Effective and reasonable strategies for UNIX Network Security

Source: Internet
Author: User

Most business systems in the financial sector run on UNIX/XENIX operating systems and TCP/IP network platforms. The author takes SCO UNIX 3.2V4.2 as an example to discuss how to strengthen the security management of UNIX network systems.

The security discussed here mainly means protecting the reliability of the system's information and its normal operation by preventing illegal intrusion and access from the local machine or from the network. This article confines itself to that scope and does not consider other aspects.

1. Managing hosts on the network is a prerequisite for network security management.

User and password management has always been one of the most important aspects of system security management. No attack on the network is possible without a legitimate user name and password (apart from back doors). At present, however, most system administrators focus only on the management of privileged users and neglect ordinary users: accounts are created for convenience, and user IDs, groups and file permissions are assigned arbitrarily, leaving gaps through which illegal users can steal information and damage the system.

The UNIX users of a financial system are all end users. They only need to work within a specific application system to complete some fixed tasks, and generally do not need to execute system (shell) commands.

After a user has logged on normally, if he presses the interrupt key (Delete), switches the terminal power off, or presses Ctrl-\, the application is terminated and the user lands in the shell (command) state. There he can, for example, create subdirectories in his own directory and use up the system's inode numbers, or run yes > aa to create a huge junk file and exhaust the hard disk space, which may crash and paralyse the system. If the file system's permissions are not strictly set, he can run or even modify files on the file system and change their permissions; he can use commands such as su to steal higher privileges; he can also log on to other hosts and make trouble there. All these problems are related to how the user is set up, so try not to set users up in that form. If it is unavoidable, check whether the user's shell can be changed to a restricted shell such as rsh, as follows:

dzhd:x:200:50::/usr/dzhd/obj:/bin/rsh

Or use the following form, in which the application program main is the user's login shell:

dzhd:x:200:50::/usr/dzhd:./main

Add the following line at the head of main (or .profile):

trap '' 0 1 2 3 5 15

With this, all the problems described above are avoided.

In addition, check the /etc/passwd file regularly for unknown users and for users whose permissions are out of line; change user passwords regularly, especially those of uucp, bin and other rarely used accounts, so that nobody can turn them into a back door; and delete dormant accounts that are no longer used.
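As an added example (not from the original article), a small shell audit that checks a passwd file for the conditions this section describes: unknown accounts, extra superuser accounts, and end users who still have a full shell instead of rsh or the application. The known-user list, the UID threshold and the sample passwd lines are assumptions constructed for the example.

```shell
# Added example, not from the original article: a periodic audit of /etc/passwd
# along the lines of section 1. It reports accounts that are not on the
# administrator's known-user list, extra UID-0 accounts, and end-user accounts
# whose login shell is a full shell rather than /bin/rsh or the application.
# The known-user list, the UID threshold and the sample lines are constructed.

KNOWN_USERS="root bin uucp dzhd dgxt"
FULL_SHELLS="/bin/sh /bin/csh /bin/ksh"
END_USER_UID=200          # assumption: end users were created with UID >= 200

# Constructed sample passwd content; not taken from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
uucp:x:5:5:uucp:/usr/lib/uucp:/usr/lib/uucp/uucico
dzhd:x:200:50::/usr/dzhd:./main
dgxt:x:201:50::/usr/dgxt:/bin/rsh
oper:x:0:50::/usr/oper:/bin/sh
guest:x:300:50::/usr/guest:/bin/csh'

# Return 0 if $1 is one of the space-separated words in $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# audit_passwd reads passwd lines on stdin and prints one finding per line:
#   UNKNOWN <name>         account not on the known-user list
#   UID0 <name>            a second superuser account
#   SHELL <name> <shell>   end user who drops into a full shell
audit_passwd() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -z "$name" ] && continue
        in_list "$name" "$KNOWN_USERS" || echo "UNKNOWN $name"
        [ "$uid" = 0 ] && [ "$name" != root ] && echo "UID0 $name"
        if [ "$uid" -ge "$END_USER_UID" ] && in_list "$shell" "$FULL_SHELLS"; then
            echo "SHELL $name $shell"
        fi
    done
}

# count_findings runs the audit over the constructed sample and prints the count.
count_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | wc -l | tr -d ' '
}

# On a live system the call would be:  audit_passwd < /etc/passwd
```

On the constructed sample the audit reports oper (unknown and UID 0) and guest (unknown and a full shell).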

Therefore, the author believes that setting users properly is the key to host management.

2. Setting up your network environment is an effective way to prevent unauthorized access

Common tools for network access include telnet, ftp, rlogin, rcp, rcmd and other network commands, and they must be restricted. The simplest method is to change the corresponding service port numbers in /etc/services, but then all access from outside the network is rejected, legitimate or not. I do not advocate this kind of self-isolation, because it makes the site incompatible with the rest of the network and causes inconvenience to oneself. From an analysis of the UNIX system, the author believes that access from the network can instead be restricted (or allowed) conditionally:

1) Create the /etc/ftpusers file, a table of users who are not allowed to use ftp. Its contents are as follows:

# Username
dgxt
dzhd
...

The above are user names on the local machine. Intruders who try to access this site through ftp with these user names will be rejected. The related command is ftp.

2) Keep .netrc confidential. .netrc is the remote login data file: it contains the login data registered for remote hosts on the network, which ftp uses for file transfer. It is usually stored in the user's home directory, and its file permission must be 0600.

3) Create anonymous ftp. Anonymous ftp allows users on other hosts to send and receive data with ftp, logging in as ftp or anonymous without any password.

4) Restrict .rhosts user-equivalence files, also known as trusted-user files. Related commands are rlogin, rcp and rcmd.

User equivalence means that a user can log on to another host with the same user information without entering a password. The user-equivalence file is named .rhosts and is stored in root's or the user's home directory.

5) Restrict the hosts.equiv host-equivalence file, also known as the trusted-host file. Related commands are rlogin, rcp and rcmd. Host equivalence is similar to user equivalence, but it applies to all users of the two machines except root. The host-equivalence file is hosts.equiv and is stored under /etc.

The control mechanism works as follows:

When a user accesses the system remotely with ftp, the UNIX system first verifies the user name and password and then checks the ftpusers file; if the login user name appears in that file, the connection is denied automatically. Therefore, as long as every user on the local machine except anonymous ftp is listed in ftpusers, the door of the local machine cannot be opened even by intruders who have obtained correct user information for it. Put the information to be released to the public under /usr/ftp/pub, where remote sites can fetch it through anonymous ftp. Anonymous ftp without a password does not threaten the security of the local system, because it cannot leave its own directory and so cannot obtain other information on the local machine. When .netrc is used, it must be kept confidential to prevent leakage of information about the other related hosts.

User equivalence and host equivalence give the same kind of access. Because the user needs no password and logs on to the remote system like any other valid user, it is highly insecure and must be strictly controlled or used only in a very trustworthy environment. Remote users can log on directly with rlogin without a password, copy files to or from the local host with rcp, or execute commands on the local host with rcmd. When users need to log on to another system frequently, it does effectively speed up logon, reduce the number of processes running on the remote system, and avoid eavesdropping on the line.

The UNIX system provides no direct control over telnet. However, /etc/profile is the system's default shell start-up file, which is executed first whenever any user logs on. If a few shell commands are added at the head of this file, an unauthorized user cannot use the system remotely even if he has obtained a valid user name and password. The system administrator should regularly read the log file and watch the console messages to detect illegal access and take timely measures. If the check is implemented in C so that the password it asks for is not echoed, the effect is even better.
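As an added example (not from the original article), a shell fragment of the kind the paragraph above describes for the head of /etc/profile: it lets local logins and network logins from an administrator-chosen list of hosts continue, and ends any other session after logging it. It assumes that `who am i` reports the originating host in parentheses for network (telnet/rlogin) logins; the allow-list, the log path and the sample lines are constructed.

```shell
# Added example, not from the original article: a fragment for the head of
# /etc/profile that lets only local logins, and network logins from an
# administrator-chosen list of hosts, continue to a shell; everything else
# is logged and the session is ended. Assumptions: `who am i` reports the
# originating host in parentheses for network (telnet/rlogin) logins, and
# the allow-list, log path and sample lines below are constructed.

ALLOWED_REMOTE_HOSTS="10.1.1.5 10.1.1.6"     # constructed allow-list
DENY_LOG="/usr/adm/remote-deny.log"          # constructed log path

# classify_login takes one `who am i` style line and prints
# "remote <host>" when a remote host is present, otherwise "local".
classify_login() {
    host=$(printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    if [ -n "$host" ]; then
        echo "remote $host"
    else
        echo "local"
    fi
}

# login_permitted returns 0 when the session may continue and 1 when it
# must be refused: local logins pass, remote logins pass only if the
# originating host is on the allow-list.
login_permitted() {
    set -- $(classify_login "$1")
    [ "$1" = local ] && return 0
    for h in $ALLOWED_REMOTE_HOSTS; do
        [ "$h" = "$2" ] && return 0
    done
    return 1
}

# enforce_login is what /etc/profile would run first: it leaves a record
# and exits the login shell (ending the session) when the login is refused.
enforce_login() {
    line=$(who am i)
    if ! login_permitted "$line"; then
        echo "$(date) refused: $line" >> "$DENY_LOG" 2>/dev/null
        echo "Remote access from your host is not permitted."
        exit 1
    fi
}

# The first line of /etc/profile would then be:  enforce_login
```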

3. Confidentiality of important materials

These mainly include the hosts table, X.25 addresses, routes, the telephone numbers of the modem connections, the type of communication software used, and the user names on the network. Such information should be kept confidential and not be spread freely. Where possible, apply to the telecommunications department to have the telephone numbers used for communication unlisted and excluded from directory enquiries. Information may be tampered with or leaked when it passes through public or shared telecommunications switching equipment.

Choosing routes sensibly can therefore effectively prevent information leakage.

4. Manage important network devices

Routers are an important part of a network security plan. Most routers now have some firewall functions, for example prohibiting telnet access or access from unauthorized network segments. Correct access filtering on the network routers is a simple and effective way to restrict external access.

Where conditions allow, you can also set up a gateway to isolate this site from other networks. The gateway stores no business data, and all users other than those necessary for normal system operation are deleted from it, which further enhances network security.

In short, as long as you start now, cultivate network security awareness, and pay attention to accumulating experience and learning, it is entirely possible to ensure the safe and normal operation of the information system.
