Linux Hardening measures

Source: Internet
Author: User

Linux Security Hardening Specification

Contents

1 Overview
2 Installation
3 User account security
3.1 Password security policy
3.2 Checking whether passwords are safe
3.3 Password shadowing
3.4 Managing passwords
3.5 Other
4 Network service security
4.1 Service filtering
4.2 /etc/inetd.conf
4.3 R services
4.4 tcp_wrapper
4.5 /etc/hosts.equiv file
4.6 /etc/services
4.7 /etc/aliases
4.8 NFS
4.9 Trivial FTP (TFTP)
4.10 Sendmail
4.11 Finger
4.12 UUCP
4.13 World Wide Web (WWW) - httpd
4.14 FTP security issues
5 System setting security
5.1 Restricting the use of the console
5.2 Turning off ping
5.3 Turning off or changing system information
5.4 /etc/securetty file
5.5 /etc/host.conf file
5.6 Disabling IP source routing
5.7 Resource limits
5.8 LILO security
5.9 Control-Alt-Delete keyboard shutdown command
5.10 Log system security
5.11 Fixing the permissions of the script files under the "/etc/rc.d/init.d" directory
6 File system security
6.1 File permissions
6.2 Controlling file systems at mount time
6.3 Backup and recovery
7 Other
7.1 Using firewalls
7.2 Using third-party security tools
7.3 Reference sites

1 Overview

The Internet has become less secure in recent years. Network traffic keeps growing and more and more important transactions are carried out over the network, while the risk of data being corrupted, intercepted or modified grows with it.

As long as there is something worth stealing, someone will try to steal it. This is more true of the Internet today than ever before, and Linux-based systems are not immune to this "universal law". A good system should therefore have sound security measures that are strong enough to withstand attacks from the Internet, which is the main reason why Linux is popular and has become the backbone of the Internet. However, if you use Linux security tools inappropriately, they introduce hidden dangers of their own. Poorly configured security systems can create a lot of problems. This article explains the Linux security knowledge you must have and describes how to make a Linux system reliable with basic security measures.

2 Installation

Install the system on a separate (or isolated) network, so that the still-unprotected system is not connected to other networks or to the Internet, where it could be attacked.

After the installation is complete, uninstall the following software:

pump      apmd              isapnptools   redhat-logos
mt-st     kernel-pcmcia-cs  setserial     redhat-release
eject     linuxconf         kudzu         gd
bc        getty_ps          raidtools     pciutils
mailcap   setconsole        gnupg

Uninstall the software with the following command:

# rpm -e softwarename

It is a good idea to stop the following three processes before uninstalling them:

# /etc/rc.d/init.d/apmd stop
# /etc/rc.d/init.d/sendmail stop
# /etc/rc.d/init.d/kudzu stop

3 User account security

3.1 Password security policy

• Passwords are at least 6 characters long and include special characters.
• Passwords must not be too simple. Do not use information about yourself or people close to you, such as birthdays, phone numbers, names in pinyin or abbreviated form, or the pinyin or English abbreviation of your organization.
• Passwords must have a validity period.
• If you find that someone has been trying to guess a password for a long time, change the password.

3.2 Checking whether passwords are safe

You can use the following tools to check whether your passwords are secure:

• John, Crack and other brute-force password-guessing tools
• Online exhaustive-search tools, including Emailcrk, Streamer, etc.

3.3 Password shadowing

• Use shadow to hide the password ciphertext (now the default configuration).
• Check the shadow file periodically, for example for accounts whose password field is empty:

# awk -F: 'length($2)==0 {print $1}' /etc/shadow

• Set the file's attributes and owner.

3.4 Managing passwords

• Set the maximum password lifetime (edit the /etc/login.defs file).
• Set the minimum password length (e.g. Linux defaults to 5; it can be changed by editing /etc/login.defs).
• Only allow specific users to use the su command to become root.

Edit the /etc/pam.d/su file and add the following at the top of the file:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

In Red Hat 7.0 the su file already contains these lines; just remove the comment character from the first two lines.

Add the user to the wheel group:

# usermod -G10 admin
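
The checks from sections 3.3 and 3.4 can be run as one script. This is an added example, not part of the original specification: the function names are hypothetical, the sample files are constructed, and the limit of 90 days is an assumed policy value (the minimum length of 6 follows section 3.1).

```shell
#!/bin/sh
# Added example: audit a shadow-format file and a login.defs-format file.
# Function names and the limits passed in the demo are assumptions.

# Accounts whose password field (field 2 of the shadow file) is empty.
empty_password_accounts() {
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Value of a login.defs key; the last uncommented occurrence wins.
login_defs_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# audit_password_policy SHADOW LOGIN_DEFS MAX_DAYS MIN_LEN
# Prints one finding per line and returns 1 if anything was found.
audit_password_policy() {
    ap_findings=$(
        for ap_user in $(empty_password_accounts "$1"); do
            echo "empty password: $ap_user"
        done
        ap_max=$(login_defs_value "$2" PASS_MAX_DAYS)
        ap_min=$(login_defs_value "$2" PASS_MIN_LEN)
        # A missing key is a finding too: the built-in default applies.
        case $ap_max in
            ''|*[!0-9]*) echo "PASS_MAX_DAYS not set" ;;
            *) [ "$ap_max" -le "$3" ] || echo "PASS_MAX_DAYS=$ap_max exceeds $3" ;;
        esac
        case $ap_min in
            ''|*[!0-9]*) echo "PASS_MIN_LEN not set" ;;
            *) [ "$ap_min" -ge "$4" ] || echo "PASS_MIN_LEN=$ap_min below $4" ;;
        esac
    )
    if [ -n "$ap_findings" ]; then
        printf '%s\n' "$ap_findings"
        return 1
    fi
    return 0
}

# Constructed sample input so the example runs without touching /etc.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shadow" <<'EOF'
root:$1$constructed$notarealhash000000001:11000:0:99999:7:::
admin:$1$constructed$notarealhash000000002:11000:0:60:7:::
guest::11000:0:99999:7:::
EOF
cat > "$demo_dir/login.defs" <<'EOF'
# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
EOF
audit_password_policy "$demo_dir/shadow" "$demo_dir/login.defs" 90 6 || true
rm -rf "$demo_dir"
```

On a real host, run it as root with /etc/shadow and /etc/login.defs as the first two arguments.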

3.5 Other

• Remove unnecessary system accounts:

# userdel adm
# userdel lp
# userdel sync
# userdel shutdown
# userdel halt
# userdel news
# userdel uucp
# userdel operator
# userdel games      (delete if X Window is not used)
# userdel gopher
# userdel ftp        (delete if the FTP service is not used)

• Try not to include personal information in the passwd file, to prevent leaks through programs such as finger.
• Set the immutable bit on the passwd, shadow, group and gshadow files:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

• Do not use .netrc files. You can pre-create $HOME/.netrc and set its permissions to 0000.

touch /.rhosts ; chmod 0 /.rhosts

• Use SSH instead of common services such as telnetd, ftpd and pop. Traditional network service programs such as FTP, POP and telnet are inherently insecure because they transmit passwords and data in clear text over the network.

4 Network service security

Linux systems provide a powerful and diverse range of services. Because these services are so varied and complex, it is easy to make mistakes when configuring and managing them, and the software that provides them has a variety of vulnerabilities. There are therefore two basic principles to keep in mind when deciding which services a system should offer:

• Only open the services that are required and close all services that are not needed. The fewer services are exposed, the fewer outside threats the system faces.
• Distribute the required services across different hosts. This not only improves system performance but also makes configuration and management easier, reducing the security risk to the system.

Beyond these two basic principles, also check each service's functions and security vulnerabilities.

This section gives the basic security configuration for the services a host provides; for the security configuration of some common services, refer to the relevant documentation.

4.1 Service filtering

• Disable these services on the server. If you must open them, restrict access to trusted IP addresses with firewalls and routers.
• Make sure that only the services that are really needed are reachable from outside and that they are properly filtered on the user's router. In particular, if the user does not need the following services, filter them out on the router.

NAME      PORT             PROTOCOL
echo      7                TCP/UDP
systat                     TCP
netstat                    TCP
bootp                      UDP
tftp                       UDP
link                       TCP
supdup                     TCP
sunrpc    111              TCP/UDP
news      144              TCP
snmp      161              UDP
xdmcp     177              UDP
exec                       TCP
login     513              TCP
shell     514              TCP
printer   515              TCP
biff                       UDP
who       513              UDP
syslog    514              UDP
uucp      540              TCP
route     520              UDP
openwin                    TCP
nfs       2049             UDP/TCP
x11       6000 to 6000+n   TCP

Note: Some UDP services can lead to DoS attacks and remote overflows, such as:

rpc.ypupdated
rpcbind
rpc.cmsd 100068
rpc.statd 100024
rpc.ttdbserver 100083
sadmind 100232/10

After the configuration is complete, use a network scanner, such as Nmap, to simulate an external scan by an intruder and test the result.

4.2 /etc/inetd.conf

• Make sure the file permissions are set to 600.
• Make sure the file owner is root.
• Comment out all unneeded services, then restart the inetd process.
• Use the netstat -an command to view the services this machine offers, and make sure the services you do not need have been stopped.

4.3 R services

If you do not need the R services

• Disable the R services. On Red Hat 6.2, comment out the following services in the /etc/inetd.conf file and restart the inetd service. On Red Hat 7.0, remove them from the /etc/xinetd.d directory.

exec TCP
rlogin 513 TCP
rshell 514 TCP

• Pre-create the $HOME/.rhosts and /etc/hosts.equiv files and set their permissions to 0000 to prevent "+ +" from being written to them. (Attackers often use symbolic links or a root shell to write this entry and remotely open the R services on the protected host.)

If you must use the R services

• Use a more secure version of the R services, such as Wietse Venema's logdaemon programs.
• Block access from external networks to ports 512, 513 and 514 (TCP) of the protected host on the router or firewall.
• Use TCP wrappers to define the trusted machines that may access the R services of the protected host.

4.4 tcp_wrapper

This software filters TCP/UDP services on UNIX platforms. It is now widely used to monitor and filter connections to a host's standard TCP/UDP services such as ftp, telnet, rsh, rlogin, tftp and finger.

When tcp_wrapper is installed, the /usr/sbin/in.telnetd entry in the inetd.conf file is replaced by tcpd, the program that comes with tcp_wrapper. tcpd intercepts the service request from the client, logs the time of the request and the IP address, and checks them against the access control rules. If the connecting user and the source IP address match the values preset by the administrator, the request is passed on to the system's in.telnetd, which completes the rest of the work. If the connection does not meet the requirements, the request is rejected. In the same way, ftp, rsh and other TCP/UDP services can be replaced by tcpd, with tcpd acting as the intermediary.

• Use PARANOID mode. With this parameter you need to add the names and IP addresses of the clients that are allowed to use the telnet or ftp service to the /etc/hosts file.
• Set ALL:ALL in /etc/hosts.deny so that all access is denied by default:

# Deny access to everyone.
ALL: ALL@ALL, PARANOID #Matches any host whose name does not match its address, see below.

• Set the allowed services and addresses in /etc/hosts.allow, for example:

sshd: 208.164.186.1 gate.openarch.com

• Use tcpdchk to check the configuration.

When tcp_wrapper is used, UDP services use the nowait option in /etc/inetd.conf.
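
The review steps from sections 4.2 and 4.4 (comment out unneeded services, start the rest through tcpd) can be checked mechanically. This is an added example, not part of the original specification: it assumes the classic inetd.conf layout (Red Hat 6.2, not xinetd), the function name is hypothetical, the sample file is constructed, and RISKY_SERVICES is an assumed selection of names from the 4.1 table plus finger.

```shell
#!/bin/sh
# Added example: review an inetd.conf-format file against sections 4.1 to 4.4.
# RISKY_SERVICES is an assumed policy list; adjust it to your own needs.
RISKY_SERVICES="echo systat netstat bootps tftp link supdup exec login shell uucp finger"

# audit_inetd_conf FILE
# inetd.conf fields: service, socket type, protocol, wait flag, user,
# server path, arguments. For every line that is not commented out, print
#   DISABLE <service>    if the service is on the RISKY_SERVICES list
#   UNWRAPPED <service>  if it is allowed but not started through tcpd
# Returns 1 if anything was printed, 0 if the file is clean.
audit_inetd_conf() {
    ai_out=$(awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }     # comments, blank and short lines
        ($1 in bad)   { print "DISABLE " $1 " (" $3 ")"; next }
        $6 !~ /tcpd$/ { print "UNWRAPPED " $1 " (" $3 ") runs " $6 " directly" }
    ' "$1")
    if [ -n "$ai_out" ]; then
        printf '%s\n' "$ai_out"
        return 1
    fi
    return 0
}

# Constructed sample file; the paths are illustrative.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd        in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/tcpd        in.rlogind
tftp    dgram   udp  wait    root  /usr/sbin/tcpd        in.tftpd
EOF
audit_inetd_conf "$demo_conf" || true
rm -f "$demo_conf"
```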

4.5 /etc/hosts.equiv file

If you do not need the /etc/hosts.equiv file

• Delete this file from the system.
• Pre-create the /etc/hosts.equiv file and set its permissions to 0000 to prevent "+ +" from being written to it. (Attackers often use symbolic links or a root shell to write this entry and remotely open the R services on the protected host.)

If you must use the /etc/hosts.equiv file

• Make sure that every trusted host in this file is really required.
• Pre-create the /etc/hosts.equiv file and set its permissions to 0000 to prevent "+ +" from being written to it. (Attackers often use symbolic links or a root shell to write this entry and remotely open the R services on the protected host.)
• If you use NIS or NIS+, the groups in this file should be manageable.
• Trusted hosts must be reliable.
• Refer to trusted hosts by their full names, such as hostname.domainname.cn.
• The "+" character must never appear anywhere in the file, because it allows any user on any host to access the system without a password.
• Do not use the '!' and '#' characters in the file, because they do not denote comments there.
• The first character of the file must not be '-'. Please refer to C8.
• Make sure the file's access permissions are set to 600.
• Make sure the file owner is root.
• After each patch or operating system installation, re-check the settings of this file.
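
The rules in this section lend themselves to an automated check, which is useful for the re-check after each patch. This is an added example, not part of the original specification: the function name and message texts are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example: lint an /etc/hosts.equiv-style file against section 4.5.

# lint_hosts_equiv FILE [OWNER_UID]
# OWNER_UID defaults to 0 (root). Prints one finding per line.
# Returns 0 if the file is clean, 1 on findings, 2 if FILE does not exist.
lint_hosts_equiv() {
    he_file=$1
    he_uid=${2:-0}
    [ -e "$he_file" ] || { echo "missing: $he_file"; return 2; }
    he_ls=$(ls -ldn "$he_file")
    he_mode=$(printf '%s\n' "$he_ls" | cut -c1-10)
    he_owner=$(printf '%s\n' "$he_ls" | awk '{ print $3 }')
    # An empty file with mode 0000 is the locked placeholder described above.
    if [ ! -s "$he_file" ] && [ "$he_mode" = "----------" ]; then
        return 0
    fi
    he_out=$(
        # A symbolic link shows up here as lrwxrwxrwx and is reported too.
        [ "$he_mode" = "-rw-------" ] || echo "mode is $he_mode, want -rw------- (600)"
        [ "$he_owner" = "$he_uid" ] || echo "owner uid is $he_owner, want $he_uid"
        awk '
            NR == 1 && /^-/  { print "line 1: file must not start with \"-\"" }
            index($0, "+")   { print "line " NR ": \"+\" trusts any host or user"; next }
            /[!#]/           { print "line " NR ": \"!\" and \"#\" are not comments here"; next }
            NF && $1 !~ /\./ { print "line " NR ": " $1 " is not a full host name" }
        ' "$he_file" 2>/dev/null || echo "cannot read $he_file"
    )
    if [ -n "$he_out" ]; then
        printf '%s\n' "$he_out"
        return 1
    fi
    return 0
}

# Constructed sample file that breaks several of the rules.
demo_equiv=$(mktemp)
cat > "$demo_equiv" <<'EOF'
# build servers
build1.example.cn
backup
+ +
EOF
lint_hosts_equiv "$demo_equiv" "$(id -u)" || true
rm -f "$demo_equiv"
```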

4.6 /etc/services

• Make sure the file permissions are set to 600.
• Make sure the file owner is root.
• If you need to provide some common services, such as telnetd, you can change their ports here.

This file maps port numbers to services. Protect it to prevent unauthorized modification and deletion:

# chattr +i /etc/services

4.7 /etc/aliases

• Edit the /etc/aliases file and comment out "decode", "games, ingress, system, toor, manager, ....".
• Run the /usr/bin/newaliases command to activate the new configuration.
• Make sure the file permissions are set to 755.
• Make sure the file owner is root.

4.8 NFS

Pay attention to the following security aspects of the NFS file system:

• Filter ports 111 and 2049 (TCP/UDP) on the external router and do not allow external access.
• Check the patch update status.
• Check the permissions of the /etc/exports export paths: make sure only root can modify them and all other users can only read.
• Use exportfs to add or remove exported directories:

exportfs -o access=engineering,ro=dancer /usr
exportfs -u /usr

• If your machine does not use NIS (YP server) services, remember to update the information in the following files when making changes:

/etc/passwd
/etc/group
/etc/hosts
/etc/ethers

• Do not allow the export of directories that contain local entries.
• Make sure the other machine is completely trustworthy, and refer to it by its full name.
• Make sure the export list does not exceed 256 characters.
• Use the showmount -e command to view your export settings.
• Set the permissions of /etc/exports to 644, with root as owner.
• Use options such as noexec, nodev and nosuid, set in /etc/fstab, to control mounted file systems.

4.9 Trivial FTP (TFTP)

This service should not be started under any circumstances.

4.10 Sendmail

Sendmail provides many features that are selected at compile time. The default configuration usually meets the needs of ordinary users, but understanding the features it provides lets you configure many of sendmail's functions more precisely. From a network security perspective, configuring the relevant features properly lets you strike a better balance between providing service and ensuring security. (Features are configured by adding the required features to the .mc file for the system and then using the m4 tool to generate the final sendmail.cf file.) The latest version is currently sendmail 8.11.1 (www.sendmail.org).

• Use the latest release package.
• promiscuous_relay: This feature turns on relaying for anyone, which switches off the enhanced relay security controls introduced in 8.9. Using it leaves the mail service open to abuse; do not use it except in exceptional circumstances.
• accept_unqualified_senders: This feature is off by default, which means that when the connection is a network connection and the address in the MAIL FROM: parameter does not contain a valid host address, sendmail refuses to continue the conversation. With this feature turned on, messages are no longer rejected on the basis of the MAIL FROM: parameter. Do not enable it lightly.
• loose_relay_check: Normally, when a message uses source routing, such as user%site@othersite, and othersite is within the relay scope, sendmail strips othersite and goes on to check whether site is within the relay scope. This feature changes that default behaviour. Do not enable it lightly.
• accept_unresolvable_domains: Normally, when the host part of the MAIL FROM: parameter cannot be resolved, that is, when it cannot be confirmed as a legitimate host address, sendmail rejects the connection. This feature changes that behaviour. You may want it in some cases, for example when the mail server sits behind a firewall and cannot resolve external host addresses properly but should still receive mail normally.
• blacklist_recipients: Turns on the recipient blacklist. The blacklist can contain user names, host names or other addresses.
• relay_entire_domain: By default, sendmail relays mail only for hosts defined as RELAY in the relay control database (access db). This feature makes sendmail relay for users on all hosts in the local domain (defined by the $=m class).
• Sendmail's restricted shell, smrsh, can prevent malicious operations by internal users.
• Prevent system information leakage, for example by changing the banner and disabling the EXPN and VRFY commands.
• The recommended configuration requires SMTP authentication.
• Other related mail servers:

qmail: www.qmail.org
postfix: www.postfix.org
qpop: http://www.qpopper.org/
imail: http://www.imailbox.com/

4.11 Finger

• This service should not be started.
• If you must use it, use the latest version.

4.12 UUCP

• Not recommended.
• Delete all rhosts files (in the UUCP directory).
• Make sure the .cmds file is owned by root.
• Restrict UUCP logins.
• Make sure no UUCP file is world-writable.

4.13 World Wide Web (WWW) - httpd

• Use the latest version of the web server you choose.
• Do not run httpd as the root user.
• Run httpd in a chroot environment.
• Try not to use CGI scripts.
• Carry out security audits of CGI scripts.
• Link against static libraries.
• Filter dangerous characters, such as \r ( . , / ; ~ ! ) > | ^ & $ ' < etc.
• Use HTTPS for critical business traffic.

The more popular web servers are:

Apache http://www.apache.org

Netscape web server and browser http://home.netscape.com/enterprise/v3.6/index.html

The IETF Web Transaction Security working group maintains a mailing list dedicated to WWW security issues.

To subscribe, send e-mail to www-security-[email protected] with the following in the message body:

SUBSCRIBE www-security your email address

The main WWW FAQ also contains questions and answers about web security, such as document management and sources of server software. The latest version of this FAQ is at: http://www.boutell.com/faq/

4.14 FTP security issues

The main FTP servers

• WU-FTPD: the latest version is 2.6.1, available at ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.6.1.tar.gz.
• ProFTPD: the latest version is 1.2.0rc2, available at ftp://ftp.proftpd.net/pub/proftpd.
• NcFTPd: the latest version is 2.6.3, available at http://www.ncftp.com/ncftpd/.

Configuration

• Check all the default configuration options.
• Make sure there is no SITE EXEC problem.
• Set /etc/ftpusers to define which users are forbidden to use FTP.
• Run ftpd in a chroot environment.
• Use your own ls and other commands.
• Add support for quota, PAM, etc.
• Configure the /etc/ftpaccess file to prevent system information leakage and to set the maximum number of connections.
• Configure /etc/ftphosts to set the hosts and users that are allowed to use FTP.
• Set different permissions for different users.
• Check the log records in /var/log/xferlog frequently.
• Change the permissions of the configuration files to 600.

Anonymous FTP

• Enable the allow-anonymous option at compile time.

If you use distributed passwords (e.g. NIS, NIS+), you need to set up a proper password file.

• Give anonymous users read permission only (set in /etc/ftpaccess).

5 System setting security

5.1 Restricting the use of the console

Disable console programs by deleting the corresponding service files in /etc/security/console.apps:

# rm -f /etc/security/console.apps/servicename

For example:

# rm -f /etc/security/console.apps/halt
# rm -f /etc/security/console.apps/poweroff
# rm -f /etc/security/console.apps/reboot
# rm -f /etc/security/console.apps/shutdown
# rm -f /etc/security/console.apps/xserver      (if deleted, only root can start the X server)

Disable console access: in all files in /etc/pam.d, comment out the lines containing pam_console.so.

5.2 Turning off ping

Turning off ping, so that the system does not respond to ping requests, is of great benefit to network security.

You can use the following command:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

You can add this line to the /etc/rc.d/rc.local file so that it is executed automatically after the system restarts.

To restore the system's ping response:

# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

5.3 Turning off or changing system information

Turn off Telnet system information

On Red Hat 6.2, edit /etc/inetd.conf:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding the -h parameter turns off the Telnet information.

On Red Hat 7.0, edit /etc/xinetd.d/telnet:

Adding server_args = -h turns off the Telnet information.

Turn off or modify the system information in /etc/rc.d/rc.local

/etc/issue and /etc/issue.net contain the system information shown at local and network logins. You can change the system information by editing these files, or delete them outright, and comment out the related lines in the /etc/rc.d/rc.local file:

#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

5.4 /etc/securetty file

The /etc/securetty file specifies the TTY devices from which root may log in. List the allowed TTY devices and comment out the lines of the TTY devices that are not allowed.

5.5 /etc/host.conf file

/etc/host.conf defines how host names are resolved: which services to use and in what order.

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on

order specifies the order in which the services are tried.

multi specifies whether a host may have multiple IP addresses; on means allowed.

nospoof specifies that IP spoofing is not allowed; this parameter must be set to on.

5.6 Disabling IP source routing

Allowing IP source routing lets attackers spoof your computer and intercept packets. Disabling it is strongly recommended, using the following commands:

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done

This sets accept_source_route to 0. Add the commands above to /etc/rc.d/rc.local so that they are executed automatically at every restart.

5.7 Resource limits

To avoid denial-of-service attacks, you need to place some restrictions on the use of system resources.

First, edit /etc/security/limits.conf and add or change the following:

* hard core 0       (no core file creation)
* hard rss 5000     (users other than root may use at most 5 M of memory)
* hard nproc 20     (the maximum number of processes is limited to 20)

Then edit /etc/pam.d/login and add the following at the end of the file:

session required /lib/security/pam_limits.so

TCP SYN cookie protection (prevents SYN flood attacks):

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
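
The /proc settings from sections 5.2, 5.6 and 5.7 are lost at reboot unless rc.local re-applies them, so a check should cover both the running values and rc.local. This is an added example, not part of the original specification: the function name is hypothetical and the demo runs against a constructed directory tree rather than the live /proc.

```shell
#!/bin/sh
# Added example: verify the kernel settings from sections 5.2, 5.6 and 5.7.

# check_ipv4_hardening [PROC_DIR] [RC_LOCAL]
# PROC_DIR defaults to /proc/sys/net/ipv4, RC_LOCAL to /etc/rc.d/rc.local.
# Prints FAIL lines for wrong runtime values and WARN lines for settings
# that RC_LOCAL does not mention. Returns 1 if anything was printed.
check_ipv4_hardening() {
    ch_root=${1:-/proc/sys/net/ipv4}
    ch_rc=${2:-/etc/rc.d/rc.local}
    ch_out=$(
        ch_expect() {    # ch_expect FILE WANTED_VALUE
            if [ ! -r "$1" ]; then
                echo "FAIL $1 cannot be read, want $2"
                return 0
            fi
            ch_val=$(cat "$1")
            [ "$ch_val" = "$2" ] || echo "FAIL $1 is $ch_val, want $2"
        }
        ch_expect "$ch_root/icmp_echo_ignore_all" 1
        ch_expect "$ch_root/tcp_syncookies" 1
        # Source routing is a per-interface setting: check every conf/* entry.
        for ch_f in "$ch_root"/conf/*/accept_source_route; do
            ch_expect "$ch_f" 0
        done
        # Persistence: each setting must appear on an uncommented rc.local line.
        for ch_key in icmp_echo_ignore_all tcp_syncookies accept_source_route; do
            if ! grep -v '^[[:space:]]*#' "$ch_rc" 2>/dev/null | grep -q "$ch_key"; then
                echo "WARN $ch_key is not set in $ch_rc"
            fi
        done
    )
    if [ -n "$ch_out" ]; then
        printf '%s\n' "$ch_out"
        return 1
    fi
    return 0
}

# Constructed stand-in for /proc/sys/net/ipv4 and rc.local.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/ipv4/conf/all" "$demo_root/ipv4/conf/eth0"
echo 1 > "$demo_root/ipv4/icmp_echo_ignore_all"
echo 0 > "$demo_root/ipv4/tcp_syncookies"
echo 0 > "$demo_root/ipv4/conf/all/accept_source_route"
echo 1 > "$demo_root/ipv4/conf/eth0/accept_source_route"
echo 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all' > "$demo_root/rc.local"
check_ipv4_hardening "$demo_root/ipv4" "$demo_root/rc.local" || true
rm -rf "$demo_root"
```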

5.8 LILO security

Add three parameters to the "/etc/lilo.conf" file: timeout, restricted and password. With these options, a password is required when options (such as "linux single") are passed at boot time.

Step 1

Edit the lilo.conf file (/etc/lilo.conf) to add and change these three options:

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00 #change this line to 00
prompt
default=linux
restricted #add this line
password= #add this line and put your password
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only

Step 2

Because the password is not encrypted, the "/etc/lilo.conf" file should be readable only by the root user.

# chmod 600 /etc/lilo.conf      (no longer world-readable)

Step 3

After making the changes above, run lilo so that the updated "/etc/lilo.conf" configuration takes effect.

# /sbin/lilo -v      (update the lilo.conf file)

Step 4

Another way to make "/etc/lilo.conf" more secure is to use the chattr command to make it immutable:

# chattr +i /etc/lilo.conf

This blocks any changes to the "lilo.conf" file, whether intentional or not.

5.9 Control-Alt-Delete keyboard shutdown command

Edit the "/etc/inittab" file and comment out the line below by adding "#" in front of it. Change

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

to

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Then, for the change to take effect, enter the following at the prompt:

# /sbin/init q

5.10 Log system security

To ensure the integrity of the log system and prevent attackers from deleting logs, the log system needs to be configured securely. A separate document will describe the security of the log system.

5.11 Fixing the permissions of the script files under the "/etc/rc.d/init.d" directory

Fix the permissions of the script files that start and stop all the normal processes that run at boot time:

# chmod -R 700 /etc/rc.d/init.d/*

This means that only the root user is allowed to read, write and execute the script files in this directory.

6 File system security

6.1 File permissions

• Remove unnecessary SUID programs. They can be listed with the following command:

# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

Use the following command to remove the 's' bit from programs that do not need it:

# chmod a-s /usr/bin/commandname

• Important configuration files such as /etc/passwd, /etc/shadow and /etc/inetd.conf are set to 0755 and made immutable.
• /etc, /usr/etc, /bin, /usr/bin, /sbin, /usr/sbin, /tmp and /var/tmp are owned by root and have the sticky bit set.
• There are no special files in the /dev directory.
• Find files and directories that anyone can write to:

# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;

• Look for unusual files, such as files named "..." and the like:

find / -name ":" -print -xdev
find / -name ".*" -print -xdev | cat -v

• Check for files that have no owner:

find / -nouser -o -nogroup

• Check that there are no block or character special files outside the /dev directory:

find / \( -type b -o -type c \) -print | grep -v '^/dev/'

• Use MD5 checksums or PGP to validate files.

6.2 Controlling file systems at mount time

You can use noexec, nodev and nosuid to control mounted file systems. Set them in /etc/fstab. For example, change

/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2

to

/dev/sda11 /tmp ext2 nosuid,nodev,noexec 1 2
/dev/sda6 /home ext2 nosuid,nodev 1 2

noexec means that no executables may be run, nodev means that block devices are not allowed, and nosuid means that SUID bits are not allowed.
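
Whether an fstab actually carries these options can be checked with a small parser. This is an added example, not part of the original specification: the function names are hypothetical, and the policy it applies (/tmp with nosuid,nodev,noexec and /home with nosuid,nodev) is the one from the fstab lines above.

```shell
#!/bin/sh
# Added example: report the section 6.2 mount options an fstab entry lacks.

# missing_mount_opts FSTAB MOUNTPOINT OPT[,OPT...]
# Prints the required options that the entry for MOUNTPOINT does not carry,
# comma-separated. Returns 0 if none are missing, 1 if some are, and 2 if
# MOUNTPOINT has no entry of its own (it is then part of its parent file
# system and cannot get separate options).
missing_mount_opts() {
    awk -v mp="$2" -v need="$3" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp {
            found = 1
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) set[have[i]] = 1
            m = split(need, want, ",")
            for (i = 1; i <= m; i++)
                if (!(want[i] in set))
                    miss = miss (miss == "" ? "" : ",") want[i]
            exit
        }
        END {
            if (!found) exit 2
            if (miss != "") { print miss; exit 1 }
        }
    ' "$1"
}

# audit_fstab FSTAB
# Applies the policy from this section and prints one line per problem.
audit_fstab() {
    af_rc=0
    for af_rule in /tmp:nosuid,nodev,noexec /home:nosuid,nodev; do
        af_mp=${af_rule%%:*}
        af_need=${af_rule#*:}
        af_status=0
        af_miss=$(missing_mount_opts "$1" "$af_mp" "$af_need") || af_status=$?
        case $af_status in
            1) echo "$af_mp: missing $af_miss"; af_rc=1 ;;
            2) echo "$af_mp: no separate entry in $1"; af_rc=1 ;;
        esac
    done
    return $af_rc
}

# The "before" lines from this section, used as sample input.
demo_fstab=$(mktemp)
cat > "$demo_fstab" <<'EOF'
/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2
EOF
audit_fstab "$demo_fstab" || true
rm -f "$demo_fstab"
```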

6.3 Backup and recovery

Backing up the file system regularly keeps losses to a minimum.

There are several ways to back up Linux, such as dd, cpio, tar, dump, etc.

7 Other

7.1 Using firewalls

Firewalls are an important part of network security. A separate topic will cover firewalls in detail, including how firewalls work, the ipchains implementation under the Linux 2.2 kernel, the Netfilter implementation in the Linux 2.4 kernel, and the use of commercial firewall products.

7.2 Using third-party security tools

Linux has many good security tools, such as Tripwire, SSH, Sudo, Tcpdump, Nmap, Nessus, Snort, Sniffit ... Separate topics will describe these very practical security tools.

7.3 Reference sites

Patches: http://www.redhat.com/apps/support/updates.html

Exploits: http://darknet.securityinfos.com/os/linux/redhat/index.html
