About Linux User Resources
Setting resource limits for all users on your Linux system can prevent certain denial-of-service attacks, such as a user spawning too many processes or consuming too much memory. For example, to restrict all users, edit /etc/security/limits.conf and add the following lines:
* hard core 0
* hard rss 5000
* hard nproc 20
You must also edit the /etc/pam.d/login file and check that the following line is present:
session required /lib/security/pam_limits.so
The lines above disable core files ("core 0"), limit the number of processes ("nproc 50"), and restrict memory usage to 5M ("rss 5000").
About the NFS server
Because the NFS server has had many vulnerabilities, you must be careful with it. If you want to run the NFS network file system service, make sure your /etc/exports is configured with the most restrictive access permissions possible: do not use any wildcards, do not allow root write permission, and export the file system read-only. You can edit the file /etc/exports and add:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Here /dir/to/export is the directory you want to export, host.mydomain.com is the name of the client machine allowed to mount it, ro means the directory is mounted read-only, and root_squash prevents root from writing to the directory. Finally, for the changes above to take effect, you must also run /usr/sbin/exportfs -a.
About the services Linux starts
By default Linux is a powerful system that runs a lot of services. But many of these services are not needed, and they easily become a security risk. The file /etc/inetd.conf defines which services /usr/sbin/inetd will listen for; you may only need two of them, telnet and ftp. The others, such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on, should all be closed unless you really need to use them.
First, use the following command to display the services that have not been commented out:
grep -v "#" /etc/inetd.conf
Before making changes, count the total number of running processes:
ps -eaf | wc -l
We must remind you that the following three services have many known holes, and we strongly recommend that you close them: S34yppasswdd (NIS server), S35ypserv (NIS server) and S60nfs (NFS server).
After commenting out the unneeded services, run #killall -HUP inetd so that inetd re-reads its configuration and stops listening for them. Of course, you can also run
#chattr +i /etc/inetd.conf
if you want to give the inetd.conf file the immutable attribute so that it cannot be changed; only root can remove the attribute again, with the following command:
#chattr -i /etc/inetd.conf
After you have closed some services, re-run the command above to see how many fewer services there are. The fewer services running, the more secure the system naturally is. We can use the following command to see which services are listening:
netstat -na --ip
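As an added example (not from the original article), here is a shell script that applies the checks above to constructed copies of /etc/exports and /etc/inetd.conf: it flags export entries that use wildcard hosts, grant write access or omit root_squash, and lists the services inetd is still configured to listen for. The sample file contents and the function names are my own.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/exports and /etc/inetd.conf.
SAMPLE_EXPORTS=$(mktemp)
SAMPLE_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS" "$SAMPLE_INETD"' EXIT
cat >"$SAMPLE_EXPORTS" <<'EOF'
/dir/to/export host1.mydomain.com(ro,root_squash)
/home *.mydomain.com(rw,no_root_squash)
/srv/data *(rw)
EOF
cat >"$SAMPLE_INETD" <<'EOF'
#echo   stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#talk   dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.talkd
EOF
# audit_exports FILE: print "path host (options) reasons" for every export
# entry that breaks the rules above (wildcard host, rw, no root_squash).
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {              # each "host(opts)" entry
            host = $i; opts = ""
            if (match($i, /\(.*\)/)) {
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            reason = ""
            if (host ~ /[*?]/ || host == "") reason = reason " wildcard-host"
            if (opts ~ /(^|,)rw(,|$)/) reason = reason " writable"
            if (opts !~ /(^|,)root_squash(,|$)/) reason = reason " root-not-squashed"
            if (reason != "") print path, host, "(" opts ")" reason
        }
    }' "$1"
}
# active_inetd_services FILE: names of services not commented out.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}
# risky_inetd_services FILE: active services the article says to close.
risky_inetd_services() {
    active_inetd_services "$1" | grep -E -x 'shell|login|exec|talk|ntalk|imap|pop-2|pop-3|finger|auth'
}
audit_exports "$SAMPLE_EXPORTS"
echo "services still to close:" $(risky_inetd_services "$SAMPLE_INETD")
```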
If you are using RedHat it is much more convenient. ^_^ Red Hat provides a tool to help you shut down services: enter /usr/sbin/setup, then select "System services", where you can choose which services run at system startup. Another option is the chkconfig command, which comes with many Linux distributions. The startup scripts are named with a sequence number that sets their start order, and names beginning with an uppercase K are used to kill the process.