Preface: I have wanted to write an article about Linux security for a long time.
Writing a good blog post keeps my ideas clear, and if I forget something I can come back to the article and look it up. This article is just the experience and lessons from my daily work and study; if I have written anything wrong, I hope you will correct me.

First, services started at boot. After installing the system, run # netstat -an and you will see that the system has started many network-related services by default, and correspondingly many ports are open in the LISTENING state. The more ports are open, the greater the chance of an external intrusion into the system, so we try to turn off the startup services that are not needed, closing as many ports as possible to improve system security. Here I list the services that keep the system running and should be started; the other services can all be turned off. Run # ntsysv and start only the following services.

Second, Netfilter/iptables firewall settings.
# touch /etc/rc.d/firewall
# chmod u+x /etc/rc.d/firewall
# vi /etc/rc.d/rc.local
Add the line /etc/rc.d/firewall to rc.local.
Note: the contents of /etc/rc.d/firewall are as follows.

1. Single-NIC host setting. Description: this setting applies to a host that is set up as a dedicated Web server or FTP server.

#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# SYN flood attack prevention: enable TCP SYN cookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# First clear all firewall rules
iptables -F
iptables -X
iptables -Z
# Then drop all packets by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow local traffic on the loopback device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Let packets belonging to connections we have established, or related to them, through
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH remote management of the host
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Limit the rate of IP fragments to prevent IP fragmentation attacks
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# If your host provides web services, you need to open port 80
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
# Set the ICMP rules so that this host can ping other hosts to test the network, but other hosts cannot ping this host
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

With the settings above, this host opens only two ports to the network, 22 and 80, which guarantees the host's security as far as possible.

2. NAT host setting. Description: this setting applies to a host of the NAT gateway server type. eth0 is the external network card and eth1 is the internal network card. The internal network segment is 192.168.1.0/24
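As an added example (not part of the original post), the following POSIX shell script checks that the single-NIC host in section 1 really exposes only ports 22 and 80: it compares what the kernel is listening on (the netstat -an output from the first section) against what the INPUT chain accepts, and flags listening services that only the firewall is hiding and should therefore also be turned off with ntsysv. Both inputs are constructed samples embedded in the script, so it runs without root and without a live firewall.

```shell
# Constructed sample of `netstat -ant` output on a freshly installed host (not real data).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED'

# Constructed `iptables-save` dump of the single-NIC ruleset in section 1 (not real data).
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
COMMIT'

# TCP ports in LISTEN state on a non-loopback address: what the kernel exposes.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" && $4 !~ /^127\./ {
        n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# TCP destination ports ACCEPTed by the INPUT chain: what the firewall lets in.
firewall_open_ports() {
    printf '%s\n' "$1" | awk '/^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' | sort -n | uniq
}

# Ports in both lists: the host's real exposure (22 and 80 for the section 1 ruleset).
exposed_ports() {
    for p in $(listening_ports "$1"); do
        firewall_open_ports "$2" | grep -x "$p" || true
    done
}

# Listening ports the firewall blocks: still running, so they should also go via ntsysv.
shadowed_ports() {
    for p in $(listening_ports "$1"); do
        firewall_open_ports "$2" | grep -qx "$p" || echo "$p"
    done
}

# True when the INPUT default policy is DROP, as the firewall script sets it.
input_policy_is_drop() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP'
}
```

On a real host, feed the functions the output of netstat -ant and iptables-save instead of the samples; a non-empty shadowed_ports result is the list of services that are still waiting to be disabled.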