Linux security tips (1)

Source: Internet
Author: User
To study Linux security, you must first install the Linux system securely.
1. Secure installation of Linux servers (assuming that you already know your server hardware)
First, create a boot disk and boot Linux. (Before that, I suggest you download a special floppy disk image from the RedHat Linux website.)
Open MS-DOS mode in Windows (Start | Programs | MS-DOS mode):
C:\> d:
D:\> cd \dosutils
D:\dosutils> rawrite
Enter disk image source file name: ..\images\root.img
Enter target diskette drive: a:
Please insert a formatted diskette into drive A: and press --ENTER-- :
D:\dosutils>
When rawrite.exe asks for a floppy disk image, enter the complete path name of boot.img and insert the floppy disk into drive A:. When the program asks which floppy disk drive you want to write the image to, enter a:.
Because we cannot boot from the CD-ROM, we boot from the floppy drive. Insert the floppy disk into drive A: and restart the computer. When "boot:" appears, press the Enter key to continue the boot.
* Select a language
* Select the keyboard type
* Select the mouse type
When selecting the installation type, we recommend that you select Custom installation.
Partitioning is a headache. We recommend that you back up your current system before partitioning.
(1) Use the Disk Druid partitioning tool
Disk Druid is the partitioning tool in RedHat Linux. Select "Add" to add a new partition, "Edit" to change a partition, "Delete" to delete a partition, and "Reset" to restore the original partition layout. When you add a new partition, a window appears asking for the necessary information about the partition. The required information is:
* Mount Point: the directory where the partition is mounted.
* Size: the partition size, in megabytes.
* Partition Type: use Linux Native for Linux file systems and Linux Swap for swap partitions.
If you have a SCSI hard disk, the device name will be "/dev/sda". If you have an IDE hard disk, the device name will be "/dev/hda". If you are very concerned about the performance and stability of the system, we recommend that you use a SCSI hard disk.
Linux partition names are a combination of letters and numbers. This naming method is flexible and intuitive. The following is a summary:
* The first two letters indicate the device type: "hd" for an IDE hard disk and "sd" for a SCSI hard disk.
* The third letter indicates the device. For example, "/dev/hda" is the first IDE hard disk and "/dev/hdb" is the second IDE hard disk.
Keep this in mind; it makes partitioning Linux easier and less confusing.
(2) Swap partitions
Swap partitions are used for virtual memory. If the computer has less than 16 MB of memory, you must create a swap partition. Even if you have more memory, we recommend that you create one. The minimum swap partition must be equal to the computer's memory. If the memory is larger than 16 MB, the minimum is 16 MB. The swap partition is about 1 GB at most (the Linux 2.2 kernel now supports 1 GB of swap; anything more than 1 GB is wasted). Note: you can create more than one swap partition, although this is necessary only when installing a large server. Try to place the swap partition at the start of the hard drive. Because the start of a disk is physically on the outermost cylinder, the head covers more area on each revolution.
After partitioning, you will see information similar to this on the screen:
Mount Point  Device  Requested  Actual  Type
/boot        sda1    5M         5M      Linux Native
/usr         sda5    1000M      1000M   Linux Native
/home        sda6    500M       500M    Linux Native
/chroot      sda7    400M       400M    Linux Native
/cache       sda8    400M       400M    Linux Native
/var         sda9    200M       200M    Linux Native
Swap         sda10   150M       150M    Linux Swap
/tmp         sda11   100M       100M    Linux Native
/            sda12   316M       315M    Linux Native

Drive  Geom [C/H/S]   Total (M)  Free (M)  Used (M)  Used (%)
sda    [3079/64/32]   3079M      1M        3078M     99%
Now select "Next" to continue the installation. After the partitions are created, the installer lets you format them. Select the partitions to be formatted, tick the "Check for bad blocks during format" option, and press "Next" to continue. This formats and activates the partitions so that Linux can use them.
  
Next, if you choose to install LILO, you will see the LILO configuration screen. You can install LILO in the Master Boot Record (MBR) or in the first sector of the boot partition.
  
In general, you should install LILO in the Master Boot Record. (If your computer also has NT installed, or uses a multi-boot program such as System Commander, you had better read the LILO-HOWTO carefully to avoid unnecessary losses.) Then configure the network and the clock. After that, enter the root password and set the authentication configuration. Don't forget to choose:
* Enable MD5 passwords
There is no need to select Enable NIS because we do not install the NIS service on this server.
  
  
Research on Linux SECURITY (2)
Author: Feardark
Release date: 28/3/2002
We have now installed the Linux system as described above. RedHat Linux installs some preset software by default, and during installation you cannot choose to leave it out. Therefore, you must uninstall the following packages after installation: isapnptools, redhat-logos, pump, apmd, kernel-pcmcia-cs, mt-st, setserial, eject, gd, kudzu, linuxconf, getty_ps, pciutils, mailcap, gnupg, and setconsole.
Use the command:
[root@deep]# rpm -e softwarenames
apmd, kudzu, and sendmail are daemons. You had better stop them before uninstalling them.
To stop these processes, run the following command:
[root@deep]# /etc/rc.d/init.d/apmd stop
[root@deep]# /etc/rc.d/init.d/sendmail stop
[root@deep]# /etc/rc.d/init.d/kudzu stop
As this article focuses on security issues, we will not describe what these packages do.
Having uninstalled a series of packages, we also need to install some necessary ones. To compile software on your server, you must install the following RPM packages. This part of the installation is very important: install all the packages listed below. All of them are in the /RedHat/RPMS directory on the first disc of RedHat 6.1, and your Linux system needs them to compile programs.
First, mount the CD-ROM drive and change to the RPMS directory with these commands:
[root@deep]# mount /dev/cdrom /mnt/cdrom/
[root@deep]# cd /mnt/cdrom/RedHat/RPMS/
  
We need these packages:
  
autoconf-2.13-5.noarch.rpm
m4-1.4-12.i386.rpm
automake-1.4-5.noarch.rpm
dev86-0.14.9-1.i386.rpm
bison-1.28-1.i386.rpm
byacc-1.9-11.i386.rpm
cdecl-2.5-9.i386.rpm
cpp-1.1.2-24.i386.rpm
cproto-4.6-2.i386.rpm
ctags-3.2-1.i386.rpm
egcs-1.1.2-24.i386.rpm
ElectricFence-2.1-1.i386.rpm
flex-2.5.4a-7.i386.rpm
gdb-4.18-4.i386.rpm
kernel-headers-2.2.12-20.i386.rpm
glibc-devel-2.1.2-11.i386.rpm
make-3.77-6.i386.rpm
patch-2.5-9.i386.rpm
PS: It is best to install all of these packages at the same time, because something always goes wrong when the RPMs are installed separately.
Second, install these packages with the following command:
[root@deep]# rpm -Uvh autoconf-2.13-5.noarch.rpm m4-1.4-12.i386.rpm automake-1.4-5.noarch.rpm dev86-0.14.9-1.i386.rpm bison-1.28-1.i386.rpm byacc-1.9-11.i386.rpm cdecl-2.5-9.i386.rpm cpp-1.1.2-24.i386.rpm cproto-4.6-2.i386.rpm ctags-3.2-1.i386.rpm egcs-1.1.2-24.i386.rpm ElectricFence-2.1-1.i386.rpm flex-2.5.4a-7.i386.rpm gdb-4.18-4.i386.rpm kernel-headers-2.2.12-20.i386.rpm glibc-devel-2.1.2-11.i386.rpm make-3.77-6.i386.rpm patch-2.5-9.i386.rpm
Third, to make these changes take effect, you must log out and then log back in to the system. Use the command:
[root@deep]# exit
After installing and compiling all the software required on the server, it is best to uninstall the packages installed in the previous steps unless there is a special need for them. One reason is that if an intruder successfully breaks into your server, he cannot use these tools to compile software or change binary programs. Uninstalling them also frees a lot of disk space, and with fewer files to scan, system security and consistency checks run faster.
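Both removal steps (the default packages uninstalled after installation and the build tools uninstalled after compiling) can be checked mechanically. The script below is an added example, not part of the original article: it reports which of the packages named in this article are still present in a package inventory. The function names, the USE_RPM switch, and the sample inventory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report which packages from the article's removal lists remain.

# Packages the article says to uninstall right after installation.
UNNEEDED="isapnptools redhat-logos pump apmd kernel-pcmcia-cs mt-st setserial \
eject gd kudzu linuxconf getty_ps pciutils mailcap gnupg setconsole"
# Build tools the article says to remove once compiling is finished.
BUILD_TOOLS="autoconf m4 automake dev86 bison byacc cdecl cpp cproto ctags egcs \
ElectricFence flex gdb kernel-headers glibc-devel make patch"

# leftover_packages LIST INVENTORY_FILE
# Prints, space-separated and in LIST order, every name in LIST that appears
# as a whole line in INVENTORY_FILE (one package name per line).
leftover_packages() {
    list=$1; inventory=$2; found=""
    for pkg in $list; do
        # -x whole line, -F literal string: "gd" must not match "gdb"
        if grep -qxF -- "$pkg" "$inventory"; then
            found="${found:+$found }$pkg"
        fi
    done
    printf '%s\n' "$found"
}

# Constructed sample inventory so the script runs on any machine.
sample_inventory() {
    printf '%s\n' bash glibc gdb kudzu pam apmd make sysklogd
}

# audit: returns 0 only when nothing from either list is still installed.
# Set USE_RPM=1 (hypothetical switch) to query the real RPM database instead.
audit() {
    inv=$(mktemp) || return 2
    if [ "${USE_RPM:-0}" = 1 ]; then
        rpm -qa --qf '%{NAME}\n' > "$inv"
    else
        sample_inventory > "$inv"
    fi
    u=$(leftover_packages "$UNNEEDED" "$inv")
    b=$(leftover_packages "$BUILD_TOOLS" "$inv")
    rm -f "$inv"
    echo "unneeded packages still installed: ${u:-none}"
    echo "build tools still installed:       ${b:-none}"
    [ -z "$u$b" ]
}

audit || echo "RESULT: packages the article says to remove are still present"
```

Matching whole package names rather than substrings matters here: the removal list contains gd while the build tools contain gdb, and glibc must stay installed even though glibc-devel is removed.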
Because we chose a custom installation, the following is a list of the programs installed on the server. This list must match the install.log file in the /tmp directory; otherwise, your installation is not complete. The software mentioned above is required.
Keep your software up to date
  
To keep your software updated, check the RedHat Linux website at http://www.redhat.com/corp/support/errata/index.html. This page can solve 90% of RedHat Linux system problems. In addition, after receiving a security vulnerability notification, RedHat will release the solution on the errata website within 24 hours. You must check this location frequently. The software that must be updated on the RedHat Linux server is:
groff-1.15-1.i386.rpm
sysklogd-1.3.31-14.i386.rpm
initscripts-4.70-1.i386.rpm
e2fsprogs-1.17-1.i386.rpm
pam-0.68-10.i386.rpm