Security Settings after Linux Installation

1. Do not install other services except the ssh service when installing the system. It is best to install the services in text mode. Enabling the least services will improve the security performance of the system. The root User Password must contain more than 8 characters (including numbers, letters, and symbols) to prevent hackers from cracking the password dictionary.

2. Several important file directories and Data Directories In the backup system
[Root @ 208 ~] # Tar jcvf back.tar.gz/etc/home/boot // bin // sbin // usr/bin // usr/sbin/

3. Control the ssh service
[Root @ 208 ~] # Vim/etc/hosts. allow -- which IP address can be connected by ssh
Sshd: Your Internet IP Address
[Root @ 208 ~] # Vim/etc/hosts. deny -- reject other IP addresses
Sshd: all

4. Modify the ssh server port to prevent hackers from attacking port 22.
[Root @ CentOS ~] # Vim/etc/ssh/sshd_config -- open the ssh service configuration file
Port 222 -- enable and modify this line
PermitRootLogin no -- root users are not allowed to log on
PermitEmptyPasswords no -- do not allow empty password login
AllowUsers tong @ Internet IP tong1 @ Internet IP -- only allow the two users to log on to the specified IP Address
[Root @ centos ~] #/Etc/init. d/sshd restart
Stopping sshd: [OK]
Starting sshd: [OK]
[Root @ centos ~] # Vim/etc/services
Ssh 222/tcp -- modify the two rows.
Ssh 222/udp
[Root @ centos ~] # Vim/etc/sysconfig/iptables -- enable package filtering
-A input-m state -- state NEW-m tcp-p tcp -- dport 222-j ACCEPT
[Root @ centos ~] #/Etc/init. d/iptables restart
Iptables: Applying firewall rules: [OK]
[Root @ centos ~] #

5. the file integrity check tool installed in Linux only checks the addition, modification, deletion, and access of files, and does not back up or restore files. Therefore, we recommend that you back up the files before installing the software, for future file recovery.
[Root @ 208 pub] # tar xvf tripwire-2.4.2.2-src.tar.bz2
[Root @ 208 pub] # cd tripwire-2.4.2.2-src
[Root @ 208 tripwire-2.4.2.2-src] #./configure -- prefix =/usr/local/tripwire/
.............................. Enter accept to allow
............ Enter y to confirm
.............. Enter the site password
............ Enter the local Password
[Root @ 208 tripwire-2.4.2.2-src] # make
[Root @ 208 tripwire-2.4.2.2-src] # make install
[Root @ 208 tripwire-2.4.2.2-src] # cd/usr/local/tripwire/etc/
[Root @ 208 etc] # ll
Total 60
-Rw-r -----. 1 root 931 Jan 6 11: 44 208.184.97.119.broad.wh.hb.dynamic.163data.com.cn-local. key
-Rw-r -----. 1 root 931 Jan 6 11: 44 site. key
-Rw-r -----. 1 root 4586 Jan 6 11: 44 tw. cfg
-Rw-r -----. 1 root 598 Jan 6 11: 44 twcfg.txt
-Rw-r -----. 1 root 598 Jan 6 11: 44 twcfg.txt. default
-Rw-r -----. 1 root 4159 Jan 6 11: 44 tw. pol
-Rw-r -----. 1 root 8679 Jan 6 13:03 twpol.txt
-Rw-r -----. 1 root 13806 Jan 6 11: 44 twpol.txt. default
[Root @ 208 etc] # vim twpol.txt
(
Rulename = "file", -- Define the rule name
)
{
/-> $ (ReadOnly); -- listens to files in the root directory
/Home-> $ (ReadOnly); -- listens to files in the home Directory
/Usr-> $ (ReadOnly); -- listens to files in the usr directory
/Var-> $ (ReadOnly); -- listens to files in the var directory
}
[Root @ 208 etc] # cd ../sbin/
[Root @ 208 sbin] #./tripwire -- init -- generate a benchmark database
[Root @ 208 sbin] #./tripwire -- check -- any modification file added to the definition listening directory will be listed
[Root @ 208 sbin] #./tripwire -- check -- rule-name "file" -- view the specified rule name
[Root @ 208 sbin] #./tripwire -- check/home/usr -- view the specified directory