Tuesday, November 30, 2010

Detailed analysis of Linux operating system security configuration steps

1. Log files. The log files inside the operating system are an important clue for detecting network intrusions, assuming of course that the intruder has not destroyed them. If your server is connected directly to the Internet over a dedicated line, meaning that your IP address is permanently fixed, you will find many people attempting telnet/ftp logins on your system. Try running:

# more /var/log/secure | grep refused

2. Restrict the number of programs carrying the SUID permission flag. A program with this flag runs as root and is a potential security hole; of course, some programs must have it, such as passwd.

3. BIOS security. Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.

4. User passwords. User passwords are the basic starting point of Linux security. Many people's passwords are simply "password", which amounts to opening the door for the intruder; in theory no user password is uncrackable, given enough time and resources. A good user password is a string of characters that only its owner can easily remember and understand, and it is never written down anywhere.

5. The /etc/exports file. If you use the NFS network file system service, make sure /etc/exports has the most restrictive access permissions possible: do not use any wildcard characters, do not allow write access for root, and mount as a read-only file system. Edit /etc/exports and add, for example:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine allowed to mount it, ro means it is mounted read-only, and root_squash prohibits root from writing to the directory. For the change to take effect, run /usr/sbin/exportfs -a.

6. Make sure /etc/inetd.conf is owned by root and that its permissions are set to 600.

[root@deep]# chmod 600 /etc/inetd.conf

Ensure that the owner is root:

[root@deep]# stat /etc/inetd.conf
  File: "/etc/inetd.conf"
  Size: 2869       Filetype: Regular File
  Mode: (0600/-rw-------)  Uid: (0/root)  Gid: (0/root)
Device: 8,6  Inode: 18219  Links: 1
Access: Wed Sep 22 16:24:16 1999 (00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999 (00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999 (00002.06:12:16)

Edit /etc/inetd.conf to disable the following services unless you really need them: telnet, ftp, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. In particular, disable the r commands. If you use ssh/scp, you can also turn off telnet/ftp. For the change to take effect, run:

# killall -HUP inetd

You can also run # chattr +i /etc/inetd.conf to give the file the immutable attribute; only root can clear it again, with the command # chattr -i /etc/inetd.conf.

7. TCP_WRAPPERS. By default Red Hat Linux allows all requests; using TCP_WRAPPERS to strengthen your site's security takes little effort. Put "ALL: ALL" in /etc/hosts.deny to refuse all requests, then list the explicitly permitted requests in /etc/hosts.allow, for example:

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

This allows ssh connections from IP address 192.168.1.10 and from the host gate.openarch.com. After finishing the configuration, check it with tcpdchk:

[root@deep]# tcpdchk

tcpdchk is the TCP_Wrapper configuration checker; it checks your tcp wrapper configuration and reports all potential and existing problems it finds.

8. The aliases file. Edit the alias file /etc/aliases (or possibly /etc/mail/aliases) and remove or comment out the following lines:

# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
#games: root      <- remove or comment out.
#ingres: root     <- remove or comment out.
nobody: root
#system: root     <- remove or comment out.
#toor: root       <- remove or comment out.
#uucp: root       <- remove or comment out.
# Well-known aliases.
#manager: root    <- remove or comment out.
#dumper: root     <- remove or comment out.
#operator: root   <- remove or comment out.
# trap decode to catch security attacks
#decode: root
# Person who should get root's mail
#root: marc

Finally, don't forget to run /usr/bin/newaliases after the update to make the change take effect.
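Steps 1 and 5 above can be turned into a small audit script. The following is an added example, not part of the original post: it counts refused connections in a secure log and flags /etc/exports entries that break the three rules given in step 5 (wildcard hosts, root not squashed, writable exports). The log lines and exports file it reads are constructed samples written to a temporary directory, so it runs offline; the function names are my own.

```shell
#!/bin/sh
# Added audit helper for two of the checks above (not from the original post).

# Step 1: count log lines recording a refused connection, the function form
# of "more /var/log/secure | grep refused". Takes the log path as $1.
count_refused() {
    grep -c 'refused' "$1"
}

# Step 5: print one finding per lax export entry in the file given as $1 and
# return the number of findings (0 means every entry passed all three rules).
check_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            dir = $1
            for (i = 2; i <= NF; i++) {         # each client[(options)] field
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client ~ /[*?]/)
                    { print dir ": wildcard/any host in " $i; bad++ }
                if (opts !~ /root_squash/ || opts ~ /no_root_squash/)
                    { print dir ": root_squash not set for " $i; bad++ }
                if (opts ~ /(^|,)rw(,|$)/)
                    { print dir ": writable for " $i; bad++ }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample input (hypothetical hosts and addresses, not real files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/secure" <<'EOF'
Sep 22 16:24:16 deep in.telnetd[1234]: refused connect from 10.0.0.5
Sep 22 16:25:01 deep sshd[1240]: Accepted password for marc from 192.168.1.10
Sep 22 16:26:40 deep in.ftpd[1251]: refused connect from 10.0.0.5
EOF
cat > "$SAMPLE_DIR/exports" <<'EOF'
# passes: explicit host, read-only, root squashed
/dir/to/export host1.mydomain.com(ro,root_squash)
# fails all three rules: wildcard client, writable, root not squashed
/home *(rw,no_root_squash)
EOF

echo "refused connections: $(count_refused "$SAMPLE_DIR/secure")"
check_exports "$SAMPLE_DIR/exports" || echo "lax export entries: $?"
```

On the sample data the script reports 2 refused connections and 3 findings, all from the /home line.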
