Operation and Maintenance
Linux Operation and Maintenance
How to Enhance the Security of Linux and Unix Servers
How to Enhance the Security of Linux and Unix Servers
1. System security record files
The record files inside the operating system are important clues to detect whether there is a network intrusion. If your system is directly connected to the Internet and you find that there are many people making telnet/ftp login attempts to your system, you can run "#more /var/log/secure grep refused" to check the attacks on the system so that you can take action Corresponding countermeasures, such as using ssh to replace telnet/rlogin, etc.
2. Startup and login security
1. bios security
Set the bios password and modify the boot sequence to prohibit booting the system from a floppy disk.
2. User password
User password is a basic starting point for Linux security. The user password used by many people is too simple, which opens the door to intruders. Although in theory, as long as there are enough time and resources, it can With the help of Internet Security, there is no user password that cannot be cracked, but a properly chosen password is difficult to crack. A better user password is a string of characters that only he can easily remember and understand, and should never be written out anywhere.
3. The default account
should prohibit all unnecessary accounts that are started by the operating system itself. This should be done when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the better The more vulnerable the system becomes to attack.
You can use the following command to delete the account.
# userdel用户名
Or use the following command to delete the group user account.
# groupdel username
4. Password file
chattr command adds unchangeable attributes to the following file to prevent unauthorized users from gaining permissions.
# chattr +i /etc/passwd # chattr +i /etc/shadow # chattr +i /etc/group # chattr +i /etc/gshadow
5. Disable the ctrl alt delete command to restart the machine
Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory and run the following command:
# chmod -r 700 /etc/rc.d/init.d/*
In this way, only root can read, write or execute all the above script files.
6. Restrict the su command
If you don’t want anyone to be able to su as root, you can edit the /etc/pam.d/su file and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=isd
At this time, only the isd group Users can su as root. Afterwards, if you want user admin to be able to su as root, you can run the following command:
# usermod -g10 admin
7. Delete login information
By default, the login prompt information includes the Linux distribution version, kernel version name, server host name, etc. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local to comment out the following lines that output system information.
# this will overwrite /etc/issue at every boot. so, make any changes you # want to make to /etc/issue here or you will lose them when you reboot. # echo "" > /etc/issue # echo "$r" >> /etc/issue # echo "kernel $(uname -r) on $a $(uname -m)" >> /etc/issue # cp -f /etc/issue /etc/issue.net # echo >> /etc/issue
Then, perform the following operations:
# rm -f /etc/issue # rm -f /etc/issue.net # touch /etc/issue # touch /etc/issue.net
3. Restrict network access
1. nfs access
If you use the nfs network file system service, you should ensure that your /etc/exports has the most restrictive access permission settings, which means do not use any wildcards, do not allow root write permissions, and only Mounted as a read-only file system. Edit the file /etc/exports and add the following two lines.
/dir/to/export host1.mydomain.com(ro,root_squash) /dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine logged into this directory, ro means mount as a read-only system, and root_squash prohibits root from writing to the directory. In order for the changes to take effect, run the following command.
# /usr/sbin/exportfs -a
2. inetd settings
First make sure that the owner of /etc/inetd.conf is root and the file permissions are set to 600. After the settings are completed, you can use the "stat" command to check.
# chmod 600 /etc/inetd.conf
Then, edit /etc/inetd.conf to disable the following services.
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have ssh/scp installed, you can also disable telnet/ftp. In order for the changes to take effect, run the following command:
#killall -hup inetd
By default, most Linux systems allow all requests, and using tcp_wrappers to enhance system security is a piece of cake. You can modify /etc /hosts.deny and /etc /hosts.allow to increase access restrictions. For example, setting /etc/hosts.deny to "all: all" denies all access by default. Then add allowed access in the /etc/hosts.allow file. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" means that the IP address 192.168.1.10 and the host name gate.openarch.com are allowed to connect via ssh.
After the configuration is completed, you can use tcpdchk to check:
# tcpdchk
tcpchk is a tcp_wrapper configuration checking tool, which checks your tcp wrapper configuration and reports all potential/existing problems found.
3. Login terminal settings
/etc/securetty file specifies the tty device that allows root login. It is read by the /bin/login program. Its format is a list of allowed names. You can edit /etc/securetty and Comment out the following lines.
# tty1 # tty2 # tty3 # tty4 # tty5 # tty6
At this time, root can only log in at the tty1 terminal.
4. Avoid displaying system and version information.
If you want remote login users not to see system and version information, you can change the /etc/inetd.conf file through the following operations:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -
Add -h to indicate that telnet does not display system information. Instead, only "login:" is displayed.
