Detailed analysis of network server configurations in Linux

For a secure Linux server, you must first understand the meaning of the configuration files related to network services in the Linux environment and how to configure security. In Linux, the TCP/IP network is configured through several text files. You may need to edit these files to complete networking, however, most of these configuration files can be implemented through the configuration command linuxconf (the network configuration can be implemented through the netconf command. The following describes the basic TCP/IP network configuration file. Content from China webmaster Information Network (www.chinahtml.com)

*/Etc/conf. modules file

This configuration file defines the parameter information of various modules that need to be loaded at startup. This article focuses on the NIC configuration. When using Linux as a gateway, a Linux server must have at least two NICs. To reduce possible problems during startup, the Linux kernel does not automatically detect multiple NICs.

If you need to install multiple NICs for a system that does not compile the NIC driver into the kernel but is loaded dynamically as a module, configure the Nic in the "conf. modules" file.

If the device driver is compiled into a module (kernel module): For PCI devices, the module automatically detects all devices installed on the system. For ISA cards, you need to provide the IO address to the module so that the module knows where to find the card. The information is in "/etc/conf. modules.

For example, we have two ISA bus 3c509 cards. One IO address is 0x300, and the other is 0x320. Edit the "conf. modules" file as follows:

Alias eth0 3c509 alias eth1 3c509 options 3c509 io = 0x300,0x320

This indicates that drivers of 3c509 should be loaded with the eth0 or eth1 names (alias eth0, eth1) respectively, and they should be loaded with the io = 0x300 and 0x320 parameters, to notify the driver where to find the network card, of which 0x is indispensable. Content from China webmaster Information Network (www.chinahtml.com)

For the PCI card, you only need the alias command to associate ethN with the appropriate driver module name. The IO address of the PCI card will be automatically detected. For the PCI card, edit the "conf. modules" file as follows:

Alias eth0 3c905 alias eth1 3c905

If the driver has been compiled into the kernel, the PCI detection program at system startup will automatically find all related NICs. The ISA card can also be automatically detected. However, in some cases, the ISA card still needs to be configured as follows:

Add the configuration information in "/etc/lilo. conf" by passing the startup parameter information to the kernel through the LILO program. For the ISA card, edit the "lilo. conf" file and add the following content:

Append = "ether =" 0, 0, eth0 ether = "0, 0, eth1"

Note: Do not add the startup parameter in "lilo. conf" to test your ISA card. If it fails, use the startup parameter.

If you use the method of passing the startup parameter, eth0 and eth1 are set according to the sequence found at startup.

*/Etc/HOSTNAME file

This file contains the host name of the system, including the full domain name, such as deep.openarch.com.

*/Etc/sysconfig/network-scripts/ifcfg-ethN file
In RedHat, the configuration file for the system network device is saved in the/etc/sysconfig/network-scripts directory, the ifcfg-eth0 contains the configuration information for the first Nic, the ifcfg-eth1 contains the configuration information for the second Nic.

The following is an example of the/etc/sysconfig/network-scripts/ifcfg-eth0 file:

DEVICE = eth0

IPADDR = 208.164.186.1

NETMASK = 255.255.255.0

NETWORK = 208.164.186.0

BROADCAST = 208.164.186.255

ONBOOT = yes

BOOTPROTO = none

USERCTL = no

 

If you want to manually modify the network address or add a new network interface to the new interface, you can modify the corresponding file (ifcfg-ethN) or create a new file.

DEVICE = name

Name indicates the name of the physical device.

IPADDR = addr

Addr indicates the IP address assigned to the card

NETMASK = mask

Mask indicates the network mask

NETWORK = addr

Addr indicates the network address

BROADCAST = addr

Addr indicates the broadcast address.

