Senior Linux System Administrator network security experience (2)

Source: Internet
Author: User
Tags: ftp connection
About system files
  
Some key files in the system, such as passwd, passwd.old, passwd.-, shadow, shadow.-, inetd.conf, services and lilo.conf, can be protected against accidental modification and against viewing by ordinary users by changing their attributes. For example, change the mode of inetd.conf to 600:
  
# chmod 600 /etc/inetd.conf

Also make sure that the file's owner is root, then set it to unchangeable:
  
# chattr +i /etc/inetd.conf

In this way, any change to the file is prohibited. You may ask: can't I modify it myself? Of course you can: only root can clear the immutable flag, and once it is cleared the file can be modified again:
  
# chattr -i /etc/inetd.conf
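The commands above set the protection; the script below is an added example (not from the original article) that checks it afterwards: for each file it reports whether the mode and owner are what you expect and whether the immutable flag is present. It assumes GNU stat and the lsattr tool from e2fsprogs; reading these attributes needs no privilege, while setting them with chmod and chattr still needs root. The file list in the demo is taken from the article and some entries will simply be reported as missing on a system without inetd.

```sh
#!/bin/sh
# Added example, not from the original article: audit key files for the
# permission mode and owner the article recommends and report whether the
# immutable attribute is set.

# check_mode FILE MODE -> 0 if FILE's octal permission bits equal MODE (e.g. 600)
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ "$actual" = "$2" ]
}

# check_owner FILE USER -> 0 if FILE is owned by USER
check_owner() {
    actual=$(stat -c '%U' "$1" 2>/dev/null) || return 2
    [ "$actual" = "$2" ]
}

# is_immutable FILE -> 0 if lsattr shows the 'i' flag, 1 if not,
# 2 if lsattr is unavailable or the file system has no attribute support
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || return 2
    [ -n "$flags" ] || return 2
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# audit_files MODE OWNER FILE... -> one report line per file; returns the number
# of existing files whose mode is not MODE or whose owner is not OWNER
audit_files() {
    want_mode="$1"; want_owner="$2"; shift 2
    bad=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then printf '%s: missing\n' "$f"; continue; fi
        mode=ok; owner=ok
        check_mode "$f" "$want_mode" || mode=BAD
        check_owner "$f" "$want_owner" || owner=BAD
        [ "$mode" = ok ] && [ "$owner" = ok ] || bad=$((bad + 1))
        if is_immutable "$f"; then imm=yes; else imm=no; fi
        printf '%s: mode=%s owner=%s immutable=%s\n' "$f" "$mode" "$owner" "$imm"
    done
    return "$bad"
}

# Demo on the files the article names; the return value is the count to fix.
demo() { audit_files 600 root /etc/inetd.conf /etc/lilo.conf /etc/shadow; }
demo || echo "files needing attention: $?"
```

A non-zero return from audit_files is what you would act on (chmod, chown and chattr +i as the article shows); the immutable column is informational because a file on a file system without attribute support, or one you cannot open, is reported as "no".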
  
About user resources
  
Setting resource limits for all users on your system can prevent DoS attacks, for example by capping the maximum number of processes and the amount of memory. To restrict all users, edit /etc/security/limits.conf and add the following lines:
  
* hard core 0

* hard rss 5000

* hard nproc 20
  
You must also edit /etc/pam.d/login and check that it contains this line:
  
session required /lib/security/pam_limits.so
  
The lines above disable core files ("core 0"), limit the number of processes ("nproc"; 20 in the lines above) and limit memory use to 5 MB ("rss 5000", the value is in KB).
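The two files above only take effect together: limits.conf supplies the numbers and pam_limits.so applies them at login. The script below is an added example, not from the original article, that audits both from a given pair of paths, so it can be pointed at /etc/security/limits.conf and /etc/pam.d/login on a real host or, as in the demo, at constructed copies in a temporary directory. Only the "* hard core/rss/nproc" entries from the article are checked.

```sh
#!/bin/sh
# Added example, not from the original article: audit a limits.conf file and a
# PAM login file for the resource-limit settings the article recommends.

# limit_value FILE DOMAIN TYPE ITEM -> prints the value configured for that
# limit; returns 1 if no matching non-comment line exists
limit_value() {
    awk -v d="$2" -v t="$3" -v i="$4" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == d && $2 == t && $3 == i { print $4; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# has_pam_limits FILE -> 0 if an active "session required/requisite ... pam_limits.so" line exists
has_pam_limits() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|requisite)[[:space:]].*pam_limits\.so' "$1"
}

# audit_limits LIMITS_FILE PAM_FILE -> 0 if the three hard limits from the
# article are set for "*" and pam_limits is loaded; prints what is missing
audit_limits() {
    rc=0
    for item in core rss nproc; do
        if v=$(limit_value "$1" '*' hard "$item"); then
            echo "* hard $item = $v"
        else
            echo "missing: * hard $item in $1"; rc=1
        fi
    done
    if has_pam_limits "$2"; then
        echo "pam_limits.so is loaded by $2"
    else
        echo "missing: session required ... pam_limits.so in $2"; rc=1
    fi
    return $rc
}

# Demo on constructed files (not a real system's configuration)
demo() {
    dir=$(mktemp -d)
    cat > "$dir/limits.conf" <<'EOF'
# constructed sample limits.conf
*   hard    core    0
*   hard    rss     5000
*   hard    nproc   20
EOF
    printf 'session required /lib/security/pam_limits.so\n' > "$dir/login"
    audit_limits "$dir/limits.conf" "$dir/login"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

Run it as audit_limits /etc/security/limits.conf /etc/pam.d/login on a host; a limits.conf with the right numbers but no pam_limits line in the PAM stack is the usual reason limits silently do not apply, which is why the second check is there.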
  
About NFS servers
  
You must be careful with NFS server vulnerabilities. If you want to use the NFS network file system service, make sure that /etc/exports has the strictest access settings possible: do not use wildcards, do not allow root write access, and export file systems read-only wherever you can. Edit /etc/exports and add:
  
/dir/to/export host1.mydomain.com(ro,root_squash)

/dir/to/export host2.mydomain.com(ro,root_squash)

Here, /dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine allowed to mount it, ro exports it read-only, and root_squash stops the client's root from writing to it as root (its requests are mapped to an unprivileged user). Finally, to make the changes take effect, run /usr/sbin/exportfs -a.
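The rules above (no wildcards, read-only, root_squash) are easy to check mechanically. The script below is an added example, not from the original article: it lints an exports file given as an argument and returns the number of findings, so it can be run against /etc/exports or, as in the test, against a constructed copy. It also catches a layout mistake the exports(5) format is known for: a space between the host name and the parenthesised options, as in "host1 (ro)", makes the options apply to every client rather than to host1, and the host itself is exported with the defaults.

```sh
#!/bin/sh
# Added example, not from the original article: lint an /etc/exports file for
# the weaknesses the article warns about.

# check_exports FILE -> prints one line per finding; returns the number of
# findings (0 means every entry is host-restricted, read-only and root_squash)
check_exports() {
    awk '
        BEGIN { n = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            dir = $1
            if (NF == 1) { print dir ": exported to everyone (no client list)"; n++; next }
            for (f = 2; f <= NF; f++) {
                client = $f; opts = ""
                # split "host(opt,opt)" into host and opt,opt
                if (match(client, /\(.*\)$/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "") {
                    print dir ": options (" opts ") are separated from the host by a space, so they apply to every client"; n++
                } else if (client ~ /[*?]/) {
                    print dir ": wildcard client \"" client "\""; n++
                }
                if (opts ~ /(^|,)rw(,|$)/) {
                    print dir ": " client " is writable (rw)"; n++
                }
                if (opts ~ /no_root_squash/) {
                    print dir ": " client " has no_root_squash"; n++
                } else if (opts !~ /(^|,)root_squash(,|$)/) {
                    print dir ": " client " does not set root_squash explicitly"; n++
                }
            }
        }
        END { exit n }
    ' "$1"
}

# Demo: lint the system file if present, otherwise explain usage
if [ -r /etc/exports ]; then
    check_exports /etc/exports && echo "/etc/exports: no findings"
else
    echo "usage: check_exports FILE"
fi
```

root_squash is the NFS server default, so the last finding is a style point rather than a hole; it is reported because the article recommends writing it explicitly, which makes the intent survive a later edit that adds other options.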
  
About enabled services
  
By default, Linux is a powerful system that runs many services, but many of them are not required and can create security risks. The relevant file is /etc/inetd.conf, which defines the services that /usr/sbin/inetd listens for. You may only need two of them, telnet and ftp; the others, such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger and auth, should be closed unless you really need them.
  
Use the following command to display services that are not commented out:
  
grep -v "#" /etc/inetd.conf

This command counts the number of running processes before you close any services, so that you can compare afterwards:
  
ps -eaf | wc -l
  
We recommend disabling the following three services, which have had vulnerabilities: S34yppasswdd (NIS server), S35ypserv (NIS server) and S60nfs (NFS server).
  
After editing inetd.conf, run # killall -HUP inetd so that inetd re-reads its configuration and stops offering the services you removed. You can also run:
  
# chattr +i /etc/inetd.conf

This gives inetd.conf the immutable attribute so that it cannot be changed; only root can remove the attribute again, with:
  
# chattr -i /etc/inetd.conf
  
After you close some services, run the ps command above again to check how many fewer processes are running. The fewer services run, the safer the system. Use the following command to check which ports are listening:
  
netstat -na --ip
  
If you use RedHat, it is much more convenient: RedHat provides a tool to help you close services. Run /usr/sbin/setup and choose "System services" to customize which services start at boot. Another option is the chkconfig command, which many Linux distributions provide. The numbers in the rc script names give the start order; scripts whose names start with an uppercase K are used to kill (stop) the service.
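The grep above shows what inetd currently offers; deciding what to close is the same comparison against a short allow-list done by hand. The script below is an added example, not from the original article, that does that comparison and comments out every inetd.conf entry not on the allow-list. The file path is an argument, so the test works on a constructed copy; on a real host you would pass /etc/inetd.conf and then run killall -HUP inetd as the article says. Writing through "cat > file" keeps the file's inode and mode, and it fails if the file carries the immutable flag from the chattr step, which is the intended order: audit and edit first, chattr +i afterwards.

```sh
#!/bin/sh
# Added example, not from the original article: list active inetd services,
# compare them against an allow-list and comment out the rest.

# active_services FILE -> prints the service name (first field) of each
# uncommented, non-empty line
active_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# unexpected_services FILE ALLOWED... -> prints active services that are not in
# the allow-list; returns 0 if there are none, 1 otherwise
unexpected_services() {
    file="$1"; shift
    allowed=" $* "
    count=0
    for svc in $(active_services "$file"); do
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "$svc"; count=$((count + 1)) ;;
        esac
    done
    [ "$count" -eq 0 ]
}

# disable_service FILE NAME -> comments out every active line for service NAME,
# rewriting FILE in place (same inode, same permissions)
disable_service() {
    tmp=$(mktemp) || return 1
    awk -v name="$2" '
        !/^[[:space:]]*#/ && $1 == name { print "#" $0; next }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# disable_unexpected FILE ALLOWED... -> disables every active service that is
# not on the allow-list, printing each one
disable_unexpected() {
    file="$1"; shift
    for svc in $(unexpected_services "$file" "$@"); do
        echo "disabling $svc"
        disable_service "$file" "$svc" || return 1
    done
}

# Demo: report (without changing anything) what a real inetd.conf offers beyond ftp and telnet
if [ -r /etc/inetd.conf ]; then
    unexpected_services /etc/inetd.conf ftp telnet || echo "(listed services are not on the allow-list)"
else
    echo "no /etc/inetd.conf here; usage: disable_unexpected FILE ALLOWED..."
fi
```

The allow-list is positional so the same functions serve the article's "only ftp and telnet" case and a stricter one (an empty list disables everything inetd offers).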
  
About logs
  
All logs are under /var/log (for Linux systems). By default, Linux logging is thorough, except for FTP. Therefore, modify /etc/ftpaccess or /etc/inetd.conf to make sure that every FTP connection is logged. The following is an example of modifying inetd.conf; assume it contains this line:
  
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -L -l -i -o
  
Note:

-l: each FTP session is logged to syslog;

-L: every command sent by the user is logged;

-i: files received (uploads) are recorded in xferlog;

-o: files transmitted (downloads) are recorded in xferlog.
  
However, you should not trust logs too much, because most hackers have the "good" habit of wiping their footprints! If you are not at ease, you had better install a sniffer.
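Once -i and -o are on, xferlog is where uploads and downloads land, and reading it is the point of turning them on. The script below is an added example, not from the original article, that summarises an xferlog whose path is given as an argument; it assumes the layout documented in xferlog(5) (five date fields, then transfer time, remote host, size, file name, transfer type, special-action flag, direction, access mode, user name, service, authentication method, authenticated user id, completion status). The sample lines in the test are constructed, not a real log.

```sh
#!/bin/sh
# Added example, not from the original article: summarise a wu-ftpd style
# xferlog and pull out the records a reviewer looks at first.
#
# xferlog fields: 1-5 date, 6 transfer time, 7 remote host, 8 bytes, 9 file,
# 10 type (a/b), 11 special flag, 12 direction (i=upload, o=download),
# 13 access mode (a=anonymous, g=guest, r=real), 14 user, 15 service,
# 16 auth method, 17 authenticated user id, 18 completion (c=complete, i=incomplete)

# count_transfers FILE DIRECTION -> number of completed transfers in that direction
count_transfers() {
    awk -v dir="$2" 'NF >= 18 && $12 == dir && $18 == "c" { n++ } END { print n + 0 }' "$1"
}

# anonymous_uploads FILE -> prints "host file bytes" for each completed upload
# by an anonymous user; returns 0 if there were any, 1 otherwise
anonymous_uploads() {
    awk 'NF >= 18 && $12 == "i" && $13 == "a" && $18 == "c" {
             print $7, $9, $8; found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# bytes_by_host FILE -> "host bytes" for completed transfers, largest first
bytes_by_host() {
    awk 'NF >= 18 && $18 == "c" { b[$7] += $8 } END { for (h in b) print h, b[h] }' "$1" | sort -k2,2nr
}

# report FILE -> a short summary for a log file
report() {
    echo "downloads: $(count_transfers "$1" o)   uploads: $(count_transfers "$1" i)"
    echo "bytes by remote host:"
    bytes_by_host "$1"
    echo "anonymous uploads (host file bytes):"
    anonymous_uploads "$1" || echo "(none)"
}

# Demo against the system log when it is readable
[ -r /var/log/xferlog ] && report /var/log/xferlog
```

Anonymous uploads and a single host moving far more bytes than the rest are the two things a sysadmin of that era would want to see first; the same awk filters extend naturally to guest accounts (access mode g) or incomplete transfers (completion status i).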
  
About TCP_WRAPPERS
  
By default, RedHat Linux allows all requests, which is dangerous. If you use TCP_WRAPPERS to enhance the security of your site, deny everything that is not explicitly allowed by putting "ALL: ALL" in /etc/hosts.deny, and then put the explicitly allowed requests in /etc/hosts.allow, for example:
  
sshd: 192.168.1.10/255.255.255.0 gate.openarch.com
  
The IP address 192.168.1.10 and the host gate.openarch.com can then connect through SSH. After the configuration is complete, check it by running tcpdchk directly. tcpdchk is the tcp_wrappers configuration checker: it examines your TCP Wrapper configuration and reports all the potential and existing problems it detects.
  
About patches
  
You should always go to the home page of the publisher of the Linux distribution you have installed to find the latest patches. For example, for a RedHat system, look at http://www.redhat.com/corp/suppo. RedHat 6.1 and later versions come with an automatic upgrade tool, up2date, which works out which RPM packages need to be upgraded and then downloads and installs them from the RedHat site automatically. This is good news for lazy administrators!
 
