Several details of system security

2025-02-01 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

The hardening steps below are collected into one script. It is written for RHEL/CentOS 6 era systems (pam_tally2, /etc/init.d/sshd, ip_conntrack) and must be run as root; adjust the module and service names for newer releases.

#!/bin/bash

# set every user to change the password every 90 days, remind 7 days in advance
UserList=$(ls /home/ | awk '{print $NF}' | grep -v lost+found)
for user in $UserList
do
    chage -M 90 -W 7 "$user"
done

# disable ping replies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# set the password expiration time to 90 days and the default minimum password length to 8
cp /etc/login.defs /etc/login.defs.bak
sed -i '/^PASS_MAX_DAYS/s/[0-9]\{1,6\}/90/' /etc/login.defs
sed -i '/^PASS_MIN_LEN/s/[0-9]\{1,3\}/8/' /etc/login.defs

# lock ordinary users for 300 s after more than 6 failed logins.
# pam_tally2 has to sit BEFORE "auth sufficient pam_unix.so": appended at the end of
# the file it is skipped whenever the password is correct, so the lockout never applies.
sed -i '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/i auth        required      pam_tally2.so onerr=fail deny=6 unlock_time=300' /etc/pam.d/system-auth
echo "account     required      pam_tally2.so deny=100 no_magic_root reset" >> /etc/pam.d/system-auth

# hide the system version number (the misspelled names are deliberate: the files are kept, just not where tools look)
mv /etc/issue /etc/isseu
mv /etc/issue.net /etc/isseu.net
mv /etc/redhat-release /etc/rehdat-release

# optimized kernel configuration parameters (this replaces /etc/sysctl.conf)
cat > /etc/sysctl.conf <<'EOF'
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# Kernel Optimization
net.ipv4.tcp_max_tw_buckets = 60000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle drops connections from clients behind NAT and was removed in
# kernel 4.12; it also has no effect while tcp_timestamps = 0. Leaving it at 0 is safer.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 655360
net.ipv4.netfilter.ip_conntrack_max = 655360
# the value for the next key was lost from the original; fill it in before uncommenting
# net.ipv4.netfilter.ip_conntrack_tcp_timeout_established =
EOF
# make the settings effective
sysctl -p

# record a per-user, per-session command history (appended to /etc/profile).
# A heredoc is used because the snippet contains single quotes, which break the echo '...' form.
# The files stay owned by the logged-in user, so this is a convenience log, not a tamper-proof audit trail.
cat >> /etc/profile <<'EOF'
# history
export HISTTIMEFORMAT="%F %T `whoami` "
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
HISTDIR=/usr/local/bin/.history
if [ -z "$USER_IP" ]
then
    USER_IP=`hostname`
fi
if [ ! -d "$HISTDIR" ]
then
    mkdir -p "$HISTDIR"
    chmod 777 "$HISTDIR"
fi
if [ ! -d "$HISTDIR/${LOGNAME}" ]
then
    mkdir -p "$HISTDIR/${LOGNAME}"
    chmod 300 "$HISTDIR/${LOGNAME}"
fi
export HISTSIZE=4000
DT=`date +%Y%m%d_%H%M%S`
export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT"
chmod 600 "$HISTDIR/${LOGNAME}"/*.history* 2>/dev/null
EOF

# secure login: allow sshd only from the listed addresses
cat > /etc/hosts.allow <<'EOF'
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
#***
sshd:111.1.1.1
sshd:122.1.1.2
##jump
sshd:10.0.1.1
EOF

cat > /etc/hosts.deny <<'EOF'
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
# (the deny entry below was garbled in the original; sshd:ALL is what the allow list above requires)
sshd:ALL
EOF

# check the firewall configuration: ssh should be open only to the specified user addresses,
# and service ports only to the user address range
iptables-save

# create an ordinary user (do this, and confirm it can log in, before root login is disabled below)
useradd liangxiujun
echo -e 'xx123456' | passwd liangxiujun --stdin

# forbid root login over ssh (the substitution only matches the commented default line)
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

# fix the slow ssh login problem
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i '/#UseDNS yes/a UseDNS no' /etc/ssh/sshd_config
/etc/init.d/sshd restart
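The sed and echo commands in the script do nothing (and report nothing) when their pattern does not match, so the result should be verified rather than assumed. The audit script below is an added example, not part of the original article; its function names and the sample files it builds are my own, constructed only to exercise the checks, and each function takes a file path so it can be pointed at the live /etc files instead.

```sh
#!/bin/sh
# Added example (not from the original article): audit the settings the hardening
# script applies. Each check reads a file path, so it runs against a live host
# (/etc/login.defs, /etc/ssh/sshd_config, ...) or, as below, constructed samples.

# Print the effective (uncommented) value of KEY in a "KEY VALUE" or
# "KEY = VALUE" file; prints nothing if the key is absent.
cfg_value() {  # cfg_value FILE KEY
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { v = ($2 == "=") ? $3 : $2 } END { print v }' "$1"
}

# 0 if password ageing matches the article: max age <= 90 days, min length >= 8.
check_login_defs() {  # check_login_defs FILE
    max=$(cfg_value "$1" PASS_MAX_DAYS); min=$(cfg_value "$1" PASS_MIN_LEN)
    [ -n "$max" ] && [ -n "$min" ] && [ "$max" -le 90 ] && [ "$min" -ge 8 ]
}

# 0 if root SSH login is off. sshd honours the FIRST uncommented occurrence of
# a keyword, so a "PermitRootLogin no" added after a "yes" line does nothing.
check_sshd_config() {  # check_sshd_config FILE
    v=$(awk '$1 !~ /^#/ && tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    [ "$v" = "no" ]
}

# 0 if pam_tally2 precedes pam_unix in the auth stack. Appended after a
# "sufficient pam_unix.so" line it is skipped on a correct password, so a
# "locked" account can still log in.
check_pam_tally2() {  # check_pam_tally2 FILE
    awk '$1 == "auth" && $3 ~ /^pam_tally2/ { seen = 1 }
         $1 == "auth" && $3 ~ /^pam_unix/ && !seen { bad = 1 }
         END { exit bad + 0 }' "$1"
}

# 0 if the SYN-cookie and SysRq keys are set as the article writes them.
check_sysctl() {  # check_sysctl FILE
    [ "$(cfg_value "$1" net.ipv4.tcp_syncookies)" = 1 ] && [ "$(cfg_value "$1" kernel.sysrq)" = 0 ]
}

# Constructed sample files (not taken from any real host) to exercise the checks.
SAMPLES=$(mktemp -d)
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t8\n' > "$SAMPLES/login.defs"
printf '#PermitRootLogin yes\nPermitRootLogin no\nUseDNS no\n' > "$SAMPLES/sshd_config.good"
printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$SAMPLES/sshd_config.bad"
printf 'auth required pam_tally2.so deny=6 unlock_time=300\nauth sufficient pam_unix.so\n' > "$SAMPLES/pam.good"
printf 'auth sufficient pam_unix.so\nauth required pam_tally2.so deny=6\n' > "$SAMPLES/pam.bad"
printf 'net.ipv4.tcp_syncookies = 1\nkernel.sysrq = 0\n' > "$SAMPLES/sysctl.conf"

audit_samples() {  # all checks over the compliant samples; 0 when every one passes
    check_login_defs "$SAMPLES/login.defs" && check_sshd_config "$SAMPLES/sshd_config.good" &&
    check_pam_tally2 "$SAMPLES/pam.good" && check_sysctl "$SAMPLES/sysctl.conf"
}
```

On a real host, call the check functions with the paths under /etc; a non-zero exit from any of them means the corresponding step of the script did not land.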
