Linux network security experience

zhaozj 2021-02-16

If a potential attacker targets your Linux server, the first thing he will try is a buffer overflow. Over the past few years, buffer overflows have been the most common form of security vulnerability. Worse, buffer overflow vulnerabilities account for the vast majority of remote network attacks, and such an attack can easily give an anonymous Internet user partial or complete control of the host.

To guard against this, pay attention already when installing the system. If you keep data such as log files and mail on the root partition, a flood of logs or spam, for example one produced by a denial-of-service attempt, can fill the partition and crash the system. It is therefore recommended to give /var its own partition for logs and mail, so that the root partition cannot be filled up. It is best to give any program that produces a large volume of logs its own partition as well, and to put /home on a separate partition, so that none of them can fill up /. This avoids the class of malicious attacks that work by overflowing a Linux partition.

§ About BIOS:

Remember to set a BIOS password in the BIOS settings and disable booting from the floppy disk. This prevents an unwelcome person from booting your Linux system with a special boot disk, and stops others from changing the BIOS settings, such as re-enabling floppy boot or starting the server without the password prompt appearing.

§ About password:

The password is the primary means of authenticating users in the system. The default minimum password length when the system is installed is usually 5; to make passwords hard to guess, raise the minimum length to at least 8. To do this, change the parameter PASS_MIN_LEN (minimum length) in the file /etc/login.defs. Password lifetime should also be restricted so that passwords are changed regularly; for that, it is recommended to adjust the parameter PASS_MIN_DAYS (password usage time).

§ About ping:

If no one can ping your machine and get a response, your site's security is greatly enhanced. Add the following line to /etc/rc.d/rc.local so that it runs automatically at every boot; it stops your system from answering any ping request, whether from outside or inside:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

§ About Telnet:

If you want users to log in to your server with Telnet without the server revealing which system it is (this avoids attacks targeted at a specific version), rewrite the telnet line in /etc/inetd.conf like this:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding the -h flag stops the system banner from being displayed; only the login prompt is shown.

§ About privilege:

Disable all the default accounts created by the operating system itself that you do not need, and do it when you install the system. Linux provides a variety of accounts; if you do not need one, remove it. The more accounts you have, the easier the system is to attack.

To delete a user on your system, use the following command: userdel username

To delete a group on your system, use the following command: groupdel groupname

In a terminal, the following commands delete these privileged accounts:

userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel mail

If you do not use the sendmail server, delete these accounts:

userdel news
userdel uucp
userdel operator
userdel games

If you do not use the X Window server, delete this account:

userdel gopher

If you do not allow anonymous FTP, delete this user account:

userdel ftp

§ About the su command:

If you do not want just anyone to be able to su to root, edit the file /etc/pam.d/su and add these lines:

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=isd

This means that only users in the isd group can su to root. If you want a user to be able to become root, add him to that group (group id 10 here) with the following command:

usermod -G10 admin

SUID programs are also very dangerous: they run with EUID = 0 (that is, as root) even when started by ordinary users, so only a small number of programs should have the SUID bit set. Use this command to list the SUID binaries on the system:

# find / -perm -4000 -print

You can remove the SUID bit from programs that do not need it with chmod -s.
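As an added example, not from the original article: the find check above, run against a constructed directory tree and compared with a baseline of SUID binaries you have reviewed, so that only unexpected SUID files are reported. The tree, file names and allow-list are assumptions for the demonstration.

```shell
# Constructed sample tree standing in for "/" (not a real system scan)
SUID_ROOT=$(mktemp -d)
mkdir -p "$SUID_ROOT/bin" "$SUID_ROOT/usr/bin" "$SUID_ROOT/tmp"
for f in bin/su usr/bin/passwd usr/bin/ls tmp/unknown-helper; do
    : > "$SUID_ROOT/$f"
done
# three files get the SUID bit (mode 4755), ls stays a normal binary
chmod 4755 "$SUID_ROOT/bin/su" "$SUID_ROOT/usr/bin/passwd" "$SUID_ROOT/tmp/unknown-helper"
chmod 0755 "$SUID_ROOT/usr/bin/ls"

# Baseline of SUID binaries reviewed and kept on purpose (assumed list,
# paths relative to the scanned root; adapt it to your distribution)
SUID_ALLOWLIST="bin/su usr/bin/passwd"

# The article's listing step: every regular file under $1 with the SUID bit,
# printed relative to the scanned root and sorted for stable comparison
list_suid() {
    find "$1" -type f -perm -4000 | sed "s|^$1/||" | sort
}

# SUID files that are not on the baseline: review each one and, if the
# program does not need it, strip the bit with chmod -s as the article says
unexpected_suid() {
    for f in $(list_suid "$1"); do
        keep=0
        for a in $SUID_ALLOWLIST; do
            if [ "$f" = "$a" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then echo "$f"; fi
    done
}
```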

§ About account logout:

If the system administrator forgets to log out of root before leaving the system, the shell should log out automatically. To do this, set the special Linux variable TMOUT to a timeout. Likewise, an ordinary user who forgets to log out is a hidden danger to system security. Edit /etc/profile so that an account is logged out after a period of inactivity: add the following line after the line that begins with "HISTFILESIZE=":

TMOUT=600

All users will then be logged out automatically after 10 minutes of inactivity. Note: after changing this parameter you must log out and log back in as root for the change to take effect.

§ About system files:

Key system files such as passwd, passwd-, shadow, shadow-, inetd.conf, services and lilo.conf should be protected from accidental modification and from being read by ordinary users. For example, change the permissions of the inetd file to 600:

# chmod 600 /etc/inetd.conf

Make sure the file's owner is root, then mark it immutable:

# chattr +i /etc/inetd.conf

Now any change to the file is refused. You may ask: what if I need to modify it? Only root can clear the immutable flag, after which the file can be edited again:

# chattr -i /etc/inetd.conf

§ About User Resources:

Setting resource limits for all users on your system can prevent DoS-type attacks, for example by limiting the maximum number of processes, the amount of memory, and so on. To apply limits to all users, edit /etc/security/limits.conf and add the following lines:

* hard core 0
* hard rss 5000
* hard nproc 20

You must also edit the file /etc/pam.d/login and check that this line is present:

session required /lib/security/pam_limits.so

The lines above disable core files ("core 0"), limit the number of processes ("nproc 20"), and limit memory to 5 MB ("rss 5000").

§ About NFS Server:

Because NFS servers have many vulnerabilities, you must be careful. If you want to use the NFS network file system service, make sure your /etc/exports has the most stringent access permissions: that means using no wildcards, not allowing root write access, and exporting file systems read-only. Edit /etc/exports and add:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

Here /dir/to/export is the directory you want to export, and host1.mydomain.com is the name of the machine allowed to mount it. ro means the mount is read-only, and root_squash stops root on the client from writing to the directory as root. Finally, for the change to take effect, run /usr/sbin/exportfs -a on the server.
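As an added example, not from the original article: a shell function that audits an /etc/exports file against the three rules just stated (no wildcards, read-only, root_squash) and reports every client entry that breaks one. The sample exports file is constructed for the demonstration.

```shell
# Constructed sample /etc/exports (not from a real server)
EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# sample exports file (constructed)
/dir/to/export  host1.mydomain.com(ro,root_squash) host2.mydomain.com(ro,root_squash)
/home/projects  *.mydomain.com(rw,root_squash)
/srv/backup     host3.mydomain.com(ro,no_root_squash)
/tmp/share      host4.mydomain.com
EOF

# Print one line per violation: "<dir> <client> <problem>"
#   wildcard           client is a wildcard, or missing (exported to everyone)
#   not-read-only      ro is not given explicitly
#   root-not-squashed  no_root_squash lets the client's root write as root
audit_exports() {
    grep -v '^[[:space:]]*#' "$1" | awk '
    NF == 0 { next }
    NF == 1 { print $1, "(everyone)", "wildcard"; next }
    {
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            # split "host(opt,opt)" into the host part and the option list
            if (match(client, /\(.*\)/)) {
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") client = "(everyone)"
            if (client == "(everyone)" || client ~ /[*?]/) print $1, client, "wildcard"
            if (opts !~ /(^|,)ro(,|$)/) print $1, client, "not-read-only"
            if (opts ~ /(^|,)no_root_squash(,|$)/) print $1, client, "root-not-squashed"
        }
    }'
}
```

In the sample only the /dir/to/export line passes; the other three entries each produce at least one finding.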

By default Linux is a powerful system and runs a lot of services. But many of them are not needed, and they are an easy source of security risk. The file /etc/inetd.conf controls which services /usr/sbin/inetd listens for. You may only need telnet and ftp; others such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on should be closed unless you really need them.

First, use the following command to display the services that are not commented out:

grep -v "#" /etc/inetd.conf

And use this command to count the total number of processes before you begin:

ps -eaf | wc -l

It must be pointed out that the following three services have many vulnerabilities, and you are strongly advised to close them: S34ypasswdd (NIS server), S35ypserv (NIS server), and S60nfs (NFS server).

After commenting out the unwanted services in /etc/inetd.conf, run killall -HUP inetd so that inetd reloads its configuration and the services are closed. You can then run

# chattr +i /etc/inetd.conf

if you want the inetd.conf file to be immutable, so that only root can change it; to make it writable again, type the following command:

#chattr -i /etc/inetd.conf

After you have closed some services, use the ps command above again to see how many fewer processes there are. The fewer services run, the safer the system naturally is. Use the following command to see which services are listening:

netstat -na --ip
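As an added example, not from the original article: the grep step above turned into shell functions that list the enabled inetd services, flag the ones on the close-me list from this section, and comment one out. The inetd.conf contents are constructed for the demonstration.

```shell
# Constructed sample inetd.conf (not from a real host)
INETD_SAMPLE=$(mktemp)
cat > "$INETD_SAMPLE" <<'EOF'
# sample inetd.conf (constructed)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -L -i -o
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd -h
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#pop-3  stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF

# The services the article says to close unless you really need them
RISKY_SERVICES="shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# The article's grep step, reduced to the names of the enabled services
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Enabled services that appear on the close-me list
risky_inetd_services() {
    for svc in $(active_inetd_services "$1"); do
        for r in $RISKY_SERVICES; do
            if [ "$svc" = "$r" ]; then echo "$svc"; fi
        done
    done
}

# Print a copy of the file with one service commented out (the "close" step);
# after editing the real /etc/inetd.conf you still run: killall -HUP inetd
disable_inetd_service() {
    sed "s/^\([[:space:]]*$2[[:space:]]\)/#\1/" "$1"
}
```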

If you use Red Hat it is even more convenient ^_^: Red Hat provides a tool to help you turn off services. Run /usr/sbin/setup, then select "System Services" to customize which services run when the system starts. Another option is the chkconfig command, which many Linux distributions ship with. The number in a startup script's name is the order in which it is started, and a script whose name begins with K kills the process instead.

§ About logs:

All logs are under /var/log (on Linux systems). Linux logging is already powerful by default, except for FTP. To make sure every FTP connection is logged, modify /etc/ftpaccess or /etc/inetd.conf. Below is an example of modifying inetd.conf: change the ftp line to the following:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o

Note: -L writes every command of each FTP connection to syslog; -l records each FTP connection; -i records files received in xferlog; -o records files transmitted in xferlog.

But do not trust the logs blindly, because most hackers have the "good" habit of wiping their footprints! If you are still worried, it is best to install a sniffer.

§ About TCP_Wrappers:

By default Red Hat Linux allows all requests, which is very dangerous. Using TCP_Wrappers to enhance your site's security is as easy as raising your hand: put "ALL: ALL" in /etc/hosts.deny to refuse all requests, then put the requests you want to permit in /etc/hosts.allow, for example:

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

This allows the IP address 192.168.1.10 and the host gate.openarch.com to connect via SSH. After the configuration is done, check it with tcpdchk; just run: tcpdchk. tcpdchk is the TCP_Wrappers configuration checker: it examines your TCP Wrapper configuration and reports all potential and existing problems it finds.

§ About patch:

You should regularly visit the home page of your Linux distribution's publisher to find the latest patches. For example, for Red Hat systems you can find patches at http://www.redhat.com/corp/support/errata/. Fortunately, Red Hat versions after 6.1 have an automatic upgrade tool, up2date, which automatically determines which RPM packages need upgrading, then downloads them from the Red Hat site and completes the installation. This saves lazy administrators a lot of effort! ^_^

9CBS ID Yishao (Dragon) (www.94888.net)

Please credit the original address when reposting: https://www.9cbs.com/read-23049.html
