Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you an example analysis of suse linux system security. The article is rich in content and analyzed and described from a professional point of view. I hope you can get something after reading this article.

SUSE Linux Enterprise Server 10 is an excellent mainstream commercial version among many Linux distributions. it not only has the general functions of Linux, but also attracts a lot of enterprise users because of its excellent performance and good control of security. There are also a large number of key applications in China. I have also deployed and applied this version according to customer requirements in the specific projects I came into contact with. In terms of personal feeling, the overall security is still good, and I have done a good job in encryption and authentication, but there are still many security details in SUSE that we need to pay attention to. Here to sum up their own application experience, may not be a comprehensive summary and exchange.

I. account management

1. Lock unnecessary system accounts

Many accounts are system accounts and will not be used in day-to-day management, and locking these accounts can help reduce the use of those who use them. The way to do this is to delete the account directly or set an invalid shell (e.g. / bin/false). / bin/false is used in SUSE instead of / bin/nologin.

Here, we modify the / etc/passwd file through VI to change the login shell of less commonly used users such as at, bin, deamon, ftp, games, lp, man, news, nobody, etc., to / bin/false, so that the user can not log in.

2. Set up account and change password parameters on a regular basis

Force users to change their passwords regularly and adjust them in / etc/login.defs according to your actual situation. For example: set to 90 days to change the password. Just change the default 99999 of PASS_MAX_DAYS to 90 days.

# vi / etc/login.defs

Turn off services that are unnecessary or temporarily unused:

# chkconfig slpd off

# chkconfig portmap off

# chkconfig postfix off

For example, RPC port mapping service, because the authentication mechanism of RPC is very weak, it is easy to be bypassed, but RPC can be used to get a lot of important information. Unless NIS is required, it is best to disable it.

In addition, the Postfix service is activated by default in SUSE. If this server is a mail server, it should be noted that having permission to search for attachments on the web interface is a security hazard. In addition, if you have experience with mail server management, you will know how important it is to plan a chroot environment for postfix. In the chroot environment, even if someone breaks into smtpd daemon, the damage that can be caused is relatively limited. Reinforcement method:

Open: vi / etc/sysconfig/mail and set the SMTPD_LISTEN_REMOTE= "yes".

Close: vi / etc/sysconfig/mail, set SMTPD_LISTEN_REMOTE= "no".

In addition, unnecessary ports can also be closed to avoid leaving loopholes.

# netstat-antp

Output statistics on CPU usage, once per second, for a total of 10 times

Output statistics on the status of network devices

4. Other aspects needing attention:

1. Find unowned files

Do not have any unowned files on your system, which may be caused by a person who has already accessed your system, or by incorrect maintenance and installation of the software package. For example, users or groups are deleted, but the related files are not deleted. Another common situation is that the owner is not set correctly when the software is installed. When NFS mounts files, it will ignore the mapping synchronization between the user ID and the system, and may also lead to the generation of unowned files.

Check the command:

For PART in `grep-v ^ # / etc/fstab | awk'($6! = "0") {print $2}'`; do

Find $PART-nouser-o-nogroup-print

Done

Note: don't worry about the files in the "/ dev" directory. If there are a large number of files without owners in the / tmp directory, it is recommended to identify the purpose and add owners or eliminate them.

2. Delete an empty password account

Use the awk-F:'($2 = = ") {print $1}'/ etc/shadow command to find an empty password account. An empty password account means that anyone can log in without providing a password. All accounts should have robust passwords to avoid weak passwords.

3. Security reinforcement of ssh

OpenSSH,OpenSSH is a popular and free encrypted connection tool installed by default on SUSE, but there are many security vulnerabilities in the lower version of OpenSSH, so it's best to download the latest version. We also need to restrict remote login for ROOT accounts, change the default port, specify accessible networks, and so on. Its version 1 has serious security problems and can even intercept passwords, so it is recommended that you change the protocol version to 2. Because FTP is not very secure, it is recommended that you use the SCP command to transfer files.

Modify it through VI, as follows:

Vi / etc/ssh/sshd_config

6. Kernel network optimization

The / proc/sys/net/ directory mainly contains many network-related topics. By changing the file parameters in these directories, you can easily adjust and optimize the relevant network parameters. There are two directories under the / proc/sys/net/ directory: / proc/sys/net/core and / proc/sys/net/ipv4. Adjusting the parameters of some files in these two directories can bring some unexpected results to our network applications.

It is recommended to modify:

Net.ipv4.tcp_max_syn_backlog = 4096

The maximum value of recorded connection requests for which the client acknowledgement has not been received.

Net.ipv4.conf.all.accept_source_route = 0

Net.ipv4.conf.all.accept_redirects = 0

Net.ipv4.conf.all.secure_redirects = 0

Net.ipv4.conf.default.rp_filter = 1

Net.ipv4.conf.default.accept_source_route = 0

Net.ipv4.conf.default.accept_redirects = 0

Net.ipv4.conf.default.secure_redirects = 0

Net.ipv4.icmp_echo_ignore_broadcasts = 1

With regard to the system security of SUSE LINUX, I would like to sum up so much for the time being. I also hope that friends who use SUSE LINUX can communicate and learn together.

The above is the example analysis of suse linux system security shared by Xiaobian. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.