Linux network server configuration foundation
Http://www.lelew.com/ 2004-05-22 09:18:06
To build a secure Linux server you must first understand what the configuration files related to network services mean and how to configure those services. On a Linux system, TCP/IP networking is configured through several text files. You may need to edit these files by hand to get networking working, but they can also be set up with the configuration tool linuxconf (its network part can be reached through the netconf command). The basic TCP/IP network configuration files are introduced below.

* /etc/conf.modules file

This file defines the parameters of the modules that need to be loaded at boot. Here we focus on the configuration of the network card (NIC). When Linux is used as a gateway, the server needs two network cards. To reduce problems that may arise at boot, the Linux kernel does not automatically detect multiple network cards. On a system whose NIC driver is not compiled into the kernel but loaded dynamically as a module, the corresponding configuration must be made in "conf.modules" if more than one card is to be installed.

If the device driver is compiled as a module (a loadable kernel module): for a PCI device the module automatically detects all such devices installed in the system; for an ISA card you must tell the module where to look for the card, and this is done in "/etc/conf.modules". For example, suppose we have two ISA-bus 3c509 cards, one at I/O address 0x300 and the other at 0x320. Edit "conf.modules" as follows:

    alias eth0 3c509
    alias eth1 3c509
    options 3c509 io=0x300,0x320

This says that the 3c509 driver should be loaded as eth0 and eth1 respectively (alias eth0, alias eth1), and that it should be loaded with the parameter io=0x300,0x320 to tell the driver where to find the cards. The 0x prefix is required.
For a PCI card only the alias command is needed, to associate ethN with the appropriate driver module name; the I/O address of a PCI card is detected automatically. For PCI cards, edit "conf.modules" as follows:

    alias eth0 3c905
    alias eth1 3c905

If the driver has been compiled into the kernel: the PCI probe at system start-up automatically finds all relevant NICs. ISA cards can generally be detected automatically too, but in some cases an ISA card still needs the following configuration: add configuration information to "/etc/lilo.conf", which passes it to the kernel as boot parameters through the LILO boot loader. For ISA cards, edit "lilo.conf" and add the following line:

    append="ether=0,0,eth0 ether=0,0,eth1"

Note: first test your ISA cards without adding boot parameters to "lilo.conf"; use the boot parameters only if that fails. When boot parameters are used, eth0 and eth1 are assigned in the order in which the cards are discovered at boot.

* /etc/hostname file

This file contains the system's host name, including the full domain name, for example: deep.openarch.com.
* /etc/sysconfig/network-scripts/ifcfg-ethN file

In Red Hat, the configuration files for the system's network devices are kept in the /etc/sysconfig/network-scripts directory: ifcfg-eth0 holds the configuration of the first NIC and ifcfg-eth1 that of the second. Here is an example "/etc/sysconfig/network-scripts/ifcfg-eth0" file:

    DEVICE=eth0
    IPADDR=208.164.186.1
    NETMASK=255.255.255.0
    NETWORK=208.164.186.0
    BROADCAST=208.164.186.255
    ONBOOT=yes
    BOOTPROTO=none
    USERCTL=no

To change a network address by hand or to add a new network interface, edit the corresponding file (ifcfg-ethN) or create a new one. The fields have the following meaning:

    DEVICE=name                  name is the name of the physical device
    IPADDR=addr                  addr is the IP address of the card
    NETMASK=mask                 mask is the network mask
    NETWORK=addr                 addr is the network address
    BROADCAST=addr               addr is the broadcast address
    ONBOOT=yes/no                whether the card is activated at boot
    BOOTPROTO=none/bootp/dhcp    none: no boot protocol; bootp: use the BOOTP protocol; dhcp: use the DHCP protocol
    USERCTL=yes/no               whether non-root users may control the device

* /etc/resolv.conf file

This file is the configuration file of the domain name resolver (the resolver library used to turn host names into IP addresses). An example:

    search openarch.com
    nameserver 208.164.186.1
    nameserver 208.164.186.2

"search domainname.com" means that when a host name is given without a full domain name, the suffix domainname.com is appended to it; "nameserver" names the host that is queried when a domain name is resolved. The name servers are queried in the order in which they appear in the file.

* /etc/host.conf file

This file specifies how host names are resolved. Linux obtains the IP address for a host name through the resolver library.
Here is an example "/etc/host.conf":

    order bind,hosts
    multi on
    nospoof on

"order bind,hosts" specifies the order of host name lookups: here DNS is used first to resolve the name, and the "/etc/hosts" file is consulted afterwards (or the reverse, if the order is swapped). "multi on" specifies whether a host listed in "/etc/hosts" may have several addresses; a host with several IP addresses is usually called a multi-homed host. "nospoof on" means that IP spoofing against the server is not permitted. IP spoofing is a means of attacking system security: by impersonating another computer's IP address, the attacker obtains the trust that other computers place in that address.
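The four address fields of the ifcfg-eth0 file described above must agree with each other; the script below, an added example that is not part of the original article, checks that NETWORK and BROADCAST match what IPADDR and NETMASK imply. The function names are my own, and the sample file is constructed from the article's values.

```shell
#!/bin/sh
# Added example, not from the original article: check that the address
# fields of a Red Hat ifcfg-ethN file agree, i.e. NETWORK == IPADDR & NETMASK
# and BROADCAST == NETWORK | ~NETMASK. Mismatched values are a common
# hand-editing mistake that leaves the interface unreachable after a restart.

# Convert a dotted quad to a 32-bit integer (printed on stdout).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the value of KEY ($2) from the ifcfg file ($1); tolerates spaces around '='.
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when IPADDR/NETMASK/NETWORK/BROADCAST are consistent, 1 otherwise,
# printing the values the file should contain.
check_ifcfg() {
    ip=$(ip2int "$(ifcfg_get "$1" IPADDR)")
    mask=$(ip2int "$(ifcfg_get "$1" NETMASK)")
    net=$(ip2int "$(ifcfg_get "$1" NETWORK)")
    bcast=$(ip2int "$(ifcfg_get "$1" BROADCAST)")
    want_net=$(( ip & mask ))
    want_bcast=$(( want_net | (~mask & 4294967295) ))
    rc=0
    if [ "$net" -ne "$want_net" ]; then
        echo "NETWORK should be $(int2ip "$want_net")"; rc=1
    fi
    if [ "$bcast" -ne "$want_bcast" ]; then
        echo "BROADCAST should be $(int2ip "$want_bcast")"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the article's ifcfg-eth0, written to a temp file.
sample=$(mktemp)
printf 'DEVICE=eth0\nIPADDR=208.164.186.1\nNETMASK=255.255.255.0\n' > "$sample"
printf 'NETWORK=208.164.186.0\nBROADCAST=208.164.186.255\nONBOOT=yes\n' >> "$sample"
check_ifcfg "$sample" && echo "address fields are consistent"
rm -f "$sample"
```

On a real host, run check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 before restarting the network.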
* /etc/sysconfig/network file

This file specifies network configuration information for the server. An example:

    NETWORKING=yes/no       whether networking is configured
    FORWARD_IPV4=yes/no     whether IP forwarding is turned on
    HOSTNAME=hostname       hostname is the host name
    GATEWAY=gw-ip           gw-ip is the IP address of the network gateway
    GATEWAYDEV=gw-dev       gw-dev is the device name of the gateway interface, e.g. eth0

Note: for compatibility with older software, the "/etc/hostname" file should contain the same name as HOSTNAME=hostname.

* /etc/hosts file

When the machine boots it needs to map some host names to IP addresses before DNS can be queried; these mappings are kept in the /etc/hosts file. In the absence of a domain name server, every network program on the system resolves the IP address for a host name by consulting this file. Here is an example "/etc/hosts" file:

    IP address      hostname            alias
    127.0.0.1       localhost
    208.164.186.1   gate.openarch.com   gate

The first column is the host's IP address, the second is its host name, and any further columns are aliases of the host.

Once the machine's network configuration files are set up, restart networking so the changes take effect, with the following command:

    /etc/rc.d/init.d/network restart

* /etc/inetd.conf file

On a server, the more service ports are open, the harder it is to keep the system secure and stable. A server that provides a particular service should therefore open only the ports that service needs and close everything unrelated to it. For example, a machine acting as a WWW and FTP server should open only ports 80 and 25, and should shut down other unrelated services such as finger and auth to reduce the system's vulnerabilities.
inetd, also called the "super server", is the daemon that handles network requests: depending on the request it invokes the corresponding service process to handle the connection. inetd.conf is inetd's configuration file; it tells inetd which network ports to listen on and which server program to start for each port. On a Linux system in any network environment, the first thing to do is to work out which services the server needs to provide. Services that are not needed should be disabled, or better, uninstalled, so that an attacker has fewer opportunities to attack the system. Look through "/etc/inetd.conf" to find out which services inetd offers. Comment out every unwanted service (add a # at the start of its line) and then send a SIGHUP signal to the inetd process.

Step 1: change the file's permissions to 600.

    [root@deep]# chmod 600 /etc/inetd.conf

Step 2: confirm that the file's owner is root.
    [root@deep]# stat /etc/inetd.conf

Step 3: edit the "inetd.conf" file (vi /etc/inetd.conf) and disable all unwanted services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. If you consider some of these services useful you need not disable them, but with them disabled the system is less likely to be attacked.
The contents of the "inetd.conf" file are as follows:

    # To re-read this file after changes, just do a 'killall -HUP inetd'
    #echo    stream  tcp     nowait  root    internal
    #echo    dgram   udp     wait    root    internal
    #discard stream  tcp     nowait  root    internal
    #discard dgram   udp     wait    root    internal
    #daytime stream  tcp     nowait  root    internal
    #daytime dgram   udp     wait    root    internal
    #chargen stream  tcp     nowait  root    internal
    #chargen dgram   udp     wait    root    internal
    #time    stream  tcp     nowait  root    internal
    #time    dgram   udp     wait    root    internal
    #
    # These are standard services.
    #
    #ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
    #telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
    #
    # Shell, login, exec, comsat and talk are BSD protocols.
    #
    #shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    #login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
    #comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
    #talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
    #ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
    #dtalk   stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
    #pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
    #imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
    #
    # The Internet UUCP service.
    #
    #uucp    stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers."
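To verify the three steps above on a running system, the following script, an added example that is not part of the original article, lists the services still active in an inetd.conf, flags those the article says to disable, and checks the 600/root requirement. The function names are my own; the sample file is constructed from the article's listing.

```shell
#!/bin/sh
# Added example, not from the original article: audit an inetd.conf for the
# services the article says to comment out, and check the file mode and
# owner from steps 1 and 2. Point it at /etc/inetd.conf on a real host;
# here it runs on a constructed sample.

# Services the article recommends disabling on a dedicated server.
RISKY="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Print the service name of every active (uncommented, non-empty) line.
inetd_active() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Print each active service that is on the RISKY list; return 1 if any.
inetd_flag_risky() {
    found=0
    for svc in $(inetd_active "$1"); do
        for bad in $RISKY; do
            if [ "$svc" = "$bad" ]; then
                echo "still enabled, should be disabled: $svc"
                found=1
            fi
        done
    done
    return $found
}

# Return 0 only if the file is mode 600 (-rw-------) and owned by root.
inetd_check_perms() {
    set -- $(ls -ld "$1")
    case "$1" in -rw-------*) [ "$3" = "root" ] ;; *) return 1 ;; esac
}

# Constructed sample: the article's listing with two services left active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#echo    stream  tcp  nowait  root  internal
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
pop-3    stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
EOF
inetd_flag_risky "$sample" || echo "comment out the lines above, then 'killall -HUP inetd'"
inetd_check_perms "$sample" || echo "$sample is not mode 600 owned by root"
rm -f "$sample"
```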