Security Settings for network services in Linux

The Linux operating system is stable, robust, efficient, and secure. Is becoming an ideal platform for various network services. Various network applications have superior performance applications in the Linux system, such as Apache servers providing Web services, Bind of DNS services, and Postfix, Sendmail, and Qmail of SMTP services; provides FTP services such as Wu-ftp, Vsftp, and Proftp. In addition, more and more network applications are also provided for implementation on Linux. For more applications, refer to "Linux Enterprise Application Case Study. With these open-source software, you can provide the same excellent network services as expensive commercial software through careful configuration. This article focuses on the control and management of network services in Linux. First, we will introduce two methods for providing network services in Linux: standalong and inetd/xinetd; this section describes how to view, start, and stop the services provided by the system.
 
I. stand-along and inetd/xinetd Methods
The Linux system provides network services in two ways: the traditional stand-alone mode and the inetd process of the system.
1). stand-alone method
(1) Working Process
Figure 1
The stand-alone method is shown in step 1. First, the server starts a network service process to listen to a specified network port and wait for the client's connection request to arrive. For example, the Web server listens to port 80 of TCP, And the telnet service listens to port 23 of TCP. Then, when a client connection request arrives, the listening process will respond to the connection request and generate a sub-process or thread to process the client's request. The parent service process will return, continue listening to the specified port and wait for the next customer request to arrive.
Finally, when the client completes the access, the child process that processes the request also exits. In some cases, for example, several sub-processes are generated on a Web server with a large access volume, so that the parent process does not have to generate sub-processes when receiving client requests, this improves the customer's access speed.
(2). Start and Stop the service
In Linux, the stand-alone method is usually used to start the service by starting the symbolic link in the corresponding running level under/etc/rc. d. The running level is explained first. A Linux running level is a system state, or a Mode, which is listed in/etc/rc. d/rc <x>. d directory, where <x> is a running-level number.
# Ls-l
Drwxr-xr-x 2 root 4096 07-30 22:31 init. d
-Rwxr-xr-x 1 root 2255 rc
Drwxr-xr-x 2 root 4096 07-30 22:31 rc0.d
Drwxr-xr-x 2 root 4096 07-30 rc1.d
Drwxr-xr-x 2 root 4096 07-30 22:31 rc2.d
Drwxr-xr-x 2 root 4096 07-30 22:31 rc3.d
Drwxr-xr-x 2 root 4096 07-30 rc4.d
Drwxr-xr-x 2 root 4096 08-23 19:28 rc5.d
Drwxr-xr-x 2 root 4096 07-30 22:31 rc6.d
-Rwxr-xr-x 1 root 220 rc. local
-Rwxr-xr-x 1 root 26918 rc. sysinit
The current running level is as follows:
0 out of service;
1. single-user mode;
2 not used (User-Defined );
3. Complete Multi-User Mode;
4 not used (User-Defined );
5. Complete Multi-user mode (with X-based logon screen );
6. Reboot.
If a text logon screen is used, the running level is 3. If a graphical logon screen is used, the running level is 5. The default running level can be changed by modifying the/etc/inittab file:
...................
# Run gettys in standard runlevels
1: 2345: respawn:/sbin/mingetty tty1
2: 2345: respawn:/sbin/mingetty tty2
3: 2345: respawn:/sbin/mingetty tty3
4: 2345: respawn:/sbin/mingetty tty4
5: 2345: respawn:/sbin/mingetty tty5
6: 2345: respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
X: 5: respawn:/etc/X11/preofdm-nodaemon
The modified running level takes effect after the system is rebooted, and the system enters the corresponding running level. Note: Do not set the running level to 0 or 6. To change the running level immediately, use the telinit command and follow the running level number. Only root users can use this command. Note that the telinit command does not change the/etc/inittab file, but only the current running level. After the system restarts, It is guided to the running level specified in/etc/inittab.
