Introduction to Linux security mechanisms for Linux gamers

Source: Internet
Author: User
Most readers probably know that there are a great many Linux distributions. On many websites and in many books I have repeatedly seen claims that one distribution or another is the best. Personally, I think there is no such thing as "the best" in the Linux world: whichever version you are used to and familiar with is the best one for you. Before writing this article I went through a lot of material, trying to find a distribution that is common and familiar to most people. In the end I decided that Red Hat Linux is really good. Although its kernel is large and its efficiency is not the highest among all distributions, its universality, ease of use, software upgrade support, and application software support are worth mentioning, and these are exactly what a good Linux distribution needs. This article is based on Red Hat Linux 7.3, and all software settings were tested on this version.
  
At this point you may ask why I use Red Hat 7.3. Aren't there many other versions? There are Red Hat 8.0, Red Hat 9.0, and the more advanced Red Hat Enterprise editions, so why not use these newer releases? This is a good question, and it is what you should pay attention to when choosing a release to install.
  
   1. Version Selection
I have been using Red Hat for a long time. In my view, a .0 release of Red Hat is the first release of a major version upgrade, and many of its software packages are not yet stable and are prone to faults. Administrators mostly use Linux as a server, and for a server the most important issues are stability and security. So if you are an administrator rather than an avid enthusiast, I suggest you choose Red Hat 7.3. A non-zero minor version number after the major version means that the software packages have received many updates and fixes. The software may not be the newest, but it is at least the latest and most stable release within that stable series. I hope this point is clear. I will cover version upgrades in detail later, where I will explain this reasoning.
  
   2. Installation Method
After selecting the release, we start the installation. There are only two things to pay attention to during installation: partitioning and the choice of installed software packages.
Partitioning deserves some thought: plan the partitions around your application. I have read a lot of discussion about whether Linux has an optimal partition scheme. Many people have proposed excellent schemes, but I think the best partitioning is the one designed for your own applications. The scheme below is purely a recommendation.
I think a standard server should at least split out the common partitions. I therefore suggest dividing the disk into the following: /boot, swap, /var, /usr, /home, /tmp, with sizes depending on your application. The / partition cannot be less than 1 GB. /usr and /var must be larger, because most software lives and runs there; size the others as needed. The size of swap is quite controversial. After combining the opinions of many friends I arrived at this rule: if you have less than 1 GB of memory, make swap twice the size of memory; if you have more than 1 GB of memory, make swap at most 2 GB. Why? Swap is virtual memory space: if it is too small it cannot do its job, and if it is too large it wastes disk space. The reasoning behind this size is that with a lot of memory, applications use little virtual memory, yet the server's memory needs must still be fully covered. Based on the experience of many friends and my own, this approach works best, especially for large memory-hungry applications such as databases, and many servers have about 1 GB to 2 GB of memory.
When installing software packages, the fewer installed the better. For a Red Hat system used as a server, however, the following package groups need to be selected:
Network Support
Messaging and Web Tools (optional; includes some online tools such as ncftp)
Router/Firewall (the firewall software needs to be installed, but this group awkwardly installs ipchains, iptables, ipwf, etc. together; I will explain how to delete the extras later)
Network Managed Workstation (administrative tools)
Utilities (common tools, backup tools, etc.)
Although we select only these package groups at installation, some unused packages will be deleted during the security settings described later.
  
   3. Update Software
Although Red Hat 7.3 is an updated release, many of its software packages still have vulnerabilities. The biggest problem is in the 2.4.18 kernel, which can cause the ext3 file system to crash. I have run into it a few times (according to the ext3 development team, it occurs only under specific operations and conditions and is rarely seen by users). Although recent updates have solved this problem, a 7.3 system whose kernel has not been updated is still unstable. There are two ways to update. One is to update each package manually with rpm -Uvh. The other, which I recommend, is to use up2date. It is a good tool: it updates your system easily, and it updates based on the packages you have installed. It will not upgrade bind8 to bind9 or Red Hat 7.3 to Red Hat 9.0, which preserves the stability and integrity of the version you are running. It only applies fixes to the packages of this version. Version numbers typically change like this: the iptables rpm shipped with 7.3 is 1.2.5, and after the update it is 1.2.8, which fixes many vulnerabilities and errors but makes no major changes, so your usage and application compatibility are preserved.
Before upgrading automatically with up2date, two steps are recommended.
First, because the up2date shipped with Red Hat 7.3 has an SSL bug, update up2date itself to the latest version:
https://rhn.redhat.com/errata/RHSA-2003-267.html
Second, we generally do not want up2date to update the kernel automatically. Yet kernel updates directly fix many major vulnerabilities, and a freshly installed Red Hat 7.3 in particular has the ext3 crash bug, so I suggest upgrading the kernel manually. You can of course use rpm packages to upgrade the kernel, which saves a lot of time. As I said at the start, Red Hat is not the most efficient system but it is the most universal, and the convenience of rpm fully reflects this advantage. The Red Hat 7.3 kernel packages are:
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i386.rpm
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i586.rpm
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i686.rpm
Use uname -a on your own system to check whether it is i386 or i686, and download the matching kernel upgrade package.
It is best to install the new kernel with rpm -ivh, so that the original kernel is retained; once you are sure there are no problems, remove the original kernel with rpm -e. The rpm package is very simple to use: you do not need to modify your lilo.conf or grub.conf configuration file, because the new entry is added automatically. All you need to do is restart and select the new kernel at boot.
After upgrading the kernel and restarting with the new kernel, it is time for up2date.
Run rhn_register to register an account (this should be kept confidential. From my own research, RHN network upgrades are actually a paid service, but one email address gets one account free of charge. An account entitles only one system to upgrades. You can log in to RHN and move this entitlement to another machine, but that is too much trouble. Besides, Red Hat 7.3 updates are basically stable by now, so you only need to upgrade once after the first installation. So you can register an account just to upgrade Red Hat 7.3 :P). Follow the prompts. By default it selects all the packages on your machine for upgrade; just click Next all the way through until it finishes and returns you to the console. Then you can start the exciting upgrade by running the following command:
up2date -u
The upgrade starts. It takes about one hour, depending on your network.
It automatically downloads and installs the packages for you. Although a restart is not required, we recommend restarting to make sure the new kernel and new software packages are used correctly.
The system update is now complete. Next come the important security settings.
  
   4. Security Settings
Linux security is actually quite good. Here we take a very simple view of security: close unused services and set up a firewall. If you are interested in anti-intrusion and advanced security settings, please watch for my next several articles, where I will introduce some simple anti-intrusion technologies such as IDS. Thank you.
Many articles have discussed disabling unused services. I personally think the most effective method is the following. The tools for controlling services in Linux include chkconfig and ntsysv. The services these tools control are the SysV-style startup services, which all live under /etc/rc.d/. Take rc3.d as an example: the 3 means these are the items processed on entering runlevel 3 (init 3). The files in it are all links; a name beginning with S means start, and a name beginning with K means stop. That is why the entries in rc0.d basically all begin with K. So there is nothing mysterious about Linux services. Here we introduce two simple and feasible methods to control services.
Controlling services with ntsysv
Use ntsysv to disable services, leaving only the following enabled:
crond: runs scheduled tasks
network: networking
random: random number generation, used for generating ssh session symmetric keys
sshd: ssh server
syslog: system log service
xinetd: super-server process (if no service needs it, you can close it)
xinetd is a super-server process somewhat like init, but it can be closed completely, because the services it listens for are mostly useless. For a general server you basically only need the services listed above in ntsysv; disable all the others. Of course, if you want to serve the web, enable httpd as well.
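The S/K link convention described above can be checked mechanically. The following shell sketch is an added example, not part of the original article: it lists services that have a start link in an rc directory but are not among the six services the article keeps. The function names and the sample link tree are constructed for illustration.

```shell
#!/bin/sh
# Allowlist taken from the article's ntsysv list.
ALLOWED="crond network random sshd syslog xinetd"

# Print services that have a start (S) link in the given rc directory and
# are not on the allowlist. Link names have the form S<NN><service>;
# K (stop) links are ignored because they do not start anything.
unexpected_services() {
    rcdir=$1
    for link in "$rcdir"/S[0-9][0-9]*; do
        # Skip the unexpanded pattern when the directory has no S links.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}
        svc=${name#S[0-9][0-9]}
        case " $ALLOWED " in
            *" $svc "*) ;;                      # expected service
            *) printf '%s\n' "$svc" ;;          # candidate for disabling
        esac
    done | sort
}

# Constructed sample tree standing in for /etc/rc.d/rc3.d (hypothetical
# link numbers, not copied from a real system).
make_sample_rc3() {
    d=$(mktemp -d) || return 1
    for l in S10network S12syslog S20random S55sshd S56xinetd S90crond \
             S13portmap S14nfslock S80sendmail K15httpd K20nfs; do
        ln -s ../init.d/"${l#[SK][0-9][0-9]}" "$d/$l"
    done
    printf '%s\n' "$d"
}

sample=$(make_sample_rc3)
unexpected_services "$sample"
rm -rf "$sample"
```

On the server itself, run `unexpected_services /etc/rc.d/rc3.d` and turn off whatever it reports with ntsysv or chkconfig.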
After closing the services, remove unnecessary users with vipw:
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#news:x:9:13:news:/var/spool/news:
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
#rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
#rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
#nscd:x:28:28:NSCD Daemon:/:/bin/false
#radvd:x:75:75:radvd user:/:/bin/false
Remove these users.
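To confirm that the accounts listed above are really disabled, the passwd file can be audited. This shell sketch is an added example, not part of the original article: it reports which of those accounts are still active in a passwd-format file, and shows an empty shell field as /bin/sh, the default described in passwd(5). The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Accounts the article comments out with vipw.
UNNEEDED="adm lp sync news uucp operator games gopher ftp vcsa rpc rpcuser nfsnobody nscd radvd"

# Print "name<TAB>shell" for each listed account that is still active in
# the given passwd-format file. Lines starting with # count as disabled.
active_unneeded() {
    awk -F: -v list="$UNNEEDED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF < 7 { next }          # commented out or malformed
        ($1 in want) {
            # An empty seventh field means the login shell defaults to /bin/sh.
            sh = ($7 == "") ? "/bin/sh (empty field)" : $7
            printf "%s\t%s\n", $1, sh
        }
    ' "$1"
}

# Constructed sample passwd file (not taken from a real system).
make_sample_passwd() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
#adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
news:x:9:13:news:/var/spool/news:
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_passwd)
active_unneeded "$sample"
rm -f "$sample"
```

On the server, `active_unneeded /etc/passwd` should print nothing once the edit with vipw is done.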
Remove excess rpm packages:
rpm -e softname
rpm -e autofs-3.1.7-28
rpm -e gd-devel-1.8.4-4
rpm -e up2date-2.7.86-7.x.3
rpm -e pump
rpm