Configure a Secure Linux Server

Article Title: configure a Secure Linux server. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Author: Song Lixin, Qin Gang
　　
---- As we all know, network security is a very important topic, and servers are the most critical link in network security. Linux is considered to be a safer Internet server. As an open-source operating system, once a security vulnerability is found in Linux, volunteers from around the world on the Internet will actively fix it. However, system administrators often cannot obtain and correct information in a timely manner, which gives hackers an opportunity. However, compared with the security vulnerabilities of these systems, more security problems are caused by improper configuration and can be prevented by appropriate configuration. The more services run on the server, the more opportunities for improper configuration, and the greater the possibility of security problems. This article introduces how to enhance the security of Linux/Unix servers.
　　
1. system security record files
　　
---- Record files in the operating system are important clues for detecting network intrusion. If your system is directly connected to the Internet, you find that many people try to Telnet or FTP your system, you can run "# more/var/log/secure | grep refused" to check the system's attacks and take corresponding countermeasures, such as replacing Telnet/rlogin with SSH.
　　
Ii. startup and login security
　　
---- 1. BIOS Security
　　
---- Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.
　　
---- 2. User Password
　　
---- The user password is a basic starting point for Linux security. Many users use too simple passwords, which opens the door for intruders. Although theoretically, as long as you have enough time and resources to use, there is no user password that cannot be cracked, but it is difficult to choose a proper password. A good user password is a string of characters that can only be easily remembered and understood by him, and should never be written anywhere.
　　
---- 3. Default Account
　　
---- All Default Accounts started by the operating system and unnecessary accounts should be prohibited. This should be done when you install the system for the first time. Linux provides many default accounts, the more accounts the system is vulnerable to attacks.
　　
---- You can use the following command to delete an account.
---- # Userdel User Name
---- Or use the following command to delete the group user account.
---- # Groupdel username
　　
---- 4. Password File
　　
---- The chattr command adds unchangeable attributes to the following files to prevent unauthorized users from obtaining permissions.
　　
---- # Chattr + I/etc/passwd
---- # Chattr + I/etc/shadow
---- # Chattr + I/etc/group
---- # Chattr + I/etc/gshadow
　　
---- 5. Disable Ctrl + Alt + Delete to restart the machine command
　　
---- Modify the/etc/inittab file and comment out the line "ca: ctrlaltdel:/sbin/shutdown-t3-r now. Then reset the permission for all files in the/etc/rc. d/init. d/directory and run the following command:
　　
----- # Chmod-R 700/etc/rc. d/init. d /*
　　
---- In this way, only the root user can read, write, or execute all the above script files.
　　
---- 6. Restrict su commands
　　
---- If you do not want anyone to use su as the root user, you can edit the/etc/pam. d/su file and add the following two lines:
---- Auth sufficient/lib/security/pam_rootok.so debug
---- Auth required/lib/security/pam_wheel.so group = isd
　　
---- In this case, only users in the isd group can use su as the root user. After that, if you want the user admin to su as the root user, you can run the following command:
　　
---- # Usermod-G10 admin
　　
---- 7. Delete logon information
　　
---- By default, the logon prompt includes the Linux release, kernel version, and server host name. For a machine with high security requirements, too much information is leaked. You can edit/etc/rc. d/rc. local to comment out the following lines of output system information.
　　
---- # This will overwrite/etc/issue at every boot. So, make any changes you
---- # Want to make to/etc/issue here or you will lose them when you reboot.
---- # Echo "">/etc/issue
---- # Echo "$ R">/etc/issue
---- # Echo "Kernel $ (uname-r) on $ a $ (uname-m)">/etc/issue
---- # Cp-f/etc/issue/etc/issue.net
---- # Echo>/etc/issue
　　
---- Then, perform the following operations:
---- # Rm-f/etc/issue
---- # Rm-f/etc/issue.net
---- # Touch/etc/issue
---- # Touch/etc/issue.net
　　
3. restrict network access
　　
---- 1. NFS access
　　
---- If you use the NFS Network File System Service, make sure that your/etc/exports has the strictest access permission settings, that is to say, do not use any wildcard characters, do not allow root write permissions, and can only be installed as a read-only file system. Edit the/etc/exports file and add the following two lines.
