We have a fresh install of CentOS 5.6 with Virtualmin on it, and nothing else. What security measures would you recommend?
http://www.wiredtree.com/supportservices/servershield.php
I think this page summarizes the checklist well. Which of these steps need to be carried out? Or do you have better suggestions than these hardening measures:
(DDoS and brute-force protection in particular seem to be a concern)
Firewall Protection:
- APF – Configure both ingress and egress firewall protection.
- BFD – Detect and prevent brute force attacks.
- cPHulk – Detect and prevent brute force attacks.
HTTP Intrusion and DoS Protection:
- mod_security – Install and configure mod_security for Apache with an auto-updating ruleset.
- mod_evasive – Install and configure DoS, DDoS, and brute force detection and suppression for Apache.
- PHP Suhosin – PHP hardening through the Hardened PHP Project. Available on request.
Server Hardening:
- Disable IP Source Routing – Enable protection against IP source route attacks.
- Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
- Enable syncookie protection – Enable protection against TCP SYN flood attacks.
- Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
- Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
- Harden Apache – Prevent module and version disclosure.
- Harden SSH – Allow only SSH version 2 connections.
- Harden named – Enable protection against DNS recursion attacks.
- Ensure Filesystem Permissions – Fix permissions on world-writable directories and protect against directory-traversal attacks.
- Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
- Harden "fetching" utilities – Allow root-only access to wget, curl, and other utilities often used in web-based attacks.
- Remove unnecessary packages – Remove RPMs which are not needed, to reduce potential vulnerabilities and free up disk space.
- Disable unused services – Disable services which are not used.
- Disable unneeded processes – Disable processes which are not needed for server operation.
- PAM Resource Hardening – Protect against exploits which use core dumps and against user resource exhaustion through fork bombs and other shell attacks.
- PHP Hardening – Enable open_basedir protection.
Security Audits:
- Rootkit Hunter – Nightly scan to detect system intrusions.
- chkrootkit – Nightly scan to detect system intrusions.
- Nobody Process Scanner – Scans for unauthorized "nobody" processes.
Answer 1
This question is very broad, and my first answer may sound rude:
Get rid of Virtualmin!
Please don't misunderstand me, but the possibility of opening a few doors with just a few clicks points straight at the biggest security concern: the subject between the keyboard and the chair.
If you want a secure setup, you should:
- install only what you need
- run only what you need, and configure it properly
- check the security advisories for all the software you install
- if that applies to you, be sure to check the "paranoid" section of the software's documentation
- try to use the technologies that may already be installed (AppArmor, SELinux)
If you have a large automated security stack that you don't understand at all, you are probably at greater risk of being hacked than with a small stack that you really know.
The most common mistakes in hosting environments are in the web apps and the db (connection) settings. Take good care of Joomla and friends, and make your database listen only on localhost. Always use the strictest settings possible. For example: avoid chmod 777, and read your logs. Use Nagios to monitor the machine. Stay alert.
I'm sure you will find help here for specific cases. In many cases, "secure setup [OS] [application]" will give useful results on the search engine of your choice.
Answer 2
Besides forcing SSH to version 2 only, don't forget to disable root login, and ideally disable password login and force key-based authentication. Changing SSH's default port is also a good idea.
For the firewall, make sure the default policy of each rule set is deny, and then add specific allow rules that accept.
We also use DenyHosts to ban known attackers or machines with too many failed login attempts.
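As an added example (not code from the thread or from Virtualmin), the following POSIX sh script reads an sshd_config and reports which of the SSH settings recommended in the answer above are not in place; the file path and the directive names checked are the only assumptions, and the script only reads the file.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config against
# the advice above (protocol 2 only, no root login, key-based auth instead of
# passwords, non-default port). Read-only; the caller supplies the file path.

# Effective value of a directive. sshd uses the FIRST uncommented occurrence
# of a keyword, so later duplicates are ignored here as well. Match blocks
# (OpenSSH 4.4+) are not handled: directives inside them are treated as global.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print every deviation from the hardened values; return 0 when all pass.
# Accepted values are separated by "|" (PermitRootLogin may be "no" or
# "without-password", which still forbids password logins for root).
# ChallengeResponseAuthentication is included because with UsePAM yes, PAM
# keyboard-interactive can still prompt for a password when it is left on.
check_sshd_config() {
    cfg=$1
    rc=0
    for spec in "Protocol=2" \
                "PermitRootLogin=no|without-password" \
                "PasswordAuthentication=no" \
                "ChallengeResponseAuthentication=no" \
                "PubkeyAuthentication=yes"; do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(sshd_value "$cfg" "$key")
        case "|$want|" in
            *"|$got|"*) ;;                 # an accepted value was found
            *) [ -n "$got" ] || got="(unset, compiled-in default applies)"
               echo "FAIL $key: found '$got', expected one of '$want'"
               rc=1 ;;
        esac
    done
    # A non-default port only hides sshd from naive scanners: warn, do not fail.
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WARN Port: sshd listens on 22; the answer above suggests changing it"
    fi
    return $rc
}

# Run directly against a file: sh check_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    check_sshd_config "$1"
fi
```

Remember that the shell script checks the configuration file only; restart sshd after editing it and keep an existing session open until a key-based login has been confirmed to work.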
Answer 3
If you don't understand how to configure Apache, then you shouldn't be the person responsible for making security decisions.