Pay attention to security issues when connecting to the ADSL network in Linux

Article title: pay attention to security issues when connecting to the ADSL network in Linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

Linux ADSL access users mostly migrate from Windows, which is novel and unfamiliar with the Linux environment and operations. Linux has powerful network functions, however, if you do not know the security knowledge, such as walking in the downtown area with a gold hand, you will not be able to use the network function, but also have security risks. The following describes some security policies suitable for Linux ADSL access users.

1. Disable useless ports

Any network connection is implemented through open application ports. If we open the port as few as possible, we will turn the network attack into the source water, which greatly reduces the chance of successful attackers.

First check your inetd. conf file. Inetd monitors certain ports to provide necessary services. If someone develops a special inetd daemon, there is a security risk. You should comment out the services that will never be used in the inetd. conf file (such as echo, gopher, rsh, rlogin, rexec, ntalk, and finger ).

Note: Unless absolutely required, you must comment out rsh, rlogin, and rexec. telnet recommends that you use a more secure ssh instead and then kill the lnetd process. In this way, inetd no longer monitors the Daemon on your machine, so that no one can use it to steal your application port. You 'd better download a port scanner to scan your system. if you find an open port that you don't know, immediately find the process using it to determine whether to close it.

2. install and configure a firewall

Configuring an appropriate firewall is not only the first line of defense for the system to effectively respond to external attacks, but also the most important line of defense. The firewall should be installed and configured before the new system is connected to the Internet for the first time. The firewall is configured to reject all data packets and then enable the packets that can be received, which is conducive to system security. Linux provides us with a very good firewall tool, netfilter/iptables (http://www.netfilter.org /).

For more information about how to set the firewall, see: how to use the Linux firewall to protect your ADSL connection

3. delete unused software packages

During system planning, the general principle is to remove all unnecessary services. By default, Linux is a powerful system that runs many services. However, many services are not required and may cause security risks. This file is/etc/inetd. conf, which defines the services to be listened to by/usr/sbin/inetd. you may only need two of them: telnet and ftp, other classes such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth are all disabled unless you really want to use it.

4. do not set the default route

In the host, you must strictly disable the default route, that is, the default route. We recommend that you set a route for each subnet or CIDR block. otherwise, other machines may access the host in a certain way.

5. password management

Generally, the password length should not be less than 8 characters. the composition of the password should be a combination of uppercase and lowercase letters, numbers and symbols with no rules, and password should be strictly avoided using English words or phrases, in addition, the passwords of various users should be changed regularly. In addition, password protection also involves the protection of/etc/passwd and/etc/shadow files. only the system administrator can access these two files.

Installing a password filtering tool and npasswd can help you check whether your password can withstand attacks. If you have not installed such tools before, we recommend that you install them now. If you are a system administrator and you have not installed a password filtering tool in your system, please immediately check whether all users' passwords can be searched in full, that is, your/ect/passwd file is fully searched.

[1] [2] [3] Next page