Home IT Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Linux system security norms     - Network traffic monitoring ntopng (Linux)

- Docker deployment practices in Ubuntu (Server)

- Help you enhance Python programming languages 27 (Programming)

- Zombie process under Linux (Linux)

- Docker commonly used commands Description (Linux)

- Binary search -Java achieve (Programming)

- MySQL5.6.12 Waiting for commit lock lead to hang from the library housing problem analysis (Database)

- LVM management reduces swap partition space to the root partition (Linux)

- C language binary tree counts words (Programming)

- To teach you a trick to find the real IP address (Linux)

- Install Visual Studio Code in Ubuntu (Linux)

- Debian 8 Jessie install LAMP server tutorial (Server)

- Linux network monitoring tools ntopng installation (Linux)

- Ten correct use Redis skills (Database)

- Ubuntu configuration SVN and http mode access (Server)

- Dual system Linux (Ubuntu) into the Windows NTFS partition's mount error (Linux)

- MyCAT log analysis (Database)

- Android HTTP request with Get Information (Programming)

- VPS xen openvz kvm (Server)

- Root of AVL Tree- achieve balanced search trees AVL tree (Programming)

 
         
  Linux system security norms
     
  Add Date : 2017-01-08      
         
       
         
  Basic principles:. A timely update all the services, in order to prevent the latest threats
b. Linux system to use as security protocol
c. as far as possible to provide only one service each machine
d. Strict monitoring of all machines and found that malicious behavior
e. subscription system related security mailing list

One. Account and password
(I) The account
1. Maintenance personnel to establish a separate account for each ordinary privileges system, established to monitor machine monitor
Account, respectively, for routine maintenance and system monitoring;
2. FTP server configuration virtual account number;
3. In addition to prohibiting the root account, the system maintains all accounts other than the use of personnel accounts and account monitoring machine
SHELL authority;
4. Lock all install the system automatically created an account;
. A system to find out unlocked accounts: egrep -v '*: \ * |:.! \' / Etc / shadow | awk -F: '{print $ 1}'
. B Lock: usermod -L
(II). Password
1. Strength: a 10 bits or more; includes letters (uppercase and lowercase), numbers and special characters; not contain English words;.
. B: Configure in the file /etc/pam.d/system-auth;
password requisite /lib/security/$ISA/pam_cracklib.so retry = 3 minlen = 10 lcredit = -1 ucredit = -1 dcredit = -1 ocredit = -1)
2. Changing frequency: a 120 days;.
. B configure the new account's default frequency of changes: Set pass_max_days in the file /etc/login.defs = 120
c modify the current user to change the frequency:. chage -M 120
3. History: a 10 times.
. B: Configure in the file /etc/pam.d/system-auth
password requisite /lib/security/$ISA/pam_cracklib.so retry = 3 minlen = 10 lcredit = -1 ucredit = -1 dcredit = -1 ocredit = -1 difok = 3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember = 10)
4. The recommended method for choosing a password: come up with a sentence, which in line with the first letter of each word and contains letters and replace it with a similar number or symbol to generate a password;
5. Good password example: Zhongguoliantong10010))), Beijingquhao010));!!!

Two. Remote Login
(I). SSH
1. Only supports SSH v.2;
2. Do not directly use the root account to log in, only allows the use of ordinary privileges account log in directly;
3. Change the default port (to 22222);
(II). Login banner
1. Join Login Warning / etc / issue file
#cat> / etc / issue << EOF
=======================================
Warning: The system is owned by xxxxxx,
Unauthorized access to this system is prohibited !!!
=======================================
2. Add the login successful warning in / etc / motd file
#cat> / etc / motd << EOF
=======================================
Warning: The system is owned by xxxxxx,
What you do will be monitored and logged !!!
=======================================

Three. Kernel parameters
1. Adjust the following kernel parameters to improve the ability of the system to prevent IP spoofing and DOS attacks:
net.ipv4.ip_forward = 0 # For LVS, gateway or VPN server must be set in
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1 # for LVS back-end server,
# To set to 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1

four. File system
1. mount options: / ro # first / root directory to / home / root
/ Boot ro
/ Usr ro
/ Var noexec, nosuid
/ Tmp noexec, nosuid
2. SUID, SGID file: run a cron job every day to see if there are new SUID / SGID files appear,
If so, send e-mail to the maintenance personnel;
3. Everyone can write directory: run a cron job every day, to see if there are new owners
Write directory appears. If so, send e-mail to the maintenance personnel;
4. ACL: When assigning permissions to a file or directory for multiple users, modify user belongs prohibited
Implementation, use ACL to achieve;
5. umask: configured for 0022 or 0055 (in / etc / bashrc configured);

