2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through the main points of Linux server security configuration: user management, service management, file permissions, system tuning, log management and firewall rules, with the steps and their details laid out in order.
1. Overview
Linux server version: Red Hat Linux AS
For an open operating system such as Linux, system security settings include minimizing system services, restricting remote access, protecting important data, patching security vulnerabilities, using security tools and auditing regularly. This article approaches the security configuration from the angles of user settings, which services to start, file permissions, system tuning and logging, with the aim of making the Linux server more secure and stable.
2. User management
In a Linux system a user account is the user's identity and consists of a user name and a password. The user names are stored in /etc/passwd and the password hashes in /etc/shadow. Normally this information is protected by the operating system and is readable only by the superuser (root) and a few system programs. If the system is misconfigured, or a program fails in the wrong way, /etc/shadow can become readable by ordinary users, and a malicious user can then run a password-cracking tool against the hashes offline to recover the original passwords. Keeping the hashes unreadable (shadow readable only by root) and the passwords strong is the baseline.
2.1 Delete the special user and group accounts of the system:
# userdel username
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
The accounts above are created by default at installation and are not used on a typical server, but they are the well-known names an attacker tries first. Delete users before groups, then check with grep -E '^(adm|lp|news|uucp|games|dip):' /etc/group that the matching groups are gone. If a package installed later may need one of them (lp for the print system, news, uucp), locking the account instead (usermod -L name) gives the same protection without breaking the package.
# groupdel groupname
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
Likewise, these group accounts are created by default at installation; removing them reduces the number of identities that can be targeted.
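An added example, not code from the article: a small audit that reads a passwd/shadow pair and reports the default accounts the list above removes that are still present, any second UID-0 account, and any account whose shadow password field is empty. The sample files are constructed for the example (the account names backup and guest and their contents are invented); on a real host point the functions at /etc/passwd and /etc/shadow as root.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a passwd/shadow pair
# for the default accounts the text removes, for extra UID-0 accounts, and for
# accounts whose shadow password field is empty (no password at all).
# The sample files below are constructed for the example; point the functions
# at /etc/passwd and /etc/shadow (as root) to audit a real host.

# Default accounts the article deletes (its list, unchanged).
UNUSED_ACCOUNTS="adm lp sync shutdown halt news uucp operator games gopher"

# Print the members of UNUSED_ACCOUNTS that still exist in the passwd file.
unused_accounts_present() {
    passwd_file=$1
    for u in $UNUSED_ACCOUNTS; do
        # field 1 is the login name; compare the whole field, not a substring
        awk -F: -v u="$u" '$1 == u { print $1 }' "$passwd_file"
    done
}

# Print every account with UID 0 other than root itself: a second UID-0
# account is a classic backdoor and nothing in a stock install needs one.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose shadow password field is empty.  An empty field means
# login with no password at all, which is worse than a weak hash; a field of
# "!" or "*" is a locked account and is fine.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data: a trimmed Red Hat-style passwd and shadow pair with
# three findings planted (games still present, "backup" with UID 0, "guest"
# with an empty password).  Prints the directory holding the two files.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
guest:x:500:500:guest:/home/guest:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$saltsalt$examplehashexamplehash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
games:*:12000:0:99999:7:::
backup:$1$saltsalt$examplehashexamplehash:12000:0:99999:7:::
guest::12000:0:99999:7:::
EOF
    echo "$dir"
}

# Run all three checks over a passwd/shadow pair; one line per finding.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    unused_accounts_present "$passwd_file" | sed 's/^/unused-account: /'
    extra_uid0_accounts "$passwd_file"      | sed 's/^/extra-uid0: /'
    empty_password_accounts "$shadow_file"  | sed 's/^/empty-password: /'
}

sample=$(make_sample)
audit_accounts "$sample/passwd" "$sample/shadow"
rm -rf "$sample"
```

Each finding is printed on its own line so the output can be fed to a ticketing or alerting script; an empty result means the three checks passed.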
2.2 User password settings:
On a fresh install the minimum password length is 5 characters, which is too short; raise it to 8. The setting lives in /etc/login.defs (vi /etc/login.defs):
PASS_MAX_DAYS 99999 ## maximum number of days a password stays valid (the default means it effectively never expires; 90 is a common choice)
PASS_MIN_DAYS 0 ## minimum number of days between password changes
PASS_MIN_LEN 5 ## minimum password length; change this to 8
PASS_WARN_AGE 7 ## days of warning before a password expires
Two caveats: these values apply to accounts created after the change (use chage to adjust existing accounts, for example chage -M 90 username), and on Red Hat systems passwd enforces length through PAM (the minlen setting of pam_cracklib in /etc/pam.d/system-auth), so PASS_MIN_LEN alone does not stop a user choosing a 5-character password.
2.3 Automatically log out idle sessions:
The root account has the highest privilege; if an administrator walks away from a logged-in root shell, anyone at the console can use it, so idle sessions should be ended automatically. bash (and ksh) does this through the TMOUT variable, a number of seconds. Edit /etc/profile (vi /etc/profile) and add the following line after the HISTSIZE= line:
TMOUT=300
300 seconds is 5 minutes: an interactive shell that receives no input for 5 minutes exits and the session is closed. Two things a practitioner should know: TMOUT only ends idle interactive shells, not a program left running inside one (an editor or top session is not idle), and a user can unset it in their own shell unless it is made read-only, so follow the assignment with readonly TMOUT and export TMOUT.
2.4 Lock the files that store user names and passwords:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/gshadow
chattr +i /etc/group
Note: chattr changes file attributes on ext2/ext3; +i sets the immutable bit, after which the file cannot be modified, deleted, renamed or linked, not even by root, until the bit is cleared with chattr -i. Check with lsattr /etc/passwd. Two practical consequences: useradd, passwd, chage and similar tools fail while the bit is set (clear it, make the change, set it again), and since root can clear it, the bit protects against mistakes and careless scripts rather than against an attacker who already has root.
3. Service management
In service management on a Linux system, the two things that do most for the security of a service are keeping its software version patched and turning off the services the system does not use, so that the set of running services is minimal.
3.1 turn off services that are not used by the system:
cd /etc/init.d ## the directory holding the SysV init start scripts
There are two ways to stop a service from starting from the init directory. The first is to rename the script (mv it to a *.old name) so that the start links in /etc/rc*.d no longer find it at boot. The second is to use the chkconfig command to turn the service off at the relevant runlevels. The second is cleaner: renaming leaves dangling symlinks in /etc/rc*.d, and a package upgrade will put the script back.
Note: before using either method, confirm that the service is not one this server specifically needs, so that a service in normal use is not shut down. Both methods only affect the next boot; a service that is running now is stopped with service name stop (or /etc/init.d/name stop).
Method 1: rename the start script
cd /etc/init.d/
mv apmd apmd.old            ## apm power management, only needed on laptops
mv netfs netfs.old          ## nfs client mounts
mv yppasswdd yppasswdd.old  ## nis server; historically many vulnerabilities
mv ypserv ypserv.old        ## nis server; historically many vulnerabilities
mv dhcpd dhcpd.old          ## dhcp server
mv portmap portmap.old      ## rpc portmapper, needed only by rpc services such as nfs and nis
mv lpd lpd.old              ## printing service
mv nfs nfs.old              ## nfs server; historically many vulnerabilities
mv sendmail sendmail.old    ## mail server; historically many vulnerabilities
mv snmpd snmpd.old          ## snmp, from which remote users can read a great deal of system information
mv rstatd rstatd.old        ## an r-service; remote users can obtain a lot of information from it
mv atd atd.old              ## runs one-off scheduled jobs, similar to cron
Method 2: use the chkconfig command to turn off unused system services
chkconfig --level 35 apmd off
chkconfig --level 35 netfs off
chkconfig --level 35 yppasswdd off
chkconfig --level 35 ypserv off
chkconfig --level 35 dhcpd off
chkconfig --level 35 portmap off
chkconfig --level 35 lpd off
chkconfig --level 35 nfs off
chkconfig --level 35 sendmail off
chkconfig --level 35 snmpd off
chkconfig --level 35 rstatd off
chkconfig --level 35 atd off
Note: the 3 and 5 in the chkconfig commands are runlevels: 3 is multi-user mode with networking (text console) and 5 is the same with the X display manager. A service turned off with chkconfig keeps running until the next reboot or until it is stopped with service name stop; the boot-time state of every service is listed with chkconfig --list.
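As an added example (not from the article), here is how to derive the list of services to turn off from chkconfig --list itself rather than from memory: anything enabled at runlevel 3 or 5 that is not on an explicit allowlist is reported, and the matching chkconfig commands are printed for review before anything is changed. The allowlist and the chkconfig output are constructed for the example.

```shell
#!/bin/sh
# Added example (not the article's own): list every service chkconfig has
# enabled at runlevel 3 or 5 that is not on an explicit allowlist, so the
# services to shut down are found from the system's own state.
# The sample chkconfig output below is constructed for the example; on a real
# host pipe `chkconfig --list` into unexpected_enabled_services.

# Services this (hypothetical) web server is allowed to start at boot.
ALLOWED_SERVICES="sshd httpd syslog crond network iptables"

# Read `chkconfig --list` lines on stdin; print services that are "on" at
# runlevel 3 or 5 and are not in ALLOWED_SERVICES, one per line.
unexpected_enabled_services() {
    awk -v allowed="$ALLOWED_SERVICES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # only SysV lines carry the "N:on/off" columns; the xinetd block is skipped
        $2 ~ /^0:/ {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in ok)) print $1
        }'
}

# Turn a list of service names on stdin into the chkconfig commands that
# disable them at runlevels 3 and 5 (printed, not executed, for review).
disable_commands() {
    while read -r svc; do
        [ -n "$svc" ] && echo "chkconfig --level 35 $svc off"
    done
}

# Constructed sample of `chkconfig --list` output.
sample_chkconfig_list() {
    cat <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: off
EOF
}

sample_chkconfig_list | unexpected_enabled_services | disable_commands
```

Review the printed commands, then run them (and service name stop for each) once you are sure nothing on the list is needed.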
3.2 Lock the service port list file
Purpose: prevent unauthorized edits to the table that maps service names to port numbers
chattr +i /etc/services
Caveat: /etc/services is only a name-to-port lookup used by tools such as netstat and by daemons that resolve a service name; locking it does not prevent a program from binding a port.
3.3 Disable root login over ssh
Change the sshd configuration so that root cannot log in directly over ssh; administrators log in as themselves and then su, which removes the most-attacked account from the remote login path and leaves a record of who became root.
vi /etc/ssh/sshd_config
#PermitRootLogin yes
Remove the # in front of this line and change it to: PermitRootLogin no
Then restart sshd (service sshd restart on Red Hat) and, before closing the session you are in, confirm from a second session that a normal user can still log in and that root is refused. sshd uses the first uncommented occurrence of a keyword, so edit the existing line rather than appending a new one at the bottom of the file.
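An added example (not the article's) of the check a practitioner wants around this edit: sshd uses the first uncommented occurrence of a keyword and ignores later ones, so a PermitRootLogin no appended to the bottom of a file that still has PermitRootLogin yes higher up changes nothing. The functions below read the effective value the way sshd does and rewrite the option in place. The sample sshd_config is constructed for the example; on a host, run them against /etc/ssh/sshd_config and then sshd -t before restarting.

```shell
#!/bin/sh
# Added example (not from the article): read an sshd_config option the way
# sshd resolves it (first uncommented match wins, keyword case-insensitive)
# and set an option in place rather than appending it.  Assumes the usual
# "Keyword value" line form.  The sample config is constructed for the example.

# Print the value sshd would use for KEYWORD in FILE; prints nothing if unset.
sshd_effective_value() {
    file=$1
    keyword=$2
    awk -v kw="$(echo "$keyword" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == kw { print $2; exit }        # first match wins, as in sshd
    ' "$file"
}

# Set KEYWORD to VALUE in FILE: every existing line for that keyword, active
# or commented out, is replaced by a single active line at the position of
# the first one; if there was none, the line is appended.
set_sshd_option() {
    file=$1
    keyword=$2
    value=$3
    tmp=$(mktemp)
    awk -v kw="$(echo "$keyword" | tr 'A-Z' 'a-z')" -v kwout="$keyword" -v val="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and a leading "#"
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == kw) {
                if (!done) { print kwout " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print kwout " " val }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"     # keep the original inode and permissions
    rm -f "$tmp"
}

# Constructed sample: the "fix" was appended at the bottom, so root login is
# still permitted by the earlier line.  Prints the temp file's path.
make_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Sample sshd_config (constructed for the example)
Port 22
Protocol 2
PermitRootLogin yes
#PermitRootLogin no
X11Forwarding no
# someone tried to fix it by appending, which sshd ignores:
PermitRootLogin no
EOF
    echo "$f"
}

conf=$(make_sample_sshd_config)
echo "before: PermitRootLogin=$(sshd_effective_value "$conf" PermitRootLogin)"
set_sshd_option "$conf" PermitRootLogin no
echo "after:  PermitRootLogin=$(sshd_effective_value "$conf" PermitRootLogin)"
rm -f "$conf"
```

The "before" line prints yes, which is what sshd would enforce despite the appended no; after set_sshd_option there is exactly one PermitRootLogin line and it reads no.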
4. System file permissions
The security of the Linux file system rests mainly on file permissions. Every file or directory carries three sets of permission bits, for its owner, its group and everyone else (read, write, execute), plus the set-uid and set-gid bits. Pay special attention to executables with set-uid or set-gid: while such a program runs, the process takes on the privileges of the file's owner or group, usually root, so a set-uid program with a flaw that an attacker finds, or one an attacker plants, yields root directly.
4.1 Restrict the permissions of the init scripts:
chmod -R 700 /etc/init.d/*
4.2 Remove the set-uid and set-gid bits from some system files:
chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /bin/ping
chmod a-s /sbin/netreport
After this only root can use these programs for their privileged purpose (ordinary users can no longer ping, mount removable media, or change their shell or finger information with chsh and chfn); confirm no application account depends on them before applying the change on a production host. Keep a list of the set-uid and set-gid files that remain and compare against it periodically, since a new set-uid file is a common sign of compromise.
4.3 Protect the boot loader configuration
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
(On Red Hat /etc/grub.conf is a symlink to /boot/grub/grub.conf; apply both commands to the real file.)
5. System tuning
5.1 Virtual memory tuning:
On Linux, physical memory is normally close to fully used: the memory manager keeps otherwise idle RAM filled with file cache, unlike Windows, which pages out to virtual memory regardless of how much RAM is present.
On the 2.2/2.4-era kernels this article targets, /proc/sys/vm/freepages holds three numbers for the current system: the min, low and high free-page thresholds.
The kernel begins reclaiming memory (swapping to disk) when the number of free pages falls below the high threshold, and reclaims more aggressively as free pages fall below the low and min thresholds. Pages are generally 4 KB. The rule of thumb used here sets min to 2 times, low to 4 times and high to 6 times the amount of memory in MB.
Taking 1 GB of memory as an example, the default values are changed with:
echo "2048 4096 6144" > /proc/sys/vm/freepages
Caveat: /proc/sys/vm/freepages does not exist on 2.6 and later kernels (the closest tunable there is /proc/sys/vm/min_free_kbytes), so check ls /proc/sys/vm before using this; and this is a performance setting, not a security one.
6. Log management
6.1 System boot log:
dmesg
The dmesg command shows the kernel ring buffer from the most recent boot. It is usually long, so pipe it to a pager (dmesg | less) or into grep.
6.2 System operation logs:
A. Linux logs live under /var/log. Several files there are maintained by the system itself, and other services and programs may keep their logs there too. Most of them are readable only by root. They can be made readable by others by changing the file permissions, but logs carry user names, addresses and occasionally a password typed at the wrong prompt, so leave them root-only and grant specific people access through a group instead.
Common syslog-style file names and what they hold:
lastlog   the last successful login time of each user
loginlog  failed login attempts
messages  messages written to the system console and generated by the syslog daemon
utmp      each user currently logged in
utmpx     extended form of utmp
wtmp      the history of every login and logout (wtmpx is its extended form)
vold.log  errors from removable media
xferlog   ftp transfers
sulog     uses of the su command
acct      the commands run by each user (process accounting)
aculog    automatic dial-out records
Several of these names (loginlog, utmpx, wtmpx, vold.log, sulog, aculog) come from Solaris. On Red Hat the su and login records go to /var/log/secure, failed logins are recorded in /var/log/btmp (read with lastb) when that file exists, and process accounting is only written if the psacct package is installed and started.
B. /var/log/messages
The messages log is the core system log file. It holds boot messages and status messages generated while the system runs: I/O errors, network errors and other system errors are written here, as is other information such as someone switching identity to root. If a service such as a dhcp server is running, its activity can be followed in the messages file. In general /var/log/messages is the first file to check when troubleshooting. (On Red Hat the default syslog.conf sends authentication messages, including su, to /var/log/secure, so check both.)
C. /var/log/XFree86.0.log
This log records the result of the last run of the XFree86 X server. If the system fails to boot into graphical mode, the reason is usually found in this file.
D. Some files in /var/log end in a number. These are rotated archives. Log files grow large, and Linux provides logrotate to cycle them so that current information is not buried in old, irrelevant entries. logrotate normally runs automatically from cron, but it can also be run by hand. When it runs it renames the current log to name.1, the previous .1 to .2 and so on; the larger the number, the older the log.
logrotate's automatic behaviour is configured by editing /etc/logrotate.conf (and the per-service snippets in /etc/logrotate.d); man logrotate has the full details.
Where:
# rotate log files weekly
weekly
This means each log file is rotated once a week, so each file holds a week's worth of entries.
# keep 4 weeks worth of backlogs
rotate 4
Here four rotations are kept, i.e. four old log files are retained before the oldest is deleted.
E. Custom logging
The behaviour of syslog is configured in /etc/syslog.conf and /etc/sysconfig/syslog; the destination file and the facility and priority level of each class of message can be set there, including sending a copy to a remote log host (an @hostname destination) so that an intruder who wipes the local logs does not also erase the record.
6.3 User activity logs:
last
Run on its own, last reads /var/log/wtmp and prints the list of users who have logged into the system, with times and sources.
history
The history command lists the commands the current shell has saved. For root they are kept in /root/.bash_history; for an ordinary user in that user's home directory, /home/username/.bash_history. The number of commands kept is set by HISTSIZE in /etc/profile (HISTSIZE=1000 by default). Note that this file is written by the user's own shell: the user can edit it, truncate it or disable it (unset HISTFILE), so it is a convenience for the administrator, not an audit trail. Process accounting or a remote syslog is needed for a record the user cannot alter.
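The review the text recommends for /var/log/messages, as an added example that is not part of the article: awk filters that count failed sshd logins per source address and list who used su to become root, in a form that can run from cron. The log lines are constructed for the example (hosts, names and addresses are invented); on a Red Hat host feed /var/log/secure and /var/log/messages on stdin.

```shell
#!/bin/sh
# Added example (not from the article): two log checks over syslog-format
# lines.  The sample lines are constructed; real input comes from
# /var/log/secure and /var/log/messages on stdin.

# Read syslog lines on stdin; print "count address" for each source address
# with at least THRESHOLD failed sshd password/publickey attempts, busiest first.
ssh_failures_over() {
    threshold=$1
    awk -v t="$threshold" '
        / sshd\[[0-9]+\]: Failed (password|publickey) for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) print n[a], a }' | sort -rn
}

# Read syslog lines on stdin; print "count account" for every account that
# opened an su session as root, most frequent first.
su_to_root_by() {
    awk '
        / su(\(pam_unix\))?\[[0-9]+\]: session opened for user root by / {
            by = $NF
            sub(/\(.*$/, "", by)     # "bob(uid=501)" -> "bob"
            print by
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample: one brute-force source, one mistyped password from the
# internal network, two accounts using su.
sample_logs() {
    cat <<'EOF'
Jun 18 09:58:11 web1 sshd[2201]: Accepted password for alice from 172.18.10.7 port 51022 ssh2
Jun 18 10:01:02 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 4321 ssh2
Jun 18 10:01:04 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 4322 ssh2
Jun 18 10:01:06 web1 sshd[2212]: Failed password for admin from 203.0.113.9 port 4323 ssh2
Jun 18 10:01:09 web1 sshd[2213]: Failed password for illegal user oracle from 203.0.113.9 port 4324 ssh2
Jun 18 10:03:40 web1 sshd[2220]: Failed password for alice from 172.18.10.7 port 51030 ssh2
Jun 18 10:05:12 web1 su(pam_unix)[2305]: session opened for user root by alice(uid=500)
Jun 18 10:09:45 web1 su(pam_unix)[2330]: authentication failure; logname=bob uid=501 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Jun 18 10:10:03 web1 su(pam_unix)[2331]: session opened for user root by bob(uid=501)
Jun 18 10:40:22 web1 su(pam_unix)[2400]: session opened for user root by alice(uid=500)
EOF
}

echo "ssh sources with 3 or more failures:"; sample_logs | ssh_failures_over 3
echo "su to root, by account:";              sample_logs | su_to_root_by
```

The threshold separates a user mistyping a password once from a host trying a list of accounts; the su summary is compared against the list of people who are supposed to have the root password.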
7. Firewalls
7.1 iptables firewalls:
7.1.1 iptables concepts:
iptables (IP packet filter administration) is used to set up, maintain and inspect the IP packet-filtering rules of the Linux kernel.
Rules are organised into tables, each containing built-in chains and, optionally, user-defined chains. A chain is an ordered list of rules; each rule matches some packets and says what to do with a match. That action is called a target, and it can also be a jump to a user-defined chain in the same table.
From user space you build the rules, which are stored in the packet-filter tables in kernel space. Each rule's target tells the kernel what to do with packets that come from certain sources, go to certain destinations or carry a certain protocol. If a packet matches a rule with the ACCEPT target it is allowed through; the DROP target silently discards it, and REJECT discards it and sends an error back to the sender. Many other targets exist for other actions.
Rules are grouped into chains by the kind of packet they handle. Rules for packets addressed to this host go in the INPUT chain, rules for packets this host sends go in OUTPUT, and rules for packets routed through this host go in FORWARD. These three are the built-in chains of the filter table; other tables have further built-in chains (PREROUTING and POSTROUTING in nat, for instance), and user-defined chains can be added. Each built-in chain has a policy, the default target applied to a packet that matches none of the chain's rules. Rules are evaluated in order and the first match decides, so the order in which rules are added matters.
Once the rules are in place, filtering happens in kernel space. When a packet arrives, the kernel first examines its header, in particular its destination, and decides where it should go; this is routing.
If the packet comes from outside and is addressed to this system, it is handed to the INPUT chain of the filter table. A packet generated on this system and addressed elsewhere goes through the OUTPUT chain. A packet that arrives from one network and is routed out to another passes through the FORWARD chain.
7.1.2 iptables instance 1:
#!/bin/sh
# disable packet forwarding while the rules are being rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward
# clear the existing iptables rules and set the default policies
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# always accept loopback traffic (missing from the original listing; with an
# INPUT policy of DROP, local programs talking to 127.0.0.1 would otherwise fail)
iptables -A INPUT -i lo -j ACCEPT
# tcp and udp ports that need to be opened in the INPUT chain
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 1352
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
# accept every packet belonging to an established or related connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# re-enable ip forwarding (the FORWARD policy above is ACCEPT, so this host routes)
echo 1 > /proc/sys/net/ipv4/ip_forward
7.1.3 iptables instance 2:
Note: in this example only the TCP and UDP port lists and the internal server network range need to be edited; the remaining settings are in place by default.
#!/bin/sh
# make: yongzhang
# time: 2004-06-18
# e-mail: yongzhang@wiscom.com.cn
PATH=/sbin:/bin:/usr/sbin:/usr/bin
## tcp allow ports
TPORTS="8022"
## udp allow ports
UPORTS="53"
## internal server ip range
SERVER_IP="172.18.10.0/24"
## disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
## reset default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
## delete all iptables rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
## clean all non-default chains
iptables -X
iptables -t nat -X
## iptables default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## allow ping packets
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## enable forwarding of established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## state related for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## accept internal packets on the internal interface
iptables -A INPUT -s $SERVER_IP -p tcp -j ACCEPT
## open ports on router for server/services
## tcp ports
for atp in $TPORTS
do
    iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $atp -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port $atp -j ACCEPT
done
## udp ports
for aup in $UPORTS
do
    iptables -A INPUT -p udp --destination-port $aup -j ACCEPT
    iptables -A FORWARD -p udp --destination-port $aup -j ACCEPT
done
## bad packets
## drop invalid packets immediately
iptables -A INPUT -p all -m state --state INVALID -j DROP
## limit syn flood (left commented out as in the original; note that -f matches fragments, not SYNs)
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
## deny all icmp packets; eth0 is the external interface
#iptables -A INPUT -i eth0 -s 0.0.0.0/0 -p icmp -j DROP
## allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
## enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
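An added example, not the article's script: the same policy as instance 2 (loopback, established/related, the ICMP types, the TCP/UDP allowlists and the internal network) expressed as an iptables-restore file instead of a sequence of iptables calls. iptables-restore replaces the table in one operation, so there is no moment where the policy is already DROP but the allow rules are not yet loaded, and a typo fails the whole load instead of leaving a half-built chain. The port lists and 172.18.10.0/24 are taken from instance 2; the rule ordering and the check_ruleset helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): generate an iptables-restore file for
# the filter table from the same inputs instance 2 uses, and sanity-check it
# before loading.  Nothing here touches the running firewall.

# Print an iptables-restore file for the filter table on stdout.
#   $1  space-separated TCP ports to accept from outside
#   $2  space-separated UDP ports to accept
#   $3  internal network (CIDR) whose TCP traffic is accepted outright
gen_filter_ruleset() {
    tcp_ports=$1
    udp_ports=$2
    internal=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # order matters: loopback and existing connections first, then the INVALID
    # drop, then the allowlist; anything else falls through to the DROP policy
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for t in 0 3 5 8 11; do                       # the ICMP types instance 2 allows
        echo "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "-A INPUT -s $internal -p tcp -j ACCEPT"
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'COMMIT'
}

# Sanity check on a ruleset read from stdin before it goes to iptables-restore:
# exactly one table header and one COMMIT, and every -A line names a chain the
# file declares.  Returns 0 when the file passes, 1 otherwise.
check_ruleset() {
    awk '
        /^\*/      { tables++ }
        /^:/       { sub(/^:/, "", $1); chains[$1] = 1 }
        /^COMMIT$/ { commits++ }
        /^-A /     { if (!($2 in chains)) bad++ }
        END { exit (tables == 1 && commits == 1 && !bad) ? 0 : 1 }'
}

# On a host:
#   gen_filter_ruleset "8022" "53" 172.18.10.0/24 > /tmp/fw.rules
#   check_ruleset < /tmp/fw.rules && iptables-restore < /tmp/fw.rules
gen_filter_ruleset "8022" "53" 172.18.10.0/24
```

Load it from a console session, or from a job that reverts to a known-good file after a timeout, since a mistake in the INPUT rules locks you out over ssh.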
7.2 ipchains firewalls:
7.2.1 ipchains concept:
ipchains is used to install, maintain and inspect the firewall rules of the Linux 2.2 kernel (the predecessor of iptables). Rules fall into four categories: the input chain, the output chain, the forward chain and user-defined chains.
A firewall rule specifies what a packet must look like and what to do with it (its target). When a packet comes in, the kernel uses the input chain to decide its fate. If it is accepted, the kernel then decides where the packet should go next (routing). If it is to be sent on to another machine, the kernel consults the forward chain. When a rule matches, the packet goes to the rule's target, which is either a user-defined chain or one of the built-in values ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN.
ACCEPT lets the packet through. DENY discards the packet as if it had never been received. REJECT also discards it but, if it is not an ICMP packet, sends an ICMP reply telling the sender that the destination is unreachable (for ICMP packets DENY and REJECT behave the same).
MASQ tells the kernel to masquerade the packet (rewrite its source address to this host's). It is valid only in the forward chain and user-defined chains, and IP masquerading must be compiled into the kernel for it to work.
REDIRECT is valid only in the input chain and user-defined chains. It tells the kernel to deliver the packet to a local port regardless of where it was addressed; only TCP and UDP can be redirected. A port (name or number) given after -j REDIRECT is the port the packets are sent to, even if they were addressed to a different one. CONFIG_IP_TRANSPARENT_PROXY must be enabled when the kernel is compiled.
The last built-in target, RETURN, skips the remaining rules of the chain: in a built-in chain the packet then falls to the chain's policy, in a user-defined chain processing continues with the next rule of the calling chain.
Any other target name is a user-defined chain. The packet is passed through that chain; if that chain does not decide its fate, processing resumes at the next rule of the chain that jumped to it.
7.2.2 ipchains instance (each line is the argument list of one ipchains command; prefix a line with ipchains to run it by hand):
## clear the input chain and set its default policy to REJECT
-F input
-P input REJECT
## tcp ports 80, 81 and 22 and udp port 123 are allowed into the input chain
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 81 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
## apart from the ports allowed above, reject tcp and udp ports 0-1023, 2049, 6000-6009 and 7100 (-y matches only tcp connection requests, i.e. SYN packets)
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
## allow all remaining packets arriving on the machine's own interfaces
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
## clear the output chain and set its default policy to ACCEPT
-F output
-P output ACCEPT
## clear the forward chain, set its default policy to DENY, and forward (masquerading them) only packets from the 10.10.11.0/24 range
-F forward
-P forward DENY
-A forward -s 10.10.11.0/24 -j MASQ
1. Overview
Linux server version: redhat linux as
For the open operating system-linux, the security settings of the system include minimizing system services, restricting remote access, hiding important data, repairing security loopholes, using security tools and frequent security checks. This article mainly from the user settings, how to open services, system optimization and other aspects of the system security configuration, in order to make the linux server more secure and stable.
two。 User management
In the linux system, the user account is the user's identity, which consists of a user name and a user password. The system stores the entered user name in the / etc/passwd file and the entered password in the / etc/shadow file in encrypted form. Under normal circumstances, these passwords and other information are protected by the operating system and can only be accessed by superusers (root) and some applications of the operating system. However, if the configuration is improper or in the case of some system running errors, this information can be obtained by ordinary users. In turn, malicious users can use a kind of tool called "password cracking" to get the pre-encrypted password.
2.1 Delete the special user account and group account of the system:
# userdel username
Userdel adm
Userdel lp
Userdel sync
Userdel shutdown
Userdel halt
Userdel news
Userdel uucp
Userdel operator
Userdel games
Userdel gopher
The above deleted users are some accounts created by default by the system, but are not used in commonly used servers, but these accounts are often used and attacked by hackers.
# groupdel username
Groupdel adm
Groupdel lp
Groupdel news
Groupdel uucp
Groupdel games
Groupdel dip
Again, the above deletes some group accounts that the system installation creates by default. This reduces the chance of being attacked.
2.2 user password settings:
When installing Linux, the default minimum password length is 5 bytes, but this is not enough. Set it to 8 bytes. To modify the minimum password length requires editing the login.defs file (vi / etc/login.defs)
Pass_max_days 99999 # # password setting maximum validity period (default)
Pass_min_days 0 # # password setting minimum validity period
Pass_min_len 5 # # set the minimum password length
How many days in advance pass_warn_age 7 # # warns users that their passwords are about to expire.
2.3 modify the time of automatic account cancellation:
Log out of the account automatically. In the linux system, the root account has the highest privilege. If the system administrator forgets to log out of the root account before leaving the system, it will bring great security risks and the system should be allowed to log out automatically. This function can be achieved by modifying the "tmout" parameter in the account. Tmout is calculated in seconds. Edit your profile file (vi / etc/profile) and add the following line after "histsize=":
Tmout=300
300, which means 300 seconds, which means 5 minutes. In this way, if the logged-in user in the system does not act within 5 minutes, the system will automatically cancel the account.
2.4 lock the user name and password of the system to store the file:
Chattr + I / etc/passwd
Chattr + I / etc/shadow
Chattr + I / etc/gshadow
Chattr + I / etc/group
Note: chattr is a command to change file attributes. Parameter I represents that the file or directory must not be changed arbitrarily, where I is the unmodifiable bit (immutable). Viewing method: lsattr / etc/passwd
3. Service management
In the service management of the linux system, if you want to achieve the best security of the service, the main thing is to upgrade the software version of the service itself, and the other is to turn off the services that the system does not use to minimize the service.
3.1 turn off services that are not used by the system:
Cd / etc/init.d # # go to the system init process startup directory
There are two ways to shut down the service in the init directory. First, mv the file name in the init directory to the file name of the * .old class, that is, modify the file name, which means that the startup file for this service cannot be found when the system starts. Second, use chkconfig system commands to shut down the service at the startup level of the system.
Note: when using any of the following methods, please first check whether the service that needs to be shut down is a service that this server specifically needs to start to support, in case of shutting down the service that is in normal use.
The first one: the method of changing the file name
Cd / etc/init.d/
Mv apmd apmd.old # # Notebook needs
Mv netfs netfs.old # # nfs client
Mv yppasswdd yppasswdd.old # # nis server, this service has many vulnerabilities
Mv ypserv ypserv.old # # nis server, this service has many vulnerabilities
Mv dhcpd dhcpd.old # # dhcp service
Mv portmap portmap.old # # required to run the rpc service
Mv lpd lpd.old # # Printing Service
Mv nfs nfs.old # # nfs server with many vulnerabilities
Mv sendmail sendmail.old # # email service with many vulnerabilities
Mv snmpd snmpd.old # # snmp, from which remote users can get a lot of system information
Mv rstatd rstatd.old # # avoid running the r service, from which remote users can get a lot of information
Mv atd atd.old # # A time-running program service that is very similar to cron
Second: use the chkcofig command to shut down unused system services
Chkconfig? clevel 35 apmd off
Chkconfig? clevel 35 netfs off
Chkconfig? clevel 35 yppasswdd off
Chkconfig? clevel 35 ypserv off
Chkconfig? clevel 35 dhcpd off
Chkconfig? clevel 35 portmap off
Chkconfig? clevel 35 lpd off
Chkconfig? clevel 35 nfs off
Chkconfig? clevel 35 sendmail off
Chkconfig? clevel 35 snmpd off
Chkconfig? clevel 35 rstatd off
Chkconfig? clevel 35 atd off
Note: 3 and 5 of the above chkcofig commands are the type of system startup, 3 represents the multi-purpose boot mode of the system, and 5 represents the x startup mode of the system.
3.2 Lock the system service port list file
Main role: prevent unauthorized deletion or addition of services
Chattr + I / etc/services
3.3 modify the root login permissions of the ssh service
Modify the ssh service configuration file so that the ssh service does not allow direct use of root users to log in, so as to build the opportunity for the system to be attacked by malicious login.
Vi / etct/ssh/sshd_config
Permitrootlogin yes
After removing the # before this line, modify it to: permitrootlogin no
4. System file permissions
The security of linux file system is mainly achieved by setting the permissions of files. Each linux file or directory has three sets of attributes that define the rights of the owner of the file or directory, user groups, and others (read-only, writeable, executable, suid allowed, sgid allowed, etc.). Pay special attention to the executable files with permissions of suid and sgid, which will give the owner permission to the process during the process of running the program. If found and used by hackers, it will cause harm to the system.
4.1 modify the execution permissions of init directory files:
Chmod-r 700 / etc/init.d/*
4.2 permission to modify the suid and sgid of some system files:
Chmod Amurs / usr/bin/chage
Chmod Amurs / usr/bin/gpasswd
Chmod Amurs / usr/bin/wall
Chmod Amurs / usr/bin/chfn
Chmod Amurs / usr/bin/chsh
Chmod Amurs / usr/bin/newgrp
Chmod Amurs / usr/bin/write
Chmod Amurs / usr/sbin/usernetctl
Chmod Amurs / usr/sbin/traceroute
Chmod Amurs / bin/mount
Chmod Amurs / bin/umount
Chmod Amurs / bin/ping
Chmod Amurs / sbin/netreport
4.3 modify the system boot file
Chmod 600 / etc/grub.conf
Chattr + I / etc/grub.conf
5. System optimization
5.1 Virtual memory optimization:
Generally speaking, the physical memory of linux is almost completely used. This is very different from windows, its memory management mechanism makes full use of system memory, not windows no matter how much memory has to use some virtual memory.
Three numbers in / proc/sys/vm/freepages are of the current system: the minimum memory blank page, the lowest memory blank page, and the highest memory blank page.
Note that the principle for the system to use virtual memory here is to use disk swap space if the number of blank pages is lower than the maximum blank page setting. Use memory swapping when the minimum blank page setting is reached. Memory is generally allocated at 4k bytes per page. The minimum memory blank page setting is 2 times the amount of memory in the system; the minimum memory blank page setting is 4 times the amount of memory; and the maximum memory blank page setting is 6 times the system memory.
The following takes 1g memory as an example to modify the default virtual memory parameter size of the system:
Echo "2048 4096 6444" > / proc/sys/vm/freepages
6. Log management
6.1 system boot log:
Dmesg
Use the dmesg command to quickly view the boot log of the last system boot. Usually it's
There will be a lot of content, so you often want to pipe it to a reader.
6.2 system operation log:
A. Linux logs are stored in the /var/log directory. Several log files there are maintained by the system, but other services and programs may also keep their logs here. Most logs can only be read by root; to make one readable to others you only need to change the file's access permissions.
The following are common syslog file names and their descriptions:
lastlog: records the last successful login time of each user
loginlog: records failed login attempts
messages: records messages output to the system console and messages generated by the syslog service
utmp: records each user currently logged in
utmpx: extended form of utmp
wtmp: records the history of each user's logins and logouts
wtmpx: extended form of wtmp
vold.log: records errors when using external media
xferlog: records ftp access
sulog: records use of the su command
acct: records the commands executed by each user
aculog: records automatic dial-out calls
B. /var/log/messages
The messages log is the core system log file. It contains the boot messages written when the system starts, as well as other status messages written while the system runs. I/O errors, network errors, and other system errors are logged to this file. Other information, such as a user switching identity to root, is also recorded here. If a service such as a DHCP server is running, you can observe its activity in the messages file. In general, /var/log/messages is the first file to review when troubleshooting.
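As an added example (not from the original article), the following Python script scans /var/log/messages-style lines for the su events the paragraph mentions and flags users who failed to become root and then succeeded. The sample lines are constructed to resemble the su(pam_unix) messages a Red Hat-era syslog writes; their exact format, and the helper names root_switches and suspicious_actors, are this example's own assumptions.

```python
"""Detect identity switches to root in /var/log/messages-style lines.

Added example, not from the original article. The sample below is a
constructed imitation of the su(pam_unix) lines a Red Hat-era syslog
writes; the exact line format is an assumption of this example."""
import re
from typing import List, Tuple

# Constructed sample of /var/log/messages content (assumed format).
SAMPLE_MESSAGES = """\
Jun 18 09:12:01 srv01 sshd(pam_unix)[2211]: session opened for user alice by (uid=0)
Jun 18 09:13:45 srv01 su(pam_unix)[2290]: session opened for user root by alice(uid=500)
Jun 18 09:14:02 srv01 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
Jun 18 09:20:17 srv01 su(pam_unix)[2350]: authentication failure; logname=bob uid=501 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Jun 18 09:21:03 srv01 su(pam_unix)[2360]: session opened for user root by bob(uid=501)
Jun 18 09:30:00 srv01 kernel: hda: dma_intr: status=0x51 { DriveReady SeekComplete Error }
"""

_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SU_OPENED = re.compile(
    _TS + r" \S+ su\(pam_unix\)\[\d+\]: session opened for user (?P<target>\S+)"
          r" by (?P<actor>[^(\s]*)\(uid=\d+\)$")
SU_FAILED = re.compile(
    _TS + r" \S+ su\(pam_unix\)\[\d+\]: authentication failure;"
          r".*\blogname=(?P<actor>\S*).*\buser=(?P<target>\S+)")


def root_switches(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, actor, outcome) for every su attempt whose target
    is root; outcome is "opened" (succeeded) or "failed"."""
    events = []
    for line in text.splitlines():
        m = SU_OPENED.match(line)
        if m and m.group("target") == "root":
            events.append((m.group("ts"), m.group("actor"), "opened"))
            continue
        m = SU_FAILED.match(line)
        if m and m.group("target") == "root":
            events.append((m.group("ts"), m.group("actor"), "failed"))
    return events


def suspicious_actors(events: List[Tuple[str, str, str]]) -> List[str]:
    """Actors who failed at least once and then succeeded. syslog appends in
    time order, so the order of events is the order of occurrence."""
    failed, flagged = set(), set()
    for _ts, actor, outcome in events:
        if outcome == "failed":
            failed.add(actor)
        elif actor in failed:
            flagged.add(actor)
    return sorted(flagged)


if __name__ == "__main__":
    found = root_switches(SAMPLE_MESSAGES)
    for ts, actor, outcome in found:
        print(f"{ts}  {actor:8s} su to root: {outcome}")
    print("failed-then-succeeded:", suspicious_actors(found))
```

On a real server, feed the script the contents of /var/log/messages (and its rotated .1, .2 copies) instead of the constructed sample; the regular expressions will need adjusting if your syslog or PAM version formats the su lines differently.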
C. /var/log/XFree86.0.log
This log records the result of the last run of the XFree86 X Window server. If you have problems booting into graphical mode, you will generally find the reason for the failure in this file.
D. Some files in the /var/log directory end with a number. These are archived files produced by log rotation. Log files can become very large and unwieldy, so Linux provides a command to rotate them, so that the current log information is not drowned in old, irrelevant entries. logrotate usually runs automatically on a schedule, but it can also be run manually. When it runs, logrotate takes the current version of the log file and appends ".1" to its name; older files become ".2", ".3", and so on. The larger the number after the file name, the older the log.
You can configure the automatic behavior of logrotate by editing the /etc/logrotate.conf file. All the details of logrotate are in man logrotate.
For example:
# rotate log files weekly
weekly
This means each log file is rotated once a week, so one log file holds a week's worth of entries.
# keep 4 weeks worth of backlogs
rotate 4
Here the number of rotations kept is 4, that is, 4 old log files are retained.
E. Custom logs
Their behavior can be configured by editing /etc/syslog.conf and /etc/sysconfig/syslog, which lets you customize the storage path and the level at which system logs are generated.
6.3 User operation logs of the system:
last
Running the last command by itself reads the file named wtmp in the /var/log directory and displays, from its contents, the list of users who have logged into the system.
history
The history command keeps the most recently executed commands. For root they are saved in the /root/.bash_history file; for an ordinary user they are saved in that user's home directory, i.e. normally /home/username/.bash_history. The number of commands kept can be set by editing /etc/profile, where HISTSIZE=1000 is the number of entries history saves.
7. Firewalls
7.1 iptables type firewall:
7.1.1 iptables concept:
iptables (IP packet filter administration) is used to set up, maintain, and inspect the IP packet filtering rules of the Linux kernel.
You can define different tables, each containing several built-in chains or user-defined chains. Each chain is a list of rules that match particular packets: each rule specifies what should be done with a packet that matches it. This is called a "target", and it can also be a jump to a user-defined chain within the same table.
From user space you build your own custom rules, which are stored in the packet filtering table in kernel space. These rules have targets that tell the kernel what to do with packets that come from certain sources, go to certain destinations, or have certain protocol types. If a packet matches a rule, the target ACCEPT lets the packet pass. You can also use the targets DROP or REJECT to block and discard packets. There are many other targets for other actions that can be performed on packets.
Rules can be grouped into chains according to the type of packets they process. Rules for handling inbound packets are added to the INPUT chain. Rules for handling outbound packets are added to the OUTPUT chain. Rules for packets being forwarded are added to the FORWARD chain. These three chains are the default main chains built into the basic packet filtering table. In addition, there are other chains (such as PREROUTING and POSTROUTING), and you can also define your own. Each chain can have a policy that defines the "default target", the action taken when a packet matches none of the rules in the chain.
Once you have established the rules and put the chains in place, the real packet filtering work can begin. At this point kernel space takes over from user space. When a packet arrives at the firewall, the kernel first checks the packet's header information, especially its destination. This process is called routing.
If the packet comes from the outside world and is destined for this system, and the firewall is turned on, the kernel passes it to the INPUT chain of the kernel-space packet filtering table. If the packet originates on this system, or on the intranet this system is connected to, and is destined for another, external system, it is passed to the OUTPUT chain. Similarly, packets that both originate from and are destined for external systems are passed to the FORWARD chain.
7.1.2 iptables instance 1:
#!/bin/sh
# disable the forwarding of packets in the system
echo 0 > /proc/sys/net/ipv4/ip_forward
# clear the original iptables rules and set the iptables default policies
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# tcp and udp ports that need to be opened in the INPUT rules
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 1352
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
# all packets in state ESTABLISHED or RELATED are accepted in the INPUT rules
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable system ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
7.1.3 iptables instance 2:
Note: in this example you only need to set the tcp and udp ports and the server's network segment (IP range); the other settings are already given defaults.
#!/bin/sh
# make: yongzhang
# time: 2004-06-18
# e-mail: yongzhang@wiscom.com.cn
PATH=/sbin:/bin:/usr/sbin:/usr/bin
## tcp allow ports
TPORTS="80 22"
## udp allow ports
UPORTS="53"
## internal server_ip range
SERVER_IP="172.18.10.0/24"
## disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
## reset default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
## del all iptables rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
## clean all non-default chains
iptables -X
iptables -t nat -X
## iptables default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## allow ping packets
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
# iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## enable forwarding of established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## state related for router
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## accept internal packets on the internal i/f
iptables -A INPUT -s $SERVER_IP -p tcp -j ACCEPT
## open ports on router for server/services
## tcp ports
for atp in $TPORTS
do
    iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $atp -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port $atp -j ACCEPT
done
## udp ports
for aup in $UPORTS
do
    iptables -A INPUT -p udp --destination-port $aup -j ACCEPT
    iptables -A FORWARD -p udp --destination-port $aup -j ACCEPT
done
## bad_packets chain
## drop invalid packets immediately
iptables -A INPUT -p all -m state --state INVALID -j DROP
## limit syn flood
# iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
## deny all icmp packets, eth0 is the external network interface
# iptables -A INPUT -i eth0 -s 0.0.0.0/0 -p icmp -j DROP
## allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
## enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
7.2 ipchains type firewall:
7.2.1 ipchains concept:
ipchains is used to install, maintain, and inspect the firewall rules of the Linux kernel. Rules fall into four categories: the IP input chain, the IP output chain, the IP forward chain, and user-defined chains.
A firewall rule specifies the criteria a packet must meet and a target. When a packet comes in, the kernel uses the input chain to decide its fate. If it passes, the kernel decides where the packet should be sent next (this step is called routing). If it is to be sent to another machine, the kernel uses the forward chain. When a packet matches a rule it is handed to the rule's target, which can be a user-defined chain or one of the specific values ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN.
ACCEPT means the packet is allowed through; DENY discards the packet as if it had never been received; REJECT also discards the packet, but (if it is not an ICMP packet) generates an ICMP reply telling the sender that the destination is unreachable (note that DENY and REJECT behave the same for ICMP packets).
MASQ tells the kernel to masquerade the packet. It only works on the forward chain and user-defined chains, and for it to take effect IP masquerading must be enabled when the kernel is compiled.
REDIRECT only works on the input chain and user-defined chains. It tells the kernel to deliver the packet to a local port instead of wherever it was originally addressed. Only the TCP and UDP protocols can use this target. Giving a port (name or number) with "-j REDIRECT" makes packets arriving here be redirected to that particular port, even if they were addressed to another port. For it to work, CONFIG_IP_TRANSPARENT_PROXY must be enabled when the kernel is compiled.
The last target value, RETURN, skips all the rules below it to the end of the chain.
Any other target specification denotes a user-defined chain. The packet will pass through that chain; if that chain does not decide the packet's fate, traversal of that chain ends and the packet continues with the next rule of the current chain.
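To make the chain, target, policy and user-defined-chain semantics described in 7.1.1 and 7.2.1 concrete, here is an added Python model (not code from the article, from iptables or from ipchains). It walks ordered rules in named chains, jumps into a user-defined chain and falls back to the caller when that chain reaches RETURN or its end, and applies the built-in chain's policy when no rule matches. The rule set it builds mirrors the INPUT chain of instance 1 plus a bad_packets chain like the one sketched in instance 2; the Packet, Rule and Table classes and the sample packets are this example's own assumptions.

```python
"""Model of chain/target/policy evaluation as described in sections 7.1.1
and 7.2.1. Added example; not code from the article, iptables or ipchains.
Rules match only on protocol, source network, dport, state and interface."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dport: Optional[int] = None
    state: str = "NEW"          # NEW, ESTABLISHED, RELATED or INVALID
    in_iface: str = "eth0"


@dataclass
class Rule:
    target: str                         # ACCEPT/DROP/REJECT/RETURN or a user chain
    proto: Optional[str] = None
    src: Optional[str] = None           # CIDR, e.g. "172.18.10.0/24"
    dport: Optional[int] = None
    state: Optional[Set[str]] = None
    in_iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Unset fields match anything; every set field must match."""
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dport is None or self.dport == p.dport)
                and (self.state is None or p.state in self.state)
                and (self.in_iface is None or self.in_iface == p.in_iface))


class Table:
    """Named chains of ordered rules; built-in chains carry a policy."""

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.policy: Dict[str, str] = {}

    def new_chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = []
        if policy is not None:
            self.policy[name] = policy

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def evaluate(self, chain: str, p: Packet, depth: int = 0) -> Optional[str]:
        """Walk the chain in order: a terminal verdict, else the chain's policy.
        User chains have no policy, so they return None and the caller goes on."""
        if depth > 16:
            raise RuntimeError("chain jump too deep (loop?)")
        for rule in self.chains[chain]:
            if not rule.matches(p):
                continue
            if rule.target in {"ACCEPT", "DROP", "REJECT"}:
                return rule.target
            if rule.target == "RETURN":
                break                      # stop here; policy or caller decides
            verdict = self.evaluate(rule.target, p, depth + 1)   # jump
            if verdict is not None:
                return verdict             # the user chain decided
        return self.policy.get(chain)


def build_input_table() -> Table:
    """INPUT chain modelled on instance 1, preceded by a bad_packets user
    chain as sketched in instance 2 (layout assumed for this example)."""
    t = Table()
    t.new_chain("INPUT", policy="DROP")
    t.new_chain("bad_packets")                                  # user-defined
    t.append("bad_packets", Rule("DROP", state={"INVALID"}))
    t.append("bad_packets", Rule("RETURN"))                     # back to INPUT
    t.append("INPUT", Rule("bad_packets"))                      # -j bad_packets
    t.append("INPUT", Rule("ACCEPT", in_iface="lo"))
    for port in (80, 22, 25, 1352):
        t.append("INPUT", Rule("ACCEPT", proto="tcp", dport=port))
    t.append("INPUT", Rule("ACCEPT", proto="udp", dport=53))
    t.append("INPUT", Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))
    return t


def demo() -> Dict[str, Optional[str]]:
    """Constructed sample packets and the verdict each one receives."""
    t = build_input_table()
    cases = {
        "new ssh from lan": Packet("tcp", "10.0.0.5", 22),
        "new tcp 8080": Packet("tcp", "203.0.113.9", 8080),
        "dns query": Packet("udp", "10.0.0.5", 53),
        "reply to our own connection": Packet("tcp", "203.0.113.9", 40000, state="ESTABLISHED"),
        "invalid ssh segment": Packet("tcp", "10.0.0.5", 22, state="INVALID"),
        "local 8080 over lo": Packet("tcp", "127.0.0.1", 8080, in_iface="lo"),
    }
    return {name: t.evaluate("INPUT", p) for name, p in cases.items()}
```

The "invalid ssh segment" case shows why the bad_packets jump sits first: the user chain decides DROP before the port-22 accept rule is ever reached, whereas a valid new SSH segment passes through RETURN, comes back to INPUT and is accepted. The unmatched "new tcp 8080" packet falls through to the INPUT policy, which is DROP, exactly as the default-target description in 7.1.1 says.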
7.2.2 ipchains instance:
## clear the input rules and change the default policy of the input chain to REJECT
-F input
-P input REJECT
## the following are the allowed ports on the input chain: tcp 80, 81, 22 and udp 123
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 81 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
## apart from the allowed input rules above, reject tcp and udp ports 0-1023, 2049, 6000-6009 and 7100
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
## allow all packets arriving on the machine's own network interfaces to pass
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
## clear the output rules and change the default policy of the output chain to ACCEPT
-F output
-P output ACCEPT
## clear the forward rules, change the default policy of the forward chain to DENY, and allow packets from the 10.10.11.0/24 address range to be forwarded and masqueraded
-F forward
-P forward DENY
-A forward -s 10.10.11.0/24 -j MASQ
After reading this, the article "what are the knowledge points of Linux server security configuration" has been introduced. If you want to master the knowledge points of this article, you still need to practice and use it before you can understand it. If you want to know more about related articles, you are welcome to follow the industry information channel.