2025-01-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to eliminate hidden security risks on Linux servers. The content is concise and easy to follow, and I hope the detailed walkthrough gives you something useful.
Linux is widely regarded as a very secure system with many advantages in functionality and price, but security risks are still unavoidable, and they can be troublesome to fix. To help avoid them, here are eight ways to improve the security of a Linux system. The tricks are small, but they work, so you might as well give them a try.
1. Restrict access to the system
Before entering a Linux system, every user must log in: the user enters an account name and password and is admitted only after the system has verified them. Like other Unix operating systems, Linux typically encrypts passwords and stores them in the /etc/passwd file. The /etc/passwd file can be read by all users on the system, and although the passwords saved in it are encrypted, this is still not very secure, because an ordinary user can run a ready-made password cracking tool and guess the passwords by exhaustive search. A safer way is to use the shadow file /etc/shadow, which only users with special permissions are allowed to read.
In Linux systems, if shadow files are to be used, all utilities must be recompiled to support them. That is troublesome; a simpler approach is to use Pluggable Authentication Modules (PAM). Many Linux systems ship with PAM, an authentication mechanism that lets you change authentication methods and requirements dynamically without recompiling other utilities. PAM encapsulates all authentication-related logic inside its modules, which makes it the best helper for using shadow files.
In addition, PAM has many security features: it can replace the traditional DES encryption with stronger encryption methods so that users' passwords are not easily cracked; it can set an upper limit on the computer resources each user may consume; and it can even restrict the times and places at which users may log in. A Linux system administrator needs only a few hours to install and set up PAM, which can greatly improve the security of the system and keep many attacks out.
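A check for the exposure described in this section, as an added example that is not part of the original article: it reads a passwd-format file, reports accounts whose hash sits in the world-readable file instead of the shadow file, and labels legacy DES hashes. The function names and the sample entries (including the placeholder hash strings) are constructed for illustration.

```sh
#!/bin/sh
# Added example: find password hashes exposed in a passwd-format file.

# Print "<user> <scheme>" for every account whose field 2 holds a hash.
exposed_hashes() {
    awk -F: '
        /^[ \t]*#/ || NF < 7 { next }
        # "x" = hash lives in /etc/shadow; "*" or "!" = locked; "" = none
        $2 == "x" || $2 == "" || $2 ~ /^[*!]/ { next }
        {
            scheme = "unknown"
            if      ($2 ~ /^\$1\$/)     scheme = "md5crypt"
            else if ($2 ~ /^\$5\$/)     scheme = "sha256crypt"
            else if ($2 ~ /^\$6\$/)     scheme = "sha512crypt"
            else if (length($2) == 13)  scheme = "des-crypt"
            print $1, scheme
        }
    ' "$1"
}

# Print accounts with an empty password field (no password required).
empty_passwords() {
    awk -F: 'NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:ab0123456789A:1001:1001::/home/alice:/bin/bash
bob:$6$constructedsalt$PLACEHOLDERHASH:1002:1002::/home/bob:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
guest::1003:1003::/home/guest:/bin/bash
EOF

echo "Hashes readable by every local user:"
exposed_hashes "$SAMPLE_PASSWD"
echo "Accounts with no password:"
empty_passwords "$SAMPLE_PASSWD"
```

On a real host, pass /etc/passwd as the argument; any output from `exposed_hashes` means those accounts have not been moved to the shadow file.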
2. Cancel unnecessary services
In early versions of Unix, each network service had its own service program running in the background; later versions use a single /etc/inetd server program to do this. Inetd is short for Internet daemon. It monitors multiple network ports at the same time, and once it receives a connection from outside, it starts the corresponding TCP or UDP network service.
Because they are under the unified control of inetd, most TCP or UDP services in Linux are configured in the /etc/inetd.conf file. So the first step in canceling unnecessary services is to check the /etc/inetd.conf file and put a "#" in front of each unwanted service.
In general, services other than http, smtp, telnet and ftp should be cancelled, such as the Trivial File Transfer Protocol (tftp), the imap/ipop protocols for storing and receiving network mail, gopher for finding and searching data, and daytime and time for time synchronization.
There are also services that report the status of the system, such as finger, efinger, systat, and netstat. They are useful for checking system errors and finding users, but they also open a convenient door for hackers. For example, hackers can use the finger service to find users' phone numbers, the directories they use, and other important information. Therefore, many Linux systems cancel all or some of these services to enhance security.
In addition to reading the service entries from /etc/inetd.conf, inetd uses the /etc/services file to look up the port used by each service. The administrator must therefore check the port settings in that file carefully to avoid security vulnerabilities.
There are two different types of services in Linux: services that are executed only when needed, such as finger, and services that run continuously. The second type starts when the system boots, so it cannot be stopped by modifying inetd; it can only be stopped by modifying the files under /etc/rc.d/rc[n].d/ or by using the Run level editor. NFS servers, which provide file services, and news, which provides NNTP news services, fall into this category, and it is best to cancel them if they are not necessary.
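The review of /etc/inetd.conf described in this section, as an added example that is not part of the original article: it lists enabled entries that are not on an allowlist and produces a copy with those entries commented out. The allowlist is the one the article names; the function names and the sample file are constructed.

```sh
#!/bin/sh
# Added example: audit an inetd.conf-format file against an allowlist.

# Allowlist taken from the article text.
ALLOWED="http smtp telnet ftp"

# Print the service name of every enabled entry that is not allowlisted.
unwanted_services() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        !($1 in ok) { print $1 }
    ' "$1"
}

# Print a copy of the file with every unwanted entry prefixed by "#".
disable_unwanted() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        !($1 in ok) { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample input (not taken from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
tftp    dgram  udp wait   root /usr/sbin/tcpd in.tftpd
finger  stream tcp nowait root /usr/sbin/tcpd in.fingerd
#systat stream tcp nowait guest /usr/sbin/tcpd /bin/ps -auwwx
daytime stream tcp nowait root internal
EOF

echo "Enabled but not allowlisted:"
unwanted_services "$SAMPLE"
echo "--- copy with unwanted entries commented out ---"
disable_unwanted "$SAMPLE"
```

Review the generated copy before installing it, since inetd only picks up the change after it rereads its configuration.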
3. Keep the core of the system up to date
Linux is distributed through many channels, and updated programs and system patches appear often, so to strengthen system security the kernel must be updated frequently. The kernel is the core of the Linux operating system. It resides in memory, loads the other parts of the operating system, and implements its basic functions. Because the kernel controls the various functions of the computer and the network, its security is very important to the security of the whole system.
Early versions of the kernel have many well-known security vulnerabilities, and they are also unstable. Only versions above 2.0.x are more stable and secure, and the running efficiency of the new versions has been greatly improved. When configuring the kernel, choose only the necessary features; do not simply accept every feature as offered, otherwise the kernel becomes very large, which not only takes up system resources but also leaves opportunities for hackers. The latest security patches are often published on the Internet, and Linux system administrators should stay well informed and visit security newsgroups frequently to check for new patches.
4. Check login password
Setting a login password is a very important security measure. A password that is not chosen properly is easy to crack, and for users with superuser rights in particular, a poor password creates a big security hole in the system.
In a multi-user system, if every user is forced to choose a password that is not easy to guess, the security of the system is greatly improved. However, if the passwd program cannot force every user to choose an appropriate password, the only way to ensure the security of the passwords is to rely on a password cracker.
In fact, the password cracker is a tool from the hacker's toolbox. It encrypts commonly used passwords, or every word in an English dictionary that might be used as a password, and compares the results with the /etc/passwd password file or the /etc/shadow shadow file of the Linux system. A match reveals the plaintext password.
Many password cracking programs can be found on the network; one of the better known is crack. Administrators can run a password cracking program themselves first to find the passwords that hackers could crack easily. Correcting them first is always better than having them cracked by hackers.
5. Set the security level of the user account
In addition to passwords, user accounts also have a security level, because each account on Linux can be given different permissions. When creating a new user ID, the system administrator should give the account the permissions it needs and place it in the appropriate user group.
In tcpd on the Linux system, you can set the list of those who are allowed to log in and those who are not. The allowed list is set in /etc/hosts.allow, and the denied list is set in /etc/hosts.deny. After the setup is complete, the inetd program must be restarted for it to take effect. In addition, Linux automatically records the allowed and denied attempts in the /var/log/secure file, from which the system administrator can spot suspicious entries. There should be someone responsible for each account ID. In an enterprise, if the employee responsible for an ID leaves, the administrator should immediately delete the account from the system. Many intrusions have made use of accounts that had not been used for a long time.
Among user accounts, hackers like accounts with root authority best. This kind of superuser has the right to modify or delete any system setting and can move freely through the system. Therefore, you must consider carefully before granting root permission to any account.
The /etc/securetty file in the Linux system contains the set of terminal names from which the root account may log in. For example, on Red Hat Linux systems, the initial contents of this file only allow root logins from the local virtual consoles (rtys), not from remote users. It is best not to modify this file. If you must obtain root permissions remotely, it is best to log in with a normal account first and then use the su command to become superuser.
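The order in which tcpd consults /etc/hosts.allow and /etc/hosts.deny, as an added example that is not part of the original article: a simplified model that shows a client matched by neither file is still admitted. The function names, the supported rule subset and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: simplified model of how tcpd consults the two files.
# Supported subset: "daemons : clients" rules with ALL, exact names or
# IPv4 addresses, and address prefixes ending in "." (no options, no IPv6).

# Exit 0 if any rule in file $1 matches daemon $2 and client address $3.
rule_matches() {
    awk -F: -v d="$2" -v c="$3" '
        function hit(list, val,   n, i, p) {
            n = split(list, p, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (p[i] == "") continue
                if (p[i] == "ALL" || p[i] == val) return 1
                if (p[i] ~ /\.$/ && index(val, p[i]) == 1) return 1
            }
            return 0
        }
        /^[ \t]*#/ || NF < 2 { next }
        hit($1, d) && hit($2, c) { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Order of evaluation: allow file, then deny file, otherwise access is granted.
tcpd_decision() {   # args: allow_file deny_file daemon client
    if rule_matches "$1" "$3" "$4"; then echo allow
    elif rule_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed sample files (addresses from private/documentation ranges).
ALLOW=$(mktemp); DENY=$(mktemp)
cat > "$ALLOW" <<'EOF'
in.telnetd: 192.168.1.
in.ftpd: 192.168.1.10, 10.0.0.5
EOF
echo "ALL: ALL" > "$DENY"

tcpd_decision "$ALLOW" "$DENY" in.telnetd 192.168.1.77    # allow
tcpd_decision "$ALLOW" "$DENY" in.telnetd 203.0.113.9     # deny
tcpd_decision "$ALLOW" /dev/null in.telnetd 203.0.113.9   # allow (no deny rule)
```

The third call is admitted because nothing denies it, which is why explicit allow entries are normally paired with a catch-all `ALL: ALL` line in the deny file.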
6. Limit the power of super users
As mentioned earlier, root is the focus of Linux protection, and because its power is unlimited, superuser rights should not be granted lightly. However, installing and maintaining some programs requires superuser privileges. In that case, other tools can be used to give such users partial superuser privileges. Sudo is such a tool.
Once configured, the sudo program lets an ordinary user authenticate again with the user's own password to obtain superuser permission, but only to execute a limited set of commands. For example, with sudo, the administrator who manages tape backups can log in to the system on schedule every day and obtain superuser privileges to perform the backup work, but has no privilege to do any other task that only the superuser can do. Sudo not only limits the rights of users, but also every, hope that the above measures to improve the security of the Linux system will be useful to everyone.
7. Enhanced security tools
SSH, short for secure socket layer, is a set of programs that can be safely used to replace utilities such as rlogin, rsh, and rcp. SSH uses public key technology to encrypt the communication between two hosts on the network, and uses its key as a tool for authentication.
Because SSH encrypts information on the network, it can be used to securely log in to remote hosts and securely transfer information between two hosts. In fact, SSH can not only ensure secure communication between Linux hosts, but also allow Windows users to connect to Linux servers securely through SSH.
8. Eliminate the hotbed of hacker crime
In the Unix system there is a series of r-prefix utilities that are very dangerous weapons in the hands of hackers, so never open your root account to these utilities. Because these utilities are authorized through .rhosts files or hosts.equiv files, make sure that your root account is not included in these files.
Because the r-prefix commands are a hotbed for hackers, many security tools are designed to address this security vulnerability. For example, PAM can be used to disable the r-prefix utilities by adding a directive to the /etc/pam.d/rlogin file that requires logins to be approved, so that no user on the system can use the .rhosts file in their own home directory.