| |
Many new to Linux network administrators find it difficult to convert the point-and-click security configuration interface to another interface based on complex and subtle editing text files. This article lists the steps administrators can and should be done in seven, to help them build a more secure Linux servers, and significantly reduce the risks they face.
Please any large organization network administrator for Linux and network operating systems (such as Windows NT or Novell) are compared, and perhaps he'll admit that Linux is an inherently more stable, more scalable solutions. Perhaps he also admitted that protect the system from external attacks, Linux may be the most difficult of the three system configuration.
This recognition is quite common - many new to Linux network administrators find it difficult to convert the point-and-click security configuration interface to another based on complex and subtle editing a text file interface. Most administrators are fully aware that they need to manually set the obstacles and barriers to prevent a possible hacker attacks, to protect the security of corporate data. But they are not familiar with in the Linux world, they are not sure their direction is correct, or where to start.
This is the purpose of this paper. It lists some simple steps to help administrators protect Linux security, and significantly reduce the risk they face. This tutorial lists seven such steps, but you can find more in the Linux manual and discussion forums.
Protect the root account
Root account (or superuser account) on a Linux system is like the Rolling Stones concert, backstage passes, like - it allows you to access all the content in the system. Therefore, it is worth taking extra steps to protect it. First, the account password command to set a password difficult to guess and regularly amended and the password should be limited to a few major figures within the company (under ideal circumstances, only two people) know.
Then, the / etc / securetty file for editing, limited root access can be terminal. To avoid the user to let root terminal "open", local variables can be set TMOUT inactive root login set a time; and HISTFILESIZE local variable to 0, to ensure that the root command history file (which may contain confidential information) is disabled. Finally, the development of a mandatory policy that uses this account can only execute specific management tasks; and prevents users from default root user login service.
Tip: After closing these loopholes, and then require that every normal user account must be set up as a password and ensure that passwords are not easy to identify revelation of the password, such as birthdays, user names or dictionary words can be found.
Install a firewall
Firewall help you filter out of the server data packets, and ensure that data packets can access the system only those rules and predefined matches. There are many excellent for Linux firewall, and the firewall code can even be compiled directly into the system kernel. First Application ipchains or iptables command packet defined input, output and forwarding rules out of the network. You can make rules based on a combination of IP address, network interface, port, protocol, or these properties. These rules also provide matching what actions should be taken to (accept, reject, forward). After the rule set is completed, then the firewall for detailed testing to ensure that no loopholes exist. Secure Firewall is to protect you against Distributed Denial of Service (DDoS) attacks such attacks common first line of defense.
Use OpenSSH transaction processing network
Secure transmission of data over the network is a client - server architecture is an important issue to be addressed. If the network transaction in the form of plain text will be, a hacker could "sniff" the data transmitted over the network, in order to gain confidential information. You can use the OpenSSH secure shell application such as the establishment of a data transmission "encryption" channel, close this loophole. In this form of connection is encrypted, unauthorized users would be difficult to read in the data transmission between the network host.
Disable unnecessary services
Most Linux system after installation, a variety of different services are activated, such as FTP, telnet, UUCP, ntalk like. In most cases, we rarely use these services. Let them be active like the windows open to let the opportunity slip through, like thieves. You can cancel at /etc/inetd.conf file or /etc/xinetd.conf these services, and then restart inetd or xinetd daemon, thus disabling them. In addition, some services (such as a database server) may default boot during the boot process, you can disable these services by editing /etc/rc.d/* directory hierarchy. Many experienced administrators disable all system services, leaving only the SSH communication ports.
Use anti-spam and virus filters
Spam and virus interferes with the user, may sometimes cause serious network failure. Linux has a strong anti-virus capabilities, but the client computer running Windows may be more vulnerable to virus attacks. Therefore, install a spam and virus filters on the mail server, in order to "prevent" suspicious information chain and reduce the risk of collapse, would be a good idea.
First, install SpamAssassin application of this technology to identify and mark spam-class open source tools, the program supports user-based white list and gray list, improved accuracy. Next, based on regular expressions to install user-level filter, this tool can receive inbox automatically filter. Finally, install Clam Anti-Virus, the free anti-virus tools to integrate Sendmail and SpamAssassin, and supports scanning incoming e-mail attachments.
Install an intrusion detection system
Intrusion Detection System (IDS) is to help you understand some of the network change early warning system. They can accurately identify (and confirm) an attempt to invade the system, of course, to increase the consumption of resources and wrong clues for the price. You can try out two fairly well-known IDS: tripwire, which tracks file signatures to detect modifications; snort, it uses a rule-based instructions to perform real-time information packet analysis, search for and identification of the system to detect or attempted attacks. Both systems can generate e-mail alerts (and other acts), when you suspect that your network security threats and in need of conclusive evidence, you can use them.
Regular safety checks
To protect network security, the final step may be the most important. At this point, you play the role of a villain, you are trying to break in front of the six steps to establish the defense. This can objectively assess the security of the system and identify potential pitfalls that you should fix.
There are many tools that can help you carry out such a check: You can try to Crack and John the Ripper password cracker like deciphering your password file; or use nmap or netstat to find open ports; you can also use tcpdump detection network; in addition, you can also use the program you installed (web server, firewall, Samba) disclosed vulnerability, see if we can find a way to enter. If you are trying to find a way to break through the barriers that others can do the same, you should take immediate action to close these loopholes.
Protection of Linux system is a long-term task, the completion of the above steps does not mean you can sit back and relax. Access Linux Security Forum for more safety tips, and proactively monitor and update the system security. good luck! |
|
|
|