MYSQL / SSHD COPY-ID / SSH-DISABLE-CHECK / SSHD-PORT / TCP-WRAPPER / NESSUS / $IPT-LIST
MYSQL SECURITY: CHANGE THE ROOT USER NAME
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
Rename the root user (the grant table is edited directly, so `flush privileges` is needed afterwards for the change to take effect):
mysql> update user set user="dbaroot" where user="root";
Query OK, 3 rows affected (0.00 sec)
Rows matched: 3 Changed: 3 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
Login with the new root user (the rename does not touch the password column, so the old root password still applies):
# mysql -u dbaroot -p
Enter password:
noc@sol-11:~$ ssh root@server186 -p 2268
Warning: Permanently added 'server186,216.214.78.186' (RSA) to the list of known hosts.
root@server186's password:
noc@sol-11:~$ ssh root@server186 -p 2269
Warning: Permanently added 'server186,216.214.78.186' (RSA) to the list of known hosts.
root@server186's password:
noc@sol-11:~$ cat ~/.ssh/config
Host server186
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
These two options disable host-key verification for server186: the key is never stored, which is why the "Permanently added" warning appears on every login above, and the client can no longer detect a changed server key.
TCP WRAPPER = /etc/hosts.deny and /etc/hosts.allow
# hosts.deny   This file describes the names of the hosts which are
#              *not* allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:ALL
# hosts.allow  This file describes the names of the hosts which are
#              allowed to use the local INET services, as decided
#              by the '/usr/sbin/tcpd' server.
#
sshd:120.140* 120.141* 218.111.47* 192.168.1* 175.136.247* localhost
# NOTE: '*' is a plain string wildcard in hosts.allow, so 192.168.1* also matches
# 192.168.10-19.x and 192.168.100-199.x; to match exactly one /24 use a trailing
# dot (192.168.1.) or a net/mask (192.168.1.0/255.255.255.0).
BLOCK ALL IPs EXCEPT THOSE IN THE ALLOWED LIST
[root@transit ~]# pwd
/root
[root@transit ~]# cat iptables-allow-list
192.168.1.166
[root@transit ~]# cat myfirewall-1
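#!/bin/bash
# myfirewall-1: reset the filter table and accept inbound traffic on the
# public interface only from the addresses listed in $_input (one per line).
#
# Globals:   _input  - allow-list file, one IPv4 address/network per line;
#                      blank lines and lines starting with '#' are ignored
#            IPT     - iptables binary
#            _pub_if - public interface the allow-list applies to
# Note: once this has run, new inbound connections are accepted only from
# listed addresses (existing connections survive via ESTABLISHED,RELATED),
# so run it from the console or from a listed address.
_input=/root/iptables-allow-list
IPT=/sbin/iptables
_pub_if="eth0"

# Refuse to touch the firewall if the allow-list is missing or unreadable:
# flushing first and failing at the read loop would leave the DROP policies
# in place with no allow rules at all.
if [[ ! -r "${_input}" ]]; then
  printf 'myfirewall-1: cannot read allow-list %s\n' "${_input}" >&2
  exit 1
fi

# Start from a clean filter table. -F flushes the built-in and user chains;
# -X then removes the (now empty) user chains so that -N does not fail with
# "Chain already exists" on a re-run. Other tables (nat, mangle) are untouched.
$IPT -F
$IPT -X
$IPT -N iptables-allow-list

# DROP and close everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow all outgoing connection but no incoming stuff by default
$IPT -A OUTPUT -o "${_pub_if}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i "${_pub_if}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Append every listed address to iptables-allow-list: log, then accept.
# Blank and '#' lines are skipped so an empty "-s" is never passed to
# iptables; the "|| [[ -n ... ]]" keeps a last line without a trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" || "$ip" == "#"* ]] && continue
  # The LOG rule has no -m limit: every packet from a listed address is logged.
  $IPT -A iptables-allow-list -i "${_pub_if}" -s "$ip" -j LOG --log-prefix " Allowed IP List "
  $IPT -A iptables-allow-list -i "${_pub_if}" -s "$ip" -j ACCEPT
done < "${_input}"

# Allow it: jump into the allow-list at the top of each built-in chain.
# The chain's rules match on "-i ${_pub_if}", so the OUTPUT jump (where
# packets have no input interface) is not expected to match anything; it is
# kept as in the original layout.
$IPT -I INPUT -j iptables-allow-list
$IPT -I OUTPUT -j iptables-allow-list
$IPT -I FORWARD -j iptables-allow-list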
ADVANCED: AS IN NO. 7, BUT ALSO INCLUDING "iptables-allow-list-dport80"
[root@zvps-lan69 ~]# cat /root/iptables-allow-list
192.168.68.66
[root@zvps-lan69 ~]# cat /root/iptables-allow-list-dport80
192.168.68.68
[root@zvps-lan69 ~]# cat /etc/sysconfig/myfirewall
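#!/bin/bash
# /etc/sysconfig/myfirewall: reset the filter table and accept inbound
# traffic on the public interface only from the addresses in two allow-lists:
#   $_input  - full access (any port), each accepted packet is logged
#   $_input2 - TCP port 80 only, not logged
#
# Globals:   _input, _input2 - allow-list files, one address/network per
#                              line; blank lines and '#' lines are ignored
#            IPT             - iptables binary
#            _pub_if         - public interface the allow-lists apply to
# Note: once this has run, new inbound connections are accepted only from
# listed addresses (existing connections survive via ESTABLISHED,RELATED),
# so run it from the console or from a listed address.
_input=/root/iptables-allow-list
_input2=/root/iptables-allow-list-dport80
IPT=/sbin/iptables
_pub_if="eth0"

# Refuse to touch the firewall if either allow-list is unreadable: flushing
# first and failing at a read loop would leave the DROP policies in place
# with no (or only partial) allow rules.
for list in "${_input}" "${_input2}"; do
  if [[ ! -r "$list" ]]; then
    printf 'myfirewall: cannot read allow-list %s\n' "$list" >&2
    exit 1
  fi
done

# Start from a clean filter table. -F flushes the built-in and user chains;
# -X then removes the (now empty) user chains so that -N does not fail with
# "Chain already exists" on a re-run. Other tables (nat, mangle) are untouched.
$IPT -F
$IPT -X
$IPT -N iptables-allow-list
$IPT -N iptables-allow-list-dport80

# DROP and close everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow all outgoing connection but no incoming stuff by default
$IPT -A OUTPUT -o "${_pub_if}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i "${_pub_if}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Append every address in $_input to iptables-allow-list: log, then accept.
# Blank and '#' lines are skipped so an empty "-s" is never passed to
# iptables; the "|| [[ -n ... ]]" keeps a last line without a trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" || "$ip" == "#"* ]] && continue
  # The LOG rule has no -m limit: every packet from a listed address is logged.
  $IPT -A iptables-allow-list -i "${_pub_if}" -s "$ip" -j LOG --log-prefix " Allowed IP List "
  $IPT -A iptables-allow-list -i "${_pub_if}" -s "$ip" -j ACCEPT
done < "${_input}"

# Append every address in $_input2 to iptables-allow-list-dport80; these
# addresses get TCP port 80 only and, unlike the list above, are not logged.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" || "$ip" == "#"* ]] && continue
  $IPT -A iptables-allow-list-dport80 -i "${_pub_if}" -p tcp --dport 80 -s "$ip" -j ACCEPT
done < "${_input2}"

# Allow it: insert the jumps at the top of each built-in chain. Because each
# -I inserts at position 1, the dport80 chain ends up before the full
# allow-list. The chains' rules match on "-i ${_pub_if}", so the OUTPUT jumps
# (where packets have no input interface) are not expected to match anything;
# they are kept as in the original layout.
$IPT -I INPUT -j iptables-allow-list
$IPT -I OUTPUT -j iptables-allow-list
$IPT -I FORWARD -j iptables-allow-list
$IPT -I INPUT -j iptables-allow-list-dport80
$IPT -I OUTPUT -j iptables-allow-list-dport80
$IPT -I FORWARD -j iptables-allow-list-dport80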