Sunday, December 19, 2010

The most commonly used and most effective security settings for CentOS 4.4 (and Linux in general)

10. Comment out unwanted users and user groups.

Run vipw to edit /etc/passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib/im:/sbin/nologin
wangjing:x:500:500::/home/wangjing:/bin/bash
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin

Put a # in front of each unwanted user to comment it out. Note that I do not recommend deleting them outright: if you need one of those users again for some reason, recreating it is a bother.
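Before commenting lines out, it helps to know which accounts can actually log in. The following shell script is an added example, not part of the original post: it reads a passwd-format file and lists every uncommented account whose shell is not /sbin/nologin or /bin/false, plus any extra UID 0 account (a classic audit finding). The sample file is constructed here, the account "toor" included, and the function names are my own; on a real system you would pass /etc/passwd instead.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts that still have a
# real login shell, so that unwanted ones can be commented out after review.
# Not part of the original post; SAMPLE is a constructed file, not a real system.

# login_accounts FILE
# Prints "name:uid:shell" for every uncommented entry whose shell is not
# /sbin/nologin, /bin/false or empty. Lines already starting with # are skipped,
# which is exactly the state the post's step 10 leaves unwanted users in.
login_accounts() {
    awk -F: '
        /^[[:space:]]*#/ { next }          # already commented out
        NF < 7 { next }                    # malformed line, ignore it
        $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "" {
            print $1 ":" $3 ":" $7
        }
    ' "$1"
}

# uid_zero_accounts FILE
# Prints every uncommented account other than root that has UID 0. Any hit
# means a second superuser and deserves a look before anything else.
uid_zero_accounts() {
    awk -F: '/^[[:space:]]*#/ { next } NF >= 7 && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample resembling the listing in the post (not a real system).
# "games" is already commented out; "toor" is a constructed second UID 0 account.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
toor:x:0:0:constructed second uid-0 account:/root:/bin/bash
wangjing:x:500:500::/home/wangjing:/bin/bash
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
EOF

echo "Accounts with a login shell:"
login_accounts "$SAMPLE"
echo "Extra UID 0 accounts:"
uid_zero_accounts "$SAMPLE"
```

On the sample this reports root, netdump, toor, wangjing and mysql as able to log in, and toor as a second UID 0 account. Note that commenting a user out of /etc/passwd does not remove its entry from /etc/shadow, and files owned by that UID will from then on show a bare number instead of a name in ls output; keep that in mind when deciding which lines to touch.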
vi /etc/group

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
nscd:x:28:
slocate:x:21:
sshd:x:74:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
xfs:x:43:
ntp:x:38:
gdm:x:42:
pegasus:x:65:
htt:x:101:
wangjing:x:500:
mysql:x:102:
apache:x:48:

Put a # in front of each unwanted group to comment it out. Again, I do not recommend deleting them outright: if you need one of those groups again for some reason, recreating it is a bother.

11. Use the chattr command to give the following files the immutable attribute:

[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow

Note that after this operation even root cannot add users or change passwords on the system. When you need to add a user or change a password, first remove the attribute with chattr -i /etc/passwd (and likewise for the other files) so that the file is writable again, make the change, and then set the attribute back.

12. Change the default sshd port. sshd listens on port 22 by default, which everyone on Earth knows. A hacker with no specific Linux machine in mind usually finds targets by scanning for every machine with port 22 open, putting them in a list, and then probing them for vulnerabilities. A new feature of nmap 4, nmap -v -iR 10000 -P0 -p 22, picks 10000 random IP addresses and looks for machines with port 22 open; of course the scan can also be aimed at the IP ranges of Japan or other countries. Scans normally go to the well-known port of the service in question; scanning all ports 1-65535 is inefficient unless the scanner is concentrating on a single machine.
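A check for step 11 above, added here as an example that is not part of the original post: after running chattr +i on the four account files, lsattr shows an "i" in the attribute column of each one, and this script parses that output to report any file that has lost the flag (for instance because someone ran chattr -i to edit it and forgot to set it back). The function and variable names are my own, and the sample lsattr output is constructed; account_files_check runs the real lsattr on the four files from the post when it is available.

```shell
#!/bin/sh
# Added example: verify that the account files still carry the immutable
# attribute by parsing lsattr output. Not part of the original post.
# It parses text so that it can be run on constructed output as well as on the
# real "lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow".

# missing_immutable  < lsattr-output
# Reads lsattr lines of the form "<flags> <path>" on stdin and prints the path
# of every file whose flag field does not contain the lowercase "i"
# (immutable) attribute. Uppercase "I" means something else and is ignored.
missing_immutable() {
    awk '
        NF >= 2 {
            flags = $1
            path = substr($0, length($1) + 2)   # keep paths with spaces intact
            if (index(flags, "i") == 0) print path
        }
    '
}

# account_files_check
# Runs lsattr on the four files from step 11 (if lsattr exists on this box),
# prints the ones that are writable again, and returns 1 if any is.
account_files_check() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available" >&2; return 2; }
    missing=$(lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow 2>/dev/null | missing_immutable)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed lsattr output for demonstration: shadow and gshadow lack "i".
SAMPLE_LSATTR='----i--------e-- /etc/passwd
-------------e-- /etc/shadow
----i--------e-- /etc/group
-------------e-- /etc/gshadow'

echo "Files without the immutable attribute (constructed sample):"
printf '%s\n' "$SAMPLE_LSATTR" | missing_immutable
```

Run account_files_check from cron or a login script and it will nag until all four files are locked again. The post's own caveat applies in reverse too: if useradd or passwd suddenly fails with "Operation not permitted", this check will tell you which file is the reason.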
Change the default port to 60022: vi /etc/ssh/sshd_config and find the line #Port 22, which shows that port 22 is used by default. To change it, remove the # comment symbol and amend the line to:

Port 60022

Then restart the daemon:

# /etc/init.d/sshd restart

Other security options in sshd_config: change #PermitRootLogin yes to PermitRootLogin no to prevent root from logging in remotely, and change #Protocol 1,2 to Protocol 2 so that only SSH protocol 2 is used instead of protocol 1. There are of course further options to set as required, such as a forged banner, the lockout time after failed logins, whether accounts with a blank password may log in, the server key size, and which users and IP addresses may log in.

13. Kernel parameter adjustment:

sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.ip_conntrack_max=65535
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.tcp_fin_timeout=5
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.route.gc_timeout=100
sysctl -w net.ipv4.tcp_keepalive_time=500
sysctl -w net.ipv4.tcp_max_syn_backlog=10000

14. Check the system logs regularly. They are located mainly in the /var/log/ directory.

With the settings above your system is, in general, more secure. Of course, security and insecurity are only ever relative.
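The easiest mistake in step 12 is to edit the commented "#Port 22" line without removing the #, which leaves sshd on port 22 while the file looks changed. This added example (mine, not part of the original post) reads an sshd_config-style file the way sshd does, skipping comments and taking the first uncommented occurrence of a keyword, and reports the effective Port, PermitRootLogin, Protocol and PermitEmptyPasswords values with the defaults of that era (22, yes, 2,1 and no) filled in when a keyword is never set. Both sample files below are constructed, and the function names are my own; on a real machine pass /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: report the effective values of the sshd_config options from
# step 12, treating "#Port 22" as the comment it is and honouring sshd's
# first-occurrence-wins rule. Not part of the original post; both sample
# configs are constructed. Match blocks (newer OpenSSH) are not handled.

# sshd_option FILE KEYWORD DEFAULT
# Prints the first uncommented value of KEYWORD (case-insensitive, "Key value"
# or "Key=value" form), or DEFAULT when the file never sets it.
sshd_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { lk = tolower(key); found = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, a, "[[:space:]=]+")
            if (n >= 2 && tolower(a[1]) == lk && !found) {
                val = a[2]
                for (i = 3; i <= n; i++) val = val " " a[i]
                print val
                found = 1
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# sshd_report FILE
# Prints the four settings discussed in the post and returns 1 if any of them
# is still in its weak state.
sshd_report() {
    f=$1; weak=0
    port=$(sshd_option "$f" Port 22)
    rootlogin=$(sshd_option "$f" PermitRootLogin yes)
    proto=$(sshd_option "$f" Protocol 2,1)
    empty=$(sshd_option "$f" PermitEmptyPasswords no)
    printf 'Port=%s PermitRootLogin=%s Protocol=%s PermitEmptyPasswords=%s\n' \
        "$port" "$rootlogin" "$proto" "$empty"
    [ "$port" = "22" ] && { echo "weak: still on the default port 22"; weak=1; }
    [ "$rootlogin" = "yes" ] && { echo "weak: root may log in remotely"; weak=1; }
    case "$proto" in *1*) echo "weak: SSH protocol 1 is still enabled"; weak=1 ;; esac
    [ "$empty" = "yes" ] && { echo "weak: empty passwords are allowed"; weak=1; }
    return $weak
}

# Constructed sample after applying step 12: the old "#Port 22" comment is
# still there, but the uncommented "Port 60022" below it is what counts.
HARDENED=$(mktemp); WEAK=$(mktemp)
cat > "$HARDENED" <<'EOF'
#Port 22
Port 60022
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
EOF
# Constructed sample of an untouched file: every keyword still commented out,
# so sshd runs with its built-in defaults.
cat > "$WEAK" <<'EOF'
#Port 22
#Protocol 2,1
#PermitRootLogin yes
#PermitEmptyPasswords no
EOF

sshd_report "$HARDENED"
sshd_report "$WEAK" || echo "hardening needed (exit status $?)"
```

On later OpenSSH releases, sshd -T prints the daemon's effective configuration and is the authoritative version of this check. A related caveat for step 13: the sysctl -w commands only change the running kernel, so the same key = value pairs must also go into /etc/sysctl.conf if they are to survive a reboot.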
