  About enhanced Linux / Unix server system security program
  Add Date : 2016-12-18      
As everyone knows, network security is a very important issue, and the security of the server is its most critical link. Linux is regarded as a relatively secure Internet server: it is an open-source operating system, and once a security vulnerability in Linux is discovered, volunteers around the world actively fix it. System administrators, however, often do not receive that information in time and do not apply the corrections, which gives attackers an opportunity. Yet compared with vulnerabilities in the system itself, far more security problems are caused by improper configuration, and those can be prevented by configuring the system properly. The more services a server runs, the more likely a misconfiguration becomes, and with it a security problem. With this in mind, this article describes some security-hardening knowledge for Linux / Unix server systems.
First, system security log files

The operating system's log files are an important clue for detecting whether a network intrusion has occurred. If your system is connected directly to the Internet and you see many Telnet / FTP login attempts against it, you can run "# more /var/log/secure | grep refused" to check which connections to the system were refused, and then take appropriate measures, such as replacing Telnet / rlogin with SSH.
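As an added example (not part of the original article), the following shell script performs the same check over a constructed sample of /var/log/secure lines, summarizing refused tcpd connections per source host so that repeated attempts stand out:

```shell
#!/bin/sh
# Added example, not from the original article: summarize tcpd
# "refused connect from" entries in a secure log by source host.

# Constructed sample log lines, in the format tcp_wrappers writes to /var/log/secure.
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Dec 18 10:01:02 srv in.telnetd[1201]: refused connect from 203.0.113.5
Dec 18 10:01:09 srv in.ftpd[1204]: refused connect from 203.0.113.5
Dec 18 10:02:15 srv sshd[1210]: Accepted publickey for admin from 192.0.2.10 port 40122 ssh2
Dec 18 10:03:40 srv in.telnetd[1215]: refused connect from 198.51.100.7
Dec 18 10:04:01 srv in.telnetd[1220]: refused connect from 203.0.113.5
EOF

# Print "count host" lines, most frequent source first. $1 is the log file path.
refused_by_host() {
    grep 'refused connect from' "$1" \
        | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print the number of refused attempts from one host. $1 is the log, $2 the host.
refused_count() {
    awk -v h="$2" '/refused connect from/ && $NF == h { n++ } END { print n + 0 }' "$1"
}

echo "Refused connections by source host:"
refused_by_host "$SAMPLE_LOG"
```

On a live system replace the constructed sample with /var/log/secure; hosts at the top of the list are the ones to investigate or block in hosts.deny.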

Second, the startup and logon security

1. BIOS Security

Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.

2. User password

User passwords are the basic starting point of Linux security. Many people choose passwords that are too simple, which is like opening the door for an intruder. Although in theory any user password can be cracked given enough time and resources, a well-chosen password is difficult to break. A good user password is a string of characters that only the user can remember and make sense of, and it is never written down anywhere.

3. Default account

All default accounts created by the operating system itself that are not needed should be disabled, and this should be done when the system is first installed. Linux provides a number of default accounts, and the more accounts there are, the more vulnerable the system is to attack.

Use the following command to delete an account:

# userdel username

Or use the following command to delete a group:

# groupdel groupname

4. Password file

Use the chattr command to give the following files the immutable attribute, so that they cannot be changed and unauthorized users cannot gain privileges by modifying them (the attribute must be removed again with chattr -i before adding users or changing passwords):

# chattr +i /etc/passwd

# chattr +i /etc/shadow

# chattr +i /etc/group

# chattr +i /etc/gshadow

5. Prevent Ctrl+Alt+Delete from restarting the machine

Edit the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:

# chmod -R 700 /etc/rc.d/init.d/*

After this, only root can read, write, or execute the script files above.

6. Restrict the su command

If you do not want just anyone to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=isd

Now only members of the isd group can su to root. If you then want the user admin to be able to su to root, run the following command (it adds admin to the group with GID 10, which must be the group named on the pam_wheel line for the rule to apply):

# usermod -G 10 admin

7. Trim the login banner

By default, the login prompt shows the Linux kernel version, the server's host name and so on. For a machine with higher security requirements this leaks too much information. Edit /etc/rc.d/rc.local and comment out the following lines so that the system information is no longer written out:

# This will overwrite /etc/issue at every boot. So, make any changes you

# want to make to /etc/issue here or you will lose them when you reboot.

# echo "" > /etc/issue

# echo "$R" >> /etc/issue

# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

# cp -f /etc/issue /etc/issue.net

# echo >> /etc/issue

Then run the following commands:

# rm -f /etc/issue

# rm -f /etc/issue.net

# touch /etc/issue

# touch /etc/issue.net

Third, restrict network access

1. NFS access

If you use the NFS network file system, make sure that /etc/exports has the most restrictive access permissions possible: do not use wildcards, do not allow root write access, and export file systems read-only wherever possible. Edit /etc/exports and add the following two lines:

/dir/to/export host1.mydomain.com(ro,root_squash)

/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine allowed to mount it, ro exports it read-only, and root_squash prevents root on the client from writing to the directory as root (root is mapped to an unprivileged user). Note that there must be no space between the host name and the opening parenthesis; with a space, the options would apply to every host. To make the changes take effect, run the following command:

# /usr/sbin/exportfs -a

2. Inetd settings

First make sure that /etc/inetd.conf is owned by root and that its permissions are set to 600. After making the change, you can verify it with the "stat" command.

# chmod 600 /etc/inetd.conf

Then edit /etc/inetd.conf and disable the following services:

ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have installed ssh / scp, you can also disable Telnet / FTP. To make the changes take effect, run the following command:

# killall -HUP inetd
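As an added example (not from the article), a small shell audit that lists which of the services named above are still active in an inetd.conf and checks that its mode is 600; it runs against a constructed sample file rather than the real /etc/inetd.conf:

```shell
#!/bin/sh
# Added example, not from the original article: audit an inetd.conf against the
# list of services the article says to disable, and check its file mode.

# Services named in the article as candidates for disabling.
RISKY_SERVICES="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Constructed sample inetd.conf: telnet and finger still enabled, ftp commented out.
SAMPLE_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# inetd.conf (constructed sample)
#ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
finger   stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
ssh      stream  tcp  nowait  root   /usr/sbin/sshd  sshd -i
EOF
chmod 644 "$SAMPLE_CONF"   # deliberately too permissive, so the mode check fails

# Print each risky service whose line is still active (not commented out). $1: inetd.conf path.
inetd_risky_enabled() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        ($1 in want) { print $1 }
    ' "$1"
}

# Succeed only if the mode is exactly rw------- (0600), as the article requires. $1: path.
inetd_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

echo "Risky services still enabled in $SAMPLE_CONF:"
inetd_risky_enabled "$SAMPLE_CONF"
if inetd_mode_ok "$SAMPLE_CONF"; then echo "mode ok"; else echo "mode should be 600"; fi
```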

By default, most Linux systems accept all connection requests. With TCP_WRAPPERS you can increase system security with little effort by editing /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, putting "ALL: ALL" in /etc/hosts.deny refuses all access by default; then add the permitted access in /etc/hosts.allow. For example, "sshd: gate.openarch.com" allows the host gate.openarch.com to connect via SSH.

Once configured, you can check the result with tcpdchk:

# tcpdchk

tcpdchk is the TCP_Wrapper configuration checking tool: it examines your tcp wrapper configuration and reports any potential problems it finds.
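As an added example (not from the article), the following shell script reproduces the TCP wrappers decision order (hosts.allow is consulted first, then hosts.deny, and anything matched by neither is allowed) against constructed rule files under $TMPDIR. It is deliberately simplified: only "ALL" and exact daemon or host names are matched, whereas real tcpd also understands domains, networks and options, so use tcpdmatch(8) for a real check.

```shell
#!/bin/sh
# Added example, not from the original article: simplified evaluation of the
# TCP wrappers decision order against constructed hosts.allow / hosts.deny files.

ETC="${TMPDIR:-/tmp}/wrappers.sample.$$"
mkdir -p "$ETC"
printf 'ALL: ALL\n' > "$ETC/hosts.deny"                               # deny everything by default
printf '# constructed sample\nsshd: gate.openarch.com\n' > "$ETC/hosts.allow"   # then allow SSH from one host

# Does any "daemon_list : client_list" line in file $1 match daemon $2 from client $3?
# Only "ALL" and exact names are understood (see the note above the block).
wrappers_match() {
    awk -v d="$2" -v c="$3" -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            gsub(/[ \t]+/, "", $1); gsub(/[ \t]+/, "", $2)
            nd = split($1, dl, ","); nc = split($2, cl, ",")
            dm = 0; for (i = 1; i <= nd; i++) if (dl[i] == "ALL" || dl[i] == d) dm = 1
            cm = 0; for (i = 1; i <= nc; i++) if (cl[i] == "ALL" || cl[i] == c) cm = 1
            if (dm && cm) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print "allow" or "deny" for daemon $1 contacted from client $2, using the files in $ETC.
wrappers_decide() {
    if wrappers_match "$ETC/hosts.allow" "$1" "$2"; then echo allow
    elif wrappers_match "$ETC/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

wrappers_decide sshd gate.openarch.com          # allow
wrappers_decide sshd other.example.net          # deny
wrappers_decide in.telnetd gate.openarch.com    # deny
```

The last two calls show why the "ALL: ALL" deny line matters: without it, any daemon and client not listed in hosts.allow would fall through to the default and be allowed.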

3. Login terminal settings

The /etc/securetty file specifies the tty devices on which root is allowed to log in. It is read by the /bin/login program, and its format is a list of permitted device names, one per line. Edit /etc/securetty and comment out the following lines:

# tty1

# tty2

# tty3

# tty4

# tty5

# tty6

In this case, root can only log in on the tty1 terminal.

4. Hide system and version information

If you do not want remote login users to see the system and version information, change the telnet line in /etc/inetd.conf as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

The added -h tells in.telnetd not to display system information and to show only the "login:" prompt.

Fourth, preventing attacks

1. Prevent ping. If nobody can ping your system, security naturally improves. To do this, add the following line to the /etc/rc.d/rc.local file:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing

Edit the /etc/host.conf file and add the following lines to help prevent IP spoofing attacks:

order bind,hosts

multi off

nospoof on

3. Prevent DoS attacks

Resource limits can be set for all users of the system to prevent DoS-type attacks, for example the maximum number of processes and the amount of memory they may use. For example, add the following lines to /etc/security/limits.conf:

* hard core 0

* hard rss 5000

* hard nproc 20

Then edit the file /etc/pam.d/login and check that the following line exists:

session required /lib/security/pam_limits.so

The lines above disable core dump files, limit the number of processes to 50, and restrict memory usage to 5 MB.

After the settings above, your Linux server is protected against the vast majority of known security issues and network attacks, but a good system administrator should still keep an eye on security developments and promptly patch any newly exposed security holes.