Teach you how to build a secure Linux server tutorial _linux

To establish a secure Linux server, you first need to understand the meaning of the configuration files that are related to the network service and how to configure them securely in the Linux environment. In a Linux system, TCP/IP networks are configured with several text files, and you may need to edit these files to complete networking, but most of these profiles can be configured with command Linuxconf (where the configuration of the network portion can be implemented through the netconf command). The basic TCP/IP network configuration files are described below.

*/etc/conf.modules File

This profile defines the various parameter information for modules that need to be loaded at activation time. The main focus here is on the configuration of the NIC. With Linux as a gateway, Linux servers need to configure at least two network adapters. To reduce the number of problems that may occur during activation, the Linux kernel does not automatically detect multiple network adapters. For a system that does not compile the driver of the NIC to the kernel but is dynamically loaded as a module, it should be configured in the "conf.modules" file if multiple network adapters need to be installed.

If the device driver is compiled as a module (kernel module): For PCI devices, the module will automatically detect all devices that have been installed on the system, and for the ISA card, you will need to provide an IO address to the module so that the module knows where to look for the card, which is provided in "/etc/conf.modules".

For example, we have two ISA bus 3c509 cards, one IO address is 0x300, and the other is 0x320. Edit the "conf.modules" file as follows: Alias eth0 3c509alias eth1 3c509options 3c509 This is to indicate that the driver of the io=0x300,0x320 should be loaded separately with the name of 3c509 or eth0 ( Alias Eth0,eth1), and they should be loaded with parameter io=0x300,0x320 to inform the driver where to look for the NIC, where 0x is indispensable.

For PCI cards, only the alias command is required to associate the ETHN with the appropriate driver module name, and the IO address of the PCI card will be automatically detected. For PCI cards, edit the "conf.modules" file as follows: Alias eth0 3c905alias eth1 3c905 If the driver has been compiled into the kernel: when the system is activated, the PCI detection program will automatically find all the relevant network cards. ISA cards can also be automatically detected, but in some cases the ISA card still needs to do the following configuration:

Add configuration information to the "/etc/lilo.conf" method by passing the activation parameter information to the kernel through the LILO program. For ISA card, edit the "lilo.conf" file to add the following: append= "ether=" 0,0,eth0 ether= "0,0,eth1" Note: Do not add activation parameters to "lilo.conf", test your ISA card, If it fails, then the activation parameter is used.

If you use a method that passes the activation parameters, eth0 and eth1 are set in the order in which they are discovered when they are activated.

*/etc/hostname File:

This file contains the host name of the system, including the full domain name, such as:

Deep.openarch.com

*/ETC/SYSCONFIG/NETWORK-SCRIPTS/IFCFG-ETHN file:

In Redhat, the configuration file for the system network device is saved under the "/etc/sysconfig/network-scripts" directory, Ifcfg-eth0 contains the configuration information for the first network card, and the configuration information that contains the second network card.

The following is an example of a "/etc/sysconfig/network-scripts/ifcfg-eth0" file: device=eth0ipaddr=208.164.186.1netmask= 255.255.255.0network=208.164.186.0broadcast=208.164.186.255onboot=yesbootproto=noneuserctl=no

If you want to manually modify the network address or add a new network interface to the new interface, you can do so by modifying the corresponding file (IFCFG-ETHN) or by creating a new file.

Device=name name indicates the names of the physical devices

Ipaddr=addr addr represents the IP address assigned to the card

Netmask=mask Mask represents a network mask

NETWORK=ADDR addr represents the network address

Broadcast=addr addr Represents broadcast address

Whether the card is activated when onboot=yes/no is activated

None: No activation protocol required

BOOTP: Using BOOTP protocol

DHCP: Using DHCP protocol

Userctl=yes/no whether to allow non-root users to control the device

*/etc/resolv.conf file:

The file is a configuration file that is used by the domain name Parser (resolver, a library that resolves IP addresses based on the hostname), as shown in the following example:

Search Openarch.comnameserver 208.164.186.1nameserver 208.164.186.2

"Search domainname.com" means that when a host name is provided that does not include a full domain name, a domainname.com suffix is added after the host name; " NameServer "indicates that the host specified by this address when resolving a domain name is a domain name server. The domain name servers are queried in the order in which they appear in the file.
*/etc/host.conf file:

This file specifies how the host name is resolved. Linux uses the parser library to obtain the IP address of the host name. The following is an example of a "/etc/host.conf":

Order Bind,hosts

Multi on

Ospoof on

"Order Bind,hosts" specifies the sequence of host name queries, where DNS is used to resolve domain names before the "/etc/hosts" file (or vice versa) is queried.

