At install time, install the minimum set of services and components, and avoid installing a compiler if at all possible.
1 Turn off every service that is not needed. Script:
chkconfig xinetd off
# Walk the SysV service list; only "name  0:..." lines are real services,
# which skips the "xinetd based services:" header and its indented entries.
for name in $(chkconfig --list | awk '/^[^ \t]+[ \t]+0:/ { print $1 }')
do
    case "$name" in
        sshd|syslog|network|iptables|snmpd541|crond) ;;   # keep these running
        *)  echo "$name" >> chkconfig.info                 # record what was disabled
            chkconfig "$name" off ;;
    esac
done
Turn the required services back on:
chkconfig yum-updatesd on
chkconfig sshd on
chkconfig syslog on
chkconfig network on
chkconfig iptables on
chkconfig vsftpd on
chkconfig xinetd on
chkconfig snmpd541 on
chkconfig named on
chkconfig --level 5 xfs on
2 Delete all unnecessary users and groups, and change the shell of accounts that should not be able to log in
userdel mail
userdel news
userdel uucp
userdel games
userdel mailnull
userdel gopher
groupdel mail
groupdel news .....
Change the shell to /sbin/nologin, as in this /etc/passwd entry:
ricci:x:102:103::/var/lib/ricci:/sbin/nologin
3 Configure the firewall:
apt-get remove ufw -y    (Ubuntu only: ufw is too weak, and I neither want nor need to spend time learning it.)
cat /etc/sysconfig/iptables    (CentOS; on Ubuntu: /etc/iptables.rules)
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#accept 10.0.4.x clu ok
-A RH-Firewall-1-INPUT -s 10.0.4.0/24 -j ACCEPT
#accept any to my 80
#-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901:5903 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -j REJECT
-A OUTPUT -j ACCEPT
COMMIT
4 Upgrade
yum update; yum check-update; yum upgrade -y    (AS5 / CentOS 3/4/5)
up2date -u    (AS2/3/4)
apt-get update; apt-get dist-upgrade; apt-get upgrade    (Ubuntu)
5 Harden ssh and ftp
Build and install the latest stable ssh release, then edit its configuration file: vi /etc/ssh/ssh
Change the line #Protocol 2,1 to Protocol 2
Edit the vsftpd configuration file: vi /etc/vsftpd/vsftpd.conf
Change the line anonymous_enable=YES to anonymous_enable=NO
After the chroot line, add the line: chroot_local_user=YES
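An added audit script (not part of the original post) for steps 1, 2 and 5 above: it parses chkconfig --list output while skipping the indented xinetd entries, lists accounts that still have a login shell, and checks the sshd Protocol and vsftpd directives. The sample files, the keep list and the temp directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the settings the post
# hardens in steps 1, 2 and 5. Every function reads a file given as $1, so
# it can run on live files or on the constructed samples at the bottom.

# Step 1: from "chkconfig --list" output, print services still on at
# runlevel 3 that are not in the space-separated keep list ($2). Only
# "name  0:..." lines are services; the indented xinetd entries are skipped.
unexpected_services() {
    awk -v keep=" $2 " '
        /^[^ \t]+[ \t]+0:/ && $5 == "3:on" && index(keep, " " $1 " ") == 0 { print $1 }
    ' "$1"
}

# Step 2: print accounts whose shell still permits login.
login_shells() {
    awk -F: '$7 !~ /\/(sbin\/)?nologin$/ && $7 != "/bin/false" { print $1 }' "$1"
}

# Step 5 (ssh): the last active Protocol directive must be exactly "2".
sshd_protocol2() {
    awk 'tolower($1) == "protocol" { p = $2 } END { if (p == "2") exit 0; exit 1 }' "$1"
}

# Step 5 (ftp): anonymous logins off and local users chrooted.
vsftpd_hardened() {
    grep -qx 'anonymous_enable=NO' "$1" && grep -qx 'chroot_local_user=YES' "$1"
}

# Constructed sample inputs (not copied from any real system).
TMP=$(mktemp -d)
cat > "$TMP/chkconfig" <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:          off
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ricci:x:102:103::/var/lib/ricci:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/sh
EOF
printf '#Protocol 2,1\nProtocol 2\n' > "$TMP/sshd_config"
printf 'anonymous_enable=NO\nchroot_local_user=YES\n' > "$TMP/vsftpd.conf"

unexpected_services "$TMP/chkconfig" "sshd syslog network iptables snmpd541 crond"
login_shells "$TMP/passwd"
sshd_protocol2 "$TMP/sshd_config" && vsftpd_hardened "$TMP/vsftpd.conf" && echo "ssh/ftp OK"
```

On the samples above the audit reports cups as an unexpected service and root and games as accounts that can still log in.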
6 AMP (Apache, MySQL, PHP) security
Build and install the latest stable versions from source, leaving out unneeded or unused modules at compile time.
For PHP, enable safe mode, disable the system-call functions, and restrict the directories from which PHP may execute files.
After installing MySQL, delete the test account and remove MySQL's non-local access privileges.
7 Mark files or directories that must not change as immutable.
8 reboot