Fading Coder

One Final Commit for the Last Sprint

Home > Tech > Content

Linux System Tuning for Security Protection 2

Tech May 10 2

1、Restrict NFS Access

NFS (Network File System) simplifies file sharing between services but poses security risks if access isn't restricted. To enhance security, configure the /etc/exports file to enforce read - only (ro) access and prevent root - level writes from clients (root_squash).

[root@ECS - PROXY ~] vim /etc/exports
/dir1/share 192.168.1.200 (ro, root_squash)
/dir2/share hostname (ro, root_squash)
  • /dir1/share and /dir2/share are the directories to share. Append the IP or domain (with DNS resolution) of the accessing host. ro sets read - only access, and root_squash blocks client - side root users from writing. After editing, reload the configuration with:
[root@ECS - PROXY ~] exportfs -ra

2、Disable ICMP Echo Responses

Blocking ICMP (ping) responses boosts security by:

  • Hiding online status: No ping responses mean no information about system availability is leaked.
  • Preventing network scans: Attackers often use ping to identify active hosts for further attacks.
  • Reducing service info leakage: ICMP responses won't reveal OS details.
  • Mitigating DDoS risks: Avoids ping - flood - style attacks.

To disable responses, add to /etc/sysctl.conf:

[root@ECS - PROXY ~] echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
[root@ECS - PROXY ~] sysctl -p /etc/sysctl.conf

3、Change SSH Port

The default SSH port (22) is a target for automated attacks. Changing it reduces scan risks. Edit /etc/ssh/sshd_config:

[root@ECS - PROXY ~] vim /etc/ssh/sshd_config
Port 10022

Restart SSH:

[root@ECS - PROXY ~] systemctl restart sshd

Now use ssh -p 10022 <IP> to connect.

4、Set GRUB Password

GRUB menus allow boot - time modifications (e.g., rescue mode). A password prevents unauthorized root - password resets. Use grub2 - setpassword:

[root@ECS - PROXY ~] /sbin/grub2 - setpassword
Enter password: 
Confirm password: 
[root@ECS - PROXY ~] vim /boot/grub2/user.cfg
# Contains the hashed password

To remove the password, delete /boot/grub2/user.cfg.

5、Limit User Resources

/etc/security/limits.conf restricts resource usage (e.g., file descriptors, file size). Configure soft (warning) and hard (enforced) limits:

[root@ECS - PROXY ~] vim /etc/security/limits.conf
root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 10000

This prevents resource - exhaustion attacks (e.g., fork bombs).

Tags: LinuxSystem Tuning
Back to List

Prev: Efficient Linux System Backup and Restoration Using Tar Archives

Next: Essential Linux Commands and System Fundamentals

Related Articles

Understanding Strong and Weak References in Java

Strong References Strong reference are the most prevalent type of object referencing in Java. When an object has a strong reference pointing to it, the garbage collector will not reclaim its memory. F...

Comprehensive Guide to SSTI Explained with Payload Bypass Techniques

Introduction Server-Side Template Injection (SSTI) is a vulnerability in web applications where user input is improper handled within the template engine and executed on the server. This exploit can r...

Implement Image Upload Functionality for Django Integrated TinyMCE Editor

Django’s Admin panel is highly user-friendly, and pairing it with TinyMCE, an effective rich text editor, simplifies content management significantly. Combining the two is particular useful for bloggi...

Leave a Comment

Anonymous

◎Feel free to join the discussion and share your thoughts.

Copyright © fadingcoder.top