Linux Server Security Configuration summary (GO)

Source: Internet
Author: User
Tags ftp login

As we all know, network security is a very important topic, and the server is the most critical link in it. Linux is regarded as a relatively secure Internet server platform, and because it is open source, volunteers around the world rush to patch a security hole as soon as one is found. However, system administrators often do not receive this information and the corrections in time, which gives attackers an opening. Compared with vulnerabilities in the system itself, far more security problems are caused by improper configuration, and those can be prevented by configuring the system correctly. The more services a server runs, the more chances there are for misconfiguration and the greater the likelihood of security problems. With that in mind, some knowledge for hardening Linux/Unix servers is described below.

I. System security log files
The operating system's log files are an important source of clues for detecting network intrusions. If your system is connected directly to the Internet, you will find many people attempting telnet/ftp logins to it. Run the following command to check for such attempts, so that you can take countermeasures such as replacing telnet/rlogin with SSH:
# more /var/log/secure | grep refused
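As an added example (not part of the original article), the shell script below turns that grep into a small report. The log excerpt it writes, the host name gw and the addresses in it are all constructed for the demo; the functions take the log path as a parameter, so they can be pointed at any copy of /var/log/secure.

```shell
#!/bin/sh
# Added example (not part of the original article): summarise the
# "refused connect" entries that tcp_wrappers writes to /var/log/secure.
# The functions take the log path as $1 so they can run on a copy;
# make_sample_secure_log writes a constructed sample for testing.

# Write a constructed /var/log/secure excerpt to the given path.
make_sample_secure_log() {
    cat > "$1" <<'EOF'
Mar  3 02:11:09 gw in.telnetd[812]: refused connect from 203.0.113.7
Mar  3 02:11:15 gw in.ftpd[815]: refused connect from 203.0.113.7
Mar  3 02:12:40 gw in.telnetd[820]: connect from 192.168.1.10
Mar  3 02:13:02 gw in.telnetd[823]: refused connect from 198.51.100.22
Mar  3 02:13:55 gw sshd[831]: Accepted password for admin from 192.168.1.10 port 40122 ssh2
Mar  3 02:14:31 gw in.ftpd[835]: refused connect from 203.0.113.7
Mar  3 02:15:07 gw in.ftpd[840]: refused connect from 198.51.100.22
EOF
}

# Total number of refused connection attempts in the log.
refused_total() {
    grep -c 'refused connect from' "$1" || true
}

# Refused attempts grouped by source address, busiest source first.
# Each output line is "<count> <address>".
refused_by_source() {
    grep 'refused connect from' "$1" \
        | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Refused attempts grouped by service (the daemon name before the pid).
refused_by_service() {
    grep 'refused connect from' "$1" \
        | awk '{ split($5, a, "["); print a[1] }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Report for a given log file, e.g.: sh secure_refused.sh /var/log/secure
if [ $# -ge 1 ]; then
    printf 'Refused attempts: %s\n' "$(refused_total "$1")"
    printf '\nBy source:\n';  refused_by_source "$1"
    printf '\nBy service:\n'; refused_by_service "$1"
fi
```

A source that keeps appearing across several services, as 203.0.113.7 does in the sample, is the pattern worth acting on: it is the address to add to hosts.deny and the reason to turn the plaintext services off entirely, as the sections below describe.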

II. Boot and login security
1. BIOS security
Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.
2. User passwords
The user password is the basic starting point of Linux security. Many people choose passwords that are far too simple, which is tantamount to leaving the door open to intruders. In theory, given enough time and resources, no password is uncrackable, but a well-chosen password is very hard to crack. A good password is a string the user can remember and understand easily, and it is never written down anywhere.
3. Default accounts
Disable all default and unnecessary accounts created by the operating system itself; do this when you first install the system. Linux provides many default accounts, and the more accounts there are, the more exposed the system is to attack.
Delete an account with the following command:
# userdel username
Delete a group with the following command:
# groupdel groupname
4. Password files
Use the chattr command to add the immutable attribute to the following files so that they cannot be modified or deleted, which prevents unauthorized users from gaining privileges by tampering with them. Note that while the attribute is set, commands such as useradd and passwd that rewrite these files will fail; remove it with chattr -i before making account changes.
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
5. Disable the Ctrl+Alt+Delete reboot command
Edit /etc/inittab and comment out the line
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then reset the permissions of all files in the /etc/rc.d/init.d/ directory with:
# chmod -R 700 /etc/rc.d/init.d/*
This allows only root to read, write or execute these scripts.
6. Restricting the su command
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
Now only members of the isd group can su to root. Afterwards, if you want user admin to be able to su to root, run the following command, which sets admin's supplementary group to GID 10:
# usermod -G 10 admin
7. Removing login banner information
By default, the login prompt shows the Linux distribution, the kernel version and the server hostname. For a machine with high security requirements this leaks too much information. Edit /etc/rc.d/rc.local and comment out the lines that print the system information, so that they read:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
Then run the following as root:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

III. Restricting network access
1. NFS access
If you run the NFS network file system service, make sure /etc/exports has the most restrictive settings possible: use no wildcards, do not grant root write access, and export read-only wherever possible. Edit /etc/exports and add the following two lines:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to export, host1.mydomain.com and host2.mydomain.com are the hosts permitted to mount it, ro mounts it read-only and root_squash prevents root on the client from writing to the directory. There must be no space between the hostname and the parenthesised options: with a space, the options apply to every host and the named host receives the defaults. For the change to take effect, run:
# /usr/sbin/exportfs -a
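The following shell script is an added example, not part of the original article: a small linter for an exports file that flags the patterns this section warns about (wildcards, no_root_squash, rw, and the space between client and options). The sample exports file it writes is constructed, with made-up paths and hostnames; the path to check is a parameter so it can be run on a copy rather than the live /etc/exports.

```shell
#!/bin/sh
# Added example (not part of the original article): lint an exports
# file for the risky patterns the text warns about. The path is taken
# as $1 so it runs against a copy; make_sample_exports writes a
# constructed sample with one safe and several unsafe entries.

make_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/srv/pub    host1.mydomain.com(ro,root_squash)
/srv/home   *.mydomain.com(rw,no_root_squash)
/srv/data   host2.mydomain.com (ro,root_squash)
/srv/backup 192.168.1.0/24(rw)
EOF
}

# Print one finding per line as "<path> <reason>". Comments and blank
# lines are skipped; everything after the path is the client list.
audit_exports() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    while read -r path clients; do
        # A space before "(" gives the options to the world and the
        # named client silently gets the defaults.
        case "$clients" in
            *' ('*) printf '%s options detached from client (space before "(")\n' "$path" ;;
        esac
        # Wildcards widen the set of hosts that may mount the export.
        case "$clients" in
            *'*'*|*'?'*) printf '%s wildcard in client list\n' "$path" ;;
        esac
        # no_root_squash lets root on the client act as root on the share.
        case "$clients" in
            *no_root_squash*) printf '%s no_root_squash (client root keeps root)\n' "$path" ;;
        esac
        # rw exports should be the exception, not the rule.
        case "$clients" in
            *'(rw'*|*',rw'*) printf '%s writable export (rw)\n' "$path" ;;
        esac
    done
}

# Number of findings; 0 means the file passed every check above.
audit_exports_count() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_exports.sh /etc/exports
if [ $# -ge 1 ]; then
    audit_exports "$1"
    printf '%s finding(s)\n' "$(audit_exports_count "$1")"
fi
```

In the constructed sample only the /srv/pub line passes; the /srv/data line shows the space mistake, which is easy to miss by eye and is why a mechanical check is worth keeping next to exportfs -a.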
2. inetd settings
First make sure that /etc/inetd.conf is owned by root and that its permissions are 600; after the change you can verify this with the stat command.
# chmod 600 /etc/inetd.conf
Then edit /etc/inetd.conf and disable the following services:
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have ssh/scp installed, you can also disable telnet and ftp. To make the change take effect, run:
# killall -HUP inetd
By default most Linux systems allow all requests; tcp_wrappers enhances security with little effort. Edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, set /etc/hosts.deny to "ALL:ALL" to deny all access by default, then add the permitted access in /etc/hosts.allow. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" allows the IP address 192.168.1.10 and the host gate.openarch.com to connect via SSH. Note that tcp_wrappers treats n.n.n.n/m.m.m.m as a net/mask pair that matches an address only when the address ANDed with the mask equals the net part, so to allow a single host write its address alone (192.168.1.10) and use the mask form for whole networks such as 192.168.1.0/255.255.255.0.
After configuring, check with tcpdchk:
# tcpdchk
tcpdchk is the tcp_wrappers configuration checker: it examines your TCP wrapper configuration and reports any potential or existing problems it finds.
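The script below is an added example, not part of the original article. It applies the edits this section describes to a copy of inetd.conf, comments out the listed services, verifies that none of them is still active, and checks that a hosts.deny file carries the "ALL: ALL" default-deny rule. The inetd.conf and hosts.deny contents it writes are constructed for the demo, and all file paths are parameters so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not part of the original article): disable the inetd
# services listed in the text in a copy of inetd.conf, verify none of
# them is still active, and check hosts.deny for the default-deny rule.
# File paths are parameters; the sample files are constructed here.

# Services the text says to switch off.
DISABLED_SERVICES='ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth'

make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
talk    dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.talkd
ntalk   dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.ntalkd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i
EOF
}

# Comment out every active line whose first field is one of the
# services above. The name must be followed by whitespace so that
# "pop-3" cannot also match a hypothetical "pop-3s" entry.
disable_inetd_services() {
    for svc in $DISABLED_SERVICES; do
        sed "s/^\(${svc}[[:space:]]\)/#\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    done
}

# Print the services from the list that are still active; empty output
# means all of them are disabled.
active_disabled_services() {
    for svc in $DISABLED_SERVICES; do
        grep -q "^${svc}[[:space:]]" "$1" && printf '%s\n' "$svc"
    done
    return 0
}

# Number of uncommented (active) service lines of any kind.
active_service_count() {
    grep -c '^[^#[:space:]]' "$1" || true
}

# True if the hosts.deny file given as $1 has the "ALL: ALL" default-deny
# rule (comments and whitespace ignored).
has_default_deny() {
    sed -e 's/#.*//' "$1" | grep -qi '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# Usage: sh inetd_harden.sh /path/to/inetd.conf.copy /path/to/hosts.deny
if [ $# -ge 2 ]; then
    disable_inetd_services "$1"
    printf 'active services after edit: %s\n' "$(active_service_count "$1")"
    has_default_deny "$2" && echo 'hosts.deny: default deny present' \
                          || echo 'hosts.deny: NO default deny rule'
fi
```

After running it on a copy, diff the copy against the live file before installing it and sending inetd the HUP signal; in the constructed sample only the ssh line stays active.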
3. Login terminal settings
The /etc/securetty file lists the tty devices on which root is allowed to log in; it is read by the /bin/login program and is simply a list of permitted device names. Edit /etc/securetty and comment out the following lines:
#tty2
#tty3
#tty4
#tty5
#tty6
Now root can log in only on the tty1 terminal.
4. Avoid displaying system and version information
If you do not want remote login users to see the system and version information, change the telnet line in /etc/inetd.conf as follows:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
The added -h flag makes telnetd suppress the system information and display only "login:".

IV. Preventing attacks
1. Blocking ping
If nobody can ping your system, its security naturally improves. To do this, add the following line to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Preventing IP spoofing
Edit /etc/host.conf and add the following lines to guard against IP spoofing attacks:
order bind,hosts
multi off
nospoof on
3. Preventing DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can prevent DoS-type attacks. For example, add the following lines to /etc/security/limits.conf:
* hard core 0
* hard rss 5000
* hard nproc 20
Then edit /etc/pam.d/login and make sure the following line exists:
session required /lib/security/pam_limits.so
The lines above disable core (debug) files, restrict the number of processes to 50 and limit memory usage to 5MB.
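As an added example (not part of the original article), the script below resolves which hard limit pam_limits will apply to a given user from a limits.conf-style file and confirms that pam_limits.so is actually loaded as a session module in a pam.d login file, since without that line the limits are never applied. Both sample files are constructed (the user build and its override are made up), the paths are parameters, and the resolver is a deliberately simplified model: a line naming the user wins over the "*" default, and @group lines are not evaluated.

```shell
#!/bin/sh
# Added example (not part of the original article): work out which hard
# limit pam_limits will apply to a user from a limits.conf-style file,
# and confirm pam_limits is actually loaded in /etc/pam.d/login. Paths
# are parameters so the functions can run on constructed copies. The
# resolver is a simplified model: a line naming the user beats the "*"
# default, and @group lines are not evaluated.

make_sample_limits_conf() {
    cat > "$1" <<'EOF'
# constructed sample /etc/security/limits.conf
*       hard    core    0
*       hard    rss     5000
*       hard    nproc   20
build   hard    nproc   100
EOF
}

make_sample_pam_login() {
    cat > "$1" <<'EOF'
# constructed sample /etc/pam.d/login
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_unix.so
account    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_limits.so
EOF
}

# hard_limit_for <limits.conf> <user> <item>: prints the hard limit that
# applies, preferring a user-specific line over "*", or "unset".
hard_limit_for() {
    awk -v user="$2" -v item="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "hard" && $3 == item {
            if ($1 == user) { specific = $4 } else if ($1 == "*") { dflt = $4 }
        }
        END {
            if (specific != "") print specific; else if (dflt != "") print dflt; else print "unset"
        }' "$1"
}

# pam_limits_enabled <pam.d file>: true if a session line loads
# pam_limits.so; without it the limits.conf entries are never applied.
pam_limits_enabled() {
    sed -e 's/#.*//' "$1" | grep -q '^[[:space:]]*session[[:space:]].*pam_limits\.so'
}

# Usage: sh check_limits.sh /etc/security/limits.conf /etc/pam.d/login admin
if [ $# -ge 3 ]; then
    for item in core rss nproc; do
        printf '%s hard %s = %s\n' "$3" "$item" "$(hard_limit_for "$1" "$3" "$item")"
    done
    pam_limits_enabled "$2" && echo 'pam_limits.so is enabled for login' \
                            || echo 'pam_limits.so is NOT enabled: limits will not apply'
fi
```

Run against the real files, the report makes it obvious when a per-user override (like the constructed build entry) quietly lifts a limit the "*" line was meant to impose on everyone.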

With the above settings, your Linux server is already protected against the vast majority of known security issues and network attacks, but a good system administrator must still keep watching the security landscape and fix exposed and potential vulnerabilities as they appear.
