2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail how to enhance the security of Linux and Unix servers. The editor thinks it is very practical and shares it here as a reference. I hope you get something out of reading it.
Network security is a very important topic, and the server is the most important link in network security. Linux is considered to be a relatively secure Internet server: because it is an open source operating system, once a security vulnerability is found in Linux, volunteers from all over the world actively fix it. However, system maintainers are often unable to get this information and apply the corrections in a timely manner, which gives attackers an opportunity. Compared with the security vulnerabilities of the systems themselves, though, more security problems are caused by improper configuration, and these can be prevented by appropriate configuration. The more services running on the server, the more opportunities there are for improper configuration, and the greater the likelihood of security problems.
As we all know, network security is a very important topic, and Linux and Unix are the most widely used operating systems running on servers. This article describes some appropriate configurations that prevent some security problems and enhance the security of a Linux/Unix server system.
I. System security log files
The log files kept by the operating system are an important clue for detecting whether a network intrusion has taken place. If your system is directly connected to the Internet and you find that many people are trying to log in to your system with Telnet/FTP, you can run "# more /var/log/secure | grep refused" to check for attacks on your system so that you can take appropriate countermeasures, such as replacing Telnet/rlogin with SSH.
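The check above, extended into a per-source summary. This is an added example, not part of the original article; it assumes the "refused connect from" message format written by tcpd, and the log lines are constructed.

```shell
#!/bin/sh
# Added example. Summarise tcpd "refused connect" entries by daemon and source.

refused_summary() {
    # $1 = log file (for example /var/log/secure).
    # Prints "count daemon source", most frequent first.
    grep 'refused connect from' "$1" |
    awk '{
        daemon = $5
        sub(/\[.*/, "", daemon)     # "in.telnetd[812]:" -> "in.telnetd"
        print daemon, $NF           # last field is the refused source
    }' |
    sort | uniq -c | sort -k1,1nr -k2 |
    awk '{ print $1, $2, $3 }'      # normalise the padding added by uniq
}

# Constructed sample log lines (addresses from documentation ranges).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Jun  1 10:15:02 web1 in.telnetd[812]: refused connect from 203.0.113.5
Jun  1 10:15:09 web1 in.telnetd[815]: refused connect from 203.0.113.5
Jun  1 10:16:40 web1 in.ftpd[820]: refused connect from 198.51.100.7
Jun  1 10:17:01 web1 sshd[833]: Accepted password for admin from 192.168.1.10 port 40022 ssh2
Jun  1 10:18:12 web1 in.telnetd[840]: refused connect from 203.0.113.5
EOF

refused_summary "$sample"
rm -f "$sample"
```

A source that appears many times against Telnet or FTP is the kind of activity the paragraph above suggests answering by moving to SSH.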
II. Startup and login security
1. BIOS security
Set the BIOS password and change the boot order to prevent the system from booting from the floppy disk.
2. User password
The user password is a basic starting point of Linux security. The passwords many people use are too simple, which is tantamount to opening the door to an intruder. In theory, given enough time and resources, there is no user password that cannot be cracked, but a properly chosen password is difficult to crack. A good user password is a string of characters that only the user can easily remember and understand, and it should never be written down anywhere.
3. Default account number
All default and unnecessary accounts created by the operating system itself should be disabled, and you should do this when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is.
You can delete an account with the following command.
# userdel username
Or delete a group with the following command.
# groupdel username
4. Password file
Use the chattr command to add the immutable attribute to the following files to prevent unauthorized users from gaining permissions.
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
5. Disable restarting the machine with Ctrl+Alt+Delete
Modify the /etc/inittab file to comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions for all files in the /etc/rc.d/init.d/ directory by running the following command:
# chmod -R 700 /etc/rc.d/init.d/*
This leaves only root able to read, write, or execute all of the above script files.
6. Restrict the su command
If you don't want just anyone to be able to su to root, you can edit the /etc/pam.d/su file and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
At this point, only users of the isd group can su to root. After that, if you want the user admin to be able to su to root, you can run the following command, which adds admin to the group with GID 10 (this assumes isd is that group):
# usermod -G10 admin
7. Delete login information
By default, login prompts include the Linux release, kernel version name, server hostname, and so on. This leaks too much information for a machine with high security requirements. You can edit /etc/rc.d/rc.local and comment out the lines that output system information, as follows.
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
Then, run the following commands:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
III. Restrictions on network access
1. NFS access
If you are using the NFS network file system service, you should ensure that your /etc/exports has the strictest access settings, which means that you do not use any wildcards, do not allow root write permissions, and only allow mounting as a read-only file system. Edit the file /etc/exports and add the following two lines.
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine that accesses this directory, ro means that it is mounted as a read-only file system, and root_squash forbids root from writing to this directory. For the changes to take effect, run the following command.
# /usr/sbin/exportfs -a
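One way to check an exports file against the rules above (no wildcards, read-only, root squashed), as an added example that is not part of the original article. It also flags a space between the host name and the option list, which makes the options apply to every client instead of that host. The sample file and the /srv/share path are constructed.

```shell
#!/bin/sh
# Added example. Flag /etc/exports entries looser than "host(ro,root_squash)".

audit_exports() {
    # $1 = exports file. Prints one finding per line; returns 1 if any.
    awk '
    function report(msg) { printf "line %d: %s: %s\n", NR, path, msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            host = (p > 0) ? substr($i, 1, p - 1) : $i
            opts = (p > 0) ? substr($i, p) : ""
            if (host == "") {
                # "host (opts)": the options apply to every client instead
                host = "every host"
                report("options " opts " are detached from a host name")
            } else if (host ~ /[*?]/) {
                report("wildcard client " host)
            }
            if (opts ~ /[(,]rw[,)]/)
                report(host " may write (rw)")
            if (opts ~ /[(,]no_root_squash[,)]/)
                report(host " keeps root privileges (no_root_squash)")
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file; /srv/share is a hypothetical path.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com (ro,root_squash)
/srv/share *.mydomain.com(rw,no_root_squash)
EOF

audit_exports "$sample" || echo "exports file needs attention"
rm -f "$sample"
```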
2. Inetd settings
The first step is to verify that the owner of /etc/inetd.conf is root and that the file permissions are set to 600. After the setup is complete, you can use the "stat" command to check.
# chmod 600 /etc/inetd.conf
Then edit /etc/inetd.conf to disable the following services.
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have ssh/scp installed, you can also disable Telnet/FTP. For the changes to take effect, run the following command:
# killall -HUP inetd
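A check for both inetd steps above, as an added example that is not part of the original article: it lists which of the services named above are still enabled and tests the owner and mode of the file. The sample inetd.conf content is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Audit inetd.conf for the services listed in the article.

RISKY="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

inetd_enabled_risky() {
    # $1 = inetd.conf path. Prints each listed service that is still enabled.
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                 # commented-out lines are disabled
    ($1 in want) && !seen[$1]++ { print $1 }
    ' "$1"
}

inetd_conf_perms_ok() {
    # $1 = file, $2 = expected owner (default root). True only for mode 600.
    want_owner=${2:-root}
    set -- $(ls -ld "$1")                   # $1 = mode string, $3 = owner
    case $1 in -rw-------*) ;; *) return 1 ;; esac
    [ "$3" = "$want_owner" ]
}

# Constructed sample inetd.conf content.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    stream  tcp  nowait  root    internal
EOF

inetd_enabled_risky "$sample"
inetd_conf_perms_ok "$sample" || echo "owner or mode is not root/600"
rm -f "$sample"
```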
By default, most Linux systems allow all requests, but it is easy to use TCP_WRAPPERS to enhance system security: you can modify /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to "ALL: ALL" denies all access by default. Then add the allowed access to the /etc/hosts.allow file. For example, "sshd: 192.168.1.10 gate.openarch.com 255.255.255.0" means that the IP address 192.168.1.10 and the hostname gate.openarch.com are allowed to connect through SSH.
After the configuration is complete, you can check it with tcpdchk:
# tcpdchk
tcpdchk is a TCP_Wrapper configuration check tool that checks your TCP wrapper configuration and reports any potential or existing problems found.
3. Login terminal settings
The /etc/securetty file specifies the tty devices on which root is allowed to log in. It is read by the /bin/login program, and its format is a list of allowed names. You can edit /etc/securetty and comment out all lines except tty1, as follows.
tty1
# tty2
# tty3
# tty4
# tty5
# tty6
At this point, root can only log in at the tty1 terminal.
4. Avoid displaying system and version information.
If you do not want remotely logged-in users to see the system and version information, you can change the telnet line in the /etc/inetd.conf file as follows:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding -h means that telnet does not display system information, but only "login:".
IV. Prevent attacks
1. Block ping
If no one can ping your system, security will naturally increase. To do this, add the following line to the /etc/rc.d/rc.local file:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
Edit the host.conf file and add the following lines to prevent IP spoofing attacks.
order bind,hosts
multi off
nospoof on
3. Prevent DoS attacks
Setting resource limits on all users of the system, such as the maximum number of processes and memory usage, can prevent DoS-type attacks. For example, you can add the following lines to /etc/security/limits.conf:
* hard core 0
* hard rss 5000
* hard nproc 20
Then you must edit the /etc/pam.d/login file and check that the following line exists.
session required /lib/security/pam_limits.so
The above settings disable core dump files, limit the number of processes to 50, and limit memory usage to 5MB.
With the above settings, your Linux server is immune to most known security problems and network attacks, but a good system administrator should always pay attention to network security developments and fix exposed and potential security vulnerabilities at any time.
This is the end of the article on "how to enhance the security of Linux and Unix servers". I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, please share it for more people to see.