The most common such as the IPSec protocol. Ipsec There are three modes, one must be mandatory, and the other is the recipient requested, and the third is not used. When a host A to host B to send data files, the host A and B will host the first consultation, including the need to adopt technologies on IPSec packet is encrypted. The first is to be used, that is to say, whether the host A or B host must support IPSec, otherwise, the transmission will end in failure. Second, we request the use of such consultations in the process, ask the host A host B, the need for using IPSec. If the answer does not need to adopt the host B, then use an express delivery, unless the A’s host IPSec policy settings that must be made mandatory. If the answer is that the host B can be encrypted IPSec, A host of the first packet will be encrypted and then sent. After the technical IPSec encrypted data, the general has been very difficult to break. Moreover, it is important that the encryption and decryption of the work for the user, is transparent. In other words, we need to configure the network administrator of IPSec good strategy, no additional staff movements. Whether or not to use IPSec encryption, will not be adopted to achieve any results, and so on, staff will be among the hosts for their own consultations, without the need for our additional control.

Password aging is a mechanism for the system, mandatory password for a specific length of time after failure. For users, this may bring some trouble, but it will ensure that the password change on a regular basis, is a very good safety measures. By default, the vast majority of sub-installed versions of Linux do not have a password to open statute of limitations, but it is very easy to open.

     By editing / etc / login.defs, you can specify a number of parameters to set the default password setting results:

PASS_MAX_DAYS 99999

PASS_MIN_DAYS 0

PASS_WARN_AGE 7

     When setting a password for the number of days spent 99,999 hours, equivalent to actually closed Aging password. A more sensible set of generally 60 days - every 2 months enforce a password change.

     PASS_MIN_DAYS parameters are set in the revised code, change your password the next time allowed before the required number of days at least. PASS_WARN_AGE settings are specified in a password before the failure to inform the user how many days to change your password (usually the user has just landed when the system will receive a warning notice).

You will also edit / etc / default / useradd documents, and search for INACTIVE two EXPIRE Key words:

INACTIVE = 14

EXPIRE =

     This will indicate how long the password immediately after the expiration of time, if the password does not change, they will account for the failure to change the state. In this case, this is the time to 14 days. EXPIRE and settings are used for all new users to set a clear time password failure (the specific format for the “year - the month - the date”).

     It is clear that these settings changes, can only affect new users. At present, to amend the existing users to set specific, chage need to use the tools.

# Chage-M 60 joe

This command will be set up on the joe user PASS_MAX_DAYS 60, and corresponding amendments to the shadow file.

     You can use the chage-l option, listed in the current account of limitations, the use of option-m is set PASS_MIN_DAYS, by-W is set PASS_WARN_AGE, and so on. chage tool lets you modify a particular account password for all of the state statute of limitations.

     Attention, chage only apply to the local system account, if you use in a way similar to the LDAP authentication system, the tool will be ineffective. If you are using LDAP as an authentication, and you intend to use the chage, then, even if just trying to users listed in the statute of limitations password, you will find in chage simply does not work.

     To develop a strategy to define how long a password must be changed, then the enforcement strategy is a good practice. In the dismissal of an employee after the statute of limitations password strategy will be to ensure that the employee can not be dismissed at 3 months after he discovered the password is still available. Even if the system administrators neglected to delete his account, the account password as a result of the limitation strategy will be automatically locked. Of course, this should not be delayed for the deletion of the account of the reasons employees, but this strategy does provide an additional layer of security, especially in the past often ignored in time to clear account of the

Service Set IDentification service set identifier also known as network name, a unique identifier, as wireless devices connected to the WLAN when the password. In specific settings, manufacturers can change the default Service Set IDentification name to set up, and close the “open Service Set IDentification broadcasting” election option, this will not be the Service Set IDentification router to the wireless network, the host broadcaster. To join the other computer networks, the need to manually enter a default Service Set IDentification name, logo Service Set IDentification can join the wireless network, can largely improve the security of wireless networks.

1.Strengthen anti-antivirus

Wi-Fi wireless networking is not the biggest security threat comes from the wireless network itself, but Internet network, or LAN transmission and disk transfer. Internet users in the network to facilitate access to knowledge, while also by the various networks from Internet security threats.

     Viruses, worms and Trojan horses have become cause your computer is running slow and information on your computer and damage to vital information compromised the main security threat.

