Linux network security policy for small and medium-sized enterprises (1)

At present, many small and medium users are constantly updating or upgrading their networks due to business development, which leads to great differences in their user environments. The entire network system platform is uneven, and most of them use Linux and Unix on the server side, the PC end uses Windows 9X/2000/XP. Therefore, in enterprise applications, Linux/Unix and Windows operating systems coexist to form a heterogeneous network. Small and medium-sized enterprises lack experienced Linux network administrators and security product procurement funds, so network security is often a headache and a lack of comprehensive consideration.
Here, the author divides the security of small and medium-sized enterprises into four types to propose solutions. Server security, network device security, Internet access security, and internal network security.
I. Server Security:
1. Disable useless ports
Any network connection is implemented through open application ports. If we open the port as few as possible, we will turn the network attack into the source water, which greatly reduces the chance of successful attackers.
First check your inetd. conf file. Inetd monitors certain ports to provide necessary services. If someone develops a special inetd daemon, there is a security risk. You should comment out the services that will never be used in the inetd. conf file (such as echo, gopher, rsh, rlogin, rexec, ntalk, and finger ). Note: Unless absolutely required, you must comment out rsh, rlogin, and rexec. telnet recommends that you use a more secure ssh instead and then kill the lnetd process. In this way, inetd no longer monitors the daemon on your machine, so that no one can use it to steal your application port. You 'd better download a port scanner to scan your system. If you find an open port that you don't know, immediately find the process using it to determine whether to close it.
2. delete unused software packages
During system planning, the general principle is to remove all unnecessary services. By default, Linux is a powerful system that runs many services. However, many services are not required and may cause security risks. This file is/etc/inetd. conf, which defines the services to be listened to by/usr/sbin/inetd. You may only need two of them: telnet and ftp, other classes such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth are all disabled unless you really want to use it.
3. Do not set the default route
In the host, you must strictly disable the default route, that is, the default route. We recommend that you set a route for each Subnet or CIDR block. Otherwise, other machines may access the host in a certain way.
4. Password Management
Generally, the password length should not be less than 8 characters. The composition of the password should be a combination of uppercase and lowercase letters, numbers and symbols with no rules, and password should be strictly avoided using English words or phrases, in addition, the passwords of various users should be changed regularly. In addition, password protection also involves the protection of/etc/passwd and/etc/shadow files. Only the system administrator can access these two files. Installing a password filtering tool and npasswd can help you check whether your password can withstand attacks. If you have not installed such tools before, we recommend that you install them now. If you are a system administrator and you have not installed a password filtering tool in your system, please immediately check whether all users' passwords can be searched in full, that is, your/ect/passwd file is fully searched.
5. Partition Management
A potential attack first tries to buffer overflow. In the past few years, buffer overflow is the most common form of security vulnerabilities. More seriously, the buffer overflow vulnerability accounts for the vast majority of remote network attacks. Such attacks can easily give an anonymous Internet user the opportunity to gain some or all control over a host!
To prevent such attacks, we should pay attention to them when installing the system. If you use the root partition to record data, such as log files, a large number of logs or spam may be generated due to denial of service, resulting in system crash. Therefore, we recommend that you create separate partitions for/var to store logs and emails to avoid overflow of the root partition. It is best to separate a partition for a special application, especially for programs that can generate a large number of logs. We also recommend that you separate a partition for/home so that they cannot fill up/partition, this avoids some malicious attacks against Linux partition overflow.