Red Hat Linux Security Settings Method _linux

Source: Internet
Author: User
Tags aliases ftp login ftp site gopher syslog system log file permissions ftp access
Windows Server 2003 System configuration Scenario

Network security refers to the network system hardware, software and its system data is protected from accidental or malicious reasons to be destroyed, changed, leaked, the system continuously reliable normal operation, network services uninterrupted.

Network security is essentially the information security on the network. In a broad sense, all relevant technologies and theories related to the confidentiality, integrity, usability, authenticity and controllability of information on the network are the research fields of network security.

1, minimize the security system, remove unnecessary software, and turn off unnecessary services.

# NTSYSV
Only the services that need to be started are listed below, the services that are not listed are recommended for shutdown, and the services that are required to run are opened individually.
Atd
Crond
Irqbalance
Microcode_ctl
Network
Sshd
Syslog

2, remove the finger program, the specific method is as follows

#rpm –e Finger

3,bois Security Settings

4, account security settings

modifying/etc/login.def files
Pass_max_days 120? Set Password expiration date
Pass_min_days 0? Set Minimum password change date
Pass_min_len 10? Set Minimum Password length
Pass_warn_age 7? Set expired advance warning days
Make sure/etc/shadow is read root only
Make sure/etc/passwd is read as root

Regularly use password tool to detect user password strength

5,/etc/exports

If you share files through NFS, be sure to configure the "/etc/exports" file so that access restrictions are as stringent as possible. This means that you do not use wildcards, do not allow write access to the root directory, and read permissions as much as possible. In/etc/exports file add:
/dir/to/export host1.mydomain.com (Ro,root_squash)
/dir/to/export host2.mydomain.com (Ro,root_squash)
It is advisable not to use NFS.

6,inetd.conf or xinetd.conf
If it is inetd.conf to comment out all the R-start programs, exec, etc.

7,tcp_wrappers
Add the allowed service to the/etc/hosts.allow and join the line in/etc/hosts.deny All:all

8,/etc/aliases file

Aliases files can create a security risk if you manage errors or manage them carelessly. Delete the line that defines the alias "decode" from the aliases file.
Edit aliases, delete or annotate the following lines:
#games: Root
#ingres: Root
#system: Root
#toor: Root
#uucp: Root
#manager: Root
#dumper: Root
#operator: Root
#decode: Root
Run/usr/bin/nesaliases Reload.

9, prevent SendMail from being abused by unauthorized users

Edit SENDMAIL.CF
Put Privacyoptions=authwarnings
Change to Privacyoptions=authwarnings,noexpn,novrfy

10, do not respond to ping

Echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

11, make TCP SYN cookie protection effective

Echo 1 >/proc/sys/net/ipv4/tcp_syncookies

12, delete unnecessary users and groups of users

Deleted users, such as Adm,lp,sync,shutdown,halt,news,uucp,operator,games,gopher, etc.
Deleted groups, such as adm,lp,news,uucp,games,dip,pppusers,popusers,slipusers, etc.
You can set the non-change bit
Chattr +i/etc/passwd
Chattr +i/etc/shadow
Chattr +i/etc/group
Chattr +i/etc/gshadow

13, to prevent anyone from being able to use the SU command as root

Edit the Su file (vi/etc/pam.d/su) and add the following two lines
Auth sufficient/lib/security/pam_rootok.so Debug
Auth required/lib/security/pam_wheel.so Group=wheel
Add a user who can Su-root to the wheel group
USERMOD-G10 username

14, make Control+alt+delete shutdown key invalid

Edit Inittab file, comment out
Ca:ctrlaltdel:/sbin/shutdown–t3–r now
Run/sbin/init Q to make the settings take effect

15, create a hard copy of all important log files

If the server is more important, you can consider ssh,mail, bootstrap information, and so on. Add a line to the/etc/syslog.conf file.:
authpriv.*;mail.*;local7.*;auth.*;d aemon.info/dev/lp0
Perform/etc/rc.d/init.d/syslog restart
or send the log to another server to save
Such as
authpriv.*/var/log/secure
To send it to 192.168.0.2, you can modify it like this
authpriv.* @192.168.0.2/var/log/secure

