Ldfa, posted on 31 December 2019

Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources.

Control and configure Linux kernel and networking settings

sysctl.conf is a simple file containing sysctl values to be read in and set by sysctl.

    $ sudo vim /etc/sysctl.conf

    # Avoid a smurf attack
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # Turn on protection for bad icmp error messages
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    # Turn on syncookies for SYN flood attack protection
    net.ipv4.tcp_syncookies = 1
    # Turn on and log spoofed, source routed, and redirect packets
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1
    # No source routed packets here
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    # Turn on reverse path filtering
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    # Make sure no one can alter the routing tables
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    # Don't act as a router
    net.ipv4.ip_forward = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    # Turn on exec-shield
    kernel.exec-shield = 1
    kernel.randomize_va_space = 1
    # Tune IPv6
    net.ipv6.conf.default.router_solicitations = 0
    net.ipv6.conf.default.accept_ra_rtr_pref = 0
    net.ipv6.conf.default.accept_ra_pinfo = 0
    net.ipv6.conf.default.accept_ra_defrtr = 0
    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.default.dad_transmits = 0
    net.ipv6.conf.default.max_addresses = 1
    # Optimization for port use for LBs
    # Increase system file descriptor limit
    fs.file-max = 65535
    # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
    kernel.pid_max = 65536
    # Increase system IP port limits
    net.ipv4.ip_local_port_range = 2000 65000
    # Increase TCP max buffer size settable using setsockopt()
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.ipv4.tcp_wmem = 4096 87380 8388608
    # Increase Linux auto tuning TCP buffer limits
    # min, default, and max number of bytes to use
    # set max to at least 4MB, or higher if you use very high BDP paths
    # TCP windows etc
    net.core.rmem_max = 8388608
    net.core.wmem_max = 8388608
    net.core.netdev_max_backlog = 5000
    net.ipv4.tcp_window_scaling = 1

Reload the changes:

    # sysctl -p

Turn off the nginx version number display

To stop nginx displaying its version number on all auto-generated error pages, add the following in /etc/nginx/conf.d/default.conf:

    server_tokens off;

Limit Available Methods

If a web server does not require the implementation of all available methods, they should be disabled. The following will filter and only allow the GET, HEAD and POST methods:

    ## Only allow these request methods ##
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
    ## Do not accept DELETE, SEARCH and other methods ##

Controlling Buffer Overflow Attacks

Edit nginx.conf:

    $ sudo vim /etc/nginx/nginx.conf

Set the buffer size limitations for all clients:

    ## Start: Size Limits & Buffer Overflows ##
    client_body_buffer_size 1K;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;
    ## END: Size Limits & Buffer Overflows ##

client_body_buffer_size 1k – (default is 8k or 16k) The directive specifies the client request body buffer size.

client_header_buffer_size 1k – The directive sets the header buffer size for the request header from the client. For the overwhelming majority of requests a buffer size of 1K is sufficient. Increase this if you have a custom header or a large cookie sent from the client (e.g., a WAP client).

client_max_body_size 1k – The directive assigns the maximum accepted body size of a client request, indicated by the Content-Length line in the request header.
If the size is greater than the given one, the client gets the error “Request Entity Too Large” (413). Increase this when you are receiving file uploads via the POST method.

large_client_header_buffers 2 1k – The directive assigns the maximum number and size of buffers for large headers to read from the client request. By default the size of one buffer is equal to the page size, which depending on the platform is either 4K or 8K; if at the end of the request the connection converts to the keep-alive state, these buffers are freed. 2x1k will accept a 2kB data URI. This will also help combat bad bots and DoS attacks.

Control timeouts to improve server performance:

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 5 5;
    send_timeout 10;
    ## End: Timeouts ##

client_body_timeout 10; – The directive sets the read timeout for the request body from the client. The timeout is set only if the body is not received in one read step. If after this time the client sends nothing, nginx returns the error “Request time out” (408). The default is 60.

client_header_timeout 10; – The directive assigns the timeout for reading the client request header. The timeout is set only if the header is not received in one read step. If after this time the client sends nothing, nginx returns the error “Request time out” (408).

keepalive_timeout 5 5; – The first parameter assigns the timeout for keep-alive connections with the client. The server will close connections after this time. The optional second parameter assigns the time value in the Keep-Alive: timeout=time header of the response. This header can convince some browsers to close the connection, so that the server does not have to. Without this parameter, nginx does not send a Keep-Alive header (though this is not what makes a connection “keep-alive”).

send_timeout 10; – The directive assigns the response timeout to the client.
The timeout is established not on the entire transfer of the answer, but only between two read operations; if after this time the client takes nothing, nginx shuts down the connection.

Nginx And PHP Security Tips

Edit /etc/php.ini as follows:

    ; Disallow dangerous functions
    disable_functions = phpinfo, system, mail, exec
    ;; Try to limit resources ;;
    ; Maximum execution time of each script, in seconds
    max_execution_time = 30
    ; Maximum amount of time each script may spend parsing request data
    max_input_time = 60
    ; Maximum amount of memory a script may consume (8MB)
    memory_limit = 8M
    ; Maximum size of POST data that PHP will accept.
    post_max_size = 8M
    ; Whether to allow HTTP file uploads.
    file_uploads = Off
    ; Maximum allowed size for uploaded files.
    upload_max_filesize = 2M
    ; Do not expose PHP error messages to external users
    display_errors = Off
    ; Turn on safe mode
    safe_mode = On
    ; Only allow access to executables in an isolated directory
    safe_mode_exec_dir = php-required-executables-path
    ; Limit external access to the PHP environment
    safe_mode_allowed_env_vars = PHP_
    ; Restrict PHP information leakage
    expose_php = Off
    ; Log all errors
    log_errors = On
    ; Do not register globals for input data
    register_globals = Off
    ; Minimize allowable PHP post size
    post_max_size = 1K
    ; Ensure PHP redirects appropriately
    cgi.force_redirect = 0
    ; Disallow uploading unless necessary
    file_uploads = Off
    ; Enable SQL safe mode
    sql.safe_mode = On
    ; Avoid opening remote files
    allow_url_fopen = Off

Restrictive Iptables Based Firewall

The following firewall script blocks everything and only allows:

- Incoming HTTP (TCP port 80) requests
- Incoming ICMP ping requests
- Outgoing ntp (port 123) requests
- Outgoing smtp (TCP port 25) requests

    iptables -F
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT
    # allow outgoing smtp
    iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
    # allow incoming http port 80
    iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    # allow incoming ssh port 22
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

Limiting access

By type of files

This refuses all requests for files beginning with the characters .ht from nginx:

    # Contents of nginx.conf
    location ~ /\.ht {
        deny all;
    }

By IP address

This directive limits access to the docs directory:

    # Contents of nginx.conf
    location /docs/ {
        ## block one workstation
        deny 192.168.54.1;
        ## allow anyone in 192.168.54.0/24
        allow 192.168.54.0/24;
        ## drop rest of the world
        deny all;
    }

Password Protect The Directory

Creating the password file and adding a username:

    # mkdir /usr/local/nginx/conf/.htpasswd/
    # htpasswd -c /usr/local/nginx/conf/.htpasswd/passwd UserName

This directive protects the required directories:

    ### Password Protect /personal-files/ and /omega/ directories ###
    location ~ /(personal-files/.*|omega/.*) {
        auth_basic "Restricted";
        auth_basic_user_file /usr/local/nginx/conf/.htpasswd/passwd;
    }

Adding users:

    # htpasswd -s /usr/local/nginx/conf/.htpasswd/passwd UserName

Load Balancing

Load balancing is a computer networking methodology to distribute workload across multiple computers or a computer cluster, network links, central processing units, disk drives, or other resources, to achieve optimal resource utilization, maximize throughput, minimize response time, and avoid overload.

    upstream myServer {
        ip_hash;
        server 192.168.0.5:80;
        server 192.168.0.6:80;
    }
    server {
        location / {
            proxy_pass http://myServer;
        }
    }

The ip_hash directive causes nginx to attempt to ensure that requests originating from a single IP address remain attached to a specific element of the cluster.
Remember that the ip_hash directive cannot be combined with server components that specify these additional arguments:

    upstream appcluster {
        server 192.168.2.32:8801;
        server 192.168.2.32:8802 weight=1;
        server 192.168.2.32:8803 weight=2 max_fails=2;
        server 192.168.2.32:8804 weight=2 max_fails=2 fail_timeout=20;
        server 192.168.2.32:8805 weight=4;
        server 192.168.2.32:8806 weight=4 fail_timeout=4;
        server 192.168.2.32:8807 weight=2 fail_timeout=20;
    }

The weight=[number] argument: by default, unless explicitly specified, components in an upstream cluster have a weight of 1. If you would like certain servers to receive a greater proportion of the traffic, set weights for some or all of the components in the upstream.

The max_fails=[number] argument specifies the number of unsuccessful attempts at communication with an upstream component before it is considered inoperative. To prevent components from ever being marked as inoperative, even if they are unreachable, set this value to 0. The default value for max_fails is 1.

The fail_timeout=[time-in-seconds] argument determines the span of time within which the max_fails number of unsuccessful attempts must occur in order to mark a component of the server inoperative. Note that servers that return a 404 response are considered operative, and this value does not affect timeouts for established proxy connections.
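As an added example that is not part of the original post, the following POSIX shell script audits a sysctl hardening baseline like the one above against what a kernel actually reports, listing every key whose live value drifted or is missing; it also handles multi-value keys such as tcp_rmem or ip_local_port_range, which the post's list includes. The function names (sysctl_drift, normalize) and the BASELINE and CURRENT samples are constructed here so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: compare a sysctl hardening
# baseline against the values a kernel reports and list every key that drifted.
# On a live host feed it /etc/sysctl.conf and `sysctl -a`; here both inputs
# are constructed so the check runs offline.

# Baseline: a subset of the keys from the post (constructed sample).
BASELINE='# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_forward = 0
kernel.randomize_va_space = 1
net.ipv4.ip_local_port_range = 2000 65000
'

# Constructed sample of `sysctl -a` output from a host that was never hardened:
# forwarding on, redirects accepted, rp_filter off, one key missing entirely,
# and a tab-separated multi-value key as the real tool prints it.
CURRENT=$(printf '%s\n' \
    'net.ipv4.icmp_echo_ignore_broadcasts = 1' \
    'net.ipv4.tcp_syncookies = 1' \
    'net.ipv4.conf.all.rp_filter = 0' \
    'net.ipv4.conf.all.accept_redirects = 1' \
    'net.ipv4.ip_forward = 1' \
    "net.ipv4.ip_local_port_range = $(printf '32768\t60999')")

# Normalise "key = value" lines: drop comments, turn the first "=" and any run
# of blanks into a single space, trim, and discard empty lines.
normalize() {
    sed -e 's/#.*//' -e 's/=/ /' | tr -s '[:blank:]' ' ' \
        | sed -e 's/^ //' -e 's/ $//' | grep -v '^$'
}

# Print "key expected=<baseline> actual=<live>" for each baseline key whose
# live value differs or is absent (shown as "-"). Prints nothing when clean.
sysctl_drift() {
    printf '%s\n' "$1" | normalize | while read -r key want; do
        have=$(printf '%s\n' "$2" | normalize \
            | awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "${have:--}" != "$want" ]; then
            echo "$key expected=$want actual=${have:--}"
        fi
    done
}

# On a real host: sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
sysctl_drift "$BASELINE" "$CURRENT"
```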