Article Title: Create ?? Secure Linux server? Ops? Inux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
To create a Secure Linux server, you must first understand the meaning of the configuration files related to network services in the Linux environment and how to configure security. In Linux, the TCP/IP network is configured through several text files. You may need to edit these files to complete networking, however, most of these configuration files can be implemented through the linuxconf command (the network configuration can be implemented through the netconf command ). The following describes the basic TCP/IP network configuration file.
*/Etc/conf. modules File
This configuration file defines the parameter information of various modules to be loaded upon activation. This article focuses on the NIC configuration. When using Linux as a gateway, a Linux server must have at least two NICs. To reduce possible problems during activation, the Linux kernel does not automatically detect multiple NICs. If you need to install multiple NICs for a system that does not compile the NIC driver into the kernel but is loaded dynamically as a module, configure the NIC in the "conf. modules" file.
If the device driver is compiled into a module (kernel module): for PCI devices, the module automatically detects all devices installed on the system. For ISA cards, you need to provide the IO address to the module so that the module knows where to find the card. The information is in "/etc/conf. modules.
For example, we have two ISA bus 3c509 cards. One IO address is 0x300, and the other is 0x320. Edit the "conf. modules" file as follows:
Alias eth0 3c509
Alias eth1 3c509
Options 3c509 io = 0x320, 0 x
This indicates that drivers of 3c509 should be loaded with the eth0 or eth1 names (alias eth0, eth1) respectively, and they should be loaded with the io = 0x300 and 0x320 parameters, to notify the driver where to find the network card, of which 0x is indispensable.
For the PCI card, you only need the alias command to associate ethN with the appropriate driver module name. The IO address of the PCI Card will be automatically detected. For the PCI Card, edit the "conf. modules" file as follows:
Alias eth0 3c905
Alias eth1 3c905
If the driver has been compiled into the kernel, the PCI detection program automatically finds all related NICs when the system is activated. The ISA card can also be automatically detected. However, in some cases, the ISA card still needs to be configured as follows:
Add the configuration information in "/etc/lilo. conf" by passing the activation parameter information to the kernel through the LILO program. For the ISA card, edit the "lilo. conf" file and add the following content:
Note: Do not add the activation parameter to "lilo. conf" to test your ISA card. If it fails, use the activation parameter.
If you use the method that passes the activation parameter, eth0 and eth1 are set according to the sequence found during activation.
*/Etc/HOSTNAME file:
This file contains the Host Name of the system, including the full domain name, such:
Deep.openarch.com
*/Etc/sysconfig/network-scripts/ifcfg-ethN file:
In RedHat, the configuration file for the system network device is saved in the/etc/sysconfig/network-scripts directory, the ifcfg-eth0 contains the configuration information for the first Nic, the ifcfg-eth1 contains the configuration information for the second Nic.
The following is an example of the/etc/sysconfig/network-scripts/ifcfg-eth0 file:
If you want to manually modify the network address or add a new network interface to the new interface, you can modify the corresponding file (ifcfg-ethN) or create a new file.
DEVICE = name indicates the name of the physical DEVICE.
IPADDR = addr indicates the IP address assigned to the card
NETMASK = mask indicates the network mask
NETWORK = addr indicates the NETWORK address
BROADCAST = addr indicates the BROADCAST address.
ONBOOT = yes/no whether the card is activated when activated
None
Bootp: Use the bootp protocol
Dhcp: Use the dhcp protocol.
USERCTL = yes/no whether non-root users are allowed to control the device
*/Etc/resolv. conf file:
This file is a configuration file used by the domain name Parser (resolver, a database that resolves IP addresses based on the host name), for example:
"Search domainname.com" indicates that when a host name that does not include a full domain name is provided, the suffix of domainname.com is added after the host name; "nameserver" indicates that the host specified by this address is the Domain Name Server when the domain name is resolved. The Domain Name Server is queried according to the order in which the file appears.
*/Etc/host. conf file:
This file specifies how to resolve the host name. Linux uses the parser library to obtain the IP address corresponding to the host name. The following is an example of "/etc/host. conf:
Order bind, hosts
Multi on
Ospoof on
"Order bind, hosts" specifies the host name query order. Here, DNS is required to resolve the domain name and then query the "/etc/hosts" file (or the opposite ).