　　
----/Dir/to/export host1.mydomain.com (ro, root_squash)
----/Dir/to/export host2.mydomain.com (ro, root_squash)
　　
----/Dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine that logs on to this directory, ro means mounting to a read-only system, and root_squash prohibits root from writing to this directory. To make the changes take effect, run the following command.
　　
---- #/Usr/sbin/exportfs-
　　
---- 2. Inetd settings
　　
---- Make sure that the owner of/etc/inetd. conf is root and the File Permission is set to 600. After the settings are complete, you can run the "stat" command to check.
---- # Chmod 600/etc/inetd. conf
---- Edit/etc/inetd. conf to disable the following services.
---- Ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
　　
---- If you have installed ssh/scp, you can disable Telnet/FTP. To make the change take effect, run the following command:
---- # Killall-HUP inetd
　　
---- By default, most Linux systems allow all requests, and using TCP_WRAPPERS to enhance system security is a breeze. You can modify/etc/hosts. deny and/etc/hosts. allow to add access restrictions. For example, setting/etc/hosts. deny to "ALL: ALL" can deny ALL access by default. Then add the allowed access to the/etc/hosts. allow file. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" indicates that the IP address 192.168.1.10 and the host name gate.openarch.com are allowed to be connected through SSH.
　　
---- After the configuration is complete, you can use tcpdchk to check:
---- # Tcpdchk
　　
---- Tcpchk is the TCP_Wrapper configuration check tool, which checks your tcp wrapper configuration and reports all detected potential/existing problems.
　　
---- 3. logon terminal settings
　　
---- The/etc/securetty file specifies the tty device that allows root login, which is read by the/bin/login program in the format of a list of permitted names, you can edit/etc/securetty and comment out the following lines.
　　
---- Tty1
---- # Tty2
---- # Tty3
---- # Tty4
---- # Tty5
---- # Tty6
---- Root can only log on to the tty1 terminal.
　　
---- 4. Avoid Displaying System and version information.
　　
---- If you want to remotely log on to the user without seeing the system and version information, you can change the/etc/inetd. conf file through the following operations:
　　
---- Telnet stream tcp nowait root/usr/sbin/tcpd in. telnetd-h
　　
---- Adding-h indicates that telnet does not display system information, but only "login :".
　　
4. Prevent Attacks
　　
---- 1. Prevent ping. If no one can ping your system, the security will naturally increase. Therefore, you can add the following line to the/etc/rc. d/rc. local file:
　　
---- Echo 1>/proc/sys/net/ipv4/icmp_echo_ignore_all
　　
---- 2. prevent IP Spoofing
　　
---- Edit the host. conf file and add the following lines to prevent IP spoofing attacks.
---- Order bind, hosts
---- Multi off
---- Nospoof on
　　
---- 3. Prevent DoS Attacks
　　
---- Setting resource limits for all users in the system can prevent DoS attacks. Such as the maximum number of processes and memory usage. For example, you can add the following lines in/etc/security/limits. conf:
　　
---- * Hard core 0
---- * Hard rss 5000
---- * Hard nproc 20
　　
---- Then you must edit the/etc/pam. d/login file to check whether the following row exists.
　　
---- Session required/lib/security/pam_limits.so
　　
---- The preceding command prohibits debugging files. The maximum number of processes is 50 and the memory usage is 5 MB.
　　
---- After the above settings, your Linux Server can be immune to the vast majority of known security issues and network attacks, but an excellent system administrator should always pay attention to the network security dynamics, fix exposed and potential security vulnerabilities at any time.