Securing a Default Install of RedHat Linux 8.0/9.0
来源:互联网 发布:java 接口构造器 编辑:程序博客网 时间:2024/06/03 08:20
Securing a Default Install of RedHat Linux 8.0/9.0
1. Log in as root.
2. Run /usr/sbin/visudo. Add yourself. We recommend you use this sudoers template.
3. Log out.
4. Log in as yourself.
5. Run sudo /usr/sbin/setup. Enter "System Services" and disable everything you don't need. This includes:
- apmd
- gpm
- isdn
- kudzu
- lpd
- nfslock
- pppoe
- pcmcia
- portmap
- rawdevices
- rhnsd
6. As root, edit /etc/ntp.conf to set NTP servers. You may wish to view our sample configuration file. Use the 'setup' utility to ensure that ntpd is starting at boot.
7. Edit /etc/issue & /etc/issue.net to say:
UNAUTHORIZED ACCESS PROHIBITED
8. Edit /etc/motd to look like this.
9. Install rhupdate:
A. lynx http://www.jjminer.org/rhupdate/
B. download the latest rhupdate
C. Expand the file:
tar -xzlf rhupdate-whatever.tar.gz
D. Install:
cd rhupdate-whatever/
./configure
sudo make install
E. delete that stuff
cd ..
rm -rf rhupdate-whatever*
10. Download and install updates:
A. Create a download directory
mkdir /tmp/updates
B. Download the updates
/usr/local/bin/rhupdate --download /tmp/updates --server mirror.services.wisc.edu --dir /mirrors/linux/distributions/redhat/updates/ --hash
C. Install the updates:
sudo rpm -Uvh /tmp/updates/*.rpm
D. Delete the updates:
rm -f /tmp/updates/*
11. Prevent some DoS-denial attacks. Add the following lines to the end of /etc/rc.d/rc.local:
##### Begin DoS Prevention #####
# shut some DoS stuff down
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# increase the local port range
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
# increase the SYN backlog queue
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 64000 > /proc/sys/fs/file-max
ulimit -n 64000
# stop source routing
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do echo 0 > $i done
# enable reverse-path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter
do echo 1 > $i done
##### End DoS Prevention #####
12. Edit /etc/logrotate.conf for the proper settings (compress, etc).
13. Edit /etc/sysctl.conf and change kernel.sysrq to equal 1:
# Enables the magic-sysrq key
kernel.sysrq = 1
14. Edit hosts.{allow,deny}: You will need to configure the hosts files to meet the needs of each individual server. As a rule, only allow what you need from where you need it. The best thing to do is start off denying everything and allow only sshd and then add services as you go. For more information see "man 5 hosts_access".
15. Edit /etc/ssh/sshd_config:
Change "PermitRootLogin yes" to "PermitRootLogin no"
Change "Protocol 1,2" to "Protocol 2"
16. Reboot the machine:
sudo /sbin/shutdown -r now
17. Bask in the glory of an updated and secure Linux installation. :-)
原文地址 http://post.doit.wisc.edu/linux/secure.html 发表于: 2007-05-22 ,修改于: 2007-05-22 15:14,已浏览104次,有评论0条 推荐 投诉
- Securing a Default Install of RedHat Linux 8.0/9.0
- How to change the default run level of a RedHat 9.0 or Fedora Core Linux system
- Securing a Linux Server
- Redhat Linux install Eclipse
- how to change the default mode of a linux device
- Oracle install for redhat Linux
- Install MySql For Redhat Linux
- How to Install and Configure a VNC Server on RedHat Enterprise Linux (RHEL) 6
- The problem with install redhat linux
- OpenStack install for RedHAT linux(概述)
- Linux RedHat git install---github客户端配置
- A typical scenario of default slice layout
- Default initial value of a field
- Linux kernel 2.6.X, a method that repace of the default logo in Ubuntu 10.04
- Linux Tips: How to Quickly Bind a Range of IPs on RedHat Based Systems
- A complete guide to securing a website
- Pass4Sure Cisco CCSP 642-524 also called Securing Networks with ASA Foundation is a CCSP exam of Cisco company.
- [LINUX LIVE USB]How to Make a bootable USB Drive to Install Fedora instead of using a physical DVD
- Linux系统中增加Swap分区文件步骤方法
- RedHat Linux常见的日志文件和常用命令
- Linux操作系统的口令安全问题详细解析
- Linux必学60个命令文件处理
- linux系统安全详解
- Securing a Default Install of RedHat Linux 8.0/9.0
- Linux系统下应用知识大荟萃(一)
- 深入理解linux启动过程
- locale 详解(转载)
- linux系统主机安全配置!
- 我是个菜鸟
- ACM练习建议
- How Much Sleep Do I Need?
- Smart Snacking