A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1. Linux-based network security policies and protection measures
With the increasing popularity of Internet/Intranet networks, more and more users are using Linux network operating systems as servers. This is because Linux is a free and genuine open-source software, on the other hand, compared with Microsoft's Windows NT network operating system, Linux has better stability, efficiency and security. In a large number of Internet/Intranet applications, the security of the network itself is facing a major challenge, followed by information security issues are becoming increasingly prominent. Take the United States as an example. According to statistics released by the FBI, the annual economic losses caused by network security problems in the United States are as high as 7.5 billion US dollars, on average, an Internet computer hacker intrusion occurs every 20 seconds. Generally, the security threats of computer network systems come from hacker attacks and computer viruses. Why do hackers often succeed in attacks? The main reason is that many people, especially many network administrators, do not have a minimum awareness of network security and do not adopt effective security policies and security mechanisms for the network operating systems they use to give hackers a chance. In China, network security research started late, so network security technology and network security talents still need to be improved and developed as a whole. This article hopes to make a useful analysis and discussion on this issue.
We know that a network operating system is a system software used to manage various hardware and software resources in a computer network, share resources, and provide services to users in the network to ensure the normal operation of the network system. How to ensure the security of the network operating system is the root of network security. Only when the network operating system is secure and reliable can the security of the entire network be ensured. Therefore, it is necessary to analyze the security mechanism of the Linux system in detail, identify potential security risks, and provide corresponding security policies and protection measures.
2. Basic Security Mechanism of Linux Network Operating System
The Linux network operating system provides basic security mechanisms such as user accounts, file system permissions, and System Log Files. If these security mechanisms are improperly configured, the system may have certain security risks. Therefore, the network system administrator must carefully set these security mechanisms.
2.1 Linux User Account
In Linux, a user account is a user's identity sign, which consists of a user name and a user password. In Linux, the system stores the entered user name in the/etc/passwd file, and the entered password is encrypted in the/etc/shadow file. Under normal circumstances, these passwords and other information are protected by the operating system. Only root users and operating system applications can access these passwords. However, this information can be obtained by common users if it is improperly configured or when system operation errors occur. Then, malicious users can use a type of tool called "password cracking" to obtain the pre-encryption password.
2.2 Linux File System Permissions
Linux File System security is mainly achieved by setting file permissions. Each Linux file or directory has three sets of attributes, which define the owner of the file or directory respectively, user Group and other user permissions (read-only, writable, executable, SUID allowed, and SGID allowed ). Note that the executable files with the SUID and SGID permissions will be granted to the process owner during the running of the program. If they are discovered and exploited by hackers, the system may be compromised.
2.3 properly utilize Linux Log Files
Linux Log files are used to record the usage of the entire operating system. As a Linux Network Administrator, make full use of the following log files.
Record the information of the user that finally enters the system, including the logon time, logon success or not. In this way, you only need to use the lastlog command to check the last logon time of the account recorded in the/var/log/lastlog file, then compare it with your machine records to find out whether the account has been stolen by hackers.
Record the logon time and location of all users since the activation of the system. You can provide more reference to the system administrator.
Record the logon time, location, and logout Time of the current and historical users logging on to the system. You can run the last command to view the logs. To clear the system logon information, you only need to delete the file and the system generates new logon information.
3. Possible Linux network system attacks and security defense policies
The Linux operating system is a type of open-source operating system. Therefore, it is vulnerable to attacks from the underlying layer. The system administrator must be aware of security and take certain security measures for the system, in this way, the security of the Linux system can be improved. For system administrators, it is especially important to clarify possible attack methods for Linux network systems and take necessary measures to protect their systems.
3.1 possible types of attacks on Linux Network
3.1.1 "Denial of Service" Attack
The so-called "Denial of Service" attack means that hackers use destructive methods to block the resources of the target network, temporarily or permanently paralyze the network, so that the Linux network server cannot provide services for normal users. For example, hackers can simultaneously send a large number of consecutive TCP/IP requests to the target computer using a forged source address or multiple computers in a controlled place, thus paralyzing the target server system.
