
Perfectly Hardening a CentOS Linux System with Bastille

Author: treed    Source: howtoforge    Date: 2007-04-22


This article shows how to secure a CentOS server using psad, Bastille, and some other tweaks. psad is a tool that helps detect port scans and other suspicious traffic, and the Bastille hardening program locks down an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise.

Create an additional account for Systems Administration

The "adduser" command will create an account.

adduser service

The "passwd" command will set the password for the "service" account.

passwd service

 

Creating a directory for downloads.

This will create a directory to download the RPMs and other files.

mkdir /downloads
cd /downloads

 

Installing PSAD

psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze Netfilter log messages to detect port scans and other suspicious traffic. More information can be found here.

wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
rpm -Uvh psad-1.4.6-1.i386.rpm
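
To make the idea of detecting a port scan from Netfilter log messages concrete, here is an added example (not part of the original article and not psad's own algorithm): it counts distinct destination ports per source address in iptables LOG lines. The log lines, addresses and threshold are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: simplified port-scan detection from Netfilter LOG lines.
# NOT psad's algorithm; log lines and threshold are constructed.

# Constructed sample of iptables LOG output (documentation address ranges).
sample_log() {
cat <<'EOF'
Apr 22 10:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=21 SYN
Apr 22 10:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 SYN
Apr 22 10:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=23 SYN
Apr 22 10:00:02 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Apr 22 10:00:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=25 SYN
Apr 22 10:00:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=80 SYN
Apr 22 10:00:03 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80 SYN
Apr 22 10:00:03 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=110 SYN
EOF
}

# Read log lines on stdin and print "SRC distinct_port_count" for every
# source that touched at least THRESHOLD distinct destination ports.
scan_suspects() {
    threshold=$1
    awk -v t="$threshold" '
        {
            src = ""; dpt = ""
            # Netfilter LOG fields are KEY=VALUE tokens in no fixed column
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next      # not a TCP/UDP log line
            # Count each (source, port) pair once, so repeated hits on one
            # port (normal traffic) do not look like a scan.
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }
    ' | sort
}

# Dry run on the constructed sample with a threshold of 5 distinct ports.
sample_log | scan_suspects 5
```

On a live host the same function can be fed the kernel log, for example `grep 'IN=' /var/log/messages | scan_suspects 5`, provided an iptables LOG rule is in place.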

 

Installing Bastille

The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system's current state of hardening, granularly reporting on each of the security settings with which it works. More information can be found here.

wget http://easynews.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.0.9-1.0.noarch.rpm
wget ftp://ftp.icm.edu.pl/vol/rzm4/linux-dag/redhat/el4/en/i386/RPMS.dag/perl-Curses-1.12-1.2.el4.rf.i386.rpm

rpm -ivh Bastille-3.0.9-1.0.noarch.rpm
rpm -Uvh perl-Curses-1.12-1.2.el4.rf.i386.rpm

 

Running Bastille

This will start the interactive prompt.

/usr/sbin/bastille -c

 

Interactive prompt response

These settings are recommendations for the Perfect Setup install. Certain values may need to change if other software or packages have been installed.

accept

<ENTER>

Would you like to set more restrictive permissions on the administration utilities? -> YES

<ENTER>

Would you like to disable SUID status for mount/umount? -> YES
Would you like to disable SUID status for ping? -> YES
Would you like to disable SUID status for at? -> YES
Would you like to disable the r-tools? -> YES
Would you like to disable SUID status for usernetctl? -> YES
Would you like to disable SUID status for traceroute? -> YES
Should Bastille disable clear-text r-protocols that use IP-based authentication? -> YES
Would you like to enforce password aging? -> YES
Do you want to set the default umask? -> YES
What umask would you like to set for users on the system? -> 007
Should we disallow root login on tty's 1-6? -> NO
Should Bastille ask you for extraneous accounts to delete? -> NO
Would you like to password-protect the GRUB prompt? -> NO
Would you like to disable CTRL-ALT-DELETE rebooting? -> YES
Would you like to password protect single-user mode? -> NO
Would you like to set a default-deny on TCP Wrappers and xinetd? -> NO
Would you like to display "Authorized Use" messages at log-in time? -> YES
Who is responsible for granting authorization to use this machine? -> YOUR COMPANY NAME
Would you like to put limits on system resource usage? -> YES

<ENTER>

Should we restrict console access to a small group of user accounts? -> YES
Which accounts should be able to login at console? -> root
Would you like to set up process accounting? -> NO

<ENTER>

Would you like to disable acpid and/or apmd? -> YES
Would you like to disable PCMCIA services? -> YES
Would you like to disable GPM? -> YES
Would you like to deactivate the HP OfficeJet (hpoj) script on this machine? -> YES
Would you like to deactivate the ISDN script on this machine? -> YES
Would you like to deactivate kudzu's run at boot? -> YES
Do you want to stop sendmail from running in daemon mode? -> YES
Would you like to deactivate named, at least for now? -> NO
Would you like to deactivate the Apache web server? -> NO
Would you like to bind the Web server to listen only to the localhost? -> NO
Would you like to bind the web server to a particular interface? -> NO

<ENTER>
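
Once Bastille has applied its configuration, the answers above can be checked against the resulting system. The following audit is an added example (not part of the original article or of Bastille): it reports which of the binaries named above still carry the SUID bit and whether CTRL-ALT-DELETE rebooting is still active in /etc/inittab. The binary paths are assumptions for a CentOS 4-era layout, and the dry run uses a constructed directory tree rather than a real system.

```shell
#!/bin/sh
# Added example: post-hardening audit for the answers given above.
# Paths are assumptions for a CentOS 4-era layout; adjust as needed.
SUID_TARGETS="/bin/mount /bin/umount /bin/ping /usr/bin/at /usr/sbin/usernetctl /bin/traceroute"

# Print every target under ROOT that still carries the set-user-ID bit.
suid_still_set() {
    root=$1
    for p in $SUID_TARGETS; do
        # -u is true only if the file exists and its SUID bit is set
        if [ -u "$root$p" ]; then
            echo "$p"
        fi
    done
}

# Return 0 if an uncommented ctrlaltdel entry remains in ROOT/etc/inittab.
ctrlaltdel_enabled() {
    [ -f "$1/etc/inittab" ] && grep -Eq '^[^#]*:ctrlaltdel:' "$1/etc/inittab"
}

# Build a constructed sample tree (not a real system) for a dry run.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/usr/bin" "$root/usr/sbin" "$root/etc"
    for p in $SUID_TARGETS; do : > "$root$p"; chmod 0755 "$root$p"; done
    chmod 4755 "$root/bin/ping"          # simulate one binary left SUID
    echo '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now' > "$root/etc/inittab"
    echo "$root"
}

# Summarise findings for ROOT; returns non-zero when anything is left open.
audit() {
    rc=0
    left=$(suid_still_set "$1")
    if [ -n "$left" ]; then echo "SUID still set: $left"; rc=1; fi
    if ctrlaltdel_enabled "$1"; then echo "CTRL-ALT-DELETE reboot still enabled"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: SUID stripped, CTRL-ALT-DELETE disabled"
    return "$rc"
}

# Dry run against the constructed tree; on a live host run: audit ""
sample=$(make_sample_root)
audit "$sample" || true
rm -rf "$sample"
```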
