2025-04-06 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/01 Report
This article walks through a set of Linux system security configuration examples. It is fairly detailed and has some reference value, so interested readers are encouraged to read it.
1. Add a boot password for LILO
Add options to the /etc/lilo.conf file so that LILO requires a password at boot, which strengthens the security of the system. The specific settings are as follows:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=60          # wait 1 minute for prompt
default=linux
password=            # password setting
image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only
Note that because the password is stored in plain text in lilo.conf, you also need to set the file permissions so that only root can read and write it:
# chmod 600 /etc/lilo.conf
Of course, you also need to run the following for the lilo.conf changes to take effect:
# /sbin/lilo -v
2. Set the minimum password length and minimum use time
The password is the main means of authenticating users to the system. The default minimum password length is usually 5 when the system is installed, but to make passwords harder to guess or attack, the minimum length should be raised to at least 8. To do this, modify the PASS_MIN_LEN parameter in the file /etc/login.defs. The use time of passwords should also be limited so that they are changed regularly; the page's author points to the PASS_MIN_DAYS parameter for this (PASS_MIN_DAYS sets the minimum number of days between changes; the maximum lifetime that forces a regular change is PASS_MAX_DAYS in the same file).
3. User timeout logout
If a user forgets to log out before leaving, it can endanger the security of the system. The /etc/profile file can be modified so that the account is logged out automatically after a period of inactivity.
Edit the file /etc/profile and add the following line directly after the "HISTFILESIZE=" line:
TMOUT=600
All users will then be logged out automatically after 10 minutes of inactivity.
4. Prohibit access to important files
The attributes of some key files in the system, such as inetd.conf, services and lilo.conf, can be modified to prevent accidental modification or viewing by ordinary users.
First, change the file mode to 600:
# chmod 600 /etc/inetd.conf
Make sure the owner of the file is root, and then you can also mark it immutable:
# chattr +i /etc/inetd.conf
In this way, any change to the file is prohibited.
Changes can only be made after root removes the immutable flag:
# chattr -i /etc/inetd.conf
5. Allow and disable remote access
In Linux, you can allow and deny remote hosts access to local services through the files /etc/hosts.allow and /etc/hosts.deny. The usual practice is:
(1) Edit the hosts.deny file and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL
All services are denied to all external hosts unless they are explicitly permitted by the hosts.allow file.
(2) Edit the hosts.allow file and add lines such as the following:
# Just an example:
ftp: 202.84.17.11 xinhuanet.com
The machine with IP address 202.84.17.11 and hostname xinhuanet.com will be allowed to access the FTP service as a client.
(3) After the settings are complete, you can use tcpdchk to check whether they are correct.
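To see how tcpd evaluates the two files above, here is a simplified model of its lookup order as an added example (not the page's own code and not tcpd itself): hosts.allow is consulted first, then hosts.deny, and a client matching neither is granted access. It writes the two example files from the text into a temporary directory and only models the rule forms they use (ALL, ALL@ALL, a daemon name, and an exact IP address or host name).

```shell
#!/bin/sh
# Simplified tcpd access-control model (added example, not the real tcpd).
WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT

# The two files from the text, written to a temporary directory (constructed input)
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# Deny access to everyone.
ALL: ALL@ALL
EOF
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# Just an example:
ftp: 202.84.17.11 xinhuanet.com
EOF

# match_rule FILE SERVICE CLIENT: returns 0 if a "daemons: clients" line matches.
# Comments and blank lines are skipped; only the forms used above are modelled.
match_rule() {
  file=$1 service=$2 client=$3
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|\#*) continue ;; esac
    daemons=${line%%:*}
    rest=${line#*:}
    clients=${rest%%:*}
    for d in $daemons; do
      [ "$d" = ALL ] || [ "$d" = "$service" ] || continue
      for c in $clients; do
        case $c in
          ALL|ALL@ALL) return 0 ;;   # wildcard client list
          "$client")   return 0 ;;   # exact IP or host name
        esac
      done
    done
  done < "$file"
  return 1
}

# wrapper_decision SERVICE CLIENT: prints the verdict, returns 0 for allow.
# Lookup order mirrors tcpd: allow file, then deny file, else access granted.
wrapper_decision() {
  if match_rule "$WRAP_DIR/hosts.allow" "$1" "$2"; then
    echo "allow $1 from $2 (hosts.allow)"
  elif match_rule "$WRAP_DIR/hosts.deny" "$1" "$2"; then
    echo "deny  $1 from $2 (hosts.deny)"; return 1
  else
    echo "allow $1 from $2 (no rule matched)"
  fi
}

wrapper_decision ftp 202.84.17.11
wrapper_decision ftp xinhuanet.com
wrapper_decision telnet 202.84.17.11 || :   # denied: only ftp is allowed
```

Running it shows that the ALL: ALL@ALL line in hosts.deny is what turns the policy into default-deny; without it, the telnet request from the same host would fall through to the final "no rule matched" branch and be allowed.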
6. Limit the size of Shell command records
By default, the bash shell stores up to 500 command records in the file $HOME/.bash_history (the default number varies between systems). Every user's home directory contains such a file, and the author strongly recommends limiting its size.
Edit the /etc/profile file and set the options as follows: HISTFILESIZE=30 or HISTSIZE=30.
7. Delete command record on logout
Edit the / etc/skel/.bash_logout file by adding the following line:
Rm-f $HOME/.bash_history
In this way, all users in the system delete their command records when they log out.
If you only need to set up for a specific user, such as a root user, you can just modify the / $HOME/.bash_history file under that user's home directory and add the same line.
8. Prohibit unnecessary SUID programs
SUID allows an ordinary user to execute a program with root privileges, so such programs should be strictly controlled.
Find the programs owned by root that have the s bit set:
# find / -type f \( -perm -04000 -o -perm -02000 \) -print | less
Disable the unnecessary ones:
# chmod a-s program_name
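The find command above is most useful when its output is compared against an inventory recorded on a freshly installed, reviewed system, so that a setuid file nobody installed stands out. The following added example (not the page's own commands) does that over a small constructed directory tree that stands in for the real filesystem; the baseline list and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Setuid/setgid inventory check (added example, constructed test tree).
LC_ALL=C; export LC_ALL            # keep sort and comm in agreement
ROOT=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$ROOT" "$BASELINE"' EXIT

# Constructed stand-in for a filesystem: three expected set-id programs
# and one setuid file that no package installed.
mkdir -p "$ROOT/bin" "$ROOT/tmp"
for f in bin/passwd bin/su bin/ping tmp/backdoor; do : > "$ROOT/$f"; done
chmod 4755 "$ROOT/bin/passwd" "$ROOT/bin/su"   # setuid, expected
chmod 2755 "$ROOT/bin/ping"                    # setgid, expected
chmod 4755 "$ROOT/tmp/backdoor"                # setuid, unexpected

# list_setid DIR: the page's find expression, limited to DIR and printed
# relative to it so the list is stable from one run to the next.
list_setid() {
  find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print |
    sed "s|^$1||" | sort
}

# Baseline an administrator would record after installation (constructed here).
printf '%s\n' /bin/passwd /bin/ping /bin/su > "$BASELINE"

# new_setid DIR: entries present now that the baseline does not list.
# comm -13 suppresses lines unique to the baseline and lines common to both.
new_setid() {
  list_setid "$1" | comm -13 "$BASELINE" -
}

# Each line printed here is a candidate for review and "chmod a-s".
new_setid "$ROOT"
```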
9. Check the boot messages
When a Linux system starts, a long list of boot messages scrolls across the screen. If you notice a problem during boot and need to examine it after the system is up, run the following command:
# dmesg > bootmessage
This redirects the messages displayed at boot time into the file bootmessage.
10. Maintenance of disk space
Checking disk space regularly is necessary to maintain the Linux file system. The commands used most often for disk space maintenance in Linux are df and du.
Ten tips:
Tip 1: cancel unnecessary services
In early versions of Unix, each network service had its own server program running in the background; later versions use a single /etc/inetd server program for this. inetd is short for Internet daemon: it listens on several network ports at once, and as soon as it receives a connection from outside it starts the corresponding TCP or UDP network service.
Because they are all under the control of inetd, most TCP and UDP services in Linux are configured in the /etc/inetd.conf file. So the first step in cancelling unnecessary services is to examine /etc/inetd.conf and put a "#" in front of the services you do not want.
In general, services other than http, smtp, telnet and ftp should be cancelled, for example the Trivial File Transfer Protocol (tftp), the imap/ipop protocols for storing and receiving network mail, gopher for locating and searching data, and daytime and time for time synchronisation.
There are also services that report the status of the system, such as finger, efinger, systat and netstat. They are useful for checking system errors and finding users, but they also provide a convenient door for hackers. For example, a hacker can use the finger service to find users' phone numbers, home directories and other important information. Many Linux systems therefore cancel all or some of these services to improve security.
Besides configuring the service entries with /etc/inetd.conf, inetd also uses the /etc/services file to find the port used by each service. The user must therefore carefully check the settings of each port in that file to avoid security holes.
There are two kinds of services in Linux: those that are executed only when needed, such as finger, and standing services that run continuously. The latter start when the system boots, so they cannot be stopped by modifying inetd; instead, edit the /etc/rc.d/rc[n].d/ scripts or use a runlevel editor. NFS servers providing file services and news servers providing NNTP news fall into this category, and it is best to cancel these services if they are not needed.
Tip 2: restrict access to the system
Before entering a Linux system, every user must log in: the user enters an account name and password, and only after the system has verified them is access granted.
Like other Unix operating systems, Linux traditionally encrypts passwords and stores them in the /etc/passwd file. The /etc/passwd file can be read by every user on the system, and although the passwords in it are encrypted, this is still not very secure, because an ordinary user can run a ready-made password cracking tool against it and guess the passwords by exhaustive search. A safer way is to use the shadow file /etc/shadow, which only users with special permissions are allowed to read.
In Linux systems, using shadow files used to require recompiling all utilities to support them. That method is troublesome; a much simpler one is to use Pluggable Authentication Modules (PAM). Many Linux distributions ship PAM, an authentication mechanism that lets you change authentication methods and requirements dynamically without recompiling other utilities. Because PAM encapsulates all authentication-related logic inside its modules, it is the best helper for using shadow files.
PAM also has many other security features: it can replace the traditional DES password hashing with stronger algorithms so that users' passwords cannot be cracked easily; it can set an upper limit on the computer resources each user may consume; and it can even set the time and place from which users may log in.
A Linux system administrator needs only a few hours to install and configure PAM, which greatly improves the security of the system and keeps many attacks out.
Tip 3: keep the system kernel up to date
Because Linux is distributed through many channels, and updated programs and system patches appear frequently, the system kernel must be updated regularly to strengthen system security.
The kernel is the core of the Linux operating system. It resides in memory, loads the other parts of the operating system and implements its basic functions. Because the kernel controls the various functions of the computer and the network, its security is essential to the security of the whole system.
Early kernel versions have many well-known security vulnerabilities and are also unstable; only versions from 2.0.x onwards are reasonably stable and secure, and the newer versions also run much more efficiently. When configuring the kernel, select only the features you need and do not accept every option by default; otherwise the kernel becomes very large, which not only consumes system resources but also gives hackers more opportunities.
The latest security patches are frequently published on the Internet, and Linux system administrators should stay informed and visit security newsgroups regularly to check for new patches.
Tip 4: check the login passwords
Setting a login password is a very important security measure. If a user's password is poorly chosen it is easy to crack, and a weak password on an account with superuser rights opens a large security hole in the system.
In a multi-user system, security improves greatly if every user is forced to choose a password that is hard to guess. However, if the passwd program cannot force every user to choose an appropriate password, the only way to ensure password quality is to rely on a password cracker.
In fact, the password cracker is a tool from the hacker's toolbox: it encrypts commonly used passwords, or all the words in an English dictionary that might be used as passwords, and compares the results against the /etc/passwd password file or the /etc/shadow shadow file of the Linux system. A match reveals the plaintext password.
Many password cracking programs can be found on the network, the best known being crack. Administrators can run such a program first to find the passwords that would be easy for hackers to crack; it is always better to correct them first than to have them cracked by a hacker.
Tip 5: set the security level of user accounts
Besides passwords, user accounts also have a security level, because each account on Linux can be given different permissions. When creating a new user ID, the system administrator should grant the account only the permissions it needs and place it in the appropriate user groups.
With tcpd on a Linux system you can set lists of who is and who is not allowed to log in: the allowed list is configured in /etc/hosts.allow and the denied list in /etc/hosts.deny. After the setup is complete, the inetd program must be restarted for it to take effect. In addition, Linux automatically records allowed and denied attempts in the /var/log/secure file, from which the system administrator can detect suspicious login records.
Someone should be responsible for each account ID. In an enterprise, if the employee responsible for an ID leaves, the administrator should delete the account from the system immediately; many intrusions have used accounts that had not been used for a long time.
Among user accounts, hackers like the account with root authority best: this superuser has the right to modify or delete all system settings and can move freely through the system. Therefore, think carefully before granting root permission to any account.
The /etc/securetty file in a Linux system contains the set of terminal names from which root may log in. On Red Hat Linux systems, for example, the initial contents of this file only allow root to log in on the local virtual consoles (ttys), not from remote terminals. It is best not to modify this file. If you must obtain root permissions remotely, log in as an ordinary account first and then use the su command to switch to the superuser.
Tip 6: eliminate the hotbed of hacker crime
In Unix systems there is a series of r-prefixed utilities, which are very dangerous weapons in the hands of hackers, so never open your root account to them. Because these utilities are authorised through .rhosts files or the hosts.equiv file, make sure your root account does not appear in those files.
Because the r-prefixed commands are a hotbed for hackers, many security tools address this vulnerability. For example, PAM can be used to abolish the power of the r-prefixed utilities: by adding a directive that login must be approved to the /etc/pam.d/rlogin file, users across the whole system are prevented from using the .rhosts file in their own home directory.
Tip 7: enhance security with better tools
SSH (Secure Shell) is a set of programs that can safely replace utilities such as rlogin, rsh and rcp. SSH uses public key technology to encrypt the communication between two hosts on the network, and uses its keys as a means of authentication.
Because SSH encrypts information on the network, it can be used to log in to remote hosts securely and to transfer information securely between two hosts. In fact, SSH not only secures communication between Linux hosts; it also allows Windows users to connect securely to Linux servers through SSH.
Tip 8: limit the power of the superuser
As mentioned earlier, root is the focus of Linux protection, and because of its unlimited power, superuser rights should not be granted lightly. However, installing and maintaining some programs requires superuser privileges; in such cases other tools can be used to give these users partial superuser privileges. sudo is such a tool.
After configuration, the sudo program allows an ordinary user to re-authenticate with their own password and obtain superuser permission, but only for a limited set of commands. For example, with sudo the administrator who manages tape backups can log in to the system every day at the scheduled time and obtain superuser privileges to perform the backup, but has no privilege to perform any other task that only the superuser can do.
sudo not only limits the user's permissions; it also logs every command executed through sudo, whether it succeeds or fails. In large enterprises there are often many people managing different parts of a Linux system at the same time, and each manager uses sudo to grant superuser privileges to certain users. From the sudo log you can track who did what and which parts of the system were changed.
It is worth noting that sudo does not restrict all user behaviour, and in particular a simple command that is not restricted carefully can be abused by hackers. For example, the cat command, commonly used to display the contents of a file, can be used by a hacker to modify or delete important files if it is run with superuser privileges.
Tip 9: follow the hacker's trail
When you have carefully set up the various Linux configurations and installed the necessary security tools, the security of the Linux operating system is greatly improved, but there is still no guarantee against intrusion by highly skilled and daring network hackers.
Network administrators should therefore always be vigilant, pay attention to suspicious situations, and check the various system log files regularly, including the general message log, the network connection log, the file transfer log and the user login log. When checking these logs, look for records at unreasonable times or of unusual kinds, for example:
Ordinary users logging in in the middle of the night
Abnormal logging, such as a log that stops halfway or a log file that has been deleted entirely
Users entering the system from unfamiliar sites
Records of logins rejected because of password or account errors, especially repeated failed attempts that follow a pattern of trial and error
Illegal or improper use of the superuser command su
Records of reboots or service restarts.
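The checks in this list can be turned into a repeatable log review. The following added example (not the page's own code) runs three of them over a constructed sample of /var/log/secure-style lines: repeated failed passwords from one source, successful logins in the middle of the night, and failed su attempts to root. The log lines, host names and addresses are constructed for the demonstration; the threshold of 3 failures is an assumption.

```shell
#!/bin/sh
# Log review for the suspicious patterns in Tip 9 (added example, constructed data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  1 02:13:07 host login[812]: LOGIN ON tty1 BY alice
Jun  1 09:02:11 host sshd[901]: Failed password for root from 203.0.113.9 port 4022 ssh2
Jun  1 09:02:14 host sshd[901]: Failed password for root from 203.0.113.9 port 4023 ssh2
Jun  1 09:02:18 host sshd[901]: Failed password for admin from 203.0.113.9 port 4024 ssh2
Jun  1 09:02:21 host sshd[901]: Failed password for oracle from 203.0.113.9 port 4025 ssh2
Jun  1 10:15:30 host sshd[950]: Failed password for bob from 198.51.100.4 port 5000 ssh2
Jun  1 10:16:02 host sshd[951]: Accepted password for bob from 198.51.100.4 port 5001 ssh2
Jun  1 11:40:00 host su: FAILED SU (to root) bob on /dev/pts/1
Jun  1 11:40:09 host su: FAILED SU (to root) bob on /dev/pts/1
EOF

# failed_password_sources LOG: sources with FAILED_THRESHOLD or more failed
# passwords, printed as "address count" (the trial-and-error pattern).
FAILED_THRESHOLD=3
failed_password_sources() {
  awk -v t="$FAILED_THRESHOLD" '/Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort
}

# night_logins LOG: successful logins between 00:00 and 05:59, the
# "ordinary user logs in in the middle of the night" case. Field 3 of a
# syslog line is the HH:MM:SS timestamp.
night_logins() {
  awk '/LOGIN ON|Accepted password/ {
      split($3, hms, ":"); if (hms[1] + 0 < 6) print $0
    }' "$1"
}

# failed_su_to_root LOG: failed su attempts to root, counted per user.
failed_su_to_root() {
  awk '/FAILED SU \(to root\)/ {
      for (i = 1; i <= NF; i++) if ($i == "root)") n[$(i+1)]++
    }
    END { for (u in n) print u, n[u] }' "$1" | sort
}

echo "== repeated failed passwords =="; failed_password_sources "$SAMPLE_LOG"
echo "== night-time logins =="; night_logins "$SAMPLE_LOG"
echo "== failed su to root =="; failed_su_to_root "$SAMPLE_LOG"
```

On a real host, point the functions at /var/log/secure (or the distribution's auth log) and run them from cron, comparing the output with the previous run.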
Tip 10: combine defences to ensure security
From the perspective of computer security, there is no absolutely airtight, 100% secure computer system in the world, and Linux is no exception. The rules above greatly improve the security of a Linux system so that petty hackers and hobbyists cannot break in easily, but they may not stop highly skilled attackers. Business users therefore also need to rely on firewalls and other security tools, working together, to keep hackers out and make the system as foolproof as possible.
Notes on Linux Security Settings
User group security settings under Linux
chmod o-r /etc/passwd   # make the information in passwd inaccessible to other users
chmod o-r /etc/group    # make the information in group inaccessible to other users
chgrp apache /etc/passwd /etc/group   # change passwd and group to the apache group
Note that /etc/passwd is read by every program that maps user IDs to names (ls -l, id, ps and the like); removing its world-read permission breaks such lookups for any process not covered by the group change above.
Permission settings
cd /
chmod o-r *
cd /usr
chmod o-r *
cd /var
chmod o-r *
chmod go-r /etc/httpd/conf
chmod go-rx /etc/rc.d/init.d
chmod o-r /etc/rc.d/init.d/*   # remove listing permissions from several directories
chmod go-rx /usr/bin/gcc
chmod go-rx /usr/bin/g++
chmod go-rx /usr/include       # remove other users' access to the glibc headers
That is the whole of the article "Sample Analysis of Linux System Security Configuration". Thank you for reading!
© 2024 shulou.com SLNews company. All rights reserved.