Linux中国 Linux中国门户站!
设为主页 设为主页
收藏本站 收藏本站
 
当前位置 :首页 ->Linux技术 ->发行版专区 ->CentOS ->正文

使用Bastille完美加固CentOS Linux系统

来源:howtoforge 作者:treed  时间:2007-04-22 点击: [收藏] [投稿]


Would you like to deactivate the following of symbolic links? -> YES
Would you like to disable printing? -> YES
Would you like to install TMPDIR/TMP scripts? -> NO
Would you like to run the packet filtering script? -> YES

<ENTER>

Do you need the advanced networking options? -> NO
DNS Servers: [0.0.0.0/0] -> **LEAVE DEFAULT**
Public interfaces: -> eth+
TCP services to audit: -> telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh
UDP services to audit: -> 31337
ICMP services to audit: -> **BLANK**
TCP service names or port numbers to allow on public interfaces: -> 21 22 25 53 80 110 111 143 443 631 953 993 995 3306
UDP service names or port numbers to allow on public interfaces: -> **BLANK**
Force passive mode? -> YES
TCP services to block: -> 2049 2065:2090 6000:6020 7100
UDP services to block: -> 2049 6770
ICMP allowed types: -> destination-unreachable echo-reply time-exceeded
Enable source address verification? -> YES
Reject method: -> DENY
Interfaces for DHCP queries: -> **BLANK**
NTP servers to query: -> **BLANK**
ICMP types to disallow outbound: -> destination-unreachable time-exceeded
Should Bastille run the firewall and enable it at boot time? -> YES
Would you like to setup psad? -> YES
psad check interval: -> 15
Port range scan threshold: -> 1
Enable scan persistence? -> NO
Scan timeout: -> 3600
Show all scan signatures? -> NO
Danger Levels: -> 5 50 1000 5000 10000
Email addresses: -> root@localhost
Email alert danger level: -> 1
Alert on all new packets? -> YES
Enable automatic blocking of scanning IPs? -> NO
Should Bastille enable psad at boot time? -> YES
Are you finished answering the questions, i.e. may we make the changes? -> YES

<TAB>

 

Edit SSH Configuration

This will take an extra step to secure SSH. The following settings will:

  • ensure that SSHv2 is used
  • the root user cannot log on directly via SSH
  • accounts with no passwords will not be permitted to log in
  • a login banner will be displayed.

vi /etc/ssh/sshd_config

Edit the following lines and remove the remark. Do not forget to save and exit.

#Protocol 2,1 -> Protocol 2
#PermitRootLogin yes -> PermitRootLogin no
#PermitEmptyPasswords no -> PermitEmptyPasswords no
#Banner /some/path -> Banner /etc/issue

 

Reboot the system

Please reboot the system as a final check. Ensure everything starts properly.

reboot

原文链接:http://www.howtoforge.com/bastille_firewall_centos



 如果您对本文有任何疑问或者建议,请到讨论区发表您的意见: >> 论坛入口 <<

上一页 1 2下一页


上一篇:CentOS系统安装后的初始环境设置   下一篇:在CentOS 4.4上安装配置OpenVZ

文章评论】 【收藏本文】 【推荐好友】 【打印本文】 【我要投稿】 【论坛讨论
更多相关文章
·用SSH客户端软件登录到服务器
·CentOS下用OpenSSH构建SSH服务器
·入侵监测系统的构建(chkrootkit )
·在CentOS 4.4上安装配置OpenVZ
·使用Bastille完美加固CentOS Linux系统
·CentOS系统安装后的初始环境设置
·CentOS安装及初始环境设置
·CentOS4.4(32位)完美安装过程
·centos配置 apache、php、jdk、resin
·《社区企业操作系统》(CentOS (Community Enterp
推荐文章
·CentOS系统安装后的初始环境设置
·使用Bastille完美加固CentOS Linux
·在CentOS 4.4上安装配置OpenVZ
·《社区企业操作系统》(CentOS)4.3[I
·《社区操作系统》(CentOS 5)V5.0[IS
·CentOS下用OpenSSH构建SSH服务器
·《社区企业操作系统》(CentOS (Comm
·CentOS安装及初始环境设置
精彩文章
·在CentOS 4.4上安装配置OpenVZ
·CentOS下用OpenSSH构建SSH服务器
·centos配置 apache、php、jdk、resi
·使用Bastille完美加固CentOS Linux
·CentOS系统安装后的初始环境设置
·用SSH客户端软件登录到服务器
·入侵监测系统的构建(chkrootkit )
·《社区企业操作系统》(CentOS (Comm
·《社区操作系统》(CentOS 5)V5.0[IS
·CentOS安装及初始环境设置
·CentOS4.4(32位)完美安装过程
·《社区企业操作系统》(CentOS)4.3[I
Power by linux-cn.com 粤ICP备05006655号