2019.7.17 Notes: policy hardening theory

2019.7.17

Policy hardening

  • Enable NAT logging.

NAT logs record users' online behaviour; the UMC receives session logs on port 9505.

  • Configure DoS and DDoS attack protection

Configure TCP, ICMP, UDP and fragmented-packet protection, set a protection threshold for each packet type, and configure the action taken when a threshold is exceeded.

  • Firewall access rule configuration

The firewall divides the network into security domains and isolates them. Rules configured between domains implement access control on packets based on source IP, destination IP, source port, destination port and protocol. At the same time, the firewall logs the packets it rejects and discards.

  1. Configure NAT so that internal host addresses are hidden
  2. Block the ports associated with common vulnerabilities
  3. Disable ping (ICMP echo) replies on the external interface
  4. The last firewall access rule denies all traffic
  5. Rule ordering
  6. Turn off unnecessary services
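The rule list above is evaluated top to bottom with a final deny-all. As an added example (not from the original notes), the Python below models that: 5-tuple matching, first match wins, the last rule denies everything, and every discarded packet is logged. The segments, server address and packets are constructed for illustration.

```python
"""Ordered 5-tuple access rule evaluation with a final deny-all and deny logging.
Added example; the addresses, rules and packets below are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network (CIDR); default any
    dst: str = "0.0.0.0/0"          # destination network (CIDR); default any
    proto: Optional[str] = None     # "tcp", "udp", "icmp"; None = any
    dport: Optional[int] = None     # destination port; None = any

    def matches(self, pkt: dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.deny_log: List[dict] = []   # one record per discarded packet

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """First matching rule wins; returns (action, index of the rule that matched)."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                if rule.action == "deny":
                    self.deny_log.append({"rule": idx, **pkt})
                return rule.action, idx
        # Nothing matched: implicit deny, logged as well
        self.deny_log.append({"rule": None, **pkt})
        return "deny", None


INTERNAL = "192.168.1.0/24"   # hypothetical internal segment
DMZ_WEB = "10.0.1.10/32"      # hypothetical published web server in the DMZ

RULES = [
    Rule("permit", dst=DMZ_WEB, proto="tcp", dport=80),
    Rule("permit", dst=DMZ_WEB, proto="tcp", dport=443),
    Rule("deny", dst=INTERNAL, proto="icmp"),   # no ping responses into the internal segment
    Rule("permit", src=INTERNAL),               # internal hosts may initiate outbound
    Rule("deny"),                               # last rule: deny everything else
]


def demo():
    """Run four constructed packets through the rule set."""
    fw = Firewall(RULES)
    results = [
        fw.evaluate({"src": "203.0.113.5", "dst": "10.0.1.10", "proto": "tcp", "dport": 443}),
        fw.evaluate({"src": "203.0.113.5", "dst": "192.168.1.20", "proto": "tcp", "dport": 22}),
        fw.evaluate({"src": "203.0.113.5", "dst": "192.168.1.20", "proto": "icmp"}),
        fw.evaluate({"src": "192.168.1.20", "dst": "198.51.100.7", "proto": "udp", "dport": 53}),
    ]
    return results, fw.deny_log


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

Because the first match wins, moving the final deny rule to the top would block everything; that is why rule ordering is its own item in the checklist.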

Protocol hardening

  • ARP spoofing hardening
  1. ARP packet validity check: use the ARP packet validity check function to inspect the ARP packets the device receives, discard illegal ARP packets and process legal ones. No check is performed on ARP-trusted ports; on untrusted ports, packets with illegal MAC or IP addresses are filtered.
  2. ARP user legitimacy check: based on the source IP and source MAC address in the ARP packet, verify that the user is legitimate on the port and VLAN it arrived on, using both static ARP entries and DHCP snooping binding entries.
  3. ARP gateway protection: bind terminal IP and MAC addresses.
  • DHCP hardening

DHCP snooping: the port connecting to the legitimate DHCP server is configured as a trusted port; all other ports are untrusted.
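The ARP validity and user-legitimacy checks, together with the trusted/untrusted port model shared with DHCP snooping, fit in a short model. The Python below is an added example, not vendor code: a binding table built from static entries and DHCP snooping entries, keyed by port, VLAN and IP, with trusted ports exempt from inspection. Ports, MACs, addresses and packets are constructed.

```python
"""ARP packet validity and user-legitimacy checks against a port/VLAN binding table.
Added example; ports, addresses and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

ZERO_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    """One (port, VLAN, IP, MAC) entry, from a static ARP entry or DHCP snooping."""
    port: str
    vlan: int
    ip: str
    mac: str
    source: str   # "static" or "dhcp-snooping"


class ArpGuard:
    def __init__(self, trusted_ports: Set[str], bindings: Iterable[Binding]):
        self.trusted = set(trusted_ports)
        self.table: Dict[Tuple[str, int, str], str] = {
            (b.port, b.vlan, b.ip): b.mac.lower() for b in bindings
        }

    @staticmethod
    def packet_valid(pkt: dict) -> bool:
        """Validity check: the Ethernet source MAC must equal the ARP sender MAC,
        the sender MAC must not be all-zero or broadcast, and the sender IP must
        be a usable unicast address."""
        eth_src = pkt["eth_src"].lower()
        sender_mac = pkt["sender_mac"].lower()
        if eth_src != sender_mac or sender_mac in (ZERO_MAC, BROADCAST_MAC):
            return False
        try:
            ip = ipaddress.ip_address(pkt["sender_ip"])
        except ValueError:
            return False
        return not (ip.is_multicast or ip.is_unspecified or ip.is_loopback)

    def check(self, pkt: dict) -> Tuple[bool, str]:
        """Return (accept, reason). Trusted ports skip every check."""
        if pkt["port"] in self.trusted:
            return True, "trusted port"
        if not self.packet_valid(pkt):
            return False, "invalid packet"
        expected = self.table.get((pkt["port"], pkt["vlan"], pkt["sender_ip"]))
        if expected is None:
            return False, "no binding for ip on this port/vlan"
        if expected != pkt["sender_mac"].lower():
            return False, "ip/mac mismatch"
        return True, "binding ok"


# Constructed table: the gateway as a static entry, one client learned by DHCP snooping
GUARD = ArpGuard(
    trusted_ports={"Gi0/24"},   # uplink to the legitimate server side
    bindings=[
        Binding("Gi0/1", 10, "192.168.10.1", "00:11:22:33:44:01", "static"),
        Binding("Gi0/2", 10, "192.168.10.50", "00:11:22:33:44:50", "dhcp-snooping"),
    ],
)


def demo():
    ok = {"port": "Gi0/2", "vlan": 10, "eth_src": "00:11:22:33:44:50",
          "sender_mac": "00:11:22:33:44:50", "sender_ip": "192.168.10.50"}
    # Bound IP announced with a different MAC: legitimacy check fails
    wrong_mac = dict(ok, eth_src="00:11:22:33:44:99", sender_mac="00:11:22:33:44:99")
    # Gateway IP announced on a client port: no binding there
    wrong_ip = dict(ok, sender_ip="192.168.10.1")
    # Header MAC and ARP sender MAC disagree: validity check fails
    bad_hdr = dict(ok, eth_src="00:11:22:33:44:99")
    # The same malformed packet on the trusted uplink is accepted unchecked
    uplink = dict(bad_hdr, port="Gi0/24")
    return [GUARD.check(p) for p in (ok, wrong_mac, wrong_ip, bad_hdr, uplink)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The trusted-port exemption is the same one DHCP snooping relies on, so which ports are marked trusted deserves the same care as the binding table itself.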

  • Security hardening of routing protocols

Dynamic routing protocols should be configured with MD5 authentication. Once authentication is enabled, unauthorized devices connected to the network cannot form neighbour relationships with existing devices, which removes the risk of routing table contamination.

  • Security Hardening of Spanning Tree Protocol

BPDU guard, point-to-point link type configuration, edge ports, root guard, loop guard, and an explicitly designated root bridge.

Device hardening

  • User account assignment

Network devices should assign accounts to administrators according to the principle of least privilege: different administrators receive accounts with different permissions, so that accounts are managed by permission level and the risk of unauthorized operations and mis-operation is avoided.

Delete unused accounts

  1. Password security configuration: avoid weak passwords
  2. Encrypted password storage: static passwords should be stored in the configuration file only after hashing with an irreversible algorithm
  3. Authorization security configuration: when configuring device permissions, grant only the minimum required by the user's business needs
  4. NTP configuration: keeps log timestamps accurate
  5. Close unused ports
  6. Idle session timeout
  7. Console port password protection
  8. Device management address configuration: allow only specific addresses to connect, so that users on unauthorized network segments cannot reach network devices over Telnet or SSH
  9. Meaningful port descriptions
  10. On routers that do not need proxy ARP, disable the proxy ARP function
  11. SNMP protocol security:

Disable SNMP where it is not used, and remove unused read-write (RW) community permissions.

Change the default SNMP community string; the new one should meet the password strength requirements.

Use SNMPv2 or above.

Set SNMP access security restrictions to allow only specific hosts to access network devices through SNMP.

Windows hardening

  • Patch management: automatic updates
  • User account and password security: password policy, account lockout, user rights, disable the guest account, rename the administrator account, delete unused accounts
  • Log and audit
  • Service optimization
  • Security protection: screen saver lock, file sharing, anti-virus management, enable the firewall, remove default shares, restrict anonymous access, check the network service idle-disconnect time, disable drive autorun, check the login timeout setting, check the secure channel (encryption or digital signature) data settings, check session limits, and disable unnecessary startup items
  • Tools: gpedit.msc, eventvwr, services.msc

Linux hardening

  • Device management: use SSH instead of Telnet/FTP
  • User account and password security
  • Log and audit: chmod 400 /etc/syslog.conf
  • Service optimization: chkconfig --list
  • Security protection:

chown root:root /etc/passwd /etc/shadow /etc/group

chmod 644 /etc/passwd /etc/group

chmod 400 /etc/shadow

Edit /etc/profile and modify the value of HISTSIZE to 5
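To verify the file ownership, modes and HISTSIZE setting from the Linux items above on a host, the Python below is an added audit script (not part of the original notes). It compares the three files against root:root and the modes given in the notes and checks the HISTSIZE assignment in /etc/profile text; the demonstration runs against a constructed temporary tree rather than the live /etc, so ownership is checked against the current user there.

```python
"""Audit the /etc file modes, ownership and HISTSIZE setting listed in the notes.
Added example; demo() runs against a constructed sample tree, not the live system."""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Expected modes from the notes: passwd/group 644, shadow 400; owner root:root (uid 0)
EXPECTED_MODES: Dict[str, int] = {
    "etc/passwd": 0o644,
    "etc/group": 0o644,
    "etc/shadow": 0o400,
}
MAX_HISTSIZE = 5   # the notes set HISTSIZE to 5 in /etc/profile


def audit_permissions(root: str = "/", expected_uid: int = 0) -> List[str]:
    """Return one finding per deviation from the expected mode or owner."""
    findings = []
    for rel, want in EXPECTED_MODES.items():
        path = os.path.join(root, rel)
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            findings.append(f"{path}: mode {mode:04o}, expected {want:04o}")
        if st.st_uid != expected_uid:
            findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    return findings


def audit_histsize(profile_text: str, limit: int = MAX_HISTSIZE) -> List[str]:
    """Check the HISTSIZE assignment in /etc/profile text; the last assignment wins."""
    matches = re.findall(r"^\s*(?:export\s+)?HISTSIZE=(\d+)", profile_text, re.M)
    if not matches:
        return ["HISTSIZE is not set in /etc/profile"]
    value = int(matches[-1])
    if value > limit:
        return [f"HISTSIZE={value} exceeds the limit of {limit}"]
    return []


def build_sample_root() -> str:
    """Constructed sample tree with the correct modes (a stand-in for a real /etc)."""
    root = tempfile.mkdtemp(prefix="hardening-demo-")
    os.mkdir(os.path.join(root, "etc"))
    for rel, mode in EXPECTED_MODES.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def demo():
    """Audit a correct tree, then loosen passwd to 666 and audit again."""
    root = build_sample_root()
    me = os.getuid()   # the constructed files belong to the current user, not root
    clean = audit_permissions(root, expected_uid=me)
    os.chmod(os.path.join(root, "etc/passwd"), 0o666)
    weakened = audit_permissions(root, expected_uid=me)
    return clean, weakened


if __name__ == "__main__":
    print(demo())
    print(audit_histsize(open("/etc/profile").read()) if os.path.exists("/etc/profile") else "no /etc/profile")
```

On a real host call `audit_permissions()` with the defaults (root "/" and uid 0); the `expected_uid` parameter exists only so the constructed tree can be audited without root.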

SQL injection hardening

  1. Deploy security devices: network management equipment
  2. Parameterized queries: e.g. ASP + SQL Server
  3. Filter special characters: regular expressions
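Items 2 and 3 are the application-side measures. The Python below is an added example (not from the notes) that uses SQLite rather than the ASP + SQL Server pairing the notes mention: a string-concatenated lookup beside its parameterized form, run on the same constructed input, plus a regular-expression allow-list for the username field. Table contents and inputs are constructed.

```python
"""String-concatenated vs parameterized lookup, plus a regex allow-list.
Added example using SQLite; the table and inputs are constructed for illustration."""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the input becomes part of the SQL text, so a quote or an
    operator inside it changes the meaning of the statement."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """HARDENED: the driver sends the value separately from the statement,
    so the input is only ever compared as data."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Allow-list for usernames: anything outside [A-Za-z0-9_] is rejected before the query
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_allowed(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def demo() -> dict:
    conn = make_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote and an OR
    return {
        "concat": find_user_concat(conn, probe),        # every row comes back
        "param": find_user_param(conn, probe),          # no user has that literal name
        "param_real": find_user_param(conn, "bob"),     # normal lookup still works
        "regex_allows_probe": username_allowed(probe),  # rejected at validation
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Parameterization is the primary control; the regular expression is defence in depth for fields whose format is known, and it is not a substitute where free text is legitimately allowed.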

CSRF hardening

  1. Token verification: attach a piece of information to each HTTP request (session identifier, session-independent nonce, session-dependent nonce, or an HMAC of the session identifier)
  2. Referer verification: the Referer header identifies where the request was initiated
  3. Custom HTTP header: use XMLHttpRequest to attach a custom header, and reject all requests that lack it
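The three checks above combine naturally on the server side. The Python below is an added example (not from the notes): a token that is an HMAC of the session identifier, compared in constant time; a Referer/Origin check against the site's own host; and a check for the header that the page's XMLHttpRequest adds. The secret, host name, session identifiers and request headers are constructed for illustration.

```python
"""The three CSRF checks from the notes: session-identifier HMAC token,
Referer/Origin check, and a custom XMLHttpRequest header.
Added example; secret, host, sessions and headers are constructed."""
import hashlib
import hmac
import secrets
from typing import Mapping, Optional
from urllib.parse import urlparse

SERVER_SECRET = secrets.token_bytes(32)   # hypothetical; in practice loaded from configuration
ALLOWED_HOST = "app.example"              # hypothetical site host
CUSTOM_HEADER = "X-Requested-With"        # header the page's XMLHttpRequest adds


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Session-identifier HMAC: bound to the session, nothing to store server-side."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(session_id: str, presented: Optional[str], secret: bytes = SERVER_SECRET) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), presented)


def referer_ok(headers: Mapping[str, str]) -> bool:
    """Require the request to originate from our own host over HTTPS.
    A missing Origin and Referer is treated as a failure, not a pass."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    parsed = urlparse(origin)
    return parsed.scheme == "https" and parsed.hostname == ALLOWED_HOST


def custom_header_ok(headers: Mapping[str, str]) -> bool:
    return headers.get(CUSTOM_HEADER) == "XMLHttpRequest"


def accept_state_change(headers: Mapping[str, str], session_id: str, form_token: Optional[str]) -> bool:
    """Apply all three checks to a state-changing request."""
    return token_ok(session_id, form_token) and referer_ok(headers) and custom_header_ok(headers)


def demo() -> dict:
    sid = "sess-7f3a"   # constructed session identifier
    good = {"Referer": "https://app.example/account", CUSTOM_HEADER: "XMLHttpRequest"}
    cross_site = {"Referer": "https://evil.example/page", CUSTOM_HEADER: "XMLHttpRequest"}
    plain_form = {"Referer": "https://app.example/account"}   # no custom header
    tok = csrf_token(sid)
    return {
        "legit": accept_state_change(good, sid, tok),
        "cross_site": accept_state_change(cross_site, sid, tok),
        "plain_form": accept_state_change(plain_form, sid, tok),
        "other_session": accept_state_change(good, "sess-0000", tok),
        "missing_token": accept_state_change(good, sid, None),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The Referer check fails closed when the header is absent, which is the safer default for state-changing requests; if clients that strip Referer must be supported, the token check alone still has to hold.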

XSS hardening

  1. Deploy security devices
  2. HTML entity encoding
  3. Filter special characters
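Items 2 and 3 differ in an important way: encoding preserves the text and makes it inert in its output context, while filtering deletes characters and damages legitimate input. The Python below is an added example (not from the notes) that encodes untrusted values for HTML text and for a quoted attribute, and shows the filtering variant beside it; all inputs are constructed.

```python
"""Context-aware HTML entity encoding of untrusted text, beside the weaker
'filter special characters' approach. Added example; inputs are constructed."""
import html
import re

SPECIAL = re.compile(r"[<>\"'&]")


def encode_text(s: str) -> str:
    """For HTML text content: encode & < > \" ' as entities."""
    return html.escape(s, quote=True)


def encode_attr(s: str) -> str:
    """For an attribute value: same entities, and the value is always quoted
    so a space in the input cannot start a new attribute."""
    return '"' + html.escape(s, quote=True) + '"'


def filter_special(s: str) -> str:
    """'Filter special characters' variant: drops the characters instead of
    encoding them, which also mangles harmless text such as 'a < b'."""
    return SPECIAL.sub("", s)


def render_comment(author: str, body: str) -> str:
    """Build a fragment with each untrusted value encoded for its context."""
    return f"<p title={encode_attr(author)}>{encode_text(body)}</p>"


def demo() -> dict:
    body = "<script>alert(1)</script>"       # constructed markup-bearing input
    author = 'x" onmouseover="alert(2)'      # constructed attribute-breaking input
    harmless = "a < b and 5 > 3"             # constructed legitimate text
    return {
        "fragment": render_comment(author, body),
        "filtered": filter_special(harmless),
        "encoded": encode_text(harmless),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Encoding must match the output context (text, attribute, URL, script); the two encoders here cover the first two, and a value placed in a URL or inside script needs its own encoder rather than these.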

MySQL database hardening

  1. Account security: change the root password and rename the root account
  2. Delete the default database and its user: drop the test database
  3. Run the service as a dedicated unprivileged user
  4. Disable remote connections: /etc/my.cnf
  5. Limit the number of users
  6. Protect the command history: .bash_history

Origin blog.csdn.net/mukami0621/article/details/96435920