Security Protection for Linux server platforms

Source: Internet
Author: User
Tags: md5, hash, wrappers, ftp access, password protection, perl script
Many enterprises and organizations on the Internet use Linux as their server platform. Once these servers are connected to the Internet to provide application services, they inevitably become targets of attack. This article discusses some basics of Linux system security configuration to help you protect a Linux system. Although Red Hat 6.0 is used as the example here, the advice should apply to other Linux distributions as well.

1. Installation

The best time to start securing a system is at the very beginning, with the operating system installation. Because this machine is being configured as a firewall, you absolutely cannot trust any previous installation or configuration; only a fresh installation truly guarantees the integrity of the system.

Put the system on a separate (isolated) network. Never allow an unprotected system to connect to other networks or to the Internet, where it is exposed to attack. In my personal experience, a freshly installed system connected to the Internet can be scanned and penetrated within 15 minutes, giving the attacker full control. You may need a second machine to fetch important tools and security patches from the Internet and then carry them over to the separate "configuration network".

When you place the machines to be used as firewalls in an isolated network, you can start the next step.

The first decision is which software packages to install. Red Hat 6.0 offers three installation options: Workstation, Server and Custom. I strongly recommend "Custom", because it lets you choose which services to add and how to partition the hard disk. The installation policy is to install the minimum while keeping the system useful: the less software the system has, the fewer potential security vulnerabilities it carries. For example, if you do not need a news or RealAudio server, do not install it. One advantage of Linux is that if you change your mind later, packages are easy to add. Whichever installation method you choose, the manual pages and HOWTO documents should not be left out; although they may add some risk, they are often particularly useful.

If you choose "Custom", you will be prompted to partition the hard disk. I prefer to make the root partition as large as possible and put everything there, but a few separate partitions are still needed to protect the root partition: if the root partition fills up with data such as system logs or mail, the result can be a denial of service or even a system crash.

I therefore always recommend a separate partition for /var, which holds all of the system's logs and mail. Separating /var protects the root partition from being filled by that data. For many network environments a /var partition of at least MB is sufficient. You can also consider creating separate partitions for particular services or applications, especially for sensitive log records. If the system's users cannot be fully trusted, a separate /home partition keeps a malicious user from filling the root partition. For a standalone server, an example partition layout is:

/    - everything else
/var - 400 MB
swap - (I normally go with 256 MB)

After the system is installed and rebooted, install the necessary security patches. For Red Hat, these are available from http://www.redhat.com/apps/suppo...

The bugtraq@securityfocus.com and redhat-watch-list-request@redhat.com mailing lists are the best sources of up-to-date information on security vulnerabilities. If you do not install these patches, your system may be vulnerable to intrusion. Remember to fetch the patches with the other machine mentioned above; the firewall machine should still be on the isolated network. On Red Hat, downloading the RPM package makes updating easy. For example, to apply a security upgrade to wu-ftpd:

rpm -Uvh wu-ftpd-2.6.0-14.6x.i386.rpm

If the system is already on the Internet, you can install the package directly from the update server:

rpm -Uvh ftp://updates.redhat.com/6.1/i386/wu-ftpd-2.6.0-14.6x.i386.rpm

I recommend autorpm for keeping RPM packages up to date. This command-line tool works out which .rpm packages need upgrading and (if you want) automatically downloads and installs the updates from the Red Hat site. It is flexible and easy to run from cron, so the system checks for updates on a regular schedule, and it can also e-mail the administrator to report what was upgraded.

2. Close the service

Once the system's packages and patches are installed and the system has been rebooted, we can harden the operating system. Hardening mainly consists of disabling services, adding logging, adjusting several files and configuring TCP Wrappers. First, shut down services.

By default, Linux is a powerful operating system that runs many useful services. Most of them, however, are not needed on a firewall and may be security risks. Start with /etc/inetd.conf, which defines the services the /usr/sbin/inetd super-daemon listens for. By default /etc/inetd.conf starts 35 services, of which at most two are needed: FTP and telnet. Everything else can be commented out (disabled). This matters because many of the services managed by inetd carry serious security risks, such as popd, imapd and rsh. The following command lists the services the inetd daemon will listen for; make sure the line of every unnecessary service is commented out (add "#" at the beginning of the line):

grep -v "^#" /etc/inetd.conf

Next, go through the files in the /etc/rc2.d and /etc/rc3.d directories. These are the startup scripts run by the init process, and many of them are not needed. To stop a script from running at boot, change the uppercase S at the beginning of its file name to a lowercase s. Red Hat also ships a convenient tool for disabling services: run /usr/sbin/setup, choose "System services", and select which scripts run at system startup. The chkconfig tool, included in most distributions, is another option. The following startup scripts are installed by default but are usually not needed; if you are sure you do not need them, disable them.

Note that the numbers determine the execution order and may differ between releases. Scripts beginning with an uppercase K are used to kill services that are already running.

S05apmd (only for laptops)
S10xntpd (Network Time Protocol)
S11portmap (required only if RPC services are running)
S15sound (saves sound card settings)
S15netfs (NFS client, used to mount file systems from an NFS server)
S20rstatd (leaks too much information to remote users)
S20rusersd
S20rwhod
S20rwalld
S20bootparamd (serves diskless clients; not required otherwise)
S25squid (proxy server)
S34yppasswdd (required only if the system runs an NIS server)
S35ypserv (required only if the system runs an NIS server)
S35dhcpd (starts the DHCP server daemon)
S40atd (at service, similar to cron but not required by the system)
S45pcmcia (only for laptops)
S50snmpd (SNMP daemon, exposes too much information to remote users)
S55named (DNS server; if you must run DNS, upgrade to the latest version)
S55routed (RIP, should only be started when required)
S60lpd (print service)
S60mars-nwe (NetWare file and print server)
S60nfs (NFS server; should not run unless required)
S72amd (automount daemon, mounts remote file systems automatically)
S75gated (runs other routing protocols, such as OSPF)
S80sendmail (close if you do not need to receive or forward mail; you can still send mail)
S85httpd (Apache web server; upgrade to the latest version)
S87ypbind (required only by NIS clients)
S90xfs (X Window font server)
S95innd (news server)
S99linuxconf (remote Linux system configuration through a browser)

To see how many processes are running before you modify the startup scripts, enter:

ps aux | wc -l

After modifying the startup scripts, reboot and run the command again to see how many fewer processes are running. The fewer services running, the better the security. To see which services are listening on the network, run:

netstat -na --ip
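To make the inetd step concrete, here is an added shell example (not from the article) that lists what a given inetd.conf will start and writes a copy with every service except a named few commented out. It works on a constructed sample file in a temporary directory, not on the real /etc/inetd.conf; on a real host you would review the generated copy, move it into place, and send inetd a SIGHUP so it rereads its configuration.

```shell
#!/bin/sh
# Added example: audit a constructed inetd.conf and disable all but the wanted services.
WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
# Sample entries, constructed for this example (not a real system file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
EOF

# Print the service name (first field) of every line inetd would act on,
# i.e. everything that is not blank and not a comment.
active_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

count_active() { active_services "$1" | wc -l | tr -d ' '; }

# disable_all_but <inetd.conf> <service>...  Writes <inetd.conf>.new with every
# service line commented out unless its name is one of the arguments.  The
# original file is left untouched so the result can be reviewed first.
disable_all_but() {
    conf=$1; shift
    keep=" $* "
    while IFS= read -r line; do
        case $line in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # keep comments/blanks as-is
        esac
        svc=${line%%[[:space:]]*}                         # first field = service name
        case $keep in
            *" $svc "*) printf '%s\n' "$line" ;;          # wanted: leave enabled
            *)          printf '#%s\n' "$line" ;;         # everything else: comment out
        esac
    done < "$conf" > "$conf.new"
}

echo "before: $(count_active "$WORK/inetd.conf") services enabled"
disable_all_but "$WORK/inetd.conf" ftp telnet
echo "after:  $(count_active "$WORK/inetd.conf.new") services enabled"
active_services "$WORK/inetd.conf.new"
```

Only ftp and telnet survive in the generated copy; rsh, POP, IMAP and finger are commented out, which matches the article's advice that at most those two inetd services are needed on a firewall.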

3. log and System Adjustment

Once you have removed as many services as possible, the next step is to configure system logging. All system logs are kept in /var/log. By default, Linux has good logging settings, except for FTP. There are two ways to log FTP: configure the /etc/ftpaccess file or edit /etc/inetd.conf. I recommend the simpler one, editing /etc/inetd.conf as follows so that everything about every FTP session is logged.

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -L -l -i -o

--- The following is from the ftpd manual page ---

If the -l option is specified, every FTP session is logged via syslog.

If the -L option is specified, command logging is enabled as soon as the FTP server is invoked, so the server logs every user command. Note: if a user accidentally types a password at the user-name prompt, that password will be recorded by syslog!

If the -i option is specified, every file received by the ftpd server is logged in xferlog.

If the -o option is specified, every file sent by the ftpd server is logged in xferlog.

--- Snip ---

Next comes system adjustment, which involves several files. The first thing is to secure the /etc/passwd file. Make sure the system uses the /etc/shadow file, which stores all user passwords in hashed form and is readable only by root; this keeps the password hashes from being read and cracked easily. Red Hat 6.0 uses shadow passwords by default, but it is worth checking. The following command converts the system to /etc/shadow passwords automatically:

pwconv

Second, delete the many default system accounts in /etc/passwd. Linux provides these accounts for system operations that are rarely needed; if you do not need them, delete them, because the more accounts a system has, the more ways it can be compromised. For example, if the system does not run an NNTP news server, the "news" account is not needed (be sure to update /etc/cron.hourly as well, because a script there runs as the "news" user). You should also delete the "ftp" account, which is used only for anonymous FTP access.

Also edit /etc/ftpusers. Any account listed in this file is not allowed to FTP into the system. It is normally used to block FTP sessions for system accounts such as root and bin. Linux already creates the file; make sure root is listed so that root cannot FTP into the system, and check that every account that does need to FTP to the firewall is NOT listed in /etc/ftpusers.

Next, make sure root cannot telnet into the system. This forces users to log in with their normal account and then su to root. The /etc/securetty file lists the TTYs from which root may log in. List tty1 and tty2 so that root can only log in from the local console. ttyp1 and ttyp2 are pseudo (virtual) terminals that would allow root to telnet in remotely, so they should not be listed.

Finally, create the /etc/issue file. This ASCII text file holds the banner shown at telnet login; whenever someone tries to log in, the warning in this file is displayed. On Linux, edit the /etc/rc.d/init.d/S99local script so that it generates a fixed /etc/issue, because by default Linux regenerates /etc/issue every time it boots.

4. Connect to the firewall

Connecting to the firewall over a secure and controlled channel is also important. We usually need remote access to the firewall to manage it or to upload files, and the security of that traffic has to be considered. Two methods are discussed here: SSH and TCP Wrappers.

I personally recommend SSH, because it encrypts the traffic between you and the firewall. TCP Wrappers cannot prevent eavesdropping on network traffic, so other users may still capture plaintext passwords as they cross the network. If you are worried about interception, use SSH instead of telnet or FTP: an SSH session encrypts all of its traffic, which makes administering the firewall and uploading files to it far safer. What SSH and TCP Wrappers have in common is that both keep their own logs and both can restrict which systems are allowed to connect. For more information about SSH, and to download the SSH client and server source code, visit http://www.ssh.org. We recommend that you use the... permission system. For Windows 95/NT users, SecureCRT is recommended as the SSH client.

TCP Wrappers does not encrypt, but it provides logging and controls who may access the system. It is usually used to add restrictions to inetd services such as telnet or FTP. With TCP Wrappers in place, connections handled by inetd pass through it: every connection request is logged and then checked against an access control list (ACL). If the connection is allowed, TCP Wrappers hands it to the real daemon, such as telnetd; if it is refused, TCP Wrappers drops the request. On Linux, TCP Wrappers is installed by default; you only need to edit /etc/hosts.allow and /etc/hosts.deny, which determine who can and cannot access the system. The syntax is fairly simple: add the IP addresses or networks allowed to connect to /etc/hosts.allow, and those to be refused to /etc/hosts.deny. By default Linux allows every connection, so both files need to be edited. Two suggestions for TCP Wrappers:

Use IP addresses rather than system names or domain names.

Set /etc/hosts.deny to refuse all connections (ALL: ALL), and then list in /etc/hosts.allow only the specific hosts and networks that are permitted.
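The two suggestions above, as an added shell example that is not part of the article: it writes a constructed hosts.deny / hosts.allow pair into a temporary directory and then answers, for a given daemon and client address, whether tcpd would let the connection through. The decision order is the real one (hosts.allow is consulted first, then hosts.deny, and a client matched by neither is allowed), but the matcher only understands the subset of the syntax used in these two files: ALL, an exact IP, a trailing-dot prefix, and net/mask. Real tcpd also handles EXCEPT, host names and shell commands, so on a live system check your files with tcpdchk and tcpdmatch instead.

```shell
#!/bin/sh
# Added example: deny-by-default TCP Wrappers files plus a small tcpd-style matcher.
ETC=$(mktemp -d)   # constructed stand-in for /etc; addresses below are examples only

printf 'ALL: ALL\n' > "$ETC/hosts.deny"              # refuse everything not listed in hosts.allow
cat > "$ETC/hosts.allow" <<'EOF'
# daemon(s): client pattern(s)   -- constructed sample, addresses not real
sshd: 10.1.1.
in.ftpd, in.telnetd: 192.168.5.0/255.255.255.0
EOF

ip2int() {   # dotted quad -> integer, so net/mask can be compared arithmetically
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

client_matches() {   # client_matches <pattern> <ip>; 0 = match
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}                       # net/mask form
             [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;   # "10.1.1." prefix
        *)   [ "$pat" = "$ip" ] ;;                                # exact address
    esac
}

# file_grants <file> <daemon> <ip>; 0 if some line names the daemon and matches the ip
file_grants() {
    file=$1; daemon=$2; ip=$3
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=${line#*:}
        hit=1
        for d in $daemons; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then hit=0; fi
        done
        [ $hit -eq 0 ] || continue
        for c in $clients; do
            client_matches "$c" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# wrapper_decision <daemon> <ip>  -> prints allow or deny, in tcpd's evaluation order
wrapper_decision() {
    if file_grants "$ETC/hosts.allow" "$1" "$2"; then echo allow
    elif file_grants "$ETC/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

for probe in "sshd 10.1.1.7" "sshd 10.1.2.7" "in.ftpd 192.168.5.200" "in.telnetd 10.1.1.7"; do
    set -- $probe
    echo "$1 from $2: $(wrapper_decision "$1" "$2")"
done
```

Because hosts.deny ends with ALL: ALL, forgetting to list a daemon or network in hosts.allow fails closed, which is the safe direction; the logged refusals in syslog then tell you what you forgot.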

5. stricter security configurations

The measures above cover the key points; carrying them out greatly improves system security. Unfortunately, no system is 100% secure, and none ever will be, so here are several stricter configuration steps.

First, create a wheel group. The wheel group is the list of user accounts allowed to run powerful commands such as /usr/bin/su. Limiting which accounts may run these commands hardens the system. To create the group, edit /etc/group with vi, add a wheel group, and add the system administrator accounts to it. Then identify the important system programs, such as /usr/bin/su.

Set the group of these program files to wheel and allow only the owner and the group to execute them (make sure any required setuid or setgid bit is retained). For /usr/bin/su, for example, run:

/usr/bin/chgrp wheel /usr/bin/su

/usr/bin/chmod 4750 /usr/bin/su

Second, restrict the .rhosts, .netrc and /etc/hosts.equiv files, which the r commands use to grant access to the system. To lock them down, create them first and then set their permissions to zero, so that nobody but root can create or modify them.

For example:

/usr/bin/touch /.rhosts /.netrc /etc/hosts.equiv

/usr/bin/chmod 0 /.rhosts /.netrc /etc/hosts.equiv
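The file-level steps from section 3 (ftpusers, securetty) and from this section (su permissions, the r-command trust files), as one added shell example that is not part of the article. It builds a throwaway stand-in for / in a temporary directory so it runs unprivileged, applies each step, and then audits the result; on a real host you would run the same functions against / as root and pass the group wheel instead of $(id -gn), which is used here only because the temp files cannot be chgrp'd to wheel by an ordinary user.

```shell
#!/bin/sh
# Added example: apply and audit the lockdown steps on a constructed fake root.
ROOT=$(mktemp -d)                      # stand-in for /; nothing here is a real system file
mkdir -p "$ROOT/usr/bin" "$ROOT/etc"
printf '#!/bin/sh\n' > "$ROOT/usr/bin/su"; chmod 4755 "$ROOT/usr/bin/su"   # world-executable, as shipped
printf 'bin\ndaemon\n' > "$ROOT/etc/ftpusers"                 # constructed: root is missing
printf 'tty1\ntty2\nttyp1\nttyp2\n' > "$ROOT/etc/securetty"   # constructed: pseudo-ttys let root telnet in

restrict_to_group() {   # restrict_to_group <setuid binary> <group>
    chgrp "$2" "$1"
    chmod 4750 "$1"     # rwsr-x---: keep setuid, drop all access for others
}

lock_r_files() {        # create the r-command trust files empty, mode 0 (only root can touch them)
    for f in "$1/.rhosts" "$1/.netrc" "$1/etc/hosts.equiv"; do
        : > "$f"
        chmod 0 "$f"
    done
}

deny_root_ftp() {       # root must be listed in ftpusers so it cannot FTP in
    grep -qx root "$1/etc/ftpusers" || echo root >> "$1/etc/ftpusers"
}

local_root_only() {     # keep only real consoles in securetty; ttyp* would allow remote root logins
    grep -v '^ttyp' "$1/etc/securetty" > "$1/etc/securetty.new" &&
        mv "$1/etc/securetty.new" "$1/etc/securetty"
}

mode_of() { stat -c '%a' "$1"; }

# audit_lockdown <root>: prints one line per failed check, returns 0 only if all pass
audit_lockdown() {
    rc=0
    [ "$(mode_of "$1/usr/bin/su")" = 4750 ] || { echo "su is mode $(mode_of "$1/usr/bin/su"), want 4750"; rc=1; }
    for f in "$1/.rhosts" "$1/.netrc" "$1/etc/hosts.equiv"; do
        [ -f "$f" ] && [ "$(mode_of "$f")" = 0 ] || { echo "$f missing or not mode 0"; rc=1; }
    done
    grep -qx root "$1/etc/ftpusers" || { echo "root not in ftpusers"; rc=1; }
    grep -q '^ttyp' "$1/etc/securetty" && { echo "pseudo-ttys listed in securetty"; rc=1; }
    return $rc
}

before=$(audit_lockdown "$ROOT" | wc -l | tr -d ' ')   # number of failing checks before hardening
restrict_to_group "$ROOT/usr/bin/su" "$(id -gn)"        # on a real host: wheel
lock_r_files "$ROOT"
deny_root_ftp "$ROOT"
local_root_only "$ROOT"
echo "failures before: $before"
audit_lockdown "$ROOT" && echo "lockdown OK"
```

The audit function is the reusable part: run it from cron against the real root and any non-empty output means one of these settings has drifted since the firewall was built.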

Third, configure /etc/shadow to hash passwords with MD5 instead of crypt. This makes the password file considerably harder to crack. It is done through the PAM configuration. PAM (Pluggable Authentication Modules) is a suite of shared libraries that lets you choose how applications authenticate users. For more information about PAM, see:

Ftp://ftp.us.kernel.org/pub/linu...-Pam-html/pam.html.

In earlier versions you had to edit the PAM configuration by hand to enable MD5 hashing. In Red Hat 6.0 and later you can select MD5 with the setup tool: run "setup", choose "Authentication configuration", and select MD5 hashes there. Note that the MD5 hash does not take effect for a user until that user's password is set again. If for some reason you cannot use the setup tool, you can still edit the PAM configuration by hand.

As a bash user, I am reluctant to use the .bash_history file, because I do not want others (including root) to know which commands I have run. So I added a line to .bash_profile so that commands are not recorded in .bash_history:

HISTFILESIZE=0

The last thing is to protect the system from physical access by attackers. One measure is to set a BIOS password; another is to password-protect the boot process with a password=xxx line in /etc/lilo.conf. Remember, however, that once an intruder has full physical access to a system there is no way to guarantee its security.

6. ipchains

No discussion of Linux security is complete without ipchains, the packet-filtering firewall software integrated into the 2.2.x kernels. If you run Red Hat 6.0 or later, ipchains is already part of the installation. Much like Cisco access control lists, ipchains controls which packets may enter and leave the Linux system, so it can be used as firewall software to protect the system itself. To protect a standalone server, configure ipchains to allow only outbound TCP connections: if an external host tries to open any TCP connection, it is refused. Because ipchains does not do stateful filtering, UDP and ICMP are usually allowed through. Finally, log every refused connection so that possible attack attempts can be detected, but discard broadcast and multicast packets without logging them, since they would quickly fill the system logs. Here is an example ipchains configuration for protecting a standalone server:

bash# ipchains -L
Chain input (policy DENY):
target     prot opt     source                destination               ports
DENY       all  ------  0.0.0.0               anywhere                  n/a
DENY       all  ------  anywhere              255.255.255.255           n/a
DENY       all  ------  anywhere              BASE-ADDRESS.MCAST.NET/8  n/a
ACCEPT     tcp  !y----  anywhere              anywhere                  any ->   any
ACCEPT     udp  ----l-  anywhere              anywhere                  any ->   any
ACCEPT     icmp ----l-  anywhere              anywhere                  any ->   any
DENY       all  ----l-  anywhere              anywhere                  n/a
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
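The rule set listed above, as the commands that produce it; this is an added shell example, not the article's own script. It runs in dry-run mode by default (the commands are printed rather than executed, because ipchains only exists on 2.2.x kernels), and setting IPCHAINS=/sbin/ipchains before running it applies the rules for real. The order matters: the silent broadcast and multicast drops come before the logging catch-all so those packets never reach the logs, and the TCP rule accepts only packets that are not connection requests, which is how a stateless filter lets replies in while refusing new inbound connections.

```shell
#!/bin/sh
# Added example: build the standalone-server ipchains policy shown in the listing above.
# Dry run unless IPCHAINS points at the real binary, e.g. IPCHAINS=/sbin/ipchains sh firewall.sh
IPCHAINS=${IPCHAINS:-echo}

build_rules() {
    $IPCHAINS -F input                          # start from an empty input chain
    $IPCHAINS -P input DENY                     # default policy: drop what no rule accepts
    # Broadcast and multicast are dropped without -l so they cannot flood the logs
    $IPCHAINS -A input -s 0.0.0.0 -j DENY
    $IPCHAINS -A input -d 255.255.255.255 -j DENY
    $IPCHAINS -A input -d 224.0.0.0/8 -j DENY
    # TCP: accept only packets that are not SYN-only, i.e. replies to connections we opened
    $IPCHAINS -A input -p tcp ! -y -j ACCEPT
    # ipchains keeps no connection state, so UDP and ICMP are accepted but logged (-l)
    $IPCHAINS -A input -p udp -j ACCEPT -l
    $IPCHAINS -A input -p icmp -j ACCEPT -l
    # Everything left (inbound TCP connection attempts) is logged and refused
    $IPCHAINS -A input -j DENY -l
}

# Number of rules appended to the input chain; 7 for this policy
rule_count() { build_rules | grep -c -- '-A input'; }

build_rules
```

The forward and output chains are left at their default ACCEPT policy, as in the listing, because this configuration protects the host itself rather than a network behind it.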

7. Conclusion

This article has described how to securely configure a Linux system (the Red Hat distribution). The key to a secure system is a minimal installation. TCP Wrappers, ipchains and other software, together with shadow passwords, add further protection. Additional steps include tripwire (which monitors system files for changes) and swatch (a log-monitoring and alerting tool). For Linux beginners, I also recommend Bastille, a Perl script that automatically hardens a freshly installed Linux system. Remember, no system is truly 100% secure, but the steps above greatly reduce the risk.

 
