Monday, November 29, 2010

Classic books: the ultimate guide to Linux security configuration

7. TCP_WRAPPERS

By default, Red Hat Linux allows all requests. Using TCP_WRAPPERS to enhance your site's security takes little effort: put "ALL: ALL" in /etc/hosts.deny to prohibit all requests, then list the explicitly permitted requests in /etc/hosts.allow, for example:

    sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

This allows ssh connections from IP address 192.168.1.10 and hostname gate.openarch.com.

After the configuration is finished, check it with tcpdchk:

    [root@deep]# tcpdchk

tcpdchk is the TCP_Wrapper configuration checker. It checks your TCP wrapper configuration and reports all potential and existing problems it finds.

8. The aliases file

Edit the aliases file /etc/aliases (or possibly /etc/mail/aliases) and remove or comment out the following lines.

    # Basic system aliases -- these MUST be present.
    MAILER-DAEMON: postmaster
    postmaster: root
    # General redirections for pseudo accounts.
    bin: root
    daemon: root
    # games: root     <- remove or comment out.
    # ingres: root    <- remove or comment out.
    nobody: root
    # system: root    <- remove or comment out.
    # toor: root      <- remove or comment out.
    # uucp: root      <- remove or comment out.
    # Well-known aliases.
    # manager: root   <- remove or comment out.
    # dumper: root    <- remove or comment out.
    # operator: root  <- remove or comment out.
    # trap decode to catch security attacks
    # decode: root
    # Person who should get root's mail
    # root: marc

Finally, don't forget to run /usr/bin/newaliases after the update so that the change takes effect.

9. Stop your system from responding to ping requests

Stop your system from responding to any external or internal ping request. Since no one can ping your machine and receive a response, you can greatly enhance the security of your site. Add the following line to /etc/rc.d/rc.local so that it runs automatically at every boot.

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

10. Don't show operating system and version information

If you do not want someone who Telnets to your server to see the operating system and version information, change the line in /etc/inetd.conf to the following:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding the -h flag at the end makes the telnet daemon not display system information, but merely show login:

11. The /etc/host.conf file

Edit the host.conf file (vi /etc/host.conf) and add the following lines:

    # Lookup names via DNS first then fall back to /etc/hosts.
    order bind,hosts
    # We don't have machines with multiple IP addresses on the same card (like virtual server, IP Aliasing).
    multi off
    # Check for IP address spoofing.
    nospoof on

IP Spoofing: IP-Spoofing is a security exploit that works by tricking computers in a trust relationship that you are someone that you really a

12. The /etc/securetty file

This file specifies the tty devices on which root is allowed to log in. It is read by the /bin/login program. Its format is a list of permitted names, one per line. Edit /etc/securetty and comment out the following lines.

    tty1
    #tty2
    #tty3
    #tty4
    #tty5
    #tty6
    #tty7
    #tty8

This means root is only allowed to log in at the tty1 terminal.

13. Special accounts

Disable all default accounts that the operating system itself creates and that you do not need. You should do this check when you first install the system. Linux provides a variety of accounts that you may not need. If you do not need an account, remove it: the more accounts you have, the more vulnerable you are to attack. To delete a user on your system, use the following command:

    [root@deep]# userdel username

To delete a group account on your system, use the following command:

    [root@deep]# groupdel username

Enter the following commands in a terminal to delete the following users.

    [root@deep]# userdel adm
    [root@deep]# userdel lp
    [root@deep]# userdel sync
    [root@deep]# userdel shutdown
    [root@deep]# userdel halt
    [root@deep]# userdel mail      (if you don't have a sendmail server, procmail, mailx, delete the account)
    [root@deep]# userdel news
    [root@deep]# userdel uucp
    [root@deep]# userdel operator
    [root@deep]# userdel games     (if you don't use an X Window server, delete the account)
    [root@deep]# userdel gopher
    [root@deep]# userdel ftp       (if you do not allow anonymous FTP, delete the user account)

Enter the following commands to delete the group accounts.

    [root@deep]# groupdel adm
    [root@deep]# groupdel lp
    [root@deep]# groupdel mail      (if there is no Sendmail server, delete the group account)
    [root@deep]# groupdel news
    [root@deep]# groupdel uucp
    [root@deep]# groupdel games     (if you don't use X Window, delete this group account)
    [root@deep]# groupdel dip
    [root@deep]# groupdel pppusers
    [root@deep]# groupdel popusers  (if you don't have a POP server, delete the group account)
    [root@deep]# groupdel slipusers

Add a user account with the following command:

    [root@deep]# useradd username

Change the user's password with the following command:

    [root@deep]# passwd username

Use the chattr command to give the following files the immutable attribute. While the attribute is set, commands that modify these files, such as useradd and passwd, fail until it is removed with chattr -i.

    [root@deep]# chattr +i /etc/passwd
    [root@deep]# chattr +i /etc/shadow
    [root@deep]# chattr +i /etc/group
    [root@deep]# chattr +i /etc/gshadow
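
To verify steps 7, 9, 12 and 13 after applying them, here is an added example that is not part of the original guide. The function names are this example's own, and the sample files are constructed so the script runs on any machine; point the functions at the real paths to audit a host.

```shell
#!/bin/sh
# Added audit example (not from the original guide). Function names are this
# example's own; each takes a file path so it can be run on copies.

# Step 7: succeeds only if hosts.deny has an active (uncommented) "ALL: ALL".
deny_all_set() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Step 9: succeeds if the kernel flag file contains 1 (echo requests ignored).
ping_ignored() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Step 12: prints the terminals on which root may still log in.
root_ttys() {
    awk '$1 != "" && $1 !~ /^#/ { print $1 }' "$1"
}

# Step 13: prints the default accounts from the guide's list that still exist.
leftover_accounts() {
    for name in adm lp sync shutdown halt mail news uucp operator games gopher ftp; do
        awk -F: -v n="$name" '$1 == n { print $1 }' "$1"
    done
}

# Constructed sample files standing in for a partly hardened host.
demo=$(mktemp -d)
printf '# deny by default\nALL: ALL\n' > "$demo/hosts.deny"
printf '#ALL: ALL\n' > "$demo/hosts.deny.off"
printf '0\n' > "$demo/icmp_echo_ignore_all"
printf 'tty1\n#tty2\n#tty3\ntty4\n' > "$demo/securetty"
printf 'root:x:0:0::/root:/bin/bash\nlp:x:4:7::/var/spool/lpd:\nmarc:x:500:500::/home/marc:/bin/bash\ngames:x:12:100::/usr/games:\n' > "$demo/passwd"

deny_all_set "$demo/hosts.deny" && echo "hosts.deny: default deny is active"
deny_all_set "$demo/hosts.deny.off" || echo "hosts.deny.off: ALL: ALL is missing or commented out"
ping_ignored "$demo/icmp_echo_ignore_all" || echo "ping: echo requests are still answered"
echo "root may log in on: $(root_ttys "$demo/securetty" | tr '\n' ' ')"
echo "default accounts still present: $(leftover_accounts "$demo/passwd" | tr '\n' ' ')"
```

On a live system the same functions take /etc/hosts.deny, /proc/sys/net/ipv4/icmp_echo_ignore_all, /etc/securetty and /etc/passwd as arguments.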
