Chapter 6 Network Server Foundation
Author: ideal (Linuxaid registered engineer)
To build a secure Linux server you first need to understand what each network-related configuration file means and how the network services are configured. On a Linux system the TCP/IP network is configured through a handful of text files. You may need to edit these files by hand to complete the networking setup, although they can also be maintained with the linuxconf configuration tool (its network part can be reached directly through the netconf command). The basic TCP/IP network configuration files are introduced below.
Ø /etc/conf.modules file
This file defines the parameters of the kernel modules that are loaded at boot time; here we only care about the network card (NIC) entries. When a Linux machine is used as a gateway it needs two network cards. To avoid problems at boot, the Linux kernel does not automatically probe for a second network card. If the driver is not compiled into the kernel but is loaded dynamically as a module, and more than one card has to be installed, the corresponding configuration must be written into "conf.modules".
If the driver is compiled as a module: for PCI cards the module automatically detects every card of that type installed in the system; for ISA cards you must tell the module where to look for the card, and that information is given in "/etc/conf.modules".
For example, with two ISA bus 3C509 cards, one at I/O address 0x300 and the other at 0x320, edit "conf.modules" as follows:
alias eth0 3c509
alias eth1 3c509
options 3c509 io=0x300,0x320
This says that the 3c509 driver is to be loaded for eth0 and for eth1, and that it is to be loaded with the parameter io=0x300,0x320 so that it knows where to find each card; the "0x" prefix is mandatory.
For PCI cards only the alias lines are needed to associate each ethN with the proper driver module; the I/O address of a PCI card is detected automatically. Note that 3C905 cards are driven by the 3c59x module, so for two such cards the "conf.modules" entries are:
alias eth0 3c59x
alias eth1 3c59x
If the driver is compiled into the kernel: the PCI probe at system start-up finds all PCI network cards automatically. ISA cards can usually be detected automatically as well, but in some cases they still need the following configuration:
Add boot parameters to "/etc/lilo.conf", which LILO passes to the kernel. For ISA cards add the following line to "lilo.conf":
append="ether=0,0,eth0 ether=0,0,eth1"
Note: do not add these boot parameters to "lilo.conf" straight away; test your ISA cards first, and only add the parameters if autodetection fails. Remember to run /sbin/lilo after editing lilo.conf so that the new configuration is actually installed.
When boot parameters are passed this way, eth0 and eth1 are assigned in the order in which the cards are discovered at boot.
Ø /etc/HOSTNAME file
This file contains the host name of the system as a fully qualified domain name, for example:
deep.openarch.com
Ø /etc/sysconfig/network-scripts/ifcfg-ethN file
On Red Hat the configuration of each network device is kept in the "/etc/sysconfig/network-scripts" directory: ifcfg-eth0 holds the configuration of the first NIC, ifcfg-eth1 that of the second, and so on. Below is an example "/etc/sysconfig/network-scripts/ifcfg-eth0" file:
DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
To change a network address by hand, or to add a new network interface, edit the corresponding ifcfg-ethN file or create a new one. The parameters are:
DEVICE=name - the name of the physical device
IPADDR=addr - the IP address assigned to the card
NETMASK=mask - the network mask
NETWORK=addr - the network address
BROADCAST=addr - the broadcast address
ONBOOT=yes/no - whether the card is activated at boot
BOOTPROTO=proto - how the address is obtained:
  none: no boot-time protocol, use the static values above
  bootp: use the BOOTP protocol
  dhcp: use the DHCP protocol
USERCTL=yes/no - whether non-root users may bring the device up and down (on a server this should be no)
Ø /etc/resolv.conf file
This is the configuration file of the resolver (the library that maps host names to IP addresses). An example:
search openarch.com
nameserver 208.164.186.1
nameserver 208.164.186.2
"search domainname.com" means that when a host name is given without a full domain, the suffix domainname.com is appended to it; "nameserver" names a host that is to be queried as a domain name server. The name servers are queried in the order in which they appear in the file.
Ø /etc/host.conf file
This file specifies how host names are resolved. Linux obtains the IP address for a host name through the resolver library. Here is an example "/etc/host.conf":
order bind,hosts
multi on
nospoof on
"order bind,hosts" sets the lookup order: with this setting DNS (bind) is consulted first and the "/etc/hosts" file second; "order hosts,bind" does the opposite and is usually preferable, so that the local file takes precedence. (On current glibc systems the lookup order is actually taken from the hosts: line of /etc/nsswitch.conf; host.conf is still read for the remaining options.)
"multi on" allows a host listed in "/etc/hosts" to have several addresses; a host with more than one IP address is called a multihomed host.
"nospoof on" makes the resolver guard against host-name spoofing: after looking up the address for a name it looks up the name for that address again, and if the two names do not match the lookup fails. This matters for services that grant trust by host name (such as the r-services), where a forged reverse DNS record could otherwise let an attacker's machine pass as a trusted host.
Ø /etc/sysconfig/network file
This file holds the system-wide network settings of the server. An example:
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=deep.openarch.com
GATEWAY=0.0.0.0
GATEWAYDEV=
NETWORKING=yes/no - whether networking is configured at all
FORWARD_IPV4=yes/no - whether IP forwarding between interfaces is turned on; leave this at no unless the machine really is a gateway, since a forwarding host can be used to relay traffic into the networks behind it
HOSTNAME=hostname - the host name of the server
GATEWAY=gw-ip - the IP address of the network gateway
GATEWAYDEV=gw-dev - the device through which the gateway is reached, for example eth0
Caution: "/etc/HOSTNAME" and the HOSTNAME= entry here must contain the same host name.
Ø /etc/hosts file
When the machine boots it needs to map some host names to IP addresses before DNS is available; those mappings are kept in the /etc/hosts file. When no domain name server is available, all network programs on the system resolve host names by looking them up in this file.
Here is an example "/etc/hosts" file:
# IP address      hostname            alias
127.0.0.1         localhost           gate.openarch.com
208.164.186.1     gate.openarch.com   gate
The leftmost column is the IP address, the middle one the host name, and any further columns are aliases of that host. Once the network configuration files have been edited, restart the network so that the changes take effect:
/etc/rc.d/init.d/network restart
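The files above are easy to get subtly wrong (a BROADCAST that does not match the mask, a HOSTNAME that differs between files, forwarding left on by accident). The following is an added example, not code from the original chapter: a small consistency check over Red Hat-style ifcfg-ethN, /etc/sysconfig/network, /etc/HOSTNAME and /etc/hosts contents. The file contents embedded below are constructed for the example (they use the chapter's sample values); on a real host read the files from /etc instead.

```python
import ipaddress

# Constructed file contents for the example (the chapter's sample values);
# on a real host read the files from /etc instead.
IFCFG_ETH0 = """DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
"""
SYSCONFIG_NETWORK = """NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=deep.openarch.com
GATEWAY=0.0.0.0
GATEWAYDEV=
"""
ETC_HOSTNAME = "deep.openarch.com\n"
ETC_HOSTS = """127.0.0.1       localhost
208.164.186.1   deep.openarch.com deep
"""

FORWARDING_FINDING = ("FORWARD_IPV4=yes on a single-homed host: turn forwarding "
                      "off unless this machine is a gateway")


def parse_keyvalue(text):
    """Parse the KEY=VALUE format of ifcfg-ethN and /etc/sysconfig/network.
    Blank lines and '#' comments are skipped, quotes around values removed."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().upper()] = value.strip().strip('"').strip("'")
    return conf


def parse_hosts(text):
    """Return {name: ip} for every host name and alias in an /etc/hosts file."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names[name.lower()] = fields[0]
    return names


def check_ifcfg(conf):
    """Findings for one ifcfg-ethN: for a static address the NETWORK and
    BROADCAST values must agree with IPADDR/NETMASK, and USERCTL must be no."""
    dev = conf.get("DEVICE", "?")
    findings = []
    if conf.get("BOOTPROTO", "none").lower() == "none":
        try:
            iface = ipaddress.ip_interface(f"{conf['IPADDR']}/{conf['NETMASK']}")
        except (KeyError, ValueError) as exc:
            return [f"{dev}: bad or missing static address ({exc})"]
        net = iface.network
        if conf.get("NETWORK") != str(net.network_address):
            findings.append(f"{dev}: NETWORK should be {net.network_address}")
        if conf.get("BROADCAST") != str(net.broadcast_address):
            findings.append(f"{dev}: BROADCAST should be {net.broadcast_address}")
    if conf.get("USERCTL", "no").lower() != "no":
        findings.append(f"{dev}: USERCTL=yes lets non-root users bring the interface up or down")
    return findings


def check_network(net, hostname_file, hosts, ifcfgs):
    """Cross-file findings: host name consistency and forwarding policy."""
    findings = []
    hostname = net.get("HOSTNAME", "").lower()
    if hostname != hostname_file.strip().lower():
        findings.append("HOSTNAME in /etc/sysconfig/network differs from /etc/HOSTNAME")
    if hostname not in hosts:
        findings.append("host name has no /etc/hosts entry, so boot-time resolution depends on DNS")
    if net.get("FORWARD_IPV4", "no").lower() == "yes" and len(ifcfgs) < 2:
        findings.append(FORWARDING_FINDING)
    return findings


def audit():
    """Run all checks over the constructed files and return the findings."""
    eth0 = parse_keyvalue(IFCFG_ETH0)
    net = parse_keyvalue(SYSCONFIG_NETWORK)
    return check_ifcfg(eth0) + check_network(net, ETC_HOSTNAME, parse_hosts(ETC_HOSTS), [eth0])


if __name__ == "__main__":
    for finding in audit():
        print("WARNING:", finding)
```

With the chapter's sample values the only warning is the forwarding one: the sample /etc/sysconfig/network enables FORWARD_IPV4 although only one interface is configured, which is exactly the case where forwarding should be switched off.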
Ø /etc/inetd.conf file
As is well known, the more service ports a server has open, the harder it is to keep the system secure and stable. A server that exists to provide one specific service should therefore open only the ports that service needs, and everything unrelated to it should be closed. For example, a machine acting as a WWW and FTP server should open only ports 80 and 21, while unrelated services such as finger and auth are shut down to reduce the system's attack surface.
inetd, also called the "super server", is the daemon that listens for network requests and starts the corresponding service process to handle each connection. inetd.conf is its configuration file: it tells inetd which ports to listen on and which program to start for each of them. The first thing to do with a Linux system in any networked environment is to work out which services the server needs to provide. Services that are not needed should be disabled, and preferably uninstalled, so that attackers have fewer ways in. Look through "/etc/inetd.conf" to find out which services inetd offers, comment out (prefix the line with "#") every service you do not want, and then send a SIGHUP signal to the inetd process.
Step 1: change the permissions of the file to 600.
[root@deep]# chmod 600 /etc/inetd.conf
Step 2: make sure the owner of the file is root.
[root@deep]# stat /etc/inetd.conf
Step 3: edit the "inetd.conf" file (vi /etc/inetd.conf) and disable every service you do not need, for example ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on. If you consider some of these useful you may leave them enabled, but each one is another way into the system. The inetd built-in services at the top of the file (echo, discard, daytime, chargen, time) should stay disabled as well; the UDP echo and chargen services in particular are classic sources of reflected denial-of-service traffic. After the change the "inetd.conf" file looks like this:
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo    stream  tcp     nowait  root    internal
#echo    dgram   udp     wait    root    internal
#discard stream  tcp     nowait  root    internal
#discard dgram   udp     wait    root    internal
#daytime stream  tcp     nowait  root    internal
#daytime dgram   udp     wait    root    internal
#chargen stream  tcp     nowait  root    internal
#chargen dgram   udp     wait    root    internal
#time    stream  tcp     nowait  root    internal
#time    dgram   udp     wait    root    internal
#
# These are standard services.
#
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat  dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk   stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp    stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps  dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream  tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Authentication
#
#auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#
# End of inetd.conf
Note: after changing the "inetd.conf" file, do not forget to send a SIGHUP signal to the inetd process (killall -HUP inetd) so that it re-reads the file:
[root@deep]# killall -HUP inetd
Step 4: to protect the "inetd.conf" file further, mark it immutable with the chattr command:
[root@deep]# chattr +i /etc/inetd.conf
This prevents any change to "inetd.conf", whether by accident or otherwise. A file with the "i" attribute cannot be modified: it cannot be deleted or renamed, no hard link to it can be created, and no data can be written to it. Only the superuser can set or clear this attribute; lsattr /etc/inetd.conf shows whether it is set. Keep in mind that it protects against mistakes and careless scripts rather than against an attacker who already has root, since root can simply clear the flag again. To change inetd.conf later, first remove the immutable flag:
[root@deep]# chattr -i /etc/inetd.conf
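Reading a long inetd.conf by eye is error-prone, so the following added example (not code from the original chapter) audits an inetd.conf in the format shown above: it lists the services that are still enabled, flags those that are well known to leak information or carry cleartext credentials, and flags any enabled service that is started directly rather than through /usr/sbin/tcpd, because such a service bypasses the hosts.allow/hosts.deny access control described later in this chapter (the auth line in the listing above is one such case). The configuration text embedded below is constructed for the example; use audit_file("/etc/inetd.conf") on a real host.

```python
# Services that should almost never be exposed on a production server:
# cleartext credentials, information disclosure, or classic reflectors.
RISKY = {
    "telnet", "ftp", "shell", "login", "exec", "finger", "cfinger",
    "systat", "netstat", "tftp", "pop-2", "pop-3", "imap",
    "echo", "chargen", "daytime", "discard", "time",
}

# Constructed sample: an inetd.conf in which three lines were left enabled.
SAMPLE_INETD_CONF = """\
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
echo    stream  tcp     nowait  root    internal
#echo    dgram   udp     wait    root    internal
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
"""


def parse_inetd_conf(text):
    """Yield one dict per enabled (uncommented) service line.
    Field order: service socket_type protocol wait/nowait user program [args]."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd itself would log an error for it
        service, socktype, proto, wait, user, program = fields[:6]
        yield {"service": service, "socket": socktype, "proto": proto,
               "wait": wait, "user": user, "program": program, "args": fields[6:]}


def audit_inetd(text):
    """Return (enabled_service_names, findings) for an inetd.conf text."""
    enabled, findings = [], []
    for svc in parse_inetd_conf(text):
        enabled.append(svc["service"])
        if svc["service"] in RISKY:
            findings.append(f"{svc['service']}: risky service still enabled, comment it out")
        # Built-in services have no program; everything else should go through tcpd.
        if svc["program"] != "internal" and not svc["program"].endswith("/tcpd"):
            findings.append(f"{svc['service']}: started directly by {svc['program']}, "
                            "not through tcpd, so hosts.allow/hosts.deny do not apply")
    return enabled, findings


def audit_file(path):
    """Audit a real inetd.conf on disk."""
    with open(path) as fh:
        return audit_inetd(fh.read())


if __name__ == "__main__":
    names, problems = audit_inetd(SAMPLE_INETD_CONF)
    print("enabled:", ", ".join(names) or "(none)")
    for problem in problems:
        print("WARNING:", problem)
```

Run against the constructed sample it reports echo and telnet as risky services that are still enabled and auth as a service that tcpd cannot control; a fully commented-out file, like the listing above, yields no enabled services and no findings.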
Services such as sendmail, named and the web server are different from finger or telnet: they are not started by inetd on demand but run as standalone daemons that are started when the system boots. Red Hat provides the linuxconf tool to choose, in a graphical interface, which of these services run at start-up; the same can be done from the command line with chkconfig, for example to stop named from starting in runlevels 3 and 5:
[root@deep]# chkconfig --level 35 named off
See man chkconfig for the details of the command.
Ø /etc/hosts.allow and /etc/hosts.deny files
Turning off services such as telnet and FTP altogether is inconvenient when the administrator needs to manage the machine remotely. Linux provides a more flexible and effective way to restrict who may use a service, so that trusted users keep access to the services they need while security is preserved: the TCP Wrapper program (tcpd), which is installed by default in most distributions. With TCP Wrapper you can restrict the services listed in inetd.conf, and tcpd logs every connection attempt through syslog (on Red Hat typically in /var/log/secure), so the administrator can see who connected or tried to connect. The last command complements this by showing the login sessions recorded in /var/log/wtmp.
Access control is driven by two files in the /etc directory, hosts.allow and hosts.deny, in which you specify which machines may use which services and which may not.
When a service request reaches the server, TCP Wrapper consults the two files in order and stops at the first match:
1. If /etc/hosts.allow contains an entry matching the requested service and the client host, access is granted.
2. Otherwise, if /etc/hosts.deny contains a matching entry, access is denied.
3. Otherwise access is granted. A configuration file that does not exist is treated as empty, so deleting both files removes all access control. Blank lines are ignored, a line beginning with "#" is a comment, and a line ending in a backslash continues on the next line.
The two files are written in a simple access-control language. The basic form of a rule is:
daemon_list : client_list
The daemon list names one or more server programs, separated by commas or spaces. The program name is the last field of the corresponding line in inetd.conf: in the inetd.conf example above, the telnet entry ends in in.telnetd, and that is the name to use.
The client list gives the host names or IP addresses of one or more hosts that are allowed or denied the service, again separated by commas or spaces. Both lists accept wildcards, which makes it easy to cover several services or several hosts with a single rule.
Linux provides several flexible ways of specifying a host or a list of hosts:
1. A domain name beginning with ".", such as .amms.ac.cn, matches every host in that domain, for example www.amms.ac.cn.
2. An IP string ending in ".", such as 202.37.152., matches every host whose address begins with 202.37.152.
3. The form n.n.n.n/m.m.m.m denotes a network and mask: a host matches if its IP address ANDed with the mask m.m.m.m equals n.n.n.n.
4. ALL matches everything.
5. EXCEPT removes the hosts that follow it: list_1 EXCEPT list_2 matches the hosts in list_1 that are not in list_2.
6. LOCAL matches any host whose name does not contain a ".".
These are only some of the forms the language provides, but they are enough for ordinary use. A few examples make this clearer:
Example 1: we want only machines on the local LAN to use the server's FTP service, and FTP requests from the WAN to be refused; the LAN consists of the three network segments 202.39.154., 202.39.153. and 202.39.152.
In the hosts.deny file we deny every service to every host:
ALL: ALL
In the hosts.allow file we allow only the LAN to use FTP:
in.ftpd: 202.39.154. 202.39.153. 202.39.152.
As a result, FTP requests from outside the LAN are rejected while the LAN can use the FTP service normally. (The daemon list takes the program name only, not its command-line arguments such as -l -a.) In addition, the log files under /var/log should be checked regularly for login events that threaten the security of the system; the last command is an effective way to review login sessions and spot problems.
Finally, tcpdchk is a program that checks the tcp_wrappers configuration and reports any problems or potential problems it can find, and tcpdmatch predicts how the wrappers would handle a given request (for example tcpdmatch in.ftpd 202.39.154.10). After completing the configuration, run tcpdchk:
[root@deep]# tcpdchk
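To make the evaluation order and the client patterns concrete, here is an added example, not code from the original chapter: a small evaluator that applies the hosts.allow/hosts.deny decision procedure and the pattern forms listed above (leading-dot domains, trailing-dot address prefixes, net/mask pairs, ALL, LOCAL and EXCEPT) to a client, the way tcpdmatch would. The rule files are those of Example 1, extended with two further allow rules for telnet and sshd, and the client names and addresses are constructed for the example. It does not replace tcpdchk or tcpdmatch on a real host, which also understand the option fields and the daemon@host forms that this evaluator leaves out.

```python
import ipaddress

# Constructed rule files: hosts.deny and hosts.allow from Example 1, plus two
# allow rules (a management domain and sshd) to exercise the other patterns.
# The host names and addresses are invented for the example.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# LAN may use ftp
in.ftpd: 202.39.154. 202.39.153. \\
         202.39.152.
# management hosts may use telnet, except one
in.telnetd: .mgmt.openarch.com EXCEPT untrusted.mgmt.openarch.com
sshd: 10.0.0.0/255.255.255.0 LOCAL
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)], handling '#' comments and
    backslash-continued lines as hosts_access(5) describes."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip():
            daemons, _, clients = logical.partition(":")
            rules.append((daemons.replace(",", " ").split(),
                          clients.replace(",", " ").split()))
        logical = ""
    return rules


def match_token(token, addr, name):
    """Match one client pattern against a client address and host name."""
    token_l = token.lower()
    if token_l == "all":
        return True
    if token_l == "local":                      # name without a dot
        return "." not in name
    if token.startswith("."):                   # .domain suffix
        return name.lower().endswith(token_l)
    if token.endswith("."):                     # 202.39.154. address prefix
        return addr.startswith(token)
    if "/" in token:                            # n.n.n.n/m.m.m.m
        net, mask = token.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return token_l == name.lower() or token == addr


def match_list(tokens, addr, name):
    """Evaluate a client list, honouring 'list_1 EXCEPT list_2'."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        return (match_list(tokens[:idx], addr, name)
                and not match_list(tokens[idx + 1:], addr, name))
    return any(match_token(t, addr, name) for t in tokens)


def daemon_matches(tokens, daemon):
    """Evaluate a daemon list: ALL or exact program names, with EXCEPT."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        return daemon_matches(tokens[:idx], daemon) and not daemon_matches(tokens[idx + 1:], daemon)
    return any(t.upper() == "ALL" or t == daemon for t in tokens)


def hosts_access(daemon, addr, name, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """The tcpd decision: the first match in hosts.allow grants access, then
    the first match in hosts.deny refuses it, otherwise access is granted.
    An empty text stands for a missing file. Pass addr as name for a client
    without reverse DNS."""
    for rules, verdict in ((parse_rules(allow_text), True), (parse_rules(deny_text), False)):
        for daemons, clients in rules:
            if daemon_matches(daemons, daemon) and match_list(clients, addr, name):
                return verdict
    return True


if __name__ == "__main__":
    for daemon, addr, name in (("in.ftpd", "202.39.154.10", "ws10.lan.example"),
                               ("in.ftpd", "202.39.160.5", "far.example.com"),
                               ("in.telnetd", "10.9.9.2", "untrusted.mgmt.openarch.com")):
        print(daemon, addr, name, "->", "granted" if hosts_access(daemon, addr, name) else "denied")
```

The third case in the usage block shows why the EXCEPT form is worth testing: the untrusted management host matches the .mgmt.openarch.com domain, is then removed by EXCEPT, and so falls through to the ALL: ALL line of hosts.deny.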
Ø /etc/services file
The correspondence between port numbers and standard services is defined in detail in RFC 1700 "Assigned Numbers" (the list is now maintained online by IANA). The "/etc/services" file lets server and client programs translate a service name into its port number; every host carries such a table under the name "/etc/services". Only the "root" user has permission to modify this file, and in general there is no need to change it, since it already contains the port numbers of the commonly used services. To improve security, protect the file against unauthorized deletion or change with the following command:
[root@deep]# chattr +i /etc/services
Ø /etc/securetty file
The "/etc/securetty" file specifies the TTY devices from which the "root" user is allowed to log in. The login program (usually "/bin/login") reads it: root may log in on the TTY devices listed in the file and is refused on any device that is commented out or absent. Note that this only governs programs that consult securetty (login, and through pam_securetty other console logins); whether root may log in over ssh is controlled by the PermitRootLogin setting of sshd instead.
Comment out (prefix the line with "#") every TTY device on which root should not be able to log in.
Edit the securetty file (vi /etc/securetty) and comment out lines as in the following example, which leaves root able to log in on the first virtual console only:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
Ø Disable the Control-Alt-Delete shutdown key combination
Commenting out one line in the "/etc/inittab" file prevents the computer from being rebooted with Control-Alt-Delete. This matters if the server is not kept in a physically secure place.
Edit the inittab file (vi /etc/inittab) and change the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then make init re-read the file so the change takes effect:
[root@deep]# /sbin/init q
Ø Change the permissions of the script files in the "/etc/rc.d/init.d/" directory
The scripts under /etc/rc.d/init.d/ start and stop the system services. Ordinary users have no need to read them, so their permissions should be restricted:
[root@deep]# chmod -R 700 /etc/rc.d/init.d/*
After this only root can read, write and execute the scripts in that directory.
Ø /etc/rc.d/rc.local file
By default the Linux login prompt announces the name and version of the Linux distribution, the kernel version and the host name. That leaks more system information than necessary; it is better to display nothing but the "login:" prompt.
Step 1
Edit the "/etc/rc.d/rc.local" file and put a "#" in front of these lines:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Step 2
Delete the "issue.net" and "issue" files in the "/etc" directory:
[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
Note: the "/etc/issue.net" file holds the login banner shown to users who log in over the network (for example with telnet; sshd shows it only when its Banner option points at the file), and "/etc/issue" in the same directory holds the banner shown at local logins. Both are plain text files and can be changed as needed. If you delete them, however, you must comment out the lines of the "/etc/rc.d/rc.local" script as described above, otherwise the system recreates both files at every reboot.