The most common and most effective security settings under Linux

Add Date: 2017-08-31
         
       
         
1. CentOS or Red Hat Enterprise Linux 4 users should first enable SELinux by editing the /etc/selinux/config file and setting SELINUX=enforcing. It helps ensure that your system does not collapse abnormally. Some people think it should be turned off; I strongly recommend enabling it. Of course, if the CentOS box is only used for playing around and not as an actual server, it does not matter.
 
2. Enable the iptables firewall; this has many advantages for system security. Set up a good set of firewall rules.
 
3. Run setup and turn off the services you do not need; remember that one less open service is one less danger.
 
4. Disable the Control-Alt-Delete keyboard shutdown command
Comment out this line (using #) in the /etc/inittab file:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To make this change take effect, enter the following command:
# /sbin/init q
 
5. Set permissions on the script files under /etc/rc.d/init.d
Set permissions on the scripts that are executed at startup (and the ones that stop programs at shutdown):
# chmod -R 700 /etc/rc.d/init.d/*
This means that only root is allowed to read, write and execute the script files in that directory.
 
6. Modify the /etc/host.conf file
/etc/host.conf specifies how addresses are resolved. Edit the /etc/host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind, hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves IP addresses via DNS first and then via the hosts file. The second setting allows a host in /etc/hosts to have multiple IP addresses (for example, when there are multiple Ethernet NICs). The third setting tells the machine to watch for unauthorized spoofing.
 
7. Make the /etc/services file immutable
Make the /etc/services file immutable to prevent unauthorized deletion or addition of services:
# chattr +i /etc/services
 
8. Prevent your system from responding to any ping request, whether from outside or inside.
Since nobody can ping your machine and get a response, the security of your site is greatly enhanced. You can add the following command line to /etc/rc.d/rc.local so that it runs automatically at every boot:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
 
9. Setting resource limits for all users on your system can prevent DoS (denial of service) type attacks
For example the maximum number of processes and the amount of memory. To restrict all users as follows:
vi /etc/security/limits.conf
 
In the following example, every user is limited to 10 MB of resident memory per session and to four simultaneous logins. The third line disables core dumps for everyone. The fourth line removes all limits for the user bin. ftp is allowed 10 concurrent logins (especially useful for the anonymous ftp account); members of the managers group are limited to 40 processes; developers have a 64 MB memlock limit; and members of wwwusers cannot create a file larger than 50 MB.
 
Listing 3. Setting quotas and restrictions
 
* hard rss 10000
* hard maxlogins 4
* hard core 0
bin -
ftp hard maxlogins 10
@managers hard nproc 40
@developers hard memlock 64000
@wwwusers hard fsize 50000

To activate these limits, add the following line at the bottom of /etc/pam.d/login: session required /lib/security/pam_limits.so
10. Comment out unnecessary users and groups.
vipw
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib/im:/sbin/nologin
wangjing:x:500:500::/home/wangjing:/bin/bash
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
 
Put a # in front of every user that is not needed to comment it out. Note that I do not recommend deleting them outright: if for some reason you need that user again, it will be very troublesome.
 
vi /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
nscd:x:28:
slocate:x:21:
sshd:x:74:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
xfs:x:43:
ntp:x:38:
gdm:x:42:
pegasus:x:65:
htt:x:101:
wangjing:x:500:
mysql:x:102:
apache:x:48:
 
Likewise, put a # in front of every group that is not needed to comment it out. Note that I do not recommend deleting them outright: if for some reason you need that group again, it will be troublesome.
 
11. Use the chattr command to make the following files immutable so they cannot be changed.
[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow
 
Note that after doing this, even the root user cannot add users or modify system passwords. If you want to add a user or change a password, first remove the immutable flag with chattr -i /etc/passwd (and the same command for the other files) before proceeding.
 
12. Change the default sshd port
sshd listens on port 22 by default, and everybody on Earth knows it. The usual method of an attacker with no precise target is to scan for machines with port 22 open, put them in a list, and probe them one by one for vulnerabilities.
Newer versions of Nmap (Nmap 4) add features such as nmap -v -iR 10000 -P0 -p 22, which picks 10000 random IP addresses and looks for machines with port 22 open. Such scans can of course also be pointed at the IP ranges of Japan or of other countries.
Scans usually target the standard port of each service; scanning the full range 1-65535 is only done against a machine that is specifically being focused on, because otherwise it is not efficient.
To change the default port to 60022, proceed as follows:
vi /etc/ssh/sshd_config
 
Find the line #Port 22, which shows the default port 22. Remove the leading comment symbol # and change the number to the new port (60022 here; 8888 is another common choice), so that the line reads: Port 60022
Then restart the service process:
# /etc/init.d/sshd restart
 
Other security options in sshd_config
Change #PermitRootLogin yes to PermitRootLogin no to prevent root from logging in remotely.
Change #Protocol 2,1 to Protocol 2 so that only SSH protocol 2 is used and protocol 1 is never used.
 
There are of course other options to set as required, such as a forged login banner, the lockout time after failed logins, whether to allow logins to accounts with an empty password, the number of bits in the server key, and which users and IP addresses are allowed to log in.
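To apply and verify the sshd_config changes above without hand-editing, here is an added example in POSIX sh (my code, not the article's); it assumes awk, grep and mktemp and takes the config path as a parameter so it can be tried on a copy. It goes one step beyond the text: sshd honours only the first occurrence of a keyword, so the setter edits the first matching line instead of appending, and the audit reads the first value.

```shell
#!/bin/sh
# Added example, not from the article: set sshd_config directives in place and
# audit the result. The config path is a parameter, so try it on a copy first.
# Assumes sh, awk, grep and mktemp; the demo runs on a constructed sample file.

# Set "key value", replacing the first existing line for that key, commented
# ("#Port 22") or not, and dropping later duplicates. sshd uses the first
# occurrence of a keyword, so appending "PermitRootLogin no" below an earlier
# "PermitRootLogin yes" would change nothing; hence the first line is edited.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$cfg"; then
        awk -v k="$key" -v v="$value" '
            { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/)
              if (tolower(f[1]) == tolower(k)) { if (!done) { print k " " v; done = 1 }; next } }
            { print }' "$cfg" > "$tmp"
    else
        # A new directive goes at the top so a trailing "Match" block cannot capture it.
        { printf '%s %s\n' "$key" "$value"; cat "$cfg"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Report the three directives the article sets; return 0 only if all are in effect.
audit_sshd_config() {
    cfg=$1; rc=0
    for want in "Port 60022" "PermitRootLogin no" "Protocol 2"; do
        key=${want%% *}; val=${want#* }
        # First uncommented occurrence wins, exactly as sshd reads the file.
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
        [ "$got" = "$val" ] || { echo "$key: want $val, got ${got:-unset}"; rc=1; }
    done
    return $rc
}

# Apply the article's changes to a constructed sample config and audit it.
demo() {
    cfg=$(mktemp)
    printf '#Port 22\n#Protocol 2,1\nPermitRootLogin yes\nX11Forwarding no\n' > "$cfg"
    set_sshd_option "$cfg" Port 60022
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" Protocol 2
    audit_sshd_config "$cfg"; rc=$?   # 0: all three directives in effect
    rm -f "$cfg"
    return $rc
}
```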
 
13. Kernel parameter adjustments
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
#sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.ip_conntrack_max=65535
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.tcp_fin_timeout=5
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.route.gc_timeout=100
sysctl -w net.ipv4.tcp_keepalive_time=500
sysctl -w net.ipv4.tcp_max_syn_backlog=10000
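The sysctl -w commands above take effect immediately but are lost at reboot. As an added example (my code, not part of the article), this sh script checks the live values of the article's parameters against the intended ones and renders them as a sysctl.conf fragment for persistence; the /proc/sys root is a parameter so the self-check runs on a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the article: audit the kernel parameters the article
# sets against the live /proc/sys values, and render them as a sysctl.conf
# fragment so they survive a reboot (sysctl -w alone does not persist).
# Assumes sh, tr and mktemp; the /proc/sys root is a parameter for testing.

# The article's settings, one key=value per line (its repeated syncookies line
# dropped). ip_conntrack_max exists only on older kernels with the ip_conntrack
# module, so the audit may report it as missing on a newer system.
HARDENING='
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_conntrack_max=65535
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_fin_timeout=5
net.ipv4.tcp_synack_retries=1
net.ipv4.route.gc_timeout=100
net.ipv4.tcp_keepalive_time=500
net.ipv4.tcp_max_syn_backlog=10000
'

# Print each key whose live value differs from (or lacks) the desired one;
# return the number of such keys, so 0 means fully compliant.
audit_sysctl() {
    root=${1:-/proc/sys}; bad=0
    for kv in $HARDENING; do
        key=${kv%%=*}; want=${kv#*=}
        path="$root/$(printf '%s' "$key" | tr . /)"   # net.ipv4.x -> net/ipv4/x
        if [ -r "$path" ]; then got=$(cat "$path"); else got=missing; fi
        [ "$got" = "$want" ] || { echo "$key: want $want, got $got"; bad=$((bad + 1)); }
    done
    return $bad
}

# Emit the same list in /etc/sysctl.conf syntax ("key = value").
sysctl_conf() {
    for kv in $HARDENING; do printf '%s = %s\n' "${kv%%=*}" "${kv#*=}"; done
}

# Self-check on a constructed tree: one value right, one wrong, the rest absent.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/net/ipv4/conf/default"
    echo 1 > "$root/net/ipv4/tcp_syncookies"                     # matches
    echo 1 > "$root/net/ipv4/conf/default/accept_source_route"   # should be 0
    audit_sysctl "$root"; n=$?
    rm -rf "$root"
    return $n     # 10: one mismatch plus nine missing keys
}
```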
 
14. Check the system logs regularly. The main system logs are located in the /var/log/ directory. This is a preventive measure.
 
With the settings above, your system is generally fairly secure. Of course, security versus insecurity is a never-ending contest, as the saying goes: the Tao is one foot high and the demon ten feet high.
     
         
       
         
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.