Linux network security tips: network intrusion check
The log files in the operating system are an important clue for detecting network intrusion. Of course, this assumes that your log files have not been damaged by the intruder. If you have a server that uses a leased line to connect directly to the Internet, your IP address is a permanent, fixed address, and you will find that many people try to log in to your system with telnet/ftp. To check, run # more /var/log/secure | grep refused
Linux network security tips: Limit the number of programs with the SUID permission flag
Programs with this permission flag run as root, which is a potential security vulnerability. Of course, some programs must have this flag, such as the passwd program.
Linux network security tips: BIOS security.
Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.
Linux network security tips: user passwords
User passwords are the most basic starting point for Linux security. Many users use simple passwords, which opens the door to intruders. In theory no user password is unbreakable: any password can be cracked given enough time and resources. A good user password is a string of characters that only the user can easily remember and understand, and it should never be written down anywhere.
Linux network security tips: /etc/exports file
If you use the NFS network file system service, make sure that your /etc/exports has the strictest access permission settings. This means that you do not use any wildcards, do not allow root write permissions, and mount the export as a read-only file system. Edit the /etc/exports file and add, for example:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine that is allowed to access this directory, ro means that it is mounted as a read-only file system, and root_squash prohibits root from writing to this directory.
To make the above changes take effect, run /usr/sbin/exportfs-
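One way to check an exports file against the rules above, as an added example that is not part of the original article: the function name audit_exports, the finding labels and the sample entries are constructed for illustration. As a policy assumption it requires ro and root_squash (or all_squash) to be written explicitly, as in the article's entries, rather than relying on defaults.

```shell
# audit_exports FILE|- : flag /etc/exports entries that break the rules above.
# Returns 1 if anything is flagged. Assumption: ro and root_squash must be explicit.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    NF == 1 {                            # directory with no host list
        printf "line %d: %s exported to any host\n", NR, $1; bad = 1; next
    }
    {
        for (i = 2; i <= NF; i++) {      # one host(options) entry per field
            host = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                host = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            ro = rw = sq = nosq = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "ro") ro = 1
                if (o[j] == "rw") rw = 1
                if (o[j] == "root_squash" || o[j] == "all_squash") sq = 1
                if (o[j] == "no_root_squash") nosq = 1
            }
            why = ""
            if (host == "" || host ~ /[*?]/) why = why " wildcard-host"
            if (!ro || rw)                   why = why " not-read-only"
            if (!sq || nosq)                 why = why " root-not-squashed"
            if (why != "") {
                printf "line %d: %s %s:%s\n", NR, $1, $i, why; bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real system.
sample_exports() {
    cat <<'EOF'
/dir/to/export host1.mydomain.com(ro,root_squash)
/home *.mydomain.com(rw,no_root_squash)
/srv/pub host2.mydomain.com(ro) host3.mydomain.com(rw,root_squash)
# /old host4.mydomain.com(rw)
/scratch
EOF
}
sample_exports | audit_exports - || true
```

On a real host, pass the file path instead of "-", for example audit_exports /etc/exports, and treat a non-zero exit status as a failed check.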
Linux network security tips: Be sure that the owner of /etc/inetd.conf is root and the file permission is set to 600.
[root@deep]# chmod 600 /etc/inetd.conf
Ensure that the owner is root:
[root@deep]# stat /etc/inetd.conf
File: "/etc/inetd.conf"
Size: 2869 Filetype: Regular File
Mode: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 8,6 Inode: 18219 Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Change:Mon Sep 20 10:22:44 1999(00002.06:12:16)
Edit /etc/inetd.conf to disable the following services:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc., unless you really need to use them. In particular, disable the r commands. If you use ssh/scp, you can also disable telnet/ftp.
To make the change take effect, run # killall -HUP inetd. You can also run # chattr +i /etc/inetd.conf to make the file immutable. Only the root user can remove this attribute, by running # chattr -i /etc/inetd.conf.
Linux network security tips: TCP_WRAPPERS
By default, Redhat Linux allows all requests. Using TCP_WRAPPERS to enhance the security of your site is a breeze.
Add "ALL: ALL" to /etc/hosts.deny to prohibit all requests, and then put the explicitly allowed requests in /etc/hosts.allow, such as:
sshd: 192.168.1.10/255.255.255.0 gate.openarch.com
This means that the IP address 192.168.1.10 and the host name gate.openarch.com are allowed to connect through ssh. After the configuration is complete, use tcpdchk to check it:
[root@deep]# tcpdchk
tcpdchk is a TCP_WRAPPERS configuration checking tool that examines your TCP wrapper configuration and reports all potential and existing problems it detects.
That concludes these Linux network security tips. There are many other methods that can effectively protect the security of Linux networks, and we will introduce them in future articles.