Common security policy settings under Linux


1. Prevent the system from responding to any external or internal ping request

Generally, an attacker first checks whether a host or IP is active with the ping command. If a host or IP answers a ping, the attacker assumes the system is active and then attacks or damages it. If no one can ping the machine and receive a response, the security of the server is greatly enhanced. Under Linux, the following setting prohibits ping responses:

[root@localhost ~]# echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

By default the value of icmp_echo_ignore_all is "0", meaning that ping requests are answered. You can add the above line to the /etc/rc.d/rc.local file so that it runs automatically after every system restart.

2. Do not use the Control-Alt-Delete key combination to restart the system

Under the default Linux settings, pressing Control-Alt-Delete restarts the system automatically. This is very unsafe, so the Control-Alt-Delete key combination should be disabled. To do so, modify the /etc/inittab file:

[root@localhost ~]# vi /etc/inittab

Locate this line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

and comment it out by placing "#" in front of it. Then execute:

[root@localhost ~]# telinit q

3. Limit the size of the shell command history

By default, the bash shell stores up to 1000 command records in the file $HOME/.bash_history (the default number of records varies by system). Each user's home directory contains such a file. Recording that many historical commands is certainly not safe, so the size of the file must be limited. Edit the /etc/profile file and modify the option as follows:

HISTSIZE=30

This means that only the last 30 commands are recorded in $HOME/.bash_history. If HISTSIZE is set to 0, no history is recorded at all, and the up and down arrow keys can no longer be used to recall earlier commands.

4. Delete unnecessary default system users and groups

Linux provides various system accounts. After the system is installed, any users or groups you do not need should be deleted immediately: the more accounts there are, the less secure the system is and the easier it is to attack. To delete an unnecessary user, use:

[root@localhost ~]# userdel username

To delete an unnecessary group, use:

[root@localhost ~]# groupdel groupname

Default users and groups that can be deleted from a Linux system are:

Users: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.
Groups: adm, lp, news, uucp, games, dip, pppusers, popusers, slipusers, etc.

5. Shut down SELinux

SELinux is short for Security-Enhanced Linux. It is a mandatory access control security system in the kernel. SELinux has been integrated into the mainline Linux 2.6 kernel and most Linux distributions, but there are still some compatibility problems between SELinux and existing Linux applications and kernel modules. Therefore, it is recommended that beginners shut down SELinux first; after gaining an in-depth understanding of Linux, it is not too late to study SELinux in depth!
To see whether SELinux is enabled, use the getenforce command:

[root@localhost ~]# getenforce
Disabled

To shut down SELinux on Red Hat series distributions, modify the following file directly:

[root@localhost ~]# vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Change SELINUX=enforcing to SELINUX=disabled; after the system is rebooted, SELinux will be stopped.

6. Set up the tcp_wrappers firewall

Tcp_Wrappers is software for analyzing TCP/IP packets, similar to iptables. Linux installs it by default. As a secure system, Linux itself has two layers of security firewalls. The packet-filtering mechanism of iptables implements the first layer of protection: the iptables firewall monitors the running state of the system, blocks some malicious attacks from the network, and protects the whole system from attack and damage. The implementation of iptables will be covered in detail in the next section. If the first layer of protection is passed, the next layer of protection is tcp_wrappers. Tcp_Wrappers can be used to open, close, allow and disable certain services provided by the system, thus more effectively ensuring the safe operation of the system. Using Tcp_Wrappers is very simple; there are only two configuration files: /etc/hosts.allow and /etc/hosts.deny.

(1) Check whether tcp_wrappers is installed on the system

[root@localhost ~]# rpm -q tcp_wrappers

or

[root@localhost ~]# rpm -qa | grep tcp
tcp_wrappers-7.6-37.2
tcpdump-3.8.2-10.RHEL4

If there is output similar to the above, the tcp_wrappers module is installed. If nothing is displayed, it may not be installed; the corresponding RPM package can be found on the Linux installation disk.

(2) Limitations of the tcp_wrappers firewall

Whether a service can be controlled by the tcp_wrappers firewall depends on whether the service is linked against the libwrap library. If it is, the service can use the tcp_wrappers firewall. Some default services in the system that can use it are sshd, portmap, sendmail, xinetd, vsftpd, tcpd, etc.

(3) Rules set by tcp_wrappers

The tcp_wrappers firewall is implemented through the /etc/hosts.allow and /etc/hosts.deny files. First, look at the rule format:

service:host(s) [:action]

service: the service name, such as sshd, vsftpd, sendmail, etc.
host(s): host names or IP addresses; there can be several, such as 192.168.60.0, www.ixdba.net
action: the action taken after the condition is met.

Several keywords:

ALL: all services or all IPs.
ALL EXCEPT: all services or all IPs except the ones listed. For example, ALL:ALL EXCEPT 192.168.60.132 means that, for all services, every machine except 192.168.60.132 is allowed or denied.

Once you understand the syntax, you can restrict access to services. For example, for a Linux server on the Internet, the goal is to allow only 222.90.66.4, 61.185.224.66 and the domain softpark.com to log in remotely to the system through the SSH service, set as follows:
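The rule format and the ALL / ALL EXCEPT keywords described above, as an added Python example that is not part of the original article: it evaluates hosts.allow before hosts.deny the way tcp_wrappers does (a match in hosts.allow grants, a match in hosts.deny refuses, no match at all allows) and follows the hosts_access(5) conventions that a trailing dot is an address prefix and a leading dot a domain suffix. The two sample files are constructed for the demonstration and are not the configuration the article goes on to give; the optional action field is parsed but ignored.

```python
"""Evaluate tcp_wrappers-style hosts.allow / hosts.deny rules (added example)."""

def pattern_matches(pattern, item):
    """Match one host or service pattern against a client address/name or service.
    ALL matches anything; a trailing dot is an address prefix ("192.168.60.");
    a leading dot is a domain suffix (".softpark.com"); otherwise exact match."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return item.startswith(pattern)
    if pattern.startswith("."):
        return item.endswith(pattern)
    return item == pattern

def list_matches(spec, item):
    """Match a space/comma separated list with an optional 'EXCEPT' clause."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(pattern_matches(p, item) for p in head.replace(",", " ").split())
    if hit and tail:
        hit = not any(pattern_matches(p, item) for p in tail.replace(",", " ").split())
    return hit

def parse_rules(text):
    """Drop comments and blank lines; keep 'service:host(s)[:action]' rule lines."""
    return [ln.split("#")[0].strip() for ln in text.splitlines() if ln.split("#")[0].strip()]

def rule_matches(rule, service, client):
    fields = [f.strip() for f in rule.split(":")]
    # The optional third field (action) is ignored by this evaluator.
    return len(fields) >= 2 and list_matches(fields[0], service) and list_matches(fields[1], client)

def hosts_access(allow_text, deny_text, service, client):
    """hosts.allow is consulted first and a match grants access; then hosts.deny,
    where a match refuses; a client matching neither file is allowed (the default)."""
    if any(rule_matches(r, service, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, service, client) for r in parse_rules(deny_text)):
        return False
    return True

# Constructed sample files for the demonstration, not the article's configuration.
HOSTS_ALLOW = """
sshd: 192.168.60. EXCEPT 192.168.60.132
vsftpd: .softpark.com
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "192.168.60.132"))  # False
```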
