
How to set Security Policy in Linux

2025-01-31 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article shares how to set security policies in Linux. The editor found it quite practical, so it is shared here for everyone to learn from; I hope you gain something from reading it. Without further ado, follow the editor and take a look.

1. Prohibit ping requests

An attacker usually first uses the ping command to detect whether a host or IP is alive. If a host or IP answers ping, the attacker treats the system as active and then attacks or damages it. If nobody can ping the machine and get a response, the security of the server is greatly enhanced. Under Linux, ping requests can be ignored with the following setting:

The code is as follows:

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

By default, "icmp_echo_ignore_all" has a value of "0", which means the system responds to ping.

You can add the above line to the /etc/rc.d/rc.local file so that it runs automatically after each system restart.

2. Disable Control-Alt-Delete key combination to restart system

In the default Linux settings, pressing Control-Alt-Delete restarts the system automatically, which is very unsafe. To prevent the Control-Alt-Delete key combination from restarting the system, just modify the /etc/inittab file:

The code is as follows:

[root@localhost ~]# vi /etc/inittab

Find this line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

and comment it out by putting "#" in front of it.

Then execute:

The code is as follows:

[root@localhost ~]# telinit q

3. Limit Shell Record History Command Size

By default, the bash shell stores up to 1000 command records in the file $HOME/.bash_history (the default number varies depending on the system). There is one such file in the home directory of every user in the system.

Keeping that much command history is unsafe, so limit the size of the file.

You can edit the /etc/profile file and modify the option as follows:

HISTSIZE=30

This means that only the last 30 commands are recorded in the file $HOME/.bash_history. If "HISTSIZE" is set to 0, no history is recorded, so you cannot use the keyboard's up and down keys to recall earlier commands.

4. Delete unnecessary users and groups by default

Linux creates a variety of system accounts. After the system is installed, any users or groups you do not need should be deleted immediately, because the more accounts there are, the less secure the system is and the more vulnerable it is to attack.

Remove unnecessary users from the system with the following command:

The code is as follows:

[root@localhost ~]# userdel username

Remove unnecessary groups from the system with the following command:

The code is as follows:

[root@localhost ~]# groupdel groupname

Default users and groups that can be deleted in Linux are:

Users that can be deleted: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.

Groups that can be deleted: adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.

5. Close SELinux

SELinux is short for Security-Enhanced Linux, a mandatory access control security system in the kernel. SELinux has been integrated into the mainline Linux 2.6 kernel and into most Linux distributions. Because SELinux still has some compatibility problems with existing Linux applications and kernel modules, beginners are advised to turn SELinux off first; once they have a deeper understanding of Linux, it is not too late to study SELinux in depth.

To see whether SELinux is enabled, use the getenforce command:

The code is as follows:

[root@localhost ~]# getenforce

Disabled

To turn SELinux off on Red Hat series distributions, edit the following file directly:

The code is as follows:

[root@localhost ~]# vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - SELinux is fully disabled.

SELINUX=enforcing

# SELINUXTYPE= type of policy in use. Possible values are:

# targeted - Only targeted network daemons are protected.

# strict - Full SELinux protection.

SELINUXTYPE=targeted

Change SELINUX=enforcing to SELINUX=disabled; SELinux is stopped after the system is restarted.
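An added check, not from the article, that reads the three settings from sections 1, 3 and 5 and reports whether they are in the recommended state. File paths are parameters so it can be tried on the constructed sample files below and then pointed at /proc/sys/net/ipv4/icmp_echo_ignore_all, /etc/profile and /etc/sysconfig/selinux.

```shell
# Added audit helper (not part of the original article): report the state of
# icmp_echo_ignore_all, HISTSIZE and SELINUX. Paths are parameters so the
# functions run against constructed sample files as well as the real ones.

# ping_ignored FILE -> prints yes when the sysctl file holds 1, else no
ping_ignored() {
    if [ "$(cat "$1" 2>/dev/null)" = 1 ]; then echo yes; else echo no; fi
}

# last_value FILE KEY -> value of the last uncommented KEY=value line, or "unset"
last_value() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        $1 ~ ("^[[:space:]]*" k "[[:space:]]*$") { gsub(/[[:space:]"]/, "", $2); v = $2 }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# audit_policy ICMP_FILE PROFILE SELINUX_CONF -> one report line per setting
audit_policy() {
    echo "ping ignored: $(ping_ignored "$1")"
    echo "HISTSIZE:     $(last_value "$2" HISTSIZE)"
    echo "SELINUX:      $(last_value "$3" SELINUX)"
}

# Demo with constructed files mirroring the article's examples
d=$(mktemp -d)
echo 1 > "$d/icmp"
printf 'export PATH\nHISTSIZE=30\n' > "$d/profile"
printf '# SELINUX= can take one of these three values:\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/selinux"
audit_policy "$d/icmp" "$d/profile" "$d/selinux"
rm -rf "$d"
```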

6. Set tcp_wrappers firewall

TCP_Wrappers is a piece of software that analyzes TCP/IP packets; iptables is a similar packet-filtering tool, and both are installed by default in Linux. As a secure system, Linux itself has two layers of firewall. The first layer is iptables, which works by IP filtering: it monitors the running state of the system, blocks some malicious attacks from the network, and protects the normal operation of the whole system from attack and damage. The implementation of iptables is described in detail in the next section. Traffic that passes the first layer then meets the second layer, tcp_wrappers, which can open or close, allow or prohibit particular services provided by the system, and so protects the system's operation more effectively.

TCP_Wrappers is easy to use; it involves just two configuration files: /etc/hosts.allow and /etc/hosts.deny.

(1) Check whether TCP_Wrappers is installed on the system

The code is as follows:

[root@localhost ~]# rpm -q tcp_wrappers

or

[root@localhost ~]# rpm -qa | grep tcp

tcp_wrappers-7.6-37.2

tcpdump-3.8.2-10.RHEL4

If you see output similar to the above, the tcp_wrappers module is installed. If it does not appear, it may not be installed; you can find the corresponding RPM package on the Linux installation disk and install it.

(2) Limitations of tcp_wrappers firewall

Whether a service in the system can use the tcp_wrappers firewall depends on whether the service is linked against the libwrap library; if it is, tcp_wrappers can control it. Some default services in the system, such as sshd, portmap, sendmail, xinetd, vsftpd, tcpd, etc., can use the tcp_wrappers firewall.

(3) tcp_wrappers rules

The tcp_wrappers firewall is implemented through the /etc/hosts.allow and /etc/hosts.deny files. First look at the rule format:

service:host(s) [:action]

- service: the service name, such as sshd, vsftpd, sendmail, etc.
- host(s): host name or IP address; there can be several, such as 192.168.60.0, www.ixdba.net
- action: the action taken when the conditions are met.

A few keywords:

ALL: All services or all IP.

ALL EXCEPT: All services or all IPs except those specified.

Example: ALL:ALL EXCEPT 192.168.60.132

This rule matches all services from every machine except 192.168.60.132; whether those machines are permitted or denied depends on which of the two files the rule is placed in.

Now that you understand the configuration syntax, you can restrict access to services.

For example, a Linux server on the Internet that should allow only 222.90.66.4, 61.185.224.66 and the domain softpark.com to log in remotely via the SSH service is configured as follows:

First set the computers that are allowed to log in, that is, configure the /etc/hosts.allow file. The setting is very simple: just edit /etc/hosts.allow (if the file does not exist, create it yourself).

Add the following rule to /etc/hosts.allow:

sshd: 222.90.66.4 61.185.224.66 softpark.com

Then set the machines that are not allowed to log in, that is, configure the /etc/hosts.deny file.

In general, Linux checks /etc/hosts.allow first. If the remote computer matches a rule in /etc/hosts.allow, the /etc/hosts.deny file is not consulted. If it matches no rule in hosts.allow, hosts.deny is consulted: if a hosts.deny rule matches, the host is denied access to the Linux server; if no hosts.deny rule matches either, the host is allowed to access the server by default. Therefore, after setting the access rules in /etc/hosts.allow, simply set /etc/hosts.deny to "no computer may log in":

sshd:ALL

A simple tcp_wrappers firewall is set up.
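To make the lookup order just described concrete, here is an added shell emulation, not libwrap itself and not code from the original article, that reads a hosts.allow and hosts.deny in the format above and says whether a service/client pair would be allowed or denied. It assumes a simplified pattern set: ALL, ALL EXCEPT, exact names or addresses, a prefix ending in "." such as 192.168.60., a domain with a leading "." such as .softpark.com, and, for the article's bare softpark.com, any host under that domain; the sample client names are constructed.

```shell
# Added illustration (not libwrap): emulate the decision order described
# above: hosts.allow is consulted first, then hosts.deny, and a client
# matched by neither file is allowed. Pattern handling is simplified.
host_matches() {                        # host_matches CLIENT PATTERN
    case "$2" in
        ALL) return 0 ;;
        *.)  case "$1" in "$2"*) return 0 ;; esac ;;      # network prefix 192.168.60.
        .*)  case "$1" in *"$2") return 0 ;; esac ;;      # domain suffix .softpark.com
        *)   case "$1" in "$2"|*."$2") return 0 ;; esac ;; # exact, or host under bare domain
    esac
    return 1
}
list_matches() {                        # list_matches CLIENT "PATTERN ..."
    client=$1; set -- $2; except=0; matched=1
    for p in "$@"; do                   # patterns after EXCEPT override an earlier match
        if [ "$p" = EXCEPT ]; then except=1
        elif host_matches "$client" "$p"; then
            if [ "$except" -eq 1 ]; then return 1; fi
            matched=0
        fi
    done
    return $matched
}
file_matches() {                        # file_matches FILE SERVICE CLIENT
    if [ ! -f "$1" ]; then return 1; fi
    while IFS= read -r line; do
        line=${line%%#*}                # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        svcs=$(echo "${line%%:*}" | tr ',' ' ')
        rest=${line#*:}; hosts=$(echo "${rest%%:*}" | tr ',' ' ')  # :action ignored
        case " $svcs " in
            *" ALL "*|*" $2 "*) if list_matches "$3" "$hosts"; then return 0; fi ;;
        esac
    done < "$1"
    return 1
}
tw_decide() {                           # tw_decide SERVICE CLIENT ALLOWFILE DENYFILE
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow; fi                 # matched by neither file: access granted
}
# Demo against constructed copies of the two files from the article
d=$(mktemp -d)
printf 'sshd: 222.90.66.4 61.185.224.66 softpark.com\n' > "$d/hosts.allow"
printf 'sshd: ALL\n' > "$d/hosts.deny"
for c in 222.90.66.4 www.softpark.com 192.168.60.132; do
    echo "sshd from $c: $(tw_decide sshd "$c" "$d/hosts.allow" "$d/hosts.deny")"
done; rm -rf "$d"
```

Real libwrap also understands netmasks, wildcards, the KNOWN/UNKNOWN/PARANOID keywords and the :action field, none of which this sketch handles.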

The above is how to set security policies in Linux. The editor believes some of these points may be encountered or used in daily work; I hope you can learn more from this article. For more details, please follow the industry information channel.
