How to make your Linux operating system more secure

Source: Internet
Author: User

As is well known, Linux has advantages over Windows in terms of security. However, whichever Linux distribution you choose, you should make the necessary configuration changes after installation to strengthen it. The following describes how to set up a more secure Linux system.

Install and configure a firewall

Configuring an appropriate firewall is not only the first line of defense against external attacks but also the most important one. The firewall should be installed and configured before the new system is connected to the Internet for the first time.

Configuring the firewall to reject all packets by default and then explicitly allowing only the traffic that must be accepted benefits system security. For details on configuring the firewall, see the iptables documentation.

Upgrade all installed software packages

A standard Linux distribution usually contains more than 1000 software packages. It is important to keep all installed software up to date. Obviously this is time-consuming, but fortunately there are many tools that can automate the job. Two of the most commonly used are APT (Advanced Package Tool) and Yum (Yellowdog Updater, Modified).

Some distributions ship their own update tools; make full use of them. For example, Red Hat and Fedora use up2date by default, and Debian uses APT.

If you want to install a software update tool yourself, we recommend APT. Searching for the distribution name together with APT in any search engine quickly turns up the apt rpm package and the location of the required software repository.

Once APT is installed and the software repository is configured (usually in /etc/apt/sources.list or a similar file), you can update the software with the following two commands. Run them as root:

# apt-get update
# apt-get upgrade

The first command downloads the latest package information from the configured software repository; the second uses that information to download and install updated versions of the software already on the system, if any updates are available. The administrator should run these commands regularly to keep the system up to date.

In addition, when downloading a single file or package from the Internet, verify it with md5sum. md5sum lets you check that the software downloaded from the Internet is the intended version and not a trojaned copy.

Finally, users should subscribe to the security mailing list of their distribution. These lists notify users promptly when packages are updated or software vulnerabilities are fixed.

Disable all unnecessary services

When a new Linux system is left in its default configuration, many services and daemons are started at boot. For example, some distributions start an HTTP (web) server, POP3/IMAP (e-mail) daemons, database servers and so on. Most users do not actually need these services, and they become potential targets for attackers. To ensure security, review the list of services and disable everything that is unnecessary.

On Red Hat systems, the command-line tool for configuring services is chkconfig. To list all installed services, run:

# chkconfig --list

Output similar to the following is displayed:

iptables   0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
........................
squid      0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        rsync:   off
        ......
        sgi_fam: on

In this list, the numbers 0 to 6 are the system run levels.

For example, to enable the squid service at run levels 2, 3, 4 and 5, run:

# chkconfig --level 2345 squid on

To disable the sshd service at run levels 3 and 5, run:

# chkconfig --level 35 sshd off

Settings made with chkconfig take effect at the next boot and do not affect services that are currently running. To control a running service on Red Hat, use:

# service service_name start
# service service_name stop
# service service_name restart
# service service_name status

The service_name in these commands is the same name shown by chkconfig --list.

Run netstat -l to verify that nothing unnecessary is still listening. For services that must keep running, make sure the firewall is configured correctly for them.
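As an added example (not part of the original article), the following script audits text in the chkconfig --list format shown above: it prints every service that is on at run level 3 or 5 but is not in an allow list, so the administrator can see what to disable. The sample output is constructed, not captured from a real host, and the function name is our own.

```shell
#!/bin/sh
# Constructed sample of "chkconfig --list" output (not from a real host).
SAMPLE_CHKCONFIG='iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:off 3:on  4:off 5:on  6:off
squid          0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        rsync:  off
        sgi_fam:        on'

# Read chkconfig output on stdin and print every service that is "on" at
# run level 3 or 5 (multi-user / graphical) but is missing from the
# space-separated allow list in $1. Xinetd entries ("name: on") are checked
# the same way. Anything printed is a candidate for "chkconfig ... off".
unexpected_services() {
    allow=" $1 "
    awk -v allow="$allow" '
        # SysV style line: name followed by N:on / N:off fields
        $2 ~ /^[0-6]:/ {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && index(allow, " " $1 " ") == 0) print $1
            next
        }
        # xinetd style line: indented "name:   on"
        /^[ \t]+[A-Za-z0-9_.-]+:[ \t]+on[ \t]*$/ {
            name = $1; sub(/:$/, "", name)
            if (index(allow, " " name " ") == 0) print name
        }'
}

# Demo on the constructed sample with only sshd and iptables allowed.
# On a real host: chkconfig --list | unexpected_services "sshd iptables crond syslog"
printf '%s\n' "$SAMPLE_CHKCONFIG" | unexpected_services "sshd iptables"
```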

Remove unneeded SUID/SGID bits

A SUID (Set User ID) or SGID (Set Group ID) program lets ordinary users run it with permissions beyond their own. A common example is passwd, which has the following permissions:

-r-s--x--x 1 root 18992 Jun 6 2003 /usr/bin/passwd

The owner's execute bit shows "s" rather than "x", which marks a SUID program. When an ordinary user runs passwd, it executes with the permissions of the file's owner (root in this example).

Many SUID/SGID executables are necessary, such as passwd above, but many are not. A SUID/SGID program can be exploited by a malicious local user to gain permissions they should not have. Run the following command to find all programs with these bits set:

# find / \( -perm -4000 -o -perm -2000 \)

Review this list and remove or modify any file that is owned by root, or has the SUID/SGID bit set for the root group, and is not needed.

To remove a file that has the SUID/SGID bit, first find the package that provides it:

# rpm -q --whatprovides /usr/sbin/kppp

Then remove that package with:

# rpm -e package-name

Alternatively, the SUID/SGID bits can be cleared with chmod, for example chmod -s /usr/sbin/kppp.
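Added example, not from the original article: a script that runs the find command above (restricted to regular files on one filesystem) and annotates each hit with its mode, owner and owning package, so you can decide between rpm -e and chmod -s. It also builds a constructed temporary tree with one SUID and one SGID file so the finder can be tried without root; the function names are our own.

```shell
#!/bin/sh
# List every regular file under $1 (default /) with the SUID (4000) or
# SGID (2000) bit set, one path per line, sorted. -xdev keeps the scan on
# one filesystem so /proc and network mounts are skipped.
find_setid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# For each path read from stdin print mode, owner:group, the path and the
# rpm package that owns it (when rpm exists), e.g.
#   -rwsr-xr-x root:root /usr/bin/passwd passwd-0.68-3
# Files owned by no package are good candidates for "chmod -s".
describe_setid() {
    while IFS= read -r path; do
        mode_owner=$(ls -ld "$path" 2>/dev/null | awk '{ print $1, $3 ":" $4 }')
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$path" 2>/dev/null || echo 'not owned by any package')
        else
            pkg='rpm not installed'
        fi
        printf '%s %s %s\n' "$mode_owner" "$path" "$pkg"
    done
}

# Constructed demo tree: one SUID file, one SGID file, one ordinary file.
# Setting these bits on your own files needs no privilege, so the finder
# can be exercised by any user. Prints the directory it created.
make_demo_tree() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho demo\n' > "$dir/suid_bin";  chmod 4755 "$dir/suid_bin"
    printf '#!/bin/sh\necho demo\n' > "$dir/sgid_bin";  chmod 2755 "$dir/sgid_bin"
    printf '#!/bin/sh\necho demo\n' > "$dir/plain_bin"; chmod 0755 "$dir/plain_bin"
    echo "$dir"
}

# Real use as root:   find_setid / | describe_setid
# Demo:               d=$(make_demo_tree); find_setid "$d" | describe_setid; rm -rf "$d"
```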

Watch the logs

Although users do their best to secure their systems, the reality is that no matter how hard they try, a system can never be absolutely secure. The following items deserve attention because they let users find out whether, and when, the system has been compromised.

A very common and easily underestimated intrusion detection program is Tripwire. The program periodically checks system files to determine whether they have changed.

If any unexpected change occurs, Tripwire generates a report for the user. Getting Tripwire to work properly takes some time to configure, but it is well worth the effort.

A very important way to understand the state of the system is to read the log files. System logs on Linux are handled by the syslogd daemon, whose configuration file is /etc/syslog.conf. In it you specify which facilities or programs should be logged (such as cron, daemon or mail), which levels of information should be written (such as debug, info or warning), and where the messages go (appended to a log file or sent to a printer, for example).

Logging can also be done remotely, that is, the log files are stored on another system on the network. The advantage is that if the system is compromised, the intruder cannot delete the traces left on the other system, so the intrusion can be traced more easily.

However, it is not easy for an ordinary user to process the large amount of information in the various log files every day. Logwatch is used for this instead. The tool periodically analyzes the system log files, creates a report from the results and e-mails it to the root user.

These reports are generally short, so they are suitable for reading every day. Depending on the configuration, Logwatch highlights certain events (such as failed login attempts or port scans). The configuration file is usually /etc/log.d/conf/logwatch.conf, and the comments in it make it easy to adjust.
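Added example, not part of the original article: the kind of summary a Logwatch report gives for failed logins, done by hand with standard tools. It counts sshd "Failed password" lines per source address over a constructed sample of syslog-style lines (the addresses are RFC 5737 documentation ranges; host name and PIDs are made up) and reports the sources at or above a threshold.

```shell
#!/bin/sh
# Constructed sample of sshd lines as syslogd would write them to
# /var/log/secure or /var/log/messages (not taken from a real host).
SAMPLE_AUTH_LOG='Jun  6 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jun  6 10:01:15 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jun  6 10:01:19 host sshd[2213]: Failed password for root from 203.0.113.5 port 41030 ssh2
Jun  6 10:02:40 host sshd[2220]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Jun  6 10:05:02 host sshd[2231]: Failed password for bob from 192.0.2.10 port 50130 ssh2
Jun  6 10:05:07 host sshd[2231]: Accepted password for bob from 192.0.2.10 port 50130 ssh2'

# Read log lines on stdin, count sshd "Failed password" lines per source
# address and print "count address" for every source with at least $1
# failures (default 3), highest count first. One or two failures from a
# known user are usually typos; many from one address are worth a look.
failed_login_sources() {
    threshold="${1:-3}"
    grep 'sshd\[[0-9]*]: Failed password for' |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk -v min="$threshold" '$1 >= min { print $1, $2 }' |
        sort -rn
}

# Demo on the constructed sample: only 203.0.113.5 reaches the threshold.
# Real use:  failed_login_sources 5 < /var/log/secure
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_login_sources 3
```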

Besides Logwatch, there are many intrusion detection systems to choose from, Snort for example; these tools are easy to find with a search engine.

Security requires ongoing effort

System security is never finished. In fact, you must consider the system's security in everything you do. The administrator must keep the system up to date, use suitable passwords, set appropriate access levels, read the logs every day, check the Tripwire reports and read the distribution's mailing lists.

This article describes some basic but important steps that every user has to take. Of course, beyond what is described here, there is a lot more to do.

Here are a few more pieces of advice.

1. Never use Telnet, FTP or any other plaintext remote session to transmit user names and passwords. Use only SSH, SFTP or similar programs to transfer such data.

2. Use a strict firewall policy. By default all connections are blocked, and only the required connections are opened, with tight restrictions. For example, if you need to SSH into the system from work, allow it only from that specific IP address.
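Added example combining the default-deny firewall from the first section with advice 2 above; this is our code, not the article's, and the addresses are placeholders from the RFC 5737 documentation ranges. The function prints an iptables-restore rule set that drops everything inbound except loopback, replies to established connections, SSH from one administrator address, and whatever extra ports are listed.

```shell
#!/bin/sh
# Emit a default-deny rule set in iptables-restore format. $1 is the only
# source address allowed to reach SSH (tcp/22); $2 is an optional list of
# "proto:port" pairs opened to everyone (e.g. "tcp:80 tcp:443").
# Apply as root with:  default_deny_rules 192.0.2.10 "tcp:80" | iptables-restore
default_deny_rules() {
    admin_src="$1"
    extra="${2:-}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New TCP connections must start with SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# SSH only from the administrator's address
-A INPUT -p tcp -s $admin_src --dport 22 -m state --state NEW -j ACCEPT
EOF
    for svc in $extra; do
        proto=${svc%%:*}
        port=${svc#*:}
        echo "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Log what the default policy is about to drop, rate limited to protect the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Demo: print the rule set for a host that also serves HTTP.
default_deny_rules 192.0.2.10 "tcp:80"
```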
