2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
(1) General server security policy:
1) It is best to use a hardware firewall; if that is not available, use iptables + TCP_Wrappers to build the security policy.
2) Passwords must be absolutely secure: more than 24 characters.
3) Use key-based login to prevent brute-force cracking and prohibit root login: ordinary users + key authentication + IP restrictions + user restrictions.
4) Regularly analyze the system's log files and login records, for example with last and lastlog.
5) Periodically run grep error /var/log/messages to check the server for hardware damage.
6) Stop unnecessary services and harden the kernel.
iptables host firewall script:
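#!/bin/bash
# Flush existing rules in the filter and nat tables and delete user-defined chains
iptables -F
iptables -F -t nat
iptables -X
# Default policies: drop inbound, allow outbound and forwarded traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Allow inbound TCP only to HTTP (80), SSH (22) and MySQL (3306)
# Note: no rule accepts loopback or ESTABLISHED,RELATED traffic, so replies to connections the host itself opens are dropped
iptables -A INPUT -p tcp -m multiport --dports 80,22,3306 -j ACCEPT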
TCP_Wrappers access control:
[root@localhost ~]# rpm -q tcp_wrappers
tcp_wrappers-7.6-58.el6.i686
[root@localhost ~]# ldd /usr/sbin/sshd | grep 'libwrap'
libwrap.so.0 => /lib/libwrap.so.0 (0x00c4f000)
/etc/hosts.allow: allow policy
/etc/hosts.deny: deny policy
Basic principles of access control: /etc/hosts.allow is checked first, and access is allowed if a matching policy is found; otherwise /etc/hosts.deny is checked, and access is denied if a matching policy is found; if no matching policy is found in either file, access is allowed.
Loose policy: allow all, deny individual hosts
vim /etc/hosts.deny
sshd:192.168.154.1
Strict policy: deny all, allow individual hosts
vim /etc/hosts.allow
sshd:192.168.154.1
vim /etc/hosts.deny
sshd:ALL
ALL:103.197.244.10 # denies access to all services
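The lookup order described above can be checked against the two policies without touching a live server. The following is an added example, not code from the original article: a simplified Python model of the decision that handles only ALL, exact addresses and trailing-dot prefixes rather than the full hosts_access syntax. The address 10.0.0.5 and the daemon name vsftpd are constructed test values.

```python
# Simplified model of the TCP_Wrappers decision order (added example).
# Supports only "daemon_list : client_list" with ALL, exact IPs and
# trailing-dot prefixes such as "192.168.154."; real hosts_access has more.

def parse_rules(text):
    """Return [(daemons, clients), ...] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # ignore optional 3rd field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # network prefix
        return client_ip.startswith(pattern)
    return pattern == client_ip

def file_matches(text, daemon, client_ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(p, client_ip) for p in clients)
               for daemons, clients in parse_rules(text))

def decide(daemon, client_ip, hosts_allow, hosts_deny):
    """hosts.allow wins, then hosts.deny, and no match at all means allow."""
    if file_matches(hosts_allow, daemon, client_ip):
        return "allow"
    if file_matches(hosts_deny, daemon, client_ip):
        return "deny"
    return "allow"

# Policies from the article.
LOOSE_DENY = "sshd:192.168.154.1"
STRICT_ALLOW = "sshd:192.168.154.1"
STRICT_DENY = "sshd:ALL\nALL:103.197.244.10"

if __name__ == "__main__":
    # 10.0.0.5 and vsftpd are constructed test values, not from the article.
    for daemon, ip in [("sshd", "192.168.154.1"), ("sshd", "10.0.0.5"),
                       ("vsftpd", "103.197.244.10"), ("vsftpd", "10.0.0.5")]:
        print(daemon, ip, "loose:", decide(daemon, ip, "", LOOSE_DENY),
              "strict:", decide(daemon, ip, STRICT_ALLOW, STRICT_DENY))
```

The last case shows that the strict policy as written is strict for sshd only: any other wrapped service matches neither file and is allowed by default, which a catch-all ALL:ALL line in /etc/hosts.deny would close.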
(2) General handling process after the server has been attacked:
1) Cut off the network.
2) Find the attack source: analyze the system log files and login log files (if suspicious users are found, disconnect their remote connections).
For example:
[root@localhost ~]# tail -f /var/log/messages
[root@localhost ~]# lastlog
[root@localhost ~]# lastb # View failed login records
[root@localhost ~]# tail -f /var/log/secure # View user-related security logs
[root@localhost ~]# pkill -kill -t pts/0 # Kick out abnormally logged-in users
3) Analyze the cause and path of the attack.
There are many possible reasons for an attack; it may be caused by system vulnerabilities or program vulnerabilities. You need to find the attack source and the path used, so that it can be removed and the vulnerabilities fixed.
4) Back up data.
5) Reinstall the system (depending on the actual situation; for a server that provides online services this is obviously not feasible).
6) Fix the program or system vulnerabilities.
7) Restore data and network.