For each running level, there is a corresponding sub-directory in the/etc/rc. d sub-directory. The sub-directories at the running level are named as rcX. d. X indicates the number at the running level. For example, all the Command Script programs at run level 3 are saved in the/etc/rc. d/rc3.d subdirectory.
# Ls
K02avahi-dnsconfd K35smb K88wpa_supplicant S08iptables S22messagebus S80sendmail
K02dhcdbd K35vncserver K89dund S09isdn S25bluetooth S85gpm
K02NetworkManager K35winbind K89netplugd S10network S25netfs S90crond
......
S56xinetd S99smartd
K25squid K87multipathd S08ip6tables S20kdump S77netbackup
 
From the above we can see that in each running level subdirectory, there are many files starting with the letter S or letter K. These files are all in/etc/init. d. For example:
# Ls-l S77netbackup
Lrwxrwxrwx 1 root 26 07-30 S77netbackup->/etc/rc. d/init. d/netbackup
The real STARTUP script stores/etc/init. d/. When the system is started, the Linux system runs a specific directory based on the running level set in/etc/initab. First, run the command script program with the letter K headers, and then run the command script program with the letter s headers. For the command script program that starts with K, the Stop parameter is passed to Stop the service. Similarly, for the command script program with the letter s headers, the Start parameter is passed to Start the service.
In many cases, the execution sequence of the command script program is very important. For example, if you do not configure a network interface first, you cannot use the DNS service to resolve the host name. Therefore, in order to arrange their execution order, a two-digit character is followed by the letter s or K, and a small value is executed before a large value. For example,/etc/rc. d/rc3.d/S5Oinet will be executed before/etc/rc. d/rc3.d/S55named (s50inet configures network settings, S55named shoulders DNS server ).
Ii. inetd/xinetd Method
(1) Working Process
Compared with the stand-alone method, the inetd/xinetd method is also called "Internet Super-Server" because it manages links to multiple daemon, these daemon processes provide network services such as FTP and Telnet. The inetd/xinetd working method 2 is shown. For more details about xinetd, refer to the Linux system management tutorial.
Figure 2
Control Service start and stop
There are several ways to manage system service access. You can decide which management method to use based on the service, system configuration, and understanding of Linux.
The easiest way to refuse to use a service is to disable it. Whether it is a service managed by xinetd or in/etc/rc. you can use the service configuration tool, ntsysv, chkconfig, and other three different applications to configure the service to start or stop.
1. service configuration tool
Graphical applications can be used to display the description of each service and whether each service is started at boot (runtime Level 3, 4, and 5 ), and enable, stop, or restart each service, as shown in figure 4.
Figure 4 service configuration tool
 
2. ntsysv
Ntsysv is a text-based program that allows you to configure the services to be started at each running level. Changes do not take effect immediately for services that do not belong to xinetd. You cannot use this program to start, stop, or restart services that do not belong to xinetd.
3. chkconfig
Chkconfig is a command line tool that allows you to start and close services at different running levels. Changes do not take effect immediately for services that do not belong to xinetd. You cannot start, stop, or restart a service that does not belong to xinetd.