16, change the access permissions for script files in the/ETC/RC.D/INIT.D directory

Chmod–r 700/etc/rc.d/init.d/*
Note: Carefully modify this security setting

17,/etc/rc.d/rc.local

Comment All extraneous information in this file and keep no one from seeing any information about the host.
Delete the issue and issue.net under/ETC

18, with the S-bit program

Programs that can clear the s bit include but are not limited to:
A program that you never use;
Programs that do not want non-root users to run;
Occasionally, but don't mind using the SU command to root before running.
Find/-type f \ (-perm 04000–o–perm-02000 \)-print
chmod a-s Program Name

19, view system hidden files

Find/-name ". *" –print

20, find files and directories that anyone has write permission for

Find/-type f \ (-perm-2-o perm-20 \) ls
Find/-type f \ (-perm-2–o–perm-20 \) ls

21, find files in the system without the owner

Find/-nouser–o–nogroup

22, find the. rhosts file

Find/home-name ". Rhosts"
If so, please delete it.

23, take back the permissions of the system compiler or delete

such as: chmod 700/USR/BIN/GCC

One, disk partition

1, if the new installation system, the disk partition should consider security:

1 the root directory (/), User directory (/home), temporary directory (/tmp) and/var directory should be separated to separate disk partitions;

2 The above directories in the partition of the disk space should be fully considered, to avoid some of the reasons caused by the partition space used up to cause system crashes;

2, for the/TMP and/var directory partitions, most of the cases do not need to have the Suid property of the program, so you should add the Nosuid properties for these partitions;

Method One: Modify the/etc/fstab file and add the Nosuid property Word. For example:

/dev/hda2/tmp ext2 EXEC,DEV,NOSUID,RW 0 0

Method Two: If the/etc/fstab file operation is not familiar, recommended by the LINUXCONF program to modify.

Run linuxconf program;

Select "Access local Drive" under "File systems";

Select the disk partition for which you want to modify the property;

Select the "No setuid programs allowed" option;

Select other options as needed;

Normal exit. (You will typically be prompted to mount the partition again)

Second, the installation

1. For non-test hosts, you should not install too many packages. This reduces the likelihood that a security vulnerability may occur due to a package.

2. For non-test hosts, you should not select Non-essential services when you select a host to start the service. such as routed, Ypbind and so on.

Iii. Security Configuration and enhancements

Kernel upgrades. Upgrade to at least 2.2.16 version.

GNU libc shared library upgrade. (Warning: If you don't have experience, you can't try it easily.) can be postponed. )

Turn off the dangerous network services. Echo, Chargen, Shell, login, finger, NFS, RPC, etc.

Turn off Non-essential network services. Talk, Ntalk, pop-2, etc.

Common network Services Security Configuration and upgrades

Make sure that the network service is using the latest and safest version.

Canceling anonymous FTP access

Remove nonessential suid Programs

Using Tcpwrapper

Using the IPChains Firewall

Log System Syslogd

Some details:

1. The internal operating system log file is to detect whether there is an important clue to the network intrusion, of course, this assumes that your logfile is not damaged by intruders, if you have a server with a dedicated line directly connected to the Internet, which means that your IP address is a permanent fixed address, You'll find a lot of people doing telnet/ftp login attempts on your system and try running #more/var/log/secure grep refused to check it out.

2. Limit the number of programs with SUID permission flags, the program with that permission flag running as root is a potential security vulnerability, of course, some programs must have the logo, like the passwd program.

3.BIOS security. Setting the BIOS password and modifying the boot order prevents booting the system from the floppy disk.

4. User password. User password is a basic Linux security starting point, many people use the user password is simple ' passWord, which is tantamount to the intruder open the door, although theoretically there is no inaccurate user password, as long as there is enough time and resources available. A better user password is a string of characters that only he can remember and understand, and never write anywhere.

