Linux system security-installation and configuration

Source: Internet
Author: User

With the growing popularity of networks, security has attracted more and more attention. Linux, as a free open-source operating system, is increasingly used as a server platform, and with the variety of application software available for it, many people (including the author) also like to use Linux as a desktop. This series of articles focuses on using Linux to build secure servers: we use system settings and publicly available security software to harden the system so that it is genuinely secure. Because of the length of the subject, it cannot be covered in full detail here; I only point out the things that need attention and do not repeat common-sense details.

This first part covers what to pay attention to when installing and configuring Linux as a server.

1. Installing the Linux server

Everyone has installed a Linux system before, and you may already be familiar with the process, but here we discuss a few points that deserve attention during installation:

First, when partitioning, do not simply give all the space to the root partition; put different parts of the system in different partitions. We strongly recommend putting "/var" and "/tmp" on separate partitions; if your server has a large number of users, this is practically mandatory. It is also best to put "/var" and "/usr" on separate partitions, so that a full disk cannot stop logging or user operations, or degrade server performance. A last note on partitioning: if you intend to provide one or more services, put the files belonging to each service in a separate partition. For example, if you are going to build a WWW server, leave a separate partition for it (for example "/www") when partitioning. Later you can use chroot to improve the security of that service.

Another important issue is the selection of software packages during installation. We use Red Hat as the example. For the sake of both security and performance, choose the "Select individual packages" option so that you can pick packages one by one. Some software does not need to be installed at all, some must be uninstalled after installation, and some must be added after installation. The lists follow:

Software packages that do not need to be installed:

Applications/Archiving: dump
Applications/File: git
Applications/Internet: finger, ftp, fwhois, ncftp, rsh, rsync, talk, telnet
Applications/Publishing: ghostscript, ghostscript-fonts, mpage, rhs-printfilters
Applications/System: arpwatch, bind-utils, knfsd-clients, procinfo, rdate, rdist, screen, ucd-snmp-utils
Documentation: indexhtml
System Environment/Base: chkfontpath, yp-tools
System Environment/Daemons: XFree86-xfs, lpr, pidentd, portmap, routed, rusers, rwho, tftp, ucd-snmp, ypbind
System Environment/Libraries: XFree86-libs, libpng
User Interface/X: XFree86-75dpi-fonts, urw-fonts

Packages that must be uninstalled after installation:

pump
apmd
isapnptools
RedHat-logos
mt-st
kernel-pcmcia-cs
setserial
RedHat-release
eject
linuxconf
kudzu
gd
bc
getty_ps
raidtools
pciutils
mailcap
setconsole
gnupg

Software packages that must be installed after installation (with these packages we can compile programs):

autoconf-2.13-5.noarch.rpm
m4-1.4-12.i386.rpm
automake-1.4-5.noarch.rpm
dev86-0.14.9-1.i386.rpm
bison-1.28-1.i386.rpm
byacc-1.9-11.i386.rpm
cdecl-2.5-9.i386.rpm
cpp-1.1.2-24.i386.rpm
cproto-4.6-2.i386.rpm
ctags-3.2-1.i386.rpm
egcs-1.1.2-24.i386.rpm
ElectricFence-2.1-1.i386.rpm
flex-2.5.4a-7.i386.rpm
gdb-4.18-4.i386.rpm
kernel-headers-2.2.12-20.i386.rpm
glibc-devel-2.1.2-11.i386.rpm
make-3.77-6.i386.rpm
patch-2.5-9.i386.rpm

Once all the work on your server is finished (and there is no further need to compile), remove the packages above from the system. Then even if someone breaks into the system, he cannot compile programs on it, and your future integrity checks are faster. Keep these packages on removable media for later use. The versions listed may not be the latest; download the newest stable versions.

2. System settings

2.1 Passwords and accounts

First, set the BIOS password. Most current personal computers support this.

Second, set a password restriction for lilo single-user mode. Add the following lines before the first image entry in /etc/lilo.conf:

restricted
password="your password"

"your password" is the password you want to require in single-user mode. After editing, run /sbin/lilo so that it re-reads /etc/lilo.conf and rewrites the boot loader (note that lilo -u uninstalls the boot loader rather than reloading the configuration). Since /etc/lilo.conf now contains a password, make sure it is readable by root only.

User passwords, including the root password, are also important. The default minimum password length is five characters. Edit /etc/login.defs and raise the minimum length from 5 to 8 by changing PASS_MIN_LEN 5 to PASS_MIN_LEN 8. login.defs is an important configuration file; other security policies, such as the password expiry period, can be set there as well.

Do not choose passwords that contain dictionary words; such passwords are very weak. A good password is long enough and includes special characters.

The system comes with many preset accounts. If you do not use them, delete them: their insecure passwords are a serious risk to system security.

A command worth noting is chage, which sets account and password expiry limits (for details, see man chage).

For the root user, configure /etc/securetty. This file restricts the consoles (ttys) from which root may log on; comment out with "#" every console entry on which root should not be allowed to log on.

You can use the following script to remove the console-user privileges that pam_console.so grants in the /etc/pam.d configuration (it comments out every active pam_console.so line):

#!/bin/sh
# Comment out every uncommented pam_console.so line in each PAM service file
cd /etc/pam.d
for i in * ; do
    sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done

Disable console programs such as shutdown and halt by removing the corresponding file (servicename is the program name, for example shutdown or halt):

[root@sound]# rm -f /etc/security/console.apps/servicename

Truncate your "~/.bash_history" file, which stores the list of previously used commands. Keeping this file short reduces the chance of exposing your earlier commands to others' eyes (the commands may include confidential information such as passwords). You can do this by editing the following two entries in /etc/profile:

HISTFILESIZE=20
HISTSIZE=20


The following measures prevent anyone outside the wheel group from using su to become root:

1. Edit the su PAM file (vi /etc/pam.d/su) and add the following two lines at the top of the file:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

2. Then add the users who are allowed to su to root to the wheel group (gid 10):

[root@sound]# usermod -G10 admin

2.2 Permissions and file systems

The Linux ext2 file system supports file attributes. The lsattr command lists a file's attributes and the chattr command changes them. There are many attributes; two of them matter here:

a (append only): the file can only be appended to.
i (immutable): the file cannot be modified at all.

For system configuration files it is best to set the immutable attribute, and for some log files the append-only attribute. Two examples:

chattr +i /etc/inetd.conf
chattr +a /var/log/secure

To remove these attributes, replace "+" with "-" in the commands above.

In addition, we need to restrict how file systems are mounted. This is configured in /etc/fstab: by setting mount options we can make the mounted file systems more secure. Common mount options include defaults, nodev, noexec, nosuid, noatime, ro, and user.
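As an added example (not code from the original article), the following audit reads fstab-style text and reports every mount point that lacks the options it should have. The policy table (nodev,nosuid,noexec for /tmp and /var; nodev,nosuid for /home; nodev,ro for /usr) and the sample fstab are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab text for the mount options the article recommends.
# The policy table is an assumption for illustration, not from the article.

# audit_fstab reads fstab content on stdin and prints one line per
# mount point that lacks a required option: "<mountpoint> missing <opt>".
audit_fstab() {
    awk '
    BEGIN {
        want["/tmp"]  = "nodev nosuid noexec"
        want["/var"]  = "nodev nosuid noexec"
        want["/home"] = "nodev nosuid"
        want["/usr"]  = "nodev ro"
    }
    /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
    ($2 in want) {                           # $2 = mount point, $4 = options
        n = split($4, have, ",")
        split("", seen)                      # clear the set portably
        for (i = 1; i <= n; i++) seen[have[i]] = 1
        m = split(want[$2], need, " ")
        for (j = 1; j <= m; j++)
            if (!(need[j] in seen)) print $2 " missing " need[j]
    }'
}

# Constructed sample fstab (not a real system): /tmp and /usr are hardened,
# /var still uses "defaults" and /home lacks nosuid.
SAMPLE_FSTAB='# constructed sample
/dev/hda1  /      ext2  defaults             1 1
/dev/hda5  /tmp   ext2  nodev,nosuid,noexec  1 2
/dev/hda6  /var   ext2  defaults             1 2
/dev/hda7  /home  ext2  nodev                1 2
/dev/hda8  /usr   ext2  nodev,ro             1 2'

# audit_sample runs the audit on the constructed sample and prints the findings.
audit_sample() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
}

# To audit a real system instead: audit_fstab < /etc/fstab
audit_sample
```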

We can also limit system resources to make the system more secure. Use the following method:

Edit /etc/security/limits.conf (vi /etc/security/limits.conf) and add or change the following lines:

* hard core 0
* hard rss 5000
* hard nproc 20

These lines mean: "core 0" forbids the creation of core files; "nproc 20" limits each user to at most 20 processes; "rss 5000" (in kilobytes) means that users other than root can use at most about 5 MB of resident memory. All of the above apply only to users who log on to the system. With these limits you can better control the use of processes, core files, and memory. The asterisk "*" stands for all users who log on to the system.

Then edit /etc/pam.d/login and add the following line at the end of the file so that the limits are enforced at logon:

session required /lib/security/pam_limits.so

2.3 Other settings

1. Comment out unnecessary services in /etc/inetd.conf.

2. In /etc/hosts.allow and /etc/hosts.deny, specify which hosts may access your system.

3. Use the following command to make the system ignore ping (ICMP echo requests):

     echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

4. Use the following command to disable IP source routing on your server:

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

Add the above command to the "/etc/rc.d/rc.local" file.

5. Use the following command to improve the system's resistance to SYN flood attacks:

[root@sound]# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Add this command to the "/etc/rc.d/rc.local" file as well.
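Items 3, 4 and 5 are all writes into /proc that fail silently if a path is mistyped or the setting does not persist across a reboot. The script below, an added example that is not code from the original article, applies the three settings and then verifies them. The ROOT argument is an assumption added here: it defaults to "/" and lets the functions be exercised against a scratch directory tree instead of a live kernel.

```shell
#!/bin/sh
# Added example, not from the original article: apply the /proc settings of
# items 3-5 and verify them. ROOT (an assumption) defaults to "/" so the
# functions can be tested against a scratch tree instead of a real kernel.
proc_set() {                      # proc_set ROOT PATH VALUE
    [ -f "$1/$2" ] || { echo "missing $2" >&2; return 1; }
    echo "$3" > "$1/$2"
}

harden_ipv4() {                   # harden_ipv4 [ROOT]; non-zero if any write failed
    root=${1:-/}; rc=0
    proc_set "$root" proc/sys/net/ipv4/icmp_echo_ignore_all 1 || rc=1   # item 3
    for f in "$root"/proc/sys/net/ipv4/conf/*/accept_source_route; do  # item 4
        [ -f "$f" ] && { echo 0 > "$f" || rc=1; }
    done
    proc_set "$root" proc/sys/net/ipv4/tcp_syncookies 1 || rc=1         # item 5
    return $rc
}

check_ipv4() {                    # check_ipv4 [ROOT]; returns the number of drifted settings
    root=${1:-/}; drift=0
    for f in "$root"/proc/sys/net/ipv4/icmp_echo_ignore_all \
             "$root"/proc/sys/net/ipv4/tcp_syncookies \
             "$root"/proc/sys/net/ipv4/conf/*/accept_source_route; do
        case $f in *accept_source_route) want=0 ;; *) want=1 ;; esac
        if [ "$(cat "$f" 2>/dev/null)" = "$want" ]; then
            echo "ok    ${f#$root/}=$want"
        else
            echo "DRIFT ${f#$root/} (want $want)"; drift=$((drift + 1))
        fi
    done
    return $drift
}

# Constructed scratch tree standing in for /proc on a host with two
# interfaces, with all three settings in their insecure state.
make_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/ipv4/conf/all" "$d/proc/sys/net/ipv4/conf/eth0"
    echo 0 > "$d/proc/sys/net/ipv4/icmp_echo_ignore_all"
    echo 0 > "$d/proc/sys/net/ipv4/tcp_syncookies"
    echo 1 > "$d/proc/sys/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$d/proc/sys/net/ipv4/conf/eth0/accept_source_route"
    echo "$d"
}

# Demonstration on the scratch tree; on a real server run: harden_ipv4 && check_ipv4
t=$(make_fake_proc); harden_ipv4 "$t"; check_ipv4 "$t"; rm -rf "$t"
```

Running check_ipv4 from cron or after boot tells you whether the rc.local entries actually took effect.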

6. Disable the Control-Alt-Delete soft reboot.
Edit /etc/inittab (vi /etc/inittab) and change this line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Run the following command to make the change take effect:

[root@sound]# /sbin/init q

7. Remove the logon banner.
Edit the "/etc/rc.d/rc.local" file and comment out the following lines with "#" (shown here already commented out):

# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then delete the "issue.net" and "issue" files in the "/etc" directory. "/etc/issue.net" is the prompt shown when you log on to the machine over the network (for example via telnet or SSH); "/etc/issue" is the prompt shown when a user logs on locally. Both are plain text files and can be changed as needed. If you want to delete them, however, you must first comment out the lines above in the "/etc/rc.d/rc.local" script; otherwise the system re-creates both files at every boot.

Resources

www.redhat.com - the main site of Red Hat Linux
www.debian.org - the main site of the Debian Linux distribution
www.linuxforum.net - China's largest Linux forum
www.linuxbyte.net - a comprehensive Linux website in China
www.nsfocus.com - the site of NSFocus (Lümeng)
www.securityfocus.com - a comprehensive security website outside China

About the author

Jin Liang, network security engineer, can be contacted at sound810@sina.com.
