How do I set up common security policies under Linux?

Source: Internet
Author: User

This article shares some methods for configuring common security policies on Linux. Take a look; I hope it is helpful to everyone learning Linux.
"Safety first" is a primary concern in the Linux administration community and in computing generally. The security of encryption relies on the secrecy of the key (the password) rather than of the algorithm! Moreover, the security discussed here is mainly about the integrity of data: authenticating the data and guaranteeing its integrity take precedence over keeping it private, because if the sender of the data is uncertain and its integrity is not guaranteed, there is no point in talking about its privacy!
1. Prevent the system from responding to ping requests
An attacker usually first uses the ping command to find out whether a host or IP address is alive. If the host can be pinged, the attacker regards the system as active and then attacks or damages it. If nobody can ping the machine and get a reply, the security of the server is greatly improved. On Linux, ping requests can be refused with the following setting:
# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
By default the value of icmp_echo_ignore_all is "0", which means that ping requests are answered.
You can add the above command to the /etc/rc.d/rc.local file so that it runs automatically after each system restart.
2. Disable restarting the system with Control-Alt-Delete
In the default Linux configuration, pressing Control-Alt-Delete reboots the system immediately, which is very insecure. To stop this key combination from rebooting the system, just edit the /etc/inittab file:
The code is as follows:
# vi /etc/inittab
Find this line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
and put a "#" in front of it. Then execute:
The code is as follows:
# telinit q
3. Limit the size of the shell history
By default, bash saves up to 1000 commands in the file $HOME/.bash_history (the default number differs between systems). There is one such file in every user's home directory.
Keeping so many commands in the history is clearly unsafe, so the size of the file must be limited.
You can edit the /etc/profile file and change the following option:
HISTSIZE=30
This means that only the most recent 30 commands are kept in $HOME/.bash_history. If HISTSIZE is set to 0, no history is recorded at all, and you can no longer use the up and down arrow keys to recall previous commands.
4. Remove unnecessary default users and groups
Linux ships with a variety of system accounts. Any users or groups that you do not need after installation should be deleted immediately: the more accounts there are, the less secure the system is and the more exposed it is to attack.
Remove unnecessary users with the following command:
The code is as follows:
# userdel username
Remove unnecessary groups with the following command:
The code is as follows:
# groupdel groupname
Default users and groups that can be deleted from a Linux system include:
Users: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher.
Groups: adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers.
5. Turn off SELinux
SELinux (Security-Enhanced Linux) is a mandatory access control security system in the kernel. It is now integrated into the mainline Linux 2.6 kernel and into most Linux distributions. Because SELinux has some compatibility problems with existing Linux applications and kernel modules, beginners are advised to turn SELinux off first; once they understand Linux thoroughly, it is not too late to study SELinux in depth!
To see whether SELinux is enabled on the system, use the getenforce command:
The code is as follows:
# getenforce
Disabled
To turn off SELinux on Red Hat family distributions, edit the following file directly:
The code is as follows:
# vi /etc/sysconfig/selinux
The file looks like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
Change SELINUX=enforcing to SELINUX=disabled, and SELinux will stay off after the system is rebooted.
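The five settings above can be verified without changing anything on the host. The following script is an added example written for this article, not part of the original text: each check takes the file it inspects as an argument, so it can run against the constructed fixtures built inline (which describe an unhardened host and are not copied from any real system) or against the real paths through audit_host. The function names (icmp_echo_state, ctrlaltdel_state, histsize_value, present_accounts, selinux_config_mode, audit_host) are my own.

```shell
#!/bin/sh
# Added example: read-only audit of the five hardening settings above.
# Each check takes the file it inspects as an argument; function names and
# fixture contents are this example's own, not from the article.

# 1. ICMP echo: "ignored" when icmp_echo_ignore_all holds 1, else "answered"
icmp_echo_state() {
  case "$(cat "$1" 2>/dev/null)" in 1) echo ignored ;; *) echo answered ;; esac
}

# 2. Control-Alt-Delete: "enabled" if inittab still has an uncommented ctrlaltdel line
ctrlaltdel_state() {
  [ -f "$1" ] || { echo absent; return 0; }
  if grep -v '^[[:space:]]*#' "$1" | grep -q ':ctrlaltdel:'; then
    echo enabled
  else
    echo disabled
  fi
}

# 3. History size: the last HISTSIZE=N assignment in a profile file, or "unset"
histsize_value() {
  v=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
      | sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)*HISTSIZE=\([0-9][0-9]*\).*/\2/p' \
      | tail -n 1)
  if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# 4. Accounts: which of the article's removable default users still exist in a passwd file
present_accounts() {
  out=
  for u in adm lp sync shutdown halt news uucp operator games gopher; do
    if grep -q "^$u:" "$1" 2>/dev/null; then out="$out $u"; fi
  done
  echo "${out# }"
}

# 5. SELinux: the SELINUX= value configured in the sysconfig file, or "unset"
#    (the configured value, not the running state that getenforce reports)
selinux_config_mode() {
  v=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
  if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Run all five checks against a host's real files (read-only, no root needed)
audit_host() {
  echo "ICMP echo:        $(icmp_echo_state /proc/sys/net/ipv4/icmp_echo_ignore_all)"
  echo "Ctrl-Alt-Del:     $(ctrlaltdel_state /etc/inittab)"
  echo "HISTSIZE:         $(histsize_value /etc/profile)"
  echo "Accounts present: $(present_accounts /etc/passwd)"
  echo "SELinux config:   $(selinux_config_mode /etc/sysconfig/selinux)"
}

# Constructed fixtures describing an unhardened host (not taken from any system)
WORK=$(mktemp -d)
printf '0\n' > "$WORK/icmp_echo_ignore_all"
printf 'id:3:initdefault:\nca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$WORK/inittab"
printf '# profile fragment\nHISTSIZE=1000\nexport HISTSIZE\nHISTSIZE=30\n' > "$WORK/profile"
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
EOF
printf '# SELINUX= can take one of these three values:\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$WORK/selinux"

echo "ICMP echo:        $(icmp_echo_state "$WORK/icmp_echo_ignore_all")"
echo "Ctrl-Alt-Del:     $(ctrlaltdel_state "$WORK/inittab")"
echo "HISTSIZE:         $(histsize_value "$WORK/profile")"
echo "Accounts present: $(present_accounts "$WORK/passwd")"
echo "SELinux config:   $(selinux_config_mode "$WORK/selinux")"
```

Three caveats the output should be read with: HISTSIZE in /etc/profile only applies to shells that read that file, and a user can override it in their own startup files, so the audit reports the configured value rather than a guarantee; before removing any account listed as present, check for files and processes it still owns (for example with find / -user name), since userdel alone leaves those behind; and the SELinux check reads the configuration file, which, as the section says, only takes effect after a reboot, so compare it with getenforce for the running state.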
6. Set up the tcp_wrappers firewall
tcp_wrappers is a piece of software that inspects TCP/IP packets, similar to iptables, and both are installed by default on Linux. As a secure system, Linux has two layers of security firewall. The first layer is the IP filtering mechanism implemented by iptables: by monitoring the state of the system, the iptables firewall blocks some malicious attacks from the network and keeps the whole system running normally, protected from attack and damage. (The implementation of iptables is described in detail in the next section.) If a connection passes the first layer, the next layer of protection is tcp_wrappers, which can open or close, allow or forbid, individual services provided by the system, and so further ensures safe operation.
Using tcp_wrappers is simple; it has only two configuration files: /etc/hosts.allow and /etc/hosts.deny.
(1) Check whether tcp_wrappers is installed
# rpm -q tcp_wrappers
or
# rpm -qa | grep tcp
tcp_wrappers-7.6-37.2
tcpdump-3.8.2-10.RHEL4
If you see output like the above, the tcp_wrappers package is already installed. If nothing is shown, it may not be installed, and you can install the corresponding RPM package from the Linux installation disc.
(2) Limitations of the tcp_wrappers firewall
Whether a service can be protected by the tcp_wrappers firewall depends on whether the service is linked against the libwrap library. Some of the default services in the system, such as sshd, portmap, sendmail, xinetd, vsftpd and tcpd, can all use the tcp_wrappers firewall.
(3) Rules set by tcp_wrappers
The tcp_wrappers firewall is implemented through the two files /etc/hosts.allow and /etc/hosts.deny. First look at the rule format:
service: host(s) [: action]
- service: the name of the service, such as sshd, vsftpd, sendmail and so on.
- host(s): a host name or IP address; there can be several, for example 192.168.60.0 or www.ixdba.net.
- action: the action to take when the condition is met.
Several keywords:
- ALL: all services or all IP addresses.
- ALL EXCEPT: all services or all IP addresses except the ones specified.
Example: ALL: ALL EXCEPT 192.168.60.132
This means that every machine except 192.168.60.132 is allowed (or denied) all services.
Once you understand the syntax, you can restrict access to services as follows.
For example, suppose a Linux server on the Internet should only allow 222.90.66.4, 61.185.224.66 and the domain name softpark.com to log in to the system through the SSH service. Set it up as follows:
First, configure the computers that are allowed to log in, which is the /etc/hosts.allow file. The setting is very simple: just edit /etc/hosts.allow (if the file does not exist, create it yourself) and add the following rule:
sshd: 222.90.66.4 61.185.224.66 softpark.com
Then configure the machines that are not allowed to log in, which is the /etc/hosts.deny file.
In general, Linux checks /etc/hosts.allow first. If the remote computer matches a rule in /etc/hosts.allow, /etc/hosts.deny is not consulted at all. If it does not match any rule in hosts.allow, hosts.deny is checked: if the host matches a rule there, it is refused access to the Linux server, and if it matches neither file, it is allowed access by default. Therefore, once the access rule in /etc/hosts.allow is set, you only need to set /etc/hosts.deny to "no computer may log in":
sshd: ALL
In this way, a simple tcp_wrappers firewall is set up.
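The allow-first, deny-second, permit-by-default order described above can be tried out on paper before the rules go live. The following script is an added example written for this article, not part of the original text or of the tcp_wrappers package: it evaluates a simplified subset of the hosts_access(5) syntax (an exact host or IP, ALL, EXCEPT, a leading-dot domain suffix such as .softpark.com, and a trailing-dot network prefix such as 192.168.60.) against constructed copies of hosts.allow and hosts.deny built inline. The function names are my own, and it is not a substitute for the real library's matching (no netmasks, no netgroups, no reverse-lookup of the client name).

```shell
#!/bin/sh
# Added example: a simplified model of the hosts.allow / hosts.deny decision
# order (allow file first, then deny file, otherwise permit). Function names
# are this example's own. Supported client tokens: exact host/IP, ALL,
# ".domain" suffix, "1.2.3." prefix, and one EXCEPT clause per list.

# token_matches TOKEN CLIENT -> success if TOKEN matches CLIENT
token_matches() {
  tok=$1; client=$2
  case "$tok" in
    ALL) return 0 ;;
    .*)  case "$client" in *"$tok") return 0 ;; esac ;;   # domain suffix
    *.)  case "$client" in "$tok"*) return 0 ;; esac ;;   # network prefix
    *)   [ "$tok" = "$client" ] && return 0 ;;            # exact match
  esac
  return 1
}

# list_matches "LIST" CLIENT -> success if the comma/space separated list
# matches CLIENT, honouring a single "EXCEPT" clause
list_matches() {
  lst=$(printf '%s' "$1" | tr ',' ' '); who=$2
  case "$lst" in
    *EXCEPT*) inc=${lst%%EXCEPT*}; exc=${lst#*EXCEPT} ;;
    *)        inc=$lst; exc= ;;
  esac
  hit=1
  for t in $inc; do
    if token_matches "$t" "$who"; then hit=0; break; fi
  done
  [ "$hit" -eq 0 ] || return 1
  for t in $exc; do
    if token_matches "$t" "$who"; then return 1; fi
  done
  return 0
}

# file_matches FILE SERVICE CLIENT -> success if any rule line in FILE matches
file_matches() {
  [ -f "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                      # strip comments
    case "$line" in *:*) ;; *) continue ;; esac
    svc=${line%%:*}                       # service list
    rest=${line#*:}
    hosts=${rest%%:*}                     # client list (drop optional :action)
    list_matches "$svc" "$2" || continue
    if list_matches "$hosts" "$3"; then return 0; fi
  done < "$1"
  return 1
}

# wrappers_decision SERVICE CLIENT ALLOW_FILE DENY_FILE -> prints allow|deny
wrappers_decision() {
  if file_matches "$3" "$1" "$2"; then echo allow
  elif file_matches "$4" "$1" "$2"; then echo deny
  else echo allow      # matched neither file: access is granted by default
  fi
}

# Constructed sample files mirroring the rules above (not a real host's files)
WORK=$(mktemp -d)
ALLOW="$WORK/hosts.allow"; DENY="$WORK/hosts.deny"
cat > "$ALLOW" <<'EOF'
sshd: 222.90.66.4 61.185.224.66 softpark.com
vsftpd: 192.168.60. EXCEPT 192.168.60.132
EOF
cat > "$DENY" <<'EOF'
sshd: ALL
EOF

for c in 222.90.66.4 softpark.com host1.softpark.com 10.0.0.5; do
  printf '%-20s sshd   -> %s\n' "$c" "$(wrappers_decision sshd "$c" "$ALLOW" "$DENY")"
done
for c in 192.168.60.10 192.168.60.132; do
  printf '%-20s vsftpd -> %s\n' "$c" "$(wrappers_decision vsftpd "$c" "$ALLOW" "$DENY")"
done
```

Two things the output makes visible. The bare name softpark.com in the allow rule matches only a client whose name is exactly softpark.com, so host1.softpark.com is refused by the sshd: ALL line in hosts.deny; in hosts_access(5) a pattern with a leading dot (.softpark.com) is what admits every host in that domain. And an EXCEPT inside hosts.allow only removes the host from the allow list: 192.168.60.132 is still let in to vsftpd by default, because nothing in hosts.deny covers that service. This is exactly why the article closes hosts.deny with a service: ALL line. Whether a daemon consults these files at all depends on it being linked against libwrap, which ldd on the daemon binary will show.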


Source: Ops Tribe
