Article Title: Linux Security: Step-by-Step Fortification (3)
Author: Ding Wei
NFS service
Network file systems are the basis for file sharing in the Unix world. If you want to restrict shared directories, add NFS restrictions, such as locking down the /etc/exports file and defining the shared directories in advance. If you do not want to share files with users at all, rather than merely restricting user access, modify the NFS startup script: edit the /etc/init.d/nfs file, find the line that starts the daemon, and comment it out.
Many configuration files and commands in the system are sensitive. Tightening their permissions, and adding the read-only attribute where appropriate, avoids some security problems.
chmod 700 /bin/rpm
# NFS shared directory configuration file
chmod 600 /etc/exports
# Host access control files
chmod 600 /etc/hosts.*
chmod -R 751 /var/log
chmod 644 /var/log/messages
# System log configuration file
chmod 640 /etc/syslog.conf
chmod 660 /var/log/wtmp
chmod 640 /var/log/lastlog
chmod 600 /etc/ftpusers
# User password files
chmod 644 /etc/passwd
chmod 600 /etc/shadow
# PAM module configuration directory
chmod -R 750 /etc/pam.d
chmod 600 /etc/lilo.conf
# Terminal configuration file
chmod 600 /etc/securetty
chmod 400 /etc/shutdown.allow
# System access security configuration directory
chmod 700 /etc/security
# Network and system configuration directory
chmod -R 751 /etc/sysconfig
# Super daemon configuration files
chmod 600 /etc/xinetd.conf
chmod 600 /etc/inetd.conf
chmod -R 750 /etc/rc.d/init.d/
chmod 750 /etc/rc.d/init.d/*
# Scheduled job control files
chmod 600 /etc/crontab
chmod 400 /etc/cron.*
# SSH configuration directory
chmod 750 /etc/ssh
# Kernel parameter configuration file
chmod 400 /etc/sysctl.conf
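A permission baseline is only useful if it is verified afterwards, since package upgrades and careless edits quietly reset modes. The script below is an added example, not part of the original article: it reads "MODE PATH" entries such as the ones above and reports any file whose current mode differs, without changing anything. It assumes GNU stat (-c '%a'), checks the article's recursive chmod -R entries at the top level only, and uses /etc/sysctl.conf for the article's "sysctl.confg" typo; the embedded baseline is a constructed subset of the list above.

```shell
#!/bin/sh
# Added example (not from the original article): audit the permission
# baseline instead of re-applying it blindly. Each entry is "MODE PATH";
# the mode reported by stat(1) is compared with MODE and drift is
# reported without modifying anything. Assumes GNU stat (-c '%a').

# check_mode MODE PATH: prints one status line and returns 0 when PATH
# exists with exactly MODE, 1 when the mode differs, 2 when PATH is missing.
check_mode() {
    expected=$1
    path=$2
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 2
    fi
    actual=$(stat -c '%a' "$path")
    if [ "$actual" = "$expected" ]; then
        printf 'OK      %s %s\n' "$path" "$actual"
        return 0
    fi
    printf 'DRIFT   %s expected %s found %s\n' "$path" "$expected" "$actual"
    return 1
}

# audit_baseline: reads "MODE PATH" lines from stdin (blank lines and
# lines starting with # are skipped), checks each one, and returns the
# number of entries that were not OK, so 0 means the host matches.
audit_baseline() {
    bad=0
    while read -r mode path; do
        case "$mode" in ''|\#*) continue ;; esac
        check_mode "$mode" "$path" || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone run over a constructed subset of the article's baseline.
# Recursive (chmod -R) entries are only checked at the top level here.
rc=0
audit_baseline <<'EOF' || rc=$?
# NFS and host access control
600 /etc/exports
600 /etc/hosts.allow
600 /etc/hosts.deny
# password files
644 /etc/passwd
600 /etc/shadow
# scheduled jobs, SSH and kernel parameters
600 /etc/crontab
750 /etc/ssh
400 /etc/sysctl.conf
EOF
echo "entries not matching the baseline: $rc"
```

Run it from cron and mail the output whenever the exit status is non-zero; a MISSING entry is worth investigating too, because it usually means a package was removed or a path differs on that host.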
Use a log server. It is a good idea to keep a copy of each client's log information: set up a server that stores the log files and check the logs there to find problems. Modify the /etc/sysconfig/syslog file on the log server so that syslogd accepts remote log records (-r enables remote reception; -m 0 disables the periodic MARK lines):
/etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"
You should also set up remote log storage on each client. Modify the /etc/syslog.conf file and add a line pointing at the log server; syslog then sends a copy of every message to the log server (the selector and the action are separated by tabs):
/etc/syslog.conf
*.*	@log_server_IP
You can use a color log filter. loco is a color log filter; the current version is 0.32. Run loco /var/log/messages | more to display the log in color, which clearly marks root activity and abnormal commands and reduces mistakes in log analysis.
Check logs regularly. Red Hat Linux provides the logwatch tool, which checks the logs periodically and sends email to the administrator's mailbox. Modify the /etc/log.d/conf/logwatch.conf file and put the administrator's email address after the MailTo = root parameter. Logwatch regularly filters the logs for information such as root, sudo, telnet and ftp logons, which helps the administrator with daily security analysis.
Check the files with suid and sgid bits on the local machine. Files with suid and sgid are quite risky: simply put, an ordinary user runs such a command with superuser privileges, and through it the user may enter the superuser environment directly. Many commands legitimately require suid or sgid. When installing the system, list these commands and keep the list as a standard against which machines with problems can be compared to detect security issues. Besides suid and sgid files, files that belong to no user can also indicate a security problem. The following command saves the list of such files to a file and backs it up so that it can be compared later.
When the administrator manages clients remotely, the command line is often faster than Webmin's convenient browser-based management. Telnet transmits everything in plain text; to prevent sensitive information from being captured by a sniffer, SSH is the best choice. On the first connection, SSH establishes a key between the two communicating machines; subsequent communication is encrypted and a sniffer cannot effectively analyze it. From Linux, the ssh command connects to the other host directly; from Windows, client software is required, and PuTTY is recommended. It can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download; the current version is 0.52. SSH uses TCP port 22. Do not use any of the r-commands, such as rlogin and rcp.
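The command the article refers to is not reproduced on the page, so here is an added example (not the author's command) of the procedure it describes: inventory the setuid/setgid files and the files owned by no known user or group, save that inventory as a baseline taken right after installation, and diff a fresh inventory against it later. It assumes GNU find (-printf, -nouser, -nogroup); ROOT is a parameter so the functions can be exercised on a test tree, and the baseline path /var/lib/suid-baseline is an assumed default.

```shell
#!/bin/sh
# Added example (not the article's own command): baseline and compare
# setuid/setgid files and unowned files. Assumes GNU find.

# list_special ROOT: sorted "MODE UID GID PATH" lines for every setuid or
# setgid regular file under ROOT, staying on the same filesystem.
list_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %U %G %p\n' 2>/dev/null | sort
}

# list_orphans ROOT: paths under ROOT that belong to no user or no group,
# which often means a removed account or a file dropped by something else.
list_orphans() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | sort
}

# save_baseline ROOT FILE: writes both inventories to FILE.
save_baseline() {
    {
        echo "# setuid/setgid files"
        list_special "$1"
        echo "# unowned files"
        list_orphans "$1"
    } > "$2"
}

# compare_baseline ROOT FILE: prints a unified diff between FILE and the
# current state; returns 0 when they match and non-zero when they differ.
compare_baseline() {
    current=$(mktemp)
    save_baseline "$1" "$current"
    diff -u "$2" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

# Stand-alone use: "save" right after installation, "check" from cron.
# BASELINE defaults to an assumed path; keep a copy of it off the host.
case "${1:-}" in
    save)  save_baseline / "${2:-/var/lib/suid-baseline}" ;;
    check) compare_baseline / "${2:-/var/lib/suid-baseline}" ;;
esac
```

Lines added to the diff are new privileged binaries or newly orphaned files; removed lines show binaries that lost their bits, which can also break things such as su or passwd. Keep the baseline on read-only media or on the log server, because a baseline stored only on the host can be edited along with the binaries it is supposed to protect.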
Use safer file transfers
You can use SCP instead of FTP to transfer files. Like SSH, SCP uses a key to create an encrypted channel. WinSCP for Windows can be downloaded from http://winscp.vse.cz/; the current version is 2.0.0 (Build 89). However, when you need to transfer a large number of files, SCP makes the processor spend too many resources on encryption, and you can use ProFTPD instead of the default wu-ftpd service in Red Hat Linux. ProFTPD can be downloaded from http://www.proftpd.org/; the current version is 1.2.4.
Use System snapshots
System snapshots use a database of system files to detect system changes regularly. Tripwire is recommended; the current version is 2.3.1-10. Tripwire's configuration file is comprehensive, but it does not necessarily match your system, so the twpol.txt policy file has to be customized. The customization principle is to install the complete system first, then install tripwire and create a system snapshot with the default policy file; use # to comment out the extra entries reported in the error messages, and then regenerate the database.
rpm -ivh tripwire-2.3.1-10.i386.rpm
# Modify the twpol.txt file to comment out files that do not exist on the system, then start the installation.
/etc/tripwire/twinstall.sh
# The installation asks for the passphrase that protects the key and the passphrase for updating the database.
# Note the key copy operation below. Without it, initialization fails with an error saying the file does not exist.
cp /etc/tripwire/$HOSTNAME-local.key /etc/tripwire/localhost-local.key
# Initialize tripwire and generate the database. The key passphrase is required.
tripwire --init
# Check the system against the snapshot and mail the report to the specified users.
tripwire --check -M
Use host-based Intrusion Detection
IDS helps administrators discover attempts to break through security. In an enterprise, host-based intrusion detection is more important than network-based detection; after all, the enterprise's network is behind the firewall. We recommend snare; the current version is 0.9-1 for Red Hat Linux 7.2, and it can be downloaded from http://www.intersectalliance.com. snare-core is the core daemon and snare is the graphical display program. After the installation is complete, a daemon named audit is created. Snare is concerned with root operations, modification of file permissions, and access to sensitive data, and records them in its logs, so you can use the configuration file to define an intrusion detection log system suited to your own system. The default installation provides a complete configuration that meets general requirements.
Other security tools
Use the Bastille Tool
Bastille is a set of security hardening scripts. Many of the settings above can be done automatically with Bastille. After Bastille has been installed for the first time, BastilleBackEnd can apply a previously prepared configuration file; you customize the security script by editing the /etc/Bastille/config file. Bastille's common configuration does not include the firewall and some other parameters; if you need them, run InteractiveBastille.pl for an interactive setup after installation. Bastille starts a wizard window and, as long as you answer Yes or No to each question, generates a configuration file suited to your system. The Bastille configuration scheme is omitted here.
Use the trojan checking tool
chkrootkit checks the important commands in the system to determine whether they have been replaced. Because it is written on the basis of known trojans and backdoor tools, it should be updated frequently.
Use scheduled program execution
Crontab can reduce the administrator's workload. For example, add regular tripwire and chkrootkit checks and send the results to the administrator's mailbox.
Note: at least one log server should be used, running a different Linux distribution or operating system from the clients. All desktop machines must be inside the firewall, and modem connections to the Internet are not allowed. There should be at least one intrusion detection system with several sensors distributed across the network, and at least two system administrators who back each other up. Do not log on as root directly; do not use telnet for remote logon; document every system change. After all, an ounce of prevention is worth a pound of cure.
The above is only a simple description of basic Linux security settings in the enterprise. If even the basic settings are not in place, the system administrator will be troubled by security issues. There are many more complex security settings not introduced here, such as limiting network interaction and restricting resources. Because we are talking about desktop machines inside the firewall, the security settings of the firewall, email servers, file servers and Web servers are not described, but that does not mean you can rest easy: what is here is only a start and is far from enough. For specific usage and more in-depth configuration, you are welcome to contact the Linux security administrator.