"Multi on" specifies whether the host specified in the "/etc/hosts" file can have multiple addresses. A host with multiple IP addresses is generally called a multi-point host.
"Nospoof on" indicates that IP address spoofing is not allowed on the server. IP spoofing is a means of attacking system security. By disguising IP addresses as other calculators, you can gain the trust of other calculators.
*/Etc/sysconfig/network File
This file is used to specify the network configuration information on the server. The following is an example:
NETWORK = yes
RORWARD_IPV4 = yes
HOSTNAME = deep.openarch.com
GAREWAY = 0.0.0.0
GATEWAYDEV =
NETWORK = yes/no whether the NETWORK is configured;
FORWARD_IPV4 = yes/no whether IP Forwarding is enabled
HOSTNAME = hostname indicates the Host Name of the server.
GAREWAY = gw-ip indicates the ip address of the Network Gateway.
GAREWAYDEV = gw-dev gw-dw indicates the gateway device name, such as etho.
Note: to be compatible with the old software, the "/etc/HOSTNAME" file should have the same host name as HOSTNAME = hostname.
*/Etc/hosts file
When the machine is activated, before the DNS can be queried, the machine needs to query the matching of some host names to IP addresses. The matching information is stored in the/etc/hosts file. Without a Domain Name Server, all network programs on the system query the file to resolve the IP address corresponding to a host name.
The following is an example of a "/etc/hosts" file:
IP Address Hostname Alias
127.0.0.1 Localhost Gate.openarch.com
208.164.186.1 gate.openarch.com Gate
............ ............ .........
The leftmost column is the Host IP information, and the middle column is the host name. All the columns that follow are aliases of the host. Once the network configuration file of the machine is configured, the network should be re-activated for the modification to take effect. Use the following command to reactivate the network:/etc/rc. d/init. d/network restart
*/Etc/inetd. conf file
As we all know, as servers, the more open service ports, the more difficult to guarantee system security and stability. Therefore, servers that provide specific services should open the ports necessary to provide services as much as possible, and disable services unrelated to server services, such as a machine that serves as www and ftp servers, port 80 and port 25 should be opened, and other unrelated services such as finger auth should be turned off to reduce system vulnerabilities.
Inetd, also known as "super server", monitors network request Daemon Processes and calls corresponding service processes to process connection requests based on network requests. Inetd. conf is the configuration file of inetd. The inetd. conf file tells inetd which network ports are monitored and which service is activated for each port. To use Linux in any network environment, the first thing to do is to understand what services the server will provide. Services that are not needed should be disabled. It is best to uninstall them so that hackers will lose some chance to attack the system. View the "/etc/inetd. conf" file to learn about the services provided by inetd. Add a comment (add the # sign at the beginning of a line) to prohibit unnecessary services and send a SIGHUP signal to the inetd process.
Step 1: Change the File Permission to 600.
[Root @ deep] # chmod 600/etc/inetd. conf
Step 2: Make sure that the file owner is root.
[Root @ deep] # stat/etc/inetd. conf
Step 3: edit "inetd. conf file (vi/etc/inetd. conf). Disable all unnecessary services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth, and so on. If you find some services useful, do not disable them. However, if these services are disabled, the system may be more vulnerable to attacks. The content of the changed "inetd. conf" file is shown below:
# To re-read this file after changes, just do a 'killall-HUP inetd'
#
# Echo stream tcp nowait root internal
# Echo dgram udp wait root internal
# Discard stream tcp nowait root internal
# Discard dgram udp wait root internal
# Daytime stream tcp nowait root internal
# Daytime dgram udp wait root internal
# Chargen stream tcp nowait root internal
# Chargen dgram udp wait root internal
# Time stream tcp nowait root internal
# Time dgram udp wait root internal
#
# These are standard services.
#
# Ftp stream tcp nowait root/usr/sbin/tcpd in. ftpd-l-
# Telnet stream tcp nowait root/usr/sbin/tcpd in. telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.