Protect Linux system security from blocking system vulnerabilities

Source: Internet
Author: User

Linux software is written without any unified vulnerability check, so many Linux programs contain vulnerabilities that are hard for the developers themselves to detect. Hackers, however, pay close attention to these vulnerabilities and use them to achieve their own goals. Does that make Linux insecure? You do not have to worry: as long as you take the following measures, you can use a Linux system with peace of mind.

Cancel unnecessary services

In earlier versions of Unix, every network service had its own server program running in the background. Later versions use a single /etc/inetd server program. Inetd is short for Internet daemon. It listens on several network ports at the same time and, as soon as it receives a connection from outside, executes the corresponding TCP or UDP network service.

Because inetd controls them centrally, most TCP and UDP services in Linux are configured in the /etc/inetd.conf file. The first step in cancelling unnecessary services is therefore to review /etc/inetd.conf and put a "#" sign at the start of the line for each service you do not want.

In general, all services other than http, smtp, telnet and ftp should be cancelled, for example the Trivial File Transfer Protocol tftp, the imap/ipop protocols used for storing and retrieving mail over the network, the gopher data-search service, and the daytime and time services used for time synchronization.

Some services report system status, such as finger, efinger, systat and netstat. Although they are useful for diagnosing system errors and looking up users, they also provide a convenient entry point for hackers: the finger service, for instance, reveals users' telephone numbers, home directories and other sensitive information. Many Linux systems therefore cancel all or some of these services to improve security.

Besides the service entries in /etc/inetd.conf, inetd uses the /etc/services file to find the port used by each service. Check the port settings in that file carefully as well to avoid security vulnerabilities.
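An added example (not from the original article) that applies the rule above to a constructed /etc/inetd.conf: it lists the entries that are still active, reports those outside the http/smtp/telnet/ftp allowlist the text names, and shows a "#" being prepended to disable one. The allowlist contents and the sample entries are assumptions.

```sh
#!/bin/sh
# Audit an inetd.conf the way the text describes: an entry is active unless its
# line starts with "#". Constructed sample; on a real host read /etc/inetd.conf.
SAMPLE_INETD_CONF=$(cat <<'EOF'
# constructed sample of /etc/inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#tftp   dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp  nowait  root    internal
#gopher stream  tcp  nowait  root    /usr/sbin/tcpd  gn
EOF
)

# Services the text keeps; everything else should be commented out (assumption).
ALLOWED="http smtp telnet ftp"

# enabled_services CONFIG_TEXT -> names of entries that are not commented out
# (an inetd.conf entry has at least 6 fields: name, type, proto, wait, user, server)
enabled_services() {
    printf '%s\n' "$1" |
        awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# unexpected_services CONFIG_TEXT -> enabled entries outside ALLOWED
unexpected_services() {
    out=""
    for svc in $(enabled_services "$1"); do
        case " $ALLOWED " in
            *" $svc "*) ;;            # allowed, keep it
            *) out="$out$svc " ;;     # still enabled but not wanted
        esac
    done
    printf '%s' "${out% }"
}

# disable_service CONFIG_TEXT NAME -> same config with NAME's line commented out
disable_service() {
    printf '%s\n' "$1" | sed "s/^\($2[[:space:]]\)/#\1/"
}

printf 'Enabled but not in allowlist: %s\n' "$(unexpected_services "$SAMPLE_INETD_CONF")"
```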

Linux services run in two different ways. Some, such as finger, are started only when needed; others run continuously and are never paused. Services of the second kind are started when the system boots, so they cannot be stopped through inetd; instead you modify the scripts in the /etc/rc.d/rc[n].d/ directories or use a runlevel editor. The NFS server, which provides file services, and the news server, which provides NNTP news services, belong to this category. If they are not needed, it is best to cancel them too.

Restrict System Access

Before entering a Linux system, every user must log on, that is, enter a user account and password; only after passing system verification can the user enter the system.

Like other Unix operating systems, Linux traditionally stores encrypted passwords in the /etc/passwd file. Every user on a Linux system can read /etc/passwd, and although the passwords in it are encrypted, this is still not safe: an ordinary user can run a ready-made password-cracking tool against the file to guess passwords. The safer method is to use the shadow file /etc/shadow, which only users with special privileges are allowed to read.

In Linux, using a shadow file requires that all utilities be recompiled to support it, which is troublesome. A simpler method is to use Pluggable Authentication Modules (PAM). Many Linux systems use PAM, an identity-authentication mechanism that lets the authentication methods and requirements be changed dynamically without recompiling other utilities, because PAM encapsulates all authentication-related logic inside its modules. This makes it the best helper for using shadow files.
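An added check (not from the original article) for the shadow-file recommendation above: it flags accounts whose /etc/passwd entry still carries a password hash in the second field instead of the "x" that points to /etc/shadow, and verifies that a shadow file is not world-readable. The passwd text is a constructed sample; the shadow-file check takes a path so it can be pointed at the real /etc/shadow.

```sh
#!/bin/sh
# Check that passwords really live in the shadow file, as the text recommends.
# Constructed sample /etc/passwd text (the "legacy" hash is made up).
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
legacy:$1$abcdefgh$IJKLMNOPQRSTUVWXYZ12345:1001:1001::/home/legacy:/bin/sh
nobody:*:65534:65534::/nonexistent:/usr/sbin/nologin
EOF
)

# accounts_with_local_hash PASSWD_TEXT -> users whose password field holds a
# hash readable by everyone, rather than "x" (shadowed) or a lock marker
accounts_with_local_hash() {
    printf '%s\n' "$1" |
        awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ && $2 != "" { print $1 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# world_readable PATH -> success (0) when "other" has read permission
# (column 8 of "ls -l" output is the read bit for others)
world_readable() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# shadow_file_ok PATH -> success when the shadow file exists and only
# privileged users can read it
shadow_file_ok() {
    [ -e "$1" ] || return 1
    if world_readable "$1"; then return 1; fi
    return 0
}

printf 'Accounts with hashes still in passwd: %s\n' "$(accounts_with_local_hash "$SAMPLE_PASSWD")"
```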

PAM also has many other security features: it can replace the traditional DES password encryption with stronger methods so that user passwords are not easily decrypted; it can set upper limits on each user's use of computer resources; and it can even restrict the times and locations from which a user may log in.

A Linux administrator can install and configure PAM in just a few hours, greatly improving the security of the Linux system and blocking many attacks from outside.
