Linux and network security

Source: Internet
Author: User

I. Introduction

The notes below cover the basic local and network hardening of a Red Hat style Linux host (GRUB legacy, /etc/inittab, xinetd, iptables and SELinux managed through the service command): controls on logging on at the host, file permission bits and hidden attributes, and a few network-facing settings.

II. System Security

1. Logon controls at the host

(1) Single-user mode

Problem: by default, booting into single-user mode gives a root shell without asking for a password.

Solution: put a password on the boot loader. It can be set during installation; if it was not, add it afterwards. Generate the hash in the GRUB shell:

[root@linux ~]# grub
grub> md5crypt
(type the password; copy the MD5 hash that is printed)
grub> quit

Then edit the configuration:

[root@linux ~]# vi /etc/grub.conf

and add a line before the first title entry:

password --md5 <the hash you copied>

After a reboot, press any key to get the boot menu; pressing e to edit an entry does nothing until you press p and enter the password.

Caveat: this only locks the GRUB menu. Anyone who can boot from removable media or pull the disk can still get at the system, so it belongs together with a BIOS/firmware password and physical access control.

(2) Ctrl+Alt+Del

By default /etc/inittab lets anyone at the console reboot the machine with Ctrl+Alt+Del. The line responsible is:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To disable the key combination, put # in front of that line and reboot (or run telinit q to make init re-read /etc/inittab). To allow only specific users, add the -a option:

ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now

With -a, shutdown consults /etc/shutdown.allow and only proceeds if one of the users listed there is logged in on a virtual console. You have to create that file yourself; the format is one user name per line, for example:

john
mary

The change takes effect after init re-reads /etc/inittab (telinit q or a reboot).

(3) Restricting su

To allow only members of one group to switch to root with su, edit /etc/pam.d/su and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

Now only users in the isd group can su to root (root itself is let through by pam_rootok). To let tom use su, add him to that group:

[root@linux ~]# usermod -a -G isd tom

The -a flag appends the group; usermod -G without -a replaces the user's whole list of supplementary groups. On 64-bit systems the modules live under /lib64/security, and current PAM versions also accept the bare module name (pam_wheel.so) without a path.

(4) Logon terminals

/etc/securetty lists the tty devices on which root is allowed to log in; /bin/login reads it. The format is one device name per line. Comment out an entry and root can no longer log in on that terminal (root can still be reached with su from an ordinary account there, subject to the PAM rules above).

2. Default and hidden permissions of files and directories

(1) File permissions

Permissions are set separately for three classes of user: the file owner, users in the file's group, and all other users. For each class the bits are r (read), w (write) and x (execute for a file; for a directory, x is the right to enter and traverse it).

SUID: an executable with this bit runs with the privileges of the file's owner, so the process can reach everything the owner can. It only has meaning on binaries; the Linux kernel ignores it on directories and on shell scripts.

SGID: the same as SUID but for the group. It works on binaries and also on directories, where new files inherit the directory's group.

Sticky: /tmp and /var/tmp are writable by everyone, and the sticky bit makes sure users can only delete or rename their own files in such a directory. On Linux it only has effect on directories, not on files.

SUID, SGID and the sticky bit are displayed in the x positions, and case matters: a lowercase s (or t for sticky) means the special bit and the execute bit are both set; an uppercase S (or T) means the special bit is set without the execute bit.

Numerically, r = 4, w = 2 and x = 1 for each class; a fourth digit in front of the three class digits carries the special bits: SUID = 4, SGID = 2, sticky = 1 (so 4755 is rwsr-xr-x).

(2) Permission settings

A. Change the group
Command: chgrp
Syntax: chgrp [-R] group file-or-directory
Example: make root the group of the file amf
[root@linux ~]# chgrp root amf

B. Change the owner
Command: chown
Syntax: chown [-R] user[:group] file-or-directory
Example: make root the owner of the file amf
[root@linux ~]# chown root amf

C. Change the permissions
Command: chmod
Syntax: chmod [who][+|-|=][mode] file-or-directory
who: u, g, o and a for the owner, the group, other users and all users respectively.
Operators: + adds permissions, - removes them, = sets exactly the listed permissions.
mode: r readable, w writable, x executable, t the sticky bit, s the SUID bit with u+s or the SGID bit with g+s.
Several clauses can be given on one line, separated by commas, and the numeric form can be used instead.
Example: give the owner read and write, and the group write and execute, on amf
[root@linux ~]# chmod u+rw,g+wx amf

D. Set the default permissions
Command: umask
View: umask [-S]
Set: umask <bits to remove>
New files start from 666 and new directories from 777; the umask bits are subtracted, so umask 022 yields 644 for files and 755 for directories, and umask 077 keeps new files private to the owner.

(3) Hidden attributes

A. View hidden attributes
Command: lsattr [file-or-directory]

B. Set hidden attributes
Command: chattr [+-=] [ASacdistu] file-or-directory
Attribute meanings:
A: do not update the access time (atime).
S: write data to disk synchronously, which limits data loss on a crash.
a: append only; data can be added but not removed or overwritten. Only root can set or clear it.
c: compress the file transparently on disk; useful for large files.
d: exclude the file from dump backups.
i: immutable; the file cannot be modified, deleted, renamed or linked to, even by root, until the attribute is cleared. Only root can set or clear it, which makes it useful for protecting critical files.
s: secure deletion; the blocks are zeroed when the file is deleted.
u: the opposite of s; the contents remain on disk after deletion so the file can be recovered.

III. Network Security

1. Block ping

Add the following line to /etc/rc.d/rc.local so that it is applied at every boot:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Running that command by hand takes effect immediately; placing it in rc.local makes it persist across reboots. The same setting can be made in /etc/sysctl.conf as net.ipv4.icmp_echo_ignore_all = 1.

2. Prevent IP spoofing

Add these lines to /etc/host.conf:

order bind,hosts
multi off
nospoof on

Note that nospoof is a resolver check: it rejects a host name whose reverse lookup does not agree with the forward lookup. It does not filter spoofed packets. For that, enable reverse-path filtering in the kernel (net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf) and use iptables.

3. xinetd

Services are configured in /etc/xinetd.d/, one file per service. To enable a service, change "disable = yes" to "disable = no" in its file and restart xinetd:

[root@linux ~]# /sbin/service xinetd restart

Conversely, set "disable = yes" for every service the host does not need.

4. iptables (firewall)

(1) Install: yum install iptables
(2) Start: service iptables start
(3) Stop: service iptables stop

5. SELinux

(1) Temporarily switch to permissive mode: setenforce 0
(2) Switch back to enforcing mode: setenforce 1
(3) Permanently: edit /etc/selinux/config and change "SELINUX=enforcing" to "SELINUX=disabled", then reboot.

Rather than disabling SELinux, change "SELINUX=enforcing" to "SELINUX=permissive": denials are still logged, so the policy can be fixed, and the file labels are preserved (after running with SELinux disabled, the whole file system must be relabeled before enforcing mode can be turned on again).

6. Install patches

Download the package from the vendor's official site and install it with:

rpm -Uvh <package file>

On a system with a configured repository, yum update does the same while resolving dependencies.

IV. Summary
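The s/S and t/T conventions and the umask arithmetic described in section II.2 are easy to misread from ls -l output by eye. The script below is an added example, not code from the original article: it decodes a symbolic mode string into the four-digit octal mode (rejecting s in the "others" triple and t outside it), reads a real path's mode back the same way, and computes the file and directory defaults that a given umask leaves. It assumes only POSIX sh with ls, cut and mktemp; the function names mode_to_octal, octal_of_path and umask_defaults are my own.

```shell
#!/bin/sh
# Added example (not from the original article): decode the symbolic mode string
# that ls -l prints, honouring the s/S/t/T conventions from the text, and compute
# the default modes that a given umask leaves on new files and directories.

# mode_to_octal rwsr-xr-x  ->  4755
# Lowercase s/t: special bit plus execute; uppercase S/T: special bit without execute.
mode_to_octal() {
    sym=$1
    special=0
    digits=""
    if [ "${#sym}" -ne 9 ]; then
        echo "mode_to_octal: expected 9 permission characters, got '$sym'" >&2
        return 1
    fi
    pos=1                                  # 1 = owner, 4 = group, 7 = others
    while [ "$pos" -le 9 ]; do
        r=$(printf '%s' "$sym" | cut -c "$pos")
        w=$(printf '%s' "$sym" | cut -c $((pos + 1)))
        x=$(printf '%s' "$sym" | cut -c $((pos + 2)))
        val=0
        [ "$r" = r ] && val=$((val + 4))
        [ "$w" = w ] && val=$((val + 2))
        case $x in
            x) val=$((val + 1)) ;;
            s|S)                           # SUID in the owner triple, SGID in the group triple
                case $pos in
                    1) special=$((special + 4)) ;;
                    4) special=$((special + 2)) ;;
                    *) echo "mode_to_octal: s/S is not valid in the 'others' triple" >&2; return 1 ;;
                esac
                [ "$x" = s ] && val=$((val + 1)) ;;
            t|T)                           # the sticky bit lives in the 'others' triple only
                if [ "$pos" -ne 7 ]; then
                    echo "mode_to_octal: t/T is only valid in the 'others' triple" >&2; return 1
                fi
                special=$((special + 1))
                [ "$x" = t ] && val=$((val + 1)) ;;
            -) ;;
            *) echo "mode_to_octal: unexpected character '$x'" >&2; return 1 ;;
        esac
        digits="$digits$val"
        pos=$((pos + 3))
    done
    printf '%d%s\n' "$special" "$digits"
}

# octal_of_path FILE -> four-digit mode read back from ls -ld (column 1, type character dropped)
octal_of_path() {
    mode_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# umask_defaults 022 -> "644 755": new files start from 666 and directories from 777,
# minus the bits in the mask (the mask is read as octal, as umask prints it).
umask_defaults() {
    mask=$((0$1))
    printf '%03o %03o\n' $((0666 & ~mask)) $((0777 & ~mask))
}

# Demonstration on a scratch directory; setting the sticky bit on your own
# directory needs no privileges, so this is safe for a non-root user.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/shared" && chmod 1777 "$tmp/shared"
    echo "sticky dir:  $(ls -ld "$tmp/shared" | cut -c1-10)  ->  $(octal_of_path "$tmp/shared")"
    echo "umask 022:   $(umask_defaults 022)"
    echo "umask 077:   $(umask_defaults 077)"
    rm -rf "$tmp"
}

demo
```

A quick audit use of octal_of_path is to run it over every file in a directory and flag anything whose first digit is 4 or 2, which is exactly the set of SUID/SGID binaries that deserve a second look on a hardened host.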
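The network and logon settings in sections II.1(4) and III are all edits to files that are easy to get subtly wrong (a commented-out nospoof line, a SELINUX= value that was never saved). The script below is an added example, not code from the original article: each function reads one of those settings back so a host can be checked rather than assumed to be hardened. Every check takes an optional file path so it can be run against a copied /etc tree or a constructed file; the defaults point at the live system. It assumes POSIX sh with sed, awk and tail; the function names hostconf_nospoof, selinux_config_mode, ping_blocked, root_terminals and audit are my own.

```shell
#!/bin/sh
# Added example (not from the original article): read back the settings the
# article tells you to change. Each check takes an optional path; the defaults
# are the live files, which need root to read in some cases.

# hostconf_nospoof [FILE] -> on | off | unset | missing
# Comments are stripped and the last nospoof directive wins, as the resolver reads it.
hostconf_nospoof() {
    f=${1:-/etc/host.conf}
    [ -r "$f" ] || { echo missing; return 0; }
    sed 's/#.*//' "$f" | awk 'tolower($1) == "nospoof" { v = tolower($2) }
                              END { if (v == "") v = "unset"; print v }'
}

# selinux_config_mode [FILE] -> enforcing | permissive | disabled | unset | missing
# Only an uncommented SELINUX= line counts; SELINUXTYPE= is deliberately not matched.
selinux_config_mode() {
    f=${1:-/etc/selinux/config}
    [ -r "$f" ] || { echo missing; return 0; }
    v=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$f" | tail -n 1)
    echo "${v:-unset}"
}

# ping_blocked [FILE] -> 1 when ICMP echo requests are ignored, 0 otherwise,
# "missing" when the sysctl is not exposed (for example inside some containers).
ping_blocked() {
    f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# root_terminals [FILE] -> the terminals on which root may still log in,
# one per line, with comments, trailing blanks and empty lines removed.
root_terminals() {
    f=${1:-/etc/securetty}
    [ -r "$f" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$f"
}

# Report everything at once; run as root to see the live system.
audit() {
    echo "host.conf nospoof:          $(hostconf_nospoof)"
    echo "SELINUX in selinux/config:  $(selinux_config_mode)"
    echo "icmp_echo_ignore_all:       $(ping_blocked)"
    echo "root login terminals:       $(root_terminals | tr '\n' ' ')"
}

audit
```

The missing/unset distinction matters: "missing" means the file or sysctl could not be read (wrong host, container, or insufficient privileges), while "unset" means the file exists but the directive is absent, so the default applies and the hardening step was not actually done.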
