It is well known that security is a critical issue, and the server is the most critical link in network security. Linux, as an open source operating system, is regarded as a secure Internet server platform: once a vulnerability is found in a Linux system, volunteers all over the world quickly produce a patch. However, system administrators often do not receive that information promptly or correctly, and that is what gives attackers their opportunity. Even more security problems are caused by improper configuration than by the system itself, and those can be prevented by configuring correctly. The more services a server runs, the more opportunities there are for misconfiguration and the greater the chance of a security problem. This article introduces some techniques for hardening Linux/UNIX server systems.
System log files
The log files kept by the operating system are an important clue for detecting a network intrusion. If your system is connected directly to the Internet, you will find that many people attempt Telnet/FTP logins to it. Run

# more /var/log/secure | grep refused

to check for such attempts against the system, and then take countermeasures accordingly, such as replacing Telnet/rlogin with SSH.
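The grep above only lists the refused lines; what you usually want is a per-source count so that the noisiest attacker is obvious. The following is an added example, not code from the original article. It assumes syslog-style lines as written by tcpd ("refused connect from X") and sshd ("Failed password ... from X"), and the sample log it writes to a temp file is constructed for the example; on a real host call the functions with /var/log/secure.

```shell
#!/bin/sh
# Added example: summarise refused and failed remote logins from a
# syslog-style file such as /var/log/secure.

# Constructed sample log (not real traffic), written to a temp file so the
# script runs offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:02 srv in.telnetd[1234]: refused connect from 203.0.113.7
Mar  3 10:01:05 srv in.ftpd[1235]: refused connect from 203.0.113.7
Mar  3 10:02:11 srv sshd[1300]: Failed password for root from 198.51.100.23 port 4122 ssh2
Mar  3 10:02:12 srv sshd[1300]: Failed password for root from 198.51.100.23 port 4122 ssh2
Mar  3 10:02:13 srv sshd[1300]: Failed password for admin from 198.51.100.23 port 4123 ssh2
Mar  3 10:05:00 srv sshd[1310]: Accepted publickey for admin from 192.0.2.5 port 5000 ssh2
Mar  3 10:06:00 srv in.telnetd[1240]: connect from 192.0.2.5
EOF

# refused_by_source LOG: one "COUNT IP" line per source, busiest first.
# Matches tcp_wrappers "refused connect from X" and sshd
# "Failed password ... from X"; accepted connections are ignored.
refused_by_source() {
    grep -iE 'refused connect from|failed password .* from' "$1" \
        | sed -nE 's/.* from ([0-9.]+).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# sources_over LOG N: sources with at least N refused/failed attempts,
# i.e. the candidates for a hosts.deny entry or a firewall rule.
sources_over() {
    refused_by_source "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# top_source LOG: the single busiest source.
top_source() {
    refused_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

refused_by_source "$SAMPLE_LOG"
```

Pipe the output of sources_over into whatever blocking mechanism you use; the threshold is deliberately a parameter because a handful of failed logins from a legitimate admin is normal.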
Start and login security
1. BIOS security
Set a BIOS password and change the boot order so that the machine cannot be booted from the floppy drive (or other removable media).
2. User password
User passwords are the basic starting point of Linux security. Many people choose passwords that are far too simple, which is like opening the door for an intruder. In theory no password is uncrackable given enough time and resources, but a well-chosen password is hard to crack in practice. Good passwords are easy for the user to remember yet meaningless to anyone else, and are never written down anywhere.
3. Default account
All unnecessary default accounts should be disabled, and you should do this as soon as the system is installed. Linux ships with many default accounts, and the more accounts there are, the larger the attack surface.
You can delete an account with the following command:
# userdel username
and delete a group with:
# groupdel groupname
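Before running userdel it helps to know which accounts still have an interactive shell and are not ones you expect. The following is an added example, not code from the original article. It works on a constructed copy of /etc/passwd written to a temp file, so it needs no root; the allow-list of expected accounts is a parameter. It prints lock commands rather than delete commands: locking the password and setting a nologin shell is reversible and leaves file ownership intact, which userdel does not.

```shell
#!/bin/sh
# Added example: audit a passwd file for interactive accounts that are not on
# an allow-list, and emit the commands to lock them.

# Constructed sample passwd file (not from a real system).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
news:x:9:13:news:/etc/news:/sbin/nologin
admin:x:500:500:Admin:/home/admin:/bin/bash
EOF

# interactive_accounts PASSWD: users whose login shell is not nologin/false.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# unexpected_accounts PASSWD ALLOWED...: interactive accounts not in the list.
unexpected_accounts() {
    f=$1; shift
    allowed=" $* "
    for u in $(interactive_accounts "$f"); do
        case "$allowed" in
            *" $u "*) ;;          # expected, skip
            *) echo "$u" ;;
        esac
    done
}

# lock_commands PASSWD ALLOWED...: print one usermod per unexpected account.
# -L locks the password, -s /sbin/nologin removes the shell; run the printed
# lines as root after reviewing them.
lock_commands() {
    unexpected_accounts "$@" | while read -r u; do
        echo "usermod -L -s /sbin/nologin $u"
    done
}

lock_commands "$SAMPLE_PASSWD" root admin
```

On a real host replace the sample file with /etc/passwd and extend the allow-list with the service accounts your daemons actually need; anything left over is a candidate for locking first and deleting later, once you have confirmed nothing depends on it.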
4. Password file
Use the chattr command to make the following files immutable, so that an attacker who gains temporary privileges cannot add accounts or change passwords:
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
You can confirm the flag with lsattr. Note that while the flag is set, passwd, useradd and similar tools fail even for root; run chattr -i on the file before making legitimate changes and set the flag again afterwards.
5. Disable the Ctrl-Alt-Delete reboot command
Edit /etc/inittab and comment out the line

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

then run init q so that init re-reads the file. Next, tighten the permissions of all scripts in the /etc/rc.d/init.d/ directory:
# chmod -R 700 /etc/rc.d/init.d/*
After this only root can read, write or execute those scripts.
6. Restrict the su command
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines near the top:
auth sufficient /lib/security/pam_rootok.so debug
auth required   /lib/security/pam_wheel.so group=isd
Now only members of the isd group can su to root. If you later want the user admin to be able to su to root, add admin to that group:
# usermod -aG isd admin
The -a flag appends the group instead of replacing the user's existing supplementary groups. On Red Hat style systems the wheel group (gid 10) is commonly used for this purpose; whichever group you choose must match the group= argument in /etc/pam.d/su.
7. Remove login banner information
By default the login prompt shows the Linux distribution, kernel version and server hostname, which reveals too much for a machine with high security requirements. Edit /etc/rc.d/rc.local and comment out the lines that write system information to /etc/issue:

# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then remove the existing banner files and replace them with empty ones:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
Limiting network access
1. NFS access
If you use the NFS network file system, make sure /etc/exports has the most restrictive settings possible: do not use wildcards, do not allow remote root write access, and export read-only wherever you can. Edit /etc/exports and add lines like the following:
/dir/to/export  host1.mydomain.com(ro,root_squash)
/dir/to/export  host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory being exported and host1/host2.mydomain.com are the clients allowed to mount it. ro exports it read-only, and root_squash maps requests from the client's root to the anonymous user, so a remote root gets no special privileges. Write the options immediately after the hostname with no space: "host (ro,root_squash)" with a space is parsed as two entries, exporting the directory to the named host with default options and to every host with the options in parentheses. To make the change take effect, run:
# /usr/sbin/exportfs -a
2. inetd settings
First make sure that /etc/inetd.conf is owned by root and that its permissions are 600; once set, you can verify this with the stat command.
# chmod 600 /etc/inetd.conf
Then edit /etc/inetd.conf and disable the following services by commenting out their lines:
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have SSH/SCP you can disable Telnet/FTP as well. To make the change take effect, run:
# killall -HUP inetd
By default most Linux systems allow all requests, and using TCP wrappers to tighten this is easy: edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, put "ALL: ALL" in /etc/hosts.deny to refuse all access by default, then add the permitted connections to /etc/hosts.allow. For example, "sshd: 192.168.1.10 gate.openarch.com" allows SSH connections from the IP address 192.168.1.10 and from the host gate.openarch.com. Be careful with net/mask patterns: tcp_wrappers matches a client when the net part equals the client address ANDed with the mask, so "192.168.1.10/255.255.255.0" (a net part with host bits set) matches no client at all. Write a bare address for a single machine, or "192.168.1.0/255.255.255.0" for the whole subnet.
Once the configuration is complete, you can check it with tcpdchk:
# tcpdchk
tcpdchk is the TCP wrapper configuration checker: it reads your TCP wrapper configuration and reports all potential and actual problems it finds.
3. Login terminal settings
The /etc/securetty file specifies the tty devices on which root is allowed to log in, and is read by the /bin/login program. It is simply a list of permitted device names, so edit /etc/securetty and comment out every entry except tty1:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
Root can now log in only on the tty1 console.
4. Hide system and version information
If you do not want remote users to see the system and version information when they log in, change the telnet line in /etc/inetd.conf to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
The -h flag makes telnetd suppress the system banner, so only the "login:" prompt is shown.
Preventing attacks
1. Ignore ping
If nobody can ping your system, its security naturally improves somewhat. To do this, add the following line to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Keep in mind that this also blinds your own monitoring and troubleshooting; on systems with sysctl, setting net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf is the persistent equivalent.
2. Prevent IP spoofing
Edit /etc/host.conf and add the following lines to guard against IP spoofing attacks:
order bind,hosts
multi off
nospoof on
order bind,hosts resolves names through DNS first and /etc/hosts second; multi off returns only the first address found for a host in /etc/hosts; nospoof on makes the resolver look up the hostname for a client address, then resolve that name back, and reject the client if the two do not agree. Whether a given glibc version still honours nospoof varies, so check host.conf(5) on the target system.
3. Prevent DoS attacks
Setting resource limits for all users on the system helps prevent DoS-type attacks, for example by capping the maximum number of processes and the amount of memory each user can use. Add the following lines to /etc/security/limits.conf:
*  hard  core   0
*  hard  rss    5000
*  hard  nproc  20
Then edit /etc/pam.d/login and make sure it contains the following line:
session required /lib/security/pam_limits.so
These settings disable core dumps (core 0), limit resident memory to 5000 KB (about 5 MB) and limit each user to 20 processes. Note that the rss limit is ignored by Linux kernels 2.4.30 and later, and that a low nproc applies to every login the wildcard matches, so set it high enough for the shells and jobs your users legitimately run.
With the settings above in place, your Linux server is protected against the great majority of known security issues and network attacks. A good system administrator still keeps an eye on security news, and on newly exposed and potential vulnerabilities, so that they can be repaired promptly.