<h2>Guide to hardening a Linux server</h2>
<p>Published 2015-10-27 at <a href="https://www.asianux.org.vn/index.php/2015/10/27/huong-dan-tang-cuong-bao-mat-he-thong-may-chu-linux/">asianux.org.vn</a> (categories: linux, security).</p>
<p><strong>Linux is known as a secure operating system, but a default installation still needs a number of configuration changes before it is safe to expose. Below are some practical recommendations for your systems:</strong></p>
<h4>1. Protect the system from the firmware up (BIOS)</h4>
<p>When a computer starts, the first component to run is the BIOS. To keep anyone with physical or console access from booting their own operating system, disable booting from CD/DVD, external devices and floppy disks in the BIOS settings. Then set a BIOS password and a GRUB password (grub-md5-crypt on GRUB legacy, grub2-setpassword on GRUB 2), so that neither the firmware settings nor the boot loader entries can be changed without authentication; an unprotected GRUB menu lets anyone edit the kernel line and boot straight into a root shell. A BIOS password only raises the bar, since someone who can open the case can usually reset it, so these settings complement physical security and full-disk encryption rather than replace them.</p>
<h4>2. Partition the disk</h4>
<p>One way to contain damage is to split the disk into separate partitions (or LVM volumes). Data is grouped by purpose, so a filesystem that fills up or is corrupted affects only the data on that partition, and a runaway process writing to /var or /tmp cannot exhaust the root filesystem. Separate filesystems also let you apply restrictive mount options to each one (for example nodev, nosuid and noexec on /tmp). A server should have at least the following partitions, and third-party applications should be installed under <strong>/opt</strong>:</p>
<ul>
<li>/</li>
<li>/boot</li>
<li>/usr</li>
<li>/var</li>
<li>/home</li>
<li>/tmp</li>
<li>/opt</li>
</ul>
<h4>3. Remove unnecessary services</h4>
<p>A system with many unneeded packages installed not only loses performance as those services compete for resources, it also carries the vulnerabilities of every package that is installed but never used. One way to reduce that risk is to remove or disable services that are not needed. For example, on CentOS 6 (SysV init) you can proceed as follows:</p>
<ul>
<li>List the services that start in runlevel 3:</li>
</ul>
<pre># /sbin/chkconfig --list | grep '3:on'</pre>
<ul>
<li>When you find a service that is not needed, disable it:</li>
</ul>
<pre># chkconfig <em>service_name</em> off</pre>
<ul>
<li>And remove the package from the system with:</li>
</ul>
<pre># yum -y remove <em>package_name</em></pre>
<p>On CentOS 7 and other systemd-based distributions, chkconfig is replaced by systemctl (list-unit-files to see what is enabled, disable and stop to turn a service off).</p>
<h4>4. Check which ports are listening</h4>
<p>Just as with unneeded services, minimise the number of listening network ports: every open port is attack surface and costs resources. Use <strong>netstat</strong> to list all listening ports together with the program that owns each socket, and disable anything you do not recognise or need with <strong>chkconfig</strong> (or remove the package). Pay particular attention to sockets bound to 0.0.0.0 or ::, which are reachable from the network, as opposed to 127.0.0.1.</p>
<p>List all listening TCP and UDP ports with the owning process:</p>
<pre># netstat -tulpn</pre>
<p>On newer systems where the net-tools package is not installed, <strong>ss -tulpn</strong> gives the same information.</p>
<h4>5. Secure the SSH service</h4>
<p>Remote administration used to be done over <strong>telnet</strong> and <strong>rlogin</strong>, which send everything, credentials included, in clear text. Secure Shell (SSH) has replaced them because the whole session is encrypted and the server is authenticated. The default sshd configuration is still permissive, however, and should be tightened as follows:</p>
<ul>
<li>Open the SSH daemon configuration file:</li>
</ul>
<pre># vi /etc/ssh/sshd_config</pre>
<ul>
<li>Find the Port directive and move the service off the default port 22, for example to 22000. This only reduces noise from automated scanners and is not a security control in itself. If you change the port, also open it in the firewall and, with SELinux enforcing, register it with <strong>semanage port -a -t ssh_port_t -p tcp 22000</strong>, or sshd will not be allowed to bind to it:</li>
</ul>
<pre>Port 22000</pre>
<ul>
<li>Do not allow direct login as <strong>root</strong>; log in as an unprivileged user and use sudo:</li>
</ul>
<pre>PermitRootLogin no</pre>
<ul>
<li>Allow only specific users to log in (several names are separated by spaces):</li>
</ul>
<pre>AllowUsers <em>username</em></pre>
<ul>
<li>Use only version 2 of the SSH protocol (OpenSSH 7.4 and later no longer support version 1 at all, so the directive only matters on older servers):</li>
</ul>
<pre>Protocol 2</pre>
<p>Note that sshd uses the first value it finds for each keyword, so make sure the lines above are not preceded by another uncommented setting of the same keyword. Check the file with <strong>sshd -t</strong> and restart the service, but keep your current session open and test a new login before closing it, so that a mistake cannot lock you out.</p>
<h4>6. Apply vendor patches regularly</h4>
<p>Always keep the system on the latest packages and security updates. For example, on CentOS, first see which updates are pending and then install them:</p>
<pre># yum check-update</pre>
<pre># yum update</pre>
<p>On RHEL, <strong>yum --security update</strong> installs only the updates flagged as security errata; the plain CentOS repositories do not carry that metadata, so there the full update is the safe choice. Schedule a reboot after kernel updates, since the running kernel is not replaced until then.</p>
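<p>As an added example (not code from the original article), the following shell script audits an sshd_config the way sshd itself reads it, for the settings recommended in section 5. sshd keeps the first uncommented value of each keyword, so a hardening line appended at the end of the file is silently ignored when an earlier line already sets the same keyword, and keywords inside a Match block apply only conditionally. The sample configuration, the baseline values and the compiled-in defaults assumed for absent keywords (those of OpenSSH 6.x, where PermitRootLogin defaults to yes) are assumptions made for this example; on a real host point it at /etc/ssh/sshd_config.</p>

```shell
#!/bin/sh
# Added example, not part of the original article. Audits sshd_config with the
# same "first value wins" rule sshd applies. The configuration below is a
# constructed sample: note the duplicate Port line, the commented-out default
# and the PasswordAuthentication setting that lives only inside a Match block.

SAMPLE_SSHD_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat >"$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample sshd_config
Port 22
Port 22000
#PermitRootLogin yes
PermitRootLogin no
X11Forwarding yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF

# sshd_get FILE KEYWORD -> prints the effective global value of KEYWORD
# (case-insensitive), i.e. the first uncommented occurrence before any Match
# block; prints nothing when the keyword is not set globally.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # strip comments
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE -> one OK/FAIL line per baseline keyword plus an INFO line
# for the port; returns 1 when any check fails. When a keyword is absent the
# compiled-in default applies (defaults assumed here: OpenSSH 6.x).
sshd_audit() {
    rc=0
    while read -r kw want def; do
        have=$(sshd_get "$1" "$kw")
        if [ -n "$have" ]; then src=set; else have=$def; src=default; fi
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "OK   $kw=$have ($src)"
        else
            echo "FAIL $kw expected=$want actual=$have ($src)"
            rc=1
        fi
    done <<'EOF'
PermitRootLogin no yes
PasswordAuthentication no yes
X11Forwarding no no
EOF
    port=$(sshd_get "$1" Port)
    echo "INFO Port=${port:-22} (sshd uses the first Port line; later ones are ignored)"
    return $rc
}

sshd_audit "$SAMPLE_SSHD_CONFIG" ||
    echo "baseline not met: fix the FAIL lines, run 'sshd -t', then restart sshd"
```

On the sample the audit reports PermitRootLogin as OK, flags PasswordAuthentication (the global default still applies, the Match block only covers one network) and X11Forwarding, and shows that the port is still 22 because the second Port line never takes effect. The parser handles the common "keyword value" form only; the less common "keyword=value" spelling and quoted arguments are not covered.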
<h4>7. Restrict who can use cron</h4>
<p>Cron lets users schedule tasks that run in the background at fixed times, executed by the cron daemon. Access to the <strong>crontab</strong> command is controlled by the files <strong>/etc/cron.allow</strong> and <strong>/etc/cron.deny</strong>: if cron.allow exists, only the users listed in it may use crontab and cron.deny is ignored; otherwise every user not listed in cron.deny may use it. To block one user, add the name to <strong>cron.deny</strong>; to permit a user, add the name to <strong>cron.allow</strong>. To deny cron to all users, the usual advice is to add the keyword <strong>ALL</strong> as the last line of <strong>cron.deny</strong>:</p>
<pre># echo ALL &gt;&gt; /etc/cron.deny</pre>
<p>Not every cron implementation treats ALL as a wildcard; creating a <strong>/etc/cron.allow</strong> that lists only the users who genuinely need crontab is the portable way to get the same effect. Either way this only limits who may edit crontabs: jobs already present in /etc/crontab, /etc/cron.d and the cron.daily directories keep running, so review those too.</p>
<h4>8. Disable USB mass storage</h4>
<p>USB devices are a risk to a server: an attacker can plant malicious programs on a device, and once it is plugged in it can be used to copy data off the machine or drop code onto it. If the server never needs removable storage, prevent the kernel from loading the USB storage driver at all. Create the file <strong>/etc/modprobe.d/no-usb.conf</strong> (modprobe only reads files in that directory whose names end in .conf) with the following line, which makes any attempt to load the module run /bin/true instead:</p>
<pre>install usb-storage /bin/true</pre>
<p>If the module is already loaded, unload it with <strong>rmmod usb-storage</strong> (this fails while a device is mounted). Keyboards and other USB devices keep working, since only the usb-storage module is affected; a hostile device that presents itself as a keyboard is therefore not stopped by this setting.</p>
<h4>9. Keep SELinux enabled</h4>
<p><strong>Security-Enhanced Linux (SELinux)</strong> is a mandatory access control mechanism implemented in the kernel. Many administrators disable it, either for performance or because it gets in the way of an application. Disabling SELinux removes a whole layer of the system's defences: even when a service is compromised, the policy confines what the compromised process can read, write and execute. Weigh that loss carefully against any performance or convenience concern before putting a system into production without it.</p>
<p>SELinux has three modes:</p>
<ul>
<li><strong>Enforcing</strong>: the default mode, in which the loaded policy is enforced and violations are blocked and logged</li>
<li><strong>Permissive</strong>: the policy is not enforced; violations are only logged. This mode is useful for troubleshooting SELinux denials</li>
<li><strong>Disabled</strong>: SELinux is turned off entirely</li>
</ul>
<p>To see the current state, run:</p>
<pre># sestatus</pre>
<p>If it is in permissive mode, switch to enforcing with the following command (setenforce 1 is equivalent):</p>
<pre># setenforce enforcing</pre>
<p>On CentOS the persistent setting lives in <strong>/etc/selinux/config</strong> (SELINUX=enforcing). setenforce cannot be used while SELinux is disabled there: set the file to enforcing, create <strong>/.autorelabel</strong> so that the filesystem is relabelled on the next boot, and reboot.</p>
<h4>10. Remove the KDE/GNOME desktop</h4>
<p>A server whose purpose is to serve web applications (a LAMP server) has no use for an X Window desktop such as KDE or GNOME. Disable or remove them to improve both security and performance. The simple way to stop the desktop from starting on CentOS 6 is to open <strong>/etc/inittab</strong> and set the default runlevel to 3 (the line id:3:initdefault:); on CentOS 7, where inittab is no longer used, set the default systemd target to multi-user instead. To remove the packages entirely, run:</p>
<pre># yum groupremove "X Window System"</pre>
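<p>As an added example (not code from the original article), the following shell script checks whether a kernel module is really neutralised by the modprobe.d configuration described in section 8. It models two behaviours of modprobe that the one-liner above depends on: files in /etc/modprobe.d are read only when their name ends in .conf, and an "install" line defeats an explicit modprobe while "blacklist" only stops automatic loading by alias. The directory and its files are constructed for this example; on a real host pass /etc/modprobe.d.</p>

```shell
#!/bin/sh
# Added example, not part of the original article. Reports the effective
# modprobe.d policy for a module. The directory below is a constructed stand-in
# for /etc/modprobe.d; the first file deliberately lacks the .conf suffix, which
# is exactly the mistake the article's "no-usb" file name would make.

MODPROBE_D="$(mktemp -d)"
trap 'rm -rf "$MODPROBE_D"' EXIT
printf 'install usb-storage /bin/true\n'   >"$MODPROBE_D/no-usb"                  # ignored: no .conf suffix
printf 'blacklist firewire-core\n'         >"$MODPROBE_D/blacklist-firewire.conf"
printf 'install cramfs /bin/false\n'       >"$MODPROBE_D/no-cramfs.conf"

# module_policy DIR MODULE -> prints "install:<command>", "blacklist" or "none".
# Only *.conf files are consulted, and "-" and "_" in module names are treated
# as equivalent, both as modprobe does.
module_policy() {
    want=$(printf '%s' "$2" | tr '-' '_')
    set -- "$1"/*.conf
    if [ ! -f "$1" ]; then echo none; return 0; fi
    awk -v want="$want" '
        { sub(/#.*/, "") }                       # strip comments
        NF < 2 { next }                          # need at least "<cmd> <module>"
        { name = $2; gsub(/-/, "_", name) }      # normalise dash/underscore
        $1 == "install" && name == want {
            cmd = $3; for (i = 4; i <= NF; i++) cmd = cmd " " $i
            print "install:" cmd; found = 1; exit
        }
        $1 == "blacklist" && name == want { bl = 1 }
        END { if (!found) print (bl ? "blacklist" : "none") }
    ' "$@"
}

echo "usb-storage before the fix: $(module_policy "$MODPROBE_D" usb-storage)"
# The fix: give the file the suffix modprobe requires.
mv "$MODPROBE_D/no-usb" "$MODPROBE_D/no-usb.conf"
echo "usb-storage after the fix:  $(module_policy "$MODPROBE_D" usb-storage)"
echo "firewire-core:              $(module_policy "$MODPROBE_D" firewire-core)"
```

Before the rename the script reports "none" for usb-storage, which is what a real modprobe would do with a file called no-usb: the driver still loads as soon as a stick is inserted. After the rename it reports install:/bin/true. A module that only appears in a blacklist line (firewire-core here) can still be loaded by hand with modprobe, so for "must never load" modules the install form is the one to use.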
<h4>11. Disable IPv6 if it is not used</h4>
<p>IPv6 is the successor to IPv4, whose address space is nearly exhausted. Many networks nonetheless still run only IPv4, and on such a host an enabled IPv6 stack is an unmonitored path into the server: the iptables rules of section 14 do not apply to IPv6 traffic at all. If you do not use IPv6, turn it off; if you do, or you are not sure, keep it and write matching ip6tables rules instead. On CentOS 6, open the network configuration file and add the following lines to disable it.</p>
<p>Open the file:</p>
<pre># vi /etc/sysconfig/network</pre>
<p>Add these settings:</p>
<pre>NETWORKING_IPV6=no</pre>
<pre>IPV6INIT=no</pre>
<p>Be aware that some services expect the ::1 loopback address to exist and misbehave when the IPv6 stack is absent, so test after rebooting. On newer releases the supported method is the kernel setting net.ipv6.conf.all.disable_ipv6 = 1 in /etc/sysctl.conf.</p>
<h4>12. Prevent users from reusing old passwords</h4>
<p>It is useful to stop users from cycling back to a password they have used before, since an old password that has leaked stays valuable to an attacker for as long as it can be reused. On RHEL / CentOS / Fedora the previous password hashes are kept in <strong>/etc/security/opasswd</strong> and the check is done by the <strong>PAM</strong> stack. To prevent a user from reusing any of their last 5 passwords, proceed as follows:</p>
<ul>
<li>Open the file <strong>/etc/pam.d/system-auth</strong></li>
</ul>
<pre># vi /etc/pam.d/system-auth</pre>
<ul>
<li>Make sure the <strong>auth</strong> section contains the pam_unix line (it normally already does). Do not add the nullok option here: it accepts empty passwords and directly contradicts section 15:</li>
</ul>
<pre>auth        sufficient    pam_unix.so likeauth</pre>
<ul>
<li>Edit the pam_unix line in the <strong>password</strong> section so that the last 5 passwords are remembered and rejected, and hash with sha512 rather than md5:</li>
</ul>
<pre>password    sufficient    pam_unix.so use_authtok sha512 shadow remember=5</pre>
<p>On RHEL/CentOS 6 and 7, system-auth is a symlink to system-auth-ac, which the authconfig tool regenerates; either edit a copy and point the symlink at it, or expect authconfig to undo your change. On CentOS 7 the dedicated <strong>pam_pwhistory</strong> module (password required pam_pwhistory.so remember=5 use_authtok) is the preferred way to enforce history.</p>
<h4>13. Enforce strong passwords</h4>
<p>Many users choose weak passwords, and weak passwords fall quickly to dictionary and brute-force attacks, online against the login service or offline against a stolen /etc/shadow. The system therefore needs a mechanism that forces users to choose strong passwords. On CentOS 6 this is done with the <strong>pam_cracklib</strong> module, configured as follows:</p>
<ul>
<li>Open the configuration file</li>
</ul>
<pre># vi /etc/pam.d/system-auth</pre>
<ul>
<li>Add (or edit) the pam_cracklib line in the password section so that it requires a minimum length and a mix of lower-case letters, upper-case letters, digits and other characters. With negative credit values each number is a minimum count of that class: the line below demands at least 1 lower-case letter, 2 upper-case letters, 2 digits and 1 symbol, a minimum length of 8, and allows 3 attempts before the password change is aborted:</li>
</ul>
<pre>password    requisite     pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1</pre>
<p>This line must come before the pam_unix password line, which carries use_authtok so that it accepts the password cracklib has already checked. The full path /lib/security/$ISA/pam_cracklib.so seen in older guides is not needed; the bare module name is resolved correctly on both 32-bit and 64-bit hosts. On CentOS 7, pam_cracklib has been replaced by <strong>pam_pwquality</strong>, which takes the same options and is configured in /etc/security/pwquality.conf. A minimum length of 8 is weak by today's standards (12 or more is a better floor), and rate-limiting failed logins (for example with pam_faillock) protects against online guessing regardless of the password policy.</p>
<h4>14. Enable the firewall</h4>
<p>Enabling the host firewall is strongly recommended to protect against unauthorised access. Add rules to iptables to filter the packets entering, leaving and being forwarded through the system; rules can match on source and destination addresses, ports and protocols to permit or deny exactly the traffic the server needs. A good baseline is a default policy of DROP on the INPUT chain with explicit ACCEPT rules for loopback, established connections and the services you expose (remember the SSH port chosen in section 5). On CentOS 7 the firewalld service manages the rules, but the underlying mechanism is the same.</p>
<p>To list the rules currently loaded, with packet counters, use:</p>
<pre># iptables -L -n -v</pre>
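<p>As an added example (not code from the original article), the following shell function generates the baseline host firewall described in section 14 in iptables-restore format: default DROP on INPUT and FORWARD, loopback and established traffic allowed, SSH only on the port chosen in section 5 with per-source rate limiting, HTTP/HTTPS open, and ICMP echo rate-limited rather than ignored outright (the alternative to the sysctl approach in section 19). The SSH port default of 22000, the choice of web ports and the log prefix are assumptions made for this example; adjust them to the services the host actually exposes.</p>

```shell
#!/bin/sh
# Added example, not part of the original article. Prints an iptables-restore
# ruleset for a single server. Load it with:  gen_rules 22000 | iptables-restore
# and persist it on CentOS 6 with "service iptables save". Review the output
# before loading it from a remote session: a wrong SSH port here locks you out.
# The conntrack and recent matches are available in iptables 1.4.x and later.

# gen_rules [SSH_PORT] -> writes the ruleset to stdout (default port: 22000)
gen_rules() {
    ssh_port=${1:-22000}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to connections this host initiated, and nothing malformed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP: rate-limit echo requests, keep the error types PMTU discovery relies on
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
# SSH on the non-default port: more than 6 new connections per minute from one
# source are dropped (the "recent" match keeps a per-source table)
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH --rsource -j DROP
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
# services this host exposes (assumed: a web server)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# everything else is logged at a low rate and then hits the DROP policy
-A INPUT -m limit --limit 2/minute -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

gen_rules "$@"
```

The same structure is needed a second time for ip6tables if IPv6 stays enabled (section 11); iptables rules never see IPv6 packets. The LOG rule is what makes the dropped traffic visible in /var/log/messages and on the central log server of section 16.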
<h4>15. Check for accounts without a password</h4>
<p>Any account with an empty password field can be used by anyone who reaches a login prompt without authenticating at all, which is a serious danger to the system. Make sure every account either has a strong password or is locked so that nobody else can use it. Find accounts with an empty password with the command below and lock (passwd -l) or remove the ones you find:</p>
<pre># awk -F: '($2 == "") {print $1}' /etc/shadow</pre>
<p>The second field of /etc/shadow is the password hash: an empty field means no password is required (as long as pam_unix is configured with nullok, another reason to drop that option in section 12), while "!" or "*" marks a locked account, which is what you want for every system account that should never log in interactively.</p>
<h4>16. Centralise logs on a dedicated log server</h4>
<p>Forwarding the logs of system activity to a dedicated log server is a way to keep attackers from altering or deleting the evidence once they have gained unauthorised access to a host; with an untouched copy elsewhere you can determine what actually happened. Configure rsyslog (or syslog-ng) to ship events to the collector as they are written, preferably over TCP or TLS so that nothing is silently lost. Below is information about the default log files and what they contain.</p>
<ul>
<li>/var/log/messages: general system activity</li>
<li>/var/log/secure (auth.log on Debian-based systems): authentication log</li>
<li>/var/log/kern.log: kernel log (on CentOS kernel messages go to /var/log/messages)</li>
<li>/var/log/cron: log of scheduled jobs</li>
<li>/var/log/maillog: mail service log</li>
<li>/var/log/mysqld.log: log of the MySQL database service</li>
<li>/var/run/utmp and /var/log/wtmp: current and historical login records (binary files; read them with who and last)</li>
<li>/var/log/yum.log: YUM package transactions</li>
</ul>
<h4>17. Back up important data</h4>
<p>On a production system it is essential to back up important data and keep the copies safe, preferably off the host and with at least one copy offline, so that a compromise cannot destroy the backups together with the originals. When something goes wrong, the system can then be restored quickly from the backups. Test a restore periodically; an untested backup is not a backup.</p>
<h4>18. Make /boot read-only</h4>
<p>The kernel and its related files live under <strong>/boot</strong>, which by default is mounted read-write. Mounting it read-only prevents a compromised process from quietly replacing the kernel or initramfs, a change that would survive any later clean-up of the running system. To do this, follow these steps:</p>
<ul>
<li>Open /etc/fstab:</li>
</ul>
<pre># vi /etc/fstab</pre>
<ul>
<li>Change the existing /boot entry (do not add a second one) so that its mount options include ro. Keep the filesystem type and device the entry already has: /boot is ext4 on CentOS 6 and XFS on CentOS 7, and a label that does not exist makes the boot fail. For an ext2 /boot with the label "/boot" the line looks like this:</li>
</ul>
<pre>LABEL=/boot     /boot     ext2     defaults,ro     1 2</pre>
<p>Remember to remount it read-write (mount -o remount,rw /boot) before a kernel update or a GRUB configuration change, and read-only again afterwards; otherwise the update fails or, worse, silently leaves the old kernel in place.</p>
<h4>19. Ignore ICMP echo and broadcast requests</h4>
<p>Attackers use ICMP echo (ping) sweeps to discover live IP addresses before attacking the hosts behind them, and echo requests sent to broadcast addresses are abused in amplification (smurf) attacks that use your hosts to flood a third party. To block this, change <strong>/etc/sysctl.conf</strong> so that the kernel ignores ping or broadcast requests.</p>
<ul>
<li>Ignore all ICMP echo requests:</li>
</ul>
<pre>net.ipv4.icmp_echo_ignore_all = 1</pre>
<ul>
<li>Ignore echo requests sent to a broadcast address:</li>
</ul>
<pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
<p>To apply the changes without rebooting, run:</p>
<pre># sysctl -p</pre>
<p>The broadcast setting is safe everywhere and is already the default on current kernels. Ignoring all echo requests, on the other hand, breaks monitoring and troubleshooting that rely on ping, and a port scan finds the host anyway, so a rate-limited ICMP rule in the firewall is usually the better trade-off. Never block ICMP wholesale: types such as "fragmentation needed" are required for path MTU discovery.</p>
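<p>As an added example (not code from the original article), the following shell script extends the one-line check of section 15: instead of listing only empty password fields, it classifies every entry of a shadow file by what its password field says, so that locked system accounts, accounts with no password and accounts still carrying a weak hash are told apart in one pass. The shadow lines are constructed for this example and contain no real hashes; the hash-prefix table (MD5 and DES weak, SHA-2, bcrypt, scrypt and yescrypt acceptable) is this example's own classification.</p>

```shell
#!/bin/sh
# Added example, not part of the original article. The second field of a
# shadow entry is empty (no password needed), starts with "!" or "*" (locked,
# or an account that never logs in), or holds a hash whose "$id$" prefix names
# the algorithm. $1$ (MD5) and 13-character DES hashes are weak and should be
# replaced by forcing a password change (chage -d 0 <user>).
# Constructed sample; the hash bodies are placeholders, not real digests.

SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:16700:0:99999:7:::
bin:*:16700:0:99999:7:::
daemon:*:16700:0:99999:7:::
legacy:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB:16700:0:99999:7:::
guest::16700:0:99999:7:::
former:!$6$saltsalt$CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:16700:0:99999:7:::
oldbox:abJnggxhB/yWI:16700:0:99999:7:::
EOF

# shadow_audit FILE -> one line per account, "<class> <user>", where class is
# EMPTY, LOCKED, WEAK (MD5 or DES), OK (SHA-256/512, bcrypt, scrypt, yescrypt)
# or UNKNOWN (anything else; worth a look).
shadow_audit() {
    awk -F: '
        NF < 2 { next }                                   # skip malformed lines
        $2 == ""                          { print "EMPTY "   $1; next }
        $2 ~ /^[!*]/                      { print "LOCKED "  $1; next }
        $2 ~ /^\$1\$/ || length($2) == 13 { print "WEAK "    $1; next }
        $2 ~ /^\$(5|6|2[aby]|7|y)\$/      { print "OK "      $1; next }
        { print "UNKNOWN " $1 }
    ' "$1"
}

# shadow_findings FILE -> only the accounts that need action (EMPTY and WEAK)
shadow_findings() {
    shadow_audit "$1" | awk '$1 == "EMPTY" || $1 == "WEAK"'
}

echo "accounts needing action:"
shadow_findings "$SAMPLE_SHADOW"
```

On a real host run it as root against /etc/shadow (the file is mode 0000 or 0400). EMPTY accounts should be locked with passwd -l or removed; WEAK ones should be forced through a password change so that the hash is regenerated with the algorithm configured in section 12.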
<p>The tips above are a starting point for improving the security of a Linux system. Review them against your own servers and fill the gaps so that the systems are spared avoidable incidents.</p>