Optimization:
Users that can be deleted: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher. Example: userdel games
Groups that can be deleted: adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers. Example: groupdel games
Accounts that never need an interactive login, such as the www user Apache runs as, get their shell set to nologin: usermod -s /sbin/nologin www
Strip system information from the login banners: /etc/issue, /etc/issue.net, /etc/redhat-release, /etc/motd. # To show /etc/issue.net to SSH clients (the banner is sent before authentication, so put nothing in it that helps an attacker), add to /etc/ssh/sshd_config:
Banner /etc/issue.net
Other files that reveal system information: /etc/redhat-release. # /etc/motd is printed on the user's terminal after login; notices for users go there, for example a welcome message.
Disable the Ctrl-Alt-Delete reboot shortcut: vim /etc/init/control-alt-delete.conf and comment out the line: #exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
Turn off redundant services:
Services not required under normal circumstances (check first whether anything depends on them: auditd provides the audit log, portmap/nfs/nfslock/rpc* are needed for NFS, sendmail for local mail delivery):
anacron, auditd, autofs, avahi-daemon, avahi-dnsconfd, bluetooth, cpuspeed, firstboot, gpm, haldaemon, hidd,
ip6tables, ipsec, isdn, lpd, mcstrans, messagebus, netfs, nfs, nfslock, nscd, pcscd, portmap, readahead_early, restorecond,
rpcgssd, rpcidmapd, rstatd, sendmail, setroubleshoot, yppasswdd, ypserv. Example: chkconfig --level 345 anacron off
Services the system must keep running:
service name | service content
acpid        | power management (ACPI events)
apmd         | Advanced Power Management, monitors battery state
kudzu        | detects hardware changes at boot
crond        | runs jobs on a schedule (cron)
atd          | runs one-off jobs at a given time (at)
keytable     | loads the keyboard map
iptables     | built-in firewall
xinetd       | super-server daemon that starts other network services on demand
xfs          | X font server, needed by X Windows
network      | brings up the network interfaces
sshd         | secure remote login
syslog       | system log service
Disable password login and use key-based login: vim /etc/ssh/sshd_config and set PasswordAuthentication no # install your public key in ~/.ssh/authorized_keys and confirm that a key login works before switching this off, or you lock yourself out
Restart sshd: /etc/rc.d/init.d/sshd restart
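A script for the key-only switch above, added here as an example and not part of the original notes: it refuses to turn off password authentication until an authorized_keys file with at least one public key exists, and it edits sshd_config the way sshd reads it (the first global occurrence of a keyword wins, Match blocks keep their own settings). It also turns off ChallengeResponseAuthentication, which the notes do not mention but which otherwise lets PAM keep prompting for a password. The config and key files in the demo are constructed temp files, not the live ones; the fake key material is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original notes: switch sshd to key-only
# authentication without locking yourself out. Assumptions: a CentOS-style
# sshd_config with at most one Match section at the end, and the path of an
# authorized_keys file passed in by the caller.

# set_sshd_option CONFIG KEY VALUE
# Rewrites the first global occurrence of KEY (commented or not) to "KEY VALUE",
# drops later global duplicates (sshd uses the first value it sees, so a stale
# "PasswordAuthentication yes" further down would otherwise win), leaves Match
# blocks untouched, and appends the directive if it was absent entirely.
set_sshd_option() {
    local cfg="$1" key="$2" val="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v val="$val" '
        function emit() { if (!seen) { print key " " val; seen = 1 } }
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }          # strip indent and a leading "#"
        tolower(line) ~ /^match[ \t]/ { emit(); inmatch = 1 }      # global section ends at the first Match
        !inmatch && tolower(line) ~ ("^" tolower(key) "[ \t=]") { emit(); next }
        { print }
        END { emit() }                                             # never seen and no Match: append
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"                       # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# disable_password_auth CONFIG AUTHORIZED_KEYS
# Returns 2 and leaves CONFIG untouched unless AUTHORIZED_KEYS already holds
# at least one public key; otherwise turns off every password path.
disable_password_auth() {
    local cfg="$1" keys="$2"
    if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-|sk-)' "$keys" 2>/dev/null; then
        echo "refusing: no public key found in $keys, you would be locked out" >&2
        return 2
    fi
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    # PAM keyboard-interactive can still prompt for a password unless this is off too
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
}

# Demo on constructed files: an old config with a commented directive, a live
# duplicate, and a Match block that must keep its own setting.
demo_sshd_hardening() {
    local dir cfg
    dir=$(mktemp -d); cfg=$dir/sshd_config
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication yes' \
        'Match User backup' '    PasswordAuthentication yes' > "$cfg"
    # placeholder key line, constructed for the demo
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly admin@host\n' > "$dir/authorized_keys"
    disable_password_auth "$cfg" "$dir/authorized_keys"
    cat "$cfg"
    rm -rf "$dir"
}
demo_sshd_hardening
```

On the live file, run sshd -t after the edit to validate the syntax, then restart sshd, and keep the current session open until a fresh key login has succeeded.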
System security
User rights: edit /etc/sudoers with visudo rather than vim (it checks the syntax before saving; a broken sudoers file breaks sudo for everyone)
Let a normal user run any privileged command: username ALL=(ALL) NOPASSWD:ALL # this user can escalate to root with sudo su -
Let a normal user run only specific privileged commands: user01 ALL=/bin/more /etc/shadow, and user01 ALL=NOPASSWD: /etc/init.d/httpd restart # pagers such as more can spawn a shell with !command, so a sudo rule for more is effectively a root shell; grant a command that cannot escape instead
Simple firewall configuration with TCP wrappers: /etc/hosts.allow and /etc/hosts.deny # hosts.allow is matched first; a match there grants access and matching stops; otherwise hosts.deny is checked; if neither file matches, the connection is allowed. Only affects services linked against libwrap, commonly sshd, vsftpd, sendmail
Example: vim /etc/hosts.allow and add "sshd: 1.1.1.1"; vim /etc/hosts.deny and add "sshd: ALL" # rejects sshd connections from everyone except 1.1.1.1
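A small model of the evaluation order described above, added here as an example; it is not the real tcpd/libwrap and not part of the original notes. It handles only the patterns the notes use (ALL, an exact address, and a trailing-dot network prefix such as "10.0."); EXCEPT, netmasks, hostnames and spawn commands are not modelled. The file names are parameters so it runs against constructed copies rather than the live /etc/hosts.allow and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not part of the original notes and not the real tcpd: a model
# of how hosts.allow / hosts.deny are consulted, to make the order concrete.

# _tw_match FILE DAEMON CLIENT: succeeds if some "daemons : clients" line matches.
_tw_match() {
    [ -r "$1" ] || return 1                      # a missing file matches nothing
    awk -v d="$2" -v c="$3" '
        function matches(pat, val) {
            if (pat == "ALL") return 1
            if (pat ~ /\.$/)  return index(val, pat) == 1     # "1.1." covers 1.1.x.x
            return pat == val
        }
        function anymatch(list, val,   n, i, a) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", a[i])
                if (matches(a[i], val)) return 1
            }
            return 0
        }
        /^[ \t]*(#|$)/ { next }                               # comments and blank lines
        {
            if (split($0, f, ":") < 2) next
            if (anymatch(f[1], d) && anymatch(f[2], c)) { hit = 1; exit }
        }
        END { exit !hit }
    ' "$1"
}

# tcpwrap_decide DAEMON CLIENT ALLOWFILE DENYFILE
# Prints allow or deny and returns 0/1. hosts.allow is consulted first and a
# match there wins; then hosts.deny; a pair that matches neither file is
# allowed, which is why "sshd: ALL" in hosts.deny restricts only sshd.
tcpwrap_decide() {
    if _tw_match "$3" "$1" "$2"; then echo allow; return 0; fi
    if _tw_match "$4" "$1" "$2"; then echo deny;  return 1; fi
    echo allow; return 0
}

# Demo with the rules from the notes, written to constructed temp files.
demo_tcpwrap() {
    local dir
    dir=$(mktemp -d)
    printf 'sshd: 1.1.1.1, 10.0.\n' > "$dir/hosts.allow"
    printf 'sshd: ALL\n'            > "$dir/hosts.deny"
    for pair in "sshd 1.1.1.1" "sshd 10.0.7.8" "sshd 2.2.2.2" "vsftpd 2.2.2.2"; do
        set -- $pair
        printf '%-7s %-10s -> %s\n' "$1" "$2" \
            "$(tcpwrap_decide "$1" "$2" "$dir/hosts.allow" "$dir/hosts.deny")"
    done
    rm -rf "$dir"
}
demo_tcpwrap
```

The last demo line is the one worth remembering: vsftpd from 2.2.2.2 is allowed because nothing in either file names vsftpd, so a deny-all rule has to be written per daemon (or as ALL: ALL with explicit allows).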
File system security
Lock a file: chattr +i file (chattr -R +i dir for a whole tree) # the immutable bit stops even root from modifying or deleting the file until it is cleared with chattr -i. Query attributes with lsattr [-adlRvV].
File permissions check and modify:
SUID and SGID explanation: http://www.cnblogs.com/cp-miao/p/5519123.html
Find files and directories that are world- or group-writable (the parentheses matter, otherwise -o makes the second -perm test ignore -type): find / -type f \( -perm -2 -o -perm -20 \) | xargs ls -al ; find / -type d \( -perm -2 -o -perm -20 \) | xargs ls -ld
Find programs with the s bit: find / -type f \( -perm -4000 -o -perm -2000 \) -print | xargs ls -al # SUID/SGID programs are a privilege-escalation surface; keep as few as possible
Find all SUID and SGID files owned by root and hash them: find / -user root -perm -2000 -print -exec md5sum {} \; ; find / -user root -perm -4000 -print -exec md5sum {} \;
# Save the result to a file; later runs can be compared against it to see whether server binaries or their permissions have been tampered with
find / -nouser -o -nogroup # find files with no owner or group (left behind by deleted accounts); a later account created with the same UID inherits them, so remove or reassign them before an attacker does
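The baseline-and-compare idea from the last few lines, worked into a script; added here as an example and not part of the original notes. It finds SUID and SGID files in one pass (-perm /6000), records a hash and the mode for each, and reports a later scan as ADDED, REMOVED or CHANGED entries, so both a replaced binary and an extra s bit on an existing one are caught. It assumes GNU find (-printf, -perm /mode) and coreutils sha256sum (used instead of the notes' md5sum); the scan root is a parameter so the demo runs on a constructed scratch tree rather than /.

```shell
#!/bin/sh
# Added example, not part of the original notes: baseline and compare the
# SUID/SGID files under a directory. In production run it as root against /
# right after installation and keep the baseline file off the box.

# suid_baseline ROOT OUTFILE: one "sha256 mode path" line per SUID/SGID file.
suid_baseline() {
    local root="$1" out="$2" mode path sum
    # -perm /6000: either the setuid or the setgid bit set, in one pass
    find "$root" -xdev -type f -perm /6000 -printf '%m %p\n' 2>/dev/null \
    | sort -k2 \
    | while read -r mode path; do
        sum=$(sha256sum < "$path" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$mode" "$path"
      done > "$out"
}

# suid_compare BASELINE CURRENT: prints ADDED / REMOVED / CHANGED lines and
# returns 1 if anything differs, 0 if the tree still matches the baseline.
# A change in either the hash (binary replaced) or the mode (bit added) counts.
suid_compare() {
    awk '
        function pathof(s) { sub(/^[^ ]+ [^ ]+ /, "", s); return s }   # path may contain spaces
        BEGIN { d = 0 }
        FILENAME == ARGV[1] { base[pathof($0)] = $1 " " $2; next }     # works even if the baseline is empty
                            { cur[pathof($0)]  = $1 " " $2 }
        END {
            for (p in cur)  if (!(p in base)) { print "ADDED   " p; d = 1 }
            for (p in base) if (!(p in cur))  { print "REMOVED " p; d = 1 }
            for (p in cur)  if ((p in base) && base[p] != cur[p]) {
                print "CHANGED " p " (" base[p] " -> " cur[p] ")"; d = 1
            }
            exit d
        }' "$1" "$2"
}

# Demo on a constructed scratch tree: take a baseline, then simulate what a
# post-intrusion scan should flag. Returns the compare status.
demo_suid_scan() {
    local root="$(mktemp -d)" rc=0
    mkdir -p "$root/bin" "$root/usr/bin"
    for f in usr/bin/passwd bin/ping bin/mount; do
        printf '#!/bin/sh\necho %s\n' "$f" > "$root/$f"; chmod 4755 "$root/$f"
    done
    printf '#!/bin/sh\necho plain\n' > "$root/bin/plain"; chmod 755 "$root/bin/plain"
    suid_baseline "$root" "$root/baseline.txt"

    printf '#!/bin/sh\nexec /bin/sh\n' > "$root/usr/bin/passwd"      # binary replaced, bit kept
    chmod 6755 "$root/bin/ping"                                       # extra setgid bit added
    chmod 755  "$root/bin/mount"                                      # bit removed
    cp "$root/bin/plain" "$root/bin/.sh"; chmod 4755 "$root/bin/.sh"  # new hidden SUID shell
    suid_baseline "$root" "$root/current.txt"

    suid_compare "$root/baseline.txt" "$root/current.txt" || rc=$?
    rm -rf "$root"
    return $rc
}

if demo_suid_scan; then echo "no change"; else echo "differences found"; fi
```

The demo reports one ADDED, one REMOVED and two CHANGED entries; the REMOVED case is included because a bit that silently disappears is also worth a look (a legitimate update, or someone covering tracks after a temporary escalation).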
Permission control for the /tmp directory: create a filesystem image, mount it on /tmp with restrictive options, then move the old contents back.
1. dd if=/dev/zero of=/dev/tmpfs bs=1M count=1000
2. mke2fs -j /dev/tmpfs
3. cp -av /tmp /tmp.old
4. mount -o loop,noexec,nosuid,rw /dev/tmpfs /tmp
5. chmod 1777 /tmp
6. mv -f /tmp.old/* /tmp/
7. rm -rf /tmp.old
vim /etc/fstab
/dev/tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0 # if /tmp is already its own mount, just add nosuid,noexec to its options (loop only applies to an image file). Test by writing a shell script in /tmp and running it directly: it must fail with "Permission denied". Note that noexec only blocks direct execution; sh /tmp/script.sh still runs, and some installers unpack scripts into /tmp, so remount with exec during updates if they fail.
/dev/shm # shared memory device; harden its mount options the same way: tmpfs /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
Hacker attack
chkrootkit, a backdoor and rootkit detection tool, www.chkrootkit.org # usage: /usr/local/chkrootkit/chkrootkit
Back up the system commands chkrootkit needs for intrusion detection, so that it does not depend on binaries a rootkit may have replaced:
mkdir /usr/share/.commands
cp `which awk cut echo find egrep id head ls ps sed uname` /usr/share/.commands
/usr/local/chkrootkit/chkrootkit -p /usr/share/.commands/
# take these copies right after a clean install, before the host is exposed; copies made from an already compromised system are no more trustworthy than the originals
Linux Optimization & Security Operations & Hacker attack