4. Prevent attacks
1. Block ping If no one can ping your system, security is naturally increased. To do this, you can add the following line to the /etc/rc.d/rc.local file:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
编辑host.conf文件并增加如下几行来防止ip欺骗攻击。
order bind,hosts multi off nospoof on
3.防止dos攻击
对系统所有的用户设置资源限制可以防止dos类型攻击。如最大进程数和内存使用数量等。例如,可以在/etc/security/limits.conf中添加如下几行:
* hard core 0
* hard rss 5000
* hard nproc 20
然后必须编辑/etc/pam.d/login文件检查下面一行是否存在。
session required /lib/security/pam_limits.so
上面的命令禁止调试文件,限制进程数为50并且限制内存使用为5mb。
The above is the detailed content of How to Enhance the Security of Linux and Unix Servers. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
How to use docker desktop
Apr 15, 2025 am 11:45 AM
How to use Docker Desktop? Docker Desktop is a tool for running Docker containers on local machines. The steps to use include: 1. Install Docker Desktop; 2. Start Docker Desktop; 3. Create Docker image (using Dockerfile); 4. Build Docker image (using docker build); 5. Run Docker container (using docker run).
Difference between centos and ubuntu
Apr 14, 2025 pm 09:09 PM
The key differences between CentOS and Ubuntu are: origin (CentOS originates from Red Hat, for enterprises; Ubuntu originates from Debian, for individuals), package management (CentOS uses yum, focusing on stability; Ubuntu uses apt, for high update frequency), support cycle (CentOS provides 10 years of support, Ubuntu provides 5 years of LTS support), community support (CentOS focuses on stability, Ubuntu provides a wide range of tutorials and documents), uses (CentOS is biased towards servers, Ubuntu is suitable for servers and desktops), other differences include installation simplicity (CentOS is thin)
How to view the docker process
Apr 15, 2025 am 11:48 AM
Docker process viewing method: 1. Docker CLI command: docker ps; 2. Systemd CLI command: systemctl status docker; 3. Docker Compose CLI command: docker-compose ps; 4. Process Explorer (Windows); 5. /proc directory (Linux).
What to do if the docker image fails
Apr 15, 2025 am 11:21 AM
Troubleshooting steps for failed Docker image build: Check Dockerfile syntax and dependency version. Check if the build context contains the required source code and dependencies. View the build log for error details. Use the --target option to build a hierarchical phase to identify failure points. Make sure to use the latest version of Docker engine. Build the image with --t [image-name]:debug mode to debug the problem. Check disk space and make sure it is sufficient. Disable SELinux to prevent interference with the build process. Ask community platforms for help, provide Dockerfiles and build log descriptions for more specific suggestions.
What computer configuration is required for vscode
Apr 15, 2025 pm 09:48 PM
VS Code system requirements: Operating system: Windows 10 and above, macOS 10.12 and above, Linux distribution processor: minimum 1.6 GHz, recommended 2.0 GHz and above memory: minimum 512 MB, recommended 4 GB and above storage space: minimum 250 MB, recommended 1 GB and above other requirements: stable network connection, Xorg/Wayland (Linux)
Detailed explanation of docker principle
Apr 14, 2025 pm 11:57 PM
Docker uses Linux kernel features to provide an efficient and isolated application running environment. Its working principle is as follows: 1. The mirror is used as a read-only template, which contains everything you need to run the application; 2. The Union File System (UnionFS) stacks multiple file systems, only storing the differences, saving space and speeding up; 3. The daemon manages the mirrors and containers, and the client uses them for interaction; 4. Namespaces and cgroups implement container isolation and resource limitations; 5. Multiple network modes support container interconnection. Only by understanding these core concepts can you better utilize Docker.
vscode cannot install extension
Apr 15, 2025 pm 07:18 PM
The reasons for the installation of VS Code extensions may be: network instability, insufficient permissions, system compatibility issues, VS Code version is too old, antivirus software or firewall interference. By checking network connections, permissions, log files, updating VS Code, disabling security software, and restarting VS Code or computers, you can gradually troubleshoot and resolve issues.
What is vscode What is vscode for?
Apr 15, 2025 pm 06:45 PM
VS Code is the full name Visual Studio Code, which is a free and open source cross-platform code editor and development environment developed by Microsoft. It supports a wide range of programming languages and provides syntax highlighting, code automatic completion, code snippets and smart prompts to improve development efficiency. Through a rich extension ecosystem, users can add extensions to specific needs and languages, such as debuggers, code formatting tools, and Git integrations. VS Code also includes an intuitive debugger that helps quickly find and resolve bugs in your code.
