How to make your Linux operating system more secure

Source: Internet
Author: User
Article Title: How to make your Linux operating system more secure.
Linux is generally considered to have the edge over Windows in security, but whichever distribution you choose, a fresh installation still needs some configuration before it is reasonably safe. The following describes the basic hardening steps for a newly installed Linux system.
  
   Install and configure a firewall
  
A properly configured firewall is the first, and the most important, line of defense against attacks from the network. Install and configure it before the new system is connected to the Internet for the first time.
  
The safest policy is default-deny: configure the firewall to drop every incoming packet, then explicitly allow only the traffic the system must accept. For details on writing such rules, see the iptables documentation.
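Here is an added example of such a default-deny ruleset, not taken from the article. It is a POSIX shell script that prints the iptables commands rather than executing them, so the policy can be reviewed (and kept in revision control) before it is applied; it also shows the source-restricted SSH rule the article recommends in its closing suggestions. The administrative network 203.0.113.0/24, the SSH port and the PUBLIC_TCP list are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the article): a default-deny iptables ruleset.
# Everything inbound is dropped except loopback traffic, replies to
# connections this host initiated, ICMP echo, the public TCP ports
# listed in PUBLIC_TCP, and SSH from one administrative network only.
# The addresses and ports below are assumptions, not values from the article.

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed admin network (documentation range)
SSH_PORT="${SSH_PORT:-22}"
PUBLIC_TCP="${PUBLIC_TCP:-}"               # e.g. "80 443" for a web server; empty by default

# gen_rules prints the iptables commands instead of executing them, so the
# policy can be read, diffed against the previous version and reviewed.
# Apply it as root with:  sh this_script.sh --apply
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # Services that must be reachable from anywhere: one ACCEPT per port.
    for port in $PUBLIC_TCP; do
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) whatever is about to hit the DROP policy.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
}

# accept_count prints how many ACCEPT rules the generated policy contains,
# a cheap sanity check that the allow-list has not quietly grown.
accept_count() {
    gen_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

The policy line `-P INPUT DROP` is what makes this default-deny: any packet that matches no ACCEPT rule is discarded, so adding a service means adding one explicit rule rather than remembering to block everything else.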
  
   Upgrade all installed software packages
  
A standard Linux distribution usually contains more than 1000 packages, and keeping all of the installed ones up to date is important, if time-consuming. Fortunately several tools automate the job; the two most common are APT (Advanced Package Tool) and Yum (Yellowdog Updater, Modified).
  
Some distributions ship their own update tool, and you should use it. For example, Red Hat and Fedora used up2date by default at the time of writing (current releases use yum or dnf), and Debian uses APT.
  
If you want to install an update tool yourself, APT is recommended. Searching for the distribution name together with APT will quickly turn up the apt-rpm package and the location of a suitable repository.
  
Once APT is installed and the repository list is set up (usually in /etc/apt/sources.list or a similar file), two commands keep the system current. Run them as root:
  
# apt-get update
# apt-get upgrade
  
The first command downloads the latest package index from the configured repositories; the second uses that index to download and install newer versions of the packages already present on the system, if any. The administrator should run both regularly so the system stays up to date.
  
In addition, always verify the checksum of any individual file or package downloaded from the Internet. A checksum proves that the file you received is the one the publisher distributed, but only if the expected value comes from somewhere an attacker who controls the download cannot also change: the distribution's signed release files, a GPG signature, or a page served separately from the mirror. Note that MD5 is no longer collision-resistant; where the publisher offers SHA-256 digests or GPG signatures, use those rather than md5sum.
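As an added illustration (not code from the article), the following shell function checks a downloaded file against a published digest. It picks the algorithm from the digest length, warns when it has to fall back to MD5, and refuses digests of a length it does not recognise, so a typo in the expected value is reported rather than silently treated as a mismatch. The file name and digests are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): verify a download against a digest
# obtained from a trusted channel.  Returns 0 on match, 1 on mismatch,
# 2 when the digest is not a recognisable MD5 or SHA-256 hex string.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # publishers mix upper/lower case
    case ${#expected} in
        64) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        32) actual=$(md5sum "$file" | cut -d' ' -f1)
            echo "warning: MD5 is not collision-resistant; prefer SHA-256 or a GPG signature" >&2 ;;
        *)  echo "error: digest length ${#expected} is neither MD5 (32) nor SHA-256 (64)" >&2
            return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file hashed to $actual, expected $expected" >&2
    return 1
}

# Stand-alone demonstration on a constructed file (assumed, not a real package).
demo_verify() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/pkg.tar.gz"
    # SHA-256 of the six bytes "hello\n"
    verify_download "$dir/pkg.tar.gz" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_verify
```

When a GPG signature is available, `gpg --verify pkg.tar.gz.sig pkg.tar.gz` with the publisher's key already imported is the stronger check, because it also authenticates who produced the digest.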
  
Finally, subscribe to the distribution's security mailing list, which announces package updates and fixed vulnerabilities promptly.
  
   Disable all unnecessary services
  
A freshly installed Linux system starts many services and daemons by default. Some distributions, for example, start an HTTP server, POP3/IMAP daemons, a database server, and so on. Most users do not need these, and every listening service is a potential target, so review the list of services and disable all that are unnecessary.
  
On Red Hat systems (and other distributions using SysV init), the command-line tool for configuring which services start is chkconfig. Current distributions based on systemd use systemctl list-unit-files, systemctl disable and systemctl stop for the same purpose; the commands below apply to the older init system. To list all installed services, run:
  
# chkconfig --list
  
The following content is displayed:
  
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
........................
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rsync:          off
        ......
        sgi_fam:        on
  
In this list, the numbers 0 to 6 are the system run levels.
  
For example, to enable squid at run levels 2, 3, 4, and 5:
  
# chkconfig --level 2345 squid on
  
To disable sshd at run levels 3 and 5:
  
# chkconfig --level 35 sshd off
  
Settings made with chkconfig take effect at the next boot and do not affect services that are currently running. To start or stop a service immediately on Red Hat, use:
  
# service service_name start
# service service_name stop
# service service_name restart
# service service_name status
  
Here service_name is the same name shown by chkconfig --list.
  
Afterwards, run netstat -tulnp (or ss -tulnp) as root to list every listening TCP and UDP socket together with the program behind it, and confirm that nothing unnecessary remains. For the services that must keep running, make sure the firewall restricts who can reach them.
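The listing is easier to act on when it is reduced to what is actually reachable from the network. The added example below (not from the article) parses netstat -tulnp style output and separates sockets bound to all interfaces (0.0.0.0, :: or *) from those bound to localhost, which the firewall does not need to cover. The netstat output embedded in sample_netstat is constructed for the example; on a real system pipe the live command into the functions instead.

```shell
#!/bin/sh
# Added example (not from the article): reduce "netstat -tulnp" output to
# the sockets the network can reach.  sample_netstat is constructed data.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1203/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1500/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/rpcbind
EOF
}

# listeners: print "proto host port program" for every tcp/udp line.
# The port is the text after the last ':' so IPv6 addresses such as ":::80" parse too.
listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        print $1, host, port, $NF
    }'
}

# exposed_listeners: only the sockets bound to every interface, i.e. the
# ones that must be either disabled or covered by a firewall rule.
exposed_listeners() {
    listeners | awk '$2 == "0.0.0.0" || $2 == "::" || $2 == "*"'
}

# Stand-alone run on the constructed sample.  On a live host, as root:
#   netstat -tulnp | exposed_listeners
echo "Reachable from the network:"
sample_netstat | exposed_listeners
```

In the sample, the mail daemon on 127.0.0.1:25 is correctly left out, while mysqld and rpcbind on 0.0.0.0 are exactly the kind of default services the section says to switch off.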
  
   Change the undesired SUID/SGID
  
A SUID (Set User ID) or SGID (Set Group ID) program runs with the privileges of the file's owner or group rather than those of the user who executes it. A common example is passwd, whose permissions look like this:
  
-r-s--x--x    1 root     root        18992 Jun  6  2003 /usr/bin/passwd
  
The owner's execute bit shows as "s" instead of "x", marking a SUID program: when an ordinary user runs passwd, it executes with the privileges of the file's owner, in this case root.
  
Many SUID/SGID programs are necessary, passwd among them, but many are not, and any of them may be exploited by a malicious local user to gain privileges they would not otherwise have. Find all files with either bit set with:
  
# find / -type f \( -perm -4000 -o -perm -2000 \) -print
  
Review the list and, for any program owned by root or by the root group that does not need the privilege, either remove the program or strip the bit.
  
To find out which package owns a file, so that the whole package can be removed, run for example:
  
# rpm -q --whatprovides /usr/sbin/kppp
  
and then remove that package with:
  
# rpm -e package-name
  
Alternatively, clear the SUID/SGID bits with chmod, for example chmod u-s,g-s /usr/sbin/kppp. Because package upgrades can reinstall a binary with its bits restored, record the list you accepted and repeat the search after updates.
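The search is most useful when it is repeated and compared with a baseline recorded when the system was reviewed, so that a newly appeared privileged binary stands out. The added example below (not from the article) wraps the find command from this section in that workflow; the baseline path /var/lib/setid.baseline is an assumed location, and the demo runs on throw-away files in a temporary directory rather than on /.

```shell
#!/bin/sh
# Added example (not from the article): audit SUID/SGID files against a baseline.
# Usage on a real host (as root):
#   find_setid / > /var/lib/setid.baseline        # after the initial review
#   audit_setid / /var/lib/setid.baseline          # later: anything new is printed
# /var/lib/setid.baseline is an assumed path.

# find_setid ROOT: sorted list of regular files under ROOT with SUID or SGID set.
# -xdev keeps the search on one filesystem (skip /proc, network mounts).
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# audit_setid ROOT BASELINE: print privileged files not listed in BASELINE.
# BASELINE must be sorted the same way (it is when produced by find_setid).
audit_setid() {
    find_setid "$1" | LC_ALL=C comm -23 - "$2"
}

# drop_setid FILE: remove both bits; equivalent to the article's chmod -s.
drop_setid() {
    chmod u-s,g-s "$1"
}

# Stand-alone demonstration on constructed files, not on the real system.
demo_setid() {
    dir=$(mktemp -d)
    for f in a b c; do printf '#!/bin/sh\n' > "$dir/$f"; done
    chmod 4755 "$dir/a"      # accepted SUID program
    chmod 4711 "$dir/b"      # SUID program that "appeared" after the baseline
    chmod 0755 "$dir/c"      # ordinary executable
    find_setid "$dir" | grep "/a\$" > "$dir/baseline"
    echo "unexpected privileged files:"
    audit_setid "$dir" "$dir/baseline"
    drop_setid "$dir/b"
    rm -rf "$dir"
}

demo_setid
```

Any path the audit prints is either a package upgrade that reinstated a bit, a program a user deliberately made SUID, or an attacker's backdoor; rpm -qf on the path (or the rpm -q --whatprovides query above) tells the first case from the others.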
  
   Follow logs
  
However hard you try, no system is absolutely secure. The remaining measures let you find out whether, and when, the system has been compromised.
  
A common and easily underestimated host-based intrusion detection tool is Tripwire (http://www.tripwire.org). It periodically checks system files against a stored baseline and reports whether they have changed.
  
If an unexpected change is found, Tripwire produces a report for the user. It takes some time to configure properly, but the time is well spent. Take the initial baseline on a freshly installed, known-clean system, and keep the database and signing keys read-only or offline; otherwise an intruder who gains root can simply update the baseline to cover their tracks.
  
The most important source of information about what the system is doing is the log files. On Linux, system logging is handled by the syslogd daemon, configured in /etc/syslog.conf (current distributions typically use rsyslog, configured in /etc/rsyslog.conf, or systemd's journald). The configuration specifies which facilities to log (such as cron, daemon, or mail), which priorities to record (such as debug, info, or warning), and what to do with each message (append it to a log file, write it to the console, or forward it to another host).
  
Logging can also be done remotely, with the messages stored on another system on the network. The advantage is that an intruder who breaks into the system cannot delete the traces already sent to the remote host, which makes the intrusion far easier to reconstruct.
  
Reading the large volume of output from the various log files every day is impractical for most users, so use a tool such as Logwatch (http://www.logwatch.org) instead. It periodically analyses the log files, produces a summary report, and mails it to root.
  
These reports are usually short enough to read daily. Depending on configuration, they highlight events such as failed login attempts or port scans. The configuration file is typically /etc/log.d/conf/logwatch.conf on older installations (/etc/logwatch/conf/logwatch.conf on current ones), and the comments in it make it easy to adjust.
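To make concrete what "highlighting failed login attempts" means, here is an added example (not from the article, and not Logwatch's own code) of the kind of analysis such a report performs: it counts failed SSH logins per source address over sshd's syslog lines and flags any source that eventually authenticated after failing, which is the pattern of a brute-force attempt that succeeded. The log lines in sample_authlog are constructed for the example and use documentation IP ranges.

```shell
#!/bin/sh
# Added example (not from the article): summarise sshd authentication
# failures from syslog-format lines.  sample_authlog is constructed data.
sample_authlog() {
    cat <<'EOF'
Jun  6 03:12:01 host sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Jun  6 03:12:03 host sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Jun  6 03:12:05 host sshd[2205]: Failed password for root from 198.51.100.7 port 50141 ssh2
Jun  6 03:15:40 host sshd[2250]: Accepted publickey for alice from 203.0.113.5 port 41022 ssh2
Jun  6 03:20:11 host sshd[2301]: Failed password for invalid user oracle from 192.0.2.44 port 33000 ssh2
Jun  6 03:20:12 host sshd[2302]: Accepted password for alice from 198.51.100.7 port 50200 ssh2
Jun  6 03:21:00 host su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/0 ruser=bob rhost=  user=root
EOF
}

# failed_ssh_by_source [THRESHOLD]: "IP count" for each source with at least
# THRESHOLD failed SSH logins (default 1), busiest first.  The address is taken
# as the word after "from", so both "for root from" and "for invalid user x from" parse.
failed_ssh_by_source() {
    threshold=${1:-1}
    awk -v t="$threshold" '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# success_after_failures: sources that logged in successfully after one or
# more failures, in log order.  Worth a closer look even at low counts.
success_after_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i+1)]++; break }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") {
                ip = $(i+1)
                if (ip in failed) print ip, "accepted after", failed[ip], "failures"
                break
            }
        }'
}

# Stand-alone run on the sample.  On a live host the input would be
# /var/log/secure (Red Hat) or /var/log/auth.log (Debian), read as root.
echo "Failed SSH logins by source (2 or more):"
sample_authlog | failed_ssh_by_source 2
echo "Successful logins preceded by failures:"
sample_authlog | success_after_failures
```

The threshold keeps a single mistyped password out of the daily report; the second function is the one that matters, because a success after repeated failures from the same address is what an attacker who guessed the password looks like in the log.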
  
Beyond Logwatch, there are many intrusion detection systems to choose from, such as the network IDS Snort (http://www.snort.org); they are easy to find with a search engine.
  
   Efforts are still needed for security
  
System security is not a one-off task; it has to be considered in everything you do. The administrator must keep the system up to date, use strong passwords, set appropriate access levels, read the logs every day, check the Tripwire report, and follow the distribution's mailing list.
  
This article has described the basic, essential steps that every administrator should take. There is of course much more to do; some suggestions follow.
  
1. Never use Telnet, FTP, or any other clear-text remote session to transmit user names and passwords. Use SSH, SFTP, or similar programs only.
  
2. Enforce a strict firewall policy: close all connections by default and open only those you need, as narrowly as possible. For example, if you need to SSH into the system from work, allow SSH only from that source IP address.