System administrator must read: Enhance system security for Linux installation suite!

Posted by zhaozj, 2021-02-11


Release date: 1999-12-06


Summary: This article introduces system security protection strategies that allow system administrators to keep intruders out, and discusses some hardening methods for different Linux systems.

--------------------------------------------------------------------------------

Introduction

Many people have begun to discuss the topic of intrusions into networked hosts at length, and Linux and FreeBSD have recently become the main targets, with problems such as the buffer overflows in IMAPD and BIND. Every day a wide range of "system vulnerabilities" is announced on the Bugtraq mailing list, which has nearly 20,000 subscribers. (If you want to subscribe to only one mailing list on system security, this is the one not to miss.)

Suppose that among those 19,305 subscribers at least one intends to write a for() loop around a published exploit in order to quickly take control of hosts across the Internet... Such an assumption is not far-fetched. In that case your computer has become the next target, possibly before you can do anything about it.

Perhaps some "experts" have led you to believe that installing and maintaining a secure computer is as complicated as "space science"; in fact it is not so difficult. Sound system administration will protect you from threats coming off the global network. This article discusses the precautions I generally take when setting up a networked Red Hat Linux system. Although the text provides guidelines for protecting system security, it is by no means a complete reference.

The following steps are meant to keep your system from becoming the victim of a security vulnerability in a network program. Special attention: if you are not sure what you are doing, don't do it. Some steps assume that you already have the relevant background knowledge. At the end of the article there are also some suggestions for reference reading.

System security

1. Remove all unnecessary network services from the system. The fewer ways there are to connect to your computer, the fewer routes an intruder has. In the /etc/inetd.conf file, comment out every entry you do not need. If the system does not need telnet, disable it, and treat ftpd, rshd, rexecd, gopher, chargen, echo, pop3d and the rest on the same principle. After editing inetd.conf, don't forget to run 'killall -HUP inetd' so that the change takes effect. Also, don't ignore the contents of the /etc/rc.d/init.d directory: some network services (such as bind and the printer daemon) are standalone programs started by the scripts in that directory.
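As an added example, not part of the original article, the following shell script carries out step 1 on whatever inetd.conf you hand it: every service not on an explicit allowlist is commented out, and the services still active are listed so you can confirm the result before reloading inetd. The allowlist, the sample file contents and the temporary paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Hardens an inetd.conf by
# commenting out every service that is not on an allowlist. Operates on
# whatever file you pass, so you can test it on a copy before touching
# /etc/inetd.conf. Paths and the allowlist below are illustrative.
set -u

skip_re='^[[:space:]]*(#|$)'   # blank lines and comments

# harden_inetd_conf <inetd.conf> "<svc> <svc> ..." : hardened file on stdout
harden_inetd_conf() {
    local conf="$1" allow=" $2 " line svc rest
    while IFS= read -r line || [ -n "$line" ]; do
        if [[ $line =~ $skip_re ]]; then
            printf '%s\n' "$line"      # already inactive; pass through
            continue
        fi
        # inetd.conf fields: service socket-type protocol wait user server args
        read -r svc rest <<<"$line"
        case "$allow" in
            *" $svc "*) printf '%s\n' "$line" ;;     # keep
            *)          printf '#%s\n' "$line" ;;    # disable
        esac
    done <"$conf"
}

# enabled_services <inetd.conf> : names of services still active, one per line
enabled_services() {
    awk -v re="$skip_re" '$0 !~ re { print $1 }' "$1"
}

# Demonstration on a constructed file (not a real system's configuration).
demo() {
    local sample hardened
    sample=$(mktemp) hardened=$(mktemp)
    printf '%s\n' \
        'ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd' \
        'shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd' \
        'pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d' \
        'echo    stream  tcp  nowait  root  internal' >"$sample"
    harden_inetd_conf "$sample" "ftp" >"$hardened"
    echo "still enabled:"; enabled_services "$hardened"
    rm -f "$sample" "$hardened"
}
# For the real file: harden_inetd_conf /etc/inetd.conf "ftp" > /etc/inetd.conf.new,
# review it, move it into place, then reload with: killall -HUP inetd
# Standalone daemons (bind, lpd, ...) are started from /etc/rc.d/init.d and
# must be disabled there separately; inetd.conf does not control them.
demo
```

Keeping the disabled entries as comments rather than deleting them preserves a record of what the distribution shipped, which is useful when you later need one of them back.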

2. Install SSH. SSH is a replacement for the Berkeley 'r' commands (rsh, rlogin, rcp), which are showing their age. The following is taken from the web page at http://www.cs.hut.fi/ssh:

SSH (Secure Shell) is a program for logging into a remote host, executing commands on a remote host, and moving files between two hosts. It provides strong authentication and secure communication over the Internet.

It can also do a few other things that the curious may find interesting. Download SSH from http://ftp.rge.com/pub/ssh.

3. Use vipw(1) to lock every account that does not need to log in. Note that for accounts whose login-shell field is empty, Red Hat Linux defaults the shell to /bin/sh, which may not be what you expect. At the same time, make sure that none of your user accounts has an empty password field. The following are some entries from a normal password file:

daemon:*:2:2:daemon:/sbin:/bin/sync
adm:*:3:4:adm:/var/adm:/bin/sync
lp:*:4:7:lp:/var/spool/lpd:/bin/sync
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/bin/sync
halt:*:7:0:halt:/sbin:/bin/sync
mail:*:8:12:mail:/var/spool/mail:/bin/sync
news:*:9:13:news:/var/spool/news:/bin/sync
uucp:*:10:14:uucp:/var/spool/uucp:/bin/sync
operator:*:11:0:operator:/root:/bin/sync
games:*:12:100:games:/usr/games:/bin/sync
gopher:*:13:30:gopher:/usr/lib/gopher-data:/bin/sync
ftp:*:14:50:FTP User:/home/ftp:/bin/sync
nobody:*:99:99:Nobody:/:/bin/sync
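The checks step 3 asks for can be automated. The script below is an added example, not from the original article: it audits a passwd(5)-format file for empty password fields, extra UID-0 accounts, empty shell fields (which login treats as /bin/sh) and system accounts that still have an interactive shell, and shows what a locked entry looks like. The sample file is constructed; on a real system work on a copy and apply changes through vipw(8), which takes the lock on /etc/passwd for you.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Audits a passwd(5)-format file
# for the conditions step 3 warns about and shows how a locked entry looks.
# Work on a copy; edit the real file only through vipw(8), which locks it.
set -u

# audit_passwd <file> : one finding per line as "<CODE> <user>"; returns 1 if any
audit_passwd() {
    awk -F: '
        NF != 7                  { print "BAD_FIELD_COUNT " $1; hits++; next }
        $2 == ""                 { print "EMPTY_PASSWORD " $1; hits++ }   # anyone logs in
        $3 == 0 && $1 != "root"  { print "EXTRA_UID0 " $1; hits++ }       # second superuser
        $7 == ""                 { print "EMPTY_SHELL " $1; hits++ }      # login uses /bin/sh
        $3 > 0 && $3 < 100 && $7 ~ /\/(ba|k|tc|c|z)?sh$/ {
                                   print "SYSTEM_ACCOUNT_WITH_SHELL " $1; hits++ }
        END { exit hits > 0 }
    ' "$1"
}

# lock_entries <file> <user>... : print the file with those users locked, i.e.
# password field "*" (matches no hash) and the non-interactive shell the
# article's own sample entries use, /bin/sync.
lock_entries() {
    local file="$1"; shift
    awk -F: -v OFS=: -v users=" $* " '
        index(users, " " $1 " ") { $2 = "*"; $7 = "/bin/sync" }
        { print }
    ' "$file"
}

# Demonstration on a constructed file (not a real /etc/passwd).
demo() {
    local pf; pf=$(mktemp)
    cat >"$pf" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/bin/sync
toor::0:0:second root:/root:/bin/bash
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    echo "findings:"; audit_passwd "$pf" || true
    echo "after locking toor and games:"; lock_entries "$pf" toor games
    rm -f "$pf"
}
demo
```

The UID threshold of 100 follows the sample entries above, where every system account has a UID below 100 and nobody is 99; adjust it if your site allocates UIDs differently. A "*" in the password field can never match a crypt() hash, so the account stays usable by daemons but cannot be logged into with a password.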

4. Remove the setuid ('s') bit from every root-owned program that does not need it, where doing so breaks nothing. This is done with the 'chmod a-s' command followed by the file to change. Such programs include, but are not limited to:

a) programs you never use

b) programs you do not want ordinary users to run with root privileges

c) programs you do use, but can run after becoming root with su(1)

Below I list the setuid programs found on a system and put an asterisk (*) in front of those whose privileges can go. Remember that your system still needs some setuid-root programs in order to work properly, so don't remove the bit carelessly.

Alternatively, you can create a special group called 'suidexec', place the trusted user accounts in it, use chgrp(1) to move all setuid programs into the suidexec group, and remove the execute permission for everyone else.

# find / -user root -perm -u+s

* /bin/ping
* /bin/mount  - only root should mount filesystems
* /bin/umount - "
  /bin/su     - don't change it!
  /bin/login
  /sbin/pwdb_chkpwd
* /sbin/cardctl - PCMCIA card control tool
* /usr/bin/rcp    - use ssh
* /usr/bin/rlogin - "
* /usr/bin/rsh    - "
* /usr/bin/at   - use cron, or disable both
* /usr/bin/lpq  - switch to LPRng
* /usr/bin/lpr  - "
* /usr/bin/lprm - "
* /usr/bin/mh/inc
* /usr/bin/mh/msgchk
  /usr/bin/passwd - don't change it!
* /usr/bin/suidperl - every new version of suidperl seems to have a buffer overflow problem
* /usr/bin/sperl5.003 - only use it if necessary
  /usr/bin/procmail
* /usr/bin/chfn
* /usr/bin/chsh
* /usr/bin/newgrp
* /usr/bin/crontab
* /usr/X11R6/bin/dga   - X11 has many buffer overflow problems
* /usr/X11R6/bin/xterm - "
* /usr/X11R6/bin/XF86_SVGA - "
* /usr/sbin/usernetctl
  /usr/sbin/sendmail
* /usr/sbin/traceroute - you can put up with typing the root password to run it
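Step 4 turned into a script, as an added example that is not part of the original article: it lists the setuid programs under a tree, strips the bit from every one whose path is not on an allowlist (the "don't change it" entries above), and offers the article's alternative of keeping the bit but restricting execution to the suidexec group. The scratch directory, file names and allowlist are constructed for the demonstration; on a real system the tree is / and the script runs as root.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Implements step 4: find setuid
# programs under a tree and strip the bit from every one not on an allowlist,
# or, as the article's alternative, keep the bit and restrict execution to the
# trusted group "suidexec". Allowlist contents, the tree and file names are
# illustrative; run with / as the tree and as root for the real thing.
set -u

# list_suid <dir> : setuid files under <dir>, one path per line.
# On a real system this is what the article's "find / -user root -perm -u+s" shows.
list_suid() { find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort; }

# strip_suid <dir> <allowlist-file> : chmod u-s every setuid file whose exact
# path is not a line of <allowlist-file>; prints the paths it changed.
strip_suid() {
    local dir="$1" allow="$2" f
    list_suid "$dir" | while IFS= read -r f; do
        if ! grep -qxF -- "$f" "$allow"; then
            chmod u-s -- "$f" && printf '%s\n' "$f"
        fi
    done
}

# group_restrict_suid <file>... : the article's alternative: owner root keeps
# the setuid bit, group suidexec may execute, nobody else may (mode 4750).
# Requires the group to exist (e.g. groupadd suidexec; usermod -G suidexec alice).
group_restrict_suid() {
    getent group suidexec >/dev/null || { echo 'group suidexec missing' >&2; return 1; }
    chgrp suidexec -- "$@" && chmod 4750 -- "$@"
}

# Demonstration in a scratch directory: "su" stands for the article's
# "don't change it" entry, "rsh" for a starred one, so only rsh loses its bit.
demo() {
    local d allow
    d=$(mktemp -d) allow=$(mktemp)
    touch "$d/su" "$d/rsh"
    chmod 4755 "$d/su" "$d/rsh"
    printf '%s\n' "$d/su" >"$allow"        # constructed allowlist
    echo "stripped:"; strip_suid "$d" "$allow"
    echo "still setuid:"; list_suid "$d"
    rm -rf "$d" "$allow"
}
demo
```

Keep the output of list_suid from the first run: comparing it against a later run is a cheap way to notice a setuid binary that a package upgrade or an intruder has added.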

5. Upgrade sendmail. Download the latest source from ftp://ftp.sendmail.org/pub/sendmail and read the documentation after unpacking it. If you have a little more time, also set up smrsh (shipped with sendmail), the restricted shell for sendmail: many of the sendmail security problems people worry about involve mail being delivered to a harmful program, and smrsh was designed with exactly that in mind. Finally, edit the sendmail.cf file and set the PrivacyOptions option to goaway:

O PrivacyOptions=goaway

If you do not intend to receive mail from the Internet on this host, don't run 'sendmail -bd' at all! In that case, disable /etc/rc.d/init.d/sendmail.init and run the 'killall -TERM sendmail' command. You can still send mail out.

6. If you run bind, remember to upgrade it. The latest version of BIND is available from http://www.isc.org; otherwise, turn it off altogether.

7. Rebuild the kernel. If the default kernel is too big, I usually recompile it. Tip: turn on all the firewall options, even if your computer is not a firewall:

CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
# CONFIG_IP_FORWARD is not set
# CONFIG_IP_MULTICAST is not set
CONFIG_SYN_COOKIES=y
CONFIG_RST_COOKIES=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
# CONFIG_IP_MASQUERADE is not set
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ACCT=y
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
CONFIG_IP_ALIAS=m

8. Apply the fixes for all known software problems. They can be found on Red Hat's errata page (check http://www.redhat.com/support/docs/errata.html and find the patches for your version). Red Hat does a pretty good job of keeping these pages up to date. The pages also include RPM packages you should use; install them according to the instructions given.

9. Set up tcp_wrappers: tcp_wrappers lets you control which computers on the network may "talk" to yours. This package was written by security expert Wietse Venema. It wraps the programs started via inetd (or programs linked against the tcpd library), consulting its configuration files to decide whether to refuse or accept a connection request. For example, to allow yourself to telnet and FTP in from home through your ISP while rejecting all other connections, put the following in /etc/hosts.allow:

in.ftpd: .dialup.your-isp.com: allow

ALL: ALL: deny

SSH, sendmail and other programs can be built with tcp_wrappers support. Read the tcpd(8) and hosts_access(5) manual pages for further information.
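To see how tcpd will read a rule file before putting it live, the following added example (not part of the original article) emulates tcpd's first-match evaluation of hosts.allow rules in the extended "daemons : clients : allow|deny" form used above. It covers only ALL, leading-dot domain suffixes, trailing-dot address prefixes and exact names; the rule file and hostnames are constructed, and the authoritative checker remains tcpdmatch(8) from the tcp_wrappers package.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. A small emulator of how tcpd(8)
# evaluates hosts.allow rules written in the extended "daemons : clients :
# allow|deny" form the article uses, so a rule file can be reasoned about
# before it goes live. It understands ALL, leading-dot domain suffixes,
# trailing-dot address prefixes and exact names only; the real reference
# checker is tcpdmatch(8), which ships with tcp_wrappers.
set -u

# _list_match <list> <value> <daemon|client> : 0 if any comma-separated
# item of <list> matches <value> under tcpd's pattern rules.
_list_match() {
    local list="$1" value="$2" kind="$3" item
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case "$kind:$item" in
            *:ALL)      return 0 ;;
            daemon:*)   if [ "$item" = "$value" ]; then return 0; fi ;;
            client:.*)  case "$value" in *"$item") return 0 ;; esac ;;   # .dialup.isp.com
            client:*.)  case "$value" in "$item"*) return 0 ;; esac ;;   # 10.0.0.
            client:*)   if [ "$item" = "$value" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# tcpd_decide <rules-file> <daemon> <client-host-or-ip> : prints allow or deny.
# First matching rule wins. A matching rule without a verdict field grants
# access (hosts.allow semantics). If no rule matches at all, tcpd grants
# access, which is why the article ends the file with "ALL: ALL: deny".
tcpd_decide() {
    local file="$1" daemon="$2" client="$3" line d c v
    local skip_re='^[[:space:]]*(#|$)'
    while IFS= read -r line || [ -n "$line" ]; do
        if [[ $line =~ $skip_re ]]; then continue; fi
        IFS=: read -r d c v <<<"$line"
        d=${d//[[:space:]]/}; c=${c//[[:space:]]/}; v=${v//[[:space:]]/}
        if _list_match "$d" "$daemon" daemon && _list_match "$c" "$client" client; then
            printf '%s\n' "${v:-allow}"
            return 0
        fi
    done <"$file"
    printf 'allow\n'
}

# Demonstration with the article's two rules in a constructed file.
demo() {
    local rf who; rf=$(mktemp)
    printf '%s\n' 'in.ftpd: .dialup.your-isp.com: allow' 'ALL: ALL: deny' >"$rf"
    for who in 'in.ftpd ppp3.dialup.your-isp.com' 'in.ftpd host.example.net' \
               'in.telnetd ppp3.dialup.your-isp.com'; do
        set -- $who
        printf '%-12s from %-28s -> %s\n' "$1" "$2" "$(tcpd_decide "$rf" "$1" "$2")"
    done
    rm -f "$rf"
}
demo
```

Running the demonstration shows one thing worth checking in the article's own rules: as printed, they open only in.ftpd, so a telnet connection from the ISP is refused by the final ALL: ALL: deny line. To admit telnet as the text intends, the daemon list of the first rule needs in.telnetd as well (daemon lists are comma-separated).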

Reference reading

Solar Designer's Secure Linux patches:
http://www.false.com/security/linux/

Replay.com Red Hat crypto pages:
http://www.replay.com/redhat/

Improving the Security of Your Site by Breaking Into It:
http://www.alw.nih.gov/security/docs/admin-guide-to-cracking.101.html

Slashdot carries the latest news promptly:
http://www.slashdot.org

For the latest software update status, check Freshmeat regularly:
http://www.freshmeat.net

Smashing the Stack for Fun and Profit:
http://reality.sgi.com/nate/machines/security/p49-14-aleph-one

Article by Penelope Marr

Please credit the original URL when reposting: https://www.9cbs.com/read-3527.html