3.1.2 "password cracking" Attack
Password security is the first line of defense to protect your system security. Password cracking attacks aim to crack users' passwords and obtain encrypted information resources. For example, hackers can use a high-speed computer and a dictionary library to try a combination of various passwords until they finally find the password that can enter the system and open network resources.
3.1.3 "spoofing users" Attack
A "spoofing user" attack refers to a network hacker disguised as an engineering technician of a network company or computer service provider, who sends a call to the user and requires the user to enter a password when appropriate, this is one of the most difficult ways for users to deal with. Once a user's password is compromised, hackers can use the user's account to access the system.
3.1.4 "scanning program and network listener" Attacks
Many network intrusions start with scanning. Hackers can use scanning tools to identify various vulnerabilities on the target host and use them to launch system attacks.
Network listening is also a common method for hackers. After successfully logging on to a host on the network and obtaining the superuser control of the host, hackers can use network monitoring to collect sensitive data or authentication information, so as to seize control of other hosts on the network in the future.
3.2 Linux Network Security Protection Policies
Looking at the development history of the network, we can see that attacks on the network may come from illegal users or legal users. Therefore, as the administrator of a Linux network system, you must always be vigilant against external hacker attacks and strengthen management and education for internal network users. The following security policies can be used.
3.2.1 carefully set permissions for each internal user
To protect Linux network system resources, when setting up an account for an internal network user, you should carefully set the permissions for each internal user. Generally, the "minimum permission" principle should be followed, that is, only each user is granted the server access permissions required to complete their specific tasks. This will greatly increase the management workload of the system administrator, but this principle should be adhered to for the security of the entire network system.
3.2.2 ensure the security of the user password file/etc/shadow
For network systems, passwords are prone to problems. As a system administrator, users should be notified to use secure passwords when setting passwords (using non-letters in the password sequence, special characters such as numbers), and increase the password length (more than 6 characters ). The system administrator needs to protect the security of the files/etc/passwd and/etc/shadow, so that irrelevant persons are not allowed to obtain the files, in this way, hackers use programs such as John to conduct dictionary attacks on the/etc/passwd and/etc/shadow files to obtain user passwords. The system administrator should periodically use John and other programs to simulate dictionary attacks on the/etc/passwd and/etc/shadow files of the system. Once an insecure user password is found, force the user to modify it immediately.
3.2.3 strengthen monitoring and recording of system operations
The Linux network system administrator should monitor and record the running status of the entire network system, so that suspicious network activities can be found through analysis and record data, and take measures to prevent potential intrusion in advance. If the attack has been committed, you can track and identify hackers who intrude into the system using the recorded data.
3.2.4 reasonably divide subnets and Set firewall
If the internal network needs to enter the Internet, you must set a firewall at the interface between the internal network and the external network to ensure data security in the internal network. For the internal network itself, in order to facilitate management and rationally allocate IP Address Resources, the internal network should be divided into multiple subnets. This can also prevent or delay hacker intrusion into the entire internal network.
3.2.5 perform regular security checks on Linux Networks
The operation of the Linux network system is dynamic, so its security management is also changing. There is no fixed mode. as the administrator of the Linux network system, after a security protection policy is set for the system, the system should be regularly inspected for security and attacks should be attempted against the server managed by itself. If any vulnerability in the security mechanism is found, measures should be taken to remedy the problem immediately, hackers are not allowed to take the opportunity.
3.2.6 prepare appropriate data backup plans to ensure that the system is safe
No operating system is reliable, and no security policy is foolproof. Therefore, as a Linux system administrator, you must develop an appropriate data backup plan for the system, make full use of tape drives, disc recorders, dual-host hot backup and other technical means to save data backups for the system, so that once the system is damaged or paralyzed by hacker attacks, it can quickly restore the work, minimize the loss.
4. Strengthen the Management of Linux network servers and rationally use various tools
4.1 Use record tools to record access to Linux systems
Linux administrators can use the Recording files and recording tools described earlier to record events. They can view or scan Recording files every day, which record all information about system operation. If necessary, you can extract high-priority events and send them to relevant personnel for handling. If exceptions are found, you can take immediate measures.
