Linux defense

How to protect DNS?

1. Authoritative DNS servers should restrict (ideally disable) the recursive query function, and recursive DNS servers should restrict which clients may query recursively (enable an IP-range whitelist).

2. Restrict zone transfers: enable a whitelist covering only the primary and secondary DNS servers that synchronise with each other. DNS servers not on the list are not allowed to synchronise zone files. In named.conf:

allow-transfer { <whitelisted secondary server IPs>; };

allow-update { <hosts permitted to send dynamic updates>; };

3. Enable blacklists and whitelists

Blacklist known attacker IPs in BIND, or block them on the firewall;

Define the IP network segments that are allowed access with an acl;

4. Hide the version information of BIND;

5. Run BIND chrooted and as a non-superuser account;
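A named.conf fragment that puts items 1 to 4 above together (an added example, not from the original page): the acl names and all addresses are constructed placeholders, and the recursive-server variant is shown in comments because item 6 requires it to run on a separate host.

```conf
// Added example, not from the original page. Addresses are constructed placeholders.
acl "trusted-clients" { 192.0.2.0/24; 198.51.100.0/24; };  // item 1/12: who may recurse
acl "secondaries"     { 203.0.113.2; 203.0.113.3; };        // item 2: who may pull zones
acl "blocked"         { 192.0.2.200; 198.51.100.77; };      // item 3: known attacker IPs

options {
    directory "/var/named";
    version "not disclosed";               // item 4: do not reveal the BIND version
    blackhole { blocked; };                // item 3: silently ignore blacklisted sources
    allow-query { any; };                  // authoritative answers stay public
    recursion no;                          // item 1: the authoritative server never recurses
    allow-transfer { secondaries; };       // item 2: AXFR/IXFR only to the whitelist
    allow-update { none; };                // item 2: no dynamic updates
    // On the separate recursive server use instead:
    //   recursion yes;
    //   allow-recursion { trusted-clients; };   // items 1 and 12
    //   allow-transfer { none; };
};

zone "example.com" IN {                    // placeholder zone name
    type master;
    file "example.com.zone";
    // a zone-level allow-transfer here would override the global one above
};
```

Run named-checkconf against the file after editing; a typo in an acl silently widens or breaks the whitelist.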

6. Remove other unnecessary services from the DNS server. Services such as Web, POP, gopher and NNTP news should not be installed when building the DNS server system.

Installing the following software packages is not recommended:

1) X Window and related packages;
2) multimedia application packages;
3) any unnecessary compiler or scripting-language interpreter;
4) any unused text editor;
5) harmful client programs;
6) other unnecessary network services.

To keep the domain name resolution service independent, the server running it must not expose services on other ports at the same time. Authoritative and recursive resolution services must be provided independently on separate servers;

7. Use dnstop to monitor DNS traffic

# yum install libpcap-devel ncurses-devel

Download the source code (/tools/dnstop/src/dnstop-20140915.tar.gz).

9. Strengthen the DNS server's defences against DoS/DDoS.

Use SYN cookies.

Increasing the backlog can, to some extent, relieve the TCP connection blocking caused by a flood of SYN requests.

Reduce the number of retries: the Linux default for tcp_synack_retries is 5.

Limit the SYN rate.

To enable the SYN-flood protection: # echo 1 > /proc/sys/net/ipv4/tcp_syncookies. Add this command to the file /etc/rc.d/rc.local;
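The four steps above as one shell script (an added example, not from the original page): it assumes iptables with the hashlimit match, as shipped on CentOS 6, and only prints the commands unless DRY_RUN=0 is set; the backlog, retry and rate values are example choices, not numbers given on the page.

```shell
#!/bin/sh
# Added example (not from the original page): the four anti-SYN-flood steps
# for a DNS host: SYN cookies, a larger backlog, fewer SYN-ACK retries, and
# a per-source SYN rate limit on TCP/53. DRY_RUN=1 (the default) only prints
# the commands for review; DRY_RUN=0 executes them (root required).
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Kernel side. The backlog and retry values are example choices.
syn_sysctl() {
    run sysctl -w net.ipv4.tcp_syncookies=1          # answer SYNs statelessly under load
    run sysctl -w net.ipv4.tcp_max_syn_backlog=4096  # larger half-open queue
    run sysctl -w net.ipv4.tcp_synack_retries=2      # default is 5; give up sooner
}

# Firewall side: a SYN to the DNS TCP port is accepted while the source stays
# under 20 new connections per second (burst 40); above that it is logged
# (rate-limited so the log itself cannot be flooded) and dropped.
syn_ratelimit() {
    port="${1:-53}"
    run iptables -N DNS_SYN_LIMIT
    run iptables -A DNS_SYN_LIMIT -m hashlimit --hashlimit-name dns_syn \
        --hashlimit-mode srcip --hashlimit-upto 20/second --hashlimit-burst 40 \
        -j RETURN
    run iptables -A DNS_SYN_LIMIT -m limit --limit 3/minute \
        -j LOG --log-prefix "DNS-SYN-FLOOD "
    run iptables -A DNS_SYN_LIMIT -j DROP
    run iptables -I INPUT -p tcp --dport "$port" --syn -j DNS_SYN_LIMIT
}

syn_sysctl
syn_ratelimit 53
```

Put the three sysctl keys in /etc/sysctl.conf so they survive a reboot, and on CentOS 6 persist the rules with service iptables save rather than re-running the script from rc.local.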

10. Monitor whether the domain name service protocol is behaving normally: use the service protocol itself, or a corresponding test tool, to send simulated requests to the service port, analyse the responses returned by the server, and judge whether the service is currently normal and whether the in-memory data has changed. If possible, deploy several probe points in different networks for distributed monitoring;

11. Provide domain name service from no fewer than 2 servers; 5 independent name servers are recommended, deployed in different physical network environments. Use an intrusion detection system to detect man-in-the-middle attacks as far as possible; deploy anti-attack equipment around the domain name service system to handle such attacks; use traffic analysis tools to detect DDoS attacks so that emergency measures can be taken in time;

12. Restrict the scope of the recursive service, and only allow users from specific network segments to use it;

13. Closely monitor the resolution results of important domain names, and raise an alarm promptly once the resolution data is found to have changed; deploy DNSSEC;

14. Establish a complete data backup mechanism and log management system. Keep all resolution logs for the last three months; for important domain name information systems a 7×24 maintenance arrangement is recommended, with an emergency response time of no more than 30 minutes.

10 penetration testing books?

Supporting the red team and the "Internet Space-One Billion Guardian Program", here are 10 recommended books on Internet security that have received many favourable reviews. I hope they help everyone. There is also an interactive book giveaway at the end of the article; everyone is welcome to take part.

Recommended list

01

Internet security construction from 0 to 1

Recommendation: A security book suitable for everyone from security engineers to those in charge of enterprise security. The author, Lin Peng, has distilled many years of rich security experience into this book, which is easy to understand and gently paced. It can serve as a tool manual for security engineers solving all kinds of common security problems, and can also guide security leaders in building an enterprise security system from 0 to 1. Highly recommended.

02

CTF special training camp: detailed technical explanation, problem solving methods and competition skills.

Recommendation: The first book of technical analysis of CTF competitions in China, written by the senior CTF team FlappyPig and fully developed across three dimensions: security technique, problem-solving methods and competition skills. It has 6 parts and 30 chapters covering Web, Reverse, PWN, Crypto, APK and IoT, 518 pages in all. It is recommended by three-time Pwn2Own champion flanker and by pioneers of CTF events in China. Considering that many CTF players are students and there will be more student groups, the author team insisted that the book's price be reduced, and only a symbolic 1% royalty is taken, which goes to charitable donations.

03

Python security attacks and defenses: a practical guide to penetration testing

Recommendation: In the field of network security, programming ability is the essential difference between "script kiddies" and real hackers. This book focuses on the application of Python across the various fields of network security penetration testing. Through a large number of illustrations, it analyses code in real attack and defence scenarios to help beginners quickly master network security programming in Python, and explains in plain terms how to use Python in penetration testing, making Python a powerful weapon in the reader's hands. Produced by the MS08067 Security Lab.

04

Kali Linux Advanced Penetration Testing (3rd Edition)

Recommendation: The third edition of the original book, fully upgraded; a classic on Kali Linux penetration testing. This book examines the network from the attacker's point of view, introduces in detail the specific steps of the attacker's "kill chain", contains a large number of examples, and provides the source code.

05

Linux system security: defense in depth, security scanning and intrusion detection.

Recommendation: A book that systematically explains Linux system security from two angles, technical principles and engineering practice, and explains in detail how to build an ironclad Linux protection system across three dimensions: defence in depth, security scanning and intrusion detection. The author, Xu Feng, is a senior expert in Linux system security and operations with 13 years of experience. The book has been highly praised by industry experts from well-known enterprises such as Tencent and Ali. It not only contains a large number of engineering practice cases, but also provides mind maps for the core knowledge points.

06

Design and Practice of Data Security Architecture

Recommendation: A data security bestseller. With the arrival of the data age, security architecture has gradually shifted from "network-centric" (network security) to "data-centric" (data security). Using the concept of data security, this book focuses on the secure collection or generation, use, transmission, storage, disclosure, circulation and tracking, and destruction of data, looks through the whole security system, and then integrates the idea of security architecture into the product development process, the security technology system and the surrounding processes, so as to better serve the enterprise's security objectives.

07

Cyberspace Security Defense and Situation Awareness

Recommendation: This book brings together academic articles on cyberspace security defence and situational awareness. It comprehensively covers the theoretical points of cyberspace security situational awareness research and contains a wealth of practice-oriented experimental data and lessons, which is of great guiding significance to readers engaged in research and development of cyberspace security situational awareness, and of great reference value to network security practitioners in general.

08

Analysis of Malware Based on Data Science

Recommendation: The first practical guide in China to systematically set out malware analysis from the perspective of data analysis. Joshua Saxe and Hillary Sanders are both chief data scientists at the front-line security company Sophos. Drawing on their rich practical experience, they fully demonstrate how to apply data science and technology to solve major network security problems. Highly recommended by Cao Jiannong, Xiao and Zhou Hong _!

09

Essentials of Linux network security

Recommendation: This book emphasises network security, a part that is often ignored in Linux books and courses. Starting from the basics of Linux, it covers users and groups, files and data storage, automation, networking, process and log management, package management, security tasks and so on. The original English edition was selected by BookAuthority (2019-09) as one of the "10 new books for learning Linux", and covers the key topics of the CompTIA Linux+ and LPIC-1 exams.

10

Effective Security (Chinese edition)

Recommendation: Effective network security is difficult to achieve. Many organisations have invested heavily in manpower and material resources and drawn up best-practice documents and standards for implementing and evaluating network security. This book sensibly organises, consolidates and explains all of this material so that security practitioners can use it effectively.

How to protect against a web reverse shell?

A reverse shell actually communicates through Linux socket technology. The process needs to complete the TCP three-way handshake and then communicate over a fixed port. On CentOS 6.9 the TCP port used by the reverse shell is a random port. We only need to restrict the INPUT or OUTPUT chain of the iptables filter table so that its TCP connection cannot succeed, and the reverse shell is contained.

Note that the default iptables policy on Linux is ACCEPT. With that policy the firewall is effectively running a blacklist strategy, which is easy to bypass; this is why attackers so often succeed in getting a reverse shell back.
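One way to apply this on the web host with iptables (an added example, not from the original page): the resolver and repository addresses are constructed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original page): replace the default-ACCEPT
# OUTPUT chain of the filter table with a default-DROP whitelist, so the
# outbound connection of a reverse shell to a random port never completes
# its three-way handshake. Addresses are constructed placeholders.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

RESOLVER="${RESOLVER:-192.0.2.53}"        # placeholder: the resolver this host uses
REPO_NET="${REPO_NET:-198.51.100.0/24}"   # placeholder: package mirror / management net

egress_whitelist() {
    run iptables -F OUTPUT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Replies on connections this host accepted (inbound HTTP, SSH) keep flowing.
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound services the web host legitimately needs, and nothing else.
    run iptables -A OUTPUT -p udp --dport 53 -d "$RESOLVER" -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport 53 -d "$RESOLVER" -j ACCEPT
    run iptables -A OUTPUT -p udp --dport 123 -j ACCEPT              # NTP
    run iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -d "$REPO_NET" -j ACCEPT
    # Anything else is logged (sampled) and then hits the DROP policy: a reverse
    # shell shows up as an EGRESS-DROP line with an unexpected destination port.
    run iptables -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "EGRESS-DROP "
    # Switch the policy last so an existing admin session is not cut off.
    run iptables -P OUTPUT DROP
}

egress_whitelist
```

If the shell would be spawned by the web server process, the owner match (-m owner --uid-owner) can confine the whitelist to that service account instead of the whole host.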