1. Minimize the system: remove unnecessary software and turn off unnecessary services.
Enable only the services you actually need. Shut down every service that is not on the recommended list, run with just the essential services, and then re-enable others one at a time as each need is confirmed.
2. Remove the finger program:
# rpm -e finger
3. BIOS security settings (set a BIOS password and restrict the devices the machine may boot from).
4. Account security settings
Edit /etc/login.defs and set:
PASS_MAX_DAYS 120    # a password expires after this many days
PASS_MIN_DAYS 0      # minimum number of days between password changes
PASS_MIN_LEN 10      # minimum password length
PASS_WARN_AGE 7      # days of warning before a password expires
These values apply to accounts created afterwards; existing accounts are updated with chage. PASS_MIN_DAYS 0 lets a user change a password and immediately change it back; set it to 1 or more if you want to prevent that. On systems where password quality is enforced by a PAM module (pam_cracklib or pam_pwquality), PASS_MIN_LEN is ignored and the minimum length must be configured there instead.
Make sure /etc/shadow is readable only by root (mode 0400 or 0600; 0640 root:shadow on systems with a shadow group) and that /etc/passwd is writable only by root (mode 0644: it must stay world-readable because programs use it to resolve user names).
Regularly run a password-auditing tool against the password hashes to find weak user passwords.
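The policy and file-mode checks from this item, as an added example (not code from the original checklist): the functions take file paths as parameters so they can be run against copies of login.defs, passwd and shadow, and the required values are the ones listed above.

```shell
#!/bin/sh
# Added example: audit the password-ageing policy and account-file modes
# from item 4. Not part of the original checklist. Paths are parameters so
# the functions can be pointed at a copy of the files for testing.

# check_login_defs FILE
# Prints one line for every PASS_* setting that is missing or weaker than
# the policy (max 120 days, min 0 days, min length 10, 7 days warning).
# Returns 0 when the file complies, 1 otherwise.
check_login_defs() {
    file=$1
    rc=0
    # key:comparison:required value; "le" = must be <=, "ge" = must be >=
    for spec in PASS_MAX_DAYS:le:120 PASS_MIN_DAYS:ge:0 \
                PASS_MIN_LEN:ge:10 PASS_WARN_AGE:ge:7; do
        key=${spec%%:*}
        rest=${spec#*:}
        op=${rest%%:*}
        want=${rest#*:}
        # commented lines start with '#', so $1 never equals the key there;
        # if a key appears more than once, the last definition is used
        have=$(awk -v k="$key" '$1 == k { v = $2 } END { print v }' "$file")
        if [ -z "$have" ]; then
            echo "$key: not set"
            rc=1
            continue
        fi
        case $op in
            le) [ "$have" -le "$want" ] || { echo "$key=$have (want <= $want)"; rc=1; } ;;
            ge) [ "$have" -ge "$want" ] || { echo "$key=$have (want >= $want)"; rc=1; } ;;
        esac
    done
    return $rc
}

# shadow_mode_ok FILE
# /etc/shadow must carry no group or other permission bits: columns 5-10 of
# the ls -l mode string (group rwx, other rwx) must all be '-'.
shadow_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# passwd_mode_ok FILE
# /etc/passwd must stay world-readable but be writable by root only (0644).
passwd_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r--r--" ]
}

# Typical use on a live system:
#   check_login_defs /etc/login.defs
#   shadow_mode_ok /etc/shadow || echo "/etc/shadow is readable by others"
#   passwd_mode_ok /etc/passwd || echo "/etc/passwd has unexpected mode"
```

On a distribution that uses a shadow group (mode 0640 root:shadow), adjust shadow_mode_ok to accept group read; the functions are deliberately strict to match the text above.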
5. /etc/exports
If you share files over NFS, configure /etc/exports with strict access restrictions: do not use wildcards in client names, never export the root directory with write access, and grant read-only access wherever you can, for example:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
The options must follow the client name without a space: "host1.mydomain.com (ro,root_squash)" exports the directory to the whole world with those options and gives host1 the defaults. root_squash (map remote root to nobody) is the default, but state it explicitly so that nobody adds no_root_squash later without noticing.
Where possible, do not use NFS at all.
6. inetd.conf or xinetd.conf
If inetd is in use, comment out in inetd.conf all the r-services (shell/rsh, login/rlogin, exec/rexec) and similar entries; with xinetd, disable the same services in their files under /etc/xinetd.d.
List the services you want to permit, and the hosts allowed to reach them, in /etc/hosts.allow, and put the line ALL: ALL in /etc/hosts.deny so that TCP wrappers refuse every connection that is not explicitly allowed.
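Static checks for items 5 and 6, as an added example (not code from the original checklist): each function takes the path of an exports, inetd.conf or hosts.deny file, so it can be run against copies. The sample file contents in the comments are constructed; the list of "risky" inetd services (shell, login, exec, finger and any in.r*d daemon) is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original checklist): static checks for the
# files covered by items 5 and 6. Each function takes a file path.

# exports_violations FILE
# For each export line, report wildcard or missing client specifications,
# rw exports and no_root_squash, one report line per offending export.
# The exports grammar matters: "host (ro)" with a space before the
# parenthesis exports to the world with those options and gives "host" the
# defaults, which this check reports as a wildcard client.
exports_violations() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    {
        sub(/^[[:space:]]+/, "")
        n = split($0, f, /[[:space:]]+/)
        reason = ""
        if (n < 2) reason = "no client restriction (exported to the world)"
        for (i = 2; i <= n; i++) {
            client = f[i]; opts = ""
            p = index(client, "(")
            if (p > 0) {                          # split "client(opt,opt)"
                opts = substr(client, p + 1); sub(/\)$/, "", opts)
                client = substr(client, 1, p - 1)
            }
            if (client == "") client = "*"        # bare "(opts)" means everyone
            if (client ~ /[*?]/) reason = reason "; wildcard client " client
            if (opts ~ /(^|,)rw(,|$)/) reason = reason "; rw export to " client
            if (opts ~ /(^|,)no_root_squash(,|$)/) reason = reason "; no_root_squash for " client
        }
        if (reason != "") { sub(/^; /, "", reason); print "line " NR ": " reason }
    }' "$1"
}

# inetd_risky_services FILE
# Print the active (uncommented) inetd.conf entries for the r-services
# (shell=rsh, login=rlogin, exec=rexec), finger, and any in.r*d daemon.
# Sample (constructed) input:
#   #shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#   login  stream tcp nowait root /usr/sbin/tcpd in.rlogind
inetd_risky_services() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    $1 ~ /^(shell|login|exec|finger)$/ || $0 ~ /in\.r[a-z]*d($|[[:space:]])/ { print "line " NR ": " $1 }
    ' "$1"
}

# hosts_deny_default_closed FILE
# True when hosts.deny contains an active "ALL: ALL" line, i.e. TCP wrappers
# refuse everything not listed in hosts.allow (an optional ": shell_cmd"
# suffix such as a spawn action is accepted).
hosts_deny_default_closed() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*(:.*)?$' "$1"
}

# Typical use on a live system:
#   exports_violations /etc/exports
#   inetd_risky_services /etc/inetd.conf
#   hosts_deny_default_closed /etc/hosts.deny || echo "hosts.deny is not default-closed"
```

A matching /etc/hosts.allow entry for the one service you do want reachable would be, for example, sshd: 192.168.0.0/255.255.255.0 (the network is an assumed example).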
8. /etc/aliases
Mistakes or carelessness in managing the aliases file create a security hole, because an alias can pipe incoming mail into a program. Delete the line that defines the "decode" alias from the aliases file.
Edit /etc/aliases and delete or comment out the decode alias line, then run /usr/bin/newaliases to rebuild the alias database.
9. Prevent unauthorized users from abusing sendmail
In sendmail.cf, change
O PrivacyOptions=authwarnings
to
O PrivacyOptions=authwarnings,noexpn,novrfy
so that sendmail refuses the SMTP EXPN and VRFY commands, which otherwise let a remote user enumerate valid accounts and expand aliases.
10. Do not respond to ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Be aware that this also blinds your own monitoring; use it only where nothing legitimate needs to ping the host.
11. Enable TCP SYN cookie protection against SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Both writes take effect immediately but are lost at the next reboot; to make them permanent, put the corresponding net.ipv4 keys in /etc/sysctl.conf.
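Making the two settings from items 10 and 11 survive a reboot, as an added example (not code from the original checklist): the helper below records a key in a sysctl.conf-style file idempotently, so it can be run again without producing duplicate lines. The file path, keys and values shown in the comments are the ones from the text; everything else is this example's own.

```shell
#!/bin/sh
# Added example (not from the original checklist): writing to /proc/sys takes
# effect immediately but is lost at reboot. This helper records the same
# setting in a sysctl.conf-style file idempotently: an existing active line
# for the key is rewritten, duplicate active lines are dropped, and a
# commented-out line is left alone while a fresh line is appended.

# set_sysctl_persistent FILE KEY VALUE
set_sysctl_persistent() {
    conf=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/#.*/, "", line)                  # ignore comments when matching
            p = index(line, "=")
            if (p > 0) {
                lk = substr(line, 1, p - 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", lk)
                if (lk == k) {
                    if (!done) { print k " = " v; done = 1 }
                    next                          # drop repeated definitions
                }
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"    # cat keeps the owner/mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use on a live system (needs root). "sysctl -p FILE" loads the file
# the same way the boot scripts do, so the settings can be verified at once.
#   set_sysctl_persistent /etc/sysctl.conf net.ipv4.icmp_echo_ignore_all 1
#   set_sysctl_persistent /etc/sysctl.conf net.ipv4.tcp_syncookies 1
#   sysctl -p /etc/sysctl.conf
```

Writing through cat rather than mv keeps the original file's ownership and mode, which matters for a root-owned file in /etc.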
12. Remove unnecessary users and groups
Delete users such as adm, lp, sync, shutdown, halt, news, uucp, operator, games and gopher, and groups such as adm, lp, news, uucp, games, dip, pppusers, popusers and slipusers. Deleting an account leaves any files it owned without a valid owner; the find in item 21 locates them.
You can then make the account files immutable so they cannot be changed:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
While the immutable bit is set, useradd, passwd, chsh and similar tools fail until you run chattr -i on the file; root can clear the bit, so this protects against mistakes and automated tampering, not against an attacker who already has root.
13. Prevent anyone from using su to become root
Edit the su PAM configuration (vi /etc/pam.d/su) and add these two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
pam_rootok lets root su without a password (debug only adds logging); pam_wheel then refuses su to anyone who is not in the wheel group.
Users who should be able to su to root are added to the wheel group (GID 10):
usermod -a -G wheel username
Use -a: usermod -G on its own replaces the user's whole list of supplementary groups instead of adding to it.
14. Disable shutdown via Ctrl+Alt+Delete
Edit /etc/inittab and comment out the line
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
then run /sbin/init q so that init re-reads the file.
15. Keep a hard copy of all important log files
If the server is important enough, consider printing the ssh, mail and other security-relevant messages as they arrive by adding a line like this to /etc/syslog.conf:
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
then run /etc/rc.d/init.d/syslog restart.
Alternatively, send the logs to another server for safekeeping, so that an intruder cannot erase them locally. The default line
authpriv.* /var/log/secure
is complemented, to forward the same messages to 192.168.0.2, by
authpriv.* @192.168.0.2
Keep the local line as well if you still want a local copy. The receiving syslogd must be started with remote reception enabled (-r for sysklogd), and classic syslog forwarding is plain UDP with no authentication or encryption, so the log host should sit on a trusted network segment.
16. Change the permissions of the scripts in /etc/rc.d/init.d
chmod -R 700 /etc/rc.d/init.d/*
Note: apply this setting judiciously. It stops unprivileged users from reading the start-up scripts (and learning what runs on the host), but any non-root tool that needs to read or run them will break, and package upgrades may reset the modes.
17. /etc/rc.d/rc.local
Comment out every line in this file that prints or generates information about the host; on Red Hat-style systems rc.local rewrites /etc/issue at every boot with the distribution name and kernel version, and nobody should be able to learn anything about the host from the login banner. Delete /etc/issue and /etc/issue.net as well.
18. Programs with the s bit
Programs whose setuid/setgid bit you can clear include, but are not limited to:
- programs you never use;
- programs you do not want non-root users to run;
- programs you use only occasionally and do not mind running after becoming root with su.
List them with
find / -type f \( -perm -04000 -o -perm -02000 \) -print
and clear the bit with
chmod a-s program_name
Leave the bit on programs that cannot work without it, such as passwd and su.
19. Look at hidden files
find / -name ".*" -print
Dotfiles in home directories are normal; look closely at hidden files and directories in places such as /tmp, /dev and /var, where intruders like to hide their tools.
20. Find files and directories that anyone can write to
find / -type f \( -perm -2 -o -perm -20 \) -ls
find / -type d \( -perm -2 -o -perm -20 \) -ls
(-perm -2 matches world-writable, -perm -20 group-writable.) A world-writable directory is acceptable only when it also has the sticky bit set, as /tmp does, so that users cannot delete or rename each other's files.
21. Find files with no valid owner or group
find / \( -nouser -o -nogroup \) -print
These are typically left behind by deleted accounts (item 12); reassign or remove them.
22. Find .rhosts files
find /home -name ".rhosts" -print
If any are found, delete them: a .rhosts file grants password-less rlogin/rsh access from the hosts it lists.
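The finds from items 18 to 22, as an added example (not code from the original checklist), wrapped as functions that take a root directory, so they can be run against a test tree or a mounted image rather than only against /. The baseline-comparison idea for s-bit files is this example's own addition to the text: it turns the one-off listing into something you can re-run and diff.

```shell
#!/bin/sh
# Added example (not from the original checklist): the finds from items 18-22
# as functions that take a root directory. Each prints findings one path per
# line, sorted, and always exits 0; empty output means nothing was found.
# -xdev keeps find on one filesystem (skips /proc, NFS mounts and the like).

# audit_suid_sgid ROOT BASELINE
# Setuid/setgid files under ROOT that are not listed in BASELINE (one
# absolute path per line). Build the first baseline with /dev/null as
# BASELINE and save the reviewed output; later runs then show only *new*
# s-bit files, which is what is worth reacting to (a new setuid binary is
# a classic backdoor), rather than the whole list every time.
audit_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | grep -vxF -f "$2" | sort
}

# audit_world_writable ROOT
# World-writable files, plus world-writable directories without the sticky
# bit (a sticky world-writable directory such as /tmp is normal).
audit_world_writable() {
    find "$1" -xdev \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) 2>/dev/null | sort
}

# audit_unowned ROOT
# Files whose owner or group no longer exists in /etc/passwd or /etc/group
# (typical leftovers of the accounts deleted in item 12).
audit_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# audit_rhosts HOMEDIR
# .rhosts files, which grant password-less rlogin/rsh from the listed hosts.
audit_rhosts() {
    find "$1" -xdev -type f -name .rhosts 2>/dev/null | sort
}

# Typical use on a live system:
#   audit_suid_sgid / /dev/null > /root/suid.baseline   # first run, review it
#   audit_suid_sgid / /root/suid.baseline               # later: new s-bit files only
#   audit_world_writable /
#   audit_unowned /
#   audit_rhosts /home
```

Store the baseline somewhere an intruder cannot rewrite (off-host, or at least root-only with the immutable bit from item 12); a baseline the attacker can edit hides the very file you are looking for.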
23. Restrict or remove the system compilers
For example: chmod 700 /usr/bin/gcc
This only raises the bar (an attacker can still upload prebuilt binaries), but it denies a convenient tool for building exploits on the host itself.