Linux SECURITY: Step-by-Step fortification (1)

Article Title: Linux SECURITY: Step-by-Step fortification (1 ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Author: Ding Wei
　　
Just as there is no unbreakable shield, no system is absolutely secure. No one in the security field can say that they are masters. The security of the system is exchanged by the sweat and wisdom of many predecessors. System security involves all aspects. Security problems exist in both banking and telephone systems, MS Windows systems, and Unix systems that are widely recognized as secure. The only focus of security is on how many users are using the system. The more users the system has, the more critical the security issues are. The faster the system discovers security vulnerabilities. In addition, the better the scalability of the system, the more application services supported, the more security problems. In MS Windows, the system can be set to security or damage to the system by using the mouse's staff to obtain online materials. Security Settings are a double-edged sword. One side is the ability to tear up undefended systems, destroy data, and block illegal intrusions and protect data. This boundary is the difference between Nuker and Hacker.
　　
Linux is an open-source system, and its security can be enhanced at the code level. But it is too complicated for users who are new to Linux. If you want to use Linux as a desktop operating system, the settings must be different from those on the server. The server may be used on the Internet, whether it is its firewall, proxy server or other applications, Security Settings focus on key applications, and desktop applications focus on different.
　　
For the commonly used Mandrake, Red Hat, SuSE, and Debian on the market, the security settings are different, but the methods are consistent. Taking Red Hat, which has many users in the Chinese market as an example, we will take the following section as an example ~ A 300-person Company uses Red Hat Linux as the desktop operating system and sets system security step by step. The configuration of surrounding resources will also be mentioned.
　　
　　
Hardware Security
　　
　　
The chassis must be locked. Any system may be physically exposed, reducing the security by at least half. This is because anyone can unload the hard disk and read data from other systems, undermining security protection. As a result, desktop and server should avoid physical access as much as possible.
　　
　　
BIOS Security
　　
　　
Although there are many tools to read the BIOS password and many BIOS have a common password, it is necessary to set the BIOS password protection. The password must be more than 8 characters long. It must be a combination of uppercase and lowercase numbers, symbols, and letters, and must not be the same as any system password. If you are worried that all machines will be compromised, you can consider adding a personalized password bit. For example, you can use the abbreviation of the person on the machine or the password in front of the unique machine number combination to become a password that is better remembered and meets the complexity and uniqueness requirements.
　　
　　
Startup settings
　　
　　
After the system is installed, apart from hard disk boot, the boot of floppy disks, optical disks, and even USB flash memory may bring security issues. Therefore, you must disable the startup of any device except the hard disk in the BIOS.
　　
　　
System Partition
　　
　　
The current hard disks can all meet the capacity requirements of Linux. Take 20 ~ For 40 Gb hard disk, there is no additional partitioning method. Using Red Hat's automatic partitioning can meet the requirements. The specific partitioning method is a 40 MB boot partition (/boot), which is twice the memory swap partition (swap), and the rest is the root partition (/). The reason for not separating the/home directory and/var directory is that too many system partitions increase management complexity because it is used by a single user. For example, if the/var partition is full, the system exception occurs. Simple partitions can be used by users.
　　
　　
Install
　　
　　
Avoid full installation, that is, the Everything option. As mentioned above, the more services provided by the system, the more vulnerabilities, and the worse the security. Try to use non-interactive installation, such as creating an installation floppy disk, using NFS or installation script. The fewer users directly participate, the stronger the manageability. Uniform Rules are used for host naming, such as the company's e-mail address and extension number, to facilitate troubleshooting and locating. Try to use a static IP address or a DHCP address bound to the MAC address as much as possible, so that any exceptions can be quickly ruled out. Note that the ext3 file system can reduce hard disk data loss caused by power loss and cannot be started.
　　
　　
Account and center control
　　
　　
Using NIS for account and central control may be good, but it is also an option to increase management complexity. If the environment is a single user logon, and the files are shared by the server, it is also a good choice to log on to the server without using NIS. Of course, you can choose not only NIS but also central account management. The account on the local machine must use the company's email address as the login name. Of course, you must have an administrator account, but do not add the local account to the local administrator group. It is dangerous to have multiple root accounts on the local machine.
