Whether you are a regular Linux desktop user or a system administrator managing multiple servers, you face the same problem: a growing variety of threats. Linux is an open system, and a great many ready-made programs and tools can be found on the Web. That convenience cuts both ways: it helps users, but it also helps attackers, who can just as easily find tools to break into Linux systems or steal sensitive information from them.
Know your enemy and you will prevail. As a good system administrator you are responsible for keeping the whole system running safely, and the best preparation is to understand how attacks work: which tools attackers use, how an intrusion is carried out, and so on. From that you can work out how to reduce the risk of deploying Linux.
I. Clues: start from the logs
Logs record what happens on the system every day. Through them you can trace the cause of an error or the traces left by an attacker, monitor the state of the system in real time, and monitor and track intruders. Logs are therefore very important on a Linux system, and it is best to set up a separate log server to store them, so that an intruder who compromises a host cannot simply erase its records.
TIPS: A Linux system has three main log subsystems: (1) Connection-time logging. This is performed by several programs, which write records to "/var/log/wtmp" and "/var/run/utmp"; login and other programs update the wtmp and utmp files so that the system administrator can track who is logged on to the system.
(2) Process accounting, performed by the system kernel. When a process terminates, a record is written to the accounting file. The purpose of process accounting is to provide command-usage statistics for the basic services on the system.
(3) Error logging, performed by syslogd(8). The various system daemons, user programs and the kernel report noteworthy events to "/var/log/messages". Many other UNIX programs create their own logs, and servers that provide network services, such as HTTP and FTP, also keep detailed logs.
From the attacker's point of view, the server's security-related log files are important. Even if you have closed the server to external network access, an attacker will keep trying to connect to several of its ports; because the server has shut down the services that inetd starts, those connections are rejected, and the log system records every rejection. Common log files are as follows:
access-log: records HTTP/web transfers
acct/pacct: records user commands
aculog: records modem activity
btmp: records failed login attempts
lastlog: records the most recent successful login and the last unsuccessful login
messages: records information from syslog
sudolog: records commands issued with sudo
sulog: records use of the su command
syslog: records information from syslog
utmp: records each user who is currently logged on
wtmp: a permanent record of every time a user logs in and out
xferlog: records FTP sessions
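The following shell script is an added example, not code from the original article: it summarises the two kinds of records discussed above, rejected connections and failed logins, from syslog-style lines. The log lines are constructed for the example, and the hostname, addresses and PIDs in them are placeholders; the function names rejects_by_source, failed_logins and suspects are chosen here.

```shell
#!/bin/sh
# Added example: summarise rejected connections and failed logins from
# syslog-style log lines. SAMPLE_LOG is CONSTRUCTED for this example; the
# hostname, addresses and PIDs are placeholders. On a real host you would
# read /var/log/messages (or the auth log) instead of the variable.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 02:14:07 srv1 in.telnetd[412]: refused connect from 203.0.113.9
Mar  3 02:14:09 srv1 in.ftpd[413]: refused connect from 203.0.113.9
Mar  3 02:14:11 srv1 in.fingerd[414]: refused connect from 203.0.113.9
Mar  3 02:15:30 srv1 sshd[990]: Failed password for root from 198.51.100.23 port 51012 ssh2
Mar  3 02:15:33 srv1 sshd[990]: Failed password for root from 198.51.100.23 port 51012 ssh2
Mar  3 02:16:01 srv1 sshd[991]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 02:17:45 srv1 in.telnetd[415]: refused connect from 198.51.100.23
EOF
)

# Rejected connection attempts per source address, busiest first.
# Output: "<count> <address>" per line.
rejects_by_source() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*refused connect from \([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Failed password attempts per (user, source) pair.
# Output: "<count> <user> <address>" per line.
failed_logins() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '/Failed password for/ {
              for (i = 1; i <= NF; i++) {
                  if ($i == "for") {
                      user = $(i + 1)
                      # "Failed password for invalid user bob from ..." form
                      if (user == "invalid") user = $(i + 3)
                  }
                  if ($i == "from") src = $(i + 1)
              }
              n[user " " src]++
            }
            END { for (k in n) print n[k], k }' \
      | sort -rn
}

# Addresses that both probed closed services and failed a login: the
# overlap is the shortest list worth looking at first.
suspects() {
    {
        rejects_by_source | awk '{ print $2 }' | sort -u
        failed_logins     | awk '{ print $3 }' | sort -u
    } | sort | uniq -d
}

# Stand-alone run: print the three summaries.
echo "== rejected connections =="; rejects_by_source
echo "== failed logins ==";        failed_logins
echo "== seen in both ==";         suspects
```

The same pipelines work on a real messages file by replacing the printf with cat on the file; only the two line formats matched here (tcpd's "refused connect from" and sshd's "Failed password for") are recognised.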
II. Mend: strengthen the defense
On the one hand, actively look for the common vulnerabilities of this operating system and apply the patches released by the vendor. For example, you can edit the inetd.conf file to shut down certain services, restart, and then run an nmap scan so that you discover your own system's exposed services before an attacker does. On the other hand, password protection should be strengthened. The main password attacks are the dictionary attack, the hybrid attack and the brute-force attack. The best defense is to strictly control access to privileges, which means using strong passwords. Passwords should combine letters, digits and mixed case (Linux distinguishes between upper and lower case), and adding special characters such as "#", "%" or "$" adds further complexity.
1. Keep the system kernel up to date
Because Linux is distributed through many channels, and updated programs and system patches appear frequently, the kernel must be updated continually to strengthen system security.
The kernel is the core of the Linux operating system. It resides in memory, loads the other parts of the operating system and implements its basic functions. Because the kernel controls the various functions of the computer and the network, its security is critical to the security of the system as a whole.
Early versions of the kernel had many well-known security vulnerabilities and were less stable; only from 2.0.x onward did the kernel become more stable and secure, and the efficiency of newer versions is also greatly improved. When configuring the kernel, select only the functions you need rather than enabling everything; otherwise the kernel becomes very large, which both consumes system resources and leaves more opportunities for attackers.
With the latest security patches published on the Internet, Linux system administrators should stay well informed and visit the security newsgroups regularly to review new patches.
2. Strengthen the security protection tools
SSH (Secure Shell) is a set of programs that can safely replace common programs such as rlogin, rsh and rcp. SSH uses public-key technology to encrypt the communication between two hosts on the network, and uses its keys as an authentication mechanism.
Because SSH encrypts information on the network, it can be used to log on to a remote host securely and to transfer information securely between two hosts. SSH not only protects communication between Linux hosts; Windows users can also connect securely to Linux servers via SSH.
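To make the key-based, encrypted logins described above the only way in, the server side has to be configured accordingly. The following added example (not from the original article) audits an sshd_config for the directives that matter for that: root login, password authentication, public-key authentication and empty passwords. Both configuration files are constructed in a scratch directory; the real file is /etc/ssh/sshd_config, and the function names audit_sshd_config and count_weak are chosen here.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings that make SSH's
# key-based, encrypted logins the only way in. Both config files are
# CONSTRUCTED in a scratch directory; the real file is /etc/ssh/sshd_config.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

cat > "$WORK/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# sshd uses the FIRST value of a keyword, so this duplicate is ignored
PasswordAuthentication yes
EOF

# Print "<keyword> <value> <ok|weak>" for each audited directive. Keywords are
# case-insensitive and the first occurrence wins, matching sshd's own parsing.
# Missing directives are reported as "(default)" and flagged, so that every
# audited setting ends up set explicitly. Match blocks are not handled.
audit_sshd_config() {
    awk '
        BEGIN {
            want["permitrootlogin"]        = "no"
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"]   = "yes"
            want["permitemptypasswords"]   = "no"
        }
        /^[ \t]*#/ || NF == 0 { next }
        {
            k = tolower($1); v = tolower($2)
            if ((k in want) && !(k in seen)) seen[k] = v
        }
        END {
            for (k in want) {
                v = (k in seen) ? seen[k] : "(default)"
                status = (v == want[k]) ? "ok" : "weak"
                print k, v, status
            }
        }
    ' "$1" | sort
}

# Number of audited directives that are not at the hardened value.
count_weak() {
    audit_sshd_config "$1" | awk '$3 == "weak" { n++ } END { print n + 0 }'
}

# Stand-alone run.
for f in "$WORK/sshd_config.weak" "$WORK/sshd_config.hardened"; do
    echo "== $f: $(count_weak "$f") weak setting(s) =="
    audit_sshd_config "$f"
done
```

The duplicate PasswordAuthentication line in the hardened file is deliberate: sshd honours the first value it reads, so a check that took the last occurrence would report the wrong state. Run the audit after every change to the file and after sshd has been restarted.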
Many Linux distributions include some very useful small tools, and lsof is one of them. lsof lists all files currently open on the system. In a Linux environment everything is a file, so network connections and hardware are accessed through files, not just ordinary data. With lsof you can see which processes are using which ports, their process IDs and which user is running them. If you see something unexpected there, it is definitely worth investigating.
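The following added example (not the article's code) shows what "something unexpected" looks like in practice: it parses lsof's network listing into port, command, PID and user, and reports any listener whose port is not on a per-host baseline. The lsof output is constructed to mimic "lsof -nP -iTCP -sTCP:LISTEN"; the processes, PIDs and addresses are placeholders, and the baseline of ports 22, 25 and 80, like the function names listening_ports and unexpected_listeners, is an assumption.

```shell
#!/bin/sh
# Added example: turn lsof's network listing into "port command pid user"
# rows and flag listeners outside an expected baseline. SAMPLE_LSOF is
# CONSTRUCTED to mimic "lsof -nP -iTCP -sTCP:LISTEN" output; the processes,
# PIDs and addresses are placeholders.

SAMPLE_LSOF=$(cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  18231      0t0  TCP *:22 (LISTEN)
master    901 root   13u  IPv4  19002      0t0  TCP 127.0.0.1:25 (LISTEN)
httpd    1200 www     4u  IPv6  20010      0t0  TCP *:80 (LISTEN)
nc       4321 nobody  3u  IPv4  33333      0t0  TCP *:31337 (LISTEN)
sshd     1450 root    4u  IPv4  21000      0t0  TCP 192.0.2.5:22->198.51.100.7:51200 (ESTABLISHED)
EOF
)

# Rows of "<port> <command> <pid> <user>" for every listening socket,
# sorted by port. On a live host replace the printf with the lsof command.
listening_ports() {
    printf '%s\n' "$SAMPLE_LSOF" \
      | awk '$NF == "(LISTEN)" {
              addr = $(NF - 1)          # e.g. *:22, 127.0.0.1:25 or [::1]:80
              sub(/.*:/, "", addr)      # keep the port after the last colon
              print addr, $1, $2, $3
            }' \
      | sort -n
}

# Listeners whose port is not in the expected list. The baseline is an
# assumption you maintain per host. Usage: unexpected_listeners "22 25 80"
unexpected_listeners() {
    listening_ports | awk -v want="$1" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Stand-alone run.
echo "== listening =="; listening_ports
echo "== not in baseline 22 25 80 =="; unexpected_listeners "22 25 80"
```

The unexpected line ("31337 nc 4321 nobody") gives exactly the three facts the text says to look for: the port, the process and its PID, and the user it runs as, which is where the investigation starts.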
3. Restrict the power of the superuser
As mentioned earlier, root is the focus of Linux protection because it has unlimited power, so superuser privileges should not be handed out lightly. However, some programs must be installed and maintained with superuser privileges; in such cases other tools can be used to give those users part of the superuser's power. sudo is such a tool.
After it has been configured, the sudo program lets an ordinary user re-authenticate with their own password and obtain the power of the superuser, but only to execute a limited set of commands.
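Whether a user's sudo access really is limited is something to check, not assume. The following added example (not from the original article) reads a sudoers fragment, expands the Cmnd_Alias entries and prints the commands each user may run, and separately lists users whose rule grants ALL. The sudoers fragment is constructed in a scratch directory; the real file is /etc/sudoers and must only be edited with visudo. The function names allowed_commands and unrestricted_users are chosen here, and the parser handles only the simple "user host = (runas) cmd, cmd" form.

```shell
#!/bin/sh
# Added example: read a sudoers fragment and show which commands each user
# may run, so that "limited set of commands" can be verified rather than
# assumed. The fragment is CONSTRUCTED in a scratch directory; the real file
# is /etc/sudoers and must only be edited with visudo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/sudoers" <<'EOF'
# constructed sudoers fragment
Cmnd_Alias SERVICES = /usr/sbin/service, /usr/bin/systemctl
Cmnd_Alias BACKUP   = /usr/bin/rsync
alice   ALL = (root) SERVICES
bob     ALL = (root) BACKUP, /usr/bin/lsof
carol   ALL = (ALL) ALL
EOF

# Commands <user> may run, one per line, with Cmnd_Alias names expanded.
# Only the simple "user host = (runas) cmd, cmd" form is handled (assumption);
# User_Alias, Host_Alias, Defaults and tags such as NOPASSWD are not parsed.
# Usage: allowed_commands <sudoers-file> <user>
allowed_commands() {
    awk -v user="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "Cmnd_Alias" {
            line = $0; sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            alias[kv[1]] = kv[2]; next
        }
        $1 == user {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line)        # drop "user host ="
            sub(/^\([^)]*\)[ \t]*/, "", line)     # drop "(runas)"
            n = split(line, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (cmds[i] in alias) {
                    m = split(alias[cmds[i]], ac, /[ \t]*,[ \t]*/)
                    for (j = 1; j <= m; j++) print ac[j]
                } else {
                    print cmds[i]
                }
            }
        }' "$1"
}

# Users whose rule grants ALL: that is unrestricted root, which the text
# advises against. Usage: unrestricted_users <sudoers-file>
unrestricted_users() {
    awk '/^[ \t]*#/ || NF == 0 || $1 ~ /_Alias$/ { next }
         {
             line = $0
             sub(/^[^=]*=[ \t]*/, "", line)
             sub(/^\([^)]*\)[ \t]*/, "", line)
             if (line == "ALL") print $1
         }' "$1"
}

# Stand-alone run; on a real host "sudo -l -U alice" prints sudo's own view.
for u in alice bob carol; do
    echo "== $u =="; allowed_commands "$WORK/sudoers" "$u"
done
echo "== unrestricted =="; unrestricted_users "$WORK/sudoers"
```

The expanded list is what to review: each entry should be a specific, absolute path (as for alice and bob), and any user who ends up in the unrestricted list has simply been given root under another name.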