Choosing and comparing a server's highest-level security defense strategy

With the spread and maturing of Linux/BSD technology, everyone recognizes the benefits of open-source systems: free, customizable, high performance, highly scalable, and the topic we want to study today, security, an eternal subject. Enough talk; let's cut to the point!

I personally think that a system's security defense should not rest on a single layer or a single point. It should be planned as a whole from the moment the corporate website architecture is first built and deployed across the board, with defense mechanisms configured from the physical layer, up through the web application layer, and finally down to the system kernel layer. We do not need to go as far as a national security department, but at least we can use existing, open-source, free and well-tested security tools to strengthen our security. Of course, for performance and cost reasons some defense functions can be temporarily switched off, but they must not be removed: we have to switch them on when a hacker attack arrives! Let's look at the specific security mechanisms we need to deploy:

I. Physical layer defense

1. The server you buy must be a brand-name machine (Dell, HP, IBM) with redundant power supplies, multi-disk RAID, and chassis protection (intrusion alarm, power-switch lock, door lock). For data security it is best to also have a disk encryption chip.

2. Prefer fiber-optic networking to prevent electromagnetic leakage, and preferably do without monitors, keyboards and USB ports on the server.

3. The server must be housed in a computer room that meets the relevant electrical standards.

II. Network layer defense (TCP/IP layers 1-6)

1. Use static MAC entries, or run OpenVPN so that the whole network uses a completely static ARP table, to prevent ARP spoofing attacks.

2. Configure switch port security to prevent MAC/port table attacks, and divide the network into dedicated VLANs.

3. Configure the DHCP server to prevent IP address pool exhaustion attacks: limit the number of requests per network card and the lease time.

4. Unless the network is large, do not use routers; connect the segmented IP ranges directly through switches. If routing is necessary, configure the routing table by hand and do not use dynamic routing protocols, to prevent attacks on protocol vulnerabilities.

5. Across the whole network, use Collet, tcpdump, sniffers and other packet-analysis tools to monitor the network by hand, looking for network cards in promiscuous mode, scans of every kind, DoS and DDoS attacks, and unknown attacks.

6. If conditions permit, buy a professional anti-DDoS firewall on a non-x86 architecture, preferably one that also supports layer-7 application firewall functions. If the bandwidth is not that large, you can build a DIY firewall from FreeBSD + pf and configure SYN proxy handshaking, inbound and outbound NAT, rdr and filter rules to prevent external, internal and local attacks (FreeBSD's polling mode for network cards also works wonders against high-interrupt SYN floods). Application-layer firewalls are generally not used to defend the web tier; if you want to deploy one, you can also choose FreeBSD's ipfw-classic or the iptables layer-7 module, but you must use Collet and sniffers to keep developing layer-7 signatures regularly, or the existing rules fall too far behind! A large-scale DDoS attack is not something a firewall can defend against; it can only be solved by adding bandwidth, working together with the telecom operators and government departments, and buying CDN capacity distributed across the country.

7. Use Suricata (Snort's performance is too poor and it is outdated) with NVIDIA CUDA acceleration and PF_RING acceleration, and choose Intel network cards with DMA, MSI-X and multi-queue acceleration to reach 10G traffic intrusion analysis! It supports both IDS and IPS functions. Of course, we not only link the intrusion detection system to the firewall, but also link it to the system shell, voice and mail alarms! Especially to discover penetration scanning and kill penetration attacks in the cradle!

8. DNS is the most vulnerable core network function, so there is no need to build your own BIND DNS server to speed up the network; just use the DNS servers already on the network. If you really want to deploy one, choose OpenBSD as the base system, which prevents overflows at the code level, or use the MAC (mandatory access control) described later to enforce hard access control! When necessary, deploy network-wide DNS spoofing defense (using a network analysis tool) to prevent intranet poisoning by forged DNS packets and hijacking!
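Point 1 above (static ARP) and point 5 (manual monitoring of the segment) can be checked with a few lines of shell. The following script is an added example, not code from the original post: it compares two snapshots of the neighbour table in `<ip> <mac>` form (the shape you get after trimming `ip neigh show` or `arp -n` output), flags an IP whose MAC has changed and a MAC that answers for several IPs, and generates the iproute2 commands that pin the baseline as permanent entries. The sample snapshots are constructed; the interface name `eth0` is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): detect ARP-table anomalies and
# emit static neighbour entries. Input lines are "<ip> <mac>", the shape you
# get after trimming the output of `ip neigh show` or `arp -n`.

# Constructed sample data: two snapshots of the same segment. In the second,
# the gateway 192.168.1.1 suddenly resolves to the MAC of host .10.
SNAP_BASELINE='192.168.1.1 aa:bb:cc:00:00:01
192.168.1.10 aa:bb:cc:00:00:10
192.168.1.11 aa:bb:cc:00:00:11'

SNAP_NOW='192.168.1.1 aa:bb:cc:00:00:10
192.168.1.10 aa:bb:cc:00:00:10
192.168.1.11 aa:bb:cc:00:00:11'

# arp_changes BASELINE CURRENT: print "ip old_mac -> new_mac" for every IP
# whose MAC differs from the baseline (the classic ARP-spoofing symptom).
arp_changes() {
  printf '%s\n' "$1" "-----" "$2" | awk '
    /^-----$/ { second = 1; next }
    !second   { base[$1] = $2; next }
    ($1 in base) && base[$1] != $2 { print $1 " " base[$1] " -> " $2 }
  '
}

# arp_shared_macs SNAPSHOT: print MACs that answer for more than one IP.
arp_shared_macs() {
  printf '%s\n' "$1" | awk '
    { seen[$2]++; ips[$2] = ips[$2] " " $1 }
    END { for (m in seen) if (seen[m] > 1) print m ":" ips[m] }
  '
}

# arp_static_commands BASELINE IFACE: generate iproute2 commands that pin each
# baseline entry as a permanent neighbour (the static-ARP hardening step).
# This only prints the commands; review them before running as root.
arp_static_commands() {
  printf '%s\n' "$1" | awk -v dev="$2" '
    NF == 2 { print "ip neigh replace " $1 " lladdr " $2 " dev " dev " nud permanent" }
  '
}

echo "== changed entries =="
arp_changes "$SNAP_BASELINE" "$SNAP_NOW"
echo "== MACs claiming several IPs =="
arp_shared_macs "$SNAP_NOW"
echo "== pinning commands (dry run) =="
arp_static_commands "$SNAP_BASELINE" eth0
```

Run the baseline capture when the segment is known to be clean and keep it off the box; a gateway whose MAC flips to that of an ordinary host, as in the constructed sample, is exactly the event that should page someone.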

III. Application layer defense

1. All systems and server software must use the distribution's default versions, verified against their MD5/SHA signatures. It is also necessary to download the distribution's corresponding source code and compile and install it with GCC 4.6 or 4.7 and the -fstack-protector-all flag; the optimization level should not exceed -O2. Also modify version.h in the source to disguise the server software's name and version! For example, nginx becomes bws, gws or apache, and MySQL becomes redis or PostgreSQL!

2. The web server, database server, cache server and PHP application server must be installed on separate machines, each set up with its own dedicated account. This makes least-privilege control and directory permission control easier later on!

3. The website should be static wherever possible. Where it must be dynamic, use Suhosin to harden the PHP runtime and disable the various unneeded functions; use TOMOYO's analysis mode to work out the permissions the website needs for normal operation and apply least-privilege management to PHP, MySQL, nginx and Apache; work out the tightest permissions for the web root directory to prevent overflow attacks; and at the same time filter all PHP input (every piece of data, image and option the user submits) to prevent SQL injection, cross-site attacks, database dumping and the like. Choose a NoSQL database such as redis instead of MySQL if at all possible!

4. If no layer-7 application firewall was deployed in the previous section, we can use the concurrency and connection limits of nginx and Apache to prevent CC (HTTP flood) attacks. At the same time, all server software must run under MAC mandatory access control such as grsecurity, SELinux or TOMOYO!

5. MAC (mandatory access control) is actually very simple: a more powerful control layer is added on top of the original discretionary access control. In general a role control layer and a type (subject/object) control layer are added; the main purpose is information security, controlling access by the classification level assigned to each object. The following tools are generally available:

SELinux: the full-featured SELinux implements role control, type enforcement (type/domain control) and MLS control, but the CentOS and RHEL we commonly use enable only type enforcement by default, a cut-down version of SELinux. Whether it is role control, type control or MLS control, it comes down to four steps:

a. Write the classification and grouping labels for role control, type control and MLS control into the files' security extended attributes.

b. Use the automatic learning mode, or write the role, type and MLS permission rules of the policy file by hand (RHEL and CentOS already ship policies for common software).

c. Enable permissive (debugging) mode, try to run the software, and check the log for entries that violate the policy.

d. Adjust the policy and repeat the previous two steps until there are no more errors.

The full strict version implements four-layer user:role:TE:MLS control and can protect the entire system, not just the critical processes!
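Step c above, "check the log for violations", is where most SELinux deployments stall, because audit.log is noisy. The script below is an added example, not code from the original post: it reduces constructed AVC denial lines (in the format auditd writes on RHEL/CentOS) to one line per distinct source type, target type, object class and permission, with a count, and separately counts how many denials were logged in permissive mode and would therefore be blocked once enforcing mode is switched on. The nginx/httpd_t scenario and the type names in the sample are constructed for illustration; the real log lives at /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials from
# audit.log so step (c) of the workflow, "check the log for violations", yields a
# short list of (source type, target type, class, permission) to act on.

# Constructed sample of audit.log lines, in the format auditd writes on RHEL/CentOS.
# Here nginx (httpd_t) was run in permissive mode and hit three denials.
AUDIT_SAMPLE='type=AVC msg=audit(1700000000.101:41): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="sda1" ino=101 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:42): avc:  denied  { read } for  pid=1201 comm="nginx" name="about.html" dev="sda1" ino=102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:43): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.103:43): arch=c000003e syscall=42 success=yes exit=0'

# avc_summary LOGTEXT: one line per distinct denial, prefixed with its count:
#   "<count> <source type> <target type> <class> <permissions>"
avc_summary() {
  printf '%s\n' "$1" | awk '
    /avc: *denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # permissions sit between braces, e.g. { read } or { read write }
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }   # user:role:TYPE:level
        if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k] " " k }
  ' | sort
}

# avc_permissive_count LOGTEXT: denials that were only logged (permissive=1),
# i.e. the operations enforcing mode would actually block.
avc_permissive_count() {
  printf '%s\n' "$1" | grep -c 'avc: *denied.*permissive=1'
}

avc_summary "$AUDIT_SAMPLE"
echo "denials that enforcing mode would block: $(avc_permissive_count "$AUDIT_SAMPLE")"
```

The summary is the input for step d: a denial on a target type such as the constructed `user_home_t` usually means the content is labelled wrongly and should be relabelled rather than allowed, while a socket denial may need an explicit rule, and `audit2allow` on the same lines shows what that rule would look like.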

grsecurity: implements role control similar to SELinux type enforcement, without the MLS function, but it has many functions SELinux cannot match, such as online read-only mode for disk partitions, trusted-path control, and the even more formidable PaX kernel anti-overflow hardening. It is simply the most perfect MAC; I give it 200 points!! If you want to achieve the highest level of system defense, grsecurity is indispensable!! It can also protect the entire system!

TOMOYO (ccs) and SUSE's AppArmor implement only what RHEL's SELinux targeted policy implements: they harden the key processes and cannot protect the entire system. At the same time they are path-based and do not need the file labels that SELinux requires!

Finally, the TrustedBSD MAC project started by FreeBSD mainly implements TE subject/object control and layered control. In the MLS module (low, high, equal), the high layer can only write to and cannot read the low layer, the low layer can only read and cannot write, and equal can both read and write!! The Biba module is just the opposite: the upper layer can read but not write, and the lower layer can write but not read!

In short, mandatory access control is really a permission firewall for system programs! My personal recommendation: enable SELinux on RHEL and CentOS, enable grsecurity on other Linux distributions, and on FreeBSD, because it serves as the firewall, nobody logs in and no server program runs, there is no need to enable MAC!

IV. System layer defense

1. We have to choose a suitable system. The systems currently available include RHEL, CentOS, Oracle Linux, Debian, Ubuntu, FreeBSD, OpenBSD, NetBSD, SUSE and so on. Personally I think:

Firewall system: FreeBSD + pf for performance, OpenBSD + pf for security (ipfw-classic for application-level filtering); Panabit would be a good choice, but it is a pity that it charges.

Embedded CPU firewall: NetBSD + pf/npf

Web server: CentOS, for free

Database: Oracle Linux

Static web and cache server: FreeBSD / CentOS

VPS vendor (host): CentOS

VPS client (guest): Debian

OpenStack private cloud: Ubuntu

Massively parallel computing: Scientific Linux

In general: choose the RHEL/CentOS series mainly for performance, Debian + grsecurity hardening for security, and the BSD series for firewall stability.

2. Apart from RHEL, which has commercial support, the other free systems must be carefully compiled and streamlined: remove all useless drivers, functions and debugging, and add grsecurity or ccs (TOMOYO) MAC hardening! At the same time, set sysctl kernel parameters to increase DDoS resistance, shorten TIME_WAIT, enlarge the TCP and UDP buffers, and apply other tuning parameters.

3. Delete all useless users in the system and useless binaries in bin/sbin, and enable grsecurity's trusted-path function so that anyone can only run programs owned by root; turn off MAC's runtime sysctl control; and for configuration files that do not need to change, as well as static pages, enable grsecurity's read-only partition function so that nobody can change those files, including yourself!

4. Sign the key files, including the kernel, kernel modules, configuration files and frequently used programs, with MD5/SHA hashes to detect rootkits and Trojans; you can use an integrity-checking tool or write a shell batch script yourself!

5. Use grsecurity or SELinux roles to control every independent user process, enable security protection for /proc and the other virtual filesystems, including /tmp, and enable grsecurity PaX to defeat overflows, link attacks, and provide address randomization and other protections!

6. Set basic Linux/FreeBSD file permissions, user permissions and chattr +i protection! Shut down unneeded server software, and try not to run an SSH server; if you have to, use port knocking to open a channel through the firewall before using SSH!

7. Customize secure and reliable server versions, apply vulnerability and security patch upgrades, and keep an eye on the published vulnerability lists at all times.
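Point 4 above, hashing the kernel, modules, configuration files and key programs so that rootkits and Trojans show up, is the "manual shell batch script" option in practice. The script below is an added example and not code from the original post: it records a SHA-256 manifest of every file under a directory, then verifies the tree against that manifest and reports modified, missing and unexpected files. The demo tampers with a constructed directory tree in a temporary location; it assumes GNU sha256sum (or Perl's shasum) is available, and it does not handle paths containing whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): build a SHA-256 manifest of the
# files under a directory (kernel, modules, configs, key binaries) and verify it
# later, reporting modified, missing and unexpected files. Assumes sha256sum or
# shasum is available; paths containing whitespace are not handled.

hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# integrity_baseline DIR MANIFEST: record "<sha256>  <relative path>" per file.
integrity_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do hash_file "$f"; done ) > "$2"
}

# integrity_verify DIR MANIFEST: print one finding per line, sorted:
#   MODIFIED <path>   hash differs from the manifest
#   MISSING  <path>   listed in the manifest, gone from disk
#   NEW      <path>   on disk but not in the manifest (a dropped file)
# Prints nothing when the tree matches the manifest.
integrity_verify() {
  current=$(mktemp)
  integrity_baseline "$1" "$current"
  awk 'NR == FNR { base[$2] = $1; next }
       { cur[$2] = $1 }
       END {
         for (p in base) if (!(p in cur)) print "MISSING " p
         for (p in cur) { if (!(p in base)) print "NEW " p; else if (cur[p] != base[p]) print "MODIFIED " p }
       }' "$2" "$current" | sort
  rm -f "$current"
}

# integrity_demo: constructed scenario in a temporary directory. Take a baseline,
# then change the tree the way a compromise would, and verify against it.
integrity_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/tree/etc" "$work/tree/bin"
  printf 'server_tokens off;\n' > "$work/tree/etc/nginx.conf"
  printf '#!/bin/sh\necho ok\n'   > "$work/tree/bin/healthcheck"
  printf 'static page\n'          > "$work/tree/index.html"
  integrity_baseline "$work/tree" "$work/manifest.sha256"

  printf 'server_tokens on;\n' > "$work/tree/etc/nginx.conf"   # config changed
  rm "$work/tree/bin/healthcheck"                                # binary removed
  printf 'payload\n' > "$work/tree/etc/.hidden"                  # file dropped in

  integrity_verify "$work/tree" "$work/manifest.sha256"
  rm -rf "$work"
}

integrity_demo
```

The manifest is only as trustworthy as its storage: keep it on read-only media or on another host, since a manifest that sits writable next to the files it describes can be regenerated by whoever changed them. The same script run from cron against /boot, /lib/modules and /etc gives the regular check the text asks for.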

V. Institutional defense (policies and personnel)

1. Password policy: passwords must be 16 or 32 characters long (or a 16/32-character MD5-obfuscated value), and must mix upper- and lower-case letters, special symbols and digits, i.e. high-strength passwords, changed regularly. You can also refer to the "One-Time Password" article I wrote earlier and use one-time passwords!

2. A security reset procedure for departing staff, to prevent the leakage of their passwords and confidential files. Important files, whether stored or backed up, must use TrueCrypt high-strength encryption!! Especially database encryption!

3. A security audit system for current staff, to prevent them from accessing highly confidential files, performing illegal operations, copying hard disks and other unsafe actions or illegal system operations (enable the system audit function).

4. Regular backups, disaster recovery drills, penetration tests, and stability and performance tests!

5. Hold regular training on security defense and attack, form a security group or a small circle for discussion, encourage innovative thinking, and train security talent.

So far, this is a preliminary overall plan for security hardening and defense. My blog will not go into it further unless there is a need; next I will move on to the web application development stage. Thank you for your support.
