How to build a Secure Linux Server

How to build a Secure Linux Server
To create a Secure Linux server, you must first understand the meaning of the configuration files related to network services in the Linux environment and how to configure security. In Linux, the TCP/IP network is configured through several text files. You may need to edit these files to complete networking, however, most of these configuration files can be implemented through the linuxconf command (the network configuration can be implemented through the netconf command ). The following describes the basic TCP/IP network configuration file.

*/Etc/conf. modules File

This configuration file defines the parameter information of various modules to be loaded upon activation. This article focuses on the NIC configuration. When using Linux as a gateway, a Linux server must have at least two NICs. To reduce possible problems during activation, the Linux kernel does not automatically detect multiple NICs. If you need to install multiple NICs for a system that does not compile the NIC driver into the kernel but is loaded dynamically as a module, configure the NIC in the "conf. modules" file.

If the device driver is compiled into a module (kernel module): for PCI devices, the module automatically detects all devices installed on the system. For ISA cards, you need to provide the IO address to the module so that the module knows where to find the card. The information is in "/etc/conf. modules.

For example, we have two ISA bus 3c509 cards. One IO address is 0x300, and the other is 0x320. Edit "conf. the modules file is as follows: alias eth0 3c509alias eth1 3c509options 3c509 io = 0x300, 0x320 this indicates that the driver of 3c509 should be loaded with the eth0 or eth1 name respectively (alias eth0, eth1), and they should be loaded with the parameter io = 0x300, 0x320 to notify the driver where to find the NIC, where 0x is indispensable.

For the PCI card, you only need the alias command to associate ethN with the appropriate driver module name. The IO address of the PCI Card will be automatically detected. For the PCI Card, edit "conf. modules file: alias eth0 3c905alias eth1 3c905 if the driver has been compiled into the kernel: when the system is activated, the PCI detection program will automatically find all the related NICs. The ISA card can also be automatically detected. However, in some cases, the ISA card still needs to be configured as follows:

Add the configuration information in "/etc/lilo. conf" by passing the activation parameter information to the kernel through the LILO program. For the ISA card, edit "lilo. in the conf file, add the following content: append = "ether =", eth0 ether = ", eth1" Note: Do not set it to "lilo. add the activation parameter to conf and test your ISA card. If it fails, use the activation parameter again.

If you use the method that passes the activation parameter, eth0 and eth1 are set according to the sequence found during activation.

*/Etc/HOSTNAME file:

This file contains the Host Name of the system, including the full domain name, such:

Deep.openarch.com

*/Etc/sysconfig/network-scripts/ifcfg-ethN file:

In RedHat, the configuration file for the system network device is saved in the/etc/sysconfig/network-scripts directory, the ifcfg-eth0 contains the configuration information for the first Nic, the ifcfg-eth1 contains the configuration information for the second Nic.

The following is an example of the "/etc/sysconfig/network-scripts/ifcfg-eth0" file: DEVICE = eth0IPADDR = 255.255.255.0NETWORK = 208.164.186.0BROADCAST = 208.164.186.255ONBOOT = yesBOOTPROTO = noneUSERCTL = no

If you want to manually modify the network address or add a new network interface to the new interface, you can modify the corresponding file (ifcfg-ethN) or create a new file.

DEVICE = name indicates the name of the physical DEVICE.

IPADDR = addr indicates the IP address assigned to the card

NETMASK = mask indicates the network mask

NETWORK = addr indicates the NETWORK address

BROADCAST = addr indicates the BROADCAST address.

ONBOOT = yes/no whether the card is activated when activated

None

Bootp: Use the bootp protocol

Dhcp: Use the dhcp protocol.

USERCTL = yes/no whether non-root users are allowed to control the device

*/Etc/resolv. conf file:

This file is a configuration file used by the domain name Parser (resolver, a database that resolves IP addresses based on the host name), for example:

Search openarch. comnameserver 208.164.186.1nameserver 208.164.186.2

"Search domainname.com" indicates that when a host name that does not include a full domain name is provided, the suffix of domainname.com is added after the host name; "nameserver" indicates that the host specified by this address is the Domain Name Server when the domain name is resolved. The Domain Name Server is queried according to the order in which the file appears.

