Linux Security: Step by Step Defense (1)

  

Just as no shield is unbreakable, no system is absolutely safe, and no one in the security field can claim to be a master; the security we have was paid for with the sweat and wisdom of many predecessors. Security touches every aspect of a system. Whether it is a bank or a telephone system, MS Windows or the Unix systems the public assumes to be secure, every one of them has security problems. The only real difference is how many people use the system: the more users a system has, the more critical its security becomes and the sooner its vulnerabilities are found. Likewise, the more extensible a system is and the more application services it supports, the more security issues it carries. Under MS Windows, anyone who can use a mouse can follow instructions found on the network either to harden the system or to damage it. Security settings are a double-edged sword: one edge tears open an undefended system and destroys its data, the other blocks illegal intrusion and protects data, and that boundary is the difference between a nuker and a hacker. Linux is an open source system whose security can be strengthened at the code level, but for people new to Linux that is too complicated. If a company wants to use Linux as a desktop operating system, the settings must differ from those of a server. A server may face the Internet as a firewall, proxy server or other application, so its security settings concentrate on the critical applications, while the focus of a desktop is different. The common distributions on the market, Mandrake, Red Hat, SuSE and Debian, differ in their security settings, but the method is the same. This article takes Red Hat, which has many users in the Chinese market, as its example: Red Hat Linux deployed as the desktop operating system of a 200-300-person company. System security is set up step by step, and the configuration of the surrounding resources is covered as well.
Hardware Security
Lock the chassis. Once anyone has physical access to a system, its security is at least halved, because anyone can remove the hard drive and read its data on another system, bypassing every protection. Desktops and servers therefore need to be kept out of physical reach as far as possible.
BIOS Security
Although there are many tools for reading BIOS passwords, and many BIOS passwords are publicly known, setting BIOS password protection is still a necessary step. The password should be at least 8 characters long, combine digits, symbols and letters, and not be the same as any system password. If you are worried about the security of all the machines once one is stolen, consider adding a personalized component: combining the name of the machine's user or the machine's unique number with the common password gives a password that is easier to remember and still meets the complexity and uniqueness requirements.
Startup Settings
Once the system is installed, booting from floppy disks, CDs and even USB flash drives can cause security issues in addition to booting from the hard drive. Therefore, disable booting from any device other than the hard disk in the BIOS.
System Partition
Current hard disks easily meet Linux's capacity requirements. Take a 20 to 40 GB hard disk as an example: no special partitioning scheme is required, and Red Hat's automatic partitioning meets the need. Concretely, that is a 40 MB boot partition (/boot), a swap partition of twice the memory size (swap), and the rest as the root partition (/). The /home and /var directories are not given separate partitions because on a single-user machine too many system partitions only increase management complexity, for example when a full /var partition makes the system behave abnormally. A simple layout is sufficient for users.
Installation
Avoid a full installation, i.e. the Everything option. As mentioned earlier, the more services the system provides, the more vulnerabilities it has and the worse its security. Use non-interactive installation wherever possible, such as installation floppy disks, installation over NFS, or installation scripts: the less the user participates directly, the better the manageability. Name hosts by a uniform rule, such as the company E-mail address and extension number, which makes troubleshooting and locating machines easy. Also try to use static IP addresses, or DHCP with MAC address binding, so that the machine behind any anomaly can quickly be identified. Note that using the ext3 file system reduces the chance of data loss on the hard disk, and of an unbootable system, after a power failure.
Account and Central Control
Using NIS for accounts and central control is probably good, but it is also an option that increases management complexity. If the environment is one user logging in per machine with files shared from a server, logging in with a single local user and not using NIS is also a good choice. Of course, NIS is no longer the only kind of central account management. The local account should use the user's company E-mail address as the login name; there must of course be an administrator account, but do not add the local user account to the local administrator group. Having several accounts with local root privileges is inherently dangerous.
Boot Loader
Use GRUB as the boot loader instead of LILO. The reason: although both can add a boot password, LILO stores the password in plain text in its configuration file, while GRUB stores it hashed with the MD5 algorithm. Password protection prevents booting the system with a custom kernel, and when no other operating system is installed the boot wait time is set to 0. The LILO configuration is in /etc/lilo.conf; the GRUB configuration file is /boot/grub/grub.conf.

/etc/lilo.conf
    image=/boot/2.4.18-vmlinuz
        label=Linux
        read-only
        # The password is stored in plain text
        password=Clear-TextPassword
        # Add the restricted protection
        restricted

/boot/grub/grub.conf
    # Set the boot wait time to 0, that is, boot directly
    timeout 0
    # The MD5 hash can be generated with grub-md5-crypt
    password --md5 $1$LS8eV/$mdN1bcyLrIZGXfM7CkBvU1
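As an added example (not part of the original article), the following shell script checks boot-loader configuration text for the weakness just described: a LILO password= line stored in clear text versus a legacy GRUB password --md5 line carrying an MD5-crypt hash, plus the timeout 0 setting. The sample files are constructed inline (the GRUB hash is the one shown above, the third file with a bare clear-text GRUB password is invented), and all file names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code: audit boot-loader configuration
# text for clear-text versus hashed passwords and a zero menu timeout.
# The sample files below are constructed for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/lilo.conf" <<'EOF'
image=/boot/2.4.18-vmlinuz
    label=Linux
    read-only
    password=Clear-TextPassword
    restricted
EOF

cat > "$WORK/grub.conf" <<'EOF'
timeout 0
password --md5 $1$LS8eV/$mdN1bcyLrIZGXfM7CkBvU1
EOF

# Legacy GRUB also accepts a bare clear-text "password word" line (constructed)
cat > "$WORK/grub-weak.conf" <<'EOF'
timeout 10
password secret
EOF

# Print how a boot-loader file stores its password: hashed, cleartext or none
password_storage() {
    if grep -Eq '^[[:space:]]*password[[:space:]]+--md5[[:space:]]+[$]1[$]' "$1"; then
        echo hashed
    elif grep -Eq '^[[:space:]]*password([[:space:]]*=|[[:space:]]+)[[:space:]]*[^-[:space:]]' "$1"; then
        echo cleartext
    else
        echo none
    fi
}

# Exit 0 when the GRUB menu timeout is 0, so there is no window in which to
# pick another entry or edit the kernel line
grub_timeout_is_zero() {
    grep -Eq '^[[:space:]]*timeout[[:space:]]+0[[:space:]]*$' "$1"
}

# One report line per file; suitable for a periodic check from cron
bootloader_report() {
    for f in "$@"; do
        case $(password_storage "$f") in
            hashed)    printf '%s: OK (hashed password)\n' "$f" ;;
            cleartext) printf '%s: WEAK (clear-text password)\n' "$f" ;;
            none)      printf '%s: WEAK (no boot password)\n' "$f" ;;
        esac
    done
}

bootloader_report "$WORK/lilo.conf" "$WORK/grub.conf" "$WORK/grub-weak.conf"
```

Run it against the real files by replacing the constructed paths with /etc/lilo.conf and /boot/grub/grub.conf; the patterns only look at how the password line is written, so a file that passes still needs its hash generated with grub-md5-crypt as the article describes.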
Using sudo
Users sometimes need commands that require root privileges, and for that sudo is used. sudo is a tool that lets users run the commands restricted in its configuration file, for a limited time, with every use recorded in the log. It is configured in the /etc/sudoers file. When users run sudo they enter their own password to verify their identity, and the commands defined for them can then be used for a period of time. Using a command that is not in the configuration file produces an alarm record in the log.

    sudo [-bhHpV] [-s <shell>] [-u <user>] [command]
    or
    sudo [-klv]

    -b          Execute the command in the background
    -h          Display help
    -H          Set the HOME environment variable to the new identity's HOME
    -k          End the password validity, so the password must be entered again next time
    -l          List the commands the current user may run
    -p          Change the prompt used to ask for the password
    -s <shell>  Execute the specified shell
    -u <user>   Run as the specified user; when omitted, the default is root
    -v          Extend the password validity by 5 minutes
    -V          Display version information
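As an added example (not the article's own code), here is a constructed /etc/sudoers fragment of the kind the paragraph describes, restricting each account to named command groups with logging and a short password cache, together with a small reader that expands the Cmnd_Alias names so an administrator can review what each account is really allowed to run. The user names, aliases and paths are invented for the demo.

```shell
#!/bin/sh
# Added example, not the article's own code: a constructed /etc/sudoers
# fragment that restricts each account to named command groups, and a small
# reader that expands the Cmnd_Alias names so what a user may run can be
# reviewed. User names, aliases and paths are invented for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/sudoers" <<'EOF'
# Every sudo call goes to its own log; the cached password is honoured 5 minutes
Defaults logfile=/var/log/sudo.log
Defaults timestamp_timeout=5
# Command groups: give each role only the binaries it needs
Cmnd_Alias SERVICES = /sbin/service, /bin/rpm
Cmnd_Alias NETCHECK = /sbin/ifconfig, /bin/netstat
bjecadm  ALL=(root) SERVICES, NETCHECK
helpdesk ALL=(root) NETCHECK
EOF

# Print the expanded, comma-separated command list for user $2 in sudoers $1.
# Deliberately minimal: handles "user HOST=(runas) cmds" lines and Cmnd_Alias,
# not User_Alias, Host_Alias, "%group" entries or "!" negations.
sudo_commands_for() {
    awk -v user="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "Cmnd_Alias" { name = $2; sub(/^[^=]*=[ \t]*/, ""); alias[name] = $0; next }
        $1 == user { sub(/^[^)]*\)[ \t]*/, ""); spec = $0 }
        END {
            n = split(spec, parts, /[ \t]*,[ \t]*/)
            out = ""
            for (i = 1; i <= n; i++) {
                p = parts[i]
                if (p in alias) p = alias[p]
                out = out (out == "" ? "" : ", ") p
            }
            print out
        }' "$1"
}

# Exit 0 when user $2 may run the absolute path $3 according to sudoers $1
sudo_allows() {
    case ", $(sudo_commands_for "$1" "$2"), " in
        *", $3, "*) return 0 ;;
        *)          return 1 ;;
    esac
}

for u in bjecadm helpdesk; do
    printf '%-9s may run: %s\n' "$u" "$(sudo_commands_for "$WORK/sudoers" "$u")"
done
```

On a real host, edit the file only through visudo, which checks the syntax before saving; the reader above is for review, not for validation.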
Limiting su Users
A newly created user has no root privileges, so su is needed to switch users. Linux can restrict who may switch to the root user: use PAM (Pluggable Authentication Modules) to forbid anyone outside the wheel group from using su to become root by editing the /etc/pam.d/su file and removing the leading # comment mark. Then run /usr/sbin/usermod -G 10 bjecadm to add the bjecadm account to the group with gid 10, which is the wheel group.

/etc/pam.d/su
    # Use password verification
    auth sufficient /lib/security/pam_wheel.so debug
    # Only users in the wheel group may switch to root
    auth required /lib/security/pam_wheel.so use_uid
Strengthening Login Security
You can add a delay after a failed login, logging, a password length limit and a password expiry limit by modifying the /etc/login.defs file.

/etc/login.defs
    # A login password is valid for 90 days
    PASS_MAX_DAYS 90
    # Minimum time before a password may be changed again; raising it prevents an illegal user from changing it several times in a short period
    PASS_MIN_DAYS 0
    # Minimum login password length of 8 characters
    PASS_MIN_LEN 8
    # Prompt to change the password 7 days before it expires
    PASS_WARN_AGE 7
    # Wait 10 seconds after a failed login
    FAIL_DELAY 10
    # Record failed logins in the log
    FAILLOG_ENAB yes
    # Log su activity to syslog
    SYSLOG_SU_ENAB yes
    # Log sg (group switching) activity to syslog
    SYSLOG_SG_ENAB yes
    # Use MD5 as the password hashing method
    MD5_CRYPT_ENAB yes
Restricting the Terminals for root Login
Modify the /etc/securetty file so that the defense cannot be broken by exhaustive login attempts. Once root cannot log in directly, it can only be reached by switching users with su, which is limited by pam.d, so the chance of breaking in this way is reduced.

/etc/securetty
    vc/1
    vc/2
    vc/3
    vc/4
    vc/5
    vc/6
    vc/7
    vc/8
    vc/9
    vc/10
    vc/11
    # Block root login on the terminal windows; the number of terminals open at the same time can also be restricted
    #tty1
    #tty2
    #tty7
    #tty8
    #tty9
In addition, limit the history kept in the terminal window. Modify the /etc/profile file, and the profile file in the user's home directory if necessary.

/etc/profile
    # Keep only 20 typed commands in the history, similar to the doskey function
    HISTSIZE=20
    # Limit the size of the file that records the command history
    HISTFILESIZE=20
    # Close the terminal window after 600 seconds without any activity; this setting does not apply to all windows
    TMOUT=600
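As an added example (not the article's own code), the script below audits the four files edited in the su, login.defs, securetty and profile sections above against the values the article recommends, printing one FAIL line per weak setting. The sample files are constructed inline so it runs anywhere; to audit a live host, pass /etc/login.defs, /etc/securetty, /etc/pam.d/su and /etc/profile instead. The thresholds and the file names are assumptions taken from the article's own settings.

```shell
#!/bin/sh
# Added example, not the article's own code: audit the login-related files the
# article edits (login.defs, securetty, pam.d/su, profile) against the values
# it recommends. Sample files are constructed here; pass the real /etc paths
# to audit a live host.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/login.defs" <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7
FAIL_DELAY      10
FAILLOG_ENAB    yes
SYSLOG_SU_ENAB  yes
MD5_CRYPT_ENAB  yes
EOF

cat > "$WORK/securetty" <<'EOF'
vc/1
vc/2
#tty1
#tty2
EOF

cat > "$WORK/pam_su" <<'EOF'
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
EOF

cat > "$WORK/profile" <<'EOF'
HISTSIZE=20
HISTFILESIZE=20
TMOUT=600
export HISTSIZE HISTFILESIZE TMOUT
EOF

# Value of a "KEY value" entry in a login.defs style file (empty when unset)
defs_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Value of the last KEY=value assignment in a profile file (empty when unset)
profile_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Record one failed check: print it and count it
fail() {
    echo "FAIL $1"
    fails=$((fails + 1))
}

# Audit login.defs ($1), securetty ($2), pam.d/su ($3) and profile ($4).
# Prints one FAIL line per weak setting; exit status is the number of failures.
audit_login() {
    fails=0
    v=$(defs_value "$1" PASS_MAX_DAYS); [ -n "$v" ] && [ "$v" -le 90 ] || fail "PASS_MAX_DAYS=$v"
    v=$(defs_value "$1" PASS_MIN_LEN);  [ -n "$v" ] && [ "$v" -ge 8 ]  || fail "PASS_MIN_LEN=$v"
    v=$(defs_value "$1" PASS_WARN_AGE); [ -n "$v" ] && [ "$v" -ge 7 ]  || fail "PASS_WARN_AGE=$v"
    v=$(defs_value "$1" FAIL_DELAY);    [ -n "$v" ] && [ "$v" -ge 10 ] || fail "FAIL_DELAY=$v"
    for k in FAILLOG_ENAB SYSLOG_SU_ENAB MD5_CRYPT_ENAB; do
        [ "$(defs_value "$1" "$k")" = yes ] || fail "$k not yes"
    done
    # The article comments out the ttyN entries; any still active lets root log in there
    ! grep -Eq '^[[:space:]]*tty[0-9]+' "$2" || fail "root may log in on a tty console"
    # The wheel restriction only works as an active (uncommented) required line
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+.*pam_wheel\.so' "$3" || fail "pam_wheel not required for su"
    v=$(profile_value "$4" TMOUT);    [ -n "$v" ] && [ "$v" -le 600 ] || fail "TMOUT=$v"
    v=$(profile_value "$4" HISTSIZE); [ -n "$v" ] && [ "$v" -le 20 ]  || fail "HISTSIZE=$v"
    return "$fails"
}

# Demo: the constructed files pass; a weakened copy of login.defs does not
if audit_login "$WORK/login.defs" "$WORK/securetty" "$WORK/pam_su" "$WORK/profile"; then
    echo "baseline files: all checks passed"
fi
sed 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 5/' "$WORK/login.defs" > "$WORK/weak.defs"
audit_login "$WORK/weak.defs" "$WORK/securetty" "$WORK/pam_su" "$WORK/profile" || echo "weak.defs: $? check(s) failed"
```

The checks read the files as text, so they confirm the configuration, not the running behaviour; a user who sets HISTSIZE or TMOUT again in a personal profile overrides /etc/profile, which is why the article also mentions editing the profile file in the user's home directory.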
Backing up important files
Many Trojans, worms and backdoors hide themselves by replacing important files. It is good practice to back up the most important and commonly used commands: prepare a set on read-only media, a CD or USB flash drive, or even download them online. In short, use the original commands when needed instead of the possibly infected ones in the system. Pay attention to backing up the following:

    /bin/su
    /bin/ps
    /bin/rpm
    /usr/bin/top
    /sbin/ifconfig
    /bin/mount
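As an added example (not the article's own code), the script below shows how a read-only backup copy is actually put to use: it builds a SHA-256 baseline of the listed commands and later verifies the installed files against it, so a replaced binary shows up as a mismatch. The binaries here are constructed stand-ins in a temporary directory, the list and baseline paths are assumptions, and sha256sum (or shasum) is assumed to be available; on a real host the list would name the installed files and the baseline would live on the read-only media.

```shell
#!/bin/sh
# Added example, not the article's own code: build a hash baseline of the
# commands the article lists and verify the installed files against it.
# The "binaries" below are constructed stand-ins in a temp directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Portable SHA-256 of one file (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write "<hash>  <path>" for every path in list file $1 to baseline file $2
make_baseline() {
    : > "$2"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s  %s\n' "$(sha256_of "$path")" "$path" >> "$2"
    done < "$1"
}

# Print "TAMPERED <path>" for each hash mismatch and "MISSING <path>" for an
# absent file; exit status is the number of problems found
verify_baseline() {
    problems=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; problems=$((problems + 1))
        elif [ "$(sha256_of "$path")" != "$want" ]; then
            echo "TAMPERED $path"; problems=$((problems + 1))
        fi
    done < "$1"
    return "$problems"
}

# Constructed demo: stand-ins for the article's /bin/su, /bin/ps, ... list
mkdir -p "$WORK/bin" "$WORK/sbin" "$WORK/usr/bin"
for f in bin/su bin/ps bin/rpm usr/bin/top sbin/ifconfig bin/mount; do
    printf 'original contents of %s\n' "$f" > "$WORK/$f"
done
printf '%s\n' "$WORK/bin/su" "$WORK/bin/ps" "$WORK/bin/rpm" \
    "$WORK/usr/bin/top" "$WORK/sbin/ifconfig" "$WORK/bin/mount" > "$WORK/list"
make_baseline "$WORK/list" "$WORK/baseline"

# Simulate a replaced ps: the verification must report it
printf 'replaced\n' > "$WORK/bin/ps"
if verify_baseline "$WORK/baseline"; then
    echo "all listed commands match the baseline"
else
    echo "problems found; restore the affected commands from the read-only copy"
fi
```

Keep the baseline file together with the backup on the read-only media, and run the verification from the backed-up copies of the tools rather than from the system under test, for the same reason the article gives: a replaced ps or mount cannot be trusted to report on itself.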

Copyright © Windows knowledge All Rights Reserved