Essentials of Enterprise Linux Server security protection

With the popularity of Linux in Open source system, its application in large and medium-sized enterprises is becoming more and more popular, many enterprise application services are built on it, such as Web services, database services, cluster services and so on. Therefore, the security of Linux has become an enterprise to build a security application of a foundation, is the most important, how to protect its security is an enterprise needs to solve a fundamental problem, based on this, this article will give the top ten enterprise-class Linux server security protection points.

1. Strengthening: password management

Setting the login password is a very important security measure, if the user's password settings are not appropriate, it is very easy to decipher, especially the user with the power of superuser, if there is no good password, will give the system a great security hole.

At present, most of the password cracking programs use dictionary attack and brute force attack method, and the user's password is set improperly, then it is very vulnerable to the threat of dictionary attack. Many users like to use their own English name, birthday or account information to set the password, so that hackers may be through the dictionary attack or social engineering means to crack the password. Therefore, it is recommended that users in the process of setting the password, should try to use the combination of non-dictionary characters, and the combination of numbers and characters, combined with the combination of the password settings, increase password by hackers to crack the difficulty. Also, you can protect your login password by using regular password changes to invalidate your password periodically.

In multi-user system, if each user is forced to choose a password which is not easy to guess, it will greatly improve the security of the system. However, if the passwd program can not force each user to use the appropriate password, to ensure the security of the password, you can only rely on password cracking program. In fact, a password-cracking program is a tool in the hacker's toolbox, which encrypts the commonly used password or all the words in the English dictionary that might be used as a password, and then compares it to the/etc/passwd password file or/etc/shadow Shadow file of the Linux system. If you find a matching password, you can obtain the code. On the network can find a lot of password cracking procedures, the more famous program is crack and John the Ripper. Users can perform their own password-cracking procedures, to find the password that is easy to be cracked by hackers, the first correction is better than being hacker to crack to benefit.

2, Limited: Network service Management

In earlier versions of Linux, each of the different network services had a service program (daemon, Daemon) running in the background, and later versions were tasked with a unified/ETC/INETD server program. INETD is the abbreviation for Internetdaemon, which monitors multiple network ports and executes the appropriate TCP or UDP network service once the incoming connection information is received. Because of the unified command of the inetd, most TCP or UDP services in Linux are set in/etc/inetd.conf files. So the first step in eliminating the need for a service is to check the/etc/inetd.conf file and add the "#" number before the service.

In general, in addition to HTTP, SMTP, Telnet, and FTP, other services should be canceled, such as Simple File Transfer Protocol TFTP, network mail storage and reception of the Imap/ipop transport Protocol, Find and search for data gopher and daytime and time for synchronization. There are also reports of system State services, such as finger, Efinger, systat, and Netstat, which are useful for system error checking and search for users, but also for hackers. For example, a hacker can use the finger service to look up a user's phone, use a directory, and other important information. As a result, many Linux systems cancel or partially cancel these services to enhance the security of the system. In addition to using/etc/inetd.conf to set up system service items, inetd uses/etc/services files to find the ports used by each service. Therefore, users must carefully check the settings of each port in the file to avoid a security vulnerability.

In subsequent Linux versions (such as Red Hat Linux7.2), the xinetd is used to manage network services.

Of course, the specific cancellation of which services can not be generalized, need to be based on the actual application of the situation to determine, but the system administrator needs to be aware of, because once the system security problems, it is necessary to do a step, orderly leak check and remedial work, this is more important.

3, Strict Audit: System login User Management

Before entering the Linux system, all users need to log in, that is to say, users need to enter the user account and password, only after they are authenticated by the system, users can enter the system.

Like other Unix operating systems, Linux typically encrypts passwords and stores them in/etc/passwd files. All users on a Linux system can read the/etc/passwd file, although the password saved in the file is encrypted, but still unsafe. Because the general user can use the ready-made password deciphering tool, the exhaustive method guesses the password. A more secure approach is to set shadow file/etc/shadow, allowing only users with special permissions to read the file.

