Configure a safer Server in Linux

Source: Internet
Author: User
Configuring a more secure Linux server, step by step. The paths below are for older Red Hat style systems (SysV init with /etc/inittab, /etc/rc.d and ntsysv); on a systemd distribution the equivalents differ, but the intent of each step carries over.

1. Start in text mode

vi /etc/inittab
Find "id:5:initdefault:"
Change it to "id:3:initdefault:"

2. Set the locale (fixes garbled characters on a text-mode terminal)

vi /etc/sysconfig/i18n
Find LANG="en_US.UTF-8"
Change it to the locale your console needs. The original article, written for Chinese systems, uses LANG="zh_CN.GB18030"; keep en_US.UTF-8 for an English console.

3. Essential services (select them with ntsysv or chkconfig)

atd       # one-shot scheduled jobs (the "at" command); keep it running
crond     # recurring scheduled jobs (called cron on some distributions); keep it running
iptables  # loads the firewall rules at boot; enable it
keytable  # loads the console keyboard map (not present on every distribution)
network   # network interfaces
random    # saves the kernel's random seed at shutdown and restores it at boot, so that
          # /dev/random and /dev/urandom are seeded with fresh entropy right after start-up
          # instead of a predictable state (not present on every distribution)
syslog    # system logging
xinetd    # the super-server that starts other network services on demand
xfs       # X font server; needed only for the graphical login at run level 5, leave it off in text mode
# Enable further services only as needed, for example sshd, vsftpd, httpd, mysqld and spamassassin.

4. Firewall configuration (open only the ports you need; the script below is for a Samba server)

Create the script, make it executable and call it from rc.local so it runs at boot:

touch /etc/rc.d/firewall
chmod u+x /etc/rc.d/firewall
vi /etc/rc.d/rc.local      # add the line: /etc/rc.d/firewall
vi /etc/rc.d/firewall      # with the following content:

#!/bin/bash
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Kernel network hardening
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts     # do not answer broadcast pings (smurf amplification)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route    # drop source-routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects       # ignore ICMP redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians           # log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                  # keep accepting connections under a SYN flood
echo 0 > /proc/sys/net/ipv4/ip_forward                      # the original set 1; keep 0 unless this host routes for other machines

# Flush every existing rule and chain
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X

# Allow the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections this host started, and related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH; restrict it to one interface with -i eth1 if the host is multi-homed
# iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Samba: the original opened only TCP 139 (NetBIOS session). Current clients
# connect to TCP 445 first, and name resolution and browsing use UDP 137/138.
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -j ACCEPT

# Everything else is dropped
iptables -A INPUT -j DROP

Run the script from one session and test from a second one before logging out: a typo in the SSH rule locks you out. Note that the script filters only INPUT; the OUTPUT and FORWARD chains keep their default ACCEPT policy because no -P line is set.

5. Disable the Ctrl+Alt+Delete reboot

vi /etc/inittab
Comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now", so that anyone with a keyboard on the console cannot reboot the server.

6. Tighten permissions on important files

chmod -R 700 /etc/rc.d/init.d/*
(keeps ordinary users from reading the start-up scripts, which reveal which services, paths and options are in use)

7. Forbid direct root login over SSH

vi /etc/ssh/sshd_config
Find the line "#PermitRootLogin yes", remove the "#" and change "yes" to "no". sshd honours the first uncommented occurrence of a keyword, so make sure no earlier "PermitRootLogin yes" line remains. Restart sshd (service sshd restart) and, before closing your current session, verify from a second one that an ordinary user can still log in and su to root.

8. Restrict who may su

vi /etc/pam.d/su
Add, above the existing auth lines:
auth required /lib/security/$ISA/pam_wheel.so use_uid
Now only members of the wheel group can su to root (use_uid makes the group check use the caller's current real UID rather than the original login name). Add a user to the wheel group and set a password:
useradd -g wheel leo4364088
passwd leo4364088
(-g makes wheel the new user's primary group. For an existing account, usermod -G wheel <user> adds wheel as a supplementary group instead, which pam_wheel accepts just as well.)

9. Restrict which users may log in over SSH

vi /etc/pam.d/sshd
Add as the first auth line:
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
Create /etc/ssh_users with one allowed user name per line. Keep it owned by root and not writable by anyone else: pam_listfile refuses an insecurely owned list, and with onerr=fail that refusal denies every login, which is the safe failure mode (onerr=succeed would admit everyone instead).
echo leo4364088 > /etc/ssh_users
chmod 600 /etc/ssh_users
The same restriction can be expressed in sshd_config with "AllowUsers leo4364088"; sshd applies that check itself, before PAM runs.

10. Prevent IP spoofing

vi /etc/host.conf
order bind,hosts
multi off
nospoof on
nospoof is a resolver-level check, not packet filtering: after resolving a name it looks up the reverse record of the returned address and rejects the answer if the two names differ. That protects services that trust host names (rsh, rlogin, TCP wrappers) and does nothing against forged source addresses on the wire; for those, the kernel's reverse-path filter (echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter) and the log_martians setting from step 4 are the relevant controls.

11. Lock the password files (do this last, after every account has been created: while the files are immutable, useradd, usermod and passwd fail. Unlock a file with chattr -i, e.g. chattr -i /etc/passwd)

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
Verify with lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow: an "i" in the flags column means the file is locked. Root can remove the flag again, so this guards against mistakes and careless scripts, not against an attacker who already has root.

12. Create a scheduled task (example: reboot every day at 03:00)

crontab -e
00 03 * * * /sbin/reboot
(cron runs with a minimal PATH, so give the full path /sbin/reboot rather than a bare reboot)
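As an added example (not part of the original article), the following POSIX shell script audits whether steps 5, 7, 8, 9 and 11 above actually took effect. It reads the configuration files by path, so it can be pointed at a live host (run it with --host) or at constructed sample files; the lsattr output is passed in as a string so the immutable check needs neither root nor an ext filesystem. The function names, the --host flag and the sample file contents are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article: audit helpers that verify
# steps 5, 7, 8, 9 and 11 of the checklist. Every check returns 0 (pass) or
# 1 (fail). File names are parameters, so the same functions run against a
# live host or against constructed sample files.

# Step 7. sshd uses the FIRST uncommented value of a keyword and stops reading
# global options at the first "Match" block, so a "PermitRootLogin no" placed
# below an earlier "PermitRootLogin yes" (or inside a Match block) does not
# apply globally. Print the effective value of KEYWORD ("Keyword value" form,
# keyword matched case-insensitively).
sshd_effective() {                       # usage: sshd_effective FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/                               { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
        NF >= 2 && tolower($1) == key                  { print $2; exit }
    ' "$1"
}

check_root_login() {                     # pass only when root SSH login is off
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ]
}

# Step 5. No active (uncommented) ctrlaltdel entry may remain in inittab.
check_ctrlaltdel() {
    ! grep -Eq '^[^#]*:ctrlaltdel:' "$1"
}

# Step 8. /etc/pam.d/su must carry an active "auth required ... pam_wheel.so" line.
check_pam_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' "$1"
}

# Step 9. /etc/pam.d/sshd must restrict logins with pam_listfile using
# sense=allow AND onerr=fail; onerr=succeed would admit everyone the moment
# /etc/ssh_users is missing or has unsafe ownership.
check_pam_listfile() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_listfile\.so' "$1") || return 1
    case "$line" in
        *sense=allow*onerr=fail*|*onerr=fail*sense=allow*) return 0 ;;
    esac
    return 1
}

# Step 11. Given one line of "lsattr -d FILE" output
# (e.g. "----i--------e-- /etc/passwd"), pass when the immutable flag is set.
# The flag field is everything before the first space; only lower-case 'i'
# means immutable (upper-case 'I' is the indexed-directory flag).
check_immutable_line() {                 # usage: check_immutable_line "LSATTR_LINE"
    case "${1%% *}" in *i*) return 0 ;; esac
    return 1
}

# Run every check against the live system (lsattr on /etc/shadow needs root).
audit_host() {
    report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
    report check_ctrlaltdel   /etc/inittab
    report check_root_login   /etc/ssh/sshd_config
    report check_pam_wheel    /etc/pam.d/su
    report check_pam_listfile /etc/pam.d/sshd
    for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
        if check_immutable_line "$(lsattr -d "$f" 2>/dev/null)"; then
            echo "PASS immutable $f"
        else
            echo "FAIL immutable $f"
        fi
    done
}

if [ "${1-}" = "--host" ]; then audit_host; fi
```

Each check is deliberately strict about where a setting sits, because that is where the manual steps go wrong in practice: an appended PermitRootLogin line that sshd never reads, a pam_wheel line left commented out, or a pam_listfile line whose onerr=succeed turns a missing user list into an open door.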