"Multi on" Specifies whether the host specified in the "/etc/hosts" file can have multiple addresses, and hosts with multiple IP addresses are generally referred to as multiple-homed hosts.

"Nospoof on" means that IP address spoofing is not allowed on this server. IP spoofing is a means of attacking system security by disguising the IP address as another calculator to gain the trust of other calculators.

*/etc/sysconfig/network file

This file is used to specify network configuration information on the server, and here is an example:

Whether the network=yesrorward_ipv4=yeshostname=deep.openarch.comgareway=0.0.0.0gatewaydev=network=yes/no network is configured; Forward_ipv4=yes/no whether IP forwarding is turned on hostname=hostname hostname represents the host name of the server Gareway=gw-ip GW-IP represents the IP address of the network gateway Garewaydev=gw-dev GW-DW indicates the device name of the gateway, such as: Etho, etc.

Note: In order to be compatible with older software, the "/etc/hostname" file should use the same hostname as hostname=hostname.

*/etc/hosts file

When the machine is activated, before DNS can be queried, the machine needs to query some host names to match the IP address. These matching information is stored in the/etc/hosts file. In the absence of a domain name server, all network programs on the system query the file to resolve the IP address corresponding to a host name.

The following is an example of a "/etc/hosts" file:

IP address Hostname Alias127.0.0.1 Localhost gate.openarch.com208.164.186.1 gate.openarch.com Gate

The leftmost column is host IP information, and the middle column is the host name. Any subsequent columns are aliases for that host. Once the network profile for the machine is configured, the network should be reactivated for the modifications to take effect. Use the following command to reactivate the network:/etc/rc.d/init.d/network restart

*/etc/inetd.conf File

As we all know, as a server, the more open the service port, the more difficult to guarantee the security stability of the system. So servers that provide specific services should be as open as possible to the ports that provide the service, and the services unrelated to the server will be shut down, for example, a machine that is a WWW and FTP server should open only 80 and 25 ports and turn off other unrelated services such as finger auth. To reduce system vulnerabilities.

And inetd, also called "Super Server", is to monitor some network request daemon, which calls the corresponding service process according to the network request to process the connection request. Inetd.conf is the inetd configuration file. The inetd.conf file tells inetd which network ports to monitor and which service to activate for each port. The first thing to do with Linux in any network environment is to find out what services the server is offering. Those services that are not needed should be banned, preferably unloaded, so that hackers are less able to attack the system. Check out the "/etc/inetd.conf" file to find out what services inetd offers. Use the Annotated method (plus the # number at the beginning of a line) to prohibit any unwanted service and send a sighup signal to the inetd process.

The first step is to change the file permission limit to 600.

[root@deep]# chmod 600/etc/inetd.conf

Step two: Be sure that the file owner is root.

[root@deep]# stat/etc/inetd.conf

Step three: Edit the "inetd.conf" file (vi/etc/inetd.conf) to prohibit all unwanted services, such as FTP, Telnet, shell, login, exec, talk, Ntalk, IMAP, POP-2, pop-3, Finger, auth, and so on. If you feel that some services are useful, you may not ban these services. However, by banning these services, the system is less likely to be attacked. The contents of the changed "inetd.conf" file are as follows:

# to re-read this file is changes, just do a ' killall-hup inetd ' # #echo stream tcp nowait root Internal#echo dgram UDP Wait root Internal#discard stream TCP nowait root internal#discard dgram udp wait root internal#daytime stream TCP nowait Root internal#daytime dgram udp wait root internal#chargen stream TCP nowait root Internal#chargen dgram udp wait root int Ernal#time stream TCP nowait root internal#time dgram udp Wait root internal## this are standard services.# #ftp stream TC P nowait ROOT/USR/SBIN/TCPD in.ftpd-l-a#telnet stream TCP nowait root/usr/sbin/tcpd in.telnetd## Shell, login, exec, c Omsat and talk are BSD protocols.