  Red Hat Linux security settings document
  Add Date : 2018-11-21      
1. Minimize the system for security: remove unnecessary software and turn off unnecessary services.
# ntsysv
Activate only the services that are actually required; it is recommended to turn off every service not in that set, keep the essential services running, and enable the others one at a time only as they are needed.

2. Remove the finger program:
# rpm -e finger

3. BIOS security settings

4. Account security settings
Edit the /etc/login.defs file and set:
PASS_MAX_DAYS 120 (maximum number of days a password may be used before it expires)
PASS_MIN_DAYS 0 (minimum number of days between password changes)
PASS_MIN_LEN 10 (minimum password length)
PASS_WARN_AGE 7 (number of days before expiry on which warnings start)
Make sure /etc/shadow can be read only by root, and that /etc/passwd can be written only by root.

Check the strength of users' passwords regularly with a password-auditing tool.
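Added example, not from the original document: a small POSIX shell audit for the settings in this item. It checks the four password-ageing values in a login.defs-style file against the recommended values above and checks the modes of the passwd- and shadow-style files. Every function takes a path as its parameter, so the block runs here against a constructed sample directory rather than the live /etc files; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original document: audit the password-ageing
# values of item 4 in a login.defs-style file and the modes of the account
# files.  Every function takes a path, so it can run on a constructed copy.

# Recommended values from the checklist, as KEY=VALUE words.
RECOMMENDED="PASS_MAX_DAYS=120 PASS_MIN_DAYS=0 PASS_MIN_LEN=10 PASS_WARN_AGE=7"

# get_def FILE KEY: print the value of KEY (last non-comment assignment), if any.
get_def() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# audit_login_defs FILE: print "KEY current -> recommended" for each value that
# deviates from RECOMMENDED; the return status is the number of deviations.
audit_login_defs() {
    bad=0
    for pair in $RECOMMENDED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(get_def "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key ${have:-unset} -> $want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# file_mode FILE: octal mode such as 640 (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# last3 MODE: the three permission digits, dropping any setuid/sticky prefix.
last3() {
    m=$1
    echo "${m#"${m%???}"}"
}

# root_only FILE: succeed when group and others have no permission at all
# (what item 4 asks for /etc/shadow).
root_only() {
    case "$(last3 "$(file_mode "$1")")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# owner_only_write FILE: succeed when neither group nor others may write
# (what item 4 asks for /etc/passwd, which must stay world-readable).
owner_only_write() {
    case "$(last3 "$(file_mode "$1")")" in
        ?[2367]? | ??[2367]) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Constructed sample files (NOT the live /etc files) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_DEFS=$SAMPLE_DIR/login.defs
cat > "$SAMPLE_DEFS" <<'EOF'
# constructed login.defs: two values drift from the recommendation
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
touch "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/passwd"
chmod 600 "$SAMPLE_DIR/shadow"   # root-only, as required
chmod 644 "$SAMPLE_DIR/passwd"   # readable by all, writable by owner only

audit_login_defs "$SAMPLE_DEFS" || echo "$? deviation(s) found"
root_only "$SAMPLE_DIR/shadow" && echo "shadow: ok"
owner_only_write "$SAMPLE_DIR/passwd" && echo "passwd: ok"
# On a real host: audit_login_defs /etc/login.defs; root_only /etc/shadow; owner_only_write /etc/passwd
```

Run against the sample, audit_login_defs reports PASS_MAX_DAYS and PASS_MIN_LEN as deviations and returns 2; the mode checks look only at the last three permission digits, so a sticky or setgid prefix on the mode does not confuse them.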

5. /etc/exports
If files are shared out through NFS, be sure to configure the /etc/exports file with strict access restrictions: do not use wildcards, do not allow write access to the root directory, and give only read permission wherever possible. For example, in /etc/exports:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Write the options directly after the host name with no space in between; a space before the parenthesis makes the options apply to every host instead of the named one.
Using NFS at all is not recommended.

6. inetd.conf or xinetd.conf
If inetd.conf is used, it is recommended to comment out all of the r-services (the entries whose names begin with r), exec, and so on.

7. TCP_Wrappers
Add the services to be allowed to /etc/hosts.allow, and add this line to /etc/hosts.deny:
ALL: ALL

8. /etc/aliases file
If the aliases file is managed carelessly or incorrectly, it creates a security hazard. Delete the line that defines the "decode" alias from the aliases file.
Edit aliases and delete or comment out the following lines:
#games: root
#ingres: root
#system: root
#toor: root
#uucp: root
#manager: root
#dumper: root
#operator: root
#decode: root
Then run /usr/bin/newaliases to reload the aliases.

9. Prevent sendmail from being abused by unauthorized users
Edit sendmail.cf and change
O PrivacyOptions=authwarnings
to
O PrivacyOptions=authwarnings,noexpn,novrfy

10. Do not respond to ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

11. Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
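The two echo commands above change only the running kernel; the settings are lost at reboot unless they are also written to /etc/sysctl.conf, which is loaded at boot (and can be applied immediately with sysctl -p). Added example, not from the original document: a POSIX shell helper that sets the sysctl keys matching the two /proc paths above (net.ipv4.icmp_echo_ignore_all and net.ipv4.tcp_syncookies) in a sysctl.conf-style file idempotently, replacing an existing or commented-out assignment instead of appending duplicates. It runs here on a constructed copy of the file, not the live /etc/sysctl.conf; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original document: maintain the settings of
# items 10 and 11 in a sysctl.conf-style file so they survive a reboot.
# The keys are the sysctl names of the two /proc/sys paths in the checklist.

# set_sysctl_key FILE KEY VALUE: write "KEY = VALUE" into FILE, replacing an
# existing or commented-out assignment of KEY (and dropping duplicates);
# append it if the key is not present.  Safe to run repeatedly.
set_sysctl_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip leading blanks and a comment marker
            n = index(line, "=")
            k = (n > 0) ? substr(line, 1, n - 1) : ""
            gsub(/[ \t]+$/, "", k)               # trim the key
            if (n > 0 && k == key) {
                if (!done) { print key " = " value; done = 1 }
                next                             # drop stale or duplicate lines
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_sysctl_key FILE KEY: print the effective (last, non-comment) value of KEY.
get_sysctl_key() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ || NF < 2 { next }
        { k = $1; v = $2
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { if (val != "") print val }
    ' "$1"
}

# Constructed sample (NOT the live /etc/sysctl.conf): one key already set,
# one present only as a commented-out line.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 0
# net.ipv4.tcp_syncookies = 0
EOF

set_sysctl_key "$SAMPLE_CONF" net.ipv4.tcp_syncookies 1        # replaces the commented line
set_sysctl_key "$SAMPLE_CONF" net.ipv4.icmp_echo_ignore_all 1  # appended
set_sysctl_key "$SAMPLE_CONF" net.ipv4.tcp_syncookies 1        # no-op on a second run
cat "$SAMPLE_CONF"
# On a real host: make the same calls against /etc/sysctl.conf, then run `sysctl -p`
# to load the file immediately (the echo commands above change only the running kernel).
```

After the three calls the sample holds exactly one line per key: the commented-out tcp_syncookies line has been rewritten in place, icmp_echo_ignore_all has been appended, and repeating a call changes nothing, which is what makes the helper safe to keep in a hardening script that runs on every boot or deployment.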

12. Remove unnecessary users and groups
Delete users such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
Delete groups such as adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.
You can then make the account files immutable so that they cannot be changed:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

13. Prevent anyone from using the su command to become root
Edit the su file (vi /etc/pam.d/su) and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
To allow a user to su to root, add the user to the wheel group:
usermod -G wheel username
(-G replaces the user's supplementary group list; use -aG to append where usermod supports it.)

14. Disable shutdown via the Ctrl+Alt+Delete key combination
Edit the inittab file and comment out this line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Run /sbin/init q to make the change take effect.

15. Keep a hard copy of all important log files
If the server is important, you can consider printing the ssh, mail and other log messages by adding a line like this to /etc/syslog.conf:
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
Then run /etc/rc.d/init.d/syslog restart.
Alternatively, send the logs to another server for safekeeping. For example, the line
authpriv.* /var/log/secure
writes to a local file; to have the messages sent to a log server instead, change it to
authpriv.* @loghost
where loghost is a placeholder for the host name of the remote log server.

16. Change the access permissions of the script files in the /etc/rc.d/init.d directory
chmod -R 700 /etc/rc.d/init.d/*
Note: apply this security setting judiciously.

17. /etc/rc.d/rc.local
Comment out all the lines in this file that display host information, so that no one can see any information about the host from it. Also delete /etc/issue and /etc/issue.net.

18. Programs with the s bit set
Programs whose s bit you can clear include, but are not limited to:
- programs you never use;
- programs you do not want non-root users to run;
- programs used only occasionally, for which you do not mind using su to become root before running them.
find / -type f \( -perm -04000 -o -perm -02000 \) -print
chmod a-s program_name

19. View hidden files
find / -name ".*" -print

20. Find files and directories that are writable by anyone
find / -type f \( -perm -2 -o -perm -20 \) -ls
find / -type d \( -perm -2 -o -perm -20 \) -ls

21. Find files on the system that have no owner
find / \( -nouser -o -nogroup \) -print

22. Find .rhosts files
find /home -name ".rhosts" -print
If any are found, remove them.
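Added example, not part of the original document, covering items 18 to 22 together: the find commands above wrapped as POSIX shell functions that take the directory to search as a parameter, so they can be exercised here on a constructed directory tree and run against / on a real host. The world-writable check in this example reports files and directories writable by others and skips directories carrying the sticky bit (such as /tmp), which is a refinement of this example rather than the checklist's exact predicate; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original document.  File-system audit helpers
# for checklist items 18 to 22; each takes the directory to search as $1.

# Item 18: files with the setuid (04000) or setgid (02000) bit set.
find_setuid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print
}

# Item 19: hidden files and directories (names beginning with a dot).
find_hidden() {
    find "$1" -name '.*' -print
}

# Item 20: files and directories writable by others, skipping sticky-bit
# directories such as /tmp, where world-write access is expected.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print
}

# Item 21: files whose owner or group no longer exists in passwd/group.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# Item 22: .rhosts trust files (run on /home on a real host).
find_rhosts() {
    find "$1" -name '.rhosts' -print
}

# Run every check and print the findings under a heading per check.
audit_tree() {
    root=$1
    for check in find_setuid find_hidden find_world_writable find_unowned find_rhosts; do
        echo "== $check $root"
        "$check" "$root"
    done
}

# Constructed sample tree (NOT a real system) so the helpers run safely here.
AUDIT_ROOT=$(mktemp -d)
mkdir -p "$AUDIT_ROOT/bin" "$AUDIT_ROOT/home/alice/shared" "$AUDIT_ROOT/tmp"
chmod 755 "$AUDIT_ROOT/bin" "$AUDIT_ROOT/home" "$AUDIT_ROOT/home/alice"
touch "$AUDIT_ROOT/bin/sample_suid" "$AUDIT_ROOT/bin/sample_sgid" \
      "$AUDIT_ROOT/home/alice/.rhosts" "$AUDIT_ROOT/home/alice/notes.txt"
chmod 4755 "$AUDIT_ROOT/bin/sample_suid"       # setuid: reported by item 18
chmod 2755 "$AUDIT_ROOT/bin/sample_sgid"       # setgid: reported by item 18
chmod 600  "$AUDIT_ROOT/home/alice/.rhosts"    # trust file: reported by items 19 and 22
chmod 666  "$AUDIT_ROOT/home/alice/notes.txt"  # world-writable file: reported by item 20
chmod 777  "$AUDIT_ROOT/home/alice/shared"     # world-writable dir: reported by item 20
chmod 1777 "$AUDIT_ROOT/tmp"                   # sticky world-writable dir: skipped

audit_tree "$AUDIT_ROOT"
# On a real host: audit_tree /   then chmod a-s, chmod o-w or rm the findings as the checklist advises.
```

On the sample tree the setuid check lists two files, the world-writable check lists notes.txt and the shared directory but not the sticky tmp directory, and the .rhosts check lists the one trust file; clearing the s bit with chmod a-s, as item 18 prescribes, removes that file from the next run's findings.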

23. Restrict the permissions of the system compilers, or remove them
For example: chmod 700 /usr/bin/gcc