I. Disk partitioning
1. If the system is newly installed, plan the disk partitions with security in mind:
1) Put the root directory (/), the user directory (/home), the temporary directory (/tmp) and /var on separate disk partitions;
2) Size each partition generously, so that a partition filling up (for whatever reason) cannot bring the whole system down;
2. The partitions holding /tmp and /var almost never need to run programs with the suid bit, so mount them with the nosuid option.
Method 1: Edit /etc/fstab and add nosuid to the mount options. For example:
/dev/hda2 /tmp ext2 exec,dev,nosuid,rw 0 0
(The new options apply at the next mount; to apply them immediately run mount -o remount /tmp.)
Method 2: If you are not comfortable editing /etc/fstab, use the Linuxconf program:
Run linuxconf;
Under "File systems", select "Access local drive";
Select the disk partition whose attributes you want to change;
Select "No setuid programs allowed";
Set the other options as needed;
Exit normally (the system will usually prompt you to re-mount the partition).
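A quick check for the nosuid rule above, added here as an example (it is not part of the original article): the script scans an fstab for the /tmp and /var mounts and reports any that lack nosuid. The fstab text is constructed for illustration; on a real host pass the contents of /etc/fstab instead.

```shell
#!/bin/sh
# Added example: report /tmp and /var mounts that are not nosuid.
# SAMPLE_FSTAB is a constructed fstab, not taken from a real system.

SAMPLE_FSTAB='# device   mountpoint  type   options             dump pass
/dev/hda1  /           ext2   defaults            1 1
/dev/hda2  /tmp        ext2   exec,dev,nosuid,rw  0 0
/dev/hda3  /var        ext2   defaults            1 2
/dev/hda4  /home       ext2   defaults,nosuid     1 2'

# fstab_missing_nosuid FSTAB_TEXT MOUNTPOINT...
# For each mount point, prints it if its options lack nosuid
# (or notes that it has no fstab entry at all).
fstab_missing_nosuid() {
    fstab="$1"; shift
    for mp in "$@"; do
        printf '%s\n' "$fstab" | awk -v mp="$mp" '
            /^[ \t]*#/ || NF < 4 { next }
            $2 == mp {
                found = 1
                n = split($4, opts, ",")
                ok = 0
                for (i = 1; i <= n; i++) if (opts[i] == "nosuid") ok = 1
                if (!ok) print mp
            }
            END { if (!found) print mp " (not in fstab)" }'
    done
}

# Real usage: fstab_missing_nosuid "$(cat /etc/fstab)" /tmp /var
missing=$(fstab_missing_nosuid "$SAMPLE_FSTAB" /tmp /var)
if [ -n "$missing" ]; then
    printf 'Mounted without nosuid:\n%s\n' "$missing"
else
    echo "OK: /tmp and /var are mounted nosuid"
fi
```

In the constructed fstab only /var is reported, because "defaults" expands to suid among other options; a mount point absent from fstab is flagged separately, since it may be living on the root partition and so inherit its options.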
II. Installation
1. Do not install more software packages than necessary on non-test hosts. Fewer packages mean fewer opportunities for a vulnerable package to be present.
2. On non-test hosts, do not enable non-essential services at startup, such as routed and ypbind.
III. security configuration and enhancement
Upgrade the kernel to 2.2.16 or later.
Upgrade the GNU libc shared library. (Warning: do not attempt this without experience; it can be postponed.)
Disable dangerous network services: echo, chargen, shell, login, finger, NFS, RPC, etc.
Disable non-essential network services: talk, ntalk, pop-2, etc.
Securely configure and upgrade the network services you keep:
Make sure each network service runs the latest and most secure version available.
Disable anonymous FTP access.
Remove the suid bit from programs that do not need it.
Use tcp_wrappers.
Use an ipchains firewall.
Configure syslogd so that activity is logged.
Some details:
1. The operating system's log files are an important clue for detecting network intrusions. This of course assumes that the intruder has not tampered with them. If your server is connected to the Internet over a leased line, which means its IP address is a permanent, fixed one, you will find many people attempting telnet/ftp logins to your system. Run # more /var/log/secure | grep refused to check.
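The grep above tells you that refusals happened; a small summary of who was refused, and how often, is more useful for spotting a persistent probe. The script below is an added example, not part of the original article. It parses tcp_wrappers "refused connect from" entries of the kind tcpd writes to /var/log/secure; the log lines are constructed, and on a real host you would feed it the contents of /var/log/secure.

```shell
#!/bin/sh
# Added example: summarise tcp_wrappers refusals by source host.
# SAMPLE_SECURE is constructed; it is not from a real server.

SAMPLE_SECURE='Sep 22 16:24:16 deep in.telnetd[1201]: refused connect from 10.0.0.5
Sep 22 16:24:20 deep in.ftpd[1202]: refused connect from 10.0.0.5
Sep 22 16:30:01 deep sshd[1210]: refused connect from 192.0.2.17
Sep 22 16:31:45 deep in.telnetd[1215]: refused connect from 10.0.0.5
Sep 22 16:40:00 deep login: ROOT LOGIN ON tty1'

# refused_count LOGTEXT
# Prints the total number of refused connections.
refused_count() {
    printf '%s\n' "$1" | grep -c 'refused connect from'
}

# refused_by_host LOGTEXT
# Prints "count host" lines, most frequent source first. The source
# is the last field of a tcpd "refused connect from" line.
refused_by_host() {
    printf '%s\n' "$1" | awk '/refused connect from/ { c[$NF]++ }
        END { for (h in c) print c[h], h }' | sort -rn
}

# refused_by_service LOGTEXT
# Prints "count service" lines; the service is the daemon name that
# precedes the [pid] in the syslog tag.
refused_by_service() {
    printf '%s\n' "$1" | awk '/refused connect from/ {
            split($5, t, "["); c[t[1]]++ }
        END { for (s in c) print c[s], s }' | sort -rn
}

# Real usage: refused_by_host "$(cat /var/log/secure)"
echo "Total refused connections: $(refused_count "$SAMPLE_SECURE")"
echo "By source host:";  refused_by_host "$SAMPLE_SECURE"
echo "By service:";      refused_by_service "$SAMPLE_SECURE"
```

A single source appearing against several services within minutes, as 10.0.0.5 does in the constructed lines, is the pattern worth following up; a lone refusal is usually noise.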
2. Keep the number of programs with the SUID permission bit to a minimum. A program with this bit runs with the privileges of its owner, which is root in most cases, so every such program is a potential security hole. Some programs must have the bit, such as passwd, so the point is to know exactly which ones do and to remove it from the rest.
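Knowing which setuid/setgid programs exist is only useful if you notice when a new one appears. The script below, an added example rather than part of the original article, takes a baseline of setuid/setgid files and later reports anything not in it. The demonstration runs in a scratch directory it creates itself; on a real host you would run suid_baseline against / right after installation and keep the baseline file somewhere the intruder cannot edit it.

```shell
#!/bin/sh
# Added example: baseline and re-check setuid/setgid files.
# The scratch directory and file names below are constructed.

# suid_list DIR
# Lists regular files under DIR (not crossing mount points) that have
# the setuid (4000) or setgid (2000) bit, sorted so comm can use them.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# suid_baseline DIR BASELINE_FILE
# Records the current setuid/setgid files of DIR.
suid_baseline() {
    suid_list "$1" > "$2"
}

# suid_new DIR BASELINE_FILE
# Prints setuid/setgid files under DIR that are not in the baseline.
suid_new() {
    suid_list "$1" | comm -13 "$2" -
}

# Demonstration in a scratch directory standing in for a real tree.
demo=$(mktemp -d)
touch "$demo/passwd" "$demo/plain"
chmod 4755 "$demo/passwd"          # a legitimate setuid program
suid_baseline "$demo" "$demo/baseline"
touch "$demo/backdoor"
chmod 4755 "$demo/backdoor"        # planted after the baseline was taken
echo "New setuid/setgid files since baseline:"
suid_new "$demo" "$demo/baseline"  # prints only .../backdoor
rm -rf "$demo"

# Real usage:  suid_baseline / /root/suid.baseline
#              suid_new / /root/suid.baseline     (run from cron)
```

comm compares the two sorted lists and, with -13, keeps only lines unique to the second one, which is the current scan. A file disappearing from the list is not reported; that is usually deliberate hardening, but if you want to see it too, drop the -1.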
3. BIOS security. Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.
4. User passwords. User passwords are the most basic element of Linux security. Many users choose trivial passwords, which opens the door to intruders. In theory no password is uncrackable: given enough time and resources any of them can be broken. A good password is a string that only its owner can easily remember and make sense of, and it should never be written down anywhere.
5. The /etc/exports file. If you run the NFS network file system service, make sure /etc/exports has the strictest access settings possible. This means: do not use wildcards, do not allow root write access, and export file systems read-only wherever you can. Edit /etc/exports and add entries of this form:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you are exporting and host.mydomain.com is the name of the machine allowed to mount it.
ro exports the directory read-only; root_squash maps the client's root to an unprivileged user, so root on the client cannot write to the directory as root. Note that the client name must be written directly against the opening parenthesis: a space before it, as in "host1.mydomain.com (ro)", is read as two entries, one of which exports the directory to everyone.
To make the changes take effect, run /usr/sbin/exportfs -a (re-exports every entry in /etc/exports).
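A check for the weak settings just described, added here as an example that is not part of the original article: it reads an exports file and flags wildcard or empty client lists, read-write exports, and no_root_squash. The exports text is constructed; the first two entries show the weak forms and the last two the hardened form from the text. On a real host run it on /etc/exports.

```shell
#!/bin/sh
# Added example: audit /etc/exports for weak entries.
# SAMPLE_EXPORTS is constructed for illustration.

SAMPLE_EXPORTS='# weak entries
/home          *.mydomain.com(rw)
/data          (rw,no_root_squash)
# hardened entries
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)'

# exports_audit EXPORTS_TEXT
# Prints one "path client: reason" line per weakness found; prints
# nothing when every entry is a named client, read-only and root-squashed.
exports_audit() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            path = $1
            if (NF == 1) { print path " (no clients): exported to everyone"; next }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                # "host(opts)" -> host and opts; a bare "(opts)" has an empty host
                if (split($i, p, "(") > 1) { client = p[1]; opts = p[2]; sub(/\)$/, "", opts) }
                if (client == "" || client ~ /[*?]/)
                    print path " " $i ": wildcard or empty client"
                if (opts ~ /(^|,)rw(,|$)/)
                    print path " " $i ": writable export"
                if (opts ~ /no_root_squash/)
                    print path " " $i ": root not squashed"
            }
        }'
}

# Real usage: exports_audit "$(cat /etc/exports)"
out=$(exports_audit "$SAMPLE_EXPORTS")
if [ -n "$out" ]; then
    echo "Weak export entries:"; echo "$out"
else
    echo "OK: no weak export entries"
fi
```

The "(rw,no_root_squash)" entry with a space before the parenthesis is flagged as an empty client, which is exactly how the NFS server reads it: the options apply to a client pattern that matches everyone.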
6. Make sure /etc/inetd.conf is owned by root and has mode 600.
[root@deep]# chmod 600 /etc/inetd.conf
Then confirm that the owner is root:
[root@deep]# stat /etc/inetd.conf
  File: "/etc/inetd.conf"
  Size: 2869        Filetype: Regular File
  Mode: (0600/-rw-------)    Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,6   Inode: 18219     Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Edit /etc/inetd.conf and disable the following services unless you really need them:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger,
auth, etc.
In particular, disable the r commands (shell, login, exec). If you use ssh/scp, you can disable telnet/ftp as well.
To make the change take effect, run # killall -HUP inetd
You can also run # chattr +i /etc/inetd.conf to make the file immutable.
Only root can remove the flag again, with
# chattr -i /etc/inetd.conf
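The edit above is usually done by hand; the script below does it mechanically on a copy, so you can review the result before touching the real file. It is an added example, not part of the original article. The inetd.conf content is a constructed sample with the usual Red Hat layout, and the service list is the one given in the text.

```shell
#!/bin/sh
# Added example: comment out the listed services in an inetd.conf and
# show what remains enabled. SAMPLE_INETD is a constructed file.

SAMPLE_INETD='# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
time    stream  tcp     nowait  root    internal'

# Services the text says to disable unless really needed.
DISABLE="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# inetd_disable CONF_TEXT SERVICE...
# Prints CONF_TEXT with every active line for the named services
# commented out; lines that are already comments are left alone.
inetd_disable() {
    conf="$1"; shift
    printf '%s\n' "$conf" | awk -v list="$*" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) off[s[i]] = 1 }
        /^[ \t]*#/ { print; next }
        ($1 in off) { print "#" $0; next }
        { print }'
}

# inetd_active CONF_TEXT
# Prints the names of the services still enabled.
inetd_active() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF { print $1 }'
}

hardened=$(inetd_disable "$SAMPLE_INETD" $DISABLE)
echo "$hardened"
echo "Still enabled: $(inetd_active "$hardened" | tr '\n' ' ')"

# Real usage: inetd_disable "$(cat /etc/inetd.conf)" $DISABLE > /etc/inetd.conf.new
# then review it, move it into place and follow the text:
#   chown root:root /etc/inetd.conf && chmod 600 /etc/inetd.conf
#   killall -HUP inetd
#   chattr +i /etc/inetd.conf
```

With the constructed file only the internal time service survives, which is what you want to see before sending inetd the HUP signal.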
7. TCP_WRAPPERS
By default Red Hat Linux accepts all requests; use tcp_wrappers to tighten access to your site.
Put
ALL: ALL
in /etc/hosts.deny to refuse everything, then list the explicitly permitted clients in /etc/hosts.allow, for example:
sshd: 192.168.1.10/255.255.255.0 gate.openarch.com
The intent is that the address 192.168.1.10 and the host gate.openarch.com may connect over ssh. Be careful with the first pattern: tcp_wrappers treats n.n.n.n/m.m.m.m as a net/mask pair and matches a client when (client address AND mask) equals the net part exactly as written. 192.168.1.10 is a host address, not a network address, so this pattern never matches anything. Write 192.168.1.10 on its own to permit just that host, or 192.168.1.0/255.255.255.0 to permit the whole subnet.
After the configuration is complete, check it with tcpdchk:
[root@deep]# tcpdchk
tcpdchk is the tcp_wrappers configuration checker:
it reads your tcp_wrappers configuration and reports all potential and actual problems it can detect.
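To make the evaluation order and the net/mask rule concrete, here is a small emulation of the tcpd decision, added as an example and not part of the original article or of tcp_wrappers itself. It applies the documented rules: the first matching line in hosts.allow grants access, otherwise the first matching line in hosts.deny refuses it, otherwise access is granted. Only four pattern forms are implemented (ALL, an exact host name or address, a leading-dot domain suffix, and net/mask); the real tcpd supports more. The rule files are constructed, with the hosts.allow line corrected to a network address.

```shell
#!/bin/sh
# Added example: emulate hosts.allow / hosts.deny evaluation.
# HOSTS_ALLOW and HOSTS_DENY are constructed rule files.

HOSTS_ALLOW='sshd: 192.168.1.0/255.255.255.0 gate.openarch.com
in.ftpd: .mydomain.com'
HOSTS_DENY='ALL: ALL'

# tcpd_decide SERVICE CLIENT_ADDR CLIENT_NAME ALLOW_TEXT DENY_TEXT
# Prints "allow" or "deny".
tcpd_decide() {
    svc="$1"; addr="$2"; name="$3"
    {
        printf '%s\n' "$4" | sed 's/^/allow /'
        printf '%s\n' "$5" | sed 's/^/deny /'
    } | awk -v svc="$svc" -v addr="$addr" -v name="$name" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # (n AND mask) for a contiguous mask, without needing a bitwise operator
    function masked(n, m) { return n - (n % (4294967296 - m)) }
    function host_match(pat,  p) {
        if (pat == "ALL") return 1
        if (index(pat, "/")) {                    # net/mask: compare against net as written
            split(pat, p, "/")
            return masked(ip2n(addr), ip2n(p[2])) == ip2n(p[1])
        }
        if (substr(pat, 1, 1) == ".")             # .domain suffix
            return substr(name, length(name) - length(pat) + 1) == pat
        return pat == addr || pat == name          # exact address or host name
    }
    function svc_match(pat,  n, i, s) {
        if (pat == "ALL") return 1
        n = split(pat, s, ",")
        for (i = 1; i <= n; i++) if (s[i] == svc) return 1
        return 0
    }
    {
        table = $1                                 # "allow" or "deny" prefix added above
        line = substr($0, length(table) + 2)
        sub(/#.*/, "", line)
        if (split(line, f, ":") < 2) next
        gsub(/^ +| +$/, "", f[1])
        nh = split(f[2], hosts, " ")
        if (!svc_match(f[1])) next
        for (i = 1; i <= nh; i++)
            if (host_match(hosts[i])) { found = 1; print table; exit }
    }
    END { if (!found) print "allow" }'
}

echo "sshd from 192.168.1.10: $(tcpd_decide sshd 192.168.1.10 x.example.net "$HOSTS_ALLOW" "$HOSTS_DENY")"
echo "sshd from gate.openarch.com: $(tcpd_decide sshd 10.0.0.5 gate.openarch.com "$HOSTS_ALLOW" "$HOSTS_DENY")"
echo "sshd from elsewhere: $(tcpd_decide sshd 10.0.0.5 other.example.net "$HOSTS_ALLOW" "$HOSTS_DENY")"
echo "in.telnetd from 192.168.1.10: $(tcpd_decide in.telnetd 192.168.1.10 x.example.net "$HOSTS_ALLOW" "$HOSTS_DENY")"
echo "sshd from 192.168.1.10 with the pattern as written in the text: $(tcpd_decide sshd 192.168.1.10 x.example.net 'sshd: 192.168.1.10/255.255.255.0' "$HOSTS_DENY")"
```

The last line prints "deny": with 192.168.1.10/255.255.255.0 the masked client address 192.168.1.0 is compared with 192.168.1.10 and never equals it, so the host falls through to ALL: ALL in hosts.deny. The corrected rule files allow the subnet, gate.openarch.com and ftp from *.mydomain.com, and refuse everything else.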
8. The aliases file
Edit the aliases file, /etc/aliases (or /etc/mail/aliases), and delete or comment out the lines marked "remove or comment out" below:
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
# games: root         -> remove or comment out
# ingres: root        -> remove or comment out
nobody: root
# system: root        -> remove or comment out
# toor: root          -> remove or comment out
# uucp: root          -> remove or comment out
# Well-known aliases.
# manager: root       -> remove or comment out
# dumper: root        -> remove or comment out
# operator: root      -> remove or comment out
# Trap decode to catch security attacks
# decode: root
# Person who should get root's mail
# root: marc
After editing, do not forget to run /usr/bin/newaliases for the change to take effect.
9. Stop the system from answering ping requests, external or internal.
If nobody can ping your machine and get a reply, it disappears from simple ping sweeps (it is still visible to a port scan, so this hides rather than protects). Add the following command to /etc/rc.d/rc.local so that it runs at every boot, since a value written to /proc does not survive a reboot:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
10. Do not display operating system and version information.
If you want people to be able to log in remotely without seeing the operating system and version, change
the telnet line in /etc/inetd.conf to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
The -h flag at the end stops the telnet daemon from printing system information; it shows only the login: prompt.
11. The /etc/host.conf file
Edit /etc/host.conf (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP aliasing).
multi off
# Check for IP address spoofing.
nospoof on
With nospoof on, the resolver checks that the host name obtained by a reverse lookup resolves back to the same address, and rejects the result if it does not. IP spoofing is an attack that works by tricking computers in a trust relationship into believing that you are someone you are not.
12. The /etc/securetty file
This file lists the tty devices on which root is allowed to log in; it is read by /bin/login.
The format is one permitted device name per line. For example, edit /etc/securetty and comment out lines as follows:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
This permits root to log in only on the tty1 console. (Remote logins over ssh are governed by sshd's own configuration, not by this file.)
13. Special accounts
Remove all the default accounts that the operating system creates but that you do not need. Do this check when the system is first installed. Linux ships with a variety of accounts, many of which you will not use; if an account is not needed, remove it. The more accounts there are, the more ways in an attacker has. Before deleting an account, check that no files or running services still depend on it (for example with find / -user name).
To delete a user from your system, run:
[root@deep]# userdel username
To delete a group from your system, run:
[root@deep]# groupdel groupname
Run the following commands at the terminal to delete these users:
[root@deep]# userdel adm
[root@deep]# userdel lp
[root@deep]# userdel sync
[root@deep]# userdel shutdown
[root@deep]# userdel halt
[root@deep]# userdel mail
If you do not need the sendmail server, pr