How to configure a secure Linux operating system


[Article Information]

Author: chinaunix.net Time: 2004-10-28 Source: chinaunix.net Editor: Wilderness

First, disk partitioning

1. On a fresh install, lay out the disk partitions with security in mind:

1) Put the root directory (/), the user directories (/home), the temporary directory (/tmp) and /var on separate disk partitions; 2) separating these directories means that whatever happens on one of them (a partition filling up or being damaged) cannot take the whole system down.

2. The partitions holding /tmp and /var have no need for set-user-id programs, so mount them with the nosuid option:

Method 1: edit /etc/fstab and add the nosuid keyword to the options field, e.g.:

/dev/hda2  /tmp  ext2  exec,dev,nosuid,rw  0 0
                       ^^^^^^

Method 2: if you are not familiar with /etc/fstab, make the change through the linuxconf program:

* run linuxconf;
* under "File systems" select "Access local drive";
* select the disk partition whose options you want to change;
* tick the "No setuid programs allowed" option;
* set other options as needed;
* exit normally (you are usually prompted to remount the partition).
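To check an existing fstab against the two points above, here is an added example (written for this page, not part of the original article) that reports whether /tmp, /var and /home have their own entries and whether those entries carry nosuid. It assumes POSIX sh and awk; the fstab it reads is a constructed sample, not a real system's file.

```shell
#!/bin/sh
# Added example (not from the original article): audit an fstab for separate
# partitions and the nosuid option. Assumes POSIX sh and awk; the fstab below
# is a constructed sample.

# fstab_option_state FSTAB OPTION MOUNTPOINT -> prints one of:
#   absent   MOUNTPOINT has no fstab entry (so it is not a separate partition)
#   missing  the entry exists but OPTION is not among its mount options
#   ok       the entry exists and carries OPTION
fstab_option_state() {
    awk -v mp="$3" -v opt="$2" '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        $2 == mp {
            found = 1
            n = split($4, o, ",")           # options field, comma separated
            for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1
        }
        END { print ((!found) ? "absent" : (ok ? "ok" : "missing")) }
    ' "$1"
}

# fstab_check FSTAB OPTION MOUNTPOINT...: report every mount point listed;
# returns 1 if any of them is absent or lacks OPTION.
fstab_check() {
    fstab=$1; opt=$2; shift 2
    rc=0
    for mp in "$@"; do
        case $(fstab_option_state "$fstab" "$opt" "$mp") in
            ok)      echo "$mp: ok ($opt set)" ;;
            missing) echo "$mp: MISSING $opt"; rc=1 ;;
            absent)  echo "$mp: not a separate partition in $fstab"; rc=1 ;;
        esac
    done
    return $rc
}

# make_sample_fstab: write a constructed fstab to a temp file, print its path.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <device>  <mount point>  <type>  <options>            <dump> <pass>
/dev/hda1   /              ext2    defaults             1 1
/dev/hda2   /tmp           ext2    exec,dev,nosuid,rw   0 0
/dev/hda3   /var           ext2    defaults             0 0
/dev/hda5   /home          ext2    rw,nosuid,nodev      0 0
/dev/hda6   swap           swap    defaults             0 0
EOF
    echo "$f"
}

F=$(make_sample_fstab)
fstab_check "$F" nosuid /tmp /var /home || echo "-> fix the entries above in /etc/fstab and remount"
rm -f "$F"
```

On the sample, /tmp and /home pass and /var is reported as missing nosuid, which is exactly the case the text describes; running fstab_check against the real /etc/fstab with the same arguments gives the same three-way verdict per mount point.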

Second, installation

1. On production (non-test) hosts, do not install more packages than necessary; fewer packages mean fewer potential security holes.

2. On production hosts, do not enable non-essential services when selecting the services started at boot, for example routed, ypbind and so on.

Third, security configuration and hardening

* Kernel upgrade. Upgrade the kernel to at least version 2.2.16.
* GNU libc shared library upgrade. (Warning: do not attempt this without experience; a mistake can leave the system hung and unusable.)
* Close dangerous network services: echo, chargen, shell, login, finger, NFS, RPC, etc.
* Close non-essential network services: talk, ntalk, pop-2, etc.
* Securely configure and upgrade the common network services that remain, making sure each one runs the latest and most secure version.
* Remove anonymous FTP access.
* Remove SUID programs unless they are required.
* Use TCP wrappers.
* Use the ipchains firewall.
* Keep system logs with syslogd.

Some details:

1. The operating system's log files are an important clue for detecting a network intrusion; this of course assumes the intruder has not tampered with them. If you run a server connected directly to the Internet, which means your IP address is permanent and fixed, you will find many people attempting telnet/FTP logins to your system. Run

# more /var/log/secure | grep refused

to check.
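Reading the refused entries by eye does not scale once the log grows. The following added example (not from the original article) counts tcpd's "refused connect from" lines in a secure-style log and groups them by source address and service, so repeated probing of one service from one address stands out. It assumes POSIX sh, awk, sort and uniq; the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the "refused"
# entries that tcpd writes to /var/log/secure, grouped by source and service.
# Assumes POSIX sh, awk, sort and uniq. The log lines below are constructed.

# make_sample_log: write constructed secure-style lines to a temp file.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Sep 20 10:22:06 deep in.telnetd[1201]: refused connect from 192.0.2.5
Sep 20 10:22:09 deep in.telnetd[1203]: refused connect from 192.0.2.5
Sep 20 10:22:15 deep in.ftpd[1207]: refused connect from 198.51.100.7
Sep 20 10:23:01 deep sshd[1210]: Accepted password for admin from 192.168.1.10
Sep 20 10:24:44 deep in.telnetd[1215]: refused connect from 192.0.2.5
EOF
    echo "$f"
}

# refused_total LOG: number of refused connections (the article's
# "more /var/log/secure | grep refused", counted instead of paged).
refused_total() {
    grep -c 'refused connect from' "$1"
}

# refused_summary LOG: lines of "count source service", most frequent first.
refused_summary() {
    awk '/refused connect from/ {
            svc = $5; sub(/\[.*$/, "", svc)   # "in.telnetd[1201]:" -> "in.telnetd"
            print $NF, svc                    # last field is the source address
         }' "$1" | sort | uniq -c | sort -rn
}

LOG=$(make_sample_log)
echo "refused connections: $(refused_total "$LOG")"
refused_summary "$LOG"
rm -f "$LOG"
```

On the sample the summary puts 192.0.2.5 probing in.telnetd three times at the top; on a real host, point refused_summary at /var/log/secure and compare the top entries against the hosts you expect to see.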

2. Limit the number of programs carrying the SUID permission bit. A program with this bit runs as root and is a potential security hole; of course some programs must have it, such as passwd.

3. BIOS security. Set a BIOS password and change the boot order so that booting from the floppy drive is disabled.

4. User passwords. User passwords are the most basic starting point of Linux security. Many users pick simple passwords, which is like opening the door for the intruder. In theory no password is uncrackable, given enough time and resources; a good password is a string of characters that only its owner can easily remember, and it is never written down anywhere.

5. The /etc/exports file. If you use the NFS network file system service, make sure /etc/exports carries the most stringent access permissions: do not use any wildcards, do not allow root write access, and export file systems read-only. Edit /etc/exports and add, for example:

/dir/to/export  host1.mydomain.com(ro,root_squash)
/dir/to/export  host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export; host.mydomain.com is the name of the machine allowed to mount it; ro mounts it read-only; root_squash prevents root on the client from writing to the directory with root privileges.

To activate the change, run /usr/sbin/exportfs -a

6. Confirm that /etc/inetd.conf is owned by root and its permissions are set to 600.

[root@deep]# chmod 600 /etc/inetd.conf

Ensure that the owner is root:

[root@deep]# stat /etc/inetd.conf
  File: "/etc/inetd.conf"
  Size: 2869       Filetype: Regular File
  Mode: (0600/-rw-------)   Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,6   Inode: 18219     Links: 1
Access: Wed Sep 22 16:24:16 1999 (00000.00:10:44)
Modify: Mon Sep 20 10:22:06 1999 (00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999 (00002.06:12:16)

Edit /etc/inetd.conf and disable the following services:

ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc., unless you really need them.

In particular, disable the r-commands (shell, login, exec). If you use ssh/scp, you can also disable telnet/FTP.

To make the change take effect, run # killall -HUP inetd

You can also run # chattr +i /etc/inetd.conf to make the file immutable, so that it cannot be changed.

Only root can remove the immutable flag, with

# chattr -i /etc/inetd.conf

7. TCP_WRAPPERS

By default Red Hat Linux allows all requests. Using TCP wrappers to harden your site is straightforward: put "ALL: ALL" in /etc/hosts.deny to refuse every request, then put the requests you explicitly allow in /etc/hosts.allow, such as:

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

which allows SSH access from the IP address 192.168.1.10 and from the host gate.openarch.com. After configuring, check the rules with tcpdchk:

[root@deep]# tcpdchk

tcpdchk is the TCP wrappers configuration checker: it examines your TCP wrapper configuration and reports every potential and actual problem it finds.

8. Alias files

Edit the aliases file /etc/aliases (or /etc/mail/aliases) and remove or comment out the lines marked below:

# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
#games:         root        <- remove or comment out
#ingres:        root        <- remove or comment out
#system:        root        <- remove or comment out
#toor:          root        <- remove or comment out
#uucp:          root        <- remove or comment out

# Well-known aliases.
#manager:       root        <- remove or comment out
#operator:      root        <- remove or comment out

# trap decode to catch security attacks
#decode:        root

# Person who should get root's mail
#root:          marc

Don't forget to run /usr/bin/newaliases after the last change, to make it take effect.
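As an added illustration of item 7 above (example code written for this page, not tcpd's own implementation), the following script emulates how tcpd decides on a connection from hosts.allow and hosts.deny: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. It handles ALL, an exact IP or hostname, a net/mask pair, an address prefix ending in a dot and a domain suffix starting with one; EXCEPT and the other hosts_access(5) forms are left out. The two rule files are constructed samples. Note that in the net/mask form the part before the slash must be the network address, since tcpd matches only when the client address ANDed with the mask equals it: 192.168.1.0/255.255.255.0 covers 192.168.1.10, and tcpdchk is the tool that catches a pair that can never match.

```shell
#!/bin/sh
# Added example (not from the original article, and not tcpd's code): emulate
# tcpd's allow/deny decision for a simplified subset of hosts_access(5) rules,
# so a rule set can be tested offline. The rule files below are constructed.

ip2int() {                          # 192.168.1.10 -> 3232235786
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN IP HOSTNAME: exit 0 when the client matches PATTERN.
client_matches() {
    pat=$1; ip=$2; host=$3
    case $pat in
        ALL) return 0 ;;
        */*)                        # net/mask: match when (ip & mask) == net
            net=${pat%/*}; mask=${pat#*/}
            [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ] ;;
        *.)  case $ip in "$pat"*) return 0 ;; esac; return 1 ;;     # address prefix
        .*)  case $host in *"$pat") return 0 ;; esac; return 1 ;;   # domain suffix
        *)   [ "$pat" = "$ip" ] || [ "$pat" = "$host" ] ;;
    esac
}

# file_matches FILE SERVICE IP HOSTNAME: exit 0 if any "daemons : clients"
# rule in FILE matches (comments and blank lines are ignored).
file_matches() {
    result=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        while IFS=: read -r daemons clients _opts; do
            svc_ok=1
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                if [ "$d" = ALL ] || [ "$d" = "$2" ]; then svc_ok=0; break; fi
            done
            [ $svc_ok -eq 0 ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                if client_matches "$c" "$3" "$4"; then echo yes; exit 0; fi
            done
        done)
    [ "$result" = yes ]
}

# wrapper_decision SERVICE IP HOSTNAME ALLOWFILE DENYFILE: prints allow|deny,
# in tcpd's order: hosts.allow first, then hosts.deny, otherwise allow.
wrapper_decision() {
    if file_matches "$4" "$1" "$2" "$3"; then echo allow
    elif file_matches "$5" "$1" "$2" "$3"; then echo deny
    else echo allow; fi
}

# make_sample_rules: constructed hosts.allow / hosts.deny in a temp directory.
make_sample_rules() {
    d=$(mktemp -d)
    cat > "$d/hosts.allow" <<'EOF'
# network address on the left of the mask, so the rule can actually match
sshd: 192.168.1.0/255.255.255.0 gate.openarch.com
EOF
    echo 'ALL: ALL' > "$d/hosts.deny"
    echo "$d"
}

R=$(make_sample_rules)
for client in "sshd 192.168.1.10 ws10" "sshd 203.0.113.9 gate.openarch.com" \
              "sshd 203.0.113.9 unknown" "in.telnetd 192.168.1.10 ws10"; do
    set -- $client
    printf '%-10s from %-15s (%s): %s\n' "$1" "$2" "$3" \
        "$(wrapper_decision "$1" "$2" "$3" "$R/hosts.allow" "$R/hosts.deny")"
done
rm -rf "$R"
```

The emulation is only for reasoning about a rule set; the authoritative check on a live host remains tcpdchk, and tcpdmatch can be used to ask the real library how it would treat a given client.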

9. Stop your system from answering ping requests from outside or inside.

If nobody can ping your machine and get a reply, your site's security is greatly improved. Add the following line to /etc/rc.d/rc.local so that it runs automatically at every startup:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

10. Do not display the operating system and version information.

If people log in to your server remotely, do not show them the operating system and version. Change the following line in /etc/inetd.conf:

telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd -h

Adding the -h flag at the end stops the telnet daemon from displaying system information; it shows only the login: prompt.

11. The /etc/host.conf file

Edit /etc/host.conf (vi /etc/host.conf) and add the lines:

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We do not have machines with multiple IP addresses on the same card (like virtual server, IP aliasing).
multi off
# Check for IP address spoofing.
nospoof on

IP spoofing is a security attack in which a machine presents a source address that is not really its own.

12. The /etc/securetty file. This file lists the tty devices on which root is allowed to log in; login reads /etc/securetty, whose format is simply a list of allowed device names, one per line. For example, edit /etc/securetty and comment out the following lines:

tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8

This means root is only allowed to log in on the tty1 terminal.

13. Special accounts

Disable all the default accounts created by the operating system itself that you do not need. Do this when you install the system: Linux provides a variety of accounts, and if you do not need an account, remove it. The more accounts a system has, the easier it is to attack.

To delete a user on your system, use:

[root@deep]# userdel username

To delete a group account on your system, use:

[root@deep]# groupdel groupname

Delete the following users from the terminal:

[root@deep]# userdel adm
[root@deep]# userdel lp
[root@deep]# userdel sync
[root@deep]# userdel shutdown
[root@deep]# userdel halt
[root@deep]# userdel mail
(If you do not use the sendmail server, procmail and mailx, delete this account.)
[root@deep]# userdel news
[root@deep]# userdel uucp
[root@deep]# userdel operator
[root@deep]# userdel games
(If you do not use the X Window server, delete this account.)
[root@deep]# userdel gopher
[root@deep]# userdel ftp
(If you do not allow anonymous FTP, delete this user account.)

Delete the following group accounts:

[root@deep]# groupdel adm
[root@deep]# groupdel lp
[root@deep]# groupdel mail
(If you do not use sendmail, delete this group account.)
[root@deep]# groupdel news
[root@deep]# groupdel uucp
[root@deep]# groupdel games
(If you do not use X Window, delete this group account.)
[root@deep]# groupdel dip
[root@deep]# groupdel pppusers
[root@deep]# groupdel popusers
(If you do not use a POP server, delete this group account.)
[root@deep]# groupdel slipusers

Add a user account with:

[root@deep]# useradd username

Change a user's password with:

[root@deep]# passwd username

Use the chattr command to make the following files immutable:

[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow

14. Blocking su to root

If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the lines:

auth  sufficient  /lib/security/pam_rootok.so debug
auth  required    /lib/security/pam_wheel.so group=isd

This means only members of the isd group can su to root.

Then, for each user who should be able to become root, run:

[root@deep]# usermod -G 10 admin

16. Resource limits

Setting resource limits for all users on your system can prevent DoS-type attacks, by capping for example the maximum number of processes and the amount of memory. To limit all users, for instance:

Edit /etc/security/limits.conf and add:

*  hard  core   0
*  hard  rss    5000
*  hard  nproc  20

You must also edit /etc/pam.d/login and add (or check for) this line:

session  required  /lib/security/pam_limits.so

The settings above disable core files ("core 0"), limit the number of processes to 20 ("nproc 20") and limit memory to 5 MB ("rss 5000").

17. The /etc/lilo.conf file

a) Add: restricted. Add this line to each boot image; it means that booting with parameters (for example "linux single") requires a password.

b) Add: password=some_password. Used together with restricted, the password is asked for when you boot with parameters. You must also make sure lilo.conf is not readable by users other than root, otherwise anyone can read the password in clear text. Here is an example:

Edit /etc/lilo.conf and add:

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
restricted               <- add this line
password=some_password   <- add this line
image=/boot/vmlinuz-2.2.12-20
    label=linux
    initrd=/boot/initrd-2.2.12-10.img
    root=/dev/sda6
    read-only

[root@deep]# chmod 600 /etc/lilo.conf    (no longer readable by other users)
[root@deep]# /sbin/lilo -v                (update the LILO configuration)
[root@deep]# chattr +i /etc/lilo.conf     (protect the file from modification)

18. Disable the Control-Alt-Delete reboot key combination

[root@deep]# vi /etc/inittab

Change the line

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

then run

[root@deep]# /sbin/init q

19. Reset the permissions of all files under the /etc/rc.d/init.d/ directory

[root@deep]# chmod -R 700 /etc/rc.d/init.d/*

Now only root can read, write and execute the script files above.

20. The /etc/rc.d/rc.local file

By default, when you log in to the Linux server, it tells you the Linux distribution name, the kernel version and the server's host name. That gives away too much information. If you want only the login: prompt, edit /etc/rc.d/rc.local and put a # in front of these lines:

# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then do the following:

[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
[root@deep]# touch /etc/issue
[root@deep]# touch /etc/issue.net

21. The s-bit of programs owned by root

Remove the s-bit flag from programs owned by root that do not need it; of course some programs do need it. Use the command 'chmod a-s' for this.

Note: the programs marked with an asterisk (*) below generally do not need the s-bit.

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

 -rwsr-xr-x   1 root     root        33120 Mar 21  1999 /usr/bin/at
*-rwsr-xr-x   1 root     root        30560 Apr 15 20:03 /usr/bin/chage
*-rwsr-xr-x   1 root     root        29492 Apr 15 20:03 /usr/bin/gpasswd
 -rwsr-xr-x   1 root     root         3208 Mar 22  1999 /usr/bin/disable-paste
 -rwxr-sr-x   1 root     man         32320 Apr  9  1999 /usr/bin/man
 -r-s--x--x   1 root     root        10704 Apr 14 17:21 /usr/bin/passwd
 -rws--x--x   2 root     root       517916 Apr  6  1999 /usr/bin/suidperl
 -rws--x--x   2 root     root       517916 Apr  6  1999 /usr/bin/sperl5.00503
 -rwxr-sr-x   1 root     mail        11432 Apr  6  1999 /usr/bin/lockfile
 -rwsr-sr-x   1 root     mail        64468 Apr  6  1999 /usr/bin/procmail
 -rwsr-xr-x   1 root     root        21848 Aug 27 11:06 /usr/bin/crontab
 -rwxr-sr-x   1 root     slocate     15032 Apr 19 14:55 /usr/bin/slocate
*-r-xr-sr-x   1 root     tty          6212 Apr 17 11:29 /usr/bin/wall
*-rws--x--x   1 root     root        14088 Apr 17 12:57 /usr/bin/chfn
*-rws--x--x   1 root     root        13800 Apr 17 12:57 /usr/bin/chsh
*-rws--x--x   1 root     root         5576 Apr 17 12:57 /usr/bin/newgrp
*-rwxr-sr-x   1 root     tty          8392 Apr 17 12:57 /usr/bin/write
 -rwsr-x---   1 root     squid       14076 Oct  7 14:48 /usr/lib/squid/pinger
 -rwxr-sr-x   1 root     utmp        15587 Jun  9 09:30 /usr/sbin/utempter
*-rwsr-xr-x   1 root     root         5736 Apr 19 15:39 /usr/sbin/usernetctl
*-rwsr-xr-x   1 root     bin         16488 Jul  6 09:35 /usr/sbin/traceroute
 -rwsr-sr-x   1 root     root       299364 Apr 19 16:38 /usr/sbin/sendmail
 -rwsr-xr-x   1 root     root        34131 Apr 16 18:49 /usr/libexec/pt_chown
 -rwsr-xr-x   1 root     root        13208 Apr 13 14:58 /bin/su
*-rwsr-xr-x   1 root     root        52788 Apr 17 15:16 /bin/mount
*-rwsr-xr-x   1 root     root        26508 Apr 17 20:26 /bin/umount
*-rwsr-xr-x   1 root     root        17652 Jul  6 09:33 /bin/ping
 -rwsr-xr-x   1 root     root        20164 Apr 17 12:57 /bin/login
*-rwxr-sr-x   1 root     root         3860 Apr 19 15:39 /sbin/netreport
 -r-sr-xr-x   1 root     root        46472 Apr 17 16:26 /sbin/pwdb_chkpwd

[root@deep]# chmod a-s /usr/bin/chage
[root@deep]# chmod a-s /usr/bin/gpasswd
[root@deep]# chmod a-s /usr/bin/wall
[root@deep]# chmod a-s /usr/bin/chfn
[root@deep]# chmod a-s /usr/bin/chsh
[root@deep]# chmod a-s /usr/bin/newgrp
[root@deep]# chmod a-s /usr/bin/write
[root@deep]# chmod a-s /usr/sbin/usernetctl
[root@deep]# chmod a-s /usr/sbin/traceroute
[root@deep]# chmod a-s /bin/mount
[root@deep]# chmod a-s /bin/umount
[root@deep]# chmod a-s /bin/ping
[root@deep]# chmod a-s /sbin/netreport

You can use the following command to find all programs with the s-bit set:

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; > suid-sgid-results

This writes the results to the file suid-sgid-results.

To find all world- or group-writable files and directories, use:

[root@deep]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; > ww-files-results
[root@deep]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; > ww-directories-results

To find files with no owner:

[root@deep]# find / -nouser -o -nogroup > unowned-results

To find all .rhosts files:

[root@deep]# find /home -name .rhosts > rhosts-results
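The find commands above can be wrapped into one audit that is re-run periodically and diffed against a baseline taken when the system was known-good. The following added example (not from the original article) does that for a given directory tree, reporting setuid/setgid files and world-writable files and directories (it leaves out the group-writable and unowned checks the article also runs). It assumes POSIX sh and find; the tree it inspects is a constructed sample built in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): audit a directory tree for
# setuid/setgid and world-writable entries, the same checks the article runs
# over / with find. Assumes POSIX sh and find; the tree below is constructed.

# suid_sgid_files DIR: regular files carrying the setuid or setgid bit
# (the article's "find / -type f \( -perm -04000 -o -perm -02000 \)").
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# world_writable DIR: files and directories writable by everyone.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# audit_tree DIR: one tagged line per finding, so the output can be saved
# as a baseline and diffed on the next run.
audit_tree() {
    suid_sgid_files "$1" | sed 's/^/suid-sgid      /'
    world_writable  "$1" | sed 's/^/world-writable /'
}

# make_sample_tree: build a constructed tree with one file of each kind and
# print its path. The names only imitate real binaries; nothing is executed.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/bin"
    : > "$t/bin/needs-suid"; chmod 4755 "$t/bin/needs-suid"   # like /usr/bin/passwd
    : > "$t/bin/sgid-tool";  chmod 2755 "$t/bin/sgid-tool"    # like /usr/bin/wall
    : > "$t/bin/plain";      chmod 0755 "$t/bin/plain"        # nothing to report
    : > "$t/scratch.txt";    chmod 0666 "$t/scratch.txt"      # world-writable
    echo "$t"
}

SAMPLE=$(make_sample_tree)
audit_tree "$SAMPLE"
rm -rf "$SAMPLE"
```

Run audit_tree / once after hardening, keep the output, and diff later runs against it: a new setuid file or a newly world-writable directory then shows up as a one-line change instead of having to be spotted in a long listing.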

Recommended replacements for common network service programs

wu-ftpd

wu-ftpd has had a steady stream of security vulnerabilities since 1994; through them attackers can easily gain remote root access, and many of the holes do not even require a valid account on the FTP server. Recently wu-ftpd has again had frequent security problems.

Its best replacement is ProFTPD. ProFTPD is easy to configure, in most cases faster, and its source code is cleaner (fewer buffer overflows). Many important sites use ProFTPD; SourceForge.net is a good example (the site hosts a total of 3,000 open source projects, no small number!). Some Linux distributors use it on their primary FTP sites, and only two major Linux distributors (SuSE and Caldera) use wu-ftpd.

Another advantage of ProFTPD is that it can run either from inetd or as a standalone daemon, which sidesteps some of the problems inetd brings, such as denial of service attacks. The simpler the system, the easier it is to keep secure. Unless wu-ftpd's source code is completely re-audited (very hard) or entirely rewritten, wu-ftpd should be replaced by ProFTPD.

Telnet

Telnet is very insecure: it sends your password in plain text. Its secure replacement is OpenSSH.

OpenSSH is very mature and stable on Linux, and there is plenty of free client software for the Windows platform. Linux distributors should adopt OpenBSD's policy: install OpenSSH and enable it by default, install telnet but do not enable it by default. For Linux distributors outside the United States it is easy to add OpenSSH to their distributions; distributors in the United States must find other ways (for example, Red Hat keeps the latest OpenSSH RPM packages on its German FTP server, ftp.redhat.de).

Telnet is a nuisance. To keep the system secure it must be replaced with software such as OpenSSH.

Sendmail

In recent years Sendmail's security has improved a great deal (it used to be a favourite target of hackers). However, Sendmail still has a very serious problem: whenever a new security hole appears (for example the recent Linux kernel bug), Sendmail is the first program attackers go after, because Sendmail runs with root privileges and its code is very prone to problems.

Almost all Linux distributors ship Sendmail as the default; only a few offer Postfix or qmail as optional packages. Yet very few Linux distributors use Sendmail on their own mail servers: SuSE and Red Hat use qmail-based systems.

Sendmail does not necessarily have to be replaced everywhere, but its two alternatives, qmail and Postfix, are secure and fast, and Postfix in particular is easier to configure and maintain.

su

su is used to change the current user's id, switching to another user. You can log in as a normal user and, when you need to do something as root, simply run "su" and enter the root password. su itself is not the problem, but it breeds bad habits: if a system has several administrators, you have to give each of them the root password.

An alternative to su is sudo. This software is included in Red Hat 6.2. sudo lets you set which users may run which programs as root. You can also restrict them according to where the user logs in from (if someone "cracks" a user's password and logs in with that account, you can limit what he can do with sudo). Debian also has a similar program called super, which has its own advantages and disadvantages compared to sudo.

Get users into good habits. Using the root account directly, and letting several people know the root password, is a bad habit. This is the reason why www.apache.org was broken into, because it ...

named

Most Linux distributors have solved this problem. named used to run as root, so whenever a new vulnerability appeared it was easy to break into important machines and gain root privileges. Now command line options let named run as a non-root user, and most Linux distributors run named as an ordinary user. The command form is usually: named -u -g (with the user and group names as arguments)

INN

INN's documentation states clearly: "verifycancels: this feature is useless and will be removed." About a month ago a hacker published a method of breaking into INN when "verifycancels" is enabled. Red Hat ships with "verifycancels" enabled. Any setuid/setgid program or network service program must be properly installed and checked to make sure, as far as possible, that it has no security holes.

Security

1. First, remove all the system's default accounts and passwords.
2. Do not display the company banner, online help or other information before the user's identity has been verified.
3. Disable network services that "hackers" can use to attack the system.
4. Use 6- to 8-character alphanumeric passwords.
5. Limit the number of login attempts a user may make.
6. Record security violations and review the security log.
7. Encrypt important information before transmitting it.
8. Follow the vendor's advisories and install the system "patches" they recommend.
9. Restrict host trust files that allow access without a password.
10. Modify the network configuration files to limit incoming TCP connections to the minimum number of ports. Do not allow protocols such as TFTP, SunRPC, printer, rlogin or rexec.
11. Replace Sendmail with UPAS. Sendmail has too many known vulnerabilities and is hard to fix completely.
12. Remove programs that are not critical to operation and not very useful.
13. Change all system directories to mode 711 with chmod, so that attackers cannot list their contents while users can still execute the programs in them.
14. Wherever possible, mount disks read-only; in practice only a few directories need to be read-write.
15. Upgrade the system software to the latest version. Old versions may have been studied and successfully attacked; the latest version generally includes fixes for these issues.

Please credit the original URL when reposting: https://www.9cbs.com/read-55764.html
