2015-07-01linux Security and Tuning

Content Summary:
I. Linux security
1. Linux distribution version
Choose the mainstream, update faster.
Get the installation image from the official website
2. Hardware and physical security
Set BIOS password
Set Grub Password
Set the system password
Select IDC Room with safety assurance
3. System and user aspects
Close services that are not available (HTTP://WWW.AMINGLINUX.COM/STUDY_V2/CHAPTER16.HTML#ID5)
Try to upgrade to the latest stable version of the package
Set up firewall rules (HTTP://WWW.AMINGLINUX.COM/STUDY_V2/CHAPTER16.HTML#ID3)
Users who do not need to log on to disable login
Root Telnet limit (http://www.aminglinux.com/bbs/thread-5546-1-1.html and http://www.aminglinux.com/bbs/thread-5545-1-1.html)
Turn on the system log to record all information
Configure the appropriate sudoer
4. File system security (ref. Http://www.aminglinux.com/bbs/thread-6917-1-2.html)
Use ext3 or EXT4
Strict control of directory and file permissions Umask
Use Suid/sgid permissions as little as possible
Important data or configuration files to make a backup plan
5. Pam (Reference Http://www.infoq.com/cn/articles/linux-pam-one)
/etc/pam.conf
/etc/pam.d/
Pam Type
Auth user authentication related requirements user input a password
Accounts user account management checks whether a user's account or password has expired
Sessions related to connection or session management such as logging user logon session information to a log
Password Password management
Pam level
Required: Indicates that the success of the line and the module involved is a necessary condition for the user to authenticate. In other words, the program can pass authentication only if all of the modules that correspond to the application are successful with the required tag. Also, if any module with the required tag has an error, Pam does not immediately return the error message to the application, but instead returns the error message to the program that called him after all the modules have been called. Anyway, it's just that all the modules must be executed once, and any one of the module validation errors, the validation will continue, and the error message will not be returned until the execution is complete. The purpose of this is to not let users know which module they are rejecting and to protect system services in a covert way. Like setting up a firewall rule, the Deny class rule is set to drop, so that when the user is unsuccessful in accessing the network, it is not possible to determine exactly whether it is rejected or the target network is unreachable.
Requisite: Similar to required, only if the module with this tag returns successfully, the user can pass the authentication. The difference is that once it fails, the other modules that follow the heap are no longer executed, and the authentication process ends, and an error message is returned immediately. Compared with the above required, it seems to appear more aboveboard.
Sufficient: Indicates that the line and the validation of the module involved are sufficient conditions for the user to pass the identification. That is, whenever a module marked as sufficient succeeds, Pam returns a successful result to the application without having to try any other module.
Optional: He says the user can still pass the authentication even if the module validation failed for the line involved.
6. Application Security
Various popular services FTP, Samba, NFS, rsync, MySQL, http
Web security (Vulnerability: File upload, XSS, SQL injection, CSRF, access control)
File upload: Just like the discuz forum image upload, if the image upload server directory can execute PHP script, then this means that users can upload Trojan script, and then can execute
XSS: Cross Site Scripting Vulnerability (Scripting) is a problem that Web applications have when outputting data to a Web page, which could allow an attacker to display constructed malicious data on a page's vulnerability. A cross-site scripting vulnerability is also called an HTML injection Vulnerability (HTML injection) because a cross-site scripting attack writes a malicious script or HTML code to the content of the Web page.
SQL injection: The so-called SQL injection, that is, by inserting a SQL command into a Web form to submit or enter a domain name or page request query string, and eventually to deceive the server to execute a malicious SQL command. php + MySQL Programming, the main cause of the SQL injection attack is two points: (1) PHP configuration file php.ini in the MAGIC_QUOTES_GPC option is not open, is set to off. (2) The developer does not check and escape the data type. 2nd most important, if there is no 2nd guarantee, the MAGIC_QUOTES_GPC option, whether on or off, can cause a SQL injection attack.
CSRF: (Cross-site requests forgery, cross-site request forgery) a forgery of a user's request to use a trusted website to do something that the user does not know. When a user accesses a Web site through a login operation will be identified by the cookie, without shutting down the browser is not logged off with a cookie, this situation may allow the attacker to forge the request. Because the CSRF is not easy to find, the user is usually not easily noticed but its harmfulness is obvious.
