Saturday, January 1, 2011

Linux security: step by step fortification (3)

Author: dingwei

NFS, the Network File System, is how a Unix system shares files with the outside world.

To keep users out of shared directories, add restrictions, for example by locking down /etc/exports, where the shared directories are defined. If you do not want to share anything at all, restricting access is not enough: edit the NFS startup script /etc/init.d/nfs and comment out the line that starts the daemon, so that it reads

# daemon rpc.nfsd $RPCNFSDCOUNT

Many system configuration files and commands are sensitive. Tighten their permissions and, where appropriate, mark them read-only at the filesystem level to reduce the exposure:

chmod 700 /bin/rpm
# NFS export definitions
chmod 600 /etc/exports
# host access control files
chmod 600 /etc/hosts.*
chmod -R 751 /var/log
chmod 644 /var/log/messages
# syslog configuration
chmod 640 /etc/syslog.conf
chmod 660 /var/log/wtmp
chmod 640 /var/log/lastlog
chmod 600 /etc/ftpusers
# user account file
chmod 644 /etc/passwd
chmod 600 /etc/modules
# authentication (PAM) configuration directory
chmod -R 750 /etc/pam.d
chmod 600 /etc/lilo.conf
# terminal configuration
chmod 600 /etc/securetty
chmod 400 /etc/shutdown.allow
# system access security configuration
chmod 700 /etc/security
# network and system configuration
chmod -R 751 /etc/sysconfig
# super-server configuration
chmod 600 /etc/xinetd.conf
chmod 600 /etc/inetd.conf
chmod -R 750 /etc/rc.d/init.d/
chmod 750 /etc/rc.d/init.d/*
# scheduled job control files
chmod 600 /etc/crontab
chmod 400 /etc/cron.*
# SSH configuration
chmod 750 /etc/ssh
# kernel parameter configuration
chmod 400 /etc/sysctl.conf
chattr +i /etc/services
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/hosts.*
chattr +i /etc/xinetd.conf
chattr +i /etc/exports
chattr +i /bin/login
chattr +a /var/log/messages

chattr +i makes a file immutable even for root until the attribute is cleared with chattr -i, so package upgrades that replace /etc/services or /bin/login will fail until you clear it; chattr +a allows only appending, which is what a log file needs.

Logs. Set up a log server first. It is a good idea to build a dedicated server that stores log files and have every client send a copy of its logs there; an intruder who wipes a client's logs does not reach the copy on the server, and you can check the server's logs to discover problems. On the log server, edit /etc/sysconfig/syslog so that syslogd accepts remote messages:

SYSLOGD_OPTIONS="-m 0 -r"

(-r enables reception from the network; -m 0 turns off the periodic mark lines.) The remote copy must also be configured on each client.
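As an added example that is not part of the original article, the following POSIX shell script checks the permissions from the list above rather than re-applying them, so that drift from the intended modes is reported. The path and mode pairs are taken from the article's chmod list (only a subset is included); the baseline format, the function names check_modes and is_immutable, and the ROOT argument that lets the check run against a copy of a filesystem are assumptions of this example, not anything the article prescribes.

```shell
#!/bin/sh
# Added example (not from the original article): audit the permissions the
# article sets instead of blindly re-applying them, so drift is reported.
# The path/mode pairs are copied from the article's chmod list (a subset);
# the baseline format, the function names and the ROOT argument are this
# example's own conventions.

# Baseline: one "path mode" pair per line (octal modes, as in the article).
EXPECTED_MODES='
/etc/exports 600
/etc/syslog.conf 640
/etc/passwd 644
/etc/crontab 600
/etc/sysctl.conf 400
'

# mode_of FILE: print the octal permission bits of FILE (GNU stat syntax).
mode_of() {
    stat -c '%a' "$1"
}

# check_modes BASELINE [ROOT]: print one line per file whose mode differs
# from BASELINE, or "MISSING" if the file is absent.  ROOT is prefixed to
# every path so the same baseline can be checked against a mounted image
# or a staging tree; leave it empty for the live system.  Prints nothing
# when everything matches.
check_modes() {
    baseline=$1
    root=${2:-}
    while read -r path mode; do
        [ -z "$path" ] && continue
        file="$root$path"
        if [ ! -e "$file" ]; then
            printf '%s expected %s actual MISSING\n' "$path" "$mode"
            continue
        fi
        actual=$(mode_of "$file")
        if [ "$actual" != "$mode" ]; then
            printf '%s expected %s actual %s\n' "$path" "$mode" "$actual"
        fi
    done <<EOF
$baseline
EOF
}

# is_immutable FILE: print yes/no depending on the ext2/3/4 immutable flag
# (the article's "chattr +i"), or unknown where lsattr is unavailable or the
# filesystem has no attribute support.  Never fails, so it is safe under set -e.
is_immutable() {
    attrs=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || attrs=
    case $attrs in
        '') echo unknown ;;
        *i*) echo yes ;;
        *) echo no ;;
    esac
}
```

Run check_modes "$EXPECTED_MODES" on the live system from the same cron job as the other checks; any output is drift to investigate. is_immutable reports whether the chattr +i flag is still set and answers unknown rather than failing on filesystems without attribute support.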
On each client, add a line to /etc/syslog.conf so that syslog also sends every message to the log server, which keeps its own copy (replace log_server_IP with the server's address):

*.*    @log_server_IP

A colour log filter also helps. loco (current version 0.32) colours log output; loco /var/log/messages | more highlights root activity and abnormal entries so that the person analysing the log is less likely to miss them.

Inspect the logs regularly. Red Hat Linux provides logwatch, which checks the logs on a schedule and mails a report to the administrator. Edit /etc/log.d/conf/logwatch.conf and set the MailTo = root parameter to the administrator's mail address. logwatch then periodically filters the logs for su to root, sudo, telnet and FTP logins and similar events, helping the administrator with day-to-day security analysis.

Check which setuid and setgid files the machine has. Files with the suid or sgid bit carry considerable risk: simply put, an ordinary user runs them with the privileges of their owner, often the superuser, and a flaw in such a program takes the user straight into a superuser environment. Many commands legitimately need suid or sgid. Record which of them the freshly installed system has as a reference; comparing a problem machine against that reference can identify security issues. Besides suid and sgid files, files that belong to no user or group, and world-writable files, may also be security holes. The following commands save the three lists to files; back these files up so that later runs can be compared against them:

find / -xdev -type f -perm +6000 2>/dev/null > /root/backup/audit/suid.log
find / -xdev \( -nouser -o -nogroup \) 2>/dev/null > /root/backup/audit/nouser.log
find / -xdev -type f -perm -2 2>/dev/null > /root/backup/audit/other.log

-perm +6000 is the syntax of the GNU find of that time; current GNU find spells it -perm /6000, and the portable form is \( -perm -4000 -o -perm -2000 \). -perm -2 matches files writable by everyone.

Use SSH. When administrators manage machines remotely, the command line is faster than Webmin's browser-based management, convenient as that is. Telnet is cleartext, so to stop a sniffer from capturing sensitive information, SSH is the best choice.
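Returning to the three find commands in the file audit above: as an added example that is not from the original article, here they are turned into a repeatable baseline-and-compare audit in POSIX shell. The find tests are written in portable form (-perm -4000 -o -perm -2000 rather than the older GNU -perm +6000); the output layout mirrors the article's /root/backup/audit, while the function names audit_tree, compare_audit and demo_audit and the ROOT argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: the article's three find
# commands as a repeatable baseline-and-compare audit.  The find tests are
# written in portable form (-perm -4000 -o -perm -2000 rather than the old
# GNU "-perm +6000"); the output files follow the article's
# /root/backup/audit layout, while the function names and the ROOT argument
# are this example's own.

# audit_tree ROOT OUTDIR: write three sorted lists under OUTDIR:
#   suid.log   set-uid or set-gid regular files
#   nouser.log files owned by no known user or group
#   other.log  world-writable regular files
# -xdev keeps find on ROOT's filesystem, as in the article.
audit_tree() {
    root=$1
    outdir=$2
    mkdir -p "$outdir"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sort > "$outdir/suid.log"
    find "$root" -xdev \( -nouser -o -nogroup \) 2>/dev/null \
        | sort > "$outdir/nouser.log"
    find "$root" -xdev -type f -perm -0002 2>/dev/null \
        | sort > "$outdir/other.log"
}

# compare_audit BASELINE_DIR CURRENT_DIR: print one line per difference,
# "<list> +<path>" for entries new since the baseline and "<list> -<path>"
# for entries that have gone.  No output means nothing changed.
compare_audit() {
    base=$1
    cur=$2
    for name in suid nouser other; do
        # comm -13: lines only in the second (current) file
        comm -13 "$base/$name.log" "$cur/$name.log" | sed "s|^|$name +|"
        # comm -23: lines only in the first (baseline) file
        comm -23 "$base/$name.log" "$cur/$name.log" | sed "s|^|$name -|"
    done
}

# demo_audit: run the audit on a constructed tree (no root needed) in which
# a new set-uid binary appears after the baseline, and print the differences.
demo_audit() {
    demo=$(mktemp -d)
    mkdir -p "$demo/fs/bin" "$demo/fs/tmp"
    : > "$demo/fs/bin/su";       chmod 4755 "$demo/fs/bin/su"
    : > "$demo/fs/tmp/scratch";  chmod 666  "$demo/fs/tmp/scratch"
    audit_tree "$demo/fs" "$demo/baseline"
    : > "$demo/fs/bin/backdoor"; chmod 4755 "$demo/fs/bin/backdoor"
    audit_tree "$demo/fs" "$demo/now"
    compare_audit "$demo/baseline" "$demo/now"
    rm -rf "$demo"
}

demo_audit
```

Take the baseline right after installation, for example audit_tree / /root/backup/audit/baseline, then from cron run audit_tree / /root/backup/audit/today followed by compare_audit /root/backup/audit/baseline /root/backup/audit/today and mail the output. A line beginning with suid + is a set-uid or set-gid binary that was not there at install time, which is exactly what the article wants noticed. Keep the baseline on another host or on read-only media: an intruder who can rewrite the baseline can hide from the comparison.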
On the first connection SSH exchanges keys between the two machines; from then on the traffic is encrypted and a sniffer cannot effectively analyse it. Record the server's host key fingerprint from that first connection, since an attacker who can intercept it could present a key of their own. From Linux the ssh command connects to the other host directly; from Windows you need client software, and PuTTY is recommended, available from http://www.chiark.greenend.org.uk/~sgtatham/putty/ (current version 0.52). SSH uses TCP port 22. Do not use any of the r-commands such as rlogin and rcp.

Use more secure file transfer. Unless you need to move large volumes of files, use scp instead of FTP. scp rides on SSH and uses its keys to set up an encrypted channel. For Windows, WinSCP is available from http://winscp.vse.cz/ (current version 2.0.0, build 89). For large transfers the encryption load on the processor becomes a real cost, and an FTP server can be used instead: Red Hat Linux ships wu-ftpd by default, and ProFTPD is available from http://www.proftpd.org/ (current version 1.2.4).

Use system snapshots. A snapshot records the attributes of the system's files in a database so that changes can be detected on a regular basis. Tripwire is recommended (current version 2.3.1-10). Tripwire's policy file is very comprehensive but not necessarily right for your system, so twpol.txt must be customised. The principle: install the complete system first, then install Tripwire and take the snapshot with the default policy; where it reports errors for files that do not exist, comment those entries out with # and rebuild the database.
rpm -ivh tripwire-2.3.1-10.i386.rpm
# edit twpol.txt and comment out the entries for files the system does not have, then run the install script
/etc/tripwire/twinstall.sh
# the install script asks for passphrases for the site key and the local key
# copy the local key, or initialisation fails with a "file does not exist" error
cp /etc/tripwire/$HOSTNAME-local.key /etc/tripwire/localhost-local.key
# initialise Tripwire and build the database; this asks for the local passphrase
tripwire --init
# compare the system against the snapshot and mail the report to the users named in the policy
tripwire --check -M

Use host-based intrusion detection. An IDS helps the administrator discover attempts to break in. In an enterprise, host-based intrusion detection matters more than network-based detection, since the enterprise network sits behind a firewall anyway. Snare is recommended; the version currently supporting Red Hat Linux 7.2 is 0.9-1, available from http://www.intersectalliance.com. snare-core is the core daemon and snare the graphical front end. After installation a daemon named audit runs. Snare watches for root operations, changes to file permissions and access to sensitive data, and records them in its log. Its configuration file defines which events make up a suitable intrusion-detection log for the system; the configuration provided by the default installation meets general requirements.

Other security tools. Bastille is a collection of hardening scripts, and many of the settings described above can be applied automatically with it. After the first installation you can run BastilleBackEnd with a previously saved configuration file; editing /etc/Bastille/config customises what the hardening script does. Bastille's general configuration does not cover everything, for example the firewall.
If you prefer, run InteractiveBastille.pl after installation for an interactive setup: Bastille opens a wizard, and answering yes or no to each question generates a configuration file for your system.

Use a rootkit checker. chkrootkit examines important system binaries to determine whether they have been replaced. Because it works from known Trojan and backdoor signatures, keep it updated regularly.

Use scheduled jobs. Running checks from crontab reduces the administrator's workload: for example, schedule the regular Tripwire check and the chkrootkit run and mail their results to the administrator.

Points to note: have at least one proxy server, running a different Linux distribution or operating system from the rest; keep all desktops inside the firewall and forbid modem connections to the Internet; run at least one intrusion detection system, with several sensors distributed across the network; have at least two system administrators who can cover for each other; never log in directly as root; never use telnet for remote login; document every system change. After all, prevention is better than cure.

The above only briefly describes the basic security settings for enterprise Linux. If even these basics are not met, security problems will plague the system administrator. Many more complex settings have not been covered, such as restricting network interaction and limiting resources. Desktop firewalls, the firewall itself, and the hardening of mail, file and web servers have also been left out. None of this means that doing what is described here lets you rest easy: it is only a start, and far from enough. Administrators are welcome to exchange ideas on specific cases and deeper Linux security configuration. (Editor: Sunny)
