck
hpb@dell-PowerEdge-R730:~/systemcheck$
Continue setting file permissions
Enter "chmod +x systemcheck.sh"
hpb@dell-PowerEdge-R730:~/systemcheck$ chmod +x systemcheck.sh
hpb@dell-PowerEdge-R730:~/systemcheck$
(3) Step 3: Run the script
Enter "sudo ./systemcheck.sh" and the current user's login password as prompted; the script then checks the server configuration automatically.
hpb@dell-PowerEdge-R730:~/systemcheck$ sudo ./systemcheck.sh
[sudo] password for hpb:
Start checking...
1. Check the password validity setting
2. Check the password strength configuration
3. Check the empty password account
4. Check the account lockout configuration
5. Check the UID of the accounts (other than root) to be 0.
6. Check the environment variables (including the parent directory)
7. Check the environment variables (including directory with the group permission of 777).
……
The user has to wait for a while. When prompted "chkconfig not installed, whether to install (y/n):", enter "y" to install chkconfig; "Check completed, please read the servercheck.txt file carefully" indicates that the security check has been completed.
Check the running service
Chkconfig is not installed, whether to install (y/n) :y
Reading package lists... Done
Building dependency tree
Reading state information... Done
......
Setting up sysv-rc-conf (0.99-7) ...
Successful installation
Check status of the core dump
Check is completed, please read servercheck.txt carefully
(4) Step 4: View the running results
Enter "vi servercheck.txt" to display the results of the 22 check items. Passed items are reported "safe", failed items "unsafe". HPB recommends that users change failed items to safe; for the modification steps of a specific item, refer to Chapter 3. Tip: the nth check item corresponds to Chapter 3 Section n.
hpb@dell-PowerEdge-R730:~/systemcheck$ vi servercheck.txt
1. Password timeout not configured, unsafe.
Suggestion:
Execute sed -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs Set the password to be valid for 90 days.
2. Password strength check not configured, unsafe
Suggestion:
Execute echo "passwd requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1" >> /etc/pam.d/systemd-auth to configure the password to include uppercase and lowercase letters, numbers and at least 8 characters.
3. No empty password account found, safe
……
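As an added example (not part of the HPB systemcheck project), a small shell helper that lists which numbered items in servercheck.txt are reported unsafe, so you know which Chapter 3 sections to follow; the sample file it parses is constructed from the excerpt above.

```shell
#!/bin/sh
# Added example, not from the HPB guide or the systemcheck script.
# servercheck.txt result lines look like "N. <description>, unsafe" or
# "N. <description>, safe", followed by optional "Suggestion:" lines.

# Print the numbers of the check items reported as unsafe, one per line.
unsafe_items() {
    # $1: path to servercheck.txt
    awk '
        # A result line starts with an item number followed by a dot.
        /^[0-9]+\. / {
            line = $0
            sub(/[.,; \t]*$/, "", line)      # strip trailing punctuation
            if (line ~ /unsafe$/) {
                split($1, parts, ".")
                print parts[1]
            }
        }
    ' "$1"
}

# One-line overview: how many items failed out of how many were reported.
summarize() {
    total=$(grep -c '^[0-9][0-9]*\. ' "$1" || true)
    bad=$(unsafe_items "$1" | wc -l | tr -d ' ')
    echo "$bad of $total check items unsafe"
}

# Constructed sample modelled on the servercheck.txt excerpt in the guide.
make_sample() {
    cat > "$1" <<'EOF'
1. Password timeout not configured, unsafe.
Suggestion:
Execute sed -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs Set the password to be valid for 90 days.
2. Password strength check not configured, unsafe
Suggestion:
Execute echo "passwd requisite pam_cracklib.so ..." >> /etc/pam.d/systemd-auth
3. No empty password account found, safe
4. Account lockout configured, safe
EOF
}

# Usage: sh unsafe_items.sh /path/to/servercheck.txt
if [ $# -gt 0 ]; then
    summarize "$1"
    unsafe_items "$1"
fi
```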
Number | Step | Description |
---|---|---|
1 | Switch to root user | Command:" su root" Tip: User should enter the root account password as prompted. |
2 | Set password expiration date (90 days) | Command:" sed -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs" |
(1) Step 1: Switch to root account. Open the command prompt, enter "su root", and type in the root account password as prompted;
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Set expiration date
Enter "sed -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs" to set the password to be valid for 90 days. No returned message for this command.
root@dell-PowerEdge-R730:/home/hpb# sed -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs
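The guide's sed only rewrites the literal value 99999, so a login.defs that already carries a different limit is left unchanged. As an added example (not from the guide), a helper that sets PASS_MAX_DAYS regardless of the current value and reads the setting back; the sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the HPB guide. Works on a copy of /etc/login.defs
# or on the live file when run as root. Uses GNU sed (-i), as the guide does.

# Print the active (uncommented) PASS_MAX_DAYS value, or "unset" if none.
get_pass_max_days() {
    # Commented lines start with "#" as their first field, so they never match.
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Rewrite the active PASS_MAX_DAYS line to DAYS; append one if there is none.
# Usage: set_pass_max_days FILE DAYS
set_pass_max_days() {
    file=$1; days=$2
    if grep -q '^PASS_MAX_DAYS[[:space:]]' "$file"; then
        # anchor at line start so the commented explanation line is untouched
        sed -i "s/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS   $days/" "$file"
    else
        printf 'PASS_MAX_DAYS   %s\n' "$days" >> "$file"
    fi
}

# Report the item the way servercheck.txt does: a limit of at most 90 days passes.
check_pass_max_days() {
    v=$(get_pass_max_days "$1")
    if [ "$v" != "unset" ] && [ "$v" -le 90 ]; then echo safe; else echo unsafe; fi
}
```

Note that PASS_MAX_DAYS only applies to passwords set after the change; run `chage -M 90 <user>` for accounts that already exist.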
### Configuration Modification steps
Number | Step | Description |
---|---|---|
1 | Switch to root (already-switched user can skip this) | Command: " su root" Tip: User should enter the root account password as prompted |
2 | Set password strength check | Command: "echo "passwd requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1" >> /etc/pam.d/systemd-auth" |
(1) Step 1: Switch to root account. Open the command prompt, enter "su root", and type in the root account password as prompted; Tip: if already switched to the root account, skip this step.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Set password strength check. Enter "echo "passwd requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1" >> /etc/pam.d/systemd-auth" to require passwords of at least 8 characters containing uppercase and lowercase letters and digits; no message is returned for this command.
root@dell-PowerEdge-R730:/home/hpb# echo "passwd requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1" >> /etc/pam.d/systemd-auth
root@dell-PowerEdge-R730:/home/hpb#
Number | Step | Description |
---|---|---|
1 | Switch to root account (skip if already switched) | Command: "su root" Tip: enter the root account password as prompted |
2 | Set password | Command: "passwd <account name>" Tip: replace <account name> with the account that has no password; type the new password twice as prompted. |
(1) Step 1: Switch to root account. Open the command prompt window, enter "su root", and type in the root account password as prompted; Tip: users already switched to root can skip this step.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Set password. Enter "passwd <account name>", type in the new password as prompted, then type it a second time to complete the process. Tip: use the name of the account that has no password yet, such as "test" in the following example.
root@dell-PowerEdge-R730:/home/hpb# passwd test
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Number | Step | Descriptions |
---|---|---|
1 | Switch to root account (skip if already switched) | Command:” su root" Tip: enter root account password as prompted |
2 | Set account lockout policy | Command:”echo "auth required pam_tally.so onerr=fail deny=10 unlock_time=300" >> /etc/pam.d/systemd-auth" |
(1) Step one: switch to root account
Open Command Prompt,type in“su root”,enter password as prompted;
Tip: skip this step if already switched to root account.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step two: set account lockout policy
Type in "echo "auth required pam_tally.so onerr=fail deny=10 unlock_time=300" >> /etc/pam.d/systemd-auth" to lock the account automatically after 10 consecutive failed logins; no message is returned for this command.
Tip: command to unlock the account: "faillog -u <user> -r".
root@dell-PowerEdge-R730:/home/hpb# echo "auth required pam_tally.so onerr=fail deny=10 unlock_time=300" >> /etc/pam.d/systemd-auth
root@dell-PowerEdge-R730:/home/hpb#
Number | Step | Description |
---|---|---|
1 | Switch to root account (skip if already switched) | Command:” su root" Tip: enter root account password as prompted |
2 | Modify account with UID 0 | Command: "usermod -u <new-uid> <user>" Command: "groupmod -g <new-gid> <user>" |
(1) Step one: switch to root account
Open Command Prompt,type in“su root”,enter password as prompted;
Tip: skip this step if already switched to root account.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Change the UID of the account that has UID 0
Type in "usermod -u <new-uid> <user>"; then type in "groupmod -g <new-gid> <user>".
Tip: <user> is the name of the non-root account that currently has UID 0; <new-uid> is the new UID to assign to it; <new-gid> is the new group ID to assign to its group.
Should a parent directory exist in the environmental variables, it is recommended that the user modify the configuration to remove the parent directory from environment variables.
Should the environment variables contain a directory with a group permission of 777, it is recommended that the user run the chmod command to modify the permission of the directory in the running result.
Should the server fail the remote connection security test, it is recommended that the user contact the administrator to confirm the necessity of the files in the running results. Once found unnecessary, the files in question should be deleted.
Number | Step | Description |
---|---|---|
1 | Switch to root account (skip if already switched) | Command:” su root" Tip: enter root account password as prompted |
2 | umask not configured | Command: "echo "umask 027" >> /etc/profile" Command: "echo "umask 027" >> /etc/bash.bashrc" |
2' | umask configuration not safe | Command: "vi /etc/profile", move the cursor to the umask parameter and change the number that follows it to "027"; Command: "vi /etc/bash.bashrc", move the cursor to the umask parameter and change the number that follows it to "027" |
(1) Step one: switch to root account
Start Command Prompt, type in "su root”,and enter root account password as prompted;
Tip: skip if already switched to root account.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: umask not configured
Type in "echo "umask 027" >> /etc/profile"; no message is returned for this command. Type in "echo "umask 027" >> /etc/bash.bashrc"; no message is returned for this command.
root@dell-PowerEdge-R730:/home/hpb# echo "umask 027" >> /etc/profile
root@dell-PowerEdge-R730:/home/hpb# echo "umask 027" >> /etc/bash.bashrc
(3) Step 2': umask configuration not safe
Type in "vi /etc/profile"; press the "↓" key to move the cursor to the umask parameter and change the number that follows it to "027";
root@dell-PowerEdge-R730:/home/hpb# vi /etc/profile
if [ -d /etc/profile.d ]; then
for i in /etc/profile.d/*.sh; do
if [ -r $i ]; then
. $i
fi
done
unset i
fi
umask 027
TMOUT=180
:wq(Press the “ESC” key and type in ":wq" to save the file and exit)
Type in “ vi /etc/bash.bashrc"; press the “↓” key to move the cursor to the umask parameter and change the immediately following number to “027”;
root@dell-PowerEdge-R730:/home/hpb# vi /etc/bash.bashrc
if [ -d /etc/profile.d ]; then
for i in /etc/profile.d/*.sh; do
if [ -r $i ]; then
. $i
fi
done
unset i
fi
umask 027
TMOUT=180
:wq(Press the “ESC” key and type in ":wq" to save the file and exit)
Carefully check the permissions of the files and directories in the running results. If the permissions are too loose, tighten them promptly.
Check for suspicious files in the running results and delete them in time.
Check the necessity of such permission set-up in all directories in the running results. If not necessary, modify the permission level in time.
Check the necessity of such permission set-up in all the files in the running results. If found unnecessary, modify the permission level in time.
Should there exist files without owners in the running results, add owners to the files. Should there exist suspicious files, delete them in time.
Check for suspicious files in the running results and delete in time.
Number | Step | Description |
---|---|---|
1 | Switch to root account ( skip if already switched) | Command: " su root" Tip: enter the root account password as prompted |
2 | Increase the login timeout configuration | Command: "echo "TMOUT=180" >> /etc/profile" |
(1) Step 1: Switch to root account
Start command prompt, type in "su root”,and enter root account password as prompted;
Tip: Skip this step if already switched to root account.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Increase the login timeout configuration
Type in "echo "TMOUT=180" >> /etc/profile"; no message is returned for this command.
root@dell-PowerEdge-R730:/home/hpb# echo "TMOUT=180" >> /etc/profile
root@dell-PowerEdge-R730:/home/hpb#
If ssh is not running, the user is advised to install and start the ssh service.
If telnet is running, the user is advised to stop the telnet service.
Number | Step | Description |
---|---|---|
1 | Switch to root account (skip if already switched) | command:” su root" tip: enter root account password as prompted |
2 | Forbid root remote login | command:" vi /etc/ssh/sshd_config" Move the cursor to find the parameters of “PermitRootLogin”,change the following “yes” to “no”. Tip: If the parameter is followed by other values other than "yes", no modification is required. |
(1) Step 1: Switch to root account
Start Command Prompt, type in "su root”,enter root account password as prompted;
Tip: skip this step if already switched to root account.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Forbid remote login for root account
Type in” vi /etc/ssh/sshd_config",move the cursor to PermitRootLogin,if the following value is “yes”, change it to "no”.
Tip: If the parameter is followed by other values other than "yes", no modification is required.
root@dell-PowerEdge-R730:/home/hpb# vi /etc/ssh/sshd_config
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
:wq(press the ”ESC” key and type in ”:wq” to save the file and exit)
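Added example (not from the guide): set PermitRootLogin to "no" in sshd_config regardless of its current state, including the case where the only PermitRootLogin line is commented out, and read back the effective value; sshd honours the first active match, so later duplicates are ignored.

```shell
#!/bin/sh
# Added example, not from the HPB guide. Works on a copy of sshd_config or on
# the live /etc/ssh/sshd_config when run as root. Uses GNU sed (-i, I flag).

# Print the value of the first active PermitRootLogin line, or "default" if
# the option is only commented out or absent.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Rewrite every active PermitRootLogin line to "no"; append one if none exists.
disable_root_login() {
    file=$1
    if grep -iq '^[[:space:]]*PermitRootLogin[[:space:]]' "$file"; then
        sed -i 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/I' "$file"
    else
        printf 'PermitRootLogin no\n' >> "$file"
    fi
}

# Report the item the way the guide phrases it: "yes" fails, any other explicit
# value passes. A missing setting is flagged separately, because the built-in
# default changed between OpenSSH releases (yes before 7.0, prohibit-password since).
check_root_login() {
    case "$(effective_permit_root_login "$1")" in
        yes)     echo unsafe ;;
        default) echo unset ;;
        *)       echo safe ;;
    esac
}
```

After changing the live file, run `sshd -t` to validate the configuration and restart the ssh service for the change to take effect.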
Check all the running services in the running results and turn off unnecessary ones.
Tip: command to turn off a service: "chkconfig --level <levels> <service name> off"
Number | Step | Description |
---|---|---|
1 | Switch to root account (skip if already switched) | command:” su root" Tip: enter root account password as prompted |
2 | Modify limits files | command:”vi /etc/security/limits.conf" type in the following command before ”End of file": "* soft core 0 * hard core 0" |
(1) Step 1: Switch to root account
Open Command Prompt, type in "su root”,enter root account password as prompted;
Tip: skip this step if already switched to root account.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Modify the limits file
Type in "vi /etc/security/limits.conf";
Move the cursor to the second-to-last line, just before "# End of file", and type in "* soft core 0" and "* hard core 0" on two separate lines.
Tip: if you cannot type, press the "I" key to activate INSERT mode.
root@dell-PowerEdge-R730:/home/hpb# vi /etc/security/limits.conf
#ftp hard nproc 0
#ftp - chroot /ftp
#@student - maxlogins 4
* soft core 0
* hard core 0
# End of file
:wq(press the ”ESC” key and type in ”:wq” to save the file and exit)
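Several items in this chapter (the PAM password-strength line, the pam_tally lockout line, umask, TMOUT and the core-dump limits above) are applied with "echo ... >> file", which appends another copy every time it is run. As an added example (not from the guide), an idempotent helper that writes each line only when it is not already present; the directory layout in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the HPB guide. append_once adds LINE to FILE only
# when an identical line is not already there, so re-running the hardening
# steps never produces duplicate entries.

# Usage: append_once FILE LINE  -> prints "added" or "present"
append_once() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    # -F fixed string, -x whole line, -q quiet; "--" guards lines starting with "-"
    if grep -Fxq -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Apply the guide's lines under a root directory ("" means the live system;
# run as root in that case). The /etc subdirectories are assumed to exist.
# Caveat: /etc/pam.d/systemd-auth is the path the guide uses; on Debian/Ubuntu
# the stacks PAM actually reads are /etc/pam.d/common-password and common-auth,
# so confirm which file your system consults before relying on the PAM lines.
harden_root() {
    r=$1
    append_once "$r/etc/pam.d/systemd-auth" \
        'passwd requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1'
    append_once "$r/etc/pam.d/systemd-auth" \
        'auth required pam_tally.so onerr=fail deny=10 unlock_time=300'
    append_once "$r/etc/profile"     'umask 027'
    append_once "$r/etc/bash.bashrc" 'umask 027'
    append_once "$r/etc/profile"     'TMOUT=180'
    # pam_limits reads every line, so appending after "# End of file" is fine
    append_once "$r/etc/security/limits.conf" '* soft core 0'
    append_once "$r/etc/security/limits.conf" '* hard core 0'
}
```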
### Configuration Modification Steps
Number | Step | Description |
---|---|---|
1 | Switch to root account (skip if already switched) | command:” su root" Tip: enter root account password as prompted |
2 | Configure and start rsyslog | Command: "vi /etc/rsyslog.conf"; add at the end of the file: "*.err;kern.debug;daemon.notice /var/adm/messages" Command: "sudo mkdir /var/adm" Command: "sudo touch /var/adm/messages" Command: "sudo chmod 666 /var/adm/messages" Command: "sudo systemctl restart rsyslog" |
(1) Step 1: Switch to root account. Open the command prompt, type in "su root", and enter the root account password as prompted; Tip: skip this step if you have already switched to the root account.
hpb@dell-PowerEdge-R730:~$ su root
Password:
root@dell-PowerEdge-R730:/home/hpb#
(2) Step 2: Configure and start rsyslog. Type in "vi /etc/rsyslog.conf" to open the file. Press the "I" key to activate INSERT mode, press the "↓" key to move the cursor to the last line of the file, and type in:
"*.err;kern.debug;daemon.notice /var/adm/messages";
Press the "ESC" key and type in ":wq" to save the file and exit;
root@dell-PowerEdge-R730:/home/hpb# vi /etc/rsyslog.conf
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
*.err;kern.debug;daemon.notice /var/adm/messages
:wq(press the ”ESC” key and type in ”:wq” to save the file and exit)
Continue by typing in "sudo mkdir /var/adm", then "sudo touch /var/adm/messages", then "sudo chmod 666 /var/adm/messages", then "sudo systemctl restart rsyslog". None of these commands returns a message on success.
root@dell-PowerEdge-R730:/home/hpb# sudo mkdir /var/adm
root@dell-PowerEdge-R730:/home/hpb# sudo touch /var/adm/messages
root@dell-PowerEdge-R730:/home/hpb# sudo chmod 666 /var/adm/messages
root@dell-PowerEdge-R730:/home/hpb# sudo systemctl restart rsyslog
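Added example, not from the guide: chmod 666 leaves /var/adm/messages writable by every local user, who could then alter or flood the audit trail. The helper below creates the file with mode 640, owned by the account rsyslog runs as (owner and group are parameters; chown happens only when run as root), and adds the guide's selector line to rsyslog.conf only when it is missing; paths in the test are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the HPB guide. Uses GNU stat (-c).

# Usage: prepare_log_file PATH [OWNER] [GROUP]  -> prints the resulting mode
# Default ownership assumes rsyslog runs as root and admins are in group adm.
prepare_log_file() {
    path=$1; owner=${2:-root}; group=${3:-adm}
    mkdir -p "$(dirname "$path")"
    [ -f "$path" ] || : > "$path"
    chmod 640 "$path"                     # owner rw, group r, others nothing
    if [ "$(id -u)" = 0 ]; then
        chown "$owner:$group" "$path"
    fi
    stat -c %a "$path"
}

# Is the guide's selector line present (same tokens, whitespace ignored)?
has_selector() {
    awk '$1 == "*.err;kern.debug;daemon.notice" && $2 == "/var/adm/messages" { ok = 1 }
         END { print (ok ? "yes" : "no") }' "$1"
}

# Append the selector only when it is missing, so repeated runs stay clean.
add_selector() {
    if [ "$(has_selector "$1")" = no ]; then
        printf '*.err;kern.debug;daemon.notice\t/var/adm/messages\n' >> "$1"
    fi
}
```

On Ubuntu rsyslog drops privileges to the "syslog" user ($PrivDropToUser in rsyslog.conf), so there the call is `prepare_log_file /var/adm/messages syslog adm`; restart rsyslog afterwards as the guide does.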
Servers that do not have BOE boards installed can skip this check item. When servers fail this check item, the user needs to provide the system information displayed in the results and contact HPB staff through "Appendix Tech-Support" for assistance.
Should you need any help, feel free to contact HPB staff for tech support:
Tech support mailbox: node@hpb.io
HPB Tech Forum:http://blockgeek.org/c/hpb
HPB Official Website:http://www.hpb.io/
Telegram:https://t.me/hpbglobal
Facebook:HPB Blockchain
Twitter: @HPBGlobal
Reddit: r/HPBGlobal