     The virus is attached to the program or file in a section of computer code, it can spread from computer to computer. It spread side of the side infected computers. Virus can damage software, hardware and documents.

     Worm virus is a sub-category. Usually, the worm spread without user operation, and through its own distribution network or a complete copy of the changes. Worms consume memory or network bandwidth, which could lead to computer crashes. And the spread of worms do not have to “host” program or file, so you can sneak into the system and allow others to remote control your computer. As against the larger well-known “shock wave (Worm.Sasser)”, “Shock Waves (Worm.Blaster)” are the representatives of worms.

     Trojan horse is a malicious program, which quietly running on the host machine, the user not aware of the circumstances, allow an attacker to obtain remote access and control system of privileges. Generally speaking, most Trojans are imitating some of the regular remote control software functions. Trojan horse attacks are often hidden in some small games or software, the lure careless users in their own machines to run on. The most common situation is that users either never taken the formal operation of the site and download the software with malicious code, either accidentally clicked on the malicious code with the e-mail attachments. On behalf of its software includes Back Orifice, SubSeven, and so on.

     Trojan horses have captured a user’s screen, and every time the ability to keystrokes, which means that an attacker could easily steal the user’s password, directory path, drive mapping, and even medical records, bank accounts and credit cards, personal communication of information . If the PC with a microphone, eavesdropping Trojan horse to the transcript. If the PC with a camera, many Trojan horses can turn it on, capture video content.

     Therefore, in order to network and Internet access to basic security, with the latest anti-virus software are necessary, otherwise you may unknowingly suffered heavy losses.

Block allocation: a file on disk blocks allocated to the documents needed to avoid a waste of storage space. However, expansion of documents, paper documents will cause the block is not continuous, resulting in excessive disk seek time.

             Each time the file extension, the block allocation algorithm on the need to write to file information block structure, which is meta-dada. meta-data and documents to always write storage devices, document changes in the operation have to wait until all the meta-data operations have been completed before,

             Therefore, meta-data of the whole operation will significantly reduce the file system performance.

     Expansion of distribution: to create documents, a series of one-time allocation for the block, when the file extension, also allocated a lot of pieces. meta-data included in the document creation, when the file size no more than the paper on the distribution of all block size, do not have to write meta-data, until the need for redistribution of documents when the block.

                 Group to expand distribution of a block allocation of the way, the SCSI devices to reduce the time to write data, in order to read documents with a good performance, but the documents were read, and a similar block allocation.

                 Documents the group or block block cluster (block cluster) is the size of the compiler determined at the time. The size of the cluster file system performance has greatly affected.

     Note: meta-data meta-information: the relevant information and documents, such as authority, the owner and to create, access or change the time, and so on.

Show Svchost in a number of services

     To learn more about each Svchost process in the end the number of systems to provide services in Win 2000 command prompt window, enter “tlist-s” command to view, the order is Win 2000 support tools available. In Win XP using “tasklist / svc” order.

     Windows system into the process of the independence process and the process of sharing two, “Svchost.exe” document exists in the “% systemroot% system32″ directory, it belongs to the process of sharing. With the growing Windows system services, in order to save system resources, Microsoft made a lot of shared services, by Svchost.exe process to start.

     Svchost process but only as a service host, and can not be achieved any services that it can only provide the conditions for other services here was activated, and its own can not provide any services. That these services is how to achieve it »

     These services are the original system dynamic link library (dll) achieved in the form, they point to the executable Svchost, from the corresponding services Svchost called the dynamic link library to start the service. That Svchost also know how the services of a system called dynamic link library which is «This is the system registry services in the parameters set to achieve.

     From the start of the parameters that service is to start on the Svchost.

     See whether there is a virus in the Svchost process

     Svchost process started because of various services, viruses, Trojans also want ways to use it in an attempt to use its features to confuse users to infection, intrusion, the purpose of destruction. However, Windows systems with multiple Svchost process is normal in the infected machine in the end the process which is a virus? »Here cite just one example to illustrate.

     Assume that Windows XP system was infected with the virus. Normal Svchost document exists in the “c: \ Windows \ system32″ directory, if we find that the document appears in other directory should be careful of. The virus exists in the “c: \ Windows \ system32 \ Wins” directory, the use of process management to view Svchost process of the implementation of the file path can easily find the system infected with the virus.

