Linux System Deployment Specification v1.0

2. Linux System Deployment Specification v1.0
4. Objective:
6. 1, to minimize the operation of the line;
8. 2, as far as possible to achieve automated deployment;
10. 3, as far as possible to reduce installation services and start-up services;
12. 4, the use of security protocols as far as possible to provide services;
14. 5, as far as possible to make business systems single;
16. 6, as far as possible to monitor all the information can be monitored;
18. 7, as far as possible to control all controllable security policies;
20. 8. Update patches to patch bugs as regularly as possible;
24. Specific specifications:
26. A, account and password
28. Account:
30. 1. For each system maintenance personnel to establish a separate general rights account, for monitoring machine to establish a monitoring account, respectively, for daily system maintenance and system monitoring;
32. 2. FTP server configuration virtual account;
34. 3. Except the root account, the system maintenance personnel account and the monitoring machine account for all accounts outside the use of shell permissions;
36. 4. Lock all accounts that are automatically created when the system is installed;
38. Password:
40. 1. Strength: 15 or more; Contains letters (uppercase and lowercase letters), numbers and special symbols; English words are not allowed;
42. 2. Change frequency: 120 days;
44. 3. Recommended way to choose a password: Come up with a sentence, with each word of the first letter and its inclusion, and replace the letter with its similar numbers or symbols to generate a password, but according to the first rule;
48. B, program deployment
50. 1, before deployment pay attention to check whether there are conflicting business ports and programs;
52. 2, the use of automated installation scripts deployed to the Convention directory;
54. 3. Delete temporary files and information files with confidentiality restrictions after deployment;
56. 4, the command operation should not be directly with the password operation, such as: mysql–uroot–p123456
58. 5, after the completion of service deployment, it is easy not to change the system environment, so as not to cause business failure;
62. C, System optimization
64. Adjust the following kernel parameters to improve the system's ability to prevent IP spoofing and Dos attacks:
66. Example:
68. Net.ipv4.ip_forward = 0 # for LVS, gateways or VPN servers, to be set to 1
70. Net.ipv4.tcp_syncookies = 1
72. Net.ipv4.conf.all.accept_source_route = 0
74. net.ipv4.conf.all.accept_redirects = 0
76. Net.ipv4.conf.all.rp_filter = 1 # for LVS back-end servers, set to 0
78. Net.ipv4.icmp_echo_ignore_broadcasts = 1
80. net.ipv4.icmp_ignore_bogus_error_responses = 1
82. Net.ipv4.conf.all.log_martians = 1
84. KERNEL.SYSRQ = 0
86. Kernel.core_uses_pid = 1
90. D. Service Optimization and security
92. 1, the specific performance optimization, according to the hardware , the general need to modify less, depending on the circumstances;
94. 2. Service Security
96. For reference only:
98. Apache
100. 1, hidden version number
102. Servertokens productonly
104. Serversignature OFF
106. Or
108. Servertokens Prod
110. Serversignature OFF
114. 2. Disable Symbolic Links
116. 3. Run nobody with a specific user
118. 4, specify the listening port and IP (if no multi-IP service required)
120. 5. root directory Permissions
122. 6. Mod_security is an open source Web Application Security program (or Web application firewall) that integrates intrusion detection and defense engine functionality. It runs as a module of the Apache Web server, and the goal is to enhance the security of the Web application. Prevent Web applications from being exposed to known or unknown attacks.