Access control:
Apache Configuration:
Apache order allow deny http://www.aminglinux.com/bbs/thread-832-1-1.html
Apache restricts php files under a directory from executing permissions http://www.aminglinux.com/bbs/thread-1000-1-1.html
Apache restricts IP http://www.aminglinux.com/bbs/thread-5365-1-1.html for access URIs
Several methods of restricting IP http://www.aminglinux.com/bbs/thread-6519-1-1.html
Nginx Configuration
Restrict access to only one IP http://www.aminglinux.com/bbs/thread-450-1-1.html
Disable access to the site via IP http://www.aminglinux.com/bbs/thread-38-1-1.html
Disable an IP or IP segment to access the site's Setup method http://www.aminglinux.com/bbs/thread-546-1-1.html
Using User_agent to control client access http://www.aminglinux.com/bbs/thread-846-1-1.html
7. Intrusion detection
Snort (https://www.snort.org/)
Snort Chinese Brochure: http://www.360doc.com/content/08/0114/14/25127_972488.shtml
Two. Linux Tuning
Resources:
Http://os.51cto.com/art/201303/385726.htm (Tuning those things)
Http://www.111cn.net/sys/linux/58433.htm (io/System/Memory performance tuning)
http://hong.im/2013/04/20/linux-tcp-tuning/(high traffic, large concurrent Linux TCP performance tuning)
Http://wenku.baidu.com/view/0985c9dba58da0116c1749ae.html (Summary of library--linux performance tuning methods)
http://my.oschina.net/sharelinux/blog?catalog=289503 (on Linux Performance Tuning series)
http://colobu.com/2014/09/18/linux-tcpip-tuning/(TCP/IP protocol stack)
https://blog.linuxeye.com/379.html (MySQL tuning)
HTTP://WWW.TUICOOL.COM/ARTICLES/RBUNN2 (nignx+php-fpm high concurrency parameter configuration and Linux kernel parameter optimization)
http://blog.csdn.net/wangsg2014/article/details/38804873 (nignx parameter optimization)
http://os.51cto.com/art/201003/192112.htm (Apache parameter optimization)
http://www.phpboy.net/apache/488.html (Apache parameter optimization)
http://www.360doc.com/relevant/178008993_more.shtml (Apache parameter Optimization document library)
http://www.cnblogs.com/R-zqiang/archive/2012/06/12/2545768.html (php.ini parameter optimization)
Http://www.cnblogs.com/ggjucheng/archive/2013/04/16/3024731.html (Tomcat tuning)
Http://www.php-oa.com/2008/02/03/squidyouhua.html (squid tuning)
http://www.neters.cn/archives/548.html (Squid optimization guide)
http://handao.blog.techweb.com.cn/archives/134.html (Squid optimization-related kernel parameter tuning)
"Hardware Aspects"
1. CPU
2. Memory (Increase memory)
3. Storage (using RAID, using SSD)
4. Network card (using a gigabit NIC, or a dual-NIC binding)
"System aspects"
1. Kernel parameter optimization (network-related, memory-related, buffer cache related)
2. File system aspects (partition tuning, when formatted according to the storage file characteristics, specify the appropriate block size, noatime, log isolation, soft raid, effective use of/DEV/SHM, shut down unnecessary services)
3. CPU optimization (process binding, interrupt binding)
NUMA Architecture cpu:http://blog.csdn.net/jollyjumper/article/details/17168175
Taskset bind the process and CPU http://blog.csdn.net/ttyttytty12/article/details/11726569
"Application Aspects"
1. Nginx, Apache, PHP-FPM, MySQL, tomcat, squid and other applications, can be adjusted by adjusting the parameters to achieve performance optimization.
2. Web optimization, such as the user request can be merged (JS, CSS merge), using CDN to speed up static page access speed, the picture document compression reduce bandwidth transmission,
3. Optimize website Program
"Architectural aspects"
1. Use a simple and stable architecture scheme
2. Multi-use cache (Squid,varnish,memcache,nosql Related: REDIS,MONGODB)
Redis Data Analysis http://www.apelearn.com/bbs/thread-7422-1-1.html
MongoDB Rollup http://www.apelearn.com/bbs/thread-7423-1-1.html

2015-07-01linux Security and Tuning