Linux security configuration, linux System Security Settings suggestions, you may encounter linux system security problems when learning the linux operating system, here we will introduce the solution to Linux system security problems, including technologies such as canceling unnecessary services and restricting system access.
Recently I have been using linux ........ I personally like it. Share it.
Now I only open two ports: WEB and SSH.
LearningLinux operating systemYou may encounterLinuxSecurity issues. Here we will introduce the solution to Linux system security issues, including technologies such as canceling unnecessary services and restricting system access.
As an open operating system, Linux is favored by many programmers. Many senior programmers prefer to write software related to the Linux operating system. This makes the Linux operating system rich in software support, and countless technical staff as technical support, which makes Linux more and more popular for programmers.
However, one of the biggest drawbacks of this open operating system is that each programmer has a different level. After writing the relevant software, you did not pay attention to the vulnerabilities in your own program. There is no unified vulnerability check, which makes it difficult for software developers to detect vulnerabilities in their own programming. However, hackers will pay close attention to these vulnerabilities, these vulnerabilities are used to achieve their own goals. Is the Linux system insecure? In fact, you don't have to worry about it. Linux is more secure than windows. As long as you do the following, you can use the Linux system with peace of mind. Experience different operations.
I. Cancel unnecessary services
In earlier versions of Unix, each different network service had a service program running in the background. Later versions used a uniform/etc/inetd server program. Inetd is short for Internetdaemon. It monitors multiple network ports at the same time. Once it receives connection information from the outside, it executes the corresponding TCP or UDP network service. Due to the unified command of inetd, Most TCP or UDP services in Linux are set in the/etc/inetd. conf file. Therefore, the first step to cancel unnecessary services is to check the/etc/inetd. conf file and add the "#" sign before the unwanted services.
Generally, except http, smtp, and teLnEt andFtpOther services, such as simple file transfer protocols, should be canceled.TftpImap/ipop transmission protocol for network mail storage and receiving, gopher for searching and searching materials, and day for Time SynchronizationTimeAnd time.
There are also some services that report system status, suchFinger, Efinger, syStatAndNetstatAlthough it is very useful for system error detection and user searching, it also provides a convenient way for hackers. For example, hackers can use the finger service to find users' phones, directories, and other important information. Therefore, many Linux systems cancel all or partially cancel these services to enhance system security. In addition to setting system service items using/etc/Inetd. conf, inetd also uses the/etc/services file to find the ports used by various services. Therefore, you must carefully check the port settings in the file to avoid security vulnerabilities.
In Linux, there are two different service-type states: one is a service that is executed only when necessary, for example, the finger service; and the other is two different service-type states in Linux: one is a service that is executed only when needed. Such services start to be executed when the system starts. Therefore, you cannot modify inetd to stop the service, instead, you can only modify/etc/rc. d/rc [n]. d/file or Run? Level?EdItor to modify it. NFS servers that provide file services and news that provide NNTP news services belong to such services. If not necessary, it is best to cancel these services.
Ii. Restrict System Access
Before entering the Linux system, all users need to log on, that is, users need to enter the user account and password. Only after they pass system verification can users enter the system.
Like other Unix operating systems, Linux stores the encrypted password in/etc/PasswdFile. All users in Linux can read the/etc/passwd file. Although the password stored in the file has been encrypted, it is still not secure.
All. Generally, users can use the ready-made password cracking tool to guess the password. The safer method is to set the shadow file/etc/shadow and only allow users with special permissions to read the file.
3. recompile the program
In Linux, to use a shadow file, you must recompile all the utilities to support the shadow file. This method is troublesome. A simple method is to use the plug-in verification module (PAM ). Many Linux systems use Linux tool PAM, which is an identity authentication mechanism that can be used to dynamically change the authentication methods and requirements without re-compiling other utilities. This is because PAM uses a closed package to hide all authentication-related logic in the module, so it is the best helper for using shadow files.
Iv. Enhanced security protection tools
SSH is short for Secure Sockets Layer, which can be safely used to replace rlogin, rsh, and rCpA set of program groups. SSH uses public key technology to encrypt the communication information between two hosts on the network, and uses its key as an authentication tool. Because SSH encrypts information on the network, it can be used to securely log on to a remote host and transmit information between the two hosts securely. In fact, SSH not only ensures secure communication between Linux Hosts, but also allows Windows users to Securely connect to Linux servers through SSH.
5. restrict the power of Super Users
As we mentioned above, root is the focus of Linux protection. Because it has unlimited power, it is best not to authorize super users easily. However, the installation and maintenance of some programs must require Super User Permissions. In this case, other tools can be used to grant these users the permissions of some super users. Sudo is such a tool. The Sudo program allows a general user to log on again with the user's own password after the configuration is set, to obtain the permissions of the Super User, but only a limited number of commands can be executed.
6. Set the security level of the user account
In addition to passwords, user accounts also have security levels, because each account on Linux can be assigned different permissions. Therefore, when a new user ID is created, the system administrator should grant different permissions to the Account as needed and merge them into different user groups.