Whether you are an ordinary Linux desktop user or a system administrator managing multiple servers, you face the same problem: growing threats. Linux is an open system, and many ready-made programs and tools for it can be found on the Internet. That is convenient for users, but also for hackers, who can just as easily find programs and tools to sneak into a Linux system or steal important information from it. However, if we carefully configure the various functions of the Linux system and add the necessary security measures, hackers will be left with no opening to exploit.
In general, security settings on a Linux system include eliminating unnecessary services, restricting remote access, hiding important information, patching security holes, using security tools, and performing regular security checks. Here are ten tactics for improving the security of your Linux system. They are small tricks, but they work, so you may wish to try them.
1. Firewall Deployment
It sounds like one of the most "obvious" suggestions (like using strong passwords), but surprisingly few people actually set up a firewall. Even if you are using a router with a built-in firewall, deploying a software firewall on a Linux system is very easy, and you can benefit from it.
Graphical firewalls, such as the recently popular Firestarter, are well suited to defining port-forwarding rules and monitoring activity.
2. Disable unnecessary network services
In general, apart from http, smtp, telnet and ftp, other services should be disabled, such as the trivial file transfer protocol tftp, imap/ipop for mail storage and retrieval, gopher for finding and searching information, and daytime and time for time synchronization.
There are also services that report system state, such as finger, efinger, systat and netstat. Although they are very useful for troubleshooting and for finding users, they also open a door to hackers. For example, a hacker can use finger to find a user's telephone number, the directory in use and other important information. Therefore, many Linux systems disable all or some of these services to enhance system security.
3. Use a more secure alternative for transmission
SSH is short for Secure Shell. It can safely replace rlogin, rsh, rcp and other such commonly used programs. SSH uses public-key technology to encrypt the messages exchanged between two hosts over the network, and uses the keys as an authentication tool.
Because SSH encrypts information on the network, it can be used to log on to a remote host securely and to transmit information securely between two hosts. In fact, SSH does more than protect communication between Linux hosts: Windows users can also connect to a Linux server securely via SSH.
4. Restrict non-root access
It may seem inconvenient at first, but you should make sure that normal users cannot access system tools, even almost "harmless" ones such as fsck and ifconfig. The best way to achieve this is to use sudo. Once configured, sudo lets an ordinary user authenticate with his or her own password to obtain superuser privileges, but only for a limited set of commands. For example, with sudo in place, you can let the administrator in charge of tape backups log in at the scheduled time each day and obtain superuser privileges to perform the backup, without being able to do any of the other work reserved for the superuser. Sudo not only limits the user's permissions, it also records every command executed through it, regardless of whether the command succeeded or failed.
5. Check the logs regularly and keep a copy
Network administrators should always stay vigilant, watch for all kinds of suspicious conditions, and check the system's log files on schedule, including the general information log, the network connection logs, the file transfer log and the user login logs. When examining these logs, pay attention to whether the recorded times are abnormal. Hackers often modify logs to cover their traces, so you should keep a copy of the logs in an unconventional place. Ideally, the logs are stored separately on a remote server.
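One way to review the record sudo keeps (tip 4) as part of the log checks in tip 5, as an added example that is not from the original article. The log lines are constructed samples in sudo's syslog format, and the host and user names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in the format sudo writes via syslog (not real logs).
sample_log() {
cat <<'EOF'
May  4 02:00:01 srv1 sudo:   backup : TTY=pts/0 ; PWD=/home/backup ; USER=root ; COMMAND=/usr/bin/tar -cf /dev/st0 /home
May  4 02:14:37 srv1 sudo:   backup : command not allowed ; TTY=pts/0 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/cat /etc/shadow
May  4 09:12:10 srv1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/ifconfig eth0
May  4 09:30:55 srv1 sudo:  mallory : user NOT in sudoers ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
May  4 09:31:20 srv1 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# Read log lines on stdin and print "STATUS user command" for each sudo event.
# STATUS is DENIED when sudo refused the request, OK when it ran the command.
sudo_events() {
  awk '
    / sudo: / && /COMMAND=/ {
      line = $0
      sub(/^.* sudo: +/, "", line)            # drop timestamp, host and tag
      user = line; sub(/ +:.*$/, "", user)    # text before the first " :"
      cmd = line;  sub(/^.*COMMAND=/, "", cmd)
      status = "OK"
      if (line ~ /command not allowed|NOT in sudoers|incorrect password/)
        status = "DENIED"
      print status, user, cmd
    }'
}

# Only the refused attempts, which are the ones worth a closer look.
denied_events() { sudo_events | awk '$1 == "DENIED"'; }

# Demo on the constructed sample; on a real host, feed it the auth log instead.
sample_log | denied_events
```

The backup account's allowed tar run and its refused attempt to read /etc/shadow both appear in the record, which is why a copy of this log kept off the host is useful.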
6. Use password aging
Password aging is a mechanism that strengthens password authentication by giving passwords a limited lifetime. Although it certainly makes things less convenient for users, it ensures that passwords are changed regularly, which is a very good security measure. As a result, if an account has been hacked without anyone noticing, the intruder can no longer access the account once the next password change cycle comes around.
7. Strictly restrict root login
Logging in as "root" is not a good idea. It is safer to log in as a regular user, use su or sudo to obtain superuser privileges, and then do the work.
8. Physical protection
Although most attacks are carried out over the network, and the chance of a hacker getting physical access to your computer is very slim, that does not mean you need no defenses.
Add password protection to the boot loader, and make sure the computer is always locked when you leave it. You should also be completely sure that no one can boot your server from an external device.
9. Install the latest security updates
All popular Linux distributions publish regular updates, and whenever a security vulnerability is found, the developers responsible also release updates and patches quickly. All you have to do is keep an eye on the security updates and patches that are released and install them promptly.
10. Pay attention to open files
Many Linux distributions include some very handy small tools, and lsof is one of them. Lsof lists all files currently open on the system. In the Linux environment everything exists in the form of a file: through files you can access not only regular data but also network connections and hardware. With lsof you can see which processes are using which ports, along with each process ID and the user running it. If you find anything unusual there, it definitely deserves careful examination.
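An added example (not from the original article) of the lsof check described above: it compares listening TCP sockets against a list of expected command:port pairs. The lsof output is a constructed sample, and the ALLOWED list is a hypothetical host's baseline.

```shell
#!/bin/sh
# Constructed output of `lsof -nP -iTCP -sTCP:LISTEN` (not from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812     root    3u  IPv4  18432      0t0  TCP *:22 (LISTEN)
nginx   1044     root    6u  IPv4  20111      0t0  TCP *:80 (LISTEN)
nginx   1045 www-data    6u  IPv4  20111      0t0  TCP *:80 (LISTEN)
master  1310     root   13u  IPv4  22310      0t0  TCP 127.0.0.1:25 (LISTEN)
nc      4312   nobody    3u  IPv4  51990      0t0  TCP *:31337 (LISTEN)
sshd    5120      bob    3u  IPv6  60233      0t0  TCP [::]:2222 (LISTEN)
EOF
}

# Assumption: the listeners this host is supposed to have, as command:port.
ALLOWED="sshd:22 nginx:80 master:25"

# Read lsof output on stdin and print "command pid user port" for every
# listening socket whose command:port pair is not in ALLOWED.
unexpected_listeners() {
  awk -v allowed="$ALLOWED" '
    BEGIN {
      n = split(allowed, a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $NF == "(LISTEN)" {                  # skips the header line as well
      k = split($(NF - 1), part, ":")    # NAME is addr:port; IPv6 has more colons
      port = part[k]
      key = $1 ":" port
      if (!(key in ok)) print $1, $2, $3, port
    }'
}

# Demo on the constructed sample. On a live system, run as root:
#   lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners
sample_lsof | unexpected_listeners
```

Matching on the command and port together catches the second sshd on port 2222 running as an ordinary user, which a check on the command name alone would pass.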