Hardening Linux System Security (2)
……
Add or modify the following lines:
*  hard  core   0       # disable creation of core files
*  hard  rss    5000    # cap memory use at 5 MB for every user except root
*  hard  nproc  20      # limit each user to at most 20 processes
vi /etc/pam.d/login
=================================================
……
session required /lib/security/pam_limits.so
# add the line above at the end of the file
7. Log out idle sessions automatically
vi /etc/profile
===================================================
……
HOSTNAME=`/bin/hostname`
HISTSIZE=1000   # number of history entries kept; the smaller the better
TMOUT=300       # add this line: bash logs the session out after five minutes without any activity
8. Secure the /etc/securetty file
vi /etc/securetty
====================================================
tty1
#tty2
……
#tty11   # comment out every tty in the default contents except tty1, so root can log in only on the tty1 terminal
9. Ignore external ping requests to reduce exposure to attack
vi /etc/rc.d/rc.local
====================================================
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# adding the line above stops the system from answering any external ping request
10. Limit the display of system version information
When a user logs in to a Linux system, the system announces the Linux distribution version, the kernel version and the server's hostname.
vi /etc/rc.d/rc.local
=====================================================
Add the following inside it:
……
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
……
Then run the following commands:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
You can also handle a single service (telnet) on its own, for example by editing /etc/inetd.conf:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
This way, when a user telnets to the server, no system version information is shown; only "login:" appears.
11. Configure /etc/host.conf to prevent IP spoofing
vi /etc/host.conf
===================================================
……
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP Aliasing).
multi off
# Check for IP address spoofing.
nospoof on
IP Spoofing: IP-Spoofing is a security exploit that works by tricking
computers in a trust relationship that you are someone that you really aren't.
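The settings in sections 6 through 11 are easy to get wrong in ways that fail silently (a lowercase tmout is ignored by bash, a stray tty left active in securetty, the kernel knob reset after a reboot). The following read-only audit script is an added example and is not part of the original post; each check takes the file to inspect as an argument so it can be run against a copy or a fixture, and the default paths are the ones the post edits. Function names and the PASS/FAIL output format are this example's own.

```shell
#!/bin/sh
# Added example: audit the hardening settings described in the post.
# Every check returns 0 when the setting is in place and 1 otherwise.

# Section 6: limits.conf must set "* hard core 0" so no user can create core files.
check_core_limit() {
    file="${1:-/etc/security/limits.conf}"
    grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' "$file"
}

# Section 7: the idle timeout must be spelled TMOUT (bash ignores "tmout")
# and be at most 300 seconds, the value the post uses.
check_tmout() {
    file="${1:-/etc/profile}"
    # Take the last uncommented TMOUT assignment, with or without "export".
    val=$(sed -n 's/^[[:space:]]*\(export[[:space:]]*\)\{0,1\}TMOUT=\([0-9]*\).*/\2/p' "$file" | tail -n 1)
    [ -n "$val" ] && [ "$val" -gt 0 ] && [ "$val" -le 300 ]
}

# Section 8: tty1 must be the only active (non-comment, non-blank) line.
check_securetty() {
    file="${1:-/etc/securetty}"
    active=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$')
    [ "$active" = "tty1" ]
}

# Section 9: the live kernel knob must read 1; a fixture path may be passed.
check_icmp_ignore() {
    file="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    [ "$(cat "$file" 2>/dev/null)" = "1" ]
}

# Section 10: the login banner must not leak the kernel release.
check_issue() {
    file="${1:-/etc/issue}"
    ! grep -qi 'kernel' "$file"
}

# Section 11: host.conf must contain "nospoof on" (presence only; this does
# not prove the installed resolver honours the option).
check_hostconf() {
    file="${1:-/etc/host.conf}"
    grep -Eq '^[[:space:]]*nospoof[[:space:]]+on[[:space:]]*$' "$file"
}

# Run every check against the default paths and report each result.
run_audit() {
    rc=0
    for check in check_core_limit check_tmout check_securetty \
                 check_icmp_ignore check_issue check_hostconf; do
        if "$check"; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
    done
    return "$rc"
}

# Usage: sh audit.sh --audit   (exit status 1 if any check fails)
case "${1:-}" in --audit) run_audit ;; esac
```

Run it as root after applying the post's changes and again after a reboot: a FAIL on check_icmp_ignore after rebooting means the echo line in rc.local did not take effect, and the persistent alternative is to set net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf. Note that ignoring all echo requests also blinds legitimate monitoring that relies on ping, so weigh that against the benefit before enabling it.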
