◆ 7. TCP_WRAPPERS. By default Red Hat Linux allows all requests. Using TCP_WRAPPERS to tighten your site's security takes little effort: put "ALL: ALL" in /etc/hosts.deny to refuse every request, then list the requests you explicitly permit in /etc/hosts.allow. For example, to allow ssh connections only from the host with IP address 192.168.1.10 and from the host named gate.openarch.com:

    sshd: 192.168.1.10 gate.openarch.com

Be careful with the net/mask form of a client pattern: tcpd matches an address when (address AND mask) equals the net part, so a rule written as 192.168.1.10/255.255.255.0 never matches anything, because 192.168.1.10 is a host address rather than a network address. Write 192.168.1.0/255.255.255.0 to permit the whole 192.168.1.0/24 network, or a bare address to permit a single host. sshd honours these files even though it is not started from inetd, provided it was built with libwrap support, as the Red Hat packages are.

After the configuration is finished, check it:

    [root@deep]# tcpdchk

tcpdchk is the TCP_Wrappers configuration checker: it examines your hosts.allow and hosts.deny files and reports all potential or existing problems it finds (including the unusable net/mask expression above). To see how a particular request would be decided, use tcpdmatch, e.g. tcpdmatch sshd 192.168.1.10.
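The access decision described above, modelled in a short POSIX sh script. This is an added example, not code from the original article or from tcp_wrappers itself: it reproduces two documented rules from hosts_access(5) (hosts.allow is consulted before hosts.deny, and a net/mask pattern matches when address AND mask equals net) and runs the article's sshd rule in its broken net/mask form and in the corrected form. Hostname patterns such as gate.openarch.com are not resolved here; the hosts.allow and hosts.deny contents are constructed strings, not real system files.

```shell
#!/bin/sh
# Added example, not code from the original article or from tcp_wrappers:
# a small POSIX-sh model of tcpd's access decision for one daemon/client
# pair. It reproduces two documented rules from hosts_access(5):
#   * /etc/hosts.allow is consulted first, then /etc/hosts.deny; a request
#     matched by neither file is granted
#   * "n.n.n.n/m.m.m.m" matches an address when (address & mask) == net
# Hostname patterns (gate.openarch.com) are out of scope: only IPv4
# literals, net/mask pairs and ALL are matched. Rule text is passed as a
# string so the script runs offline on the constructed samples below.

# ip_to_int 192.168.1.10 -> 3232235786
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# client_matches PATTERN ADDR -> exit 0 if PATTERN covers ADDR
client_matches() {
    pat=$1; addr=$2
    case $pat in
        ALL) return 0 ;;
        */*)                              # net/mask pair
            net=$(ip_to_int "${pat%/*}")
            mask=$(ip_to_int "${pat#*/}")
            [ $(( $(ip_to_int "$addr") & mask )) -eq "$net" ]
            ;;
        *)  [ "$pat" = "$addr" ] ;;       # exact address
    esac
}

# rules_match RULES DAEMON ADDR -> exit 0 if any "daemons: clients" line
# in RULES (comments stripped) covers DAEMON contacted from ADDR
rules_match() {
    daemon=$2; addr=$3
    printf '%s\n' "$1" | sed 's/#.*//' | (
        while IFS=: read -r dlist clist; do
            [ -z "$dlist" ] && continue
            for d in $(printf '%s' "$dlist" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
                for c in $(printf '%s' "$clist" | tr ',' ' '); do
                    client_matches "$c" "$addr" && exit 0
                done
            done
        done
        exit 1
    )
}

# hosts_access ALLOW DENY DAEMON ADDR -> 0 = granted, 1 = refused
hosts_access() {
    if rules_match "$1" "$3" "$4"; then return 0; fi
    if rules_match "$2" "$3" "$4"; then return 1; fi
    return 0                              # matched by neither file: granted
}

# Constructed hosts.allow contents: the net/mask form written with a host
# address (matches nothing), and the corrected network plus single-host form.
ALLOW_BROKEN='sshd: 192.168.1.10/255.255.255.0 gate.openarch.com'
ALLOW_FIXED='sshd: 192.168.1.0/255.255.255.0 gate.openarch.com
sshd: 192.168.1.10'
DENY='ALL: ALL'

demo() {
    for rules in "$ALLOW_BROKEN" "$ALLOW_FIXED"; do
        echo "hosts.allow: $(printf '%s\n' "$rules" | head -n 1) ..."
        for ip in 192.168.1.10 192.168.1.200 10.0.0.5; do
            if hosts_access "$rules" "$DENY" sshd "$ip"; then v=granted; else v=refused; fi
            echo "  sshd from $ip: $v"
        done
    done
}
demo
```

With ALLOW_BROKEN every sshd request falls through to "ALL: ALL" and is refused, including the one from 192.168.1.10 that the rule was meant to permit; with ALLOW_FIXED the 192.168.1.0/24 hosts are granted and 10.0.0.5 is refused. Real tcpd also applies hostname, user and EXCEPT patterns, which this model leaves out.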
◆ 8. The aliases file. Edit the alias file /etc/aliases (or possibly /etc/mail/aliases) and remove or comment out the lines marked below, so that mail for pseudo accounts and well-known aliases is not silently redirected to root, and the historic decode alias (which piped mail through uudecode) is gone:

    # Basic system aliases -- these MUST be present.
    MAILER-DAEMON: postmaster
    postmaster: root
    # General redirections for pseudo accounts.
    bin: root
    daemon: root
    #games: root        # remove or comment out.
    #ingres: root       # remove or comment out.
    nobody: root
    #system: root       # remove or comment out.
    #toor: root         # remove or comment out.
    #uucp: root         # remove or comment out.
    # Well-known aliases.
    #manager: root      # remove or comment out.
    #dumper: root       # remove or comment out.
    #operator: root     # remove or comment out.
    # trap decode to catch security attacks
    #decode: root
    # Person who should get root's mail
    #root: marc

Finally, do not forget to run /usr/bin/newaliases after editing so the change takes effect.

◆ 9. Prevent your system from responding to any external or internal ping request. If nobody can ping your machine and get a reply, simple probes are less likely to notice it. This hides the host from casual scans only; it is not a substitute for packet filtering, and it also stops legitimate monitoring from pinging the host. Add the following line to /etc/rc.d/rc.local so it runs automatically at each boot:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

On releases that have /etc/sysctl.conf, the persistent equivalent is the line net.ipv4.icmp_echo_ignore_all = 1 in that file.

◆ 10. Do not display the operating system and version information.
If you do not want someone who telnets to your server to see the operating system and version information, change the telnet line in /etc/inetd.conf to the following:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

The -h flag at the end makes the telnet daemon suppress the system banner and show only the login: prompt. Restart inetd afterwards (for example killall -HUP inetd) for the change to take effect. Keep in mind that telnet still sends passwords in cleartext; ssh is the better choice wherever possible.

◆ 11. The /etc/host.conf file. Edit host.conf (vi /etc/host.conf) and add the following lines:

    # Lookup names via DNS first then fall back to /etc/hosts.
    order bind,hosts
    # We don't have machines with multiple IP addresses on the same card (like virtual server, IP Aliasing).
    multi off
    # Check for IP address spoofing.
    nospoof on

On IP spoofing: IP spoofing is a security exploit that works by tricking computers in a trust relationship into believing you are someone you really are not. With nospoof on, the resolver library cross-checks the hostname it obtains for an address against a forward lookup of that name and fails the query if the two do not agree, which protects hostname-based trust such as rlogin and rsh. It is a resolver setting only; it does not stop spoofed packets from reaching the host.

◆ 12. The /etc/securetty file. This file lists the tty devices on which root is allowed to log in. It is read by the /bin/login program, and its format is one permitted device name per line. Edit /etc/securetty and comment out entries as follows:

    tty1
    #tty2
    #tty3
    #tty4
    #tty5
    #tty6
    #tty7
    #tty8

This means root may log in only on the tty1 console. securetty governs logins handled by /bin/login; sshd does not consult it, so restrict root logins over ssh separately with PermitRootLogin no in /etc/ssh/sshd_config.
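An offline audit of the settings from items 8, 10, 11 and 12, as an added example that is not part of the original article. Each check takes the content of the relevant file as a string and returns 0 when the file matches the advice above and 1 otherwise, printing what it found; the sample file contents at the bottom are constructed for this example (a "before" and an "after" version of each), and the PSEUDO_ALIASES list and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: offline checks for the
# aliases (item 8), inetd telnet (item 10), host.conf (item 11) and
# securetty (item 12) settings. Each function takes file CONTENT as a
# string and returns 0 when compliant, 1 otherwise, printing findings;
# run it on a live host with e.g.  audit_securetty "$(cat /etc/securetty)".
# The sample contents at the bottom are constructed for this example.

# Item 8: pseudo-account aliases the article says to remove or comment out.
PSEUDO_ALIASES='games ingres system toor uucp manager dumper operator decode'

audit_aliases() {
    rc=0
    for name in $PSEUDO_ALIASES; do
        # an active alias is a "name:" line not hidden behind '#'
        if printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$name[[:space:]]*:"; then
            echo "aliases: '$name' still forwards mail; comment it out"
            rc=1
        fi
    done
    return $rc
}

# Item 10: an active telnet line must pass -h to in.telnetd (no banner).
# Fields 1-6 are service/type/proto/wait/user/server; args start at 7.
audit_inetd_telnet() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk '
        $1 == "telnet" { found = 1; for (i = 7; i <= NF; i++) if ($i == "-h") ok = 1 }
        END { if (found && !ok) { print "inetd.conf: in.telnetd lacks -h, banner shows OS"; exit 1 } }'
}

# Item 11: host.conf must carry "multi off" and "nospoof on".
audit_host_conf() {
    rc=0
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*nospoof[[:space:]]+on' \
        || { echo "host.conf: nospoof is not on"; rc=1; }
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*multi[[:space:]]+off' \
        || { echo "host.conf: multi is not off"; rc=1; }
    return $rc
}

# Item 12: any active securetty entry besides tty1 lets root log in there.
audit_securetty() {
    extra=$(printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]//g' \
            | grep -v '^$' | grep -vx 'tty1' || true)
    if [ -n "$extra" ]; then
        echo "securetty: root login also allowed on: $(printf '%s\n' "$extra" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Constructed sample files: before and after applying the article's advice.
ALIASES_BEFORE='MAILER-DAEMON: postmaster
postmaster: root
games: root
uucp: root
decode: root'
ALIASES_AFTER='MAILER-DAEMON: postmaster
postmaster: root
#games: root
#uucp: root
#decode: root'
INETD_BEFORE='telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd'
INETD_AFTER='telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h'
HOST_CONF_BEFORE='order bind,hosts'
HOST_CONF_AFTER='order bind,hosts
multi off
nospoof on'
SECURETTY_BEFORE='tty1
tty2
tty3'
SECURETTY_AFTER='tty1
#tty2
#tty3'

# audit_all -> 0 only when every hardened sample passes its check
audit_all() {
    audit_aliases "$ALIASES_AFTER" && audit_inetd_telnet "$INETD_AFTER" \
        && audit_host_conf "$HOST_CONF_AFTER" && audit_securetty "$SECURETTY_AFTER"
}

# report LABEL CMD ARGS... -> prints PASS/FAIL for one check, always returns 0
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fi
}
report "aliases (before)"   audit_aliases      "$ALIASES_BEFORE"
report "inetd (before)"     audit_inetd_telnet "$INETD_BEFORE"
report "host.conf (before)" audit_host_conf    "$HOST_CONF_BEFORE"
report "securetty (before)" audit_securetty    "$SECURETTY_BEFORE"
report "all (after)"        audit_all
```

The "before" samples each fail with a one-line finding naming the offending entry, and audit_all passes on the "after" samples. A commented-out telnet line counts as compliant for item 10, since a disabled service shows no banner at all.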