  Red Hat Linux security settings document
     
  Add Date : 2018-11-21      
1. Minimize the system: remove unnecessary software and turn off unnecessary services.
# ntsysv
The list below contains only the services that need to be enabled; services not listed should be turned off, and any essential service found to be missing afterwards can be turned back on one at a time.
atd
crond
irqbalance
microcode_ctl
network
sshd
syslog

2. Remove the finger program:
# rpm -e finger

3. BIOS security settings

4. Account security settings
Modify the /etc/login.defs file:
PASS_MAX_DAYS 120    (password expiry, in days)
PASS_MIN_DAYS 0      (minimum number of days between password changes)
PASS_MIN_LEN 10      (minimum password length)
PASS_WARN_AGE 7      (days of warning before a password expires)
Make sure /etc/shadow is readable only by root.
Make sure /etc/passwd is owned by root and writable only by root.

Regularly run a password-auditing tool to check the strength of users' passwords.

5. /etc/exports
If files are shared out over NFS, be sure to configure the /etc/exports file with the strictest possible access restrictions: do not use wildcards, do not allow write access to the root directory, and grant read-only access wherever possible. For example, in /etc/exports:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Using NFS at all is not recommended.

6. inetd.conf or xinetd.conf
If inetd.conf is in use, it is recommended to comment out all the services whose names begin with r (rlogin, rsh, and so on), exec, etc.

7. TCP_Wrappers
Add the services to be allowed to /etc/hosts.allow, and add the following line to /etc/hosts.deny: ALL: ALL

8. /etc/aliases file
If the aliases file is mismanaged or handled carelessly, it becomes a security hazard. Delete the line defining the "decode" alias from the aliases file.
Edit aliases and delete or comment out the following lines:
#games: root
#ingres: root
#system: root
#toor: root
#uucp: root
#manager: root
#dumper: root
#operator: root
#decode: root
Then run /usr/bin/newaliases to reload the aliases.

9. Prevent sendmail from being abused by unauthorized users
Edit sendmail.cf and change the line
O PrivacyOptions=authwarnings
to
O PrivacyOptions=authwarnings,noexpn,novrfy

10. Do not respond to ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

11. Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

12. Remove unnecessary users and groups
Delete users such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
Delete groups such as adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.
You can then make the account files immutable so that they cannot be changed:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

13. Prevent anyone from using the su command to become root
Edit the su PAM file (vi /etc/pam.d/su) and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Add the users who should be allowed to su to root to the wheel group:
usermod -G10 username

14. Disable the Ctrl+Alt+Delete shutdown key combination
Edit the inittab file and comment out the line
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Run /sbin/init q to make the setting take effect.

15. Keep a hard copy of all important log files
If the server is important enough, consider printing the ssh, mail and other log messages by adding a line to /etc/syslog.conf:
authpriv.*;mail.*;local7.*;auth.*;daemon.info    /dev/lp0
Then run /etc/rc.d/init.d/syslog restart.
Alternatively, send the logs to another server for safekeeping. For example, the line
authpriv.*    /var/log/secure
can be changed so that the messages are sent to 192.168.0.2:
authpriv.*    @192.168.0.2

16. Change the access permissions of the script files in the /etc/rc.d/init.d directory
chmod -R 700 /etc/rc.d/init.d/*
Note: apply this security setting judiciously.

17. /etc/rc.d/rc.local
Comment out everything in this file that reveals information about the host, so that nobody can see any information about it.
Delete issue and issue.net under /etc.

18. Programs with the s (setuid/setgid) bit
Programs whose s bit can be cleared include, but are not limited to:
- programs that are never used;
- programs that non-root users should not be able to run;
- programs used only occasionally, where you do not mind using su to become root before running them.
find / -type f \( -perm -04000 -o -perm -02000 \) -print
chmod a-s program_name

19. View hidden files
find / -name ".*" -print

20. Find files and directories that anyone can write to
find / -type f \( -perm -2 -o -perm -20 \) -ls
find / -type d \( -perm -2 -o -perm -20 \) -ls

21. Find files whose owner or group does not exist on the system
find / \( -nouser -o -nogroup \) -print

22. Find .rhosts files
find /home -name ".rhosts"
If any are found, remove them.

23. Restrict the permissions of the system compilers, or remove them
For example: chmod 700 /usr/bin/gcc
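An audit script that checks several of the items above (4, 7, 8, 10, 11, 18, 20 and 22), written here as an added example; it is not part of the original document. The check functions take the path of the file or directory to inspect, so they can be run against copies or constructed fixtures; --run applies them to the live system.

```shell
#!/bin/sh
# Added example (not from the original document): audit helpers for checklist
# items 4, 7, 8, 10, 11, 18, 20 and 22. Each check_* function inspects the file
# given as its argument, prints "ok" or "FAIL: ...", and returns 0 or 1.

# Item 4: PASS_MAX_DAYS must be set and at most 120, PASS_MIN_LEN at least 10.
check_login_defs() {
    max=$(awk '$1=="PASS_MAX_DAYS"{v=$2} END{print v+0}' "$1" 2>/dev/null)
    len=$(awk '$1=="PASS_MIN_LEN"{v=$2} END{print v+0}' "$1" 2>/dev/null)
    [ "${max:-0}" -gt 0 ] && [ "$max" -le 120 ] && [ "${len:-0}" -ge 10 ] && { echo ok; return 0; }
    echo "FAIL: PASS_MAX_DAYS=$max PASS_MIN_LEN=$len"; return 1
}

# Items 10 and 11: the /proc sysctl file must read exactly "1".
check_sysctl_on() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ] && { echo ok; return 0; }
    echo "FAIL: $1 is not 1"; return 1
}

# Item 7: hosts.deny must contain the default-deny line "ALL: ALL".
check_hosts_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1" 2>/dev/null && { echo ok; return 0; }
    echo "FAIL: no 'ALL: ALL' line in $1"; return 1
}

# Item 8: no active (uncommented) legacy alias such as decode may remain.
check_aliases() {
    if grep -Eq '^[[:space:]]*(decode|uucp|games|toor|ingres)[[:space:]]*:' "$1" 2>/dev/null; then
        echo "FAIL: legacy alias still active in $1"; return 1
    fi
    echo ok; return 0
}

# Items 18, 20 and 22: sweep a directory tree and report how many hits were found.
count_setuid()   { find "$1" -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null | wc -l | tr -d ' '; }
count_writable() { find "$1" \( -type f -o -type d \) \( -perm -2 -o -perm -20 \) 2>/dev/null | wc -l | tr -d ' '; }
count_rhosts()   { find "$1" -name .rhosts 2>/dev/null | wc -l | tr -d ' '; }

# Run against the live system only when asked (a full sweep of / needs root).
if [ "${1:-}" = "--run" ]; then
    check_login_defs /etc/login.defs
    check_sysctl_on /proc/sys/net/ipv4/icmp_echo_ignore_all
    check_sysctl_on /proc/sys/net/ipv4/tcp_syncookies
    check_hosts_deny /etc/hosts.deny
    check_aliases /etc/aliases
    echo "setuid/setgid files: $(count_setuid /)"
    echo "group/world-writable entries: $(count_writable /)"
    echo ".rhosts files: $(count_rhosts /home)"
fi
```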
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.