
How to encrypt Linux system server

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains in detail how to encrypt services on a Linux server using secWall together with a Windows proxy. The editor shares it here for reference, and hopefully you will have a good understanding of the relevant setup after reading it.

The secWall-based encryption system cannot encrypt a port on Linux directly. When building a security scheme for Linux, the usual approach is to set up a proxy server: the Linux service port is proxied on the proxy server, and the encryption settings are applied to the proxy server.

The network architecture is as follows (the proxy sits between the office network and the Linux server, as described in the ssh section below):

I. ssh service

1. Set up port forwarding for port 22 with netsh

The IP address of our Linux server is 172.16.1.100. The Windows proxy has two network cards: the one connected to the office network has IP 192.168.1.141, and the one connected to the Linux server has IP 172.16.1.115. Set port forwarding via netsh:

C:\> netsh interface portproxy add v4tov4 listenport=22 listenaddress=192.168.1.141 connectport=22 connectaddress=172.16.1.100

Port 22 is the ssh service port.

Once forwarding is set, a user who accesses port 22 on 192.168.1.141 is automatically forwarded to the 172.16.1.100 machine.

2. Set connection secret and port encryption

On the client, the proxy server is set as a trusted security zone to ensure normal communication between the client and the server. Check the "connection secret" option to mark the ssh service as secret; data obtained from this service is then encrypted automatically (the "landing encryption" effect).

To prevent users who do not have the encryption client from connecting directly to the server and retrieving confidential data, port encryption also needs to be set on the server side.

Create a separate encrypted server user for the server, double-click the server user to open its advanced settings, and under remote management set port 22 as the encrypted port.

After the setup is completed, the server must log in as the server user for encryption to take effect. Clients that are not logged in to the encryption system normally will then be unable to access the server through ssh.

II. svn service

1. Set up port forwarding with netsh

Refer to the article "Using secWall Port Encryption to Control svn Services Forwarded by IP Helper" for the settings needed to forward the svn service through IP Helper.

2. Port encryption and client data automatic encryption

Follow the ssh service settings above, replacing the ssh port number with the service port number of svn.

3. Set the specified browser to a secret browser

Some users access svn through a browser. By default the browser is isolated and cannot access svn normally once svn is encrypted, so the designated browser needs to be set as a secret browser.

Example: the customer designates IE as the dedicated browser for accessing svn, while the Chrome browser continues to access the external network normally.

The steps are as follows:

Enter the centralized control service manager, select "File" → "Edit Security Policy" → "Global Policy" → "Network Application process" → "browser", find the IE process "iexplore.exe", delete it and click OK.

After the setting is completed, IE is treated as connected by default, and users can use it to access the svn server directly.

III. ftp/sftp service

Passive FTP cannot be forwarded through a simple proxy. If you use an FTP service, it is recommended to move the FTP service itself onto the proxy server.

1. Set connection secret and port encryption

Set trusted security zones and port encryption in the same way as ssh.

Note also that since most FTP transfers use dynamic ports for data (passive FTP), you also need to check the "passive connection" option when setting the trusted security zone. A passive connection means that, once a connection has been established on the primary port, dynamic-port connections to the same destination are allowed.

IV. Samba service

1. Set up port forwarding with netsh

C:\> netsh interface portproxy add v4tov4 listenport=139 listenaddress=192.168.1.141 connectport=139 connectaddress=172.16.1.100

Port 139 is the port of the Samba service on Linux.

Note that if you want to proxy port 139, you must first turn off the proxy server's own File and Printer Sharing service and also disable NetBIOS, so that local port 139 is not already occupied.
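The forwarding rules in sections I and IV, plus the port-139 caveat above, can be applied and checked in one pass on the Windows proxy. The following PowerShell script is an added example written for this page, not part of the original article or the secWall product: it uses the article's addresses (192.168.1.141 for the proxy's office-side card, 172.16.1.100 for the Linux server), assumes 3690 as the svn port (the article does not state it), checks that the IP Helper service behind portproxy is running, refuses to add a rule when something on the proxy already listens on that port, and finally lists the configured rules and tests reachability of the backend.

```powershell
# Added example, not from the original article. Run in an elevated
# PowerShell on the Windows proxy host. Addresses follow the article;
# the svn port 3690 is an assumption.

$ListenAddress  = '192.168.1.141'   # proxy NIC facing the office network
$ConnectAddress = '172.16.1.100'    # Linux server behind the proxy
$Rules = @(
    @{ Name = 'ssh';   Port = 22   }
    @{ Name = 'svn';   Port = 3690 }   # assumed svnserve default port
    @{ Name = 'samba'; Port = 139  }
)

# portproxy is implemented by the IP Helper service (iphlpsvc); the rules
# are accepted but forward nothing if the service is stopped.
$ipHelper = Get-Service -Name iphlpsvc
if ($ipHelper.Status -ne 'Running') {
    Write-Warning "IP Helper (iphlpsvc) is $($ipHelper.Status); portproxy rules will not forward traffic."
}

foreach ($rule in $Rules) {
    # The article's caveat for port 139 (File and Printer Sharing / NetBIOS
    # on the proxy itself) is really a general one: a listener already bound
    # to the port on this address wins over the portproxy rule, so check
    # every port, not only 139.
    $busy = Get-NetTCPConnection -LocalPort $rule.Port -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $_.LocalAddress -in @('0.0.0.0', $ListenAddress) }
    if ($busy) {
        $owner = (Get-Process -Id $busy[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Warning "Port $($rule.Port) ($($rule.Name)) is already bound locally by '$owner'; skipping. Free it first."
        continue
    }

    netsh interface portproxy add v4tov4 `
        listenport=$($rule.Port) listenaddress=$ListenAddress `
        connectport=$($rule.Port) connectaddress=$ConnectAddress | Out-Null
    Write-Host "Forwarding ${ListenAddress}:$($rule.Port) -> ${ConnectAddress}:$($rule.Port) ($($rule.Name))"
}

# Show what is actually configured and compare it with the rules you meant
# to add; any entry you do not recognise here deserves investigation, since
# portproxy is a convenient place for unwanted forwarders to linger.
netsh interface portproxy show v4tov4

# End-to-end check from the proxy: is the backend reachable on each port?
foreach ($rule in $Rules) {
    $t = Test-NetConnection -ComputerName $ConnectAddress -Port $rule.Port -WarningAction SilentlyContinue
    "{0,-6} {1}:{2} reachable from proxy: {3}" -f $rule.Name, $ConnectAddress, $rule.Port, $t.TcpTestSucceeded
}
```

The listener check filters on both 0.0.0.0 and the listen address because NetBIOS session service binds per interface while other services may bind all addresses; either one would shadow the forwarder. Removing a rule later is `netsh interface portproxy delete v4tov4 listenport=<port> listenaddress=192.168.1.141`.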

Unlike the other services, the Samba service does not require a trusted security zone or port encryption to be configured; the client can encrypt files on the server directly.

If the user needs to automatically decrypt the files uploaded to the server, the file system security zone needs to be set in the policy.

In the policy editor, select "File System Security Zone", click the "Add" button, enter the shared folder path, and click OK.

The file system security zone should be used together with port encryption: set the Samba port on the proxy server as a secret port so that unauthorized clients cannot access the Samba service directly.

That concludes this overview of how to encrypt a Linux system server. I hope the content above is helpful to everyone and that you can learn something from it. If you found the article useful, please share it so more people can see it.