The following firewall script turns the Linux host into a NAT router with iptables. The text of the script was mangled in extraction; it is reconstructed here with the original variable names, rules and comments:

```bash
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Interface of the network adapter connected to the Internet
EXTIF="eth0"
# IP address of the external network adapter; set this to your own address
EXTIFIPADDR="219.150.46.98"
# Interface of the network adapter connected to the LAN
INIF="eth1"
# Address range of the internal hosts
INNET="192.168.1.0/24"

# Enable IP forwarding in the kernel so that Linux acts as a router
echo "1" > /proc/sys/net/ipv4/ip_forward
# Protect against SYN flood attacks
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Rebuild the list of modules supported by the kernel
/sbin/depmod -a
# Load the modules that are needed
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Clear existing rules and restore the firewall to its unconfigured state
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Host security settings follow.
# Allow communication on the local loopback device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Let packets that belong to established connections, or that are replies
# to our host, through
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH remote management of the host
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Limit the number of IP fragments to prevent IP fragmentation attacks
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# ICMP: allow this host to ping other hosts to test the network, but do not
# allow other hosts to ping this host
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Note: with the OUTPUT policy set to DROP and no ESTABLISHED,RELATED rule in
# OUTPUT, the host itself can only send the traffic explicitly allowed above
# (loopback, SSH replies and outbound pings). Traffic from the LAN is not
# affected, because it passes through the FORWARD chain, whose policy is ACCEPT.

# NAT settings follow.
# For the intranet to reach the external network, SNAT must be configured
iptables -t nat -A POSTROUTING -p all -s $INNET -o $EXTIF -j SNAT --to $EXTIFIPADDR
# If a web server (IP 192.168.1.10) on the internal network must be reachable
# from the external network, DNAT must be configured as well
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to 192.168.1.10:80
```

3. System settings

1. Limit shell logging

The bash shell saves up to 500 used commands in the file "~/.bash_history" ("~/" stands for the user's home directory), which makes it convenient to re-enter long commands. Every user account on the system has a ".bash_history" file in its home directory. The bash shell should save only a small number of commands, and the whole command history should be removed each time the user logs out.

Step 1: The "HISTSIZE" line in the "/etc/profile" file determines how many old commands the ".bash_history" file of every user can save. It is strongly recommended to set the "HISTSIZE" value in "/etc/profile" to a small number, such as 30. Edit the profile file (vi /etc/profile) and change this line to read: HISTSIZE=30. This means each user's ".bash_history" file can save only 30 old commands.

Step 2: The administrator should also add the line "rm -f $HOME/.bash_history" to the file "/etc/skel/.bash_logout". That way, the ".bash_history" file is deleted each time the user logs out. Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line: rm -f $HOME/.bash_history

2. Change the SSH connection port

With SSH we can manage a Linux host remotely, but if it is configured incorrectly it can also be exploited by attackers to break into the system.
The default SSH connection port is 22. In practice the author found that port 22 of his hosts was frequently scanned and subjected to brute-force login attempts; if the password is set reasonably well this is not a complicated matter. Still, I think you can change the SSH connection port, for example to a port above 10000, so that the thief cannot even find the door, let alone steal from the house. The specific modification is as follows: edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config) and replace "#Port 22" with "Port 20068"; from then on we connect to SSH through port 20068. Then add a "DenyUsers" line to prohibit ordinary users from logging in; this also prevents the daemon accounts from accessing the system. For example, the following line ensures that these daemon accounts cannot log in: DenyUsers daemon bin sync adm lp shutdown halt mail news uucp nobody operator sympa squid postfix gopher postgres xfs

3. Set TCP_WRAPPERS

By default Red Hat Linux allows all requests, which is very dangerous. Using TCP_WRAPPERS to strengthen the security of our site takes little effort: disable all requests by putting "ALL: ALL" in /etc/hosts.deny, and put the explicitly permitted requests in /etc/hosts.allow, for example:

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

This allows SSH connections from the IP address 192.168.1.10 and from the host name gate.openarch.com. After the configuration is finished, check it with tcpdchk; you can run it directly: tcpdchk. Here tcpdchk checks the TCP_Wrapper configuration: it is a tool that checks your tcpwrapper configuration and reports all potential or existing problems it finds.

Postscript: While setting up the Netfilter/iptables firewall at the research station, learning progressed slowly for a while because there was no multi-host network environment. I then installed VMware on Windows XP Home, created two virtual Fedora Core 2 machines, and joined them into a LAN, so the research could continue. If you are suffering from a lack of a network environment, be sure to try VMware; I believe it will give you a surprise!
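To make the behaviour of the firewall script at the top of the post concrete, here is an added example (not part of the original post) that replays constructed packets through the script's INPUT chain rules, in the same order and with the same DROP policy. It shows why an incoming ping is dropped while a reply to the host's own ping is accepted, and that a new HTTP connection addressed to the firewall itself is dropped (traffic for the internal web server never reaches INPUT: it is rewritten by the DNAT rule in PREROUTING and then takes the FORWARD chain). Two simplifications are assumptions of the example: the conntrack state ESTABLISHED,RELATED is modelled as a flag on the packet, and the "-m limit --limit 100/s --limit-burst 100" match is modelled as a plain burst counter rather than a token bucket.

```python
"""Added example, not part of the original post: a first-match simulator for
the INPUT chain of the firewall script at the top of the post.

Assumptions of this example: the conntrack state ESTABLISHED,RELATED is a
boolean flag on the packet, and "-m limit --limit 100/s --limit-burst 100" is
modelled as a burst counter of 100 matches (real iptables uses a token bucket
that refills over time)."""

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    iface: str = "eth0"              # incoming interface
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo-request" or "echo-reply"
    established: bool = False        # stands in for conntrack ESTABLISHED,RELATED
    fragment: bool = False           # non-first IP fragment (iptables -f)


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str
    burst: Optional[int] = None      # remaining matches allowed by "-m limit"


def build_input_rules() -> List[Rule]:
    """The INPUT rules of the script, in the order the script appends them."""
    return [
        Rule(lambda p: p.iface == "lo", "ACCEPT"),                      # -i lo -p all
        Rule(lambda p: p.proto == "tcp" and p.established, "ACCEPT"),   # --state ESTABLISHED,RELATED
        Rule(lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT"),   # --dport 22
        Rule(lambda p: p.fragment, "ACCEPT", burst=100),                # -f -m limit ...
        Rule(lambda p: p.proto == "icmp" and p.icmp_type == "echo-reply", "ACCEPT"),
    ]


INPUT_POLICY = "DROP"


def verdict(rules: List[Rule], pkt: Packet, policy: str = INPUT_POLICY) -> str:
    """The first matching rule decides; if no rule matches, the chain policy applies."""
    for rule in rules:
        if not rule.match(pkt):
            continue
        if rule.burst is not None:
            if rule.burst == 0:
                continue             # limit exhausted: the match fails, keep going
            rule.burst -= 1
        return rule.target
    return policy


def run(packets: List[Packet]) -> List[str]:
    """Evaluate a packet sequence against a fresh copy of the INPUT chain."""
    rules = build_input_rules()
    return [verdict(rules, p) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic arriving at the firewall host itself.
    sample = [
        Packet("icmp", icmp_type="echo-request"),    # another host pinging the firewall
        Packet("icmp", icmp_type="echo-reply"),      # reply to the firewall's own ping
        Packet("tcp", dport=22),                     # new SSH session
        Packet("tcp", dport=80),                     # new HTTP connection to the firewall itself
        Packet("tcp", dport=80, established=True),   # packet inside an existing flow
        Packet("udp", dport=53, iface="lo"),         # local DNS query over loopback
    ]
    for p, v in zip(sample, run(sample)):
        print(f"{v:6} {p}")
```

Running the block prints one verdict per sample packet. Because the chain has no rule for new UDP traffic on eth0, any such packet (DNS answers to the host, for instance) is also dropped by the policy, which is worth knowing before deploying the script on a host that must resolve names itself.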
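The hosts.allow / hosts.deny configuration in the TCP_WRAPPERS section is easy to get wrong because the two files are consulted in a fixed order. The following added example (not part of the original post, and not the tcpd code itself) evaluates a (daemon, client) pair the way tcpd does: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and if neither file matches, access is granted. The file contents are constructed from the post's own lines. The client host name is passed in as an argument, whereas real tcpd obtains it by reverse DNS with a forward-lookup check; only the "ALL", exact, "net/mask", leading-dot domain and trailing-dot prefix patterns are handled, and EXCEPT lists and shell commands are left out.

```python
"""Added example, not part of the original post: an evaluator for the
hosts.allow / hosts.deny access control described in the TCP_WRAPPERS section.
Assumptions: host names are supplied by the caller (tcpd resolves them via
reverse DNS), and EXCEPT lists and the optional shell-command field are not
supported."""

import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed file contents, taken from the lines the post recommends.
HOSTS_ALLOW = """
# explicitly permitted requests
sshd: 192.168.1.10/255.255.255.0 gate.openarch.com
"""

HOSTS_DENY = """
ALL: ALL
"""

Rule = Tuple[List[str], List[str]]   # (daemon patterns, client patterns)


def parse_access_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: command]' lines, ignoring comments."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed access line: {line!r}")
        daemons = re.split(r"[,\s]+", fields[0].strip())   # lists may use commas or blanks
        clients = re.split(r"[,\s]+", fields[1].strip())
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, addr: str, hostname: Optional[str]) -> bool:
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask, e.g. 192.168.1.10/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in network
    if pattern.startswith("."):              # ".openarch.com" matches every host in the domain
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):                # "192.168." matches every address with that prefix
        return addr.startswith(pattern)
    return pattern == addr or pattern == hostname


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def access_allowed(daemon: str, addr: str, hostname: Optional[str] = None,
                   allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """tcpd order: hosts.allow first, then hosts.deny, then grant by default."""
    for text, decision in ((allow, True), (deny, False)):
        for daemons, clients in parse_access_file(text):
            if any(daemon_matches(d, daemon) for d in daemons) and \
               any(client_matches(c, addr, hostname) for c in clients):
                return decision
    return True


if __name__ == "__main__":
    # Constructed requests: (daemon, client address[, client host name]).
    requests = [
        ("sshd", "192.168.1.77"),
        ("sshd", "10.0.0.5"),
        ("sshd", "203.0.113.9", "gate.openarch.com"),
        ("vsftpd", "192.168.1.10"),
    ]
    for req in requests:
        print(req, "->", "granted" if access_allowed(*req) else "refused")
```

One thing the evaluator makes visible: the pattern 192.168.1.10/255.255.255.0 is a network pattern, so it admits every address in 192.168.1.0/24, not just 192.168.1.10; to permit a single address, list it without a mask. It also shows why the "ALL: ALL" line in hosts.deny matters: with both files empty, every request is granted.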
Actually, Linux security settings go far beyond these. Owing to the webmaster's limited level I can only write this much for now, but this article will continue to be updated. I hope you will offer more valuable opinions!