Content Summary:
This article describes a system security protection strategy that a system administrator can use to keep intruders out. It discusses several ways to improve security on different Linux systems.
Guide
Many people have begun talking at length about intrusions into Internet hosts, and Linux and FreeBSD have been among the main targets of recent attacks, including the buffer overflow problems in imapd and in the bind programs. Every day a wide range of "system vulnerabilities" is announced on the Bugtraq mailing list, which has nearly 20,000 subscribers. (If you subscribe to only one security-related mailing list, this is the one not to miss.)
Suppose that at least one of those 19,305 subscribers writes a for() loop around a published exploit for one of these vulnerabilities in order to quickly take control of hosts across the network... In fact, that assumption is not far-fetched.
Sooner or later your computer will be the next target, and by then it may be too late to react.
Some "experts" may have led you to believe that installing and maintaining a secure computer is as complex as rocket science; in fact it is not that difficult. A sound, consistent system administration approach will protect you from threats coming from the global network. This article discusses the precautions I normally take when setting up a Red Hat Linux system on a network. Although it provides guidelines for safeguarding system security, it is not a complete reference.
The following steps are meant to keep your system from becoming a victim of security vulnerabilities in publicly exposed network programs. Pay special attention to this: if you are not sure what you are doing, do not do it. Some of the steps assume that you already have a certain level of background knowledge. Some suggested further reading is listed at the end of the article.
Steps to implement system security
1. Remove all unnecessary network services from the system. The fewer ways there are to connect to your computer, the fewer ways an intruder has in. Remove every unneeded entry from the /etc/inetd.conf file: if the system does not need telnet, disable it, and treat ftpd, rshd, rexecd, gopher, chargen, echo, pop3d and the rest by the same principle. After changing inetd.conf, don't forget to run 'killall -HUP inetd' so that inetd rereads the file. Also do not overlook the contents of the /etc/rc.d/init.d directory: some network services (such as BIND and the printer daemon) are standalone programs that are started by the command scripts in that directory.
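The following shell script is an added example, not code from the article: it audits an inetd.conf for active entries, comments out the services you name (all protocol variants of each), and only signals inetd when you explicitly ask it to. The sample inetd.conf it writes is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit and trim an inetd.conf. Nothing on the live system is
# touched unless you pass the real file yourself and set INETD_RELOAD=1.

# write_sample_inetd_conf FILE
# Writes a constructed, Red Hat-style inetd.conf used only for the demonstration.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Constructed sample inetd.conf (fields: service socket proto wait user server args)
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
}

# enabled_services FILE
# Prints the service name (field 1) of every active, uncommented entry, one per line.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# disable_services FILE SERVICE...
# Comments out every entry for each named service (tcp and udp lines alike).
# Rewrites FILE through a temporary copy so it also works with a sed that lacks -i.
disable_services() {
    f=$1; shift
    for svc in "$@"; do
        sed "s/^\\($svc[[:space:]]\\)/#\\1/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# reload_inetd
# Makes inetd reread its configuration; only acts when INETD_RELOAD=1.
reload_inetd() {
    if [ "${INETD_RELOAD:-0}" = "1" ]; then
        killall -HUP inetd
    else
        echo "would run: killall -HUP inetd"
    fi
}

# Demonstration on a scratch copy: show what listens before and after trimming.
demo_inetd_trim() {
    tmp=$(mktemp)
    write_sample_inetd_conf "$tmp"
    echo "before:"; enabled_services "$tmp" | tr '\n' ' '; echo
    disable_services "$tmp" echo chargen ftp telnet gopher shell login exec pop-3
    echo "after:";  enabled_services "$tmp" | tr '\n' ' '; echo
    reload_inetd
    rm -f "$tmp"
}
demo_inetd_trim
```

On a real host, run `enabled_services /etc/inetd.conf` first to see what is actually switched on, then `disable_services /etc/inetd.conf ...` with the names you want gone and `INETD_RELOAD=1 reload_inetd`. Services started from /etc/rc.d/init.d are not covered by this file and have to be disabled separately.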
2. Install SSH. SSH replaces the Berkeley 'r' commands, which are old and insecure. ssh (Secure Shell) is a program for logging into a network host, executing commands on a remote host, and moving files between two hosts. It provides strong authentication and keeps the data exchanged over the network confidential. It can also do a number of extra things that the curious expert may find worth studying. Download the SSH program from http://ftp.rge.com/pub/ssh.
3. Use vipw(1) to lock all accounts that are not meant to log in. Note that Red Hat Linux treats an account with an empty login shell field as having /bin/sh, which may not be what you expect. Also make sure that none of your accounts has an empty password field. The following is part of a properly locked password file:
daemon:*:2:2:daemon:/sbin:/bin/sync
adm:*:3:4:adm:/var/adm:/bin/sync
lp:*:4:7:lp:/var/spool/lpd:/bin/sync
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/bin/sync
halt:*:7:0:halt:/sbin:/bin/sync
mail:*:8:12:mail:/var/spool/mail:/bin/sync
news:*:9:13:news:/var/spool/news:/bin/sync
uucp:*:10:14:uucp:/var/spool/uucp:/bin/sync
operator:*:11:0:operator:/root:/bin/sync
games:*:12:100:games:/usr/games:/bin/sync
gopher:*:13:30:gopher:/usr/lib/gopher-data:/bin/sync
ftp:*:14:50:FTP User:/home/ftp:/bin/sync
nobody:*:99:99:Nobody:/:/bin/sync
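As an added example (not part of the article), the script below checks a passwd file for the three conditions step 3 warns about (an empty password field, an empty shell field that Red Hat will turn into /bin/sh, and a system account that still has an interactive shell) and locks an account the way you would by hand in vipw(1): '*' in the password field and /bin/sync as the shell, following the article's convention. The sample passwd file is constructed, and the function names are my own; on a real system read /etc/passwd with audit_passwd but do the editing through vipw so the file stays locked while you change it.

```shell
#!/bin/sh
# Added example: audit a passwd file for the problems step 3 describes and lock
# an account. Works on a copy; the sample below is constructed for the demo.

# write_sample_passwd FILE  -- constructed sample, not any real system's file
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/bin/sync
news:*:9:13:news:/var/spool/news:/bin/sh
nobody:*:99:99:Nobody:/:/bin/sync
guest::500:500:Guest account:/home/guest:/bin/sh
webdb:x:501:501:Web database:/var/lib/webdb:
alice:x:502:502:Alice:/home/alice:/bin/bash
EOF
}

# audit_passwd FILE
# Prints one finding per line:
#   EMPTY-PASSWORD user  -> password field is empty: anyone can log in as user without a password
#   EMPTY-SHELL user     -> shell field is empty: Red Hat will give the account /bin/sh
#   SYSTEM-SHELL user    -> system account (uid 1..99) that still has an interactive shell
audit_passwd() {
    awk -F: '
        NF < 7 { next }                                   # skip malformed lines
        $2 == ""                          { print "EMPTY-PASSWORD " $1 }
        $7 == ""                          { print "EMPTY-SHELL " $1 }
        $3 > 0 && $3 < 100 && $7 ~ /sh$/  { print "SYSTEM-SHELL " $1 }
    ' "$1"
}

# lock_account FILE USER
# Locks USER: '*' in the password field (no hash can ever match it) and the
# /bin/sync shell the article uses for non-login accounts. Rewrites FILE via a copy.
lock_account() {
    awk -F: -v OFS=: -v u="$2" '$1 == u { $2 = "*"; $7 = "/bin/sync" } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Demonstration on a scratch copy.
demo_passwd_audit() {
    tmp=$(mktemp)
    write_sample_passwd "$tmp"
    echo "findings before:"; audit_passwd "$tmp"
    lock_account "$tmp" guest
    lock_account "$tmp" news
    echo "findings after locking guest and news:"; audit_passwd "$tmp"
    rm -f "$tmp"
}
demo_passwd_audit
```

The SYSTEM-SHELL check treats any shell whose name ends in "sh" as interactive; if you use /sbin/nologin or /bin/false instead of the article's /bin/sync for locked accounts, those pass the check as well.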
4. Remove the 's' (setuid) bit from every root-owned program that does not actually need it. Do this with the 'chmod a-s' command, followed by the name of the file you want to change.
The programs in question fall into the following categories, though not only these: programs you will never use, and programs that you do not want users other than root to run but that are fine to run after you su(1) to root. I have put an asterisk (*) in front of the programs whose setuid bit I would remove. Remember that your system still needs some suid root programs in order to work properly, so be especially careful.
Alternatively, you can create a special group called 'suidexec', add the trusted user accounts to it, use chgrp(1) to make all the suid programs group-owned by suidexec, and remove all permissions for other users.
# find / -user root -perm "-u+s"
*/bin/ping
*/bin/mount -- only root should be able to mount file systems
*/bin/umount -- same as above
/bin/su -- don't touch this one!
/bin/login
/sbin/pwdb_chkpwd
*/sbin/cardctl -- PCMCIA card control utility
*/usr/bin/rcp -- use ssh instead
*/usr/bin/rlogin -- same as above
*/usr/bin/rsh -- "
*/usr/bin/at -- use cron instead, or disable both
*/usr/bin/lpq -- install LPRng instead
*/usr/bin/lpr -- "
*/usr/bin/lprm -- "
*/usr/bin/mh/inc
*/usr/bin/mh/msgchk
/usr/bin/passwd -- don't touch this one!
*/usr/bin/suidperl -- every new version of suidperl seems to have a buffer overflow problem
*/usr/bin/sperl5.003 -- use it only when necessary
/usr/bin/procmail
*/usr/bin/chfn
*/usr/bin/chsh
*/usr/bin/newgrp
*/usr/bin/crontab
*/usr/X11R6/bin/dga -- X11 also has many buffer overflow problems
*/usr/X11R6/bin/xterm -- "
*/usr/X11R6/bin/XF86_SVGA -- "
*/usr/sbin/usernetctl
/usr/sbin/sendmail
*/usr/sbin/traceroute -- you can surely put up with typing the root password once in a while
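The script below is an added example, not code from the article: it turns step 4 into a repeatable check by listing every setuid-root file, sorting each one into "keep" or "strip" using the six programs the article leaves untouched as the allowlist, and offering both of the article's remedies (chmod a-s, or restricting the program to a suidexec group). The demonstration runs on a scratch file you own, so no root is needed to try it; the allowlist contents and function names are mine, and on your own system you should adjust KEEP_SUID before acting on the output.

```shell
#!/bin/sh
# Added example: audit setuid-root programs against an allowlist and apply one
# of the article's two fixes. Nothing is changed unless you call strip_suid or
# restrict_to_group on a real path yourself.

# Programs the article leaves setuid root (the entries without an asterisk).
KEEP_SUID="/bin/su /bin/login /sbin/pwdb_chkpwd /usr/bin/passwd /usr/bin/procmail /usr/sbin/sendmail"

# list_suid_root ROOT  -> every setuid-root regular file under ROOT, one filesystem only
list_suid_root() {
    find "$1" -xdev -type f -user root -perm -4000 2>/dev/null | sort
}

# classify_suid  (reads one path per line on stdin) -> "keep PATH" or "strip PATH"
classify_suid() {
    while IFS= read -r p; do
        verdict=strip
        for k in $KEEP_SUID; do
            [ "$k" = "$p" ] && verdict=keep
        done
        echo "$verdict $p"
    done
}

# strip_suid PATH  -> remove the setuid and setgid bits (the article's 'chmod a-s')
strip_suid() {
    chmod a-s "$1"
}

# restrict_to_group PATH GROUP
# The article's alternative: keep the bit, but only members of GROUP (e.g. suidexec)
# may execute the program; everyone else loses read, write and execute.
restrict_to_group() {
    chgrp "$2" "$1" && chmod o-rwx "$1"
}

# has_suid PATH -> exit status 0 if the setuid bit is set
has_suid() {
    [ -u "$1" ]
}

# Demonstration: classify a few paths from the article's list, then set and strip
# the bit on a scratch file we own (setting u+s on your own file needs no root).
demo_suid_audit() {
    printf '%s\n' /bin/su /bin/ping /usr/bin/passwd /usr/bin/rcp | classify_suid
    tmp=$(mktemp)
    chmod u+s "$tmp"
    has_suid "$tmp" && echo "$tmp: setuid bit set"
    strip_suid "$tmp"
    has_suid "$tmp" || echo "$tmp: setuid bit removed"
    rm -f "$tmp"
}
demo_suid_audit
# On a real system: list_suid_root / | classify_suid
```

Run `list_suid_root / | classify_suid` as root, review every "strip" line against what the machine actually does, and only then feed the paths you agree with to strip_suid (or to restrict_to_group with your suidexec group). Keep a copy of the original listing so you can restore a bit with chmod u+s if something stops working.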