Enhance system security for the Linux operating system installation kit

Source: Internet
Author: User
Tags gopher

This article introduces the system security protection policy, allowing the system administrator to block intruders. Some improvement methods are discussed for different Linux systems.

Guide

Many people have begun talking about intrusions into network hosts, and Linux and FreeBSD have recently become major targets, with attacks including buffer overflows in the imapd and BIND programs. Every day, new "system vulnerabilities" are announced on the BUGTRAQ mailing list, which has nearly 20,000 subscribers. (If you subscribe to only one system-security mailing list, do not miss this one.)
Assume that at least one of those 19,305 subscribers intends to wrap a for() loop around a public vulnerability attack program to quickly gain control of hosts on the network... in fact, this assumption is not far-fetched.

That way, your computer will sooner or later become the next target, and you may be caught off guard.

Maybe some "experts" have made you think that installing and maintaining a secure computer is as complicated as rocket science. In fact, it is not that difficult: with complete and sound system management measures, you can avoid threats from the global network. This article discusses how to design a Red Hat Linux network system and the general preventive actions to take. Although this document provides guidance for ensuring system security, it is not a complete reference.

The following steps are intended to keep your system from becoming the victim of publicly disclosed network-program security vulnerabilities. Note: if you are not sure what you are doing, do not do it. Some steps assume that you already have a certain amount of relevant knowledge. At the end of this article we also provide some recommended reference books.

System security implementation steps

1. Remove all unnecessary network services from the system. The fewer ways there are to connect to your computer, the fewer ways an intruder can find in. In the /etc/inetd.conf file, comment out all unnecessary entries: if the system does not need telnet, cancel it, and likewise ftpd, rshd, rexecd, gopher, chargen, echo and pop3d. After modifying inetd.conf, do not forget to run 'killall -HUP inetd'. Also do not ignore the /etc/rc.d/init.d directory: some network services (such as BIND and the printer daemon) are independently running programs started by the scripts in that directory.
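As an added example (not code from the original article), the following POSIX shell functions comment out unwanted services in an inetd.conf-style file and then list what is still enabled, so the result can be reviewed before the 'killall -HUP inetd' step. The sample configuration is constructed here, and the file layout and service names are assumptions; run it against a copy of your own inetd.conf first.

```shell
# Added example, not the article's own code. The sample file below is
# constructed for demonstration; work on a copy of the real inetd.conf.

# disable_inetd_services FILE SERVICE...
# Comments out every active line whose first field is one of the given services.
disable_inetd_services() {
    conf="$1"
    shift
    for svc in "$@"; do
        # anchor at line start and require whitespace after the name, so that
        # disabling "echo" does not also touch a hypothetical "echo-udp" entry
        sed "s/^\(${svc}[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# list_enabled_services FILE
# Prints the service name (first field) of every line that is not a comment.
list_enabled_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# make_sample_inetd_conf FILE
# Writes a constructed inetd.conf fragment (assumed layout, not a real system file).
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
echo    stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
EOF
}

# harden_sample
# Usage in one call: build the sample, disable the services the article names,
# and return the services that remain enabled (one per line).
harden_sample() {
    f=$(mktemp)
    make_sample_inetd_conf "$f"
    disable_inetd_services "$f" gopher pop-3 echo chargen
    list_enabled_services "$f"
    rm -f "$f"
}
```

The listing step is the part worth keeping around: after every edit, what list_enabled_services prints is exactly the set of inetd-managed ports still open to the network.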

2. Install SSH. SSH is a program used to replace the 'R' series of commands. The original Berkeley versions are outdated. Ssh (Secure Shell) is a program used to log on to a web host, execute commands on a remote host, or move files between two hosts. It provides powerful authentication functions and ensures secure data communication over the network. It can also handle some other things, which may be of interest to the experts who are interested in the research. Please download the SSH program by http://ftp.rge.com/pub/ssh.

3. Use vipw(1) to lock all accounts that are not allowed to log in. Note that for accounts that do not specify a login shell, Red Hat Linux uses /bin/sh by default, which may not be what you expect. At the same time, make sure that the password field of every account is not empty. The following is part of a normal password file:

daemon:*:2:2:daemon:/sbin:/bin/sync
adm:*:3:4:adm:/var/adm:/bin/sync
lp:*:4:7:lp:/var/spool/lpd:/bin/sync
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/bin/sync
halt:*:7:0:halt:/sbin:/bin/sync
mail:*:8:12:mail:/var/spool/mail:/bin/sync
news:*:9:13:news:/var/spool/news:/bin/sync
uucp:*:10:14:uucp:/var/spool/uucp:/bin/sync
operator:*:11:0:operator:/root:/bin/sync
games:*:12:100:games:/usr/games:/bin/sync
gopher:*:13:30:gopher:/usr/lib/gopher-data:/bin/sync
ftp:*:14:50:FTP User:/home/ftp:/bin/sync
nobody:*:99:99:Nobody:/:/bin/sync

4. Remove the setuid ('s') bit from all programs owned by root that do not need it. This is done with the 'chmod a-s' command followed by the name of the file to change.
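Returning to the password-file check of step 3, here is an added example (not from the original article) of auditing a passwd-format file for the two problems the step describes, an empty password field and a missing login shell, and of locking an account in a working copy. The sample file is constructed, and using /bin/false as the locked shell is an assumption; the article's listing uses /bin/sync.

```shell
# Added example, not the article's own code. The sample password file is
# constructed; /bin/false as the locked-account shell is an assumption.

# audit_passwd FILE
# Reports accounts with an empty password field (anyone can log in with no
# password) and accounts with no login shell (Red Hat then defaults to /bin/sh).
audit_passwd() {
    awk -F: '
        NF < 7   { print "MALFORMED " $1; next }
        $2 == "" { print "EMPTY-PASSWORD " $1 }
        $7 == "" { print "NO-SHELL " $1 }
    ' "$1"
}

# lock_account FILE USER
# Sets the password field to "*" (no hash can ever match it) and the shell to
# /bin/false. Run it on a copy and install the result with vipw, which takes
# the lock that protects the real file against concurrent edits.
lock_account() {
    awk -F: -v OFS=: -v u="$2" '$1 == u { $2 = "*"; $7 = "/bin/false" } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# make_sample_passwd FILE
# Constructed fragment in the same layout as the article's listing.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/bin/sync
guest::500:500:Guest account:/home/guest:/bin/bash
oldsvc:x:501:501:Old service:/var/oldsvc:
games:*:12:100:games:/usr/games:/bin/sync
EOF
}
```

On the sample, audit_passwd flags guest (empty password) and oldsvc (no shell, so /bin/sh by default); after lock_account has been applied to both, it reports nothing.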

The programs listed below include, but are not limited to, those you will never use. You may not want users other than root to run some of them, but once you su(1) to root it does not matter whether the program is setuid. I have marked the programs whose setuid permission I would cancel with an asterisk (*). Remember that your system still needs some suid root programs to function normally, so be especially careful.

Alternatively, you can create a special group named 'suidexec', put the trusted user accounts in it, use the chgrp(1) command to change all suid programs to belong to the suidexec group, and remove execute permission for other users.

# find / -user root -perm -u+s

*/bin/ping
*/bin/mount -- only root can mount file systems
*/bin/umount -- same as above
/bin/su -- don't change it!
/bin/login
/sbin/pwdb_chkpwd
*/sbin/cardctl -- control tool for PCMCIA cards
*/usr/bin/rcp -- use ssh instead
*/usr/bin/rlogin -- same as above
*/usr/bin/rsh -- same as above
*/usr/bin/at -- use cron instead, or disable both
*/usr/bin/lpq -- switch to LPRng
*/usr/bin/lpr -- same as above
*/usr/bin/lprm -- same as above
*/usr/bin/mh/inc
*/usr/bin/mh/msgchk
/usr/bin/passwd -- don't change it!
*/usr/bin/suidperl -- each new version of suidperl seems to have buffer overflow problems
*/usr/bin/sperl5.003 -- same as above
/usr/bin/procmail -- use only when necessary
*/usr/bin/chfn
*/usr/bin/chsh
*/usr/bin/newgrp
*/usr/bin/crontab
*/usr/X11R6/bin/dga -- X11 has many buffer overflow problems
*/usr/X11R6/bin/xterm -- same as above
*/usr/X11R6/bin/XF86_SVGA -- same as above
*/usr/sbin/usernetctl
/usr/sbin/sendmail
*/usr/sbin/traceroute -- you can become root with the root password on the occasions you need it
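As an added example (not code from the original article), the functions below carry step 4 through on a directory tree: enumerate the setuid files owned by a given user, strip the bit from everything not on a keep-list, and apply the article's suidexec alternative to a file that must stay setuid. The directory, owner and keep-list are parameters so the procedure can be rehearsed on a constructed tree before it is pointed at / as root; the group name suidexec is taken from the article.

```shell
# Added example, not the article's own code. Directory, owner and keep-list are
# parameters so this can be tried on a scratch tree before being run on / as root.

# list_setuid_files DIR OWNER
# The article's 'find / -user root -perm -u+s', scoped to DIR and OWNER.
list_setuid_files() {
    find "$1" -type f -user "$2" -perm -4000 | sort
}

# strip_setuid DIR OWNER KEEP...
# Runs 'chmod a-s' on every setuid file found under DIR for OWNER whose full
# path is not in KEEP (the few programs that must stay setuid, such as su and
# passwd), and prints each path it changed.
strip_setuid() {
    dir="$1"
    owner="$2"
    shift 2
    list_setuid_files "$dir" "$owner" | while IFS= read -r f; do
        keep=no
        for k in "$@"; do
            [ "$f" = "$k" ] && keep=yes
        done
        if [ "$keep" = no ]; then
            chmod a-s "$f"
            echo "$f"
        fi
    done
}

# restrict_suid_to_group FILE GROUP
# The article's alternative for programs that must stay setuid: give them to a
# trusted group (suidexec) and drop execute permission for everyone else, so
# only members of that group can run them.
restrict_suid_to_group() {
    chgrp "$2" "$1" && chmod o-x "$1"
}
```

Keeping the keep-list explicit matters more than the loop itself: a setuid program that is stripped by mistake (su, passwd) fails loudly for every user, while one that is left setuid by mistake fails silently. Review the output of list_setuid_files before and after, and keep the before-list so the change can be reversed.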

5. Upgrade sendmail. Download the latest source code from ftp://ftp.sendmail.org/pub/sendmail and read it. If you have some extra time, install smrsh (included with sendmail), which restricts the programs that mail can be delivered to; many people are concerned about sendmail's security precisely because mail can be delivered to programs. Edit the sendmail.cf file and set the PrivacyOptions option to goaway:

O PrivacyOptions=goaway

If you do not want to receive mail from the Internet, do not run sendmail in daemon (receiving) mode (sendmail -bd). In that case, disable /etc/rc.d/init.d/sendmail.init and run 'killall -TERM sendmail'. You will still be able to send mail to the outside.

6. If you use BIND, remember to upgrade it. The latest BIND versions can be found at http://www.isc.org; otherwise, shut it down entirely.

7. Recompile the kernel. I usually recompile it anyway when the default kernel is too large. Tip: enable all firewall options, even if your computer is not a firewall.

CONFIG_FIREWALL=y
CONFIG_NET_ALIAS=y
CONFIG_INET=y
# CONFIG_IP_FORWARD is not set
# metadata is not set
CONFIG_SYN_COOKIES=y
CONFIG_RST_COOKIES=y
CONFIG_IP_FIREWALL=y
metadata=y
# signature is not set
# does not set
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ACCT=y
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
CONFIG_IP_ALIAS=m

8. Patch all known software issues. Patches can be found on Red Hat's errata page (see http://www.redhat.com/support/docs/errata.html and look up your release). Red Hat does a good job of maintaining and updating these pages, which also contain links to the RPM files. You should use them, following the instructions to install them.

9. Set up tcp_wrappers. tcp_wrappers can be used to manage which computers on the network may talk to you. This program is written by Wietse Venema, a system security expert. It controls programs started through inetd (or linked against its library) and consults its configuration files to decide whether to reject or accept a network connection request. For example, to allow yourself to telnet and ftp in through your ISP from home while rejecting all other connections, you can write in the /etc/hosts.allow file:

in.ftpd: .dialup.your-isp.com: allow
ALL: ALL: deny

Programs such as SSH and sendmail can also be built with tcp_wrappers support.
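As an added example (not tcp_wrappers' own code, and not from the original article), the small evaluator below applies hosts.allow rules the way tcp_wrappers does, so a rule set like the one above can be tested before it guards a real service. Only the subset of the syntax the article uses is implemented: daemon and client lists, ALL, leading-dot domain suffixes, and a trailing allow/deny option. The sample rule set is constructed around the article's example.

```shell
# Added example, not tcp_wrappers' own code. Implements only the subset of the
# hosts.allow syntax used in the article; the sample rule set is constructed.

# check_access FILE DAEMON CLIENT
# Prints "allow" or "deny" from the first rule whose daemon list and client
# list both match (order matters), or "nomatch" if no rule matches, in which
# case tcp_wrappers would go on to consult /etc/hosts.deny.
check_access() {
    awk -v d="$2" -v c="$3" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        # does NAME match any pattern in the comma/space separated LIST?
        function in_list(list, name,    n, i, arr, patt) {
            n = split(list, arr, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                patt = arr[i]
                if (patt == "ALL" || patt == name) return 1
                # a pattern starting with "." matches every host in that domain
                if (substr(patt, 1, 1) == "." && length(name) > length(patt) &&
                    substr(name, length(name) - length(patt) + 1) == patt) return 1
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        {
            n = split($0, f, ":")                   # daemon_list : client_list [: option]
            if (n < 2) next
            if (!in_list(trim(f[1]), d) || !in_list(trim(f[2]), c)) next
            verdict = "allow"                       # default verdict in hosts.allow
            if (n >= 3 && trim(f[3]) == "deny") verdict = "deny"
            found = 1
            print verdict
            exit                                    # first matching rule wins
        }
        END { if (!found) print "nomatch" }
    ' "$1"
}

# make_sample_hosts_allow FILE
# Constructed rule set built around the article's example.
make_sample_hosts_allow() {
    cat > "$1" <<'EOF'
# constructed sample hosts.allow
in.ftpd, in.telnetd: .dialup.your-isp.com: allow
sshd: ALL
ALL: ALL: deny
EOF
}
```

The point the evaluator makes visible is that rule order decides the outcome: the catch-all "ALL: ALL: deny" must come last, and a rule without a final "deny" option allows, because the file is hosts.allow. A service that is not listed at all still falls through to hosts.deny, which is why the article's pairing with an explicit deny line is the safe shape.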
