SuSE Security secrets

Source: Internet
Author: User
Tags: imap, ldap, strong password, domain, virus scan

[51cto.com exclusive Article] SuSE attracts many enterprise users because of its performance and its good security controls, and it already runs a large number of key applications in China. That does not mean a SuSE installation is safe as it ships: there are still many security details to take care of. This article walks through those details in SuSE one by one and points out what to watch for at each step.

I. Patch, ssh, and others

1. Patch

Every patch release means that a security vulnerability or some other serious functional problem has been found. At the same time, applying a patch can cause system errors or even bring a service down, so patches must be applied with care. In practice there are four approaches:

1) Apply all available patches immediately after the system is installed, before it goes into production.

2) Rely on perimeter protection of the server, using a firewall, IPS and similar means, while the patch is evaluated.

3) Apply the patch on a test machine first. Note that some patches introduce problems that stay hidden: everything may be fine today and tomorrow and break the day after, so a long observation period is needed.

4) If you run many SuSE servers, you can also distribute patches through an NFS share or an internal FTP or HTTP service. Keep in mind that FTP and HTTP bring security risks of their own.
To upgrade a SuSE patch you download the new RPM from Novell and install it; in most cases RPM resolves the dependencies itself. Novell also publishes notes for special cases such as kernel updates and the C runtime library. Novell provides a powerful tool, YaST. Unfortunately YaST itself has not been free of problems: its online update has had a temporary-file creation vulnerability.

Reinforcement Method: Enter YaST and select online update in software.

2. SSH

OpenSSH is installed on SuSE by default. OpenSSH is a popular, free tool for encrypted connections, but earlier versions have had many security vulnerabilities, so it is best to download the latest version from http://www.openssh.org. After upgrading there is still a lot of hardening to do for SSH: for example, restrict which accounts may log in, change the default port, and specify the networks that may connect. The one thing you must do is set the Protocol version to 2, because the security problems of protocol version 1 are serious enough that passwords can be intercepted.

Reinforcement method:

vi /etc/ssh/ssh_config

Set the value of Protocol to 2. The server daemon reads the same directive from /etc/ssh/sshd_config, so set it there as well.

3. System Performance Audit

Operations staff often need to monitor system performance. sysstat, shipped with SuSE, is a tool for checking system status such as CPU utilization and disk I/O. By default sysstat collects system data every 10 minutes, and the sar command displays it. Use sysstat first to establish a normal performance curve; once that baseline exists, any activity that departs from it stands out. For example, password guessing, or other events outside the normal business peaks, drive CPU utilization up and away from the baseline. Note that the collected data is kept on the system for one week by default and is then removed automatically by a cron job; the collected files live in the /var/log/sa/ directory. The default server installation does not include the sysstat package unless you chose a full installation.

Reinforcement Method: Install sysstat and run the sar command.

4. Firewall
SuSEfirewall2 is the SuSE packet-filtering firewall that allows or denies network access. It is installed and activated by default, and by default no services are allowed through. To expose a service you must enable it explicitly (for example the SSH mentioned above).

Reinforcement method:

In YaST Control Center, go to Security and Users -> Firewall to adjust the firewall policy.
For more fine-grained policy configuration, go to YaST Control Center -> System -> /etc/sysconfig Editor -> Network -> Firewall -> SuSEfirewall2, or edit the file /etc/sysconfig/SuSEfirewall2 directly.

5. Regular System Security Check script seccheck

seccheck is a system security check script that periodically generates daily, weekly and monthly reports and sends them by email. It does consume resources while it runs, so schedule it during off-peak hours.

Reinforcement Method: YaST Control Center -> System -> /etc/sysconfig Editor -> System -> Security -> Seccheck.

6. SuSE Security Application Framework apparmor
Compared with SuSEfirewall2, AppArmor provides application-level protection: it can control the files and directories an application may access and other fine-grained operations. It is a whitelist mechanism, that is, you specify which behaviours are allowed and everything else is denied, which hides the internals of the system better. For example, if your system has a vulnerability but the operation an attacker attempts is not on the whitelist, that operation is rejected.

Reinforcement Method: YaST center-Novell apparmor allows you to adjust detailed policies and view reports. If you are not familiar with it, apparmor also provides a wizard function.

II. Minimize xinetd

1. Disable Standard Services

SuSE uses xinetd, which is better and more convenient to use than inetd. By default SuSE disables all xinetd services; after SSH is enabled you can configure the xinetd services you need. This is also the right order for security: disable everything first, then enable only the necessary services.

Reinforcement Method: Run chkconfig to check the activation status of all services and disable unnecessary services.

2. trusted network access

Access to the server should be controlled, so susefirewall2 or other measures should be used to control the access to only trusted networks.

Reinforcement method:

vi /etc/sysconfig/SuSEfirewall2. You can also configure it in YaST Control Center -> System -> /etc/sysconfig Editor.

3. Telnet

Unless there is a special reason, do not use Telnet. Telnet is an unencrypted network protocol, which means the data transmitted between your account and the server can be eavesdropped, and session hijacking can be used to take control of your system. SSH is therefore strongly recommended, even though SSH is not perfectly secure either.

Reinforcement method:

The command to enable it is chkconfig telnet on.

The command to disable it is chkconfig telnet off.

4. FTP

Similarly, do not use FTP, and especially not anonymous FTP, without a good reason. Like Telnet, FTP is unencrypted and can be eavesdropped or hijacked. SSH provides scp and sftp, which can replace FTP. Note that FTP is sometimes tied to an application, such as a web upload channel, which I have seen many times, and then anonymous FTP cannot be avoided. If you must use FTP, you still need some controls: the FTP directory should be restricted and ideally placed on its own partition. vsftpd is not installed on SuSE by default.

Reinforcement method:

The command to enable it is chkconfig vsftpd on.

The command to disable it is chkconfig vsftpd off.

5. rlogin/rsh/rcp

All r-series commands should be disabled. In addition to being eavesdropped, they also have problems with the verification mechanism and other security vulnerabilities, such as buffer overflow and arbitrary command execution. We recommend that you use SSH instead.

Reinforcement method:

To enable them:

chkconfig rexec on

chkconfig rlogin on

chkconfig rsh on

To disable them:

chkconfig rexec off

chkconfig rlogin off

chkconfig rsh off

6. TFTP

TFTP is generally used for diskless workstations and X terminals, and for copying the configuration of a router or other network device as a backup. Unless you have such a reason, we recommend disabling it. TFTP is not installed on SuSE by default.

Close command: chkconfig tftp off

7. imap

IMAP is only used by the mail server. Some mail clients (such as Eudora, Netscape Mail, and kmail) need to use IMAP to retrieve remote mail.

Reinforcement Method: command to disable the service:

chkconfig cyrus off or chkconfig imap off

8. Pop

POP is a mail retrieval service. Does this server need to receive mail for clients? If not, close the service.

Reinforcement Method: chkconfig qpopper off or chkconfig cyrus off

III. Minimal startup of services

1. Set umask

The default umask should be set to at least 027. Some daemon processes, such as the system logger, create files that are accessible to everyone by default. If a daemon needs looser permissions, consider changing only that daemon's startup script so that it gets what it needs without weakening the rest of the server.

Reinforcement method:

vi /etc/profile and change the umask value to 027.

For the users under /home, the umask is defined per shell type; generally, add a new line "umask 027" to each user's ~/.profile.

2. SMTP

Check whether the server needs to handle mail at all. On SuSE, Postfix is installed and activated by default. If this server is a mail server, be aware that letting the web interface search attachments is a security risk. If you have experience administering mail servers, you also know how important it is to plan a chroot environment for Postfix: in a chroot, even if someone breaks into the smtpd daemon, the damage is contained.

Reinforcement method:

To enable: vi /etc/sysconfig/mail and set SMTPD_LISTEN_REMOTE="yes". The port must also be opened on the firewall.

To disable: vi /etc/sysconfig/mail and set SMTPD_LISTEN_REMOTE="no".

3. Running level

There are two main runlevels in SuSE. Runlevel 5 boots straight into X Windows, and runlevel 3 gives the character console. Even at runlevel 3, however, a user can still run startx from the shell to start X Windows.

Reinforcement method:

Set it to runlevel 3: vi /etc/inittab and change the 5 in "id:5:initdefault:" to 3.

4. X Font Server

Servers generally do not need X Windows. If the graphical interface is not used, the X Font Server can be switched off. It only serves fonts to the graphical interface, and xfs has had buffer overflow problems.

Reinforcement method:

Disable the X Font Server: chkconfig xfs off

5. Standard start service

Every system daemon should be disabled unless you know it must be running. Vulnerable applications running on a server greatly increase the risk. SuSE uses chkconfig to manage all system service scripts. Note that some SuSE patches may restart services, so before applying a patch it is best to record which services are running. In addition, some daemons have their own accounts; those should be deleted or locked so that nobody can log in with them, or their shell should be set to /bin/false.

Reinforcement method:

You add or remove a service from the directory of the corresponding runlevel. First find out which runlevel the system uses by running the runlevel command. If the runlevel is 3, the scripts are in /etc/rc.d/rc3.d, and every link whose name starts with S is started at boot. For example, mv /etc/rc.d/rc3.d/S04rpcbind /etc/rc.d/rc3.d/K04rpcbind disables the rpcbind service.

You also need to delete or lock the accounts of disabled daemons. The command to delete a user is userdel. These users can be deleted: adm, lp, sync, shutdown, halt, news, uucp, operator, gopher; games can be deleted if X Windows is not used, and ftp can be deleted if anonymous FTP is not used.

6. SMB and nmb

SuSE ships Samba, which provides file and print sharing for Windows users so that a UNIX system can act as a file and print server on a Windows network, and even as a domain controller for early Windows systems. Samba needs the SMB and NMB services: SMB is the Windows file sharing protocol and NMB is the NetBIOS name service. If the server does not play these roles, shut both services down. Close command: chkconfig smb off (and likewise chkconfig nmb off).

7. NFS

NFS is often abused to gain unauthorized access to files, so disable it if you do not need it. Even if you really need the NFS service, apply controls: limit the IP address range that may access it and export file systems read-only where possible. The NFS client service should also be disabled if unused.

Close command:

chkconfig nfsserver off

chkconfig autofs off

8. NIS

Do not use NIS unless necessary. NIS is short for Network Information Service and plays a role similar to a domain controller in Windows. Although NIS is easy to maintain, it has security problems by design and can be replaced entirely by LDAP.

Close command:

chkconfig ypserv off

chkconfig yppasswdd off

9. RPC port mapper

To run NIS you must first run the portmap daemon. RPC's authentication mechanism is weak and easily bypassed, and RPC can be used to obtain a lot of important information about the system. Unless NIS is required, it is recommended to disable it.

Close command: chkconfig portmap off

10. ncpfs script

ncpfs is needed for file sharing with NFS and Windows networks, but it is not installed by default. If there is no network sharing, stop it. The script mounts network drives on the client. Fortunately it is not a persistent daemon, so it is less dangerous.

Close command: chkconfig ncpfs off

11. Apache

Apache should run only on web servers. Even when this server is a web server, do not host the database or other supporting environments on the same machine.

Close command: chkconfig apache2 off

12. SNMP

Network management protocols are widely used in large networks. Determine whether you use remote monitoring tools that depend on SNMP, such as HP OpenView, MRTG or Cricket. If SNMP is used, we recommend changing the default community string. On SuSE, SNMP is configured in /etc/snmpd.conf.

Close command: chkconfig snmpd off

13. DNS Server

Determine whether your network needs a name server on this host. DNS attacks have increased over the past two years. If you need to run one, we recommend access control in /etc/named.conf: for example, an internal DNS server should not answer external queries. Larger networks generally run separate internal and external DNS servers; smaller networks often cannot afford that separation, and then access control is all the more important.

Close command: chkconfig named off

14. Squid Cache Server

Squid is proxy server software. In fact Squid is a sound security architecture, because it places a proxy between client and server, which reduces the risk of leaking system information and keeps internal vulnerabilities from being discovered. However, Squid must be configured carefully: there are many vulnerabilities related to the Squid cache, and without attention to security attackers can still probe internal hosts or use your cache to hide their real IP addresses. Therefore configure it so that outside users cannot use your cache without authentication.

Close command: chkconfig squid off


IV. Kernel optimization

1. modify Network Parameters

Like other Linux systems, SuSE exposes all network parameters under /proc/sys/net/ipv4; the variables whose names contain "rate" or "max" help against DoS attacks. For the meaning of each parameter, refer to the kernel documentation.

Recommended modification:

net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1

2. Other parameters

If the system is not a firewall or gateway, also change the following parameters.

Recommended modification:

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
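As an added example (not part of the original article), the following POSIX shell script audits a running kernel against the parameters recommended in IV.1 and IV.2 by reading them from /proc/sys; it also checks net.ipv4.tcp_syncookies=1, which section X.2 recommends without naming the parameter. The ROOT argument, the NOT_ROUTER flag and the --check switch are conventions of this script only.

```shell
#!/bin/sh
# Audit the running kernel against the network parameters recommended above.
# Values are read from /proc/sys; ROOT (first argument) can point the check
# at a constructed directory tree instead of the live system.

# parameters that apply to every host (key=value, one per word)
SYSCTL_BASELINE='
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
'

# parameters that apply only when the host is not a firewall or gateway
SYSCTL_NONROUTER='
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
'

# read_sysctl KEY ROOT: print the current value of KEY from ROOT/proc/sys,
# fail if the kernel does not expose it
read_sysctl() {
    path="$2/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] || return 1
    cat "$path"
}

# audit_sysctl ROOT NOT_ROUTER: compare every recommended value, print the
# deviations and return their count (0 means the host is compliant);
# NOT_ROUTER=1 (the default) also enforces the non-router group
audit_sysctl() {
    root=${1:-}
    wanted=$SYSCTL_BASELINE
    if [ "${2:-1}" = 1 ]; then
        wanted="$wanted $SYSCTL_NONROUTER"
    fi
    bad=0
    for entry in $wanted; do
        key=${entry%%=*}
        want=${entry#*=}
        if ! have=$(read_sysctl "$key" "$root"); then
            printf 'MISSING %s\n' "$key"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            printf 'DEVIATES %s=%s (recommended %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# run against the live system only when invoked as: sh audit_sysctl.sh --check
if [ "${1:-}" = "--check" ]; then
    audit_sysctl "" "${NOT_ROUTER:-1}"
fi
```

The exit status doubles as the number of deviations, so the script can be used directly in a cron job or a seccheck-style report.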

V. Logs

1. Syslog

SuSE uses syslog-ng to record logs. /var/log/messages collects the general messages, while iptables, mail and news messages are also sent to /var/log/firewall, /var/log/mail* and /var/log/news. The default file permission is u=rw,g=r,o= (mode 640).

2. NTP

NTP, the Network Time Protocol, keeps the computer clock synchronized over the network. It is installed by default but not enabled. The system clock should be kept accurate so that log records reflect the real time. Once enabled, NTP listens on UDP port 123. In its configuration, ignore everything that is not explicitly permitted and allow only the local loopback address 127.0.0.1 and your NTP servers, so that nobody can impersonate the time server. NTP is configured in /etc/ntp.conf.

3. Log File Permissions

Ensure that the ownership and permissions of the system log files are correct. The log file permissions are configured in /etc/syslog-ng/syslog-ng.conf.in and under /etc/logrotate.d.

4. Remote logging

Configure the system log to be sent to another host on the network as well. Note that this requires an accurate system clock, so NTP is needed. Why log remotely? When a system fails or crashes, the cause can still be found on the remote log host. syslog-ng can use UDP or TCP; TCP is recommended because UDP can lose messages unless the remote host is always available and the network is reliable.

For example, add the following destination and reference it from a log statement so that messages are actually routed to it:

destination logserver { tcp("10.10.10.10" port(514)); };

VI. File permissions

1. Use nodev in/etc/fstab
The nodev option prevents device files on that partition from being honoured, so users cannot plant unauthorized device nodes there. Device nodes belong elsewhere, namely in /dev. There are exceptions: a chroot environment often needs several device nodes inside the chroot directory. If you use chroot on the machine, keep this in mind when setting nodev.

2. Use nosuid in/etc/fstab
Removable media often carry viruses and malware. The nosuid option prevents users from running set-UID programs from the CD-ROM, floppy or USB drive. If the machine has several removable devices, set nosuid in the fourth column of each device's entry in /etc/fstab.

3. Prohibit users from attaching removable media
On SuSE only root can mount removable media by default. If /etc/fstab is changed to let ordinary users mount removable media, a virus may be introduced onto the server or data may be modified or deleted. Changing the entries back to the nouser option is better for security.
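An added example (not from the original article): this POSIX shell script checks an fstab against the three rules just described, nodev on every real file system other than /, nosuid on removable media, and no user/users/owner option that lets non-root accounts mount media. Removable media are recognised, as an assumption of this script, by device name (floppy, CD/DVD) or by a mount point under /media or /mnt.

```shell
#!/bin/sh
# Check /etc/fstab mount options against sections VI.1 to VI.3 above.

# has_opt OPTS NAME: succeed if the comma-separated list OPTS contains NAME
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# is_removable DEV MOUNTPOINT: floppy, CD/DVD devices or /media, /mnt mounts
# (assumption for this demo; USB disks show up under /media on SuSE)
is_removable() {
    case $1 in
        /dev/fd*|/dev/cdrom*|/dev/dvd*|/dev/sr*) return 0 ;;
    esac
    case $2 in
        /media/*|/mnt/*) return 0 ;;
    esac
    return 1
}

# check_fstab FILE: print one line per mount that violates a rule and
# return the number of offending mounts (0 means clean)
check_fstab() {
    problems=0
    while read -r dev mnt fstype opts rest; do
        # skip blank lines, comments, swap and kernel pseudo-filesystems
        case $dev in ''|\#*) continue ;; esac
        case $fstype in swap|proc|sysfs|devpts|tmpfs|usbfs) continue ;; esac
        # nodev on the root file system would break the system; skip it
        if [ "$mnt" = "/" ]; then continue; fi
        miss=""
        has_opt "$opts" nodev || miss="$miss no-nodev"
        if is_removable "$dev" "$mnt"; then
            has_opt "$opts" nosuid || miss="$miss no-nosuid"
            if has_opt "$opts" user || has_opt "$opts" users || has_opt "$opts" owner; then
                miss="$miss user-mountable"
            fi
        fi
        if [ -n "$miss" ]; then
            printf '%s (%s, %s):%s\n' "$mnt" "$dev" "$fstype" "$miss"
            problems=$((problems + 1))
        fi
    done < "$1"
    return $problems
}

# check the live system only when invoked as: sh check_fstab.sh --check
if [ "${1:-}" = "--check" ]; then
    check_fstab /etc/fstab
fi
```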

4. Verify passwd, shadow, and group file permissions.
All of these files have a default owner and access mode. Restore the expected permissions (644 for /etc/passwd and /etc/group; /etc/shadow must not be readable by ordinary users) and check them regularly. AIDE is a good tool for alerting you to changes in the permissions of these files. Note that AIDE is a non-commercial successor to Tripwire, still in beta, and may not be suitable for critical production systems.

5. The directory without permission restrictions should be set to a sticky bit.
Once the sticky bit is set on a directory, only a file's owner can delete that file, not everyone with write permission on the directory. Setting the sticky bit prevents files from being overwritten, whether accidentally or maliciously. Check your application documentation before setting it, however, so that you do not break something the application depends on.

Use this script to check for world-writable directories without the sticky bit:

# every ext2, ext3 or reiserfs mount point listed in /etc/fstab
for part in `awk '($3 ~ "ext2|ext3|reiserfs") {print $2}' /etc/fstab`; do
    # world-writable directories (-perm -0002) lacking the sticky bit (-perm -1000)
    find $part -xdev -type d \
        \( -perm -0002 -a ! -perm -1000 \) -print
done

If the system is in good shape, nothing is printed.

6. files that can be written by anyone
A file that anyone can write may allow the system to be modified or other users to be affected, so take care when writing scripts or programs that no such files are created, because they compromise the integrity of the system. In general, remove world write access (chmod o-w), but on critical servers consult the relevant vendor first.

Check with this script:

# every mount point with a non-zero fsck pass number in /etc/fstab
for part in `awk '($6 != "0") {print $2}' /etc/fstab`; do
    # world-writable regular files without the sticky bit
    find $part -xdev -type f \
        \( -perm -0002 -a ! -perm -1000 \) -print
done

If the system is in good shape, nothing is printed.

7. Unauthorized SUID/SGID executable files

The administrator needs to check whether any unauthorized set-UID programs exist on the system. Where possible, audit the set-UID programs or reduce their number.
Check method:

# every mount point with a non-zero fsck pass number in /etc/fstab
for part in `awk '($6 != "0") {print $2}' /etc/fstab`; do
    # regular files with the set-UID (04000) or set-GID (02000) bit
    find $part \( -perm -04000 -o -perm -02000 \) \
        -type f -xdev -print
done

8. Search for unowned files
Do not leave files without a valid owner on the system. An unowned file may result from an intruder's access to the system, or from careless maintenance and package installation, for example a user or group that was deleted while its files were kept. Another common case is an owner set incorrectly during software installation. A mounted NFS file system may ignore the mapping between the client's user IDs and the local system and produce unowned files too. If you use NIS or LDAP there may be other causes, so examine each case carefully.

Check method:

# every mount point with a non-zero fsck pass number in /etc/fstab
for part in `awk '($6 != "0") {print $2}' /etc/fstab`; do
    # files whose UID or GID matches no local user or group
    find $part -xdev \( -nouser -o -nogroup \) -print
done


VII. System management, authorization, and authentication

1. Remove. rhosts support from the PAM Configuration File
.rhosts defines which hosts and users may execute remote commands on the local machine without providing a password, which is easily exploited by attackers. Using .rhosts violates the normal user access control rules; disable it whenever possible. If there is a special reason to keep it, take precautions. Never use the + wildcard in .rhosts; every entry must name a specific trusted host and user, such as "trustedhost db1" rather than "trustedhost" alone. This situation is common when configuring HA clusters. Keep hosts outside the trust relationship away, and have the firewall or another security device block external rlogin/rsh/rcp access. Finally, make sure the .rhosts file is readable only by its owner, for example with file mode 600.

2./etc/ftpusers
The /etc/ftpusers list defines which users are not allowed to use the system's FTP service. Generally only ordinary users should be able to use FTP, not system accounts, and root should never transfer files over FTP.
SuSE provides the netcfg package, which pre-populates /etc/ftpusers with the accounts that should not use FTP.

3. Prevent X server from listening on tcp6000
The X server listens on TCP port 6000 and accepts requests from other clients. Its authentication protocol is relatively weak, which can allow attackers unauthorized access to the local X server. Starting the server with "-nolisten tcp" turns off the default listener on TCP port 6000.

4. restrict the use of AT/cron
cron.allow and at.allow define who may use the crontab and at commands to run jobs at a scheduled time. On many systems only the system administrator has this ability. A user who is not listed in cron.allow may still have cron jobs run; cron.allow controls the use of the crontab command for scheduling and modifying cron jobs. Note: do not modify /etc/at.deny and /etc/cron.deny unless you understand them well; both files have reasonable default content. If at and cron must be restricted, create /etc/at.allow and /etc/cron.allow and add the appropriate users.

5. Restrict crontab file permissions
The system crontab files should be accessible only to the cron daemon (which runs with superuser privileges) and the crontab command (which is set-UID root). If unauthorized users can read and modify crontabs, they can use that to gain higher privileges.

6. Configure xinetd Access Control
You can use simple IP-based access control to reject illegitimate connections to xinetd. PortSentry is a popular tool for monitoring attempts to reach unused ports; the system firewall SuSEfirewall2 can then be used to block them.

7. Restrict root login to the system console
Root should not log in directly at the system console except in special circumstances. Otherwise administrators should use unprivileged accounts and a privilege mechanism such as su or sudo to obtain additional rights; those mechanisms at least leave an audit trail. /etc/securetty specifies the ttys on which root may log in: root can log in on every tty listed there, while ttys that are commented out or absent cannot be used for root login.

8. Set the LILO/GRUB Password
Most Linux systems show a boot loader prompt during startup by default, which makes it easy for an attacker with physical access to tamper with the boot process. Set a password for LILO or GRUB so that a password is required to modify the LILO or GRUB boot settings. The password must of course be strong.

Method

A. If you have an /etc/lilo.conf file
Add the following to the global section at the top of /etc/lilo.conf (fill in your own password):
password=<your password>

Then run the following commands as root:
chown root:root /etc/lilo.conf
chmod 600 /etc/lilo.conf

B. If the file is /etc/grub.conf
Set the password entry in /etc/grub.conf.
Then run the following commands as root:
chown root:root /etc/grub.conf
chmod 600 /etc/grub.conf

9. Verify the single-user mode

On some Linux systems you can enter "linux single" at the LILO prompt or go into GRUB's boot entry editing menu and obtain a root shell. This is a risk: any root-level access should always require authentication, to stop an attacker with physical access. SuSE disables this access by default, but you should still verify it, and if it has been changed, find out why and restore it. Items 8 and 9 both address physical and boot-time security. You can also consider allowing booting only from the primary hard disk and setting a BIOS password.

10. Restrict the privileged port for NFS client requests

Setting: configure the NFS server to accept requests only from privileged client source ports (below 1024). This does not affect normal NFS operation, but it blocks some attacks by unprivileged users with custom client tools. The setting is made in /etc/exports.

11. receive syslog messages

Is this server a log server? Does it need to receive logs from the network or from other hosts? If so, enable the remote reception function of the logging system. By default the system log daemon is syslogd and it does not listen for log messages from other systems on UDP port 514 (Solaris, by default, does accept them). Setting up a dedicated log server that records the logs of one or more hosts is a recommended security practice. If this host is not a log server, however, do not enable the UDP 514 listener, because this transfer has no authentication mechanism at all: attackers can use the port to launch DDoS attacks, or flood your log system with messages so that their subsequent attacks go unrecorded.
In syslog-ng.conf.in, make sure the following line is commented out with a leading #:
# udp(ip("0.0.0.0") port(514));

VIII. User Account and Environment

1. Lock the system account
Many accounts are system accounts that will never be used for logging in. Locking them reduces what an attacker can work with. These accounts should have no login shell, and if no daemon or service needs an account it can even be deleted. The simplest approach is to disable the account directly: lock its password and set an invalid shell such as /bin/false. On SuSE use /bin/false rather than /dev/null or /bin/nologin.

2. Empty Password account
Use awk -F: '($2 == "") {print $1}' /etc/shadow to find accounts with an empty password. An account with an empty password lets anyone log in without providing a password. Every account should have a strong password or a locked password field such as NP, * or *LOCKED*.

3. Set Account expiration and Password parameters
Force users to change their passwords regularly: for all active accounts (except system accounts) require a password change, for example, every 90 days (-M 90), allow the next change no sooner than 7 days after the last one (-m 7), warn the user 28 days before the password expires (-W 28), and lock the account 7 days after the password has expired (-I 7). The minimum password length is 6. These are only suggestions; adjust them to your situation in /etc/login.defs.

4. confirm that there is no '+' In passwd, shadow, and group'
Run grep '^+:' /etc/passwd /etc/shadow /etc/group to check. A "+" entry is the NIS compatibility mapping; if such entries exist in the passwd, shadow or group files they give an attacker a way to escalate privileges, so delete them all.

5. Check that there is no account with UID 0 except root.
Check method: awk -F: '($3 == 0) {print $1}' /etc/passwd
Any account with UID 0 has superuser privileges on the system. The only superuser should be root, and even the superuser should obtain privileges through su from an unprivileged account.
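The one-liners in items 1, 2, 4 and 5 above, combined into one audit script as an added example (not from the original article). The UID range 1-99 used to recognise system accounts is an assumption of this script; the PASSWD and SHADOW arguments let it run against copies of the files.

```shell
#!/bin/sh
# Account audit for the checks in section VIII: empty passwords, extra UID 0
# accounts, system accounts that still have a login shell, and NIS "+" lines.

# empty_password_accounts SHADOW: names whose password field is empty
# (NIS compat lines starting with + or - are reported separately)
empty_password_accounts() {
    awk -F: '($2 == "" && $1 !~ /^[+-]/) {print $1}' "$1"
}

# uid0_accounts PASSWD: accounts other than root that carry UID 0
uid0_accounts() {
    awk -F: '($3 == 0 && $1 != "root") {print $1}' "$1"
}

# system_accounts_with_login_shell PASSWD: system accounts (UID 1-99, an
# assumption for this demo) whose shell is not /bin/false as item 1 asks
system_accounts_with_login_shell() {
    awk -F: '($3 > 0 && $3 < 100 && $7 != "/bin/false") {print $1}' "$1"
}

# nis_plus_entries FILE...: "+:" compat lines, printed with their file name
# (/dev/null forces grep to prefix the file name even for a single file)
nis_plus_entries() {
    grep '^+:' "$@" /dev/null || true
}

# audit_accounts PASSWD SHADOW: print every finding with a label and return
# the number of findings (0 means clean)
audit_accounts() {
    findings=$(
        empty_password_accounts "$2" | sed 's/^/empty-password: /'
        uid0_accounts "$1" | sed 's/^/extra-uid0: /'
        system_accounts_with_login_shell "$1" | sed 's/^/system-login-shell: /'
        nis_plus_entries "$1" "$2" | sed 's/^/nis-compat-entry: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    fi
    return "$(printf '%s\n' "$findings" | grep -c .)"
}

# audit the live system only when invoked as: sh audit_accounts.sh --check
if [ "${1:-}" = "--check" ]; then
    audit_accounts /etc/passwd /etc/shadow
fi
```

Reading /etc/shadow requires root, so run the --check form with sudo or from a root cron job.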

6. the user's home directory should be 750 permissions or more restrictions
If a user's home directory contains a directory that anyone can write to, others may steal or modify data or obtain that user's privileges. Remove read and execute permission for the group and for others. Be aware, however, that changing the permissions of a home directory may interrupt services that rely on them.

7. Delete the user. netrc file
find / -name .netrc
.netrc is the initialization file for the ftp command and makes FTP more convenient, but it may contain an unencrypted password. Before removing these files, consider what role .netrc plays, because an application may depend on it; a well-designed application, however, should not use .netrc.

8. Set the default user umask value
Set umask to 077 so that files and directories created by a user are not readable by any other user on the system; permissions can then be widened deliberately with the chmod command. The umask command can be placed in the shell startup files such as .profile and .cshrc. With 027, members of the same group can read the files, while with 022 every user on the system can. An overly strict umask, however, can cause software installation problems: with a umask of 700, for example, the application or daemon cannot read its own files. So do not set umask too strictly, or fix up the permissions after the software is installed.

9. Disable Core Dump
Ask your software developers whether they need to debug programs or inspect debugging information; if the answer is no, disable core dumps. Core dumps consume a lot of disk space and contain sensitive data; developers need them only as a debugging aid. Core dumps are controlled in /etc/security/limits.conf.

10. Restrict Root Account Su
The su command lets you become another user on the system and is often used to run commands as root. If you do not want some users to su to root, add the following line to /etc/pam.d/su:

auth required pam_wheel.so

This line means that only members of the wheel group may su to root; other users get a message saying the password is incorrect. By restricting use of the root account this way, a user who knows the root password still cannot become root unless he has physical control of the server or is added to the wheel group.
This adds one more layer of protection against unauthorized access.

IX. Anti-virus

Some systems, such as mail servers and file servers, serve mainly Windows users and should be protected by anti-virus software. Anti-virus software for Linux platforms:
Sophos (http://www.sophos.com/) commercial software
NAI VirusScan commercial software
McAfee (http://www.mcafee.com/) commercial software
ClamAV (http://www.clamav.net/) open source software
F-Prot AntiVirus (http://www.f-prot.com) commercial software
Trend Micro commercial software
Computer Associates InoculateIT (http://www.cai.com/) commercial software

X. Others

1. Create Symbolic Links for dangerous files
Files such as /root/.rhosts, /root/.shosts and /etc/hosts.equiv have weak access control, and as discussed in the section on .rhosts above, attackers often target them. Replace them with symbolic links to /dev/null, so that anything written to them is simply discarded.

You can use this script:

for file in /root/.rhosts /root/.shosts /etc/hosts.equiv \
        /etc/shosts.equiv; do
    rm -f $file                 # remove any existing file
    ln -s /dev/null $file       # replace it with a link to /dev/null
done

2. Enable tcp syn Cookie Protection

A SYN flood is a denial-of-service attack designed to exhaust system resources. It exploits the TCP connection handshake: the attacker sends SYN packets and never completes the handshake, leaving the system with hundreds or thousands of half-open connections. It is a very simple attack to mount.

3. LILO/GRUB Security

Set the immutable attribute (i) on the LILO and GRUB configuration files so that they cannot be deleted or modified. This effectively prevents any change to the configuration, accidental or otherwise. To change the settings you must first remove the attribute with chattr -i.
chattr +i /etc/lilo.conf
chattr +i /boot/grub/menu.lst

4. Configure sudo

sudo is a package that lets the administrator grant users specific privileges beyond their own, such as restarting the web service. For example, if your web service has bugs or keeps failing, you may need to edit the web configuration repeatedly to find the cause; using su - root for that is clumsy, because all you need after each edit is to restart the web service. This is where sudo comes in: the administrator authorizes the user to restart the web service and nothing more. After sudo is installed, edit its configuration with visudo rather than editing the file directly with vi, because visudo checks the file for errors.

5. Delete All compilers and assembler programs

From a security standpoint, a C compiler on a production system is a threat to its trustworthiness. Compilers belong on development machines, not on production application systems. This is only a reminder to check. Look for these packages: gcc, gcc3, gcc3-c++, gcc3-g77, gcc3-java, gcc3-objc, gcc-c++, gcc-chill, gcc-g77, gcc-java, gcc-objc, bin86, dev86, nasm.
