linux的安全设置

 

linux的安全设置
平台Redhad linux 9.0
1,禁止普通用户使用su


only the user who belongs to the wheel group permits su command.

add following content in /etc/pam.d/su:

“auth required /lib/security/$ISA/pam_wheel.so use_uid “
2,禁止root远程登录

prohibits root user login from remote..
Describe "PermitRootLogin no" in /etc/ssh/sshd_config.
3,禁止telnet
telnet shoud be prohibited.
Add following description in configuration file: /etc/xinetd.d/telnet :
「disable = yes」.
4,禁止IP转发
IP forwarding function should be disabled.
Add description in configuration file /etc/sysctl.conf:

“net.ipv4.ip_forward = 0. “
5,防范IP Spoofing attack
"IP Spoofing attack" protection should be enabled.
Add description in configuration file /etc/sysctl.conf:
“net.ipv4.conf.all.rp_filter = 1.”

6,禁止ICMP redirection packet
OS should not accept ICMP redirection packet..
Add description in configuration file /etc/sysctl.conf:

“net.ipv4.conf.all.accept_redirects = 0.”

7,禁止relay ICMP redirection packet

OS should not relay ICMP redirection packet..

Add description in configuration file /etc/sysctl.conf:

“net.ipv4.conf.all.send_redirects = 0.”
8,禁止reply to broadcast ICMP packet.

OS should not reply to broadcast ICMP packet.

Add description in configuration file /etc/sysctl.conf:

“

net.ipv4.icmp_echo_ignore_broadcasts = 1.”
9,禁止时间戳

OS should avoid the time stamp.

Add description in configuration file /etc/sysctl.conf:

“

net.ipv4.tcp_timestamps = 0.”
10,禁止伪造广播帧

OS should restrain the warning of the replying of the imitation to the broadcast frame.

Add description in configuration file /etc/sysctl.conf:

“

net.ipv4.icmp_ignore_bogus_error_responses = 1.”