5./etc/exports files. If you use the NFS Network File system service, then make sure that your/etc/exports has the strictest access permission settings, does not mean that you do not use any wildcard characters, do not allow root write permission, mount into a read-only file system. Edit File/etc/exports and add: for example:

/dir/to/export host1.mydomain.com (Ro,root_squash)

/dir/to/export host2.mydomain.com (Ro,root_squash)

/dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine that logs in to this directory,

Ro means mount into a read-only system, Root_squash prevents root from writing to the directory.

In order for the above change to take effect, run/usr/sbin/exportfs-a

6. Be sure that the owner of the/etc/inetd.conf is root and that the file permissions are set to 600.

[root@deep]# chmod 600/etc/inetd.conf
Ensure that's the owner is root.
[root@deep]# stat/etc/inetd.conf
File: "/etc/inetd.conf"
size:2869 Filetype:regular File
Mode: (0600/-RW ——-) Uid: (0/root) Gid: (0/root)
device:8,6 inode:18219 links:1
access:wed Sep 22 16:24:16 1999 (00000.00:10:44)
Modify:mon Sep 20 10:22:44 1999 (00002.06:12:16)
Change:mon Sep 20 10:22:44 1999 (00002.06:12:16)

Edit/etc/inetd.conf prohibits the following services:

FTP, Telnet, shell, login, exec, talk, Ntalk, IMAP, pop-2, pop-3, Finger,

Auth, etc unless you really want to use it.

In particular forbids those R-command. If you use SSH/SCP, you can also ban telnet/ftp.

In order for the change to take effect, run #killall-hup inetd

You can also run #chattr +i/etc/inetd.conf so that the file has properties that cannot be changed.

Only root can unlock it, use the command

#chattr-I./etc/inetd.conf

7. Tcp_wrappers

By default, Redhat Linux allows all requests, using tcp_wrappers to enhance the security of your site is raising your hand

The labor, you can put

"All:all" to/etc/hosts.deny to prohibit all requests, and then put those explicitly allowed requests to

In/etc/hosts.allow, such as:

sshd:192.168.1.10/255.255.255.0 gate.openarch.com

For IP address 192.168.1.10 and host name gate.openarch.com, allow connection via SSH.

After the configuration is finished, check with Tcpdchk

[root@deep]# Tcpdchk

Tcpchk is the Tcp_wrapper Configuration Check tool,

It checks your TCP wrapper configuration and reports all potential/existing problems found.

8. alias file aliases

Edit the alias file/etc/aliases (or possibly/etc/mail/aliases) and remove/comment out the line below.

# Basic System Aliases-these must be present.
Mailer-daemon:postmaster
Postmaster:root
# General redirections for pseudo accounts.
Bin:root
Daemon:root
#games: Root Remove or comment out.
#ingres: Root Remove or comment out.
Nobody:root
#system: Root Remove or comment out.
#toor: Root Remove or comment out.
#uUCp: Root Remove or comment out.
# well-known aliases.
#manager: Root Remove or comment out.
#dumper: Root Remove or comment out.
#operator: Root Remove or comment out.
# Trap decode to catch security attacks
#decode: Root
# who should get roots mail
#root: Marc

Don't forget to run/usr/bin/newaliases after the last update to make the change take effect.

9. Prevent your system from responding to any external/internal ping requests.

Since no one can ping your machine and receive a response, you can greatly enhance the security of your site. You can add the following line of command to/etc/rc.d/rc.local so that it runs automatically after each boot.