[Root @ jie rc3.d] # chkconfig -- list
NetworkManager 0: Close 1: Close 2: Close 3: Close 4: Close 5: Close 6: Close
NetworkManagerDispatcher 0: Close 1: Close 2: Close 3: Close 4: Close 5: Close 6: Close
Acpid 0: Disable 1: Disable 2: Disable 3: Enable 4: Enable 5: Enable 6: Disable
Anacron 0: off 1: off 2: Enable 3: Enable 4: Enable 5: Enable 6: Disable
Apmd 0: Disable 1: Disable 2: Enable 3: Enable 4: Enable 5: Enable 6: Disable
Atd 0: Disable 1: Disable 2: Disable 3: Enable 4: Enable 5: Enable 6: Disable
Auditd 0: off 1: off 2: Enable 3: Enable 4: Enable 5: Enable 6: Disable
Autofs 0: Disable 1: Disable 2: Disable 3: Enable 4: Enable 5: Enable 6: Disable
Avahi-daemon 0: Disable 1: Disable 2: Disable 3: Enable 4: Enable 5: Enable 6: Disable
Avahi-dnsconfd 0: Close 1: Close 2: Close 3: Close 4: Close 5: Close 6: Close
Bluetooth 0: Disable 1: Disable 2: Enable 3: Enable 4: Enable 5: Enable 6: Disable
Capi 0: Close 1: Close 2: Close 3: Close 4: Close 5: Close 6: Close
Conman 0: Close 1: Close 2: Close 3: Close 4: Close 5: Close 6: Close
Cpuspeed 0: off 1: Enable 2: Enable 3: Enable 4: Enable 5: Enable 6: Disable
In addition, you can directly edit the file/etc/rc. d/rcX. d, or directly control the system services provided by Linux under the/etc/xinet. d/file. Note that X corresponds to the startup level.
Iii. Web Service Security
1. Threats to Web Services
Due to the popularity of Web services, various attack methods are also emerging. For Web Services, the objects targeted by threats can be divided into three types: Needle-to-server, client-to-client, and transmission between servers and clients.
(1) server-side threats: server-side threats include unauthorized users using configuration vulnerabilities or other vulnerabilities to obtain server-side confidential information, intruders gain control of the server host through the Web Service Process Vulnerability. Intruders initiate DoS attacks to invalidate the service.
(2) Client-specific threats the client-specific threats mainly include using browser vulnerabilities to execute ActiveX, Javaapplet, and other dynamic execution programs to harm the user system and obtain user confidential information.
(3) threats of transmission from the server to the client. Threats of transmission from the server to the client: attackers can obtain communication information between customers and servers through network eavesdropping or maliciously tamper with the communication content.
Here we will focus on the security of Web servers and communication. For most Web servers, attacks are mainly caused by application or script leaks and these vulnerabilities are exploited by intruders.
2. Apache Security Configuration instance
(1) User/user group, file system and default settings
According to the minimum privilege principle, you need to assign an appropriate permission to Apache to complete the Web service. Make sure that Apache uses a dedicated user and user group. Do not use a pre-defined account, such as the nobody user and nogroup user group.
For Apache systems, there are four main directories: ServerRoot, DocumentRoot, ScriptAlias, CustomLog, and Errorlog. the preceding four directories must be independent of each other, that is, there is no parent-child relationship between any two directories. For example, the following Configuration:
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/html"
ScriptAlias/cgi-bin/"/var/www/cgi-bin /"
CustomLog/var/log/httpd/access. log
ErrorLog logs/var/log/httpd/error. log
No other user except the root user can configure or run Apache, so ServerRoot should be configured to be accessible only by the root user. DocumentRoot should be able to be accessed by users who manage Web site content, and accessed by Apache server using Apache users and apache user groups. The ScriptAlias directory should be accessible only to CGI developers and apache users. During management, it is best to set up webcontent and webdev groups for the Web content maintainer and CGI developers respectively, and then use the usermod command to add users to the two groups respectively. For example, add the user cgweb to the root group:
# Usermod-G root cgweb
You can use the groups command to view which groups the user belongs:
# Groups cgweb
Cgweb: cgweb root
Modify the following items in the default settings:
• Prohibit the use of Directory Index files
When receiving user access to a directory, the Apache server looks for the Directory Index file specified by the Directorvlndex command. The file is index.html. If the file does not exist, Apache will create a dynamic list to display the contents of the directory. 1. You can access the test Directory on the Web server through http: // ipaddress/test.
If index.html is not found in the directory, the Apache server displays all files and directory information under the test directory. This setting usually exposes the Web site structure, so you need to modify the configuration file to prohibit the display of dynamic directory lists.
