An important part of any set of computer security measures is keeping real control over which services actually run. This article shows how to configure service startup and control on a Linux PC with that goal in mind.
Every network service that accepts requests without being needed raises the system's security risk. Even the network services the server genuinely requires must be managed and configured carefully, so as to minimise the opportunity for unwelcome intrusion and to log whatever does happen.
On a Linux system, services are managed directly through the /etc/inittab file, the runlevels, and one or two service-management "superdaemons" such as inetd or xinetd.
The /etc/inittab file is read by init to start system services at boot. On a well-configured system it usually lists few services, but the default installation of some Linux distributions loads a good deal more from it. The contents of /etc/inittab can look cryptic, but managing services through it stays relatively easy if a few rules are followed.
First, do not add services to the system by putting new startup entries in /etc/inittab.
Second, do not remove the /etc/inittab lines whose first field (the part before the first colon) is a single digit, nor the login-related lines that come before them. The lines beginning with a single digit open the TTY consoles; all of them are listed before the services and are more important than any of them. There may be exceptions, but leaving these lines unchanged is the safe course, especially when you are unsure.
Third, the /etc/inittab entries that run at boot and on a change of runlevel exist for process management; they are generally not used during normal system operation.
Fourth, services are started by the rc scripts that init invokes, rather than by init itself. If you look at /etc/inittab you will see the entries rc0 through rc6; this is how init handles runlevels.
The operation of a Linux system is managed through runlevels. Each runlevel defines a different mode of behaviour, much as Windows has a normal mode, a safe mode and, in some cases, a DOS mode.
Runlevel 0 shuts the system down; with appropriate soft-power support it also powers the machine off.
Runlevel 1 is single-user mode without networking, used for low-level troubleshooting and administration.
Runlevels 2 to 5 are the normal multi-user operating modes. Runlevels 2 and 3 are command-line modes, runlevel 2 without a network connection and runlevel 3 with one. Runlevel 5 starts X Windows and provides a graphical user interface.
Runlevel 6 reboots the system; init uses it even when the whole system, bootloader included, has to be restarted.
Other runlevels can be defined by the system administrator, but "traditional" UNIX systems do not have this feature; there they can be neither defined nor used.
In a shell, the runlevel command shows the previous and the current runlevel. If the runlevel has not been changed since boot, the command prints an uppercase N followed by the runlevel number, where N means there was no previous runlevel. To change the runlevel, use the init command followed by the number of the runlevel you want. For example, init 6 reboots the system and init 1 enters single-user mode.
How runlevels are configured differs between distributions. On Debian GNU/Linux, for example, the service scripts live in /etc/init.d and are linked from /etc/rcN.d, where N is the number of the runlevel being configured. Symlinks whose name begins with the letter K kill the program when the runlevel is entered; symlinks whose name begins with the letter S start it. The two-digit number after the letter, from 1 to 99, sets the order: the larger the number, the later the start or kill is carried out.
Most RPM-based distributions use the rc system that Red Hat uses. Compared with Debian-based systems it has a more complex directory structure, and it also differs considerably from one RPM-based system to another. Their documentation gives more information on managing runlevels.
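The following script is an added example, not code from the article: it audits the S and K symlinks of a Debian-style runlevel directory and disables one service in one runlevel by turning its S link into a K link. It runs only against a constructed sample tree created under a temporary directory (the service names in it are made up), never against the real /etc, and it assumes a POSIX shell with awk, sort and readlink available.

```sh
#!/bin/sh
# Added example, not from the original article: audit the S/K symlinks of a
# System V style runlevel directory (the /etc/init.d + /etc/rcN.d layout
# described above) and disable one service in one runlevel. Everything runs
# against a constructed sample tree under a temporary root, never the real /etc.

# Build the constructed sample: $1 = root directory, $2 = runlevel number.
make_sample_tree() {
    root=$1
    level=$2
    mkdir -p "$root/etc/init.d" "$root/etc/rc$level.d"
    for svc in syslog sshd telnetd identd; do
        printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$root/etc/init.d/$svc"
        chmod +x "$root/etc/init.d/$svc"
    done
    ln -s ../init.d/syslog  "$root/etc/rc$level.d/S10syslog"
    ln -s ../init.d/sshd    "$root/etc/rc$level.d/S20sshd"
    ln -s ../init.d/telnetd "$root/etc/rc$level.d/S20telnetd"
    ln -s ../init.d/identd  "$root/etc/rc$level.d/K15identd"
}

# Print "NN name" for each link of kind $3 (S or K) in runlevel $2 under
# root $1, in the numeric order the rc script would process them.
rc_links() {
    for link in "$1/etc/rc$2.d/$3"[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # pattern matched nothing
        base=${link##*/}                               # e.g. S20sshd
        num=${base#?}; num=${num%"${num#??}"}          # 20
        printf '%s %s\n' "$num" "${base#???}"          # "20 sshd"
    done | sort -n
}

# Space-separated names of the services started or killed in a runlevel.
started_services() { rc_links "$1" "$2" S | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 }'; }
killed_services()  { rc_links "$1" "$2" K | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 }'; }

# Stop service $3 from starting in runlevel $2: replace its S link with a
# K link carrying the complementary number (100 - NN), the usual convention
# so that services are killed in reverse start order.
disable_in_runlevel() {
    for link in "$1/etc/rc$2.d/S"[0-9][0-9]"$3"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        base=${link##*/}
        num=${base#?}; num=${num%"${num#??}"}
        target=$(readlink "$link")
        rm "$link"
        # ${num#0} strips a leading zero so the shell does not read it as octal
        ln -s "$target" "$(printf '%s/etc/rc%s.d/K%02d%s' "$1" "$2" $((100 - ${num#0})) "$3")"
    done
}

# Demonstration on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo" 3
echo "runlevel 3 starts: $(started_services "$demo" 3)"
echo "runlevel 3 kills:  $(killed_services "$demo" 3)"
disable_in_runlevel "$demo" 3 telnetd
echo "after disabling telnetd, starts: $(started_services "$demo" 3)"
rm -rf "$demo"
```

Run against a real system by pointing the root argument at / and the runlevel at the one the runlevel command reports; the start list is the set of services the system actually brings up, which is the list to compare against what the server is supposed to provide.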
The best-known "superdaemon" for managing services on Linux is inetd, which is administered from the command line. Stopping a service is simple. First, as root, open the /etc/inetd.conf file in a text editor. Next, find the line for the service to be stopped. Finally, add a # symbol (also called a "hash" or "pound sign") at the start of that line, as shown below. Commenting the line out means inetd will no longer start the service.
Before editing, the service's line might look like this:
ident stream tcp wait identd /usr/sbin/identd identd
After the service has been stopped, the line looks like this:
#ident stream tcp wait identd /usr/sbin/identd identd
If you are uninstalling the background program the entry refers to, you can delete the line from the file altogether, whether you uninstall through the package manager or by removing the executable (in the example above, the file /usr/sbin/identd).
After editing /etc/inetd.conf, save it; inetd will use the changed file from then on. Once the edit is saved, you can enter the following command as root for the change to take effect immediately:
kill -HUP `pidof inetd`
This makes inetd restart using the modified (saved) configuration file.
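As an added example (not code from the article), the script below does the audit and the comment-out step on an inetd.conf-style file with awk instead of by hand, so it can be scripted across many hosts. It works on a constructed sample written to a temporary path: the ident line is the one shown above, the other entries are made up for illustration. The reload command from the article is mentioned in a comment but deliberately not run.

```sh
#!/bin/sh
# Added example, not from the original article: audit an inetd.conf-style
# file and comment out a service the way the article does by hand. The file
# is a constructed sample written to a temporary path; its ident line is the
# one shown above, the other entries are made up for illustration.

write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample in /etc/inetd.conf format:
# service socket-type protocol wait/nowait user server-program arguments
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
ident   stream  tcp  wait    identd  /usr/sbin/identd      identd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
}

# Names of the services inetd would actually listen for: every line that is
# neither blank nor commented out, taking the service name from field 1.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { printf "%s%s", (n++ ? " " : ""), $1 }' "$1"
}

# Exit status 0 if service $2 is enabled in file $1, 1 otherwise; handy in
# an audit script that checks a host against an allowed-service list.
is_enabled() {
    for s in $(enabled_services "$1"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# Comment out every active line whose service name is $2, editing file $1
# in place. Lines that are already comments are left untouched, so running
# the function twice does not double the # signs.
disable_inetd_service() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '
        !/^[[:space:]]*#/ && $1 == svc { print "#" $0; next }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demonstration on the constructed file. On a real host, after editing the
# real /etc/inetd.conf you would reload inetd with the article's command,
# kill -HUP `pidof inetd`, which is deliberately not run here.
demo=$(mktemp)
write_sample_inetd_conf "$demo"
echo "enabled before: $(enabled_services "$demo")"
disable_inetd_service "$demo" ident
echo "enabled after:  $(enabled_services "$demo")"
rm -f "$demo"
```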
The other superdaemon, xinetd, is newer and more complex than inetd and can do more. Shutting a service down, however, is just as easy.
With xinetd, you close a service by adding one line to the /etc/xinetd.conf file. If you want to remove the service entirely instead, you must delete several lines rather than one. Find the block for the service you want to close and add the line "disable = yes" inside it, or delete the whole block. For example, to turn off the telnet service you would do something like the following (the ellipsis stands for the rest of the block's contents):
service telnet
{
    ...
    disable = yes
}
On some systems the configuration for certain services is not in /etc/xinetd.conf itself. The telnet service, for example, may have its own file, /etc/xinetd.d/telnet; it is changed in the same way as a service block in /etc/xinetd.conf.
After editing and saving /etc/xinetd.conf or the service's own file, enter the following command for the change to take effect immediately:
kill -USR2 `pidof xinetd`
This tells xinetd to reload the changed configuration.
Besides shutting down or removing services, the xinetd configuration can also control remote access to a service. This is done through several mechanisms:
You can specify which hosts are allowed to use a service. For example, adding the line only_from = 192.168.0.101 to the telnet service's configuration restricts logins to that host. Despite the word "only", the line can list more than one host, not just one. You can also give part of an address to mean a whole network: for example, "only_from = 192.168.0.0" lets any host on the local class C network reach the service.
You can also specify hosts that are banned from a service. For example, adding "no_access = 192.168.0.102" to the configuration file prohibits that host from reaching the telnet service remotely. This, too, can be used several times and with partial addresses covering several hosts. If a host matches both an only_from and a no_access restriction, xinetd weighs the two to decide whether to grant access. If xinetd cannot determine which restriction applies, it falls back to the more secure default: the service is not made available.
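As an added example that is not code from the article, the script below reads and edits xinetd service blocks with awk: it sets "disable = yes" in a named block (the manual edit described above, inserting the line or rewriting an existing one) and reads back the disable, only_from and no_access attributes so the result of the edit can be verified before reloading. The configuration is a constructed sample written to a temporary path; the service names and the two addresses are the article's own examples, the other attribute values are made up. Real xinetd supports more address forms than this script checks; the script only reports the configured strings.

```sh
#!/bin/sh
# Added example, not from the original article: read and edit service blocks
# in an xinetd.conf / xinetd.d style file with awk. It sets "disable = yes"
# in a named block and reads back the disable, only_from and no_access
# attributes. The configuration is a constructed sample written to a
# temporary path; the addresses are the ones the article uses as examples.

write_sample_xinetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample in /etc/xinetd.conf format
defaults
{
    instances   = 60
    log_type    = SYSLOG authpriv
}

service telnet
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    only_from   = 192.168.0.101
    no_access   = 192.168.0.102
}

service ftp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.ftpd
    disable     = no
}
EOF
}

# Print the value of attribute $3 inside "service $2" in file $1 (nothing if
# the block or the attribute is absent). Accepts "key = value" as well as
# "key=value" and the += / -= operators.
xinetd_attr() {
    awk -v svc="$2" -v attr="$3" '
        $1 == "service" { cur = $2 }
        cur == svc && $1 == "}" { exit }
        cur == svc && match($0, /^[ \t]*[A-Za-z_]+[ \t]*[+-]?=/) {
            key = substr($0, RSTART, RLENGTH)
            val = substr($0, RSTART + RLENGTH)
            sub(/[ \t]*[+-]?=$/, "", key); gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == attr) { print val; exit }
        }
    ' "$1"
}

# "disabled" if the block carries disable = yes, otherwise "enabled".
xinetd_status() {
    if [ "$(xinetd_attr "$1" "$2" disable)" = yes ]; then echo disabled; else echo enabled; fi
}

# Set "disable = yes" in the block for service $2 of file $1, in place:
# rewrite an existing disable line, or insert one before the closing brace.
xinetd_disable() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '
        $1 == "service" { cur = $2; seen = 0 }
        cur == svc && $1 ~ /^disable(=.*)?$/ { print "    disable     = yes"; seen = 1; next }
        cur == svc && $1 == "}" { if (!seen) print "    disable     = yes"; cur = "" }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demonstration on the constructed file. On a real host you would then run
# the article's reload command, kill -USR2 `pidof xinetd` (not run here).
demo=$(mktemp)
write_sample_xinetd_conf "$demo"
echo "telnet is $(xinetd_status "$demo" telnet), only_from=$(xinetd_attr "$demo" telnet only_from), no_access=$(xinetd_attr "$demo" telnet no_access)"
xinetd_disable "$demo" telnet
echo "telnet is now $(xinetd_status "$demo" telnet)"
rm -f "$demo"
```

The same three functions work unchanged on a per-service file under /etc/xinetd.d, since such a file holds one service block in the same syntax.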
Beyond Service Management
For secure remote access there is more we can do. A properly configured firewall should protect services from attack. A proxy server, which relays connections through a gateway and translates network addresses and ports, helps to reduce the risk of attacks on services. The tools a service uses to log its operation should also be configured for safe use; for example, if you use the secure shell for remote connections without using an X server, it is important to restrict X forwarding in SSH. Direct management of services is an important part of keeping a Linux system secure, but it is only one part of a comprehensive security plan.