The Linux network server management tools are described as follows:
Use logging tools to record access to Linux systems
Linux administrators can use the log files and logging tools described earlier to record events. Review or scan the log files, which record all information about system operation, every day. Where necessary, extract high-priority events and send them to the relevant personnel for handling, and take immediate measures if anything abnormal is found.
Use the Telnet service with caution
In Linux, when Telnet is used for remote login, the user name and password are transmitted in plaintext and can be intercepted by anyone listening on the network. Another danger is that hackers can use Telnet to log on to the system; if they go on to obtain the superuser password, the harm to the system will be disastrous. Therefore, do not enable the Telnet service if you do not need it. If you do have to enable it, use special tools and software for remote login so that user passwords are transmitted over the Internet in encrypted form, which prevents them from being intercepted by hackers in transit.
Reasonably set NFS and NIS services
The Network File System (NFS) service allows workstations to share, over the network, the file systems exported by one or more servers. On a poorly configured NFS server, however, users can read or modify files stored on the server without logging on, which leaves the server vulnerable to attack. If you must provide the NFS service, make sure that the Linux-based NFS server supports Secure RPC (Secure Remote Procedure Call), so that the DES (Data Encryption Standard) encryption algorithm and exponential key exchange are used to verify the identity of the user behind each NFS request.
The Network Information System (NIS) service is a distributed data processing system that allows computers on the network to share passwd files, group files, host table files, and other shared system resources. With NIS and NFS, you can work with data on workstations across the network as if you were using the resources of a single computer system, and the process is transparent to users. However, the NIS service also has a vulnerability: a malicious user can run a program that impersonates the system's ypserv, answers ypbind requests, and intercepts users' passwords. Therefore, NIS users must use the secure option of ypbind and must not accept ypserv responses that come from a non-privileged port (a port number that is not smaller than 1024).
Configure FTP service with caution
The FTP service has the same problem as the Telnet service mentioned earlier: the user name and password are transmitted in plaintext. To protect the system, special users such as root, bin, daemon, and adm must be prohibited from accessing the FTP server remotely by listing them in the /etc/ftpusers file, and /etc/ftphosts can be set so that certain hosts cannot connect to the FTP server. If the anonymous FTP service is enabled, anyone can download files (and sometimes upload files). Therefore, anonymous FTP should be prohibited unless it is specifically required.
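The /etc/ftpusers requirement above can be checked mechanically. The following shell function is an added example, not part of the original article; the function name and the sample file are constructed for illustration, and it assumes the usual one-account-per-line format with # comments.

```shell
#!/bin/sh
# Added example: report which system accounts are NOT denied FTP login.
# Assumption: the file lists one account per line and every listed
# account is refused by the FTP server; "#" starts a comment.

# Accounts the article says must be blocked.
REQUIRED_DENY="root bin daemon adm"

# ftpusers_missing FILE -> prints the required accounts that are absent
# from FILE, space separated (prints an empty line when none are missing).
ftpusers_missing() {
    file=$1
    missing=""
    for acct in $REQUIRED_DENY; do
        # Drop comments and surrounding blanks, then require a whole-line
        # match so that "administrator" does not satisfy "adm".
        if ! sed -e 's/#.*//' -e 's/^[ 	]*//' -e 's/[ 	]*$//' \
                 "$file" 2>/dev/null | grep -qx -- "$acct"; then
            missing="$missing $acct"
        fi
    done
    echo "${missing# }"
}

# Constructed sample: "daemon" is commented out and "adm" is absent.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# accounts denied FTP access
root
  bin
#daemon
administrator
EOF

echo "not denied FTP login: $(ftpusers_missing "$sample")"
```

On a real host, call `ftpusers_missing /etc/ftpusers`; an unreadable or missing file reports all four accounts as not denied.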
Properly set up POP-3, Sendmail, and other email services
With the POP-3 service, the email user's password is sent across the network in plaintext, and hackers can easily intercept the user name and password. To solve this problem, install a POP-3 server that supports encrypted password transfer (that is, one that supports the Authenticated POP command), so that the password is encrypted before it is sent over the network.
Old versions of the Sendmail server program have security risks. To keep the mail server secure, install the latest version of the Sendmail server software, in which security risks have been eliminated as far as possible.
Strengthen management of WWW servers and provide secure WWW services
After a Linux-based website is built, most users reach it through the Web server using a WWW browser, so the security of the Web server deserves special attention. Whichever HTTP-based Web server software is used, pay special attention to CGI (Common Gateway Interface) scripts. These scripts are executable programs, typically stored under the Web server's CGI-BIN directory. When configuring the Web server, ensure that executable CGI scripts are stored only in the CGI-BIN directory, which keeps the scripts secure without affecting the security of other directories.
It is best to disable the finger service
In Linux, the finger command can display details of the users logged on to the local or a remote system. Hackers can exploit this information to increase their chance of intruding into the system. For system security, it is best to disable the finger service, that is, to delete the finger command from /usr/bin. If you want to retain the finger service, replace the finger file or change its permissions so that only the root user can execute the finger command.
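The Telnet, FTP, POP-3 and finger sections above all advise against running these services unless they are needed. The following shell function is an added example, not part of the original article; it assumes the services are started from a classic /etc/inetd.conf (a file the article does not name), and the function name and sample file are constructed.

```shell
#!/bin/sh
# Added example: list which of the services discussed in the article
# (telnet, ftp, finger, pop-3) are still enabled in an inetd.conf file.
# Assumed line format:
#   service socket_type proto wait/nowait user server_path [args]

# cleartext_services FILE -> prints the enabled service names from the
# watch list, sorted and space separated (empty when none are enabled).
cleartext_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip disabled (commented) or malformed lines
        $1 ~ /^(telnet|ftp|finger|pop-?3)$/ { print $1 }
    ' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample configuration: telnet is already commented out,
# ftp, finger and pop-3 are still enabled, time is not on the watch list.
conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
time    stream  tcp  nowait  root    internal
EOF

echo "still enabled: $(cleartext_services "$conf")"
```

Each name reported is a line to comment out in the configuration unless the service is genuinely required.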
Summary of Linux Network Service Security
The Linux operating system is widely used and its source code is public, so it is the operating system that many computer users have studied most thoroughly, and configuring Linux is itself quite complicated. Following the preceding security policies and protection mechanisms minimizes the risk to the system, but security vulnerabilities cannot be completely eliminated.
That completes the introduction to the management tools for Linux network servers; I hope it helps you understand them. As a Linux system administrator, you must stay security-aware, perform regular security checks on the system, take immediate measures when a vulnerability is discovered, and give hackers no chance.