In a Linux system, if you want to use shadow files, you must recompile all the utilities to support shadow files. This approach is more cumbersome, and the simpler approach is to use the plug-in validation module (PAM). Many Linux systems have Linux toolkit Pam, an authentication mechanism that can be used to dynamically change authentication methods and requirements without requiring recompiling other utilities. This is because Pam hides all authentication-related logic in the module in a closed package, so it is the best helper to use shadow files.

In addition, Pam also has a lot of security features: it can rewrite the traditional des encryption method to other more powerful encryption methods to ensure that the user's password is not easily deciphered, it can set the limit on the use of computer resources per user, it can even set the user's time and location of the machine.

The Linux system administrator spends only a few hours installing and setting Pam, which can greatly improve the security of the Linux system, blocking many attacks outside the system.

4, set: User account security Level management

In addition to passwords, user accounts have a security level, because each account on Linux can be given different permissions, so in the establishment of a new user ID, the system administrator should give the account according to different permissions, and merged into different user groups.

In some files in a Linux system, you can set up a list of people who are allowed to go on and are not allowed to go to the computer. Among them, allow the list of personnel on the machine set in the/etc/hosts.allow, do not allow the list of personnel on the machine set in/etc/hosts.deny. In addition, Linux will automatically log the results that are allowed in or disallowed into the/var/log/secure file, and the system administrator can detect suspicious entry records accordingly.

Each account ID should be assigned to someone. In an enterprise, an administrator should remove the account from the system immediately if the employee who is responsible for an ID leaves the office. Many intrusions are borrowed from accounts that have been unused for a long time.

In the user account, the hacker likes the account with root permission most, this kind of super user has the right to modify or delete various system settings, can unimpeded in the system. Therefore, before giving any account root permissions, it must be considered carefully.

The/etc/securetty file in the Linux system contains a set of terminal names that can be logged in with the root account. For example, in a redhatlinux system, the initial value of the file allows only the local Virtual Console (Rtys) to log on as root, and not allow remote users to log on as root. It is best not to modify the file, if you must be from Telnet to root permissions, it is best to first log on as a regular account, and then use the SU command to upgrade to Superuser.

5, cautious use: "R Series" Remote Program management

In a Linux system there are a series of utility programs for r headers, such as RLOGIN,RCP and so on. They are very easy for hackers to invade our system, so it is very dangerous, so never open the root account to these utilities. Because these utilities are all used. rhosts files or hosts.equiv files are approved for entry, so make sure that the root account is not included in these files.

Because remote directives such as R are a good way for hackers to attack a system, many security tools are designed to address this security vulnerability. For example, the PAM tool can be used to effectively disable the R-header utility by adding an instruction that the login must first approve in the/etc/pam.d/rlogin file, so that users of the entire system cannot use their own home directory. rhosts files.

6, limit: Root User Rights Management

Root has always been the focus of Linux protection, because it has unlimited power, so it is best not to easily authorize the super user. However, some programs must be installed and maintained with Superuser privileges, and in this case, other tools can be used to give such users some power over some superuser. Sudo is such a tool.

Sudo program allows the general user after configuration settings, with the user's own password to log in again, to obtain the power of the superuser, but only a limited number of instructions to execute. For example, when sudo is applied, managers who manage tape backups can log on to the system on a daily basis, gain superuser privileges to perform a document backup, but have no privileges to do other work that only superuser can do.

sudo not only restricts the user's permissions, but also records each instruction that is executed with sudo, regardless of whether the instruction succeeds or fails. In large enterprises, there are times when many people manage different parts of the Linux system at the same time, and each manager has the ability to use Sudo's power to empower certain users with superuser privileges, from the sudo log, to track who did what and what parts of the system were changed.

