Sunday, December 12, 2010

Classic books: the ultimate guide to Linux security configuration

First: disk partitioning

1. If this is a freshly installed Linux system, lay out the disk partitions with security in mind:
   1) Put the root directory (/), the user directory (/home), the temporary directory (/tmp) and the /var directory on separate disk partitions.
   2) Size each of those partitions generously, so that a partition filling up (for whatever reason) cannot bring the system down.

2. On the partitions holding /tmp and /var there is, in most cases, no need to run programs with the suid bit, so give those partitions the nosuid attribute.

Method one: edit /etc/fstab and add nosuid to the mount options. For example:

    /dev/hda2  /tmp  ext2  exec,dev,nosuid,rw  0 0

Method two: if you are not comfortable editing /etc/fstab, make the change through the linuxconf program. Run linuxconf; choose "Access local drive" under "File systems"; select the disk partition whose attributes you want to change; tick the "No setuid programs allowed" option; set any other options you need; exit normally. (You will usually be prompted to mount the partition again.)

Second: installation

1. On a non-test host, do not install more packages than needed. Fewer packages means fewer potential security holes.
2. On a non-test host, do not enable non-essential services at boot, for example routed, ypbind, etc.

Third: security configuration and hardening

Kernel upgrade: upgrade to at least version 2.2.16.
GNU libc shared library upgrade. (Warning: do not attempt this without experience. It can be deferred.)
Turn off dangerous network services: echo, chargen, shell, login, finger, NFS, RPC, etc.
Turn off non-essential network services: talk, ntalk, pop-2, etc.
Secure configuration and upgrading of common network services: make sure every network service runs the newest and most secure version currently available.
Disable anonymous FTP access.
Remove suid programs that are not required.
Use tcpwrapper.
Use the ipchains firewall.
Logging with syslogd.

Details:

1. The operating system's log files are an important clue for detecting a network intrusion, assuming of course that the intruder has not destroyed them. If you have a server connected directly to the Internet over a leased line, meaning your IP address is permanently fixed, you will find many people making telnet/ftp login attempts against your system. Check with:

    # more /var/log/secure | grep refused
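A shell check for the nosuid rule in the partitioning section above, added here as an example rather than taken from the article. It audits a constructed sample fstab (the device names, mountpoints and function names are assumptions) and prints the corrected entry for any of /tmp and /var that lacks nosuid.

```shell
#!/bin/sh
# Added example (not from the original article): audit an fstab for the nosuid
# option on /tmp and /var, and print a corrected entry for any that lacks it.
# It runs on a constructed sample fstab, not the live /etc/fstab.
set -u

# Return 0 if FSTAB's entry for MOUNTPOINT carries nosuid, 1 if it does not,
# and 2 if there is no entry for that mountpoint at all.
fstab_has_nosuid() {
    opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print FSTAB's entry for MOUNTPOINT with nosuid appended to its options
# (the same edit the article makes by hand in /etc/fstab).
fstab_line_with_nosuid() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m {
        if (("," $4 ",") !~ /,nosuid,/) $4 = $4 ",nosuid"
        print; exit
    }' "$1"
}

# Constructed sample /etc/fstab: /tmp already has nosuid, /var does not.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# device    mountpoint  type  options             dump pass
/dev/hda1   /           ext2  defaults            1    1
/dev/hda2   /tmp        ext2  exec,dev,nosuid,rw  0    0
/dev/hda3   /var        ext2  defaults            0    0
/dev/hda4   /home       ext2  defaults            0    0
EOF

for m in /tmp /var; do
    if fstab_has_nosuid "$SAMPLE_FSTAB" "$m"; then
        echo "OK   $m is mounted nosuid"
    else
        echo "FIX  $m lacks nosuid; suggested fstab entry:"
        fstab_line_with_nosuid "$SAMPLE_FSTAB" "$m"
    fi
done
```

Point the two functions at /etc/fstab instead of the sample to audit a real host; the change itself still has to be applied by editing the file and remounting, as the article describes.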
2. Limit the number of programs carrying the SUID permission flag. A program with this flag runs as root and is a potential security hole, although some programs must have it, such as passwd.

3. BIOS security. Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.

4. User passwords. User passwords are the basic starting point of Linux security. Many people use a user password as simple as 'password', which is as good as opening the door to the intruder. In theory no user password is uncrackable, given enough time and resources. A better user password is a string of characters that only its owner can easily remember and understand, and it should never be written down anywhere.

5. The /etc/exports file. If you use the NFS network file system service, make sure /etc/exports has the strictest possible access settings: do not use any wildcards, do not allow root write access, and mount file systems read-only. Edit /etc/exports and add, for example:

    /dir/to/export host1.mydomain.com(ro,root_squash)
    /dir/to/export host2.mydomain.com(ro,root_squash)

where /dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine allowed to mount it, ro means it is mounted read-only, and root_squash denies root write access. For the change to take effect, run /usr/sbin/exportfs -a.

6. Make sure /etc/inetd.conf is owned by root and its permissions are set to 600:

    [root@deep]# chmod 600 /etc/inetd.conf

Ensure that the owner is root:

    [root@deep]# stat /etc/inetd.conf
      File: "/etc/inetd.conf"
      Size: 2869        Filetype: Regular File
      Mode: (0600/-rw-------)   Uid: (0/root)   Gid: (0/root)
    Device: 8,6   Inode: 18219   Links: 1
    Access: Wed Sep 22 16:24:16 1999 (00000.00:10:44)
    Modify: Mon Sep 20 10:22:44 1999 (00002.06:12:16)
    Change: Mon Sep 20 10:22:44 1999 (00002.06:12:16)

Edit /etc/inetd.conf to disable the following services unless you really need them: telnet, ftp, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. In particular, disable the r commands. If you use ssh/scp, you can also disable telnet/ftp. For the change to take effect, run:

    # killall -HUP inetd

You can also run

    # chattr +i /etc/inetd.conf

to give the file the immutable attribute. Only root can clear it again, with:

    # chattr -i /etc/inetd.conf
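An added example (not from the article) that checks the /etc/exports rules of item 5 (no wildcard hosts, ro, root_squash) and the mode-600 rule of item 6 against constructed sample files; the sample hosts, paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): check /etc/exports entries
# against the three rules above (no wildcard hosts, ro, root_squash) and check
# that an inetd.conf has mode 600. Runs on constructed sample files only.
set -u

# Print "BAD <reason>: <entry>" for each offending exports line.
exports_violations() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        for (i = 2; i <= NF; i++) {             # each host(options) field
            host = $i; opts = ""
            if (match(host, /\(.*\)$/)) {       # split "host(opt,opt)" in two
                opts = substr(host, RSTART + 1, RLENGTH - 2)
                host = substr(host, 1, RSTART - 1)
            }
            if (host == "" || host ~ /[*?]/)        print "BAD wildcard host: " $0
            if (("," opts ",") ~ /,rw,/)            print "BAD rw export: " $0
            if (("," opts ",") !~ /,root_squash,/)  print "BAD no root_squash: " $0
        }
    }' "$1"
}

# Return 0 if the exports file has no violations, 1 otherwise.
exports_ok() { [ -z "$(exports_violations "$1")" ]; }

# Return 0 if FILE is exactly mode 600 (-rw-------), as the article requires.
mode_is_600() { [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; }

# Constructed sample files (not the real /etc/exports or /etc/inetd.conf).
SAMPLE_EXPORTS=$(mktemp); SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
# directory       host(options)
/dir/to/export    host1.mydomain.com(ro,root_squash)
/dir/to/export    host2.mydomain.com(ro,root_squash)
/srv/pub          *.mydomain.com(ro,root_squash)
/srv/data         host3.mydomain.com(rw,no_root_squash)
EOF
chmod 644 "$SAMPLE_INETD"     # deliberately too permissive

exports_ok "$SAMPLE_EXPORTS" || exports_violations "$SAMPLE_EXPORTS"
mode_is_600 "$SAMPLE_INETD" || echo "FIX  $SAMPLE_INETD is not mode 600; run: chmod 600 $SAMPLE_INETD"
```

The owner check (root) is left to stat on the real file, since a sample file created by an ordinary user cannot be owned by root.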