4.2 Use the Telnet service with caution
In Linux, when using Telnet for remote login, the user name and user password are transmitted in plaintext, which may be intercepted by other users who listen online. Another danger is that hackers can use Telnet to log on to the system. If they obtain another Superuser password, the harm to the system will be disastrous. Therefore, do not enable the Telnet service if you do not need it. To enable the Telnet service, you must use special tools and software to remotely log on. In this way, you can transmit encrypted user passwords on the Internet, this prevents the password from being intercepted by hackers during transmission.
4.3 reasonably set NFS and NIS services
Network File System (NFS) service allows workstations to share one or more File systems output by servers over the Network. However, for a poorly configured NFS server, users can read or modify files stored on the NFS server without logging on, making the NFS server vulnerable to attacks. If you must provide the NFS service, make sure that the Linux-based NFS server supports Secure RPC (Secure Remote Procedure Call) to use DES (Data Encryption Standard) the encryption algorithm and Exponential Key Exchange technology verify the identity of the user for each NFS request.
Network Information System (NIS) is a distributed data processing System that allows computers on the Network to share passwd files, group files, host table files, and other shared System resources over the Network. Using the NIS and NFS services, you can operate data on workstations in the network as if you were operating and using resources in a single computer system, in addition, this operation process is transparent to users. However, the NIS Service also has a vulnerability. In the NIS system, malicious users can use their own programs to simulate the ypserv in the Linux system to respond to the ypbind request and intercept the user's password. Therefore, NIS users must use the secure Option of ypbind and do not accept the ypserv response with the port number smaller than 1024 (non-privileged port.
4.4 Configure FTP service with caution
The FTP service is the same as the Telnet service mentioned earlier. The user name and password are also transmitted in plaintext. Therefore, to ensure system security, special users such as root, bin, daemon, and adm must be prohibited from Remotely accessing the FTP server by configuring the/etc/ftpusers file, by setting/etc/ftphosts, some hosts cannot be connected to the FTP server. If the anonymous FTP service is enabled, anyone can download files (and sometimes upload files). Therefore, anonymous FTP services should be prohibited unless otherwise required.
4.5 properly set up POP-3, Sendmail, and other email services
For the POP-3 service, the password of the email user is transmitted to the network in plaintext mode, and hackers can easily intercept the user name and password. To solve this problem, you must install the POP-3 server that supports the encrypted transfer password (that is, the Authenticated POP command is supported), so that you can encrypt the password before sending it to the network.
The Sendmail server program of the old version has security risks. To ensure the security of the mail server, install the latest version of Sendmail server software that has eliminated security risks as much as possible.
4.6 Strengthen the Management of WWW servers and provide secure WWW services
After a Website Based on Linux is built, most users access the network through the Web server using the WWW browser. Therefore, the security of Web servers must be paid special attention, regardless of the HTTP-based Web server software, pay special attention to CGI scripts (Common Gateway Interface), which are executable programs, generally stored in the Web server CGI-BIN directory, in the configuration of the Web server, to ensure that CGI executable scripts are only stored in the CGI-BIN directory, this can ensure the security of the script, it does not affect the security of other directories.
4.7 it is best to disable the finger service
In Linux, the finger command can display the details of logged-on users in the local or remote system. Hackers can exploit this information to increase the chance of intruding into the system. For system security, it is best to disable the finger service, that is, to delete the finger command from/usr/bin. If you want to retain the finger service, replace the finger file or change the permission to allow only the root user to execute the finger command.
Because the Linux operating system is widely used and the source code is made public, it is the most thorough operating system researched by many computer users, and the configuration of Linux itself is quite complicated, according to the preceding security policies and protection mechanisms, the system risks can be minimized, but security vulnerabilities cannot be completely eliminated. As a Linux system administrator, you must be aware of security, conducts regular security checks on the system and immediately takes measures to detect vulnerabilities, so that hackers are not allowed to take the opportunity. The security measures described in this article have been verified on red-flag Linux 1.0 and blue-point Linux, and are actually applied to the Computer Integrated Management System of our library, it ensures the safe and stable operation of the integrated computer management system of the library in our hospital.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service