Comprehensively improves the security performance of Linux servers

Article Title: comprehensively improves the security performance of Linux servers. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

As we all know, Linux has more advantages than Windows in terms of security. However, no matter which Linux release version you choose, you should make necessary configurations after installation to enhance its security. The following describes how to harden the Linux server by using several steps. At present, many small and medium-sized users are constantly updating or upgrading the network due to business development, which leads to a large difference in their user environments. The entire network system platform is uneven, and most of them use Linux and Unix on the server side, the PC end uses Windows and Mac. Therefore, in enterprise applications, Linux, Unix, and Windows operating systems coexist to form a heterogeneous network.

　　1. install and configure a firewall

Configuring an appropriate firewall is not only the first line of defense for the system to effectively respond to external attacks, but also the most important line of defense. The firewall should be installed and configured before the new system is connected to the Internet for the first time. The firewall is configured to reject all data packets and then enable the packets that can be received, which is conducive to system security. Linux provides us with a very good firewall tool, netfilter/iptables (http://www.netfilter.org /). It is completely free and can run well on a low-configuration old machine. For more information about how to set the firewall, see iptables usage.

　　2. Disable useless services and ports

Any network connection is implemented through open application ports. If we open the port as few as possible, we will turn the network attack into the source water, which greatly reduces the chance of successful attackers. Using Linux as a dedicated server is a wise move. For example, if you want Linux to become a Web server, you can cancel all unnecessary services in the system and only enable necessary services. In this way, backdoors can be minimized to reduce risks, and system resources can be reasonably allocated to improve the performance of the entire machine. The following are some uncommon services:

1. the fingerd (finger server) reports the personal information of a specified user, including the user name, real name, shell, directory, and contact information. It will expose the system to undesirable intelligence collection activities, do not start this service.

2. the R Service (rshd, rlogin, rwhod, and rexec) provides various levels of commands that can run on remote hosts or interact with remote hosts, it is quite convenient to log on in a closed network environment without entering the user name and password. However, problems may be exposed on public servers, resulting in security threats.

　　3. delete unused software packages

During system planning, the general principle is to remove all unnecessary services. By default, Linux is a powerful system that runs many services. However, many services are not required and may cause security risks. This file is/etc/xinetd. conf, which defines the service to be listened to by/usr/sbin/xinetd. You may only need one of them: ftp, other classes such as telnet, shell, login, exec, talk, ntalk, imap, finger, and auth are all disabled unless you really want to use it.

　　4. Do not set the default route

In the host, you must strictly disable the default route, that is, the default route. We recommend that you set a route for each Subnet or CIDR block. Otherwise, other machines may access the host in a certain way.

　　5. Password Management

Generally, the password length should not be less than 8 characters. The composition of the password should be a combination of uppercase and lowercase letters, numbers and symbols with no rules, and password should be strictly avoided using English words or phrases, in addition, the passwords of various users should be changed regularly. In addition, password protection also involves the protection of/etc/passwd and/etc/shadow files. Only the system administrator can access these two files. Installing a password filtering tool and npasswd can help you check whether your password can withstand attacks. If you have not installed such tools before, we recommend that you install them now. If you are a system administrator and you have not installed a password filtering tool in your system, please immediately check whether all users' passwords can be searched in full, that is, your/ect/passwd file is fully searched. Using words as passwords does not support brute force attacks. Hackers often use common characters to crack passwords. An American hacker once said that as long as the word "password" is used, most computers in the United States can be opened. Other commonly used words include: account, ald, alpha, beta, computer, dead, demo, dollar, games, bod, hello, help, intro, kill, love, no, OK, okay, please, sex, secret, superuser, system, test, work, and yes. Password settings and principles:

1) long enough, as long as you move your fingers to add one password, the hard work of the attacker can be increased by ten times;

2) do not use complete words, including numbers, punctuation marks, and special characters as much as possible;

3) Use case-insensitive characters;

4) modify it frequently.

　　6. Partition Management

A potential attack first tries to buffer overflow. In the past few years, buffer overflow is the most common form of security vulnerabilities. More seriously, the buffer overflow vulnerability accounts for the vast majority of remote network attacks. Such attacks can easily give an anonymous Internet user the opportunity to gain some or all control over a host!

To prevent such attacks, we should pay attention to them when installing the system. If you use the root partition to record data, such as log files, a large number of logs or spam may be generated due to denial of service, resulting in system crash. Therefore, we recommend that you create separate partitions for/var to store logs and emails to avoid overflow of the root partition. It is best to separate a partition for a special application, especially for programs that can generate a large number of logs. We also recommend that you separate a partition for/home so that they cannot fill up/partition, this avoids some malicious attacks against Linux partition overflow.

