1. Disable ping responses
Add the following line to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Permission control over the user and password files
chmod 600 /etc/passwd
chmod 600 /etc/shadow
chmod 600 /etc/group
chmod 600 /etc/gshadow
3. Set the immutable attribute on the following files
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
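As an added example that is not part of the original checklist, the following POSIX shell functions verify that the settings from sections 1 to 3 are in place: ICMP echo ignored, and the four account files at mode 600 with the immutable attribute. The root-directory argument and the function names are my own; stat and lsattr are the standard tools, and the immutable check is skipped where lsattr is missing or the filesystem has no attributes.

```shell
# Added example (not part of the original checklist): audit the state that
# sections 1 to 3 establish. ROOT (empty means /) is prefixed to the account
# file paths so the audit can be exercised against a scratch tree.

# Print the permission bits of FILE in octal (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when FILE has exactly the octal mode WANT (e.g. 600).
check_mode() {
    [ "$(file_mode "$1")" = "$2" ]
}

# Return 0 when an lsattr output line carries the immutable flag. The flag field
# is the first word, e.g. "----i---------e------- /etc/passwd"; lowercase i is
# immutable (uppercase I is a different flag, the indexed-directory one).
lsattr_line_immutable() {
    case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when FILE is immutable, 1 when not, 2 when lsattr is unavailable or
# the filesystem does not support attributes.
check_immutable() {
    line=$(lsattr -d "$1" 2>/dev/null) || return 2
    lsattr_line_immutable "$line"
}

# Return 0 when the sysctl file (default: the live kernel setting) reads 1.
check_icmp_ignored() {
    f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Audit the four account files below ROOT; print one line per check and return
# the number of failed checks (skipped immutable checks do not count).
audit_account_files() {
    root=$1; fails=0
    for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
        if check_mode "$root$f" 600; then echo "PASS mode 600 $root$f"
        else echo "FAIL mode $(file_mode "$root$f") $root$f"; fails=$((fails + 1)); fi
        rc=0; check_immutable "$root$f" || rc=$?
        case $rc in
            0) echo "PASS immutable $root$f" ;;
            1) echo "FAIL not immutable $root$f"; fails=$((fails + 1)) ;;
            *) echo "SKIP immutable (lsattr unavailable) $root$f" ;;
        esac
    done
    return "$fails"
}
```

Source the file and run `audit_account_files` (no argument for the live system) and `check_icmp_ignored`; a non-zero return from the audit is the number of checks that failed.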
4. Access control for vsftpd
vi /etc/hosts.deny
vsftpd: ALL -- first deny all vsftpd requests
vi /etc/hosts.allow
vsftpd: 192.168.2.1 -- then allow vsftpd requests from the intranet
5. Disable unused ports; only the common ports (21, 22, 80, 443) stay open
service portmap stop
chkconfig --level 35 portmap off -- disable port 111
netstat -nap | grep 32768
killall rpc.statd -- disable port 32768
netstat -nap | grep 631
killall cupsd -- disable port 631
service sendmail stop
chkconfig --level 12345 sendmail off -- disable port 25
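An added example, not from the original note: a shell filter that reads netstat -nap output (the format section 5 greps through) and reports every listening socket whose port is outside the 21/22/80/443 allowlist, so the result of the steps above can be checked in one pass rather than one grep per port. The sample netstat output is constructed and the function names are mine.

```shell
# Added example (not part of the original note): report listening sockets whose
# port is not on the section 5 allowlist, using the netstat -nap layout.

# Read netstat -nap output on stdin; print "PROTO PORT PID/PROGRAM" for every
# listening TCP socket and every bound UDP socket whose port is not in the
# space-separated allowlist ALLOWED. Established TCP connections are ignored.
unexpected_listeners() {
    awk -v allowed="$1" '
        function emit(proto, addr, prog,    port) {
            port = addr; sub(/.*:/, "", port)      # keep the text after the last colon
            if (!(port in ok)) print proto, port, prog
        }
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" { emit($1, $4, $7) }
        $1 ~ /^udp/                   { emit($1, $4, $6) }
    '
}

# Constructed sample in netstat -nap layout: sshd and httpd are expected;
# portmap (111), cupsd (631) and rpc.statd (32768) are the ones section 5 stops.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      701/cupsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      920/httpd
tcp        0      0 192.168.2.5:22          192.168.2.1:51234       ESTABLISHED 1021/sshd
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           655/rpc.statd
EOF
}

# Run against the live system; run as root so PID/Program name is filled in.
live_unexpected_listeners() {
    netstat -nap 2>/dev/null | unexpected_listeners "${1:-21 22 80 443}"
}
```

`sample_netstat | unexpected_listeners "21 22 80 443"` prints the three sockets that section 5 disables, one per line.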
6. Apache security settings (back up the httpd.conf configuration file first)
vi /etc/httpd.conf
ServerSignature Off
ServerTokens Prod -- hide the Apache version and other sensitive information
<Directory />
Options -ExecCGI -FollowSymLinks -Indexes -- disable CGI execution, following of symbolic links, and directory browsing
</Directory>
Change "UserDir public_html" to "UserDir disabled"
# ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
Comment out the manual alias as well
7. vi /etc/profile
HISTFILESIZE=30
HISTSIZE=30 -- each user's .bash_history file keeps only the last 30 commands
TMOUT=600 -- a user is logged out automatically after 10 minutes without activity
vi /etc/skel/.bash_logout
rm -f $HOME/.bash_history -- the .bash_history file is deleted every time a user logs out
vi /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Change to:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
/sbin/init q -- make the change take effect
8. Delete unnecessary accounts and groups
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel mail
userdel news
userdel uucp
userdel operator
userdel games
userdel ftp
groupdel adm
groupdel lp
groupdel mail
groupdel news
groupdel uucp
groupdel games
====================================================================
Your web server supports TRACE and/or TRACK. TRACE and TRACK are HTTP methods used to debug web server connections.
A server that supports these methods is exposed to a cross-site scripting variant; when combined with various browser defects it is known as Cross-Site Tracing (XST).
Attackers can exploit this to deceive legitimate users and obtain their personal information.
Solution: disable these methods.
If you are using Apache, add the following statements to the configuration of each virtual host:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
====================================================================
The following describes how to modify service banners.
Apache
To remove the banner completely, modify httpd.h (include/httpd.h in the source tree):
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.27"
Then recompile; the new build no longer identifies itself as Apache.
Wu-ftpd
Open the /usr/sbin/in.ftpd binary in a hexadecimal editor and find the following strings:
/var/log/lastlog
Could not write %.100s: %.100s
Version wu-2.6.1-16
Change them to
Microsoft FTP Service (Version 5.0)
or
Serv-U FTP Server v4.0 for WinSock ready...
Telnet banner
Edit the /etc/issue.net file and find a line similar to this one (the content differs between Linux versions):
Red Hat Linux release 8.0 (Psyche)
Kernel \r on an \m
Change it to
Microsoft Windows Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99206.1
Because issue.net is regenerated automatically at every reboot, to keep the forged information you need to edit /etc/rc.d/rc.local and put a "#" in front of the following lines to comment out the regeneration:
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
Apache
Before installing Apache, find the httpd.h header file in the src/include directory of the source tree. This file defines the Apache version information, which is compiled in during the build. Edit httpd.h and find the following lines:
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.3.20"
Change them to whatever information you need; the author changes them to Microsoft-IIS/5.0.
SSH
Edit the /etc/ssh/sshd_config file and find this line:
Banner /etc/issue.net
Put a # in front of this line to comment out the SSH banner.
Sendmail
Remove the $v and $Z macros from the sendmail.mc file and add the following line:
define(`confSMTP_LOGIN_MSG', `$j Sendmail Secure/Rabid; $b')
Then generate the sendmail.cf file:
# m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
If sendmail.mc does not contain include(`/usr/share/sendmail-cf/m4/cf.m4'), use the default configuration file cf.m4 together with it to generate sendmail.cf:
# m4 /usr/share/sendmail-cf/m4/cf.m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
PHP
vi php.ini
Set expose_php = Off