Basic techniques of Linux security management (source: http://www.cnxxz.net, author: greenice)
Linux, a free and open-source operating system, is winning more and more users with its efficiency and stability and continues to spread around the world; it can be expected to grow even bigger and faster in the near future. Although Linux resembles UNIX, there are a number of important differences between them, and for the many system administrators who are used to UNIX and Windows, keeping a Linux system secure and reliable brings new challenges. This article introduces some basic techniques of Linux security management, in the hope that they are useful to everyone.
I would like to begin with the security configuration of the system itself, because I believe that an administrator who makes full use of the security mechanisms the system already provides, and mines the system's own potential to keep the server running efficiently and securely, can be called excellent. I am not at all opposed to firewalls and other tools, but just as people can disinfect and wear masks, nothing beats a strong body with its own antibodies. Linux is a fully open-source free operating system with enormous development potential; a capable administrator can even adapt the kernel to the needs of their own server. Here, however, we only discuss some basic but practical configuration techniques.
I. Security settings for LILO
LILO is short for Linux loader; it is the module that boots Linux. We configure it by editing the /etc/lilo.conf file. Add the following two parameters to the file: restricted and password. These two parameters make the system require password verification when LILO starts.
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00          # change this line to 00 so that the system does not wait at startup and boots Linux directly
message=/boot/message
linear
default=linux
restricted          # add this line
password=           # add this line and set your own password
image=/boot/vmlinuz-2.4.2-2
label=linux
root=/dev/hda6
read-only
Because the /etc/lilo.conf file now contains a plaintext password, make it readable only by root:
# chmod 0600 /etc/lilo.conf
Also use the chattr command to make /etc/lilo.conf immutable:
# chattr +i /etc/lilo.conf
This protects the /etc/lilo.conf file well (the same method can be used to protect other files).
Finally, run LILO so that the new lilo.conf takes effect and the boot loader is updated:
# /sbin/lilo -v
II. Password security
Passwords can be said to be the first line of defense of the system. At present, most intrusions on the network start with guessing or intercepting passwords, so password security is critical.
First, make sure there are no accounts without a password. These can be found by looking at the /etc/passwd file. For example, if there is an account named test with no password set, the following line appears in /etc/passwd:
test::100:9::/home/test:/bin/bash
The second field is empty, which means test has no password set. This is very dangerous! You should delete such accounts or set a password for them.
Second, in old versions of Linux the /etc/passwd file itself contains the encrypted passwords, which is a serious hidden danger: the simplest attack is to recover the passwords by brute force (for example with John and similar tools). Use the commands /usr/sbin/pwconv or /usr/sbin/grpconv to create the /etc/shadow or /etc/gshadow files, so that the encrypted passwords are no longer kept in /etc/passwd but in /etc/shadow, which can only be read by the superuser root.
Third, change the shell of system accounts such as uucp, ftp and news, and of accounts that only need FTP access: they must not be given /bin/bash, /bin/sh or another login shell. You can set their shell field in /etc/passwd to /bin/false or /dev/null, or use the command usermod -s /dev/null username to change the user's shell to /dev/null. These accounts can then no longer telnet into the system.
Fourth, change the default minimum password length. When Linux is installed the default minimum password length is 5 bytes, which is not enough; set it to 8. To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change the line
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
The login.defs file is the configuration file of the login program.
Finally, don't forget to give root a strong password of more than 8 characters, preferably including special characters.
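As an added example (not from the original article), a small POSIX sh helper that checks a passwd-format file for the first three problems above: empty password fields, extra UID 0 accounts, and service accounts (uucp, ftp, news) that still have a real login shell. The sample entries are constructed for the demonstration and the output labels are my own.

```shell
#!/bin/sh
# Scan a passwd-format file and print one line per finding:
#   EMPTY_PASSWORD <user>          second field is empty (no password at all)
#   UID0 <user>                    a UID 0 account that is not root
#   SERVICE_SHELL <user> <shell>   uucp/ftp/news still have a login shell
#   MALFORMED <line>               line does not have the 7 passwd fields
# Usage: audit_passwd /etc/passwd   (reads standard input when no file is given)
audit_passwd() {
    awk -F: '
        NF != 7 { print "MALFORMED " $0; next }
        $2 == "" { print "EMPTY_PASSWORD " $1 }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        ($1 == "uucp" || $1 == "ftp" || $1 == "news") &&
            $7 !~ /\/(false|nologin|dev\/null)$/ {
                print "SERVICE_SHELL " $1 " " $7
        }
    ' "$@"
}

# Constructed sample passwd entries for the demonstration (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
test::100:9::/home/test:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
news:x:9:13:news:/etc/news:/dev/null
backdoor:x:0:0::/tmp:/bin/bash
EOF
}

# Run the audit over the sample when the script is executed directly.
sample_passwd | audit_passwd
```

On a real system run audit_passwd /etc/passwd as root; the news entry shows that a /dev/null shell is accepted as harmless.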
III. Login security
1. Automatic logout of accounts. On UNIX systems the root account has the highest privileges. If the system administrator forgets to log out of root before leaving the terminal, it poses a significant security risk, so the account should be logged off automatically. This is done with the TMOUT parameter, which is counted in seconds. Edit the profile file (vi /etc/profile) and add the following line after the "HISTFILESIZE=" line:
TMOUT=300
300 means 300 seconds, that is 5 minutes: if a logged-in user does nothing for 5 minutes, the system logs the account off automatically. You can also add this value to an individual user's .bashrc file so that the system logs that user off automatically after the given time. After changing this setting, the user must log off and log in again for it to take effect.
2. Use PAM (pluggable authentication modules) to prevent anyone from becoming root with the su command. The su (substitute user) command lets you become another existing user of the system. If you do not want anyone to su to root, or want to limit the su command to certain users, add the following two lines to the beginning of the su configuration file in the /etc/pam.d/ directory. Edit the su file (vi /etc/pam.d/su) and add these two lines at the top:
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so group=wheel
This means that only members of the wheel group can use su to become root. To let a user su to root, add the user to the wheel group, for example with the command usermod -G 10 username (10 being the group ID of wheel).
IV. Console access security
1. Remove ordinary users' console access rights. You should cancel ordinary users' console access to programs such as shutdown, reboot and halt:
# rm -f /etc/security/console.apps/<program>
where <program> is the name of the program you want to remove from the console-permitted list.
2. Do not allow root to log in from every console
The /etc/securetty file defines which TTY devices root may log in from. Edit the /etc/securetty file and add a "#" in front of each TTY device that root no longer needs to log in from, to prohibit root login from that device.
The /etc/inittab file contains the following lines:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
The system uses 6 consoles by default (Alt+F1, Alt+F2, ...). By adding "#" in front of lines 3, 4, 5 and 6 you comment them out, so that only two consoles remain available; two are preferable. Then restart the init process and the change takes effect.
V. Security of services
Remove and uninstall all unused services
Removing and uninstalling all unused services will save you a lot of worry. Look at the /etc/inetd.conf file and comment out every service you do not need (add a "#" in front of the service entry). Then send inetd the SIGHUP signal so that it rereads inetd.conf.
Step 1: Change the permissions of /etc/inetd.conf to 600 so that only root can read and write the file:
# chmod 600 /etc/inetd.conf
Step 2: Make sure the owner of the /etc/inetd.conf file is root.
Step 3: Edit /etc/inetd.conf (vi /etc/inetd.conf) and disable the services you do not need, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. Shutting down unneeded services reduces the risk to the system.
Step 4: Send a HUP signal to the inetd process:
# killall -HUP inetd
Step 5: Use the chattr command to make /etc/inetd.conf immutable so that nobody can modify it:
# chattr +i /etc/inetd.conf
This prevents any change to inetd.conf, accidental or otherwise. Only root can remove this attribute. If you need to modify inetd.conf, first remove the immutable attribute:
# chattr -i /etc/inetd.conf
Also set the attribute of the /etc/services file to prevent unauthorized deletion or addition of services:
# chattr +i /etc/services
Don't forget that when you want to change these files later, you only need to remove the attribute first and they can be modified again.
VI. Other security settings
1. tcp_wrappers
Using tcp_wrappers can protect your system against intrusion from outside. The best policy is to block all hosts (add "ALL: ALL@ALL, PARANOID" to the /etc/hosts.deny file) and then list all hosts that are allowed access in the /etc/hosts.allow file.
Step 1: Edit the hosts.deny file (vi /etc/hosts.deny) and add the lines below:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This means that all services and addresses are blocked unless the address appears in the list of hosts allowed to access.
Step 2: Edit the hosts.allow file (vi /etc/hosts.allow) and list the hosts that are allowed access, for example:
ftp: 202.54.15.99 foo.com
202.54.15.99 and foo.com are the IP address and host name allowed to access the FTP service.
Step 3: The tcpdchk program checks the TCP wrapper configuration; it examines your tcp_wrappers settings and reports the potential and actual problems it finds. When you have finished, run:
# tcpdchk
2. Edit the /etc/host.conf file
/etc/host.conf specifies how names are resolved. Edit the /etc/host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first, then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves addresses through DNS first and then through the hosts file. The second setting handles hosts in /etc/hosts that have more than one IP address (for example several Ethernet adapters). The third setting tells the resolver to watch for unauthorized spoofing of this machine's address.
3. Shell logging
The bash shell saves up to 500 used commands in the ~/.bash_history file (~/ is the user's home directory), which makes it easy to re-enter long commands you have used before. Every user with an account on the system has a .bash_history file in their home directory. The bash shell should keep only a small number of commands, and the history should be deleted each time the user logs off.
Step 1: The HISTFILESIZE and HISTSIZE lines in the /etc/profile file determine how many old commands the .bash_history file of every user can hold. It is strongly recommended to set the values of the HISTFILESIZE and HISTSIZE lines in /etc/profile to a small number, such as 30. Edit profile (vi /etc/profile) and change the lines to:
HISTFILESIZE=30
HISTSIZE=30
This means that each user's .bash_history file can hold only 30 old commands.
Step 2: The administrator should also add the line rm -f $HOME/.bash_history to the /etc/skel/.bash_logout file, so that the .bash_history file is deleted each time the user logs off. Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:
rm -f $HOME/.bash_history
4. Disable the Control-Alt-Delete shutdown command
Comment out the following line in the /etc/inittab file (using #), changing
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To make this change take effect, enter the following command:
# /sbin/init q
5. Set permissions for the script files under /etc/rc.d/init.d
Set the permissions of the scripts that start or stop the programs executed at boot:
# chmod -R 700 /etc/rc.d/init.d/*
This means that only root may read, write and execute the script files in this directory.
6. Hide system information
By default, when you log on to a Linux system it tells you the name and version of the Linux distribution, the kernel version and the server's host name. This information is enough to help an intruder attack your system. You should show only a "login:" prompt.
First edit the /etc/rc.d/rc.local file and add a "#" in front of the lines shown below to comment out the commands that output this information:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Second, delete the issue.net and issue files under the /etc directory:
# rm -f /etc/issue
# rm -f /etc/issue.net
7. Disable unnecessary SUID/SGID programs
If a program is set SUID root, an ordinary user can run it with root privileges. The administrator should use SUID/SGID programs as little as possible and disable all unnecessary ones.
Find the programs that have the s bit set:
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Use the following command to remove the s bit from a selected program:
# chmod a-s [program]
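As an added example (not from the original article), and one that also serves the advice on periodic inspection below, the find command above turned into a POSIX sh baseline check: save the list of setuid/setgid files once after hardening, then report only the entries that have appeared since. The baseline path /var/lib/suid.baseline in the comments is an assumed location.

```shell
#!/bin/sh
# Baseline check for setuid/setgid programs.
#   suid_list DIR            sorted list of setuid/setgid regular files under DIR
#   suid_baseline DIR FILE   save the current list as the baseline FILE
#   suid_new DIR FILE        entries present now but missing from the baseline
# A new s-bit file that nobody installed on purpose is a classic sign of a
# compromise, and a short diff is much easier to review than the full list.
suid_list() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null \
        | LC_ALL=C sort
}

suid_baseline() {
    suid_list "$1" > "$2"
}

suid_new() {
    # comm needs both inputs sorted the same way; -13 keeps lines found only
    # in the second input (the current scan), i.e. files not in the baseline.
    suid_list "$1" | LC_ALL=C comm -13 "$2" -
}

# Typical use (assumed paths): build the baseline once after hardening,
# then run the check from cron and mail or log anything it prints:
#   suid_baseline / /var/lib/suid.baseline
#   suid_new / /var/lib/suid.baseline
```

Refresh the baseline with suid_baseline after every deliberate change, such as a package upgrade, or the next check will keep reporting it.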
These are some basic security techniques. As the saying goes, when the defender's craft grows a foot, the attacker's grows ten: as long as a computer is connected to the Internet, it can be intruded upon. Therefore, periodic inspection and maintenance of the system are very important; they help to discover an intrusion in time, and to understand what happened before the intruder has destroyed the system and its data. So let us talk about the techniques in this area.
1. Optimize the partition structure
This is good for maintenance. We should divide the Linux file system into several major partitions, each configured and installed differently; in general, at least the /, /usr/local, /var and /home partitions should be created. /usr can be installed read-only and regarded as unmodifiable: if any file in /usr changes, the system will raise a security alert immediately (this of course does not include the user changing the contents of /usr themselves). /lib, /boot and /sbin should be installed and set up the same way: read-only at installation time, so that any modification to their files, directories or attributes causes the system to raise an alert.
Of course it is impossible to set every major partition read-only; some partitions, such as /var, are by their nature not read-only, but they should not be allowed execute permission.
2. Protect log files
This is especially useful for log files and log backups: set attributes on these two kinds of file so that they can only be appended to. This usually involves adding some control commands to the log update script