Modify the configuration file httpd. conf
<Directory "/var/www/html">
Options-Indexes FolIowSymLinks
AllowOverride None
Order allow, deny
Allow from all
</Directory>
Adding "-Indexes" in the Options field indicates that the Active Directory is prohibited.
• Disable default access
A good security model should stipulate that all access is denied by default. In order to achieve the default access denied, the following configuration can be used in httpd. conf:
<Directory/>
Order deny, allow
Deny from all
</Directory>
To access a specific Directory, use <Directory...> again for configuration.
<Directory "/var/www/html">
Order allow, deny
Allow from all
</Directory>
• Prohibit user Overloading
The following settings prevent users from using the. htaccess configuration file in any directory to overload the configuration.
<Directory/>
AllowOverride None
</Directory>
(2) control CGI scripts
The CGI Script Vulnerability has become the top security risk of the Web eye server. Many programmers do not pay attention to its security when writing CGI programs, and many backdoors and vulnerabilities are generated unexpectedly. The CGI script control vulnerability should not only check the validity of input data, but also exercise caution when using system calls, security Configuration of the Apache server can also eliminate the impact of many insecure CGI programs.
By default, these CGI programs are run with the UID used by the Apache server. In many cases, if you run these programs with the ui d of the CGI program owner, it will bring security benefits. In this case, these CGI programs may have some vulnerabilities, the harm is also limited to the files that the XJID can access. In this case, only the user's files can be hurt without causing a fatal impact on the entire system.
(3) use SSL encryption
The use of SSL (Secure Sockets Layer, Secure Socket Layer) can ensure data security during the communication between the Web server and the client. HTTP uses plain text for transmission. Therefore, intruders can easily eavesdrop and tamper with data transmitted between the server and the client. To solve this problem, Netscape initially developed the Secure socket layer (SSL) protocol, now SSL has become a global standard for identifying websites and Web page viewers and encrypted communication between browsers and Web servers. SSL technology is supported by all major browsers and Web servers.
Iv. DNS Service Security
As one of the basic services of the network, DNS is responsible for translating domain names into IP address formats that can be recognized by computers and reverse translation of domain names corresponding to IP addresses. The DNS service is very important to the network. Once the DNS service fails, the user cannot access it by domain name, the corresponding email service will also fail because the domain name cannot be properly resolved. Because of the importance of DNS to the network, it has become an important target of hacker attacks.
1. Threats to DNS services
DNS services face threats such as Domain Name Information spoofing, DoS/DDOS attacks, and buffer overflow attacks.
(1) Domain Name Information Spoofing
Domain Name Information Spoofing (DNS Spoofing) refers to an error or unconfirmed response to the client due to the DNS server being attacked or misconfigured during DNS query on the client. Domain Name Information spoofing has serious consequences. The customer believes that the wrong information on the DNS server will lead the user to access a wrong website, which may be a malicious website, this results in very serious consequences.
1) intruders usually use the following two methods to cheat Domain Name Information:
• The cache infected intruders put their data into the cache of the DNS server through specific DNS access. The cache information is returned to the customer when the customer accesses the DNS, so that the customer is directed to the malicious server set by the hacker.
• DNS hijacking intruders listen to the conversation between the client and the DNS server, and give false responses to the user by guessing the DNS query id that the server responds to the client before the server, in this way, the client is deceived to access malicious websites.
(2) DoS Attacks
A vulnerability exists in the default settings of Many DNS servers, which may cause DoS attacks ). If a Domain Name Server allows a remote host to ask for the domain names of other domains (these domains are not managed by themselves), this means that recursive queries are allowed, which may cause an abnormal increase in network traffic. The increase in traffic caused by a single host may not result in DoS attacks. However, the weakness of the DNS classification method may lead to a large amount of data traffic for a single site, blocking normal network traffic services. This problem occurs when the Domain Name Server fails to receive the domain name resolution response from an authoritative Domain Server. When the Domain Name Server receives a domain name resolution request, it will usually forward it to the upper-level DNS server. If the query request cannot be resolved, because the DNS service is not started or no response is received on its authoritative Domain Name Server. then each forwarded server tries to resolve the issue by itself, and usually tries three times (at 0 s, 12 S, and 24 s respectively), or even more times. In this case, the network traffic of the domain name increases significantly. By using a large number of domain name servers for such inquiry, a large amount of data may be sent to the target network, resulting in DoS attacks.
