Key Points of CentOS Server Security Protection

Source: Internet
Author: User

As open-source Linux has spread, its use in large and medium-sized enterprises has steadily grown. Many enterprise application services are built on it, such as Web services, database services, and cluster services. The security of Linux has therefore become the foundation on which enterprises build secure applications, and a top priority. How to protect it is a fundamental problem that enterprises need to solve. With that in mind, this article provides the key points for enterprise-level Linux server security protection.

1. Enhancement: Password Management

Setting a logon password is a very important security measure. A password that is not properly set is easily cracked, and for users with superuser permissions in particular, a poor password creates a large security vulnerability in the system.

Currently, most password cracking programs use dictionary attacks and brute-force attacks, and improperly chosen passwords are vulnerable to dictionary attacks. Many users like to set passwords from their English names, birthdays, account names, and similar information, which lets hackers crack them with dictionary attacks or social engineering techniques. It is therefore recommended that you use non-dictionary character combinations that mix numbers and letters, with both uppercase and lowercase characters, to make the password harder to crack. In addition, you can protect logon passwords by changing them regularly and by having them expire regularly.

In a multi-user system, forcing each user to select a password that is difficult to guess greatly improves the security of the system. However, if the passwd program cannot force each user on the machine to use an appropriate password, then the only way to ensure password security is to rely on a password cracking program. A password cracking program is a tool in the hacker toolbox: it encrypts common passwords, or every word in the English dictionary that might be used as a password, and then compares each result with the entries in the /etc/passwd password file or the /etc/shadow file in Linux. If an entry matches, the plaintext password is known. Many password cracking programs can be found on the network; the famous ones are Crack and John the Ripper. The administrator can run a password cracking program first to find the passwords that hackers could crack easily. It is better to find and correct those passwords first than to have them cracked by hackers.

2. Limitation: Network Service Management

In earlier Linux versions, each network service had its own service program (daemon) running in the background; later versions use the unified /etc/inetd server program to undertake this task. Inetd is short for Internet daemon. It monitors multiple network ports at the same time and, once it receives a connection from outside, executes the corresponding TCP or UDP network service. Because inetd is in unified command, most TCP and UDP services in Linux are set in the /etc/inetd.conf file. Therefore, the first step in canceling unnecessary services is to check the /etc/inetd.conf file and add a "#" sign before each unwanted service.

In general, all services except http, smtp, telnet, and ftp should be canceled, such as the simple file transfer protocol tftp, the imap/ipop transport protocols used for storing and receiving network mail, gopher for data searching, and daytime and time used for time synchronization. There are also services that report system status, such as finger, efinger, systat, and netstat. Although they are very useful for system error detection and user lookup, they also provide a convenient entry point for hackers. For example, hackers can use the finger service to find users' phone numbers, directories, and other important information. Therefore, many Linux systems cancel all or some of these services to enhance system security. In addition to setting system service items in /etc/inetd.conf, inetd also uses the /etc/services file to find the ports used by the various services. You must therefore carefully check the port settings in that file to avoid security vulnerabilities.

In subsequent Linux versions (such as those after Red Hat Linux 7.2), xinetd is used for network service management.

Of course, which services to cancel cannot be generalized and should be determined by the actual application situation, but the system administrator must know which ones are running, because once the system has a security problem, it is important to carry out the investigation and remedy work step by step and methodically.
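The "#" step described above can be scripted. The following is an added example, not part of the original article: it comments out every active /etc/inetd.conf entry whose service is not on a keep list. The keep list mirrors the four services the article names; the sample file content and the function name harden_inetd are constructed for illustration.

```python
# Added example: comment out inetd services that are not on a keep list.
# KEEP mirrors the services the article says to retain; adjust it per host.
KEEP = {"http", "smtp", "telnet", "ftp"}

# Constructed sample in /etc/inetd.conf format:
# service  socket-type  protocol  wait-flag  user  server-program  arguments
SAMPLE_INETD_CONF = """\
# constructed sample, not taken from a real host
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#imap   stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
daytime stream  tcp  nowait  root    internal
"""


def harden_inetd(conf_text, keep=KEEP):
    """Return (new_text, disabled): the file with unwanted services commented out."""
    out_lines, disabled = [], []
    for line in conf_text.splitlines():
        stripped = line.strip()
        # Blank lines and entries that are already commented pass through.
        if not stripped or stripped.startswith("#"):
            out_lines.append(line)
            continue
        fields = stripped.split()
        service = fields[0]
        # A valid entry has at least six fields; leave malformed lines
        # untouched so that a human reviews them.
        if len(fields) < 6 or service in keep:
            out_lines.append(line)
            continue
        out_lines.append("#" + line)
        disabled.append(service)
    return "\n".join(out_lines) + "\n", disabled


if __name__ == "__main__":
    new_text, disabled = harden_inetd(SAMPLE_INETD_CONF)
    print("disabled:", ", ".join(disabled))
    print(new_text, end="")
```

Running the function a second time on its own output disables nothing further, so it is safe to rerun. inetd rereads its configuration when it receives SIGHUP.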

3. Strict audit: System logon user management

Before entering the Linux system, all users need to log on, that is, users need to enter the user account and password. Only after they pass system verification can users enter the system.

Like other Unix operating systems, Linux typically stores passwords in the /etc/passwd file after encryption. All users in Linux can read the /etc/passwd file. Although the passwords stored in the file are encrypted, this is still not safe, because ordinary users can use a ready-made password cracking tool to guess them. The safer method is to set up the shadow file /etc/shadow and allow only users with special permissions to read it.

In Linux, to use a shadow file, you must recompile all the utilities to support it, which is troublesome. A simpler method is to use Pluggable Authentication Modules (PAM). Many Linux systems include the Linux tool PAM, an identity authentication mechanism that can dynamically change authentication methods and requirements without recompiling other utilities. This is because PAM encapsulates all authentication-related logic inside its modules, which makes it the best helper for using shadow files.

In addition, PAM has many security features: it can replace the traditional DES encryption method with other, stronger encryption methods so that user passwords are not easily cracked; it can set an upper limit on the computer resources each user may use; it can even restrict the times and locations at which a user may use the computer.

Linux administrators can install and set up PAM in just a few hours, greatly improving the security of the Linux system and keeping many attacks out of the system.
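To check the two password properties discussed in sections 1 and 3 (regular expiry, and a hash scheme stronger than traditional DES), the following added example, which is not part of the original article, audits entries in /etc/shadow format. The sample entries are constructed with placeholder hash bodies, and the 90-day limit and the function names are assumptions chosen for illustration.

```python
# Added example: audit /etc/shadow-format entries for weak hash schemes,
# empty passwords, and missing expiry. Sample entries are constructed and
# the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:90:7:::
alice:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
bob:CONSTRUCTED13CH:15000:0:90:7:::
carol::19000:0:90:7:::
daemon:*:18000:0:99999:7:::
"""

# crypt(3) prefixes; a hash with no "$" prefix is traditional DES crypt.
SCHEMES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
WEAK = {"DES", "MD5"}


def hash_scheme(field):
    """Classify the second field of a shadow entry."""
    if field == "":
        return "EMPTY"
    if field[0] in "!*":
        return "LOCKED"  # no password logon possible
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "OTHER" if field.startswith("$") else "DES"


def audit_shadow(text, max_days_limit=90):  # 90 days is an assumed policy
    """Return a list of (user, finding) tuples."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 9:
            continue  # not a complete shadow entry
        user, pw, max_days = fields[0], fields[1], fields[4]
        scheme = hash_scheme(pw)
        if scheme == "LOCKED":
            continue
        if scheme == "EMPTY":
            findings.append((user, "empty password"))
            continue
        if scheme in WEAK:
            findings.append((user, "weak hash scheme: " + scheme))
        if not max_days.isdigit() or int(max_days) > max_days_limit:
            findings.append((user, "no password expiry enforced"))
    return findings


if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
```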

4. Settings: User Account Security Level Management

In addition to passwords, user accounts also have security levels, because each account on Linux can be assigned different permissions. Therefore, when a new user ID is created, the system administrator should grant the account the permissions it needs and place it in the appropriate user groups.

In certain Linux files, you can set the lists of who is and is not allowed onto the computer. The list of allowed hosts is set in /etc/hosts.allow, and the list of hosts that are not allowed is set in /etc/hosts.deny. In addition, Linux automatically records allowed and denied access results in the /var/log/secure file, from which the system administrator can identify suspicious access records.

Each account ID should have a dedicated person responsible for it. In an enterprise, if the employee in charge of an ID leaves the company, the administrator should immediately delete the account from the system. Many intrusions make use of accounts that have not been used for a long time.

Among user accounts, hackers prefer root accounts. Such superusers have the right to modify or delete all kinds of system settings and can move freely through the system. Therefore, you must consider carefully before granting root permissions to any account.

The /etc/securetty file in Linux contains a set of terminal names from which the root account can log on. For example, in the Red Hat Linux system, the initial value of this file only allows the local virtual consoles (vtys) to log on with root permission, and does not allow remote users to log on with root permission. It is recommended that you do not modify the file. If root permission is needed from a remote logon, first log on with an ordinary account and then use the su command to upgrade to a superuser.

5. Careful Use: Remote program management of the "r series"

In Linux, there is a series of utilities whose names begin with r, such as rlogin and rcp. They are an easy route for hackers into our systems. Therefore, do not open the root account to these utilities. Because these utilities all rely on the .rhosts file or the hosts.equiv file for approval, make sure that the root account is not included in these files.

Since the r remote commands are a good way for hackers to attack the system, many security tools are designed around this security vulnerability. For example, the PAM tool can be used to effectively disable the r utilities: in /etc/pam.d, add a directive to the rlogin file requiring approval before logon, so that no user on the system can use a .rhosts file in their home directory.

6. Restrictions: root user permission management

Root has always been the focus of Linux protection. Because its power is unlimited, it is best not to hand out superuser authority easily. However, installing and maintaining some programs does require superuser permissions. In such cases, other tools can be used to grant these users part of the superuser's permissions. Sudo is such a tool.

After it is configured, the sudo program allows an ordinary user to log on again with the user's own password and obtain superuser permissions, but only to execute a limited number of commands. For example, with sudo you can have the tape backup staff log on to the system on schedule every day and obtain superuser permission to perform document backups, without the privilege to do any other job that only superusers can do.

Sudo not only limits user permissions, but also records every command executed through sudo, whether the command succeeded or failed. In large enterprises, many people sometimes manage different parts of the Linux system at the same time. Each administrator can use sudo to grant superuser permissions to some users. From the sudo logs, we can track who did what and what was changed in the system.

It is worth noting that sudo does not limit all user behavior. In particular, simple commands that are granted without restrictions may be abused by hackers. For example, the /etc/cat command is generally used to display file content. If it is granted with superuser permission, hackers can use it to modify or delete important files.

7. Tracking hacker traces: Log Management

After you have carefully set the various Linux-related configurations (the most common log management options) and installed the necessary security protection tools, the security of the Linux operating system is indeed greatly improved. However, this cannot prevent intrusion by skilled network hackers.

In day-to-day operation, network administrators should stay vigilant, watch for suspicious situations at all times, and check the various system log files on schedule, including general information logs, network connection logs, file transfer logs, and user logon logs. When checking these logs, pay attention to whether there are unreasonable time records. For example:

Normal users log on at midnight;

Abnormal log records, for example when only half of a log is recorded, the log is cut off, or the entire log file has been deleted;

The user enters the system from an unfamiliar site;

Log records of access rejected because of a wrong password or a wrong user account, especially repeated failures to access the database that follow a certain pattern;

Unauthorized or improper use of the su command to obtain superuser permissions;

Records of the system restarting or of various services restarting.

All of these problems require the system administrator to pay close attention to the logon status of system users and to view the corresponding log files at any time. Any clue that deviates from normal behavior should be taken into consideration.
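Three of the signs listed above (logons at unusual hours, repeated failed passwords, and use of su to become root) can be checked mechanically. The following added example, which is not part of the original article, runs over constructed /var/log/secure-style lines; the quiet hours, the failure threshold, the host name, and the user names are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed /var/log/secure-style lines (documentation IP ranges,
# made-up users and host name).
SAMPLE_LOG = """\
Mar  3 02:47:19 srv1 sshd[2188]: Accepted password for bob from 203.0.113.77 port 41810 ssh2
Mar  3 02:50:31 srv1 su: pam_unix(su:session): session opened for user root by bob(uid=1001)
Mar  3 03:01:02 srv1 sshd[2190]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 03:01:05 srv1 sshd[2190]: Failed password for root from 198.51.100.9 port 33002 ssh2
Mar  3 03:01:09 srv1 sshd[2191]: Failed password for invalid user admin from 198.51.100.9 port 33003 ssh2
Mar  3 09:12:01 srv1 sshd[2101]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Mar  3 10:30:44 srv1 sshd[2300]: Failed password for alice from 192.0.2.10 port 50200 ssh2
"""

ACCEPT = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):\d\d:\d\d \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SU_ROOT = re.compile(
    r"\bsu(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): "
    r"session opened for user root by (\w+)\(uid=")


def review(log_text, quiet_hours=range(0, 6), fail_threshold=3):
    """Flag off-hours logons, sources with repeated failures, and su to root.

    quiet_hours and fail_threshold are assumed policy values.
    """
    off_hours, su_root, fails = [], [], Counter()
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m and int(m.group(1)) in quiet_hours:
            off_hours.append((m.group(2), m.group(3)))  # (user, source)
        m = FAILED.search(line)
        if m:
            fails[m.group(2)] += 1  # count failures per source address
        m = SU_ROOT.search(line)
        if m:
            su_root.append(m.group(1))  # account that invoked su
    repeated = {src: n for src, n in fails.items() if n >= fail_threshold}
    return {"off_hours_logins": off_hours,
            "repeated_failures": repeated,
            "su_to_root": su_root}


if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG).items():
        print(name, hits)
```

A log that has been cut off or deleted, another sign on the list, cannot be detected from the log's own content; it needs a comparison against an earlier copy or a remote log server.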

8. Horizontal scaling: Comprehensive Defense Management

Firewall, IDS and other protection technologies have been successfully applied to various fields of network security, and there are very mature products.

Linux has a built-in Netfilter/Iptables firewall framework, which can also be used as a host firewall through reasonable configuration. The lightweight network intrusion detection system Snort and the host intrusion detection system LIDS (Linux Intrusion Detection System) are also available on Linux for fast and efficient protection.

Note: In most application scenarios, these two technologies need to be used together. The firewall is equivalent to the first layer of security protection and simply compares IP address/port pairs to filter network traffic, while the IDS is more specific: it filters network traffic by examining specific packets (in part or in whole) and is the second layer of security protection. Used together, they complement each other and give full play to their respective advantages to achieve comprehensive defense.

9. Evaluation: vulnerability tracking and management

As an excellent piece of open-source software, Linux has developed rapidly. At the same time, its existing problems will gradually be exposed in future use. To a certain extent, hackers pay more attention to new technologies than protection personnel do. Therefore, to hold a favorable position in the cyber attack and defense war and protect the security of Linux systems, we need to keep a high degree of attention on new technologies. Users, especially system administrators who run key business systems on Linux, need to obtain information about new technologies and system vulnerabilities from authoritative Linux websites and forums as soon as possible, and carry out systematic vulnerability scanning, penetration testing, and other supporting work, so as to take precautions, act early, and close system vulnerabilities in the shortest possible time before, or even after, a vulnerability appears. In addition, security protection skills should be improved continuously in practice. This is a comparatively good solution and a way forward.

10. Update: Patch Management

As an excellent piece of open-source software, Linux offers extremely reliable stability, security, and availability. Linux experts around the world jointly maintain it, so it has many distribution channels, and updated programs and system patches appear often. Therefore, to enhance system security, the system kernel must be updated frequently.

The kernel is the core of the Linux operating system. It loads the other parts of the operating system and implements the operating system's basic functions. Because the kernel controls the various functions of the computer and the network, its security is crucial to the security of the entire system. Many well-known security vulnerabilities exist in earlier kernel versions, which are also not very stable. Only versions 2.0.x and later are relatively stable and secure (generally, kernel versions with an even number are relatively stable, while odd-numbered versions are generally test versions that users should be more careful with), and the running efficiency of the new versions has also improved greatly. When configuring kernel functions, select only the necessary ones. Do not accept every function indiscriminately; otherwise, the kernel becomes large, which both occupies system resources and leaves hackers an opportunity.

The latest security patches are often available on the Internet. Linux administrators should keep well informed and frequently visit security newsgroups to check for new patches.
