Tuesday, November 30, 2010

Linux system security hardening

I. Installation and upgrade. Install the system with a custom installation and do not install unnecessary packages; if needed, add a password restriction to the lilo/grub boot loader. After installation, upgrade the system software with up2date, yum or apt (Debian); sometimes the kernel must be upgraded as well.

Edit /etc/sudoers and add the following line (the user name is the author's own):

    jinshuai ALL = NOPASSWD: ALL

II. Account security. Servers are usually placed in an IDC and must be managed remotely, so restrict remote root access: administrators log in remotely with an ordinary account and then su to root, while developers use only ordinary account permissions.

1. Restricting remote root access:

1) In the /etc/default/login file, set the console line:

    CONSOLE=/dev/tty01

2) The following script can be used to prohibit console access (it comments out every pam_console.so line under /etc/pam.d):

    #!/bin/sh
    cd /etc/pam.d
    for i in *; do
        sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
    done

3) The following measure prevents anyone outside the wheel group from using su to become root. Add these two lines to /etc/pam.d/su:

    auth sufficient /lib/security/$ISA/pam_rootok.so debug
    auth required   /lib/security/$ISA/pam_wheel.so group=wheel

and place the users who are allowed to execute su to become root in the wheel group (GID 10):

    usermod -G 10 admin

2. Edit /etc/securetty and comment out every console entry that allows remote root login, and disable the use of all console programs with:

    rm -f /etc/security/console.apps/servicename

III. Principle of least service. Comment out every service that is not needed. In /etc/inetd.conf, prefix unneeded services with "#" (newer versions no longer use inetd and have replaced it with xinetd). To stop a service from being started automatically at boot, rename its link under /etc/rc.d/rc3.d so that the leading "S" becomes "K", leaving the rest of the name unchanged.

IV. File system permissions.

1) Find all programs on the system with a setuid or setgid bit, and remove the bit where it is unnecessary, or delete the program outright if it is never used. This prevents users from abusing them to elevate privileges:

    find / -type f \( -perm -4000 -o -perm -2000 \) -print | xargs ls -lg

2) Give important files the immutable attribute (normally this is not done):

    chattr +i /etc/passwd

The system then refuses any change to the file. If a directory has this attribute, processes may still modify the files inside it but may not create or delete files there.

3) Find files without an owner or group:

    find / \( -nouser -o -nogroup \)

4) Find files and directories that are group- or world-writable:

    find / -type f \( -perm -2 -o -perm -20 \) | xargs ls -lg
    find / -type d \( -perm -2 -o -perm -20 \) | xargs ls -ldg

5) Do not give execute permission on FTP upload directories. If the web hosting service allows CGI to run, add extra protection by configuring /etc/security/limits.conf, adding or changing the following lines (the leading domain field, "*" for all users, is assumed here; the page shows only the limit values):

    *  hard  core   0
    *  hard  rss    5000
    *  hard  nproc  20

V. Banner camouflage.

1) Intruders usually attack according to the operating system, service and application versions; leaked version lists and attack scope are classified in the same way, so disguise these details to increase the difficulty of intrusion. The relevant lines in /etc/rc.d/rc.local are the ones that write the kernel version into the login banner:

    echo "Kernel $(uname -r) on $a $(uname -m)" > /etc/issue
    echo "Kernel \r on an \m" >> /etc/issue
    cp -f /etc/issue /etc/issue.net
    echo >> /etc/issue

2) In Apache's configuration file, locate the ServerTokens and ServerSignature directives and change them from their defaults as follows, so that the version is not echoed:

    ServerTokens Prod
    ServerSignature Off

VI. IPTABLES firewall rules:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j DROP

The rules above block every inbound TCP connection attempt except the ones explicitly accepted (SSH, HTTP on eth0, and packets belonging to connections established from the inside). This is a simple example; IPTABLES is very powerful and firewall rules can be set up as the situation requires.

VII. Tripwire is a well-known tool that helps you find out whether important system files have been modified. Linux distributions generally ship the open-source version of the tool, and its default set of validation objects already includes some sensitive files, so it can be used as is.

VIII. Scanning. With the common reinforcement essentially finished, a risk assessment can be done; the latest version of nessus is recommended.

IX. Log policy. Create hard copies of the key logs related to intrusion, so that during incident response you are not left without even a "black box". They can be redirected to a printer, to administrator messages, to an independent logging server, and to hot backup.

X. Snort intrusion detection. Snort is necessary for systems with higher requirements for human intrusion response and security logging; on an ordinary system, if the administrator never looks at the pile of logs, it simply consumes system resources and is of little value.

Virus prevention on the Linux platform, summarized as the following recommendations (for reference only):

(1) Do the system hardening work described above.
(2) Read security bulletins and patch vulnerabilities promptly.
(3) Do not use root permissions for daily operations.
(4) Do not install dubious device drivers.
(5) Do not run unidentified executable programs or scripts on important servers.
(6) Install anti-virus software and upgrade the virus signature library regularly.
(7) On Linux servers connected to the Internet, check periodically for Linux viruses, worms and Trojans.
(8) On Linux servers providing file services, it is best to deploy software that kills both Windows and Linux viruses.
(9) On Linux servers providing email services, it is best to use an e-mail virus scanner.

All in all, virus protection for the Linux platform requires a variety of means, and must not be taken lightly just because Linux viruses are still rare.
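The one-off find commands in section IV are most useful when run repeatedly and compared against a known-good state, so that a setuid binary or world-writable directory that appeared since the last run stands out. The script below is an added example, not code from the original post: it wraps the section IV checks (setuid/setgid, group- or world-writable, unowned) in functions, writes a baseline on the first run, and on later runs reports only what is new. It assumes POSIX find, sort and comm; the baseline directory layout and file names are my own choices.

```shell
#!/bin/sh
# Added example: repeatable audit of the section IV permission checks.
# First run writes a baseline; later runs report entries that are new.

# Files under $1 carrying a setuid or setgid bit (sorted, one per line).
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Files and directories under $1 that are group- or world-writable
# (same -perm tests as the page's find commands).
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) \( -perm -2 -o -perm -20 \) -print 2>/dev/null | LC_ALL=C sort
}

# Files under $1 whose owner or group no longer exists in passwd/group.
list_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | LC_ALL=C sort
}

# Print entries present in the current listing ($2) but absent from the
# baseline ($1). Returns 0 when nothing is new, 1 otherwise.
report_new() {
    new=$(comm -13 "$1" "$2")
    if [ -n "$new" ]; then
        printf 'NEW since baseline:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Usage: audit_tree ROOT BASELINE_DIR
# Writes ROOT's listings into BASELINE_DIR as *.baseline on the first run,
# and compares the fresh *.current listings against them afterwards.
audit_tree() {
    root=$1
    base=$2
    mkdir -p "$base"
    status=0
    for check in suid world_writable unowned; do
        cur="$base/$check.current"
        "list_$check" "$root" > "$cur"
        if [ ! -f "$base/$check.baseline" ]; then
            cp "$cur" "$base/$check.baseline"
            echo "baseline for $check written ($(wc -l < "$cur") entries)"
        else
            report_new "$base/$check.baseline" "$cur" || status=1
        fi
    done
    return $status
}

# Example invocation (assumed paths): audit_tree / /var/lib/permaudit
```

A non-zero exit status means something new was found, which makes the script easy to run from cron and alert on. The baseline must be refreshed deliberately (delete the *.baseline files) after an intended change such as installing a package that ships setuid helpers.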
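The four rules in section VI rely on a trailing DROP rule and on the implicit ACCEPT policy of the INPUT chain, and they do not allow loopback traffic, which breaks local services that talk to 127.0.0.1. The script below is an added example, not code from the original post, showing the same default-deny design written out in full: flush, set the chain policy itself to DROP, allow loopback, keep established flows, open the listed TCP ports, and drop the rest. The IPT_DRYRUN switch prints the commands instead of running them so the ruleset can be reviewed without root; the interface name and port list are assumptions.

```shell
#!/bin/sh
# Added example: default-deny INPUT chain built as an idempotent script.
# Set IPT_DRYRUN=1 to print the iptables commands instead of applying them.

IFACE=${IFACE:-eth0}                 # assumed external interface
TCP_PORTS=${TCP_PORTS:-"22 80"}      # assumed services to expose: SSH, HTTP

# Run iptables, or echo the command line when IPT_DRYRUN is set.
ipt() {
    if [ -n "$IPT_DRYRUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rebuild the INPUT chain from scratch so the script can be re-run safely.
apply_input_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP                 # policy is DROP even if a later rule is missing
    ipt -A INPUT -i lo -j ACCEPT      # local services need loopback
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    for p in $TCP_PORTS; do
        ipt -A INPUT -i "$IFACE" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    ipt -A INPUT -j DROP              # explicit catch-all, as on the page
}

# Number of ACCEPT rules the generated ruleset contains (dry run, no root needed).
count_accepts() {
    ( IPT_DRYRUN=1; apply_input_rules ) | grep -c -- '-j ACCEPT'
}

# "sh firewall.sh show" prints the rules; "sh firewall.sh apply" loads them.
case "${1:-}" in
    show)  ( IPT_DRYRUN=1; apply_input_rules ) ;;
    apply) apply_input_rules ;;
esac
```

Setting the chain policy to DROP matters because a flush (iptables -F) removes the trailing DROP rule from the page's version and silently leaves the host wide open until the rules are reloaded; with the policy set, a flush fails closed instead.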