(3) buffer overflow attacks
If there are vulnerabilities in the implementation of DNS server software, such as not performing a strict check on specific input, attackers may exploit the vulnerability, attackers construct special malformed data packets to conduct buffer overflow attacks on the DNS server. If the attack succeeds, the DNS service will be stopped, or the attacker can execute arbitrary code on the DNS server.
2. Bind Security Configuration instance
The following uses the famous BIND software as an example to describe the Security Configuration of the DNS server.
(1) control regional transmission if the DNS server allows regional transmission for anyone, the host name, Host IP address list, router name, and router IP address list of the entire network architecture will be available, even the locations and hardware configurations of each host are easily obtained by intruders. Therefore, it is necessary to restrict regional transmission.
You can add the following statement to the/etc/named. conf file to restrict regional transmission:
Acl "zero-transfer "{
192.168.0.3,
192.168.0.100,
};
Zone "yourdomain.com "{
Type master;
File "mydomain. dns ";
Allow-transfer {zero-transfer ;};
};
Currently, only the hosts with IP addresses 192.168.0.53 and 192.168.0.100 can transmit data in the same region as the DNS server.
(2) limiting access areas and limiting the scope of services provided by the DNS server is also crucial to the security of the DNS server, so that many intruders can be rejected. To achieve this, you only need to add the following statement to the configuration file/etc/named. conf of the BIND server:
Options {
Allow-query {192.168.0.0/24 ;};
In this way, the allow-query command ensures that all hosts on the CIDR Block 192.168.0.0/24 can access the DNS service provided by the server, hosts that are not in this CIDR block cannot access the services provided by the DNS server.
(3) run the DNS service as a non-root User
Use the-u option provided by the BIND software to run the BIND as a non-root User:
#/Usr/sbin/named-u nobody
Run BIND as a nobody using the above command to reduce the harm caused by the buffer overflow attack.
V. FTP service security
FTP is a File Transfer Service. It was once one of the most widely used file exchange methods on the Internet, the FTP protocol has insurmountable security vulnerabilities.
1. Threats to FTP services
FTP services are faced with several attacks, including buffer overflow attacks, plaintext passwords, and anonymous access.
(1) buffer overflow attacks
The buffer overflow vulnerability is an address space error caused by improper design of border conditions and function pointers in software. The principle is to copy a long string to a buffer with limited space, which has two consequences. One is that a long string overwrites the adjacent storage unit and causes program paralysis, it even causes downtime, system or process restart, etc. Second, attackers can exploit the vulnerability to run malicious code, execute arbitrary commands, and even obtain super permissions.
(2) plaintext Password
Because the FTP protocol uses plain text to transmit its password, attackers can easily obtain the password through eavesdropping.
(3) Anonymous Access
Anonymous access is widely supported in the FTP service. However, anonymous FTP does not require real authentication. Therefore, it is easy to provide an access channel for intruders, in combination with a buffer overflow attack, this can cause serious consequences. For example, the Ramen worm uses anonymous access and buffer overflow attacks to pose great threats to the famous wu-ftpd server.
2. Vsftp Security Configuration instance
Vsftpd is used as an example to describe the Security Configuration of the FTP server. Vsftpd has good performance in security, high performance, and stability, it provides powerful functions including virtual IP settings, virtual users, Standalone, xinetd operation modes, powerful single-user setting capabilities, and bandwidth throttling. In terms of security, it fixes the installation defects of most wu_ftp and ProFTP, and uses Secure encoding technology to solve the buffer overflow problem, this effectively prevents "globbing" type denial of service attacks.