Echo 1 >; /proc/sys/net/ipv4/icmp_echo_ignore_all

10. Do not display the operating system and version information.

If you want someone to log on to your server without displaying the operating system and version information, you can change

A line in the/etc/inetd.conf looks like this:

Telnet stream TCP nowait ROOT/USR/SBIN/TCPD in.telnetd-h

The plus-h flag at the end makes Telnet background do not display system information, but only login:

11.the/etc/host.conf file

Edit the host.conf file (vi/etc/host.conf) and add the following line:

# Lookup names via DNS-then fall back to/etc/hosts.
Order Bind,hosts
# We dont have machines with multiple IP addresses on the same card
(like virtual Server,ip aliasing).
Multi off
# Check for IP address spoofing.
Nospoof on
IP spoofing:ip-spoofing is a security exploit which works by tricking
Computers in a trust relationship so you are someone this you really arent.

The/etc/securetty file
This file specifies the TTY device that allows root login,/etc/securetty is read by the/bin/login program, and its
A format is a list of allowed names, such as you can edit/etc/securetty and annotate the following lines.

Tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8

means that root is only allowed to log on at the Tty1 terminal.

13. Special Account Number
Disable all default accounts that are not required by the operating system itself. When you first install the system should do this check, Linux provides a variety of accounts, you may not need, if you do not need this account, remove it, you have more accounts, the more vulnerable to attack.
To delete the users on your system, use the following command:

[root@deep]# Userdel username
To delete a group user account on your system, use the following command:
[root@deep]# Groupdel username
Enter the following command on the terminal to delete the user below.
[root@deep]# Userdel ADM
[root@deep]# Userdel LP
[root@deep]# Userdel Sync
[root@deep]# Userdel shutdown
[root@deep]# Userdel Halt
[root@deep]# Userdel Mail
If you do not use the SendMail server, PROCMAIL.MAILX, delete this account.
[root@deep]# Userdel News
[root@deep]# Userdel UUCP
[root@deep]# Userdel operator
[root@deep]# Userdel Games
If you don't use the X Windows Server, delete the account.
[root@deep]# Userdel Gopher
[root@deep]# Userdel FTP
If you do not allow anonymous FTP, delete this user account.
Delete group accounts by entering the following command
[root@deep]# Groupdel ADM
[root@deep]# Groupdel LP
[root@deep]# Groupdel Mail
If you do not need to SendMail server, delete this group account
[root@deep]# Groupdel News
[root@deep]# Groupdel UUCP
[root@deep]# Groupdel Games
If you do not use x Windows, delete this group account
[root@deep]# Groupdel Dip
[root@deep]# Groupdel Pppusers
[root@deep]# Groupdel Popusers
If you do not use the POP server, delete this group account
[root@deep]# Groupdel Slipusers
Use the following command to add the required user account
[root@deep]# useradd username
Change the user password with the following command
[root@deep]# passwd username

Use the chattr command to add a property to the following file that cannot be changed.
[root@deep]# chattr +i/etc/passwd
[root@deep]# chattr +i/etc/shadow
[root@deep]# chattr +i/etc/group
[root@deep]# chattr +i/etc/gshadow

14. Prevent anyone from Su as root.
If you don't want anyone to be able to su as root, you can edit/etc/pam.d/su plus the following line:

Auth sufficient/lib/security/pam_rootok.so Debug
Auth required/lib/security/pam_wheel.so GROUP=ISD

means that only users of the ISD group can be su as root.
Then, if you want the user admin to be able to su as root. Just run the following command.

[root@deep]# usermod-g10 Admin

16. Resource constraints
Setting resource limits on all users on your system can prevent DOS type attacks (denial of service attacks)
such as the maximum number of processes, memory quantity, and so on. For example, the restrictions for all users are as follows:

Edit/etc/security/limits.con:
* Hard Core 0
* Hard RSS 5000
* Hard Nproc 20

You must also edit the/etc/pam.d/login file to add/check the existence of this line.

