Basic LINUX security management skills
Source: China Information Station, http://www.cnxxz.net   Author: greenice
As a free and open-source operating system, Linux is becoming more and more popular with users thanks to its efficiency and stability, and I believe it will spread even faster in the near future. Although Linux and Unix are very similar, there are still many important differences between them, and for system administrators who are used to UNIX or Windows, keeping a Linux system secure and reliable brings new challenges. This article introduces some basic Linux security management skills, and I hope it is useful.
I want to start with the security configuration of the system itself. In my view an administrator must make full use of the security mechanisms the system provides and tap the system's own potential in order to run a server efficiently and securely. I am not opposed to firewalls and other tools, but it is like people: we can disinfect and wear masks, yet nothing beats being physically strong and having our own antibodies. Linux is a free operating system with fully open source code and great potential for development; a competent administrator can even tailor the kernel to the needs of a server. Here, though, we will only cover some basic but practical configuration skills.
I. LILO Security Settings
LILO (Linux Loader) is the boot loader that starts Linux. It is configured through the "/etc/lilo.conf" file. Add two parameters to that file, restricted and password, so that LILO demands a password at boot time (with restricted, the password is only required when boot options such as "single" are typed at the LILO prompt; an unattended default boot proceeds without it).
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00          # set to 00 so the system boots Linux immediately instead of waiting
message=/boot/message
linear
default=linux
restricted          # add this line
password=<your-password>   # add this line and set your own password
image=/boot/vmlinuz-2.4.2-2
label=linux
root=/dev/hda6
read-only
Because "/etc/lilo.conf" now contains a plaintext password, make it readable by root only:
# chmod 0600 /etc/lilo.conf
Use the "chattr" command to make "/etc/lilo.conf" immutable:
# chattr +i /etc/lilo.conf
This protects the "/etc/lilo.conf" file (the same method can be used to protect other files). To make the new lilo.conf take effect, run
# /sbin/lilo -v
to update the boot map.
II. Password Security
Passwords can be said to be the first line of defense of the system. Most intrusions on the network today begin with password guessing or password interception, so password security is critical.
First, you must make sure there are no accounts without passwords. Check by viewing the /etc/passwd file. For example, if there is an account named "test" with no password set, the following line appears in /etc/passwd:
test::100:9::/home/test:/bin/bash
The second field is blank, which means the account test has no password. This is very dangerous: delete such accounts or set a password for them.
Secondly, in earlier versions of Linux the /etc/passwd file itself contained the encrypted passwords, which is a great security risk: since /etc/passwd is world-readable, the simplest attack is to run a brute-force cracker (for example John the Ripper) against the hashes. Use the commands /usr/sbin/pwconv and /usr/sbin/grpconv to create the /etc/shadow and /etc/gshadow files; the encrypted passwords are then removed from /etc/passwd and stored in /etc/shadow, which is readable only by root.
Third, change the shell of some system accounts, such as uucp, ftp, and news, and of accounts that only need FTP access. Do not give them an interactive shell such as /bin/bash or /bin/sh; set their shell in /etc/passwd to /bin/false or /dev/null instead (leaving the field empty is not safe, because login then falls back to /bin/sh), or run usermod -s /dev/null username to change the shell of username to /dev/null. With such a shell these accounts cannot be used to log in remotely via Telnet.
Fourth, change the default minimum password length. When Linux is installed, the default minimum password length is 5 bytes, which is not enough; set it to 8. To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
The login.defs file is the configuration file of the login program.
Finally, do not forget to give the root account a strong password of more than 8 characters, preferably including special characters.
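As an added example (not part of the original article), a small POSIX shell audit that applies the checks above to a passwd file: empty password fields, extra UID 0 accounts, and system accounts that still have an interactive shell. The sample passwd content is constructed; on a real host you would run audit_passwd /etc/passwd.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd (not from a real system). It contains the
# problems described above: an empty password field ("test"), a second UID 0
# account ("backdoor"), and a system account with an interactive shell ("uucp").
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
test::100:9::/home/test:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
news:x:9:13:news:/etc/news:/bin/false'

# audit_passwd FILE: print one finding per line as TAG:user.
#   MALFORMED       fewer than the 7 colon-separated fields passwd requires
#   EMPTY_PASSWORD  field 2 is blank, so no password is needed to log in
#   EXTRA_UID0      a UID 0 account other than root
#   SYSTEM_SHELL    a system account (UID below 100, not root) whose shell is
#                   not /bin/false, */nologin or /dev/null; an empty shell field
#                   also counts, because login then falls back to /bin/sh
audit_passwd() {
    awk -F: '
        NF < 7                  { printf "MALFORMED:%s\n", $0; next }
        $2 == ""                { printf "EMPTY_PASSWORD:%s\n", $1 }
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0:%s\n", $1 }
        $3 < 100 && $1 != "root" && $7 != "/dev/null" &&
        $7 !~ /\/(false|nologin)$/ { printf "SYSTEM_SHELL:%s\n", $1 }
    ' "$1"
}

# Demo on the constructed sample; the report is empty on a clean passwd file.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_file"
audit_passwd "$demo_file"
rm -f "$demo_file"
```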
III. Login Security
1. Automatically log out idle accounts. In Unix systems the root account has the highest privileges. If the system administrator forgets to log out of root before leaving the terminal, that is a major security risk, so the system should log the account out automatically. You can implement this through the "TMOUT" parameter, which is measured in seconds. Edit the profile file (vi /etc/profile) and add the following line after the "HISTFILESIZE=" line:
TMOUT=300
300 means 300 seconds, that is, 5 minutes. If a logged-in user does nothing for five minutes, the system automatically logs the account out. You can also put this value into an individual user's ".bashrc" file so that it applies to that user only. After changing this setting you must log out and log back in before it becomes active.
2. Use PAM (Pluggable Authentication Modules) to control who may use the su command to become root. su (Substitute User) lets you become another existing user on the system. If you do not want anyone to become root with su, or want to restrict su to certain users, edit the su configuration file in the "/etc/pam.d/" directory (vi /etc/pam.d/su) and add the following two lines at the beginning:
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so group=wheel
This means that only members of the "wheel" group (GID 10) can use su to become root. To let a user use su to become root, add that user to the "wheel" group, for example with usermod -G wheel username (note that -G replaces the user's supplementary group list, so include any other groups the user needs).
IV. Console Access Security
1. Remove console access privileges from normal users. Ordinary users should not be allowed to run console programs such as shutdown, reboot, and halt from the console:
# rm -f /etc/security/console.apps/<program>
where <program> is the name of the program whose console access you want to remove.
2. Do not allow root login from arbitrary consoles. The "/etc/securetty" file defines which TTY devices root may log in from. Edit the "/etc/securetty" file and comment out, with a "#", every TTY device from which root should not be able to log in; leave uncommented only those where root login is permitted.
The /etc/inittab file contains the following paragraph:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
By default the system provides six virtual consoles (Alt+F1, Alt+F2, ...). Adding a "#" in front of lines 3, 4, 5, and 6 comments them out, leaving only two consoles available, which is a sensible number to keep. Tell init to reread the file (for example with /sbin/init q) and the change takes effect.
V. Service Security
Disable all unused services and you will have less to worry about. Check the "/etc/inetd.conf" file and comment out (add a "#" in front of) every service you do not need, then send a SIGHUP to inetd so that it rereads "inetd.conf".
Step 1:
Change the permissions of "/etc/inetd.conf" to 600 so that only root can read and write the file:
# chmod 600 /etc/inetd.conf
Step 2:
Confirm that the owner of the /etc/inetd.conf file is root.
Step 3:
Edit /etc/inetd.conf (vi /etc/inetd.conf) and disable the following services if you do not need them: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on. Disabling unnecessary services significantly reduces the system's exposure.
Step 4:
Send a HUP signal to the inetd process:
# killall -HUP inetd
Step 5:
Use the chattr command to make /etc/inetd.conf immutable so that nobody can modify it:
# chattr +i /etc/inetd.conf
This prevents any modification of inetd.conf, accidental or otherwise; only root can remove the attribute. If you need to modify inetd.conf later, first remove the immutable attribute:
# chattr -i /etc/inetd.conf
Also set the immutable attribute on "/etc/services" to prevent unauthorized deletion or addition of services:
# chattr +i /etc/services
Do not forget to make these files modifiable again before editing them in the future.
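As an added example (not from the original article), a POSIX shell helper for steps 3 and 4: it lists the services still enabled in an inetd.conf file and comments out the ones you name, editing through a temporary copy. The inetd.conf content is a constructed sample, not a real host's file.

```shell
#!/bin/sh
# Constructed sample inetd.conf (not copied from any real host). Lines that
# begin with "#" are already disabled; "ssh" stands in for a service to keep.
SAMPLE_INETD='# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i'

# enabled_services FILE: names of the services whose lines are still active.
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# disable_services FILE SERVICE...: comment out each listed service that is
# still enabled in FILE (the edit goes through a temporary copy) and print
# the names that were actually disabled.
disable_services() {
    file=$1; shift
    for svc in "$@"; do
        if enabled_services "$file" | grep -qx -- "$svc"; then
            awk -v s="$svc" '$1 == s { $0 = "#" $0 } { print }' "$file" > "$file.tmp" &&
                mv "$file.tmp" "$file"
            echo "$svc"
        fi
    done
}

# Demo on the constructed sample. On a real host, after editing
# /etc/inetd.conf this way, run "killall -HUP inetd" so inetd rereads it.
UNNEEDED="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_INETD" > "$demo_file"
echo "disabled: $(disable_services "$demo_file" $UNNEEDED | tr '\n' ' ')"
echo "still enabled: $(enabled_services "$demo_file" | tr '\n' ' ')"
rm -f "$demo_file"
```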
VI. Other Comprehensive Security Settings
1. TCP_WRAPPERS
TCP wrappers protect your system against external intrusion. The best policy is to deny all hosts (add "ALL: ALL@ALL, PARANOID" to the "/etc/hosts.deny" file) and then list every host that is allowed access in the "/etc/hosts.allow" file.
Step 1:
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following line:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This blocks all services from all addresses unless the connecting host is listed in the allowed-hosts file.
Step 2:
Edit the hosts.allow file (vi /etc/hosts.allow) and add the hosts that are allowed access, for example:
ftp: 202.54.15.99 foo.com
Here 202.54.15.99 and foo.com are the IP address and host name allowed to use the ftp service (the first field must match the daemon name as tcpd sees it, which on many systems is in.ftpd rather than ftp).
Step 3:
tcpdchk is the tcpd wrapper configuration checker. It examines your TCP wrapper settings and reports the potential and actual problems it finds. After configuring, run:
# tcpdchk
2. Modify the "/etc/host.conf" file.
"/etc/host.conf" describes how addresses are resolved. Edit it (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check IP address spoofing.
nospoof on
The first setting resolves names through DNS first and then through the hosts file. The second setting allows a host in "/etc/hosts" to have multiple IP addresses (for example, multiple Ethernet interfaces). The third setting makes the resolver check for IP address spoofing: a host name is rejected if its reverse lookup and forward lookup do not agree.
3. Shell logging
The Bash shell keeps the last 500 commands in "~/.bash_history" ("~/" denotes the user's home directory), which makes it convenient to recall long commands. Every user with an account on the system has a ".bash_history" file in their home directory. Bash should keep only a small number of commands, and the history should be deleted each time the user logs out.
Step 1:
The "HISTFILESIZE" and "HISTSIZE" lines in "/etc/profile" determine how many old command lines the ".bash_history" file of every user can hold. We strongly recommend setting "HISTFILESIZE" and "HISTSIZE" in "/etc/profile" to a small number, such as 30. Edit the profile file (vi /etc/profile) and change the lines to:
HISTFILESIZE=30
HISTSIZE=30
This means each user's ".bash_history" file keeps at most 30 old commands.
Step 2:
The administrator should also add the line rm -f $HOME/.bash_history to the "/etc/skel/.bash_logout" file so that ".bash_history" is deleted at every logout. Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:
rm -f $HOME/.bash_history
Note that /etc/skel is only copied into the home directories of newly created users; for existing users add the same line to their own ~/.bash_logout.
4. Disable the Control-Alt-Delete key combination.
Comment out the following line in the "/etc/inittab" file (with a "#"):
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To make the change take effect, enter:
# /sbin/init q
5. Set permissions on the script files under "/etc/rc.d/init.d".
Restrict the permissions of the scripts that run at startup and shutdown:
# chmod -R 700 /etc/rc.d/init.d/*
This means that only root can read, write, and execute the scripts in this directory.
6. Hide System Information
By default, when you log on to a Linux system it tells you the distribution name and version, the kernel version, and the server name. This information is useful to anyone trying to break into your system; you should show nothing more than a "login:" prompt.
First edit the "/etc/rc.d/rc.local" file and add a "#" in front of the lines shown below to comment out the commands that write this information:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" > /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" > /etc/issue
#
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
Then delete the "issue" and "issue.net" files under "/etc":
# rm -f /etc/issue
# rm -f /etc/issue.net
7. Disable unused SUID/SGID programs
If a program has the SUID bit set and is owned by root, normal users can run it with root privileges. The administrator should use SUID/SGID programs as little as possible and disable every SUID/SGID program that is not needed.
Find the root-owned programs that have the s-bit set:
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Remove the s-bit from a program you have decided to disable with:
# chmod a-s [program]
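As an added example (not from the original article), a POSIX shell script that turns the find command above into a baseline check: it records the s-bit files under a directory once and later reports any file that gained an s-bit or dropped out of the baseline. The demo tree and its files are constructed in a temporary directory; on a real host you would point suid_list at / and keep the baseline on read-only media.

```shell
#!/bin/sh
# suid_list DIR: every regular file under DIR with the SUID or SGID bit set,
# printed as "mode owner path" and sorted so that two runs can be compared.
# (Paths containing spaces would be truncated by $NF; fine for system dirs.)
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + |
        awk '{ print $1, $3, $NF }' | sort
}

# suid_compare BASELINE DIR: compare the current s-bit files under DIR with a
# baseline produced earlier by suid_list. Prints "NEW: ..." for files that
# gained an s-bit (or changed mode/owner) and "GONE: ..." for baseline entries
# that no longer match. No output means nothing changed.
suid_compare() {
    base=$1; dir=$2
    suid_list "$dir" > "$base.now"
    comm -13 "$base" "$base.now" | sed 's/^/NEW: /'
    comm -23 "$base" "$base.now" | sed 's/^/GONE: /'
    rm -f "$base.now"
}

# Demo in a constructed temporary tree (plain files, not real binaries):
# take a baseline, then simulate a new setuid file and a removed s-bit.
demo=$(mktemp -d)
touch "$demo/a" "$demo/b" "$demo/c"
chmod 4755 "$demo/a"; chmod 2755 "$demo/b"; chmod 755 "$demo/c"
suid_list "$demo" > "$demo/baseline"
touch "$demo/d"; chmod 4711 "$demo/d"; chmod u-s "$demo/a"
suid_compare "$demo/baseline" "$demo"
rm -rf "$demo"
```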
The above are some basic security configuration skills. But as the saying goes, "when virtue rises one foot, vice rises ten": any computer connected to the Internet can be penetrated, so regular inspection and maintenance of the system is very important. It helps to detect intrusions in time and to repair the damage, so that intruders can be cleared out before they harm the system and its data. So now let us look at a few techniques for that.
I. Optimizing the partition structure
This helps maintenance a great deal. The Linux file system should be divided into several major partitions, each configured and installed separately; in general at least /, /usr/local, /var, and /home should be separate partitions. /usr can be mounted read-only and treated as unmodifiable, so that any change to a file under /usr immediately raises a security alarm (this of course excludes content under /usr that the user changes deliberately). /lib, /boot, and /sbin should be installed and configured the same way: make them read-only where possible, and let any modification of their files, directories, or attributes trigger an alarm.
Of course it is impossible to make every major partition read-only. Some partitions, such as /var, cannot be read-only by their very nature; such partitions should, however, be mounted without execute permission.
II. Protect log files
The chattr file attributes described above are particularly useful for log files and log backups: the immutable attribute (chattr +i) for backups that must never change, and the append-only attribute (chattr +a) for active logs, which may only grow. This usually requires adding a few control commands to the log rotation script, since the attributes must be removed before a log is rotated and set again afterwards.