As we all know, network security is a very important issue, and the security of the network server is the most critical link. Linux is regarded as a relatively secure Internet server platform: as an open-source operating system, once a security vulnerability in Linux is discovered, volunteers around the world on the Internet actively repair it. However, system administrators often do not get this information in time and fail to apply the corrections, which gives hackers an opportunity to exploit. Compared with these vulnerabilities in the system itself, far more security problems are caused by improper configuration, and these can be prevented through appropriate configuration. The more services a server runs, the more chances there are for an improper configuration to appear, and the more likely a security problem becomes. With this in mind, this article describes some security-hardening knowledge for Linux/Unix server systems.
First, the system security log files
The log files kept by the operating system are an important clue for detecting whether a network intrusion has occurred. If your system is connected directly to the Internet, you will see many people making Telnet/FTP login attempts against it. You can run "# more /var/log/secure | grep refused" to check for attacks on the system, so that you can take appropriate measures, such as replacing Telnet/rlogin with SSH.
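The check above can be turned into a small audit script. The following is an added example, not code from the original article: it runs over a few constructed /var/log/secure lines in the format tcp wrappers (tcpd) writes ("service[pid]: refused connect from host") and summarises refused connections per source address and per service; the log lines and the temporary file are constructed here.

```shell
#!/bin/sh
# Added example: summarise "refused connect from" entries, as written by
# tcp wrappers (tcpd) into /var/log/secure, per source address and per service.
# The sample lines below are constructed for this demonstration.

make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jan 10 12:01:05 srv in.telnetd[1201]: refused connect from 203.0.113.5
Jan 10 12:01:09 srv in.ftpd[1202]: refused connect from 203.0.113.5
Jan 10 12:02:31 srv sshd[1210]: connect from 192.168.1.10
Jan 10 12:03:44 srv in.telnetd[1215]: refused connect from 198.51.100.7
Jan 10 12:04:02 srv sshd[1220]: Accepted password for admin from 192.168.1.10 port 40122 ssh2
EOF
    echo "$f"
}

# Total number of refused connections in the given log file (0 for none).
count_refused() {
    grep -c 'refused connect from' "$1" || true
}

# Refused connections per source address, most frequent first.
refused_by_host() {
    awk '/refused connect from/ { print $NF }' "$1" | sort | uniq -c | sort -rn
}

# Refused connections per service: field 5 is "in.telnetd[pid]:", strip the pid.
refused_by_service() {
    awk '/refused connect from/ { sub(/\[.*/, "", $5); print $5 }' "$1" | sort | uniq -c | sort -rn
}

# The source address with the most refusals (second column of the top line).
top_refused_host() {
    refused_by_host "$1" | head -n 1 | awk '{ print $2 }'
}

LOG=$(make_sample_log)
echo "refused connections: $(count_refused "$LOG")"
echo "by source address:"; refused_by_host "$LOG"
echo "by service:";        refused_by_service "$LOG"
rm -f "$LOG"
```

On a real server replace the constructed file with /var/log/secure; a source address that keeps appearing at the top of the list is a candidate for an /etc/hosts.deny entry.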
Second, the startup and logon security
1. BIOS Security
Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.
2. User password
The user password is the basic starting point of Linux security. Many people use passwords that are far too simple, which is equivalent to opening the door for an intruder. Although in theory no user password is uncrackable given enough time and resources, a properly chosen password is difficult to break. A good user password is a string of characters that only the user himself can easily remember and understand, and it is never written down anywhere.
3. Default account
All accounts created by the operating system itself by default that are unnecessary should be disabled, and this should be done when the system is first installed. Linux provides a number of default accounts, and the more accounts there are, the more vulnerable the system is to attack.
You can use the following command to delete an account:
# userdel username
Or use the following command to delete a group account:
# groupdel groupname
4. Password file
Use the chattr command to add the immutable attribute to the following files, so that an unauthorized user cannot gain privileges by modifying them. Note that while the attribute is set, even root cannot change these files (commands such as passwd and useradd will fail) until it is removed again with chattr -i.
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
5. Prohibit restarting the machine with Ctrl+Alt+Delete
Edit the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:
# chmod -R 700 /etc/rc.d/init.d/*
Thus only root can read, write, or execute any of the above script files.
6. Restrict the su command
If you do not want just anyone to be able to su to root, you can edit the /etc/pam.d/su file and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
In this case, only users in the isd group can su to root. Then, if you want the user admin to be able to su to root, you can run the following command (this assumes the isd group has GID 10; note that -G replaces the user's existing list of supplementary groups):
# usermod -G 10 admin
7. Trim the login information
By default, the login banner includes the Linux kernel version, the server's host name and so on. For a machine with higher security requirements this leaks too much information. You can edit /etc/rc.d/rc.local and comment out the following lines, which output the system information:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Then proceed as follows:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
Third, restrict network access
1. NFS access
If you use the NFS network file system service, you should ensure that your /etc/exports has the most restrictive access permissions possible: do not use any wildcards, do not allow root write permission, and export file systems read-only wherever possible. Edit the file /etc/exports and add lines like the following two:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine allowed to mount it, ro means it is mounted read-only, and root_squash prevents root on the client from writing to the directory (the client's root is mapped to an unprivileged user). To make the changes take effect, run the following command:
# /usr/sbin/exportfs -a
2. Inetd settings
First make sure that the owner of /etc/inetd.conf is root and that its permissions are set to 600. After the setup is complete, you can use the "stat" command to check it.
# chmod 600 /etc/inetd.conf
Then edit /etc/inetd.conf and disable the following services:
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have installed ssh/scp, you can also disable Telnet/FTP. To make the changes take effect, run the following command:
# killall -HUP inetd
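One way to check this step, as an added example rather than the article's own code: the script below audits a constructed inetd.conf for services from the list above that are still active (not commented out) and verifies that the file mode is 600; the sample entries and the temporary file are constructed here.

```shell
#!/bin/sh
# Added example: audit an inetd.conf against the list of services the article
# says to disable, and check that the file mode is 600 as the article requires.
# The sample inetd.conf below is constructed for this demonstration.

RISKY="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

make_sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
time    stream  tcp  nowait  root    internal
EOF
    chmod 644 "$f"   # deliberately too permissive, so the mode check below fails
    echo "$f"
}

# Print every active (uncommented, non-empty) service line's name, one per line.
active_services() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Print the active services that appear on the RISKY list, in file order.
risky_enabled() {
    active_services "$1" | while read -r svc; do
        for r in $RISKY; do
            if [ "$svc" = "$r" ]; then echo "$svc"; fi
        done
    done
}

# Succeed only if the mode bits are exactly rw------- (600). ls -l is used so
# it works on GNU and BSD userlands; column 11 (an ACL/SELinux marker) is ignored.
mode_is_600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

CONF=$(make_sample_inetd_conf)
echo "risky services still enabled:"; risky_enabled "$CONF"
if mode_is_600 "$CONF"; then echo "mode ok"; else echo "mode is not 600, run: chmod 600 $CONF"; fi
rm -f "$CONF"
```

Point the functions at /etc/inetd.conf on a real server; an empty risky_enabled listing and a passing mode_is_600 mean this step of the article has been applied.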
By default, most Linux systems allow all requests. Enhancing system security with TCP_WRAPPERS takes little effort: you can modify /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, "ALL: ALL" in /etc/hosts.deny refuses all access by default. Then add the permitted access in the /etc/hosts.allow file, which is consulted before /etc/hosts.deny. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" indicates that the IP address 192.168.1.10 and the host gate.openarch.com are allowed to connect via SSH.
Once configured, you can check the result with tcpdchk:
# tcpdchk
tcpdchk is the TCP_Wrapper configuration checking tool; it checks your tcp wrapper configuration and reports any potential problems it discovers.
3. Login terminal settings
The /etc/securetty file specifies the tty devices on which root is allowed to log in. It is read by the /bin/login program, and its format is a list of permitted tty names, one per line. You can edit /etc/securetty and comment out the following lines, leaving tty1 uncommented:
#tty2
#tty3
#tty4
#tty5
#tty6
In this case, root can only log in on the tty1 terminal.
4. Avoid displaying system and version information
If you do not want remote login users to see the system and version information, you can change the following line in /etc/inetd.conf:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding -h means telnet does not display the system information and merely shows "login:".
Fourth, prevent attacks
1. Prevent ping. If no one can ping your system, security naturally increases. To do this, you can add the following line to the /etc/rc.d/rc.local file:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
Edit the /etc/host.conf file and add the following lines to prevent IP spoofing attacks. (nospoof makes the resolver verify that the forward lookup of a host name matches its reverse lookup; it guards host-name-based access checks, not packet source addresses themselves.)
order bind,hosts
multi off
nospoof on
3. Prevent DoS attacks
Resource limits can be set for all users of the system to prevent DoS-type attacks, such as the maximum number of processes and the amount of memory used. For example, you can add the following lines to /etc/security/limits.conf:
* hard core 0
* hard rss 5000
* hard nproc 20
Then you must edit the file /etc/pam.d/login and check that the following line exists:
session required /lib/security/pam_limits.so
The lines above disable core dump files, limit the number of processes to 50, and restrict memory usage to 5MB.
After the above settings, your Linux server is immune to the vast majority of known security issues and network attacks, but a good system administrator should still pay constant attention to developments in network security and patch potential security holes as soon as they are exposed.