Session required/lib/security/pam_limits.so

The above command prohibits core files "core 0", limiting the number of processes to "Nproc 50" and limiting memory usage
Is 5M "RSS 5000".

the/etc/lilo.conf file

A) add:restricted
Add this line below each boot image, which means that if you are booting with a (Linux single), you need a password.

b) Add:password=some_password
When combined with restricted and normally boot, the user is required to enter the password, you also need to ensure that the lilo.conf
Files cannot be read by users who do not belong to root, nor can they see the plaintext of the password. Here is an example:

Edit/etc/lilo.conf:
Boot=/dev/sda
Map=/boot/map
install=/boot/boot.b
Prompt
Timeout=50
Default=linux
Restricted? Add this line.
Password=some_password? Add this line.
Image=/boot/vmlinuz-2.2.12-20
Label=linux
Initrd=/boot/initrd-2.2.12-10.img
Root=/dev/sda6
Read-only
[root@deep]# chmod 600/etc/lilo.conf (no longer readable by other users).
[root@deep]#/sbin/lilo-v (update lilo configuration).
[root@deep]# chattr +i/etc/lilo.conf (prevents the file from being modified)

18. Prohibit control-alt-delete reboot machine command

[root@deep]# Vi/etc/inittab
Ca::ctrlaltdel:/sbin/shutdown-t3-r now
To
#ca:: Ctrlaltdel:/sbin/shutdown-t3-r now
[root@deep]#/sbin/init Q

19. Re-set permissions for all files in the/etc/rc.d/init.d/directory
[root@deep]# chmod-r 700/etc/rc.d/init.d/*
Only root can read, write, and execute all of the script file above.

the/etc/rc.d/rc.local file
By default, when you login to the Linux server, it tells you the Linux version name, the kernel version name, and the server
Host name. It gives you too much information if you want to be prompted login:, edit/etc/rc.d/rc.local put # in front of the line below:

# This would overwrite/etc/issue at every boot. So, make no changes you
# Want to make to/etc/issue this or you'll lose them when you reboot.
#echo "" >; /etc/issue
#echo "$R" >;>; /etc/issue
#echo "Kernel $ (uname-r) on $a $ (uname-m)" >;>; /etc/issue
#
#cp-F/etc/issue/etc/issue.net
#echo >;>; /etc/issue

Then, do the following things:

[root@deep]# rm-f/etc/issue
[root@deep]# rm-f/etc/issue.net
[root@deep]# touch/etc/issue
[root@deep]# touch/etc/issue.net

21. Bits of the program owned by Root.

Remove the S-bit flags that are owned by the root program, and of course some programs need this, using the command ' chmod a-s ' to do this.

Note: Those programs with the front (*) number do not normally need to have an S-bit flag.

