First make sure that all the software on the Linux system you are using is updated to the latest version.
The vulnerabilities typically reported on a Linux system are roughly the following:
root user login, OpenSSL, CA certificates, GRUB password, SMB passwords that never expire, files with no owner or group, files with 777 permissions, software versions badly out of date, TCP timestamps, open database access, ICMP redirects, IP forwarding,
default umask settings, and weak disk partition mount options.
1. Root login at the terminal
sed -i '/^tty[0-9]$/d' /etc/securetty
sed -i '/^vc\/[0-9]$/d' /etc/securetty
(This removes the tty0 to tty9 and vc/0 to vc/9 entries from /etc/securetty, so root can no longer log in directly on those consoles.)
2. Root login over SSH
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin without-password/PermitRootLogin no/' /etc/ssh/sshd_config
Restart sshd afterwards for the change to take effect, and confirm it with: grep -i '^PermitRootLogin' /etc/ssh/sshd_config
3. ICMP redirection problem
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
4. Open access to the database
Use iptables to restrict which hosts may reach the database port. For trusted-host access, do not use % as the host part of a database user account, because % matches every host; specify the trusted host name or address instead.
5. SSL certificates and protocols
Use a certificate with a key of at least 2048 bits, and do not use a wildcard (generic) domain certificate.
The subject's common name (CN) field in the certificate should be fixed to reflect the name of the entity presenting the certificate (e.g. the hostname). This is done by generating a new certificate, usually signed by a certification authority (CA) trusted by both the client and the server.
Configure the server to require clients to use TLS version 1.2 with authenticated encryption with associated data (AEAD) capable ciphers.
There is no server-side mitigation available against the BEAST attack. The only option is to disable the affected protocols (SSLv3 and TLS 1.0). The only fully safe configuration is to use authenticated encryption with associated data (AEAD), e.g. AES-GCM or AES-CCM in TLS 1.2.
Send the X-Frame-Options HTTP response header; it instructs the browser to refuse framing of the page where framing is not allowed.
Configure the server to disable support for the 3DES cipher suites.
6. TCP timestamp responses
net.ipv4.tcp_timestamps = 0
7. IP Source Routing
The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host does not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.
Disable IP source routing
For Linux systems, ensure the following sysctl value is set:
net.ipv4.conf.all.accept_source_route = 0
It is also advised that packet forwarding be disabled, unless there is a legitimate reason not to, by setting the following sysctl values:
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_guide/sect-security_guide-server_security-disable-source-routing.html
8. Set the GRUB password
Enable GRUB password
Configuration remediation steps
Set a password in the GRUB configuration file. This is often located in one of several locations, but can be anywhere:
/etc/grub.conf
/boot/grub/grub.conf
/boot/grub/grub.cfg
/boot/grub/menu.lst
For all files mentioned above, ensure a password is set or that the file does not exist.
To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:
password <password>
To set an encrypted password, run grub-md5-crypt and use its output when adding the following line before the first uncommented line:
password --md5 <encryptedpassword>
For either approach, choose an appropriately strong password.
Note that the password and password --md5 directives belong to GRUB Legacy (grub.conf, menu.lst). /boot/grub/grub.cfg is a generated GRUB 2 file and must not be edited by hand; GRUB 2 sets its password with set superusers and password_pbkdf2 in the /etc/grub.d scripts instead.
9. Mount disk partitions with the nodev option
Partition mounting weakness
Configuration remediation steps
The specific way to modify partition mount options varies from system to system. Consult your operating system's manual or the mount man page.
The following issues were discovered:
/boot partition does not have the 'nodev' option set.
/data partition does not have the 'nodev' option set.
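The nodev check above, carried out against /etc/fstab, as an added example that is not part of the original post. The fstab text below is constructed for illustration (placeholder UUIDs); the functions can be pointed at the real file with "$(cat /etc/fstab)".

```shell
# Added example: find fstab entries that lack nodev and show the corrected entry.
# SAMPLE_FSTAB is a constructed sample; the device identifiers are placeholders.
SAMPLE_FSTAB='# constructed sample fstab
UUID=ROOT-PLACEHOLDER  /         ext4   defaults               1 1
UUID=BOOT-PLACEHOLDER  /boot     ext4   defaults               1 2
UUID=DATA-PLACEHOLDER  /data     ext4   defaults,noatime       1 2
tmpfs                  /dev/shm  tmpfs  defaults,nodev,nosuid  0 0
UUID=SWAP-PLACEHOLDER  none      swap   sw                     0 0'

# has_nodev FSTAB MOUNTPOINT: exit 0 if that mount point's option list contains nodev.
has_nodev() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nodev") found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_nodev FSTAB: print every mount point without nodev, one per line.
# The root filesystem and swap are skipped: nodev on / would break /dev itself.
missing_nodev() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "/" || $3 == "swap" { next }
        { ok = 0; n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "nodev") ok = 1
          if (!ok) print $2 }'
}

# add_nodev FSTAB MOUNTPOINT: print the fstab with nodev appended to that entry's
# options (awk rebuilds the edited line with single spaces, so alignment is lost).
add_nodev() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        !/^[[:space:]]*#/ && NF >= 4 && $2 == mp { $4 = $4 ",nodev" } { print }'
}

missing_nodev "$SAMPLE_FSTAB"   # lists /boot and /data for the sample above
```

After changing the real /etc/fstab, the new option takes effect with mount -o remount <mountpoint>, which can be confirmed with findmnt or by reading /proc/mounts.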
10. General optimization of kernel parameters
Add the following to /etc/sysctl.conf and apply them with sysctl -p:
net.core.rmem_default = 2569600
net.core.rmem_max = 2569600
net.core.wmem_default = 2569600
net.core.wmem_max = 2569600
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_keepalive_time = 600
kernel.sem = 500 64000 200 256
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_forward = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
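A way to verify that the kernel parameters in section 10 are actually in effect, as an added example that is not part of the original post: compare a sysctl dump against the baseline and report each key that deviates. SAMPLE_CURRENT is a constructed dump of an unhardened host; BASELINE is a subset of the section 10 values.

```shell
# Added example: audit a `sysctl -a` style dump against the hardening baseline.
# SAMPLE_CURRENT is constructed for illustration (a host not yet hardened).
SAMPLE_CURRENT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
kernel.sysrq = 16'

# Subset of the section 10 baseline as key=value. Only keys whose value has no
# spaces are included, so the list can be word-split by the for loop below.
BASELINE='net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0
kernel.sysrq=0'

# lookup KEY DUMP: print KEY's value from DUMP ("key = value" lines); exact key
# match, so net.ipv4.conf.all.rp_filter never matches net.ipv4.conf.default.rp_filter.
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" -F'[[:space:]]*=[[:space:]]*' '$1 == k { print $2 }'
}

# audit_sysctl DUMP: print "key expected=X got=Y" for each deviating key;
# the return value is the number of deviations (0 means compliant).
audit_sysctl() {
    bad=0
    for entry in $BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        got=$(lookup "$key" "$1")
        if [ "$got" != "$want" ]; then
            printf '%s expected=%s got=%s\n' "$key" "$want" "${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Against the live kernel, run: audit_sysctl "$(sysctl -a 2>/dev/null)"
audit_sysctl "$SAMPLE_CURRENT" || echo "$? key(s) deviate from the baseline"
```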
iptables anti-attack rules
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT   (rate-limit new connections: a burst of 5, then 1 per second)
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT   (anti port scan)
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT   (prevent ping flood)
These ACCEPT rules only have an effect when a matching DROP rule (or a DROP chain policy) follows them, so that packets exceeding the limit are discarded. They are written for the FORWARD chain of a router; to protect the host itself, place the equivalent rules in the INPUT chain.