Linux security preliminary settings

Source: Internet
Author: User
Article Title: Linux security preliminary settings. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Not long ago, I downloaded the latest kernel version with great patience, but it was done through the dial-in connection. Throughout the download process, I am eager to use high-speed Internet connections at home one day. The arrival of xDSL and cable cat makes it possible, but this does not include price factors.
At the same time I wrote this article, somewhere in the world, maybe someone was installing and releasing Linux for the first time on his home computer. A new Linux administrator sets an account for his/her family and friends to run the system. In a short period of time after the initial installation, the Linux system may be connected to the Internet with a high-speed DSL that is stimulating.
Still vulnerable to attacks
Today, almost all available linux releases have security vulnerabilities, most of which are easily attacked. However, unfortunately, they are open by Convention and practice. When a typical Linux installation is started for the first time, it provides a variety of services that can be attacked, such as SHELL, IMAP, and POP3. These services are often used by idle users as a starting point for system breakthrough as needed. This is not only a limitation of Linux-the well-experienced commercial UNIX also provides such services, it will also be broken through.
There is no need to complain or blame, and the locking of the new system (professional statement of strong system) is very important. Believe it or not, the robust process of a Linux system does not require too much system security expertise. In fact, you can block 90% of the unreliable factors within five minutes.
Let's get started.
Before starting a solid system, ask yourself about the role of your machine and the comfort of accessing the Internet. You need to carefully determine the services you want to provide to the whole world. If you are not sure yet, it is best not to do anything. It is very important to clarify your own security policies. You need to decide which applications are acceptable and which are unacceptable on your system.
In this article, the goal of the example machine is to use it as a workstation to send and receive mail, read news, and browse Web pages.
Establish Network Service Security
First, log on to the system as a Super User (root) and run the netstat command (this is a standard network tool for most Linux systems) to check the current network status. The output result is as follows:
Root @ percy/] # netstat-
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
Tcp 0 0 *: imap2 *: * LISTEN
Tcp 0 0 *: pop-3 *: * LISTEN
Tcp 0 0 *: linuxconf *: * LISTEN
Tcp 0 0 *: auth *: * LISTEN
Tcp 0 0 *: finger *: * LISTEN
Tcp 0 0 *: login *: * LISTEN
Tcp 0 0 *: shell *: * LISTEN
Tcp 0 0 *: telnet *: * LISTEN
Tcp 0 0 *: ftp *: * LISTEN
Tcp 0 0 *: 6000 *: * LISTEN
Udp 0 0 *: ntalk *:*
Udp 0 0 *: talk *:*
Udp 0 0 *: xdmcp *:*
Raw 0 0 *: icmp *: * 7
Raw 0 0 *: tcp *: * 7
As you can see, the initial installation does not listen to a certain number of services, and most of these services are troublesome manufacturers in the configuration file/etc/inetd. conf.
Open this file in your text editor and log out of the services you don't want to provide. You only need to add a ''#'' before the lines that contain the service content ''#'', all the services in this example have been canceled. Of course, if you decide to provide some of these services, it is up to you to decide.
Now, restart inetd to make the changes take effect. There are multiple methods depending on the system. An example is as follows:
Killall-HUP inetd
Re-use netstat to check the open socket and pay attention to the changes.
Next, check which processes are running. Generally, sendmail, lpd, and snmd are waiting for access requests. Therefore, machines do not provide services for any such requests, so they should terminate the operation.
Generally, these services are started by the system initialization script, which may vary depending on the release, and can be found in/etc/init. d or/etc/rc. d. If you are not sure, please refer to the document you used for release. The goal is to prevent scripts from starting these services when the system starts.
If you use a packaging system for Linux release, take some time to remove the services you don't need. In this example, the machine includes sendmail and r header service processes (rwho, rwall, etc.), lpd, ucd-snmp, and apache. This is the easiest way to ensure that such services are not activated accidentally.
X solid means
Most recent releases support logging in to the X Window when the machine is started for the first time, such as xdm for management. Unfortunately, this is also the main attack point. By default, a machine allows any host to request a login window, even if only one user can log on directly from the console, this feature also needs to be blocked.
The configuration file changes according to the logon manager you use. Xdm is used on the local machine. Therefore, the/usr/X11R6/lib/X11/Xaccess file needs to be modified and a ''#'' symbol is added to prevent the service from being started. My Xaccess settings are as follows:
# * # Any host can get a login window
# * # Any indirect host can get a chooser
This setting is valid when xdm is started again.
Software Upgrade
Now some basic solid measures have been completed, so you must always pay attention to the release upgrades and enhancements of publishers. Lack or even absence of maintenance is a major factor endangering system security.
One of the safeguards for open-source software is its continuous development. Many people spend a lot of time constantly looking for security defects. This directly leads to the continuous maintenance process of Linux release, and frequent guidance on upgrading programs, bug patches, and security appear on the webpage. Check the publisher's webpage several days or weeks to see if any patch or upgrade program is installed.
Follow-up work
Now, the processed machines are more secure than the ones installed for the first time, but it is never an attack, but there is no obvious attack. The method listed here is like locking your car or house. Average-level thieves will be shaken by such measures, realize that this is a lock and turn to other systems that are not protected.
If you believe that these measures do not provide sufficient security performance, you may want to provide some network services over the Internet. It takes some time to find more advanced security technologies before proceeding.
Unfortunately, many Linux publishers assume that their customers are familiar with these services and want to use them. But this is not the case for initial users. Of course, there are still a lot of undeveloped fields before the Linux system's security is fully guaranteed. These steps are the most basic security protection for known system vulnerabilities.
Today, most protection measures that compromise system and network security are relatively weak. With the popularity of Linux and the gradual implementation of high-speed Internet access, attacks that flood into unprotected Linux systems will increase.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.