[root@deep]# Find/-type f \ (-perm-04000-o-perm-02000 \) \-exec ls–lg {} \;
-rwsr-xr-x 1 root root 33120 Mar 1999/usr/bin/at
*-rwsr-xr-x 1 root root 30560 Apr 20:03/usr/bin/chage
*-rwsr-xr-x 1 root root 29492 Apr 20:03/usr/bin/gpasswd
-rwsr-xr-x 1 root 3208 1999/usr/bin/disable-paste
-rwxr-sr-x 1 root man 32320 APR 9 1999/usr/bin/man
-r-s–x–x 1 root 10704 Apr 17:21/usr/bin/passwd
-rws–x–x 2 root root 517916 Apr 6 1999/usr/bin/suidperl
-rws–x–x 2 root root 517916 Apr 6 1999/usr/bin/sperl5.00503
-rwxr-sr-x 1 root mail 11432 APR 6 1999/usr/bin/lockfile
-rwsr-sr-x 1 root Mail 64468 APR 6 1999/usr/bin/procmail
-rwsr-xr-x 1 root root 21848 Aug 11:06/usr/bin/crontab
-rwxr-sr-x 1 root slocate 15032 APR 14:55/usr/bin/slocate
*-r-xr-sr-x 1 root TTY 6212 APR 11:29/usr/bin/wall
*-rws–x–x 1 root 14088 Apr 12:57/USR/BIN/CHFN
*-rws–x–x 1 root 13800 Apr 12:57/usr/bin/chsh
*-rws–x–x 1 root 5576 Apr 12:57/usr/bin/newgrp
*-rwxr-sr-x 1 root TTY 8392 APR 12:57/usr/bin/write
-rwsr-x-1 root squid 14076 Oct 7 14:48/usr/lib/squid/pinger
-rwxr-sr-x 1 root utmp 15587 June 9 09:30/usr/sbin/utempter
*-rwsr-xr-x 1 root root 5736 Apr 15:39/usr/sbin/usernetctl
*-rwsr-xr-x 1 Root bin 16488 June 6 09:35/usr/sbin/traceroute
-rwsr-sr-x 1 root root 299364 Apr 16:38/usr/sbin/sendmail
-rwsr-xr-x 1 root 34131 Apr 18:49/usr/libexec/pt_chown
-rwsr-xr-x 1 root 13208 Apr 14:58/bin/su
*-rwsr-xr-x 1 root 52788 Apr 15:16/bin/mount
*-rwsr-xr-x 1 root 26508 Apr 20:26/bin/umount
*-rwsr-xr-x 1 root root 17652 June 6 09:33/bin/ping
-rwsr-xr-x 1 root 20164 Apr 12:57/bin/login
*-rwxr-sr-x 1 root root 3860 Apr 15:39/sbin/netreport
-r-sr-xr-x 1 root 46472 Apr 16:26/sbin/pwdb_chkpwd
[root@deep]# chmod a-s/usr/bin/chage
[root@deep]# chmod a-s/usr/bin/gpasswd
[root@deep]# chmod a-s/usr/bin/wall
[root@deep]# chmod a-s/USR/BIN/CHFN
[root@deep]# chmod a-s/usr/bin/chsh
[root@deep]# chmod a-s/usr/bin/newgrp
[root@deep]# chmod a-s/usr/bin/write
[root@deep]# chmod a-s/usr/sbin/usernetctl
[root@deep]# chmod a-s/usr/sbin/traceroute
[root@deep]# chmod a-s/bin/mount
[root@deep]# chmod a-s/bin/umount
[root@deep]# chmod a-s/bin/ping
[root@deep]# chmod a-s/sbin/netreport

You can use the following command to find all the programs with S-bit flags:

[root@deep]# Find/-type f \ (-perm-04000-o-perm-02000 \) \-exec ls-lg {} \;

>; Suid-sgid-results

Output the results to the file suid-sgid-results.

To find all the writable files and directories, use the following command:

[root@deep]# Find/-type f \ (-perm-2-o-perm-20 \)-exec ls-lg {} \; >; Ww-files-results

[root@deep]# Find/-type d \ (-perm-2-o-perm-20 \)-exec ls-ldg {} \; >; Ww-directories-results

Use the following command to find files with no owners:

[root@deep]# Find/-nouser-o-nogroup >; Unowed-results

Use the following command to find all. rhosts files:

[root@deep]# find/home-name. Rhosts >; Rhost-results

Common Network Service applications recommended for replacement

Wuftpd

WUFTD has been a constant security vulnerability since 1994, and hackers can easily access remote root access, and many security vulnerabilities do not even require a valid account on the FTP server. Recently, WUFTP is also a frequent occurrence of security vulnerabilities.

Its best alternative program is PROFTPD. PROFTPD is easy to configure, and in most cases it is faster, and its source code is relatively clean (fewer buffer overflow errors). There are many important sites that use PROFTPD. SourceForge.net is a good example (this site has 3,000 open source projects, its load is not small ah!) )。 Some Linux distributors use PROFTPD on their primary FTP site, and only two major Linux publishers (SuSE and Caldera) use WUFTPD.

Another advantage of PROFTPD is that it can run both from inetd and as a separate daemon. This makes it easy to solve some of the problems that inetd brings, such as denial-of-service attacks (denial of service attack), and so on. The simpler the system, the easier it is to keep the system safe. WUFTPD either review all of the source code (very difficult), or rewrite the code completely, otherwise wuftpd must be replaced by PROFTPD.

