Layered defense in depth: all hacker intrusions are just passing clouds

Source: Internet
Author: User
Tags: ssh, port

With so many hacking techniques being promoted at the moment, everyone is eager to try them out, afraid that learning a little less today means falling a day behind. I really cannot bear to watch it any longer. As it happens I work on building e-commerce websites, so within my actual abilities I will offer my views here, for reference only.
In fact, we do not realise that what we have learned, things like Metasploit, BackTrack 5 penetration testing, nmap scanning, stack overflow exploitation and the other hacker techniques, is a few hundred years behind even non-military hacking technology; I think the military would never use any of it. It fell behind long ago and has no core value left. If you really want to become a master, my suggestion is that you first get hold of one of the world's Top 500 supercomputers, master the mainstream encryption algorithms, and then use that supercomputer to crack the target's confidential files, or to decrypt and analyse the traffic of the whole network, break every SHA and MD5 key, certificate and SSL-encrypted stream, and capture the target's passwords.
At present, what we should fear most is not intrusion at all. Ordinary people have no secrets worth breaking in for, and as long as the security mechanisms are strengthened in everyday operation it is hard for anyone to break in at all! What is truly terrible for small and medium-sized enterprises is the traffic attack (DDoS). This is a non-technical attack: a contest of strength, money, resources and bandwidth, and there is basically no way to defend against it, unless the whole of society joins forces to build a broad network-defence alliance and sound legal mechanisms, which I have explained in my earlier articles. Of course, for smaller attacks the losses can still be reduced by spreading the load across a CDN or by building your own high-performance firewall; at the very least, make sure the server itself cannot be taken down before the bandwidth is exhausted!
Given my limited technical ability I can only offer guidance on layered defence in depth. Please test and carry out the following steps:
I. Find a safe place for our server:
Best of all, lock it in a safe and then throw away all the keyboards, monitors and keys, so that nobody even wants to open it (a server in one of my school's machine rooms sat in its cabinet for more than three years; when the hard disk failed and our computer administrator went to open the cabinet, he found the lock so rusty it could not be opened). Physical security is the first priority: nobody gets access unless it is absolutely necessary, and nobody touches it unless something goes wrong. Without physical security, a CMOS password is just a passing cloud and gives you no security at all!
II. Strengthen the basic Linux system security configuration:
1. When installing the system, download the ISO from the official Debian or CentOS website and verify the MD5 and SHA checksums and signatures to confirm that the image file is intact. This is very important; even the official website is not necessarily safe!
2. After the system is installed, boot with the default kernel and run dmesg to record the full hardware configuration (the hardware manual that came with the server is also useful here!).
3. Install all the server software that is needed: vsftpd, nginx, PHP, MySQL, Varnish and so on. Again check the official MD5 and SHA signatures, and compile with gcc using the -fstack-protector-all anti-overflow option; the optimisation level should not exceed -O2. Once the functionality has been debugged, tune nginx's connection concurrency settings to resist CC (HTTP flood) attacks, apply the Suhosin PHP hardening patch and disable every unused function, and set up the MySQL accounts: remove root's local login privilege from the database and create a login for the management machine instead. Disguise all the server software, so that nginx announces itself as Apache, MySQL as MSSQL, and so on. If possible, do not put all the server software on one machine but split it across several servers; for example, never place nginx and the database on the same box, and have a load-balanced cluster ready.
4. After all the software has been debugged, perform basic Linux hardening: create dedicated accounts for each piece of server software (nginx, php, mysql), delete every other unused system account, set system resource limits and disk quotas, set the permissions on the web root directory, use SSH certificate (key) login, and apply ACLs and permissions to key directories and files, especially sensitive ones such as passwd, shadow and the /boot directory.
5. Sort out and trim the built-in commands in /bin, /sbin, /usr/bin, /usr/sbin and similar directories. Commands that attackers find handy but that are hard to do without, such as ls and vi, should be renamed to odd names like 001 and 002. Commands that attackers use for information gathering should not be deleted or renamed but made to lie instead; for example, make uname report a plausible but false kernel name! For Linux or SSH login, use a one-time-password mechanism, or PAM with a USB-key login!
6. Set up an iptables firewall, or place a firewall in front of the server, and close every unneeded port. If the users are domestic only, block all foreign IP addresses; and if you need SSH, use port-knocking software so that the SSH port is only opened after a knock! A hardware firewall appliance in front (Cisco and the like) is ideal; if you do not have the means for that, a FreeBSD pf firewall can be used directly.
7. Tune the kernel parameters in sysctl.conf, and do your best to set up user-data and form filtering and SQL anti-injection protection for the PHP applications. Shut down every unneeded process and keep a record, especially of the programs listed by netstat -l!
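The following shell script is an added example and is not part of the original article. It turns two of the section II steps into reusable functions: step 1 (verifying a downloaded image against the vendor's checksum list, plus the GPG signature over that list, since a checksum alone proves integrity but not authenticity) and step 6 (a default-deny iptables ruleset that leaves only the web ports open and accepts SSH solely from an administrator's network). The administrator network 203.0.113.0/24 and SSH port 2222 in the usage comments are assumed example values; the port-knocking daemon the article mentions would open the SSH port dynamically instead of the static allow rule shown here.

```shell
#!/bin/sh
# Added example (not from the original article). Requires sha256sum and awk;
# gpg is only needed when a detached signature is supplied.

# Section II step 1: verify a downloaded image against the vendor's checksum
# list. A checksum proves integrity only; authenticity comes from the GPG
# signature over the checksum list, so that is verified too when present.
# Usage: verify_download FILE SUMS_FILE [SUMS_FILE.sig]
verify_download() {
    file=$1; sums=$2; sig=$3
    if [ -n "$sig" ]; then
        # gpg exits non-zero on a bad signature or an unknown signing key
        gpg --verify "$sig" "$sums" >/dev/null 2>&1 || {
            echo "BAD SIGNATURE on $sums" >&2; return 1; }
    fi
    # take only the entry for this file so another entry cannot mask a failure
    # (sha256sum lists "hash  name" for text mode and "hash *name" for binary)
    name=$(basename "$file")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "CHECKSUM MISMATCH for $name" >&2; return 1; }
    echo "OK: $name"
}

# Section II step 6: print a default-deny iptables ruleset in iptables-restore
# format. Only HTTP/HTTPS are reachable from anywhere; SSH is accepted solely
# from the administrator's network, and everything else is logged (rate
# limited) and then dropped by the INPUT chain policy.
# Usage: gen_firewall_rules 203.0.113.0/24 2222 > /etc/iptables.rules
#        iptables-restore < /etc/iptables.rules
gen_firewall_rules() {
    admin=$1; sshport=${2:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s $admin --dport $sshport -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
COMMIT
EOF
}
```

Because the INPUT policy is DROP, anything not explicitly accepted (including the "foreign" address ranges the article wants blocked) never reaches a service; the LOG rule ahead of the policy gives you a record of what was knocking, which is the same information the article later wants Snort to raise alarms on.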
III. The core settings:
1. Download the stable kernel from the Linux mainline 2.6.32 branch (www.kernel.org) and slim it down. Based on the dmesg record and the hardware model information in the purchase manual, use make localmodconfig to trim the configuration, then make menuconfig to trim it further. Enable the kernel's -fstack-protector and -O2 options, and strip out every unused debugging, networking and driver component, all unneeded file systems, sound card, graphics card and security modules, so that the kernel image stays at around MB!
2. Reboot on the new slim kernel and check that it starts, then stress-test each server program, make sure it runs properly and exercise every function.
3. Unpack the downloaded Linux kernel source again and apply the grsecurity and TOMOYO ccs-patch security patches. The former is a set of kernel hardening patches designed against advanced kernel overflow attacks, giving global protection over passive objects. The latter is the full version of the TOMOYO Linux LSM (with network protection), which enforces a behaviour policy on the main key processes; it effectively confines what a root program can do after an overflow, providing a simpler SELinux-like confinement of the service software processes.
4. After patching, copy the previously trimmed config file into the source directory and run make menuconfig to enable the grsecurity and TOMOYO functions. Be careful, and enable only the functions your own security needs require: every one of them costs system performance, up to about 50% at most.
5. After the kernel is compiled, install and use it (a kernel build is nothing more than make menuconfig; make all; make modules_install; make install). First configure grsecurity: set the root startup password and the admin password, and set the key permissions for directories such as /boot, /etc/passwd and /etc/nginx. Do not set permissions for the subjects, such as nginx, php and mysql, there; that is handled by TOMOYO. Configure TOMOYO with the minimum necessary policy for the main programs nginx, php and mysql. From then on, whether or not they behave correctly or legitimately, an overflow or an intrusion gains nothing: why would php or mysql be reading the passwd file? They are all passing clouds! Even if php, nginx and mysql have vulnerabilities we need not fear them; we are immune, and no longer have to fret about daily upgrades!
6. With grsecurity controlling global resources and TOMOYO controlling the behaviour of the key programs, run nginx, php and mysql through testing; a small performance loss does not matter. Security comes first and performance second, until the behaviour-security policy has been tuned to perfection.
7. The next step is very important: install Tripwire to protect the signatures of the system files, static web files, PHP files and the various configuration files, and set its secure passphrase. Run Tripwire checks regularly, and if the server can afford it, run rootkit scans at the same time!
8. The last step in local protection is backing up the data. Even when you feel safe you must keep one card in hand: back up the key data and configuration files, and remember to encrypt the backups with TrueCrypt! If necessary, refresh the key files regularly; for example, rewrite the passwd security configuration file once every hour from a non-writable CD! Let the hacker's painstaking modifications be wiped out every hour until he goes mad!
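The script below is an added example, not code from the original article, covering three checks for section III: a sanity check of the kernel .config after the grsecurity and TOMOYO patches (steps 3 to 6), a minimal Tripwire-style file baseline and verification (step 7), and the hourly re-stamping of a sensitive file from a read-only master copy (step 8). It assumes GNU coreutils and findutils; the option names CONFIG_CC_STACKPROTECTOR, CONFIG_GRKERNSEC and CONFIG_CCSECURITY are the real kernel, grsecurity and ccs-patch switches, and CONFIG_SOUND and CONFIG_DRM stand in for the subsystems the article strips out. The paths in the usage comments (/root/nginx.baseline, /mnt/cdrom/passwd) are assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Requires sha256sum, find,
# sort, xargs, awk and cmp.

# Section III steps 3-6: before `make all`, confirm that the hardening options
# the article enables really are in the .config. CONFIG_CC_STACKPROTECTOR is the
# kernel's own -fstack-protector switch; CONFIG_GRKERNSEC comes from the
# grsecurity patch; CONFIG_CCSECURITY comes from the TOMOYO ccs-patch (the
# mainline TOMOYO LSM uses CONFIG_SECURITY_TOMOYO instead).
# Usage: check_kernel_config linux-2.6.32/.config   (returns 1 on any finding)
check_kernel_config() {
    cfg=$1; missing=0
    for opt in CONFIG_CC_STACKPROTECTOR CONFIG_GRKERNSEC CONFIG_CCSECURITY; do
        if ! grep -q "^$opt=y" "$cfg"; then echo "missing: $opt"; missing=1; fi
    done
    # subsystems the article strips out: a leftover =y/=m means the trim failed
    for opt in CONFIG_SOUND CONFIG_DRM; do
        if grep -Eq "^$opt=(y|m)" "$cfg"; then echo "still enabled: $opt"; missing=1; fi
    done
    return $missing
}

# Section III step 7: a minimal Tripwire-style baseline. make_baseline writes a
# sha256 for every regular file below DIR; verify_baseline reports changed or
# missing files (via sha256sum --check) and also files the baseline does not
# know about, which Tripwire would flag as additions. Returns 1 on any finding.
# Usage: make_baseline /etc/nginx > /root/nginx.baseline
#        verify_baseline /root/nginx.baseline /etc/nginx
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum
}
verify_baseline() {
    base=$1; dir=$2; status=0
    sha256sum --check --quiet "$base" || status=1
    # every path in the baseline is "hash  path"; anything on disk that is not
    # in that set is new (a dropped web shell, for instance)
    find "$dir" -type f | awk -v base="$base" '
        BEGIN { while ((getline line < base) > 0) { sub(/^[^ ]+  /, "", line); known[line] = 1 } }
        !($0 in known) { print "new file: " $0; found = 1 }
        END { exit (found ? 1 : 0) }' || status=1
    return $status
}

# Section III step 8: hourly re-stamping of a sensitive file from a read-only
# master copy (the article suggests a non-writable CD). Nothing happens if the
# live file still matches; otherwise it is restored and 1 is returned so that a
# cron wrapper can raise an alert.
# Usage (cron): restore_from_master /mnt/cdrom/passwd /etc/passwd || logger "passwd was altered"
restore_from_master() {
    master=$1; live=$2
    cmp -s "$master" "$live" && return 0
    echo "restoring $live from $master" >&2
    cp -p "$master" "$live"
    return 1
}
```

Keep the baseline file itself somewhere the server cannot overwrite (the same read-only medium works), otherwise an intruder who gains write access can simply regenerate it; Tripwire signs its database for the same reason.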
IV. After local hardening, the weather forecast for network intrusions comes next. Bring out our good old Snort, which is free, install it on the switch's mirror port, and monitor, scan and perform intrusion detection around the clock on port 80 and the other dangerous ports, then feed the results back to the firewall, grsecurity and TOMOYO for proactive defence and security-system warnings! Ideally hook up a voice system to announce them, for example "Hello, someone is scanning your port 80!"
OK, carry out the configuration above. It may take some time to learn and test; read more, do more, test more. The hackers will fail to get in and will detour around you! Well, take a rest now; don't overdo it.
 
Author steamed BSD braised LINUX
