The road to Linux security: tricks for strengthening a Linux server

  

As we all know, network security is a very important topic, and servers are the most critical part of it. Linux is considered a relatively secure Internet server platform. Because it is open source, once a security vulnerability is found in a Linux system, volunteers around the world publish patches on the Internet. However, system administrators often fail to get this information and apply the corrections in time, which gives attackers a chance. Compared with vulnerabilities in the systems themselves, though, far more security problems are caused by improper configuration and can be prevented by configuring the system properly. The more services a server runs, the more opportunities there are for misconfiguration and the greater the likelihood of a security problem. This article therefore introduces some techniques for strengthening the security of Linux/Unix server systems.

System security log files

The log files kept by the operating system are an important clue for detecting network intrusions. If your system is connected directly to the Internet, you will find that many people attempt Telnet/FTP logins to it. You can run

# more /var/log/secure | grep refused

to check the system for such attempts, and then take appropriate countermeasures, such as replacing Telnet/rlogin with SSH.

Startup and login security

1. BIOS security
Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.

2. User passwords
User passwords are the basic starting point of Linux security. Many users choose passwords that are far too simple, which is equivalent to opening the door to an intruder. In theory, given enough time and resources, there is no user password that cannot be cracked, but a well-chosen password is hard to crack. A good user password is a string that only its owner can easily remember and understand, and that is never written down anywhere.

3. Default accounts
All default accounts created by the operating system itself that are not needed should be disabled. This should be done when the system is first installed. Linux provides many default accounts, and the more accounts there are, the easier the system is to attack. You can delete an account with

# userdel username

and delete its group with

# groupdel username

4. Password files
The chattr command adds the immutable attribute to the following files to prevent unauthorized users from gaining access:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

5. Disable the Ctrl+Alt+Delete reboot command
Edit /etc/inittab and comment out the line

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running

# chmod -R 700 /etc/rc.d/init.d/*

so that only root can read, write or execute these scripts.

6. Restrict the su command
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

Now only members of the isd group can su to root. If you later want the user admin to be able to su to root, run

# usermod -G10 admin

7. Remove login banner information
By default, the login prompt shows the Linux distribution, the kernel version and the server's host name. For a machine with high security requirements this leaks too much information. You can stop the system information from being generated by editing /etc/rc.d/rc.local and commenting out the lines that write it:

# This will overwrite /etc/issue at every boot.
# So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue

Then run the following:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

Restricting network access

1. NFS access
If you use the NFS network file system service, make sure that /etc/exports has the strictest possible access settings: do not use any wildcards, do not allow root write access, and export only as a read-only file system. Edit /etc/exports and add the following two lines:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine that mounts this directory, ro means the directory is mounted read-only, and root_squash prevents root from writing to it. For the changes to take effect, run

# /usr/sbin/exportfs -a

2. Inetd settings
First make sure that /etc/inetd.conf is owned by root and has permissions 600. After running the command below you can verify this with the stat command.

# chmod 600 /etc/inetd.conf

Then edit /etc/inetd.conf and disable the following services: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger and auth. If you have ssh/scp installed, you can also disable Telnet/FTP. For the changes to take effect, run

# killall -HUP inetd

By default most Linux systems allow all requests. Using TCP_WRAPPERS to tighten this is straightforward: edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to

ALL: ALL

denies all access by default. Then add the permitted access in /etc/hosts.allow. For example,

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

indicates that the IP address 192.168.1.10 and the host gate.openarch.com are allowed to connect via SSH. After the configuration is complete, check it with tcpdchk:

# tcpdchk

tcpdchk is the TCP_Wrapper configuration checker; it examines your tcp wrapper configuration and reports any potential or existing problems it finds.

3. Login terminal settings
The /etc/securetty file specifies the tty devices on which root may log in. It is read by the /bin/login program, and its format is a list of the permitted tty names. You can edit /etc/securetty and comment out the following lines:

#tty1
#tty2
#tty3
#tty4
#tty5
#tty6

At this point root can only log in at the tty1 terminal.

4. Avoid displaying system and version information
If you do not want remote login users to see system and version information, change the telnet line in /etc/inetd.conf as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding -h makes telnet suppress the system information and display only "login:".

Preventing attacks

1. Block pings
If nobody can ping your system, its security naturally increases. To do this, add the following line to /etc/rc.d/rc.local:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing
Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:

order bind,hosts
multi off
nospoof on

3. Prevent DoS attacks
Set resource limits for all users of the system, such as the maximum number of processes and the amount of memory used, to prevent DoS-type attacks. For example, add the following lines to /etc/security/limits.conf:

* hard core 0
* hard rss 5000
* hard nproc 20

You must then edit /etc/pam.d/login and check that the following line exists:

session required /lib/security/pam_limits.so

The above settings disable core dump files, limit the number of processes to 50 and limit memory usage to 5 MB.
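The following is an added example, not part of the original article: a read-only shell audit that checks several of the settings recommended above (inetd.conf permissions, the hosts.deny default deny, icmp_echo_ignore_all, nospoof, /etc/securetty and pam_limits) against a root prefix, so it can be run against a copied tree before the live system. The audit_hardening function name and the ROOT argument are this example's own, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only audit of several
# settings the article recommends. ROOT is a path prefix so the audit can be
# run against a copied tree; use "/" for the live system. Uses GNU stat.

# audit_hardening ROOT: print one OK:/FAIL: line per check, return failure count.
audit_hardening() {
    root=${1:-/}; fails=0
    # 1. /etc/inetd.conf must be mode 600 (the article also wants owner root)
    f="$root/etc/inetd.conf"
    if [ -f "$f" ] && [ "$(stat -c %a "$f")" = "600" ]; then
        echo "OK: inetd.conf is mode 600"
    else
        echo "FAIL: inetd.conf missing or not mode 600"; fails=$((fails + 1))
    fi
    # 2. TCP wrappers default deny: "ALL: ALL" in /etc/hosts.deny
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$root/etc/hosts.deny" 2>/dev/null; then
        echo "OK: hosts.deny has ALL: ALL"
    else
        echo "FAIL: hosts.deny lacks ALL: ALL"; fails=$((fails + 1))
    fi
    # 3. ICMP echo requests are ignored
    if [ "$(cat "$root/proc/sys/net/ipv4/icmp_echo_ignore_all" 2>/dev/null)" = "1" ]; then
        echo "OK: icmp_echo_ignore_all is 1"
    else
        echo "FAIL: icmp_echo_ignore_all is not 1"; fails=$((fails + 1))
    fi
    # 4. "nospoof on" present in /etc/host.conf
    if grep -Eq '^[[:space:]]*nospoof[[:space:]]+on' "$root/etc/host.conf" 2>/dev/null; then
        echo "OK: host.conf has nospoof on"
    else
        echo "FAIL: host.conf lacks nospoof on"; fails=$((fails + 1))
    fi
    # 5. /etc/securetty: no root login terminal other than tty1 left uncommented
    extra=$(grep -Ev '^[[:space:]]*(#|$)' "$root/etc/securetty" 2>/dev/null | grep -vx 'tty1' || true)
    if [ -f "$root/etc/securetty" ] && [ -z "$extra" ]; then
        echo "OK: securetty permits root on tty1 at most"
    else
        echo "FAIL: securetty missing or also permits root on: $(echo "$extra" | tr '\n' ' ')"; fails=$((fails + 1))
    fi
    # 6. pam_limits must be required in /etc/pam.d/login or limits.conf is ignored
    if grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+.*pam_limits\.so' "$root/etc/pam.d/login" 2>/dev/null; then
        echo "OK: pam_limits.so required in pam.d/login"
    else
        echo "FAIL: pam_limits.so not required in pam.d/login"; fails=$((fails + 1))
    fi
    return "$fails"
}
```

The exit status is the number of failed checks, so the function can gate a deployment script or a cron job that mails the FAIL lines.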
After the above settings, your Linux server can resist most known security problems and network attacks, but a good system administrator must still keep up with security news at all times and patch potential vulnerabilities promptly.