Telnet

Telnet is very, very insecure, and it transmits passwords in plaintext. It's safe to replace the program is OpenSSH.

OpenSSH is already very mature and stable on Linux, and there are a lot of free client software on the Windows platform. Linux publishers should adopt a OpenBSD strategy: Install OpenSSH and set it to default, install Telnet but do not set it to default. For Linux publishers who are not in the United States, it is easy to add OpenSSH to Linux distributions. Linux publishers in the U.S. will have to think of something else (for example: Red hat has the latest openssh RPM packages on the German FTP server (ftp.redhat.de)).

Telnet is an incurable procedure. To ensure the security of the system, you must replace it with software such as OpenSSH.

Sendmail

In recent years, the security of SendMail has improved a lot (it used to be the hacker's key attack program). However, SendMail still has a very serious problem. In the event of a security breach (such as a recent Linux kernel error), SendMail is the program that the hacker focuses on, because SendMail is running as root and the code is large and prone to problems.

Almost all Linux distributors use SendMail as their default configuration, with only a handful of postfix or qmail as optional packages. However, few Linux distributors use SendMail on their mail servers. Both SuSE and red Hat use a qmail based system.

SendMail does not necessarily have to be completely replaced by other programs. But its two alternative programs, QMail and Postfix, are more secure, faster, and especially postfix than it is easy to configure and maintain.

Su

Su is used to change the ID of the current user and convert it to another user. You can log in as a regular user, and when you need to do something as root, just execute the "su" command and then enter the root password. Su itself is no problem, but it can make people develop bad habits. If a system has multiple administrators, it must give them the password of root.

An alternative to Su is sudo. This software is included in Red Hat 6.2. sudo allows you to set which users which group can perform which programs as root. You can also restrict them by the location of the user's login (if someone "breaks" a user's password and logs on to a remote computer with this account, you can restrict his use of sudo). Debian also has a similar program called Super, which has advantages and disadvantages compared to sudo.

Let the user form good habits. Using the root account and letting multiple people know the root password is not a good habit. This is why www.apache.org was invaded because it has multiple system administrators who have root privileges. A mess system is easy to invade.

Named

Most Linux publishers have solved this problem. Named used to run as root, so it's easy to hack into some very important computers and get root permissions when named new vulnerabilities occur. It is now possible to have named run as a user other than root by using some parameters of the command line. Also, most Linux distributors now let named run with the privileges of a normal user. The command format is usually: named-u; -G;

INN

It is clear from the inn's documentation that "this feature is prohibited (verifycancels) and will be eliminated". About one months ago, a hacker released a method of invading the inn when "verifycancels" came into effect. Red hat Sets the "verifycancels" to be valid. Any Setuid/setgid program or network Service program should be properly installed and checked to ensure that no security vulnerabilities are avoided.

Safety Code

1. Revoke all default accounts and passwords for the system.

2. Do not display company headers, online Help, and other information until the user's legality is validated.

3. The abolition of "hackers" can attack the system's network services.

4. Use alphanumeric passwords of 6 to 8 digits.

5. Limit the number of times a user attempts to log on to the system.

6. Record the security violations and review the security records.

7. For important information, the Internet must be encrypted before transmission.

8. Attach importance to the recommendations made by the experts and install their recommended system "patches".

9. Restrict access to host files without requiring a password.

10. Modify the network configuration file to limit the TCP connections from the external to the minimum number of ports. Protocols such as Tftp,sunrpc,printer,rlogin or rexec are not allowed.

11. Replace SendMail with Upas. SendMail has too many known vulnerabilities, and it's hard to fix them completely.

12. Remove the procedures that are not critical to the operation and are rarely used.

13. Use chmod to change all system catalogs to 711 mode. In this way, attackers will not be able to see what is in them, and the user can still execute.

14. Install the disk in read-only mode whenever possible. In fact, only a few directories require read-write status.

15. Upgrade the system software to the latest version. The old version may have been studied and successfully attacked, and the latest version generally includes a remedy for these problems.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.