How to improve the security of a Linux system

Source: Internet
Author: User

Introduction: Having worked with Linux for a long time, I would like to share some notes on Linux system security in the hope that they help. Linux has many advantages in function, price and performance; however, as an open operating system, it inevitably has some security problems. This article describes some of the most basic, most commonly used, and most effective techniques for dealing with these hidden dangers and providing a safe platform for applications.

Linux is a UNIX-like operating system. In theory, there is no significant security flaw in the design of UNIX itself. For years, the vast majority of security problems found on UNIX operating systems have been in individual programs, so most UNIX vendors claim to be able to solve these problems and provide a secure UNIX operating system. Linux is a bit different: it does not belong to a single vendor, and no vendor claims to provide security, so users have to solve security problems themselves.

Linux is an open system, and many off-the-shelf programs and tools for it can be found on the Web. This is convenient for both users and hackers, because hackers can just as easily find programs and tools for sneaking into Linux systems or stealing important information from them. However, as long as we configure the various Linux system functions carefully and add the necessary security measures, we can leave hackers no opening to exploit.

In general, security settings for Linux systems include eliminating unnecessary services, restricting remote access, hiding important information, patching security vulnerabilities, adopting security tools, and performing regular security checks. This article teaches you 10 ways to improve the security of your Linux system. The tricks are small, but each one works, so you may as well try them.

Tip 1: Eliminate unnecessary services

In earlier versions of UNIX, each network service had its own service program running in the background; in later versions this task was taken over by a single /etc/inetd server program. inetd is short for Internet daemon. It monitors multiple network ports and starts the appropriate TCP or UDP network service once an incoming connection is received.

Because inetd is in overall control, most TCP or UDP services in Linux are configured in the /etc/inetd.conf file. So the first step in eliminating unnecessary services is to check the /etc/inetd.conf file and put a "#" in front of each service that is not needed.

In general, apart from HTTP, SMTP, Telnet, and FTP, other services should be disabled, such as the Trivial File Transfer Protocol (TFTP), the IMAP/IPOP protocols used for storing and receiving network mail, gopher for finding and searching data, and daytime and time for time synchronization.

There are also services that report system status, such as finger, efinger, systat, and netstat. They are useful for troubleshooting the system and looking up users, but they are just as useful to hackers. For example, a hacker can use the finger service to look up a user's phone number, directory, and other important information. As a result, many Linux systems disable these services entirely or partially to enhance the security of the system.

In addition to using /etc/inetd.conf to configure system services, inetd uses the /etc/services file to find the port used by each service. Users must therefore check the setting of each port in that file carefully to avoid a security vulnerability.
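
The audit described above can be scripted. The following is an added example, not part of the original article: it lists enabled inetd.conf entries that fall outside a keep-list (the article's HTTP, SMTP, Telnet and FTP, written with assumed service names) together with their ports from a services file, and prints a copy of the file with those entries commented out. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an inetd.conf-style file against a keep-list.
# KEEP holds the services the article says may stay; adjust it per host.
KEEP="${KEEP:-http smtp telnet ftp}"

# Print "service protocol port" for each enabled entry that is not in KEEP.
# $1 = inetd.conf path, $2 = services path (used to look up the port number).
list_unneeded() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        FILENAME == ARGV[1] {                    # services file: "tftp 69/udp"
            split($2, p, "/"); port[$1 "/" p[2]] = p[1]; next
        }
        !($1 in ok) {                            # inetd.conf: $1 name, $3 protocol
            key = $1 "/" $3
            print $1, $3, ((key in port) ? port[key] : "unknown")
        }
    ' "$2" "$1"
}

# Copy the file to stdout with every entry outside KEEP commented out.
# Review the output before installing it and telling inetd to reload.
comment_out_unneeded() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*(#|$)/ || ($1 in ok) { print; next }
        { print "#" $0 }
    ' "$1"
}

# Constructed sample files, so the example runs without touching /etc.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample, not from a real host
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#systat stream  tcp  nowait  nobody  /bin/ps         ps -auwwx
EOF
    printf 'ftp 21/tcp\ntelnet 23/tcp\ntftp 69/udp\nfinger 79/tcp\n' > "$1/services"
}

tmp=$(mktemp -d) && write_samples "$tmp"
list_unneeded "$tmp/inetd.conf" "$tmp/services"
```

An entry reported with port "unknown" has no matching name and protocol in the services file, which is itself worth investigating.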

There are two different service types in Linux: those that run only when needed, such as the finger service, and those that run continuously. The latter start when the system boots, so they cannot be stopped by modifying inetd; they can only be changed through the files in /etc/rc.d/rc[n].d/ or with a run level editor. The NFS server, which provides file services, and news, which provides the NNTP news service, belong to this type; if they are not needed, it is best to disable them.

Tip 2: Restrict access to the system

Before using a Linux system, every user must log in: the user enters an account name and password, and is admitted only after the system has authenticated them. Like other Unix operating systems, Linux typically encrypts passwords and stores them in the /etc/passwd file. Every user on a Linux system can read /etc/passwd, so although the passwords saved in it are encrypted, they are still not safe: an ordinary user can take a ready-made password-cracking tool and guess the passwords by exhaustive search. A more secure approach is to set up the shadow file /etc/shadow, which only users with special permissions are allowed to read.

In a Linux system, if you want to use shadow files, you must recompile all the utilities to support them. This approach is cumbersome; a simpler one is to use Pluggable Authentication Modules (PAM). Many Linux systems come with the Linux PAM toolkit, an authentication mechanism that can be used to change authentication methods and requirements dynamically without recompiling other utilities. This is because PAM encapsulates all authentication-related logic inside its modules, which makes it the best helper for using shadow files.

In addition, PAM has many other security features: it can replace the traditional DES encryption method with stronger encryption methods so that users' passwords are not easily cracked, it can limit the computer resources each user may consume, and it can even restrict the times and locations from which a user may log in. A Linux system administrator needs only a few hours to install and configure PAM, which can greatly improve the security of the Linux system and block many attacks from outside.
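
To check a host for the two weaknesses this section describes (hashes left in the world-readable /etc/passwd, and hashes still in traditional DES format), the following added example, which is not part of the original article, audits passwd- and shadow-format files. The function names are illustrative, and the sample accounts and hash strings are constructed placeholders, not real credentials.

```sh
#!/bin/sh
# Added example: audit passwd/shadow-format files for unshadowed or weak hashes.

# Accounts whose hash still sits in the world-readable passwd file.
# Field 2 is "x" when shadowed; "*" or "!..." marks a locked account.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Accounts with an empty password field (no password needed to log in).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose hash is traditional DES crypt: exactly 13 characters from
# [./0-9A-Za-z] with no "$id$" prefix. Works on passwd or shadow format.
des_hash_accounts() {
    awk -F: 'length($2) == 13 && $2 ~ /^[.\/0-9A-Za-z]+$/ { print $1 }' "$1"
}

# Succeeds (exit 0) if "other" users have read permission on the file.
readable_by_others() {
    perms=$(ls -ld "$1" | cut -c8)
    [ "$perms" = "r" ]
}

# Constructed sample data; the hash fields are placeholders.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:abJnggxhB/yWI:1000:1000::/home/alice:/bin/sh
bob::1001:1001::/home/bob:/bin/sh
daemon:*:1:1::/:/usr/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
carol:abJnggxhB/yWI:19000:0:99999:7:::
EOF
    chmod 644 "$1/passwd"; chmod 600 "$1/shadow"
}

tmp=$(mktemp -d) && write_samples "$tmp"
echo "hash in passwd: $(unshadowed_accounts "$tmp/passwd")"
echo "empty password: $(empty_password_accounts "$tmp/passwd")"
echo "DES in shadow:  $(des_hash_accounts "$tmp/shadow")"
```

On a real host, point the functions at /etc/passwd and /etc/shadow (reading the latter requires root) and confirm that readable_by_others fails for /etc/shadow.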
