Linux Paper reinforcement

Translation of beach, continue sharing
Directory:
1. BIOS
2. SSH Security
3. Disable telnet
4. disable code compilation
5. ProFTP
6. TCPwrappers
7. Create an SU group
8. root notification
9. history Security
10. welcome information
11. Disable all special accounts
12. chmod dangerous files
13. Specify the TTY device that allows root login
14. Select a Secure Password
15. Check Rootkit
16. Install patches
17. Hide Apache Information
18. Hide php Information
19. Disable unused services
20. Check the listening port
21. Disable opened ports and services
22. delete unused rpm packages
23. Disable dangerous php letters
24. install and configure the firewall
25. install and configure BFD
26. kernel reinforcement (sysctl. conf)
27. Change the SSH port
28./tmp/var/tmp,/dev/shm partition Security
29. PHP IDS

Summary
========================================================== ======================================
Jieshao

This tutorial will guide you step by step to make your Linux system secure.
Any operating system installed by default is not safe enough. This article will guide you how to establish
A safe Linux system.
========================================================== ======================================
1. BIOS
You should always set a BIOS password and disable booting from the CD-ROM and floppy disk at system startup.
This will prevent some people from accessing your system without permission and changing BIOS settings

2. SSH Security
SSH is a protocol that allows you to log on to a remote system or execute system commands remotely,
Root Login is allowed by default, and sshv1 has defects. We should
Sshd_config disables root access and uses sshv2 to make ssh more secure.

Method:
Vi/etc/ssh/sshd_config
Change protocol to 2
PermitRootLogin = no
Restart sshd/etc/rc. d/init. d/sshd restart

3. Disable telnet
In earlier Linux, the telnet service was enabled by default. telnet, ftp, and rlogin were all plain text transmission protocols.
It is easy to be sniffed, Which is why secure versions (sftp, scp, ssh) are recommended.
If you must use telnet, at least the banner information should be hidden.

Method:
Modify/etc/xinetd. d/telnet
Disable = yes

4. disable code compilation
You can disable code compilation and only assign the compilation permission to a user group.
Method:
Add compilation user group/usr/sbin/groupadd compiler, cd/usr/bin
Assign the group to which the common compiler belongs to the compilation user group.
Chgrp compiler * cc *
Chgrp compiler * ++ *
Chgrp compiler ld
Chgrp compiler
Set access to mysqlaccess
Chgrp root mysqlaccess
Set permissions
Chmod 750 * cc *
Chmod 750 * ++ *
Chmod 750 ld
Chmod 750
Chmod 755 mysqlaccess
Add a user to a group
Modify/etc/group
Compiler: x: 520: user1, user2

5. ProFTP
You can disable root login by modifying proftpd. conf.
Method:
Modify/etc/proftpd. conf
Add RootLogin off
Restart proftpd/sbin/service proftpd stop
/Sbin/service proftpd start

6. TCP wrappers
Edit hosts. allow and hosts. deny to restrict or allow access to the inet service.

Method:
Restrict access to inet services
Modify/etc/hosts. allow
Recommended format:
# Approved IP addresses
ALL: 192.168.0.1
ALL: 192.168.5.2
# CSV uploader machine
Proftpd: 10.0.0.5
# Pop3 from antwhere
Ipop3: ALL
Modify/etc/hosts. deny
ALL: ALL privileges t localhostENY

7. Create a SU User Group
Because we have disabled access by the root user and telnet in SSH, we should
Assign su permissions to some users to obtain the root privilege.

Method:
Vi/etc/group
Add a row of wheel: x: 10: root, user1, user2
Chgrp wheel/bin/su
Chmod o-rwx/bin/su

8. root notification
Send mail when a user with root permission logs on
Method:
Edit. bashrc under/root. An email notification is sent when a user with root permission logs on.
Echo ALERT-Root Shell Access (Server Name) on: 'date' who '| mail-s