System administrators must read: enhancing the security of a Linux installation!
Release Date: 1999-12-6
Summary: This article introduces system security protection strategies that let system administrators keep intruders out, and discusses some hardening methods for different Linux systems.
--------------------------------------------------------------------------------
Introduction
Break-ins to networked hosts have become a widely discussed topic, and Linux and FreeBSD have become the main targets, including the buffer overflow problems in IMAPD and BIND. Every day, a wide range of "system vulnerabilities" are announced on the Bugtraq mailing list, which has nearly 20,000 subscribers. (If you subscribe to only one security-related mailing list, this is the one not to miss.)
Suppose that of those 19,305 subscribers, at least one intends to write a for() loop that uses a published vulnerability exploit to quickly gain control of hosts on the Internet... that assumption is not far-fetched. In that case your computer may become the next target of attack, at a moment when you may not be able to do anything about it.
Perhaps some "experts" have told you that installing and maintaining a secure computer is as complicated as "space science"; in fact, it is not that difficult. Sound and thorough system administration is enough to protect you from threats coming over the global network, and this article discusses the precautions I generally take when setting up a Red Hat Linux networked system. Although the text provides guidelines for protecting system security, it is by no means a complete reference.
The following steps are meant to keep your system from becoming a victim of security holes in network programs. Special attention: if you are not sure what you are doing, don't do it. Some steps assume you already have the relevant background knowledge. At the end of the article there is also some suggested reading.
System security
1. Remove all unnecessary network services from the system. The fewer ways there are to connect to your computer, the fewer routes an intruder has. In /etc/inetd.conf, comment out every entry you do not need. If the system does not need telnet, disable it; handle ftpd, rshd, rexecd, gopher, chargen, echo, pop3d and so on by the same principle. After editing inetd.conf, don't forget to run 'killall -HUP inetd'. Also, don't overlook the scripts in the /etc/rc.d/init.d directory: some network services (such as bind and the printer daemon) are standalone programs started by the scripts in that directory.
2. Install SSH. SSH replaces the 'r' series of commands; those Berkeley programs are old. The following is taken from the web page at http://www.cs.hut.fi/ssh:
SSH (Secure Shell) is a program for logging into a remote host, executing commands on a remote host, and moving files between two hosts. It provides strong authentication and secure communications over the Internet.
It can also do a number of other things that the curious may find interesting. Download SSH from http://ftp.rge.com/pub/ssh.
3. Use vipw(1) to lock every account that does not need to log in. Note that for accounts whose login shell field is empty, Red Hat Linux defaults to /bin/sh, which may not be what you expect. At the same time, make sure that none of your user accounts has an empty password field. The following is part of a normal password file:
daemon:*:2:2:daemon:/sbin:/bin/sync
adm:*:3:4:adm:/var/adm:/bin/sync
lp:*:4:7:lp:/var/spool/lpd:/bin/sync
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/bin/sync
halt:*:7:0:halt:/sbin:/bin/sync
mail:*:8:12:mail:/var/spool/mail:/bin/sync
news:*:9:13:news:/var/spool/news:/bin/sync
uucp:*:10:14:uucp:/var/spool/uucp:/bin/sync
operator:*:11:0:operator:/root:/bin/sync
games:*:12:100:games:/usr/games:/bin/sync
gopher:*:13:30:gopher:/usr/lib/gopher-data:/bin/sync
ftp:*:14:50:FTP User:/home/ftp:/bin/sync
nobody:*:99:99:Nobody:/:/bin/sync
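As an added example (not part of the original article), the following shell function checks a file in passwd(5) format for the two problems step 3 describes: empty password fields, and system accounts that still carry an interactive shell (an empty shell field is reported as /bin/sh, since that is what Red Hat substitutes). The uid cutoff of 100 for "system account" and the set of shells treated as locked are assumptions.

```shell
#!/bin/sh
# audit_passwd FILE: report entries in a passwd(5)-format file that step 3
# warns about. Added example, not from the original article; the uid < 100
# cutoff for "system account" and the list of locked shells are assumptions.
audit_passwd() {
    awk -F: '
        NF < 7 { next }                            # skip blank or malformed lines
        $2 == "" { print "EMPTY-PASSWORD " $1 }    # anyone can log in as this user
        # System accounts (uid below 100, other than root) should carry a
        # non-interactive shell; an empty field means Red Hat uses /bin/sh.
        $3 + 0 < 100 && $1 != "root" &&
        $7 != "/bin/sync" && $7 != "/bin/false" && $7 != "/sbin/nologin" {
            print "SHELL-ENABLED " $1 " shell=" ($7 == "" ? "/bin/sh(default)" : $7)
        }
    ' "$1"
}

# Constructed sample in the same format as the entries above, so the
# function can be run stand-alone without touching the real /etc/passwd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/bin/sync
lp:*:4:7:lp:/var/spool/lpd:
games::12:100:games:/usr/games:/bin/sync
ftp:*:14:50:FTP User:/home/ftp:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
audit_passwd "$sample"
rm -f "$sample"
```

Run it as 'audit_passwd /etc/passwd' on a real system; every line it prints is an account to lock with vipw(1) or to give a proper password.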
4. Remove the setuid 's' bit from every root-owned program that does not need it. This is done with the 'chmod a-s' command, followed by the file you want to change.
The programs in question include the following, but are not limited to them:
a) programs you never use
b) programs you do not want running with root privileges
c) programs you do use, but which you can run after su(1) to root, so the bit does not matter
I list them below and put an asterisk (*) in front of those that can be changed. Remember that your system still needs some SUID root programs in order to work properly, so be careful.
Alternatively, you can create a special group called 'suidexec', put the trusted user accounts in it, use the chgrp(1) command to change all SUID programs to belong to the suidexec group, and remove execute permission for other users.
# find / -user root -perm -4000 -print
* /bin/ping
* /bin/mount - only root should mount filesystems
* /bin/umount - "
/bin/su - don't change it!
/bin/login
/sbin/pwdb_chkpwd
* /sbin/cardctl - PCMCIA card control tool
* /usr/bin/rcp - use SSH instead
* /usr/bin/rlogin - "
* /usr/bin/rsh - "
* /usr/bin/at - use cron, or disable both
* /usr/bin/lpq - use a modified LPRng
* /usr/bin/lpr - "
* /usr/bin/lprm - "
* /usr/bin/mh/inc
* /usr/bin/mh/msgchk
/usr/bin/passwd - don't change it!
* /usr/bin/suidperl - every new version of suidperl seems to have a buffer overflow problem
* /usr/bin/sperl5.003 - only use it if necessary
/usr/bin/procmail -
* /usr/bin/chfn
* /usr/bin/chsh
* /usr/bin/newgrp
* /usr/bin/crontab
* /usr/X11R6/bin/dga - X11 has many buffer overflow problems
* /usr/X11R6/bin/xterm - "
* /usr/X11R6/bin/XF86_SVGA - "
* /usr/sbin/usernetctl
/usr/sbin/sendmail
* /usr/sbin/traceroute - you should be able to live without it; otherwise su to root to run it
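As an added example (not from the original article), this shell snippet automates the audit in step 4: it lists setuid files owned by a given user under a directory tree, drops the ones the list above says not to change, and can clear the bit on the rest with chmod a-s. The keep-list is taken from the unstarred entries above; the OWNER argument and the scratch-tree demo (so the script can be tried on files you own) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Paths kept setuid are those
# the list above marks "don't change it" or leaves unstarred.
KEEP_LIST="/bin/su /bin/login /sbin/pwdb_chkpwd /usr/bin/passwd /usr/bin/procmail /usr/sbin/sendmail"

# find_extra_suid ROOT_DIR [OWNER]: print every setuid file under ROOT_DIR
# owned by OWNER (default root) whose path relative to ROOT_DIR is not on
# KEEP_LIST. ROOT_DIR is "/" on a real system; a scratch tree for testing.
find_extra_suid() {
    root=${1%/}; owner=${2:-root}                   # root is "" when ROOT_DIR is /
    find "${root:-/}" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null |
    while IFS= read -r path; do
        rel=${path#"$root"}
        keep=0
        for k in $KEEP_LIST; do
            if [ "$rel" = "$k" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then printf '%s\n' "$path"; fi
    done | sort
}

# strip_extra_suid ROOT_DIR [OWNER]: run 'chmod a-s' on each file reported
# by find_extra_suid, printing what was changed. Review the report first.
strip_extra_suid() {
    find_extra_suid "$1" "$2" | while IFS= read -r path; do
        chmod a-s "$path" && printf 'cleared: %s\n' "$path"
    done
}

# Stand-alone demo on a constructed scratch tree owned by the current user.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/usr/bin"
touch "$demo/bin/su" "$demo/bin/ping" "$demo/usr/bin/passwd" "$demo/usr/bin/chsh"
chmod u+s "$demo/bin/su" "$demo/bin/ping" "$demo/usr/bin/passwd" "$demo/usr/bin/chsh"
echo "report:"; find_extra_suid "$demo" "$(id -un)"
strip_extra_suid "$demo" "$(id -un)"
echo "after:";  find_extra_suid "$demo" "$(id -un)"
rm -rf "$demo"
```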
5. Upgrade sendmail. Download the latest source from ftp://ftp.sendmail.org/pub/sendmail and read the documentation after unpacking it. If you have a little more time, also set up smrsh (shipped with sendmail): many people worry about sendmail security, and smrsh is the program mostly concerned with preventing mail from being delivered to harmful programs. Finally, edit the sendmail.cf file and set the 'PrivacyOptions' option to 'goaway':
O PrivacyOptions=goaway
If you do not intend to receive email from the Internet on this host, do not run sendmail as a daemon ('sendmail -bd')! In that case, disable /etc/rc.d/init.d/sendmail.init and run the 'killall -TERM sendmail' command. You will still be able to send mail out.
6. If you run bind, remember to upgrade it. The latest version of BIND can be found at http://www.isc.org; otherwise, shut it down entirely.
7. Rebuild the kernel. If the default kernel is too big, I usually recompile it. Tip: enable all the firewall options, even if your computer is not a firewall.
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
# CONFIG_IP_FORWARD is not set
# CONFIG_IP_MULTICAST is not set
CONFIG_SYN_COOKIES=y
CONFIG_RST_COOKIES=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
# CONFIG_IP_MASQUERADE is not set
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ACCT=y
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
CONFIG_IP_ALIAS=m
8. Apply all known software fixes. They can be found on Red Hat's errata page (please check http://www.redhat.com/support/docs/errata.html for the patches that suit your version); Red Hat does a fairly good job of keeping these pages up to date. The pages also include the RPM files you should use; install them according to the instructions.
9. Set up tcp_wrappers: tcp_wrappers can be used to control which computers on the network may "talk" to your computer. This package was written by the security expert Wietse Venema. It manages the programs started through inetd (or linked with it), and parses its configuration files to decide whether to accept or reject a network connection request. For example, to allow yourself to telnet and ftp in from home through your ISP while rejecting all other connections, write the following in /etc/hosts.allow:
in.ftpd: .dialup.your-isp.com: allow
ALL: ALL: deny
SSH, sendmail and other programs can also be built with tcp_wrappers support. Please read the tcpd(1) documentation for further information.
Suggested reading
Solar Designer's Secure Linux patches:
http://www.false.com/security/linux/
Replay.com's Red Hat crypto pages:
http://www.replay.com/redhat/
"Improving the Security of Your Site by Breaking Into It":
http://www.alw.nih.gov/security/docs/admin-guide-to-cracking.101.html
Slashdot carries the latest news in a timely manner:
http://www.slashdot.org
For the latest software update status, check Freshmeat regularly:
http://www.freshmeat.net
"Smashing the Stack for Fun and Profit":
http://reality.sgi.com/nate/machines/security/p49-14-aleph-one
Written by Penelope Marr