It is worth noting that sudo does not limit all user behavior, especially when some simple instructions are not set to limit, it is possible to be abused by hackers. For example, a/ETC/CAT directive, typically used to display the contents of a file, can be used by hackers to modify or delete important files if they have the privileges of a superuser.

7, Tracking Hacker traces: Log Management

When users carefully set up various Linux-related configurations (most commonly used log management options), and the necessary security tools are installed, the Linux operating system security is significantly improved, but it does not guarantee that the more skilled network hackers to prevent the intrusion.

In peacetime, network management personnel should be constantly vigilant, always pay attention to all kinds of suspicious conditions, and timely inspection of various system log files, including general information log, network connection log, file transfer log, and user login log. When checking these logs, pay attention to whether there is an unreasonable time record. For example:

Normal user login in midnight;

Abnormal logging, such as logging only half of the log was cut off, or the entire log file was deleted;

Users from unfamiliar URLs into the system;

Due to the password error or user account error was abandoned outside of the log records, especially those who repeatedly tried to enter the failure, but there is a certain mode of trial and error method;

Illegal use or improper use of super user rights Su's instructions;

Reboot or restart the records for each service.

All these problems require the system administrator to keep an eye on the user status of the system login and view the corresponding log files, many deviations from normal behavior should be highly noticed.

8, HORIZONTAL expansion: Integrated defense management

Firewall, IDs and other protection technology has been successfully applied to all areas of network security, but also have very mature products.

In the Linux system, there is a netfilter/iptables firewall framework, which can also play the function of the host firewall by properly configuring it. The Linux system also has a corresponding lightweight network intrusion detection system snort and host intrusion detection system lids (Linux Intrusion detection system), use them to quickly and efficiently protect.

Note that you need to be reminded that: in most application scenarios, we need to use both technologies, because firewalls are the first layer of security protection, which filters network traffic simply by comparing IP address/port pairs, and IDs is more specific, and it needs to go through specific packets (some or all) To filter network traffic, is the second layer of security protection. Comprehensive use of them, can be complementary, and play their own advantages, and ultimately achieve comprehensive defense.

9, Evaluation: Vulnerability tracking and management

Linux as a good open source software, its own development is changing, at the same time, its existing problems will be exposed in future applications. Hacker's attention to the new technology is to a certain extent higher than our protection personnel, so in order to be in the network attack and defense of the war in a favorable position, to protect the security of Linux system, it requires us to maintain a high degree of vigilance and high attention to new technologies. Users, especially the system administrators who use Linux as a key business system, need to get some new technologies of the system as soon as possible through some authoritative websites and forums of Linux, as well as some information about the system vulnerabilities, perform the related work such as vulnerability scanning, penetration testing, etc. Early action, in the presence of a loophole or even the shortest period of time before the closure of the system loopholes, and in practice constantly improve the safety protection skills, this is a comparison of the solution and the way out.

10, keep the update: patch Management

Linux as a good open source software, its stability, security and availability of a very reliable guarantee, the world's Linux master Common maintenance of a good product, so many channels, and often have updated procedures and system patches appear, therefore, in order to enhance the system security, Be sure to update the system kernel frequently.

Kernel is the core of the Linux operating system, which resides in memory for loading other parts of the operating system and implementing the basic functions of the operating system. Because kernel controls the various functions of the computer and the network, its security is critical to the security of the system as a whole. Earlier versions of the kernel had many well-known security vulnerabilities, and were less stable, and only more than 2.0.x versions were more stable and secure (generally, the kernel version numbers were relatively stable, while the odd ones were typically beta versions, and users had to pay more attention when they used them). The running efficiency of the new version has also changed a lot. In setting the function of kernel, only select the necessary function, do not have all the functions according to the full collection, otherwise it will make the kernel become very large, both occupy the system resources, but also to leave the opportunity for hackers.

With the latest security patches on the Internet, Linux system administrators should be well-informed and often patronize security newsgroups to review new patches.