Linux Network Security: Incomplete Notes

Source: Internet
Author: User
Tags: response code, syslog

1. Installing CentOS
2. Linux network environment settings
A. Configuring Linux so that a client can connect to it
B. Configuring Linux for Internet access
3. Yum in detail
Basic yum operations
A. Installing new software with yum
yum install -y <package>
B. Updating software with yum
yum update -y <package>
C. Removing software with yum
yum remove -y <package>
D. Searching for software with yum
Search by package name and attributes
yum list <package>
Advanced search
yum search <keyword> (a glob pattern such as * can also be used)
E. Updating the system with yum
Check what an update would change
yum check-update
Update the whole system
yum update
Update the system automatically (once a day): /sbin/chkconfig --level 345 yum on; /sbin/service yum start

4. Closing unwanted ports
Viewing system daemons
Common daemons: kudzu, sshd, inetd, ldap and so on
Linux run levels
Levels 3 (multi-user, text) and 5 (multi-user, graphical) are the most commonly used
chkconfig changes the run levels in which a daemon starts

Viewing open ports
Using the netstat command (netstat -tlnp lists listening TCP sockets together with the owning PID and program)
Combine lsof with netstat to find which program opened a given port (lsof -i :<port>)
Use ntsysv to turn off the services you do not need
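The check above is usually done by eye; the following script does it mechanically. It is an added example, not part of the original notes, and it runs against a constructed netstat -tlnp listing embedded in the script (the PIDs, ports and program names are made up) rather than against a live host. It picks out the sockets bound to all interfaces, which are the ones reachable from the network, and reports every port that is not on an allow-list you pass in, which is exactly the set of candidates for chkconfig <service> off or ntsysv.

```shell
#!/bin/sh
# Constructed sample of 'netstat -tlnp' output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      654/portmap
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      723/cupsd'

# Print "port program" for every TCP socket listening on 0.0.0.0, i.e. reachable
# from the network. Loopback-only listeners (127.0.0.1:25 here) are skipped
# because they are not exposed to remote hosts.
exposed_listeners() {
  printf '%s\n' "$SAMPLE_NETSTAT" | awk '
    $1 == "tcp" && $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
      split($4, addr, ":"); split($7, prog, "/")
      print addr[2], prog[2]
    }'
}

# unexpected_listeners PORT...: given the ports that are supposed to be open,
# print the exposed listeners that are not on that list.
unexpected_listeners() {
  allow=" $* "
  exposed_listeners | while read -r port prog; do
    case "$allow" in
      *" $port "*) ;;                 # expected, say nothing
      *) echo "$port $prog" ;;        # candidate for chkconfig <svc> off
    esac
  done
}

# On a real host, replace SAMPLE_NETSTAT with the live output of
#   netstat -tlnp      (run as root, otherwise PID/Program name is blank)
# and confirm a suspicious port with
#   lsof -i :<port>
# Here only sshd is expected, so portmap and cupsd are reported.
unexpected_listeners 22
```

The allow-list is deliberately by port rather than by program name: a rogue process can call itself sshd, but it cannot hide which port it bound.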

5. Linux physical security
Physical protection of the server
Set a GRUB password so that an attacker with physical access to the machine cannot change the boot parameters (for example to boot straight into single-user mode)
Lock the terminal with vlock
6. Information gathering for network security
Testing whether network hosts are alive
ping
nmap
telnet

Defending against host discovery
Install a firewall that drops ICMP echo requests, so that ping probes get no reply
Install snort to monitor the system in real time

Discovering the network topology
A zone transfer is the process of replicating a zone database file between DNS servers: a secondary server obtains the whole zone by copying it from the primary. An attacker who is allowed to request a transfer receives the complete list of hosts in the zone.
Using nslookup to perform a zone transfer (demo)
Protecting against DNS zone transfers
In BIND on Linux, allow zone transfers only to specific hosts (the allow-transfer option)
Collecting administrator information from the WHOIS database
The whois command
How to read whois output
7. Port scanning for network security
Port scanning basics
Port types
For example TCP ports and UDP ports
Port (TCP connection) states
LISTEN: waiting for a connection request from any remote TCP and port
ESTABLISHED: the two sides have completed the handshake and can exchange data
CLOSING: waiting for acknowledgement of a connection termination request from the remote TCP
CLOSED: no connection
Determining which services the server exposes

Common port scanners: nc, nmap (the most widely used)
Nmap port scanning basics:
The six port states nmap reports
open
closed
filtered (a firewall or filter blocks the probe, so nmap cannot tell whether the port is open)
unfiltered (the port is reachable but nmap cannot tell whether it is open or closed; seen with ACK scans)
open|filtered (nmap cannot distinguish open from filtered, as with UDP and some stealth scans)
closed|filtered (nmap cannot distinguish closed from filtered; only the idle scan reports this)
Nmap command-line options
Using nmap to fingerprint the operating system: nmap -O <target>

8. Installing and configuring an intrusion detection system
Installing and configuring an intrusion detection system
Vulnerability scanners: SSS (Shadow Security Scanner), WVS (Web Vulnerability Scanner), and others such as X-Scan and SolarWinds (Cisco vulnerability scanning)
Snort:
Snort has three modes of operation: sniffer, packet logger and network intrusion detection system. Sniffer mode simply reads packets from the network and prints them to the terminal as a continuous stream. Packet logger mode writes the packets to disk. Network intrusion detection mode is the most complex and the most configurable: snort analyses network traffic, matches it against user-defined rules and takes an action based on the result.
Downloading and installing snort

Snort configuration
groupadd snort
useradd -g snort snort -s /bin/false
passwd -S snort (show the account's password status)
mkdir -p /etc/snort/rules
mkdir -p /var/log/snort/archive
chown -R snort.snort /var/log/snort
cd etc; cp * /etc/snort

Sniffer mode
snort -dev
-v
With this option alone snort prints only the IP and TCP/UDP/ICMP headers.
-vd
Also shows the application-layer payload
-e
Also shows the data-link-layer (Ethernet) headers
#########
Snort command-line options
-l <logdir>
Write all captured packets to the log directory
-b
Log packets in binary (tcpdump/pcap) format, which other tools can decode
############
The most important use of snort is as a network intrusion detection system (NIDS); start this mode with the following command line:
./snort -d -l /log -h 192.168.0.0/24 -c snort.conf
9. Linux log analysis

Classification of the Linux log system
Connection-time logs: written by several programs to /var/log/wtmp and /var/run/utmp. login and related programs update wtmp and utmp so that the administrator can track who is logged on to the system.
Log format: a selector (facility and priority) plus a destination.
Error logs: handled by syslogd(8). System daemons, user programs and the kernel report noteworthy events through syslog(3), by default into /var/log/messages. Many other Linux programs keep their own logs; servers that provide network services, such as HTTP and FTP, also maintain detailed logs.
Connection-time logs
The utmp, wtmp and lastlog files are the part of the UNIX logging subsystem that most tools reuse: they hold user login and logout records. utmp records who is currently logged on, wtmp records every login and logout, and lastlog (viewed with the lastlog command) records each user's last login. Run-level changes, shutdowns and reboots are also written to wtmp.
The who, w, users and ac commands read these files. Separately, when process accounting is enabled, the kernel writes a record for every process that terminates to the process accounting file (pacct or acct); its purpose is to provide command usage statistics for the basic services on the system.
/var/log/secure records logins to the system
including sshd, telnet, pop and so on

Error logs (syslog configuration)
syslog is used by many logging facilities and by many protection tools: any program can record events through syslog. It can record system events, write them to a file or a device, or send a message to logged-in users, and it can log local events or forward them over the network to another host.
Format of the /etc/syslog.conf file
facility.priority    destination
The facility names the part of the system that produced the message: kern, user, mail, daemon, auth, authpriv, cron, ftp, lpr, news, uucp and local0 through local7. Services such as httpd and ftpd do not get a facility of their own; they either log through one of these (ftp, daemon, local0 to local7) or keep their own log files.
Priorities, from least to most severe: debug (debugging output), info (informational), notice (normal but significant), warning or warn (warning), err or error (error), crit (critical), alert (action needed immediately) and emerg or panic (system unusable)

Where syslog writes
A file, given by absolute path under /var/log
A printer: /dev/lp0
A remote host: @192.168.0.10
The remote host must be willing to accept network messages: start its syslogd with the -r option (SYSLOGD_OPTIONS in /etc/sysconfig/syslog)
(Focus on how this is implemented)
Protecting the syslog files with file attributes
chattr +a /var/log/messages
lsattr /var/log/messages
With the append-only attribute data can be added but not deleted or overwritten. Only root can remove the attribute; with LCAP root can be stripped of that capability as well, so that the file cannot be deleted or modified even by root (explained later).
Log format
Selectors

A selector consists of two fields separated by a dot (.). The first field is the facility and the second the priority. The selector is in effect a message type, which makes it easy to send different kinds of messages to different places. A configuration line may carry several selectors, separated by semicolons (;). In the example given above there is only one selector, "mail"; the complete syslog.conf example given later has lines with several selectors. Table 1 lists the facilities that most Linux variants recognise.

Priority
The priority is the second field of the selector and expresses the urgency of the message. The priority of each message an application emits was chosen by the programmer who wrote it, and the user can only accept that choice unless they are prepared to recompile the application. Table 2 lists all possible priorities from least to most severe. A selector such as mail.warning matches messages of that priority and of every higher one.

Destination
Log messages can be written to several files, sent to named pipes or to other programs, or even sent to another machine. The syslog configuration file is not complex; it is easy to read and to use, and its comments are very helpful and worth reading.

Dedicated log analysis software
Swatch
http://swatch.sourceforge.net/
Interested readers can install and test it themselves.
10. File policy for Linux server security
Permission mode of a file
-r-xr-xr-x

Changing the permission mode of a file
The chmod command

Understanding SUID, SGID and the sticky bit
Introduction to SUID and SGID
SUID lets an ordinary user temporarily run with the permissions of the program's owner while executing certain programs.
SGID goes a step further: when the s bit is set in the group permissions it is the set-group-ID bit, SGID for short. SGID is used in two ways.
File: if SGID is set on a binary, the process's effective group becomes the group owner of the program while it runs, whoever the user is.
Directory: if SGID is set on a directory, every file or directory created inside it inherits the group of that directory.
SGID is generally used for project directories shared by a team; it is used less on the system itself.

Sticky bit (t bit)
Today the sticky bit is meaningful only on directories and has no effect on files. Its effect on a directory is: "In a directory with the sticky bit set, a user who has w and x permission on the directory can create files and directories there, but only the owner of a file (plus the directory's owner and root) may delete it." In other words, when a user has w permission on directory A through the group or other bits, that user can delete, rename or move any file or directory created in A by anyone; once the sticky bit is added to A, the user can delete, rename or move only the files and directories they created themselves.

Examples of SUID, SGID and the t bit
File permission values for SUID, SGID and the t bit
SUID (4): when another user executes the file, it runs with the permissions of the file's owner
SGID (2): when another user executes the file, it runs with the permissions of the file's group
t (1): see the /tmp example
Note: setting SUID on a directory is meaningless, and setting the t bit (1) on a file is equally meaningless.

Finding files with these bits using find
Find SUID programs
find / -perm -4000 -ls
Find SGID programs
find / -perm -2000 -ls
Find sticky-bit entries (only meaningful on directories, so look at directories only)
find / -type d -perm -1000 -ls

Demo: removing the SUID, SGID or t bit
Removing the SUID bit from /bin/ping, /bin/su and similar programs (chmod u-s)

Removing the t bit from /tmp (chmod o-t; note that /tmp should normally keep it, otherwise any user can delete other users' temporary files)
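The find predicates and the chmod demo above can be tried without touching /bin/su or /tmp. The following script is an added example, not part of the original notes: it builds a scratch directory with one entry per special bit, runs the same find predicates against it, and then removes the bits the way the demo does. The file names (suid_bin, sgid_bin, shared_tmp, plain) are made up for the example. It needs GNU find and stat; setting SGID as a non-root user requires the file's group to be one of your own groups, which is the case for files you just created.

```shell
#!/bin/sh
# Create a temp tree with a SUID file, an SGID file, a sticky directory and a
# plain file, and print its path. Nothing outside the temp dir is modified.
make_specialbits_tree() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho hi\n' > "$d/suid_bin"; chmod 4755 "$d/suid_bin"   # rwsr-xr-x
  printf '#!/bin/sh\necho hi\n' > "$d/sgid_bin"; chmod 2755 "$d/sgid_bin"   # rwxr-sr-x
  mkdir "$d/shared_tmp";                         chmod 1777 "$d/shared_tmp" # rwxrwxrwt
  printf 'plain\n' > "$d/plain";                 chmod 0644 "$d/plain"
  echo "$d"
}

# -perm -4000 means "all of these bits are set" (the leading '-'), so 4755
# matches and 0644 does not. -type f keeps directories out of the SUID/SGID
# lists, since those bits mean something different on a directory.
find_suid()        { find "$1" -type f -perm -4000 -exec basename {} \; | sort; }
find_sgid()        { find "$1" -type f -perm -2000 -exec basename {} \; | sort; }
# The sticky bit only matters on directories, so look at -type d only.
find_sticky_dirs() { find "$1" -type d -perm -1000 -exec basename {} \; | sort; }

# Same operation as the "/bin/ping, /bin/su" demo, on the scratch file:
# u-s clears the bit and the file keeps its ordinary rwxr-xr-x mode.
# Prints the resulting octal mode (4755 -> 755).
drop_suid()   { chmod u-s "$1"; stat -c '%a' "$1"; }
# Same operation as the "/tmp" demo: o-t clears the sticky bit (1777 -> 777).
drop_sticky() { chmod o-t "$1"; stat -c '%a' "$1"; }

# Walk through the demo on the scratch tree.
tree=$(make_specialbits_tree)
echo "SUID:   $(find_suid "$tree")"
echo "SGID:   $(find_sgid "$tree")"
echo "sticky: $(find_sticky_dirs "$tree")"
echo "after chmod u-s: $(drop_suid "$tree/suid_bin")"
echo "SUID now: '$(find_suid "$tree")'"
rm -rf "$tree"
```

On a real host the useful habit is to save the output of find / -perm -4000 -ls once at install time and diff against it periodically: a SUID file that was not there before is one of the oldest rootkit signatures.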

Extended file attributes
Extended file attributes
Also called hidden file attributes; they are a great help to the system, and for system security in particular they matter a great deal (the append-only attribute set with chattr +a is an example).

Tools for extended file attributes
chattr
lsattr
LCAP
11. The PAM module for Linux server security

12. SSH security configuration for Linux server security
13. Web security for Linux servers

① Compile from source and change the default banner
② Replace the default pages returned for HTTP status codes such as 404 and 503
③ Require a password for access to special directories: .htaccess
④ Disable directory listings: Options -Indexes
⑤ Disable execution of CGI programs: Options -ExecCGI
⑥ List and disable unneeded modules: httpd -l enumerates the compiled-in modules
⑦ Let only a specific directory execute PHP; do not let image or other upload directories execute PHP
Use mod_rewrite to rewrite URLs so that the path does not reveal the platform
(for example Discuz! exposes .php?id= and Discuz!NT 2.5 exposes .aspx?id=)
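Items ④, ⑤ and ⑦ are Options and handler settings that are easy to get wrong in one Directory block and right in another. The script below is an added example, not part of the original notes: it contains two constructed httpd.conf fragments (the paths /var/www/html and /var/www/html/uploads are made up), one permissive and one hardened as the checklist requires, and an audit function that flags every Options line still enabling Indexes, Includes or ExecCGI. The hardened fragment also shows one way to do ⑦ with mod_php's php_admin_flag and RemoveHandler; it assumes mod_php is in use.

```shell
#!/bin/sh
# Constructed permissive configuration: everything the checklist says to turn off.
WEAK_CONF='<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride None
</Directory>
<Directory "/var/www/html/uploads">
    Options Indexes
</Directory>'

# Constructed hardened version of the same two blocks.
HARDENED_CONF='<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI +FollowSymLinks
    AllowOverride AuthConfig
</Directory>
<Directory "/var/www/html/uploads">
    Options -Indexes
    # item 7: uploads are never run as PHP, they are served as plain files
    php_admin_flag engine off
    RemoveHandler .php .phtml
</Directory>'

# audit_options CONF: print "<directory> <option>" for every Options line that
# enables Indexes, Includes or ExecCGI. An option is enabled when it appears
# bare or with a '+' prefix; a '-' prefix is the fix and is not reported.
audit_options() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*<Directory/ { dir = $2; gsub(/[">]/, "", dir) }
    /^[[:space:]]*Options[[:space:]]/ {
      for (i = 2; i <= NF; i++) {
        opt = $i; sign = substr(opt, 1, 1)
        if (sign == "-") continue
        if (sign == "+") opt = substr(opt, 2)
        if (opt == "Indexes" || opt == "Includes" || opt == "ExecCGI")
          print dir, opt
      }
    }'
}

# Exit status 0 when nothing risky remains, so it can gate a config deploy
# (run it on the output of 'httpd -S' or on the file itself).
conf_is_hardened() { [ -z "$(audit_options "$1")" ]; }

echo "weak config:";     audit_options "$WEAK_CONF"
echo "hardened config:"; audit_options "$HARDENED_CONF"
```

The audit is textual and does not evaluate Apache's merge order (a later block or an .htaccess with AllowOverride Options can re-enable Indexes), so treat a clean result as necessary, not sufficient; the definitive check is still to request the directory URL and confirm you get 403 rather than a listing.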
14. DNS configuration for Linux server security

DNS security tools
1. DNS Flood Detector
2. DNSSEC
3. dnstop
15. FTP security for Linux server security
Common FTP clients and servers
Common FTP clients
CuteFTP, LeapFTP and the ftp program that ships with Windows.

Common FTP servers:
ProFTPD, Pure-FTPd, vsftpd and wu-ftpd on Linux
Serv-U and Gene6 on Windows

Comparison of common FTP servers
ProFTPD is feature-rich and its configuration syntax resembles Apache's.
wu-ftpd is now largely obsolete because of its poor security record: it has had a very large number of remote overflow vulnerabilities.
vsftpd is small and secure, and some very well-known sites use it:
ftp.redhat.com, ftp.suse.com
ftp.debian.org, ftp.openbsd.org, Ftp.freebsd
FTP-specific attacks
1. DDoS attacks
2. Remote overflow vulnerabilities
3. Local privilege escalation vulnerabilities
4. Brute-force password attacks
5. Plaintext passwords captured by a sniffer: dsniff,
ettercap-NG
16. VPNs for Linux server security

17. The iptables firewall for Linux server security
Common software firewalls: iptables, ipfw


18. Server monitoring for server security
Nagios configuration
19. Backing up server files
File backup
Directories that should be backed up
/home, /etc, /var/spool/mail, /usr/local
Site content plus database backups
tar, dd, dump, cpio

Dedicated backup software
Linux Backup
hubackup
pdumpfs
20. Using a CDN to accelerate a website while protecting it
CDN operators in China
ChinaCache
Fastcache
ChinaNetCenter (Wangsu)
CDNunion (free)

Common software for building your own CDN
Squid
HAProxy
Varnish
21. The final weapon: upgrade the kernel

###########################
Linux system security
1. Close unwanted ports
2. Linux physical security
3. Information gathering for network security
4. Port scanning for network security
5. Install and configure an intrusion detection system
6. Linux log analysis
7. File policy for Linux server security
8. The PAM module for Linux server security
9. SSH security configuration for Linux server security
10. Web security for Linux servers
11. DNS configuration for Linux server security
12. FTP security for Linux server security
13. VPNs for Linux server security
14. The iptables firewall for Linux server security
15. Server monitoring for server security
16. Backing up server files
17. Use a CDN to accelerate a website while protecting it
18. The final weapon: upgrade the kernel
