Linux has many advantages across its features; however, as an open operating system, it inevitably carries some security risks. As for how to address these risks and provide a safe operating platform for applications, this article describes some of the most basic, most common, and most effective techniques.

Linux is a UNIX-like operating system. In theory, UNIX itself has no major security defects. Over the years, most of the security problems found on UNIX operating systems have been in individual programs, so most UNIX vendors claim to be able to solve these problems and provide a secure UNIX operating system. Linux is somewhat different: because it does not belong to any one vendor, no vendor claims to provide a security guarantee, so users have to solve security problems themselves.

Linux is an open system, and many ready-made programs and tools for it can be found on the Internet. This is convenient for users, and it is also convenient for hackers, because they too can easily find programs and tools to sneak into a Linux system or steal important information from it. However, as long as we carefully configure the various system functions of Linux and add the necessary security measures, we can leave hackers no opening to exploit.

In general, securing a Linux system includes canceling unnecessary services, restricting remote access, hiding important information, patching security vulnerabilities, using security tools, and performing regular security checks. This article teaches you ten tricks that improve the security of a Linux system. The tricks are few, but they are effective, so you may wish to try them.

Inetd is an abbreviation of Internet Daemon. It monitors multiple network ports simultaneously; once it receives an external connection request, it runs the corresponding TCP or UDP network service. Because services are under the unified control of inetd, most network services on Linux are configured in the /etc/inetd.conf file.
So the first step in canceling unnecessary services is to check the /etc/inetd.conf file and put a "#" in front of the services you do not need. Apart from HTTP, SMTP, Telnet, and FTP, other services should be canceled, such as the simple file transfer protocol TFTP, the IMAP/IPOP transfer protocols used for storing and receiving network mail, Gopher for finding and searching for information, and Daytime and Time for time synchronization.

There are also some services that report system status, such as Finger, Efinger, Systat, and Netstat. Although they are very useful for troubleshooting the system and finding users, they also give hackers an opening. For example, hackers can use the Finger service to find users' phone numbers, the directories they use, and other important information. Therefore, many Linux systems cancel all or some of these services to enhance system security.

In addition to using /etc/inetd.conf to configure system services, inetd uses the /etc/services file to look up the ports used by each service. Therefore, the user must carefully check the settings in that file to avoid security vulnerabilities.

There are two different service modes in Linux: one is a service that runs only when it is needed, such as the finger service; the other is a service that runs continuously and never pauses. Services of the second kind are started when the system boots, so they cannot be stopped through inetd; they can only be changed by modifying the files under /etc/rc.d/rc[n].d/.
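The /etc/inetd.conf check described above can be automated. The following Python sketch is an added example, not code from the original article: it comments out every active entry that is not on a keep-list. The keep-list service names and the sample file contents are constructed assumptions.

```python
# Added example, not from the original article. KEEP mirrors the four
# services the article retains; the service names are assumptions.
KEEP = {"http", "smtp", "telnet", "ftp"}

# Constructed sample in /etc/inetd.conf layout:
# service  socket  proto  wait-flag  user  program  [arguments]
SAMPLE = """\
# constructed sample, not a real host's file
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp  nowait  root    /usr/sbin/tcpd  gn
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp  nowait  root    internal
"""


def harden(text, keep=KEEP):
    """Return (new_text, disabled); disabled holds (service, proto, user)."""
    out, disabled = [], []
    for line in text.splitlines():
        fields = line.split()
        # Leave blanks, comments and malformed lines untouched: an active
        # entry has at least six whitespace-separated fields.
        if len(fields) < 6 or fields[0].startswith("#"):
            out.append(line)
            continue
        if fields[0].lower() in keep:
            out.append(line)
        else:
            disabled.append((fields[0], fields[2], fields[4]))
            out.append("#" + line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    new_text, disabled = harden(SAMPLE)
    for service, proto, user in disabled:
        print(f"disable {service}/{proto} (runs as {user})")
    print(new_text, end="")
```

Running `harden` a second time on its own output disables nothing further, so the check can be repeated after every package update that rewrites the file.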
NFS servers, which provide file service, and news servers, which provide NNTP news service, are services of this always-running kind; it is best to cancel them if they are not necessary.

Like other UNIX operating systems, Linux generally encrypts passwords and stores them in the /etc/passwd file. All users on a Linux system can read /etc/passwd; although the passwords saved in the file are encrypted, this is still not safe, because an ordinary user can use ready-made password-cracking tools to guess passwords by exhaustive search. A more secure method is to set up the shadow file /etc/shadow, which only users with special permissions are allowed to read.

On a Linux system, to use the shadow file you must recompile all the utilities so that they support it. This method is rather troublesome; a simpler method is to use Pluggable Authentication Modules (PAM). Many Linux systems ship with PAM, an authentication mechanism that can be used to dynamically change the method and requirements of authentication without requiring other utilities to be recompiled. This is because PAM encapsulates all authentication-related logic inside its modules, which makes it the best companion for the shadow file.

In addition, PAM has many security features: it can replace the traditional DES encryption method with other, stronger encryption methods to ensure that user passwords are not cracked; it can set an upper limit on the computer resources each user may use; it can even set the times and locations at which users may log in. A Linux system administrator needs only a few hours to install and configure PAM, which greatly improves the security of the Linux system and blocks many attacks from outside the system.

3rd trick: Maintain the latest system kernel
Because Linux has many distribution channels, and updated programs and system patches appear often, it is necessary to update the system kernel in order to strengthen system security.
The kernel is the core of the Linux operating system. It stays resident in memory and is used to load the other parts of the operating system and to implement its basic functions. Because the kernel controls the various functions of the computer and the network, its security is critical to the entire system.

Early kernel versions have many well-known security vulnerabilities and are not stable. Only versions 2.0.x and above are relatively stable and secure, and the running efficiency of the newer versions has also improved. When configuring the kernel, select only the necessary features; do not accept every feature wholesale, otherwise the kernel becomes very large, which both consumes system resources and leaves openings for hackers.

The latest security patches are often available on the Internet. Linux system administrators should stay informed and regularly visit security newsgroups to check for new patches.

4th trick: Check login passwords
Setting login passwords is a very important security measure. If a user's password is poorly chosen, it is easily cracked, especially for a user with superuser privileges. Without good passwords, the system is exposed to many security vulnerabilities.

In a multi-user system, forcing each user to choose a password that is not easy to guess greatly improves the security of the system. However, if the passwd program cannot force every user to choose an appropriate password, then to ensure that passwords are secure you can only rely on a password-cracking program.
In fact, a password-cracking program is a tool from the hacker's toolbox. It takes commonly used passwords, or every English word that might be used as a password, and compares them against the Linux system's /etc/passwd password file or /etc/shadow shadow file; if it finds a matching password, the plaintext is obtained. Many password-cracking programs can be found on the web; one of the better-known is Crack. Users can run a password-cracking program themselves to find the passwords that hackers could easily crack; correcting them first is always better than being hacked.

When the ID, the system administrator should give the account different permissions as needed and place it in different user groups.

In tcpd on a Linux system, you can set a list of those allowed in and a list of those not allowed in. The list of those allowed is set in /etc/hosts.allow, and the list of those not allowed is set in /etc/hosts.deny. After the settings are complete, you need to restart the inetd program for them to take effect. In addition, Linux automatically records the results of allowed and denied access attempts in the /var/log/secure file, and the system administrator can use it to find suspicious access records.

Every account ID should have a specific person responsible for it. In an enterprise, if the employee responsible for an ID leaves, the administrator should immediately delete the account from the system. Many intrusions make use of accounts that have long gone unused.

Among user accounts, hackers most like an account with root privileges. Such a superuser has the right to modify or delete all kinds of system settings and can move through the system unimpeded. Therefore, think carefully before giving any account root privileges. The /etc/securetty file on a Linux system contains a set of terminal names from which the root account can log in.
For example, on a RedHat Linux system, the initial contents of the /etc/securetty file allow only the local virtual consoles (RTYS) to log in with root privileges and do not allow remote users to log in with root privileges. It is best not to modify this file. If you must work as root over a remote login, it is best to log in with a normal account first and then switch to superuser using the su command.

Since these utilities grant entry on the basis of the .rhosts file or the hosts.equiv file, be sure that the root account is not included in these files. Since the r-prefixed commands are a hotbed for hackers, many security tools are designed around this security vulnerability. For example, PAM can be used to take away the power of the r-prefixed utilities: adding to the /etc/pam.d/rlogin file a directive that login must be approved first means that no user on the system can use the .rhosts file in their own home directory.

SSH uses public-key technology to encrypt the communication between two hosts on the network and uses its keys as a tool for authentication. Because SSH encrypts information on the network, it can be used to log in to a remote host securely and to transfer information securely between two hosts. In fact, SSH not only secures communication between Linux hosts; Windows users can also connect securely to a Linux server via SSH.