2025-03-04 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article introduces the basic security settings for Red Hat Linux; interested readers can use it as a reference. I hope you learn something from it.
1. Minimize the system: remove unnecessary software and turn off unnecessary services.
# ntsysv
Only the services that need to be started are listed below. Turn off every service not in this list, then enable the services you actually need one by one.
atd
crond
irqbalance
microcode_ctl
network
sshd
syslog
2. Delete the finger program:
# rpm -e finger
3. BIOS security settings
4. Account security settings
Modify the /etc/login.defs file:
PASS_MAX_DAYS 120    # maximum number of days a password may be used
PASS_MIN_DAYS 0      # minimum number of days between password changes
PASS_MIN_LEN 10      # minimum password length
PASS_WARN_AGE 7      # days of warning before a password expires
Make sure /etc/shadow is readable only by root.
Make sure /etc/passwd is writable only by root (root read and write).
Regularly run a password-auditing tool to check the strength of users' passwords.
5. /etc/exports
If you share files through NFS, configure the /etc/exports file with access restrictions that are as strict as possible: do not use wildcards, do not allow write access to the root directory, and grant read-only access wherever possible. In /etc/exports, add entries of the form:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Write the option list directly after the host name with no space in between; if a space separates them, exportfs applies the options to every client instead of to that host.
It is recommended not to use NFS at all.
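As an added example (not code from the original article), the following Python parses exports-style text and flags the weak settings called out above, including the space-before-parenthesis mistake; the sample file content is constructed.

```python
# Added example, not from the original article: parse /etc/exports text
# and flag the weak settings discussed above. The sample is constructed.
EXPORTS_SAMPLE = """\
/srv/export  host1.mydomain.com(ro,root_squash)
/srv/export  host2.mydomain.com (ro,root_squash)
/srv/data    *.mydomain.com(rw,no_root_squash)
/srv/pub     *(ro)
"""


def parse_exports(text):
    """Return one dict per client entry: path, client, opts, bare."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        for tok in tokens:
            # A token starting with '(' is a bare option list: exportfs
            # applies it to every client ('*') and gives the host before
            # it only the default options (the space-before-paren mistake).
            bare = tok.startswith("(")
            if bare:
                client, opts = "*", tok.strip("()")
            elif "(" in tok:
                client, opts = tok.rstrip(")").split("(", 1)
            else:
                client, opts = tok, ""
            entries.append({"path": path, "client": client, "bare": bare,
                            "opts": [o for o in opts.split(",") if o]})
    return entries


def audit_exports(text):
    """Return one finding string per weakness in the exports text."""
    findings = []
    for e in parse_exports(text):
        where = f"{e['path']} -> {e['client']}"
        if e["bare"]:
            findings.append(f"{where}: options not attached to a host, "
                            "so they apply to every client")
        elif any(c in e["client"] for c in "*?"):
            findings.append(f"{where}: wildcard client")
        if "rw" in e["opts"]:
            findings.append(f"{where}: write access granted")
        if "no_root_squash" in e["opts"]:
            findings.append(f"{where}: remote root is not squashed")
    return findings
```

Running audit_exports(EXPORTS_SAMPLE) reports the host2 line as world-exported even though it looks restricted, which is exactly the error the spacing rule above guards against.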
6. inetd.conf or xinetd.conf
If the system uses inetd.conf, comment out all the services beginning with r (the r-commands), exec, and similar.
7. TCP_Wrappers
Add the allowed services to /etc/hosts.allow and put the line ALL: ALL in /etc/hosts.deny, so that everything not explicitly allowed is refused.
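The order in which hosts.allow and hosts.deny are consulted is what makes the ALL: ALL line matter. The following added example (not from the original article) models that decision for a simplified subset of the hosts_access(5) pattern syntax; the two sample files are constructed.

```python
# Added example, not from the original article: evaluate the tcp_wrappers
# decision for a hosts.allow / hosts.deny pair. Covers a subset of
# hosts_access(5): ALL, daemon lists, host names, '.domain' suffixes,
# 'a.b.c.' prefixes and 'net/mask' patterns; EXCEPT is not handled.
import ipaddress

# Constructed samples: allow sshd from the LAN and the local domain, deny the rest.
HOSTS_ALLOW = "sshd: 192.168.0.0/255.255.255.0, .mydomain.com\n"
HOSTS_DENY = "ALL: ALL\n"


def match_client(pattern, host, ip):
    """Does one client pattern match a client with this host name and IP?"""
    if pattern == "ALL":
        return True
    if "/" in pattern:                  # net/mask, e.g. 192.168.0.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):         # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):           # address prefix
        return ip.startswith(pattern)
    return pattern in (host, ip)        # exact host name or address


def rules(text):
    """Yield (daemons, clients) per rule; a third shell-command field is ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) >= 2:
            yield (fields[0].replace(",", " ").split(),
                   fields[1].replace(",", " ").split())


def matches(text, daemon, host, ip):
    """True if any rule in text names this daemon and matches this client."""
    return any(("ALL" in daemons or daemon in daemons)
               and any(match_client(c, host, ip) for c in clients)
               for daemons, clients in rules(text))


def access_allowed(daemon, host, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; no match means allow."""
    if matches(allow, daemon, host, ip):
        return True
    if matches(deny, daemon, host, ip):
        return False
    return True     # this default is why the ALL: ALL line in hosts.deny matters
```

Calling access_allowed("ftpd", "pc1.mydomain.com", "192.168.0.10", deny="") returns True, showing that without the deny line any service not mentioned in hosts.allow is open.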
8. /etc/aliases file
If the aliases file is mismanaged or maintained carelessly it can create security risks. Remove the line that defines the alias "decode".
Edit /etc/aliases and delete or comment out the following lines:
# games: root
# ingres: root
# system: root
# toor: root
# uucp: root
# manager: root
# dumper: root
# operator: root
# decode: root
Run /usr/bin/newaliases to rebuild the aliases database.
9. Prevent sendmail from being abused by unauthorized users
Edit sendmail.cf and change
PrivacyOptions=authwarnings
to
PrivacyOptions=authwarnings,noexpn,novrfy
(noexpn and novrfy disable the EXPN and VRFY commands, which let remote users enumerate accounts.)
10. Do not respond to ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
11. Enable TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Values written to /proc/sys are lost at reboot; to make these two settings persistent, add net.ipv4.icmp_echo_ignore_all = 1 and net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf.
12. Delete unnecessary users and groups
Users to delete include adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
Groups to delete include adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.
You can then set the immutable bit on the account files:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
Remove the bit again with chattr -i before adding users or changing passwords, otherwise those operations fail.
13. Prevent anyone from becoming root with the su command
Edit the su PAM file (vi /etc/pam.d/su) and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Add the users who are allowed to su to root to the wheel group (GID 10):
usermod -G 10 username
Note that usermod -G replaces the user's supplementary group list, so include any other groups the user needs.
14. Disable the Control+Alt+Delete shutdown key
Edit /etc/inittab and comment out the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Run /sbin/init q to make the change take effect.
15. Create hard copies of all important log files
If the server is important, consider printing out the ssh, mail and boot messages. Add a line to the /etc/syslog.conf file:
authpriv.*;mail.*;local7.*;auth.*;daemon.info    /dev/lp0
Then execute /etc/rc.d/init.d/syslog restart
Alternatively, send the log to another server for safekeeping. For example, the rule
authpriv.*    /var/log/secure
can be sent to 192.168.0.2 by adding a rule whose action is the remote host:
authpriv.*    @192.168.0.2
Keep the original line as well if you still want a local copy.
16. Change the access permissions of the script files in /etc/rc.d/init.d
chmod -R 700 /etc/rc.d/init.d/*
Note: apply this setting carefully.
17. /etc/rc.d/rc.local
Comment out everything in this file that is not needed, so that nobody can learn anything about the host from it.
Delete /etc/issue and /etc/issue.net, the pre-login banners that reveal the system version.
18. Programs with the s bit (SUID/SGID)
Programs whose s bit can be cleared include, but are not limited to:
programs that are never used;
programs that you do not want non-root users to run;
programs used only occasionally, where you do not mind switching to root with su before running them.
List them with:
find / -type f \( -perm -04000 -o -perm -02000 \) -print
Clear the bit with:
chmod a-s program_name
19. View hidden files on the system
find / -name ".*" -print
20. Find files and directories that anyone can write to (-perm -2 is other-writable, -perm -20 is group-writable)
find / -type f \( -perm -2 -o -perm -20 \) -ls
find / -type d \( -perm -2 -o -perm -20 \) -ls
21. Find files on the system that have no owner or no group
find / \( -nouser -o -nogroup \) -print
22. Find .rhosts files
find /home -name ".rhosts"
Delete any that you find.
23. Revoke permissions on the system compiler, or remove it
For example: chmod 700 /usr/bin/gcc
Thank you for reading this article carefully. I hope the article "What are the Red Hat Linux security settings" shared by the editor is helpful to you, and I also hope you will support us and follow the industry information channel. More related knowledge is waiting for you to learn!