Security is critical for Linux/Unix production servers and is a basic lesson for every system administrator. This article is the fourth in the "Plainly your Linux Server" series. Everything listed below concerns basic Linux server settings, explained in the simplest language possible, especially for novices. If your Linux server has higher security requirements, it is recommended to pair it with a hardware firewall.
1. Hardware protection for the Linux server
In my project implementations and on my own website, I found that the following give good results against DDoS attacks, SQL injection, cross-site scripting, worms, hacker scans and attacks, and so on:
① a three-layer firewall + Tian Tai Web firewall;
② Juniper series firewalls.
If your Linux or FreeBSD front end has no hardware protection, remember to turn on the iptables or IPFW firewall. While they do not protect against DDoS attacks, they are more or less useful for security protection. If it is a Windows 2003 server, it is recommended to turn on the built-in system firewall and disable ping.
A 64-bit Linux operating system such as CentOS 5.4 is recommended, and FreeBSD 8.0 (64-bit) is recommended for UNIX use. Pay close attention to the server's kernel vulnerabilities: many attacks on Linux now target the kernel, so make sure the kernel version is 2.6.9 or later.
2. Remote connection to your Linux server
For remote connections, it is recommended that you only allow SSH from the intranet and deny control from the external network, which is more secure (this can be arranged with the company's network engineers).
If you must SSH in from the external network, it is recommended that you properly configure public and private keys for remote connection tools such as Xshell, PuTTY, and so on. I generally set the root password to more than 28 characters; a combination of letters and numbers is recommended, such as [email protected]. For some important servers only a few people may know the root password, set according to company permissions, and if the company's system administrator leaves, the root password must be changed. People who have used Linux for a long time know that changing the root password does not affect Linux crontab tasks (this is not the same in Windows 2003: if you change the administrator password arbitrarily, it directly affects its scheduled tasks).
3. How to prevent SSH brute-force attacks on a Linux server
My Nagios external network monitoring server had the password redhat when I first started testing it; one day after it was put on the public network the password was changed, which was depressing. Later, after the environment deployment had matured, I found there were still many network IPs scanning and probing it; it seems one cannot do without tools. I tried the recommended DenyHosts, a program written in Python 2.3 that analyzes /var/log/secure and other log files; when the same IP is found making multiple SSH password attempts, it records that IP in the /etc/hosts.deny file to block it automatically. The DenyHosts official website is: http://denyhosts.sourceforge.net
① Check installation prerequisites
1. First determine whether the installed sshd supports tcp_wrappers (it does by default); the relevant line of the output is shown:
# ldd /usr/sbin/sshd
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0046e000)
2. Determine the Python version installed by default:
# python -V
Python 2.3.4
3. If Python 2.3 or later is installed, DenyHosts can be installed directly (note that the archive and directory names are capitalised as DenyHosts):
# cd /usr/local/src
# wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
# tar zxf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install
Program scripts are installed automatically to /usr/share/denyhosts
Library files are installed automatically to /usr/lib/python2.3/site-packages/denyhosts
denyhosts.py is installed automatically to /usr/bin
② Set up the startup script
# cd /usr/share/denyhosts/
# cp daemon-control-dist daemon-control
# chown root daemon-control
# chmod 700 daemon-control
# grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
# vi denyhosts.cfg
Make the appropriate changes in denyhosts.cfg according to your needs. Two of the threshold values are garbled on the page; the upstream DenyHosts defaults are substituted and marked as such:
SECURE_LOG = /var/log/secure      # log file parsed on RedHat/Fedora Core; for other Linux versions choose according to the comments in denyhosts.cfg-dist
PURGE_DENY = 30m                  # how long an entry stays in hosts.deny before it is cleared
DENY_THRESHOLD_INVALID = 5        # allowed logon failures for invalid users (not listed in /etc/passwd); value missing on the page, 5 is the upstream default
DENY_THRESHOLD_VALID = 10         # allowed logon failures for valid (normal) users; value garbled on the page, 10 is the upstream default
DENY_THRESHOLD_ROOT = 3           # allowed root login failures
HOSTNAME_LOOKUP = no              # do not do reverse DNS lookups
If you need DenyHosts to start automatically when the system reboots, set the following:
# vi /etc/rc.local
Add the following command:
/usr/share/denyhosts/daemon-control start
③ Start
# /usr/share/denyhosts/daemon-control start
If you want DenyHosts to start automatically after each reboot, the following settings are required:
# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# chkconfig --add denyhosts
# chkconfig --level 345 denyhosts on
Then you can start it with:
# service denyhosts start
DenyHosts configuration file:
# vi /etc/denyhosts.cfg
SECURE_LOG = /var/log/secure      # ssh log file; blocking decisions are based on this file
HOSTS_DENY = /etc/hosts.deny      # file that controls which hosts may log in
PURGE_DENY = 5m                   # how long a ban lasts before it is cleared
BLOCK_SERVICE = sshd              # name of the service to block
DENY_THRESHOLD_INVALID = 1        # allowed failures for invalid users
DENY_THRESHOLD_VALID = 10         # allowed failures for normal users
DENY_THRESHOLD_ROOT = 1           # allowed root login failures; value garbled on the page, 1 is the upstream default
HOSTNAME_LOOKUP = no              # whether to do reverse DNS lookups
DAEMON_LOG = /var/log/denyhosts   # DenyHosts' own log file
ADMIN_EMAIL = [email protected]    # administrator's email address; reports are mailed here
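To make the blocking logic behind these settings concrete, here is an added example (my own code, not the DenyHosts implementation) that does what the configuration describes: it counts failed sshd password attempts per source IP in the three categories the DENY_THRESHOLD_* keys distinguish (invalid user, valid user, root) and emits hosts.deny entries for any address that reaches its threshold. The log lines, hostnames and addresses are constructed, and the thresholds are the example's own values.

```python
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/secure format DenyHosts parses
# (hostnames and addresses are made up for this example).
SAMPLE_SECURE_LOG = """\
Sep  1 10:00:01 nagios sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Sep  1 10:00:03 nagios sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep  1 10:00:05 nagios sshd[2105]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep  1 10:01:00 nagios sshd[2110]: Failed password for ops from 198.51.100.20 port 40000 ssh2
Sep  1 10:01:30 nagios sshd[2112]: Accepted password for ops from 198.51.100.20 port 40002 ssh2
Sep  1 10:02:00 nagios sshd[2120]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Sep  1 10:03:00 nagios sshd[2130]: Failed password for root from 198.51.100.77 port 42000 ssh2
Sep  1 10:03:02 nagios sshd[2132]: Failed password for root from 198.51.100.77 port 42002 ssh2
Sep  1 10:03:04 nagios sshd[2134]: Failed password for root from 198.51.100.77 port 42004 ssh2
"""

# Example thresholds, keyed like DENY_THRESHOLD_INVALID / _VALID / _ROOT.
THRESHOLDS = {"invalid": 1, "valid": 10, "root": 3}

# "invalid user " is present only when the account does not exist in /etc/passwd.
FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def classify(user, is_invalid):
    """Map a failed attempt to the threshold category DenyHosts distinguishes."""
    if is_invalid:
        return "invalid"
    return "root" if user == "root" else "valid"

def count_failures(log_text):
    """Return {ip: {"invalid": n, "valid": n, "root": n}} from sshd log lines."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)          # successful logins do not match
        if m:
            kind = classify(m.group("user"), bool(m.group("invalid")))
            counts[m.group("ip")][kind] += 1
    return dict(counts)

def hosts_to_deny(counts, thresholds=THRESHOLDS, service="sshd"):
    """Return hosts.deny lines ("sshd: a.b.c.d") for IPs at or above any threshold."""
    denied = []
    for ip in sorted(counts):
        if any(counts[ip][k] >= thresholds[k] for k in thresholds):
            denied.append("%s: %s" % (service, ip))
    return denied

if __name__ == "__main__":
    for entry in hosts_to_deny(count_failures(SAMPLE_SECURE_LOG)):
        print(entry)
```

Running it shows that a single invalid-user failure or three root failures is enough to produce an entry, while the one failure from a normal user stays well under its threshold.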
The following is a fully automatic download-and-install script (recommended); of course, after installation the configuration file still has to be adjusted manually. The contents of install_denyhosts.sh are as follows:
#!/bin/bash
set -e   # stop at the first failed step instead of running the later ones against a missing install
cd /usr/local/src
wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
tar zxf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts/
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local
cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
chkconfig --add denyhosts
chkconfig --level 345 denyhosts on
service denyhosts start
The following is an example of hosts.deny in action (what the blocked client sees):
Connection to 192.168.0.154 closed.
[[email protected] ~]# ssh 192.168.0.154
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-with-mic,password).
Reference: http://os.51cto.com/art/201008/215932.htm
This article is from the "--" blog; please be sure to keep this source: http://57388.blog.51cto.com/47388/1548838
Linux Server--security chapter