As open-source Linux has spread, its use in large and medium-sized enterprises has steadily grown. Many enterprise application services are built on it, such as Web services, database services, and cluster services. Linux security has therefore become the foundation on which enterprises build secure applications, and a top priority. How to protect it is a fundamental problem that enterprises need to solve. With that in mind, this article sets out the key points of enterprise-level Linux server security protection.
1. Enhancement: Password Management
Setting a logon password is a very important security measure. A password that is not properly chosen is easily cracked. This matters most for users with superuser permissions, where a poor password opens a large security hole in the system.
Currently, most password cracking programs use dictionary attacks and brute-force attacks, and poorly chosen passwords are vulnerable to dictionary attacks. Many users like to build passwords from their English names, birthdays, account names, and similar information, so hackers can crack them with dictionary attacks or social engineering techniques. It is therefore recommended that you use non-dictionary character combinations that mix digits and letters, with both uppercase and lowercase characters, to make the password harder to crack. In addition, you can protect logon passwords by changing them regularly and by expiring them periodically.
In a multi-user system, forcing each user to select a password that is difficult to guess greatly improves the security of the system. However, if the passwd program cannot force every user on the machine to use an appropriate password, the only way to ensure password security is to rely on a password cracking program. A password cracking program is a tool from the hacker's toolbox: it encrypts common passwords, or every word in an English dictionary that might be used as a password, and compares the results with the entries in the /etc/passwd or /etc/shadow file on Linux. If one matches, the plaintext password is known. Many password cracking programs can be found on the network; the best known are Crack and John the Ripper. You can run a password cracking program yourself first to find the passwords that hackers could easily crack. It is better to find and correct them yourself than to have them cracked by hackers.
2. Limitation: Network Service Management
In earlier Linux versions, each network service had its own daemon process; later versions use the unified /etc/inetd server program to take over this task. inetd is short for Internet daemon. It monitors multiple network ports at the same time and, once it receives a connection from outside, starts the corresponding TCP or UDP network service. Because inetd is in overall control, most TCP and UDP services in Linux are configured in the /etc/inetd.conf file. The first step in canceling unnecessary services is therefore to check /etc/inetd.conf and put a "#" sign in front of each unwanted service.
In general, all services except http, smtp, telnet, and ftp should be canceled, such as the Trivial File Transfer Protocol (tftp), the imap/ipop protocols used for storing and receiving network mail, gopher for data searching, and daytime and time, which are used for time synchronization. There are also services that report system status, such as finger, efinger, systat, and netstat. Although they are very useful for troubleshooting system errors and looking up users, they also give hackers a convenient way in. For example, hackers can use the finger service to find users' phone numbers, directories, and other important information. Many Linux systems therefore cancel all or some of these services to strengthen system security. Besides the service entries in /etc/inetd.conf, inetd also uses the /etc/services file to find the ports used by the various services, so you must check the port settings in that file carefully to avoid security vulnerabilities.
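The following shell script is an added example, not part of the original article: it lists the services still enabled in an inetd.conf-style file that fall outside the keep list given above, and prints a copy of the file with those lines commented out. The function names, the KEEP variable and the sample entries are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an inetd.conf-style file.
# KEEP is the keep list named in the article; adjust it to what the host serves.
KEEP="http smtp telnet ftp"

# Shared awk prologue: load KEEP into a lookup table called ok.
AWK_INIT='BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }'

# list_unwanted FILE: print each enabled service name that is not in KEEP.
list_unwanted() {
    awk -v keep="$KEEP" "$AWK_INIT"'
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # already commented out, or blank
        !($1 in ok) { print $1 }            # field 1 is the service name
    ' "$1" | sort -u
}

# comment_out_unwanted FILE: print FILE with every such line prefixed by "#".
comment_out_unwanted() {
    awk -v keep="$KEEP" "$AWK_INIT"'
        /^[ \t]*#/ || /^[ \t]*$/ || ($1 in ok) { print; next }
        { print "#" $0 }
    ' "$1"
}

# write_sample FILE: constructed sample entries, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#systat stream  tcp  nowait  nobody  /bin/ps         ps -auwwx
daytime stream  tcp  nowait  root    internal
daytime dgram   udp  wait    root    internal
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "Enabled services outside the keep list:"
list_unwanted "$sample"
echo "Proposed replacement file:"
comment_out_unwanted "$sample"
rm -f "$sample"
```

On a real host, compare the proposed file with /etc/inetd.conf before replacing it, then make inetd reread its configuration (traditionally by sending it SIGHUP).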
In later Linux versions (for example, after Red Hat Linux 7.2), xinetd is used for network service management.
Of course, there is no general rule for which services to cancel; that should be decided from the actual application. The system administrator must nevertheless know exactly which services are running, because once the system has a security problem, it is important to carry out the investigation and the remedy step by step and methodically.