ياليت احد يساعدنا
ويعطينا رايه من الخبراء
should be added to the file right above it, using whatever shell editor you choose (vi, pico, etc).
in /etc/sysctl.conf, add
كود:
# disable packet forwarding
net.ipv4.ip_forward = 0
# enable source route verification
net.ipv4.conf.all.rp_filter = 1
# ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable syn cookies
net.ipv4.tcp_syncookies = 1
# size of syn backlog
net.ipv4.tcp_max_syn_backlog = 512
# disable automatic defragmentation
# set max files
fs.file-max = 32768
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
What does this do?
This sets a variety of code for the linux OS to use itself. It tells the system to ignore pings, icmp, enable SYN protection, disable network forwarding and more.
Please note
After doing this, you will need to restart your network (generally rebooting the server works fine).
in /etc/rc.local, add
كود:
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 >
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 >
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This does much of the same thing as the above, it's more repetitive, but it's another layer of 'security' as it were. ICMP is denied, broadcasts denied, tcp syn is denied.
in /etc/host.conf, the following is added (if it doesn't exist already)
كود:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The comments are quite clear on this one. The first uses bind, then hosts to lookup domain names. The second says we have machines with multiple ip addresses (in many cases it's important). The third (somewhat) prevents individuals from "spoofing" an ip address and hitting up your server.
In /etc/hosts.deny, the following line is added:
More "spoof" protection there.
From there, it's time for the firewall. The firewall is the most important thing to a linux server. Without it, you can be literally killed. With it, you are somewhat defended and protected. While no good firewall will fully protect a Linux server, it's an extra layer of security, which is a very good thing.
Personally, I use APF which maintains a decent ballance between blocking ports you don't want accessed and limiting traffic. There's also a wonderful attempt at a ddos protection system in place there. While (again) no ddos protection can work on a TRUE ddos, it'll stop a number of attacks.
From there, it's time for the kernel. Look around for a tutorial on kernels. You can either custom compile the kernel (not recommended unless you're highly familliar with Linux) or use an RPM (or whatever package system you're using).
Compiling a kernel is NOT recommended on non local machines. Why? Because if you screw something up, you have no chance at hitting that power down button, starting up in single user mode and recompiling it. You have to wait for the datacenter to respond to the ticket, which (usually) is slow and very costly.
There are a variety of other (personal) configuration changes that I make to applications, to prevent them from overloading, such as:
proftpd:
in /etc/proftpd.conf, I add:
كود:
TimeoutIdle 600
TimeoutNoTransfer 600
TimeoutLogin 300
MaxInstances 30
MaxClientsPerHost 2
at the top. This is pretty much self explanatory
for mysql:
in /etc/my.cnf (or wherever my.cnf is located)
كود:
[mysqld]
port = 3306
skip-locking
set-variable = max_connections=100
set-variable = max_user_connections=20
set-variable = key_buffer=16M
set-variable = join_buffer=4M
set-variable = record_buffer=4M
set-variable = sort_buffer=6M
set-variable = table_cache=1024
set-variable = myisam_sort_buffer_size=32M
set-variable = interactive_timeout=100
set-variable = wait_timeout=100
set-variable = connect_timeout=10
set-variable = thread_cache_size=128
And finally, in /etc/rc.local, I add:
كود:
TMOUT=180
export TMOUT
at the bottom. This logs everyone off if they're idle for more than 3 minutes. Adjust that at will, it goes by seconds, so say 300 seconds would be 5 minutes, 600 would be 10 minutes idle, etc.
There's a number of other security tricks that I use , such as:
limiting ssh access
in /etc/hosts.deny
in /etc/hosts.allow
كود:
sshd: host.ip.number.1,host.ip.number.2,etc