System security matters to every user, and Linux users are no exception. Drawing on my own experience with Linux, I have collected the following tips for hardening a Linux system.
1. Add a LILO boot password
Add a password option to /etc/lilo.conf so that LILO asks for a password at boot time, which stops anyone with physical access from passing boot parameters such as "linux single" to get a root shell. An example configuration:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=60        # 6 seconds; LILO counts the timeout in tenths of a second
prompt
default=linux
password=         # set your password here
image=/boot/vmlinuz-2.2.14-12
        label=linux
        initrd=/boot/initrd-2.2.14-12.img
        root=/dev/hda6
        read-only
Note that LILO stores this password in plain text in lilo.conf, so the file must be readable and writable by root only. If you also add the restricted keyword below the password line, the password is only demanded when extra boot parameters are typed at the prompt, which is usually the behaviour you want.
# chmod 600 /etc/lilo.conf
Finally, run lilo to write the new configuration to the boot sector; changes to lilo.conf have no effect until you do:
# /sbin/lilo -v
2. Set a minimum password length and a password lifetime
Passwords are the primary means of authenticating users to the system. The default minimum length on installations of that era is usually 5 characters, which does little to resist guessing attacks; raise it to at least 8 by editing the PASS_MIN_LEN parameter in /etc/login.defs. To make sure passwords are changed regularly, also set PASS_MAX_DAYS (the longest a password may be used) and PASS_MIN_DAYS (the shortest time before a password may be changed again, which stops users changing a password and immediately changing it back). On systems where PAM handles password changes, PASS_MIN_LEN in login.defs is not enforced; the length check then belongs in the PAM password stack (pam_cracklib or pam_pwquality).
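To check these settings in one go, here is an added example (not part of the original article) in Python that parses a login.defs-style file and reports every value weaker than the policy above. The 90-day maximum age, 1-day minimum age and 7-day warning period are assumed policy values, and the sample file text is constructed.

```python
"""Audit password-aging settings in an /etc/login.defs-style file.

Added example for this article (not part of the original text): parses the
KEY VALUE lines that login.defs uses and reports any value weaker than the
policy the article recommends. The sample text below is constructed.
"""
import re

# Policy: at least 8 characters (from the article); the 90-day maximum,
# 1-day minimum and 7-day warning are assumed values, not from the page.
POLICY = {
    "PASS_MIN_LEN": ("min", 8),
    "PASS_MAX_DAYS": ("max", 90),
    "PASS_MIN_DAYS": ("min", 1),
    "PASS_WARN_AGE": ("min", 7),
}

_LINE = re.compile(r"^\s*([A-Z_]+)\s+(\S+)")


def parse_login_defs(text):
    """Return {KEY: value} from login.defs text, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_login_defs(text, policy=POLICY):
    """Return [(key, current, required)] for every weak, missing or non-numeric setting."""
    settings = parse_login_defs(text)
    findings = []
    for key, (kind, limit) in policy.items():
        raw = settings.get(key)
        try:
            current = int(raw)
        except (TypeError, ValueError):      # absent or not a number: report it
            findings.append((key, raw, f"{kind} {limit}"))
            continue
        too_low = kind == "min" and current < limit
        too_high = kind == "max" and current > limit
        if too_low or too_high:
            findings.append((key, current, f"{kind} {limit}"))
    return findings


# Constructed sample resembling a default login.defs of the era.
SAMPLE = """\
# Password aging controls:
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UID_MIN         500   # unrelated setting, ignored by the audit
"""

if __name__ == "__main__":
    for key, current, required in audit_login_defs(SAMPLE):
        print(f"{key}: is {current}, policy requires {required}")
```

Point the script at the real file with `audit_login_defs(open("/etc/login.defs").read())`; remember that the changes only apply to passwords set after the edit, so existing users need `chage` (or a forced change) to pick up the new ageing values.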
3. Log idle users out automatically
If a user walks away without logging out, the open session is a risk to the system. You can edit /etc/profile so that an account that has been idle for a set period is logged out automatically.
Edit /etc/profile and add the following line directly after the "HISTFILESIZE=" line:
TMOUT=600
All users are then logged out after 10 minutes (600 seconds) of inactivity at the shell prompt. Only shells that honour TMOUT (bash and ksh among them) enforce this, and a user can unset the variable in their own session unless you also declare it read-only.
4. Protect important files
Key system files such as inetd.conf, services and lilo.conf can have their attributes changed so that ordinary users cannot read them and they cannot be modified by accident.
First set the file mode to 600:
# chmod 600 /etc/inetd.conf
Make sure the file is owned by root, then mark it immutable:
# chattr +i /etc/inetd.conf
Any change to the file, even by root, is now refused (the flag is supported on ext2 and its successors among other filesystems; lsattr shows it).
Root can only modify the file again after clearing the flag:
# chattr -i /etc/inetd.conf
5. Enable and disable remote access
On Linux you can allow or deny remote hosts access to local services through the two files /etc/hosts.allow and /etc/hosts.deny, which are read by tcpd (the TCP wrapper). The usual practice is:
(1) Edit hosts.deny and add the following line:
# deny access to everyone
ALL: ALL
This denies every service to every external host unless hosts.allow explicitly permits it.
(2) Edit hosts.allow and add a line for each exception, for example:
# just an example
in.ftpd: 126.96.36.199 xinhuanet.com
This allows the host with IP address 126.96.36.199 and the host named xinhuanet.com to use the FTP service. The first field is the name of the server process as it appears in inetd.conf (in.ftpd here), not the service name from /etc/services.
(3) After making the changes, run tcpdchk to verify that the settings are consistent; tcpdmatch lets you test how a given daemon/client pair would be treated. No restart is needed, because tcpd reads both files on every connection.
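To see how tcpd evaluates these two files, here is an added example (my own code for this article, not the tcp_wrappers implementation) in Python that reproduces the lookup order from hosts_access(5): the allow file is searched first, then the deny file, and a connection matching neither is allowed. It handles the common client patterns ALL, LOCAL, an exact host name or address, a leading-dot domain suffix and a trailing-dot network prefix; the EXCEPT operator, net/mask forms and option fields are left out. The rule texts and addresses are constructed.

```python
"""Simulate the hosts.allow / hosts.deny decision made by tcpd.

Added example for this article (not the tcp_wrappers code): implements the
lookup order documented in hosts_access(5) with the common client patterns.
EXCEPT, net/mask patterns and option fields are not implemented.
"""


def _parse_rules(text):
    """Yield (daemon_patterns, client_patterns) for each non-comment rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        yield daemons, clients


def _match_daemon(pattern, daemon):
    """Daemon field: ALL or the server process name as listed in inetd.conf."""
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, host, addr):
    """Match one client pattern against the client's host name and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # any host name without a dot
        return "." not in host
    if pattern.startswith("."):       # .example.com matches foo.example.com
        return host.endswith(pattern)
    if pattern.endswith("."):         # 10.0. matches 10.0.5.5
        return addr.startswith(pattern)
    return pattern in (host, addr)    # exact host name or exact address


def _rule_matches(rules_text, daemon, host, addr):
    for daemons, clients in _parse_rules(rules_text):
        if any(_match_daemon(d, daemon) for d in daemons) and any(
            _match_client(c, host, addr) for c in clients
        ):
            return True
    return False


def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Return 'allow' or 'deny' for a connection to daemon from (host, addr)."""
    if _rule_matches(allow_text, daemon, host, addr):
        return "allow"
    if _rule_matches(deny_text, daemon, host, addr):
        return "deny"
    return "allow"                    # neither file matched: access is granted


# Constructed policy: deny everything, then open FTP and SSH selectively.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# daemon names are process names as listed in inetd.conf
in.ftpd: 126.96.36.199 xinhuanet.com
sshd: .corp.example LOCAL 10.0.
"""

if __name__ == "__main__":
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "in.ftpd", "xinhuanet.com", "203.0.113.9"))
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "xinhuanet.com", "203.0.113.9"))
```

The last branch of hosts_access is the point to remember: an empty or missing hosts.deny means everything not mentioned is allowed, which is why the article's "ALL: ALL" line in hosts.deny must come first.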
6. Limit the size of the shell command history
By default bash keeps up to 500 commands (the exact number depends on the distribution) in the file $HOME/.bash_history, and every user's home directory has such a file. I strongly recommend limiting its size.
Edit /etc/profile and set the options as follows: HISTFILESIZE=30 or HISTSIZE=30. HISTSIZE is the number of commands kept in memory for the session, HISTFILESIZE the number of lines kept in the history file.
7. Delete the command history at logout
Edit /etc/skel/.bash_logout and add the following line:
rm -f $HOME/.bash_history
Because /etc/skel is copied into a home directory only when the account is created, this applies to every user created from then on; existing users need the line in their own ~/.bash_logout. Bear in mind that the history is also evidence after an intrusion: deleting it hides the user's commands from other eyes but leaves the administrator less to review.
To do this for a single user only, such as root, add the same line to that user's own $HOME/.bash_logout instead.
8. Disable unnecessary SUID programs
A set-UID program runs with the privileges of its owner, so a set-UID root program lets an ordinary user execute code as root. Such programs must be strictly controlled.
Find the files owned by root with the set-UID or set-GID bit:
# find / -type f \( -perm -04000 -o -perm -02000 \) -print | less
Then strip the bit from any that are not needed:
# chmod a-s program_name
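Running the find command once is not enough; a new set-ID file appearing later is exactly what you want to notice. Here is an added example (not from the original article) in Python that does the same walk and compares the result with a baseline of set-ID files you have reviewed, so that only new ones are reported. The baseline paths are an assumption for the example, not a recommended list.

```python
"""List set-UID / set-GID files under a directory tree and diff them against a baseline.

Added example for this article (not part of it). The baseline below is assumed.
"""
import os
import stat


def setid_flags(mode):
    """Return 'suid', 'sgid', 'suid,sgid' or '' for a st_mode value."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("suid")
    if mode & stat.S_ISGID:
        flags.append("sgid")
    return ",".join(flags)


def find_setid(root):
    """Return sorted [(path, flags)] for regular files with the SUID or SGID bit set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: never follow symlinks
            except OSError:
                continue                      # unreadable entry: skip it
            flags = setid_flags(st.st_mode)
            if stat.S_ISREG(st.st_mode) and flags:
                found.append((path, flags))
    return sorted(found)


def unexpected_setid(root, baseline):
    """Return the set-ID files under root whose path is not in the baseline set."""
    return [(p, f) for p, f in find_setid(root) if p not in baseline]


# Assumed baseline: set-ID binaries an administrator has reviewed and accepted.
BASELINE = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo"}

if __name__ == "__main__":
    for path, flags in unexpected_setid("/usr", BASELINE):
        print(f"{flags:9} {path}")
```

Run it as root over "/" for a complete picture (ordinary users cannot stat every directory), save the first run's output as the baseline, and treat any later addition as something to explain before you let it stay.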
9. Check the messages shown at boot
When a Linux system starts, a long list of boot messages scrolls past on the screen. If you suspect a problem at boot, you can review those messages after startup by saving the kernel's message buffer to a file:
# dmesg > bootmessage
This writes the messages shown at boot to the file bootmessage, where you can read them at leisure.
10. Disk space maintenance
Checking disk space regularly is a necessary part of maintaining a Linux filesystem. The commands for this are df, which shows how much of each filesystem is in use, and du, which shows which directories are using the space. A full filesystem is also a security problem: once /var fills up, logging stops.
Move 1: Eliminate unnecessary services
In early Unix versions each network service ran as its own daemon in the background; later versions use a single server program, /etc/inetd, for this task. inetd (the Internet daemon) listens on many network ports at once and, when a connection arrives from outside, starts the corresponding TCP or UDP service.
Because inetd manages them centrally, most TCP and UDP services on Linux are configured in /etc/inetd.conf. The first step in eliminating unnecessary services is therefore to review /etc/inetd.conf and put a "#" at the start of the line of every service you do not need.
In general, everything other than http, smtp, telnet and ftp should be removed: tftp (trivial file transfer), imap and pop (mail retrieval), gopher (information lookup), and daytime and time (time synchronisation), among others. Bear in mind that telnet and ftp send passwords in clear text; the SSH tools described below are the safer replacement wherever you can use them.
Services that report system state, such as finger, systat and netstat, are useful for troubleshooting and for finding users, but they also open a door to attackers: with finger, for instance, an attacker can look up a user's telephone number, home directory and other details. Many Linux systems therefore disable some or all of these services.
Besides the service entries in /etc/inetd.conf, inetd uses /etc/services to find the port each service uses, so check the port settings in that file carefully as well to avoid security loopholes.
Linux has two kinds of services: those started on demand by inetd, such as finger, and standalone daemons that run continuously. The latter are started at boot, so they cannot be stopped by editing inetd.conf; instead, modify their start scripts under /etc/rc.d/rc[n].d/ or use a runlevel editor. The NFS file server and the NNTP news server belong to this kind; if they are not needed, disable them too.
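Commenting out inetd.conf lines by hand is error-prone on a long file, so here is an added example (not part of the original article) in Python that parses the inetd.conf format (service, socket type, protocol, wait/nowait, user, server path, arguments), keeps only the services on a keep list and prefixes every other active line with "#", which is what the text above tells you to do. The keep list is the article's own minus http, which is not an inetd service; the sample configuration is constructed.

```python
"""Comment out unneeded services in an inetd.conf-style file.

Added example for this article (not part of it). KEEP follows the article's
advice; SAMPLE_INETD is a constructed excerpt in the classic Red Hat layout.
"""

KEEP = {"smtp", "telnet", "ftp"}


def parse_inetd_line(line):
    """Return (service, server_program) for an active entry, or None for comments, blanks and malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:                   # service socket proto flags user server [args]
        return None                       # malformed: leave the line untouched
    return fields[0], fields[5]


def prune_inetd(text, keep=KEEP):
    """Return (new_text, disabled): the file with unneeded services commented out, and their names."""
    out, disabled = [], []
    for line in text.splitlines():
        entry = parse_inetd_line(line)
        if entry and entry[0] not in keep:
            out.append("#" + line)        # the "#" is how the article disables a service
            disabled.append(entry[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


SAMPLE_INETD = """\
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
"""

if __name__ == "__main__":
    new_text, disabled = prune_inetd(SAMPLE_INETD)
    print(new_text)
    print("disabled:", ", ".join(disabled))
```

After writing the result back to /etc/inetd.conf, send inetd a SIGHUP (kill -HUP on its process ID) so that it rereads the file; the already-commented shell line in the sample shows that lines that are disabled stay as they are.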
Move 2: Limit access to the system
Before entering a Linux system every user must log in, that is, enter a user ID and password, and only after the system has verified them can the user get in.
Like other Unix systems, Linux traditionally kept the password hashes in /etc/passwd. Every user on the system can read /etc/passwd, and although the passwords in it are hashed rather than stored in clear text, this is still not safe: an ordinary user can copy the file and use a password-cracking tool to guess the passwords by brute force. The safer method is the shadow file, /etc/shadow, which holds the hashes and can be read only by root and specially privileged programs.
On old Linux systems, using the shadow file meant recompiling every utility that reads passwords, which is cumbersome. The simpler method is Pluggable Authentication Modules (PAM), which many Linux distributions ship. PAM is an authentication framework that lets you change authentication methods and requirements dynamically without recompiling other utilities, because all authentication logic is hidden inside the modules; this makes it the best helper for using the shadow file. (Current distributions enable shadow passwords by default.)
PAM has other security features as well: it can replace the traditional DES-based crypt() hashing with stronger algorithms (pam_unix supports md5, sha256 and sha512 hashes) so that user passwords are harder to crack; it can set upper limits on the computer resources each user may use (pam_limits); and it can even restrict the times and places from which a user may log in (pam_time and pam_access).
A Linux administrator only needs to spend a few hours installing and configuring PAM to greatly improve the security of the system and block many attacks from outside.
Move 3: Keep the system kernel up to date
Because Linux is distributed through many channels, updated programs and system patches appear frequently; to keep the system secure, be sure to update the kernel regularly.
The kernel is the core of the Linux operating system: it stays resident in memory, loads the other parts of the operating system and provides its basic functions. Because the kernel controls the functions of the computer and the network, its security is critical to the security of the whole system.
Early kernel versions had many well-known security holes and were not very stable; at the time of writing only the 2.0.x series was reasonably stable and secure, and the newer versions also ran much more efficiently. When configuring kernel features, select only the ones you need rather than everything on offer: a bloated kernel not only wastes system resources but also gives attackers more to work with.
The latest security patches are often announced on the Internet; a Linux administrator should keep informed, follow the security news groups and obtain new patches promptly.
Move 4: Check the passwords
Setting a password is a very important security measure. If a user's password is poorly chosen it is easy to crack, and a weak password on an account with superuser privileges leaves a gaping hole in the system.
On a multi-user system, forcing every user to choose a hard-to-guess password greatly improves security. If the passwd program cannot force every user on the machine to choose a proper password, the only way left to check password quality is to run a password-cracking program yourself.
A password-cracking program is indeed a tool from the attacker's toolbox: it takes commonly used passwords, or every word in an English dictionary, hashes each one with the same algorithm (and the same salt) the system used, and compares the results with the hashes in the /etc/passwd password file or the /etc/shadow shadow file; a match reveals the password.
Many password-cracking programs can be found on the network; the best known is Crack (today John the Ripper is the usual choice). Run one against your own password file to find the passwords an attacker could crack; it is better to find and fix them before an attacker does.
Move 5: Set the security level of user accounts
Besides its password, a user account also has a security level: each account on Linux can be given different permissions, so when creating a new user ID the administrator should grant the account only the permissions it needs and place it in the appropriate groups.
With tcpd on a Linux system you can set up lists of hosts that are and are not allowed to connect: the allowed hosts go in /etc/hosts.allow and the denied ones in /etc/hosts.deny. tcpd reads both files on every connection, so changes take effect immediately (inetd itself only needs to be restarted, or sent SIGHUP, when inetd.conf changes). tcpd also records allowed and refused connections in /var/log/secure, so the administrator can look there for suspicious attempts.
Every account ID should have a person responsible for it. In an enterprise, when the employee responsible for an ID leaves, the administrator should remove the account from the system immediately; many intrusions have come in through long-unused accounts.
Among user accounts, the attacker's favourite is any account with root privileges: the superuser can modify or delete any system setting and move unimpeded through the system. Before giving any account root privileges, think carefully.
The file /etc/securetty lists the terminals from which root may log in. On Red Hat Linux, for example, the initial file allows root to log in only on the local virtual consoles (tty1 and so on), not from remote sessions. It is best not to change this file; if you need root privileges from a remote login, log in as an ordinary user first and then use su (or sudo, described later) to become superuser.
Move 6: Eliminate the hotbed of hacker crime
Unix systems carry a family of utilities whose names begin with r (rlogin, rsh, rcp); they are favourite weapons of intruders, very dangerous, and must never be open to the root account. These utilities grant access on the basis of the .rhosts file or the hosts.equiv file, so make sure root does not appear in either.
Because the r-commands are a hotbed of attacks, many security tools target this weakness. PAM, for instance, can neutralise them: in /etc/pam.d/rlogin, require a real login (for example by giving pam_rhosts_auth the no_rhosts option) so that users cannot open the system with .rhosts files in their own home directories. Better still, remove the r-commands altogether and use SSH (next move).
Move 7: Use stronger security tools
SSH stands for Secure Shell (not Secure Sockets Layer, which is SSL). It is a set of programs that safely replaces rlogin, rsh, rcp and similar tools. SSH uses public-key cryptography to encrypt the traffic between two hosts and uses the hosts' keys to authenticate them.
Because SSH encrypts everything it sends over the network, it can be used to log in to a remote host securely and to transfer data securely between two hosts. It protects more than Linux-to-Linux communication: Windows users can also connect securely to a Linux server with an SSH client.
Move 8: Limit the power of the superuser
As mentioned earlier, root is the focus of protection on Linux; because its power is unlimited, the superuser password should not be handed out lightly. Some installation and maintenance work does require superuser privileges, however, and for such cases you can use a tool that grants selected users some of root's privileges. sudo is one such tool.
Once configured, sudo lets an ordinary user authenticate with their own password and then run a limited set of commands with superuser privileges. For example, with sudo an operator in charge of tape backups can log in every day, obtain superuser privileges to run the backup, and do nothing else that a superuser could do.
sudo not only limits the user's permissions; it also logs every command run through it, whether the command succeeded or failed. In a large enterprise where many people manage different parts of a Linux system, each with some sudo rights, the sudo log lets you track who did what and which part of the system they changed.
Note that sudo does not restrict what a user does inside the program it launches, so granting simple-looking commands without restrictions invites abuse. cat, normally used to display a file, will read any file on the system when run as root, including /etc/shadow, and editors and pagers such as vi and less can start a root shell from within.
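To catch such rules before an attacker does, here is an added example (my own code for this article, not sudo's parser) in Python that reads lines of the simple sudoers form "user host = (runas) command, command" and flags rules that grant ALL, a program that can escape to a shell whatever arguments are pinned, or a file-reading program whose arguments are left free. The two program lists are assumptions for the example, not a complete list, and the sample rules are constructed; sudo's full grammar (aliases, host lists, include files) is not handled.

```python
"""Flag over-broad entries in a sudoers-style rule set.

Added example for this article (not sudo's own parser). The program lists are
assumptions; the sample rules are constructed.
"""
import re

# Assumed: programs that hand out a root shell or run arbitrary code no matter
# which arguments sudoers pins (":!sh" in vi, "!sh" in less, -exec in find, ...).
SHELL_ESCAPES = {"sh", "bash", "vi", "vim", "less", "more", "man", "find", "awk", "perl", "python"}
# Assumed: programs that are fine with a fixed argument but dangerous with free arguments.
FREE_ARGS_RISK = {"cat", "head", "tail", "cp", "chmod", "chown", "tar"}

_RULE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def _strip_tags(cmd):
    """Remove tag prefixes such as NOPASSWD: or SETENV: from a command spec."""
    while ":" in cmd and cmd.split(":", 1)[0].strip().isupper():
        cmd = cmd.split(":", 1)[1].strip()
    return cmd


def parse_sudoers(text):
    """Yield (user, host, runas, [commands]) per rule line; comments and Defaults lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        commands = [_strip_tags(c.strip()) for c in cmds.split(",")]
        yield user, host, runas or "root", commands


def audit_sudoers(text):
    """Return [(user, command, reason)] for every rule that is effectively unrestricted."""
    findings = []
    for user, _host, _runas, commands in parse_sudoers(text):
        for cmd in commands:
            if cmd == "ALL":
                findings.append((user, cmd, "grants every command"))
                continue
            parts = cmd.split()
            program = parts[0].rsplit("/", 1)[-1]
            args = parts[1:]
            if program in SHELL_ESCAPES:
                findings.append((user, cmd, f"{program} can escape to a shell"))
            elif program in FREE_ARGS_RISK and (not args or "*" in cmd):
                findings.append((user, cmd, f"{program} with unrestricted arguments reads or changes any file"))
    return findings


SAMPLE_SUDOERS = """\
# Constructed example rules
Defaults    requiretty
backup      ALL = (root) /sbin/dump, /sbin/restore
operator    ALL = NOPASSWD: /bin/cat
logreader   ALL = /bin/cat /var/log/messages
alice       ALL = (ALL) ALL
bob         ALL = /usr/bin/vi /etc/motd
"""

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd}  ({reason})")
```

The logreader rule is deliberately not flagged: when sudoers lists arguments, sudo only allows that exact invocation, so "cat /var/log/messages" reads one file, whereas the bare "/bin/cat" granted to operator reads any file. The vi rule is flagged even with a fixed argument because the editor itself can run commands.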
Move 9: Track the intruder's traces
Once you have carefully set all the Linux configuration and installed the necessary security tools, the security of the system is indeed greatly improved, but that does not guarantee that a skilled and determined attacker is kept out.
Administrators should stay vigilant at all times, watch for suspicious conditions and check the system logs on schedule: the general message log, the network connection logs, the file transfer log and the user login logs. When examining these logs, look for abnormal records such as:
- a normal user logging in in the middle of the night;
- abnormal log records, such as a log cut off halfway through or an entire log file deleted;
- users entering the system from unfamiliar hosts or addresses;
- logins abandoned because of a wrong password or user name, especially repeated consecutive failures that follow a pattern of trial and error;
- illegal or improper use of the su command to gain superuser privileges;
- records of reboots or restarted services.
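Most of these checks can be automated over the login and su messages in /var/log/secure or /var/log/messages. Here is an added example (not from the original article) in Python: a small detector over syslog-style lines as written by sshd, su and shutdown on Linux that flags logins outside working hours, repeated failed logins from one source, logins from addresses not on a known list, direct remote root logins, failed su attempts to root and reboot records. The log lines, the known-host list, the quiet hours and the failure threshold are all constructed for the example; real message formats differ between distributions and versions, so treat the regular expressions as assumptions to adjust.

```python
"""Scan auth-log lines for the anomalies the article lists.

Added example for this article (not part of it). Log lines, known hosts,
quiet hours and the threshold are constructed; the regular expressions match
common sshd/su/shutdown wording and are assumptions to adapt to your logs.
"""
import re
from collections import Counter

KNOWN_HOSTS = {"10.0.0.5", "10.0.0.6"}   # assumed: addresses that normally log in
QUIET_HOURS = range(0, 6)                 # assumed: 00:00-05:59 is an unusual login time
FAIL_THRESHOLD = 3                        # assumed: failures from one source before alerting

# syslog prefix "Mon DD HH:MM:SS host " followed by the program's message
_TS = re.compile(r"^\w{3}\s+\d+\s+(\d\d):\d\d:\d\d\s+\S+\s+(.*)$")
_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
_SU_FAIL = re.compile(r"\bsu\b.*authentication failure.*ruser=(\S+).*user=root")
_REBOOT = re.compile(r"shutdown|reboot|Linux version")


def scan_auth_log(lines, known_hosts=KNOWN_HOSTS):
    """Return a list of (category, detail) findings for the given log lines."""
    findings = []
    failures = Counter()                  # failed logins per source address
    for line in lines:
        m = _TS.match(line)
        if not m:
            continue                      # not a syslog line: ignore
        hour, msg = int(m.group(1)), m.group(2)
        accepted = _ACCEPT.search(msg)
        failed = _FAIL.search(msg)
        su_failed = _SU_FAIL.search(msg)
        if accepted:
            user, src = accepted.groups()
            if hour in QUIET_HOURS:
                findings.append(("off-hours login", f"{user} from {src} at {hour:02d}h"))
            if src not in known_hosts:
                findings.append(("unknown source", f"{user} from {src}"))
            if user == "root":
                findings.append(("remote root login", f"from {src}"))
        elif failed:
            failures[failed.group(2)] += 1
        elif su_failed:
            findings.append(("failed su to root", f"by {su_failed.group(1)}"))
        elif _REBOOT.search(msg):
            findings.append(("reboot", msg))
    for src, count in failures.items():
        if count >= FAIL_THRESHOLD:
            findings.append(("repeated failures", f"{count} from {src}"))
    return findings


# Constructed sample log: a password-guessing run that succeeds, a bad su, a reboot.
SAMPLE_LOG = """\
Mar 12 02:14:07 gw sshd[2100]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 12 02:14:09 gw sshd[2101]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 12 02:14:11 gw sshd[2102]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar 12 02:14:20 gw sshd[2104]: Accepted password for root from 198.51.100.7 port 40140 ssh2
Mar 12 03:05:11 gw su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar 12 09:30:00 gw sshd[3000]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar 12 10:05:00 gw shutdown[3100]: shutting down for system reboot
""".splitlines()

if __name__ == "__main__":
    for category, detail in scan_auth_log(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

The sample is chosen so that the one successful root login is reported three times (off-hours, unknown source, remote root), which is the combination that should make an administrator stop everything else; alice's daytime key login from a known address produces nothing.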
Move 10: Defend together to stay secure
From a computer-security standpoint there is no absolutely airtight, 100% secure computer system, and Linux is no exception. Applying the guidelines above greatly improves the security of a Linux system so that casual intruders and script kiddies cannot easily break in, but it will not necessarily stop a highly skilled attacker. Business users therefore need firewalls and other security tools as well, layering the defences to keep the system as safe as possible.