Many Linux desktop users usually use both Windows and Linux systems. It is best to use dual hard disks. The method is as follows: first, remove the data cable of the primary hard disk, find a hard disk of about 10 Gb to be mounted on the computer, set the small hard disk to a slave disk, and install the Linux Server version according to common operations, there is no difference except that the boot program is placed in MBR. After the desktop is debugged, disable the computer. Remove the data cable of the small hard disk, attach it to the original hard disk, set it to the master disk (this is to connect the original hard disk and the small hard disk to the same data cable at the same time), and then install the Windows software. Two hard disks are mounted on the data cable. The data cable is the IDE 0 interface. The original hard disk is set as the primary disk, and the small hard disk is set as the slave disk. If you want to boot from the original hard disk, set the boot sequence in CMOS to C, D, CDROM, or IDE0 (HDD-0 )". In this way, when the computer is started, enter the Windows interface. If you want to boot from a small hard disk, change the boot sequence to "D, C, CDROM", or "IDE1 (HDD-1)". After the boot, enter the Linux interface. Normally, the two operating systems cannot access each other.

　　7. Prevent Network sniffing:

Sniffer is widely used in network maintenance and management. It works like a passive sonar. It silently receives various information from the network and analyzes the data, the network administrator can gain an in-depth understanding of the current running status of the network to identify vulnerabilities in the network. Today, with increasing attention to network security, we must not only correctly use the sniffer, but also properly prevent the dangers of the sniffer, which can cause great security hazards, mainly because they are not easy to be discovered. For an enterprise with strict security performance requirements, it is necessary to use a secure topology, Session Encryption, and static ARP Address.

　　8. Complete Log Management

Log Files always record the running status of your system. The hacker cannot escape the log. Therefore, Hackers often modify log files to hide traces during attacks. Therefore, we need to restrict access to/var/log files and prohibit users with General permissions from viewing log files.

You must also use the log server. It is a good idea to save a copy of the client's log information. You can create a server to store log files and check logs to find problems. Modify the/etc/sysconfig/syslog file to accept remote log records.

/Etc/sysconfig/syslog

SYSLOGD_OPTIONS = "-m r 0"

You should also set remote log storage. Modify the/etc/syslog. conf file and add it to the settings of the log server. syslog will save the copy on the log server.

/Etc/syslog. conf

*. * @ Log_server_IP

You can use a color LOG filter. Color log loco filter. The current version is 0.32. Use loco/var/log/messages more to display color logs, clearly marking the root location and abnormal commands in the log. This reduces the number of log analysis errors. Regularly checks logs. Red Hat Linux provides the logwatch tool, which regularly checks logs and sends emails to the Administrator's mailbox. Modify the/etc/log. d/conf/logwatch. conf file and add the Administrator email address after the MailTo = root parameter. Logwatch regularly checks logs to filter information such as root, sudo, telnet, and ftp logon, and helps administrators analyze daily security. Complete Log management includes the correctness, validity, and validity of network data. Log File analysis can also prevent intrusion. For example, a user's 20 failed registration records within a few hours may be the attacker trying the user's password.

　　9. Stop ongoing attacks

If you find a user logging on from your unknown host while checking the log file, and you are sure that this user does not have an account on this host, you may be attacked. First, you need to lock the account immediately (in the password file or shadow file, add an Ib or other character before the user's password ). If the attacker has been connected to the system, you should immediately disconnect the physical connection between the host and the network. If possible, you need to further check the user's history to see if other users have been impersonated and whether the attacker has the root permission. Kill all processes of the user and add the IP address mask of the host to the file hosts. deny.

　　10. Use the security tool software:

Linux already has some tools to ensure the security of the server. Such as bastille linux and Selinux.

Bastille linux is a convenient software for users who are not familiar with linux security settings. bastille linux aims to build a secure environment on an existing linux system.

SELinux is a R & D project of the U.S. security department. It aims to enhance the Linux kernel for code development and provide stronger protection measures, prevent security-related application detours and mitigate the disaster caused by malware. The security of common Linux systems depends on the kernel, which is generated by setuid/setgid. Under the traditional security mechanism, some application authorization problems, configuration problems or process running have been exposed, resulting in security problems of the entire system. These problems exist in the current operating system due to their complexity and interoperability with other programs. SELinux only depends on the system kernel and Security Configuration Policy. Once you have correctly configured the system, the abnormal application configuration or error will only return the error to the user's program and its system background program. The security of other user programs and their background programs can still run normally and maintain their security system structure. To put it simply, no program configuration error can cause the entire system to crash. Install the SELinux kernel, tool, Program/toolkit, and documents of SELinux. You can download them on the Linux website for enhanced security. You must have an existing Linux system to compile your new kernel, in this way, you can access the system patch package that has not been changed.

[1] [2] Next page