Linux network security and optimization
Release Date: 1999-12-13
Translated by Jephe Wu
Introduction
Network security is a very important issue. Basically, the more services you run, the more security holes you may open. If it is configured properly, Linux itself is very safe and reliable, and when a security defect does exist in the Linux system, the fact that Linux's source code is open means that thousands of volunteers will quickly discover and fix it. This article introduces general techniques used to enhance and optimize your site's security, using Red Hat Linux as the operating environment.
Part 1: Basic network security
1. Log files. The log files inside the operating system are an important clue for detecting whether a network intrusion has taken place. Of course, this assumes that your log files have not been tampered with by the intruder. If you have a server connected directly to the Internet, which means your IP address is a permanent, fixed address, you will find that many people make telnet/FTP login attempts against your system. Try running
[root@deep]# grep refused /var/log/secure
to check: tcpd (the TCP_WRAPPERS daemon) logs every connection it refuses there.
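As an added example (not code from the original article), the following Python script runs the same check programmatically over a few constructed /var/log/secure lines and groups the tcpd refusals by source and service, so that a repeat offender stands out as a candidate for /etc/hosts.deny. The hostnames, addresses, pids and timestamps in the sample are invented; only the message format ("<daemon>[pid]: refused connect from <client>") is the one tcpd really writes.

```python
"""Summarize tcp_wrappers refusals from /var/log/secure.

Added example; the log lines in SAMPLE_SECURE_LOG are constructed for
illustration (tcpd's real message format is "<daemon>[pid]: refused
connect from <client>", the hosts and times here are invented).
"""
import re
from collections import Counter, defaultdict

SAMPLE_SECURE_LOG = """\
Dec 13 02:11:05 deep in.telnetd[1432]: refused connect from 10.0.0.5
Dec 13 02:11:09 deep in.ftpd[1433]: refused connect from 10.0.0.5
Dec 13 02:11:12 deep in.telnetd[1434]: refused connect from 10.0.0.5
Dec 13 02:11:15 deep in.telnetd[1435]: refused connect from 10.0.0.5
Dec 13 03:40:51 deep sshd[1502]: refused connect from badhost.example.net
Dec 13 04:02:13 deep in.telnetd[1610]: connect from 192.168.1.10
Dec 13 04:02:20 deep login: LOGIN ON ttyp0 BY admin FROM 192.168.1.10
"""

# syslog prefix (month day time host), then "<daemon>[<pid>]: refused connect from <client>"
REFUSED_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"
    r"(?P<daemon>[\w.-]+)\[\d+\]:\s+refused connect from\s+(?P<client>\S+)\s*$"
)

def parse_refusals(log_text):
    """Yield (daemon, client) for every refusal line; other lines are ignored."""
    for line in log_text.splitlines():
        m = REFUSED_RE.match(line)
        if m:
            yield m.group("daemon"), m.group("client")

def summarize(log_text):
    """Return {client: Counter({daemon: count})} for refused connections."""
    by_client = defaultdict(Counter)
    for daemon, client in parse_refusals(log_text):
        by_client[client][daemon] += 1
    return dict(by_client)

def noisy_clients(log_text, threshold=3):
    """Clients with at least `threshold` refusals, busiest first."""
    totals = {c: sum(d.values()) for c, d in summarize(log_text).items()}
    return sorted((c for c, n in totals.items() if n >= threshold),
                  key=lambda c: (-totals[c], c))

if __name__ == "__main__":
    # Real use: summarize(open("/var/log/secure").read())
    for client, daemons in summarize(SAMPLE_SECURE_LOG).items():
        print(f"{client:24s} {dict(daemons)}")
    print("repeat offenders:", noisy_clients(SAMPLE_SECURE_LOG))
```

Successful connections ("connect from" without "refused") and login records are deliberately left out of the summary, so a host that appears in it has been turned away by hosts.deny at least once.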
2. Restrict the number of programs carrying the SUID permission bit. A program with this bit set runs with the privileges of its owner (root, for the programs that matter) no matter who invokes it, so every one of them is a potential security hole. Of course, some programs must have the bit, such as passwd.
3. BIOS security. Set a BIOS password and change the boot order so that booting from the floppy drive is disabled.
4. User passwords. The user password is the most basic starting point of Linux security. Many users choose trivial passwords, which is the same as opening the door for an intruder. Although in theory there is no uncrackable password (given enough time and resources any password can be recovered), a good password is a string of characters that only its owner can easily remember, and it is never written down anywhere.
5. The /etc/exports file. If you use the NFS network file system service, make sure your /etc/exports has the most restrictive access settings possible: do not use any wildcards, do not allow root write access, and export file systems read-only. Edit /etc/exports and add lines such as:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to export, and host1.mydomain.com and host2.mydomain.com are the names of the machines allowed to mount it.
ro means the export is mounted read-only; root_squash maps requests from uid 0 on the client to the anonymous user, so the client's root cannot write to this directory as root. There must be no space between the hostname and the opening parenthesis: "host(ro)" restricts the export to that host, whereas "host (ro)" exports it to that host with default options and to everybody else read-only.
To make the change take effect, run /usr/sbin/exportfs -a
6. Make sure the owner of /etc/inetd.conf is root and that its permissions are 600.
[root@deep]# chmod 600 /etc/inetd.conf
Ensure that the owner is root:
[root@deep]# stat /etc/inetd.conf
  File: "/etc/inetd.conf"
  Size: 2869          Filetype: Regular File
  Mode: (0600/-rw-------)   Uid: (0/root)   Gid: (0/root)
Device: 8,6   Inode: 18219   Links: 1
Access: Wed Sep 22 16:24:16 1999 (00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999 (00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999 (00002.06:12:16)
Edit /etc/inetd.conf and disable (comment out with #) the following services unless you really need them:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc.
In particular, disable the r-commands (shell, login, exec). If you use ssh/scp, you can also disable telnet/ftp.
To make the change take effect, send inetd a HUP signal:
[root@deep]# killall -HUP inetd
You can also run
[root@deep]# chattr +i /etc/inetd.conf
to set the immutable attribute so the file cannot be changed. Only root can remove the attribute, with the command
[root@deep]# chattr -i /etc/inetd.conf
7. TCP_WRAPPERS
By default, Red Hat Linux allows all requests. Using TCP_WRAPPERS to enhance your site's security is easy: put "ALL: ALL" in /etc/hosts.deny so that every request is refused by default, then place the requests you explicitly want to allow in /etc/hosts.allow, for example:
sshd: 192.168.1.10/255.255.255.0 gate.openarch.com
Note that a net/mask pattern such as 192.168.1.10/255.255.255.0 matches every address on the 192.168.1.0/24 network, not just 192.168.1.10. To allow only the single IP address 192.168.1.10 and the host gate.openarch.com to connect via SSH, write the address without a mask:
sshd: 192.168.1.10 gate.openarch.com
Remember that hosts.allow is consulted first and the first matching rule wins, and that only services started through tcpd (or daemons built with libwrap support, such as sshd) are controlled by these files.
After the configuration is finished, check it with tcpdchk:
[root@deep]# tcpdchk
tcpdchk is the TCP_WRAPPERS configuration checker; it examines your tcp wrapper configuration and reports all the potential and existing problems it finds.
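The following Python model of tcpd's decision is an added example, not code from the original article or from the tcp_wrappers package. It implements the subset of the hosts_access(5) client patterns that matter here (ALL, LOCAL, ".domain" suffix, "net." prefix, net/mask, exact host or address) and the allow-first, deny-second, default-allow evaluation order, to show concretely that 192.168.1.10/255.255.255.0 admits every host on 192.168.1.0/24. EXCEPT lists, shell commands and the KNOWN/UNKNOWN/PARANOID wildcards are not modelled, and the client addresses and names used are invented.

```python
"""A small model of tcpd's hosts.allow / hosts.deny evaluation.

Added example. Covers ALL, LOCAL, ".domain", "net.", "net/mask" and exact
patterns; EXCEPT, shell commands and KNOWN/UNKNOWN/PARANOID are omitted.
"""
import ipaddress

def match_client(pattern, client_ip, client_host=None):
    """Does one client_list token match the client, per hosts_access(5)?"""
    host = client_host.lower() if client_host else None
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # any hostname without a dot
        return host is not None and "." not in host
    if "/" in pattern:                        # net/mask, e.g. 192.168.1.10/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.startswith("."):               # domain suffix, e.g. .openarch.com
        return host is not None and host.endswith(pattern.lower())
    if pattern.endswith("."):                 # address prefix, e.g. 192.168.
        return client_ip.startswith(pattern)
    return pattern == client_ip or pattern.lower() == host

def parse_access_file(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        fields = line.split(":")              # a third field (shell command) is ignored
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules

def first_match(rules, daemon, client_ip, client_host=None):
    """True if any rule names this daemon and matches this client."""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(match_client(c, client_ip, client_host) for c in clients):
                return True
    return False

def hosts_access(hosts_allow, hosts_deny, daemon, client_ip, client_host=None):
    """tcpd's order: a hosts.allow match grants, then a hosts.deny match
    refuses, and a client matching neither file is granted access."""
    if first_match(parse_access_file(hosts_allow), daemon, client_ip, client_host):
        return True
    if first_match(parse_access_file(hosts_deny), daemon, client_ip, client_host):
        return False
    return True

HOSTS_DENY = "ALL: ALL\n"
# the net/mask form admits the whole 192.168.1.0/24 network
HOSTS_ALLOW_NETMASK = "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com\n"
# a bare address admits only that host
HOSTS_ALLOW_SINGLE = "sshd: 192.168.1.10 gate.openarch.com\n"

if __name__ == "__main__":
    for allow in (HOSTS_ALLOW_NETMASK, HOSTS_ALLOW_SINGLE):
        print(allow.strip())
        for ip in ("192.168.1.10", "192.168.1.77"):
            print("  sshd from", ip, "->", hosts_access(allow, HOSTS_DENY, "sshd", ip))
```

The last branch of hosts_access is the one to remember: with an empty hosts.deny, everything that is not explicitly listed is allowed, which is why the "ALL: ALL" line in hosts.deny has to come first.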
8. The aliases file
Edit the aliases file /etc/aliases (or /etc/mail/aliases) and remove or comment out the following lines:
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
#games: root        <- remove or comment out
#ingres: root       <- remove or comment out
nobody: root
#system: root       <- remove or comment out
#toor: root         <- remove or comment out
#uucp: root         <- remove or comment out
# Well-known aliases.
#manager: root      <- remove or comment out
#dumper: root       <- remove or comment out
#operator: root     <- remove or comment out
# trap decode to catch security attacks
#decode: root
# Person who should get root's mail
#root: marc
Don't forget to run /usr/bin/newaliases after the last update to make the change take effect.
9. Stop your system from responding to any ping request, from outside or inside.
If nobody can ping your machine and get a reply, your site is harder to find and map with simple sweeps. You can add the following line to /etc/rc.d/rc.local so that it runs automatically at every boot:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Bear in mind that this only suppresses echo replies; it does not stop other probes and is no substitute for a packet filter, and it also breaks legitimate diagnostics and monitoring that rely on ping.
10. Do not display operating system and version information.
If you want people to log in to your server without being shown the operating system and version, change the telnet line in /etc/inetd.conf so that it looks like this:
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd -h
With the -h flag added at the end, the telnet daemon no longer displays the system information banner and shows only the login: prompt.
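As an added example (not the article's own code) serving items 6 and 10 together, the following Python script audits an inetd.conf the way those items describe: it reports the listed risky services that are still enabled, flags the r-commands specifically, points out entries that bypass tcpd (and so are not covered by hosts.allow/hosts.deny), and notices a telnet entry whose in.telnetd lacks -h. The inetd.conf excerpt inside it is constructed for the example but follows the real field layout.

```python
"""Audit /etc/inetd.conf for services that should be disabled, entries that
bypass tcpd, and an in.telnetd entry without -h.

Added example; SAMPLE_INETD_CONF is constructed for illustration but follows
the real field layout: service socket proto wait user server [args...].
"""

# services item 6 says to disable unless really needed
RISKY_SERVICES = {"ftp", "telnet", "shell", "login", "exec", "talk", "ntalk",
                  "imap", "pop-2", "pop-3", "finger", "auth"}
R_COMMANDS = {"shell", "login", "exec"}

def parse_inetd_conf(text):
    """Return the enabled entries as dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                       # malformed; inetd would reject it too
        entries.append({"service": fields[0], "socket": fields[1],
                        "proto": fields[2], "wait": fields[3],
                        "user": fields[4], "server": fields[5],
                        "args": fields[6:]})
    return entries

def audit_inetd_conf(text):
    """Return a list of (service, problem) findings for the enabled entries."""
    findings = []
    for e in parse_inetd_conf(text):
        svc, server, args = e["service"], e["server"], e["args"]
        if svc in RISKY_SERVICES:
            findings.append((svc, "enabled; disable unless really needed"))
        if svc in R_COMMANDS:
            findings.append((svc, "r-command; disable, use ssh instead"))
        if server != "internal" and not server.endswith("/tcpd"):
            findings.append((svc, "not wrapped by tcpd; hosts.allow/hosts.deny do not apply"))
        if svc == "telnet" and "-h" not in args:
            findings.append((svc, "in.telnetd without -h; login banner reveals OS and version"))
    return findings

SAMPLE_INETD_CONF = """\
# constructed inetd.conf excerpt for the example
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
time    stream  tcp     nowait  root    internal
"""

if __name__ == "__main__":
    # real use: audit_inetd_conf(open("/etc/inetd.conf").read())
    for service, problem in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"{service:8s} {problem}")
```

The tcpd check is the one people miss: a service whose server field names the daemon directly instead of /usr/sbin/tcpd is reachable regardless of what hosts.deny says.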
11. The /etc/host.conf file
Edit the host.conf file (vi /etc/host.conf) and add the lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP aliasing).
multi off
# Check for IP address spoofing.
nospoof on
IP spoofing: IP-spoofing is a security exploit that works by tricking computers in a trust relationship into believing that you are someone you really aren't. With nospoof on, the resolver follows up an address lookup with a lookup of the name it obtained and rejects the answer if the two do not agree.
12. The /etc/securetty file
This file specifies the tty devices on which root is allowed to log in. /etc/securetty is read by the /bin/login program; its format is a list of allowed tty names, one per line. For example, you can edit /etc/securetty and comment out the following lines:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
This means root is allowed to log in only on the tty1 terminal.
13. Special accounts
Disable all the default accounts created by the operating system that you do not need. You should do this when you install the system. Linux provides a variety of accounts that you may not need; if you don't need an account, remove it. The more accounts you have, the easier the system is to attack.
To delete a user from your system, use the following command:
[root@deep]# userdel username
To delete a group from your system, use the following command:
[root@deep]# groupdel groupname
Delete the following users:
[root@deep]# userdel adm
[root@deep]# userdel lp
[root@deep]# userdel sync
[root@deep]# userdel shutdown
[root@deep]# userdel halt
[root@deep]# userdel mail
(delete the mail account only if you don't use the sendmail server, procmail or mailx)
[root@deep]# userdel news
[root@deep]# userdel uucp
[root@deep]# userdel operator
[root@deep]# userdel games
(delete the games account only if you don't use the X Window server)
[root@deep]# userdel gopher
[root@deep]# userdel ftp
(delete the ftp account only if you don't allow anonymous FTP)
Use the following commands to delete the corresponding groups:
[root@deep]# groupdel adm
[root@deep]# groupdel lp
[root@deep]# groupdel mail
(delete the mail group only if you don't use the sendmail server)
[root@deep]# groupdel news
[root@deep]# groupdel uucp
[root@deep]# groupdel games
(delete the games group only if you don't use the X Window server)
[root@deep]# groupdel dip
[root@deep]# groupdel pppusers
[root@deep]# groupdel popusers
(delete the popusers group only if you don't use a POP server)
[root@deep]# groupdel slipusers
Use the following command to add the user accounts you need:
[root@deep]# useradd username
Change a user's password with the following command:
[root@deep]# passwd username
Use the chattr command to make the following files immutable so they cannot be changed:
[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow
Remember to remove the attribute again (chattr -i) before adding users or changing passwords, since useradd and passwd have to rewrite these files.
14. Prevent anyone from using su to become root.
If you don't want just anyone to be able to su to root, edit /etc/pam.d/su and add the lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
This means only members of the isd group can su to root (without the group= option, pam_wheel uses the wheel group, which is gid 10 on Red Hat). Then, for each user who should be allowed to become root, add them to that group with -G, which sets the user's supplementary group list:
[root@deep]# usermod -G isd admin
15. Resource limits
Setting resource limits for all users on your system can prevent DoS-type attacks such as fork bombs, by capping the maximum number of processes, the amount of memory, and so on. For example, to limit all users, edit /etc/security/limits.conf and add:
*  hard  core   0
*  hard  rss    5000
*  hard  nproc  20
You must also edit the /etc/pam.d/login file and add or check for this line:
session required /lib/security/pam_limits.so
The lines above disable core files ("core 0"), restrict the number of processes per user to 20 ("nproc 20"), and restrict resident memory to 5 MB ("rss 5000", the value is in kilobytes). Note that the rss limit is not actually enforced by the Linux kernel; the nproc limit is the one that stops a fork bomb.
16. The /etc/lilo.conf file
a) Add: restricted
This option means that a password is required only when boot parameters are given on the LILO command line (for example, linux single).
b) Add: password=some_password
Used together with restricted, the password is demanded when you pass parameters at boot. Placed in the global section (before the first image= line) the two options apply to every image; placed below an image= line they apply to that image only. You must also make sure the lilo.conf file is not readable by users other than root, because the password appears in it in plain text. Here is an example:
Edit /etc/lilo.conf and add:
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
restricted                 <- add this line
password=some_password     <- add this line
image=/boot/vmlinuz-2.2.12-20
        label=linux
        initrd=/boot/initrd-2.2.12-20.img
        root=/dev/sda6
        read-only
[root@deep]# chmod 600 /etc/lilo.conf (no longer readable by other users)
[root@deep]# /sbin/lilo -v (update the LILO boot loader with the new configuration)
[root@deep]# chattr +i /etc/lilo.conf (protect this file from modification)
17. Disable the Control-Alt-Delete reboot key combination
[root@deep]# vi /etc/inittab
Change
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
then tell init to reread the file:
[root@deep]# /sbin/init q
18. Reset the permissions of all script files under the /etc/rc.d/init.d/ directory
[root@deep]# chmod -R 700 /etc/rc.d/init.d/*
Only root can now read, write and execute the scripts above.
19. The /etc/rc.d/rc.local file
By default, when you log in to the Linux server, the login banner tells you the Linux distribution name and version, the kernel version, and the server hostname. That gives away too much information. If you want just a bare "login:" prompt, edit /etc/rc.d/rc.local and put a # in front of these lines:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Then do the following:
[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
[root@deep]# touch /etc/issue
[root@deep]# touch /etc/issue.net
20. The s bits on programs owned by root
Remove the s (SUID/SGID) bit from root-owned programs that do not need it; of course, some programs do need it. This is done with the command 'chmod a-s'.
Note: the programs marked with an asterisk (*) below generally do not need the s bit. Removing it from ping, mount and umount means only root can run them, which is usually acceptable on a server.
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
  -rwsr-xr-x   1 root     root        33120 Mar 21  1999 /usr/bin/at
* -rwsr-xr-x   1 root     root        30560 Apr 15 20:03 /usr/bin/chage
* -rwsr-xr-x   1 root     root        29492 Apr 15 20:03 /usr/bin/gpasswd
  -rwsr-xr-x   1 root     root         3208 Mar 22  1999 /usr/bin/disable-paste
  -rwxr-sr-x   1 root     man         32320 Apr  9  1999 /usr/bin/man
  -r-s--x--x   1 root     root        10704 Apr 14 17:21 /usr/bin/passwd
  -rws--x--x   2 root     root       517916 Apr  6  1999 /usr/bin/suidperl
  -rws--x--x   2 root     root       517916 Apr  6  1999 /usr/bin/sperl5.00503
  -rwxr-sr-x   1 root     mail        11432 Apr  6  1999 /usr/bin/lockfile
  -rwsr-sr-x   1 root     mail        64468 Apr  6  1999 /usr/bin/procmail
  -rwsr-xr-x   1 root     root        21848 Aug 27 11:06 /usr/bin/crontab
  -rwxr-sr-x   1 root     slocate     15032 Apr 19 14:55 /usr/bin/slocate
* -r-xr-sr-x   1 root     tty          6212 Apr 17 11:29 /usr/bin/wall
* -rws--x--x   1 root     root        14088 Apr 17 12:57 /usr/bin/chfn
* -rws--x--x   1 root     root        13800 Apr 17 12:57 /usr/bin/chsh
* -rws--x--x   1 root     root         5576 Apr 17 12:57 /usr/bin/newgrp
* -rwxr-sr-x   1 root     tty          8392 Apr 17 12:57 /usr/bin/write
  -rwsr-x---   1 root     squid       14076 Oct  7 14:48 /usr/lib/squid/pinger
  -rwxr-sr-x   1 root     utmp        15587 Jun  9 09:30 /usr/sbin/utempter
* -rwsr-xr-x   1 root     root         5736 Apr 19 15:39 /usr/sbin/usernetctl
* -rwsr-xr-x   1 root     bin         16488 Jul  6 09:35 /usr/sbin/traceroute
  -rwsr-sr-x   1 root     root       299364 Apr 19 16:38 /usr/sbin/sendmail
  -rwsr-xr-x   1 root     root        34131 Apr 16 18:49 /usr/libexec/pt_chown
  -rwsr-xr-x   1 root     root        13208 Apr 13 14:58 /bin/su
* -rwsr-xr-x   1 root     root        52788 Apr 17 15:16 /bin/mount
* -rwsr-xr-x   1 root     root        26508 Apr 17 20:26 /bin/umount
* -rwsr-xr-x   1 root     root        17652 Jul  6 09:33 /bin/ping
  -rwsr-xr-x   1 root     root        20164 Apr 17 12:57 /bin/login
* -rwxr-sr-x   1 root     root         3860 Apr 19 15:39 /sbin/netreport
  -r-sr-xr-x   1 root     root        46472 Apr 17 16:26 /sbin/pwdb_chkpwd
[root@deep]# chmod a-s /usr/bin/chage
[root@deep]# chmod a-s /usr/bin/gpasswd
[root@deep]# chmod a-s /usr/bin/wall
[root@deep]# chmod a-s /usr/bin/chfn
[root@deep]# chmod a-s /usr/bin/chsh
[root@deep]# chmod a-s /usr/bin/newgrp
[root@deep]# chmod a-s /usr/bin/write
[root@deep]# chmod a-s /usr/sbin/usernetctl
[root@deep]# chmod a-s /usr/sbin/traceroute
[root@deep]# chmod a-s /bin/mount
[root@deep]# chmod a-s /bin/umount
[root@deep]# chmod a-s /bin/ping
[root@deep]# chmod a-s /sbin/netreport
You can use the following command to find all programs with the s bit set and save the results to the file suid-sgid-results:
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; > suid-sgid-results
To find all writable files and directories, use the following commands (note that -perm -20 tests the group write bit, so these list group-writable as well as world-writable entries):
[root@deep]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; > ww-files-results
[root@deep]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; > ww-directories-results
Use the following command to find files with no owner or no group:
[root@deep]# find / \( -nouser -o -nogroup \) > unowned-results
Use the following command to find all .rhosts files:
[root@deep]# find /home -name .rhosts > rhosts-results
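As an added example (not code from the original article), the following Python script performs the four audits of item 20 (SUID/SGID programs, writable files and directories, unowned entries, and .rhosts files) in one pass and exercises them against a small throwaway tree built under a temporary directory, so the expected findings can be checked. The sample layout, file names and modes are constructed for the example; on a real host you would call audit_tree("/") instead, and the known_uids/known_gids parameters exist only so the unowned check can be demonstrated without root.

```python
"""Audit a directory tree for SUID/SGID programs, writable files and
directories, unowned entries and .rhosts files.

Added example. build_sample_tree() constructs a small throwaway layout
under a temporary directory so the checks can be exercised; on a real
host run audit_tree("/") instead. Paths and modes below are invented.
"""
import grp
import os
import pwd
import stat
import tempfile

WRITE_BITS = stat.S_IWOTH | stat.S_IWGRP   # matches find's -perm -2 -o -perm -20

def owner_known(st, known_uids=None, known_gids=None):
    """True if uid and gid resolve (find's -nouser/-nogroup test).
    known_uids/known_gids replace the passwd/group lookup, for testing."""
    if known_uids is None:
        try:
            pwd.getpwuid(st.st_uid)
        except KeyError:
            return False
    elif st.st_uid not in known_uids:
        return False
    if known_gids is None:
        try:
            grp.getgrgid(st.st_gid)
        except KeyError:
            return False
    elif st.st_gid not in known_gids:
        return False
    return True

def audit_tree(root, known_uids=None, known_gids=None):
    """Walk `root` and return findings keyed by category (sorted path lists)."""
    found = {"suid_sgid": [], "writable_files": [], "writable_dirs": [],
             "unowned": [], "rhosts": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue                      # a symlink's own mode means nothing
            if stat.S_ISREG(mode):
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    found["suid_sgid"].append(path)
                if mode & WRITE_BITS:
                    found["writable_files"].append(path)
                if name == ".rhosts":
                    found["rhosts"].append(path)
            elif stat.S_ISDIR(mode) and mode & WRITE_BITS:
                found["writable_dirs"].append(path)
            if not owner_known(st, known_uids, known_gids):
                found["unowned"].append(path)
    for key in found:
        found[key].sort()
    return found

def audit_basenames(root, known_uids=None, known_gids=None):
    """audit_tree() with base names instead of full paths, for reports."""
    return {k: [os.path.basename(p) for p in v]
            for k, v in audit_tree(root, known_uids, known_gids).items()}

def ids_in_tree(root):
    """(uids, gids) actually present in the tree, for the unowned demo."""
    uids, gids = set(), set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            uids.add(st.st_uid)
            gids.add(st.st_gid)
    return uids, gids

def build_sample_tree():
    """Create the constructed sample layout; returns its root directory."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    for rel in ("usr", "usr/bin", "home", "home/alice", "tmp"):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), 0o755)
    def touch(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    touch("usr/bin/passwd", 0o4511)     # setuid (owned by us here, root for real)
    touch("usr/bin/man", 0o2755)        # setgid
    touch("usr/bin/ls", 0o755)          # ordinary program
    touch("tmp/scratch", 0o666)         # world-writable file
    touch("home/alice/.rhosts", 0o644)  # trust file for the r-commands
    os.chmod(os.path.join(root, "tmp"), 0o1777)  # world-writable sticky dir
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for category, names in audit_basenames(root).items():
        print(f"{category}: {names}")
```

The walk uses lstat and skips symlinks on purpose: following links while auditing / would both loop through /proc and let an attacker point a link at a legitimate setuid binary to confuse the report.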