Detailed analysis of network server configurations in Linux

To secure a Linux server you must first understand what the configuration files of its network services mean and how to set them up securely. In Linux, TCP/IP networking is configured through several text files, and you may need to edit them to bring the network up; most of this configuration can also be done with the linuxconf command (network settings specifically through netconf). The following describes the basic TCP/IP network configuration files.

* /etc/conf.modules file

This configuration file defines the parameters of the modules that need to be loaded at startup. This article focuses on the NIC configuration. When Linux is used as a gateway, the server must have at least two NICs. To reduce possible problems during startup, the Linux kernel does not automatically detect multiple NICs.

If your system loads the NIC driver dynamically as a module rather than compiling it into the kernel, and you need multiple NICs, configure them in the conf.modules file.

If the device driver is compiled as a kernel module: for PCI devices the module automatically detects all devices installed on the system; for ISA cards you must pass the I/O address to the module so that it knows where to find the card. This information goes in /etc/conf.modules.

For example, suppose we have two ISA-bus 3c509 cards, one at I/O address 0x300 and the other at 0x320. Edit the conf.modules file as follows:

    alias eth0 3c509
    alias eth1 3c509
    options 3c509 io=0x300,0x320

This tells the system to load the 3c509 driver under the names eth0 and eth1 (the two alias lines) and to pass it the parameters io=0x300,0x320 so that the driver knows where to find each card; the 0x prefix is required.

For a PCI card only the alias line is needed, to associate ethN with the appropriate driver module name; the I/O address of a PCI card is detected automatically. For PCI cards, edit the conf.modules file as follows:

    alias eth0 3c905
    alias eth1 3c905

If the driver has been compiled into the kernel, the PCI probe at system startup automatically finds all related NICs. ISA cards can also be detected automatically, but in some cases an ISA card still needs to be configured as follows:

Add the information to /etc/lilo.conf so that LILO passes it to the kernel as a boot parameter. For an ISA card, edit the lilo.conf file and add the following line:

    append="ether=0,0,eth0 ether=0,0,eth1"

Note: test your ISA card first without adding the boot parameter to lilo.conf; only if detection fails, use the boot parameter.

If you use the boot-parameter method, eth0 and eth1 are assigned in the order in which the cards are found at startup.

* /etc/HOSTNAME file

This file contains the host name of the system as a fully qualified domain name, such as www.phpfensi.com.

* /etc/sysconfig/network-scripts/ifcfg-ethN file

In RedHat, the configuration files for the system's network devices are kept in the /etc/sysconfig/network-scripts directory: ifcfg-eth0 holds the configuration of the first NIC, ifcfg-eth1 that of the second NIC.

The following is an example of the /etc/sysconfig/network-scripts/ifcfg-eth0 file:

    DEVICE=eth0
    IPADDR=208.164.186.1
    NETMASK=255.255.255.0
    NETWORK=208.164.186.0
    BROADCAST=208.164.186.255
    ONBOOT=yes
    BOOTPROTO=none
    USERCTL=no

If you want to change a network address manually or add a new network interface, edit the corresponding file (ifcfg-ethN) or create a new one. The keys are:

DEVICE=name

name is the name of the physical device.

IPADDR=addr

addr is the IP address assigned to the card.

NETMASK=mask

mask is the network mask.

NETWORK=addr

addr is the network address.

BROADCAST=addr

addr is the broadcast address.

ONBOOT=yes/no

Whether to activate the card at startup.

BOOTPROTO=none/bootp/dhcp

none: no boot-time protocol is used (the address is static)

bootp: use the BOOTP protocol

dhcp: use the DHCP protocol

USERCTL=yes/no

Whether non-root users are allowed to control the device.

* /etc/resolv.conf file

This file configures the resolver (the library that maps host names to IP addresses). For example:

    search phpfensi.com
    nameserver 208.164.186.1
    nameserver 208.164.186.2

"search phpfensi.com": when a host name without a full domain name is supplied, the search domain (phpfensi.com in the example) is appended to it. "nameserver" names a host that acts as the DNS server when domain names are resolved. The name servers are queried in the order in which they appear in the file.

* /etc/host.conf file

This file specifies how host names are resolved. Linux uses the resolver library to obtain the IP address corresponding to a host name. The following is an example of /etc/host.conf:

    order bind,hosts
    multi on
    nospoof on

"order bind,hosts" specifies the lookup order for host names: here DNS is queried first and then the /etc/hosts file (or the reverse, if the two are swapped).

"multi on" specifies whether a host listed in /etc/hosts may have multiple addresses; a host with multiple IP addresses is generally called a multi-homed host.

"nospoof on" tells the resolver not to accept IP address spoofing. IP spoofing is a means of attacking system security: by disguising one machine's IP address as another's, an attacker can gain the trust that other computers extend to that machine.

* /etc/sysconfig/network file

This file is used to specify the network configuration information on the server. The following is an example:

    NETWORKING=yes
    FORWARD_IPV4=yes
    HOSTNAME=deep.openarch.com
    GATEWAY=0.0.0.0
    GATEWAYDEV=

The keys are:

NETWORKING=yes/no

Whether networking is configured.

FORWARD_IPV4=yes/no

Whether IP forwarding is enabled.

HOSTNAME=hostname

The host name of the server.

GATEWAY=gw-ip

gw-ip is the IP address of the network gateway.

GATEWAYDEV=gw-dev

gw-dev is the name of the gateway device, such as eth0.

Note: for compatibility with older software, the /etc/HOSTNAME file should contain the same host name as HOSTNAME=hostname here.
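The following Python script is an added example, not part of the original article, that applies the points made about the two file types above: it parses the shell-style KEY=VALUE format that ifcfg-ethN and /etc/sysconfig/network share, recomputes NETWORK and BROADCAST from IPADDR and NETMASK, and flags USERCTL=yes as well as FORWARD_IPV4=yes on a host that is not meant to act as a gateway. The sample file contents (in particular the deliberately misconfigured eth1) and the function names are constructed for the example.

```python
import ipaddress

# Constructed sample files (not from the original article) in the
# shell-style KEY=VALUE format that RedHat's network scripts source.
SAMPLE_IFCFG_ETH0 = """\
DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
"""

# A second, deliberately misconfigured interface for the checks to catch.
SAMPLE_IFCFG_ETH1 = """\
DEVICE=eth1
IPADDR=192.168.10.5
NETMASK=255.255.255.0
NETWORK=192.168.0.0       # wrong: does not match IPADDR/NETMASK
BROADCAST=192.168.10.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=yes               # non-root users may bring the link up or down
"""

SAMPLE_NETWORK = """\
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=deep.openarch.com
GATEWAY=0.0.0.0
GATEWAYDEV=
"""


def parse_sysconfig(text):
    """Parse KEY=VALUE lines; skips blank lines and comments, drops trailing
    '# ...' comments and strips optional quotes around the value."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip("\"'")
    return values


def audit_ifcfg(text):
    """Return a list of findings for one ifcfg-ethN file."""
    cfg = parse_sysconfig(text)
    findings = []
    dev = cfg.get("DEVICE", "?")
    # Address consistency only matters for static configuration (BOOTPROTO=none).
    if cfg.get("BOOTPROTO", "none").lower() == "none":
        try:
            iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
        except (KeyError, ValueError) as exc:
            return [f"{dev}: unusable IPADDR/NETMASK ({exc})"]
        net = iface.network
        if cfg.get("NETWORK") != str(net.network_address):
            findings.append(f"{dev}: NETWORK should be {net.network_address}")
        if cfg.get("BROADCAST") != str(net.broadcast_address):
            findings.append(f"{dev}: BROADCAST should be {net.broadcast_address}")
    if cfg.get("USERCTL", "no").lower() == "yes":
        findings.append(f"{dev}: USERCTL=yes lets non-root users control the device")
    return findings


def audit_network(text, is_gateway):
    """Return findings for /etc/sysconfig/network; is_gateway says whether the
    host is supposed to route between its NICs."""
    cfg = parse_sysconfig(text)
    findings = []
    if cfg.get("FORWARD_IPV4", "no").lower() == "yes" and not is_gateway:
        findings.append("FORWARD_IPV4=yes on a host that is not meant to route")
    if cfg.get("GATEWAY", "") in ("", "0.0.0.0") and cfg.get("GATEWAYDEV", "") == "":
        findings.append("GATEWAY is unset or 0.0.0.0 and GATEWAYDEV is empty: no default route will be set")
    return findings


if __name__ == "__main__":
    for finding in (audit_ifcfg(SAMPLE_IFCFG_ETH0) + audit_ifcfg(SAMPLE_IFCFG_ETH1)
                    + audit_network(SAMPLE_NETWORK, is_gateway=False)):
        print(finding)
```

Pointing the two audit functions at real files is a matter of reading them with `open(...).read()`; the parser deliberately tolerates the trailing comments and quoting that the shell would also accept, so the checks see the same values the network scripts would use.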

* /etc/hosts file

When the machine starts, before DNS can be queried, it needs a mapping of some host names to IP addresses. That mapping is stored in the /etc/hosts file. Without a domain name server, every network program on the system consults this file to resolve the IP address of a host name.

The first column is the host's IP address, the second column the host name, and any further columns are aliases for the host. Once the machine's network configuration files have been edited, restart the network for the changes to take effect. Run the following command to restart the network:

    /etc/rc.d/init.d/network restart
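As an added example that is not part of the original article, the following Python code models what the host.conf and hosts sections above describe: it parses /etc/hosts into forward and reverse tables, honours "multi on/off" (whether a name may carry more than one address), tries the lookup sources in the "order" given in host.conf, and emulates "nospoof on" by resolving the name returned for an address back to an address and rejecting the answer when they disagree. The sample hosts file, host.conf, the DNS stand-in tables and the function names are all constructed for the example.

```python
# Constructed sample files for the example (not the article's own).
SAMPLE_HOST_CONF = """\
order bind,hosts
multi on
nospoof on
"""

SAMPLE_HOSTS = """\
127.0.0.1       localhost localhost.localdomain
208.164.186.1   deep.openarch.com deep
208.164.186.2   mail.openarch.com mail
208.164.186.3   mail.openarch.com        # second address of a multi-homed host
"""

# Constructed stand-ins for what DNS ("bind") would answer: forward records by
# name, reverse records by address.  203.0.113.7 claims to be deep.openarch.com
# even though that name does not resolve back to it: a spoofed reverse record.
SAMPLE_DNS_FORWARD = {
    "www.openarch.com": ["208.164.186.4"],
    "deep.openarch.com": ["208.164.186.1"],
}
SAMPLE_DNS_REVERSE = {
    "208.164.186.1": "deep.openarch.com",
    "203.0.113.7": "deep.openarch.com",
}


def parse_host_conf(text):
    """Return the order list and the multi/nospoof switches from host.conf."""
    opts = {"order": ["bind", "hosts"], "multi": "off", "nospoof": "off"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        if key == "order":
            opts["order"] = [s.strip() for s in val.split(",")]
        else:
            opts[key] = val.strip()
    return opts


def parse_hosts(text, multi):
    """Build name -> [addresses] and address -> canonical name from /etc/hosts.
    With multi off only the first address seen for a name is kept, which is
    how the resolver behaves."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        reverse.setdefault(addr, names[0])
        for name in names:
            addrs = forward.setdefault(name, [])
            if multi or not addrs:
                addrs.append(addr)
    return forward, reverse


def resolve(name, opts, hosts_forward, dns_forward):
    """Try each source in the configured 'order' until one has the name."""
    for source in opts["order"]:
        table = dns_forward if source == "bind" else hosts_forward
        if name in table:
            return table[name]
    return []


def reverse_lookup(addr, opts, hosts, dns_forward, dns_reverse):
    """Address -> name, honouring 'order'.  With 'nospoof on' the name is
    accepted only if resolving it forward yields the original address."""
    hosts_forward, hosts_reverse = hosts
    name = None
    for source in opts["order"]:
        table = dns_reverse if source == "bind" else hosts_reverse
        if addr in table:
            name = table[addr]
            break
    if name is None:
        return None
    if opts["nospoof"] == "on" and addr not in resolve(name, opts, hosts_forward, dns_forward):
        return None  # forward/reverse mismatch: treated as spoofed and dropped
    return name


if __name__ == "__main__":
    opts = parse_host_conf(SAMPLE_HOST_CONF)
    hosts = parse_hosts(SAMPLE_HOSTS, multi=(opts["multi"] == "on"))
    for addr in ("208.164.186.1", "208.164.186.2", "203.0.113.7"):
        print(addr, "->", reverse_lookup(addr, opts, hosts, SAMPLE_DNS_FORWARD, SAMPLE_DNS_REVERSE))
```

The spoofed record for 203.0.113.7 is the case "nospoof on" exists for: a service that trusted the reverse-lookup name alone (as the old r-services did) would see deep.openarch.com, while the cross-check returns nothing.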

* /etc/inetd.conf file

As is well known, the more service ports a server has open, the harder it is to guarantee its security and stability. A server that provides a specific service should therefore open only the ports that service needs and disable everything unrelated. On a machine serving as a www and ftp server, for example, port 80 and port 25 should be open, and unrelated services such as finger and auth should be turned off to reduce the system's exposure.

inetd, also known as the "super server", is a daemon that listens for network requests and starts the corresponding service process to handle each connection. inetd.conf is its configuration file: it tells inetd which network ports to listen on and which service to start for each port.

The first thing to do with Linux in any network environment is to decide which services the server will provide. Services that are not needed should be disabled, and ideally uninstalled, so that attackers lose those avenues into the system.

Read /etc/inetd.conf to see which services inetd provides. Comment out the unneeded services (put a # at the start of the line) and send a SIGHUP signal to the inetd process.

Step 1: change the file permissions to 600.

    [root@deep]# chmod 600 /etc/inetd.conf

Step 2: make sure that the file owner is root.

    [root@deep]# stat /etc/inetd.conf

Step 3: edit the inetd.conf file (vi /etc/inetd.conf) and disable all unnecessary services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on.

If you find some of these services useful, leave them enabled; bear in mind, though, that every service left enabled gives an attacker more to work with. The edited inetd.conf file looks like this:

    # To re-read this file after changes, just do a 'killall -HUP inetd'
    #
    #echo     stream  tcp     nowait  root    internal
    #echo     dgram   udp     wait    root    internal
    #discard  stream  tcp     nowait  root    internal
    #discard  dgram   udp     wait    root    internal
    #daytime  stream  tcp     nowait  root    internal
    #daytime  dgram   udp     wait    root    internal
    #chargen  stream  tcp     nowait  root    internal
    #chargen  dgram   udp     wait    root    internal
    #time     stream  tcp     nowait  root    internal
    #time     dgram   udp     wait    root    internal
    #
    # These are standard services.
    #
    #ftp      stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
    #telnet   stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
    #
    # Shell, login, exec, comsat and talk are BSD protocols.
    #
    #shell    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    #login    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    #exec     stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
    #comsat   dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
    #talk     dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
    #ntalk    dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
    #dtalk    stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd
    #
    # Pop and imap mail services et al
    #
    #pop-2    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
    #pop-3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
    #imap     stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
    #
    # The Internet UUCP service.
    #
    #uucp     stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
    #
    # Tftp service is provided primarily for booting.  Most sites
    # run this only on machines acting as "boot servers." Do not uncomment
    # this unless you *need* it.
    #
    #tftp     dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
    #bootps   dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
    #
    # Finger, systat and netstat give out user information which may be
    # valuable to potential "system crackers."  Many sites choose to disable
    # some or all of these services to improve security.
    #
    #finger   stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
    #cfinger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
    #systat   stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
    #netstat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
    #
    # Authentication
    #
    #auth     stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
    #
    # End of inetd.conf

Step 4: to protect the inetd.conf file further, you can use the chattr command to make it immutable:

    [root@deep]# chattr +i /etc/inetd.conf

This prevents any change to inetd.conf, accidental or otherwise. A file with the "i" attribute cannot be modified: it cannot be deleted or renamed, no link can be created to it, and no data can be written to it. Only the system administrator can set or clear this attribute. To change inetd.conf again, you must first clear the immutable flag:

    [root@deep]# chattr -i /etc/inetd.conf
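The following Python script is an added example, not part of the original article, that checks the outcome of steps 1 to 3 above: it lists the entries of an inetd.conf that are still active (not commented out), flags those on the article's list of services to disable, notes entries that are not wrapped in /usr/sbin/tcpd as the listing's other entries are, and verifies the 600/root ownership from steps 1 and 2 against values as returned by os.stat. The sample inetd.conf (with a few lines deliberately left active) and the function names are constructed for the example.

```python
import stat

# Constructed sample (not the article's file): four entries left active.
SAMPLE_INETD_CONF = """\
# To re-read this file after changes, just do a 'killall -HUP inetd'
daytime  stream  tcp     nowait  root    internal
#echo    stream  tcp     nowait  root    internal
ftp      stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger   stream  tcp     nowait  root    /usr/sbin/in.fingerd in.fingerd
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
auth     stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
"""

# Services the article recommends commenting out unless they are needed.
UNNEEDED = {"ftp", "telnet", "shell", "login", "exec", "talk", "ntalk",
            "imap", "pop-2", "pop-3", "finger", "auth"}


def active_services(text):
    """Return (service, protocol, user, server_program) for every entry that
    is not commented out.  Built-in services have 'internal' as program."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete inetd entry
        service, _socktype, proto, _wait, user, program = fields[:6]
        entries.append((service, proto, user, program))
    return entries


def audit_inetd(text):
    """Findings for the active entries of an inetd.conf."""
    findings = []
    for service, proto, _user, program in active_services(text):
        if service in UNNEEDED:
            findings.append(f"{service}/{proto}: disable unless needed")
        # The article's listing runs external servers through /usr/sbin/tcpd
        # (TCP wrappers); an entry that bypasses it is worth a second look.
        if program != "internal" and not program.endswith("/tcpd"):
            findings.append(f"{service}/{proto}: not wrapped by tcpd")
    return findings


def file_permissions_ok(st_mode, st_uid):
    """Steps 1 and 2: mode must be exactly 0600 and the owner root (uid 0).
    Pass the st_mode and st_uid fields of os.stat('/etc/inetd.conf')."""
    return stat.S_IMODE(st_mode) == 0o600 and st_uid == 0


if __name__ == "__main__":
    for finding in audit_inetd(SAMPLE_INETD_CONF):
        print(finding)
    # Constructed stat values: a regular file, mode 0644, owned by root.
    print("permissions ok:", file_permissions_ok(0o100644, 0))
```

Reloading inetd after editing is the `killall -HUP inetd` that the file's first comment mentions; the immutable flag from step 4 is not visible through os.stat, so check it with lsattr before expecting an edit to succeed.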

Services such as sendmail, named and www, however, are not like finger and telnet: they are not started by the inet daemon when a request arrives but run as daemons started at system boot.

Red Hat Linux provides the linuxconf command to set interactively, in a GUI, whether such a service runs at startup. The same can be done from the command line, for example: [root@deep]# chkconfig --level 35 named off.
