Source: http://coolyan.ns110.cn/
Log files

The system's security log is the most important clue for detecting a network intrusion. If your machine is connected directly to the Internet and you notice many Telnet/FTP login attempts against it, run

# more /var/log/secure | grep refused

to review the connections refused by tcp_wrappers (failed logins recorded by login and sshd land in the same file), and take the corresponding countermeasures, such as replacing Telnet and rlogin with SSH.

Startup and login security

1. BIOS security. Set a BIOS password and change the boot order so the system cannot be booted from a floppy disk (or other removable media); otherwise anyone with physical access can boot their own system and read the disks.

2. User passwords. User passwords are the basic starting point of Linux security. Many users choose passwords that are far too simple, which is the same as opening the door for an intruder. In theory no password is uncrackable given enough time and resources, but a well-chosen password is hard to crack: easy for its owner to remember, hard for anyone else to guess, and never written down anywhere.

3. Default accounts. Disable all default accounts that are enabled but not needed. A fresh Linux installation creates many default accounts, and the more accounts there are, the easier the system is to attack. Delete an unneeded account with

# userdel username

or delete an unneeded group with

# groupdel groupname

4. Password files. Use chattr to set the immutable attribute on the following files so they cannot be modified, which stops an unauthorized user from gaining privileges by editing them:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

While the attribute is set, useradd, passwd and similar tools fail as well; remove it with chattr -i before making legitimate changes, and verify the state with lsattr.

5. Disable the Ctrl+Alt+Del reboot. Edit /etc/inittab and comment out the line

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

then run telinit q so init re-reads the file.
Then reset the permissions of all scripts in /etc/rc.d/init.d/ so that only root can read, write or execute them:

# chmod -R 700 /etc/rc.d/init.d/*

6. Restrict the su command. If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

From then on only members of the isd group can su to root. If you later want user admin to be able to su to root, add admin to that group, for example:

# usermod -G 10 admin

(The original example uses group ID 10, which is the wheel group on Red Hat; use whichever group you named in the pam_wheel line. Note that -G sets the user's whole supplementary group list, so include any groups the user already belongs to, and do not use -g, which replaces the primary group.)

7. Remove the login banner. By default the login prompt shows the Linux distribution, the kernel version and the server's host name. For a machine that must be well protected this leaks far too much information. Edit /etc/rc.d/rc.local and comment out the lines that write the system information to /etc/issue:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then empty the banner files:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

Limit network access

1. NFS access. If you run the NFS network file system service, make sure /etc/exports uses the strictest possible access settings: no wildcards, no write access for root, and read-only mounts wherever possible. Edit /etc/exports and add lines such as:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory being exported, and host1.mydomain.com and host2.mydomain.com are the machines allowed to mount it. Write the options directly after the host name with no space in between: a space before the parenthesis makes the options apply to everyone ("*") and leaves the named host with the default options. To make the change take effect, run:

# /usr/sbin/exportfs -a

2. inetd settings. First make sure /etc/inetd.conf is owned by root and has mode 600; after setting it, check with stat:

# chmod 600 /etc/inetd.conf
# stat /etc/inetd.conf

Then edit /etc/inetd.conf and comment out the following services:

ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have SSH/SCP you can also disable Telnet and FTP. To make the change take effect, run:

# killall -HUP inetd

By default most Linux systems accept all requests; tcp_wrappers is what raises the bar. Add access restrictions in /etc/hosts.deny and /etc/hosts.allow. For example, put "ALL: ALL" in /etc/hosts.deny to refuse everything by default, then add the permitted access in /etc/hosts.allow.
For example, the /etc/hosts.allow line

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

allows SSH connections from the 192.168.1.0/24 network and from the host gate.openarch.com. An address/netmask pair matches the whole network, not just 192.168.1.10; to allow a single host, list its bare address. hosts.allow is consulted first and a match there wins over hosts.deny, so keep it minimal. Once the configuration is complete, check it with tcpdchk:

# tcpdchk

tcpdchk is the tcp_wrappers configuration checker; it reads the wrapper configuration and reports every potential or actual problem it finds.
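The NFS item above warns against wildcards, writable exports and the space-before-parenthesis mistake, but the text gives no way to check an existing file for them. The following script is an added example, not part of the original article: a small POSIX sh linter for /etc/exports that reports each of those problems per line. The exports content it uses is constructed for the demonstration; point it at /etc/exports on a real server.

```shell
#!/bin/sh
# Added example, not from the original article: a linter for /etc/exports that
# flags wildcard clients, exports that are not read-only, missing root_squash,
# and a space before the option list. The sample content is constructed.

# lint_exports FILE
# Prints one finding per line as "LINE: reason"; returns 1 if anything was found.
lint_exports() {
    file=$1
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        dir=${line%%[[:space:]]*}                   # exported directory
        clients=${line#"$dir"}                      # client list after it
        # "host (ro)" binds the options to "*" and gives host the defaults.
        case "$clients" in
            *[[:space:]]\(*)
                echo "$lineno: space before '(' -> options apply to '*', not to the host"
                found=1
                continue ;;
        esac
        set -f                                      # no globbing of "*" clients
        for spec in $clients; do
            host=${spec%%\(*}                       # part before "("
            opts=
            case "$spec" in *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;; esac
            case "$host" in
                ''|*\**|*\?*) echo "$lineno: wildcard client '$host' for $dir"; found=1 ;;
            esac
            case ",$opts," in
                *,ro,*) : ;;
                *) echo "$lineno: $host on $dir is not read-only (ro)"; found=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$lineno: $host on $dir disables root_squash"; found=1 ;;
                *,root_squash,*) : ;;
                *) echo "$lineno: $host on $dir does not set root_squash"; found=1 ;;
            esac
        done
        set +f
    done < "$file"
    return $found
}

# sample_exports_file
# Writes a constructed exports file to a temporary path and prints that path.
sample_exports_file() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# constructed sample, not a real exports file' \
        '/export/pub host1.mydomain.com(ro,root_squash) host2.mydomain.com(ro,root_squash)' \
        '/export/bad *(rw,no_root_squash)' \
        '/export/oops host3.mydomain.com (ro)' > "$tmp"
    echo "$tmp"
}

# Usage: sh exports_lint.sh /etc/exports ; with no argument, lint the sample.
if [ "$#" -gt 0 ]; then
    lint_exports "$1"
else
    sample=$(sample_exports_file)
    lint_exports "$sample" || :
    rm -f "$sample"
fi
```

The sample's second export line is clean; the third is flagged three times (wildcard, rw, no_root_squash) and the fourth once for the misplaced space, which is the bug that quietly turns a host-restricted export into a world-readable one.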
3. Login terminals. /etc/securetty lists the tty devices on which root may log in; it is read by /bin/login and its format is simply a list of device names. Edit /etc/securetty and comment out every line except tty1:

tty1
#tty2
#tty3
#tty4
#tty5
#tty6

Root can then log in only on the tty1 console.

4. Hide system and version information. If you do not want remote login users to see the system and version information, change the telnet line in /etc/inetd.conf to:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

The -h flag stops in.telnetd from printing the banner, so only "login:" is shown.

Preventing attacks

1. Ignore ping. If nobody can ping your system, its security naturally increases somewhat. Add the following line to /etc/rc.d/rc.local:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This hides the host only from ICMP echo probes; a scan of its open TCP ports still finds it, and it also breaks legitimate monitoring, so weigh the trade-off.

2. Prevent IP spoofing. Edit /etc/host.conf and add the following lines:

order bind,hosts
multi off
nospoof on

nospoof makes the resolver check that the reverse lookup of a connecting address resolves back to the same address. These keywords are honored by the old libc5 resolver; glibc takes its lookup order from /etc/nsswitch.conf and does not implement the spoof check, so on a glibc system rely on tcp_wrappers and packet filtering to reject spoofed sources.

3. Prevent DoS attacks. Setting resource limits for all users of the system, such as the maximum number of processes and the amount of memory, guards against denial-of-service attacks. For example, add the following lines to /etc/security/limits.conf:

* hard core 0
* hard rss 5000
* hard nproc 20

and check that /etc/pam.d/login contains the line

session required /lib/security/pam_limits.so

These entries disable core dumps (core 0), limit resident memory to about 5 MB (rss is given in KB) and limit each user to 20 processes. Two caveats: wildcard entries do not apply to root, and the rss limit is not enforced by Linux kernels from 2.4.30 onwards. Choose nproc with care, since a value too low for a busy account denies service to legitimate users.

Installing patches

Because each Linux vendor ships different versions, visit the relevant site for update information.

Red Hat: ftp://updates.redhat.com/ . Install a patch with

# rpm -Fvh filename.rpm

Debian: http://www.debian.org/security/ . Use APT to download the latest security updates after adding the security source to /etc/apt/sources.list.
Automatic installation with apt-get: first refresh the package database, then install the updates:

# apt-get update
# apt-get upgrade

Manual installation: first download the patch package, then install it with dpkg:

# wget URL            (URL is the download address of the patch)
# dpkg -i file.deb    (file.deb is the patch package)

After the above settings your Linux server is protected against most known security problems and network attacks, but a good system administrator still keeps an eye on security news and stands ready to find and repair vulnerabilities, exposed or latent, as they appear.
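The article opens by telling you to grep /var/log/secure for "refused", and closes by asking the administrator to keep watching. The following script is an added example, not part of the original article: it turns that one-line grep into a small triage that counts tcp_wrappers refusals and sshd login failures per source address and lists the sources that cross a threshold, which are the candidates for an /etc/hosts.deny entry. The log lines it ships with are constructed for the demonstration; on a real server pass /var/log/secure as the argument.

```shell
#!/bin/sh
# Added example, not from the original article: triage of /var/log/secure for the
# "refused" connections the text tells you to grep for, plus sshd login failures.
# The log excerpt below is constructed; pass a real file as the first argument.

# refused_by_source FILE
# Counts tcp_wrappers "refused connect from <host>" events per source, most first.
refused_by_source() {
    awk '/refused connect from/ { n[$NF]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# failed_logins_by_source FILE
# Counts sshd "Failed password ... from <addr>" events per source address.
failed_logins_by_source() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# sources_over_threshold FILE N
# Sources whose refused plus failed events reach N: candidates for hosts.deny.
sources_over_threshold() {
    { refused_by_source "$1"; failed_logins_by_source "$1"; } |
        awk -v min="$2" '{ t[$2] += $1 }
                         END { for (s in t) if (t[s] >= min) print s }' | sort
}

# sample_secure_log
# Writes a constructed /var/log/secure excerpt to a temporary file; prints its path.
sample_secure_log() {
    tmp=$(mktemp)
    printf '%s\n' \
      'Jan 12 03:14:05 srv in.telnetd[1234]: refused connect from 10.0.0.5' \
      'Jan 12 03:14:06 srv in.ftpd[1235]: refused connect from 10.0.0.5' \
      'Jan 12 03:15:01 srv sshd[1240]: Failed password for root from 192.168.1.77 port 4022 ssh2' \
      'Jan 12 03:15:03 srv sshd[1241]: Failed password for invalid user admin from 192.168.1.77 port 4023 ssh2' \
      'Jan 12 03:16:00 srv sshd[1250]: Accepted publickey for ops from 192.168.1.10 port 5000 ssh2' \
      'Jan 12 03:17:00 srv in.telnetd[1260]: refused connect from 10.0.0.5' \
      'Jan 12 03:18:00 srv in.telnetd[1261]: connect from gate.openarch.com' \
      'Jan 12 03:19:00 srv sshd[1262]: Failed password for root from 10.0.0.9 port 4100 ssh2' > "$tmp"
    echo "$tmp"
}

# Usage: sh secure_triage.sh /var/log/secure [threshold]; no argument runs the sample.
log=${1:-}
cleanup=
if [ -z "$log" ]; then
    log=$(sample_secure_log)
    cleanup=1
fi
threshold=${2:-3}
echo "refused connections by source:";      refused_by_source "$log"
echo "failed logins by source:";            failed_logins_by_source "$log"
echo "sources with at least $threshold events:"; sources_over_threshold "$log" "$threshold"
if [ -n "$cleanup" ]; then rm -f "$log"; fi
```

On the sample, 10.0.0.5 accounts for all three refusals and 192.168.1.77 for two of the three failed passwords; with a threshold of 2 both are listed, while the single failure from 10.0.0.9 and the accepted key login from 192.168.1.10 are not. Address counting by the raw log field is deliberate: tcp_wrappers logs whatever name or address it resolved, so a source that appears under both a name and an address shows up as two entries.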