To run a secure Linux server you first need to know which configuration files control the network services and how to configure them safely. On a Linux system the TCP/IP network is configured through a handful of text files. You can edit them by hand, or set most of them with the linuxconf tool (its network portion is also reachable through the netconf command). The basic TCP/IP network configuration files are described below.
*/etc/conf.modules File
This file holds the parameters for the kernel modules that are loaded at startup; what matters here is the network card configuration. A Linux machine used as a gateway needs at least two network adapters. To reduce the number of problems that can occur at boot, the kernel does not probe for more than one network adapter by itself. If the network card driver is not compiled into the kernel but loaded dynamically as a module, and more than one adapter is installed, the cards must be described in the "conf.modules" file.
If the driver is built as a module: for PCI cards the module detects all installed cards automatically; for ISA cards you must give the module an I/O address so that it knows where to probe, and that address is supplied in "/etc/conf.modules".
For example, with two ISA bus 3c509 cards, one at I/O address 0x300 and the other at 0x320, edit the "conf.modules" file as follows:
alias eth0 3c509
alias eth1 3c509
options 3c509 io=0x300,0x320
This says that the 3c509 driver is to be loaded for the interface names eth0 and eth1 (the alias lines), and that it is to be loaded with the parameter io=0x300,0x320 telling it where to find the two cards. The 0x prefix is required.
For PCI cards only the alias lines are needed, associating each ethN with its driver module; the I/O address of a PCI card is detected automatically. For two PCI cards, edit the "conf.modules" file as follows:
alias eth0 3c905
alias eth1 3c905
If the driver is compiled into the kernel: the PCI probe at system start finds all PCI network cards automatically. ISA cards can also be detected automatically, but in some cases an ISA card still needs the following configuration: add the parameters to "/etc/lilo.conf" so that LILO passes them to the kernel at boot. For ISA cards, add this line to "lilo.conf":
append="ether=0,0,eth0 ether=0,0,eth1"
Note: try the ISA cards first without the boot parameter; add it to "lilo.conf" only if the cards are not found.
When the boot parameter is used, eth0 and eth1 are assigned in the order in which the cards are found at startup.
*/etc/hostname File
This file contains the host name of the system, including the full domain name, such as: deep.openarch.com.
*/etc/sysconfig/network-scripts/ifcfg-ethN File
On Red Hat the configuration files for the network devices live in the "/etc/sysconfig/network-scripts" directory: ifcfg-eth0 holds the configuration of the first network card, ifcfg-eth1 that of the second, and so on.
The following is an example of a "/etc/sysconfig/network-scripts/ifcfg-eth0" file:
DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
To change an address by hand, or to add a new network interface, edit the corresponding ifcfg-ethN file or create a new one. The keys are:
DEVICE=name                 name is the name of the physical device
IPADDR=addr                 addr is the IP address assigned to the card
NETMASK=mask                mask is the network mask
NETWORK=addr                addr is the network address
BROADCAST=addr              addr is the broadcast address
ONBOOT=yes/no               whether the card is brought up at startup
BOOTPROTO=none/bootp/dhcp   how the address is obtained:
    none: no boot protocol, use the static values above
    bootp: use the BOOTP protocol
    dhcp: use the DHCP protocol
USERCTL=yes/no              whether non-root users may control the device
*/etc/resolv.conf file
This file configures the resolver, the library that turns host names into IP addresses. An example:
search openarch.com
nameserver 208.164.186.1
nameserver 208.164.186.2
"search domainname.com" means that when a host name is given without a full domain name, the suffix domainname.com is appended to it before lookup; each "nameserver" line gives the address of a DNS server to query. The servers are tried in the order in which they appear in the file.
*/etc/host.conf file
This file tells the resolver library how host names are looked up. An example "/etc/host.conf":
order bind,hosts
multi on
nospoof on
"order bind,hosts" sets the lookup order: DNS (bind) is consulted first and the "/etc/hosts" file second. Writing "order hosts,bind" reverses this so that the local file is consulted first.
"multi on" allows a host listed in "/etc/hosts" to have several addresses; a host with several IP addresses is called multi-homed.
"nospoof on" makes the resolver cross-check reverse lookups: after mapping an address to a host name, it looks that name up again and rejects the result if the original address is not among the name's addresses. This defeats the trick of publishing a forged reverse (PTR) record that claims a trusted host's name in order to pass hostname-based checks such as those of rlogin and rsh. It does not stop IP address spoofing at the packet level; a forged source address is a different attack.
*/etc/sysconfig/network file
This file holds the host-wide network settings of the server; an example:
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=deep.openarch.com
GATEWAY=0.0.0.0
GATEWAYDEV=
The keys are:
NETWORKING=yes/no      whether networking is configured at all
FORWARD_IPV4=yes/no    whether IP forwarding between interfaces is enabled; leave it "no" unless this machine is meant to route packets, as the two-card gateway above is
HOSTNAME=hostname      the host name of the server
GATEWAY=gw-ip          the IP address of the default gateway
GATEWAYDEV=gw-dev      the device through which the gateway is reached, for example eth0
Note: for compatibility with older software, the "/etc/hostname" file should contain the same name as HOSTNAME=.
*/etc/hosts file
At boot, before DNS can be queried, the machine must resolve some host names to addresses; these mappings are kept in the /etc/hosts file. When no name server is available, every network program on the system consults this file to resolve host names.
The following is an example of a "/etc/hosts" file:
IP address       hostname             aliases
127.0.0.1        localhost            gate.openarch.com
208.164.186.1    gate.openarch.com    gate
............     ............         .........
The leftmost column is the IP address, the middle column the host name, and any further columns are aliases for that host. After changing the network configuration files, restart the network for the changes to take effect:
/etc/rc.d/init.d/network restart
*/etc/inetd.conf File
As is well known, the more service ports a server has open, the harder it is to keep the system secure and stable. A server should therefore open only the ports its own services need and shut down everything unrelated: a machine that serves only WWW and FTP should open only ports 80 and 21 and disable unrelated services such as finger and auth, to reduce the number of exploitable weaknesses.
inetd, the "super server", is a daemon that listens for network requests and starts the matching service process to handle each connection. Its configuration file is inetd.conf, which tells inetd which ports to listen on and which program to start for each. The first thing to do with a Linux machine in any networked environment is to find out what services it offers; those not needed should be disabled, preferably uninstalled, so that attackers have less to work with. Look through "/etc/inetd.conf" to see which services inetd offers, comment out (put a # at the start of the line) every service you do not want, and then send a SIGHUP signal to the inetd process.
Step one: change the permissions of the file to 600.
[root@deep]# chmod 600 /etc/inetd.conf
Step two: make sure the file is owned by root.
[root@deep]# stat /etc/inetd.conf
Step three: edit the "inetd.conf" file (vi /etc/inetd.conf) and disable every service you do not need, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. If you find some of them useful you may leave them enabled, but every service you disable is one fewer avenue of attack. The changed "inetd.conf" file begins as follows:
# to re-read this file after the changes, just do a 'killall -HUP inetd'
Note: after changing the "inetd.conf" file, do not forget to send a SIGHUP signal to the inetd process:
[root@deep /root]# killall -HUP inetd
Step four: to protect the "inetd.conf" file further, use the chattr command to make it immutable:
[root@deep]# chattr +i /etc/inetd.conf
This prevents any change to "inetd.conf", accidental or otherwise. A file with the "i" attribute cannot be modified: it cannot be deleted or renamed, no link can be created to it and no data can be written to it. Only root can set or clear the attribute. To change inetd.conf again, clear the flag first:
[root@deep]# chattr -i /etc/inetd.conf
Services such as sendmail, named and the web server are different: unlike finger or telnet they are not started by inetd when a request arrives, but run as daemons started at boot. On Red Hat Linux the linuxconf tool lets you set interactively which of these run at startup, and the chkconfig command does the same from the command line, for example:
[root@deep]# chkconfig named off
The --level option restricts the change to particular runlevels; see man chkconfig for details.
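As an added example (not a Red Hat tool and not from the original article), the script below audits an inetd.conf in the way steps one to three describe: it lists the services that are still enabled, recovers the daemon name tcpd sees for each (the name that hosts.allow needs later), and returns the file text with the unwanted services commented out. The sample file content and the UNWANTED set are constructed for the example, the latter from the article's own list.

```python
"""Audit /etc/inetd.conf and disable unwanted services.

Added example for this article; it is not a Red Hat tool. An inetd.conf
service line has the fields
    service  socket_type  protocol  wait/nowait  user  server_program  [args]
The functions below list the services that are still enabled, work out
the daemon name tcpd sees for each (the name hosts.allow needs), and
return the file text with the unwanted services commented out. The
sample file content is constructed for the example.
"""
import os
from collections import namedtuple

Entry = namedtuple("Entry", "lineno service daemon enabled")

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Constructed sample; a real file lists many more services.
SAMPLE_INETD_CONF = """\
# to re-read this file after the changes, just do a 'killall -HUP inetd'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd -e -o
time    stream  tcp     nowait  root    internal
"""

# The article's list of services a WWW/FTP server does not need.
UNWANTED = {"telnet", "shell", "login", "exec", "talk", "ntalk",
            "imap", "pop-2", "pop-3", "finger", "auth"}


def parse_inetd(text):
    """Return an Entry for every service line, commented out or not.

    Comment lines that are not service entries (like the header) are
    skipped by checking the socket type and wait/nowait fields.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().lstrip("#").split()
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES \
                or not fields[3].startswith(("wait", "nowait")):
            continue
        enabled = not raw.lstrip().startswith("#")
        # With tcpd as server_program the real daemon is the first arg;
        # otherwise it is the server_program itself ("internal" for
        # services inetd implements by itself).
        daemon = os.path.basename(fields[6] if len(fields) > 6 else fields[5])
        entries.append(Entry(lineno, fields[0], daemon, enabled))
    return entries


def enabled_services(text):
    return [e.service for e in parse_inetd(text) if e.enabled]


def service_daemons(text):
    """Map each enabled service to the daemon name to use in hosts.allow."""
    return {e.service: e.daemon for e in parse_inetd(text) if e.enabled}


def disable_services(text, unwanted):
    """Return text with every enabled service in `unwanted` commented out."""
    lines = text.splitlines()
    for e in parse_inetd(text):
        if e.enabled and e.service in unwanted:
            lines[e.lineno - 1] = "#" + lines[e.lineno - 1]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("enabled before:", enabled_services(SAMPLE_INETD_CONF))
    hardened = disable_services(SAMPLE_INETD_CONF, UNWANTED)
    print("enabled after: ", enabled_services(hardened))
    print("daemon names:  ", service_daemons(hardened))
    # To apply for real: write `hardened` to /etc/inetd.conf, then run
    # `killall -HUP inetd` so inetd re-reads it.
```

Filtering on the socket-type and wait/nowait fields is what keeps the header comment from being mistaken for a service line; the same check also makes the rewrite idempotent, since an already commented service is never commented a second time.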
*/etc/hosts.allow File
Shutting down services such as telnet and ftp altogether, however, makes remote administration inconvenient. Linux offers a more flexible and efficient way to restrict who may request a service, so that trusted users can keep using it on a secure footing: the TCP wrapper (tcpd), which most distributions install by default. With it you can restrict access to the inetd services mentioned above, and it logs every connection attempt, accepted or refused, through syslog (on Red Hat these records appear in /var/log/secure), so the administrator can see who connected or tried to.
In the /etc directory there are two files, hosts.allow and hosts.deny; by configuring them you specify which machines may use which services and which may not.
When a service request arrives, tcpd consults the two files in the following order and stops at the first match:
1. If an entry in /etc/hosts.allow matches the requesting host and the service, the host is granted the service.
2. Otherwise, if an entry in /etc/hosts.deny matches, the host is refused the service.
3. Otherwise access is granted. A missing file is treated as empty, so you can clear all restrictions simply by removing the file. Within a file, blank lines and lines beginning with # are ignored, so a # at the start of a line turns it into a comment.
Both files are written in a simple access control language whose basic statement has the form:
daemon_list : client_list
The daemon list names one or more programs that provide the service, separated by commas or spaces. The name to use is the program inetd starts, found in the last field of the service's line in inetd.conf; for the telnet line that is in.telnetd.
The client list names one or more hosts that are allowed or refused the service, again separated by commas or spaces. Both lists may use wildcards and patterns so that several services or hosts can be covered at once.
Linux offers the following ways to specify hosts in the client list:
1. A string beginning with "." matches every host whose name ends with it: .amms.ac.cn matches www.amms.ac.cn.
2. A string ending with "." matches every address beginning with it: 202.37.152. matches all hosts in 202.37.152.0/24.
3. The form n.n.n.n/m.m.m.m denotes a network and mask; a host matches if its address ANDed bitwise with m.m.m.m equals n.n.n.n.
4. ALL matches everything.
5. EXCEPT removes hosts: list_1 EXCEPT list_2 matches anything in list_1 that is not also in list_2.
6. LOCAL matches any host whose name does not contain a ".".
These are only some of the patterns available, but they are enough for most purposes. A few examples:
Suppose we want only machines on our own LAN to use the server's FTP service and to refuse FTP requests from the WAN; the LAN consists of the three network segments 202.39.154., 202.39.153. and 202.39.152.
In hosts.deny we refuse all services to all machines:
ALL: ALL
In hosts.allow we grant FTP access to the LAN only:
in.ftpd: 202.39.154. 202.39.153. 202.39.152.
Each segment must keep its trailing dot: "202.39.154" without it would be compared as a complete host name or address and would match nothing. The daemon field takes the bare program name, not the options such as -l -a that follow it in inetd.conf.
Now FTP requests from machines outside the LAN are refused while LAN machines can use the service. The log files in the /var/log directory should also be checked regularly for events that threaten the system: tcpd's "refused connect" records in /var/log/secure show who was turned away, and the last command lists who actually logged in.
Finally, tcpdchk checks the tcp_wrappers configuration and reports the problems and potential problems it can find; tcpdmatch predicts how tcpd would treat a given request. After completing the configuration, run:
[root@deep]# tcpdchk
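As an added example, not part of the original article and not the libwrap code itself, the following re-implements the matching rules described above so that the allow-then-deny-then-default-grant order can be exercised offline: ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, n.n.n.n/m.m.m.m, exact name or address, and right-associative EXCEPT, plus comments and backslash continuation lines. Option fields and the daemon@host form are not handled. The rule texts and the client hosts in the demonstration are constructed from the article's LAN-only FTP example.

```python
"""Evaluate hosts.allow / hosts.deny the way tcpd does.

Added example for this article; it is not libwrap and handles only the
patterns the text describes (ALL, LOCAL, leading-dot domain suffix,
trailing-dot address prefix, n.n.n.n/m.m.m.m, exact host or address,
and right-associative EXCEPT) plus comments and backslash continuation.
Option fields and the daemon@host form are ignored. The rule texts at
the bottom are constructed from the article's LAN-only FTP example.
"""
import ipaddress


def _tokens(field):
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...] from a rule file."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if line.endswith("\\"):                 # continuation line
            logical += line[:-1] + " "
            continue
        fields = (logical + line).split(":")
        logical = ""
        if len(fields) < 2 or not fields[0].strip():
            continue                            # blank or malformed
        rules.append((_tokens(fields[0]), _tokens(fields[1])))
    return rules


def _net_mask_match(token, addr):
    try:
        net, mask = (ipaddress.IPv4Address(p) for p in token.split("/", 1))
        host = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return int(host) & int(mask) == int(net)


def _client_match(token, host, addr):
    if token == "ALL":
        return True
    if token == "LOCAL":                 # unqualified name: no dot
        return bool(host) and "." not in host
    if token.startswith("."):            # domain suffix
        return host.endswith(token)
    if token.endswith("."):              # address prefix
        return addr.startswith(token)
    if "/" in token:                     # network/mask
        return _net_mask_match(token, addr)
    return token in (host, addr)         # exact name or address


def _daemon_match(token, daemon):
    return token == "ALL" or token == daemon


def list_matches(tokens, pred):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c), as in tcpd."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], pred) and not list_matches(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)


def _any_rule_matches(rules, daemon, host, addr):
    return any(list_matches(d, lambda t: _daemon_match(t, daemon))
               and list_matches(c, lambda t: _client_match(t, host, addr))
               for d, c in rules)


def access_allowed(daemon, host, addr, allow_text, deny_text):
    """tcpd order: hosts.allow grants, then hosts.deny refuses, else grant."""
    if _any_rule_matches(parse_rules(allow_text), daemon, host, addr):
        return True
    if _any_rule_matches(parse_rules(deny_text), daemon, host, addr):
        return False
    return True


# Constructed rule files, as in the article's example.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "# LAN segments only\nin.ftpd: 202.39.154. 202.39.153. 202.39.152.\n"


def lan_ftp_allowed(daemon, host, addr):
    return access_allowed(daemon, host, addr, HOSTS_ALLOW, HOSTS_DENY)


if __name__ == "__main__":
    for req in (("in.ftpd", "ws1", "202.39.154.7"),
                ("in.ftpd", "evil.example.net", "10.1.2.3"),
                ("in.telnetd", "ws1", "202.39.154.7")):
        print(req, "allowed" if lan_ftp_allowed(*req) else "refused")
```

Two things worth trying against it: drop the trailing dot from a segment and the LAN hosts are refused, because the bare string is compared as an exact name or address; empty both files and everything is granted, which is why hosts.deny should always carry ALL: ALL.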
*/etc/services File
The mapping between port numbers and standard services was defined in RFC 1700 "Assigned Numbers" (since superseded by the IANA port number registry). The "/etc/services" file lets server and client programs translate service names into port numbers; it is present on every host. Only the "root" user may modify it, and in general there is no need to, because it already lists the commonly used services. To improve security you can protect the file against unauthorized deletion or modification with the following command:
[root@deep]# chattr +i /etc/services
*/etc/securetty File
The "/etc/securetty" file specifies from which TTY devices the "root" user may log in. It is read by the login program (usually "/bin/login"). Its format is simple: each TTY device listed permits root logins; a device that is commented out or missing from the file does not. The check applies only to logins that go through login (or PAM's pam_securetty module); it does not govern services that authenticate root by other means.
Comment out (put a # at the start of the line) every TTY device on which you do not want root to log in.
Edit the securetty file (vi /etc/securetty) and comment out lines as follows:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
* Disable the Control-Alt-Delete shutdown keys
You can disable rebooting the machine with Control-Alt-Delete by commenting out a line in the "/etc/inittab" file. This matters when the server is not in a physically secure location.
Edit the inittab file (vi /etc/inittab) and change this line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Make init re-read inittab so the change takes effect:
[root@deep]# /sbin/init q
* Change access permissions for script files in the "/etc/rc.d/init.d/" directory
The scripts under /etc/rc.d/init.d/ are mainly the scripts that start the services. Ordinary users have little reason to read them, so tighten their permissions:
[root@deep]# chmod -R 700 /etc/rc.d/init.d/*
This way only root can read, write, and execute scripts in this directory.
*/etc/rc.d/rc.local File
By default, when you log in to a Linux machine, the system announces the distribution name, version number, kernel version and host name. That gives away too much information about the system; it is better to show nothing but the "login:" prompt.
Step one:
Edit the "/etc/rc.d/rc.local" file and put a "#" in front of the following lines:
--
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
--
Step two:
Delete the "issue" and "issue.net" files in the "/etc" directory:
[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
Note: the "/etc/issue.net" file is the banner shown to users who log in over the network (for example via telnet), and "/etc/issue" is the banner shown at local logins. Both are plain text files and can be edited as needed. If you delete them, however, you must comment out the lines in the "/etc/rc.d/rc.local" script as described above, or the system will recreate both files at every reboot.