Tuesday, November 30, 2010

Linux server hardening tips

Limit network access

1. NFS access

If you run the NFS network file system service, make sure /etc/exports carries the most restrictive access settings possible: use no wildcards in client names, do not grant root write access, and export file systems read-only only.
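A check that applies these three rules to a copy of /etc/exports, written as an added example for this post (it is not the author's script). It assumes the standard exports syntax "dir client(opt,opt)", reports every wildcard client, every rw option and every export without an explicit root_squash, and the sample file it writes is constructed, not taken from a real server:

```shell
#!/bin/sh
# Added example, not from the original post: flag /etc/exports entries that
# break the three rules above (wildcard clients, write access, missing
# root_squash).  Assumes the standard exports syntax "dir client(opt,opt)".

# audit_exports FILE: print one line per problem found; nothing when clean.
audit_exports() {
    sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$' | {
        set -f   # keep "*" in client names from expanding as a glob
        while read -r dir clients; do
            # A directory with no client list is exported to every host.
            if [ -z "$clients" ]; then
                echo "$dir: no client list, exported to everyone"
                continue
            fi
            for entry in $clients; do
                host="${entry%%\(*}"                 # text before "(" (or the whole entry)
                opts="${entry#*\(}"; opts="${opts%\)}"
                [ "$entry" = "$host" ] && opts=""    # entry had no option list
                case "$host" in
                    *\**|*\?*|'') echo "$dir: wildcard client '$host'" ;;
                esac
                case ",$opts," in
                    *,rw,*) echo "$dir: $host has write access (rw)" ;;
                esac
                # root_squash is the exportfs default, but the post asks for it
                # to be explicit; no_root_squash is the setting to avoid.
                case ",$opts," in
                    *,no_root_squash,*) echo "$dir: $host lets remote root act as root (no_root_squash)" ;;
                    *,root_squash,*) ;;
                    *) echo "$dir: $host does not set root_squash explicitly" ;;
                esac
            done
        done
    }
}

# count_export_problems FILE: number of problem lines audit_exports reports.
count_export_problems() { audit_exports "$1" | wc -l | tr -d ' '; }

# write_sample_exports FILE: constructed sample (not a real server's config)
# mixing one clean export with several bad ones.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/srv/pub   host1.mydomain.com(ro,root_squash) host2.mydomain.com(ro,root_squash)
/srv/home  *.mydomain.com(rw,no_root_squash)
/srv/data  host3.mydomain.com(ro)
/srv/open
EOF
}

# Stand-alone run ("sh audit_exports.sh --demo"): audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_exports "$tmp"
    audit_exports "$tmp"; rm -f "$tmp"
fi
```

Point audit_exports at the real file ("audit_exports /etc/exports") to review a live server; the constructed sample yields five findings, all on the three bad lines, and the clean /srv/pub export produces none.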

Edit /etc/exports and add lines like the following two:

    /dir/to/export host1.mydomain.com(ro,root_squash)
    /dir/to/export host2.mydomain.com(ro,root_squash)

Here /dir/to/export is the directory you want to export, host1.mydomain.com and host2.mydomain.com are the names of the machines allowed to mount it, ro means the export is mounted read-only, and root_squash stops the remote root user from writing to the directory as root. For the change to take effect, run:

    # /usr/sbin/exportfs -a

2. Inetd settings

First confirm that /etc/inetd.conf is owned by root and that its permissions are 600. After setting them you can verify with the stat command.

    # chmod 600 /etc/inetd.conf

Then edit /etc/inetd.conf and disable (comment out) the following services:

    ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have installed ssh/scp, you can disable telnet and ftp as well. For the change to take effect, run:

    # killall -HUP inetd

By default most Linux systems allow all requests. Using TCP_WRAPPERS to strengthen system security takes little effort: edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to

    ALL: ALL

denies all access by default. Then add the permitted access to /etc/hosts.allow; for example

    sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

allows SSH connections from the IP address 192.168.1.10 and from the host gate.openarch.com. Once configured, check the setup with tcpdchk:

    # tcpdchk

tcpdchk is the TCP_Wrapper configuration checker: it examines your tcp wrapper configuration and reports all potential or existing problems it finds.

3. Login terminal settings

The file /etc/securetty lists the tty devices on which root is allowed to log in; it is read by the /bin/login program, and its format is simply a list of the permitted device names. Edit /etc/securetty and comment out tty2 through tty6, leaving only tty1:

    tty1
    #tty2
    #tty3
    #tty4
    #tty5
    #tty6

After this, root can only log in at the tty1 terminal.
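An audit of the inetd settings in section 2, added here as an example and not part of the original post: it lists which of the services named above are still active in an inetd.conf-style file, checks the root/0600 precondition on the file, and reports whether an active telnet line already carries the -h flag of item 4. The two sample files it writes are constructed and represent a "before" and an "after" state:

```shell
#!/bin/sh
# Added example, not from the original post: audit an inetd.conf-style file
# for the services the post says to comment out, check the permission
# precondition for /etc/inetd.conf, and report whether an active telnet
# line passes -h to in.telnetd (the banner suppression of item 4).
# The sample files written below are constructed, not taken from a real host.

RISKY_SERVICES="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# list_enabled_risky FILE: print each service from RISKY_SERVICES whose line
# in FILE is active (not commented out), one per line.
list_enabled_risky() {
    grep -v '^[[:space:]]*#' "$1" | while read -r svc _rest; do
        for r in $RISKY_SERVICES; do
            [ "$svc" = "$r" ] && echo "$svc"
        done
    done
    return 0
}

# count_enabled_risky FILE: how many of those services are still active.
count_enabled_risky() { list_enabled_risky "$1" | wc -l | tr -d ' '; }

# telnet_banner_status FILE: "absent" if telnet is not active, "hidden" if
# in.telnetd gets -h, "shown" if it is active without -h.
telnet_banner_status() {
    line=$(grep -v '^[[:space:]]*#' "$1" | grep '^telnet[[:space:]]' || true)
    if [ -z "$line" ]; then
        echo absent
    else
        case "$line" in
            *in.telnetd*-h*) echo hidden ;;
            *) echo shown ;;
        esac
    fi
}

# inetd_conf_perms_ok FILE: succeed only if FILE is mode 0600 and owned by
# root, the state the post requires for /etc/inetd.conf.  find -perm 600
# is an exact mode match on both GNU and BSD find.
inetd_conf_perms_ok() {
    [ -n "$(find "$1" -prune -perm 600 -user root -print 2>/dev/null)" ]
}

# write_sample_inetd FILE: "before" state with several risky services active.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed inetd.conf sample (not from a real host)
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}

# write_hardened_inetd FILE: "after" state: finger and pop-3 commented out,
# telnet kept (with -h) only until ssh/scp replaces it.
write_hardened_inetd() {
    cat > "$1" <<'EOF'
# constructed hardened sample (not from a real host)
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd -h
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#pop-3  stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}
```

On a live host run "list_enabled_risky /etc/inetd.conf" before and after editing the file, then "inetd_conf_perms_ok /etc/inetd.conf" to confirm the chmod took; on the constructed samples the "before" file reports telnet, finger and pop-3 with the banner shown, and the "after" file reports only telnet with the banner hidden.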
4. Avoid displaying system and version information

If you do not want remote login users to see the system and version information, change the telnet line in /etc/inetd.conf so that in.telnetd is started with -h:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

With -h, telnet no longer shows the system information and only displays the "login:" prompt.

Prevent attacks

1. Prevent ping

If nobody can ping your system, its safety naturally increases. To do this, add the following line to /etc/rc.d/rc.local:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing

Edit /etc/host.conf and add the following lines to guard against IP spoofing attacks:

    order bind,hosts
    multi off
    nospoof on

3. Prevent DoS attacks

Setting resource limits for all users of the system guards against DoS-type attacks, for example limits on the maximum number of processes and on memory usage. You can add lines such as the following to /etc/security/limits.conf:

    * hard core 0
    * hard rss 5000
    * hard nproc 20

Then edit /etc/pam.d/login and check that the following line is present:

    session required /lib/security/pam_limits.so

These lines disable core dumps for all users, limit each user's memory usage to 5 MB and cap each user's number of processes at the nproc value above. With the settings above in place your Linux server is immune to the great majority of known security issues and network attacks, but a good system administrator should still keep an eye on network security at all times and patch disclosed and potential security vulnerabilities promptly.
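A check for the three "prevent attacks" settings above, added as an example for this post (not the author's script): it reads copies of rc.local, host.conf, limits.conf and pam.d/login, normalizes whitespace and commas so "order bind,hosts" and "order bind, hosts" compare equal, and prints one line for every setting from the post that is missing. Paths are arguments, so the same functions can be pointed at the real /etc files; the weak and hardened sample sets it writes are constructed:

```shell
#!/bin/sh
# Added example, not from the original post: check whether the anti-ping,
# anti-spoofing and resource-limit settings described above are present in
# copies of rc.local, host.conf, limits.conf and pam.d/login.  File paths
# are arguments so the same functions can be pointed at the real /etc files.

# normalize FILE: drop comments, squeeze blanks and commas to single spaces,
# trim, and drop empty lines.
normalize() {
    sed 's/#.*//' "$1" | tr -s '[:blank:],' ' ' | sed 's/^ //; s/ $//' | grep -v '^$'
}

# has_line FILE TEXT: succeed if a normalized line of FILE equals TEXT exactly.
has_line() { normalize "$1" | grep -qxF "$2"; }

# check_hardening RCLOCAL HOSTCONF LIMITSCONF PAMLOGIN: print one line per
# missing setting; prints nothing when all of them are in place.
check_hardening() {
    has_line "$1" "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" \
        || echo "rc.local: icmp_echo_ignore_all is not set, host answers ping"
    has_line "$2" "nospoof on" || echo "host.conf: nospoof on missing"
    has_line "$2" "multi off"  || echo "host.conf: multi off missing"
    has_line "$3" "* hard core 0"   || echo "limits.conf: '* hard core 0' missing"
    has_line "$3" "* hard rss 5000" || echo "limits.conf: '* hard rss 5000' missing"
    has_line "$3" "* hard nproc 20" || echo "limits.conf: '* hard nproc 20' missing"
    # Without pam_limits in the login stack, limits.conf is never applied.
    has_line "$4" "session required /lib/security/pam_limits.so" \
        || echo "pam.d/login: pam_limits.so line missing, limits.conf is ignored"
    return 0
}

# check_dir DIR: run the check over the four files rc.local, host.conf,
# limits.conf and login kept in DIR (a scratch copy of the real files).
check_dir() { check_hardening "$1/rc.local" "$1/host.conf" "$1/limits.conf" "$1/login"; }
count_missing_dir() { check_dir "$1" | wc -l | tr -d ' '; }

# Constructed sample files (not from a real host), written into DIR.
write_weak_samples() {
    printf '#!/bin/sh\ntouch /var/lock/subsys/local\n' > "$1/rc.local"
    printf 'order hosts,bind\nmulti on\n' > "$1/host.conf"
    printf '# no limits configured\n' > "$1/limits.conf"
    printf 'auth required /lib/security/pam_unix.so\n' > "$1/login"
}
write_hardened_samples() {
    printf 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all\n' > "$1/rc.local"
    printf 'order bind,hosts\nmulti off\nnospoof on\n' > "$1/host.conf"
    printf '* hard core 0\n* hard rss 5000\n* hard nproc 20\n' > "$1/limits.conf"
    printf 'session required /lib/security/pam_limits.so\n' > "$1/login"
}
```

On a real server call check_hardening with the four live paths ("check_hardening /etc/rc.d/rc.local /etc/host.conf /etc/security/limits.conf /etc/pam.d/login"); the constructed weak set yields seven findings and the hardened set none. The pam_limits check matters most in practice: the limits.conf lines have no effect at all until that session line is in the login stack.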