*/Etc/host. conf file:

This file specifies how to resolve the host name. Linux uses the parser library to obtain the IP address corresponding to the host name. The following is an example of "/etc/host. conf:

Order bind, hosts

Multi on

Ospoof on

"Order bind, hosts" specifies the host name query order. Here, DNS is required to resolve the domain name and then query the "/etc/hosts" file (or the opposite ).

"Multi on" specifies whether the host specified in the "/etc/hosts" file can have multiple addresses. A host with multiple IP addresses is generally called a multi-point host.

"Nospoof on" indicates that IP address spoofing is not allowed on the server. IP spoofing is a means of attacking system security. By disguising IP addresses as other calculators, you can gain the trust of other calculators.

*/Etc/sysconfig/network File

This file is used to specify the network configuration information on the server. The following is an example:

NETWORK = yesRORWARD_IPV4 = yesHOSTNAME = deep. openarch. comGAREWAY = 0.0.0.0GATEWAYDEV = NETWORK = yes/no whether the NETWORK is configured; FORWARD_IPV4 = yes/no whether IP Forwarding is enabled HOSTNAME = hostname indicates the server host name GAREWAY = gw-ip indicates the IP address GAREWAYDEV = gw-dev gw-dw of the Network Gateway gateway device name, for example, etho

Note: to be compatible with the old software, the "/etc/HOSTNAME" file should have the same host name as HOSTNAME = hostname.

*/Etc/hosts file

When the machine is activated, before the DNS can be queried, the machine needs to query the matching of some host names to IP addresses. The matching information is stored in the/etc/hosts file. Without a Domain Name Server, all network programs on the system query the file to resolve the IP address corresponding to a host name.

The following is an example of a "/etc/hosts" file:

IP Address Hostname Alias127.0.0.1 Localhost Gate. openarch. com208.164.186.1 gate.openarch.com Gate

The leftmost column is the Host IP information, and the middle column is the host name. All the columns that follow are aliases of the host. Once the network configuration file of the machine is configured, the network should be re-activated for the modification to take effect. Use the following command to reactivate the network:/etc/rc. d/init. d/network restart

*/Etc/inetd. conf file

As we all know, as servers, the more open service ports, the more difficult to guarantee system security and stability. Therefore, servers that provide specific services should open the ports necessary to provide services as much as possible, and disable services unrelated to server services, such as a machine that serves as www and Ftp servers, port 80 and port 25 should be opened, and other unrelated services such as finger auth should be turned off to reduce system vulnerabilities.

Inetd, also known as "super server", monitors network request Daemon Processes and calls corresponding service processes to process connection requests based on network requests. Inetd. conf is the configuration file of inetd. The inetd. conf file tells inetd which network ports are monitored and which service is activated for each port. To use Linux in any network environment, the first thing to do is to understand what services the server will provide. Services that are not needed should be disabled. It is best to uninstall them so that hackers will lose some chance to attack the system. View the "/etc/inetd. conf" file to learn about the services provided by inetd. Add a comment (add the # sign at the beginning of a line) to prohibit unnecessary services and send a SIGHUP signal to the inetd process.

Step 1: Change the File Permission to 600.

[Root @ deep] # chmod 600/etc/inetd. conf

Step 2: Make sure that the file owner is root.

[Root @ deep] # stat/etc/inetd. conf

Step 3: edit "inetd. conf file (vi/etc/inetd. conf). Disable all unnecessary services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth, and so on. If you find some services useful, do not disable them. However, if these services are disabled, the system may be more vulnerable to attacks. The content of the changed "inetd. conf" file is shown below:

# To re-read this file after changes, just do a 'killall-HUP inetd' # echo stream tcp nowait root internal # echo dgram udp wait root internal # discard stream tcp nowait root internal # discard dgram udp wait root internal # daytime stream tcp nowait root internal # daytime dgram udp wait root internal # chargen stream tcp nowait root internal # chargen dgram udp wait root internal # time stream tcp nowait root internal # time dgram udp wait root internal # These are standard services. # ftp stream tcp nowait root/usr/sbin/tcpd in. ftpd-l-a # telnet stream tcp nowait root/usr/sbin/tcpd in. telnetd # Shell, login, exec, comsat and talk are BSD protocols.