     Windows comes with the task management system is not able to view the process of the path, you can use third-party process management software, these tools can easily see all the Svchost process of the implementation of the file path, once found it unusual for the implementation of the road The location should be an immediate detection and treatment.

then enter the instructions and press enter.

1.Remote Assistance

Remote Assistance provides a way for you to get the help you need when

you run into problems with your computer. If you’re an experienced

user, you can even be the one to use Remote Assistance to directly help

your friends and family members.

instructions: msra.exe

2.Computer Management

Computer Management is a collection of Windows administrative tools

that you can use to manage a local or remote computer. The tools are

organized into a single console, which makes it easy to view

administrative properties and to gain access to the tools that are

necessary to perform your computer-management tasks.

instructions:compmgmt.msc

3.System Restore

System Restore is designed to automatically monitor and record changes

made to the core Windows system files and to the registry. System

Restore can then allow you to undo (or “roll back”) a change that

caused instability in your system. This is accomplished by periodically

recording a “Restore Point” (or System CheckPoint) that gives you the

ability to roll your system back to the point in time when your

computer was known to function properly.

instructions:rstrui.exe

4.Disabled User Account Control (UAC)

User Account Control (UAC) is a new feature that helps prevent

malicious programs, also known as “malware,” from damaging a system.

UAC stops the automatic installation of unauthorized applications. UAC

also prevents unintended changes to system settings.

instructions:cmd.exe /k %windir%\System32\reg.exe ADD HKLM\ SOFTWARE\

Microsoft\ Windows\ CurrentVersion\ Policies\ System /v EnableLUA /t

REG_DWORD /d 0 /f
if you want to return to normal User Account Control (UAC)

instructions: cmd.exe /k %windir%\System32\reg.exe ADD HKLM\ SOFTWARE\

Microsoft\ Windows\ CurrentVersion\ Policies\ System /v EnableLUA /t

REG_DWORD /d 1 /f

5.registry

instructions:regedit32.exe or regedit

6.vista Version

instructions: winver.exe

7.Windows Task Manager

instructions: taskmgr.exe

8.IP Configuration

instructions:  cmd.exe /k %windir%\system32\ipconfig.exe
 

To prevent the network from DoS attack strategy

 While network security experts are in the focus on the development of anti-DoS attacks approaches, but with little success, because the use of the TCP DoS attack the weakness of the agreement itself. Switch on the set, and install specialized DoS identification and prevention tool that can minimize the losses caused by DoS attacks.

 The establishment of a comprehensive exchange of the three-tier network security system, which must be based on a three-tier switching and routing at the core of the intelligent network, a sound security strategy over the three-tier management tool.

 LAN -

 In the local area network layer, can take many preventive measures. For example, despite the complete elimination of IP packet is almost impossible to fake, but network management can build a filter, if the data within the network with the source address, by limiting the importation of data traffic, reduce internal fake IP attacks. Filters can also limit the external IP packet flow, to prevent counterfeiting of IP DoS attack is deemed intermediate system.

 There are other ways: to close or restrict specific services, such as UDP services allow only limited in-house network of networks for diagnostic purposes.

 However, these restrictions may have legitimate applications (such as the use of UDP as a transport mechanism of RealAudio) have a negative impact.

 Network Transport Layer

 Following the network transport layer over the lack of control can be supplemented.

 Independent of the layers of wire-speed quality of service (QoS) and access control can be configured with intelligent software, independent of the level of QoS and access control function of the emergence of wire-speed multi-layer switch, to improve the network transmission equipment to protect the integrity of the data flow Capacity.

 In traditional routers, authentication mechanisms (such as filtering with the fake address of the internal division) request flow at the edge routers, and in particular access control list in line with the standards. However, maintaining access control lists not only time-consuming, but also greatly increase the router overhead.

 In contrast, wire-speed multi-layer switch can be flexible to achieve the various policy-based access control.

 This is independent of the level of security access control decision-making and ability to network decision-making structure completely separate, so that members of the network management and effective deployment of the DoS prevention measures, without the use of sub-optimal routing or exchange of topology. The results, network management and members of the service providers can MAN, data center or enterprise network environment policy-based control standards to seamlessly integrate, not used regardless of the complexity of the core router-based services, Or relatively simple second-tier exchange. In addition, wire-speed processing of data in the background certification can be implemented, not the basic performance of delay.