ONBOOT = yes/no

Whether to activate the card at startup

None:

No startup protocol required

Bootp:

Use the bootp protocol

Dhcp:

Use dhcp protocol

USERCTL = yes/no

Allow non-root users to control the device

*/Etc/resolv. conf file

This file is a configuration file used by the domain name parser (resolver, a database that resolves IP addresses based on the host name), for example:

 

Search openarch.com

Nameserver 208.164.186.1

Nameserver 208.164.186.2

"Search domainname.com"

 

When a host name that does not include a full domain name is provided, the suffix of domainname.com is added after the host name; "nameserver" indicates that the host specified by this address is the domain name server when the domain name is resolved. The domain name server is queried according to the order in which the file appears.

*/Etc/host. conf file
This file specifies how to resolve the host name. Linux uses the parser library to obtain the IP address corresponding to the host name. The following is an example of "/etc/host. conf:

Order bind, hosts multi on ospoof on "order bind, hosts"

Specify the query order of the host name. DNS is required to resolve the domain name, and then query the "/etc/hosts" file (or the opposite ).

"Multi on" specifies whether the host specified in the "/etc/hosts" file can have multiple addresses. A host with multiple IP addresses is generally called a multi-point host.

"Nospoof on" indicates that IP address spoofing is not allowed on the server. IP spoofing is a means of attacking system security. By disguising IP addresses as other computers, you can gain the trust of other computers. .
*/Etc/sysconfig/network file

This file is used to specify the network configuration information on the server. The following is an example:

NETWORK = yes

RORWARD_IPV4 = yes

HOSTNAME = deep.openarch.com

GAREWAY = 0.0.0.0

GATEWAYDEV =

NETWORK = yes/no

Indicates whether the network is configured;

FORWARD_IPV4 = yes/no

Enable IP forwarding?

HOSTNAME = hostname

Indicates the host name of the server.

GAREWAY = gw-ip

Gw-ip indicates the ip address of the network gateway.

GAREWAYDEV = gw-dev

Gw-dw indicates the gateway device name, such as etho.

Note: to be compatible with the old software, the "/etc/HOSTNAME" file should have the same host name as HOSTNAME = hostname.

*/Etc/hosts file

When the machine starts, before the DNS can be queried, the machine needs to query the matching of some host names to IP addresses. The matching information is stored in the/etc/hosts file. Without a domain name server, all network programs on the system query the file to resolve the IP address corresponding to a host name.

The following is an example of a "/etc/hosts" file:

The leftmost column is the host IP information, and the middle column is the host name. All the columns that follow are aliases of the host. Once the network configuration file of the machine is configured, restart the network for the modification to take effect. Run the following command to restart the network:
/Etc/rc. d/init. d/network restart

*/Etc/inetd. conf file

As we all know, as servers, the more open service ports, the more difficult to guarantee system security and stability. Therefore, servers that provide specific services should open the ports necessary to provide services as much as possible, and disable services unrelated to server services, such as a machine that serves as www and ftp servers, port 80 and port 25 should be opened, and other unrelated services such as finger auth should be turned off to reduce system vulnerabilities.

Inetd, also known as "super server", monitors network request daemon processes and calls corresponding service processes to process connection requests based on network requests. Inetd. conf is the configuration file of inetd. The inetd. conf file tells inetd which network ports are listened for and which service is started for each port.
To use Linux in any network environment, the first thing to do is to understand what services the server will provide. Services that are not needed should be disabled. It is best to uninstall them so that hackers will lose some chance to attack the system.

View the "/etc/inetd. conf" file to learn about the services provided by inetd. Add a comment (add the # sign at the beginning of a line) to prohibit unnecessary services and send a SIGHUP signal to the inetd process.

Step 1: change the file license to 600.

