[System Aspects]
Action 1: Comment out unused users
Method: Edit the /etc/passwd file and comment out the adm, lp, sync, shutdown, halt, news, uucp, operator and games users.
Action 2: Comment out unused groups
Method: Edit the /etc/group file and comment out the adm, lp, news, uucp, games, dip and pppusers groups.
Action 3: Remove the login banner information
Method: Rename /etc/issue and /etc/issue.net with a .bak suffix, or delete them.
Action 4: Change the SSH port
Method: Edit /etc/ssh/sshd_config, uncomment "#Port 22" and add a "Port 22222" line, then restart the SSH service. Once an SSH login on port 22222 succeeds, delete the "Port 22" line.
Action 5: Disable root login over SSH
Method: Edit /etc/ssh/sshd_config, change "PermitRootLogin yes" to "PermitRootLogin no", and restart the sshd service. Create a normal user for SSH logins and switch to root from that user.
Action 6: Allow only a specific group to su to root
Method: Edit the /etc/pam.d/su file, find the line "auth required pam_wheel.so use_uid" and remove the comment in front of it, then add each authorized user to the wheel group: usermod -a -G wheel username
Action 7: Enable the iptables firewall
Method: Configure it according to the specific requirements; at a minimum, open the ports that are needed and close the rest.
Action 8: Allow only root to operate the /etc/init.d/ services
Method: chmod -R 700 /etc/init.d/
Action 9: Do not upgrade the kernel when updating packages with yum update
Method: Edit the yum configuration file /etc/yum.conf and add exclude=kernel* at the end of the [main] section.
Action 10: Shorten the history command record
Method: Edit the /etc/profile file and change HISTSIZE=100 to HISTSIZE=50.
Action 12: Prevent non-root users from modifying important files
Method: chmod 700 /etc/passwd /etc/group /etc/shadow /etc/services
Action 13: Modify SELinux
Method: Edit /etc/selinux/config and set SELINUX=disabled
Action 14: Change the hostname
Method: Edit /etc/sysconfig/network, set HOSTNAME= to the name you want and save, then run "hostname <the name you want>". Log out and back in for it to take effect.
Action 15: Disable IPv6
Method: Edit /etc/modprobe.d/dist.conf and add these two lines at the end: "alias net-pf-10 off" and "alias ipv6 off"
Action 16: Make the server ignore ping
Method: Run sysctl -w net.ipv4.icmp_echo_ignore_all=1 in a terminal. To allow ping again, change the 1 to 0.
Action 17: System kernel optimization
Action 18: Forward important or error logs to our own mailbox
Method: Edit /etc/aliases and, below the lines "MAILER-DAEMON: postmaster" and "postmaster: root", add "root: <your email address>".
Action 19: Resist SYN flooding
Method:
1. Increase the SYN queue length: sysctl -w net.ipv4.tcp_max_syn_backlog=2048
2. Enable SYN cookies: sysctl -w net.ipv4.tcp_syncookies=1
3. Reduce the retry counts: sysctl -w net.ipv4.tcp_synack_retries=3 and sysctl -w net.ipv4.tcp_syn_retries=3
To keep the above configuration across a restart, write the commands into the /etc/rc.d/rc.local file.
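An audit helper, added here as an example and not part of the original list, that checks an sshd_config against Actions 4 and 5 and a sysctl-style file against the values in Actions 16 and 19. The files it writes are constructed samples; point the check functions at the real /etc/ssh/sshd_config or at the file that holds your sysctl settings to audit a host.

```shell
# Added example (not from the original page). The files created below are constructed samples.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#Port 22
Port 22222
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/sshd_config.bad" <<'EOF'
Port 22
PermitRootLogin yes
EOF
cat > "$SAMPLE_DIR/sysctl.conf" <<'EOF'
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
EOF
# sshd_effective KEY FILE: first uncommented directive wins (sshd applies the first match).
sshd_effective() {
  awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}
# sysctl_file_value KEY FILE: parses "key = value" lines; the last assignment wins.
sysctl_file_value() {
  awk -F= -v k="$1" '$1 !~ /^[ \t]*#/ { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); if ($1 == k) v = $2 } END { print v }' "$2"
}
# check_sshd FILE: Action 5 (PermitRootLogin no) and Action 4 (sshd no longer on port 22).
check_sshd() {
  root="$(sshd_effective PermitRootLogin "$1")"; port="$(sshd_effective Port "$1")"; rc=0
  [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin=${root:-unset} (Action 5)"; rc=1; }
  if [ -z "$port" ] || [ "$port" = "22" ]; then
    echo "FAIL: sshd still on port ${port:-22} (Action 4)"; rc=1
  fi
  return $rc
}
# check_sysctl_file FILE: every value from Actions 16 and 19 must be present with the expected setting.
check_sysctl_file() {
  rc=0
  for kv in net.ipv4.icmp_echo_ignore_all=1 net.ipv4.tcp_syncookies=1 \
            net.ipv4.tcp_max_syn_backlog=2048 net.ipv4.tcp_synack_retries=3 \
            net.ipv4.tcp_syn_retries=3; do
    k="${kv%=*}"; want="${kv#*=}"; got="$(sysctl_file_value "$k" "$1")"
    [ "$got" = "$want" ] || { echo "FAIL: $k=${got:-unset}, expected $want"; rc=1; }
  done
  return $rc
}
```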
Action 20: Add DNS servers
Method: Edit /etc/resolv.conf and add "nameserver <DNS address>" lines.
Action 21: Do not allow root to log in from arbitrary consoles
Method: Edit /etc/securetty and comment out the tty devices from which root should not be allowed to log in.
Action 22: Delete the command history automatically on logout
Method: Edit /etc/skel/.bash_logout and add the line "rm -rf $HOME/.bash_history". To target a specific user, edit $HOME/.bash_logout in that user's home directory and add the same line.
Action 23: Restrict which IPs may connect over SSH
Method: Add a rule in iptables that accepts port 22 only from the permitted network segment or IP: iptables -A INPUT -i eth0 -p tcp -s <network segment/IP> --dport 22 -j ACCEPT
[Web Aspects]
Action 24: Turn off Apache's default directory browsing
Method: Edit the httpd.conf file and remove "Indexes" from the Options of every "Directory" directive.
Action 25: Remove server information from the Apache response headers
Method: Edit the httpd.conf file and add these two lines to the configuration: "ServerTokens ProductOnly" and "ServerSignature Off"
Action 26: Disable the PHP functions that are a security concern
Method: Disable the relevant functions in the php.ini file (disable_functions): passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, get_cfg_var
Action 27: Remove the default comments
Method: Remove the default comments from httpd.conf so the file is easier to read.
Action 28: Stop users from loading .htaccess files
Method: Edit the httpd.conf file and set AllowOverride None
Action 29: NFS protection
Method:
1. Use the iptables firewall to restrict which hosts may connect to the NFS server: iptables -A INPUT -i eth0 -p tcp -s <network segment/IP> --dport 111 -j ACCEPT and iptables -A INPUT -i eth0 -p udp -s <network segment/IP> --dport 111 -j ACCEPT
2. Change the default NFS port.
3. Configure the directories shared out in /etc/exports carefully. It is best to use anonuid and anongid so that a client mounting the NFS share gets only the least privilege, and to keep root_squash rather than no_root_squash.