Rookie class: teach you how to improve the security of Linux system

Linux has many advantages in terms of function, price or performance. However, as an open operating system, it inevitably has some security risks. On how to solve these hidden dangers and provide a safe operating platform for the application, this article will tell you some of the most basic, most common, and most effective tricks.

Linux is a Unix-like operating system. In theory, the design of Unix itself does not have any major security flaws. Over the years, the vast majority of security issues found on Unix operating systems have existed in individual programs, so most Unix vendors claim to be able to solve these problems and provide a secure Unix operating system. But Linux is a bit different because it doesn't belong to a certain vendor, and no vendor claims to provide security guarantees for it, so users only have to solve security problems themselves.

Linux is an open system that can find many off-the-shelf programs and tools on the web, which is convenient for users and hackers because they can easily find programs and tools. To sneak into the Linux system, or steal important information on the Linux system. However, as long as we carefully set the various system functions of Linux, and add the necessary security measures, it will allow hackers to take advantage of it.

Generally, security settings for Linux systems include eliminating unnecessary services, limiting remote access, hiding important information, fixing security vulnerabilities, using security tools, and regular security checks. . This article teaches you ten tricks to improve the security of your Linux system. Although the tricks are not big, but the tricks work, you may wish to try.

1st trick: cancel unnecessary services

In the early Unix version, each different web service had a service program running in the background, later The version uses the unified /etc/inetd server program to do the heavy lifting. Inetd is an abbreviation of Internetdaemon. It monitors multiple network ports at the same time. Once it receives the connection information from outside, it performs the corresponding TCP or UDP network service.

Because of the unified command of inetd, most of the TCP or UDP services in Linux are set in the /etc/inetd.conf file. So the first step in canceling unnecessary services is to check the /etc/inetd.conf file and add the "#" before the unwanted service.

Generally speaking, in addition to http, smtp, telnet and ftp, other services should be canceled, such as the simple file transfer protocol tftp, network mail storage and receiving imap/ipop transport protocol, Gopher for finding and searching data, daytime and time for time synchronization, etc.

There are also some services that report system status, such as finger, efinger, systat, and netstat. Although it is very useful for system troubleshooting and finding users, it also provides a convenient way for hackers. For example, a hacker can use the finger service to find a user's phone, directory, and other important information. Therefore, many Linux systems cancel or partially cancel these services to enhance the security of the system.

In addition to using /etc/inetd.conf to set system service items, Inetd also uses the /etc/services file to find the ports used by each service. Therefore, the user must carefully check the settings of each port in the file to avoid security vulnerabilities.

There are two different service types in Linux: one is a service that is executed only when needed, such as a finger service; the other is a never-ending one that has been executed. service. This kind of service starts when the system starts, so you can't stop inetd by modifying inetd, but you can only modify it by modifying /etc/rc.d/rc[n].d/file or using Runleveleditor. The NFS server that provides the file service and the news that provides the NNTP news service belong to this type of service, and it is best to cancel these services if it is not necessary.

Second trick: Restrict access to the system

Before entering the Linux system, all users need to log in, that is, the user needs to enter the user account and password. Only after they have passed the system verification can the user enter the system.

Like other Unix operating systems, Linux generally encrypts passwords and stores them in the /etc/passwd file. The /etc/passwd file can be read by all users on the Linux system. Although the password saved in the file has been encrypted, it is still not very secure. Because the average user can use the off-the-shelf password cracking tool to guess the password in an exhaustive way. A safer method is to set the shadow file /etc/shadow to allow only users with special permissions to read the file.

In Linux systems, if you want to use shadow files, you must recompile all the utilities to support shadow files. This method is cumbersome, and the easier way is to use a plug-in verification module (PAM). Many Linux systems come with the Linux utility PAM, an authentication mechanism that can be used to dynamically change the methods and requirements of authentication without requiring recompilation of other utilities. This is because PAM uses a closed package to hide all the logic related to authentication in the module, so it is the best helper to use shadow files.

In addition, PAM has many security features: it can rewrite the traditional DES encryption method to other more powerful encryption methods to ensure that user passwords are not easily deciphered; Set the upper limit for each user's use of computer resources; it can even set the user's time and location.

Linux system administrators can spend a few hours installing and setting up PAM, which can greatly improve the security of Linux systems and block many attacks outside the system.

3rd move: keep the latest system core

Because Linux has a lot of distribution channels, and often updated programs and system patches appear, therefore, in order to strengthen system security , be sure to update the system kernel frequently.

Kernel is the core of the Linux operating system. It resides in memory and is used to load other parts of the operating system and implement the basic functions of the operating system. Because Kernel controls the various functions of computers and networks, its security is critical to overall system security.

The early versions of Kernel have many well-known security vulnerabilities, and they are not stable. Only versions above 2.0.x are more stable and secure, and the operating efficiency of the new version has changed a lot. When setting the function of Kernel, only select the necessary functions, and do not accept all the functions as a whole, otherwise the Kernel will become very large, which will take up system resources and leave a good opportunity for hackers.

There are often the latest security patches on the Internet. Linux system administrators should be well-informed, frequent security newsgroups, and check out new patches.