Linux Server Security Configuration

Source: Internet
Author: User

1. Disable replies to ping. Add the following line to /etc/rc.d/rc.local:
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Permission control for the user and password files:
   chmod 600 /etc/passwd
   chmod 600 /etc/shadow
   chmod 600 /etc/group
   chmod 600 /etc/gshadow

3. Add the immutable attribute to the same files:
   chattr +i /etc/passwd
   chattr +i /etc/shadow
   chattr +i /etc/group
   chattr +i /etc/gshadow

4. Access control for vsftpd. In /etc/hosts.deny add
   vsftpd: all
   to refuse all vsftpd requests, then in /etc/hosts.allow add
   vsftpd: 192.168.2.1
   to allow vsftpd requests from the intranet only.

5. Disable unused ports. Only the common ports (21, 22, 80, 443) stay open:
   service portmap stop
   chkconfig --level 35 portmap off          (closes port 111)
   netstat -nap | grep 32768
   killall rpc.statd                         (closes port 32768)
   netstat -nap | grep 631
   killall cupsd                             (closes port 631)
   service sendmail stop
   chkconfig --level 12345 sendmail off      (closes port 25)

6. Apache security settings (back up httpd.conf first). Edit /etc/httpd.conf:
   ServerSignature Off
   ServerTokens Prod
   These hide the Apache version number and other sensitive information.
   Options -ExecCGI -FollowSymLinks -Indexes
   This disables CGI execution, following of symbolic links and directory listings.
   Change "UserDir public_html" to "UserDir disabled", and comment out the CGI alias and the manual:
   # ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"

7. Edit /etc/profile:
   HISTFILESIZE=30
   HISTSIZE=30
   This means .bash_history keeps only the last 30 commands.
   TMOUT=600
   The user is logged out automatically after 10 minutes without activity.
   Edit /etc/skel/.bash_logout and add
   rm -f $HOME/.bash_history
   so that the bash history file is deleted every time a user logs out.
   Edit /etc/inittab and change
   ca::ctrlaltdel:/sbin/shutdown -t3 -r now
   to
   #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
   then run
   /sbin/init q
   to make the change take effect.

8. Delete accounts and groups that are not needed:
   userdel lp
   userdel sync
   userdel shutdown
   userdel halt
   userdel mail
   userdel news
   userdel games
   userdel ftp
   groupdel lp
   groupdel mail
   groupdel news
   groupdel games

============================================================

Disabling the TRACE and TRACK methods

Your web server supports TRACE and/or TRACK. TRACE and TRACK are HTTP methods used to debug web server connections. A server that supports these methods is exposed to a cross-site scripting vulnerability; in combination with various browser defects this is known as Cross-Site Tracing (XST). Attackers can exploit it to fool legitimate users and obtain their personal information. Solution: disable these methods. If you are using Apache, add the following statements to the configuration of each virtual host:
   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]

============================================================

Changing service banners

Below is a simple example of how to modify service banners.

Apache: to remove the banner completely, edit include/httpd.h:
   #define SERVER_BASEVENDOR "Apache Group"
   #define SERVER_PRODUCTVENDOR "Apache"
   #define SERVER_BASEVERSION "1.3.27"
and then recompile Apache.

wu-ftpd: the banner can be removed completely by opening /usr/sbin/in.ftpd in a hexadecimal editor and finding the following strings:
   /var/log/lastlog
   could not write %.100s: %.100s
   Version wu-2.6.1-16
Change "Version wu-2.6.1-16" to "Microsoft FTP Service (Version 5.0)" or "Serv-U FTP Server v4.0 for WinSock ready...".

Telnet: edit /etc/issue.net and find a line similar to the following (the content differs between Linux versions):
   Red Hat Linux release 8.0 (Psyche)
   Kernel \r on an \m
Change it to:
   Microsoft Windows Version 5.00 (Build 2195)
   Welcome to Microsoft Telnet Service
   Telnet Server Build 5.00.99206.1
Because issue.net is regenerated automatically after every restart, keep the forged information by editing /etc/rc.d/rc.local and adding "#" in front of these lines to comment out the regeneration:
   # echo "" > /etc/issue
   # echo "$R" >> /etc/issue
   # echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue
   # cp -f /etc/issue /etc/issue.net
   # echo >> /etc/issue

Apache (before installation): in the source tree, find the header file src/include/httpd.h. It defines the Apache version information that is compiled in during installation. Edit httpd.h and find these lines:
   #define SERVER_BASEVENDOR "Apache Group"
   #define SERVER_BASEPRODUCT "Apache"
   #define SERVER_BASEREVISION "1.3.20"
They can be changed to other information as needed; I changed mine to Microsoft-IIS/5.0.

SSH: edit /etc/ssh/sshd_config, find the line
   Banner /etc/issue.net
and add # in front of it to comment out the SSH banner.

Sendmail: in sendmail.mc remove the $v and $z macros and add the following:
   define(`confSMTP_LOGIN_MSG', `$j Sendmail Secure/Rabid; $b')
Then generate sendmail.cf:
   # m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
If sendmail.mc does not include /usr/share/sendmail-cf/m4/cf.m4, generate sendmail.cf together with the default configuration file cf.m4:
   # m4 /usr/share/sendmail-cf/m4/cf.m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

PHP: edit php.ini and set
   expose_php = Off
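The checklist above lists settings to apply; as an added example (not from the original article), this POSIX shell script audits copies of the relevant files for the settings named in sections 6 and 7, the TRACE/TRACK rewrite block, the sshd Banner line and expose_php, printing one line per item that is missing or still active. The function names and the sample configuration files are constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not from the original article): each function reads a
# config file path and prints one line per missing or still-active setting,
# so it can be run against copies of the real files in a temp directory.

audit_httpd_conf() {   # $1 = httpd.conf
  grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$1" || echo "ServerSignature Off missing"
  grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod'   "$1" || echo "ServerTokens Prod missing"
  grep -Eiq '^[[:space:]]*UserDir[[:space:]]+disabled'    "$1" || echo "UserDir disabled missing"
  grep -Eq  '^[[:space:]]*ScriptAlias[[:space:]]+/cgi-bin' "$1" && echo "ScriptAlias /cgi-bin still active"
  # TRACE/TRACK block from the XST section: exact text, so fixed-string grep
  grep -Fq 'RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)' "$1" || echo "TRACE/TRACK rewrite rule missing"
  return 0
}
audit_profile() {      # $1 = /etc/profile; -x requires the whole line to match
  for kv in HISTFILESIZE=30 HISTSIZE=30 TMOUT=600; do
    grep -Exq "[[:space:]]*$kv[[:space:]]*" "$1" || echo "$kv missing"
  done
}
audit_sshd_config() {  # $1 = sshd_config; an active Banner line is a finding
  grep -Eq '^[[:space:]]*Banner[[:space:]]' "$1" && echo "sshd Banner still enabled"
  return 0
}
audit_php_ini() {      # $1 = php.ini
  grep -Eiq '^[[:space:]]*expose_php[[:space:]]*=[[:space:]]*Off' "$1" || echo "expose_php = Off missing"
  return 0
}
# Constructed samples: a "before" httpd.conf and the hardened versions.
write_samples() {      # $1 = directory to write into
  cat > "$1/weak.conf" <<'EOF'
ServerSignature On
ServerTokens Full
UserDir public_html
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
EOF
  cat > "$1/hard.conf" <<'EOF'
ServerSignature Off
ServerTokens Prod
UserDir disabled
# ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
EOF
  printf 'HISTFILESIZE=30\nHISTSIZE=30\nTMOUT=600\n' > "$1/profile"
  printf '#Banner /etc/issue.net\n' > "$1/sshd_config"
  printf 'expose_php = Off\n' > "$1/php.ini"
}
```

Run it as `write_samples /tmp/audit && audit_httpd_conf /tmp/audit/weak.conf` to see the five findings for the unhardened file, or point the functions at copies of the real files.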