Fives. Journal
1. Log stored centrally to the log host, locally saved four weeks of log backup;
2. Log client configuration: Reference << linux system specifications >> 8. Configuring the system log;
3. Log host configuration: Reference << linux log host Configuration Guide >>;

six. application
(I). MySQL
1. Mysql user to run MySQL;
2. To rename the administrator account root (ht-mysql-admin);
3. Administrator account to set a strong password key;
4. Delete the database test;
5. Delete unwanted accounts MySQL automatically created during installation,
Create an account ban not absolutely necessary;
6. Prohibit any plain text passwords stored in the database;
7. Prohibition choose passwords from the dictionary;
8. Strict control of user rights: to give users the minimum permissions required to complete their work only;
Prohibit granting PROCESS, SUPER, FILE privilege to non-administrative account;
9. Prohibited granted to outside users read and write permissions mysql MySQL data directory other OS users;
10. Subscribe to the mailing list: MySQL Announcements;
(II). Resin
1. Users running resin with resin;
2. APACHE integrated with the use of prohibited operation to provide WEB services directly in standalone mode;
(III). Apache
1. Compile just the modules must be used;
2. Daemon daemon user group to run APACHE;
3. Close all diagnostic pages and automatic directory indexing service;
4. Remove cgi-bin directory and manul directory;
5. Do not expose his true identity as far as possible;
6. Use chrooting apache restrict access to the file system (in the case of a centralized storage
More difficult to achieve);
7. Installation modsecurity module;
8. The use of identity-based authentication to control access to the host management page;
9. Logs centralized storage and analysis;
10. Subscribe to the mailing list: Apache HTTP Server Announcements List;

Seven. Firewall
(I) Software: iptables
(II) Rules
1. Loading important iptables module: ip_tables, iptable_filter, ip_conntrack,
ip_conntrack_ftp;
2. Press the network interface cards (eth0, eth1, ...) and packet type (TCP, UDP, ICMP)
Custom rule sets;
3. Configure each rule set policy to ACCEPT, but be sure to match any explicitly DROP the rule set at the end of each rule set, but does not allow packets (iptables -A -j DROP);
4. DROP invalid data packet, IP spoof packets;
5. Open only to meet the business needs of the least-port;
(III). Configuration
Reference << linux system specifications >> 10. Configuring security 3) firewall;

Eight. Intrusion detection and prevention
1. Tools: OSSEC;
2. Strategy: installed on a server OSSEC HIDS server needs to be installed in OSSEC HIDS Agent on a host intrusion detection and prevention, and file integrity testing server, the agent will send information to the HIDS server, which unified analysis and processing;
3. Configuration;

Nine. security audit
-------------------------------------------------- -------------
Audit Object tool frequency
-------------------------------------------------- ---------
Linux system nmap 1 month
Nessus 3 months
Automatic real-time log analysis
Artificial log analysis, if necessary
Password file John the ripper 3 months
APACHE nikto 6 months
Appscan 6 months
     
         
       
         
  More:      
 
- Source Analysis: Java object memory allocation (Programming)
- To install Gitolite in Ubuntu / Fedora / CentOS (Linux)
- Java and Python use make way dictionary word search script (Programming)
- The REVERSE function of DB2 (Database)
- C # Future: Method Contract (Programming)
- Go powerful development server simple example (Server)
- Eclipse, Tomcat configuration JNDI connection Oracle data source example (Server)
- Oracle Database Delete Delete million or more common method of heap table data (Database)
- Ubuntu 14.04 Solution login interface infinite loop (Linux)
- CentOS 7 update source - the use of domestic sources 163 yum (Linux)
- Java precision four operations (Programming)
- Hadoop 0.23 compile common errors (Server)
- How do you turn on and off IPv6 address on Fedora (Linux)
- Installation and Configuration OpenVPN server and client on Ubuntu 15.04 (Server)
- Python when automated operation and maintenance often used method (Programming)
- Linux Apache server security (Linux)
- Programmers Do not neglect debugging techniques (Programming)
- Linux User Rights Study Notes (Linux)
- Linux installed Cisco Packet Tracer (Linux)
- After restarting network services, DNS address failure (Linux)
     
           
     
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.