Linux Server Security Configuration

Source: Internet
Author: User
Tags: chmod, ssh

1. No ping

Add to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The persistent equivalent is the line net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf. This only silences ICMP echo replies: it does not hide the host from a TCP or UDP port scan, and it breaks ping-based monitoring of the server.

2. Permissions control of user and password files
chmod 644 /etc/passwd
chmod 600 /etc/shadow
chmod 644 /etc/group
chmod 600 /etc/gshadow
/etc/passwd and /etc/group must stay world-readable (644): id, ls -l, login and most daemons resolve user and group names through them, and a 600 mode breaks them for every non-root user. Only the shadow files hold password hashes and must not be readable by others.
3. Add the immutable attribute to the same files
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
While the flag is set, useradd, usermod, passwd and groupadd fail with "Operation not permitted"; run chattr -i on the files before any account change and chattr +i afterwards. lsattr shows whether the flag is in place.
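The following POSIX shell script is an added example, not part of the original checklist: it verifies that the four account files carry the modes given in steps 2 and 3 and wraps an account command in chattr -i / chattr +i so the immutable flag does not break it. The file list and modes are the ones stated above; the --check, --apply and --unlocked flags and the function names are this example's own. It uses GNU stat and chattr as found on Red Hat-style systems.

```sh
#!/bin/sh
# Added example, not from the original checklist: audit the modes expected by steps 2
# and 3 and lift the immutable flag around account changes.

# /etc/passwd and /etc/group stay world-readable (644); only the shadow files are 600.
EXPECTED_MODES="/etc/passwd 644 /etc/group 644 /etc/shadow 600 /etc/gshadow 600"
ACCOUNT_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow"

# mode_ok FILE MODE: exit 0 if FILE has exactly the octal mode MODE; otherwise print
# the mismatch and exit 1. Uses GNU stat.
mode_ok() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 1; }
    if [ "$actual" != "$2" ]; then
        echo "$1: mode $actual, expected $2"
        return 1
    fi
    return 0
}

# check_modes FILE MODE [FILE MODE ...]: check every pair; exit 0 only if all match.
check_modes() {
    rc=0
    while [ $# -ge 2 ]; do
        mode_ok "$1" "$2" || rc=1
        shift 2
    done
    return $rc
}

# run_unlocked CMD [ARGS...]: chattr +i makes useradd/passwd/groupadd fail with
# "Operation not permitted", so drop the flag, run CMD, then set it again.
# Needs root and a filesystem that supports chattr (ext2/3/4).
run_unlocked() {
    chattr -i $ACCOUNT_FILES || return 1
    "$@"
    rc=$?
    chattr +i $ACCOUNT_FILES
    return $rc
}

case "${1:-}" in
    --check) check_modes $EXPECTED_MODES && echo "account file modes OK" ;;
    --apply)
        set -- $EXPECTED_MODES
        while [ $# -ge 2 ]; do chmod "$2" "$1"; shift 2; done
        chattr +i $ACCOUNT_FILES
        ;;
    --unlocked) shift; run_unlocked "$@" ;;   # e.g. --unlocked useradd -m alice
esac
```

Run it with --check from cron or a configuration audit to catch drift; run account changes through --unlocked instead of removing the flag by hand and forgetting to restore it.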
4. Access control for vsftpd (tcp_wrappers)
vi /etc/hosts.deny
vsftpd: ALL    -- first deny all vsftpd requests
vi /etc/hosts.allow
vsftpd: 192.168.2.1    -- then allow vsftpd requests from the intranet host
hosts.allow is consulted first and wins; hosts.deny is only checked when no allow rule matches, and a connection that matches neither file is allowed. vsftpd honours these files only when it was built with tcp_wrappers support and tcp_wrappers=YES is set in vsftpd.conf, or when it is started through xinetd.
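To see how the two rules in step 4 combine before trusting them, here is an added example (not part of the original checklist): a small POSIX shell simulator of the tcp_wrappers decision order. It handles the daemon list, ALL, exact client addresses and the trailing-dot network prefix form (192.168.2.); the EXCEPT operator, netmasks and hostnames are deliberately not modelled, and the function names and file paths passed to it are this example's own.

```sh
#!/bin/sh
# Added example, not from the original checklist: a simplified tcp_wrappers decision
# simulator for hosts.allow/hosts.deny rules such as those in step 4.
# Models: daemon lists, ALL, exact client addresses, trailing-dot network prefixes.
# Not modelled: EXCEPT, netmask and hostname patterns.

# rule_matches FILE DAEMON CLIENT: exit 0 if any "daemon_list : client_list" rule in
# FILE matches DAEMON and CLIENT.
rule_matches() {
    [ -r "$1" ] || return 1
    awk -v d="$2" -v c="$3" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        {
            if (split($0, f, ":") < 2) next
            gsub(/,/, " ", f[1]); gsub(/,/, " ", f[2])
            dm = 0
            nd = split(f[1], ds, " ")
            for (i = 1; i <= nd; i++) if (ds[i] == "ALL" || ds[i] == d) dm = 1
            if (!dm) next
            nc = split(f[2], cs, " ")
            for (i = 1; i <= nc; i++) {
                p = cs[i]
                if (p == "ALL" || p == c) found = 1
                else if (p ~ /\.$/ && index(c, p) == 1) found = 1   # 192.168.2. prefix
            }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# wrappers_decision ALLOW_FILE DENY_FILE DAEMON CLIENT: prints allow or deny using the
# tcp_wrappers order: hosts.allow first, then hosts.deny, and allow if neither matches.
wrappers_decision() {
    if rule_matches "$1" "$3" "$4"; then echo allow
    elif rule_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# e.g.: sh wrappers-check.sh vsftpd 10.0.0.5   -> evaluates the live /etc files
if [ $# -eq 2 ]; then
    wrappers_decision /etc/hosts.allow /etc/hosts.deny "$1" "$2"
fi
```

The third branch is the one that bites: a daemon with no rule in either file is allowed, so "deny all" in hosts.deny must name ALL daemons (ALL: ALL), not just vsftpd, if the intent is a default-deny host.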
5. Turn off unwanted ports; leave only the regular ones open (21, 22, 80, 443)
service portmap stop
chkconfig --level 12345 portmap off    -- closes port 111
netstat -nap | grep 32768
killall rpc.statd    -- closes port 32768 (the NFS lock status daemon; its port is assigned dynamically, 32768 is the usual value)
netstat -nap | grep 631
killall cupsd    -- closes port 631 (CUPS printing)
service sendmail stop
chkconfig --level 12345 sendmail off    -- closes port 25
killall only closes a port until the next boot; disable the service with chkconfig as well (chkconfig cups off, chkconfig nfslock off), then confirm with netstat -ltun that nothing outside the allowed list is still listening.
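The confirmation step for step 5, as an added example that is not part of the original checklist: a POSIX shell function that reads ss -Hltun or netstat -ltun output and prints every listening port that is not in the allowlist. The allowlist is the one given above (21, 22, 80, 443); the sample listing embedded in the script is constructed, not captured from a real host, and the --demo and --live flags are this example's own.

```sh
#!/bin/sh
# Added example, not from the original checklist: list listening ports outside the
# allowlist of step 5. Reads `ss -Hltun` or `netstat -ltun` output on stdin, so it also
# works on a listing captured from another host.

ALLOWED_PORTS="21 22 80 443"

# unexpected_ports "PORT PORT ...": print each listening TCP/UDP port on stdin that is
# not in the allowlist, numerically sorted, one per line.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            # netstat: field 2 is Recv-Q (a number) and the local address is field 4;
            # ss -H: field 2 is the state and the local address is field 5
            addr = ($2 ~ /^[0-9]+$/) ? $4 : $5
            m = split(addr, p, ":")   # the port follows the last colon, also for [::]:80 and :::25
            port = p[m]
            if (port ~ /^[0-9]+$/ && !(port in ok)) print port
        }' | sort -un
}

# ports_ok "PORT PORT ...": exit 0 when nothing outside the allowlist is listening.
ports_ok() {
    [ -z "$(unexpected_ports "$1")" ]
}

# Constructed sample in `ss -Hltun` format (not captured from a real host) for a dry run.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111   0.0.0.0:*
tcp   LISTEN 0 128 [::]:80       [::]:*'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_SS" | unexpected_ports "$ALLOWED_PORTS" ;;
    --live) { ss -Hltun 2>/dev/null || netstat -ltun 2>/dev/null; } | unexpected_ports "$ALLOWED_PORTS" ;;
esac
```

On the constructed sample the script reports 111 and 631, the two ports the step above closes. Run it with --live after the chkconfig changes and again after a reboot; a port that comes back is a service that was killed but not disabled.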
6. Apache security settings (back up httpd.conf first)
vi /etc/httpd/httpd.conf
ServerSignature Off
ServerTokens Prod    -- hides the Apache version number and module details from the Server header and from server-generated error pages

Options -ExecCGI -FollowSymLinks -Includes -Indexes    -- turns off CGI execution, following of symbolic links, server-side includes and directory listing

Change UserDir public_html to UserDir disabled
#ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
Comment out the Alias for the Apache manual (/manual)
Run apachectl configtest before restarting httpd so a typo does not take the site down.
7. vi /etc/profile
HISTFILESIZE=30
HISTSIZE=30    -- each user's .bash_history keeps only the last 30 commands
TMOUT=600      -- an idle shell is logged out after 10 minutes; add readonly TMOUT, otherwise a user can simply unset it
vi /etc/skel/.bash_logout
rm -f $HOME/.bash_history    -- the .bash_history file is deleted each time the user logs out. /etc/skel only affects accounts created afterwards, and deleting history also destroys evidence you will want during an incident; if command accountability matters, ship history or auditd records off the host rather than removing them.
vi /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
/sbin/init q    -- makes init re-read inittab so the change takes effect
8. Delete unneeded accounts and groups
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel mail
userdel news
userdel uucp
userdel operator
userdel games
userdel ftp
groupdel adm
groupdel lp
groupdel mail
groupdel news
groupdel uucp
groupdel games
Before deleting, confirm that nothing depends on the account: mail is used by sendmail and postfix, ftp by vsftpd for anonymous logins, and lp by CUPS. Remove the immutable flag from the account files first (step 3), or userdel fails. Locking the account instead (usermod -L -s /sbin/nologin) keeps ownership of its existing files intact.
==================================================================================================
Your web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections.
Servers that support them are exposed to cross-site tracing (XST), a cross-site-scripting variant: a script makes the victim's browser send a TRACE request, and the server echoes the full request back, including cookies flagged HttpOnly and Authorization headers.
An attacker can exploit this to steal those credentials from legitimate users.
Solution: disable these methods.
If you are using Apache, add the following to each virtual host's configuration (mod_rewrite must be loaded):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
On Apache 2.0.55 and later, TraceEnable off in the main server configuration disables TRACE for every virtual host without mod_rewrite. TRACK is an IIS method that Apache does not implement, so the TRACK branch of the rule is harmless. Verify with curl -i -X TRACE http://host/ and expect a 403 or 405 response.
===================================================================================================
Here is a quick way to modify the banners of these services. This is obscurity only: fingerprinting tools identify the real software from protocol behaviour regardless of the banner, so it complements patching and does not replace it.
Apache
To replace the banner completely, edit src/include/httpd.h before building:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.27"
Rebuild; the new Apache binary reports whatever you put there.
wu-ftpd
Open /usr/sbin/in.ftpd in a hex editor and find these strings:
/var/log/lastlog
Could not write %.100s: %.100s
Version wu-2.6.1-16
Change the version string to something like
Microsoft FTP Service (Version 5.0)
or
Serv-U FTP Server v4.0 for WinSock ready...
The replacement must fit within the length of the original string (pad with NUL bytes if it is shorter); a longer string overwrites whatever follows it in the binary and corrupts the program.
Telnet banner
Edit /etc/issue.net and find lines similar to these (they differ between Linux versions):
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m
Change them to
Microsoft Windows Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99206.1
Because /etc/issue.net is regenerated at every boot by /etc/rc.d/rc.local on Red Hat, edit that file and put a # in front of these lines to disable the regeneration:
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
Apache
Before installing Apache from source, locate httpd.h in the src/include directory of the source tree. It defines the version information compiled into the server. Find these lines:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.20"
They can be changed to anything you like; the author changed them to Microsoft-IIS/5.0.
SSH
Edit /etc/ssh/sshd_config and find the line
Banner /etc/issue.net
Put a # in front of it to disable the pre-authentication SSH banner. The protocol identification string (SSH-2.0-OpenSSH_x.y) is sent regardless and is not affected by this setting.
Sendmail
Remove the $v and $z macros from the greeting in /etc/mail/sendmail.mc and add:
define(`confSMTP_LOGIN_MSG', `$j Sendmail secure/rabid; $b')dnl
Then generate sendmail.cf:
# m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
If sendmail.mc does not contain the line include(`/usr/share/sendmail-cf/m4/cf.m4'), pass the cf.m4 that sendmail ships in front of it:
# m4 /usr/share/sendmail-cf/m4/cf.m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
PHP
vi php.ini
expose_php = Off    -- removes the X-Powered-By: PHP/x.y.z response header; restart httpd afterwards
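A way to verify the HTTP-facing changes above (ServerTokens Prod and ServerSignature Off in section 6, the TRACE/TRACK block, the Apache banner edits and expose_php = Off), as an added example that is not part of the original checklist: a POSIX shell script that audits captured response headers offline. The two sample responses embedded in it are constructed, not captured from a real host, and the function names and the --demo/--live flags are this example's own.

```sh
#!/bin/sh
# Added example, not from the original checklist: offline audit of captured HTTP response
# headers against the Apache, TRACE/TRACK and PHP hardening above.
# Feed it the output of `curl -sI http://host/` or `curl -si -X TRACE http://host/`.

# audit_banner_headers: read response headers on stdin, print one finding per line.
# A hardened server shows "Server: Apache" with no version and no X-Powered-By header.
audit_banner_headers() {
    tr -d '\r' | awk '
        tolower($1) == "server:" {
            banner = substr($0, index($0, ":") + 1); sub(/^ +/, "", banner)
            if (banner ~ /[0-9]+\.[0-9]+/) print "Server header leaks a version: " banner
            if (banner ~ /\(/)             print "Server header leaks OS or module details: " banner
        }
        tolower($1) == "x-powered-by:" { print "X-Powered-By present (set expose_php = Off): " $0 }
    '
}

# trace_enabled: read the response to a TRACE request on stdin; exit 0 if TRACE is still
# enabled (200 status, or TRACE/TRACK listed in an Allow: header), exit 1 otherwise.
trace_enabled() {
    tr -d '\r' | awk '
        NR == 1 && $1 ~ /^HTTP\// && $2 == "200" { hit = 1 }
        tolower($1) == "allow:" && toupper($0) ~ /TRACE|TRACK/ { hit = 1 }
        END { if (hit) exit 0; exit 1 }
    '
}

# Constructed sample responses (not captured from a real host) for a dry run.
SAMPLE_LEAKY='HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Type: text/html'
SAMPLE_HARDENED='HTTP/1.1 405 Method Not Allowed
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html'

case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_LEAKY" | audit_banner_headers
        printf '%s\n' "$SAMPLE_LEAKY" | trace_enabled && echo "TRACE enabled in leaky sample"
        printf '%s\n' "$SAMPLE_HARDENED" | trace_enabled || echo "TRACE disabled in hardened sample" ;;
    --live)   # sh http-audit.sh --live http://host/
        curl -sI "$2" | audit_banner_headers
        curl -si -X TRACE "$2" | trace_enabled && echo "TRACE still enabled on $2" ;;
esac
```

On the leaky sample the audit reports three findings (version, OS detail, X-Powered-By) and TRACE enabled; on the hardened sample it reports nothing and TRACE disabled. The Allow check matters because some servers answer TRACE with 405 from one handler while another path still advertises it.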
