Today many small and medium-sized organizations keep updating or upgrading their networks as the business grows, so their environments differ widely. The platform is rarely uniform: most servers run Linux while the PCs run Windows, so in enterprise use Linux/Unix and Windows coexist in a heterogeneous network. Small and medium-sized enterprises often lack a thorough approach to network security because they have neither experienced Linux network administrators nor a budget for security products. This article addresses those problems from two angles: server security and network device security.
I. Server Security:
1. Disable useless ports
Every network connection goes through an open application port. The fewer ports we leave open, the fewer avenues an attacker has, and the chance of a successful attack drops sharply.
Start by checking your inetd.conf. inetd listens on a set of ports and starts the corresponding service on demand, so a vulnerable or trojaned inetd service is a direct way in. Comment out every service you will never use in inetd.conf (echo, gopher, rsh, rlogin, rexec, ntalk, finger and the like). Unless absolutely required, rsh, rlogin and rexec must be commented out, and telnet should be replaced by the more secure ssh. Then restart inetd, or kill it outright if nothing is left for it to serve, so that it no longer listens on the machine and nobody can abuse it to reach an application port. It is also worth running a port scanner against your own system: for every open port you do not recognise, find the process that owns it at once and decide whether to shut it down.
2. Delete unused software packages
During system planning the general principle is to remove everything that is not needed. By default Linux runs many services; most of them are unnecessary and each one is a potential risk. The relevant file is /etc/inetd.conf, which defines the services that /usr/sbin/inetd listens for. You will probably need at most two of them, telnet and ftp; the others, such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger and auth, should all be disabled unless you really use them.
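The two steps above (commenting out inetd.conf entries and scanning for ports you do not recognise) as an added shell example, not code from the original article. The inetd.conf and the netstat output it works on are constructed samples; on a live host you would point the functions at /etc/inetd.conf and pipe in the real `netstat -ltn`.

```shell
#!/bin/sh
# Added example: audit inetd.conf and the listening TCP ports of a Linux host.
# The inetd.conf and netstat output below are constructed samples, not taken
# from any real system.

SAMPLE_INETD=$(mktemp)
cat >"$SAMPLE_INETD" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
echo    stream  tcp  nowait  root    internal
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
ntalk   dgram   udp  wait    nobody.tty /usr/sbin/tcpd in.ntalkd
EOF

# Print the service names inetd would actually listen for (uncommented lines).
enabled_inetd_services() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1 }' "$1"
}

# Comment out the named services in an inetd.conf, keeping a .bak copy.
# sed -i is not POSIX, so each pass writes a temp file and moves it into place.
# Afterwards send inetd a HUP (kill -HUP <pid>) or stop it if nothing is left.
disable_inetd_services() {
    file=$1; shift
    cp "$file" "$file.bak"
    for svc in "$@"; do
        tmp=$(mktemp)
        awk -v s="$svc" '$1 == s { print "#" $0; next } { print }' "$file" >"$tmp" \
            && mv "$tmp" "$file"
    done
}

# Constructed `netstat -ltn` output (on a live host pipe the real command in).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN'

# Read netstat output on stdin and print every listening TCP port that is not
# in the comma-separated allowlist. Each hit deserves `fuser -n tcp <port>` or
# `lsof -i :<port>` to find the process that owns it.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp6?$/ && $NF == "LISTEN" {
            n = split($4, h, ":"); port = h[n]
            if (!(port in ok)) print port
        }'
}

# Demo on the constructed samples.
disable_inetd_services "$SAMPLE_INETD" echo finger shell login exec ntalk
enabled_inetd_services "$SAMPLE_INETD"                # telnet ftp
echo "$SAMPLE_NETSTAT" | unexpected_listeners 22,25   # 79 6000
```

The allowlist is the set of ports you have consciously decided to serve; port 79 (finger) and 6000 (X11) showing up in the demo is exactly the "open port you don't know" case, and both are worth closing on a server.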
3. Do not set the default route
On a host, strictly avoid a default route. We recommend configuring an explicit route for each subnet or CIDR block the host needs to reach; with a catch-all default route, machines on networks you never intended can still find a path to the host.
4. Password Management
A password should be at least 8 characters long, mix upper- and lower-case letters, digits and symbols with no obvious pattern, and never be an English word or phrase; all users' passwords should also be changed regularly. Password protection also covers the files /etc/passwd and /etc/shadow: the password hashes belong in /etc/shadow, which only root may read, and /etc/passwd must be writable only by root. A password filtering tool such as npasswd helps you check whether your users' passwords can withstand a cracking attempt. If you have not installed such a tool yet, we recommend doing so now. If you are the administrator and have no password filter in place, check immediately whether any user's password can be recovered by an exhaustive (brute-force or dictionary) search against your /etc/passwd file.
5. Partition Management
An attacker's first attempt is usually a buffer overflow. For years buffer overflows have been the most common form of security vulnerability, and they account for the great majority of remote network attacks; one such flaw can hand an anonymous Internet user partial or complete control of a host.
The partition layout chosen at installation time also matters. If data such as log files lands on the root partition, a flood of logs or mail generated during a denial-of-service attack can fill the root filesystem and crash the system. We therefore recommend a separate partition for /var, where logs and mail live, so the root partition cannot be filled from there. An application that produces large volumes of logs deserves a partition of its own as well. We also recommend a separate partition for /home so that users cannot fill up / either; this defeats malicious attempts to exhaust a Linux partition.
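An added example (not from the original article) that audits the partition layout described above: given an fstab, it reports which of the wanted mount points still sit on the root filesystem and whether the user-writable ones carry nosuid and nodev. The fstab below is a constructed sample; the device names and options in it are assumptions for the demo, and on a live host you would feed /etc/fstab or /proc/mounts to the functions instead.

```shell
#!/bin/sh
# Added example: check that the filesystems the text singles out (/var for
# logs and mail, /home for users) are mounted separately from /, so that a
# log flood or a user cannot fill the root filesystem. Constructed sample.

SAMPLE_FSTAB='# <device>  <mount point>  <type>  <options>              <dump> <pass>
/dev/sda1   /              ext3    defaults               1 1
/dev/sda2   /var           ext3    defaults,nosuid,nodev  1 2
/dev/sda3   /home          ext3    defaults,nosuid,nodev  1 2
/dev/sda5   swap           swap    defaults               0 0'

# Read an fstab (or /proc/mounts) on stdin and print each wanted mount point
# (comma-separated argument) that has no filesystem of its own, i.e. that
# still lives on / and can fill it.
missing_separate_mounts() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, ",") }
        $1 !~ /^#/ && NF >= 2 { seen[$2] = 1 }
        END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i] }'
}

# Print the mount options of one mount point (empty if it has no entry), so
# that nosuid/nodev on user-writable filesystems can be verified.
mount_options() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# Exit 0 when every option in the comma-separated list is set for the mount
# point, 1 otherwise (including when the mount point is not separate at all).
# Usage: echo "$fstab" | has_mount_options /home nosuid,nodev
has_mount_options() {
    opts=$(mount_options "$1")
    [ -n "$opts" ] || return 1
    oldifs=$IFS; IFS=,; set -- $2; IFS=$oldifs
    for o in "$@"; do
        case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Demo on the constructed sample.
echo "$SAMPLE_FSTAB" | missing_separate_mounts /var,/home,/tmp   # /tmp
echo "$SAMPLE_FSTAB" | has_mount_options /home nosuid,nodev && echo "/home: nosuid,nodev ok"
```

/tmp is included in the wanted list because it is world-writable and fills just as easily as /home; the sample fstab leaves it on / on purpose so the check has something to report.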
6. Prevent Network sniffing:
Sniffers are widely used in network maintenance and management. A sniffer works like passive sonar: it silently receives everything that passes on the network and analyses it, so an administrator can gain an in-depth understanding of the network's current state and find its weak points. With the growing attention paid to network security we must not only use sniffers correctly but also guard against them, because in an attacker's hands a sniffer is a serious hazard precisely because it is so hard to detect. For an enterprise with strict security requirements this means a secure topology (switched and segmented so that a sniffer sees as little traffic as possible), encrypted sessions, and static ARP entries so that ARP spoofing cannot redirect traffic through an attacker's machine.
7. Complete Log Management
Log files always record how your system is running, and an intruder cannot avoid leaving traces in them, which is why intruders often modify log files to hide their tracks during an attack. Restrict access to the files under /var/log and forbid ordinary users from reading them.
In addition, install an ICMP/TCP logger such as iplogger to notice suspicious repeated connection attempts (port scans, ICMP floods and the like), and be wary of logins from unknown hosts.
Complete log management covers the correctness, validity and integrity of the recorded network data. Analysing the log files can also head off an intrusion: for example, 20 failed logins for one user within a few hours most likely means someone is guessing that user's password.
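An added example, not part of the original article, of the log analysis the last two paragraphs describe: counting failed logins per user and source address and flagging successful logins from hosts you do not know. The log lines are constructed in the format sshd writes to syslog; the host, user names and addresses in them are invented for the demo, and on a live system you would feed /var/log/auth.log, /var/log/secure or `journalctl -u sshd` to the functions instead.

```shell
#!/bin/sh
# Added example: failed-login counting and unknown-host detection over
# constructed sshd log lines (not a real capture).

SAMPLE_AUTHLOG='Mar  3 02:14:01 srv sshd[1201]: Failed password for bob from 203.0.113.5 port 51022 ssh2
Mar  3 02:14:05 srv sshd[1203]: Failed password for bob from 203.0.113.5 port 51023 ssh2
Mar  3 02:14:09 srv sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar  3 02:14:12 srv sshd[1207]: Failed password for bob from 203.0.113.5 port 51025 ssh2
Mar  3 02:14:20 srv sshd[1209]: Failed password for bob from 203.0.113.5 port 51026 ssh2
Mar  3 02:20:11 srv sshd[1210]: Accepted password for alice from 192.168.1.20 port 40001 ssh2
Mar  3 02:31:47 srv sshd[1222]: Accepted password for bob from 198.51.100.9 port 40100 ssh2'

# Turn each sshd line on stdin into "<user> <source-ip>"; handles both the
# "for NAME" and the "for invalid user NAME" forms.
user_and_source() {
    awk '{
        user = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") src = $(i+1)
        }
        print user, src
    }'
}

# Print "user source count" for every user/source pair with at least N failed
# logins in the input. The text's rule of thumb is 20 failures in a few hours;
# a lower N catches the guessing earlier.
failed_logins_over_threshold() {
    grep 'Failed password' | user_and_source | sort | uniq -c |
        awk -v n="$1" '$1 >= n { print $2, $3, $1 }'
}

# Print "user source" for successful logins whose source address is not in
# the comma-separated list of known hosts: the "logon from an unknown host"
# the text warns about.
accepted_logins_not_from() {
    grep 'Accepted ' | user_and_source |
        awk -v allow="$1" '
            BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            !($2 in ok) { print $1, $2 }'
}

# Demo on the constructed log.
echo "$SAMPLE_AUTHLOG" | failed_logins_over_threshold 3         # bob 203.0.113.5 4
echo "$SAMPLE_AUTHLOG" | accepted_logins_not_from 192.168.1.20   # bob 198.51.100.9
```

The second report is the more interesting one here: bob's successful login from 198.51.100.9 comes shortly after a burst of failures for bob, which is the pattern the next section tells you to treat as an account in use by someone else.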
8. Stop ongoing attacks
If, while checking the log files, you find a user logged on from a host you do not know, and you are sure that user should not have access to this host, you may be under attack. First lock the account immediately (in the password or shadow file, put a character such as `!` in front of the user's password hash, which is what `passwd -l` does). If the attacker is still connected, disconnect the host from the network physically at once. If possible, examine the user's history further to see whether other users have been impersonated and whether the attacker has obtained root privileges. Kill all of the user's processes and add the attacking host's IP address or address range to the hosts.deny file.
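The response procedure above as an added shell example (not the article's code). It works on constructed copies of /etc/shadow and /etc/hosts.deny so that it can be run safely; the user names, hashes and addresses are invented. On a live host the same effect comes from `passwd -l USER`, `pkill -KILL -u USER` and an `ALL: ADDRESS` line in /etc/hosts.deny.

```shell
#!/bin/sh
# Added example: lock an account, record a host in hosts.deny, and kill the
# user's processes, as functions over constructed sample files.

SAMPLE_SHADOW=$(mktemp)
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$saltroot$hashroot:15000:0:99999:7:::
bob:$6$saltbob$hashbob:15000:0:99999:7:::
EOF
SAMPLE_HOSTS_DENY=$(mktemp)
printf 'ALL: 203.0.113.0/255.255.255.0\n' >"$SAMPLE_HOSTS_DENY"

# Lock an account by prefixing its hash with "!" (what `passwd -l` does): the
# field no longer matches any password, and the change is reversible.
# Idempotent: an account that is already locked is left alone.
lock_account() {   # lock_account SHADOWFILE USER
    tmp=$(mktemp)
    awk -F: -v u="$2" 'BEGIN { OFS = ":" }
        $1 == u && $2 !~ /^!/ { $2 = "!" $2 } { print }' "$1" >"$tmp" && mv "$tmp" "$1"
}

# Print the hash field of one account, to confirm the lock took effect.
shadow_hash() {    # shadow_hash SHADOWFILE USER
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Add "ALL: HOST" to a hosts.deny file unless that exact line is already there.
# Services run through tcpd or linked with libwrap consult it on every connect.
deny_host() {      # deny_host HOSTSDENY HOST
    grep -qxF "ALL: $2" "$1" || printf 'ALL: %s\n' "$2" >>"$1"
}

# Kill every process of the user (SIGKILL, so a trap in the attacker's shell
# cannot ignore it). Not run in the demo; call it right after lock_account.
kill_user_processes() {   # kill_user_processes USER
    pkill -KILL -u "$1"
}

# Demo on the constructed files.
lock_account "$SAMPLE_SHADOW" bob
lock_account "$SAMPLE_SHADOW" bob           # second call changes nothing
shadow_hash "$SAMPLE_SHADOW" bob            # !$6$saltbob$hashbob
deny_host "$SAMPLE_HOSTS_DENY" 198.51.100.9
deny_host "$SAMPLE_HOSTS_DENY" 198.51.100.9
cat "$SAMPLE_HOSTS_DENY"
```

Order matters: lock first so the attacker cannot simply log in again, then kill the processes, then block the source. Keep the unmodified shadow and log files for the forensic review the text recommends before you clean anything up.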
9. Use security tool software:
Now that Linux viruses exist, anti-virus software for Linux servers is available and installing it has become urgent. Linux also has tools that help keep a server secure, iplogger among them.
10. Use the reserved IP Address:
The simplest way to keep a network secure is to keep its hosts out of reach of outside parties; the most basic form of this is to isolate the network from the public Internet. In many cases such isolation is unacceptable, and using reserved IP addresses is then a simple, workable alternative that lets users reach the Internet while keeping a degree of protection. RFC 1918 specifies the address ranges that may be used on local TCP/IP networks. These addresses are not routed on the Internet and therefore need not be registered. Assigning addresses from these ranges effectively confines network traffic to the local network: a fast and effective way to let the computers talk to one another while refusing access from outside.
Reserved IP address ranges:
10.0.0.0 - 10.255.255.255 (10/8)
172.16.0.0 - 172.31.255.255 (172.16/12)
192.168.0.0 - 192.168.255.255 (192.168/16)
Traffic from reserved addresses does not pass Internet routers, so a computer with a reserved address cannot be reached from the outside. By the same token it cannot reach the outside either; IP masquerading (NAT on the gateway) solves that problem.
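An added example (not from the original article) that checks an address against the three ranges above and prints the gateway rules that go with them: an ingress filter that drops Internet packets claiming a reserved source, plus the masquerading (NAT) that lets hosts with reserved addresses reach the outside. eth0 as the Internet-facing interface is an assumption, and the iptables commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: RFC 1918 classification and the matching gateway policy.
# Nothing here touches a live firewall.

# Exit 0 if the dotted-quad address is in 10/8, 172.16/12 or 192.168/16,
# 1 if it is a public address, 2 if it is not a valid IPv4 address.
is_rfc1918() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 2
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 2 ;; esac
        [ "$o" -le 255 ] || return 2
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# Print iptables rules for a gateway whose Internet side is interface $1
# (eth0 is assumed in the demo): drop packets arriving from the Internet with
# an RFC 1918 source, which can only be spoofed since those ranges are never
# routed there, and masquerade outbound traffic so internal hosts with
# reserved addresses can still reach the Internet.
gateway_rules() {
    ext=$1
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$ext" "$net"
        printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$ext" "$net"
    done
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$ext"
}

# Demo.
for ip in 10.1.2.3 172.20.0.1 172.32.0.1 192.168.1.20 203.0.113.5; do
    if is_rfc1918 "$ip"; then echo "$ip reserved"; else echo "$ip public"; fi
done
gateway_rules eth0
```

Note that 172.32.0.1 is public: the 172 range only covers second octets 16 through 31, a detail that is easy to get wrong when writing filters by hand. Run the printed rules on the gateway with IP forwarding enabled; the DROP rules go before any ACCEPT rule for the external interface.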
11. Select the release version:
For the Linux version on a server, use neither the newest release nor an old one but a mature one: the final release of the previous product line, such as Mandrake Linux 8.2. For a server, security and stability come first.
12. Patch issues
Check the home page of the vendor of the system you installed regularly for the latest patches.
II. Network Device Security:
1. Switch Security
Enable VLANs: a VLAN is defined on the ports of a switch, every station connected to such a port belongs to that virtual network, and one physical network can carry many VLANs. A VLAN keeps unnecessary traffic off each segment and, with a firewall controlling what may pass between VLANs, isolates each VLAN and any problem in it from the others; this also raises network throughput and reduces latency. Within one physical segment you can thus divide users into different virtual networks and control who may communicate with whom, which gives real data confidentiality without difficult configuration. The administrator can reconfigure the network logically, balance load quickly and easily, and add, remove or move users without touching the physical wiring.
2. Router Security:
By the nature of routing, the router's security configuration is the core of the whole network's security. To protect it, the administrator must take the corresponding security measures while configuring and managing the router.
1. Block Security Vulnerabilities
Limiting physical access to the router is one of the most effective ways to keep it secure. One measure is to configure console and terminal sessions to log out automatically after a short idle time. It is also important not to attach a modem to the router's auxiliary port. Once physical access is restricted, make sure the router's security patches are up to date.
2. Avoid identity crisis
Intruders often attack through weak or default passwords. Counter this with longer passwords and a password lifetime of 30 to 60 days. Whenever a key IT employee leaves, change the passwords immediately. Enable password encryption on the router so that passwords are not stored or displayed in clear text in its configuration.
3. Disable unnecessary services
Many recent security incidents have highlighted the importance of disabling services the router does not need. Note also the question of time: accurate time is essential for effective network operation and for correlating logs, and even if the clocks were synchronized at deployment they drift apart over time. Use a network time protocol to keep them synchronized.