Linux Server-Security (1)

Source: Internet
Author: User

[BKJIA exclusive article] Security is crucial for Linux/Unix production servers and is also the basic task of every system administrator. This is the fourth article in the Linux server series. Everything listed below concerns the basic settings of Linux servers; we try to describe the basic security settings of a Linux server in the simplest possible language, especially for new users. If you have higher security requirements for your Linux servers, we recommend that you use a hardware firewall.

I. hardware protection for Linux servers

During project implementation and while setting up my own website, I found that good solutions against DDoS, SQL injection, cross-site scripting, worms, hacker scans and attacks, and the like include:

① Huasai layer-3 firewall + Tiantai web firewall;

② Juniper series firewalls;

If your Linux or FreeBSD front end has no hardware protection, enable the iptables or ipfw firewall. Although they do not defend against DDoS attacks, they help security to some extent. If it is a Windows 2003 server, we recommend that you enable its built-in system firewall and disable ping.

We recommend a 64-bit Linux operating system such as CentOS 5.4; for UNIX, we recommend FreeBSD 8.0 (also 64-bit). Pay close attention to server kernel vulnerabilities: many Linux attacks now target the kernel, so make sure the kernel version is 2.6.9 or later.

II. Remotely connect to your Linux server

For remote connections, we recommend that you allow ssh only from the intranet and deny control from the Internet. This is safer (this step may be performed together with the company's network engineers).

If you have to perform ssh operations from the Internet, we recommend that you correctly configure the public and private keys in your remote connection tool, such as Xshell or PuTTY. I usually set the root password to 28 or more characters, and recommend a combination of letters and numbers, for example p@sSw0rdyuhongchun027nagios. In addition, only a few key people should know the root password; this is set according to the company's permission policy. If a company's system administrator leaves, the root password must be changed. Anyone who has been working with Linux for a long time knows that changing the root password does not affect Linux crontab scheduled tasks (in Windows 2003, by contrast, changing the administrator password directly affects the running of scheduled tasks).

III. How to prevent ssh brute-force cracking on Linux servers

My Nagios Internet monitoring server, whose password was redhat at the beginning of testing, was changed one day after it was put on the public network. After the mature environment was deployed, I found that many Internet IP addresses were still scanning and probing it. It seems I cannot get by without a tool, so I am trying DenyHosts, which everyone recommends. It is a program written in Python 2.3 that analyses log files such as /var/log/secure; when it finds that the same IP address has made multiple SSH password attempts, it records that IP address in the /etc/hosts.deny file to block it automatically. DenyHosts official website: http://denyhosts.sourceforge.net

① Check the installation prerequisites

1. First, determine whether the sshd installed on the system supports tcp_wrappers (it is supported by default):

# ldd /usr/sbin/sshd
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0046e000)

2. Determine the Python version installed by default:

# python -V
Python 2.3.4

3. If Python 2.3 or later is installed, you can install DenyHosts directly:

# cd /usr/local/src
# wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
# tar zxf DenyHosts-2.6.tar.gz
# cd DenyHosts-2.6
# python setup.py install

The program scripts are installed automatically in /usr/share/denyhosts.

Library files are installed automatically in /usr/lib/python2.3/site-packages/DenyHosts.

denyhosts.py is installed automatically in /usr/bin.

② Set up the startup script

# cd /usr/share/denyhosts/
# cp daemon-control-dist daemon-control
# chown root daemon-control
# chmod 700 daemon-control
# grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
# vi denyhosts.cfg

Modify denyhosts.cfg as needed:

SECURE_LOG = /var/log/secure    # log file analysed on RedHat/Fedora Core; for other Linux distributions, choose according to the hints in denyhosts.cfg-dist
PURGE_DENY = 30m                # how long until a blocked entry is purged
DENY_THRESHOLD_INVALID = 1      # failed login attempts allowed for invalid users (not listed in /etc/passwd)
DENY_THRESHOLD_VALID = 5        # failed login attempts allowed for valid (ordinary) users
DENY_THRESHOLD_ROOT = 3         # failed login attempts allowed for root
HOSTNAME_LOOKUP = NO            # whether to perform DNS lookups
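To make the threshold semantics concrete, here is an added example (not DenyHosts's own code) that re-implements the core counting logic in Python over a constructed /var/log/secure excerpt, using the same thresholds as the configuration above. The host name, IP addresses and log lines are made up; only "Failed password" lines are counted, and any source IP that reaches the threshold for its user class (invalid, valid or root) gets a hosts.deny entry.

```python
import re
from collections import defaultdict

# Thresholds as in the denyhosts.cfg shown above: failures allowed per user class
THRESHOLDS = {"invalid": 1,   # DENY_THRESHOLD_INVALID, user not in /etc/passwd
              "valid": 5,     # DENY_THRESHOLD_VALID, ordinary existing user
              "root": 3}      # DENY_THRESHOLD_ROOT
BLOCK_SERVICE = "sshd"        # service name written to /etc/hosts.deny

# Matches the "Failed password" lines sshd writes to /var/log/secure
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def failure_counts(log_lines):
    """Count failed logins per source IP, split by user class."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        if m.group("invalid"):
            cls = "invalid"
        else:
            cls = "root" if m.group("user") == "root" else "valid"
        counts[m.group("ip")][cls] += 1
    return dict(counts)

def denied_hosts(counts):
    """IPs that reached the threshold of any user class."""
    return sorted(ip for ip, c in counts.items()
                  if any(c[k] >= THRESHOLDS[k] for k in THRESHOLDS))

def hosts_deny_lines(ips):
    """Entries in the form DenyHosts appends to /etc/hosts.deny."""
    return [f"{BLOCK_SERVICE}: {ip}" for ip in ips]

# Constructed sample of /var/log/secure (not a real capture)
SAMPLE_SECURE_LOG = """\
Mar  1 10:00:01 autolemp sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50110 ssh2
Mar  1 10:00:07 autolemp sshd[2103]: Failed password for root from 203.0.113.9 port 50112 ssh2
Mar  1 10:00:09 autolemp sshd[2104]: Failed password for root from 203.0.113.9 port 50113 ssh2
Mar  1 10:00:12 autolemp sshd[2105]: Failed password for bob from 198.51.100.7 port 50114 ssh2
Mar  1 10:00:20 autolemp sshd[2106]: Accepted password for bob from 198.51.100.7 port 50116 ssh2
Mar  1 10:00:25 autolemp sshd[2107]: Failed password for root from 203.0.113.9 port 50117 ssh2
"""
if __name__ == "__main__":
    for entry in hosts_deny_lines(denied_hosts(failure_counts(SAMPLE_SECURE_LOG.splitlines()))):
        print(entry)
```

With the sample above, the single invalid-user failure and the three root failures each cross their thresholds, while the one failure for the existing user bob stays well under DENY_THRESHOLD_VALID.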

If you need DenyHosts to start automatically when the system restarts, you also need to make the following settings:

# vi /etc/rc.local

Add the following command:

/usr/share/denyhosts/daemon-control start

③ Start

# /usr/share/denyhosts/daemon-control start

If you want to enable automatic startup of DenyHosts after each restart, you also need to make the following settings:

# cd /etc/init.d
# ln -s /usr/share/denyhosts/daemon-control denyhosts
# chkconfig --add denyhosts
# chkconfig --level 345 denyhosts on

Then you can start it:

service denyhosts start

DenyHosts configuration file:

vi /etc/denyhosts.cfg
SECURE_LOG = /var/log/secure        # ssh log file; blocking decisions are made from this file
HOSTS_DENY = /etc/hosts.deny        # file that controls which hosts may log in
PURGE_DENY = 5m                     # how long until a blocked entry is purged
BLOCK_SERVICE = sshd                # name of the service to block
DENY_THRESHOLD_INVALID = 1          # failed login attempts allowed for invalid users
DENY_THRESHOLD_VALID = 10           # failed login attempts allowed for ordinary users
DENY_THRESHOLD_ROOT = 5             # failed login attempts allowed for root
HOSTNAME_LOOKUP = NO                # whether to perform reverse DNS lookups
DAEMON_LOG = /var/log/denyhosts     # DenyHosts' own log file
ADMIN_EMAIL = yuhongchun027@163.com # administrator's address; a report is mailed here when hosts are blocked

The following is a small script for fully automatic download and installation (recommended). Of course, you must still adjust the configuration file manually after installation. The content of the install_denyhosts.sh script is as follows:

#!/bin/bash
cd /usr/local/src
wget http://jaist.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
tar zxf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts/
cp daemon-control-dist daemon-control
chown root daemon-control
chmod 700 daemon-control
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local
cd /etc/init.d
ln -s /usr/share/denyhosts/daemon-control denyhosts
chkconfig --add denyhosts
chkconfig --level 345 denyhosts on
service denyhosts start

The following is an example of hosts.deny at work:

Connection to 192.168.0.154 closed.
[root@autolemp ~]# ssh 192.168.0.154
root@192.168.0.154's password:
Permission denied, please try again.
root@192.168.0.154's password:
Permission denied, please try again.
root@192.168.0.154's password:
Permission denied (publickey,gssapi-with-mic,password)

The last line is the relevant one.
