Red Hat Linux Security Settings

Source: Internet
Author: User


Network security means that the hardware, software, and data in a network system are protected from accidental or malicious damage, alteration, and disclosure, so that the system runs continuously, reliably, and normally and network services are not interrupted.

Network security is essentially information security on the network. Broadly speaking, all technologies and theories concerned with the confidentiality, integrity, availability, authenticity, and controllability of information on the network belong to the field of network security research.

1. Minimize the system: remove unnecessary software and disable unnecessary services.

# ntsysv
Only the services to be started are listed below. All services not listed should be disabled; enable the services that actually need to run one by one.
atd
crond
irqbalance
microcode_ctl
network
sshd
syslog

2. Remove the finger program:

# rpm -e finger

3. BIOS Security Settings

4. Account Security Settings

Modify the /etc/login.defs file:
PASS_MAX_DAYS 120    # maximum number of days a password may be used
PASS_MIN_DAYS 0      # minimum number of days between password changes
PASS_MIN_LEN 10      # minimum password length
PASS_WARN_AGE 7      # days of warning before a password expires
Make sure that /etc/shadow is readable only by root.
Make sure that /etc/passwd is writable only by root.

Periodically use password tools to check user password strength

5. /etc/exports

If you share files through NFS, configure the /etc/exports file with the strictest possible access restrictions: do not use wildcards, do not allow write permission on the root directory, and try to grant read-only access. Note that the options must be attached directly to the host name; with a space in between they would apply to all hosts. Add lines such as the following to /etc/exports:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
We recommend that you do not use NFS at all.

6. inetd.conf or xinetd.conf
In inetd.conf, it is recommended to comment out all the r-commands (services whose names start with r), exec, and similar services.

7. TCP_Wrappers
Add the permitted services to /etc/hosts.allow and add the line "ALL: ALL" to /etc/hosts.deny.

8. /etc/aliases file

If the aliases file is managed incorrectly or carelessly, it becomes a security risk. Delete the line defining the "decode" alias from the aliases file.
Edit aliases and delete or comment out the following lines:
# games: root
# ingres: root
# system: root
# toor: root
# uucp: root
# manager: root
# dumper: root
# operator: root
# decode: root
Run /usr/bin/newaliases to reload the alias database.

9. Prevent unauthorized users from abusing sendmail.

Edit sendmail.cf and change
O PrivacyOptions=authwarnings
to
O PrivacyOptions=authwarnings,noexpn,novrfy

10. Do not respond to ping.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

11. Enable TCP SYN cookie protection

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

12. Delete unnecessary users and groups

Users to delete, such as adm, lp, sync, shutdown, halt, news, uucp, operator, games, and gopher.
Groups to delete, such as adm, lp, news, uucp, games, dip, pppusers, popusers, and slipusers.
You can then set the immutable bit on the account files:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

13. Prevent anyone from using the su command to become root.

Edit the su PAM file (vi /etc/pam.d/su) and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Add the users who are allowed to su to root to the wheel group (gid 10). Note that -G replaces the user's existing supplementary groups:
usermod -G 10 username

14. Disable the Control+Alt+Delete key combination.

Edit /etc/inittab and comment out the following line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Run /sbin/init q to make the setting take effect.

15. Create hard copies of all important log files

If the server is important, you can print the ssh, mail, and boot messages to a line printer. Add a line to the /etc/syslog.conf file:
authpriv.*;mail.*;local7.*;auth.*;daemon.info    /dev/lp0
Run /etc/rc.d/init.d/syslog restart.
Alternatively, send the logs to another server for storage.
For example, the line
authpriv.*    /var/log/secure
can be changed as follows to send the same messages to 192.168.0.2:
authpriv.*    @192.168.0.2

16. Change the access permissions of the script files under the /etc/rc.d/init.d directory.

chmod -R 700 /etc/rc.d/init.d/*
Note: modify these security settings with caution.

17. /etc/rc.d/rc.local

Comment out the lines in this file that write system information to the login banner, so that nobody can see any information about the host before logging in.
Delete issue and issue.net under /etc.

18. Programs with the s-bit

Programs whose s-bit can be cleared include, but are not limited to:
programs that are never used;
programs that non-root users do not need to run;
programs used only occasionally, where you do not mind becoming root with su before running them.
find / -type f \( -perm -04000 -o -perm -02000 \) -print
chmod a-s program_name

19. View hidden files on the system

find / -name ".*" -print

20. Search for files and directories that are writable by anyone

find / -type f \( -perm -2 -o -perm -20 \) -ls
find / -type d \( -perm -2 -o -perm -20 \) -ls

21. Search for files without an owner on the system.

find / -nouser -o -nogroup

22. Search for .rhosts files.

find /home -name ".rhosts"
If any are found, delete them.

23. Revoke or remove the permissions of the system compiler.

Example: chmod 700 /usr/bin/gcc

I. Disk partitioning

1. If the system is newly installed, consider the security of the disk partitioning:

1) the root directory (/), the user directory (/home), the temporary directory (/tmp), and the /var directory should be placed on separate disk partitions;

2) the disk space of the partitions holding these directories should be sized generously, to avoid a system failure when a partition fills up for some reason;

2. On the partitions holding /tmp and /var, programs with the suid attribute are not needed in most cases, so these partitions should be mounted with the nosuid option;

Method 1: Modify the /etc/fstab file and add the nosuid option. For example:

/dev/hda2 /tmp ext2 exec,dev,nosuid,rw 0 0

Method 2: If you are not familiar with editing the /etc/fstab file, we recommend that you use the linuxconf program.

Run the linuxconf program;

Select "Access local drive" under "File systems ";

Select the disk partition for which you want to modify the attribute;

Select "No setuid programs allowed";

Select other options as needed;

Exit normally. (The system will usually prompt you to re-mount the partition)

Ii. Installation

1. Do not install more software packages than necessary on production (non-test) hosts. This reduces the chance of security vulnerabilities introduced by installed packages.

2. On production hosts, do not enable non-essential services when choosing which services start at boot, such as routed and ypbind.

Iii. Security Configuration and Enhancement

Kernel upgrade. Upgrade to 2.2.16 or later.

Upgrade the GNU libc shared library. (Warning: do not attempt this without experience; it can be postponed.)

Disable dangerous network services: echo, chargen, shell, login, finger, NFS, RPC, etc.

Disable non-essential network services: talk, ntalk, pop-2, etc.

Security configuration and upgrade of common network services

Make sure that the version of each network service in use is the latest and most secure one.

Disable anonymous FTP access

Remove suid programs unless they are necessary

Use tcpwrapper

Use an ipchains firewall

syslogd

Some details:

1. The log files of the operating system are an important clue for detecting network intrusions. Of course, this assumes that your log files have not been tampered with by the intruders. If you have a server connected directly to the Internet over a leased line, meaning that your IP address is permanent and fixed, you will find many people trying to log in to your system via telnet/ftp; run # more /var/log/secure | grep refused to check.

2. Limit the number of programs with the SUID permission flag. Programs with this flag run as root, which is a potential security vulnerability. Of course, some programs must have this flag, such as the passwd program.

3. BIOS security. Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.

4. User passwords. User passwords are the most basic starting point of Linux security. Many users choose simple passwords, which opens the door to intruders; although in theory no password is uncrackable, any password can be broken given enough time and resources. A good user password is a string that only its owner can easily remember and understand, and it should never be written down anywhere.

5. /etc/exports file. If you use the NFS network file system service, make sure that your /etc/exports has the strictest possible access permission settings. This means that you use no wildcards, do not allow root write permissions, and export the file system read-only. Edit the /etc/exports file and add lines such as:

/dir/to/export host1.mydomain.com(ro,root_squash)

/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you are exporting, and host.mydomain.com is the name of the machine allowed to mount it.

ro exports the file system read-only; root_squash maps the client's root user to an unprivileged user, so remote root cannot write to this directory as root.

To make the above changes take effect, run /usr/sbin/exportfs -

6. Make sure that the owner of /etc/inetd.conf is root and that the file permission is set to 600.

[root@deep]# chmod 600 /etc/inetd.conf
Ensure that the owner is root:
[root@deep]# stat /etc/inetd.conf
  File: "/etc/inetd.conf"
  Size: 2869          Filetype: Regular File
  Mode: (0600/-rw-------)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,6   Inode: 18219     Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999(00002.06:12:16)

Edit /etc/inetd.conf to disable the following services:

ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger,

auth, etc., unless you really need them.

In particular, disable the r commands. If you use ssh/scp, you can also disable telnet/ftp.

To make the change take effect, run # killall -HUP inetd

You can also run # chattr +i /etc/inetd.conf to make the file immutable.

Only root can unlock it, using the command

# chattr -i /etc/inetd.conf

7. TCP_WRAPPERS

By default, Red Hat Linux allows all requests; use TCP_WRAPPERS to enhance the security of your site.

You can put

"ALL: ALL" in /etc/hosts.deny to deny all requests, and then put the explicitly allowed requests in

/etc/hosts.allow, for example:

sshd: 192.168.1.10/255.255.255.0 gate.openarch.com

The IP address 192.168.1.10 and the host gate.openarch.com can then connect through ssh. Note that with the mask 255.255.255.0 this entry matches the whole 192.168.1.0/24 network, not only the single address 192.168.1.10; use 255.255.255.255 to admit one host.

After the configuration is complete, check it with tcpdchk:

[root@deep]# tcpdchk

tcpdchk is the TCP_Wrappers configuration checker;

it examines your tcp wrapper configuration and reports all potential and existing problems it detects.
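The following shell functions are an added example, not part of the original article: they evaluate a TCP_Wrappers address/mask client pattern the way tcpd does (bitwise AND of the client address with the mask, compared against the masked pattern address), so you can see which clients an entry such as the one above admits before it goes live. Only the dotted-quad/netmask form is handled; host names and the other pattern forms tcpd accepts are out of scope.

```shell
# Added example, not from the original article: evaluate a TCP_Wrappers
# "a.b.c.d/m.m.m.m" client pattern the way tcpd does, so that a hosts.allow
# entry can be checked against candidate client addresses.
# Only the dotted-quad/netmask form is handled; host names, domain suffixes
# and the other pattern forms tcpd accepts are out of scope here.

# Convert a dotted-quad IPv4 address to an unsigned integer.
# Octets are taken as decimal; leading zeros are not special-cased.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if CLIENT falls inside PATTERN (net/mask form), 1 otherwise.
# Like tcpd, the test is (client & mask) == (net & mask), so the host part
# of the pattern address is irrelevant: 192.168.1.10/255.255.255.0 admits
# every host in 192.168.1.0/24, not just 192.168.1.10.
wrapper_net_match() {
    local pattern="$1" client="$2" net mask addr
    net=$(ip_to_int "${pattern%/*}")
    mask=$(ip_to_int "${pattern#*/}")
    addr=$(ip_to_int "$client")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Report, for each candidate client, whether PATTERN admits it.
# Usage: wrapper_report PATTERN CLIENT...
wrapper_report() {
    local pattern="$1" c
    shift
    for c in "$@"; do
        if wrapper_net_match "$pattern" "$c"; then
            echo "$pattern admits $c"
        else
            echo "$pattern denies $c"
        fi
    done
}

# The entry from the article, checked against constructed client addresses.
wrapper_report 192.168.1.10/255.255.255.0 192.168.1.10 192.168.1.77 192.168.2.10
wrapper_report 192.168.1.10/255.255.255.255 192.168.1.10 192.168.1.77
```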

8. The aliases file

Edit the aliases file /etc/aliases (or /etc/mail/aliases) and delete or comment out the lines marked below.

# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
#games: root              <- remove or comment out
#ingres: root             <- remove or comment out
nobody: root
#system: root             <- remove or comment out
#toor: root               <- remove or comment out
#uucp: root               <- remove or comment out
# Well-known aliases.
#manager: root            <- remove or comment out
#dumper: root             <- remove or comment out
#operator: root           <- remove or comment out
# trap decode to catch security attacks
#decode: root
# Person who should get root's mail
#root: marc

After the last change, do not forget to run /usr/bin/newaliases to make the change take effect.

9. Prevent your system from responding to any external or internal ping requests.

Since nobody can then ping your machine and get a response, you can greatly enhance the security of your site. Add the following command to /etc/rc.d/rc.local so that it runs automatically after each startup:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

10. Do not display the operating system and version information.

If you want people to be able to log on to your server remotely without being shown the operating system and version, change

the telnet line in /etc/inetd.conf as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding the -h flag at the end makes the telnet daemon suppress the system banner and show only the login: prompt.

11. The /etc/host.conf file

Edit the host.conf file (vi /etc/host.conf) and add the following lines:

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP aliasing).
multi off
# Check for IP address spoofing.
nospoof on

IP spoofing: IP spoofing is a security exploit that works by tricking
computers in a trust relationship into believing that you are someone you really are not.

12. The /etc/securetty file
This file lists the tty devices on which root is allowed to log in. /etc/securetty is read by the /bin/login program.
Its format is a list of permitted tty names. For example, edit /etc/securetty and comment out the following lines:

tty1
# tty2
# tty3
# tty4
# tty5
# tty6
# tty7
# tty8

This means that root is allowed to log in only on the tty1 terminal.

13. Special accounts
Disable all accounts that the operating system creates by default and that you do not need. This check should be performed when you first install the system. Linux creates various accounts that you may not need; if you do not need an account, remove it. The more accounts you have, the more exposed you are to attack.
To delete a user on your system, run the following command:

[root@deep]# userdel username
To delete a group on your system, run the following command:
[root@deep]# groupdel groupname
Run the following commands on the terminal to delete the following users:
[root@deep]# userdel adm
[root@deep]# userdel lp
[root@deep]# userdel sync
[root@deep]# userdel shutdown
[root@deep]# userdel halt
[root@deep]# userdel mail
If you do not need the sendmail server, procmail or mailx, delete this account.
[root@deep]# userdel news
[root@deep]# userdel uucp
[root@deep]# userdel operator
[root@deep]# userdel games
If you do not need the X Window server, delete this account.
[root@deep]# userdel gopher
[root@deep]# userdel ftp
If you do not allow anonymous FTP, delete this user account.
Run the following commands to delete the group accounts:
[root@deep]# groupdel adm
[root@deep]# groupdel lp
[root@deep]# groupdel mail
If you do not need the sendmail server, delete this group account.
[root@deep]# groupdel news
[root@deep]# groupdel uucp
[root@deep]# groupdel games
If you do not need the X Window server, delete this group account.
[root@deep]# groupdel dip
[root@deep]# groupdel pppusers
[root@deep]# groupdel popusers
If you do not need a POP server, delete this group account.
[root@deep]# groupdel slipusers
Use the following command to add a required user account:
[root@deep]# useradd username
Use the following command to change a user's password:
[root@deep]# passwd username

Use the chattr command to make the following files immutable. Note that while the immutable attribute is set, useradd, usermod, groupdel and passwd cannot modify these files; remove it with chattr -i before making account changes.
[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow

14. Prevent anyone from using su to become root.
If you do not want anyone to use su to become root, edit /etc/pam.d/su and add the following lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

This means that only users in the isd group can use su to become root.
Then, if you want the user admin to be able to su to root, run the following command:

[root@deep]# usermod -G 10 admin

16. Resource limits
Setting resource limits for all users on your system can prevent DoS (denial of service) attacks,
for example by capping the maximum number of processes and the amount of memory. The following limits apply to all users:

Edit /etc/security/limits.conf and add:
* hard core 0
* hard rss 5000
* hard nproc 20

You must also edit the /etc/pam.d/login file and check that this line is present, because limits.conf is only enforced through pam_limits:

session required /lib/security/pam_limits.so

The settings above disable core files ("core 0"), limit the number of processes ("nproc 50"), and limit memory usage to
5 MB ("rss 5000").
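An added audit for these resource limits and for the password-ageing settings of section 4 (example code written for this page, not part of the original article): it parses a login.defs-style file and a limits.conf-style file, checks the shadow file's owner and mode, and verifies that the PAM login stack actually loads pam_limits.so, without which limits.conf is ignored. File paths are parameters; the live system files are checked only when AUDIT_LIVE=1 is set.

```shell
# Added example, not from the original article: audit the account-policy
# settings of section 4 (login.defs, /etc/shadow) and the resource limits of
# section 16 (limits.conf plus the pam_limits line that makes them effective).
# Paths are parameters so the functions can run on copies; AUDIT_LIVE=1 runs
# them against the live files.

# Print the value of KEY in a login.defs-style file; the last uncommented
# occurrence wins, which is how login.defs itself is read.
login_def_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print the value of the "<domain> hard <item>" entry in a limits.conf file.
hard_limit_value() {
    awk -v d="$2" -v i="$3" \
        '$1 == d && $2 == "hard" && $3 == i { v = $4 } END { print v }' "$1"
}

# Return 0 if the ageing values are at least as strict as the article's
# (max 120 days, min length 10, 7 days warning); otherwise print each
# deviation and return 1.
audit_login_defs() {
    local file="$1" rc=0 v
    v=$(login_def_value "$file" PASS_MAX_DAYS)
    if [ -z "$v" ] || [ "$v" -gt 120 ]; then
        echo "PASS_MAX_DAYS=${v:-unset} (want <= 120)"; rc=1
    fi
    v=$(login_def_value "$file" PASS_MIN_LEN)
    if [ -z "$v" ] || [ "$v" -lt 10 ]; then
        echo "PASS_MIN_LEN=${v:-unset} (want >= 10)"; rc=1
    fi
    v=$(login_def_value "$file" PASS_WARN_AGE)
    if [ -z "$v" ] || [ "$v" -lt 7 ]; then
        echo "PASS_WARN_AGE=${v:-unset} (want >= 7)"; rc=1
    fi
    return $rc
}

# Return 0 if FILE is owned by uid OWNER (default 0, root) and has no group
# or other permission bits (mode 0400 or 0600), as /etc/shadow must.
private_file_ok() {
    local file="$1" owner="${2:-0}" mode uid
    mode=$(stat -c %a "$file") || return 1
    uid=$(stat -c %u "$file") || return 1
    if [ "$uid" = "$owner" ]; then
        case "$mode" in 400|600) return 0 ;; esac
    fi
    echo "$file: uid=$uid mode=$mode (want uid $owner, mode 0400 or 0600)"
    return 1
}

# Return 0 when the wildcard domain has core 0 plus rss and nproc caps in
# LIMITS, and PAMLOGIN has an active session line loading pam_limits.so.
audit_limits() {
    local limits="$1" pamlogin="$2" rc=0 v item
    v=$(hard_limit_value "$limits" '*' core)
    [ "$v" = 0 ] || { echo "missing '* hard core 0' (got '${v:-unset}')"; rc=1; }
    for item in rss nproc; do
        v=$(hard_limit_value "$limits" '*' "$item")
        [ -n "$v" ] || { echo "missing '* hard $item <value>'"; rc=1; }
    done
    # Commented-out lines start with '#', so they do not match this anchor.
    grep -Eq '^[[:space:]]*session[[:space:]]+[a-z]+[[:space:]]+[^[:space:]]*pam_limits\.so' \
        "$pamlogin" || { echo "$pamlogin: no active pam_limits.so session line"; rc=1; }
    return $rc
}

if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit_login_defs /etc/login.defs
    private_file_ok /etc/shadow
    audit_limits /etc/security/limits.conf /etc/pam.d/login
fi
```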

17. The /etc/lilo.conf file

a) Add: restricted
Add this line to each boot image. It means that a password is required if boot-time options are given (for example, linux single).

b) Add: password=some_password
Used together with restricted, a normal boot needs no password, but passing boot options does; without restricted, the password is required for every boot. You must also ensure that the lilo.conf
file is not readable by non-root users, since the password is stored in plaintext. The following is an example:

Edit /etc/lilo.conf and add:
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
restricted                # add this line
password=some_password    # add this line
image=/boot/vmlinuz-2.2.12-20
    label=linux
    initrd=/boot/initrd-2.2.12-10.img
    root=/dev/sda6
    read-only
[root@deep]# chmod 600 /etc/lilo.conf (no longer readable by other users)
[root@deep]# /sbin/lilo -v (update the lilo configuration)
[root@deep]# chattr +i /etc/lilo.conf (prevent this file from being modified)

18. Disable the Control-Alt-Delete keyboard restart command

[root@deep]# vi /etc/inittab
Change
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
[root@deep]# /sbin/init q

19. Reset the permissions of all files in the /etc/rc.d/init.d/ directory.
[root@deep]# chmod -R 700 /etc/rc.d/init.d/*
Only root can then read, write, and execute these script files.

20. The /etc/rc.d/rc.local file
By default, when you log in to the Linux server, it tells you the Linux distribution name, kernel version, and server
host name. That is too much information. If you want only the login: prompt, edit /etc/rc.d/rc.local and put # in front of the following lines:

# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then, do the following:

[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
[root@deep]# touch /etc/issue
[root@deep]# touch /etc/issue.net

21. The s-bit on programs owned by root.

Remove the s-bit flag from programs owned by root that do not need it. Of course, some programs require it. Use the command 'chmod a-s' to do this.

Note: the programs marked with (*) in front do not need the s-bit flag.

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
 -rwsr-xr-x   1 root          33120 Mar 21  1999 /usr/bin/
*-rwsr-xr-x   1 root          30560 Apr 15        /usr/bin/chage
*-rwsr-xr-x   1 root          29492 Apr 15        /usr/bin/gpasswd
 -rwsr-xr-x   1 root           3208 Mar 22  1999 /usr/bin/disable-paste
 -rwxr-sr-x   1 root man      32320 Apr  9  1999 /usr/bin/man
 -r-s--x--x   1 root          10704 Apr 14        /usr/bin/passwd
 -rws--x--x   2 root         517916 Apr  6  1999 /usr/bin/suidperl
 -rws--x--x   2 root         517916 Apr  6  1999 /usr/bin/sperl5.00503
 -rwxr-sr-x   1 root mail     11432 Apr  6  1999 /usr/bin/lockfile
 -rwsr-sr-x   1 root mail     64468 Apr  6  1999 /usr/bin/procmail
 -rwsr-xr-x   1 root          21848 Aug 27        /usr/bin/crontab
 -rwxr-sr-x   1 root slocate  15032 Apr 19 14:55  /usr/bin/slocate
*-r-xr-sr-x   1 root tty       6212 Apr 17        /usr/bin/wall
*-rws--x--x   1 root          14088 Apr 17        /usr/bin/chfn
*-rws--x--x   1 root          13800 Apr 17        /usr/bin/chsh
*-rws--x--x   1 root           5576 Apr 17        /usr/bin/newgrp
*-rwxr-sr-x   1 root tty       8392 Apr 17        /usr/bin/write
 -rwsr-x---   1 root squid    14076 Oct  7        /usr/lib/squid/pinger
 -rwxr-sr-x   1 root utmp     15587 Jun  9 09:30  /usr/sbin/utempter
*-rwsr-xr-x   1 root           5736 Apr 19        /usr/sbin/usernetctl
*-rwsr-xr-x   1 root bin      16488 Jul  6        /usr/sbin/traceroute
 -rwsr-sr-x   1 root         299364 Apr 19        /usr/sbin/sendmail
 -rwsr-xr-x   1 root          34131 Apr 16        /usr/libexec/pt_chown
 -rwsr-xr-x   1 root          13208 Apr 13        /bin/su
*-rwsr-xr-x   1 root          52788 Apr 17        /bin/mount
*-rwsr-xr-x   1 root          26508 Apr 17        /bin/umount
*-rwsr-xr-x   1 root          17652 Jul  6 09:33  /bin/ping
 -rwsr-xr-x   1 root          20164 Apr 17        /bin/login
*-rwxr-sr-x   1 root           3860 Apr 19        /sbin/netreport
 -r-sr-xr-x   1 root          46472 Apr 17        /sbin/pwdb_chkpwd
[root@deep]# chmod a-s /usr/bin/chage
[root@deep]# chmod a-s /usr/bin/gpasswd
[root@deep]# chmod a-s /usr/bin/wall
[root@deep]# chmod a-s /usr/bin/chfn
[root@deep]# chmod a-s /usr/bin/chsh
[root@deep]# chmod a-s /usr/bin/newgrp
[root@deep]# chmod a-s /usr/bin/write
[root@deep]# chmod a-s /usr/sbin/usernetctl
[root@deep]# chmod a-s /usr/sbin/traceroute
[root@deep]# chmod a-s /bin/mount
[root@deep]# chmod a-s /bin/umount
[root@deep]# chmod a-s /bin/ping
[root@deep]# chmod a-s /sbin/netreport

You can use the following command to find all programs with the s-bit flag:

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; > suid-sgid-results

This writes the result to the suid-sgid-results file.

To find all world-writable files and directories, run the following commands:

[root@deep]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; > ww-files-results

[root@deep]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; > ww-directories-results

Run the following command to find files without an owner:

[root@deep]# find / -nouser -o -nogroup > unowned-results

Run the following command to find all .rhosts files:

[root@deep]# find /home -name .rhosts > rhost-results
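The saved suid-sgid-results list is only useful if it is compared against later runs, so as an added example (not part of the original article) the following functions record a baseline of setuid/setgid files under a tree and report any file that has gained the bit since. The tree root and the baseline path are parameters so the check can be exercised on a constructed test directory; -xdev keeps find on one file system, which the article's plain find / does not do.

```shell
# Added example, not from the original article: turn the suid-sgid-results
# listing into a recurring check.  A baseline of "mode path" lines is saved
# once; later runs report every setuid/setgid file that is not in it, which
# catches new or re-enabled s-bit programs.  ROOT and BASELINE are parameters.

# Print "mode path" for every regular file under ROOT with the setuid or
# setgid bit set, sorted so that two runs are directly comparable.
# -xdev stays on ROOT's file system (skips /proc, NFS mounts and the like).
list_suid_sgid() {
    local root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %n' {} \; 2>/dev/null | sort
}

# Save the current list to BASELINE.
suid_baseline_save() {
    list_suid_sgid "$1" > "$2"
}

# Print entries present now but absent from BASELINE (new files, or files
# whose mode changed); return 1 if there are any, 0 if nothing is new.
suid_baseline_check() {
    local root="$1" baseline="$2" new
    new=$(list_suid_sgid "$root" | comm -13 "$baseline" -)
    if [ -n "$new" ]; then
        printf 'new setuid/setgid files since baseline:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Typical use on the live system (root needed to read every directory):
#   suid_baseline_save / /var/log/suid-sgid-results     # once, after hardening
#   suid_baseline_check / /var/log/suid-sgid-results    # from cron, alert on 1
```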

Common network service applications recommended for replacement

WuFTPD

WuFTPD has been prone to security vulnerabilities since 1994. Attackers have repeatedly been able to obtain remote root access, and many of the vulnerabilities did not even require a valid account on the FTP server. WuFTPD has continued to suffer security vulnerabilities recently.

Its best alternative is ProFTPD. ProFTPD is easy to configure, is faster in most cases, and its source code is comparatively clean (fewer buffer overflow errors). Many important sites use ProFTPD; sourceforge.net is a good example (the site hosts a total of 3,000 open-source projects, and its load is not small!). Some Linux distributors also use ProFTPD on their main FTP sites, and WuFTPD is used by only two major Linux distributors (SuSE and Caldera).

Another advantage of ProFTPD is that it can run either from inetd or as a standalone daemon. This easily avoids some problems caused by inetd, such as denial of service attacks. The simpler the system, the easier it is to keep it secure. WuFTPD would need either a complete source code review (very difficult) or a complete rewrite; otherwise, WuFTPD should be replaced by ProFTPD.

Telnet

Telnet is very insecure. It uses plain text to send passwords. Its safe alternative is OpenSSH.

OpenSSH is very mature and stable on Linux, and there is also a lot of free client software for the Windows platform. Linux distributors should adopt the OpenBSD policy: install OpenSSH and make it the default, and install Telnet without making it the default. For Linux distributors outside the United States, it is easy to add OpenSSH to the distribution. For distributors in the United States, there are other approaches (for example, Red Hat provides the latest OpenSSH rpm package on its FTP server in Germany, ftp.redhat.de).

Telnet is a hopeless program. To ensure system security, software such as OpenSSH must be used instead.

Sendmail

In recent years, the security of Sendmail has improved a lot (in the past, it was one of the programs attackers targeted most often). However, Sendmail still has a serious problem: whenever a new security vulnerability is discovered (as happened recently with a Linux kernel bug), Sendmail is one of the first programs to be attacked, because Sendmail runs with root privileges and its code base is huge and prone to problems.

Almost all Linux publishers use Sendmail as the default configuration, and only a few use Postfix or Qmail as optional software packages. However, few Linux publishers use Sendmail on their own mail servers. Both SuSE and Red Hat use Qmail-based systems.

Sendmail is not necessarily replaced by other programs. However, its two alternatives, Qmail and Postfix, are safer and faster than it, and especially Postfix, is easier to configure and maintain than it.

Su

su is used to change the identity of the current user to another user. You can log on as an ordinary user and, when you need to do something as root, simply execute the "su" command and enter the root password. su itself is not the problem, but it encourages bad habits: if a system has multiple administrators, you must give all of them the root password.

An alternative to su is sudo. Red Hat 6.2 ships this software. sudo lets you define which user groups may execute which programs as root. You can also restrict where a user may use it from (if someone cracks a user's password and logs on with that account from a remote computer, you can restrict that user's use of sudo). Debian also has a similar program called super, which has advantages and disadvantages compared with sudo.

Let users develop good habits. Using the root account directly and letting several people know the root password is not a good habit. This is why www.apache.org was compromised: it had multiple system administrators with root privileges. A messy system is easy to break into.

Named

Most Linux distributors have solved this problem. named used to run as root, so whenever a new vulnerability appeared in named it was easy to break into important computers and obtain root privileges. Now only a few command line parameters are needed to run named as a non-root user, and most Linux distributors now allow named to run with the privileges of an ordinary user. Command format: named -u <user> -g <group>

INN

The INN documentation clearly states that "disabling this function (verifycancels) is useless and it will be removed". About a month ago, an attacker published a method of breaking into INN when "verifycancels" is enabled. Red Hat ships with verifycancels enabled. Any setuid/setgid program or network service must be installed and checked correctly to ensure that it does not introduce security vulnerabilities.

Security code

1. Abolish all default accounts and passwords of the system.

2. Do not display company headers, online help, or other information before your legality is verified.

3. Abolish the network services that hackers can attack the system.

4. Use 6- to 8-character alphanumeric passwords.

5. restrict the number of times a user attempts to log on to the system.

6. Record security violations and review security records.

7. Encryption must be performed before important information is transmitted over the Internet.

8. Pay attention to the advice of experts and install the system patches they recommend.

9. Restrict host files that can be accessed without a password.

10. Modify the network configuration files to limit inbound TCP connections to the minimum set of ports. Do not allow services such as tftp, sunrpc, printer, rlogin, and rexec.

11. Use upas instead of sendmail. Sendmail has many known vulnerabilities and is difficult to completely fix.

12. Remove programs that are not critical to the operation and are rarely used.

13. Use chmod to set all system directories to mode 711. Attackers then cannot list their contents, while users can still execute the programs in them.

14. If possible, mount file systems read-only. In practice, only a few directories need to be writable.

15. upgrade the system software to the latest version. The old version may have been researched and successfully attacked. The latest version generally includes the remedy for these problems.
