Many network administrators who are new to Linux find it difficult to move from a click-based security configuration interface to one built on complex, unfamiliar text files. This article lists seven steps administrators can take to build more secure Linux servers and significantly reduce the risks they face.
Ask the network administrator of any large organization to compare Linux with a network operating system such as Windows NT or Novell, and he will probably admit that Linux is the more stable and scalable solution. He may also admit that Linux is the most difficult of them to configure for protection against external attacks.
This view is quite common: many network administrators who are new to Linux discover that it is difficult to switch from a click-oriented security configuration interface to one based on complex, unfamiliar text files. Most administrators fully realize that they need to put obstacles in place by hand to stop likely hacker attacks and so protect the company's data. In the unfamiliar Linux environment, though, they are not sure whether they are heading in the right direction, or even where to start.
That is the purpose of this article. It lists simple steps that help administrators secure Linux systems and significantly reduce the risks they face. This tutorial covers seven such steps, but you can find more in the Linux manuals and discussion forums.
Protect the root account
The root account (or superuser account) on a Linux system is like a backstage pass at a Rolling Stones concert: it gives you access to everything in the system. It is therefore worth taking extra steps to protect it. First, use the passwd command to set a hard-to-guess password for this account, change it regularly, and restrict knowledge of the password to a few key people in the company (ideally only two).
Then edit the /etc/securetty file to specify the terminals from which root may log in. To stop users from leaving a root terminal "open", set the TMOUT local variable so that an idle root login is timed out, and set the HISTFILESIZE local variable to 0 so that no root command history file (which may contain confidential information) is written. Finally, make it policy that this account is used only for specific administrative tasks, and stop users from logging in as root as a matter of routine.
Tip: once these holes are closed, make sure every ordinary user sets a password for their account, and that the password is not something easily guessed, such as a birthday, the username, or a dictionary word.
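The TMOUT, HISTFILESIZE and securetty steps above, as an added shell example (not from the article): it works on whatever profile and securetty paths you pass in, so it can be tried on copies, and the 600-second default idle timeout is an assumption.

```sh
#!/bin/sh
# Added example, not from the article. Applies the root-session settings the
# text describes (idle timeout via TMOUT, no command history via
# HISTFILESIZE) to a profile file and counts non-console entries in a
# securetty file. Both paths are arguments, so it can be tried on copies;
# the 600-second default timeout is an assumption.

harden_root_profile() {
    profile="$1"            # e.g. /root/.bash_profile
    idle="${2:-600}"
    # Drop any earlier setting of these variables so re-running stays clean,
    # then append ours as read-only so an interactive root shell cannot
    # simply unset them.
    if [ -f "$profile" ]; then
        grep -vE '^(readonly |export )?(TMOUT|HISTFILESIZE|HISTSIZE)( |=|$)' "$profile" > "$profile.tmp" || :
    else
        : > "$profile.tmp"
    fi
    cat >> "$profile.tmp" <<EOF
readonly TMOUT=$idle
readonly HISTFILESIZE=0
readonly HISTSIZE=0
export TMOUT HISTFILESIZE HISTSIZE
EOF
    mv "$profile.tmp" "$profile"
}

# securetty lists the terminals root may log in from. Anything besides the
# local virtual consoles (tty1-tty6, console) widens the attack surface.
securetty_extra_entries() {
    grep -vE '^(#|$|tty[1-6]$|console$)' "$1" | wc -l | tr -d ' '
}
```

Run `securetty_extra_entries /etc/securetty` after editing the file; a result other than 0 means root can still log in from a serial line or pseudo-terminal.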
Install a firewall
A firewall helps you filter incoming and outgoing packets and ensures that only packets matching predefined rules reach the system. There are many excellent firewalls for Linux, and the firewall code can even be compiled directly into the kernel. First, use the ipchains or iptables command to define input, output, and forwarding rules for incoming and outgoing packets. Rules can be written in terms of IP addresses, network interfaces, ports, protocols, or a combination of these attributes, and each rule also specifies the action to take on a match (accept, reject, or redirect). Once the rules are in place, inspect the firewall carefully to make sure there are no holes. A sound firewall is the first line of defense against common DDoS attacks.
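A default-deny iptables ruleset of the kind described above, as an added example (not from the article): it exposes only SSH, and the SSH port and the management subnet are assumptions passed as arguments.

```sh
#!/bin/sh
# Added example, not from the article. Builds an iptables-restore ruleset
# for a server that exposes only SSH, with default-deny INPUT/FORWARD.
# The SSH port and the management subnet are assumptions passed as
# arguments; 192.0.2.0/24 is a documentation range used as a placeholder.

build_ruleset() {
    ssh_port="${1:-22}"
    admin_net="${2:-192.0.2.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# rate-limited ping so the host stays diagnosable
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# new SSH sessions only from the management network
-A INPUT -p tcp -s ${admin_net} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# log (rate-limited) and drop everything else
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Pre-load checks: both inbound chains default to DROP, and the only
# rule accepting NEW connections is the SSH rule.
ruleset_default_drops() {
    build_ruleset "$@" | grep -cE '^:(INPUT|FORWARD) DROP'
}
ruleset_new_accepts() {
    build_ruleset "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}
```

Syntax-check with `build_ruleset 22 10.0.0.0/8 | iptables-restore --test` before loading it for real, and keep a console session open while you do so that a mistake cannot lock you out.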
Use OpenSSH for network transactions
The security of data sent over the network is an important issue in client-server architectures. If network transactions are carried out in plain text, hackers may "sniff" the data on the wire and obtain confidential information. A secure shell application such as OpenSSH creates an encrypted channel for the data in transit and closes this hole. Encrypted connections of this kind make it very difficult for an unauthorized party to read data passing between network hosts.
Disable unnecessary services
After a typical Linux installation, a variety of services are active, such as FTP, telnet, UUCP, and ntalk. In most cases these services are rarely used, and leaving them running is like leaving a window open for a thief to climb through. You can disable them by commenting them out in the /etc/inetd.conf or /etc/xinetd.conf file and then restarting the inetd or xinetd daemon. Some services (such as database servers) may also be started by default at boot; disable those by editing the /etc/rc.d/* directory hierarchy. Many experienced administrators disable every system service and leave only the SSH port open.
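The inetd.conf step above, as an added shell example (not from the article): it lists what is still enabled and comments out the services you name. The config path is an argument, so it can be tried on a copy of /etc/inetd.conf first.

```sh
#!/bin/sh
# Added example, not from the article. Shows which services a classic
# inetd.conf still enables and comments out the ones you name, after which
# inetd can be reloaded. The config path is an argument, so try it on a
# copy of /etc/inetd.conf first.

# Service name (first field) of every active, uncommented line.
active_inetd_services() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { print $1 }' "$1"
}

# Comment out each named service in place; prints how many lines changed.
disable_inetd_services() {
    conf="$1"; shift
    changed=0
    for svc in "$@"; do
        n=$(grep -cE "^[[:space:]]*${svc}[[:space:]]" "$conf") || n=0
        [ "$n" -gt 0 ] || continue
        sed -i -E "s/^([[:space:]]*)(${svc}[[:space:]])/\1#\2/" "$conf"
        changed=$((changed + n))
    done
    echo "$changed"
}
```

After editing the real file, make inetd re-read it (for example `kill -HUP "$(pidof inetd)"`) and confirm with `active_inetd_services /etc/inetd.conf` that only what you intend remains.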
Use spam and anti-virus filters
Spam and viruses annoy users and sometimes cause serious network failures. Linux itself is fairly resistant to viruses, but Windows client computers may be far more vulnerable to them. It is therefore a good idea to install spam and virus filters on the mail server to block suspicious messages and reduce the risk of a cascade of failures.
First, install SpamAssassin, a first-class open source tool that uses a range of techniques to identify and mark spam. The program supports user-based whitelists and greylists, which improve its accuracy. Next, install user-level filtering based on regular expressions; such a tool can automatically filter mail as it arrives in the inbox. Finally, install Clam AntiVirus, a free anti-virus tool that integrates with Sendmail and SpamAssassin and supports scanning of email attachments.
Install an intrusion detection system
An intrusion detection system (IDS) is an early-warning system that helps you understand changes on your network. It can accurately identify (and confirm) attempts to break into the system, at the cost of extra resource consumption and some false leads. Two well-known IDS tools are worth trying: tripwire, which tracks file signatures to detect modifications, and snort, which performs real-time packet analysis against rule-based signatures to find and identify probes or attack attempts against the system. Both can send email alerts (and take other actions), which is useful when you suspect your network is under threat and need evidence.
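The file-signature tracking that tripwire performs, reduced to its core as an added shell example (not from the article or from tripwire itself): record a SHA-256 baseline of a directory, then report what has changed, disappeared or appeared. Directory and baseline paths are assumptions passed as arguments.

```sh
#!/bin/sh
# Added example, not from the article: a minimal version of what tripwire
# does. make_baseline records the SHA-256 of every file under a directory;
# verify_baseline later compares and reports CHANGED, MISSING and NEW
# files. Directory and baseline paths are assumptions passed as arguments.

# One "hash  path" line per file, sorted by path for stable comparisons.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0r sha256sum
}

# Is this exact path present in a listing? (sha256sum puts the path at
# column 67: 64 hex digits plus two spaces.)
has_path() {
    cut -c67- "$1" | grep -qxF "$2"
}

# Prints one line per difference and returns 1 if anything differs,
# so it can drive a cron job or a mail alert.
verify_baseline() {
    baseline="$1"; dir="$2"
    current=$(mktemp)
    make_baseline "$dir" > "$current"
    rc=0
    # Everything the baseline knew about: still there? still the same?
    while read -r hash path; do
        if ! has_path "$current" "$path"; then
            echo "MISSING $path"; rc=1
        elif ! grep -qxF "$hash  $path" "$current"; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$baseline"
    # Anything present now that the baseline never recorded.
    while read -r hash path; do
        has_path "$baseline" "$path" || { echo "NEW $path"; rc=1; }
    done < "$current"
    rm -f "$current"
    return $rc
}
```

Keep the baseline file off the host or on read-only media; an intruder with root can otherwise regenerate it to match their changes, which is the same reason tripwire signs its database.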
Regular security checks
This last step may be the most important for keeping the network secure. Here you play the villain and try to break through the defenses you built in the previous six steps. This gives you a direct and objective assessment of the system's security and shows which weaknesses you should fix.
There are a number of tools to help with this check. You can try to crack your own password file with a password cracker such as Crack or John the Ripper, use nmap or netstat to find open ports, and use tcpdump to watch the network. You can also test the programs you have installed (web servers, firewalls, and Samba) against publicly known vulnerabilities to see whether they offer a way in. If you can find a way through your own obstacles, so can someone else, so take immediate action to close those holes.
Securing a Linux system is a long-term task; completing the above steps does not make you safe for good. Visit the Linux security forums to learn more security tips, and actively monitor and update the system's security measures.
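The netstat part of the check above, turned into a repeatable audit as an added shell example (not from the article): it reads `netstat -tln` (or `ss -ltn`) output and flags any port listening on all interfaces that is not on an approved list. The approved list is an assumption you supply.

```sh
#!/bin/sh
# Added example, not from the article. Audits which TCP ports are listening
# on all interfaces and flags any not on an approved list. The parser reads
# the text of `netstat -tln` (or `ss -ltn`) from stdin so it can be run on a
# captured sample; the approved list is an assumption you supply.

# Ports of listeners bound to 0.0.0.0, :: or * (reachable from outside).
exposed_ports() {
    awk '
        # netstat -tln and ss -ltn both put the local address in column 4
        $1 == "tcp" || $1 == "tcp6" || $1 == "LISTEN" {
            n = split($4, f, ":"); port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == "[::]")
                print port
        }' | sort -nu
}

# Compare against the approved list (space separated, e.g. "22 443");
# prints each unexpected port and returns 1 if there were any.
unexpected_listeners() {
    approved="$1"
    rc=0
    for p in $(exposed_ports); do
        case " $approved " in
            *" $p "*) ;;
            *) echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use on a live host:  netstat -tln | unexpected_listeners "22 443"
```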