124. 7, Mod_evasive is an Apache (httpd) server anti-DDoS module
126. 8, Mod_cband module, can limit the user and virtual host bandwidth. Includes: bandwidth limit, maximum download speed, Access request speed per second, and maximum number of concurrent access IP connections
130. Php
132. 1, hidden version number
134. 2. Prohibit remote file function
136. 3. Improve program Security
138. 4, does not display the error message, needs to check the wrong turn on
140. 5. Prohibit global variables (subject to availability)
142. Sed-i ' s/expose_php = on/expose_php = Off/g '/home/system/php/lib/php.ini
144. Sed-i ' S/allow_url_fopen = On/allow_url_fopen = Off/g '/home/system/php/lib/php.ini
146. Sed-i ' S/MAGIC_QUOTES_GPC = OFF/MAGIC_QUOTES_GPC = On/g '/home/system/php/lib/php.ini
148. Sed-i ' s/display_errors = on/display_errors = Off/g '/home/system/php/lib/php.ini
150. Sed-i ' s/register_globals= on/register_globals= off/g '/home/system/php/lib/php.ini
152. 5, Php-ids
154. 6. Strengthen PHP scripting language security with Suhosin
158. Mysql
160. 1. Modify the root user password to remove the empty password
162. 2. Delete the default test database
164. 3. Run MSYQL with an independent user
166. 4. Disable remote connection to the database (turn on specific IP as required)
168. 5. Limit the number of connected users
170. 6, strict control of user rights: To give users only the minimum required to complete their work, prohibit the grant process, SUPER, FILE permissions to non-administrative accounts;
172. 7, prohibit the MySQL data directory to grant Read and write permissions to the MySQL user outside the OS user;
174. E, System security
176. Security measures for reference only, because the basic software implementation of only a small number of attacks effective, encountered a lot of attacks by the hardware firewall processing.
178. Security measures for the CentOS system
180. 1. Open Iptables
182. Limit port scanning;
184. Open the appropriate port for the business;
186. Restricted port access for source IP restrictions;
188. 2. Install Ossec-hids Intrusion Detection Program
190. Ossec is an open-source intrusion detection system, including log analysis, comprehensive detection, rook-kit detection.
192. 3. Protection against attacks
194. Protection against a small number of Syn-flood attacks
196. echo "1″>/proc/sys/net/ipv4/tcp_syn_retries
198. echo "1″>/proc/sys/net/ipv4/tcp_synack_retries
200. echo "1″>/proc/sys/net/ipv4/tcp_syncookies
202. echo "4096″>/proc/sys/net/ipv4/tcp_max_syn_backlog
204. Protection against a small number of DDoS attacks
206. The first method:
208. Installation
210. wget http://www.inetbase.com/scripts/ddos/install.sh
212. Chmod 0700 install.sh
214. ./install.sh
218. Uninstallation
220. wget Http://www.inetbase.com/scripts/ddos/uninstall.ddos
222. Chmod 0700 Uninstall.ddos
224. ./uninstall.ddos
228. The second method:
230. [Email protected]]# cat ddos.sh
232. #!/bin/bash
234. /bin/netstat-na|grep Established|awk ' {print $ $} ' |awk-f: ' {print '} ' |sort|uniq-c|sort-rn|head-10|grep-v-e ' 192.168 |127.0′|awk ' {if ($2!=null && $1>4) {print $}} ' >/tmp/dropip
236. For I in $ (CAT/TMP/DROPIP)
238. Do
240. /sbin/iptables-i input-s $i-j DROP
242. /sbin/iptables-d input-s 122.228.193.245-j DROP
244. echo "$i kill at ' Date '" >>/var/log/ddos
246. Done
248. [Email protected] ddos]#
252. Protection against ARP attacks
254. Binding to Ip+mac on a hardware device
256. To the computer room to do two-way binding (pay)
258. Protection against CC attacks
260. Limit the number of connections per unit of time:
264. Protection for Windows Server
266. (1), install [Symantec Terminal Protection 12. Small Business Edition]. Endpoint_12, the virus and port scanning and other protection;
268. (2), open firewall, IPSec.
272. F. Security audits
276. Frequency of Audit object tools
278. Linux system nmap 1 months
280. Nessus 3 months
282. Password file John the Ripper 3 months
284. Web Business Nikto 1 months
286. AppScan 1 months
288. Zed Attack Proxy 1 months
290. Skipfish 1 months
292. Note: Newly installed servers must undergo security audits before they are allowed into the product environment;
294. After the new application is released, security audits must be conducted immediately;
298. G, monitoring and alerting
300. 1, using Nagios for different hardware and different services to monitor, to give the corresponding thresholds, to provide alarm;
302. 2, using cacti to generate performance charts for system history data, easy to troubleshoot and prevent;
306. Summarize:
308. The above specifications are limited to understand the implementation of the system deployment needs to be noted, can be understood as, installation deployment, performance security, fault alarm and other stages of the work content, each need to be specific implementation of the operation, although not strictly according to the document description of an item completed, but must be in each phase of the corresponding treatment to ensure that the business system

Http://www.brentron.com/xitong/linux/6344.html