Help you build a Secure Linux platform (1)

Source: Internet
Author: User

If you have installed a Linux computer without any security measures so far, you should learn something about Linux security; the methods described in this article can make your Linux platform more secure. Of course, I only hardened the Linux platform according to my own needs, so it may not fully meet your requirements, but I think it should be helpful.
Security requirements
At home, I use Red Hat Linux. I seldom shut the machine down, and it is usually connected to the Internet through broadband. That is to say, my machine is generally online. I have two considerations for the security of this computer:
1. I want to hide the data and documents I don't want others to see;
2. Never allow uninvited guests to use my computer resources.
There is a lot of important data on my computer. I think most people have their own documents and data on their computers. I don't want anyone except me to read or write these files. In addition, I don't want intruders to use my machine to attack another target. I would be angry if I found someone using my machine to attack others, and I believe everyone shares that feeling. Even more disturbing is that sometimes we have been "hacked" and our machines are acting as attackers against other people's systems while we remain in the dark.
Make security plans
When I start to install the Linux system, I configure Iptables in the kernel. Iptables is considered to be the fourth generation of packet filtering in Linux. The first generation, used in Linux kernel 1.1, was ipfw, which Alan Cox ported from BSD Unix. In the Linux 2.0 kernel, Jos Vos and some other programmers extended ipfw and added the ipfwadm user tool. In the Linux 2.2 kernel, Russell and Michael Neuling made some important improvements; it was in this kernel that Russell added the ipchains tool to help users control filtering rules. Now, Russell has completed the kernel framework named NetFilter.
NetFilter aims to provide users with an underlying structure dedicated to packet filtering. In addition, users and developers can also build it into the Linux kernel. Iptables is a module built on the NetFilter framework. It gives users access to the kernel's filtering rules and commands. If you know ipchains, you will find that Iptables and ipchains are very similar.
By configuring Iptables, I can prevent any data packet from entering or leaving my machine. This is very important because my machine is online 24 hours a day. With this protection in place, my machine can immediately block various attacks from the Internet. It is not difficult to use and configure Iptables, so I will not discuss it at length (readers can easily find relevant information on the Internet).
Next we will discuss LIDS (Linux Intrusion Detection System). LIDS exists in the form of a kernel patch. It aims to improve computer security by limiting access to files and processes, and it alerts you when someone tries to break these limits. Another advantage of LIDS is that it can restrict even the permissions of the root account, so that when intruders obtain root permissions, the loss can be minimized. I use LIDS to protect binary system files, log files under the /var/log directory, and configuration files under the /etc directory. Binary files marked as Readonly cannot be deleted or modified by any user, including root. Log files I mark as Append. In this way, data can be written to the files in the directory, but existing data cannot be modified or deleted.
What I need to do next is to minimize the number of services running on the machine. The fewer services run on the machine, the less likely someone else will intrude into it. By default, many Linux distributions run many resident programs (daemons). In my opinion, this is not very reasonable. So I disabled Telnet, FTP, and all resident programs starting with the letter "R". In this way, I avoid threats to the system when I have no time to upgrade or install patches. For services that I must use, I install security patches as soon as possible. In addition, if a vulnerability is discovered in a service and no related patch is available, I temporarily shut down the service until a patch is released.
Once the number of services running on the computer is minimized, I use the "netstat -l" command to list the services that are listening. This is intended to ensure that I have not missed any services that I don't need. In fact, we often make mistakes by not checking what is listening. If any services that I don't need turn out to be listening, they can be fixed right away.
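
The listening-socket check above can be made repeatable. The script below is an added example, not part of the original article: it reads `netstat -ltn` output (the `-t` and `-n` flags are added here for numeric, TCP-only output) and reports listeners for the services the article disables (FTP, Telnet and the r-daemons on their standard ports) plus anything outside an allowlist. The function name `audit_listeners`, the allowlist and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against an allowlist.

# Constructed sample of `netstat -ltn` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp6       0      0 :::21                   :::*                    LISTEN'

# audit_listeners "<space-separated allowed ports>"
# Reads netstat text on stdin and prints one finding per line:
#   BANNED <port> <service> <scope>   or   UNEXPECTED <port> - <scope>
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, list, " ")
        for (i = 1; i <= n; i++) ok[list[i]] = 1
        # Services the article turns off: FTP, Telnet and the r-daemons.
        banned[21] = "ftp";    banned[23] = "telnet"
        banned[512] = "rexec"; banned[513] = "rlogin"; banned[514] = "rsh"
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        # The port follows the last colon, which also covers IPv6 (":::21").
        k = split($4, part, ":")
        port = part[k]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # Loopback-bound sockets are not reachable from the network.
        scope = (addr == "127.0.0.1" || addr == "::1") ? "local-only" : "network"
        if (port in banned)
            print "BANNED", port, banned[port], scope
        else if (!(port in ok))
            print "UNEXPECTED", port, "-", scope
    }'
}

# Demo on the constructed sample, allowing only SSH (port 22).
# On a real host: netstat -ltn | audit_listeners "22"
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "22"
```

An empty result means every listener is on the allowlist; a `BANNED` line with scope `network` is the case the article is most concerned about.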

