If a potential hacker wants to attack your Linux server, the first thing he will try is a buffer overflow. Over the past few years, buffer overflows have been the most common type of vulnerability. More seriously, buffer overflow vulnerabilities account for the vast majority of remote network attacks, and such an attack can easily give an anonymous Internet user partial or complete control of a host!
To prevent this kind of attack, we should pay attention from the moment we install the system. If the root partition holds data such as log files and e-mail, a flood of logs caused by a denial of service or by spam can fill it up and crash the system. It is recommended to create a separate partition for /var to hold logs and e-mail, so that the root partition cannot be filled. It is also best to give applications that produce large logs their own partition, and to put /home on a separate partition so that users cannot fill up /; this way a malicious attempt to fill one partition cannot overflow the whole Linux system.
Remember to set a BIOS password in the BIOS setup and to disable booting from the floppy disk. This prevents a malicious person from booting your Linux system with a special boot disk, and stops others from changing the BIOS settings, for example re-enabling the floppy boot or starting the server without a password prompt.
Passwords are the primary means of authenticating users to the system. The default minimum password length set at installation is usually 5, which is not enough to resist password guessing attacks, so increase the minimum password length to at least 8. To do this, change the PASS_MIN_LEN (minimum password length) parameter in /etc/login.defs. At the same time, limit how long a password may be used and make sure passwords are changed regularly; the parameter for this is PASS_MIN_DAYS (password usage time).
If nobody can ping your machine and get a reply, the security of your site is greatly improved. Add the following line to /etc/rc.d/rc.local so that it runs automatically at every boot; it stops your system from answering any ping request, whether it comes from outside or inside:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
If you let users log in to your server remotely with Telnet, do not display the operating system name and version (which helps an attacker pick a targeted exploit). Rewrite the telnet line in /etc/inetd.conf like this:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding the -h flag at the end makes telnetd stop showing system information; it displays only the login prompt.
About privileged accounts
Disable all the accounts that the operating system creates by default and that you do not need. Do this check when you first install the system. Linux provides a variety of accounts that you may not need; if you do not need an account, remove it. The more accounts you have, the easier it is to attack the system.
To delete a user from your system, use the following command: userdel username
To delete a group from your system, use the following command: groupdel groupname
In a terminal, enter the following commands to delete the accounts with the following privileges:
If you do not run a sendmail server, delete these accounts:
If you do not run an X Window server, delete this account:
If you do not allow anonymous FTP, delete this user account:
About the su command
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following lines:
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so group=isd
This means that only users in the isd group can su to root. If you want the user admin to be able to su to root, run the following command:
usermod -G10 admin
setuid programs are also very dangerous: an ordinary user runs them with euid = 0 (that is, as root), so only a small number of programs should be setuid. Use this command to list the setuid binaries on the system:
suneagle# find / -perm -4000 -print
You can use chmod -s to remove the setuid bit from programs that do not need it.
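To make the setuid check above repeatable rather than a one-off listing, here is an added shell example (not from the article) that records a baseline of setuid files and reports any drift on later runs; the baseline path in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: keep a baseline of the setuid files on a
# system and report any that appear or disappear, so an unexpected new setuid
# binary (or a lost setuid bit on one that needs it) is noticed quickly.

# list_suid DIR: sorted list of regular files under DIR with the setuid bit set
# (the article's "find / -perm -4000 -print" test, sorted so comm can use it)
list_suid() {
  find "$1" -type f -perm -4000 2>/dev/null | sort
}

# suid_drift BASELINE DIR: compare the current setuid list for DIR against
# BASELINE (a file written earlier by list_suid); prints "+path" for each new
# setuid file and "-path" for each file that lost its setuid bit, nothing if
# the two lists are identical.
suid_drift() {
  cur=$(mktemp)
  list_suid "$2" > "$cur"
  comm -13 "$1" "$cur" | sed 's/^/+/'    # only in current list: new setuid files
  comm -23 "$1" "$cur" | sed 's/^/-/'    # only in baseline: setuid bit removed
  rm -f "$cur"
}

# Typical use (paths are assumptions): as root, once,
#   list_suid / > /var/lib/suid.baseline
# and then periodically from cron, logging or mailing any output:
#   suid_drift /var/lib/suid.baseline /
```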
About account logout
If the system administrator forgets to log out of root before leaving, the system should log the shell out automatically. To do that, set the special shell variable TMOUT to the timeout in seconds. In the same way, if a user walks away from the machine without logging out, this protects the system. Edit /etc/profile so that an account that has been idle for some time is logged out automatically: add the following line after the "HISTFILESIZE=" line:
TMOUT=600
All users will then be logged out automatically after 10 minutes of inactivity. Note: after changing this parameter you must log out and log back in as root for the change to take effect.
About Your System Files
For some key system files, such as passwd, passwd.old, passwd._, shadow, shadow._, inetd.conf, services and lilo.conf, you can change the attributes to prevent accidental modification and to stop ordinary users from reading them. For example, set the mode of inetd.conf to 600:
# chmod 600 /etc/inetd.conf
Make sure the file's owner is root; then you can make it unchangeable:
# chattr +i /etc/inetd.conf
From now on any change to the file will be refused. You may ask: what if I need to modify it myself? Of course you can: only root can clear the immutable flag, after which the file can be modified again:
# chattr -i /etc/inetd.conf
About User Resources
Setting resource limits for all users on your system, such as the maximum number of processes and the amount of memory, can prevent DoS-type attacks. For example, to restrict all users, edit /etc/security/limits.conf and add the following lines:
* hard core 0
* hard rss 5000
* hard nproc 20
You must also edit /etc/pam.d/login and check that this line is present:
session required /lib/security/pam_limits.so
The lines above prohibit core files ("core 0"), limit the number of processes per user ("nproc"), and restrict memory usage to 5M ("rss 5000").
About the NFS server
Because NFS servers have had many vulnerabilities, you must be careful with them. If you want to run the NFS network file system service, make sure your /etc/exports is set with the strictest access permissions: do not use any wildcards, do not give root write permission, and export file systems read-only. Edit /etc/exports and add:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Here /dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine allowed to mount it, ro means it is exported read-only, and root_squash stops root on the client from writing to the directory as root. Note that there must be no space between the host name and the opening parenthesis; with a space, the options apply to every host rather than to the named one. Finally, run /usr/sbin/exportfs -a to make the changes take effect.
About open services
By default Linux is a powerful system that runs a lot of services, but many of them are not needed and easily become a security risk. The file /etc/inetd.conf defines the services that /usr/sbin/inetd listens for. You may need only two of them, telnet and ftp; the others, such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on, should all be closed unless you really want to use them.
First, use the following command to display the services that have not been commented out:
grep -v "#" /etc/inetd.conf
Before making changes, count the total number of running processes:
ps -eaf | wc -l
Be warned that the following three services have many vulnerabilities, and we strongly recommend that you close them: S34yppasswdd (NIS server), S35ypserv (NIS server) and S60nfs (NFS server).
After commenting out the unneeded services, run #killall -HUP inetd so that inetd rereads its configuration and stops serving them. You can also run
#chattr +i /etc/inetd.conf
if you want to make inetd.conf unchangeable so that only root can unlock it; to unlock it, type
#chattr -i /etc/inetd.conf
After closing some services, run the command above again to see how many fewer there are. The fewer services running, the more secure the system is. Use the following command to see which services are listening:
netstat -na --ip
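As an added example (not from the article), the following shell functions do the review-and-disable step above on a copy of inetd.conf, keeping only a named list of services such as the article's telnet and ftp; the copy path in the comments is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: review which inetd services are enabled,
# turn off everything except a short keep-list, and review again, working on a
# copy of inetd.conf so the edit can be checked before it replaces the real file.

# active_services FILE: names of the entries in FILE that are not commented out
# (first field of each non-comment line with the full inetd.conf field count)
active_services() {
  grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }'
}

# disable_service FILE NAME: comment out every enabled entry for NAME in place
disable_service() {
  sed "s/^\($2[[:space:]]\)/#\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# disable_all_except FILE "name name ...": comment out every enabled entry whose
# service name is not in the space-separated keep-list (the article keeps
# telnet and ftp); the service list is taken once before any edit is made.
disable_all_except() {
  for svc in $(active_services "$1"); do
    case " $2 " in
      *" $svc "*) ;;                        # on the keep-list, leave it enabled
      *) disable_service "$1" "$svc" ;;
    esac
  done
}

# Typical use (path is an assumption):
#   cp /etc/inetd.conf /root/inetd.conf.new
#   disable_all_except /root/inetd.conf.new "telnet ftp"
#   active_services /root/inetd.conf.new   # review, then install the file and
#                                          # run killall -HUP inetd as above
```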
If you use Red Hat it is much more convenient. ^_^ Red Hat provides a tool to help you shut down services: run /usr/sbin/setup and choose "System services", where you can select which services run at system startup. Another option is the chkconfig command, which many Linux distributions ship. The start-up scripts are named with a sequence number that sets their order; scripts whose names begin with an uppercase K are used to kill the process.
All logs are under /var/log (this applies only to Linux systems). The default Linux logging is already quite strong, except for ftp. So we can modify /etc/ftpaccess or /etc/inetd.conf to make sure every ftp connection is logged. The following is a modified inetd.conf example; the ftp line should read:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o
-l writes every ftp connection to syslog
-L records every command the user issues
-i records received files in xferlog
-o records transmitted files in xferlog
But do not trust the logs too much, because most hackers have the "good" habit of wiping their footprints! If you still worry, it is best to install a sniffer.
By default Red Hat Linux allows all requests, which is very dangerous. Using TCP_WRAPPERS to enhance the security of our site takes only a little effort: disable all requests by putting "ALL: ALL" in /etc/hosts.deny, and then list the requests that are explicitly allowed in /etc/hosts.allow, for example:
sshd: 192.168.1.10/255.255.255.0 gate.openarch.com
This allows the IP address 192.168.1.10 and the host gate.openarch.com to connect via ssh. When the configuration is finished, check it with tcpdchk; just run: tcpdchk. tcpdchk is the TCP_Wrappers configuration checker; it checks your tcp wrapper configuration and reports any potential problems it finds.
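The allow-then-deny evaluation order and the net/mask rule above are easy to get wrong, so here is an added shell example (not part of the article and not tcp_wrappers itself) that models the hosts_access(5) matching rules for IPv4 clients against a hosts.allow/hosts.deny pair; the file paths and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the article: an offline checker that re-implements the
# hosts_access(5) matching rule for IPv4 clients (ALL, exact address, net/mask)
# and the documented order: hosts.allow first, then hosts.deny, otherwise allow.
# This is not libwrap itself; hostnames, EXCEPT and spawn/twist are not handled.
ip2int() {                                  # dotted quad -> integer
  set -- $(echo "$1" | tr . ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
# client_match PATTERN IP: net/mask matches when (IP AND mask) == net, so the
# left side must be a network address: 192.168.1.10/255.255.255.0 matches
# nothing, while 192.168.1.0/255.255.255.0 matches the whole 192.168.1.x net.
client_match() {
  case $1 in
    ALL) return 0 ;;
    */*) a=$(ip2int "$2"); m=$(ip2int "${1#*/}"); n=$(ip2int "${1%/*}")
         [ $(( a & m )) -eq "$n" ] ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}
# file_match FILE DAEMON IP: true if any "daemon_list : client_list" line in
# FILE matches (comma- or space-separated lists; comments and blanks skipped)
file_match() {
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|\#*) continue ;; esac
    for d in $(echo "${line%%:*}" | tr ',' ' '); do
      [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
      for c in $(echo "${line#*:}" | tr ',' ' '); do
        client_match "$c" "$3" && return 0
      done
    done
  done < "$1"
  return 1
}
# access_decision ALLOWFILE DENYFILE DAEMON IP: prints allow or deny
access_decision() {
  if file_match "$1" "$3" "$4"; then echo allow
  elif file_match "$2" "$3" "$4"; then echo deny
  else echo allow    # nothing matched: without "ALL: ALL" in hosts.deny, in it goes
  fi
}
# Demo on constructed files: the article's hosts.deny "ALL: ALL" plus one allow rule
t=$(mktemp -d); printf 'sshd: 192.168.1.0/255.255.255.0\n' > "$t/hosts.allow"
printf 'ALL: ALL\n' > "$t/hosts.deny"
access_decision "$t/hosts.allow" "$t/hosts.deny" sshd 192.168.1.10        # allow
access_decision "$t/hosts.allow" "$t/hosts.deny" in.telnetd 192.168.1.10  # deny
rm -rf "$t"
```

Because tcp_wrappers compares the client address ANDed with the mask against the net part, the entry above with 192.168.1.10 to the left of a 255.255.255.0 mask matches no address at all; write 192.168.1.0/255.255.255.0 for the network or the bare 192.168.1.10 for the single host.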
You should always go to your Linux distributor's home page and install the latest patches on your system.