Linux network security settings

To partition a potential hacker to attack your Linux server, he will first try to buffer overflow. In the past few years, buffer overflow is the most common form of security vulnerabilities. More seriously, the buffer overflow vulnerability accounts for the majority of remote network attacks.

About partitions
　　
If a potential hacker attempts to attack your Linux server, he will first try buffer overflow. In the past few years, buffer overflow is the most common form of security vulnerabilities. More seriously, the buffer overflow vulnerability accounts for the vast majority of remote network attacks. such attacks can easily give an anonymous Internet user the opportunity to gain some or all control over a host!
　　
To prevent such attacks, we should pay attention to them when installing the system. If you use the root partition to record data, such as log files and emails, a large number of logs or spam messages may be generated due to denial of service, resulting in system crash. Therefore, we recommend that you create separate partitions for/var to store logs and emails to avoid overflow of the root partition. It is best to separate a partition for a special application, especially for programs that can generate a large number of logs. We also recommend that you separate a partition for/home so that they cannot fill up/partition, this avoids some malicious attacks against Linux partition overflow.
　　
About BIOS
　　
Remember to set a BIOS password in the BIOS settings and do not receive the boot from a floppy disk. This prevents malicious users from starting your Linux system with a dedicated boot disk, and prevents others from changing BIOS settings, such as changing the Boot settings of a floppy disk or directly starting the server without a password box.
　　
Password
　　
Password is the main means to authenticate users in the system. the default minimum password length during system installation is usually 5. to ensure that the password is not easy to guess, you can increase the minimum password length, at least 8. To this end, modify the PASS_MIN_LEN parameter in the/etc/login. defs File (minimum password length ). At the same time, the password usage time should be limited to ensure regular password replacement. we recommend that you modify the parameter PASS_MIN_DAYS (password usage time ).
　　
Ping
　　
Since no one can ping your machine and receive a response, you can greatly enhance the security of your site. You can add the following command to/etc/rc. d/rc. local to automatically run after each startup. This will prevent your system from responding to any external/internal ping requests.
　　
Echo 1>/proc/sys/net/ipv4/icmp_echo_ignore_all
　　
About Telnet
　　
If you want to use Telnet to remotely log on to your server without displaying the operating system and version information (which can prevent targeted vulnerability attacks), you should rewrite/etc/inetd. the line in conf is as follows:
　　
Telnet stream tcp nowait root/usr/sbin/tcpd in. telnetd-h
　　
Add the-h sign to the end so that the telnet background does not display system information, but only login.
　　
About privileged accounts
　　
Disable all accounts that are started by the operating system and do not need it by default. this check should be performed when you install the system for the first time. Linux provides various accounts, which you may not need, if you do not need this account, remove it. the more accounts you have, the more vulnerable you will be to attacks.
　　
To delete users on your system, run the following command: userdel username
　　
To delete a group user account on your system, run the following command: groupdel username

