Preface
I have wanted to write an article on Linux security settings for a long time. One advantage of writing it down is that you sort out your own ideas, and you can look it up later if you forget. This article is just some of my experiences from daily work and study; if something is wrong, I hope you will correct it.
I. Set startup services
After installing the system, run netstat and you will see that many network-related services are started by default, so many ports are open in the LISTEN state. The more open ports there are, the more likely the system is to be penetrated from outside, so we should close the unnecessary startup services; that closes as many ports as possible and improves the system's security.
Here I list only the startup services needed to keep the system running normally; the other services can be closed. Run ntsysv and enable only the following services.
II. Netfilter/Iptables firewall settings
# touch /etc/rc.d/firewall
# chmod u+x /etc/rc.d/firewall
# vi /etc/rc.d/rc.local
and add one line: /etc/rc.d/firewall
Note: the content of /etc/rc.d/firewall is as follows.
1. Single-NIC host settings
Note: this setup applies to a host dedicated to providing web or FTP services.
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Prevent SYN flood attacks
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# First clear all firewall rules
iptables -F
iptables -X
iptables -Z
# Drop all packets by default (chain policies)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow communication on the local loopback device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Let packets of connections that are already established, or related to them, through
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH for remote management of the host
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Limit the rate of IP fragments to prevent fragmentation attacks
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# If the host provides web services, open port 80: requests arrive on dport 80, replies leave from sport 80
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
# ICMP: allow this host to ping others to test the network, but do not let other hosts ping this host
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
With the above settings, this host exposes only ports 22 and 80 to the network, which keeps the host as secure as possible.
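As an added check (constructed for this article, not part of the original script), the following Python model replays the single-NIC INPUT and OUTPUT chains above against sample packets with iptables first-match semantics; the loopback and fragment rate-limit rules are left out. Beyond the two open ports it makes a side effect of the ruleset visible: external pings are dropped, and because OUTPUT defaults to DROP with no ESTABLISHED rule, the host itself cannot send DNS queries or open outbound connections, for example to fetch updates.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    proto: str                         # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: str = "NEW"                 # conntrack state: NEW, ESTABLISHED, RELATED
    icmp_type: Optional[str] = None    # "echo-request" / "echo-reply"

@dataclass
class Rule:
    target: str                        # ACCEPT or DROP
    proto: Optional[str] = None        # None means any protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[set] = None       # -m state --state ...
    icmp_type: Optional[str] = None

    def matches(self, p: Pkt) -> bool:
        return (self.proto in (None, p.proto) and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type)
                and (self.states is None or p.state in self.states))

def verdict(chain, policy, pkt):
    """iptables semantics: the first matching rule decides, otherwise the chain policy applies."""
    for r in chain:
        if r.matches(pkt):
            return r.target
    return policy

# The single-NIC rules from the script above, transcribed one rule per entry
# (loopback and fragment rate-limit rules omitted; both chain policies are DROP).
INPUT = [Rule("ACCEPT", proto="tcp", states={"ESTABLISHED", "RELATED"}),
         Rule("ACCEPT", proto="tcp", dport=22),
         Rule("ACCEPT", proto="tcp", dport=80),
         Rule("ACCEPT", proto="icmp", icmp_type="echo-reply")]
OUTPUT = [Rule("ACCEPT", proto="tcp", sport=22),
          Rule("ACCEPT", proto="tcp", sport=80),
          Rule("ACCEPT", proto="icmp", icmp_type="echo-request")]

def inbound(pkt: Pkt) -> str:
    return verdict(INPUT, "DROP", pkt)

def outbound(pkt: Pkt) -> str:
    return verdict(OUTPUT, "DROP", pkt)
```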
2. NAT host settings
Note: this setup applies to a host acting as a NAT gateway server. eth0 is the Internet NIC and eth1 is the intranet NIC; the intranet CIDR block is 192.168.1.0/24.
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Interface connecting to the Internet
EXTIF="eth0"
# IP address of the Internet NIC
EXTIFIPADDR="219.150.46.98"
# Interface connecting to the intranet (LAN)
INIF="eth1"
# Intranet CIDR block
INNET="192.168.1.0/24"
# Enable IP forwarding in the kernel so that Linux acts as a router
echo "1" > /proc/sys/net/ipv4/ip_forward
# Prevent SYN flood attacks
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Rebuild the list of modules known to the kernel
/sbin/depmod -a
# Load the required modules
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Clear the rules, restoring the state without a firewall
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Host security
# Allow communication on the local loopback device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# Let packets of connections that are already established, or related to them, through
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH for remote management of the host
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# Limit the rate of IP fragments to prevent fragmentation attacks
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# ICMP: allow this host to ping others to test the network, but do not let other hosts ping this host
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Next, configure NAT
# For the intranet to reach the Internet, set up SNAT
iptables -t nat -A POSTROUTING -p all -s $INNET -o $EXTIF -j SNAT --to $EXTIFIPADDR
# If a web server (IP 192.168.1.10) on the intranet must be reachable from the Internet, set up DNAT
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to 192.168.1.10:80
III. System settings
1. Limit the shell command history
The bash shell keeps the commands it has run in "~/.bash_history" ("~/" is the user's home directory); by default it saves 500 commands, which makes it convenient to re-enter long commands. Every user with an account on the system has a ".bash_history" file in their home directory. Bash should save only a small number of commands, and the history should be deleted every time the user logs out.
Step 1:
The "HISTSIZE" line in "/etc/profile" determines how many old command lines are saved in the ".bash_history" file of every user. We strongly recommend setting "HISTSIZE" in "/etc/profile" to a small value, such as 30. Edit the profile file (vi /etc/profile) and change the line to:
HISTSIZE=30
This means that each user's ".bash_history" file can hold only 30 old commands.
Step 2:
The administrator should also add the line "rm -f $HOME/.bash_history" to "/etc/skel/.bash_logout". This way the ".bash_history" file is deleted every time the user logs out.
Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:
rm -f $HOME/.bash_history
2. Modify the SSH connection port
With SSH we can manage Linux hosts remotely. However, an improper configuration can also be exploited by attackers to break into the system. The default SSH port is 22. In practice I found that port 22 on my host is scanned frequently and subjected to brute-force login attempts; fortunately the passwords were complex enough that the host was not compromised. So I thought of changing the SSH port, for example to 10000 or above; this way the thief cannot even find the door, let alone get into the house. The specific change is as follows:
vi /etc/ssh/sshd_config, find the line "#Port 22" and change it to "Port 20068".
From then on, we connect to SSH through port 20068.
Next, add a "DenyUsers" line to forbid the listed users from logging in over SSH. This prevents the daemon accounts from being used to access the system; for example, make sure the following daemon accounts cannot log in:
DenyUsers daemon bin sync adm lp shutdown halt mail news uucp nobody operator sympa squid ipvs gopher postfix xfs
3. Set up TCP_WRAPPERS
By default Red Hat Linux accepts all requests, which is dangerous. To enhance the security of the site with TCP_WRAPPERS, put "ALL: ALL" into /etc/hosts.deny so that every request not explicitly allowed is refused, and then put the explicitly allowed requests into /etc/hosts.allow, for example:
sshd: 192.168.1.10 gate.openarch.com
With this line, the IP address 192.168.1.10 and the host gate.openarch.com can connect via ssh (a single address is listed as-is; the net/mask form, such as 192.168.1.0/255.255.255.0, is for allowing a whole subnet). After the configuration is complete, run tcpdchk to check it; you can simply execute: tcpdchk. tcpdchk is the TCP_Wrappers configuration checker: it examines your tcp_wrappers configuration and reports all potential or existing problems it finds.
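To see how tcp_wrappers evaluates these two files, here is an added Python re-implementation of the hosts_access(5) matching rules (constructed for this article, not code from the tcp_wrappers project): hosts.allow is searched first, then hosts.deny, and a client that matches neither file is allowed, which is exactly the Red Hat default warned about above. It also shows why a net/mask pattern whose net part has host bits set, such as 192.168.1.10/255.255.255.0, never matches: tcp_wrappers compares (address AND mask) with the net field. Option fields after a second colon and the EXCEPT operator are not modelled.

```python
import ipaddress

def _addr_matches(pattern: str, addr: str) -> bool:
    """Address patterns of hosts_access(5): ALL, n.n.n.n/m.m.m.m, a trailing-dot prefix, or an exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # net/mask: matched when (addr & mask) == net, so net must carry no host bits
        net, mask = pattern.split("/", 1)
        a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
        return (a & m) == n
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr

def _host_matches(pattern: str, host: str) -> bool:
    """Host-name patterns: ALL, a leading-dot domain suffix, or an exact name (case-insensitive)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    return pattern.lower() == host.lower()

def _line_matches(line: str, daemon: str, addr: str, host: str) -> bool:
    fields = line.split(":")
    if len(fields) < 2:
        return False
    daemons, clients = fields[0].split(), fields[1].split()
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(_addr_matches(c, addr) or _host_matches(c, host) for c in clients)

def hosts_access(allow: str, deny: str, daemon: str, addr: str, host: str = "") -> bool:
    """Return True if the client may connect: hosts.allow first, then hosts.deny, else allowed."""
    for text, result in ((allow, True), (deny, False)):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
            if line and _line_matches(line, daemon, addr, host):
                return result
    return True

# Constructed sample files: the deny-all default, a net/mask allow line with host bits
# set (never matches), and the plain single-address form.
HOSTS_DENY = "ALL: ALL\n"
ALLOW_NETMASK_WITH_HOST_BITS = "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com\n"
ALLOW_SINGLE_ADDRESS = "sshd: 192.168.1.10 gate.openarch.com\n"
```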
Postscript
When I (the webmaster) was researching and setting up the Netfilter/iptables firewall, progress was slow because I lacked a multi-host network environment. Fortunately, after installing VMware I virtualized two Fedora Core 2 machines under WinXP at home and formed a LAN, so the study could continue. If you suffer from the same lack of a network environment, try VMware; I believe it will surprise you!
In fact, security settings go far beyond what is covered here. Because of my limited level I can only write this much, but I will keep updating this article in the future. I hope you will offer more valuable comments!