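We have a clean CentOS 5.6 setup with Virtualmin, and that's all. What types of security measures do you think are appropriate?
I think the checklist on this page, http://www.wiredtree.com/supportservices/servershield.php, is a good summary. Which of these steps need to be done? Or do you have better suggestions than this security hardening:
(DDoS and brute-force attack protection in particular seem to be an issue)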
Firewall Protection:
APF – Configure both ingress and egress firewall protection.
BFD – Detect and prevent brute force attacks.
CPHulk – Detect and prevent brute force attacks.

HTTP Intrusion and DOS Protection:
Mod_security – Install and configure mod_security for Apache with auto-updating ruleset.
Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache.
PHP SuHosin – PHP Hardening through the Hardened PHP Project. Available on request.

Server Hardening:
Disable IP Source Routing – Enable protection against IP source route attacks.
Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
Enable syncookie protection – Enable protection against TCP Syn Flood attacks.
Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
Harden Apache – Prevent module and version disclosure information.
Harden SSH – Allow only SSH version 2 connections.
Harden Named – Enable protection against DNS recursion attacks.
Ensure Filesystem Permissions – Fix permission on world writable directories and prevent against directory-transversal attacks.
Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
Harden “fetching” utilities – Allows root-only access of wget, curl, and other utilities often used in web-based attacks.
Remove unnecessary packages – removes RPMS which are not needed to prevent against potential vulnerabilities and free up disk space.
Disable unused services – Disable services which are not used.
Disable unneeded processes – Disable processes which are not needed for server operation.
PAM Resource Hardening – Protects against exploits which use core dumps and against user resource exhausting through fork bombs and other shell attacks.
PHP Hardening – Enable OpenBaseDir protection.

Security Audits:
Rootkit Hunter – Nightly scan to detect system intrusions.
Chkrootkit – Nightly scan to detect system intrusions.
Nobody Process Scanner – Scans for unauthorized "nobody" processes.
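This is a broad question, and my first answer may sound rude:
Remove Virtualmin!
Please don't get me wrong, but the ability to open certain doors with a few clicks leads directly to the biggest security threat: the subject between the keyboard and the chair.
If you want a secure setup, you should:
If you have a big automated security stack that you don't fully understand, you are probably at greater risk of being hacked than with a small stack that you really know.
The most common mistakes in hosting environments are in webapps and DB (connection) settings. Take good care of Joomla and friends, and let your database listen only on localhost. Use settings that are as restrictive as possible. For example: avoid chmod 777, read your logs. Monitor the machine with Nagios. Be paranoid.
I'm pretty sure you will find help here for specific cases. In many cases, "secure setup OS APPLICATION" will produce useful results in the search engine of your choice.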
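Besides forcing SSH version 2, don't forget to disable root login, and preferably disable password login and force key-based authentication. Also, changing the default port for SSH is a very good idea.
For the firewall, make sure you set its default rule to deny, and then add explicit allow rules for what should be accepted.
We also use DenyHosts to ban machines of known attackers, or machines that have failed login attempts.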
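The SSH settings from the answer above (protocol 2 only, no root login, no password login) can be checked against a config file with a short script. This is an added example, not part of the original answers; the function names, the sample config and the fallback defaults (those of older OpenSSH releases) are assumptions.

```sh
#!/bin/sh
# Added example: audit sshd_config for the SSH settings recommended above.
# Defaults are the assumed built-ins of older OpenSSH (as on CentOS 5).

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lower-cased.
# sshd honours the first occurrence of a keyword; keywords are
# case-insensitive; anything after a "Match" line is conditional and skipped.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, ""); sub(/=/, " ") }       # drop comments, allow key=value
        tolower($1) == "match" { exit }          # END still runs after exit
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# check FILE KEYWORD DEFAULT WANTED -> prints a verdict, returns 1 on mismatch.
check() (
    actual=$(sshd_value "$1" "$2" "$3")
    if [ "$actual" = "$4" ]; then
        echo "ok    $2 $actual"
    else
        echo "FAIL  $2 $actual (want $4)"
        exit 1
    fi
)

# audit_sshd_config FILE -> exit status is the number of failed checks.
audit_sshd_config() (
    failures=0
    check "$1" Protocol "2,1" 2               || failures=$((failures + 1))
    check "$1" PermitRootLogin yes no         || failures=$((failures + 1))
    check "$1" PasswordAuthentication yes no  || failures=$((failures + 1))
    exit "$failures"
)

# Constructed sample config (not from the page): duplicate and mixed-case keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#Protocol 2
protocol 2,1
PermitRootLogin no
PermitRootLogin yes
EOF
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a real server, point `audit_sshd_config` at `/etc/ssh/sshd_config`; a missing keyword is reported with the assumed default, which is why an absent `PasswordAuthentication` line counts as a failure.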
If you don't understand how to configure Apache, then you shouldn't be the one in charge of security decisions.