Securing a Default Install of RedHat Linux 8.0/9.0

最新推荐文章于 2024-09-23 13:05:18 发布

chinalinuxzend

最新推荐文章于 2024-09-23 13:05:18 发布

阅读量714

点赞数

分类专栏： linux安全文章标签： redhat linux download dos delete filter

linux安全专栏收录该内容

98 篇文章 1 订阅

订阅专栏

原贴：http://blog.chinaunix.net/u/17030/showart_307034.html

Securing a Default Install of RedHat Linux 8.0/9.0

1. Log in as root.

2. Run /usr/sbin/visudo. Add yourself. We recommend you use this sudoers template.

3. Log out.

4. Log in as yourself.

5. Run sudo /usr/sbin/setup. Enter "System Services" and disable everything you don't need. This includes:

- apmd
- gpm
- isdn
- kudzu
- lpd
- nfslock
- pppoe
- pcmcia
- portmap
- rawdevices
- rhnsd

6. As root, edit /etc/ntp.conf to set NTP servers. You may wish to view our sample configuration file. Use the 'setup' utility to ensure that ntpd is starting at boot.

7. Edit /etc/issue & /etc/issue.net to say:

UNAUTHORIZED ACCESS PROHIBITED

8. Edit /etc/motd to look like this.

9. Install rhupdate:

A. lynx http://www.jjminer.org/rhupdate/

B. download the latest rhupdate

C. Expand the file:

tar -xzlf rhupdate-whatever.tar.gz

D. Install:

cd rhupdate-whatever/
./configure
sudo make install

E. delete that stuff

cd ..
rm -rf rhupdate-whatever*

10. Download and install updates:

A. Create a download directory

mkdir /tmp/updates

B. Download the updates

/usr/local/bin/rhupdate --download /tmp/updates --server mirror.services.wisc.edu --dir /mirrors/linux/distributions/redhat/updates/ --hash

C. Install the updates:

sudo rpm -Uvh /tmp/updates/*.rpm

D. Delete the updates:

rm -f /tmp/updates/*

11. Prevent some DoS-denial attacks. Add the following lines to the end of /etc/rc.d/rc.local:

##### Begin DoS Prevention #####
# shut some DoS stuff down
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# increase the local port range
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range

# increase the SYN backlog queue
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog

echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

echo 64000 > /proc/sys/fs/file-max

ulimit -n 64000

# stop source routing
for i in /proc/sys/net/ipv4/conf/*/accept_source_route

do

echo 0 > $i

done

# enable reverse-path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter

do

echo 1 > $i

done

##### End DoS Prevention #####

12. Edit /etc/logrotate.conf for the proper settings (compress, etc).

13. Edit /etc/sysctl.conf and change kernel.sysrq to equal 1:

# Enables the magic-sysrq key
kernel.sysrq = 1

14. Edit hosts.{allow,deny}: You will need to configure the hosts files to meet the needs of each individual server. As a rule, only allow what you need from where you need it. The best thing to do is start off denying everything and allow only sshd and then add services as you go. For more information see "man 5 hosts_access".

15. Edit /etc/ssh/sshd_config: