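We have a clean CentOS 5.6 setup with Virtualmin, and nothing more. What kinds of security steps do you think are appropriate?
I think this page, http://www.wiredtree.com/supportservices/servershield.php, has a good summary checklist. Which of these steps need to be carried out? Or do you have better suggestions than these security hardening steps:
(Protection against DDoS and brute-force attacks in particular seems to be a concern)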
Firewall Protection:
APF – Configure both ingress and egress firewall protection.
BFD – Detect and prevent brute force attacks.
CPHulk – Detect and prevent brute force attacks.
HTTP Intrusion and DOS Protection:
Mod_security – Install and configure mod_security for Apache with auto-updating ruleset.
Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache.
PHP SuHosin – PHP Hardening through the Hardened PHP Project. Available on request.
Server Hardening:
Disable IP Source Routing – Enable protection against IP source route attacks.
Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
Enable syncookie protection – Enable protection against TCP Syn Flood attacks.
Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
Harden Apache – Prevent module and version disclosure information.
Harden SSH – Allow only SSH version 2 connections.
Harden Named – Enable protection against DNS recursion attacks.
Ensure Filesystem Permissions – Fix permission on world writable directories and prevent against directory-transversal attacks.
Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
Harden “fetching” utilities - Allows root-only access of wget, curl, and other utilities often used in web-based attacks.
Remove unnecessary packages – removes RPMS which are not needed to prevent against potential vulnerabilities and free up disk space.
Disable unused services – Disable services which are not used.
Disable unneeded processes – Disable processes which are not needed for server operation.
PAM Resource Hardening – Protects against exploits which use core dumps and against user resource exhausting through fork bombs and other shell attacks.
PHP Hardening – Enable OpenBaseDir protection.
Security Audits:
Rootkit Hunter – Nightly scan to detect system intrusions.
Chkrootkit – Nightly scan to detect system intrusions.
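Nobody Process Scanner – Scans for unauthorized "nobody" processes.
Posted on 2011-04-23 14:08:14
This is a very broad question, and my first answer may sound rude:
Remove Virtualmin!
Please don't get me wrong, but the possibility of opening some doors points directly to the biggest security threat: the subject between keyboard and chair.
If you want a secure setup, you should:
If you have a big automated security stack that you don't understand at all, you are probably at greater risk of being hacked than if you have a small stack that you really know.
The biggest common mistakes in hosting environments are in the webapp and DB (connection) settings. Take good care of Joomla and friends, and let the DB listen only on localhost. Always use settings that are as restrictive as possible. For example: avoid chmod 777, read the logs. Monitor the machine with Nagios. Be paranoid.
I'm pretty sure you will find help here. In many cases, "secure install OS application" produces useful results on the search engine of your choice.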
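Posted on 2011-04-25 05:13:16
While forcing SSH to version 2, don't forget to disable root login, and preferably disable password logins and enforce key-based authentication. Also, changing SSH's default port is a very good idea.
For the firewall, make sure you set the default rule for each to deny, and then specifically add rules to accept.
We also use DenyHosts to ban known attackers or machines that have failed too many login attempts.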
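An added example, not part of any answer on this page: a small audit of an `sshd_config` against the four SSH settings recommended above (protocol 2 only, no root login, no password logins, non-default port). The function names, the sample config and the defaults table are assumptions made for this illustration; the defaults assume the OpenSSH generation shipped with CentOS 5, where `Protocol` falls back to `2,1` when unset.

```python
import re

# Constructed sample config: looks hardened at a glance, but is not.
# The second PermitRootLogin is ignored by sshd (first value wins).
SAMPLE = """\
Port 22
Protocol 2,1
PermitRootLogin no
passwordauthentication no
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

# Assumption: built-in values used when a keyword is absent (CentOS 5 era).
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "passwordauthentication": "yes"}
WANTED = {"protocol": "2", "permitrootlogin": "no",
          "passwordauthentication": "no"}

def parse(text):
    """Split a config into global settings, listen ports and Match overrides."""
    glob, ports, overrides, match = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            match = val
        elif match is not None:
            overrides.append((match, key, val))
        elif key == "port":
            ports.append(val)          # Port may repeat; every value is opened
        else:
            glob.setdefault(key, val)  # first value obtained wins
    return glob, ports or ["22"], overrides

def audit(text):
    """Return findings against the four recommendations in the answer."""
    glob, ports, overrides = parse(text)
    findings = [f"{k} is '{glob.get(k, DEFAULTS[k])}', want '{w}'"
                for k, w in WANTED.items() if glob.get(k, DEFAULTS[k]) != w]
    if "22" in ports:
        findings.append("sshd listens on default port 22")
    for cond, key, val in overrides:
        if key in WANTED and val != WANTED[key]:
            findings.append(f"Match {cond}: {key} is '{val}', want '{WANTED[key]}'")
    return findings
```

Running `audit(SAMPLE)` reports the `Protocol 2,1` fallback to SSH-1, the default port, and the `Match` block that quietly re-enables password logins for one user.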
Posted on 2011-04-25 05:37:45
If you don't know how to configure Apache, then you should not be the person responsible for making security decisions.
https://serverfault.com/questions/262761