[Root @ deep] # chmod 600/etc/inetd. conf

Step 2: Make sure that the file owner is root.
[Root @ deep] # stat/etc/inetd. conf

Step 3: edit "inetd. conf file (vi/etc/inetd. conf). Disable all unnecessary services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth, and so on.
If you find some services useful, do not disable them. However, if these services are disabled, the system may be more vulnerable to attacks. The content of the changed "inetd. conf" file is shown below: the content is from www.chinahtml.com)

# To re-read this file after changes, just do a 'killall-HUP inetd'
#
# Echo stream tcp nowait root internal
# Echo dgram udp wait root internal
# Discard stream tcp nowait root internal
# Discard dgram udp wait root internal
# Daytime stream tcp nowait root internal
# Daytime dgram udp wait root internal
# Chargen stream tcp nowait root internal
# Chargen dgram udp wait root internal
# Time stream tcp nowait root internal
# Time dgram udp wait root internal
#
# These are standard services.
#
# Ftp stream tcp nowait root
/Usr/sbin/tcpd in. ftpd-l-
# Telnet stream tcp nowait root
/Usr/sbin/tcpd in. telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
# Shell stream tcp nowait root
/Usr/sbin/tcpd in. rshd
# Login stream tcp nowait root
/Usr/sbin/tcpd in. rlogind
# Exec stream tcp nowait root
/Usr/sbin/tcpd in. Rexmcm
# Comsat dgram udp wait root
/Usr/sbin/tcpd in. comsat
# Talk dgram udp wait root
/Usr/sbin/tcpd in. talkd
# Ntalk dgram udp wait root
/Usr/sbin/tcpd in. ntalkd
# Dtalk stream tcp wait nobody
/Usr/sbin/tcpd in. dtalkd
#
# Pop and imap mail services et al
#
# Pop-2 stream tcp nowait root
/Usr/sbin/tcpd ipop2d
# Pop-3 stream tcp nowait root
/Usr/sbin/tcpd ipop3d
# Imap stream tcp nowait root
/Usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
# Uucp stream tcp nowait uucp
/Usr/sbin/tcpd/usr/lib/uucp/uucico-l
#
# Tftp service is provided primarily
For booting. Most sites
# Run this only on machines acting
"Boot servers." Do not uncomment
# This unless you * need * it.
#
# Tftp dgram udp wait root
/Usr/sbin/tcpd in. tftpd
# Bootps dgram udp wait root
/Usr/sbin/tcpd bootpd
#
# Finger, timed at and netstat give out
User information which may be
# Valuable to potential "system crackers ."
Many sites choose to disable
# Some or all of these services to improve security.
#
# Finger stream tcp nowait root
/Usr/sbin/tcpd in. fingerd
# Cfinger stream tcp nowait root
/Usr/sbin/tcpd in. cfingerd

# Wait at stream tcp nowait guest
/Usr/sbin/tcpd/bin/ps-auwwx

# Netstat stream tcp nowait guest
/Usr/sbin/tcpd/bin/netstat-f inet

#

# Authentication

#

# Auth stream tcp nowait nobody
/Usr/sbin/in. identd in. identd-l-e-o

#

# End of inetd. conf

Step 4:

To ensure the security of the "inetd. conf" file, you can use the chattr command to make it unchangeable. If you set the file to unchangeable, use the following command:
[Root @ deep] # chattr + I/etc/inetd. conf

This avoids any changes (unexpected or other reasons) to the "inetd. conf" file ). A file with the "I" attribute cannot be changed: it cannot be deleted or renamed, the link to the file cannot be created, and data cannot be written into the file. Only the system administrator can set and clear this attribute. To change the inetd. conf file, you must first clear the flag that cannot be changed:
[Root @ deep] # chattr-I/etc/inetd. conf

However, for services such as sendmail, named, and www, because they are not like finger and telnet services, when requests arrive, the inet daemon starts the corresponding process to provide services, instead, it runs as a daemon when the system is started. Content from China webmaster Information Network (www.chinahtml.com)

For redhat linux, a linuxconfig command is provided to interactively set whether to run related services at startup on the GUI. You can also run a command to determine whether to start a service at startup, for example, [root @ deep] # chkconfig-level 35 named off.