1. When installing the system, install no services other than ssh; a text-mode installation is best, because a system that opens only the minimum of services is more secure. The root password must be more than eight characters and mix numbers, letters and symbols, so that an attacker cannot guess it with a password dictionary.
2. Back up the system's important file directories and the data directories
[root@208 ~]# tar jcvf back.tar.gz /etc/ /home/ /boot/ /bin/ /sbin/ /usr/bin/ /usr/sbin/
3. ssh access control (edit hosts.allow first, so that your own address is listed before everything else is denied)
[root@208 ~]# vim /etc/hosts.allow   - which IPs may connect with ssh
sshd: <your external IP address>
[root@208 ~]# vim /etc/hosts.deny   - every other IP is refused
sshd: ALL
4. Change the ssh server port, so that attackers cannot target my port 22
[root@CentOS ~]# vim /etc/ssh/sshd_config   - open the ssh service configuration file
Port 222   - uncomment this line and change the port number
PermitRootLogin no   - do not allow the root user to log in
PermitEmptyPasswords no   - do not allow empty passwords
AllowUsers tong@<external IP> tong1@<external IP>   - only these two users may log in, and only from the specified IP
[root@centos ~]# /etc/init.d/sshd restart
Stopping sshd: [OK]
Starting sshd: [OK]
[root@centos ~]# vim /etc/services   - change these two lines to the port you chose
ssh 222/tcp
ssh 222/udp
[root@centos ~]# vim /etc/sysconfig/iptables   - open the new port in the packet filter
-A INPUT -m state --state NEW -m tcp -p tcp --dport 222 -j ACCEPT
[root@centos ~]# /etc/init.d/iptables restart
iptables: Applying firewall rules: [OK]
[root@centos ~]#
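A script that verifies the sshd_config changes of step 4 actually took effect, added here as an example and not part of the original post. The directives checked are the ones listed above; the sample config, the hostnames and the 203.0.113.x addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings section 4 applies. Only the global section is read: a "Match"
# line ends the scan, because directives after it are conditional.
# Effective value of a directive: the first uncommented occurrence wins, as
# in sshd itself; key comparison is case-insensitive. Empty if unset.
sshd_get() {  # $1 = config file, $2 = directive name
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare one directive with the expected value; prints PASS/FAIL, returns 0/1.
sshd_check() {  # $1 = config file, $2 = directive, $3 = expected value
    actual=$(sshd_get "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $2=$actual"; return 0
    fi
    echo "FAIL $2=${actual:-<unset, sshd default applies>} (want $3)"; return 1
}

# The checks from the post: non-default port, no root login, no empty
# passwords, and an AllowUsers list (its user@host pairs are site-specific).
sshd_audit() {
    cfg="${1:-/etc/ssh/sshd_config}"; rc=0
    sshd_check "$cfg" Port 222 || rc=1
    sshd_check "$cfg" PermitRootLogin no || rc=1
    sshd_check "$cfg" PermitEmptyPasswords no || rc=1
    if [ -n "$(sshd_get "$cfg" AllowUsers)" ]; then
        echo "PASS AllowUsers is set"
    else
        echo "FAIL AllowUsers unset (any account with a password may log in)"; rc=1
    fi
    return $rc
}

# Constructed sample config: the port was changed, but PermitRootLogin was left
# commented out, so sshd's default still applies and the audit must fail.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
Port 222
#PermitRootLogin yes
PermitEmptyPasswords no
AllowUsers tong@203.0.113.10 tong1@203.0.113.11
EOF
if sshd_audit "$SAMPLE_CFG"; then echo "sample: hardened"; else echo "sample: NOT hardened"; fi
```

Run it against the real file with `sh audit.sh /etc/ssh/sshd_config` after the restart; a commented-out directive is reported as unset, which is exactly the case where sshd's built-in default silently applies.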
5. Install a file integrity checking tool (Tripwire) for the Linux file system. It only records which files were added, modified, deleted or accessed; it does not back up or restore files, so back up the files before installing the software, to be ready for a later recovery.
[root@208 pub]# tar xvf tripwire-2.4.2.2-src.tar.bz2
[root@208 pub]# cd tripwire-2.4.2.2-src
[root@208 tripwire-2.4.2.2-src]# ./configure --prefix=/usr/local/tripwire/
......   - type "accept" to accept the license
......   - type y to confirm
......   - enter the site passphrase
......   - enter the local passphrase
[root@208 tripwire-2.4.2.2-src]# make
[root@208 tripwire-2.4.2.2-src]# make install
[root@208 tripwire-2.4.2.2-src]# cd /usr/local/tripwire/etc/
[root@208 etc]# ll
total 60
-rw-r-----. 1 root root   931 Jan 6 11:44 208.184.97.119.broad.wh.hb.dynamic.163data.com.cn-local.key
-rw-r-----. 1 root root   931 Jan 6 11:44 site.key
-rw-r-----. 1 root root  4586 Jan 6 11:44 tw.cfg
-rw-r-----. 1 root root   598 Jan 6 11:44 twcfg.txt
-rw-r-----. 1 root root   598 Jan 6 11:44 twcfg.txt.default
-rw-r-----. 1 root root  4159 Jan 6 11:44 tw.pol
-rw-r-----. 1 root root  8679 Jan 6 13:03 twpol.txt
-rw-r-----. 1 root root 13806 Jan 6 11:44 twpol.txt.default
[root@208 etc]# vim twpol.txt
(
  rulename = "file"   - define the rule name
)
{
  /      -> $(ReadOnly);   - monitor the files under the root directory
  /home  -> $(ReadOnly);   - monitor the files under /home
  /usr   -> $(ReadOnly);   - monitor the files under /usr
  /var   -> $(ReadOnly);   - monitor the files under /var
}
Note that tripwire reads the signed tw.pol, not twpol.txt, so an edited text policy has to be compiled into tw.pol (twadmin --create-polfile) before it takes effect.
[root@208 etc]# cd ../sbin/
[root@208 sbin]# ./tripwire --init   - generate the baseline database
[root@208 sbin]# ./tripwire --check   - every file added or modified under the monitored directories is listed
[root@208 sbin]# ./tripwire --check --rule-name "file"   - check only the named rule
[root@208 sbin]# ./tripwire --check /home /usr   - check only the specified directories