Article Title: Linux security management: 10 key points
Author: Cao jianghua
Linux has powerful networking capabilities, and its TCP/IP implementation is among the best available. It fully supports the current TCP/IP protocol suite and also supports the next-generation Internet protocol, IPv6. A large share of the machines connected to the Internet run Linux. But Linux is a multi-user system, and attackers who want to hide their own origin often pick a Linux machine as their first target, then use it as a staging point for illegal activity such as launching DoS attacks, running IRC bots, or distributing illegal software. As Linux users, we therefore always need to guard against attack. The following ten suggestions will make your Linux system more secure.
Disable useless ports
Every network connection goes through an open application port. The fewer ports we leave open, the less an attack has to work with, which greatly reduces an attacker's chance of success.
First check your inetd.conf file. inetd listens on certain ports to provide the necessary services; if someone replaces it with a specially crafted inetd daemon, that is a security risk. In inetd.conf, comment out the services you will never use (such as echo, gopher, rsh, rlogin, rexec, talk, ntalk, pop-2, and finger). Note: unless absolutely required, comment out rsh, rlogin, and rexec. For telnet, we recommend using the more secure ssh instead. Then kill the inetd process so the change takes effect: inetd no longer listens on those ports, so nobody can use them to hijack your application ports. It is also a good idea to download a port scanner and scan your own system; if you find an open port you don't recognize, immediately find the process using it and decide whether to close it.
Delete unused software packages
During system planning, the general principle is to remove every service that is not needed. By default Linux is a powerful system that runs many services, but many of them are not required and can create security risks. The relevant file is /etc/inetd.conf, which defines the services that /usr/sbin/inetd listens for. You may need only two of them, telnet and ftp; the others, such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth, should all be disabled unless you really want to use them.
We also recommend disabling the following three services, which have had vulnerabilities: S34yppasswdd (NIS server), S35ypserv (NIS server), and S60nfs (NFS server).
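The inetd.conf clean-up described in the two points above, as an added shell example that is not from the original article: it lists the risky services still enabled in a copy of inetd.conf and writes a hardened copy with those lines commented out. The sample file and the RISKY_SERVICES list are constructed from the service names the article gives; shell, login and exec are the names inetd.conf actually uses for rsh, rlogin and rexec.

```shell
#!/bin/sh
# Added example (not from the article): audit an inetd.conf for services the
# article says to disable, and produce a copy with those lines commented out.
# The sample file below is constructed; it is not taken from any real host.
SAMPLE_INETD_CONF='# service type    proto  wait    user    server           args
ftp      stream  tcp    nowait  root    /usr/sbin/tcpd   in.ftpd -l -a
telnet   stream  tcp    nowait  root    /usr/sbin/tcpd   in.telnetd
#shell   stream  tcp    nowait  root    /usr/sbin/tcpd   in.rshd
login    stream  tcp    nowait  root    /usr/sbin/tcpd   in.rlogind
exec     stream  tcp    nowait  root    /usr/sbin/tcpd   in.rexecd
finger   stream  tcp    nowait  nobody  /usr/sbin/tcpd   in.fingerd
pop-3    stream  tcp    nowait  root    /usr/sbin/tcpd   ipop3d'

# Services the article recommends disabling, plus the inetd.conf names that
# the r* daemons actually use (rsh=shell, rlogin=login, rexec=exec).
RISKY_SERVICES="echo gopher rsh rlogin rexec shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Print each risky service that is still enabled in the inetd.conf given as $1.
list_risky_services() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment (already disabled) or blank
        ($1 in bad) { print $1 }
    ' "$1"
}

# Write to stdout a copy of inetd.conf $1 with every risky service commented out.
disable_risky_services() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        !/^[ \t]*#/ && ($1 in bad) { print "#" $0; next }
        { print }
    ' "$1"
}

# Demonstration on the constructed sample (a real run would use /etc/inetd.conf,
# then signal inetd with HUP or restart it so the change takes effect).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_INETD_CONF" > "$demo"
echo "risky services still enabled:"
list_risky_services "$demo"
echo "hardened inetd.conf:"
disable_risky_services "$demo"
rm -f "$demo"
```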
Do not set the default route
On a host, strictly avoid the default route (the route used for any destination not otherwise listed). We recommend configuring a route for each subnet or CIDR block instead; otherwise other machines may find a way to reach the host.
Password Management
In general a password should be no shorter than 8 characters, should mix uppercase and lowercase letters, digits and symbols in no predictable pattern, and should never be an English word or phrase. Every user's password should also be changed regularly. Password protection also means protecting the /etc/passwd and /etc/shadow files: only the system administrator should be able to access these two files. Installing a password-filtering tool such as npasswd helps you check whether your passwords can withstand an attack; if you have not installed one yet, we recommend doing so now. If you are a system administrator and have no password-filtering tool on your system, immediately check whether any user's password can be recovered by exhaustive search, that is, run such a search against your /etc/passwd file. Force the owners of weak passwords to change them, or simply lock their accounts.
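The rules above as an added shell example, not code from the article or from npasswd: a policy check for a candidate password, and a permission check for a file that should be readable by its owner only, as /etc/shadow should be. The WORDLIST is a small constructed stand-in for a real dictionary file.

```shell
#!/bin/sh
# Added example (not from the article): check a candidate password against the
# rules in the "Password Management" point, and check that a password file is
# not readable by anyone but its owner. The word list is a constructed stand-in
# for a real dictionary such as the one a password-filtering tool would use.
WORDLIST="password secret welcome letmein dragon summer linux admin"

# Print "ok" and return 0 if the password passes every rule; otherwise print
# the first rule it fails and return 1.
check_password_policy() {
    pw=$1
    if [ "${#pw}" -lt 8 ]; then echo "too short (need 8+)"; return 1; fi
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; return 1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no symbol"; return 1 ;; esac
    # Dictionary rule: keep only the letters, lower-case them, and reject if
    # what remains is a word in the list ("Password1!" reduces to "password").
    core=$(printf '%s' "$pw" | tr -cd '[:alpha:]' | tr '[:upper:]' '[:lower:]')
    for w in $WORDLIST; do
        if [ "$core" = "$w" ]; then echo "based on dictionary word '$w'"; return 1; fi
    done
    echo "ok"
    return 0
}

# Return 0 if file $1 grants any permission to group or other (wrong for
# /etc/shadow, which should be owner-only), 1 if it is owner-only.
group_or_other_can_access() {
    bits=$(ls -ld "$1" | cut -c5-10)
    case $bits in ------) return 1 ;; *) return 0 ;; esac
}

# Demonstration with constructed candidates.
for candidate in 'Xk7$pq2Mw!' 'Password1!' 'Ab1!'; do
    printf '%-12s %s\n' "$candidate" "$(check_password_policy "$candidate")"
done
```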
Partition Management
An attack often begins with a buffer overflow. Over the past few years, buffer overflows have been the most common form of security vulnerability, and worse, they account for the vast majority of remote network attacks. Such an attack can easily give an anonymous Internet user partial or complete control of a host!
To guard against this kind of attack, pay attention at installation time. If the root partition holds data such as log files and mail, a denial-of-service attack can generate a huge volume of logs or junk mail and fill the root partition, crashing the system. We therefore recommend creating a separate partition for /var to hold logs and mail, so the root partition cannot overflow. It is best to give a separate partition to any special application, particularly programs that generate large volumes of logs. We also recommend a separate partition for /home, so that users cannot fill up the / partition; this avoids a class of malicious attacks that work by filling a Linux partition.
Use the .rhosts file with caution
The .rhosts file lists the hosts and user names that may access the system remotely without further checks. When you connect with telnet or one of the r* commands (such as rlogin and rcp), the system first checks whether your host name and user name appear in .rhosts; if they do, you are let in without entering a password. Once an attacker has broken into your system, he will leave a back door for free access later, and writing his own host name and user name into .rhosts is all it takes.
We therefore need to check our .rhosts files regularly. If an unfamiliar host name and user name appear in the file, delete them immediately, and report them to that host's service provider to warn them about the activity.
Log Management
Log files continuously record the running state of your system, and an intruder's activity ends up in them, which is why attackers often modify log files to hide their tracks. We therefore need to restrict access to the files under /var/log and prevent ordinary users from viewing them.
In addition, we can install an ICMP/TCP log manager such as iplogger to watch for suspicious repeated connection attempts (such as an ICMP flood or similar). Be wary of logins from unknown hosts.
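Two checks for this point, as an added shell example that is not from the article or from iplogger: a count of connection attempts per source host over tcpd-style log lines, and a listing of log files that ordinary users could read. The log lines are constructed for the example; the host names, addresses and thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): two checks for the "Log Management"
# point. noisy_hosts flags source hosts that made many connection attempts, the
# kind of pattern iplogger-style tools show; logs_readable_by_others lists log
# files that ordinary users could read. The log lines are constructed in the
# "connect from" form tcpd writes and do not come from any real host.
SAMPLE_LOG='Mar  3 02:14:07 gw in.telnetd[1204]: connect from 10.0.0.7
Mar  3 02:14:09 gw in.telnetd[1205]: connect from 10.0.0.7
Mar  3 02:14:11 gw in.ftpd[1206]: connect from 10.0.0.7
Mar  3 02:14:12 gw in.telnetd[1207]: connect from 192.168.1.20
Mar  3 02:14:15 gw in.rlogind[1208]: refused connect from 10.0.0.7
Mar  3 02:15:40 gw login[1210]: ROOT LOGIN ON tty1'

# Print "count host", busiest first, for every source host with at least $2
# connection attempts in log file $1. Refused attempts count: they are probes too.
noisy_hosts() {
    awk -v min="$2" '
        /connect from/ { src[$NF]++ }
        END { for (h in src) if (src[h] >= min) print src[h], h }
    ' "$1" | sort -rn
}

# Print files under log directory $1 that group or other may read; the article's
# goal for /var/log is that ordinary users cannot read the logs at all.
logs_readable_by_others() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print | sort
}

# Demonstration on the constructed log.
log=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$log"
echo "hosts with 3 or more connection attempts:"
noisy_hosts "$log" 3
rm -f "$log"
```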
Terminate ongoing attacks
If, while checking the log files, you find a user logging in from a host you don't recognize, and you are sure that user has no account on this host, you may be under attack. First, lock the account immediately (in the password file or the shadow file, put a character such as a leading ! in front of the user's password hash). If the attacker is still connected to the system, immediately disconnect the host's physical network connection. If possible, check the user's history further to see whether other users have been impersonated and whether the attacker has obtained root privileges. Kill all of the user's processes and add the attacking host's IP address or address mask to the hosts.deny file.
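The containment steps above as an added shell example, not code from the article: lock the account by prefixing its shadow hash, add the host to hosts.deny, and kill the user's processes. The functions take file paths as arguments so they can be rehearsed on copies; the shadow contents, user name and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the article): the containment steps from "Terminate
# ongoing attacks" as functions that act on whatever file paths they are given,
# so they can be rehearsed on copies. In real use they run as root against
# /etc/shadow and /etc/hosts.deny. The shadow contents below are constructed.
SAMPLE_SHADOW='root:$1$aaaa$constructedhash:11000:0:99999:7:::
alice:$1$bbbb$constructedhash:11000:0:99999:7:::
intruder:$1$cccc$constructedhash:11000:0:99999:7:::'

# Lock account $2 in shadow file $1 by prefixing its hash with "!" (the same
# change passwd -l makes): no password matches any more, but the original hash
# is kept for later analysis. Safe to call twice; the "!" is added only once.
lock_account() {
    awk -F: -v OFS=: -v user="$2" '
        $1 == user && $2 !~ /^!/ { $2 = "!" $2 }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Add "ALL: host" to hosts.deny file $1 unless it is already there. $2 may be a
# single address or an address mask such as 10.0.0. (tcpd's prefix form).
deny_host() {
    grep -qxF "ALL: $2" "$1" 2>/dev/null || printf 'ALL: %s\n' "$2" >> "$1"
}

# End the intruder's sessions: kill every process owned by user $1.
# (Not called in the demonstration below, since it needs root and a real user.)
kill_user_processes() {
    pkill -KILL -u "$1"
}

# Demonstration on temporary copies.
shadow=$(mktemp); printf '%s\n' "$SAMPLE_SHADOW" > "$shadow"
deny=$(mktemp)
lock_account "$shadow" intruder
deny_host "$deny" 10.0.0.7
echo "shadow after locking intruder:"; cat "$shadow"
echo "hosts.deny:"; cat "$deny"
rm -f "$shadow" "$deny"
```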
Defense against attacks
If there are attackers close at hand, they are hard to keep out; they can even obtain root as follows: boot the machine from a boot disk, mount your hard disk, change the root password, and reboot. Now the attacker has the root password and you, the administrator, are locked out. The simplest way to avoid this is to change the machine's BIOS configuration so that the hard disk is first in the boot order, and set a BIOS password.
Patch Problems
You should regularly visit the home page of the distributor of the Linux system you installed to look for the latest patches. For Red Hat, for example, patches can be found at http://www.redhat.com/corp/support/errata. Red Hat versions after 6.1 include an automatic update tool, up2date, which determines which rpm packages need upgrading and then downloads and installs them automatically from the Red Hat site.