Network security is an important issue. Broadly speaking, the more services you run, the more potential security holes you open. When configured properly, Linux itself is very safe and reliable; even where the system has security defects, Linux's source code is open, so thousands of volunteers find and fix them quickly. This article introduces common techniques for enhancing your network security, using RedHat Linux as the operating environment.
1. Log files. The log files kept by the operating system are an important clue for detecting whether a network intrusion has taken place. This of course assumes that your log files have not been tampered with by the intruder. If you have a server connected directly to the Internet, which means its IP address is a permanently fixed address, you will find that many people make Telnet/FTP login attempts against your system; try running

[root@deep]# more /var/log/secure | grep refused

to check.
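As an added example (not from the original article), here is a small shell helper that summarizes the refused connections tcpd writes to /var/log/secure by source host and by service, so repeat offenders stand out. The log lines are constructed samples in tcpd's syslog format, not a real log.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines in tcpd's syslog format (not a real log).
SAMPLE_SECURE='Sep 20 10:22:06 deep in.telnetd[1203]: refused connect from 192.0.2.17
Sep 20 10:22:44 deep in.ftpd[1207]: connect from gate.openarch.com
Sep 20 10:23:01 deep in.telnetd[1211]: refused connect from 192.0.2.17
Sep 20 10:25:13 deep in.ftpd[1219]: refused connect from 198.51.100.9
Sep 20 10:26:40 deep sshd[1225]: refused connect from 192.0.2.17'

# Count refused tcpd connections per remote host, most frequent first.
# Reads the log text on stdin; each output line is "<count> <host>".
refused_by_host() {
    grep 'refused connect from' |
        awk '{ print $NF }' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Same, broken down by service: output lines are "<count> <service> <host>".
# Field 5 is "daemon[pid]:"; the sub() strips the "[pid]:" part.
refused_by_service() {
    grep 'refused connect from' |
        awk '{ svc = $5; sub(/\[.*/, "", svc); print svc, $NF }' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2, $3 }'
}

# Hosts refused more than N times, one per line (usage: ... | repeat_offenders 2).
repeat_offenders() {
    refused_by_host | awk -v n="$1" '$1 > n { print $2 }'
}

printf '%s\n' "$SAMPLE_SECURE" | refused_by_service
```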
2. Restrict the number of programs carrying the SUID permission flag. A program with this flag runs as root and is a potential security vulnerability; of course some programs must carry it, such as the passwd program.
3. BIOS security. Set a BIOS password and change the boot order so that booting from the floppy drive is disabled.
4. User passwords. The user password is the most basic starting point of Linux security. Many users' passwords are simply 'password', which is the same as opening the door for an intruder. Although any password can be broken given enough time and resources, a good user password is a string of characters that is easy only for its owner to remember, and it is never written down anywhere.
5. The /etc/exports file. If you use the NFS network file system service, make sure your /etc/exports has the most stringent access settings possible: do not use any wildcards, do not allow root write permission, and export file systems read-only. Edit /etc/exports and add lines such as:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine allowed to mount this directory, ro means it is mounted as a read-only file system, and root_squash prevents root from writing to the directory. For the change to take effect, run /usr/sbin/exportfs -a.
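An added example, not from the original article, that audits an /etc/exports file for the weaknesses named above: wildcard clients, rw exports, root_squash not set, an export with no client at all, and options separated from the host by a space (exports(5) then applies those options to everyone, a classic mistake). The sample exports file is constructed.

```shell
#!/bin/sh
# Constructed /etc/exports sample (not from a real host): two safe entries and
# three weak ones (wildcard + rw, no client, options detached from the host).
SAMPLE_EXPORTS='/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/home *.mydomain.com(rw,root_squash)
/pub
/data host3.mydomain.com (rw,no_root_squash)'

# Print one line per problem found: "<path> <client> <reason>".
# Reads exports(5) text on stdin. A client with no trailing "(...)" relies on
# server defaults (rw on old servers); "host (opts)" with a space before the
# parenthesis exports to every host with those options.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
    {
        path = $1
        if (NF == 1) { print path, "-", "no client: exported to all hosts"; next }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (client ~ /^\(/) {
                print path, "*", "options detached from host: " client " applies to everyone"
                continue
            }
            if (match(client, /\(.*\)$/)) {        # split "host(opts)" into its parts
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client ~ /[*?]/)               print path, client, "wildcard client"
            if (opts ~ /(^|,)rw(,|$)/)         print path, client, "rw export"
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print path, client, "no_root_squash: remote root keeps root"
            else if (opts !~ /(^|,)root_squash(,|$)/)
                print path, client, "root_squash not explicit"
        }
    }'
}

# Number of problems in the exports text on stdin.
count_export_problems() { audit_exports | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```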
6. Confirm that the owner of /etc/inetd.conf is root and that the file permission is set to 600.

[root@deep]# chmod 600 /etc/inetd.conf

Ensure that the owner is root:

[root@deep]# stat /etc/inetd.conf
File: "/etc/inetd.conf"
Size: 2869 Filetype: Regular File
Mode: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
Device: 8,6 Inode: 18219 Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:06 1999(00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999(00002.06:12:16)

Edit /etc/inetd.conf and disable the following services: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc., unless you really need them. In particular, disable the r commands. If you use ssh/scp, you can also disable telnet/ftp. For the changes to take effect, run:

[root@deep]# killall -HUP inetd

You can also run

[root@deep]# chattr +i /etc/inetd.conf

to give the file the immutable attribute so that it cannot be changed. Only root can remove that attribute, with the command:

[root@deep]# chattr -i /etc/inetd.conf

7. TCP_Wrappers. By default, RedHat Linux allows all requests; using TCP_Wrappers to enhance your site's security is very easy. Put "ALL: ALL" in /etc/hosts.deny to deny all requests, then put the requests you want to allow into /etc/hosts.allow, for example:

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

This allows the IP address 192.168.1.10 (with netmask 255.255.255.0) and the host name gate.openarch.com to connect via SSH. After configuring, check the result with tcpdchk:

[root@deep]# tcpdchk

tcpdchk is the TCP_Wrappers configuration checker; it examines your TCP wrapper configuration and reports all potential and existing problems it finds.
8. The aliases file. Edit the aliases file /etc/aliases (or /etc/mail/aliases) and remove or comment out the lines marked below:

# Basic system aliases - these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
#games: root        remove or comment out
#ingres: root       remove or comment out
#system: root       remove or comment out
#toor: root         remove or comment out
#uucp: root         remove or comment out
# Well-known aliases.
#manager: root      remove or comment out
#operator: root     remove or comment out
# trap decode to catch security attacks
decode: root
# Person who should get root's mail
#root: marc

Don't forget to run /usr/bin/newaliases afterwards for the changes to take effect.

9. Block your system from responding to any ping request from outside or inside. Since nobody can ping your machine and get a response, this greatly enhances your site's security. You can add the following line to /etc/rc.d/rc.local so that it runs automatically at every startup:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
10. Do not display operating system and version information. If you do not want people logging in to your server to see the operating system and version, change the following line in /etc/inetd.conf:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding the -h flag at the end makes the telnet daemon stop displaying system information; it shows only the login: prompt.
11. The /etc/host.conf file. Edit host.conf (vi /etc/host.conf) and add the lines:

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card (like virtual server, IP aliasing).
multi off
# Check for IP address spoofing.
nospoof on

IP spoofing is a security exploit that works by tricking computers in a trust relationship into believing that you are a trusted host.
12. The /etc/securetty file. This file specifies the tty devices from which root is allowed to log in; /etc/securetty is read at login, and its format is a list of allowed tty names, one per line. For example, you can edit /etc/securetty and comment out the following lines:

tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8

This means root is only allowed to log in on the tty1 terminal.
13. Special accounts. Disable all default accounts created by the operating system itself that you do not need; you should do this when you install the system. Linux provides a variety of accounts that you may not need, and if you don't need an account, remove it. The more accounts you have, the easier the system is to attack.

To delete a user on your system, use the following command:
[root@deep]# userdel username

To delete a group account on your system, use the following command:
[root@deep]# groupdel groupname

Use the following commands to delete these users:
[root@deep]# userdel adm
[root@deep]# userdel lp
[root@deep]# userdel sync
[root@deep]# userdel shutdown
[root@deep]# userdel halt
[root@deep]# userdel mail    (if you do not use the sendmail server, procmail or mailx, delete this account)
[root@deep]# userdel news
[root@deep]# userdel uucp
[root@deep]# userdel operator
[root@deep]# userdel games    (if you do not use the X Window server, delete this account)
[root@deep]# userdel gopher
[root@deep]# userdel ftp    (if you do not allow anonymous FTP, delete this user account)

Use the following commands to delete group accounts:
[root@deep]# groupdel adm
[root@deep]# groupdel lp
[root@deep]# groupdel mail    (if you do not use the sendmail server, remove this group account)
[root@deep]# groupdel news
[root@deep]# groupdel uucp
[root@deep]# groupdel games    (if you do not use X Window, delete this group account)
[root@deep]# groupdel dip
[root@deep]# groupdel pppusers
[root@deep]# groupdel popusers    (if you do not need a POP server, delete this group account)
[root@deep]# groupdel slipusers

Use the following command to add a user account:
[root@deep]# useradd username

Change a user's password with the following command:
[root@deep]# passwd username

Use the chattr command to give the following files the immutable attribute so that they cannot be changed:
[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow
14. Block anyone from using su to become root. If you don't want just anyone to be able to su to root, edit /etc/pam.d/su and add the lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

This means only users in the isd group can su to root. Then, when you want a user to be able to su to root, run the following command:

[root@deep]# usermod -G10 admin

16. Resource limits. Set resource limits for all users on your system to prevent DoS type attacks, for example by limiting the maximum number of processes and the amount of memory. To set limits for all users, edit /etc/security/limits.conf and add:

* hard core 0
* hard rss 5000
* hard nproc 20

You must also edit /etc/pam.d/login and add, or check for the existence of, this line:

session required /lib/security/pam_limits.so

Here "core 0" disables core files, "nproc 20" limits the number of processes, and "rss 5000" limits memory to 5 MB.
17. The /etc/lilo.conf file. a) Add "restricted": put this line below each boot image; it means that booting in single-user mode (linux single) requires a password. b) Add "password=some_password": when used together with restricted, you must enter the password at boot time. You also need to make sure that lilo.conf cannot be read by users other than root, since the password is stored in clear text. Here is an example; edit /etc/lilo.conf and add:

====
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
restricted                # add this line
password=some_password    # add this line
image=/boot/vmlinuz-2.2.12-20
    label=linux
    initrd=/boot/initrd-2.2.12-10.img
    root=/dev/sda6
    read-only
====

[root@deep]# chmod 600 /etc/lilo.conf    (no longer readable by other users)
[root@deep]# /sbin/lilo -v    (update the LILO configuration)
[root@deep]# chattr +i /etc/lilo.conf    (block the file from being modified)
18. Disable the Control-Alt-Delete restart command. Edit /etc/inittab:

[root@deep]# vi /etc/inittab

and change the line

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

then run

[root@deep]# /sbin/init q
19. Reset the permissions of the /etc/rc.d/init.d/ directory:

[root@deep]# chmod -R 700 /etc/rc.d/init.d/*

Only root can then read, write and execute all the script files there.
20. The /etc/rc.d/rc.local file. By default, when you log in to the Linux server, it tells you the Linux distribution name, the kernel version and the server host name. This gives away too much information. If you only want the login: prompt, edit /etc/rc.d/rc.local and put a # in front of the following lines:

--
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
--

then do the following:

[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
[root@deep]# touch /etc/issue
[root@deep]# touch /etc/issue.net

21. The s bits of programs owned by root. Remove the SUID/SGID flag from root-owned programs that do not need it; of course, some programs do need it. Do this with the command 'chmod a-s'. Note: the programs marked with an asterisk (*) in the listing below generally do not need the s-bit flag.
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

 -rwsr-xr-x 1 root root 33120 Mar 21 1999 /usr/bin/at
*-rwsr-xr-x 1 root root 30560 Apr 15 20:03 /usr/bin/chage
*-rwsr-xr-x 1 root root 29492 Apr 15 20:03 /usr/bin/gpasswd
 -rwsr-xr-x 1 root root 3208 Mar 22 1999 /usr/bin/disable-paste
 -rwxr-sr-x 1 root man 32320 Apr 9 1999 /usr/bin/man
 -r-s--x--x 1 root root 10704 Apr 14 17:21 /usr/bin/passwd
 -rws--x--x 2 root root 517916 Apr 6 1999 /usr/bin/suidperl
 -rws--x--x 2 root root 517916 Apr 6 1999 /usr/bin/sperl5.00503
 -rwxr-sr-x 1 root mail 11432 Apr 6 1999 /usr/bin/lockfile
 -rwsr-sr-x 1 root mail 64468 Apr 6 1999 /usr/bin/procmail
 -rwsr-xr-x 1 root root 21848 Aug 27 11:06 /usr/bin/crontab
 -rwxr-sr-x 1 root slocate 15032 Apr 19 14:55 /usr/bin/slocate
*-r-xr-sr-x 1 root tty 6212 Apr 17 11:29 /usr/bin/wall
*-rws--x--x 1 root root 14088 Apr 17 12:57 /usr/bin/chfn
*-rws--x--x 1 root root 13800 Apr 17 12:57 /usr/bin/chsh
*-rws--x--x 1 root root 5576 Apr 17 12:57 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty 8392 Apr 17 12:57 /usr/bin/write
 -rwsr-x--- 1 root squid 14076 Oct 7 14:48 /usr/lib/squid/pinger
 -rwxr-sr-x 1 root utmp 15587 Jun 9 09:30 /usr/sbin/utempter
*-rwsr-xr-x 1 root root 5736 Apr 19 15:39 /usr/sbin/usernetctl
*-rwsr-xr-x 1 root bin 16488 Jul 6 09:35 /usr/sbin/traceroute
 -rwsr-sr-x 1 root root 299364 Apr 19 16:38 /usr/sbin/sendmail
 -rwsr-xr-x 1 root root 34131 Apr 16 18:49 /usr/libexec/pt_chown
 -rwsr-xr-x 1 root root 13208 Apr 13 14:58 /bin/su
*-rwsr-xr-x 1 root root 52788 Apr 17 15:16 /bin/mount
*-rwsr-xr-x 1 root root 26508 Apr 17 20:26 /bin/umount
*-rwsr-xr-x 1 root root 17652 Jul 6 09:33 /bin/ping
 -rwsr-xr-x 1 root root 20164 Apr 17 12:57 /bin/login
*-rwxr-sr-x 1 root root 3860 Apr 19 15:39 /sbin/netreport
 -r-sr-xr-x 1 root root 46472 Apr 17 16:26 /sbin/pwdb_chkpwd

[root@deep]# chmod a-s /usr/bin/chage
[root@deep]# chmod a-s /usr/bin/gpasswd
[root@deep]# chmod a-s /usr/bin/wall
[root@deep]# chmod a-s /usr/bin/chfn
[root@deep]# chmod a-s /usr/bin/chsh
[root@deep]# chmod a-s /usr/bin/newgrp
[root@deep]# chmod a-s /usr/bin/write
[root@deep]# chmod a-s /usr/sbin/usernetctl
[root@deep]# chmod a-s /usr/sbin/traceroute
[root@deep]# chmod a-s /bin/mount
[root@deep]# chmod a-s /bin/umount
[root@deep]# chmod a-s /bin/ping
[root@deep]# chmod a-s /sbin/netreport

You can use the following command to find all programs with the s-bit flag and write the result into the file suid-sgid-results:

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; > suid-sgid-results

To find all world- or group-writable files and directories, use the following commands:

[root@deep]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; > ww-files-results
[root@deep]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; > ww-directories-results

Find files with no owner with the following command:

[root@deep]# find / -nouser -o -nogroup > unowned-results

Find all .rhosts files with the following command:

[root@deep]# find /home -name .rhosts > rhost-results
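Added example, not part of the original article: a shell helper that reads a listing in the format of the find/ls command above, tells setuid from setgid entries, and prints the chmod a-s commands for every set-id program not on a keep list. KEEP_SUID is an assumed site policy and the listing is a constructed excerpt; nothing is executed until you review and run the printed commands.

```shell
#!/bin/sh
# Constructed excerpt in the format of: find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
SAMPLE_SUID='-rwsr-xr-x 1 root root 33120 Mar 21 1999 /usr/bin/at
-r-s--x--x 1 root root 10704 Apr 14 17:21 /usr/bin/passwd
-rwxr-sr-x 1 root tty 8392 Apr 17 12:57 /usr/bin/write
-rwsr-xr-x 1 root root 13208 Apr 13 14:58 /bin/su
-rwsr-xr-x 1 root root 17652 Jul 6 09:33 /bin/ping
-rwxr-xr-x 1 root root 4096 Jan 1 2000 /usr/bin/plain'

# Programs that keep their bit on this host (assumed policy; adjust per site).
KEEP_SUID='/usr/bin/passwd /bin/su /bin/login /bin/mount /bin/umount'

# Reads an ls -l style listing on stdin and prints "suid <path>", "sgid <path>"
# or "suid+sgid <path>" for each entry that really carries a set-id bit.
# In the mode string, char 4 is the owner-exec slot (s/S = setuid) and
# char 7 is the group-exec slot (s/S = setgid).
classify_setid() {
    awk '{
        mode = $1; path = $NF
        u = substr(mode, 4, 1); g = substr(mode, 7, 1)
        su = (u == "s" || u == "S"); sg = (g == "s" || g == "S")
        if (su && sg) print "suid+sgid", path
        else if (su) print "suid", path
        else if (sg) print "sgid", path
    }'
}

# Prints one "chmod a-s <path>" line per set-id program not in KEEP_SUID.
suid_strip_plan() {
    classify_setid | while read -r kind path; do
        keep=0
        for k in $KEEP_SUID; do
            if [ "$k" = "$path" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then echo "chmod a-s $path"; fi
    done
}

printf '%s\n' "$SAMPLE_SUID" | suid_strip_plan
```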