Site: Love seed little Doctor keywords: Linux Network service configuration file detailed
Linux Network Service configuration file detailed
/etc/conf.module
/etc/hostname
/etc/sysconfig/network-scripts/ifcfg-ethn
/etc/resolv.conf
/etc/host.conf
/etc/sysconfig/network
/etc/hosts
/etc/inetd.conf
/etc/hosts.allow
/etc/services
/etc/securetty
/etc/rc.d/rc.local
To establish a secure Linux server, you first need to understand the meaning of the configuration files that are related to the network service and how to configure them securely in the Linux environment. In a Linux system, TCP/IP networks are configured with several text files, and you may need to edit these files to complete networking, but most of these profiles can be configured with command Linuxconf (where the configuration of the network portion can be implemented through the netconf command) commands to implement. The basic TCP/IP network configuration files are described below.
*/etc/conf.modules File
This profile defines the various parameter information for modules that need to be loaded at startup. The main focus here is on the configuration of the NIC. With Linux as a gateway, Linux servers need to configure at least two network adapters. To reduce the number of problems that may occur at startup, the Linux kernel does not automatically detect multiple network adapters. For a system that does not compile the driver of the NIC to the kernel but is dynamically loaded as a module, it should be configured in the Conf.modules file if multiple network adapters need to be installed.
If the device driver is compiled into a module (kernel module): For a PCI device, the module will automatically detect all devices that have been installed on the system, and for ISA card, you need to provide the module with an IO address so that the module knows where to look for the card, which is provided in/etc/conf.modules.
For example, we have two ISA bus 3c509 cards, one IO address is 0x300, and the other is 0x320. Edit the Conf.modules file as follows:
Alias Eth0 3c509
Alias Eth1 3c509
Options 3c509 io=0x300,0x320
This is to say that 3c509 drivers should be loaded separately with eth0 or eth1 names (alias Eth0,eth1), and that they should be loaded with parameter io=0x300,0x320 to inform the driver where to look for the NIC, where 0x is indispensable.
For PCI cards, only the alias command is required to associate the ETHN with the appropriate driver module name, and the IO address of the PCI card will be automatically detected. For PCI cards, edit the Conf.modules file as follows:
Alias Eth0 3c905
Alias Eth1 3c905
If the driver has been compiled into the kernel: The system starts the PCI detection program will automatically find all the relevant network cards. ISA cards can also be automatically detected, but in some cases the ISA card still needs to do the following configuration:
Add configuration information to the/etc/lilo.conf by passing the startup parameter information to the kernel through the LILO program. For ISA card, edit the lilo.conf file and add the following:
Append= "ether=" 0,0,eth0 ether= "0,0,eth1"
Note: Do not include the start parameter in the lilo.conf, test your ISA card, and use the startup parameter if you fail.
If you use a method that passes the startup parameters, Eth0 and eth1 are set in the order in which they were found at startup.
*/etc/hostname File
This file contains the host name of the system, including the full domain name, such as: deep.openarch.com.
*/ETC/SYSCONFIG/NETWORK-SCRIPTS/IFCFG-ETHN file
In Redhat, the configuration file of the system network device is saved in the/etc/sysconfig/network-scripts directory, Ifcfg-eth0 contains the configuration information of the first network card, ifcfg-eth1 the configuration information containing the second network card.
The following is an example of a/etc/sysconfig/network-scripts/ifcfg-eth0 file:
Device=eth0
ipaddr=208.164.186.1
netmask=255.255.255.0
network=208.164.186.0
broadcast=208.164.186.255
Onboot=yes
Bootproto=none
Userctl=no
If you want to manually modify the network address or add a new network interface to the new interface, you can do so by modifying the corresponding file (IFCFG-ETHN) or by creating a new file.
Device=name name indicates the names of the physical devices
Ipaddr=addr addr represents the IP address assigned to the card
Netmask=mask Mask represents a network mask
NETWORK=ADDR addr represents the network address
Broadcast=addr addr Represents broadcast address
Onboot=yes/no whether the card is activated at startup
None: No need to start protocol
BOOTP: Using BOOTP protocol
DHCP: Using DHCP protocol
Userctl=yes/no whether to allow non-root users to control the device
*/etc/resolv.conf file
The file is a configuration file that is used by the domain name Parser (resolver, a library that resolves IP addresses based on the hostname), as shown in the following example:
Search openarch.com
NameServer 208.164.186.1
NameServer 208.164.186.2
Search domainname.com indicates that when a host name is provided that does not include a full domain name, the domainname.com suffix is added after the hostname; nameserver indicates that the host specified when resolving the domain name is a domain name server. The domain name servers are queried in the order in which they appear in the file.
