Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Red Hat Linux security settings document     - How to build Mono 3.4.0 / 3.4.1 on Windows (Linux)

- When Linux Detailed time zone and common function of time (Linux)

- Sniffer Linux Environment (Linux)

- WordPress plug-ins installed in Ubuntu, enter the subject of FTP and not create directory problem (Server)

- Linux server security settings to close unused ports (Linux)

- Oracle lag () and lpad () function (Database)

- Debian installation (Linux)

- Linux use chattr and lsattr commands to manage file and directory attributes (Linux)

- GNU Linux use diff to generate a patch with the patch (Linux)

- Using VMware vSphere Client Linux virtual machine installation CentOS6.4 system (Linux)

- Openfire achieve load balancing cluster by Nginx (Server)

- Java rewrite equals method (Programming)

- Linux_Logo - output color ANSI Linux distributions logo command-line tool (Linux)

- Partition contrast manifestations under Windows and Linux (Linux)

- 14 useful example Linux Sort command (Linux)

- How to improve the performance of Ruby On Rails (Linux)

- Security Features Linux and Unix operating system, programming (Linux)

- Use IP address spoofing Intrusion Prevention Firewall (Linux)

- Hadoop 2.5 Pseudo distribution installation (Server)

- Linux using DenyHosts prevents ssh cracks (Linux)

 
         
  Red Hat Linux security settings document
     
  Add Date : 2018-11-21      
         
         
         
  1, To minimize the security system, remove unnecessary software, turn off unnecessary services.
# Ntsysv
The following list only need to activate the service, the service is not listed in the recommendation will be closed, essential services are running and then one by one to open.
atd
crond
irqbalance
microcode_ctl
network
sshd
syslog

2. Remove finger program, as follows
#rpm -e finger

3, BOIS security settings

4, account security settings
Modify /etc/login.def file
PASS_MAX_DAYS 120? Set password expiration date
PASS_MIN_DAYS 0? Set a minimum password change date
PASS_MIN_LEN 10? Set the minimum password length
PASS_WARN_AGE 7? Set expiration warning days in advance
Make sure / etc / shadow for the read-only root
Make sure / etc / passwd root to read and write

Regular password tools to detect the user's password strength

5, / etc / exports
If the file sharing through NFS out, be sure to configure the "/ etc / exports" file, such as strict access restrictions. That is, do not use wildcards, not allowed to have write access to the root directory, but only as much as possible give read permissions in / etc / exports file on:
/ Dir / to / export host1.mydomain.com (ro, root_squash)
/ Dir / to / export host2.mydomain.com (ro, root_squash)
It is not recommended to use NFS.

6, inetd.conf or xinetd.conf
If the recommendation is inetd.conf comment out all the procedures at the beginning of r, exec etc.
7, TCP_Wrappers
Join allow service in /etc/hosts.allow, add this line in ALL in /etc/hosts.deny: ALL

8, / etc / aliases file
Aliases file management if management errors or carelessness will cause a safety hazard. The definition of "decode" alias delete rows from the aliases file.
Edit aliases, delete or comment the following lines:
#games: root
#ingres: root
#system: root
#toor: root
#uucp: root
#manager: root
#dumper: root
#operator: root
#decode: root
Run / usr / bin / nesaliases reload.

9, to prevent unauthorized users being sendmail abuse
Edit sendmail.cf
The PrivacyOptions = authwarnings
Instead PrivacyOptions = authwarnings, noexpn, novrfy

10, does not respond to ping
echo 1> / proc / sys / net / ipv4 / icmp_echo_ignore_all

11, so that TCP SYN Cookie protection to take effect
Echo 1> / proc / sys / net / ipv4 / tcp_syncookies

12, removing unnecessary users and groups of users
Deleted user, such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
Delete group, such as adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers etc.
You can set the position can not be changed
chattr + i / etc / passwd
chattr + i / etc / shadow
chattr + i / etc / group
chattr + i / etc / gshadow

13, to prevent anyone can use the su command to become root
Editing su file (vi /etc/pam.d/su), add the following two lines
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group = wheel
To be able to su to the root user group added wheel
usermod -G10 username

14, so that the shutdown Control + Alt + Delete key is invalid
Edit inittab file, comment out
Ca: ctrlaltdel: / sbin / shutdown -t3 -r now
Run / sbin / init q to make the settings take effect

15, create a hard copy of all important log files
If the server is more important, you can consider ssh, mail, and other guidance information printed add a line in the /etc/syslog.conf file.:
Authpriv *;. Mail *;. Local7 *;. Auth *;. Daemon.info / dev / lp0
Executive /etc/rc.d/init.d/syslog restart
Or other servers to send logs to save
Such as
authpriv. * / var / log / secure
To have it sent to 192.168.0.2, so you can modify
authpriv. * @ 192.168.0.2 / var / log / secure

16, change the access permissions /etc/rc.d/init.d directory script file
chmod -R 700 /etc/rc.d/init.d/*
Note: This security setting juditiously

17, / etc / rc.d / rc.local
The information in this document has nothing to do all comments, do not let anyone see any information about the host.
issue and issue.net delete / etc under

18-bit program with S
You can clear the s-bit program include, but are not limited to:
? Never use the program;
? Do not want non-root users to run the program;
? Occasionally used, but do not mind to use the su command to become root before running.
find / -type f \ (-perm 04000 -o -perm -02000 \) -print
chmod a-s program name

19 view hidden files
find / -name ". *" -print

20, to find anyone write permission of files and directories
find / -type f \ (-perm -2 -o perm -20 \) ls
find / -type f \ (-perm -2 -o -perm -20 \) ls

21, the system does not find the owner of the file
find / -nouser -o -nogroup

22 Find .rhosts file
find / home -name ".rhosts"
If so, please remove it.

23, to recover the system compiler permissions or delete
Such as: chmod 700 / usr / bin / gcc
     
         
         
         
  More:      
 
- Ubuntu and derivatives installation Atom 0.104.0 (Linux)
- Ubuntu uses the / etc / profile file to configure the JAVA environment variable (Linux)
- Deploy Mono 4 and Jexus 5.6 on CentOS7 (Server)
- SQL Beginner Guide (Database)
- Java code JIT compiler-friendly Mody (Programming)
- Open log in Hibernate (Programming)
- Getting jQuery - progress bar (Programming)
- SSH security note (Linux)
- 3 tips Linux command (Linux)
- Linux Learning --- disk partition / relational representation + mount (Linux)
- Linux SVN installation and configuration graphic tutorials (Server)
- Shorewall firewall settings under Ubuntu (Linux)
- Linux program analysis tool: ldd and nm (Linux)
- Based Docker build stand-alone high-availability cluster Hadoop2.7.1 Spark1.7 (Server)
- Linux environment SSH login password instead of using the RSA Certificate (Linux)
- MongoDB version 3.2 WiredTiger storage engine performance tests (Database)
- Java MVC CRUD examples (Programming)
- Ubuntu study notes and related problem solving (Linux)
- Configuring DNS process under CentOS 6.5 (Server)
- Linux disk virtualization (Linux)
     
           
     
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.