Stop all unwanted services
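#chkconfig --list | grep '3:on'
#chkconfig cups off
#chkconfig postfix off
#chkconfig atd off
#chkconfig ip6tables off
#chkconfig lvm2-monitor off
#chkconfig mdmonitor off
#chkconfig rpcidmapd off
#chkconfig nfslock off
#chkconfig mcelogd off
#chkconfig xinetd off
#chkconfig inetd off
(chkconfig only changes what starts at the next boot; stop a service that is already running with "service <name> stop". Turn ip6tables off only if IPv6 itself is disabled on the host, otherwise IPv6 traffic is left unfiltered.)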
Remove all unwanted packages
#rpm -e <package-name>
Disable Root login
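#vi /etc/ssh/sshd_config
PermitRootLogin no
#service sshd restart
(Before restarting sshd, confirm that the sudo-capable account created in the next step can log in, and check the edited file with "sshd -t".)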
Create a service account with Sudo Access
- Create a service account
#useradd <account-name>
#passwd <account-name>
(provide a strong password)
- Provide sudo access to the service account. In this case I have given it full root access; where the account only needs a few commands, list those instead of ALL.
#visudo
lbadmin ALL=(ALL) ALL
Disable alt+ctrl+del key switch for reboot
#vi "/etc/init/control-alt-delete.conf"
Comment out both lines with a leading #:
#start on control-alt-delete
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
Allow ssh access only from specific subnets or IP address
#vi /etc/hosts.allow
sshd: <allowed-subnet-or-IP>
#vi /etc/hosts.deny
sshd: ALL
Restrict access to server for specific subnet.
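# Generated by iptables-save v1.4.7 on Fri Jun 12 15:39:00 2015
# Each rule is kept on a single line, as iptables-restore requires.
# These rules cover IPv4 only; IPv6 needs its own ip6tables ruleset unless
# IPv6 is disabled on the host.
*filter
# All three chain policies are ACCEPT: inbound filtering depends entirely on
# the closing REJECT rules, so flushing the chains leaves the host open.
:INPUT ACCEPT [75:5272]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [68:5268]
# Return traffic for connections this host already has open.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# NOTE(review): SSH is accepted from any source address. To limit it to a
# management subnet, add a source match to this rule: -s <MGMT_SUBNET_CIDR>
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# HTTP and HTTPS are open to every source.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# NTP. The OUTPUT policy is already ACCEPT, so the two OUTPUT rules below
# do not change what is allowed out.
-A OUTPUT -p udp --dport 123 -j ACCEPT
# NOTE(review): the two INPUT rules below match on the source port alone,
# which the remote sender chooses, so any packet sent from port 123 is
# accepted on every local port. Replies to this host's own NTP queries are
# presumably already matched by the ESTABLISHED,RELATED rule above; confirm
# and then consider removing both --sport rules.
-A INPUT -p udp --sport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 123 -j ACCEPT
-A INPUT -p tcp --sport 123 -j ACCEPT
# Everything not accepted above is rejected.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT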
Set iptables to start at reboot
#chkconfig iptables on
Apply the new iptables rules by running the command below (use "restart" instead if iptables is already running)
#service iptables start
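Check that every account has a password set. No account should allow password-less login.
grep -v ':x:' /etc/passwd
(This lists accounts whose password field is not stored in /etc/shadow. To find accounts with an empty password in the shadow file, also run: awk -F: '($2 == "") {print $1}' /etc/shadow)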