2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many inexperienced administrators are unsure how to configure a secure SCO UNIX network system. This article summarizes the causes of the problem and its solutions; I hope it helps you solve it.
Configuring Secure SCO UNIX Network Systems
The security of a network system depends to a large extent on the skill of its administrators and on the strength of the security measures they take. Security should be given a prominent place while the system is being configured.
SCO Unix, a mature commercial network operating system, is widely used in finance, insurance, and post and telecommunications. It has rich built-in network functions and good stability and security. However, if the Unix system is not set up correctly, it gives intruders an opening. Network security management therefore needs not only the necessary security equipment, such as firewalls, but also reasonable planning and configuration at the operating system level, to avoid risks to the application system caused by management loopholes.
Here, SCO Unix OpenServer V5.0.5 is used as an example to offer some views on network security settings at the operating system level, for your reference.
Reasonable setting of system security level
SCO Unix provides four security levels: Low, Traditional, Improved, and High. The system default is Traditional; Improved meets the Department of Defense's C2 security standard, and High is higher than C2. Users can set the system security level according to the importance of their own system and the number of users. The setting steps are: scoadmin→system→security→security profile manager.
Reasonable setting of users
When creating a user, be sure to consider which group the user belongs to, and do not simply accept the system's default group. If necessary, add a user group and decide which users belong to it. Under the user's home directory, the permissions of newly created files are determined by the umask value in the user's configuration file .profile. The value of umask depends on the system security level; at the Traditional security level it is 022, which gives the following permissions:
File permissions: -rw-r--r--
Directory permissions: drwxr-xr-x
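The following script, added here as an example (not from the article), derives the permissions a new file or directory receives under a given umask, generalising the umask 022 case above to any umask value; it uses only POSIX sh, no SCO-specific commands.

```shell
# Added example (not from the article): derive the permissions a new file or
# directory receives under a given umask, generalising the umask 022 case
# above to any umask. POSIX sh; no SCO-specific commands are used.

# mode_from_umask UMASK file|dir -> ls-style string such as -rw-r--r--
mode_from_umask() {
    m=$1
    if [ "$2" = dir ]; then
        mode=$(( 0777 & ~0$m )); out=d    # directories start from 0777
    else
        mode=$(( 0666 & ~0$m )); out=-    # files start from 0666 (no x bits)
    fi                                    # "0$m" forces octal interpretation
    for s in 6 3 0; do                    # owner, group, other triplets
        bits=$(( (mode >> s) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# umask_is_restrictive UMASK -> success when group and other can never get
# write access to newly created files; 022 (Traditional level) qualifies
umask_is_restrictive() {
    [ $(( 0$1 & 022 )) -eq 18 ]           # 022 octal is 18 decimal
}

for u in 022 002 077 000; do
    if umask_is_restrictive "$u"; then note=ok; else note=WEAK; fi
    printf 'umask %s: file %s  dir %s  [%s]\n' "$u" \
        "$(mode_from_umask "$u" file)" "$(mode_from_umask "$u" dir)" "$note"
done
```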
In addition, limit the number of unsuccessful logins to stop intruders from trying to log in by guessing a user's password. The steps to set a login limit for an account are: Scoadmin--> Account Manager--> select the account--> User--> Login Controls--> set a new number of unsuccessful logins.
Specify limits for console and terminal logins
If you want root to log in only on one terminal (or virtual screen), specify the console; for example, allow root to log in only on the first screen of the host, tty01, so that root cannot be attacked remotely from the network. This is done by adding a line to the /etc/default/login file:
CONSOLE=/dev/tty01
Note: the setting takes effect immediately on a running host; there is no need to restart the host.
If your terminals connect to the Unix host through modem asynchronous dial-up or long-line-driven asynchronous serial ports, consider setting a limit on the number of unsuccessful logins per terminal; once the limit is exceeded, the terminal is locked. The setting method is: scoadmin→System→Terminal Manager→Examine→select the terminal, then set the number of unsuccessful login attempts allowed. A locked terminal can be unlocked with ttyunlock.
File and directory permissions management
For convenience, we sometimes set directory and file permissions to 777 or 666, but this makes attacks easy. Permissions for applications, data and their directories must therefore be assigned carefully. Where directory or file permissions are found to be inappropriate, correct them promptly with the chmod command.
Password protected settings
Passwords should generally be at least 8 characters and be an irregular mix of upper- and lower-case letters, digits and symbols; never use English words or phrases as passwords, and get into the habit of changing every user's password regularly. By editing the /etc/default/passwd file you can enforce the minimum password length and the minimum and maximum time between password changes. Password protection also means protecting the /etc/passwd and /etc/shadow files, which must be accessible only to system administrators.
Reasonable setting of equivalent host
Setting up equivalent hosts is convenient for users, but unauthorized access to the system must be prevented, so three files have to be managed: /etc/hosts.equiv, .rhosts and .netrc. /etc/hosts.equiv lists the host names allowed to execute remote commands such as rsh and rcp; .rhosts, in the user's home directory, names the remote users who may run rcp, rlogin and rsh under the local user account without providing a password; .netrc, also placed in the user's home directory, supplies the information the ftp and rexec commands need to connect to a host automatically without a password being typed. Because all three files allow commands to access the host without a password, their contents must be restricted. Avoid "+ +" in .rhosts, because it lets users on any host execute rcp, rlogin and rsh without providing a password.
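As an added example (not part of the article), the script below audits the three trust files just described for the settings the section warns about: wildcard "+" entries in hosts.equiv and .rhosts, a stored password in .netrc, and any of the files being writable by group or other. The sample files are constructed in a temporary directory; host and user names in them are made up.

```shell
# Added example (not from the article): audit the three trust files named
# above for the settings it warns about. Findings go to stderr, the number
# of findings to stdout. The sample files are constructed below.

# audit_trust_file FILE -> prints the number of findings for FILE
audit_trust_file() {
    f=$1; count=0
    [ -f "$f" ] || { echo 0; return 0; }
    perms=$(ls -ld "$f" | cut -c1-10)       # group/other write bit = pos 6/9
    if [ "$(echo "$perms" | cut -c6)" = w ] || [ "$(echo "$perms" | cut -c9)" = w ]; then
        echo "$f: writable by group or other ($perms)" >&2; count=$((count + 1))
    fi
    case $f in
    *.netrc)   # a stored password gives any reader password-less ftp/rexec
        if awk '{ for (i = 1; i <= NF; i++) if ($i == "password") ok = 1 }
                END { exit !ok }' "$f"; then
            echo "$f: contains a stored password" >&2; count=$((count + 1))
        fi ;;
    *)         # "+" as host or user in hosts.equiv/.rhosts trusts everyone
        while read host user rest; do
            case $host in ''|'#'*) continue ;; esac
            if [ "$host" = "+" ] || [ "$user" = "+" ]; then
                echo "$f: wildcard trust entry '$host $user'" >&2; count=$((count + 1))
            fi
        done < "$f" ;;
    esac
    echo "$count"
}

# make_samples -> writes constructed sample files to a temp dir, prints its path
make_samples() {
    dir=${TMPDIR:-/tmp}/trust-audit.$$; mkdir -p "$dir"
    printf 'fileserver\n+\n' > "$dir/hosts.equiv"; chmod 644 "$dir/hosts.equiv"
    printf '+ +\nfileserver oper\n' > "$dir/.rhosts"; chmod 666 "$dir/.rhosts"
    printf 'machine fileserver login oper password x\n' > "$dir/.netrc"
    chmod 600 "$dir/.netrc"
    echo "$dir"
}

# audit_dir DIR -> total findings across the three files in DIR
audit_dir() {
    total=0
    for name in hosts.equiv .rhosts .netrc; do
        n=$(audit_trust_file "$1/$name"); total=$((total + n))
    done
    echo "$total"
}
d=$(make_samples); echo "findings: $(audit_dir "$d")"; rm -rf "$d"   # 4
```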
/etc/inetd.conf file
At boot, a Unix system starts the inetd process, which listens for most network connections and starts the corresponding server on request; ftp, telnet, rcmd, rlogin and finger are all started by inetd. From a system security perspective, the /etc/inetd.conf file should therefore be set up carefully, turning off unnecessary services. This is done by inserting a "#" at the beginning of the relevant line in the file and then running the following commands so that the change takes effect immediately:
# ps -ef | grep inetd | grep -v grep
# kill -HUP <inetd-PID>
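The script below is an added example (not from the article) of the edit just described: it comments out a list of services in a copy of inetd.conf and reports what is still enabled. The configuration lines are a constructed sample, not a real SCO inetd.conf; "shell" and "login" are inetd's service names for rsh and rlogin.

```shell
# Added example (not from the article): comment out unneeded services in a
# copy of /etc/inetd.conf as the section describes, then list what is still
# enabled. The configuration lines below are a constructed sample.

# disable_services FILE SERVICE... -> prefix the matching lines with "#"
disable_services() {
    f=$1; shift
    awk -v svcs="$*" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }   # comments and blanks unchanged
        ($1 in off)           { print "#" $0; next }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# enabled_services FILE -> space-separated names of lines not commented out
enabled_services() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         { printf "%s%s", (n++ ? " " : ""), $1 }
         END { print "" }' "$1"
}

# reload_inetd: the two commands from the article, so the edited file takes
# effect on a live system; deliberately not called in this demonstration
reload_inetd() {
    pid=$(ps -ef | grep inetd | grep -v grep | awk '{ print $2 }')
    [ -n "$pid" ] && kill -HUP $pid
}

# make_sample_conf -> writes a constructed inetd.conf, prints its path
make_sample_conf() {
    f=${TMPDIR:-/tmp}/inetd.conf.$$
    printf '%s\n' \
        '# constructed sample, not a real SCO inetd.conf' \
        'ftp     stream  tcp  nowait  root   /etc/ftpd      ftpd' \
        'telnet  stream  tcp  nowait  root   /etc/telnetd   telnetd' \
        'shell   stream  tcp  nowait  root   /etc/rshd      rshd' \
        'login   stream  tcp  nowait  root   /etc/rlogind   rlogind' \
        'finger  stream  tcp  nowait  nobody /etc/fingerd   fingerd' \
        'comsat  dgram   udp  wait    root   /etc/comsat    comsat' > "$f"
    echo "$f"
}

c=$(make_sample_conf)
disable_services "$c" shell login finger comsat
echo "still enabled: $(enabled_services "$c")"   # ftp telnet
rm -f "$c"
```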
/etc/ftpusers file
The /etc/ftpusers file controls which users may transfer files with the FTP protocol. To prevent untrusted users from transferring sensitive files, this file must be planned properly. In systems with high security requirements, ftp access for root and uucp is not allowed, and both can be listed in /etc/ftpusers.
Reasonable setting of network segment and routing
When setting the IP addresses of TCP/IP hosts, choose subnet masks carefully so that IP addresses that must not be reached are isolated. Setting a default route is strictly forbidden; it is recommended that you set up a route for each subnet or segment instead, otherwise other machines may find a way to reach the host.
Do not set UUCP
UUCP offers dial-up users a simple and economical way to connect to the network, but it also offers hackers a way in, so do not use it for network interconnection.
Remove unused packages and protocols
In system planning, the general principle is to remove every function that is not needed. For example, remove X Window through scoadmin--> Software Manager, and remove UUCP, SNMP, POP, POP2, POP3 and other protocols by editing the /etc/services file.
Correctly configure .profile files
The .profile file sets up the user's login program and environment variables. To prevent an ordinary user from dropping to a shell prompt ($) by interrupting the login program, the system administrator must disable keyboard interrupts. To do this, add the following line at the top of .profile:
trap '' 0 1 2 3 5 15
Create anonymous ftp
If you need to publish information but are worried about data security, you can create anonymous ftp, which lets any user access files or subdirectories under a specified directory via ftp without a password. It poses no threat to the security of the local system, because the anonymous user cannot leave that directory and cannot obtain other information on the local system. Be careful not to copy /etc/passwd and /etc/prop into the etc directory of the anonymous ftp tree, as this is a potential security threat.
Separation of application users and maintenance users
Unix application users are end users who perform fixed tasks in a specific application system. They generally do not run system commands from a shell: their application is started from .profile, and when the application ends they are returned to the login prompt. During maintenance it is inconvenient to use su from root to enter such an application user. This can be solved by modifying .profile and creating a second user with the same user id. For example, the application user work has a companion user worksh with the same id and the same home directory, and the end of work's .profile reads:
set -- `who am i`
case $1 in
    work)   exec workmain; exit ;;
    worksh) ;;
esac
(`who am i` reports the name typed at login, not the uid, which is why the two names sharing one id can be told apart.) This way, logging in as work runs the workmain program, while logging in as worksh drops into work's shell prompt.
After reading the above, you should know how to configure a secure SCO UNIX network system.