Linux security reinforcement
--- 1. Use the shell history command record function

# /etc/bashrc
HISTFILESIZE=4000
HISTSIZE=4000
HISTTIMEFORMAT='%F %T'
export HISTTIMEFORMAT
source /etc/bashrc

--- 2. Delete the system logon welcome information

--- 2.1 Remove the banner that records the operating system name and version
# vi /etc/ssh/sshd_config
# Add the following record
Banner /etc/issue.net

--- 2.2 Delete all of it, or add whatever new content you want
# vi /etc/motd

--- 3. Log the user out automatically after a 5 minute timeout
echo "TMOUT=300" > /etc/profile
source /etc/profile
(note: `>` truncates /etc/profile and discards its existing contents; `>>` appends)

---- 4. Reinforcement

# chmod dangerous files
chmod 700 /bin/ping
chmod 700 /usr/bin/finger
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /usr/bin/pi... (target path garbled in the original)
chmod 700 /bin/vi
chmod 700 /usr/bin/which
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make
chmod 700 /bin/rpm

# history security
chattr +a /root/.bash_history
chattr +i /root/.bash_history
(note: +i makes the file immutable, so the shell can no longer append history to it; +a alone allows appending but not truncation, so choose one of the two deliberately)

# chattr /etc/passwd /etc/shadow
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
(note: while +i is set, user and password changes fail until the attribute is removed with chattr -i)

# add syncookie enable /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies = 1" > /etc/sysctl.conf
sysctl -p
(note: `>` truncates /etc/sysctl.conf; `>>` appends)

# modify the configuration file
vi /etc/login.defs
PASS_MAX_DAYS 90   # maximum number of days a password may be used
PASS_MIN_DAYS 0    # minimum number of days allowed between password changes
PASS_WARN_AGE 7    # number of days' warning given before a password expires
PASS_MIN_LEN 9     # minimum password length: 9

--- 5. Restrict which accounts can switch to root
1) # vi /etc/pam.d/su
auth required /lib/security/pam_wheel.so group=dba
# usermod -G dba test
Add the user to the dba group

--- 6. System kernel security
vi /etc/sysctl.conf
(note: several keys below appear more than once, sometimes with different values; sysctl applies the last occurrence in the file)

# Kernel sysctl configuration file for Red Hat Linux
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Disables packet forwarding
net.ipv4.ip_forward = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Modify system limits for Ensim WEBppliance
fs.file-max = 65000

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable tcp syn Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 2

# Improve virtual memory performance
vm.buffermem = 90 10 60

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536

# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288

# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864

# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280

# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344

# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 1024

# do not remove the following line!
# Nsobuilt: 20051206

sysctl -p