　　
Run the following command on the terminal to delete the following privileged account:
　　
Userdel adm
　　
Userdel lp
　　
Userdel sync
　　
Userdel shutdown
　　
Userdel halt
　　
Userdel mail
　　
If you do not need the sendmail server, delete these accounts:
　　
Userdel news
　　
Userdel uuucp
　　
Userdel operator
　　
Userdel games
　　
If you do not need X windows Server, delete this account.
　　
Userdel gopher
　　
If you do not allow anonymous FTP, delete this user account:
　　
Userdel ftp
　　
About su commands
　　
If you don't want anyone to su root, edit the/etc/pam. d/su file and add the following lines:
　　
Auth sufficient/lib-
　　
/Security/pam_rootok-
　　
. So debug
　　
Auth required/lib-
　　
/Security/pam_wheel-
　　
. So group = isd
　　
This means that only users in the isd group can use su as the root user. If you want admin to su as root, run the following command:
　　
Usermod-G10 admin
　　
Suid programs are also very dangerous. these programs are executed by common users as euid = 0 (that is, root), and only a few programs can be set as suid. Use this command to list the system's suid binary program:
　　
Suneagle # find/-permb-4000-print
　　
You can use chmod-s to remove some suid bits without programs.
　　
About account cancellation
　　
If the system administrator forgets to log out from the root account when leaving the system, the system should be able to log out from the shell automatically. Then, you need to set a special Linux variable "tmout" to set the time. Similarly, if you forget to log out of your account when you leave the machine, it may pose a security risk to the system. You can modify the/etc/profile file to ensure that the account is automatically canceled from the system after it has not been operated for a period of time. Edit the/etc/profile file and add the following line to the next line of "histfilesize =:
　　
Tmout = 600
　　
All users will log out automatically after 10 minutes of no operation. Note: After this parameter is modified, you must exit and log on to the root user again to make the change take effect.
　　
About System files
　　
Some key files in the system, such as passwd and passwd. old, passwd. _, shadow, and shadown. _, inetd. conf, services, and lilo. conf and so on can be modified to prevent accidental modification and viewing by common users. For example, change the inetd file attribute to 600:
　　
# Chmod 600/etc/inetd. conf
　　
In this way, ensure that the file owner is root, and set it to unchangeable:
　　
# Chattr + I/etc/inetd. conf
　　
In this way, any changes to the file will be prohibited. You may want to ask: Can't I modify it myself? Of course, we can set it to be modified only after the root user resets the reset flag:
　　
# Chattr-I/etc/inetd. conf
　　
About User resources
　　
Setting resource limits for all users on your system can prevent DoS attacks, such as the maximum number of processes and the number of memories. For example, to restrict all users, add the following lines to edit/etc/security/limits. con:
　　
* Hard core 0
　　
* Hard rss 5000
　　
* Hard nproc 20
　　
You must also edit the/etc/pam. d/login file to check the existence of this line:
　　
Session required/lib/security/pam_limits.so
　　
The preceding command disables core files "core 0", limits the number of processes to "nproc 50", and limits the memory usage to 5 MB "rss 5000 ".
　　
About NFS servers
　　
You must be careful when dealing with NFS server vulnerabilities. If you want to use the NFS network file system service, make sure that your/etc/exports has the strictest access permission settings. This does not mean that you do not use any wildcards or allow root write permissions, mount the file to a read-only file system. You can edit the/etc/exports file and add:
　　
/Dir/to/export host1.mydomain.com (ro, root_squash)
　　
/Dir/to/export host2.mydomain.com (ro, root_squash)
　　
Here,/dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine that logs on to this directory, ro means to mount it into a read-only system, and root_squash prohibits root from writing to this directory. Finally, to make the preceding changes take effect, run/usr/sbin/exportfs-.
　　
About the Enabled Service
　　
By default, linux is a powerful system that runs many services. However, many services are not required and may cause security risks. This file is/etc/inetd. conf, which defines the services to be listened to by/usr/sbin/inetd. you may only need two of them: telnet and ftp, and other classes such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. unless you really want to use it. Otherwise, close all of them.
　　
Use the following command to display services that are not commented out:
　　
Grep-v "#"/etc/inetd. conf
　　
This command counts the total number of services in front of the service:
　　
Ps-eaf | wc-l
　　
We recommend that you disable the following three service vulnerabilities: S34yppasswdd (NIS Server), S35ypserv (NIS Server), and S60nfs (NFS server ).
　　
We can run # killall-HUP inetd to disable unnecessary services. Of course, you can also run
　　
# Chattr + I/etc/inetd. conf
　　
If you want to enable the inetd. conf file to have attributes that cannot be changed, and only the root user can unbind them, run the following command:
　　
# Chattr-I/etc/inetd. conf
　　
After you close some services, run the preceding command again to check how many services are missing. The fewer services run, the safer the system. We can use the following command to check which services are running:
　　
Netstat-na? Ip
　　
If you use Redhat, it is much more convenient. Pai_^ Redhat provides a tool to help you close the service, input/usr/sbin/setup, and then select "system services" to customize the services that the system runs at startup. Another option is the chkconfig command, which is provided by many linux systems. The numbers in the script name are in the starting order. the numbers starting with an uppercase key are used to kill the process.
　　
About logs
　　
All logs are under/var/log (for linux systems only). by default, linux logs are powerful, except for ftp. Therefore, we can modify/etc/ftpaccess or/etc/inetd. conf to ensure that every ftp connection log can be recorded. The following is an example of modifying inetd. conf. assume there is a next line:
　　
Ftp stream tcp nowait root/usr/sbin/tcpd in. ftpd-l-L-I-o string 3
　　
Note:
　　
-L each ftp connection is written to syslog
　　
-L record every user command
　　
-I file stored ed, record to xferlog
　　
-O file transmitted, record to xferlog
　　
But do not trust logs too much, because most hackers have the "good" habit of "wiping footprints ?? Too many? What is the regression ring model? Why? Nifer.
　　
About TCP_WRAPPERS
　　
By default, Redhat Linux allows all requests, which is dangerous. If you use TCP_WRAPPERS to enhance my