Article Title: Helps you build a secure Linux platform
Author: Yang yuyu
If you have installed a Linux machine without taking any security measures so far, you should learn some Linux security basics; this article also describes the methods I used to make my own Linux platform more secure. Of course, I hardened my Linux platform to suit my own needs, so it may not fully meet your requirements, but I think it should still be helpful.
Security requirements
At home, I use Red Hat Linux. I seldom shut it down and I usually connect to the Internet through a broadband line; in other words, my machine is generally online. I have two security requirements for this computer:
1. I want to hide the data and documents I don't want others to see;
2. I never want uninvited guests to use my computer's resources.
There is a lot of important data on my computer, and I think most people keep their own documents and data on their machines. I don't want anyone except me to read or write these files. In addition, I don't want intruders to use my machine to attack another target; I would be angry to find someone using my machine to attack others, and I believe everyone feels the same way. The even more disturbing problem is that we may be "hacked" and used as a springboard to attack other people's systems without even knowing it.
Make security plans
When I install a Linux system, the first thing I do is enable Iptables support in the kernel. Iptables is considered the fourth generation of Linux packet-filtering tools. The first generation was used by Linux kernel 1.1, when Alan Cox ported ipfw from BSD Unix. In the Linux 2.0 kernel, Jos Vos and other programmers extended ipfw and added the ipfwadm user tool. In the Linux 2.2 kernel, Russell and Michael Neuling made some important improvements; in that kernel, Russell added the ipchains tool to help users control filtering rules. Now Russell has completed the kernel framework named NetFilter.
NetFilter aims to provide users with an underlying infrastructure dedicated to packet filtering, which users and developers can build into the Linux kernel. Iptables is a module built on the NetFilter framework; it lets users manage the kernel's packet-filtering rules. If you know ipchains, you will find that Iptables and ipchains are very similar.
By configuring Iptables, I can block any packet I do not want from entering or leaving my machine. This is very important because my machine is online 24 hours a day. With this protection in place, my machine can immediately block various attacks from the Internet. Iptables is not difficult to use and configure, so I will not discuss it at length (readers can easily find relevant information on the Internet).
Next we will discuss LIDS (Linux Intrusion Detection System), which is implemented as a kernel patch. LIDS aims to improve computer security by limiting access to files and processes, and it alerts you when someone tries to break these limits. Another advantage of LIDS is that it can even restrict the permissions of the root account; when an intruder obtains root, the damage can be kept to a minimum. I use LIDS to protect the system binaries, the log files under the /var/log directory, and the configuration files under the /etc directory. No user, root included, can delete or modify a binary marked as Readonly. I mark the log files as Append: new data can be written to the files in that directory, but existing data cannot be modified or deleted.
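The rules just described, as an added example and not the author's own configuration: it assumes the lidsadm command-line syntax of LIDS 1.x (`-A` add, `-o` object, `-j` action with READONLY, APPEND and DENY) and a kernel carrying the LIDS patch, which is why the script has a dry-run mode that only prints the commands.

```shell
#!/bin/sh
# Added example: a LIDS access-control list that protects system binaries and
# /etc as read-only and makes /var/log append-only. The lidsadm syntax is
# assumed from LIDS 1.x; run as root on a LIDS-patched kernel. Setting
# LIDS_DRYRUN=1 prints the commands instead of executing them.

run() {
    if [ -n "$LIDS_DRYRUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

lids_rules() {
    run lidsadm -Z                               # clear any existing rules first
    # System binaries: nobody, root included, may modify or delete them.
    for d in /bin /sbin /usr/bin /usr/sbin /lib; do
        run lidsadm -A -o "$d" -j READONLY
    done
    run lidsadm -A -o /etc -j READONLY           # configuration files
    run lidsadm -A -o /var/log -j APPEND         # logs: append only, no rewrite or delete
    run lidsadm -L                               # show the resulting rule list
}

# Dry run to review the rules before applying them for real:
#   LIDS_DRYRUN=1 sh thisscript.sh
[ "$(basename "$0")" = "thisscript.sh" ] && lids_rules
```

Review the dry-run output first; a rule that marks a directory READONLY also blocks package upgrades inside it until LIDS is switched off for maintenance.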
What I need to do next is to minimize the number of services running on the machine. The fewer services run on it, the fewer ways there are for someone to break in. By default, many Linux distributions start a large number of resident daemons, which in my opinion is not reasonable. So I disabled Telnet, FTP, and all the resident programs whose names start with the letter "r". This way the system is not exposed when I have no time to upgrade or install patches. For the services I must use, I install security patches as soon as possible; and if a vulnerability is found in a service and no patch is available yet, I temporarily stop the service until a patch is released.
Once the number of running services is minimized, I use the "netstat -l" command to list the listening sockets. This is to make sure I have not overlooked a service I don't need; it is easy to miss one if you never check. If this check turns up a service I don't need, I disable it right away.
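The netstat check above, turned into a repeatable audit; this is an added example, not the author's script. It compares the listening TCP and UDP ports against an allow-list of the ports you intend to serve and reports everything else. The sample netstat output embedded below is constructed for the example; on a live machine you would pipe `netstat -ln` into the function instead.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on the allow-list.
# Reads `netstat -l` / `netstat -ln` output on stdin; works on tcp, tcp6 and udp lines.

# Ports I intend to serve: ssh and the local mail daemon. Anything else is suspect.
ALLOWED_PORTS="22 25"

# Prints "proto port" for every listener whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            port = $4                 # local address, e.g. 0.0.0.0:22 or :::22
            sub(/.*:/, "", port)      # keep only the port after the last colon
            if (!(port in ok)) print $1, port
        }'
}

# Constructed sample of `netstat -ln` output (not captured from a real host):
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Run against the sample; on a live system use:  netstat -ln | unexpected_listeners
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
}
```

Against the sample this reports telnet (tcp 23), ftp (tcp 21) and the portmapper (udp 111), exactly the kind of leftover services the text says to shut down; add a port to ALLOWED_PORTS only after you have decided you really need it.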
Good security door
In the computer world, there is no absolute security; that is, you cannot completely eliminate hacker attacks. Although my computer has never been broken into, I never consider it 100% secure. In my first few months of using Linux, I hardly thought about security at all. My work was mainly about getting the new operating system to work, and to work better. At that time I put my energy into learning basic Linux commands and how to use the system rather than anything else. During that period I was attacked many times; although none of it caused fatal harm, I still shudder to think of it.
Well, since your machine is bound to be attacked sooner or later, let's look at how to examine it afterwards. First let's look at TCT (The Coroner's Toolkit, http://www.porcupine.org/forensics/tct.html), which is a good tool. It runs on Linux, FreeBSD, OpenBSD, Solaris, Unix, and other platforms. It can analyze the last modification, access, or change time of every file, and it can extract a list of files by inode number in order to recover them. You run it on a machine you suspect has been compromised to perform a check; it collects data from your hard disk and then examines it. However, I feel this tool is too difficult for beginners. So if you have never used TCT before, you must read a lot of documentation before using it. Fortunately, the tool's homepage has many links to HOWTO documents, so if you want to try it, read those first. If you find the English documents hard going, you can search Google for Chinese pages about TCT and find plenty of relevant Chinese documentation.
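The MAC-time (modify, access, change) timeline is the core idea behind TCT's grave-robber and mactime tools. The script below is an added example, not TCT code: it collects the three timestamps for every regular file under a directory with GNU find's `-printf` and then filters the listing to the files modified or changed after a given point in time. It assumes GNU findutils; the directory it is pointed at is whatever you choose, ideally a read-only mounted copy of the suspect disk, because walking a live file system disturbs the access times you are trying to analyze.

```shell
#!/bin/sh
# Added example: a minimal MAC-time collector in the spirit of TCT's
# grave-robber/mactime. Requires GNU find (for -printf).

# Emit one line per regular file: mtime atime ctime path (epoch seconds), oldest first.
# -xdev keeps the walk on one file system so /proc and network mounts are skipped.
mac_collect() {
    find "$1" -xdev -type f -printf '%T@ %A@ %C@ %p\n' | sort -n
}

# From a collected listing on stdin, print the paths of files whose modification
# time (field 1) or inode-change time (field 3) is at or after the given epoch.
# ctime cannot be set with touch, so it often survives an intruder's attempt to
# backdate a replaced binary.
mac_since() {
    awk -v since="$1" '
        ($1 + 0) >= (since + 0) || ($3 + 0) >= (since + 0) {
            $1 = ""; $2 = ""; $3 = ""       # drop the timestamps
            sub(/^ +/, "")                   # and the leading blanks they leave
            print                            # path, even if it contains spaces
        }'
}

# Typical use: snapshot the listing to removable media right away, then query it.
#   mac_collect /mnt/suspect > /media/usb/mactimes.txt
#   mac_since "$(date -d '2 days ago' +%s)" < /media/usb/mactimes.txt
```

Comparing the listing against a snapshot taken when the machine was known to be clean shows which binaries and configuration files changed, which is the starting point of any TCT investigation.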
Secure Information Transmission
By default, data is transmitted in the clear, so what you send over the Internet can be viewed by others. You can see this for yourself with traceroute.
Enter "traceroute www.google.com" at the command line and you will see how many machines your packets pass through when you submit a search to Google; each of them could read those packets.
When I log on to a website, I make sure I use the secure page (HTTPS). HTTPS uses SSL to encrypt the transmitted data; without it, the data I send can easily be eavesdropped on by purpose-built machines. For example, Yahoo provides a secure login and submission method for its various Web services. I have a Yahoo email account, and with it I can log in at any time to check my mail without worrying that my information will be peeked at.
For remote management, I use the ssh and scp programs instead of Telnet and FTP. They are easy to install, and their functions fully meet my needs. Once they are installed, I open the corresponding port in my Iptables configuration so that I can connect to the machine from outside.
This has been a brief introduction to how I made my machine secure. I hope these experiences help you make good, safe use of Linux.
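The Iptables policy described in the "Make security plans" section, combined with the single open port for ssh and scp mentioned just above, as an added example rather than the author's own rule set. It sets default-deny policies, keeps loopback and the replies to the machine's own outbound connections, and admits new inbound connections only on the SSH port. It assumes an iptables with the `state` match (iptables 1.2 on a 2.4 kernel or later); set `IPT="echo iptables"` to print the commands instead of applying them, since applying them requires root.

```shell
#!/bin/sh
# Added example: default-deny Iptables policy for an always-online workstation
# that is managed remotely over ssh/scp. Must run as root to apply; with
# IPT="echo iptables" it only prints the rules for review.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

firewall_rules() {
    $IPT -F                                   # flush whatever is loaded now
    $IPT -P INPUT DROP                        # default: nothing comes in
    $IPT -P FORWARD DROP                      # never forward packets for anyone else
    $IPT -P OUTPUT ACCEPT                     # my own outbound traffic is allowed
    $IPT -A INPUT -i lo -j ACCEPT             # local processes talking to each other
    # Replies to connections I opened (browsing, mail, updates) may come back in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The one service reachable from outside: ssh (scp rides on the same port).
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Answer pings, but not fast enough to be useful for flooding.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Log a sample of what gets dropped, then drop it. Rate-limited so a scan
    # cannot fill /var/log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    $IPT -A INPUT -j DROP
}

# Review first:  IPT="echo iptables" sh thisscript.sh
# Apply:         sh thisscript.sh   (as root)
[ "$(basename "$0")" = "thisscript.sh" ] && firewall_rules
```

Because the policy is DROP, a rule order mistake locks you out of a remote machine, so always run the dry-run first and apply from the console, or from a cron job that flushes the rules again a few minutes later if you have not confirmed the session still works.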