Part 1 of the series: Start thinking
This article is written for readers who focus on Linux. It assumes the reader manages a Linux-based network, and that this network is connected to the Internet. Where there are omissions or mistakes, corrections and criticism are welcome.
One: Weighing the need for security
Keep in mind that maintaining computer security is never a one-time task; it runs through all of a network administrator's work.
Also consider how much security is really necessary in your situation. A very secure system usually brings a lot of extra overhead, and there is always an economic constraint.
Furthermore, no system is absolutely secure. If the administrator can make the cost of breaking in exceed the value of whatever the intruder would gain, the purpose has been served.
Two: Factors affecting computer security
Many factors affect security. For example: Is your computer connected to the Internet? Is it a workstation or a server? If it is a server, which services are open? In what way do users use those services? ......
Keep in mind the following general guidelines:
1: Keep the server separate and do not let ordinary users near it. Do not open interactive user login services unless absolutely necessary.
2: Assume that users will try to damage the system.
3: Pay attention to encrypting sensitive information, such as user accounts, passwords, credit card numbers, etc.
4: Regularly scan the open ports and the installed software, and compare the results with the previous scan to see whether anything has changed unexpectedly. Some automated tools can do this.
5: Backups (the best means of all ^! ^)
You must realize that users usually do not understand what technology is at work when they use a computer. They only care whether their mail goes out normally and whether their documents print.
And it is often these same people who like to install all sorts of things on their workstations: FTP software, chat programs, even hacker tools!
So, if possible, you should also restrict the use of the workstations on the LAN you manage, because "a fortress is easier to attack from the inside". If this is what causes a problem on the server, you will have plenty to be annoyed about.
Further, the requirements listed below are worth meeting if you can.
1: Set a BIOS password on every workstation, and tell it only to a few people.
2: Restrict the computers so that they can only boot from a specific hard drive.
3: Set a password on LILO (the Linux boot loader).
4: Use a firewall.
5: Do not log in directly as "root".
6: Give users only the minimum permissions needed to do their work.
......
Software under Linux develops very fast, and new versions appear constantly. But be careful: although newer software is usually better and many bugs have been fixed, you should still check the news online frequently to see whether a vulnerability patch has been released.
If no new vulnerability has been found, your system is running normally and nothing is bothering you, yet you still insist on trying the freshest version, I would suspect you have a problem. ^! ^ Don't do anything pointless.
When upgrading software, test it first.
Three: Installation and boot security
1: Choose an appropriate installation scheme.
An appropriate installation is the first step toward a stable and secure system.
There are many Linux distributions on the market, and with the development of technology Linux keeps getting better. But this does not mean you can choose freely; you need to consider carefully.
Many Linux vendors have released distributions for different purposes, such as the TurboLinux server edition, the XteamLinux server edition, Red Hat Linux for Oracle, and so on. As you might imagine, these editions receive more testing than ordinary desktop editions and are more trustworthy for their specific purposes. Also, many features are similar or identical across systems. Consider your own needs and choose the right product. Sometimes you can also go online to "learn": ask experienced friends which versions are suitable, or which package is the most reliable. Of course, there is plenty of software to choose from.
2: System physical protection and boot security
1: Imagine that although you have done everything well, the software runs smoothly and everything is normal, some guy walks up to the machine and presses the power button... or, if you are unlucky, boots the machine from a floppy disk...
Precautions:
Keep these people away from the machine, or lock the machine up. If conditions allow, give the machine its own small room with two keys: one for the "boss", one for you.
2: The BIOS settings are also very important, especially if you cannot protect the machine physically. Be aware that many old BIOS versions have backdoors with a universal password; pay attention to upgrades.
Set the BIOS to boot from C: or the first hard drive. Disable the devices that are not needed, such as the floppy drive, serial ports, parallel ports, etc.
Set a proper BIOS password; there is no need to say more about that here.
3: LILO is the most typical Linux boot loader: powerful and very flexible. But technology is often double-edged, and there are many potential security problems here, because you can pass parameters to the kernel. The most typical one is: single
With this parameter you go directly into single-user mode as root, and everything in the system is yours to play with.
Use the existing features to reduce these hazards.
There are many parameters that can be set in the /etc/lilo.conf file, such as:
delay=X
Tells LILO to wait X/10 seconds at boot to accept user input. C2-level security certification requires this to be 0; you can imagine that every dual-boot machine violates that requirement. If your machine does not need dual boot or boot parameters, set delay to 0.
prompt
Forces the user to provide input before the system starts, so automatic booting is avoided. However, if a timeout parameter is present, the default system still boots once the time specified by timeout has elapsed.
restricted
Requires the user to enter the password when parameters are passed to the boot loader, even if it is just "linux single". If you do not need remote restarts, requiring the password at every boot is the better choice.
password=xxxxxxxxxxxx
This parameter is used together with restricted; the value after the equals sign is the password. Note that access to lilo.conf must be controlled so that its contents cannot be read; otherwise everything is in vain.
Below is an example of lilo.conf:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=100
# you have 10 seconds to type input
default=linux
image=/boot/vmlinuz-2.2.5
    label=linux
    root=/dev/hda1
    read-only
    restricted
    password=s0m3_passw0rd_h3r3
Set the BIOS to boot from C:, protect lilo.conf and your password, and your boot security should now be in good shape.
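The following checker is an added example, not part of the original article: it parses a lilo.conf and reports the boot-time weaknesses discussed above (a non-zero delay, a prompt that can never time out, a boot entry without password=, and a config file readable by others). The two configuration texts and the permission mode passed in are constructed sample data.

```python
import stat
from typing import Dict, List


def parse_lilo_conf(text: str) -> Dict[str, object]:
    """Split lilo.conf into global options and one dict per image=/other= section.
    Options written without '=' (prompt, restricted, read-only) are stored as True."""
    global_opts: Dict[str, object] = {}
    images: List[Dict[str, object]] = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("image", "other"):             # a new boot entry starts here
            current = {key: value}
            images.append(current)
            continue
        current[key] = value if sep else True
    return {"global": global_opts, "images": images}


def audit_lilo(text: str, file_mode: int) -> List[str]:
    """Report the weaknesses the article describes. file_mode holds the permission
    bits of lilo.conf (e.g. 0o600); it is passed in so the check runs without a real file."""
    conf = parse_lilo_conf(text)
    g = conf["global"]
    findings: List[str] = []
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("lilo.conf is readable by group or others: any password= value is exposed")
    if "delay" in g and int(g["delay"]) != 0:
        findings.append(f"delay={g['delay']}: LILO waits for input; use delay=0 unless boot parameters are needed")
    if "prompt" in g and "timeout" not in g:
        findings.append("prompt without timeout: the machine never boots unattended (remote reboots will hang)")
    for entry in conf["images"]:
        label = entry.get("label") or entry.get("image") or entry.get("other")
        has_password = "password" in entry or "password" in g
        is_restricted = "restricted" in entry or "restricted" in g
        if not has_password:
            findings.append(f"{label}: no password=, parameters such as 'single' can be typed at the console")
        elif not is_restricted:
            findings.append(f"{label}: password is asked at every boot (fine unless unattended reboots are needed)")
    return findings


# Constructed sample 1: the hardened configuration shown in the article.
LILO_HARDENED = """\
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=100
default=linux
image=/boot/vmlinuz-2.2.5
    label=linux
    root=/dev/hda1
    read-only
    restricted
    password=s0m3_passw0rd_h3r3
"""

# Constructed sample 2: a typical unprotected dual-boot setup.
LILO_WEAK = """\
boot=/dev/hda
delay=50
prompt
default=linux
image=/boot/vmlinuz-2.2.5
    label=linux
    root=/dev/hda1
    read-only
other=/dev/hda2
    label=dos
"""

if __name__ == "__main__":
    for finding in audit_lilo(LILO_WEAK, 0o644):
        print(finding)
```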
Part 2 of the series: User authentication
One: The password problem
A network usually has a number of users, and these users usually have to provide a password when they use services. The system has a passwd utility that can be used to change passwords.
Unix-like operating systems have many established practices. For example, usernames and passwords are stored in the /etc/passwd file. Linux, a clone and rewrite of Unix, is naturally no exception. Besides this, the file also stores other important information, such as the UID, GID and more. The information in this file is essential for normal operation: user authentication, granting of permissions, etc.
The question is, how can the file stay readable and still be secure? You cannot let users learn each other's passwords.
This problem was considered long ago.
The /etc/passwd file stores the encrypted password string. When you change your password, the program encrypts the characters with some algorithm (a hash) and stores the result. So even if people see it, they still have no idea what the password is. When you log in, the system encrypts what you typed and compares it with the stored string; if they match, you pass.
The hash algorithm is irreversible. That is, you cannot derive the plaintext password from the encrypted string; this is impossible.
However, a cracker can first obtain the password file and then "guess" the password by dictionary and brute force: a program encrypts candidate strings and compares them with the ciphertext in the file, and if one matches, the password has been found. Computer technology advances by leaps and bounds and computing power grows rapidly, so a weak password has a large chance of being cracked. (According to tests, 25% of passwords can be cracked in less than an hour, and 4% of users choose a family member's name or a variant of it as their password.)
What is a good password? I believe many friends already know: a mix of upper- and lower-case letters, digits and special characters, of sufficient length. A password such as S0M3_PASSW0RD_H3R3 would take an unbearable amount of time to crack under current conditions, while a password like "study" will only make attackers laugh out loud. This shows how important password choice is.
When you use the passwd program to change your password and the new password is not secure enough, the system warns you that the password is bad. In that case it is best to pick another one.
Absolutely avoid using the username or variations of it; some cracking programs test transformations of the username. Unfortunately quite a few users like doing exactly this ------ how convenient!
But this security is still not enough. Is there a better way?
Yes: use a better encryption algorithm, such as MD5 (selectable in some Linux distributions), or store your passwords somewhere else.
Two: About PAM
The Linux solution, corresponding to the second approach, is called shadow passwords. The password string in the /etc/passwd file is replaced with 'x', and group passwords are handled the same way. When the password file is used, the system looks up the shadow file to complete the corresponding operation. And only the root user can access the shadow file.
This method is simple and reliable. However, the problem is not over: many programs need to authenticate users at run time, and every one of them must be modified and recompiled to support this technique. New, safer, more reliable and more economical authentication technologies keep emerging, and to use them you would again have to modify a lot of programs. That is a nightmare.
To achieve a more economical and reasonable result, another important partner makes its debut: PAM, "Pluggable Authentication Modules". It introduces a middleware layer between the program that requires authentication and the actual authentication mechanism. Once a program is built on PAM, any authentication method that PAM supports can be used by that program!! There is no need to recompile all programs. As soon as PAM gains a new technology, such as digital signatures, PAM-based programs can use it right away.
This kind of flexibility is indispensable.
Further, difficult work such as managing users and session data can also be handed over to PAM. For example, you can very easily forbid certain users from logging in during a specific time period, or require a special authentication method when they log in.
You can even bind Linux workstations into a Microsoft NT-based network, so that your Linux workstation authenticates against the NT domain, without buying additional software.
It seems PAM really is beneficial!
The famous Red Hat Linux is by default a PAM-based release; its popularity is not unrelated to this technique.
If your Linux distribution is not PAM-based, you will have to do more work, such as installing the PAM suite and compiling the corresponding programs.
The following list shows which common releases support PAM:
Red Hat 5.0, 5.1, 5.2, 6.x    complete
Debian 2.1                    yes
Caldera 1.3, 2.2              complete
TurboLinux 3.6                complete
SuSE 6.2                      yes
Here are some URLs about PAM:
Pam Cryptocard Module
http://www.jdimedia.nl/igmar/pam/
PAM Smart Card Module
http://www.linuxnet.com/applications/applications.html
Pam Module for SMB
http://rpmfind.net/linux/rpm/pam_smb.html
http://www.csn.ul.ie/~airlied/pam_smb/
Those interested can go and have a look.
Three: A small problem
Many people may not care about this problem: how do you remember your passwords? Of course the best way is to keep them in your head. But can you manage dozens of sites that way? Good passwords are generally 8 characters or more with several character types mixed together, which of course makes them particularly hard to remember. What to do? Some people come up with a "good idea": use the same password for every site!!
Alternatively, you can write your passwords down, but what if someone else finds them? A better way is to write them down in an encoded form and remember only the corresponding rule. Or store them on the computer with encryption software, so that your brain only has to remember one unlocking password.
Part 3 of the series: Security of files and the file system
One: Summary
"Before building a house, lay a good foundation." For Linux this "foundation" is the ext2 (Extended, version 2) file system.
The ext2 file system is excellent; it supports file permission control (read, write, execute, etc.) and ownership control.
But so far it still lacks a good journaling system, which matters for applications. However, it is said that the next-generation ext3 file system will make up for this very well, and "Access Control Lists" will replace the existing file permission mechanism, making settings more flexible and convenient.
The ext2 file system also has excellent software RAID capabilities, supporting levels 0 to 5. These techniques can greatly increase the stability of the system.
Two: Dividing the file system
In fact this should be done when installing Linux, when partitioning the hard disk.
Under Linux, our commonly used file operations are ls, ln, cp, chown, chmod, find, fdisk, ..., etc. How do you ensure they are not used illegally, or prohibit unauthorized operations?
For example, many programs place their temporary files in /tmp. An attacker creates a hard link there pointing to /etc/passwd; when your program runs, it does not check what is inside, and as a result, heh, that file is destroyed. Your system is very likely to go down.
How to prevent this? Problems of this kind can be avoided simply by putting directories such as /tmp and /home into their own partitions, since a hard link cannot cross from one file system into another.
Simply put, when you install Linux you need to divide the file system correctly. Many Linux enthusiasts installing on their own PC generally create only two partitions: native and swap. Apart from the swap partition, everything is under "/". Of course this is the simplest. If you are just playing around, it is no big deal.
However, if you apply this in a business environment you take on a lot of risk; having only one "/" is really bad. Preferably, /usr, /var, /, /boot and other important directories are each given their own partition. Some partition sizes are constrained by the system, for example the /boot partition is at most 16MB; others are rules of thumb, for example the swap partition can be set less than or equal to the amount of memory. Make /usr as large as possible, because there is a lot of software to install. The capacity of the other partitions depends on the specific situation. Here is an example:
/boot    sda1      5M    5M  Linux native
/usr     sda5   1000M 1000M  Linux native
/home    sda6    500M  500M  Linux native
/chroot  sda7    400M  400M  Linux native
/cache   sda8    400M  400M  Linux native
/var     sda9    200M  200M  Linux native
         sda10   150M  150M  Linux swap
/tmp     sda11   100M  100M  Linux native
/        sda12   316M  315M  Linux native
Drive  Geom [C/H/S]   Total (M)  Free (M)  Used (M)  Used (%)
sda    [3079/64/32]   3079M      1M        3078M     99%
Three: Secure deletion of files
Many people overlook one thing: when a file is deleted, its content is not actually erased. Even if you overwrite the file or reinstall the system, special techniques can still discover traces of it. Really, things you would not imagine: recovery programs have been reported to restore information from the torn fragments of floppy disks, and the old DOS Norton tool diskedit is also very powerful.
This is a hidden danger for important, sensitive documents.
But don't forget, everything stored in a computer is composed of 0s and 1s. If, when deleting a file, you use a special tool to destroy its content by overwriting all of it with 0s or 1s, how could it still be read back?
From the following addresses you can download suitable software tools that specialize in exactly this:
http://gsu.linux.org.tr/wipe/.
http://users.erols.com/thomassr/ze/download/wipe/.
However, be careful before you use these tools to erase a file. Otherwise, heh, there is no getting it back.
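As an added example (not code from the article or from the wipe tools linked above), here is the overwrite-then-unlink idea in Python: each pass is forced to disk with fsync before the next starts, and the demo runs it on a throwaway file filled with constructed data.

```python
import os
import secrets
import tempfile
from typing import Tuple

CHUNK = 64 * 1024


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite the file's contents in place (all 0s, then all 1s, then random
    bytes for any further pass), force each pass to disk, and finally unlink it.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                length = min(remaining, CHUNK)
                if n == 0:
                    block = b"\x00" * length
                elif n == 1:
                    block = b"\xff" * length
                else:
                    block = secrets.token_bytes(length)
                fh.write(block)
                remaining -= length
            fh.flush()
            os.fsync(fh.fileno())   # do not let this pass merge with the next one in the cache
    os.unlink(path)
    return size


# Constructed test data standing in for a sensitive document.
SAMPLE_SECRET = b"constructed secret: 4111 1111 1111 1111\n" * 64


def wipe_demo() -> Tuple[int, bool]:
    """Write the constructed secret to a temporary file, wipe it, and report
    (bytes overwritten, whether the file still exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_SECRET)
        wiped = wipe_file(path)
        return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(wipe_demo())
```

Overwriting in place only helps on file systems that rewrite blocks in place, such as the ext2 discussed above; journaling, copy-on-write and flash wear-levelling can leave older copies elsewhere on the medium.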
Four: Important system files
1: /etc/passwd
This is one of the most important files in a Linux system. It holds important information about users and must be world-readable; otherwise even basic commands such as ls may not work.
The format of the file is as follows:
username:encrypted_password:uid:gid:gecos_field:home_directory:login_shell
E.g.:
root:x:0:0:root:/root:/bin/bash
As mentioned earlier, the password following the username is stored encrypted or is shadow-processed (the displayed password becomes 'x'). After it come the user ID, the group ID, the user's personal information field, the default home directory, the shell program used, and so on.
Note that ordinary registered users have UIDs of 500 or more, while root is 0. If an ordinary user's ID is changed to 0, that user has power equivalent to root.
2: /etc/shadow
The actual passwords are stored here. Besides the username and password there is information about the user account, such as the expiry time.
E.g.:
root:$1$6UVICNVH$WTR0ZPMEK41KMZD0Z1DDV1:11194:0:99999:7:-1:-1:134622596
This file must be protected extremely strictly, and only the root user may read it. Otherwise the consequences can be imagined. (If you don't believe it, look at a Linux system: by default the permissions are set so that only root can read it.)
3: /etc/group
Contains information about user groups. You can give different groups different permissions according to the nature of their work or other specific needs, which makes the system easier to manage. NetWare and NT have this concept too.
The content of this file is in a format similar to the following:
groupname:encrypted_password:GID:member1,member2,member3
(group name, password, ID, member 1, member 2 ...)
Here the password and the members can be empty.
4: /etc/gshadow
Similar to the /etc/shadow file.
5: /etc/login.defs
Many default values and attributes are defined in this file, for example those used by useradd. Different Linux versions may differ, but the file is well commented. Modifying the corresponding attributes lets you adapt it to your own environment.
6: /etc/shells
This file lists the shell programs (command interpreters) available to users. Note that if a user's shell is not listed here, the user may not be able to log in normally.
7: /etc/securetty
Specifies which TTYs the root user may log in from, generally tty1 to tty6. It is recommended to keep tty1.
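The audit below is an added example, not code from the article: it parses constructed /etc/passwd, /etc/shadow and /etc/shells contents in the formats described above and reports the problems this section warns about (a second UID 0 account, a hash left in world-readable /etc/passwd, empty password fields, and an ordinary user whose shell is missing from /etc/shells). The hashes in the sample data are placeholders, not real digests.

```python
from typing import Dict, List, NamedTuple, Set


class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse username:encrypted_password:uid:gid:gecos:home:shell lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Return {username: password field}; /etc/shadow has nine colon-separated fields."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {raw!r}")
        result[fields[0]] = fields[1]
    return result


def parse_shells(text: str) -> Set[str]:
    """Valid login shells, one per line, as in /etc/shells."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def audit_accounts(passwd_text: str, shadow_text: str, shells_text: str,
                   first_user_uid: int = 500) -> List[str]:
    """Flag root-equivalent accounts, unshadowed or empty passwords, and ordinary
    users (UID >= first_user_uid, the article's range) whose shell is not in /etc/shells."""
    shadow = parse_shadow(shadow_text)
    shells = parse_shells(shells_text)
    findings: List[str] = []
    for e in parse_passwd(passwd_text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 but not root (root-equivalent account)")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field, no password needed to log in")
        elif e.passwd != "x":
            findings.append(f"{e.name}: password hash kept in world-readable /etc/passwd, not shadowed")
        elif e.name not in shadow:
            findings.append(f"{e.name}: marked 'x' but has no /etc/shadow entry")
        elif shadow[e.name] == "":
            findings.append(f"{e.name}: empty password in /etc/shadow")
        if e.uid >= first_user_uid and e.shell not in shells:
            findings.append(f"{e.name}: login shell {e.shell} is not listed in /etc/shells")
    return findings


# Constructed sample data; the $1$... values are placeholders, not real hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
toor:x:0:0:second root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:$1$constructed$notarealhashvalue0000:501:501:Bob:/home/bob:/bin/bash
carol::502:502:Carol:/home/carol:/bin/bash
dave:x:503:503:Dave:/home/dave:/usr/local/bin/fish
"""
SHADOW_SAMPLE = """\
root:$1$constructed$notarealhashvalue0001:11194:0:99999:7:::
bin:*:11194:0:99999:7:::
toor:$1$constructed$notarealhashvalue0002:11194:0:99999:7:::
alice:$1$constructed$notarealhashvalue0003:11194:0:99999:7:::
dave::11194:0:99999:7:::
"""
SHELLS_SAMPLE = """\
/bin/bash
/bin/sh
/bin/tcsh
"""

if __name__ == "__main__":
    for finding in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE, SHELLS_SAMPLE):
        print(finding)
```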
Part 4 of the series: Network security overview
Linux's network capabilities need no introduction; just look at Linux's annual growth rate in the server market.
Powerful network performance is an important factor in, and a guarantee of, the rise of Linux. The range covered by network security is quite wide.
1: PPP connection security
PPP uses a modem to carry TCP/IP and other protocols over the serial port. Most people connect to the Internet using PPP.
PPP itself has no security features. Your username and password are usually sent to the server in the clear. Moreover, a matching account is usually needed on the server.
This brings hidden dangers to the system. If you are unlucky, someone will use a "sniffer" to intercept them.
Using the PAP (Password Authentication Protocol), user information can be encoded; although it is still transmitted in the clear, the transmitted username is not the same as the actual username, so security is higher.
Another method is the CHAP (Challenge Handshake Authentication Protocol). It uses a public-key exchange mechanism to encrypt user information during authentication; this approach is the best. But because Microsoft uses DES encryption in its software while Linux uses MD5, problems may appear when a Linux terminal logs in to a server running Microsoft software. You need to check for a kernel patch.
Two: TCP/IP security
When TCP/IP was created, security issues received little attention; it should be said that there was no such need at the time. There were very few hosts, and the users knew each other. So although TCP/IP runs very stably and reliably, it has basically no security guarantees such as authentication. On today's networks, hacker tools can therefore easily probe, intercept packets, spoof, and so on. The most common attack mode now is "denial of service", that is, using some means to make a service unusable. This approach is easy to carry out and difficult to prevent. These facts are not unrelated to the security weaknesses of TCP/IP itself. Sina's mail server is alleged to have been attacked in this way.
Authentication based on host names is unreliable. "DNS poisoning" easily poisons the DNS cache, scrambling the correspondence between host names and IP addresses. The current mechanisms cannot know where a datagram was really sent from or who receives it. IPv6 and VPNs have adopted some techniques to improve security; for example, IPv6 integrates IPsec. With these technologies an attacker will not have it as easy as today. Linux supports IPv6 very well.
You should strictly restrict the use of reserved IP addresses on the LAN. Attackers often use these addresses (as the source of the datagrams they send), for example 127.*, 10.*, etc. If you use address translation but have not configured the firewall well, you may be attacked, or used by an attacker.
VPN technology is recommended.
Three: Common configuration files
1: /etc/inetd.conf
This file lists which services are available. For example:
......
#
# These are standard services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#imap   stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp   stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Authentication
#
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#
# End of inetd.conf
linuxconf stream tcp    wait    root    /bin/linuxconf  linuxconf --http
#swat   stream  tcp     nowait.400 root /usr/sbin/swat  swat
The content above has not been modified.
Use '#' to comment out the services that are not needed. After modifying the file, run 'killall -HUP inetd' for the changes to take effect.
2: /etc/services
This file lists port numbers, protocols and the corresponding service names.
The format is: service-name port/protocol aliases # optional comment
E.g.:
tcpmux     1/tcp                 # TCP port service multiplexer
echo       7/tcp
echo       7/udp
discard    9/tcp    sink null
discard    9/udp    sink null
systat    11/tcp    users
daytime   13/tcp
daytime   13/udp
netstat   15/tcp
qotd      17/tcp    quote
msp       18/tcp                 # message send protocol
msp       18/udp                 # message send protocol
The command 'netstat -a' uses this file to translate port numbers into service names; 'netstat -an' does not, and shows the numbers instead.
3: TCP wrappers
TCP wrappers are controlled by the following two files:
/etc/hosts.allow
/etc/hosts.deny
They let you easily control which IP addresses are forbidden to connect and which are allowed, and by adding per-service restrictions you can manage the system better. When a connection arrives, the first file is checked, scanning from top to bottom; if a record matching the client is found, the client is connected to the service. If no record is found, hosts.deny is scanned in the same way to check whether the client is forbidden; if a record is found, the service is not provided. If still no record is found, the system default applies: the service is open.
If you add this line to hosts.deny:
ALL: 0.0.0.0/0.0.0.0
it means that clients not explicitly listed in the hosts.allow file cannot use the requested services. That is, the system default has been changed.
For example, if you want to limit telnet logins and open FTP, you can modify hosts.allow and hosts.deny like this:
Please note that these configurations have a great impact on SSH, NFS, etc., and must be handled with care.
hosts.allow file content:
in.telnetd: 10.0.0.0/255.255.255.0   # telnet login is only allowed from here
in.ftpd: 0.0.0.0/0.0.0.0             # FTP is open to everyone, from anywhere
hosts.deny file content:
in.telnetd: 0.0.0.0/0.0.0.0          # telnet logins not from the address range above are refused!
Further, you can use the following configuration:
ALL: 0.0.0.0/0.0.0.0                 # refuse all requests not explicitly allowed
However, if you have installed new software for your users and simply forgot to put its entry in the allow file, your users will come rushing at you. Still, what matters more is keeping the system safe and reliable; users are easy to appease.
Use 'man hosts.allow' or 'man hosts.deny' to view the detailed instructions.
There is also a small gotcha. Note that when the system interprets these files it strips every trailing '\' (because it marks a line continuation) and joins the following line onto the current one, as follows:
# This is where the small problem is!
# in.ftpd: 1.1.1.1 \
in.telnetd: 1.1.1.1
In fact the line in.telnetd: 1.1.1.1 is also commented out.
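As an added example (a study model, not the tcpd implementation or code from the article), the evaluator below applies the lookup order described above to a (daemon, client IP) pair, understands the patterns the article uses (ALL, a single address, net/mask) and reproduces the trailing-backslash gotcha, since continuation lines are joined before comment lines are discarded. The hosts.allow and hosts.deny texts are constructed from the article's policy; stripping trailing '# ...' comments on rule lines is a convenience of this model.

```python
import ipaddress
import re
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]   # (daemon_list, client_list)


def _join_continuations(text: str) -> List[str]:
    """A line ending in a backslash is joined with the next one BEFORE comment
    handling, which is why a commented-out rule with a trailing backslash
    swallows the rule on the line below it."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; lines starting with '#' are comments."""
    rules: List[Rule] = []
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, _, clients = line.partition(":")
        clients = clients.split("#", 1)[0]          # drop a trailing comment (model convenience)
        rules.append((re.split(r"[,\s]+", daemons.strip()),
                      re.split(r"[,\s]+", clients.strip())))
    return rules


def _client_matches(pattern: str, ip: str) -> bool:
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask form, e.g. 10.0.0.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                # leading-octets form, e.g. 10.0.0.
        return ip.startswith(pattern)
    return pattern == ip                     # a single host address


def _rule_matches(rule: Rule, daemon: str, ip: str) -> bool:
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(_client_matches(c, ip) for c in clients))


def access(daemon: str, ip: str, allow_text: str, deny_text: str) -> str:
    """hosts.allow is consulted first, then hosts.deny; if nothing matches,
    the built-in default grants access."""
    if any(_rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(_rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"


# Constructed sample files reproducing the article's telnet/ftp policy.
HOSTS_ALLOW = """\
in.telnetd: 10.0.0.0/255.255.255.0   # telnet login only from this subnet
in.ftpd: 0.0.0.0/0.0.0.0             # ftp open to everyone, from anywhere
"""
HOSTS_DENY = "ALL: 0.0.0.0/0.0.0.0    # refuse everything not explicitly allowed\n"

# Constructed sample showing the continuation gotcha from the article.
HOSTS_ALLOW_GOTCHA = """\
# This is where the small problem is!
# in.ftpd: 1.1.1.1 \\
in.telnetd: 1.1.1.1
"""

if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "10.0.0.5"), ("in.telnetd", "192.168.1.1"),
                       ("in.ftpd", "192.168.1.1"), ("in.sshd", "10.0.0.5")]:
        print(daemon, ip, access(daemon, ip, HOSTS_ALLOW, HOSTS_DENY))
    print("rules parsed from the gotcha file:", parse_rules(HOSTS_ALLOW_GOTCHA))
```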
4: Monitoring the system
If you don't even know which services are running, how can you ensure their security?
There are two very useful tools: ps and netstat. Running them tells you what the system has and what is running.
Use 'ps -xau' to output a large amount of information about what the system is running.
E.g.:
USER      PID %CPU %MEM  SIZE   RSS TTY STAT START   TIME COMMAND
bin       320  0.0  0.6   760   380  ?  S   Feb 12  0:00 portmap
daemon    377  0.0  0.6   784   404  ?  S   Feb 12  0:00 /usr/sbin/atd
named    2865  0.0  2.1  2120  1368  ?  S   01:14   0:01 /usr/sbin/named -u named -g named -t /home/named
nobody    346  0.0 18.6 12728 11796  ?  S   Feb 12  3:12 squid
nobody    379  0.0  0.8  1012   544  ?  S   Feb 12  0:00 (dnsserver)
nobody    380  0.0  0.8  1012   540  ?  S   Feb 12  0:00 (dnsserver)
nobody    383  0.0  0.6   916   416  ?  S   Feb 12  0:00 (dnsserver)
nobody    385  0.0  0.8  1192   568  ?  S   Feb 12  0:00 /usr/bin/ftpget -s 1030
nobody    392  0.0  0.3   716   240  ?  S   Feb 12  0:00 (unlinkd)
nobody   1553  0.0  1.8  1932  1200  ?  S   Feb 14  0:00 httpd
nobody   1703  0.0  1.8  1932  1200  ?  S   Feb 14  0:00 httpd
root        1  0.0  0.6   776   404  ?  S   Feb 12  0:04 init [3]
root        2  0.0  0.0     0     0  ?  SW  Feb 12  0:00 (kflushd)
root        3  0.0  0.0     0     0  ?  SW  Feb 12  0:00 (kswapd)
root        4  0.0  0.0     0     0  ?  SW  Feb 12  0:00 (md_thread)
root       64  0.0  0.5   736   348  ?  S   Feb 12  0:00 kerneld
root      357  0.0  0.6   800   432  ?  S   Feb 12  0:05 syslogd
root      366  0.0  1.0  1056   684  ?  S   Feb 12  0:01 klogd
root      393  0.0  0.7   852   472  ?  S   Feb 12  0:00 crond
root      427  0.0  0.9  1272   592  ?  S   Feb 12  0:19 /usr/sbin/sshd
root      438  0.0  1.0  1184   672  ?  S   Feb 12  0:00 rpc.mountd
root      447  0.0  1.0  1180   644  ?  S   Feb 12  0:00 rpc.nfsd
root      458  0.0  1.0  1072   680  ?  S   Feb 12  0:00 /usr/sbin/dhcpd
root      489  0.0  1.7  1884  1096  ?  S   Feb 12  0:00 httpd
root      503  0.0  0.4   724   296  2  S   Feb 12  0:00 /sbin/mingetty tty2
root      505  0.0  0.3   720   228  ?  S   Feb 12  0:02 update (bdflush)
root      541  0.0  0.4   724   296  1  S   Feb 12  0:00 /sbin/mingetty tty1
root     1372  0.0  0.6   772   396  ?  S   Feb 13  0:00 inetd
root     1473  0.0  1.5  1492  1000  ?  S   Feb 13  0:00 sendmail: accepting connections on port 25
root     2862  0.0  0.0   188    44  ?  S   01:14   0:00 /usr/sbin/holelogd.named /home/named/dev/log
root     3090  0.0  1.9  1864  1232  ?  S   12:16   0:02 /usr/sbin/sshd
root     3103  0.0  1.1  1448   728 p1  S   12:16   0:00 su -
root     3104  0.0  1.3  1268   864 p1  S   12:16   0:00 -bash
root     3136  0.0  1.9  1836  1212  ?  S   12:21   0:04 /usr/sbin/sshd
Note that telnet, ftpd and similar services are not listed above, because they are started on demand by inetd according to /etc/inetd.conf. You can use the command 'netstat -vat' to view the corresponding information; it lists everything related to the network.
E.g.:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 24.108.11.200:80       205.253.183.122:3661   ESTABLISHED
tcp        0      0 0.0.0.0:1036           0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:80             0.0.0.0:*              LISTEN
tcp        0      0 10.0.0.10:53           0.0.0.0:*              LISTEN
tcp        0      0 28.208.55.254:53       0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:53           0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:139            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:25             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:2049           0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:635            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:21             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN
udp        0      0 127.0.0.1:1031         0.0.0.0:*
udp        0      0 0.0.0.0:1029           0.0.0.0:*
udp        0      0 0.0.0.0:800            0.0.0.0:*
udp        0      0 0.0.0.0:1028           0.0.0.0:*
udp        0      0 10.0.0.10:53           0.0.0.0:*
udp        0      0 28.208.55.254:53       0.0.0.0:*
udp        0      0 127.0.0.1:53           0.0.0.0:*
udp        0      0 10.1.0.1:138           0.0.0.0:*
udp        0      0 10.1.0.1:137           0.0.0.0:*
udp        0      0 10.0.0.10:138          0.0.0.0:*
udp        0      0 10.0.0.10:137          0.0.0.0:*
udp        0      0 0.0.0.0:138            0.0.0.0:*
udp        0      0 0.0.0.0:137            0.0.0.0:*
udp        0      0 0.0.0.0:2049           0.0.0.0:*
udp        0      0 0.0.0.0:635            0.0.0.0:*
udp        0      0 0.0.0.0:514            0.0.0.0:*
udp        0      0 0.0.0.0:111            0.0.0.0:*
raw        0      0 0.0.0.0:1              0.0.0.0:*
raw        0      0 0.0.0.0:6              0.0.0.0:*
The line marked 'ESTABLISHED' shows a user currently in a session with the host; you can see the port number and the corresponding IP address. Services such as Samba (139), mail (25) and NFS (2049) are listening and waiting for connections.
Part 5 of the series: Using a firewall
One: Overview
A firewall usually sits at the boundary to other networks. It uses specific packet-filtering methods to isolate the internal network from the external one, to limit various services, and to block attacks. But it cannot be the last line of your security work: a malicious attacker who gets past your firewall must still face further security measures. Also beware of problems inside the network, for example users who do not go through the firewall but bypass it to connect to the Internet directly; network security is threatened that way.
Linux has good firewall capabilities. Starting with kernel version 2.1, ipchains replaced the earlier ipfwadm as a mature component. It is said that the 2.4 kernel will bring better replacement software, with independent performance and better filtering characteristics.
The two most common ways to use a firewall are:
A: Allow all services unless they are explicitly denied.
B: Deny all services unless they are explicitly allowed.
Generally the second approach is better, because it stops newly developed protocols and applications from breaking through the firewall: every unknown protocol is denied. It also protects you from the consequences of your own negligence. For example, suppose the WWW server running behind the firewall also provides FTP so that users can download software, but you forgot to add the corresponding entry to the firewall configuration file. If the default is allow, the FTP service is reachable from outside whether you intended it or not; if the default is deny, there is no danger. Of course, the trouble is not over: your users will come rushing to you asking why the service does not work, and you have to modify the configuration immediately and appease their anger. Still, that is better than forgetting the rule and having someone else tell you there has been a problem. Unless, of course, your FTP has no restrictions at all, in which case I'm afraid nobody will come to you.
Second: Common firewall software
1: ipchains
ipchains is powerful, reliable and convenient to manage, much stronger than the earlier ipfwadm. You can use six targets to guard the security of the system:
ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN.
For example, with REDIRECT you can send packets arriving for port 80 to another local port, such as the port of a Squid proxy server. You can even set different priorities (type of service) for packets.
You can also define your own chains.
Below is an example for a gateway:
#!/bin/bash
#
# This script sets up firewall rules appropriate for a server with 2 interfaces
# running as a gateway.
# This script needs to be edited if you plan to use it.
# We assume the internal machines can all talk to the gateway, so no rules block
# internal traffic.
#
# A couple of variables
#
# ETH0IP is the IP address on eth0 (the external interface)
# ETH0NET is the network
# ETH0NETMASK is the network mask
# TRUSTEDHOST1 is a trusted host (for webmin/ssh)
# TRUSTEDHOST2 is a trusted host (for webmin/ssh)
# ETH1IP is the IP address on eth1 (the internal interface)
# ETH1NET is the network
# ETH1NETMASK is the network mask
#
ETH0IP=1.1.1.1
ETH0NET=1.1.1.0
ETH0NETMASK=24
TRUSTEDHOST1=1.5.1.1
TRUSTEDHOST2=1.5.1.2
ETH1IP=10.0.0.1
ETH1NET=10.0.0.0
ETH1NETMASK=24
#
PATH=/sbin
# Flush all rules
ipchains -F input
ipchains -F output
ipchains -F forward
# Anti-spoofing: private (RFC 1918) source addresses and our own address
# must never arrive on the external interface
# (172.16.0.0/12, not /16, is the full RFC 1918 block)
ipchains -A input -p all -j DENY -s 10.0.0.0/8 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 192.168.0.0/16 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s 172.16.0.0/12 -i eth0 -d 0.0.0.0/0
ipchains -A input -p all -j DENY -s $ETH0IP -i eth0 -d 0.0.0.0/0
# ICMP first
ipchains -A input -p icmp -j ACCEPT -s $ETH0NET/$ETH0NETMASK -i eth0 -d 0.0.0.0/0
ipchains -A input -p icmp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0
# ssh
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST1 -i eth0 -d 0.0.0.0/0 22
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST2 -i eth0 -d 0.0.0.0/0 22
# Blocking 1:1023
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 1:1023
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 1:1023
# Blocking other things
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 1109
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 1524
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 1600
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 2003
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 2049
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 2105
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 3001
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 3001
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 3128:3130
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 3128:3130
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 3306
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 4444
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 6000:6100
ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 6000:6100
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 6667
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 7000
# webmin
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST1 -i eth0 -d 0.0.0.0/0 10000
ipchains -A input -p tcp -j ACCEPT -s $TRUSTEDHOST2 -i eth0 -d 0.0.0.0/0 10000
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -i eth0 -d 0.0.0.0/0 10000
# Forward rules
ipchains -P forward DENY
ipchains -A forward -p all -j MASQ -s $ETH1NET/$ETH1NETMASK -d 0.0.0.0/0
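ipchains evaluates a chain top to bottom and the first matching rule decides; only when nothing matches does the chain's policy apply. This added example (not the article's script) simulates that on a few rules in the style of the gateway script above and shows the difference between the two policies discussed earlier when an FTP entry has been forgotten. The addresses, trusted host and interface names are constructed.

```python
"""Simulate ipchains first-match evaluation of an input chain.

Added example, not the article's script: it models the two policies
discussed above (default ACCEPT vs default DENY) with rules in the style
of the gateway script and shows what happens to a forgotten FTP entry.
Hosts, interfaces and ports are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int        # 0 for icmp
    iface: str


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT or DENY
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    ports: tuple = (0, 65535)   # destination port range, like "1:1023"
    iface: str = ""             # "" matches any interface

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        return self.ports[0] <= p.dport <= self.ports[1]


def evaluate(chain, policy: str, p: Packet) -> str:
    """ipchains semantics: the first matching rule decides; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Rules in the spirit of the gateway script: anti-spoofing, ssh only from a
# trusted host, and the server's own web service. FTP (21) is deliberately
# missing, to stand for the forgotten entry discussed in the text.
TRUSTED_HOST = "1.5.1.1"
CHAIN = [
    Rule("DENY", src="10.0.0.0/8", iface="eth0"),      # private source on the outside
    Rule("ACCEPT", proto="tcp", src=TRUSTED_HOST, ports=(22, 22), iface="eth0"),
    Rule("ACCEPT", proto="tcp", ports=(80, 80), iface="eth0"),
]


def fate_under_both_policies(p: Packet) -> dict:
    """What the same packet gets under policy A (allow) and policy B (deny)."""
    return {"default-allow": evaluate(CHAIN, "ACCEPT", p),
            "default-deny": evaluate(CHAIN, "DENY", p)}


if __name__ == "__main__":
    ftp = Packet("tcp", "203.0.113.9", "1.1.1.1", 21, "eth0")
    print("forgotten FTP from the Internet:", fate_under_both_policies(ftp))
```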
After setting the rules, you should run this ipchains script automatically at boot, before the other network programs start. It is recommended not to enable rule logging unless necessary, because every datagram gets recorded and disk space is consumed very fast.
Use 'man ipchains' to view the detailed documentation and its discussion.
The ipchains development URL is: http://netfilter.kernelnotes.org/.
2: Other software URLs
Netfilter
http://netfilter.kernelnotes.org/
IPF
http://coombs.anu.edu.au/~avalon/
SINUS FIREWALL
http://www.sinusfirewall.org/
Phoenix Adaptive FireWall
Commercial software that can completely replace ipchains; it is more intelligent and has passed ICSA certification.
http://www.progressive-systems.com/products/phoenix/
FirePlug Edge
http://edge.fireplug.net
Mason
This is a firewall rule script generator and a good partner for ipchains. It can not only design rules but also monitor the flow of datagrams.
http://users.dhp.com/~whisper/mason/
FireWall Scripts
The firewall rule script generator used by Red Hat Linux.
http://www.webideal.de/rh-isdn/downloads/
Series 6: IPSec-encrypted data
I. Overview
IPsec encrypts the data portion of an IP packet while it is transmitted; of course, the IP header and its checksum cannot be encrypted. Because encryption happens at the IP layer, it provides a higher level of security: even if a datagram is intercepted, its content is hard to learn, because the data itself is still encrypted.
Linux's IPsec feature is still in the testing phase, but some relatively stable versions already exist. IPsec software for Win95/Win98/WinNT is already sold on the market. In fact, IPsec itself is part of the IPv6 standard protocol suite.
Using IPsec under Linux requires kernel support. The distributions on the market basically contain this feature, but not always completely, so you may have to recompile the kernel. The kernel version should be 2.2.13 or later. The latest version of the IPsec package can be obtained from
http://www.freeswan.org
2: An example of using IPsec
Assume that two networks need to be connected to each other and deliver data securely. The configuration is shown below:
Servers A and B run the RedHat 6.1 Linux operating system; the default kernel version is 2.2.12.
1: Install the kernel source, the compile tools and ipchains, then recompile the kernel:
cd /usr/src/linux
make menuconfig
make dep
make bzImage
make modules
make modules_install
cp /usr/src/linux/arch/i386/boot/bzImage /boot/newimage
Use any editor to modify /etc/lilo.conf and add a boot entry for the new kernel. If that is troublesome or you are unsure, use the "linuxconf" tool to add the new kernel. But do not forget to run the "lilo" command after the modification so that it takes effect; otherwise booting will fail.
2: Modify the firewall settings of the two servers A and B
Server A:
ipchains -P forward DENY
ipchains -A forward -p all -j MASQ -s 10.0.0.0/24 -d 0.0.0.0/0
Server B:
ipchains -P forward DENY
ipchains -A forward -p all -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
In the /etc/sysconfig/network file of each machine, replace the line
FORWARD_IPV4="no"
with
FORWARD_IPV4="yes"
If the network is working, ping 5.6.7.8 or ping 1.2.3.4 should complete without error.
3: Install IPsec on the servers
Download the latest IPsec package and log in to Linux as root.
Refer to the following command sequence for the installation:
cd /usr/local/src/
tar -zvvxf /path/to/tarball/snapshot.tar.gz
chown -R root:root freeswan-snapxxxxxx14b
cd freeswan-snapxxxxxx14b
make menugo
Kernels 2.2.x and later are generally large, so if the build goes wrong, finally compile the kernel again with the following commands:
cd /usr/src/linux
make bzImage
cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-2.2.x-ipsec
4: Modify the lilo.conf file of the two servers
The file content is similar to:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=100
image=/boot/vmlinuz-2.2.x-ipsec
    label=linux-ipsec
    root=/dev/hda1
    read-only
image=/boot/vmlinuz-2.2.10
    label=linux
    root=/dev/hda1
    read-only
Run the "lilo" command again to make the modification take effect, boot the system with the new kernel, and carry out the next configuration step.
5: Network environment configuration
Add the directory /usr/local/lib/ipsec to your system PATH; the tools require it.
Modify the ipsec.conf file. The default content is as follows:
conn sample
    type=tunnel
    # left security gateway (public-network address)
    left=
    # next hop to reach right
    leftnexthop=
    # subnet behind left (omit if there is no subnet)
    leftsubnet=
    # right s.g., subnet behind it, and next hop to reach left
    right=
    rightnexthop=
    rightsubnet=
    #
    spibase=0x200
    # (manual) encryption/authentication algorithm and parameters to it
    esp=3des-md5-96
    espenckey=
    espauthkey=
Modify it into the following:
conn my-tunnel
    type=tunnel
    # left security gateway (public-network address)
    left=1.2.3.4
    # next hop to reach right
    leftnexthop=1.2.3.1
    # subnet behind left (omit if there is no subnet)
    leftsubnet=10.0.0.0/24
    # right s.g., subnet behind it, and next hop to reach left
    right=5.6.7.8
    rightnexthop=5.6.7.1
    rightsubnet=192.168.0.0/24
    #
    spibase=0x200
    # (manual) encryption/authentication algorithm and parameters to it
    esp=3des-md5-96
    # the keys below are generated with the ranbits tool:
    # espenckey with "ranbits 192", espauthkey with "ranbits 128"
    espenckey=some_enc_key_here
    espauthkey=some_other_key_here
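Before bringing the tunnel up it is worth checking the conn section mechanically: required fields present, the two subnets disjoint, and the manual keys of the length the article's ranbits calls produce for 3des-md5-96 (192 bits of 3DES key, 128 bits of MD5 HMAC key). This added example (not the article's or the FreeS/WAN project's code) does exactly that over a constructed conn block; the hex keys in it are constructed placeholders.

```python
"""Check a FreeS/WAN-style ipsec.conf 'conn' section before bringing a tunnel up.

Added example, not from the article or the FreeS/WAN project: it parses the
conn block shown above, checks the required fields, checks that the two
subnets do not overlap, and checks that the manual keys have the lengths the
article's 'ranbits 192' / 'ranbits 128' produce for 3des-md5-96. Key values
are constructed placeholders.
"""
from ipaddress import ip_network

# Constructed conn section; the hex keys stand in for 'ranbits' output.
SAMPLE_CONF = """\
conn my-tunnel
    type=tunnel
    left=1.2.3.4
    leftnexthop=1.2.3.1
    leftsubnet=10.0.0.0/24
    right=5.6.7.8
    rightnexthop=5.6.7.1
    rightsubnet=192.168.0.0/24
    spibase=0x200
    esp=3des-md5-96
    espenckey=0x0123456789abcdef0123456789abcdef0123456789abcdef
    espauthkey=0x0123456789abcdef0123456789abcdef
"""

REQUIRED = ("left", "leftnexthop", "leftsubnet", "right", "rightnexthop",
            "rightsubnet", "esp", "espenckey", "espauthkey")
# bits of key material each manual-keying algorithm needs: (encryption, authentication)
KEY_BITS = {"3des-md5-96": (192, 128)}


def parse_conn(text: str) -> dict:
    """Return {conn_name: {key: value}} for every 'conn' block in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key.lower()] = value
    return conns


def hex_key_bits(value: str) -> int:
    """Length in bits of a 0x... key; 0 if the value is not valid hex."""
    if not value.lower().startswith("0x"):
        return 0
    try:
        return len(bytes.fromhex(value[2:])) * 8
    except ValueError:
        return 0


def check_conn(conn: dict) -> list:
    """List of problems with one conn section; an empty list means it looks usable."""
    problems = [f"missing {field}" for field in REQUIRED if not conn.get(field)]
    if problems:
        return problems
    left = ip_network(conn["leftsubnet"], strict=False)
    right = ip_network(conn["rightsubnet"], strict=False)
    if left.overlaps(right):
        problems.append("leftsubnet and rightsubnet overlap")
    algo = conn["esp"].lower()
    if algo not in KEY_BITS:
        problems.append(f"unknown esp algorithm {algo}")
    else:
        enc_bits, auth_bits = KEY_BITS[algo]
        if hex_key_bits(conn["espenckey"]) != enc_bits:
            problems.append(f"espenckey must be {enc_bits} bits (ranbits {enc_bits})")
        if hex_key_bits(conn["espauthkey"]) != auth_bits:
            problems.append(f"espauthkey must be {auth_bits} bits (ranbits {auth_bits})")
    return problems


if __name__ == "__main__":
    for name, conn in parse_conn(SAMPLE_CONF).items():
        print(name, check_conn(conn) or "ok")
```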
6: Modify the firewall
Add the following lines to the firewall configuration file of server A:
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
As a result it should look like this:
# Forward rules
#
ipchains -P forward DENY
#
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
ipchains -A forward -p all -j MASQ -s 10.0.0.0/24 -d 0.0.0.0/0
Make sure the newly added lines come before the masquerading rule.
Add the following lines to the firewall configuration file of server B:
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
As a result it should look like this:
# Forward rules
#
ipchains -P forward DENY
#
ipchains -A forward -p all -j ACCEPT -s 192.168.0.0/24 -d 10.0.0.0/24
ipchains -A forward -p all -j ACCEPT -s 10.0.0.0/24 -d 192.168.0.0/24
ipchains -A forward -p all -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0
Make sure the newly added lines come before the masquerading rule.
7: Start IPsec
Enter the following command on each server:
ipsec manual --up my-tunnel
It should produce output similar to the following:
/usr/local/lib/ipsec/spi: message size is 36
/usr/local/lib/ipsec/spi: message size is 132
/usr/local/lib/ipsec/spi: message size is 132
Try to ping a machine in the other subnet from a machine in one subnet. If it succeeds, IPsec is working.
Three: Other IPSec software
I-data
http://www.i-data.com/networks/
IPsec products for Windows clients
PGP VPN
http://www.pgpi.com/
http://www.nai.com/asp_set/products/tns/pgp_vpn.asp
IRE
http://www.ire.com/
Series 7: Linux Management Tools
1: Local tool
1: Webmin
Webmin is a web-based management tool, written mainly in Perl.
With it you can set different levels and different permissions for different administrators: for example, Zhang San may only reboot, Li Si may only add and delete users, and so on. Management becomes convenient.
Its problems: in some cases that require authentication the password is still transferred in the clear, and the documentation is not detailed.
The default port is 10000, so the firewall also needs to be configured for it.
E.g.:
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 10000
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 10000
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 10000
The URL is: http://www.webmin.com/webmin/
2: Linuxconf
Linuxconf is a very good tool that can be run from the command line, in the X window environment, or over the web. Its interface is very friendly, and almost everything in Linux that needs configuring can be found in it.
Local management covers disk handling, system startup, daemons, kernel adjustment, adding and deleting users, and so on. Network management covers SMB configuration, PPP settings, gateways, DNS and more. However, when run from the command line the mouse does not work; only the keyboard can be used. It is more convenient under X.
To run it over the network, first open linuxconf locally and add the network and host you need to connect from (conf > Misc > Linuxconf network access). Quit, then start it again and connect to the machine to be managed; enter the username and password (by default the root user!). Because linuxconf itself does not support any encryption, do not use this feature unless you use IP-level encryption such as IPsec, unless you are looking for trouble. In addition, its documentation is very poor; there is no man page.
Linuxconf is generally bundled with RedHat. The URL is http://www.solucorp.qc.ca/linuxConf/
3: URL of other tools
Runas
http://www.mindspring.com/~carpinello/runas/index.htm
Super
ftp://ftp.ucolick.org/pub/USERS/will/
coas
http://www.coas.org/
Webrat
http://hq.hellug.gr/~webrat/
PIKT
http://pikt.uchicago.edu/pikt/
VNC
http://www.uk.research.att.com/vnc/
2: Remote management
Remote management is especially important for every administrator. The reason is simple: practical and economic factors. We can almost never sit in front of the terminal every day to manage the system, let alone when the machine is far away. Remote management is comparatively economical, but it must carry more risk.
1: Telnet
Telnet is one of the earliest services used on the Internet. It lets you enter a remote system, log in interactively, run the necessary commands and view the results. But it is almost the least secure protocol: authentication and commands are sent in plain text, so it is very susceptible to sniffing and attack.
If you really need to use this service, use the firewall and tcp_wrappers (mentioned earlier) to strictly limit the range of hosts allowed to log in, as follows:
Add the ipchains rules:
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 23
ipchains -A input -p tcp -j ACCEPT -s "trusted host" -d 0.0.0.0/0 23
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 23
Modify the following files:
/etc/hosts.allow:
in.telnetd: 10.0.0.0/255.0.0.0, "trusted host"
/etc/hosts.deny:
in.telnetd: ALL
Another situation is an ISP, where you need to allow users to log in remotely to change their password. It can be solved like this:
Add to the /etc/shells list:
/usr/bin/passwd
Then modify /etc/passwd to change the user's shell:
username:x:1000:1000::/home/username:/usr/bin/passwd
That's it. The user can log in to the system remotely, is prompted for the username and password, changes the password and is then disconnected. Such as:
Trying 1.2.3.4...
Connected to localhost.
Escape character is '^]'.
Red Hat Linux release 5.2 (Apollo)
Kernel 2.2.5 on an i586
login: tsjjjil
Password:
Changing password for tsjjjil
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
Connection closed by foreign host.
There is still a problem with the above method: it prints unnecessary information such as the operating system and kernel version, which in the wrong hands is very dangerous. The cause is that rc.local writes /etc/issue and related information. So you need to modify /etc/rc.d/rc.local and comment out the unnecessary lines, such as:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Or add some warning statements saying that unauthorized entry will be punished.
But the best solution is to turn off this service and use SSL-based telnet or SSH, especially for what the administrator needs.
2: SSH
The SSH protocol was designed from the start with one purpose: providing secure remote access. It can be used for any network-based information transfer, and it is very strong. It runs on Linux, UNIX, NT and other systems. Because the keys, authentication information and so on are transmitted encrypted, its security is very good. However, it is still not free software (although a corresponding free project exists, it has not been officially released); free use is limited to non-commercial environments.
SSH runs as a daemon and can be combined with tcp_wrappers or a firewall for better restriction.
You can find the RPM version here: ftp://ftp.zedz.net/
You can get the source code from the following address: ftp://ftp.yellowdoglinux.com/pub/yellowdog/install-ssh/
For the firewall, modify the ipchains rules as follows:
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 22
ipchains -A input -p tcp -j ACCEPT -s isp.dial.up.pool/24 -d 0.0.0.0/0 22
# the rules above allow you to reach the firewall remotely over ssh
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 22
Use with tcp_wrappers as follows:
hosts.allow:
sshd: 10.0.0.0/255.0.0.0, isp.dial.up.pool/255.255.255.0
hosts.deny:
sshd: 0.0.0.0/0.0.0.0
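The hosts.allow and hosts.deny lines above for in.telnetd and sshd can be checked without touching the daemons. This added example (not the article's or tcp_wrappers' own code) implements the documented lookup order, hosts.allow first, then hosts.deny, otherwise allow, for the pattern forms the article uses: ALL, net/mask, a trailing-dot address prefix and a literal host name. The host names and address ranges in it are constructed.

```python
"""Decide whether tcp_wrappers would admit a client, from hosts.allow/hosts.deny.

Added example, not the article's own or tcp_wrappers' code: it implements the
documented lookup order (hosts.allow first, then hosts.deny, otherwise allow)
for the 'daemon: client list' lines used above for in.telnetd and sshd.
It handles ALL, net/mask, trailing-dot prefixes and literal host names;
the host names and addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed rule sets, in the format of the article's examples.
HOSTS_ALLOW = """\
in.telnetd: 10.0.0.0/255.0.0.0, trusted.example
sshd: 10.0.0.0/255.0.0.0, 198.51.100.0/255.255.255.0
"""
HOSTS_DENY = """\
in.telnetd: ALL
sshd: 0.0.0.0/0.0.0.0
"""


def parse_access_file(text: str) -> list:
    """Return [(daemons, clients), ...] from 'daemon_list : client_list' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern: str, client: str) -> bool:
    """Match one client pattern against a host name or dotted IP address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask form, e.g. 10.0.0.0/255.0.0.0
        try:
            return ip_address(client) in ip_network(pattern, strict=False)
        except ValueError:
            return False                    # client is a host name, not an address
    if pattern.endswith("."):               # address prefix, e.g. "10."
        return client.startswith(pattern)
    return pattern == client                # literal host name or address


def rule_matches(rules, daemon: str, client: str) -> bool:
    """True if any line names this daemon (or ALL) and one of its patterns fits the client."""
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, client) for p in clients):
                return True
    return False


def access_allowed(daemon: str, client: str,
                   allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> bool:
    """tcp_wrappers order: a hosts.allow match admits, then a hosts.deny match refuses,
    and a client matched by neither file is admitted."""
    if rule_matches(parse_access_file(allow_text), daemon, client):
        return True
    if rule_matches(parse_access_file(deny_text), daemon, client):
        return False
    return True


if __name__ == "__main__":
    for d, c in (("sshd", "10.1.2.3"), ("sshd", "203.0.113.7"),
                 ("in.telnetd", "trusted.example"), ("in.telnetd", "other.example")):
        print(d, c, "allowed" if access_allowed(d, c) else "denied")
```

The last case in `access_allowed` is the one to remember: a daemon that appears in neither file is open to everyone, which is why the article ends each hosts.deny with a catch-all line.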
In addition, SSH has its own configuration file to strengthen security. The file is /etc/ssh/sshd_config; a typical configuration is as follows:
Port 22
# runs on port 22, the standard
ListenAddress 0.0.0.0
# listens on all interfaces; you might only want to bind a firewall
# internally, etc.
HostKey /etc/ssh/ssh_host_key
# where the host key is
RandomSeed /etc/ssh/ssh_random_seed
# where the random seed is
ServerKeyBits 768
# how long the server key is
LoginGraceTime 300
# how long they get to punch their credentials in
KeyRegenerationInterval 3600
# how often the server key gets regenerated
PermitRootLogin no
# permit root to login? no
IgnoreRhosts yes
# ignore .rhosts files in users' dirs? yes
StrictModes yes
# ensures users don't do silly things
QuietMode no
# quiet mode logs nothing; keep it off so logins are recorded
X11Forwarding no
# forward X11? shouldn't have to on a server
FascistLogging no
# maybe we don't want to log too much
PrintMotd yes
# print the message of the day? always nice
KeepAlive yes
# ensures sessions will be properly disconnected
SyslogFacility DAEMON
# who's doing the logging?
RhostsAuthentication no
# allow rhosts to be used for authentication? the default is no,
# but it is nice to say it anyway
RhostsRSAAuthentication no
# is authentication using rhosts or /etc/hosts.equiv sufficient?
# not in my mind; the default is yes, so let's turn it off
RSAAuthentication yes
# allow pure RSA authentication? this one is pretty safe
PasswordAuthentication yes
# allow users to use their normal login/passwd? why not
PermitEmptyPasswords no
# permit accounts with an empty password to log in? no
Other useful options:
AllowGroups - explicitly specifies the groups (from /etc/group) allowed to log in via SSH
DenyGroups - explicitly specifies the groups (from /etc/group) forbidden to log in via SSH
AllowUsers - explicitly specifies the users allowed to log in via SSH
DenyUsers - explicitly specifies the users forbidden to log in via SSH
AllowHosts - the allowed hosts; all others are denied
DenyHosts - the forbidden hosts; all others are allowed
IdleTimeout time - the idle timeout (in minutes/hours/days); when it expires the server sends SIGHUP to the session process and ends it
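The security-relevant lines in the sample sshd_config are few enough to check mechanically on every host. This added example (not the article's or SSH's own code) parses 'Keyword value' lines and reports each setting that differs from the hardened value above, including settings that are commented out and therefore fall back to the daemon default; it keeps the first occurrence of a keyword, as OpenSSH does, and assumes the same for the older daemon. The weak configuration in it is constructed.

```python
"""Audit an sshd_config against the hardened settings recommended above.

Added example, not from the article or from SSH: it parses 'Keyword value'
lines (case-insensitive keywords, '#' comments) and reports every setting
that differs from the secure value in the sample configuration. The first
occurrence of a keyword is kept (OpenSSH behaviour, assumed here for the
older daemon too). The weak configuration below is constructed.
"""
from typing import Optional

# Secure values taken from the article's sample sshd_config.
EXPECTED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "ignorerhosts": "yes",
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
    "strictmodes": "yes",
    "x11forwarding": "no",
    "quietmode": "no",
}

# Constructed: a config with several of the settings left in a weak state.
WEAK_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
# IgnoreRhosts yes        <- commented out, so the daemon default applies
StrictModes yes
X11Forwarding yes
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""


def parse_sshd_config(text: str) -> dict:
    """Map lower-cased keyword -> lower-cased value; the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> dict:
    """Map each non-compliant keyword to (value found, or None if unset; expected value)."""
    settings = parse_sshd_config(text)
    findings = {}
    for key, wanted in EXPECTED.items():
        found: Optional[str] = settings.get(key)
        if found != wanted:
            findings[key] = (found, wanted)
    return findings


if __name__ == "__main__":
    for key, (found, wanted) in sorted(audit(WEAK_CONFIG).items()):
        print(f"{key}: found {found!r}, expected {wanted!r}")
```

A keyword reported as None is not necessarily wrong, but it means you are trusting the compiled-in default rather than your own configuration.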
Eight of the series: restricting users' use of the host
Sometimes you have to create user accounts on the host and open interactive logins. If you do not put restrictions on users, many of the things they do will cause you trouble. For example, Linux has no disk usage control by default: any user may use up your disk space! Another example is software with high computational intensity that eats your host's CPU time. Things like this absolutely must not happen.
One: Limits on memory and CPU
Almost all Linux distributions now ship with PAM, which can be used to limit the amount of memory and other resources a user may use. On a RedHat Linux system the /etc/security/limits.conf file can be used for this control. (If it is not there, I am afraid you need to find the installation disk again and install the component.)
Each line of this configuration file has the format:
<domain> <type> <item> <value>
domain: a user name, a group name (starting with @) or "*" meaning all users
type: "soft" or "hard". Soft means the limit is not strict: it can be exceeded, but there will be a warning. Hard means a strict limit that cannot be exceeded.
item: cpu (processing time, in minutes), maxlogins (the number of logins this user is allowed), nproc (maximum number of processes), and so on
value: the corresponding numeric value
For example:
*        soft  core      0
*        hard  rss       10000
@student hard  nproc     20
@faculty soft  nproc     20
@faculty hard  nproc     50
ftp      hard  nproc     0
@student -     maxlogins 4
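Reading a limits.conf by eye gets hard once a user is in several groups, because more than one line can apply to the same item. This added example (not the article's or pam_limits' code) resolves the effective limits for a user from the sample file above, applying the precedence pam_limits documents: a line for the user beats a line for one of the user's groups, which beats "*", and within the same class the later line wins; a type of "-" sets both soft and hard. The group membership in it is constructed.

```python
"""Resolve the effective pam_limits entries for a user from limits.conf.

Added example, not the article's own or pam_limits' code: it applies the
precedence pam_limits documents (an entry for the user beats an entry for
one of the user's groups, which beats '*'; within the same class the later
line wins) to the sample file above. User-to-group membership is constructed.
"""

LIMITS_CONF = """\
# domain   type  item      value
*          soft  core      0
*          hard  rss       10000
@student   hard  nproc     20
@faculty   soft  nproc     20
@faculty   hard  nproc     50
ftp        hard  nproc     0
@student   -     maxlogins 4
"""

# Constructed group membership for the demonstration.
GROUPS = {"alice": {"student"}, "bob": {"faculty"}, "ftp": set()}

# higher number = higher precedence
PRIORITY = {"user": 3, "group": 2, "wildcard": 1}


def parse_limits(text: str):
    """Yield (domain, type, item, value) tuples, skipping comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4:
            yield tuple(fields)


def domain_class(domain: str, user: str, groups: set):
    """Which precedence class a domain falls in for this user, or None if it does not apply."""
    if domain == "*":
        return "wildcard"
    if domain.startswith("@"):
        return "group" if domain[1:] in groups else None
    return "user" if domain == user else None


def effective_limits(user: str, text: str = LIMITS_CONF, groups: dict = GROUPS) -> dict:
    """Return {(item, 'soft'|'hard'): value}; a type of '-' sets both soft and hard."""
    chosen = {}   # (item, type) -> (priority, value)
    for domain, ltype, item, value in parse_limits(text):
        cls = domain_class(domain, user, groups.get(user, set()))
        if cls is None:
            continue
        types = ("soft", "hard") if ltype == "-" else (ltype,)
        for t in types:
            key = (item, t)
            # a later line of equal or higher precedence replaces the earlier one
            if key not in chosen or PRIORITY[cls] >= chosen[key][0]:
                chosen[key] = (PRIORITY[cls], int(value))
    return {k: v for k, (_, v) in chosen.items()}


if __name__ == "__main__":
    for u in GROUPS:
        print(u, effective_limits(u))
```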
2: Limits on disk usage
Quota is used to limit the amount of disk space a user may use. Most Linux distributions ship with it, but it is off by default.
If you are not sure the kernel supports quota, recompile the kernel and select quota support in the appropriate option. Then:
1: Modify the startup script /etc/rc.d/rc.sysinit and add the following at the end:
# Check quota and then turn quota on.
if [ -x /usr/sbin/quotacheck ]
then
    echo "Checking quotas. This may take some time."
    /usr/sbin/quotacheck -avug
    echo " Done."
fi
if [ -x /usr/sbin/quotaon ]
then
    echo "Turning on quota."
    /usr/sbin/quotaon -avug
fi
Note that quota must be turned on after the file systems in /etc/fstab have been mounted; otherwise quota does not work.
2: Modify the /etc/fstab file
Without quota it usually looks like this:
/dev/hda5 /    ext2 defaults 1 1
/dev/hda7 /usr ext2 defaults 1 1
Add "usrquota" to the fourth field, the one containing the word "defaults":
/dev/hda5 /    ext2 defaults 1 1
/dev/hda7 /usr ext2 defaults,usrquota 1 1
If you need to enable group quota support on a file system, change "usrquota" to "grpquota":
/dev/hda5 /    ext2 defaults 1 1
/dev/hda7 /usr ext2 defaults,grpquota 1 1
If you want both user quota and group quota:
/dev/hda5 /    ext2 defaults 1 1
/dev/hda7 /usr ext2 defaults,usrquota,grpquota 1 1
3: Create the corresponding files
Use the following commands to create the quota files in the root directory of the partition with quota enabled. These files must be readable and writable by root only; other users get no permissions at all.
touch /partition/quota.user
touch /partition/quota.group
chmod 600 /partition/quota.user
chmod 600 /partition/quota.group
4: Reboot and edit the user limits
Use the edquota command.
edquota -u xxx (xxx is the user name) or edquota -g xxx (xxx is the group name) takes you into the vi editor to edit the corresponding entries.
"man edquota" shows the details.
Nine of the series: detecting intrusions
Computer security is a continuous battle; it is definitely never finished once and for all. Even when you feel good about it, it is not over. As the saying goes, "as the Tao rises one foot, the devil rises ten": you are out in the open, and who knows what vulnerability someone has found.
1: File monitoring
Intruders often modify certain files and leave "back doors" so that they can get in again. We can counter this with file monitoring: right after installation, make an unforgeable signature of the software, then compare regularly to see whether files have changed. If an abnormal change is found, restore from backup. This effectively resists damage.
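The idea behind the tools listed next can be shown in a few dozen lines. This added example (not the article's code and not any of the listed tools) takes a baseline of a directory tree (SHA-256, size and mode of every regular file), stores it as JSON, and later reports files that were modified, added or removed; the directory layout it checks is constructed in a temporary folder. As with the real tools, the baseline is only worth something if it is kept where an intruder cannot rewrite it, for example on read-only media or another host.

```python
"""A minimal file-integrity check in the spirit of Tripwire/AIDE.

Added example, not the article's own or any listed tool's code: it takes a
baseline of a directory tree (SHA-256, size, mode) right after installation,
stores it as JSON, and later reports files that were modified, added or
removed. The directory layout is constructed in a temporary folder.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path: str) -> dict:
    """Hash, size and permission bits of one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def baseline(root: str) -> dict:
    """Map each regular file's path (relative to root) to its record."""
    records = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(old: dict, new: dict) -> dict:
    """Classify differences the way an integrity checker reports them."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then change the tree behind its back."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login program")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/bash\n")
        saved = json.dumps(baseline(root))        # what you would store off-host
        # later: one binary replaced by a same-sized file, one file added, one removed
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"replaced login program")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"unexpected file")
        os.remove(os.path.join(root, "passwd"))
        return compare(json.loads(saved), baseline(root))


if __name__ == "__main__":
    print(demo())
```

The replaced file keeps its size, so a size-only check would miss it; the hash is what catches it.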
Below is a package available for Linux.
1: Tripwire
There is an RPM package for Linux. Commercial software.
http://www.tripwiresecurity.com/
2: Aide
AIDE is GPL software with open source code; from a security perspective it is more trustworthy than commercial software, and AIDE also tries to surpass Tripwire. It supports multiple hash algorithms.
http://www.cs.tut.fi/~rammer/aide.html
3: L5
Free software; an effective tool for monitoring files.
ftp://avian.org/src/hacks/
4: GOG & MAGOG
http://www.multimania.com/cparisel/gog/
5: Sentinel
Graphical interface; uses checkpoint technology.
http://zurk.netpedia.net/zfile.html
6: ViPerdb
http://www.ensentment.org/projects/viperdb/
7: SXID
ftp://marcus.seva.net/pub/sxid
8: Confcollect
http://www.skagelund.com/confcollect
Tools for network monitoring:
9: DTK
http://all.net/dtk
10: PSIONIC PortSentry
http://www.psionic.com/abacus/portsentry
Two: System security detection tools and hacker tools
Online you can find many hacking tools, and you can even see "Linux hacking tools" on the market. If other people can use them, why can't the administrator? :->
Take precautions: play the attacker and use these tools to see whether there are any holes. Whatever you find, correct it.
There are also some system security detection tools that run automatically and judge the system's vulnerabilities.
1: check.pl
A Perl program that checks whether file and directory permission settings are appropriate.
http://opop.nols.com/proggie.html
2: nmap
A new scanning tool with many good features.
http://www.insecure.org/nmap/index.html
3: portscanner
Free software, small and easy to use.
http://www.ameth.org/~veilleux/portscan.html
4: Nessus
Checks for more than 200 attack methods.
http://www.nessus.org
5: ftpcheck/relaycheck
For FTP/mail.
http://david.warekly.org/code
6: SARA (Security Auditor's Research Assistant)
Fast and easy to use.
http://home.arc.com/sara
7: firewalk
A tool that tests firewall security.
http://www.packetfactory.net/firewalk
Ten: Backup
I have read that a famous computer security expert said: "Someone asks me what the best way to protect my computer is. My answer is: backup, backup, backup..."
Remember, people make mistakes: maybe you type rm -f without thinking, and what you deleted cannot be recovered. Add to that machine crashes, disk failures, software bugs, and the people you have to guard against. If everything has to start again from the beginning, it may take you several days to reconfigure many things. And if there is a backup? The final answer to all of this is to restore from backup.
There are many backup programs, both free software and commercial software.
1: tar and gzip
The oldest, most common and best-supported two programs: you can see them on almost every UNIX system. Although their speed is relatively poor, they are still very widely used, and a large number of applications use them for packaging.
Use the following command:
tar -cvf archive-name.tar dir1 dir2 dir3 ...
to pack all the important directories (/etc, /usr, etc.).
Then use:
gzip -9 archive-name.tar
The "-9" option makes the compressed package as small as possible. Then you can copy or transfer this file to a safe place. Of course, if you have a tape drive, write it directly to the tape; tar was originally designed for tape devices, so check the corresponding options.
2: rsync
A feature-rich tool that can be used across the network. rsync is one of the most efficient tools for mirroring files. It can also keep the original state of files, such as permissions and links. It also supports a so-called "anonymous" mode, which allows transfers from the server or from a remote client; when using anonymous mode the client does not need to be root. When a registered user is required, the authentication information is automatically encrypted (128 bits!), so security is guaranteed. It is very powerful; use it. It can be obtained from the following URL: http://rsync.samba.org/
After installation the rsyncd.conf file is placed in the /etc/ directory; configure it according to your own needs. For example:
# specifies a file to be displayed, legal disclaimer, etc.
motd file = /etc/rsync.motd
# maximum number of connections so you don't get flooded
max connections = 5
[pub-ftp]
    # simple comment
    comment = public ftp area
    # path to the directory being exported
    path = /home/ftp/pub
    # make it read only, great for exported directories
    read only = yes
    # chroot to /home/ftp/pub
    chroot = yes
    # explicitly set the uid and gid
    uid = nobody
    gid = nobody
[secret-stuff]
    comment = my secret stuff
    # path to my stuff
    path = /home/user/secret
    # hide this module when asked for a list
    list = no
    # password file
    secrets file = /etc/rsync.users
    # list of users I trust to see my secret stuff
    auth users = me, bob, santa
    # list of hosts to allow
    hosts allow = 1.1.1.1, 2.2.2.2
Use man rsyncd.conf to view the details.
When combined with the firewall you need to modify ipchains; rsyncd uses TCP port 873.
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 873
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 873
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 873
3: Other commercial software
BRU (Backup and Restore Utility)
http://www.estinc.com/features.html
QuickStart
http://www.estinc.com/qsdr.html
Backup Professional
http://www.unitrends.com/bp.html
CTAR
http://www.unitrends.com/ctar.html
CTAR: Net
http://www.unitrends.com/ctarnet.html
PC Parachute
http://www.unitrends.com/pcpara.html
4: Backup media
It seems hard drives are used for backup more and more, because a big hard drive of dozens of GB is really cheap and its speed is first-class. CD-R/CD-RW is also a good choice; its speed is not as good as a hard disk, but it is cheap after all. Another common medium is tape: streaming read and write, no random access. Cheapness and stability are its advantages.