Article Title: Ten Tips to Ensure Linux Security
Linux has many advantages in terms of functionality, price, and performance. However, as an open operating system, it inevitably has some security risks. This article explains how to address these hidden dangers and provide a secure operating platform for applications, using the most basic, common, and effective methods.
Linux is a Unix-like operating system. In theory, the design of Unix itself has no major security defects. For many years, the vast majority of security problems found on Unix operating systems have been in individual programs. Therefore, most Unix vendors claim to be able to solve these problems and provide secure Unix operating systems. Linux is somewhat different: it does not belong to any vendor, and no vendor claims to provide security assurance for it. Users therefore have to solve security problems themselves.
Linux is an open system, and many ready-made programs and tools for it can be found on the network. This is convenient for both users and hackers, because hackers can just as easily find programs and tools to sneak into a Linux system or steal important information from it. However, as long as we carefully configure the various Linux system functions and add the necessary security measures, hackers will have no opening to exploit.
In general, security settings for Linux systems include canceling unnecessary services, restricting remote access, hiding important information, fixing security vulnerabilities, using security tools, and performing regular security checks. This article teaches ten ways to improve Linux system security. There are not many of them, but they work, so they are worth trying.
1st tip: Cancel unnecessary services
In earlier versions of Unix, each network service had its own service program running in the background. Later versions use a single unified server program, /etc/inetd. Inetd is short for Internet daemon. It monitors multiple network ports at the same time, and once it receives a connection from the outside, it executes the corresponding TCP or UDP network service.
Because inetd directs them all, most TCP or UDP services in Linux are configured in the /etc/inetd.conf file. Therefore, the first step in canceling unnecessary services is to check the /etc/inetd.conf file and add a "#" in front of the unwanted services.
In general, all services except http, smtp, telnet, and ftp should be canceled, such as the Trivial File Transfer Protocol (tftp), the imap/ipop transport protocols used for storing and receiving network mail, gopher for data searching, and daytime and time, which are used for time synchronization.
There are also some services that report system status, such as finger, efinger, systat, and netstat. Although they are very useful for system troubleshooting and for looking up users, they also provide a convenient doorway for hackers. For example, hackers can use the finger service to find users' phone numbers, directories, and other important information. Therefore, many Linux systems cancel all or some of these services to enhance system security.
In addition to using /etc/inetd.conf to configure system services, inetd also uses the /etc/services file to find the ports used by the various services. Therefore, you must carefully check the port settings in that file to avoid security vulnerabilities.
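The inetd.conf check described above can be scripted. The following is an added example, not code from the original article: it lists the enabled services that are not on the article's allowlist and produces a copy of the file with a "#" in front of them. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Allowlist as given in the article; adjust it for the host being audited.
ALLOWED="http smtp telnet ftp"

# Constructed sample in inetd.conf layout (not from a real host):
# service  socket  proto  wait-flag  user  program  arguments
sample_inetd_conf() {
cat <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#systat stream  tcp  nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx

daytime stream  tcp  nowait  root    internal
EOF
}

# Read inetd.conf text on stdin and print the name of every enabled
# service that is not on the allowlist.
unwanted_services() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }   # already commented out, or blank
        !($1 in ok) { print $1 }
    '
}

# Read inetd.conf text on stdin and write it back out with "#" added in
# front of every unwanted service; all other lines pass through unchanged.
disable_unwanted() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        !($1 in ok) { print "#" $0; next }
        { print }
    '
}

# Report on the constructed sample; on a real host, feed /etc/inetd.conf.
sample_inetd_conf | unwanted_services
```

After the real file is edited, inetd has to re-read its configuration, which it does when it receives a SIGHUP.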
In Linux, there are two types of services: one is executed only when needed, such as the finger service; the other runs continuously and never pauses. This second type of service starts when the system boots, so you cannot stop it by modifying inetd. Instead, you can only modify the /etc/rc.d/rc[n].d/ files or use the Runlevel editor to change it. NFS servers, which provide file services, and news, which provides NNTP news services, belong to this type. If they are not necessary, it is best to cancel these services.
2nd tip: Restrict system access
Before entering the Linux system, all users need to log on, that is, users need to enter the user account and password. Only after they pass system verification can users enter the system.
Like other Unix operating systems, Linux stores passwords in the /etc/passwd file after encrypting them. All users on a Linux system can read the /etc/passwd file, so although the passwords stored in the file are encrypted, they are still not safe: anyone can use a ready-made password cracking tool to guess them. The safer method is to set up the shadow file /etc/shadow and allow only users with special permissions to read it.
In Linux, to use the shadow file, you must recompile all the utilities to support it, which is troublesome. A simpler method is to use Pluggable Authentication Modules (PAM). Many Linux systems ship with PAM, an authentication mechanism that can dynamically change authentication methods and requirements without recompiling other utilities. This is because PAM uses encapsulation to hide all authentication-related logic inside modules, so it is the best helper for using shadow files.
In addition, PAM has many security features: it can replace the traditional DES encryption method with other, stronger encryption methods so that user passwords are not easily cracked; it can set an upper limit on the computer resources each user may use; it can even set the times and places at which a user may use the computer.
Linux administrators can install and configure PAM in just a few hours, greatly improving the security of the Linux system and blocking many attacks from outside the system.
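To check whether a system still exposes password hashes the way this tip warns about, the passwd file can be audited field by field. The following is an added example, not code from the original article: it flags accounts whose second field holds a hash or is empty instead of pointing to the shadow file, and tests whether a file is readable by all users. The function names are hypothetical, and the sample accounts and hash strings are constructed placeholders.

```sh
#!/bin/sh
# Constructed sample in /etc/passwd layout; the hash strings are
# placeholders, not real hashes.
# name:password:uid:gid:comment:home:shell
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:XXplaceholder:500:500:Alice:/home/alice:/bin/bash
bob:$1$CONSTRUC$placeholderplaceholder..:501:501:Bob:/home/bob:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
EOF
}

# Read passwd-format text on stdin and report every account whose
# password field is world-readable material rather than a shadow marker.
exposed_hashes() {
    awk '
        BEGIN { FS = ":" }
        /^#/ || NF < 7 { next }
        $2 == "x"      { next }                          # hash is in /etc/shadow
        $2 == ""       { print $1 " empty-password"; next }
        $2 ~ /^[*!]/   { next }                          # locked, no usable hash
        $2 ~ /^\$/     { print $1 " hash-in-passwd"; next }
        # 13 characters from the crypt alphabet: traditional DES format
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" {
            print $1 " des-hash-in-passwd"; next
        }
        { print $1 " unknown-field" }
    '
}

# Succeed (exit status 0) when the named file is readable by "other"
# users, which must never be the case for the shadow file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Report on the constructed sample; on a real host, feed /etc/passwd
# and call world_readable on /etc/shadow.
sample_passwd | exposed_hashes
```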
3rd tip: Keep the system kernel up to date
Because Linux is distributed through many channels, and updated programs and system patches appear often, we must update the system kernel frequently to enhance system security.
The kernel is the core of the Linux operating system. It is used to load other parts of the operating system and implement its basic functions. Because the kernel controls the various functions of the computer and the network, its security is crucial to the security of the entire system.
Many well-known security vulnerabilities exist in earlier versions of the kernel, which are also unstable. Only versions 2.0.x and later are stable and secure, and the running efficiency of the new versions is greatly improved. When configuring the kernel, select only the necessary functions; do not simply accept every function offered. Otherwise, the kernel will become large, which both consumes system resources and leaves hackers an opportunity.
The latest security patches are often available on the Internet. Linux administrators should stay well-informed and regularly visit security newsgroups to check for new patches.
4th tip: Check the logon password
Setting a logon password is a very important security measure. If a user's password is not properly chosen, it will be easily cracked. This is especially true for users with superuser permissions: without a good password, they create a large security vulnerability in the system.
In a multi-user system, if you force each user to select a password that is difficult to guess, the security of the system will be greatly improved. However, if the passwd program cannot force each user on the machine to use an appropriate password, then to ensure password security you can only rely on a password cracking program.
In fact, the password cracking program is a tool from the hacker's toolbox. It encrypts common passwords, or every word in the English dictionary that might be used as a password, and then compares the result with the /etc/passwd password file or the /etc/shadow file in Linux. If there is a match, the plaintext password is obtained.
Many password cracking programs can be found on the network; the most famous is crack. You can run a password cracking program yourself first to find the passwords that hackers could easily crack. It is better to correct those passwords first than to have them cracked by hackers.