The basic configurations of installation and vsftp are not described here. For more information, see the relevant documentation.
The following describes how to enhance the security of VSftp in two aspects:
(1) Use tcp_wrappers for access control
To use this function, you first need to build a vsftpd containing tcp_wrappers before installing and compiling. You can edit "builddefs. h file, change "# undef VSF_BUILD_TCPWRAPPERS" to "# define VSF_BU I LD_TCPWRAPPERS", and then re-build and compile to generate executable code. Second, enable vsftpd in the configuration file. In conf, select "tcp_wrappers = YES ". This function depends on the configuration of the file "/etc/hosts. allow. The following is an example:
Vsftpd; 192.168.1.3: setenv VSFTPD_LOAD_CONF/etc/vsftpd_tcp_wrap. conf
Vsftpd: 192.168.1.4: DENY
The first line indicates that if a client is connected from 192.168.1.3, vsftpd applies the vsftpd configuration file "/etc/vsftpd_tcp_wrap.conf" to connect. These settings are applied before the default vsftpd. conf. This is useful at 01:10. It can be used to apply different access restrictions to some IP addresses (for example, the upload capability). You can also specify certain IP addresses that have the ability to exceed the connection limit (max_clients = 0 ); or increase or decrease the bandwidth limit for some IP addresses. The second line indicates that the connection to 192.168.1.4 is denied. This is useful for dedicated connectors.
(2) enable virtual users
Virtual users are not as objective users as real users in the system. Therefore, virtual users are safer than real users. Virtual users are often used to serve content that they do not want to open to untrusted users. This generally does not affect normal users.
• Create a virtual user database
To use pam_userdb to authenticate a user name/password file in "db" format. To create a "db" format file, you must first create a non-format text file with a user name and password written on the alternate line. The Code is as follows:
$ Cat logins.txt
Upload
Foo
Download
Bar
The above "upload" corresponds to the password "foo": "download" corresponds to the password "bar ". Log in as root and create the actual database file. The Code is as follows:
$ Db_load-T-t hash-f logins.txt/etc/Vsftpd_login.db
Note that the Berkeley db program must be installed. In this way, you can create "/etc/vsftpd_login.db ". To change the access permission, run the following command:
$ Chmod 600/etc/vsftpd_login.db
• Create a PAM file using the new database
Create the edit file vsftpd. pam, which contains the following two lines:
Auth required/lib/security/pam_userdb.so db =/etc/vsftpd_login
Accound required/lib/security/pam_userdb.so db =/etc/vsftpd_login
Tell PAM to use a new database to identify users. Save the PAM file to the PAM directory (usually "/etc/pam. d/cp vsftpd. pam/etc/pam. d/ftp ").
• Set file locations for virtual users
Next, run the following command to set the file location for the virtual user:
$ Useradd-d/home/ftpsite virtual
$ Ls-ld/home/ftpsite
The following figure is displayed:
Drwx ----- 3 virtual 4096 Aug 25/home/ftpsite
It indicates that a user named "virtual" has been created and a home directory "/home/ftpsite" has been created ". Add some content to the Download Area. The Code is as follows:
$ Cp/etc/hosts/home/ftpsite
$ Chown virtual. virtual/home/ftpsite/hosts
• Custom vsftpd. conf configuration file
Re-customize the vsftpd. conf file:
Anonymous_enable = NO
Local_enable = YES
Anonymous FTP should be disabled for security reasons and non-Anonymous FTP should be enabled (for virtual users ).
Write_enable = NO
Anon_upload_enable = NO
Anon_mkdir_writei_enable = NO
Anon_other_write_enable = NO
Write these commands for security purposes. Do not write them for execution.
Chroot_local_user = YES
Restrict virtual users to the virtual FTP region/home/ftpsite set above.
Guest _ enable = YES