Article Title: Linux Server Security (Linux technology channel, IT lab China)
I. Hardware protection for Linux servers
During project implementation and while setting up my own website, I found the following to be good solutions against DDoS, SQL injection, cross-site scripting, worms, and hacker scans and attacks:
① Huasai layer-3 firewall + Tiantai web firewall;
② Juniper series firewalls;
If your Linux or FreeBSD front end has no hardware protection, enable the iptables or ipfw firewall. Although they do not defend against DDoS attacks, they help with security protection to some degree. If it is a Windows 2003 server, we recommend enabling its built-in system firewall and disabling ping responses.
We recommend a 64-bit Linux operating system, such as CentOS 5.4. If it is UNIX, we recommend FreeBSD 8.0 (also 64-bit). Pay close attention to server kernel vulnerabilities: many Linux attacks now target the kernel, so make sure the kernel version is 2.6.9 or later.
II. Remotely connecting to your Linux server
For remote connections, we recommend that you allow SSH only from the intranet and deny control from the Internet; this is safer (this step can be done together with the company's network engineers).
If you must use SSH from the Internet, we recommend that you correctly configure the public and private keys of your remote connection tool, such as Xshell or PuTTY. I usually set the root password to 28 or more characters, and we recommend a combination of letters and numbers, for example p@sSw0rdyuhongchun027nagios. In addition, only a few people should know the root password of the important servers; this is set according to the company's permission scheme. If a company's system administrator leaves, the root password must be changed. Anyone who has been using Linux for a long time should know that changing the root password does not affect Linux crontab scheduled tasks (this differs from Windows 2003, where changing the administrator password directly affects the running of scheduled tasks).
III. How to prevent SSH brute-force cracking on Linux servers
My Nagios Internet monitoring server, whose password was "redhat" at the start of testing, had its password changed one day after it was put on the public network; after the environment was fully deployed, I found that many Internet IP addresses were still scanning and probing it. It seems that I don't need to use any tools. I am trying DenyHosts, which everyone recommends; it is a program written in Python 2.3. It analyzes log files such as /var/log/secure and, when it finds the same IP address making repeated SSH password attempts, records that IP address in the /etc/hosts.deny file to block it automatically. DenyHosts official website: http://denyhosts.sourceforge.net
① Check installation conditions
1. First, determine whether the sshd installed on the system supports tcp_wrappers (it does by default); the line of interest in the output is the libwrap one:
# ldd /usr/sbin/sshd
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0046e000)
2. Determine the Python version installed by default:
# python -V
Python 2.3.4
3. If Python 2.3 or later is installed, you can install DenyHosts directly:
# cd /usr/local/src
# wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
# tar zxf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install
The program scripts are installed automatically in /usr/share/denyhosts.
The library files are installed automatically in /usr/lib/python2.3/site-packages/DenyHosts.
denyhosts.py is installed automatically in /usr/bin.
② Set up the startup script
# cd /usr/share/denyhosts/
# cp daemon-control-dist daemon-control
# chown root daemon-control
# chmod 700 daemon-control
# grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
# vi denyhosts.cfg
Modify denyhosts.cfg as needed:
SECURE_LOG = /var/log/secure
# the log file analyzed on RedHat/Fedora Core;
# for other Linux distributions, choose according to the hints in denyhosts.cfg-dist
PURGE_DENY = 30m
# how long a denied host stays in hosts.deny before the entry is purged
DENY_THRESHOLD_INVALID = 1
# number of login failures allowed for invalid users (not listed in /etc/passwd)
DENY_THRESHOLD_VALID = 5
# number of login failures allowed for valid (ordinary) users
DENY_THRESHOLD_ROOT = 3
# number of root login failures allowed
HOSTNAME_LOOKUP = NO
# whether to perform reverse DNS lookups on denied addresses
If you want DenyHosts to start automatically when the system restarts, you also need to make the following setting:
# vi /etc/rc.local
Add the following command:
/usr/share/denyhosts/daemon-control start
③ Start
# /usr/share/denyhosts/daemon-control start
If you want DenyHosts to start automatically after each reboot as a service, you also need the following settings:
# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# chkconfig --add denyhosts
# chkconfig --level 345 denyhosts on
Then you can start it with:
# service denyhosts start
DenyHosts configuration file:
# vi /etc/denyhosts.cfg
SECURE_LOG = /var/log/secure # SSH log file; failed logins are judged from this file
HOSTS_DENY = /etc/hosts.deny # file that controls which hosts may log in
PURGE_DENY = 5m # how long until a denied entry is cleared
BLOCK_SERVICE = sshd # name of the service to block
DENY_THRESHOLD_INVALID = 1 # number of failures allowed for invalid users
DENY_THRESHOLD_VALID = 10 # number of failed logins allowed for ordinary users
DENY_THRESHOLD_ROOT = 5 # number of failures allowed for root logins
HOSTNAME_LOOKUP = NO # whether to perform reverse DNS lookups
DAEMON_LOG = /var/log/denyhosts # DenyHosts's own log file
ADMIN_EMAIL = yuhongchun027@163.com # administrator e-mail address to which reports are sent
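To make the threshold and purge settings in the two configuration files above concrete, here is an added example written for this article (my own code, not DenyHosts's implementation) that re-creates the core decision logic in Python. It parses constructed /var/log/secure lines, counts failed password attempts per source IP in the three categories DenyHosts distinguishes (invalid user, valid user, root), applies DENY_THRESHOLD_INVALID/VALID/ROOT with the values from the first denyhosts.cfg (1, 5 and 3), renders hosts.deny lines for BLOCK_SERVICE, and purges entries older than PURGE_DENY. The sample log lines and the "# added <epoch>" bookkeeping comment are my own assumptions, not DenyHosts's format.

```python
# Simplified re-creation of DenyHosts's decision logic (added example, not DenyHosts's code).
import re
from collections import defaultdict

# Values from the first denyhosts.cfg shown in the article.
DENY_THRESHOLD_INVALID = 1   # user not listed in /etc/passwd
DENY_THRESHOLD_VALID = 5     # ordinary existing user
DENY_THRESHOLD_ROOT = 3      # root
BLOCK_SERVICE = "sshd"
PURGE_DENY = "30m"

# OpenSSH "Failed password" line as written to RedHat-style /var/log/secure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not from a real host).
SAMPLE_SECURE_LOG = """\
Mar  1 10:00:01 autolemp sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4000 ssh2
Mar  1 10:00:03 autolemp sshd[1235]: Failed password for root from 10.0.0.6 port 4001 ssh2
Mar  1 10:00:05 autolemp sshd[1236]: Failed password for root from 10.0.0.6 port 4002 ssh2
Mar  1 10:00:07 autolemp sshd[1237]: Failed password for root from 10.0.0.6 port 4003 ssh2
Mar  1 10:00:09 autolemp sshd[1238]: Failed password for nagios from 192.168.0.20 port 4004 ssh2
Mar  1 10:00:11 autolemp sshd[1239]: Failed password for nagios from 192.168.0.20 port 4005 ssh2
Mar  1 10:00:13 autolemp sshd[1240]: Accepted password for nagios from 192.168.0.20 port 4006 ssh2
"""

# PURGE_DENY units accepted by DenyHosts: seconds, minutes, hours, days, weeks, years.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}


def parse_purge_deny(value):
    """Convert a PURGE_DENY string such as '30m' or '1w' to seconds (empty = never purge)."""
    value = value.strip()
    if not value:
        return 0
    m = re.fullmatch(r"(\d+)\s*([smhdwy])", value)
    if not m:
        raise ValueError("bad PURGE_DENY value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def count_failures(log_text):
    """Return {ip: {'invalid': n, 'valid': n, 'root': n}} from failed-password lines."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        if m.group("invalid"):
            kind = "invalid"
        elif m.group("user") == "root":
            kind = "root"
        else:
            kind = "valid"
        counts[m.group("ip")][kind] += 1
    return dict(counts)


def hosts_to_deny(counts):
    """An IP is denied as soon as any one of the three thresholds is reached."""
    return sorted(
        ip for ip, c in counts.items()
        if c["invalid"] >= DENY_THRESHOLD_INVALID
        or c["valid"] >= DENY_THRESHOLD_VALID
        or c["root"] >= DENY_THRESHOLD_ROOT
    )


def render_hosts_deny(denied, added_at):
    """Build hosts.deny lines. The '# added <epoch>' comment is this example's own
    bookkeeping (an assumption, not DenyHosts's format) so purge_expired() can age entries."""
    lines = []
    for ip in denied:
        lines.append("# added %d" % added_at)
        lines.append("%s: %s" % (BLOCK_SERVICE, ip))
    return "\n".join(lines) + ("\n" if lines else "")


def purge_expired(hosts_deny_text, now, purge_deny=PURGE_DENY):
    """Drop entries older than PURGE_DENY; lines without our bookkeeping are kept verbatim."""
    ttl = parse_purge_deny(purge_deny)
    kept, pending = [], None
    for line in hosts_deny_text.splitlines():
        m = re.fullmatch(r"# added (\d+)", line)
        if m:
            pending = int(m.group(1))
            continue
        if pending is not None and line.startswith(BLOCK_SERVICE + ":"):
            if ttl == 0 or now - pending < ttl:
                kept.extend(["# added %d" % pending, line])
            pending = None
            continue
        pending = None
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    denied = hosts_to_deny(count_failures(SAMPLE_SECURE_LOG))
    text = render_hosts_deny(denied, added_at=1000)
    print(text, end="")  # 10.0.0.5 (one invalid-user failure) and 10.0.0.6 (three root failures)
    print(purge_expired(text, now=1000 + 1800), end="")  # empty: both entries have expired
```

With the sample input, 10.0.0.5 is denied after a single attempt against a non-existent user, 10.0.0.6 after three failed root logins, while 192.168.0.20 (two failures for the existing nagios account, below DENY_THRESHOLD_VALID) is left alone. The real DenyHosts also recognises other sshd log patterns and keeps its own work files; this example covers only the threshold and purge behaviour that the configuration keys above control.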
The following is a small script for fully automatic download and installation (recommended); of course, you must still adjust the configuration file manually after installation. The content of the install_denyhosts.sh script is as follows:
#!/bin/bash
# Download, build and install DenyHosts 2.6, then register it as a service.
set -e
cd /usr/local/src
wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
tar zxf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
# Prepare the control script and a configuration file stripped of comments.
cd /usr/share/denyhosts/
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
# Append (not overwrite) the start command to rc.local.
echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local
# Register it as an init.d service and start it.
cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
chkconfig --add denyhosts
chkconfig --level 345 denyhosts on
service denyhosts start
The following is an example of hosts.deny taking effect:
Connection to 192.168.0.154 closed.
[root@autolemp ~]# ssh 192.168.0.154
root@192.168.0.154's password:
Permission denied, please try again.
root@192.168.0.154's password:
Permission denied, please try again.
root@192.168.0.154's password:
Permission denied (publickey,gssapi-with-mic,password).
The last line is the one that takes effect.