Because Linux is stable and its source code is publicly available, it is used more and more on the Internet for web servers and database servers. Along with this, Linux system security is receiving increasing attention, and for many people hardening their Linux systems has become urgent.
So where do we need to start in order to harden a Linux system better against all kinds of emergencies and hacker attacks?
1. Installation and upgrade. Use the latest Linux distribution. Unplug the network cable before installing, so that the machine is physically disconnected during installation. Choose a custom installation and install as few packages as possible. Generally speaking, a server does not need X-windows. Add a password restriction to the lilo/grub boot loader to guard against malicious users who have physical access. Because the rescue mode of the Linux installation CD can bypass this restriction, you should also set a BIOS password or lock the server chassis. Put directories such as /var, /home, /usr and /root on independent physical partitions, so that junk data and logs cannot fill up the hard drive and cause a denial-of-service (DoS) attack. Give the root account a strong password. Immediately after installation, upgrade the system software with up2date or apt; sometimes upgrading the kernel is also necessary, because kernel problems give attackers an opportunity too. Apt is the powerful package management tool of Debian GNU/Linux, and it can also be used on other versions of Linux.
2. Accounts. For the system's users, you can edit /etc/login.defs to change the password policy. Delete unnecessary system accounts and groups; if anonymous FTP is not enabled, you can also delete the ftp account. The command to delete an account is as follows:
[root@ayazero /]# userdel -r username
Local-only maintenance is the most secure way, but it is not very practical; remote root access still needs to be restricted. Administrators can log on remotely with an ordinary account and then su to root, and we can add the users who use su to the wheel group to improve security.
Add the following two lines to the top of the /etc/pam.d/su file:
Edit /etc/securetty and comment out all consoles that allow root to log in remotely, and prohibit the use of all console programs; the commands are as follows:
Logins using ssh are encrypted. If the administrator only logs in from fixed terminals, you should also restrict the legitimate ssh clients, to prevent sniffing and man-in-the-middle attacks. At the same time, set the command history to zero so that what you did stays hidden; the command is:
3. Services. Follow the principle of least service: any unneeded service is commented out. In /etc/inetd.conf, put a "#" in front of unneeded services; newer versions no longer have inetd, which has been replaced by xinetd. Disable services that start automatically at boot: for the services under /etc/rc.d/rc3.d that do not need to run, change the first letter "S" to "K" and leave the rest unchanged. If you want something simple, you can use the two files /etc/hosts.allow and /etc/hosts.deny, but the iptables firewall is recommended instead, so I do not go into the details. (To be continued)
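
As an added example (not from the original post), the read-only shell checks below report whether settings from sections 1 to 3 are in place: the wheel restriction on su, the entries still enabled in /etc/securetty and /etc/inetd.conf, and the separate partitions. It assumes the wheel restriction is enforced with the pam_wheel PAM module, which the post does not name; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: read-only checks for settings named above.
# Each function takes the file to inspect, so it can be run against a copy of the config.

# Succeeds if su's PAM stack has an active (uncommented) pam_wheel line.
# Assumption: the wheel restriction is implemented with pam_wheel.so.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' "$1"
}

# Prints the entries still enabled (not blank, not commented out)
# in a securetty- or inetd.conf-style file.
active_entries() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Prints each listed directory that is NOT its own mount point
# in a /proc/mounts-style table (first argument).
unsplit_dirs() {
    _mounts=$1; shift
    for _dir in "$@"; do
        awk -v want="$_dir" '$2 == want { found = 1 } END { exit !found }' "$_mounts" || echo "$_dir"
    done
}

# Constructed sample files (not taken from a real host) to show the checks at work.
demo() {
    t=$(mktemp -d) || return 1
    printf '%s\n' '#auth required pam_wheel.so use_uid' 'auth include system-auth' > "$t/su"
    printf '%s\n' '# console' 'tty1' '#ttyS0' > "$t/securetty"
    printf '%s\n' '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
                  'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' > "$t/inetd.conf"
    printf '%s\n' '/dev/sda1 / ext4 rw 0 0' '/dev/sda2 /var ext4 rw 0 0' > "$t/mounts"
    su_requires_wheel "$t/su" || echo "su: pam_wheel is not enforced"
    echo "root may log in on: $(active_entries "$t/securetty" | tr '\n' ' ')"
    echo "inetd services still on: $(active_entries "$t/inetd.conf" | tr '\n' ' ')"
    echo "not separate partitions: $(unsplit_dirs "$t/mounts" /var /home /usr | tr '\n' ' ')"
    rm -rf "$t"
}
demo
```

On a real host the same functions can be pointed at /etc/pam.d/su, /etc/securetty, /etc/inetd.conf and /proc/mounts, where those files exist.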