Red Hat Linux security settings document
Added: 2018-11-21

1. Minimize the system: remove unnecessary software and turn off unnecessary services.
# ntsysv
Activate only the services you actually need; any service not on your required list should be turned off. Keep the essential services running and re-enable others one by one only when they turn out to be needed.

2. Remove the finger program:
# rpm -e finger

3. BIOS security settings

4. Account security settings
Edit /etc/login.defs:
PASS_MAX_DAYS 120    # maximum number of days a password stays valid
PASS_MIN_DAYS 0      # minimum number of days between password changes
PASS_MIN_LEN 10      # minimum password length
PASS_WARN_AGE 7      # days of warning given before a password expires
Make sure /etc/shadow is readable only by root.
Make sure only root can write /etc/passwd.

Regularly run a password strength-checking tool against users' passwords.
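As an added example that is not part of the original checklist, the following shell script audits a login.defs file against the limits listed above and checks the permission bits of the shadow and passwd files. It takes file paths as arguments so it can be run against copies or a scratch directory as well as the live files (pass --live for those); it assumes GNU stat (stat -c) and awk, which Red Hat systems ship.

```shell
#!/bin/sh
# Added example: audit login.defs limits and passwd/shadow permissions.
# Not from the original document; assumes GNU stat (stat -c) and awk.

# Print the value of KEY from a login.defs-style FILE (first uncommented
# occurrence), or nothing if it is not set.
login_defs_value() {
    # $1 = file, $2 = key
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Compare the password-aging settings in FILE with the recommended limits
# (max 120 days, min length 10, warn 7 days). Prints one line per finding.
audit_login_defs() {
    local file="$1" v
    v=$(login_defs_value "$file" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 120 ]; then
        echo "PASS_MAX_DAYS is ${v:-unset}; expected 120 or less"
    fi
    v=$(login_defs_value "$file" PASS_MIN_LEN)
    if [ -z "$v" ] || [ "$v" -lt 10 ]; then
        echo "PASS_MIN_LEN is ${v:-unset}; expected 10 or more"
    fi
    v=$(login_defs_value "$file" PASS_WARN_AGE)
    if [ -z "$v" ] || [ "$v" -lt 7 ]; then
        echo "PASS_WARN_AGE is ${v:-unset}; expected 7 or more"
    fi
    return 0
}

# Last three octal digits (owner/group/other) of a file's mode, zero padded.
file_mode_bits() {
    stat -c '%a' "$1" | awk '{ printf "%03d", $1 % 1000 }'
}

# Check that a shadow-style file grants nothing to group/other and that a
# passwd-style file is not writable by group or other.
# $1 = shadow file, $2 = passwd file. Prints one line per finding.
audit_auth_file_perms() {
    local shadow_mode passwd_mode
    shadow_mode=$(file_mode_bits "$1")
    passwd_mode=$(file_mode_bits "$2")
    case "$shadow_mode" in
        *00) ;;                       # group and other have no access: fine
        *)   echo "$1 has mode $shadow_mode; expected group/other bits to be 0" ;;
    esac
    case "$passwd_mode" in
        ?[2367]? | ??[2367])          # write bit set for group or other
            echo "$2 has mode $passwd_mode; expected writable only by owner" ;;
    esac
    return 0
}

# Usage: sh audit.sh --live   (audits /etc/login.defs, /etc/shadow, /etc/passwd)
if [ "${1:-}" = "--live" ]; then
    audit_login_defs /etc/login.defs
    audit_auth_file_perms /etc/shadow /etc/passwd
fi
```

The checks deliberately read whole files rather than trusting a single grep, so a setting that appears twice or is commented out is judged by the first uncommented occurrence, which is what login(1) uses.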

5. /etc/exports
If you share files through NFS, configure /etc/exports with strict access restrictions: do not use wildcards, do not allow write access to the root directory, and grant only read permission wherever possible. For example, in /etc/exports:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Using NFS at all is not recommended.
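The following linter is an added example, not part of the original document: it reads an exports-style file and reports the mistakes the checklist warns about (wildcard or missing clients, read-write exports, no_root_squash, and root_squash not stated explicitly). It also catches the classic pitfall where a space separates the host from its options: in exports(5) syntax, "host (ro)" exports to host with default options and to every host with the bracketed options. The sample file in the test is constructed for this example.

```shell
#!/bin/sh
# Added example: lint an /etc/exports-style file. Not from the original page.

# Print one "line N: ..." finding per problem in the exports file at $1.
lint_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    {
        path = $1
        if (NF < 2) {
            printf "line %d: %s has no client list, so it is exported to every host\n", NR, path
            next
        }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {        # split "host(opt,opt)" into host and opts
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            who = (client == "" ? "every host" : client)
            if (client == "")
                printf "line %d: %s: options %s follow a space, so they apply to every host (wildcard)\n", NR, path, opts
            else if (client ~ /[*?]/)
                printf "line %d: %s exported to wildcard client %s\n", NR, path, client
            if (opts ~ /(^|,)rw(,|$)/)
                printf "line %d: %s exported read-write to %s\n", NR, path, who
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "line %d: %s exported with no_root_squash to %s\n", NR, path, who
            else if (opts !~ /(^|,)root_squash(,|$)/)
                printf "line %d: %s to %s does not state root_squash explicitly\n", NR, path, who
        }
    }' "$1"
}

# Usage: sh lint_exports.sh /etc/exports
if [ "$#" -eq 1 ]; then
    lint_exports "$1"
fi
```

root_squash is the NFS server default, so the last finding is advisory; the others correspond directly to the restrictions the checklist asks for.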

6. inetd.conf or xinetd.conf
In inetd.conf it is recommended to comment out all services whose names begin with r (rsh, rlogin and the like), exec, and similar.

7. TCP_Wrappers
Add the services you allow to /etc/hosts.allow, and add the line ALL: ALL to /etc/hosts.deny.

8. /etc/aliases file
If the aliases file is managed carelessly or incorrectly it becomes a security hazard. Delete the line that defines the "decode" alias from the aliases file.
Edit /etc/aliases and delete or comment out the following lines:
#games: root
#ingres: root
#system: root
#toor: root
#uucp: root
#manager: root
#dumper: root
#operator: root
#decode: root
Then run /usr/bin/newaliases to reload the alias database.

9. Prevent sendmail being abused by unauthorized users
Edit sendmail.cf and change
PrivacyOptions=authwarnings
to
PrivacyOptions=authwarnings,noexpn,novrfy

10. Do not respond to ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

11. Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
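Writing to /proc/sys takes effect immediately but is lost at the next reboot; on Red Hat systems the persistent place for these two settings is /etc/sysctl.conf, which is applied with sysctl -p. The helper below is an added example (not from the original document) that sets a key in a sysctl.conf-style file idempotently: it replaces an existing or commented-out line for the key, drops duplicates, and appends the key if absent. It takes the file path as an argument, so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: manage entries in a sysctl.conf-style file. Not from the page.

# Set KEY = VALUE in FILE, replacing any existing (even commented-out) line
# for that key, removing duplicates, and appending if the key is absent.
set_sysctl_entry() {
    # $1 = sysctl.conf-style file, $2 = key, $3 = value
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # drop indentation and a leading #
            split(line, kv, /[ \t]*=[ \t]*/)
            if (kv[1] == key) {                        # existing (maybe commented) setting
                if (!done) { print key " = " value; done = 1 }
                next                                   # later duplicates are dropped
            }
            print
        }
        END { if (!done) print key " = " value }       # key was absent: append it
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the effective (last uncommented) value of KEY in FILE, or nothing.
get_sysctl_entry() {
    # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        {
            split($0, kv, /[ \t]*=[ \t]*/)
            k = kv[1]; sub(/^[ \t]+/, "", k)
            if (k == key) value = kv[2]
        }
        END { if (value != "") print value }
    ' "$1"
}

# Usage: sh sysctl_entry.sh /etc/sysctl.conf net.ipv4.tcp_syncookies 1
#        then: sysctl -p        (loads /etc/sysctl.conf into the running kernel)
if [ "$#" -eq 3 ]; then
    set_sysctl_entry "$1" "$2" "$3"
fi
```

Keeping one uncommented line per key matters because sysctl -p applies lines in order and the last one wins, so a stale duplicate further down would silently undo the hardening.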

12. Remove unnecessary users and groups
Delete users such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
Delete groups such as adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.
You can then set the immutable attribute so these files cannot be changed:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

13. Prevent anyone from using su to become root
Edit the su PAM file (vi /etc/pam.d/su) and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Add the users who should be allowed to su to root to the wheel group (GID 10):
usermod -G 10 username

14. Disable the Control+Alt+Delete shutdown key combination
Edit /etc/inittab and comment out
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then run /sbin/init q to make the change take effect.

15. Create a hard copy of all important log files
If the server is important, consider printing the ssh, mail and other authentication messages by adding a line like this to /etc/syslog.conf:
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
Then run /etc/rc.d/init.d/syslog restart
Alternatively, send the logs to another server for safekeeping. For example, where the file has
authpriv.* /var/log/secure
change it to forward to the remote log server with
authpriv.* @loghost
(loghost is a placeholder for the name of the remote syslog server.)

16. Change the access permissions of the script files in /etc/rc.d/init.d
chmod -R 700 /etc/rc.d/init.d/*
Note: apply this setting judiciously.

17. /etc/rc.d/rc.local
Comment out everything in this file that displays information; do not let anyone see any information about the host.
Delete /etc/issue and /etc/issue.net.

18. Programs with the s bit set
Programs whose setuid/setgid bit you can clear include, but are not limited to:
- programs that are never used;
- programs you do not want non-root users to run;
- programs used occasionally, where you do not mind running su to become root before using them.
find / -type f \( -perm -04000 -o -perm -02000 \) -print
chmod a-s program_name

19. Find hidden files
find / -name ".*" -print

20. Find files and directories that anyone can write to
find / -type f \( -perm -2 -o -perm -20 \) -ls
find / -type d \( -perm -2 -o -perm -20 \) -ls

21. Find files on the system that have no owner
find / \( -nouser -o -nogroup \) -print

22. Find .rhosts files
find /home -name ".rhosts"
If any are found, remove them.
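The find-based checks of items 18 to 22 above, wrapped in functions that take the directory to scan as an argument, are collected here as an added example (not the original document's code). Taking the root directory as a parameter lets the functions be exercised on a constructed scratch tree before they are pointed at /; the -perm -04000 form (leading dash) means "all of these bits set", which is what a setuid/setgid search needs.

```shell
#!/bin/sh
# Added example: the filesystem audits of items 18-22 as reusable functions.
# Not from the original page; assumes GNU find and chmod.

# Regular files with the setuid or setgid bit set (item 18).
find_setid_files() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print
}

# Strip the setuid/setgid bits from a program once you have decided it
# does not need them (item 18).
drop_setid() {
    chmod a-s "$1"
}

# Hidden (dot) files and directories (item 19).
find_hidden() {
    find "$1" -name '.*' -print
}

# Files and directories writable by others or by their group (item 20).
find_group_or_world_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) -print
}

# Files whose owner or group no longer exists in passwd/group (item 21);
# run as root to cover the whole tree.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print
}

# .rhosts files under a home directory tree (item 22).
find_rhosts() {
    find "$1" -name .rhosts -print
}

# Usage: sh fs_audit.sh /        (or a smaller tree while testing)
if [ "$#" -eq 1 ]; then
    echo "== setuid/setgid files under $1";        find_setid_files "$1"
    echo "== group/world-writable entries under $1"; find_group_or_world_writable "$1"
    echo "== entries without a valid owner/group";  find_unowned "$1"
    echo "== hidden files under $1";                find_hidden "$1"
    echo "== .rhosts files under $1";               find_rhosts "$1"
fi
```

Review the setuid list before calling drop_setid on anything: programs such as su and passwd need the bit to work at all, which is why the checklist limits the candidates to unused or root-only tools.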

23. Restrict the permissions of the system compilers, or remove them
For example: chmod 700 /usr/bin/gcc
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.