Whether you are an ordinary Linux desktop user or a system administrator managing multiple servers, you face the same problem: a growing number of threats. Linux is an open system, so many ready-made programs and tools can be found on the network. This helps users, but it also helps attackers, who can just as easily find programs and tools to sneak into a Linux system or steal important information from it.
"Know yourself and know what you want." For a good system administrator, the best way to secure the entire system is to understand how attacks work, which tools attackers use, and how intrusions are carried out, and to know how to reduce the risks that come with deploying Linux.
I. Clues: start with the logs
Logs record the system's daily events. They can be used to find the cause of an error or to trace the tracks an attacker left behind, and they also allow the system state to be monitored in real time and intrusions to be tracked. Logs are therefore very important on Linux systems. It is best to set up a separate log server to store them.
TIPS: Linux has three major log subsystems:
(1) Connection-time logs. Several programs write records to /var/log/wtmp and /var/run/utmp, and login updates the wtmp and utmp files, so the system administrator can track who is logged on to the system at any time.
(2) Process accounting, performed by the system kernel. When a process terminates, a record is written to the accounting file. Process accounting provides command-usage statistics for basic services on the system.
(3) Error logs, handled by syslogd(8). Various system daemons, user programs and the kernel report noteworthy events to the file /var/log/messages. In addition, many UNIX programs keep their own logs, and servers that provide network services such as HTTP and FTP also maintain detailed logs.
From the attacker's perspective, the log files on the server are very important. Even if external network access to the server is disabled, attackers will still try to connect to several of its ports; because the server has disabled all services started by inetd, the log system records these attempts as access denied. Common log files are:
access-log: records HTTP/web transfers
acct/pacct: records user commands
aculog: records modem activity
btmp: records failed logins
lastlog: records the most recent successful and unsuccessful logins
messages: records information from syslog
sudolog: records commands issued via sudo
sulog: records use of the su command
syslog: records information from syslog
utmp: records each user currently logged on
wtmp: a permanent record of the login and logout times of each user
xferlog: records FTP sessions
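The detection work described above, as an added example that is not part of the original article: a small Python parser that runs over constructed /var/log/secure-style lines (sshd failures, tcpd "refused connect" entries, su to root), counts events per source address, and flags sources worth a closer look. The log lines, host name and addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog-format sample lines (as found in /var/log/secure); not taken from any real host.
SAMPLE_LOG = """\
Mar  3 09:14:02 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:05 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:09 web1 sshd[2314]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:14:12 web1 sshd[2316]: Failed password for root from 203.0.113.7 port 51031 ssh2
Mar  3 09:14:15 web1 sshd[2318]: Failed password for root from 203.0.113.7 port 51033 ssh2
Mar  3 09:15:40 web1 in.telnetd[2330]: refused connect from 203.0.113.7
Mar  3 09:16:01 web1 in.ftpd[2331]: refused connect from 198.51.100.4
Mar  3 09:20:17 web1 sshd[2340]: Accepted publickey for alice from 192.0.2.10 port 40012 ssh2
Mar  3 09:21:03 web1 su: pam_unix(su:session): session opened for user root by alice(uid=1000)
"""

# sshd failed logins (with or without "invalid user"), tcpd refusals, and su sessions opened for root.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
REFUSED_RE = re.compile(r"(in\.\w+)\[\d+\]: refused connect from (\S+)")
SU_RE = re.compile(r" su: .*session opened for user (\S+) by (\w+)")

def summarize(log_text):
    """Count failed ssh logins and tcpd refusals per source, and record who became root via su."""
    failed, refused = Counter(), Counter()
    failed_users = defaultdict(set)
    su_root = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            user, src = m.groups()
            failed[src] += 1
            failed_users[src].add(user)
        elif m := REFUSED_RE.search(line):
            service, src = m.groups()
            refused[(src, service)] += 1
        elif (m := SU_RE.search(line)) and m.group(1) == "root":
            su_root.append(m.group(2))
    return {"failed": failed, "failed_users": dict(failed_users),
            "refused": refused, "su_root": su_root}

def suspicious_sources(summary, threshold=3):
    """Sources with at least `threshold` failed logins, or a tcpd refusal plus any failed login."""
    flagged = {src for src, n in summary["failed"].items() if n >= threshold}
    flagged |= {src for src, _svc in summary["refused"] if src in summary["failed"]}
    return sorted(flagged)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src in suspicious_sources(s):
        print(f"{src}: {s['failed'][src]} failed logins, users tried: {sorted(s['failed_users'][src])}")
    print("su to root by:", s["su_root"])
```

On a real host, point the script at /var/log/secure (or the central log server's copy) and review every flagged source together with the su records.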
II. Reinforce defense
On the one hand, we must actively look for known vulnerabilities in the operating system and promptly apply the patches published by the vendor. For example, you can edit the inetd.conf file to disable some services, restart the service, and then scan with NMAP, so that you find and fix the older vulnerabilities in your own system before an attacker does.
On the other hand, we need to strengthen password protection. The main attack methods are dictionary attacks, hybrid attacks and brute-force attacks. The best defense is strict control of privileged access, which means using strong passwords: the password rules should require a mix of letters, digits and upper and lower case (Linux is case sensitive), with special characters such as "#", "%" or "$" added for complexity.
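The password rules above, as an added example that is not part of the original article: a Python checker enforcing length, character classes and the special characters the text names, plus a check that the password is not just a dictionary word dressed up with digits or letter substitutions (the pattern a hybrid attack targets), and a password-aging test. The wordlist, the substitution table and the 90-day limit are constructed assumptions.

```python
import re
from datetime import date

# Constructed mini wordlist standing in for a cracking dictionary.
DICTIONARY = {"password", "welcome", "admin", "linux", "summer", "dragon"}
SPECIALS = set("#%$!@&*?-_+=")
# Substitutions that hybrid attacks try (a -> @, e -> 3, ...), undone before the dictionary check.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

def base_word(pw):
    """Strip leading/trailing digits and symbols, undo leet substitutions and lowercase the rest."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.translate(LEET).lower()

def check_password(pw, min_length=8):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character such as #, % or $")
    if base_word(pw) in DICTIONARY:
        problems.append("built on a dictionary word: a dictionary or hybrid attack will find it")
    return problems

def password_expired(last_changed, today, max_days=90):
    """Password aging: True when the password is older than max_days and must be replaced."""
    return (today - last_changed).days > max_days

if __name__ == "__main__":
    for candidate in ("password", "Summer2024!", "P@ssw0rd", "kX7#mq2Lp9%"):
        print(candidate, "->", check_password(candidate) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 15)))
```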
1. Keep the system kernel up to date
Because Linux distributions come through many channels, and updated programs and system patches appear frequently, we must update the system kernel regularly to enhance system security.
The kernel is the core of the Linux operating system. It loads the other parts of the operating system and implements its basic functions. Because the kernel controls the various functions of the computer and the network, its security is crucial to the security of the entire system.
Many well-known security vulnerabilities exist in earlier kernel versions, which are also unstable. Only versions 2.0.x and later are stable and secure, and the newer versions also run much more efficiently. When configuring the kernel, select only the functions you actually need; do not accept every function by default. Otherwise the kernel becomes large, consuming system resources and giving hackers more opportunities.
The latest security patches often appear on the Internet. Linux administrators should stay well informed and visit security newsgroups regularly to check for new patches.
2. Enhanced security tools
SSH is short for Secure Shell. It is a set of programs that can be used safely in place of public programs such as rlogin, rsh and rcp. SSH uses public-key technology to encrypt the communication between two hosts on the network, and uses its key for authentication.
Because SSH encrypts information on the network, it can be used to log on to a remote host securely and to transfer information between two hosts securely. In fact, SSH not only secures communication between Linux hosts; it also allows Windows users to connect securely to Linux servers.
Many Linux distributions include some very useful small tools; lsof is one of them. lsof lists all files opened on the current system. In Linux everything exists as a file, so through files you can access not only ordinary data but also network connections and hardware. With lsof you can see which processes are using which ports, what their process IDs are, and who is running them. If you find anything unusual, examine it carefully.
3. Restrict the power of the superuser
As mentioned above, root is the focus of Linux protection. Because it has unlimited power, superuser rights should not be granted lightly. However, installing and maintaining some programs does require superuser permissions. In such cases, other tools can grant these users some of the superuser's permissions; sudo is one such tool.
Once configured, the sudo program lets an ordinary user authenticate again with his own password to obtain superuser permissions, but only for a limited set of commands.
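A sudoers fragment illustrating the limited-command model just described, added here as a constructed example rather than a configuration from the article; the group, user and command paths are assumptions, and the file must be edited with visudo so that a syntax error cannot lock everyone out.

```text
# /etc/sudoers fragment (constructed example; edit with visudo, never with a plain editor)
# Command aliases group the few privileged commands a role actually needs.
Cmnd_Alias SERVICES = /sbin/service, /etc/init.d/httpd
Cmnd_Alias PACKAGES = /bin/rpm, /usr/bin/yum

# Members of the "webadmins" group may restart services, authenticating with their own password.
%webadmins ALL = SERVICES

# The user alice may install packages, and nothing else, as root.
alice ALL = PACKAGES

# Ask for the password again after 5 minutes instead of the longer default.
Defaults timestamp_timeout=5

# Write every sudo invocation to a dedicated log file (the "sudolog" listed above).
Defaults logfile=/var/log/sudolog
```

Granting an editor or a shell through sudo defeats the restriction, since either lets the user run arbitrary commands as root; keep the command list to non-interactive programs.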
4. Set the security level of user accounts
Besides passwords, user accounts also have security levels, because each account on Linux can be assigned different permissions. Therefore, when a new user ID is created, the system administrator should grant the account only the permissions it needs and place it in the appropriate user groups.
With tcpd on Linux you can set the list of hosts that are allowed or denied access to the computer. Allowed hosts are listed in /etc/hosts.allow and denied hosts in /etc/hosts.deny. After the configuration is complete, the inetd program must be restarted for the change to take effect. In addition, Linux automatically records allowed and denied accesses in the /var/log/secure file, so the system administrator can identify suspicious access records there.
Each account ID should have a designated owner. In an enterprise, if the employee responsible for an ID leaves the company, the administrator should delete the account from the system immediately. Many intrusions make use of accounts that have not been used for a long time.
Among user accounts, hackers prefer the root account. Such a superuser has the right to modify or delete all system settings and so can roam the system freely. Therefore, think carefully before granting root permissions to any account.
The /etc/securetty file in Linux contains the list of terminal names from which the root account may log on. For example, in Red Hat Linux the initial value of this file allows root to log on only from the local virtual consoles (ttys), not from remote connections. It is recommended not to modify this file. If you must obtain root permissions from a remote login, first log on with an ordinary account and then use the su command to become the superuser.
Password aging. Password aging strengthens the system's password authentication mechanism. Although it is less convenient for users, it guarantees that passwords are replaced regularly, which is a very good security measure: if an account is compromised by a hacker and this goes unnoticed, the stolen password stops working at the next password-change cycle and the account can no longer be accessed with it.
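A deny-by-default tcpd setup of the kind described above, added as a constructed example rather than configuration from the article; the service names and the 192.0.2.0/24 network are assumptions. hosts.allow is consulted first, then hosts.deny, and a client that matches neither is allowed, which is why the catch-all deny line matters.

```text
# /etc/hosts.deny (constructed example): refuse every tcpd-wrapped service by default.
# Each refusal is written to syslog as "refused connect from <client>".
ALL: ALL

# /etc/hosts.allow (constructed example): list the exceptions, most specific first.
# Only the internal management network may reach sshd ...
sshd: 192.0.2.0/255.255.255.0
# ... and only two named hosts may use FTP.
in.ftpd: 192.0.2.10, 192.0.2.11
# Local services from the machine itself.
ALL: 127.0.0.1
```

Restart inetd after editing so the new rules take effect, then watch /var/log/secure for the refusals the deny line produces.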
5. Physical protection
Although most attacks come over the Internet and hackers rarely have physical access to your computer, this does not mean that physical defenses are unnecessary.
Add password protection to the boot loader, make sure the machine is always locked when you leave it, and make sure that no one can boot your server from an external device.
6. Deploy a firewall
This sounds like the most "obvious" advice (just like using a strong password), but surprisingly few people actually set up a firewall. Even if your router has a built-in firewall, deploying a software firewall on a Linux system is very easy and you will benefit from it.
Graphical firewalls such as Firestarter are well suited to defining port-forwarding rules and monitoring activity.
III. Counterattack: starting from the system
An attacker who has full control over a Linux server can shut down or even destroy the network at any time. Possible counter-measures include: backing up important key data; changing all passwords on the system and notifying users to update theirs; isolating the network segment so that the attack is confined to a small scope; letting the activity continue for a while (if possible, do not rush to drive the attacker out of the system, so that evidence can be collected); and making every effort to identify the source of the attack.