*/etc/host.conf file
This file specifies how the host name is resolved. Linux uses the parser library to obtain the IP address of the host name. The following is an example of a/etc/host.conf:
Order Bind,hosts
Multi on
Ospoof on
Order bind,hosts Specifies the sequence of host name queries, where DNS is used to resolve domain names before querying/etc/hosts files (or vice versa).
Multi on Specifies whether the host specified in the/etc/hosts file can have multiple addresses, and hosts with multiple IP addresses are commonly referred to as multiple-homed hosts.
Nospoof on means that IP address spoofing is not allowed on this server. IP spoofing is a means of attacking system security by disguising the IP address as another computer to gain the trust of other computers. */etc/sysconfig/network file
This file is used to specify network configuration information on the server, and here is an example:
Network=yes
Rorward_ipv4=yes
Hostname=deep.openarch.com
gareway=0.0.0.0
gatewaydev=
Whether the network=yes/no network is configured;
Forward_ipv4=yes/no whether IP forwarding is enabled
Hostname=hostname HOSTNAME represents the host name of the server
Gareway=gw-ip Gw-ip represents the IP address of a network gateway
Garewaydev=gw-dev GW-DW represents the device name of the gateway, such as: Etho, etc.
Note: To be compatible with older software, the/etc/hostname file should use the same host name as Hostname=hostname.
*/etc/hosts file
When the machine starts, before DNS can be queried, the machine needs to query some host names to match the IP address. These matching information is stored in the/etc/hosts file. In the absence of a domain name server, all network programs on the system query the file to resolve the IP address corresponding to a host name.
The following is an example of a/etc/hosts file:
IP Address Hostname Alias
127.0.0.1 Localhost Gate.openarch.com
208.164.186.1 gate.openarch.com Gate
............ ............ .........
The leftmost column is host IP information, and the middle column is the host name. Any subsequent columns are aliases for that host. Once you have configured the network profile for the machine, you should restart the network for the modifications to take effect. Use the following command to restart the network:/etc/rc.d/init.d/network restart
*/etc/inetd.conf File
As we all know, as a server, the more open the service port, the more difficult to guarantee the security stability of the system. So servers that provide specific services should be as open as possible to the ports that provide the service, and the services unrelated to the server will be shut down, for example, a machine that is a WWW and FTP server should open only 80 and 25 ports and turn off other unrelated services such as finger auth. To reduce system vulnerabilities.
And inetd, also called Super Server, is to monitor some network request daemon, which calls the corresponding service process according to the network request to process the connection request. Inetd.conf is the inetd configuration file. The inetd.conf file tells inetd which network ports to monitor and which service to start for each port. The first thing to do with Linux in any network environment is to find out what services the server is offering. Those services that are not needed should be banned, preferably unloaded, so that hackers are less able to attack the system. Check the/etc/inetd.conf file to find out what services inetd offers. Use the Annotated method (plus the # number at the beginning of a line) to prohibit any unwanted service and send a sighup signal to the inetd process.
First step: Change the permissions of the file to 600.
[root@deep]# chmod 600/etc/inetd.conf
Step two: Be sure that the file owner is root.
[root@deep]# stat/etc/inetd.conf
Step three: Edit the inetd.conf file (vi/etc/inetd.conf) to prohibit all unwanted services, such as FTP, Telnet, shell, login, exec, talk, Ntalk, IMAP, POP-2, pop-3, Finger, auth, and so on. If you feel that some services are useful, you may not ban these services. However, by banning these services, the system is less likely to be attacked. The contents of the changed inetd.conf file are shown below: inetd.conf
Fourth Step:
In order to ensure the security of inetd.conf files, you can use the CHATTR command to set it as immutable. To make the file immutable, just use the following command:
[root@deep]# chattr +i/etc/inetd.conf
This avoids any changes to the inetd.conf file (unexpected or otherwise). A file with the I attribute cannot be changed: cannot delete or rename, cannot create a link to this file, cannot write data to this file. Only the system administrator can set and clear this property. If you want to change the inetd.conf file, you must first clear the flag that is not allowed to change:
[root@deep]# chattr-i/etc/inetd.conf
However, for services such as SENDMAIL,NAMED,WWW, because they are not like finger,telnet services, the inet daemon initiates the corresponding process to provide services when the request arrives, but runs as a daemon at system startup. For Redhat Linux, a linuxconfig command is provided to interactively set whether to run related services at startup by using the graphical interface. You can also use a command to set whether to start a service when started, such as: [Root@deep] # chkconfig–level named off
Specific commands can refer to the description of the man chkconfig.
*/etc/hosts.allow File
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.