/hvaonline/posts/list/12.html JForum - http://www.jforum.net

- use only Linux - use shadow password (Run pwconv as root) - setup LILO password - keep your Linux up-to-date - subscribe to bugtrack mailling liste - read the Linux Administrator Security Guide LASG and Securing-Optimizing-Linux-RH-Edition - Remove the services you don't use (don't forget inetd services in /etc/inetd.conf) - Replace inetd by xinetd Convert your old information: itox -t /usr/sbin/ < /etc/inetd.conf > /etc/xinetd.conf Update your /etc/hosts.allow to reflect service name and not binary name. - Your default policy must be deny (ALL:ALL in /etc/hosts.deny) - Setup a firewall with a default deny policy NetFilter - Use OpenSSH instead of telnet and configure it correctly (no X forwarding in client, limit simultaneous connection for your server) If you use Winx, you can get PuTTY, free win32 telnet/ssh client - Configure your servers to run as non root (Squid,Mysql,Apache,IPLog,Bind,PostFix...) - If you run an X server with XDM/KDM/GDM, use the last version of XFree server with Xwrapper and deny XDMCP: XDM, KDM : /etc/X11/xdm/Xaccess GDM : look for [security] and [xdmcp] in /etc/X11/gdm/gdm.conf - Chrooted BIND/DNS servers - IPLog: TCP/IP traffic logger - Nessus: Remote Security Scanner Use the option "-a 127.0.0.1" to only listen to loopback interface - Use PostFix instead of Sendmail Important parameters in main.cf are mydestination and relay_domains smtpd_banner = $myhostname ESMTP $mail_name - Use ProFTPD instead of Wu-FTPD To protect your Linux, In /etc/proftpd.conf, set SyslogFacility AUTH ExtendedLog /var/log/ftp.log AUTH ServerIdent Off - Restrict crontab users with /etc/cron.allow - NMAP port scanner The password cracker John The Ripper is avaible at http://www.openwall.com/john/. ---------------------------------- Chú ý: không phải server nào cũng get root được... chỉ 1 số ít server mới có thể bị get root......... ---------------------------------- ]]> /hvaonline/posts/list/957.html#3688 /hvaonline/posts/list/957.html#3688 GMT