1. System security record files
The record files inside the operating system are important clues to detect whether there is a network intrusion. If your system is directly connected to the Internet and you find that there are many people making telnet/ftp login attempts to your system, you can run "#more /var/log/secure grep refused" to check the attacks on the system so that you can take action Corresponding countermeasures, such as using ssh to replace telnet/rlogin, etc.
2. Startup and login security
1. bios security
Set the bios password and modify the boot sequence to prohibit booting the system from a floppy disk.
2. User password
User password is a basic starting point for Linux security. The user password used by many people is too simple, which opens the door to intruders. Although in theory, as long as there are enough time and resources, it can With the help of Internet Security, there is no user password that cannot be cracked, but a properly chosen password is difficult to crack. A better user password is a string of characters that only he can easily remember and understand, and should never be written out anywhere.
3. The default account
should prohibit all unnecessary accounts that are started by the operating system itself. This should be done when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the better The more vulnerable the system becomes to attack.
You can use the following command to delete the account.
# userdel用户名
Or use the following command to delete the group user account.
# groupdel username
4. Password file
chattr command adds unchangeable attributes to the following file to prevent unauthorized users from gaining permissions.
# chattr +i /etc/passwd # chattr +i /etc/shadow # chattr +i /etc/group # chattr +i /etc/gshadow
5. Disable the ctrl alt delete command to restart the machine
Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now
". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory and run the following command:
# chmod -r 700 /etc/rc.d/init.d/*
In this way, only root can read, write or execute all the above script files.
6. Restrict the su command
If you don’t want anyone to be able to su as root, you can edit the /etc/pam.d/su file and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=isd
At this time, only the isd group Users can su as root. Afterwards, if you want user admin to be able to su as root, you can run the following command:
# usermod -g10 admin
7. Delete login information
By default, the login prompt information includes the Linux distribution version, kernel version name, server host name, etc. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local to comment out the following lines that output system information.
# this will overwrite /etc/issue at every boot. so, make any changes you # want to make to /etc/issue here or you will lose them when you reboot. # echo "" > /etc/issue # echo "$r" >> /etc/issue # echo "kernel $(uname -r) on $a $(uname -m)" >> /etc/issue # cp -f /etc/issue /etc/issue.net # echo >> /etc/issue
Then, perform the following operations:
# rm -f /etc/issue # rm -f /etc/issue.net # touch /etc/issue # touch /etc/issue.net
3. Restrict network access
1. nfs access
If you use the nfs network file system service, you should ensure that your /etc/exports has the most restrictive access permission settings, which means do not use any wildcards, do not allow root write permissions, and only Mounted as a read-only file system. Edit the file /etc/exports and add the following two lines.
/dir/to/export host1.mydomain.com(ro,root_squash) /dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine logged into this directory, ro means mount as a read-only system, and root_squash prohibits root from writing to the directory. In order for the changes to take effect, run the following command.
# /usr/sbin/exportfs -a
2. inetd settings
First make sure that the owner of /etc/inetd.conf is root and the file permissions are set to 600. After the settings are completed, you can use the "stat
" command to check.
# chmod 600 /etc/inetd.conf
Then, edit /etc/inetd.conf to disable the following services.
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have ssh/scp installed, you can also disable telnet/ftp. In order for the changes to take effect, run the following command:
#killall -hup inetd
By default, most Linux systems allow all requests, and using tcp_wrappers to enhance system security is a piece of cake. You can modify /etc /hosts.deny and /etc /hosts.allow to increase access restrictions. For example, setting /etc/hosts.deny to "all: all" denies all access by default. Then add allowed access in the /etc/hosts.allow file. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" means that the IP address 192.168.1.10 and the host name gate.openarch.com are allowed to connect via ssh.
After the configuration is completed, you can use tcpdchk to check:
# tcpdchk
tcpchk is a tcp_wrapper configuration checking tool, which checks your tcp wrapper configuration and reports all potential/existing problems found.
3. Login terminal settings
/etc/securetty file specifies the tty device that allows root login. It is read by the /bin/login program. Its format is a list of allowed names. You can edit /etc/securetty and Comment out the following lines.
# tty1 # tty2 # tty3 # tty4 # tty5 # tty6
At this time, root can only log in at the tty1 terminal.
4. Avoid displaying system and version information.
If you want remote login users not to see system and version information, you can change the /etc/inetd.conf file through the following operations:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -
Add -h to indicate that telnet does not display system information. Instead, only "login:" is displayed.
4. Prevent attacks
1. Block ping If no one can ping your system, security is naturally increased. To do this, you can add the following line to the /etc/rc.d/rc.local file:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
编辑host.conf文件并增加如下几行来防止ip欺骗攻击。
order bind,hosts multi off nospoof on
3.防止dos攻击
对系统所有的用户设置资源限制可以防止dos类型攻击。如最大进程数和内存使用数量等。例如,可以在/etc/security/limits.conf中添加如下几行:
* hard core 0
* hard rss 5000
* hard nproc 20
然后必须编辑/etc/pam.d/login文件检查下面一行是否存在。
session required /lib/security/pam_limits.so
上面的命令禁止调试文件,限制进程数为50并且限制内存使用为5mb。
The above is the detailed content of How to Enhance the Security of Linux and Unix Servers. For more information, please follow other related articles on the PHP Chinese website!