How to enhance Linux Security

Source: Internet
Author: User
It is often said that Linux is safer than Windows. However, no computer connected to a network can be absolutely secure. Just as we regularly check whether the fence around a yard is solid, we also need to maintain and strengthen the operating system regularly. Here, we discuss only several general steps that users can take to strengthen the system.


This article focuses on how to strengthen the system. However, before starting, you need a clear answer to the following three questions: first, what is the purpose of the system; second, what software it needs to run; and third, what vulnerabilities or threats users need to protect against. These three questions form a causal chain: each one is the result of the previous question and the cause of the next.

Starting from scratch

It is entirely possible to harden a system starting from a known secure state, but in practice hardening can also begin with a "naked" system. This gives users the opportunity to re-partition the system disk, and separating all data files from operating system files is a prudent security measure.

The next step is to configure a minimal installation. Of course, you have to boot the system and add the packages needed to get the work done. This step is critical. Why a minimal installation? Because the less code on the machine, the fewer vulnerabilities that can be exploited: no one can exploit vulnerabilities that do not exist, right? You also need to patch the operating system and all applications running on it.

However, note that if someone has physical access to the machine, they can boot the computer from a CD or other media and gain access to the system. Therefore, it is recommended that you configure the system BIOS to boot only from the hard disk and protect this setting with a strong password.

The next step is to compile your own system kernel. Here we should emphasize that it should contain only what you need. Once your customized kernel is built and the system has been restarted into it, the chance of a successful attack on your kernel is greatly reduced. However, the ways to strengthen the system are not limited to this.

Reduce service

Once the slimmed-down system is running, the next step is to ensure that only the services you need are running. Many services have been removed by this point, but many may still be running in the background. You need to look for these services in several locations, such as /etc/init.d and /etc/rc.d/rc.local, and you need to check everything started by cron. You can also use netstat or Nmap to check for listening sockets. For example, services that many users need to disable may include network file systems (samba) and remote access services.

Of course, this cannot be generalized. If you really need a service, try to limit its potential for damage to the rest of the system: run it in its own chroot path, separated from the rest of the file system.
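
The listening-socket check described above can be turned into a repeatable comparison against an allowlist of ports. This is an added example, not part of the original article; the function names, the allowlist and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening sockets whose port is not on an allowlist.
# Input is `netstat -tuln`-style text on stdin, so it also works offline.

# unexpected_listeners "22 68" < netstat_output
# Prints "proto local_address" for every listener on a port not allowed.
unexpected_listeners() {
    awk -v allowed=" $1 " '
        # Socket rows only: tcp, tcp6, udp or udp6 in the first column.
        $1 ~ /^(tcp|udp)6?$/ {
            # TCP rows must be in LISTEN state; UDP rows have no state.
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            port = $4
            sub(/^.*:/, "", port)      # keep what follows the last colon
            if (index(allowed, " " port " ") == 0)
                print $1, $4
        }'
}

# Constructed sample of `netstat -tuln` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Only SSH (22) and the DHCP client (68) are expected on this sample host,
# so the Samba ports 137, 139 and 445 are reported.
sample_netstat | unexpected_listeners "22 68"
```

On a live host, pipe the real output in instead: `netstat -tuln | unexpected_listeners "22"`.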

Pay attention to permissions

As a user or administrator, you must ensure that no user can execute unnecessary programs or open unnecessary files. Administrators should audit the entire system and reduce the permissions on each file to the minimum. The goal is that no one can read or write files that have nothing to do with them. In addition, all sensitive data should be encrypted.
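
A permission audit of this kind usually starts by listing the files whose mode grants more than intended. The following is an added example, not part of the original article; the function names and the throwaway directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files whose mode deserves review in a permission audit.

# world_writable DIR: regular files any user can modify, plus directories
# that are world-writable without the sticky bit (anyone may delete entries).
world_writable() {
    find "$1" -xdev \( \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \) -print 2>/dev/null | sort
}

# setid_files DIR: setuid or setgid files, which run with the owner's or
# group's privileges no matter who starts them.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | sort
}

# tighten FILE: remove group and other write access, change nothing else.
tighten() { chmod go-w "$1"; }

# Constructed fixture: a throwaway tree containing one of each finding.
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/drop" "$d/tmp"
    : > "$d/notes.txt";  chmod 644  "$d/notes.txt"    # fine
    : > "$d/shared.cfg"; chmod 666  "$d/shared.cfg"   # world-writable file
    : > "$d/helper";     chmod 4755 "$d/helper"       # setuid bit set
    chmod 777  "$d/drop"                              # no sticky bit
    chmod 1777 "$d/tmp"                               # sticky, like /tmp
    echo "$d"
}

# Run the audit on the fixture, then clean up.
t=$(demo_tree) && {
    echo "world-writable:"; world_writable "$t"
    echo "setuid/setgid:";  setid_files "$t"
    rm -rf "$t"
}
```

On a real system, point the functions at a mount point such as `/` and review each result before changing it; some setuid programs and sticky world-writable directories are legitimate.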

Further, administrators must ensure that they have a secure root password. The fewer people who know the password, the better; only in this way can they ensure that no one accesses an account they should not. We also need to keep user login information up to date and adhere to password expiration times and other policies. In addition, removing preinstalled accounts, or at least changing their default passwords, is also a sensible practice.

Security is a process rather than a one-time task. This means that administrators should monitor and further strengthen the system. In particular, they must monitor system logs and patch the system as quickly as possible. We also need to pay attention to security advisories so that we can respond to the latest vulnerabilities as soon as possible. This article therefore does not fully address Linux security, but shows users some of the possibilities for strengthening the system.

If you are a Linux user or administrator, you should take some steps to make your system safer, but this may reduce system efficiency. So the key is to find an appropriate balance.
