Linux security (1)

Source: Internet
Author: User

This article is intended for Linux administrators, enthusiasts, and colleagues who care a great deal about Linux security. I hope it will be helpful to everyone. I won't say much more; let's get to the topic.
Before talking about security settings, I'd like to discuss choosing and installing a distribution. I believe most people know that there are a great many Linux distributions. I have read many articles on many websites, and many books, claiming that one distribution or another is the best. Personally, I think that in the Linux world there is no such thing as the best: as long as you are used to and familiar with a version, I would say that one is the best. For this article I looked through a lot of material, trying to find a distribution that is common and familiar to everyone. In the end, I think Red Hat Linux is really good. Although its kernel is large and its efficiency is not the highest among all distributions, its universality, ease of use, software upgrade support, and application software support are worth mentioning, and these are exactly what a good Linux distribution needs. This article is based on Red Hat Linux 7.3, and all software settings were tested on this version.
At this point you may ask: why use Red Hat 7.3? Aren't there many others? There are Red Hat 8.0, Red Hat 9.0, and the more advanced Red Hat Enterprise editions. Why not use these newer releases? This is a good question, and it is exactly what I want to draw attention to when selecting and installing a release.
1. Version Selection
I have been using Red Hat for a long time. Personally, I think a Red Hat .0 release is the first release of a major version upgrade, and many software packages in such a release are not stable and are prone to faults. For administrators, Linux is mostly used on servers, and for a server the most important concerns are stability and security. So if you are an administrator rather than an avid enthusiast, I suggest you choose Red Hat 7.3. A Red Hat version number followed by a minor version number means that the software packages have received many updates and modifications. Although such a release may not be the newest, it is at least the latest and most stable release of that stable version. I don't know whether this is clear; I will cover version upgrades in detail later, where I will explain this reasoning.
2. Installation Method
After selecting the release, we start to install it. There are only a few things to note during installation: one is partitioning, and the other is the set of installed software packages.
Partitioning deserves some thought, and you need to plan partitions for your application. I have read a lot about whether Linux has an optimal partition scheme. Although many people have proposed many excellent schemes, I think it is best to partition according to your own applications. The scheme below is purely a recommendation. I personally think that a standard server should at least separate out the common partitions, so I suggest dividing the hard disk into the following: /boot, swap, /var, /usr, /home, /tmp, with sizes depending on your application. The / partition should not be smaller than 1 GB. /usr and /var need to be larger, because most of the software uses them, and the others are sized as needed.
There is a lot of controversy about the size of swap. After combining the opinions of many friends, I have settled on a rule: if your memory is less than 1 GB, make swap twice the size of memory; if your memory is greater than 1 GB, make swap at most 2 GB. Why? As we all know, swap is virtual memory space: too small and it cannot do its job well, too big and it wastes space. The reason for this sizing is that when memory is large, applications occupy little virtual space, but the server's memory needs must still be fully met. According to the experience of many friends, and my own, this method can be said to be the best solution, especially for the memory needs of large applications such as databases, and many servers have about 1 GB to 2 GB of memory.
When selecting software packages, the fewer packages installed, the better.
However, when installing Red Hat as a server, the following package groups should be selected:
Network Support (network support)
Messaging and Web Tools (can be installed; includes some online tools such as ncftp)
Router/Firewall (needs to be installed, although it brings in ipchains, iptables, ipwf, and so on, which is not ideal; how to remove them is explained later)
Network Managed Workstation (management tools)
Utilities (tools and backup tools)
Although we have simply selected these package groups for installation, we will delete some unused packages during the security settings described later.
3. Update Software
Although Red Hat 7.3 is an updated version, many of its software packages still have vulnerabilities. The biggest is the 2.4.18 kernel vulnerability, which causes the ext3 file system to crash (I have run into it a few times; according to the ext3 development team, this occurs only under specific operations and conditions and is rarely seen by users). Although many have recently solved this problem, 7.3 is still unstable if the kernel is not updated. There are two ways to update: one is to update software packages manually with rpm -Uvh, and the other, which I recommend, is up2date. It is a good tool: it can easily update your system, and it updates according to the software packages you have installed. It will not update bind8 to bind9, nor update Red Hat 7.3 to Red Hat 9.0, which ensures the stability and integrity of the version you are currently using. It only updates the software packages of this version. The version number generally changes like this: for iptables, for example, if the rpm version in 7.3 is 1.2.5, the updated version is 1.2.8. Many vulnerabilities and errors have been fixed, but no major changes have been made, which preserves compatibility with your usage and applications.
Before using up2date, several steps are recommended:
First, the up2date that comes with Red Hat 7.3 has an SSL bug, so you need to obtain the latest up2date and update it first: https://rhn.redhat.com/errata/RHSA-2003-267.html
Second, in general we do not want up2date to update the kernel automatically. However, kernel updates directly fix many major vulnerabilities, and a newly installed Red Hat 7.3 in particular has the ext3 crash vulnerability, so I suggest you upgrade the kernel manually. Of course, you can use the rpm package to upgrade the kernel, which saves a lot of time. As I said at the start, although Red Hat is not the most efficient system, it is indeed the most common one, and the convenience of rpm fully reflects this advantage. The Red Hat 7.3 kernel packages:
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i386.rpm
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i586.rpm
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i686.rpm
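
The manual kernel update described above, as an added example that is not part of the original article: it picks the package matching the machine architecture, confirms that up2date is configured to skip kernel packages, and checks the package signature before installing, since the packages are fetched over plain HTTP. The function names, the use of wget, and the config path /etc/sysconfig/rhn/up2date are assumptions of this example.

```shell
#!/bin/sh
# Added example: manual kernel update on Red Hat 7.3 with a signature check.
# Base URL and package names are the ones listed in the article.
BASE_URL="http://updates.redhat.com/7.3/en/os/i386"
KVER="2.4.20-20.7"

# Map `uname -m` output to one of the three kernel builds the article lists.
kernel_rpm_for_arch() {
    case "$1" in
        i386|i586|i686) echo "kernel-${KVER}.$1.rpm" ;;
        *) return 1 ;;   # any other architecture is not listed on the page
    esac
}

# Succeed if the up2date config tells up2date to skip kernel packages.
# $1: config file (assumed location: /etc/sysconfig/rhn/up2date)
up2date_skips_kernel() {
    grep '^pkgSkipList=' "$1" 2>/dev/null | grep -q 'kernel'
}

# Download, verify, then install next to the running kernel.
install_kernel() {
    pkg=$(kernel_rpm_for_arch "$(uname -m)") || {
        echo "unsupported architecture" >&2; return 1; }
    up2date_skips_kernel /etc/sysconfig/rhn/up2date ||
        echo "warning: up2date is not set to skip kernel packages" >&2
    wget -q "${BASE_URL}/${pkg}" || return 1
    # rpm -K checks the package digests and GPG signature; refuse to
    # install anything that does not verify.
    rpm -K "$pkg" || { echo "signature check failed: $pkg" >&2; return 1; }
    # -i instead of -U keeps the old kernel available as a boot fallback.
    rpm -ivh "$pkg"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--install" ]; then
    install_kernel
fi
```

Run it with `--install` as root; without that argument it only defines the functions.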

