10 ways to improve Linux system security

Source: Internet
Author: User
Tags: configuration settings, system log, versions, ssh, file transfer protocol

Linux has many advantages in functionality, price and performance. However, as an open operating system, it inevitably has some security problems. On how to deal with these hidden dangers and provide a safe platform for applications, this article passes on some of the most basic, most commonly used, and also most effective tricks.

Linux is a UNIX-like operating system. In theory there is no significant security flaw in the design of UNIX itself; for years, the vast majority of security problems found on UNIX operating systems have been in individual programs, so most UNIX vendors claim to be able to solve these problems and provide a secure UNIX operating system. Linux is a bit different: it does not belong to a single vendor, and no vendor promises its security, so users have to solve their security problems themselves.

Linux is an open system, and a great many ready-made programs and tools can be found on the Web. That is convenient for users and for hackers alike, because the latter can just as easily find programs and tools to sneak into a Linux system or steal important information from it. However, as long as we set up the various Linux system functions carefully and take the necessary security measures, we can leave hackers no opening to exploit.

In general, security settings for a Linux system include eliminating unnecessary services, restricting remote access, hiding important information, patching security vulnerabilities, adopting security tools, and regular security checks. This article teaches you 10 ways to improve the security of your Linux system. The tricks are not big ones, but they work, and you may as well try them.

Trick 1: Eliminate unnecessary services

In earlier versions of UNIX, each network service had its own service program running in the background; later versions handed this task to a unified /etc/inetd server program. inetd is the abbreviation of Internet daemon. It monitors multiple network ports and, once an incoming connection arrives, executes the appropriate TCP or UDP network service.

Because inetd is in unified command, most TCP and UDP services in Linux are configured in the /etc/inetd.conf file. So the first step in eliminating unnecessary services is to check the /etc/inetd.conf file and put a "#" in front of each service that is not needed.

In general, apart from HTTP, SMTP, Telnet and FTP, the other services should be cancelled, for example the Simple File Transfer Protocol TFTP, the IMAP/POP transport protocols for storing and receiving network mail, the gopher protocol for finding and searching data, and the daytime and time services used for clock synchronization.

There are also services that report system state, such as finger, efinger, systat and netstat. They are useful for checking system errors and looking up users, but they are just as useful to hackers. For example, a hacker can use the finger service to look up a user's phone number, directory in use, and other important information. For that reason many Linux systems cancel all or some of these services to enhance system security.

Besides using /etc/inetd.conf to configure the system service entries, inetd uses the /etc/services file to find the ports used by each service. Users must therefore carefully check the settings of each port in that file to avoid a security vulnerability.

There are two different service types in Linux: services that run only when needed, such as the finger service, and non-stop services that run all the time. The latter start when the system starts, so modifying inetd cannot stop them; they can only be changed in the /etc/rc.d/rc[n].d/ files or with the runlevel editor. The NFS server that provides file services and the news server that provides the NNTP news service belong to this kind, and if they are not needed it is best to cancel them.
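The inetd.conf edit described above can be done mechanically. The following script is an added example written for this article, not code from the original page: it takes an inetd.conf-style file, keeps only the services on an allow list, comments out every other active line, and then lists what is still enabled. The sample file contents are constructed for the example; the script only ever writes to a temporary file, never to /etc.

```shell
#!/bin/sh
# Constructed sample of an /etc/inetd.conf (not copied from any real host).
INETD_SAMPLE='# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root   /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
#systat stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
daytime stream  tcp  nowait  root   internal
pop-3   stream  tcp  nowait  root   /usr/sbin/tcpd  ipop3d'

# Services the page says may stay; everything else that is active gets a "#".
KEEP_SERVICES="ftp telnet smtp http"

# disable_inetd_services FILE KEEPLIST -> prints the rewritten file on stdout.
disable_inetd_services() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allowed[k[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }  # comments and blanks untouched
        ($1 in allowed) { print; next }                       # wanted service: keep as is
        { print "#" $0 }                                      # anything else: comment out
    ' "$1"
}

# enabled_inetd_services FILE -> names of the services still active, one per line.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Demonstration on the constructed sample, written to a temporary file (never /etc).
demo=$(mktemp)
printf '%s\n' "$INETD_SAMPLE" > "$demo"
disable_inetd_services "$demo" "$KEEP_SERVICES"
rm -f "$demo"
```

On a real host you would run it against a copy of /etc/inetd.conf, compare the output with the original, and only then replace the file and send inetd a HUP signal so it rereads its configuration.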

Trick 2: Restrict access to the system

Before entering the Linux system, every user needs to log in; that is, the user needs to enter a user account and password, and only after the system has authenticated them can they enter the system.

Like other UNIX operating systems, Linux usually encrypts passwords and stores them in the /etc/passwd file. All users on a Linux system can read the /etc/passwd file, and although the passwords saved in it are encrypted, this is still unsafe, because an ordinary user can use a ready-made password-cracking tool to guess the passwords by exhaustive search. A more secure approach is to set up the shadow file /etc/shadow and allow only users with special privileges to read it.

In a Linux system, if you want to use shadow files, you must recompile all the utilities to support them. That approach is rather cumbersome; the simpler approach is to use Pluggable Authentication Modules (PAM). Many Linux systems ship the Linux toolkit PAM, an authentication mechanism that can be used to change authentication methods and requirements dynamically without recompiling the other utilities. PAM hides all authentication-related logic inside its modules, in a closed package, so it is the best helper for using shadow files.

In addition, PAM has many other security features: it can replace the traditional DES encryption method with other, stronger encryption methods so that users' passwords are not easily deciphered; it can set limits on each user's use of computer resources; and it can even restrict the time and place from which a user may log on.

A Linux system administrator needs only a few hours to install and set up PAM, which can greatly improve the security of the Linux system and block many attacks from outside.
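Whether the shadow file is actually in use is easy to verify. The script below is an added example for this trick, not code from the original page: it lists every /etc/passwd entry whose password field still holds a hash (readable by every local user) or is empty (no password at all), and checks that the shadow file is not world-readable. The passwd sample, including the hash value, is constructed for the example.

```shell
#!/bin/sh
# Constructed /etc/passwd sample (not from any real host): two of the five
# accounts do not defer to /etc/shadow.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$saltsalt$constructedhashvalue0000000:1001:1001:Legacy:/home/legacy:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/bash'

# unshadowed_accounts FILE -> "user:reason" for each entry whose password field
# is neither the "x" pointer to the shadow file nor a locked marker ("*", "!").
# A hash here can be fed to a cracker by any local user; an empty field means
# the account has no password at all.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" {
        print $1 ":" ($2 == "" ? "empty" : "hash-in-passwd")
    }' "$1"
}

# shadow_not_world_readable FILE -> succeeds only if "other" has no read bit.
# Column 8 of "ls -ld" is the other-read bit on both GNU and BSD userlands.
shadow_not_world_readable() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8)" != "r" ]
}

# Demonstration on the constructed sample (temporary file, never /etc).
demo=$(mktemp)
printf '%s\n' "$PASSWD_SAMPLE" > "$demo"
unshadowed_accounts "$demo"
rm -f "$demo"
```

On a real system run `unshadowed_accounts /etc/passwd` and `shadow_not_world_readable /etc/shadow`; the first should print nothing and the second should succeed.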

Trick 3: Keep the system kernel up to date

Because Linux is distributed through many channels, and updated programs and system patches appear often, the system kernel must be updated constantly in order to enhance system security.

The kernel is the core of the Linux operating system. It resides in memory, loads the other parts of the operating system and implements its basic functions. Because the kernel controls the various functions of the computer and the network, its security is critical to the security of the system as a whole.

Earlier versions of the kernel had many well-known security vulnerabilities and were less stable; only from 2.0.x onwards did the kernel become more stable and secure, and the efficiency of the newer versions is greatly improved. When configuring the kernel's functions, select only the necessary ones, and do not compile in every function just because it is available; otherwise the kernel becomes very large, which both takes up system resources and leaves openings for hackers.

With the latest security patches available on the Internet, Linux system administrators should keep themselves well informed and visit the security newsgroups often to check for new patches.

Trick 4: Check login passwords

Setting the login password is a very important security measure. If a user's password is not set appropriately, it is very easy to decipher; in particular, if a user with superuser power has no good password, it leaves a great security hole in the system.

In a multi-user system, if every user is forced to choose a password that is not easy to guess, the security of the system improves greatly. However, if the passwd program cannot force every user to use an appropriate password, the only way to ensure password security is to rely on a password-cracking program.

In fact, a password-cracking program is a tool from the hacker's toolbox. It encrypts commonly used passwords, or all the words in an English dictionary that might be used as passwords, and then compares them with the Linux system's /etc/passwd password file or /etc/shadow shadow file. If a match is found, the password has been obtained.

Many password-cracking programs can be found on the network; the best known is crack. Users can run a password-cracking program on their own system to find passwords that are easy to crack, and correcting them first is better than being cracked by someone else.

Trick 5: Set the security level of user accounts

Besides passwords, user accounts also have a security level, because each account on Linux can be given different permissions. So when creating a new user ID, the system administrator should give the account the appropriate permissions and put it into the appropriate user group.


With tcpd on a Linux system, you can set up lists of who is and is not allowed to log on to the computer. The list of those allowed on the machine is set in /etc/hosts.allow, and the list of those not allowed is set in /etc/hosts.deny. After the setup is complete, the inetd program needs to be restarted before it takes effect. In addition, Linux automatically records the allowed and denied results in the /var/log/secure file, so the system administrator can detect suspicious entry records from it.

Each account ID should be assigned to someone. In an enterprise, if the employee responsible for an ID leaves, the administrator should remove the account from the system immediately. Many intrusions borrow accounts that have been unused for a long time.

Among user accounts, hackers like the account with root permission most: this kind of superuser has the right to modify or delete all system settings and can move through the system unimpeded. Therefore, before giving any account root permission, it must be considered carefully.

The /etc/securetty file in a Linux system contains a set of terminal names from which the root account may log in. For example, in a Red Hat Linux system the initial value of the file allows root to log on only from the local virtual consoles (ttys), not from remote sessions. It is best not to modify this file; if you must obtain root permission via Telnet, it is best to log on first as a regular account and then use the su command to become superuser.

Trick 6: Eliminate the hotbed of hacker crime

In a UNIX system there is a series of r-prefixed utilities that are dangerous tools for hackers to invade with, so never open the root account to these utilities. Because these utilities grant access according to the .rhosts files or the hosts.equiv file, make sure the root account is not included in these files.

Since the r-utilities are a hotbed for hackers, many security tools are designed to address this vulnerability. For example, the PAM tool can be used to disable the r-prefixed utilities: adding an instruction to the /etc/pam.d/rlogin file that requires login to be approved first means that no user on the system can use the .rhosts file in their home directory.
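The checks from Trick 5 and Trick 6 (extra UID-0 accounts, root logins allowed from non-console terminals, a default-deny hosts.deny, and root or a "+" wildcard in hosts.equiv or any .rhosts file) can be collected into one audit script. This is an added example written for this article, not code from the original page; every file shown is a constructed sample written to a temporary directory, and the host names and account names in it are hypothetical.

```shell
#!/bin/sh
# Constructed samples of the files discussed; nothing here is from a real host.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SECURETTY_SAMPLE='tty1
tty2
pts/0'

HOSTS_DENY_SAMPLE='ALL: ALL'
HOSTS_ALLOW_SAMPLE='sshd: 192.0.2.0/255.255.255.0
in.ftpd: LOCAL'

HOSTS_EQUIV_SAMPLE='trusted.example.com
+ root'

# extra_uid0_accounts FILE -> every account other than root whose UID is 0;
# such an account is a second superuser whatever its name.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# remote_root_ttys FILE -> securetty entries that are not local consoles.
# Pseudo-terminals (pts/N, ttypN) and serial lines are what remote sessions get,
# so listing them lets root log in directly from outside.
remote_root_ttys() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^(pts/|ttyp|ttyS)' || true
}

# tcpd_default_deny FILE -> succeeds if hosts.deny blocks everything not
# explicitly listed in hosts.allow.
tcpd_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# rhosts_trusts_root FILE... -> prints each existing file (hosts.equiv or a
# user's .rhosts) that names root or uses the "+" wildcard, which admits any
# host without a password.
rhosts_trusts_root() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -Eq '(^|[[:space:]])([+]|root)([[:space:]]|$)' "$f"; then
            echo "$f"
        fi
    done
}

# Demonstration on the constructed samples, in a temporary directory.
demo=$(mktemp -d)
printf '%s\n' "$PASSWD_SAMPLE" > "$demo/passwd"
printf '%s\n' "$SECURETTY_SAMPLE" > "$demo/securetty"
printf '%s\n' "$HOSTS_EQUIV_SAMPLE" > "$demo/hosts.equiv"
echo "extra UID 0 accounts:"; extra_uid0_accounts "$demo/passwd"
echo "root allowed from non-console ttys:"; remote_root_ttys "$demo/securetty"
echo "files trusting root or +:"; rhosts_trusts_root "$demo/hosts.equiv"
rm -rf "$demo"
```

On a real host, point the functions at /etc/passwd, /etc/securetty, /etc/hosts.deny, /etc/hosts.equiv and `/home/*/.rhosts`; each of the three listing functions should print nothing, and `tcpd_default_deny` should succeed.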

Trick 7: Strengthen the security protection tools

SSH is the acronym for Secure Sockets Layer; it is a set of programs that can safely replace common programs such as rlogin, rsh and rcp. SSH uses public-key technology to encrypt the communication between two hosts on the network and uses its keys as an authentication tool.

Because SSH encrypts information on the network, it can be used to log on to a remote host securely and to transfer information securely between two hosts. In fact, SSH not only protects communication between Linux hosts; Windows users can also connect securely to Linux servers via SSH.

Trick 8: Restrict the power of the superuser

As mentioned earlier, root is the focus of Linux protection; because it has unlimited power, it is best not to grant superuser authority lightly. However, some programs must be installed and maintained with superuser privileges, and in such cases other tools can be used to give such users part of the superuser's power. sudo is such a tool.

The sudo program allows an ordinary user, after configuration, to enter their own password again and obtain the power of the superuser, but only to execute a limited set of commands. For example, when sudo is in use, the staff who manage tape backups can log on to the system every day and gain superuser privileges to perform the document backup, but have no privilege to do any of the other work that only the superuser can do.

sudo not only restricts users' permissions but also records every command executed through sudo, whether it succeeds or fails. In a large enterprise there are often many people managing different parts of the Linux system at the same time; each manager can authorize certain users with superuser privileges in sudo, and from the sudo log it is possible to trace who did what.

It is worth noting that sudo does not limit all user behaviour; in particular, when some simple commands are not restricted, they may be abused by hackers. For example, the /etc/cat command, normally used to display the contents of a file, can be used by a hacker who holds superuser privileges for it to modify or delete important files.
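The tape-backup rule from the previous paragraphs, and the warning about simple commands, can both be checked against a sudoers file. The script below is an added example for this article, not code from the original page or from the sudo project: it reads a sudoers-format file, skips the root entry, and reports every rule that grants `ALL`, a shell, or `cat`, the command the page itself names as abusable, and it confirms that sudo logging is switched on. The sudoers sample and the list of risky commands are constructed for the example and should be adapted to your site.

```shell
#!/bin/sh
# Constructed sudoers sample (not a real site's file). "backup" is the page's
# tape-backup operator: the backup commands only, nothing else.
SUDOERS_SAMPLE='# constructed sample
Defaults    logfile=/var/log/sudo.log
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
backup      ALL=(root) /usr/bin/tar, /bin/mt
junior      ALL=(root) /bin/cat, /bin/sh'

# Commands that undo the point of a restricted rule: ALL grants everything, a
# shell grants everything interactively, and cat (the page's own example) gives
# root-level access to any file. Hypothetical starting list for this example.
RISKY_COMMANDS="ALL /bin/sh /bin/bash /bin/cat"

# risky_sudo_rules FILE -> "who:command" for each non-root rule granting a risky command.
risky_sudo_rules() {
    awk -v risky="$RISKY_COMMANDS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*Defaults/ || NF == 0 || $1 == "root" { next }
        {
            who = $1
            cmds = $0
            sub(/^[^=]*=[[:space:]]*/, "", cmds)       # drop "user HOST="
            sub(/^\([^)]*\)[[:space:]]*/, "", cmds)    # drop "(runas)"
            m = split(cmds, c, "[[:space:]]*,[[:space:]]*")
            for (i = 1; i <= m; i++) {
                split(c[i], word, " ")                # command path before any arguments
                if (word[1] in bad) print who ":" word[1]
            }
        }' "$1"
}

# sudo_logging_enabled FILE -> succeeds if a "Defaults ... logfile=" line is present,
# i.e. the per-command record the page relies on to trace who did what exists.
sudo_logging_enabled() {
    grep -Eq '^[[:space:]]*Defaults.*logfile=' "$1"
}

# Demonstration on the constructed sample (temporary file, never /etc/sudoers).
demo=$(mktemp)
printf '%s\n' "$SUDOERS_SAMPLE" > "$demo"
risky_sudo_rules "$demo"
rm -f "$demo"
```

The backup rule produces no finding, while the `%wheel` group and the `junior` rule do; that is the difference between giving someone part of the superuser's power and giving them all of it under another name.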

Trick 9: Track the hackers' trail

When you have carefully set up the various Linux configurations and installed the necessary security tools, the security of the Linux operating system is indeed greatly improved, but that does not guarantee that skilled and daring network hackers are prevented from invading.

In normal times, network administrators should remain vigilant, always pay attention to all kinds of suspicious conditions, and inspect the various system log files in good time, including the general information log, the network connection log, the file transfer log and the user login log. When checking these logs, pay attention to whether there are records at unreasonable times. For example:

• Normal users logging in at midnight;

• Abnormal logging, such as a log that is cut off halfway, or an entire log file that has been deleted;

• Users accessing the system from unfamiliar URLs;

• Records of logins rejected because of a wrong password or wrong user account, especially repeated failed attempts that follow a certain trial-and-error pattern;

• Illegal or improper use of the su command to gain superuser rights;

• Records of each service being rebooted or restarted.
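Three of the items in the list above (logins at unreasonable hours, repeated failed attempts from one source, and use of su to become root) can be pulled out of /var/log/secure with awk. The script below is an added example for this article, not code from the original page. The log lines are constructed in syslog format with addresses from the documentation ranges; the hour thresholds are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure style lines (syslog format). The
# addresses are documentation-range addresses; nothing here is from a real host.
SECURE_LOG_SAMPLE='Mar 10 02:13:44 host login[812]: ROOT LOGIN ON tty1
Mar 10 02:14:01 host sshd[900]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar 10 02:14:03 host sshd[901]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Mar 10 02:14:05 host sshd[902]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 10 09:30:12 host sshd[950]: Accepted password for alice from 192.0.2.10 port 40000 ssh2
Mar 10 09:31:00 host su: (to root) alice on /dev/pts/0
Mar 10 14:02:17 host sshd[970]: Failed password for alice from 192.0.2.10 port 40050 ssh2
Mar 10 23:58:10 host sshd[990]: Accepted password for bob from 198.51.100.7 port 40100 ssh2'

# offhours_logins FILE [FROM] [TO] -> successful logins whose hour is >= FROM
# or < TO (defaults 23 and 6, i.e. the late-night window the page warns about).
offhours_logins() {
    awk -v from="${2:-23}" -v to="${3:-6}" '
        /Accepted|LOGIN ON/ {
            split($3, t, ":"); h = t[1] + 0   # hour from the HH:MM:SS timestamp
            if (h >= from || h < to) print
        }' "$1"
}

# repeated_failures FILE N -> source addresses with at least N failed passwords,
# the trial-and-error pattern the page says to look for.
repeated_failures() {
    awk -v min="$2" '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (src in fails) if (fails[src] >= min) print src, fails[src] }' "$1"
}

# su_to_root FILE -> every switch to root via su, to review against who is allowed to.
su_to_root() {
    awk '/ su: / && /\(to root\)/ { print }' "$1"
}

# Demonstration on the constructed sample (temporary file).
demo=$(mktemp)
printf '%s\n' "$SECURE_LOG_SAMPLE" > "$demo"
echo "off-hours logins:";      offhours_logins "$demo"
echo "3+ failures by source:"; repeated_failures "$demo" 3
echo "su to root:";            su_to_root "$demo"
rm -f "$demo"
```

Running it daily against the real log (for example from cron, with the output mailed to the administrator) turns the page's checklist into a routine rather than something done only after an incident.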

Trick 10: Defend together to ensure safety

From the point of view of computer security, there is no absolutely airtight, 100% secure computer system in the world, and the Linux system is no exception. Adopting the safety measures above can greatly improve the security of a Linux system, so that petty hackers and hobbyist computer players cannot intrude easily, but it will not necessarily stop the highly skilled masters. Therefore, enterprise users also need to use firewalls and other security tools, defending together against hacker invasion, to ensure the system is foolproof.
