Article Title: RedHat Linux Security Settings Guide
1. Minimize the system: delete unnecessary software and disable unnecessary services.
# ntsysv
Only the services that should be started are listed below. It is recommended to disable every service that is not listed, and to enable any other service you need one at a time.
atd
crond
irqbalance
microcode_ctl
network
sshd
syslog
2. Delete the finger program as follows:
# rpm -e finger
3. BIOS Security Settings
4. Account Security Settings
Modify the /etc/login.defs file:
PASS_MAX_DAYS 120   # Password expiration period (days)
PASS_MIN_DAYS 0     # Minimum days between password changes
PASS_MIN_LEN 10     # Minimum password length
PASS_WARN_AGE 7     # Days of advance warning before expiration
Make sure that /etc/shadow is read-only for root.
Make sure that /etc/passwd is read/write for root.
Periodically check the strength of user passwords with a password-auditing tool.
5. /etc/exports
If you share files through NFS, you must configure the "/etc/exports" file to make the access restrictions as strict as possible. That is to say, do not use wildcards, do not allow write permission on the root directory, and try to give only read permission. Add the following to the /etc/exports file:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
We recommend that you do not use NFS.
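If NFS has to stay, the rules in item 5 can be checked mechanically. The following is an added example, not part of the original article: the function names audit_exports and sample_exports and the sample paths are made up for illustration. It also flags a space between the host and the option list, which makes the options apply to every host instead of the named one.

```shell
#!/bin/sh
# Added example: lint an exports file against the rules in item 5.
# Reads the file named in $1, or standard input when no file is given.
# Prints "<line>: <path>: <finding>" and returns 1 if anything is found.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        path = $1
        if (NF == 1) {                      # no client list at all
            print NR ": " path ": exported to every host"; bad = 1; next
        }
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\(/) {               # "host (opts)": opts bind to the world
                print NR ": " path ": " $i " is detached from its host and applies to all hosts"
                bad = 1; continue
            }
            host = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                host = substr($i, 1, p - 1)
                opts = substr($i, p + 1); sub(/\)$/, "", opts)
            }
            opts = "," opts ","
            if (host ~ /[*?]/)             { print NR ": " path ": wildcard client " host; bad = 1 }
            if (opts ~ /,rw,/)             { print NR ": " path ": " host " has write access (rw)"; bad = 1 }
            if (opts ~ /,no_root_squash,/) { print NR ": " path ": " host " keeps root (no_root_squash)"; bad = 1 }
        }
    }
    END { exit bad }' "${1:--}"
}

# Constructed sample input (hypothetical paths and hosts, not from a real system).
sample_exports() {
    cat <<'EOF'
# constructed /etc/exports sample
/srv/pub   host1.mydomain.com(ro,root_squash)
/srv/pub2  host2.mydomain.com (ro,root_squash)
/srv/data  *.mydomain.com(rw,no_root_squash)
/srv/open
EOF
}

sample_exports | audit_exports || echo "exports audit: findings reported above"
```

On a real host, run it as audit_exports /etc/exports and treat a non-zero exit status as a failed check.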
6. inetd.conf or xinetd.conf
If inetd.conf is used, it is recommended to comment out all programs starting with r, exec, etc.
7. TCP_Wrappers
Add the allowed services to /etc/hosts.allow and add the line "ALL: ALL" to /etc/hosts.deny.
8. /etc/aliases file
If the aliases file is managed incorrectly or carelessly, security risks may occur. Delete the line defining the "decode" alias from the aliases file.
Edit aliases and delete or comment out the following lines:
# games: root
# ingres: root
# system: root
# toor: root
# uucp: root
# manager: root
# dumper: root
# operator: root
# decode: root
Run /usr/bin/newaliases to reload.
9. Prevent unauthorized users from abusing sendmail.
Edit sendmail.cf and change
PrivacyOptions=authwarnings
to
PrivacyOptions=authwarnings,noexpn,novrfy
10. Do not respond to ping.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
11. Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
12. Delete unnecessary users and groups
Users to delete, such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, and gopher.
Groups to delete, such as adm, lp, news, uucp, games, dip, pppusers, popusers, and slipusers.
You can then set the immutable bit on the account files:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
13. Prevent anyone from using the su command to become the root user.
Edit the su file (vi /etc/pam.d/su) and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Add the users who are allowed to su to root to the wheel group:
usermod -G 10 username
14. Disable the Control + Alt + Delete key combination.
Edit the inittab file and comment out the following line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Run /sbin/init q to make the setting take effect.
15. Create hard copies of all important log files
If the server is important, you can print out ssh, mail, and boot information. Add a line to the /etc/syslog.conf file:
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
Run /etc/rc.d/init.d/syslog restart.
Or send the logs to another server for storage.
For example:
authpriv.* /var/log/secure
To send it to 192.168.0.2, you can modify it like this:
authpriv.* @192.168.0.2
16. Change the access permissions of the script files under the /etc/rc.d/init.d directory.
chmod -R 700 /etc/rc.d/init.d/*
Note: Modify the security settings with caution.
17. /etc/rc.d/rc.local
Comment out all irrelevant information in this file, so that no one can see any information about the host.
Delete issue and issue.net under /etc.
18. Programs with the s-bit set
Programs from which the s-bit can be removed include, but are not limited to:
Programs that are never used;
Programs that non-root users do not need to run;
Programs that are used occasionally, where you don't mind switching to root with the su command before running them.
find / -type f \( -perm -04000 -o -perm -02000 \) -print
chmod a-s program_name
19. View hidden files on the system
find / -name ".*" -print
20. Search for files and directories that anyone can write to
find / -type f \( -perm -2 -o -perm -20 \) -ls
find / -type d \( -perm -2 -o -perm -20 \) -ls
21. Search for files without an owner on the system.
find / -nouser -o -nogroup
22. Search for .rhosts files.
find /home -name ".rhosts"
If any are found, delete them.
23. Revoke or remove access to the system compilers.
Example: chmod 700 /usr/bin/gcc