 Customizable filters and “confidence-neighbor” mechanism

 Intelligent Multi-Access Control Another advantage is that can be customized to achieve simple filtering operations, such as customized according to specific criteria on the size of control system response. Multi-exchange division can be pushed to the limit specified the maximum bandwidth of the specific QoS profile, rather than be a DoS attack on the group developed a simple “through” or “abandoned” the decision-making. In this way, can prevent DoS attacks, may also reduce the discarded packets of legal risk.

 Another advantage is access to customized routing strategy, specific support system between the “trust neighbor” relations, to prevent unauthorized use of internal routing.

 Customized network configuration log

 The only sign of a network user name and password, users are allowed to enter the pre-certification status. Web log from the user’s browser to Dynamic Host Configuration Protocol (DHCP) submitted to the switch, switch capture the user and send a request to the RADIUS server, authentication, certification only after the switch to allow the user’s traffic division Flows through the network.

   1. Httpd.conf.

   This document is the main configuration file, mainly used to launch the server set up the basic environment, which means it is responsible for arranging WEB server how to run. Set the parameters for its relevance:

   ServerType standalone / inetd: This option is the role of designated manner in which the operation WEB server. These parameters that WEB standalone service process to a separate waiting process in the background listening whether the client’s request, if there is to generate a process of its services, its more efficient. Is the main server process interception set up a specific port address, to: Port [number] (default 80).

   Inetd relatively standalone mode and it is more secure, this mode is also running Apache RedHatLinux the default mode. If your version is not RedHat, would in / etc / inetd.conf file a new line by adding the following: httpd stream tcp nowait httpd / etc / httpd / bin / httpd-f / etc / httpd / conf / httpd.conf; Then / etc / services in the same document to add a new line: httpd 80/tcp httpd to.

   ErrorLog: used to record the document specified the wrong name and path. Formats such as: ErrorLog / var / httpd / error.log.

   ServerRoot: server will be used to specify the configuration and where to store the log files. Formats such as: ServerRoot / etc / httpd.

   Server Admin: WEB administrator set up the E-Mail address. Formats such as: Server Admin XXX@XXXX.com.

   2. Srm.conf

   This is Apache’s resource profile, role for the server you want to tell the WWW site to provide the resources and how to provide, the main parameters:

   DocumentRoot: the main document used to specify the address. Formats such as: DocumentRoot / home / httpd / html.

   DirectoryIndex: windows platform with the IIS installed, used to specify the name Home. As we all know, generally to Home “index.html” or “index.htm” as the file name. When these two is set to file name, as long as users sent WEB request to be transferred to “index.html” or “index.htm” named after the home page. Formats such as: DirecotryIndex index.html index.htm.

   After more than a simple configuration, you have the WEB server with the basic function. Next to do is restart WEB services to enable the configuration to take effect earlier, we can use the following command to complete:

   / etc / rc.d / init.d / httpd restart

   Finally, we take a look at Apache based on the security services. Apache server through the certification system can control which hosts can access certain sites. Specifically, it achieved in two ways:

   One is the address of the host-based authentication, but because the majority of current Internet users are using the dynamic address, so this way the number of no practical significance;

   Another way is based on the user name / password authentication, self-evident, in a way more suitable for today’s network status, and for specific user name / password authentication to achieve, not to discuss the scope of this paper, we can see the relevant information For further study.

Generally speaking, all the Linux version of this package should include the installation, if you install Linux system does not install this package, from the installation CD or http://www.apache.org/ found on the website of its installation file ( There are two versions of the Internet attention: one is to be re-compiled after downloading the source code, and the other is simply to extract the executable file can be used), then you run the installation.

   1. If you download is an executable file packages such as: apache_1.2.4.e.tar.gz (which, as you download the digital version may be, this is an example), which is relatively simple and more suitable for Linux compiler Not familiar with the primary users, simply: tar xvzf apache_1.2.3.4.tar.gz to complete the installation.

   2. If the download is the source code such as: apache_1.2.4.rpm, is to use rpm-ivh apache_1.2.4.rpm installation and implementation of the src directory “. / Configure”; then the implementation of “make” an order compile Apache; Then will be compiled into an executable file copy / etc / httpd / bin directory, then the Apache configuration files: httpd.conf, access.conf, srm.conf and mime.types copied to the / etc / httpd / conf directory , To complete the installation.