Securing a Default Install of RedHat Linux 8.0/9.0

转载 2007年09月28日 02:15:00

Securing a Default Install of RedHat Linux 8.0/9.0

1. Log in as root.

2. Run /usr/sbin/visudo. Add yourself. We recommend you use this sudoers template.

3. Log out.

4. Log in as yourself.

5. Run sudo /usr/sbin/setup. Enter "System Services" and disable everything you don't need. This includes:

- apmd
- gpm
- isdn
- kudzu
- lpd
- nfslock
- pppoe
- pcmcia
- portmap
- rawdevices
- rhnsd

6. As root, edit /etc/ntp.conf to set NTP servers. You may wish to view our sample configuration file. Use the 'setup' utility to ensure that ntpd is starting at boot.

7. Edit /etc/issue & /etc/ to say:


8. Edit /etc/motd to look like this.

9. Install rhupdate:

A. lynx

B. download the latest rhupdate

C. Expand the file:

tar -xzlf rhupdate-whatever.tar.gz

D. Install:

cd rhupdate-whatever/
sudo make install

E. delete that stuff

cd ..
rm -rf rhupdate-whatever*

10. Download and install updates:

A. Create a download directory

mkdir /tmp/updates

B. Download the updates

/usr/local/bin/rhupdate --download /tmp/updates --server --dir /mirrors/linux/distributions/redhat/updates/ --hash

C. Install the updates:

sudo rpm -Uvh /tmp/updates/*.rpm

D. Delete the updates:

rm -f /tmp/updates/*

11. Prevent some DoS-denial attacks. Add the following lines to the end of /etc/rc.d/rc.local:

##### Begin DoS Prevention #####
# shut some DoS stuff down
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# increase the local port range
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range

# increase the SYN backlog queue
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog

echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo 64000 > /proc/sys/fs/file-max

ulimit -n 64000

# stop source routing
for i in /proc/sys/net/ipv4/conf/*/accept_source_route

echo 0 > $i

# enable reverse-path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter

echo 1 > $i

##### End DoS Prevention #####

12. Edit /etc/logrotate.conf for the proper settings (compress, etc).

13. Edit /etc/sysctl.conf and change kernel.sysrq to equal 1:

# Enables the magic-sysrq key
kernel.sysrq = 1

14. Edit hosts.{allow,deny}: You will need to configure the hosts files to meet the needs of each individual server. As a rule, only allow what you need from where you need it. The best thing to do is start off denying everything and allow only sshd and then add services as you go. For more information see "man 5 hosts_access".

15. Edit /etc/ssh/sshd_config:

Change "PermitRootLogin yes" to "PermitRootLogin no"

Change "Protocol 1,2" to "Protocol 2"

16. Reboot the machine:

sudo /sbin/shutdown -r now

17. Bask in the glory of an updated and secure Linux installation. :-)

发表于: 2007-05-22 ,修改于: 2007-05-22 15:14,已浏览104次,有评论0条 推荐 投诉


How to change the default run level of a RedHat 9.0 or Fedora Core Linux system

During the boot process for Redhat 9.0 and Fedora Core systems the init command opens the /etc/ini...
  • hhcjb
  • hhcjb
  • 2011-12-15 13:21
  • 309

Linux redhat 9.0 中挂载U盘的方法!

1、挂载U盘之前,运行命令cat /proc/partitions或者fdisk –l先看看系统有哪些分区;插上U盘后,再次运行上述命令,看看多出来什么分区(通常是sda1,如果是在虚拟机下安装,通常...

虚拟机VMware下安装RedHat Linux 9.0 图解


Redhat Linux 9.0 在vmware下,桥接不能上网的解决方法

Redhat Linux 9.0 在vmware下,桥接不能上网的解决方法   2009-08-07 12:20:52|  分类: CentOS |  标签: |字号大中小 订阅 ...

Windows XP SP3中用VMware6.5安装RedHat Linux 9.0上网详细设置(图文详解)

Windows XP SP3中用VMware6.5安装RedHat Linux 9.0上网详细设置(图文详解)


终于完成了redhat linux9.0的配置,对于大多数老手来说,可能是非常简单,但对于我们新手来说,我感觉还是有点复杂,所以,我想把我的配置过程详悉的写出来,希望对新手能有所帮助.   1.安装...

第二章 RedHat Linux 9.0的安装

一. RedHat Linux 9.0安装前准备 1. 硬件要求 CPU:Intel、ADM、VIA(133MHZ) 内存:最低(不安装X-WINDOWS)4M,X-WINDOWS 64M 硬...

在 VMware Workstation 上安装 Redhat Linux 9.0

在 VMware Workstation 上安装 Redhat Linux 9.0 1.下载Redhat Linux 9.0的光盘映像文件(共有三个) 2.在VM上新建虚拟机New V...

VMware安装RedHat Linux 9.0上网详细设置

1.先安装VMare 6.5再在这个虚拟机中安装RedHat Linux 9.0,为了能一步到位,请先关闭XP的内置防火墙,杀毒软件防火墙(瑞星,360等),Linux中的防火墙(开始-系统设置-系统...