How to configure a secure SCO UNIX network system

Source: Internet
Author: User
Tags anonymous ftp log file permissions ftp access ftp protocol password protection

How secure a networked system is depends to a great extent on the competence of its administrator and on the measures that administrator takes. Security therefore has to be given a prominent place while the system is being configured, not bolted on afterwards.

SCO UNIX, a mature commercial network operating system widely used in finance, insurance, and posts and telecommunications, ships with a rich set of networking functions and with good stability and security. An incorrectly configured UNIX system, however, hands an intruder an opening. Network security management therefore cannot stop at deploying equipment such as firewalls; the operating system itself must be planned and configured sensibly, so that administrative loopholes do not put the application systems at risk.

Taking SCO UNIX OpenServer 5.0.5 as the example, the following points on operating-system-level network security settings are offered for reference.

Set the system security level sensibly

SCO UNIX provides four security levels: Low, Traditional, Improved and High. The default is Traditional; Improved is designed to meet the US Department of Defense TCSEC C2 requirements, and High is stricter than C2. Choose the level according to how important the system is and how many users it serves. It is set under Scoadmin → System → Security → Security Profile Manager.

Set up users sensibly

When creating a user, decide deliberately which group the user belongs to instead of accepting the system's default group. If needed, add a user group and place the members who belong together in it. The permissions a user's newly created files receive are determined by the umask value in that user's profile in the home directory. The umask depends on the system security level; at the Traditional level it is 022, which gives new files and directories the following permissions:

File permissions: -rw-r--r--

Directory permissions: drwxr-xr-x

In addition, limit the number of unsuccessful logins per account, so that an intruder cannot keep trying to log in by guessing a user's password. To set the limit for an account: Scoadmin → Account Manager → select the account → User → Login Controls → number of unsuccessful logins allowed.

Specify limits for console and terminal logins

If root should be able to log in on only one terminal (or virtual screen), designate that terminal as the console. For example, restrict root to the host's first screen, tty01, so that the superuser account cannot be attacked by direct login from the network. To do this, add the following line to /etc/default/login: CONSOLE=/dev/tty01. Note that this restricts only direct root logins: a user who has logged in remotely under an ordinary account can still run su, so ordinary accounts need strong passwords too, and the su log should be reviewed.

Note: the console setting takes effect while the host is running; no reboot is needed.

If terminals reach the UNIX host through asynchronous dial-up modems or long-haul asynchronous serial lines, also consider setting an unsuccessful-login limit per terminal, so that the terminal is locked once that number is exceeded. Set it under Scoadmin → System → Terminal Manager → Examine → select the terminal, then set the terminal's number of unsuccessful logins. A locked terminal is unlocked with ttyunlock <tty>; a terminal can also be locked directly with ttylock <tty>.

Permissions management for files and directories

For convenience, directories and files are often set to 777 or 666, but that convenience extends to attackers as well. Assign permissions to applications, data and their directories deliberately, and promptly correct any directory or file whose permissions turn out to be inappropriate using chmod. World-writable files and directories are the first thing to look for.
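As an added example (not from the original article), the following POSIX shell script audits a directory tree for world-writable files and directories, the result of the 777/666 habit described above, and removes the world-write bit with chmod. It uses only find, sed, chmod and wc, so it runs on an old SCO host as well as on a current system. The tree it builds under /tmp is constructed for the demonstration; the file names in it are not real system paths.

```sh
#!/bin/sh
# Added example, not part of the original article: find and fix
# world-writable files and directories below a given directory.
# Run it against application and data trees, not against /: directories
# such as /tmp are world-writable (1777) on purpose.

# audit_world_writable DIR
# Prints one line per world-writable entry below DIR:
#   "f <path>" for regular files, "d <path>" for directories.
# -perm -002 matches whenever the world-write bit is set, whatever the
# other bits are (so 666, 777, 1777 and 606 are all caught).
audit_world_writable() {
    find "$1" -type f -perm -002 -print | sed 's/^/f /'
    find "$1" -type d -perm -002 -print | sed 's/^/d /'
}

# count_world_writable DIR
# Number of entries audit_world_writable reports.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable DIR
# Strips only the world-write bit (o-w); owner, group and sticky bits are
# left alone, so 666 becomes 664 and 777 becomes 775.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} \;
}

# make_demo_tree DIR
# Builds a constructed tree with two bad entries and one correct one.
make_demo_tree() {
    mkdir -p "$1/data" "$1/app"
    : > "$1/data/ledger.dat"
    chmod 666 "$1/data/ledger.dat"   # bad: anyone can rewrite the ledger
    : > "$1/app/report.sh"
    chmod 755 "$1/app/report.sh"     # fine: others can only read/execute
    chmod 777 "$1/data"              # bad: anyone can add or delete files
}

demo=${TMPDIR:-/tmp}/permaudit.$$
make_demo_tree "$demo"
echo "before: $(count_world_writable "$demo") world-writable entries"
audit_world_writable "$demo"
fix_world_writable "$demo"
echo "after:  $(count_world_writable "$demo") world-writable entries"
rm -rf "$demo"
```

On a real host, run audit_world_writable first and read the list before fixing anything: some application spool directories are world-writable by design, and those should get the sticky bit (chmod 1777) rather than lose the write bit.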

Password protection settings

Passwords should be no shorter than 8 characters and should be an unpatterned mix of upper- and lower-case letters, digits and symbols; never use English words or phrases as passwords, and make a habit of changing every user's password regularly. Editing /etc/default/passwd enforces a minimum password length and the shortest and longest interval allowed between two password changes. Password protection also covers the password files themselves: /etc/passwd must stay readable, because programs look up user names in it, but it must be writable only by the system administrator, and the files that hold the password hashes, /etc/shadow and, on SCO, the Protected Password database under /tcb/files/auth, must be readable by the system administrator alone.

Set up equivalent hosts sensibly

Equivalent (trusted) hosts make life easier for users, but they must not open the system to unauthorized access, so three files have to be managed: /etc/hosts.equiv, .rhosts and .netrc. /etc/hosts.equiv lists the hosts that are allowed to run remote commands such as rsh and rcp against this system. .rhosts, kept in a user's home directory, names the remote users who may use that local account to run rcp, rlogin and rsh without supplying a password. .netrc, also kept in the user's home directory, holds the information the ftp and rexec commands use to connect to a host automatically without prompting for a password, which means it contains passwords in clear text. Because all three files let commands reach the host without a password, their contents must be kept to a strict minimum. In particular, never put "+ +" in .rhosts: it lets any user on any host run rcp, rlogin and rsh against the account without a password.
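As an added example that is not part of the original article, the following POSIX shell script scans trust files in the hosts.equiv/.rhosts format for "+" wildcard entries and checks whether a .netrc file containing a clear-text password is readable by group or others. File paths are passed as arguments, so it runs against the constructed copies built here and, on a host, against the real /etc/hosts.equiv and each home directory's .rhosts and .netrc. The host names, user names and password in the sample files are made up.

```sh
#!/bin/sh
# Added example, not part of the original article: audit hosts.equiv-style
# trust files and .netrc files for password-less access paths.

# risky_trust_lines FILE
# Prints each active line of FILE (hosts.equiv or .rhosts format:
# "host [user]") whose host field or user field is the "+" wildcard.
# Lines starting with "-" deny access and are not flagged. "+@netgroup"
# entries are not flagged here; they need a separate look at the netgroup map.
risky_trust_lines() {
    awk -v f="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "+" || $2 == "+"  { print f ": " $0 }
    ' "$1"
}

# count_risky_trust FILE
count_risky_trust() {
    risky_trust_lines "$1" | wc -l | tr -d ' '
}

# netrc_is_exposed FILE
# Succeeds (exit 0) when FILE holds a "password" token and is readable or
# writable by group or others. Reads the mode from ls -l because stat is
# not available on older systems.
netrc_is_exposed() {
    [ -f "$1" ] || return 1
    grep -q 'password' "$1" || return 1
    perm=$(ls -l "$1" | cut -c5-10)
    [ "$perm" != "------" ]
}

# make_demo_files DIR
# Writes constructed sample files: one acceptable and one dangerous entry each.
make_demo_files() {
    mkdir -p "$1"
    cat > "$1/hosts.equiv" <<'EOF'
# constructed sample: fin-db01 is trusted, "+" trusts every host
fin-db01
+
EOF
    cat > "$1/.rhosts" <<'EOF'
fin-app02 work
-fin-test03
+ operator
EOF
    echo 'machine ftp.example.test login work password not-a-real-secret' > "$1/.netrc"
    chmod 644 "$1/.netrc"
}

demo=${TMPDIR:-/tmp}/trustaudit.$$
make_demo_files "$demo"
risky_trust_lines "$demo/hosts.equiv"
risky_trust_lines "$demo/.rhosts"
if netrc_is_exposed "$demo/.netrc"; then
    echo "$demo/.netrc: clear-text password readable by others; chmod 600 it"
fi
rm -rf "$demo"
```

To cover every account on a host, loop over the home directories listed in /etc/passwd and call risky_trust_lines on each .rhosts and netrc_is_exposed on each .netrc; a .rhosts that is writable by anyone but its owner is as dangerous as a wildcard entry and should be checked with the permission audit as well.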

Configure /etc/inetd.conf sensibly

The UNIX system starts the inetd process at boot; it listens for most network connections and launches the appropriate server process for each. ftp, telnet, rcmd (rsh), rlogin and finger are all started this way. From the standpoint of system security, /etc/inetd.conf should therefore be configured carefully and every service that is not needed turned off. To turn a service off, insert a "#" at the start of its line, then find inetd's process ID and send it a HUP signal so that the change takes effect immediately:

# ps -ef | grep inetd | grep -v grep

# kill -HUP <inetd-pid>
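The following POSIX shell script is an added example, not code from the original article or from SCO. It lists the services still enabled in an inetd.conf-format file, comments out the ones named on the command line while keeping a backup for rollback, and wraps the ps/kill sequence above in a function. The inetd.conf contents used in the demonstration are a constructed, abbreviated sample (SCO's real file is longer and its user field varies); the script works on any file in the standard inetd.conf layout.

```sh
#!/bin/sh
# Added example, not part of the original article: disable services in an
# inetd.conf-format file and reload inetd.

# enabled_inetd_services FILE
# Prints the service name (first field) of every active line.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# disable_inetd_services FILE SERVICE...
# Comments out every active line whose service field is one of SERVICE...,
# matching the whole field so that "login" does not hit "rlogin" or vice
# versa. The original is kept as FILE.bak for rollback.
disable_inetd_services() {
    f=$1; shift
    cp "$f" "$f.bak" || return 1
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[ \t]*#/ && ($1 in off) { print "#" $0; next }
        { print }
    ' "$f.bak" > "$f"
}

# reload_inetd
# Sends SIGHUP to the running inetd so it rereads /etc/inetd.conf without a
# reboot; the "[i]netd" pattern keeps grep from matching its own command line.
reload_inetd() {
    pid=$(ps -ef | grep '[i]netd' | awk '{ print $2 }' | sed 1q)
    [ -n "$pid" ] || { echo "inetd is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# make_demo_conf FILE
# Writes a constructed, abbreviated inetd.conf for the demonstration.
make_demo_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real SCO inetd.conf
ftp     stream  tcp  nowait  NOLUID  /etc/ftpd      ftpd
telnet  stream  tcp  nowait  NOLUID  /etc/telnetd   telnetd
shell   stream  tcp  nowait  NOLUID  /etc/rshd      rshd
login   stream  tcp  nowait  NOLUID  /etc/rlogind   rlogind
exec    stream  tcp  nowait  NOLUID  /etc/rexecd    rexecd
finger  stream  tcp  nowait  nouser  /etc/fingerd   fingerd
#tftp   dgram   udp  wait    nouser  /etc/tftpd     tftpd
EOF
}

demo=${TMPDIR:-/tmp}/inetd.conf.$$
make_demo_conf "$demo"
echo "enabled before: $(enabled_inetd_services "$demo" | tr '\n' ' ')"
# the r-commands (shell, login, exec) and finger are the usual first candidates
disable_inetd_services "$demo" shell login exec finger
echo "enabled after:  $(enabled_inetd_services "$demo" | tr '\n' ' ')"
rm -f "$demo" "$demo.bak"
# on the real host:
#   disable_inetd_services /etc/inetd.conf shell login exec finger && reload_inetd
```

After reloading, confirm with enabled_inetd_services /etc/inetd.conf that only the intended services remain, and check from another machine that the disabled ports refuse connections; a service that is commented out but still answering means a second copy is being started elsewhere, for instance from a startup script.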

Set up /etc/ftpusers properly

/etc/ftpusers lists the accounts that are not allowed to log in over FTP. Plan it carefully so that untrusted accounts cannot transfer sensitive files. On systems with high security requirements, root and uucp must not be allowed FTP access, so both are listed in /etc/ftpusers.

Set network segments and routes sensibly

When assigning the host's TCP/IP address, choose the subnet mask (netmask) so that the address ranges which must not reach the host are isolated from it. Avoid configuring a default route; add an explicit route for each subnet or segment the host needs to reach, otherwise machines on other networks may find a path to the host.

Do not set up UUCP

UUCP is a simple and economical way to serve dial-up subscribers, but it also gives attackers a way in, so avoid using it for network interconnection.

Remove unused packages and protocols

The general principle in system planning is to remove every function that is not needed. Remove X Window via Scoadmin → Software Manager, and remove UUCP, SNMP, POP2, POP3 and similar protocols by deleting or commenting out their entries in /etc/services. Since /etc/services only maps service names to port numbers, also make sure that no server for these protocols is still started from /etc/inetd.conf or from the startup scripts.

Configure the .profile file correctly

The .profile file sets up the user's login procedure and environment variables. To stop an ordinary user from interrupting the login sequence and dropping into a $ shell prompt, the system administrator must disable keyboard interrupts there. Add the following line at the top of .profile; it ignores the exit trap (0) and the hangup, interrupt, quit, trap and terminate signals (1, 2, 3, 5 and 15):

trap '' 0 1 2 3 5 15

Create anonymous FTP

If information has to be published but data security is a concern, set up anonymous FTP: any user may log in as anonymous without a password and read the files in the designated directory and its subdirectories. Done properly, this does not endanger the host, because the anonymous user is confined to that directory tree, cannot modify it and cannot reach anything else on the machine. Never copy /etc/passwd, /etc/group or similar files into the anonymous FTP area; doing so creates a real security exposure.

Separating the application user from the maintenance user

The users of a financial UNIX system are end users who only need to perform specific tasks in a particular application; normally they never run system commands from a shell. The application is started from .profile, and when it finishes the user is returned to the login prompt. This makes maintenance inconvenient, because entering the application user with su from root runs the same .profile and lands in the application instead of a shell. The problem can be solved by modifying .profile and creating a second user with the same UID. Example: user work has a companion user worksh with the same home directory and the same UID, and work's .profile ends with:

# dispatch on the name typed at login, not on the (shared) UID
set -- `who am i`
case $1 in
work)   exec workmain; exit ;;   # application user: replace the shell with the application; exit if exec fails
worksh) : ;;                     # maintenance user: fall through to the shell prompt
esac

With this, logging in as work runs the workmain program, while logging in as worksh lands in a $ shell prompt with work's identity. who am i reports the name recorded at login, which is why the two names can be told apart even though they share a UID. Note that worksh is a full-strength door into work's data: it must have a strong password of its own, and the same login restrictions that apply to work should apply to it.
