2025-01-16 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article walks through the "Linux operating system security configuration process". The method is simple, fast and practical; let's go through it step by step.
Brief introduction to the Linux security configuration steps
I. Disk partitioning
1. If you are installing a new system, consider the security of the disk layout:
1) The root directory (/), the user directory (/home), the temporary directory (/tmp) and /var should each be on a separate disk partition.
2) Size these partitions generously: a partition that fills up, for whatever reason, can bring the whole system down, and keeping user- and log-writable trees off the root partition stops that from happening to /.
2. The partitions holding /tmp and /var almost never need to carry set-uid programs, so mount them with the nosuid option.
Method 1: edit /etc/fstab and add nosuid to the option list. For example:
/dev/hda2   /tmp   ext2   exec,dev,nosuid,rw   0 0
Method 2: if you are not comfortable editing /etc/fstab by hand, make the change through the linuxconf program:
* run the linuxconf program
* Select "Access local drive" under "File systems"
* Select the disk partition whose properties need to be modified
* Select the "No setuid programs allowed" option
* Select other options as needed
* exit normally. (you will generally be prompted to re-mount the partition)
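As an added example (not from the original article), the following shell script audits an fstab-format file for the two points above: that /tmp, /var and /home are separate partitions, and that /tmp and /var are mounted nosuid. The sample fstab, its device names and mount options are constructed for the example; on a real host point audit_fstab at /etc/fstab.

```sh
#!/bin/sh
# Added example: audit an fstab-format file for the partition advice above.
# Checks that /tmp, /var and /home are separate partitions and that /tmp and
# /var are mounted nosuid. The sample fstab below is constructed for this
# example (hypothetical devices); point audit_fstab at /etc/fstab on a real host.

SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>   <mountpoint> <type> <options>           <dump> <pass>
/dev/hda1    /            ext2   defaults            1 1
/dev/hda2    /tmp         ext2   exec,dev,nosuid,rw  0 0
/dev/hda3    /var         ext2   defaults            0 0
/dev/hda5    /home        ext2   nosuid,nodev,rw     0 0
EOF

# is_separate FSTAB MOUNTPOINT: true if MOUNTPOINT has its own fstab entry
is_separate() {
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# has_opt FSTAB MOUNTPOINT OPTION: true if OPTION appears as a whole word in
# the comma-separated option list of MOUNTPOINT ("defaults" does not imply it)
has_opt() {
    awk -v mp="$2" -v want="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == want) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# audit_fstab FSTAB: print one WARN line per finding
audit_fstab() {
    for mp in /tmp /var /home; do
        if ! is_separate "$1" "$mp"; then
            echo "WARN: $mp is not on its own partition"
            continue
        fi
        # /home only has to be separate; nosuid is required on /tmp and /var
        [ "$mp" = /home ] && continue
        has_opt "$1" "$mp" nosuid || echo "WARN: $mp is mounted without nosuid"
    done
}

# count_fstab_findings FSTAB: number of WARN lines (0 means the layout passes)
count_fstab_findings() {
    audit_fstab "$1" | wc -l | tr -d ' '
}

audit_fstab "$SAMPLE_FSTAB"
```

Run on the sample it reports only that /var lacks nosuid, because "defaults" does not include it. The check reads the option field literally, so a partition that is nosuid only because of a mount-time override would still be flagged; compare against the output of mount if that matters on your host.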
II. Installation
1. On non-test hosts, do not install more packages than you need. Every package you leave out is one less source of security vulnerabilities.
2. On non-test hosts, do not enable services you do not need when choosing which services start at boot, for example routed, ypbind and the like.
III. Security configuration and enhancement
Kernel upgrade. Upgrade to at least version 2.2.16.
GNU libc shared library upgrade. (Warning: if you have no experience with this, do not attempt it lightly; it can be deferred.)
Shut down dangerous network services: echo, chargen, shell, login, finger, NFS, RPC, etc.
Turn off non-essential network services: talk, ntalk, pop-2, etc.
Security configuration and upgrade of common network services
Make sure that the version used by the network service is currently the latest and most secure version.
Cancel anonymous FTP access
Remove non-essential suid programs
Use tcpwrapper
Use ipchains Firewall
Log system syslogd
Some details:
1. The log files inside the operating system are an important clue for detecting a network intrusion. Of course, this assumes the intruder has not been able to tamper with them. If your server sits directly on the Internet over a dedicated line, meaning your IP address never changes, you will find that plenty of people try to log in to it; check with:
# grep refused /var/log/secure
2. Limit the number of programs carrying the SUID permission flag; a program that runs as root is a potential security hole. Of course, some programs must have this flag, passwd for example.
3. BIOS security. Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.
4. User passwords. The user password is one of the most basic starting points of Linux security. Many people use a trivial password such as 'password', which opens the door for intruders. In theory no password is unbreakable given enough time and resources; a good password is a string that only its owner can easily remember, and it is never written down anywhere.
5. The /etc/exports file. If you use the NFS network file system service, make sure /etc/exports has the strictest possible access settings: do not use wildcards, do not allow root write access, and export read-only. Edit /etc/exports and add entries of this form:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you are exporting, and host1.mydomain.com is the name of the machine allowed to mount it. Note that there is no space between the host name and the option list: in the exports format, an option list separated from the host by a space applies to every client, not to that host.
ro means the export is mounted read-only, and root_squash maps the client's root to an unprivileged user so that root cannot write to the directory.
For the changes to take effect, run /usr/sbin/exportfs -a (exportfs -r re-exports the whole table after you change options on existing entries).
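As an added example (not from the original article), this script lints an exports file against the rules above: it warns about wildcard hosts, entries that are not read-only, entries without root_squash, and the stray-space mistake that detaches an option list from its host. The sample file, directories and host names are constructed for the example.

```sh
#!/bin/sh
# Added example: lint an /etc/exports file against the rules above (no
# wildcards, read-only, root_squash) and catch the classic formatting mistake
# where a space between host and options makes the options apply to everyone.
# The sample file, paths and host names are constructed for this example.

SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
/dir/to/export   host1.mydomain.com(ro,root_squash)
/dir/to/export   host2.mydomain.com (ro,root_squash)
/srv/build       *.mydomain.com(rw,no_root_squash)
/srv/pub         (ro)
EOF

# lint_exports FILE: print one WARN line per finding
lint_exports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            dir = $1
            for (i = 2; i <= NF; i++) {
                f = $i
                if (f ~ /^\(/) {
                    # "(opts)" on its own: a stray space detached it from the
                    # host, so these options now apply to every client
                    print "WARN: " dir ": options " f " are not attached to a host (stray space?)"
                    continue
                }
                host = f; opts = ""
                if (match(f, /\(.*\)$/)) {
                    host = substr(f, 1, RSTART - 1)
                    opts = substr(f, RSTART + 1, RLENGTH - 2)
                }
                if (host ~ /[*?]/)
                    print "WARN: " dir ": wildcard host " host
                if (opts !~ /(^|,)ro(,|$)/)
                    print "WARN: " dir " " host ": ro not set explicitly"
                if (opts !~ /(^|,)root_squash(,|$)/)
                    print "WARN: " dir " " host ": root_squash not set"
            }
        }
    ' "$1"
}

# count_export_findings FILE: number of WARN lines (0 means the file passes)
count_export_findings() {
    lint_exports "$1" | wc -l | tr -d ' '
}

lint_exports "$SAMPLE_EXPORTS"
```

On the sample only the first entry passes. The second is the stray-space case: host2 ends up with no options of its own and "(ro,root_squash)" applies to everyone, which the linter reports as three separate findings. The "ro" and "root_squash" checks match whole words, so no_root_squash is correctly not accepted as root_squash.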
6. Make sure that the owner of /etc/inetd.conf is root and that the file mode is 600.
[root@deep]# chmod 600 /etc/inetd.conf
Ensure that the owner is root:
[root@deep]# stat /etc/inetd.conf
  File: "/etc/inetd.conf"
  Size: 2869          Filetype: Regular File
  Mode: (0600/-rw-------)   Uid: (0/ root)   Gid: (0/ root)
Device: 8,6   Inode: 18219   Links: 1
Access: Wed Sep 22 16:24:16 1999
Modify: Mon Sep 20 10:22:44 1999
Change: Mon Sep 20 10:22:44 1999
Edit /etc/inetd.conf and disable the following services unless you really need them:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc.
In particular, disable the r-commands (shell, login, exec). If you use ssh/scp, you can disable telnet and ftp as well.
For the changes to take effect, run # killall -HUP inetd
You can also run # chattr +i /etc/inetd.conf to make the file immutable.
Only root can clear the flag again, with the command
# chattr -i /etc/inetd.conf
7. TCP_WRAPPERS
By default, Red Hat Linux allows all requests. Using TCP_WRAPPERS to tighten the security of your site is easy: put
"ALL: ALL" in /etc/hosts.deny to refuse every request, then put the requests you explicitly allow in
/etc/hosts.allow, for example:
sshd: 192.168.1.10 gate.openarch.com
This allows ssh connections from the IP address 192.168.1.10 and from the host gate.openarch.com. Be careful with the net/mask form: 192.168.1.0/255.255.255.0 matches the whole 192.168.1.0/24 network, while 192.168.1.10/255.255.255.0 matches nothing, because a net/mask pattern only matches when the address ANDed with the mask equals the net part. Also remember that these rules only protect services started through tcpd or linked against libwrap.
After the configuration, check it with tcpdchk:
[root@deep]# tcpdchk
tcpdchk is the TCP_WRAPPERS configuration checker.
It reads your tcp wrapper configuration and reports any potential or actual problems it finds.
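As an added example covering points 6 and 7 (not from the original article), this script comments out the unwanted services in an inetd.conf, reports what is still enabled, and flags enabled services that are not started through /usr/sbin/tcpd, since hosts.allow and hosts.deny have no effect on those. The sample inetd.conf and its entries are constructed for the example; on a real host run it against /etc/inetd.conf and then send inetd a HUP.

```sh
#!/bin/sh
# Added example for sections 6 and 7: comment out unwanted services in an
# inetd.conf, report what is still enabled, and flag enabled services that do
# not go through /usr/sbin/tcpd (hosts.allow/hosts.deny do not protect those).
# The sample inetd.conf is constructed for this example; on a real host run
# disable_inetd_services against /etc/inetd.conf, then "killall -HUP inetd".

SAMPLE_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_INETD"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
#comsat dgram   udp  wait    root    /usr/sbin/tcpd  in.comsat
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
EOF

# Services the article says to disable unless you really need them
DISABLE_SERVICES="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# disable_inetd_services FILE: comment out active entries for DISABLE_SERVICES,
# rewriting FILE in place (the inode, owner and 0600 mode are preserved).
# Fails if the file has been made immutable with chattr +i; run chattr -i first.
disable_inetd_services() {
    tmp=$(mktemp)
    awk -v list="$DISABLE_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        ($1 in off)                  { print "#" $0; next }
                                     { print }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# active_inetd_services FILE: names of services still enabled, one per line
active_inetd_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# unwrapped_inetd_services FILE: enabled services whose server program is not
# tcpd, so TCP_WRAPPERS rules in hosts.allow/hosts.deny do not apply to them
unwrapped_inetd_services() {
    awk '/^[[:space:]]*#/ || NF < 6 { next } $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

disable_inetd_services "$SAMPLE_INETD"
echo "still enabled: $(active_inetd_services "$SAMPLE_INETD" | tr '\n' ' ')"
echo "not wrapped by tcpd: $(unwrapped_inetd_services "$SAMPLE_INETD" | tr '\n' ' ')"
```

On the sample only ssh remains enabled, and it is reported as unwrapped: an "ALL: ALL" in hosts.deny would not apply to it unless sshd itself was built with libwrap. Lines that are already commented out are left alone rather than being commented twice.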
8. The aliases file
Edit the aliases file /etc/aliases (possibly /etc/mail/aliases) and remove or comment out the lines marked below:
# Basic system aliases - these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root
# General redirections for pseudo accounts.
bin:            root
daemon:         root
# games:        root   <- remove or comment out
# ingres:       root   <- remove or comment out
nobody:         root
# system:       root   <- remove or comment out
# toor:         root   <- remove or comment out
# uucp:         root   <- remove or comment out
# Well-known aliases.
# manager:      root   <- remove or comment out
# dumper:       root   <- remove or comment out
# operator:     root   <- remove or comment out
# trap decode to catch security attacks
# decode:       root
# Person who should get root's mail
# root:         marc
Don't forget to run /usr/bin/newaliases after the last change to make it take effect.
9. Prevent your system from responding to any external or internal ping request.
If nobody can ping your machine and get a reply, the host is harder to find and probe. Add the following command to /etc/rc.d/rc.local so that it runs automatically at every boot:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Bear in mind that this only hides the host from ping; it does not stop port scans, and it breaks any monitoring that relies on ICMP echo.
10. Do not display operating system and version information.
If you want remote logins to your server not to reveal the operating system and version, change the telnet line in /etc/inetd.conf to look like this:
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd -h
The -h flag at the end stops the telnet daemon from printing the system banner, so only the login: prompt is shown.
11. The /etc/host.conf file
Edit the host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP Aliasing).
multi off
# Check for IP address spoofing.
nospoof on
IP spoofing is an attack that works by tricking computers in a trust relationship into believing you are someone you are not; nospoof on makes the resolver check that the reverse lookup of an address maps back to the host name that was resolved.
12. The /etc/securetty file
This file lists the tty devices on which root may log in; /etc/securetty is read by the /bin/login program, and its
format is one allowed device name per line. For example, you can edit /etc/securetty and comment out the following lines:
tty1
# tty2
# tty3
# tty4
# tty5
# tty6
# tty7
# tty8
This means that root may only log in at the tty1 terminal.
13. Special accounts
Disable all default accounts created by the operating system itself that you do not need. Do this check when you first install the system. Linux ships with a variety of accounts that you may not need; if an account is not needed, remove it. The more accounts you have, the more exposed you are.
To delete a user on your system, use the following command:
[root@deep]# userdel username
To delete a group on your system, use the following command:
[root@deep]# groupdel groupname
Type the following commands at the terminal to delete the listed users:
[root@deep]# userdel adm
[root@deep]# userdel lp
[root@deep]# userdel sync
[root@deep]# userdel shutdown
[root@deep]# userdel halt
[root@deep]# userdel mail
(Delete this account if you do not use the sendmail server, procmail or mailx.)
[root@deep]# userdel news
[root@deep]# userdel uucp
[root@deep]# userdel operator
[root@deep]# userdel games
(Delete this account if you do not use an X Window server.)
[root@deep]# userdel gopher
[root@deep]# userdel ftp
(Delete this account if you do not allow anonymous FTP.)

Type the following commands to delete the listed groups:
[root@deep]# groupdel adm
[root@deep]# groupdel lp
[root@deep]# groupdel mail
(Delete this group if you do not use a sendmail server.)
[root@deep]# groupdel news
[root@deep]# groupdel uucp
[root@deep]# groupdel games
(Delete this group if you do not use X Window.)
[root@deep]# groupdel dip
[root@deep]# groupdel pppusers
[root@deep]# groupdel popusers
(Delete this group if you do not use a POP server.)
[root@deep]# groupdel slipusers

Add the user accounts you need with the following command:
[root@deep]# useradd username
Set a user's password with the following command:
[root@deep]# passwd username
Use the chattr command to set the immutable attribute on the following files:
[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow
While the immutable bit is set, useradd, passwd and similar tools fail; clear it with chattr -i before making account changes and set it again afterwards.
14. Stop anyone from su'ing to root.
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required   /lib/security/pam_wheel.so group=isd
This means that only members of the isd group can su to root.
Then, if you want the user admin to be able to su to root, add admin to that group:
[root@deep]# usermod -G isd admin
(Use the group you named in pam_wheel's group= option; without group=, pam_wheel uses the wheel group, which is GID 10 on Red Hat, so the equivalent command would be usermod -G 10 admin. Note that usermod -G replaces the user's whole supplementary group list, so include any other groups the user should keep.)
16. Resource limits
Setting resource limits for all users on your system helps prevent DoS-type (denial of service) attacks,
for example by capping the number of processes, the amount of memory and so on. To apply limits to all users:
Edit /etc/security/limits.conf and add:
* hard core 0
* hard rss 5000
* hard nproc 20
You must also edit /etc/pam.d/login and add (or check for) this line:
session required /lib/security/pam_limits.so
The lines above disable core files ("core 0"), limit each user to 20 processes ("nproc 20") and limit memory use
to 5 MB ("rss 5000", in kilobytes). Note that Linux 2.4.30 and later do not enforce the rss limit; on those kernels use the address-space limit (as) to cap memory instead.
17. The /etc/lilo.conf file
a) Add: restricted
Add this line to each boot image; it means that a password is required if extra parameters (such as linux single) are given at the boot prompt.
b) Add: password=some_password
Used together with restricted, the password is asked for only when booting with extra parameters, not for a normal boot. You also need to make sure that lilo.conf
cannot be read by users other than root, otherwise the password is exposed. Here is an example:
Edit /etc/lilo.conf and add:

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
restricted                 <- add this line
password=some_password     <- add this line
image=/boot/vmlinuz-2.2.12-20
        label=linux
        initrd=/boot/initrd-2.2.12-10.img
        root=/dev/sda6
        read-only
[root@deep]# chmod 600 /etc/lilo.conf   (no longer readable by other users)
[root@deep]# /sbin/lilo -v              (write the new configuration to the boot loader)
[root@deep]# chattr +i /etc/lilo.conf   (prevent the file from being modified)
18. Disable the Control-Alt-Delete restart command
[root@deep]# vi /etc/inittab
Change
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
and then make init re-read the file:
[root@deep]# /sbin/init q
19. Reset the permissions of all files in the /etc/rc.d/init.d/ directory
[root@deep]# chmod -R 700 /etc/rc.d/init.d/*
Now only root can read, write and execute these script files.
20. The /etc/rc.d/rc.local file
By default, when you log in to a Linux server, it tells you the Linux distribution name, the kernel version and the server
hostname. That gives away too much information. If you just want the login: prompt, edit
/etc/rc.d/rc.local and put a # in front of the following lines:
--
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
--
Then do the following:
[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
[root@deep]# touch /etc/issue
[root@deep]# touch /etc/issue.net
21. The s-bit on programs owned by root
Remove the s-bit (set-uid/set-gid flag) from root-owned programs that do not need it. Some programs do need it; for the others, use the command chmod a-s.
Note: programs marked with (*) generally do not need the s-bit.
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
   -rwsr-xr-x  1 root  root      33120 Mar 21  1999 /usr/bin/at
*  -rwsr-xr-x  1 root  root      30560 Apr 15 20:03 /usr/bin/chage
*  -rwsr-xr-x  1 root  root      29492 Apr 15 20:03 /usr/bin/gpasswd
   -rwsr-xr-x  1 root  root       3208 Mar 22  1999 /usr/bin/disable-paste
   -rwxr-sr-x  1 root  man       32320 Apr  9  1999 /usr/bin/man
   -r-s--x--x  1 root  root      10704 Apr 14 17:21 /usr/bin/passwd
   -rws--x--x  2 root  root     517916 Apr  6  1999 /usr/bin/suidperl
   -rws--x--x  2 root  root     517916 Apr  6  1999 /usr/bin/sperl5.00503
   -rwxr-sr-x  1 root  mail      11432 Apr  6  1999 /usr/bin/lockfile
   -rwsr-sr-x  1 root  mail      64468 Apr  6  1999 /usr/bin/procmail
   -rwsr-xr-x  1 root  root      21848 Aug 27 11:06 /usr/bin/crontab
   -rwxr-sr-x  1 root  slocate   15032 Apr 19 14:55 /usr/bin/slocate
*  -r-xr-sr-x  1 root  tty        6212 Apr 17 11:29 /usr/bin/wall
*  -rws--x--x  1 root  root      14088 Apr 17 12:57 /usr/bin/chfn
*  -rws--x--x  1 root  root      13800 Apr 17 12:57 /usr/bin/chsh
*  -rws--x--x  1 root  root       5576 Apr 17 12:57 /usr/bin/newgrp
*  -rwxr-sr-x  1 root  tty        8392 Apr 17 12:57 /usr/bin/write
   -rwsr-x---  1 root  squid     14076 Oct  7 14:48 /usr/lib/squid/pinger
   -rwxr-sr-x  1 root  utmp      15587 Jun  9 09:30 /usr/sbin/utempter
*  -rwsr-xr-x  1 root  root       5736 Apr 19 15:39 /usr/sbin/usernetctl
*  -rwsr-xr-x  1 root  bin       16488 Jul  6 09:35 /usr/sbin/traceroute
   -rwsr-sr-x  1 root  root     299364 Apr 19 16:38 /usr/sbin/sendmail
   -rwsr-xr-x  1 root  root      34131 Apr 16 18:49 /usr/libexec/pt_chown
   -rwsr-xr-x  1 root  root      13208 Apr 13 14:58 /bin/su
*  -rwsr-xr-x  1 root  root      52788 Apr 17 15:16 /bin/mount
*  -rwsr-xr-x  1 root  root      26508 Apr 17 20:26 /bin/umount
*  -rwsr-xr-x  1 root  root      17652 Jul  6 09:33 /bin/ping
   -rwsr-xr-x  1 root  root      20164 Apr 17 12:57 /bin/login
*  -rwxr-sr-x  1 root  root       3860 Apr 19 15:39 /sbin/netreport
   -r-sr-xr-x  1 root  root      46472 Apr 17 16:26 /sbin/pwdb_chkpwd
[root@deep]# chmod a-s /usr/bin/chage
[root@deep]# chmod a-s /usr/bin/gpasswd
[root@deep]# chmod a-s /usr/bin/wall
[root@deep]# chmod a-s /usr/bin/chfn
[root@deep]# chmod a-s /usr/bin/chsh
[root@deep]# chmod a-s /usr/bin/newgrp
[root@deep]# chmod a-s /usr/bin/write
[root@deep]# chmod a-s /usr/sbin/usernetctl
[root@deep]# chmod a-s /usr/sbin/traceroute
[root@deep]# chmod a-s /bin/mount
[root@deep]# chmod a-s /bin/umount
[root@deep]# chmod a-s /bin/ping
[root@deep]# chmod a-s /sbin/netreport
Removing the bit from ping, traceroute, mount and umount means ordinary users can no longer run them (they need raw sockets or mount privileges); decide per host whether that matters.
You can find all programs with the s-bit with the following command, writing the results to the file suid-sgid-results:
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; > suid-sgid-results
To find all group- or world-writable files and directories, use the following commands:
[root@deep]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; > ww-files-results
[root@deep]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; > ww-directories-results
Use the following command to find files with no owner or group:
[root@deep]# find / -nouser -o -nogroup > unowned-results
Find all .rhosts files with the following command:
[root@deep]# find /home -name .rhosts > rhosts-results
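As an added example (not from the original article), the find command above is turned into a repeatable audit: find_setid_files lists every set-uid/set-gid regular file under a root with its mode string, and compare_setid_baseline diffs a fresh listing against one saved after hardening, so a new or changed s-bit program stands out instead of being buried in a long listing. The directory tree and file names are constructed for the example; on a real host run it with ROOT=/ and keep the baseline somewhere the host itself cannot modify.

```sh
#!/bin/sh
# Added example: the find command above as a repeatable audit. find_setid_files
# lists every setuid/setgid regular file under a root with its mode string, and
# compare_setid_baseline diffs a fresh listing against a saved one, so a new or
# changed s-bit program shows up instead of being lost in a long listing.
# The directory tree below is constructed for this example; on a real host run
# it with ROOT=/ and keep the baseline somewhere the host cannot modify.

# find_setid_files ROOT: sorted "mode path" lines for setuid/setgid regular files
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f; do printf "%s %s\n" "$(ls -l "$f" | cut -c1-10)" "$f"; done
    ' sh {} + | sort
}

# compare_setid_baseline ROOT BASELINE: lines prefixed "<" were in the baseline
# but are gone now, ">" are present now but not in the baseline; empty if unchanged
compare_setid_baseline() {
    find_setid_files "$1" | diff "$2" - | grep '^[<>]' || true
}

# count_new_setid ROOT BASELINE: number of s-bit files not in the baseline
count_new_setid() {
    compare_setid_baseline "$1" "$2" | grep -c '^>' || true
}

# --- constructed tree standing in for / ---
ROOT=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$ROOT" "$BASELINE"' EXIT
mkdir -p "$ROOT/bin" "$ROOT/usr/bin"
: > "$ROOT/bin/su";        chmod 4755 "$ROOT/bin/su"        # setuid root, needed
: > "$ROOT/usr/bin/wall";  chmod 2755 "$ROOT/usr/bin/wall"  # setgid, marked (*) above
: > "$ROOT/usr/bin/cat";   chmod 0755 "$ROOT/usr/bin/cat"   # no s-bit

# Take the baseline right after hardening
find_setid_files "$ROOT" > "$BASELINE"

# Later, something drops a new setuid binary on the box...
: > "$ROOT/usr/bin/dropped"; chmod 4755 "$ROOT/usr/bin/dropped"
# ...and the comparison shows exactly that one line
compare_setid_baseline "$ROOT" "$BASELINE"
```

The mode string is taken from the first ten characters of ls -l, so a program whose s-bit was removed with chmod a-s also shows up as a "<" line: the audit catches both directions of drift. Re-save the baseline only after you have reviewed the differences.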
Recommended replacement of common network service applications
WuFTPD
WuFTPD has suffered security vulnerabilities since 1994. Attackers can easily gain remote root access, and many of the holes do not even require a valid account on the FTP server. New vulnerabilities in WuFTPD have kept appearing recently.
Its best alternative is ProFTPD. ProFTPD is easy to configure, faster in most cases, and its source code is clean (buffer overflows are rare). Many important sites use ProFTPD; sourceforge.net is a good example (3000 open source projects on that site, and the load is not small). Some Linux distributors also use ProFTPD on their main FTP sites, and only two major distributors (SuSE and Caldera) use WuFTPD.
Another advantage of ProFTPD is that it can run either from inetd or as a stand-alone daemon, which sidesteps some of the problems inetd brings, such as denial of service attacks. The simpler the system, the easier it is to secure. Unless WuFTPD's whole source is re-audited (very difficult) or rewritten from scratch, it will inevitably be displaced by ProFTPD.
Telnet
Telnet is very insecure: it sends passwords in clear text. Its secure alternative is OpenSSH.
OpenSSH is mature and stable on Linux, and there are plenty of free clients for the Windows platform. Linux distributors should adopt OpenBSD's policy: install OpenSSH and enable it by default, install Telnet but leave it disabled. For distributors outside the United States, adding OpenSSH to a distribution is easy. Distributors inside the United States had to find other ways at the time (Red Hat, for example, kept the latest OpenSSH RPM on its FTP server in Germany, ftp.redhat.de).
Telnet is beyond repair. To secure the system it must be replaced with software such as OpenSSH.
Sendmail
The security of Sendmail has improved a lot in recent years (it used to be the program that hackers focused on). However, Sendmail still has a serious problem. Once there is a security loophole (for example, the recent Linux kernel error), Sendmail is the key program to be attacked by hackers, because Sendmail runs with root privileges and the code is large and prone to problems.
Almost all Linux publishers use Sendmail as the default configuration, and only a few use Postfix or Qmail as an optional package. However, few publishers of Linux use Sendmail on their own mail servers. Both SuSE and Red Hat use Qmail-based systems.
Sendmail will not necessarily be completely replaced by other programs. But its two alternatives, Qmail and Postfix, are safer and faster than it, and Postfix, in particular, is easier to configure and maintain.
su
su is used to change the current user ID into another user's. You can log in as an ordinary user and, when you need to do something as root, run su and enter the root password. There is nothing wrong with su itself, but it encourages bad habits: if a system has several administrators, they all have to be given the root password.
An alternative to su is sudo, which is included in Red Hat 6.2. sudo lets you specify which users and which groups may run which programs as root. You can also restrict users by where they log in from (if someone cracks a user's password and logs in with that account from a remote machine, you can deny them the use of sudo). Debian also has a similar program, super, which has its own advantages and disadvantages compared with sudo.
Get users into good habits. Sharing one root account whose password several people know is a bad habit. That is why www.apache.org was compromised: it had several system administrators who all held root privileges. A messy system is easy to break into.
named
Most Linux distributors have solved this problem. named used to run as root, so whenever a new vulnerability appeared in named it was easy to break into some very important machines and gain root privileges. Now named can be made to run as a non-root user with just a couple of command-line parameters, and the vast majority of distributors already run it with ordinary-user privileges. The usual form is: named -u <user> -g <group>
INN
The INN documentation states clearly: "disable this feature (verifycancels); it is useless and will be removed." About a month ago an attacker published a way to break into INN when verifycancels is enabled. Red Hat shipped with verifycancels enabled. Any setuid/setgid program or network service should be installed and checked carefully to keep security vulnerabilities to a minimum.
Security guidelines
1. Remove all default accounts and passwords from the system.
2. Do not display company banners, online help or other information until the user has been authenticated.
3. Disable the network services that attackers use to get at the system.
4. Use alphanumeric passwords of 6 to 8 characters.
5. Limit the number of times a user may attempt to log in.
6. Record security violations and review the security log.
7. Encrypt important information before transmitting it over the Internet.
8. Heed the advice of experts and install the system patches they recommend.
9. Restrict the host files that can be accessed without a password.
10. Modify the network configuration to limit inbound TCP connections to the minimum number of ports. Do not allow protocols such as tftp, sunrpc, printer, rlogin or rexec.
11. Use upas instead of sendmail. Sendmail has so many known vulnerabilities that it is hard to fix them all.
12. Remove programs that are not critical to operation and are rarely used.
13. Use chmod to set all system directories to mode 711. Attackers then cannot list their contents, while users can still execute what is in them.
14. Whenever possible, mount disks read-only. In practice only a few directories need to be writable.
15. Upgrade system software to the latest version. Older versions may have been studied and successfully attacked; the latest versions usually include fixes for those problems.
At this point you should have a deeper understanding of the Linux operating system security configuration process. Try it out in practice; more related content can be found in the relevant channels of this site, so follow us and keep learning!