Linux Security Basics
I. System Introduction
Linux is a truly free operating system. It was originally written by Linus Torvalds out of personal interest in his spare time, later moved onto the Internet, and gradually evolved into the Linux of today. It has since attracted thousands of programmers around the world, who develop and improve this free operating system from many countries and regions. Linux inherits the characteristics of UNIX systems; its development embodies the painstaking effort of countless developers and reflects the spirit of building and sharing the information world.
II. Basic Concepts
1. Users and user groups
Linux has a strong user management mechanism, built on the concepts of users and user groups.
A user is an account that can log on to the system. Linux is a multi-user operating system that allows multiple users to log on at the same time, and it gives each account a user ID to distinguish one user from another.
In addition, Linux uses user groups to assign permissions to all users in the same group. Each group likewise has a group ID to distinguish it from other groups.
2. File and directory permissions
File and directory attributes determine access permissions, that is, who may access or execute the file.
Use the ls -l command to display the file type and file permissions.
For example, an ls -l line is read from left to right as the file type, the file owner (u) permissions, the file group owner (g) permissions and the other user (o) permissions:
-rwx 1 root 437428 Sep 15 21:21 vi
The file permission is made up of three triples. The first triple belongs to the user (u) who owns the file, the second to the group (g) that owns the file, and the third to all other users (o).
Linux manages file permissions in this way: the system determines what operations each user may perform on each file from the permission bits of that file.
One user is not bound by this restriction: the root user, the system's superuser, who can change the permissions of any file. Normal users can use chmod to change the permissions of their own files and directories.
In addition to the three rwx permissions described above, there are two special permission bits, s and t. The s bit appears in the third position, that is, the x position, of the owner triple or the group triple. It marks an executable file that, when run, executes with the ID of the file's owner (or group) rather than the ID of the user who ran it. Setting s on an executable poses a potential risk, especially when the owner or group owner is root. The t bit appears in the third position of the other user (o) triple. Normally, if a directory grants write and execute permission to other users, any user can delete any file in that directory regardless of who owns it or what its permissions are. With t set, users cannot delete or modify files in the directory that they do not own.
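The permission string described above can be decoded mechanically, and doing so is how a reviewer spots the risky cases the section mentions. The following example is added here and is not code from the original article: it parses constructed ls -l lines (the listing, owners and names are made up for the example), converts each rwx triple, including the s and t bits, into a numeric mode, and reports setuid-root executables, setgid executables and world-writable directories that lack the sticky bit.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed ls -l output for this example; not taken from a real system.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root  root  437428 Sep 15 21:21 vi
-rwxr-xr-x 1 root  root   12345 Sep 15 21:21 cat
-rwxr-sr-x 1 root  tty    10240 Sep 15 21:21 wall
drwxrwxrwt 9 root  root    4096 Sep 15 21:21 tmp
drwxrwxrwx 2 alice users   4096 Sep 15 21:21 shared
-rw-r--r-- 1 alice users    100 Sep 15 21:21 notes.txt
"""

# type, nine permission chars, link count, owner, group, size, month, day, time, name
LINE_RE = re.compile(
    r"^([-dlcbps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


@dataclass
class Entry:
    name: str
    ftype: str      # "-" regular file, "d" directory, ...
    owner: str
    group: str
    mode: int       # numeric mode including the special bits, e.g. 0o4755


def parse_mode(perm: str) -> int:
    """Turn the nine-character permission string into a numeric mode.

    The third character of each triple carries the special bits: s/S in the
    owner triple is setuid, s/S in the group triple is setgid, t/T in the
    other triple is the sticky bit; lowercase means x is set as well.
    """
    if len(perm) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, triple in enumerate((perm[0:3], perm[3:6], perm[6:9])):
        bits = 0
        if triple[0] == "r":
            bits |= 4
        if triple[1] == "w":
            bits |= 2
        if triple[2] in "xst":
            bits |= 1
        if i == 0 and triple[2] in "sS":
            mode |= 0o4000
        if i == 1 and triple[2] in "sS":
            mode |= 0o2000
        if i == 2 and triple[2] in "tT":
            mode |= 0o1000
        mode |= bits << (3 * (2 - i))   # owner is the high triple
    return mode


def parse_listing(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ftype, perm, owner, group, name = m.groups()
            entries.append(Entry(name, ftype, owner, group, parse_mode(perm)))
    return entries


def audit(entries: List[Entry]) -> Dict[str, List[str]]:
    """Flag the conditions the text warns about."""
    report: Dict[str, List[str]] = {"setuid_root": [], "setgid": [], "world_writable_no_sticky": []}
    for e in entries:
        if e.mode & 0o4000 and e.owner == "root":
            report["setuid_root"].append(e.name)          # runs as root for any caller
        if e.mode & 0o2000 and e.ftype == "-":
            report["setgid"].append(e.name)               # runs with the file's group
        if e.ftype == "d" and e.mode & 0o002 and not e.mode & 0o1000:
            report["world_writable_no_sticky"].append(e.name)  # anyone may delete others' files
    return report


if __name__ == "__main__":
    for key, names in audit(parse_listing(SAMPLE_LISTING)).items():
        print(f"{key}: {names}")
```

Feeding real ls -l output into parse_listing works as long as the file names contain no newline; the regex deliberately accepts both the lowercase (x also set) and uppercase (x not set) forms of the special bits, since the uppercase form is what a chmod 4644 mistake looks like.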
III. System Authentication
Linux now uses a newer authentication mechanism, Pluggable Authentication Modules (PAM).
PAM is an authentication mechanism originally proposed by Sun. It provides dynamically linked libraries and a set of unified APIs that separate the services the system provides from the way those services authenticate users. The system administrator can therefore configure different authentication methods for different services as needed without changing the service programs, and new authentication methods can easily be added to the system.
The system administrator uses the PAM configuration file to define an authentication policy, that is, to specify which authentication methods each service must use. Application developers call those methods through the PAM API in their service programs. PAM service module developers use the PAM SPI (Service Module API) to write authentication modules, mainly by implementing the pam_sm_xxxx() functions that libpam calls, and in this way add different authentication mechanisms (such as traditional UNIX authentication or Kerberos) to the system. The PAM core library (libpam) reads the configuration file and associates each service program with its authentication methods.
PAM thus makes authentication across the whole system more flexible: the administrator can swap authentication modules as needed and configure the environment for different security levels.
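The policy file the administrator writes is a stack of modules per management group, and the outcome depends on the control flag in front of each module. The following example is added here and is not code from the original article or from Linux-PAM: it parses a constructed policy file for a hypothetical service (the stack is illustrative; the module names pam_securetty.so, pam_krb5.so and pam_unix.so are real modules) and walks the auth and account stacks with the semantics of the four simple Linux-PAM control flags, which the article itself does not describe: requisite fails at once, required records a failure but keeps going, sufficient ends the stack on success unless a required module already failed, and optional only counts when nothing else decided. Module outcomes are supplied as a constructed dictionary in place of real password or Kerberos checks.

```python
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]   # (control flag, module name)

# Constructed policy file for a hypothetical service; the module names are
# real Linux-PAM modules but the stack itself is illustrative only.
SAMPLE_CONFIG = """\
# type     control     module
auth       requisite   pam_securetty.so
auth       sufficient  pam_krb5.so
auth       required    pam_unix.so
account    required    pam_unix.so
"""


def parse_pam_config(text: str) -> Dict[str, Stack]:
    """Group the lines of a PAM policy file by management group (auth, account, ...)."""
    groups: Dict[str, Stack] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed line: {line!r}")
        mtype, control, module = parts[0], parts[1].lower(), parts[2]
        groups.setdefault(mtype, []).append((control, module))
    return groups


def evaluate_stack(stack: Stack, results: Dict[str, bool]) -> bool:
    """Walk one stack with Linux-PAM's four simple control flags.

    `results` maps module name to the (constructed) outcome that module would
    return; the function returns whether the stack as a whole succeeds.
    """
    impression = None   # None: undecided, True: success so far, False: a required module failed
    for control, module in stack:
        ok = results.get(module, False)
        if control == "requisite":
            if not ok:
                return False                 # fail at once; later modules are not consulted
            if impression is None:
                impression = True
        elif control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False           # remember the failure but keep going, so the
                                             # caller cannot tell which module rejected it
        elif control == "sufficient":
            if ok and impression is not False:
                return True                  # success ends the stack unless required already failed
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:
                impression = True            # only decisive when nothing else decided
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return impression is True                # nothing succeeded counts as denial


def authenticate(config: Dict[str, Stack], results: Dict[str, bool]) -> bool:
    """A service passes only if both its auth and account stacks succeed.

    An empty or missing stack is treated as denial in this model (real
    Linux-PAM would fall back to the 'other' service's configuration).
    """
    return all(evaluate_stack(config.get(g, []), results) for g in ("auth", "account"))
```

The ordering in the sample stack is the point: because pam_unix.so is required after the sufficient Kerberos module, a Kerberos success short-circuits the password check, while a Kerberos failure is silently ignored and the password check decides. Reordering the two lines changes the policy without touching any service program, which is the flexibility the section describes.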
IV. Secure Shell
In traditional system administration, administrators often log on through telnet to manage the system. Used this way, the user name and password travel across the network in plain text and are easily captured. SSH (Secure Shell) is an encrypted client-server application that provides secure communication through RSA-based host authentication and several options for user authentication. It offers replacements for rlogin, rsh and rcp, and also provides encrypted X Window System connections and encrypted TCP session forwarding.
The following figure shows the entire SSH authentication and connection process:
SSH thus protects user data throughout the communication and keeps its content private.
V. Filtering Packets with ipchains
In a default installation, the system exposes all of its service ports to the outside. ipchains can be used to configure the system as a host-based firewall; appropriate rules can effectively restrict access, protect the system and control access within the LAN.
A firewall is a system that prevents unauthorized traffic from entering, leaving or passing through the network. In Linux, the ipchains command establishes rules that selectively restrict inbound, outbound and forwarded traffic, thereby providing firewall protection.
Linux ipchains implements a packet-filtering firewall. Every packet on the network is filtered according to rules: the ipchains code in the kernel examines each packet for the specified source and destination IP addresses and ports, or the specified ICMP type and code.
The entire ipchains packet-filtering process is shown in the following figure:
As each packet arrives, ipchains checks its IP header against the rules and filters it accordingly. It likewise checks every packet leaving the local machine, so that both incoming and outgoing packets comply with the rules.
Besides acting as a host-based firewall, ipchains can also be configured as a network-based firewall to protect an entire network segment.
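The rule-matching the section describes can be modelled in a few dozen lines, which makes the effect of rule order visible before anything is loaded into a kernel. The following example is added here and is not code from the original article or from ipchains: it models an ipchains-style chain in which rules are tried in order, the first matching rule that carries a target decides, a rule without a target only counts, and the chain policy applies when nothing matches. The host firewall it builds (deny by default, refuse telnet, allow SSH and echo-request from the LAN) and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # tcp/udp destination port
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    target: Optional[str] = None    # "ACCEPT", "DENY", "REJECT"; None means count only
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR, e.g. "192.168.1.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set on the rule must agree with the packet."""
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


class Chain:
    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> "Chain":
        self.rules.append(rule)
        return self

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt) and rule.target is not None:
                return rule.target      # first matching rule with a target wins
        return self.policy              # otherwise the chain policy applies


def host_input_chain(lan: str = "192.168.1.0/24") -> Chain:
    """Input chain for a host firewall like the one the text describes:
    deny everything by default, refuse telnet even from the LAN, count all
    SSH attempts, allow SSH and ping only from the LAN."""
    chain = Chain(policy="DENY")
    chain.append(Rule(target="DENY", proto="tcp", dport=23))                 # telnet is plaintext: refuse
    chain.append(Rule(proto="tcp", dport=22))                                # count SSH from anywhere
    chain.append(Rule(target="ACCEPT", proto="tcp", src=lan, dport=22))      # SSH from the LAN only
    chain.append(Rule(target="ACCEPT", proto="icmp", src=lan, icmp_type=8))  # echo-request from the LAN
    return chain


if __name__ == "__main__":
    chain = host_input_chain()
    for pkt in (Packet("tcp", "192.168.1.10", "192.168.1.1", dport=22),
                Packet("tcp", "203.0.113.5", "192.168.1.1", dport=22),
                Packet("tcp", "192.168.1.10", "192.168.1.1", dport=23)):
        print(pkt, "->", chain.verdict(pkt))
```

Because the telnet rule sits first, a later broad ACCEPT for the LAN cannot reopen port 23; the reverse order would silently allow it, which is the kind of mistake this model lets you catch on paper.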
VI. System Logs
Linux uses logs to record user actions and system error messages. Two logging daemons are important: syslog and klogd.
Syslog runs as a daemon. At startup it reads its options from the /etc/syslog.conf file and writes messages from the various applications to the corresponding log files.
Klogd is the kernel logging program; it records kernel errors and exceptions.
The figure below shows the flow of log information.
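How syslog decides which file a message lands in is determined entirely by the selectors in /etc/syslog.conf, and misreading them is a common reason that security-relevant messages end up in no file at all. The following example is added here and is not code from the original article or from the syslog implementation: it parses a constructed /etc/syslog.conf (the file and paths are made up for the example), interprets facility.priority selectors in the classic way (a priority means that level and anything more severe; =level means exactly that level; none excludes the facility; selectors on one line are applied left to right with the last one naming a facility winning), and reports every action a message of a given facility and level would reach.

```python
from typing import List, Tuple

# Severity levels from most to least severe, as used by syslog.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Constructed /etc/syslog.conf for this example.
SAMPLE_CONF = """\
# selector(s)                        action
*.info;mail.none;authpriv.none       /var/log/messages
authpriv.*                           /var/log/secure
mail.*                               /var/log/maillog
kern.*                               /var/log/kernel
*.emerg                              *
"""

Selector = Tuple[List[str], str]              # (facilities, priority spec)
Rule = Tuple[List[Selector], str]             # (selectors, action)


def parse_conf(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)   # selectors contain no whitespace
        specs: List[Selector] = []
        for sel in selectors.split(";"):
            facilities, priority = sel.rsplit(".", 1)
            specs.append((facilities.split(","), priority.lower()))
        rules.append((specs, action.strip()))
    return rules


def priority_matches(spec: str, level: str) -> bool:
    """'info' means info and anything more severe; '=info' means exactly info."""
    if spec == "none":
        return False
    if spec == "*":
        return True
    exact = spec.startswith("=")
    name = spec.lstrip("=")
    wanted = LEVELS.index(ALIASES.get(name, name))
    actual = LEVELS.index(ALIASES.get(level, level))
    return actual == wanted if exact else actual <= wanted


def route(rules: List[Rule], facility: str, level: str) -> List[str]:
    """Return the actions that receive a message of the given facility and level.

    Within one line the selectors are applied left to right and the last one
    naming the facility wins, which is how `mail.none` removes mail messages
    from a line that starts with `*.info`.
    """
    actions = []
    for specs, action in rules:
        matched = False
        for facilities, priority in specs:
            if "*" in facilities or facility in facilities:
                matched = priority_matches(priority, level)
        if matched:
            actions.append(action)
    return actions


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for fac, lvl in (("authpriv", "info"), ("kern", "err"), ("daemon", "debug")):
        print(f"{fac}.{lvl} -> {route(rules, fac, lvl)}")
```

Running route for the facilities your services actually log to (daemon.debug in the sample reaches nothing) is a quick way to find messages that are being discarded before anyone can read them.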