　　
　　
Start the loader
　　
　　
Start the loader and try to use GRUB instead of LILO. The reason is: although they can all be added with the Startup Password, LILO uses the plaintext password in the configuration file, while GRUB uses the md5 Algorithm for encryption. Password protection can prevent you from using the customized kernel to start the system, and set the startup wait time to 0 without other operating systems. The configuration of LILO is in the/etc/lilo. conf file, and the GRUB configuration file is in/boot/grub. conf:
　　
/Etc/lilo. conf
Image =/boot/2.4.18-vmlinuz
Label = Linux
Read-only
# The password is plain text
Password = Clear-TextPassword
# Add protection
Restricted
/Boot/grub. conf
# Modify the start time to 0, that is, direct start
Timeout 0
# You can use the grub-md5-crypt to generate an encrypted password after md5
Password -- md5 $1 $ LS8eV/$ mdN1bcyLrIZGXfM7CkBvU1
　　
　　
　　
Use sudo
　　
Users sometimes use commands that require root permission, and then use sudo. Sudo is a tool based on commands restricted in the configuration file and used for users within a limited period of time and recorded in logs. It is configured in the/etc/sudoers file. When using sudo, you need to enter your own password to verify the identity of the user. You can use the defined command later. When using commands not in the configuration file, there will be an alarm record.
　　
/Etc/sudoers
Sudo [-bhHpV] [-s ] [-U <用户> ] [Command] or sudo [-klv]
-B: execute commands in the background
-H Show Help
-H: Set the HOME environment variable as the HOME environment variable of the new identity.
-K ends the password's validity period, that is, the password will be entered next time
-L LIST commands available to the current user
-P: the prompt symbol for changing the query Password
-S Execute the specified shell
-U <用户> Use the specified user as the new identity. The default value is root when the user is not in use.
-V the password is valid for 5 minutes
-V: display version information
　　
　　
　　
　　
Limit the number of su users
　　
　　
As mentioned above, the new user on the local machine does not have the root permission. Therefore, you need to use su to switch users. Linux can add restrictions on switching to the root user. You can use PAM (Pluggable Authentication Modules) to disable anyone except in the wheel group from su root, modify the/etc/pam. d/su file, and remove the blocked ID #. Use/usr/sbin/usermod G10 bjecadm to add the account bjecadm to the group with the gid of 10, that is, the wheel group.
　　
/Etc/pam. d/su
# Password verification
Auth sufficient/lib/security/pam_wheel.so debug
# Restrict users in the wheel group to switch to the root user.
Auth required/lib/security/pam_wheel.so use_uid
　　
　　
　　
　　
Enhanced login security
　　
　　
You can modify the/etc/login. defs file to add settings such as logon error delay, logging, logon password length limit, and expiration limit.
　　
/Etc/login. defs
# The logon password is valid for 90 days.
PASS_MAX_DAYS 90
# The shortest time for changing the logon password, which can prevent unauthorized users from changing the password multiple times in a short time
PASS_MIN_DAYS 0
# Minimum length of Logon password: 8 characters
PASS_MIN_LEN 8
# A message is prompted 7 days before the logon password expires.
PASS_WARN_AGE 7
# Wait 10 seconds for a logon Error
FAIL_DELAY 10
# Logging for Logon errors
FAILLOG_ENAB yes
# Used when a Super User is limited to manage logs
SYSLOG_SU_ENAB yes
# Used when logs are managed by a limited Super User Group
SYSLOG_SG_ENAB yes
# Use md5 as the password encryption method
MD5_CRYPT_ENAB yes
　　
　　
　　
　　
Restrict the terminal window for root Login
　　
　　
Modify the/etc/securetty file to prevent brute force password cracking. Once the root user cannot log on directly, the user can only switch Through su, and is limited by pam. d, the probability of breakthrough through this method will be reduced.
　　
/Etc/securetty
Vc/1
Vc/2
Vc/3
Vc/4
Vc/5
Vc/6
Vc/7
Vc/8
Vc/9
Vc/10
Vc/11
# Shield the root logon in the terminal window and limit the number of terminals opened at the same time.
# Tty1
# Tty2
# Tty7
# Tty8
# Tty9
　　
　　
　　
In addition, the historical records in the terminal window should be restricted. Modify the/etc/profile file. If necessary, change the profile file in the user directory.
　　
/Etc/profile
# Restrict the history of the input command to 20 records, which is similar to the doskey function.
HISTSIZE = 20
# Restrict the size of the file that records the history of the input command
HISTFILESIZE = 20
# Set the terminal window to exit 600 seconds after no operation. This setting is not applicable to all windows
TMOUT = 600
　　
　　
　　
　　
Back up important files
　　
　　
Many Trojans, worms, and backdoors hide themselves by replacing important files. backing up the most important and frequently used commands is a good habit. Prepare a set of read-only media, optical disks, or USB flash drives, or even download them online. In short, it is necessary to use the original command instead of the command that may be infected in the system. Note that the backup is as follows:
　　
/Bin/su
/Bin/ps
/Bin/rpm
/Usr/bin/top
/Sbin/ifconfig
/Bin/mount