Linux network server configuration basics
* The /etc/hosts.allow and /etc/hosts.deny files

Services such as telnet and FTP can simply be switched off, but that is very inconvenient for an administrator who needs remote management. Linux provides a more flexible and effective way to restrict who may request a service, so that trusted users can still use a variety of services while security is maintained. The mechanism is a program called TCP Wrapper, which is installed by default in most distributions. With TCP Wrapper you can restrict the services mentioned above, and its log records every attempt to access your system; by reviewing that log, and the output of the last command, the administrator can see who has connected, or tried to connect, to the system.

In the /etc directory there are two files, hosts.allow and hosts.deny, in which you specify which machines may use these services and which may not. When a service request arrives at the server, TCP Wrapper consults the two files in order until it finds a match:

1. If /etc/hosts.allow contains an entry for the requested service whose host list matches the requesting host, the host is allowed to use the service.
2. Otherwise, if /etc/hosts.deny contains such an entry, the host is refused the service.
3. Otherwise the host is allowed. A configuration file that does not exist is treated by the access control software as an empty file, so all restrictions can be switched off by deleting or renaming the configuration files.

In both files, blank lines are ignored and a line beginning with # is a comment. The files are written in a simple access control language; the basic form of an access control statement is:

    daemon list : host name / IP address list
The daemon list names one or more programs that provide the corresponding service, separated by commas or spaces. The program name for a service can be looked up in the inetd.conf file: in the inetd.conf example referred to above, the last field of the telnet line is the program name needed here, in.telnetd. The host name / IP address list identifies one or more hosts that are allowed or refused the service, again separated by commas or spaces. Both the program names and the host addresses accept wildcards, which makes it easy to name several services and several hosts at once. Linux provides several flexible ways of specifying a host or host list:

1. A string beginning with ".", such as .amms.ac.cn, matches every host whose name ends with it; www.amms.ac.cn matches this entry.
2. A string ending with ".", such as 202.37.152., matches every host whose IP address begins with it, that is, every host in 202.37.152.
3. The form n.n.n.n/m.m.m.m denotes a network and netmask: a host matches the entry if its IP address ANDed with the mask m.m.m.m equals n.n.n.n.
4. ALL matches every possible host.
5. EXCEPT removes the hosts named after it: list_1 EXCEPT list_2 means the hosts in list_1 other than those in list_2.
6. LOCAL matches every host whose name contains no "." (hosts in the local domain).

These are only some of the patterns Linux provides, but they are enough for ordinary use. A few examples illustrate them.

Example 1: We want only machines on the same LAN to use the server's FTP service, and FTP requests from the WAN to be refused. The local LAN consists of the three network segments 202.39.154., 202.39.153. and 202.39.152.
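An added example, not part of the original article: a small POSIX shell script that re-implements the lookup order and the pattern forms described above, so that a draft hosts.allow/hosts.deny pair can be tested offline against sample clients before it goes live. The policy files it writes to a temporary directory are constructed for the example (the LAN segments are the ones from Example 1, the telnet rule is invented) and keywords are expected in upper case.

```shell
#!/bin/sh
# Added example (not from the original article): a shell re-implementation of the
# TCP Wrapper decision described above (hosts.allow first, then hosts.deny, otherwise
# allow) for the pattern forms listed. Keywords are expected in upper case.
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
# in_subnet IP NET MASK: the n.n.n.n/m.m.m.m form, true when IP AND MASK equals NET
in_subnet() { [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]; }
# match_host PATTERN IP NAME: does one pattern match this client?
match_host() {
  case $1 in
    ALL)   return 0 ;;
    LOCAL) case $3 in *.*) return 1 ;; esac ;;               # name without a dot
    .*)    case $3 in *"$1") return 0 ;; esac; return 1 ;;   # .amms.ac.cn: name suffix
    *.)    case $2 in "$1"*) return 0 ;; esac; return 1 ;;   # 202.37.152.: address prefix
    */*)   in_subnet "$2" "${1%/*}" "${1#*/}" ;;
    *)     [ "$2" = "$1" ] || [ "$3" = "$1" ] ;;
  esac
}
# match_list "LIST_1 EXCEPT LIST_2" IP NAME: comma/space separated list with EXCEPT
match_list() {
  local main="${1%% EXCEPT *}" rest= pat
  case $1 in *" EXCEPT "*) rest=${1#* EXCEPT } ;; esac
  for pat in $(printf '%s' "$main" | tr ',' ' '); do
    if match_host "$pat" "$2" "$3"; then
      [ -n "$rest" ] && match_list "$rest" "$2" "$3" && return 1   # removed by EXCEPT
      return 0
    fi
  done
  return 1
}
# check_file FILE DAEMON IP NAME: true if a "daemons: hosts" line matches (missing file = empty)
check_file() {
  local line dlist hlist; [ -f "$1" ] || return 1
  while IFS= read -r line; do
    line=${line%%#*}; case $line in *:*) ;; *) continue ;; esac   # comments, blanks
    dlist=${line%%:*}; hlist=${line#*:}; hlist=${hlist%%:*}
    match_list "$dlist" "$2" "$2" && match_list "$hlist" "$3" "$4" && return 0
  done < "$1"
  return 1
}
# tcpd_check DAEMON IP NAME ALLOW_FILE DENY_FILE: prints allow or deny
tcpd_check() {
  if check_file "$4" "$1" "$2" "$3"; then echo allow
  elif check_file "$5" "$1" "$2" "$3"; then echo deny; else echo allow; fi
}
# Constructed sample policy: the LAN-only FTP rule plus an EXCEPT rule for telnet
tmp=$(mktemp -d); printf 'ALL: ALL\n' > "$tmp/hosts.deny"
printf 'in.ftpd: 202.39.154. 202.39.153. 202.39.152.\nin.telnetd: .amms.ac.cn EXCEPT www.amms.ac.cn\n' > "$tmp/hosts.allow"
tcpd_check in.ftpd 202.39.154.10 ftp1 "$tmp/hosts.allow" "$tmp/hosts.deny"      # allow
tcpd_check in.telnetd 202.40.1.1 far.example "$tmp/hosts.allow" "$tmp/hosts.deny"   # deny
```

The script ignores the optional third (shell command) field of a rule and does not resolve host names itself; pass the client's address and name as tcpd would see them.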
In hosts.deny we refuse all services to all machines:

    ALL: ALL

In hosts.allow we allow only the LAN to use FTP:

    in.ftpd: 202.39.154. 202.39.153. 202.39.152.

Now an FTP request from outside the LAN is rejected, while the LAN can use the FTP service. In addition, the log files under /var/log should be checked, and login events that threaten system security should be looked for; the last command is an effective way to view login events and find problems. Finally, tcpdchk is a program that checks the TCP Wrapper configuration and reports any problems or potential problems it finds. After all configuration is finished, run it:

    [root@deskp]# tcpdchk

* The /etc/services file

Port numbers and standard services are defined in detail in RFC 1700, "Assigned Numbers". The /etc/services file lets server and client programs translate the name of a service into its port number; it exists on every host and its file name is /etc/services. Only root has permission to modify it, and in general it does not need to be modified, because it already contains the port numbers of the common services. To improve security, we can protect this file against unauthorized deletion and modification with the following command:

    [root@deskp]# chattr +i /etc/services

* The /etc/securetty file

The /etc/securetty file lets you specify the TTY devices from which root may log in. The login program (usually /bin/login) reads /etc/securetty; root may log in from the TTY devices listed in it, and may not log in from a device that is commented out or not listed. Comment out (put a # at the start of the line) every TTY device from which root should not be allowed to log in.
Edit the securetty file (vi /etc/securetty) and comment out lines as follows:

    tty1
    #tty2
    #tty3
    #tty4
    #tty5
    #tty6
    #tty7
    #tty8

* Disable the Control-Alt-Delete shutdown key combination

Commenting out one line in /etc/inittab prevents the computer from being rebooted with Control-Alt-Delete. This is very important if the server is not kept in a secure place. Edit the inittab file (vi /etc/inittab) and change this line:

    ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to:

    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Then make the change take effect with:

    [root@deskp]# /sbin/init q

* Change the permissions of the script files in /etc/rc.d/init.d/

The scripts in /etc/rc.d/init.d/ are mainly the scripts that start services. Ordinary users have no need to know their contents, so the permissions of these script files should be changed:

    [root@deskp]# chmod -R 700 /etc/rc.d/init.d/*

Now only root can read, write and execute the scripts in this directory.
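An added example, not part of the original article: a shell audit that checks the settings from this section (securetty, the ctrlaltdel line, init.d permissions) and the immutable flag on /etc/services from the section above, under a given root directory (pass / on a real server). The sample tree it creates in a temporary directory is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): check the hardening settings from this section
# under a given root directory (pass / on a real server). A constructed sample tree is
# created in a temp dir so the script runs offline.

# root_ttys ROOT: the TTY devices root may still log in from (uncommented, non-blank lines)
root_ttys() { grep -v '^[[:space:]]*#' "$1/etc/securetty" | grep -v '^[[:space:]]*$'; }
# cad_enabled ROOT: true when inittab still has an active (uncommented) ctrlaltdel line
cad_enabled() { grep -q '^[^#]*:ctrlaltdel:' "$1/etc/inittab"; }
# initd_open ROOT: init.d scripts whose mode is not exactly 700
initd_open() { find "$1/etc/rc.d/init.d" -type f ! -perm 700; }
# services_immutable ROOT: true when the immutable flag is set (needs lsattr and a real fs)
services_immutable() { lsattr -d "$1/etc/services" 2>/dev/null | grep -q '^[^ ]*i[^ ]* '; }

audit() {
  echo "root may log in from: $(root_ttys "$1" | tr '\n' ' ')"
  cad_enabled "$1" && echo "WARN: Control-Alt-Delete still reboots the machine"
  initd_open "$1" | sed 's/^/WARN: init script not mode 700: /'
  services_immutable "$1" || echo "NOTE: $1/etc/services is not immutable (chattr +i)"
}

# Constructed sample: root limited to tty1, ctrlaltdel commented out, one script left at 755
root=$(mktemp -d); mkdir -p "$root/etc/rc.d/init.d"
printf 'tty1\n#tty2\n#tty3\n' > "$root/etc/securetty"
printf 'id:3:initdefault:\n#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$root/etc/inittab"
: > "$root/etc/services"
printf '#!/bin/sh\n' > "$root/etc/rc.d/init.d/network"; chmod 755 "$root/etc/rc.d/init.d/network"
audit "$root"
```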