Most Linux ADSL access users have migrated from Windows and are new to the Linux environment and its operation. Linux has powerful networking features, but using them without basic security knowledge is like walking through a busy downtown street with a fistful of gold: you will not get full use of the network, and you expose yourself to risk. The following describes some security policies for ADSL access users.
1. Disable useless ports
Every network connection goes through an open application port. Keeping the number of open ports to a minimum leaves an attack with nothing to draw on, which greatly reduces an attacker's chance of success.
First check your inetd.conf file. inetd listens on certain ports to provide the required services. If someone replaces it with a specially crafted inetd daemon, there is a security risk, so comment out every service you will never use in inetd.conf (such as echo, gopher, rsh, rlogin, rexec, ntalk, and finger).
Note: Unless absolutely required, comment out rsh, rlogin, and rexec. For telnet, use the more secure ssh instead, then kill the inetd process; inetd then no longer runs as a listening daemon on your machine, so nobody can use it to hijack your application ports. You should also download a port scanner and scan your own system. If you find an open port you do not recognize, immediately find the process using it and decide whether to close it.
2. Install and configure a firewall
Configuring an appropriate firewall is not only the system's first line of defense against external attacks, but also its most important one. Install and configure the firewall before the new system connects to the Internet for the first time. Configure it to reject all packets by default and then permit only the traffic that should be accepted; this default-deny approach is good for system security. Linux provides a very good firewall tool, netfilter/iptables (http://www.netfilter.org/).
For details on setting up the firewall, refer to: How to Use the Linux Firewall to Protect Your ADSL Connection.
3. Delete unused software packages
The general principle during system planning is to remove all unnecessary services. By default, Linux is a powerful system that runs many services, but many of them are not required and may pose security risks. The relevant file is /etc/inetd.conf, which defines the services that /usr/sbin/inetd listens for. You may only need two of them, telnet and ftp; the others, such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth, should all be disabled unless you really want to use them.
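As an added example (not part of the original article), the following script audits an inetd.conf for the services that sections 1 and 3 recommend commenting out and produces a hardened copy. The configuration text is constructed for illustration; the service list is taken from those two sections.

```python
# Added example, not from the article: audit an inetd.conf for the services
# sections 1 and 3 say to comment out, using a constructed configuration.

# Services the text names as unneeded or risky; telnet is left out because
# section 3 treats it as one of the two you may actually need.
RISKY_SERVICES = {
    "echo", "gopher", "rsh", "shell", "rlogin", "login", "rexec", "exec",
    "talk", "ntalk", "finger", "imap", "pop-2", "pop-3", "auth",
}

# Constructed sample, not a real host's file. Field order per entry:
# service socket_type protocol wait/nowait user server_program [args]
SAMPLE_INETD_CONF = """\
ftp     stream  tcp nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    stream  tcp nowait  root    internal
"""

def enabled_services(conf_text):
    """Service names of every active (uncommented, well-formed) entry."""
    services = []
    for line in conf_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 6:      # malformed entry: report nothing, guess nothing
            continue
        services.append(fields[0])
    return services

def risky_enabled(conf_text):
    """Active services the hardening advice says to disable, sorted by name."""
    return sorted(s for s in enabled_services(conf_text) if s in RISKY_SERVICES)

def harden(conf_text):
    """Copy of the config with every risky active entry commented out."""
    out = []
    for line in conf_text.splitlines():
        fields = line.split()
        active = bool(fields) and not fields[0].startswith("#")
        out.append("#" + line if active and fields[0] in RISKY_SERVICES else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("risky services still enabled:", risky_enabled(SAMPLE_INETD_CONF))
    print(harden(SAMPLE_INETD_CONF), end="")
```

Running it on the real file (read from /etc/inetd.conf) and sending inetd a HUP afterwards applies the same change to a live system.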
4. Do not set the default route
On the host, strictly avoid setting a default route. We recommend setting a route for each subnet or CIDR block instead; otherwise other machines may be able to reach the host in ways you did not intend.
5. Password Management
In general, a password should be at least 8 characters long and should be an irregular mix of uppercase and lowercase letters, digits, and symbols. Strictly avoid English words or phrases, and change every user's password regularly. Password protection also involves protecting the /etc/passwd and /etc/shadow files; only the system administrator should be able to access these two files.
Installing a password filtering tool such as npasswd helps you check whether your passwords can withstand attack. If you have not installed such a tool before, we recommend installing one now. If you are a system administrator and have no password filtering tool on your system, immediately check whether all users' passwords can be recovered by exhaustive search, that is, whether your /etc/passwd file can be cracked.
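As an added example (not from the article or from npasswd), this function checks a candidate password against the rules given in this section: minimum length, all four character classes, no English words, and no obvious pattern. The small word list is a constructed stand-in for the dictionary a real filtering tool would consult.

```python
# Added example, not from the article: check a candidate password against the
# rules this section gives. The word list stands in for the dictionary a
# filtering tool such as npasswd would consult; it is constructed here.
import string

# Constructed mini dictionary; a real check would load a full word list.
DICTIONARY = {"password", "linux", "admin", "welcome", "summer", "secret"}
SEQUENCE = string.ascii_lowercase + string.digits

def policy_violations(password, dictionary=DICTIONARY, min_length=8):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    required = {
        "an uppercase letter": any(c.isupper() for c in password),
        "a lowercase letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a symbol": any(c in string.punctuation for c in password),
    }
    for name, present in required.items():
        if not present:
            problems.append(f"missing {name}")
    lowered = password.lower()
    # Reject dictionary words whether used whole or embedded ("Password1!").
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
            break
    # "No rules" in the text: reject alphabetic or numeric runs like "abcd", "1234".
    if any(lowered[i:i + 4] in SEQUENCE for i in range(len(lowered) - 3)):
        problems.append("contains a sequential run")
    if password and len(set(password)) <= len(password) // 2:
        problems.append("too few distinct characters")
    return problems

if __name__ == "__main__":
    for candidate in ("Password1!", "abc12345", "Tr0ub4dor&3"):
        print(candidate, "->", policy_violations(candidate) or "OK")
```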
6. Partition Management
A would-be attacker often tries a buffer overflow first. Over the past few years buffer overflows have been the most common form of security vulnerability and, more seriously, account for the vast majority of remote network attacks. Such an attack can easily give an anonymous Internet user partial or complete control over a host!
To prevent such attacks, pay attention to partitioning when installing the system. If the root partition is used to record data such as log files, a denial-of-service condition can generate a large volume of logs or spam mail and crash the system. We therefore recommend a separate partition for /var to hold logs and mail, so the root partition cannot overflow. It is best to give each special application its own partition, especially programs that can generate large numbers of logs. We also recommend a separate partition for /home so that users cannot fill up the root (/) partition; this avoids some malicious attacks based on filling Linux partitions.
7. Prevent Network sniffing
Sniffers are widely used in network maintenance and management. A sniffer works like passive sonar: it silently receives all kinds of information from the network and analyzes the data, giving the network administrator an in-depth view of the network's current state and revealing its weak points. Today, with growing attention to network security, we must not only use sniffers correctly but also guard against them, because they can cause serious harm, chiefly because they are hard to detect. For an enterprise with strict security requirements, a secure topology, session encryption, and static ARP entries are necessary.
8. Complete Log Management
Log files record the running state of your system at all times, and a hacker cannot escape the log. That is why hackers often modify log files to hide their traces during an attack. We therefore need to restrict access to the files under /var/log and prevent ordinary users from viewing them.
In addition, you can install an ICMP/TCP log manager such as iplogger to watch for suspicious repeated connection attempts (for example ICMP floods or similar situations). Be wary of logons from unknown hosts. Complete log management also covers the correctness and validity of the network data recorded. Log file analysis can also prevent intrusion: for example, 20 failed login records for one user within a few hours may be an attacker trying that user's password.
The typical format of a line in the log configuration file is message type.severity level, followed by the log file name (that is, facility.priority and destination). If /etc/syslog.conf contains auth.* /var/log/secure and authpriv.* /var/log/secure, every authentication event is recorded in /var/log/secure, where it can be checked later. If you want the system to notify you of such sensitive events immediately, change the log output file to the console:
auth.* /dev/console
In this way you get a warning on the console immediately whenever someone tries to log on or switch users. After editing the log configuration, run the following command to make it take effect:
kill -HUP $(cat /var/run/syslogd.pid)
In addition, the graphical log viewer available to desktop users is very intuitive (figure: system log viewer interface).
9. Stop ongoing attacks
If, while checking the log files, you find a user logging on from a host you do not recognize and you are sure that user has no account on this host, you may be under attack. First lock the account immediately (in the passwd or shadow file, insert an extra character in front of the user's password field so the stored hash no longer matches). If the attacker is already connected to the system, immediately disconnect the host from the network physically. If possible, further examine the user's history to see whether other accounts have been impersonated and whether the attacker obtained root privileges. Kill all of the user's processes and add the host's IP address or network to the hosts.deny file.
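As an added example (not from the article), the script below ties together the log-analysis heuristic from section 8 (many failed logins for one account within a few hours) and the hosts.deny response from section 9: it parses /var/log/secure style records, flags user/host pairs whose failures within a time window reach a threshold, and emits the TCP wrappers entries. The log lines, the 203.0.113.0/24 source address (a documentation range) and the assumed year are all constructed.

```python
# Added example, not from the article: find the pattern described above (many
# failed logins for one account within a few hours) in /var/log/secure style
# records and emit the hosts.deny entry from section 9. Constructed log data.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SECURE_LOG = """\
Mar  3 01:02:11 gw login[4122]: FAILED LOGIN 1 FROM 203.0.113.7 FOR alice, Authentication failure
Mar  3 01:02:40 gw login[4122]: FAILED LOGIN 2 FROM 203.0.113.7 FOR alice, Authentication failure
Mar  3 01:03:05 gw login[4122]: FAILED LOGIN 3 FROM 203.0.113.7 FOR alice, Authentication failure
Mar  3 01:10:59 gw login[4130]: LOGIN ON pts/1 BY bob FROM 192.168.1.20
Mar  3 02:15:31 gw login[4150]: FAILED LOGIN 1 FROM 203.0.113.7 FOR alice, Authentication failure
Mar  3 09:41:00 gw login[4300]: FAILED LOGIN 1 FROM 192.168.1.20 FOR bob, Authentication failure
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \d+ "
    r"FROM (?P<host>\S+) FOR (?P<user>\w+)")

def parse_failures(log_text, year=2005):
    """Yield (timestamp, user, host) per failed login; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["host"]

def suspicious_sources(log_text, threshold=20, window=timedelta(hours=3)):
    """{(user, host): peak count} for pairs whose failures inside `window` reach threshold."""
    by_key = defaultdict(list)
    for ts, user, host in parse_failures(log_text):
        by_key[(user, host)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), end - start + 1)
    return flagged

def hosts_deny_lines(flagged):
    """TCP wrappers entries for /etc/hosts.deny, one per flagged source host."""
    return sorted({f"ALL: {host}" for (_, host) in flagged})

if __name__ == "__main__":   # low threshold so the small sample triggers
    print(hosts_deny_lines(suspicious_sources(SAMPLE_SECURE_LOG, threshold=3)))
```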
10. Use security tool software
Linux already has some tools for securing a server, such as Bastille Linux, which is quite convenient for users unfamiliar with Linux security settings. Bastille Linux aims to build a secure environment on top of an existing Linux system.
11. Use reserved IP addresses
The simplest way to maintain network security is to ensure that the hosts on the network are not exposed to the outside; the most basic method is to isolate them from the public network. In many cases, however, this isolation-based policy is unacceptable. Here, using reserved IP addresses is a simple and feasible method that lets users access the Internet while maintaining a certain degree of security.
RFC 1918 specifies the IP address ranges that can be used on local TCP/IP networks. These addresses are not routed over the Internet and therefore do not need to be registered. By assigning addresses from these ranges you effectively confine network traffic to the local network. This is a fast and effective way to let computers communicate with each other while rejecting access from external computers.
Reserved IP address range:
---- 10.0.0.0-10.20.255.255
---- 172.16.0.0-172.31.255.255
---- 192.168.0.0-192.168.255.255
Traffic from reserved IP addresses does not pass through Internet routers, so a computer assigned a reserved address cannot be reached from the external network. By itself, however, this also prevents users from reaching external networks; IP masquerading (NAT) solves that problem.
12. Choose the release version
For Linux, use neither the very latest release nor an old one. Use a mature version: the final release of the previous product line, such as RHEL 4.2. After all, security and stability are the top priority.
13. Watch for backdoor programs and viruses
Executable-file viruses, worms, and script viruses can basically be prevented by installing GPL virus detection and removal software. Desktop users can choose tkantivir (http://www.sebastian-geiges.de/tkantivir/), which is written in Tcl/Tk and runs in any X Window environment such as KDE or GNOME.
Backdoor programs are thieves lurking in the system, and the harm they do is no less than that of viruses. On Linux, backdoors can be very well hidden and hard to clean up, so the simplest defense is never to run unknown applications. That alone is not enough, and a cleanup program such as chkrootkit (http://www.chkrootkit.org/) is also needed. chkrootkit can inspect system logs and files, check whether malicious programs have intruded into the system, and find