Seven steps to protect Linux Server Security

Source: Internet
Author: User

The main consideration when installing a Linux operating system is the security of that system. How do we end up with a secure Linux server? Many administrators new to Linux find it difficult to switch from a point-and-click security configuration interface to one based on complex and unfamiliar text files.
The following seven steps help administrators build more secure Linux servers and significantly reduce the risks they face.
Ask the network administrator of any large organization to compare Linux with other network operating systems (such as Windows NT or Novell). He will probably admit that Linux is the more stable and scalable solution. He may also admit that Linux can be the most difficult system to configure against external attacks.
This experience is quite common: many network administrators who are new to Linux discover that it is hard to switch from a point-and-click security configuration interface to one based on complex and unfamiliar text files. Most administrators fully realize that they need to put barriers in place manually to stop possible intrusions and protect the company's data. In the unfamiliar world of Linux, however, they are not sure whether they are heading in the right direction or even where to start.
That is the purpose of this article. It lists simple steps that help administrators secure Linux and significantly reduce the risks they face. This tutorial covers seven of them, but you can find more in the Linux manual pages and discussion forums.
Protect the root account
The root account (the superuser account) on a Linux system is like a backstage pass at a Rolling Stones concert: it gives access to everything on the system, so it is worth taking extra steps to protect it. First, use the passwd command to set a hard-to-guess password for this account, change it regularly, and limit knowledge of the password to a few key people in the company (ideally only two).
Next, edit the /etc/securetty file to specify the terminals from which root may log in. To keep a root terminal from being left "open", set the TMOUT shell variable so that an inactive root session is logged out after a timeout, and set the HISTFILESIZE variable to 0 so that root's command history file (which may contain confidential information) is not kept. Finally, establish a mandatory policy that this account is used only for specific administrative tasks and that nobody logs in as root for everyday work.
Tip: once these holes are closed, make sure every ordinary user sets a password for their account, and that it is not something easy to guess such as a birthday, a username, or a dictionary word.
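The following script is an added example, not part of the original article: it audits the two root-login settings just described (the /etc/securetty terminal list and the TMOUT / HISTFILESIZE variables in root's profile) against constructed sample files, so it runs without root and without touching real system files.

```shell
#!/bin/sh
# Added example, not from the original article: audit the root-login hardening
# described above against constructed sample files, so it runs without root.
# Assumed inputs: a securetty-style file and a shell profile fragment for root.

# Flag securetty entries other than the physical console or local ttys;
# return 1 if root could log in from a pseudo-terminal or network terminal.
check_securetty() {
    bad=$(grep -v '^#' "$1" | grep -v '^[[:space:]]*$' \
          | grep -Ev '^(console|tty[0-9]+)$' || true)
    if [ -n "$bad" ]; then
        printf 'securetty allows root login on: %s\n' "$bad"
        return 1
    fi
    return 0
}

# Require a positive TMOUT (idle logout) and HISTFILESIZE=0 (no history file);
# both "VAR=value" and "export VAR=value" are recognised.
check_root_profile() {
    tmout=$(sed -n 's/^[[:space:]]*\(export[[:space:]]*\)\{0,1\}TMOUT=\([0-9]*\).*/\2/p' "$1" | tail -n 1)
    hist=$(sed -n 's/^[[:space:]]*\(export[[:space:]]*\)\{0,1\}HISTFILESIZE=\([0-9]*\).*/\2/p' "$1" | tail -n 1)
    rc=0
    if [ -z "$tmout" ] || [ "$tmout" -eq 0 ]; then
        echo 'TMOUT unset or 0: idle root shells never time out'; rc=1
    fi
    if [ "$hist" != "0" ]; then
        echo 'HISTFILESIZE not 0: root command history will be written to disk'; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files).
WORK=$(mktemp -d)
printf 'console\ntty1\ntty2\n' > "$WORK/securetty.good"
printf '# allows root on a pty too\nconsole\ntty1\npts/0\n' > "$WORK/securetty.bad"
printf 'TMOUT=300\nreadonly TMOUT\nexport TMOUT\nHISTFILESIZE=0\n' > "$WORK/profile.good"
printf 'HISTFILESIZE=500\n' > "$WORK/profile.bad"

check_securetty "$WORK/securetty.good" && echo 'securetty.good: ok'
check_securetty "$WORK/securetty.bad" || echo 'securetty.bad: FAIL'
check_root_profile "$WORK/profile.good" && echo 'profile.good: ok'
check_root_profile "$WORK/profile.bad" || echo 'profile.bad: FAIL'
rm -rf "$WORK"
```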
Install a firewall
A firewall filters incoming and outgoing packets and ensures that only packets matching predefined rules reach the system. There are many excellent firewalls for Linux, and the firewall code can even be compiled directly into the kernel. First, use the ipchains or iptables command to define input, output, and forwarding rules for incoming and outgoing packets. Rules can be based on IP addresses, network interfaces, ports, protocols, or a combination of these attributes, and each rule specifies the action to take on a match (accept, reject, and so on). Once the rules are in place, inspect the firewall carefully to make sure it leaves no holes. A sound firewall is the first line of defense against common DDoS attacks.
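An added example (not from the original article) of the rule set this step describes, written for iptables in iptables-restore format: a default-deny INPUT chain with a small, explicit allow list, plus a check function for the "inspect the firewall" step. The administrative network 203.0.113.0/24 and SSH on port 22 are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: emit a default-deny iptables
# ruleset for the step described above, in iptables-restore format.
# Assumptions: the administrative network (203.0.113.0/24 here) and SSH on
# port 22 are placeholders; adjust them for your site.

# Print the ruleset for the given admin network. Nothing is applied here:
# run `gen_ruleset NET | iptables-restore --test` to check the syntax and
# `gen_ruleset NET | iptables-restore` as root to load it.
gen_ruleset() {
    admin_net=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop non-first IP fragments instead of queueing them for reassembly
-A INPUT -f -j DROP
# drop packets the connection tracker considers malformed or out of state
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH sessions only from the admin network, rate-limited
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# rate-limited ping keeps the host diagnosable without inviting floods
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log (rate-limited) and drop everything else
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Inspection step: return 0 only if INPUT defaults to DROP and every ACCEPT
# rule is tied to loopback, a connection state, or a rate limit.
ruleset_is_default_deny() {
    gen_ruleset "$1" | grep -q '^:INPUT DROP' || return 1
    if gen_ruleset "$1" | grep -v '^#' | grep -- '-j ACCEPT' \
        | grep -v -e '-i lo' -e '--ctstate' -e '-m limit' >/dev/null; then
        return 1
    fi
    return 0
}

gen_ruleset 203.0.113.0/24
```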
Use OpenSSH for network transactions
Securing data transmitted over the network is an important issue in client-server architectures. If network transactions are carried out in plain text, an attacker can "sniff" the traffic and obtain confidential information. A secure shell application such as OpenSSH creates an encrypted channel for the transmitted data and closes this hole. Encrypted connections of this kind make it very difficult for an unauthorized party to read the data passing between network hosts.
Disable unnecessary services
After most Linux installations, a variety of services are active, such as FTP, telnet, UUCP, and ntalk. In most cases these services are rarely used, and leaving them running is like leaving a window open for thieves to climb through. You can disable them by removing or commenting out their entries in /etc/inetd.conf or /etc/xinetd.conf and then restarting the inetd or xinetd daemon. In addition, some services (such as database servers) may be started by default at boot; disable these by editing the scripts under the /etc/rc.d/ directory hierarchy. Many experienced administrators disable all system services and leave only the SSH port open.
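An added example, not from the original article, of the inetd.conf edit described above: it comments out the named services in an inetd.conf-style file and lists what is still enabled. The configuration it edits is a constructed copy, never /etc/inetd.conf itself.

```shell
#!/bin/sh
# Added example, not from the original article: disable inetd services by
# commenting out their lines in an inetd.conf-style file, then list what is
# still enabled. It works on a constructed copy, never on /etc/inetd.conf,
# and after editing the real file you still have to restart or HUP inetd.

# Print the service names still active: first field of each non-comment line.
list_enabled() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Comment out every service named after the file. Return 1 if a requested
# service had no active line, so a typo cannot silently leave it running.
disable_inetd_services() {
    conf=$1; shift
    rc=0
    for svc in "$@"; do
        if grep -Eq "^[[:space:]]*$svc[[:space:]]" "$conf"; then
            sed "s/^\([[:space:]]*\)\($svc[[:space:]]\)/\1#\2/" "$conf" > "$conf.tmp" \
                && mv "$conf.tmp" "$conf"
        else
            echo "warning: no active entry for '$svc' in $conf" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configuration (not a real system file).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
uucp    stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i
EOF
disable_inetd_services "$CONF" ftp telnet ntalk uucp
echo "still enabled: $(list_enabled "$CONF")"   # still enabled: ssh
rm -f "$CONF"
```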
Use spam and anti-virus filters
Spam and viruses annoy users and can sometimes cause serious network failures. Linux itself is fairly resistant to viruses, but Windows client computers are more vulnerable, so it is a good idea to install spam and virus filters on the mail server to block suspicious messages and reduce the risk of cascading failures.
First, install SpamAssassin, a first-class open-source tool that uses a variety of techniques to identify and mark spam; it supports per-user whitelists and greylists, which improves accuracy. Next, install user-level filtering based on regular expressions, which can automatically sort the mail arriving in the inbox. Finally, install Clam AntiVirus, a free anti-virus tool that integrates with Sendmail and SpamAssassin and can scan email attachments.
Install an intrusion detection system
An intrusion detection system (IDS) is an early-warning system that helps you understand changes on your network. It can accurately identify (and confirm) attempts to break into the system, at the cost of higher resource consumption and some false alarms. Two well-known IDS tools are worth trying: Tripwire, which tracks file signatures to detect modifications, and Snort, which performs rule-based real-time packet analysis to find and identify probes and attack attempts. Both can send email alerts (and take other actions), which is useful when you suspect your network is under threat and need evidence.
Perform regular security checks
This last step may be the most important for keeping the network secure. Here you play the villain and try to break through the defenses you built in the previous six steps. This gives you a direct and objective evaluation of the system's security and shows which weaknesses you should fix.
Several tools help with this check: try to crack your password file with a password cracker such as Crack or John the Ripper; use nmap or netstat to find open ports; and use tcpdump to examine network traffic. You can also apply publicly known vulnerabilities against your installed programs (web servers, firewalls, and Samba) to see whether you can find a way in. If you can find a way through the barriers, so can others, and you should act immediately to close those holes.
Protecting a Linux server is a long-term task. Completing the preceding steps does not mean you can relax; you also need to maintain your Linux server regularly.
The power of the Linux operating system has attracted many users, so we also need to talk about the Linux firewall. Its security is valued by many users, and you can use the Linux firewall to prevent other hosts from scanning the local machine.
If the enterprise network has a dedicated firewall, similar restrictions can be implemented there. Some enterprises have also deployed intrusion detection systems to actively block suspicious behavior such as nmap scans. However, nmap provides options that can be used against a Linux firewall or intrusion detection system.
Although some administrators question the nmap developers' intention in providing these options, since they are easily exploited by attackers, a tool is neither good nor bad in itself; it depends on how people use it. Some system administrators use these nmap options to improve the security of their network deployment. For example, I like to use them to play games with security software such as firewalls: I pretend to be an attacker and test whether these systems block my attacks or leave traces of me in their logs. From this perspective, you may discover security weaknesses in your enterprise.
There are many such options; space does not permit covering them all, so the following describes some common ones.
1. Fragment packets.
Security devices such as firewalls can filter scan packets, but this filtering is not always reliable. With the -f option, nmap splits the TCP header across several packets, which makes it harder for the packet filter in a firewall or intrusion detection system to filter the TCP packet. In this way nmap scans can play hide-and-seek with these security measures.
When the -f option is used, the 20-byte TCP header is split into three packets: two carry eight bytes of the TCP header each, and the third carries the remaining four bytes. Packet filters used by security devices generally queue all IP fragments for reassembly rather than acting on the fragments directly, and because the packet is fragmented it is difficult for these filters to identify the packet type. The fragments are then reassembled on the host into a valid TCP packet. In most cases these security measures should reject such packets, which also have a considerable impact on the performance of the enterprise network, whether on a firewall or an end device. For example, the firewall on a Linux system has a configuration option that can restrict TCP fragmentation by refusing to queue IP fragments.
Clearly the nmap -f command can deceive firewalls and other security measures, and we can use it to test whether the security software we rely on is really secure. As far as I know, although this risk has been known for many years, not every security product defends against it effectively. Using the -f option therefore helps the system administrator determine whether the chosen security product can cope with this kind of attack. If scanning is blocked on the firewall and nmap -f does not return the expected results, the firewall policy is effective. If, on the contrary, it still returns normal results (possibly after a long time), nmap -f has successfully played with the firewall, and the system administrator should pay attention to the security of the Linux firewall.
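The defender's side of the test described above, as an added example that is not from the original article: once the Linux firewall drops (and logs) IP fragments rather than queueing them, a fragmented scan shows up in the kernel log as a burst of fragment drops from one source. This script counts those per source. It assumes an iptables LOG rule with the prefix "iptables-drop: "; the log lines are constructed and abbreviated, keeping only the fields the check uses.

```shell
#!/bin/sh
# Added example, not from the original article: a defender-side check for the
# fragmentation trick described above. Given kernel log lines produced by an
# iptables LOG rule with prefix "iptables-drop: " (assumed; the sample lines
# below are constructed and abbreviated), count dropped IP fragments per source
# and report sources at or above a threshold, which is what a fragmented scan
# against a fragment-dropping firewall looks like in the logs.

# Fragmented packets show "MF" (more fragments) or "FRAG:<offset>" in the log
# entry; whole packets carry neither. Reads log lines on stdin and prints
# "<count> <source>" for every source with at least $1 fragment drops.
flag_fragment_scanners() {
    awk -v t="$1" '
        /iptables-drop:/ && (/ MF / || /FRAG:/) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); count[src]++ }
        }
        END { for (s in count) if (count[s] >= t) print count[s], s }
    ' | sort -rn
}

# Constructed sample: one host sending three fragments, one host sending a
# single fragment, and an ordinary (unfragmented) SYN to port 23.
SAMPLE_LOG='Mar  3 10:15:01 host kernel: iptables-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TTL=51 ID=4711 MF PROTO=TCP INCOMPLETE [8 bytes]
Mar  3 10:15:01 host kernel: iptables-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 TTL=51 ID=4711 MF FRAG:1 PROTO=TCP
Mar  3 10:15:01 host kernel: iptables-drop: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=24 TTL=51 ID=4711 FRAG:2 PROTO=TCP
Mar  3 10:15:02 host kernel: iptables-drop: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=28 TTL=60 ID=12 MF PROTO=TCP INCOMPLETE [8 bytes]
Mar  3 10:15:03 host kernel: iptables-drop: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=60 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=23 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | flag_fragment_scanners 2   # 3 198.51.100.7
```

On a live system, feed the output of dmesg or the kernel log file to flag_fragment_scanners instead of the sample string.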
2. Scan with a spoofed IP address.
Generally, information about visitors, such as their IP addresses, is recorded on firewalls or client computers. If nmap is used for scanning, the scanning host's IP address is left on the firewall or client host, and leaving this "evidence" is very unfavorable for the scanner. In addition, the system administrator may configure the firewall to allow scanning only from specific IP addresses, so scan packets from other addresses are filtered out. In this case, whether to hide your real identity or to use a combination
