Linux system security - installation and setting

xiaoxiao, 2021-03-06

As networks have become widespread, security has drawn more and more attention. Linux, a free and open-source operating system, is widely used as a server platform, and with the growing range of application software many people (the author included) also use it as a desktop. This series of articles concentrates on Linux as a server: hardening the system through careful installation, system settings and a number of freely available security tools so that it is genuinely secure. Space does not allow a very detailed discussion; the aim is to point out what needs attention, so details that are common knowledge are not repeated.

This first part covers what to pay attention to during installation and in the system settings of a Linux server.

1 Installing a Linux server

Everyone has installed a Linux system before, and you may be very practised at it, but there are some points worth noting during installation:

First, do not give all the space to the root partition; put different parts of the tree on different partitions. It is strongly recommended to keep "/var" and "/tmp" on their own partitions, and if your server has many users this is practically mandatory. "/var" and "/usr" should also be on separate partitions, which prevents a runaway log file or a user from filling the disk and taking the server down. A final warning on partitioning: if you are going to provide one or more services, put everything belonging to each service on its own partition. For a WWW server, for example, reserve a separate partition (say "/www") at installation time; later you can chroot the service into it to improve its security.

Another important question is the choice of software packages. Taking Red Hat as the example: for security and performance you should select "Select individual packages" so that you can choose packages one by one. Some software need not be installed at all, some must be removed after installation, and some must be installed afterwards. The lists follow:

Unnecessary packages:

Applications/Archiving: dump
Applications/File: git (on Red Hat 6.x this package is GNU Interactive Tools, a file browser, not the version control system)
Applications/Internet: finger, ftp, fwhois, ncftp, rsh, rsync, talk, telnet
Applications/Publishing: ghostscript, ghostscript-fonts, mpage, rhs-printfilters
Applications/System: arpwatch, bind-utils, knfsd-clients, procinfo, rdate, rdist, screen, ucd-snmp-utils
Documentation: indexhtml
System Environment/Base: chkfontpath, yp-tools
System Environment/Daemons: XFree86-xfs, lpr, pidentd, portmap, routed, rusers, rwho, tftp, ucd-snmp, ypbind
System Environment/Libraries: XFree86-libs, libpng
User Interface/X: XFree86-75dpi-fonts, urw-fonts

This list describes a minimal server; adjust it to your needs (rsync and screen, for instance, are often wanted on an administered machine, and portmap is required if you run NFS or NIS).

Packages that must be uninstalled after installation:

pump apmd isapnptools redhat-logos mt-st kernel-pcmcia-cs setserial redhat-release eject linuxconf kudzu gd bc getty_ps raidtools pciutils mailcap setconsole gnupg

(Keep gnupg if you use it to verify the signatures of downloaded packages, and keep raidtools if the machine uses software RAID.)

Packages that must be installed after installation (with these you can compile software):

autoconf-2.13-5.noarch.rpm m4-1.4-12.i386.rpm automake-1.4-5.noarch.rpm
dev86-0.14.9-1.i386.rpm bison-1.28-1.i386.rpm byacc-1.9-11.i386.rpm
cdecl-2.5-9.i386.rpm cpp-1.1.2-24.i386.rpm cproto-4.6-2.i386.rpm
ctags-3.2-1.i386.rpm egcs-1.1.2-24.i386.rpm ElectricFence-2.1-1.i386.rpm
flex-2.5.4a-7.i386.rpm gdb-4.18-4.i386.rpm kernel-headers-2.2.12-20.i386.rpm
glibc-devel-2.1.2-11.i386.rpm make-3.77-6.i386.rpm patch-2.5-9.i386.rpm

Once all the work on the server is done (and there is nothing left to compile), remove the packages above from the system. Then even if someone breaks in he cannot compile programs on the machine, and with fewer files the integrity check runs faster. Keep the packages on removable media for later use; they may not be the latest versions, so download the latest stable release when you need them. Bear in mind that removing the compiler is defence in depth rather than a barrier: an intruder can bring precompiled binaries with him.

2 System settings

2.1 Passwords and accounts

First, set a BIOS password; practically every BIOS supports this. It only deters casual access, since anyone who can open the case can usually clear it.

Second, protect LILO's single-user mode with a password. Add the following two lines before the first image definition in /etc/lilo.conf:

restricted
password = "your password"

"your password" is the password that will be required to boot with extra parameters such as single-user mode; with "restricted", a normal boot still needs no password. Because the file now contains a password in clear text, set its permissions to 0600 (chmod 600 /etc/lilo.conf). Finally run /sbin/lilo so that the boot loader re-reads /etc/lilo.conf and writes the new configuration.

Next, user passwords, including root's: by default the system requires only 5 characters. Edit "/etc/login.defs" and raise the minimum password length from 5 to 8: find the line PASS_MIN_LEN 5 and change it to PASS_MIN_LEN 8. "login.defs" is a very important configuration file; other policies such as password ageing (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE) are set there as well.

A password should not contain dictionary words; that is very dangerous. A good password is long enough and uses some special characters.

The system ships with many preset accounts. Delete the ones you do not use; such accounts with weak or well-known passwords are a serious risk to the system.

A useful command is chage, which sets expiry times on accounts and passwords (see man chage).

For root, configure /etc/securetty. This file lists the consoles from which root may log in; comment out with "#" the console numbers on which root should not be allowed to log in.

The privileges that the pam_console module grants to whoever sits at the physical console can be disabled with the following script, which comments out every pam_console.so line under /etc/pam.d (back the directory up first):

#!/bin/sh
cd /etc/pam.d
for i in *; do
    sed '/^[^#].*pam_console\.so/s/^/#/' < $i > foo && mv foo $i
done

Then disable the console programs, such as shutdown and halt, that ordinary console users may otherwise run. Remove each one with the following command, replacing serviceName with the program's name (for example shutdown, halt, reboot):

[root@sound]# rm -f /etc/security/console.apps/serviceName

Shorten your "~/.bash_history" file. It stores the commands you have run, and keeping it short reduces what others can learn from it (commands sometimes contain secrets such as passwords). Do this by adding the following to /etc/profile, which limits both the in-memory history and the lines written to the file:

HISTFILESIZE=20
HISTSIZE=20

The following measures keep anyone outside a chosen group from running su to become root:

1 Edit the su file (vi /etc/pam.d/su) and add the following two lines at the top:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

With these, root can su without a password, and every other user is refused before a password is even asked unless he belongs to the wheel group (GID 10).

2 Then add each user who should be allowed to su to root to the wheel group:

[root@sound]# usermod -G wheel admin

Note that -G (capital) sets the user's supplementary group list and replaces the existing one, so list the user's other groups as well if he has any.

2.2 Permissions and File System

Linux's ext2 file system supports file attributes. Use the lsattr command to list a file's attributes and the chattr command to change them. There are many attributes; two deserve attention here:

a  append only
i  immutable

System configuration files are best made immutable, and log files are best made append only. Two concrete examples:

chattr +i /etc/inetd.conf
chattr +a /var/log/secure

To remove the attributes, change the "+" in the commands above to "-". Keep in mind that an immutable file cannot be modified, even by root, until the attribute is removed (package upgrades that touch the file will fail), and that an append-only file cannot be renamed or truncated, so log rotation of /var/log/secure fails unless the attribute is dropped first. Only root (a process with the CAP_LINUX_IMMUTABLE capability) can set or clear these attributes.

In addition, restrict the file systems you mount; this is configured in /etc/fstab. Mount options make mounted file systems safer. Common options are defaults, nodev, noexec, nosuid, noatime, ro and user.
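As an added example (not from the original article), the following POSIX shell script ties the partitioning advice in section 1 to the mount options above: it audits an fstab for the options a hardened server should carry on the separately mounted /tmp, /var, /usr and /www partitions, and prints a corrected fstab. The per-mount-point policy and the sample fstab are assumptions constructed for the example; adjust the policy to your host.

```sh
#!/bin/sh
# Added example; not from the original article.  Audits and repairs the
# mount options in an fstab for the partitions the article recommends
# splitting out (/tmp, /var, /usr and a service partition such as /www).
# The per-mount-point policy below is an assumption; adjust it per host.
# Runs offline: SAMPLE_FSTAB is a constructed Red Hat 6.x style fstab.

# Options a mount point must carry; empty if we have no policy for it.
required_opts() {
    case "$1" in
        /tmp) echo "nodev nosuid noexec" ;;   # nothing may run from /tmp
        /var) echo "nodev nosuid" ;;          # logs/spools; noexec breaks some packages
        /usr) echo "nodev" ;;                 # add ro if you accept remounting for upgrades
        /www) echo "nodev nosuid" ;;          # served content needs neither devices nor suid
        *)    echo "" ;;
    esac
}

# Read an fstab on stdin and print "MOUNTPOINT missing OPTION" per finding.
audit_fstab() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while read -r dev mnt fstype opts dump pass; do
        for want in $(required_opts "$mnt"); do
            case ",$opts," in
                *",$want,"*) ;;                      # already present
                *) echo "$mnt missing $want" ;;
            esac
        done
    done
}

# Read an fstab on stdin and print it with the required options appended
# where they are missing; comment and blank lines pass through unchanged.
harden_fstab() {
    while IFS= read -r line; do
        case "$line" in
            "#"*|"") echo "$line"; continue ;;
        esac
        set -- $line
        dev=$1; mnt=$2; fstype=$3; opts=$4; dump=${5:-0}; pass=${6:-0}
        for want in $(required_opts "$mnt"); do
            case ",$opts," in
                *",$want,"*) ;;
                *) opts="$opts,$want" ;;
            esac
        done
        printf '%s\t%s\t%s\t%s\t%s %s\n' "$dev" "$mnt" "$fstype" "$opts" "$dump" "$pass"
    done
}

# Constructed sample (not a real host's fstab): only /tmp carries any
# hardening option, and even that one is incomplete.
SAMPLE_FSTAB='# constructed sample fstab (Red Hat 6.x layout)
/dev/hda1   /       ext2    defaults        1 1
/dev/hda5   /usr    ext2    defaults        1 2
/dev/hda6   /var    ext2    defaults        1 2
/dev/hda7   /tmp    ext2    defaults,nodev  1 2
/dev/hda8   /www    ext2    defaults        1 2
/dev/hda2   swap    swap    defaults        0 0
none        /proc   proc    defaults        0 0'

# Usage: sh fstab-audit.sh             -> audit the constructed sample
#        sh fstab-audit.sh /etc/fstab  -> audit a real file (silent when clean)
# To repair: harden_fstab < /etc/fstab > /root/fstab.new, review, then copy into place.
case $# in
    0) printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab ;;
    *) audit_fstab < "$1" ;;
esac
```

Run against the sample it reports seven missing options (one on /usr, two each on /var, /tmp and /www); after harden_fstab the same audit reports nothing. The script deliberately never writes /etc/fstab itself: review the output and remount (mount -o remount /tmp) partition by partition, since a wrong noexec on /var or /usr can break installed software.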

System resources can also be limited to make the system safer:

Edit the limits file (vi /etc/security/limits.conf) and add or change the following lines:

*    hard    core    0
*    hard    rss     5000
*    hard    nproc   20

Their meaning: "core 0" forbids the creation of core files; "nproc 20" limits each user to at most 20 processes; "rss 5000" is meant to cap a user's resident memory at 5000 KB (about 5 MB), but Linux kernels do not actually enforce the rss limit, so treat that line as documentation rather than protection. The asterisk "*" makes the entry the default for every user who logs in. These limits apply only to sessions that pass through PAM, and they let you control users' use of processes, core files and memory. Set nproc high enough for the work users really do; too low a value prevents legitimate logins.

Then edit "/etc/pam.d/login" and add the following line at the end of the file:

session required /lib/security/pam_limits.so

Add the same line to the PAM configuration of every other login path (for example sshd, if it is built with PAM support); otherwise users arriving that way are not limited.

2.3 Other settings

1 Disable unneeded services in /etc/inetd.conf by commenting out their lines, then send inetd a HUP signal (killall -HUP inetd) so that it re-reads the file.

2 Set who may reach your system in /etc/hosts.allow and /etc/hosts.deny (tcp_wrappers).
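As an added example (not from the original article), a deny-by-default tcp_wrappers configuration for the two files in item 2. The network 192.168.1. and the service names are assumptions; put your own management network there:

```
# /etc/hosts.deny -- refuse everything that hosts.allow did not accept
ALL: ALL

# /etc/hosts.allow -- exceptions, consulted before hosts.deny
sshd:    192.168.1.                    # management LAN only (trailing dot = prefix match)
in.ftpd: 192.168.1.0/255.255.255.0     # same network, written as net/mask
ALL:     127.0.0.1
```

hosts.allow is consulted first and the first matching rule wins, so the catch-all in hosts.deny only applies to what hosts.allow did not already accept. Only daemons linked against libwrap, or started through tcpd from inetd.conf, honour these files; anything else needs packet filtering instead.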

3 Make the system ignore ping (ICMP echo) requests:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This also hides the host from legitimate monitoring; if that matters, ignore only broadcast echo requests with icmp_echo_ignore_broadcasts instead.

4 Disable IP source routing on your server with the following commands:

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

Add the above commands to the "/etc/rc.d/rc.local" file.

5 Improve the system's resistance to SYN flood attacks:

[root@sound]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Add this command to the "/etc/rc.d/rc.local" file as well.
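The three /proc/sys settings from items 3 to 5 above, as an added example that is not part of the original article: a POSIX shell script with an apply function for rc.local and an audit function for cron, so that you notice when a value has been flipped back. Both take the root of the sysctl tree as an optional argument, which lets the audit run against a constructed copy of the tree without root privileges; the default /proc/sys is the real thing.

```sh
#!/bin/sh
# Added example; not from the original article.  Audits and applies the
# three /proc/sys/net/ipv4 settings from items 3-5 above.  Both functions
# take the root of the sysctl tree as an optional argument so the audit can
# be run against a constructed copy without root privileges, and so that a
# cron job can check that nobody has flipped the values back.

# Print "WEAK path=value (want N)" or "MISSING path" when a setting is wrong.
_report_if_differs() {
    full="$1/$2"; want="$3"
    if [ ! -r "$full" ]; then
        echo "MISSING $2"
    elif [ "$(cat "$full")" != "$want" ]; then
        echo "WEAK $2=$(cat "$full") (want $want)"
    fi
}

# Usage: audit_ipv4_hardening [/proc/sys]; prints nothing when all is well.
audit_ipv4_hardening() {
    root="${1:-/proc/sys}"
    _report_if_differs "$root" net/ipv4/icmp_echo_ignore_all 1   # item 3
    _report_if_differs "$root" net/ipv4/tcp_syncookies 1         # item 5
    # item 4: one accept_source_route file per interface plus "all" and "default"
    for f in "$root"/net/ipv4/conf/*/accept_source_route; do
        if [ -e "$f" ]; then                    # skip the unexpanded glob on an empty tree
            _report_if_differs "$root" "${f#"$root"/}" 0
        fi
    done
}

# Usage (as root): apply_ipv4_hardening [/proc/sys]
apply_ipv4_hardening() {
    root="${1:-/proc/sys}"
    echo 1 > "$root/net/ipv4/icmp_echo_ignore_all"
    echo 1 > "$root/net/ipv4/tcp_syncookies"
    for f in "$root"/net/ipv4/conf/*/accept_source_route; do
        if [ -e "$f" ]; then
            echo 0 > "$f"
        fi
    done
}

# Run directly: "sh ipv4-harden.sh apply" from rc.local,
#               "sh ipv4-harden.sh audit" from cron (output means something changed).
case "${1:-}" in
    audit) audit_ipv4_hardening ;;
    apply) apply_ipv4_hardening ;;
esac
```

Values written to /proc/sys do not survive a reboot, which is why the apply step belongs in rc.local; the audit run from cron catches both a forgotten rc.local entry and a kernel module or script that re-enabled source routing on a newly added interface.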

6 Disable the Control-Alt-Delete soft reboot. Edit the inittab file (vi /etc/inittab) and change this line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Make the change take effect with:

[root@sound]# /sbin/init q

7 Remove the login banner. Edit the "/etc/rc.d/rc.local" file and put "#" in front of these lines:

-
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
-

Then delete the "issue.net" and "issue" files in "/etc". "/etc/issue.net" is the banner shown when a user logs in over the network (telnet or ssh, for example); "/etc/issue" in the same directory is the banner seen at a local login. Both are plain text files and can be edited as needed. If you delete them, however, you must comment out the lines of "/etc/rc.d/rc.local" as described above, otherwise the system recreates both files at every boot.

Resources

www.redhat.com --- Red Hat Linux home site
www.debian.org --- Debian Linux home site
www.linuxforum.net --- China's largest Linux forum
www.linuxbyte.net --- a good domestic general Linux site
www.nsfocus.com --- NSFOCUS (Green Alliance) site
www.securityfocus.com --- general security site abroad

About the author

Jinliang is a network security engineer; he can be contacted at Sound810@sina.com.

Please credit the original when reprinting: https://www.9cbs.com/read-117715.html
