Monday, November 29, 2010

Ten tips to ensure Linux security

Linux, whatever its functionality, price or performance, has many advantages. As an open operating system, however, it inevitably carries some security implications.

This article explains some of the most basic, most common and, at the same time, most effective tricks for resolving those problems and giving applications a secure platform.

Linux is a Unix-like operating system. In theory, the design of Unix itself has no significant security flaws. Over the years, most of the security problems found on Unix operating systems have been in individual programs, so most Unix vendors claim to be able to solve these problems and to supply a secure Unix operating system. Linux is somewhat different: it does not belong to a company, no manufacturer claims to guarantee its security, and so users must address security issues themselves. Linux is an open system; many ready-made programs and tools can be found on the network, which is convenient for users but equally convenient for hackers, because they can just as easily use those programs and tools to break into a Linux system or to steal important information from one. However, as long as we carefully configure the various system functions and add the necessary security measures, hackers can be left with nothing to work with. In general, the security settings of a Linux system include removing unnecessary services, restricting remote access, hiding important information, patching security vulnerabilities, using security tools and performing regular security checks. This article teaches ten tricks for improving the security of a Linux system. Although they are only tricks, they reward careful work, and you may wish to try them.

Tip 1: Remove unnecessary services. In early Unix versions, each different network service had its own server program running in the background; later versions unified this with /etc/inetd, which took over the job of those server programs. inetd, the Internet daemon, monitors multiple network ports at the same time and, as soon as it receives a connection from the outside world, runs the corresponding TCP or UDP network service.
Because inetd controls them all, most Linux TCP and UDP services are configured in the /etc/inetd.conf file. So the first step in cancelling unnecessary services is to check /etc/inetd.conf and comment out the services you do not need with a "#" sign. In general, apart from http, smtp, telnet and ftp, the other services should be removed: for example the trivial file transfer protocol tftp, the imap/ipop protocols for storing and retrieving network mail, gopher for searching and retrieving information, and daytime and time, which are used for time synchronisation. There are also services that report on the state of the system, such as finger, efinger, systat and netstat. Although they are useful for error checking and for looking up users, they also open a door for hackers; a hacker could, for example, use the finger service to find a user's telephone number, home directory and other important information. Many Linux systems therefore cancel these services, wholly or in part, to enhance the security of the system.

Besides the system services set in inetd's /etc/inetd.conf, the /etc/services file is used to look up the port each service uses, so users should also check the port settings in that file carefully to avoid security loopholes. On Linux there are two different types of service: those executed only when needed, such as the finger service, and those that run continuously and never pause. Services of the second kind start at system startup, so they cannot be stopped by modifying inetd; they can only be stopped by modifying the files under /etc/rc.d/rc[n].d/ or by using a run-level editor. The NFS server, which provides file services, and news, which provides the NNTP news service, belong to this class; if they are not necessary, it is best to cancel them.
Tip 2: Limit system access. Before entering a Linux system, every user has to log in, that is, enter a user account and a password; only after the system has verified them may the user enter. As on other Unix operating systems, Linux generally keeps its encrypted passwords in the /etc/passwd file. All users of the system can read that file, and although the passwords saved in /etc/passwd are encrypted, this is still not very secure, because an ordinary user can use a ready-made cryptanalysis tool to guess the passwords by brute force. A safer way is to use the shadow file /etc/shadow, which only specially privileged users can read. On a Linux system, to use the shadow file you would have to recompile all the common programs that read passwords so that they support it. That approach is too much trouble; a more convenient way is to use Pluggable Authentication Modules (PAM). Many Linux systems come with the PAM utility, an authentication mechanism that can dynamically change the authentication method and requirements without recompiling the other public programs. Because PAM keeps all authentication-related logic hidden inside its modules, it is the best way to use the shadow file. PAM has many more security features: it can replace the traditional DES encryption method with other, more powerful encryption methods so that user passwords are not easily deciphered; it can set a cap on the computer resources each user may use; it can even set the time and place at which a user may use the computer. A Linux system administrator only needs to spend a few hours installing and setting up PAM to greatly improve the security of a Linux system and block many attacks on it.

Tip 3: Keep the system kernel up to date. Because Linux has many distribution channels, and updated programs and system patches appear regularly, be sure to update the system kernel regularly in order to enhance system security.
The kernel is the core of the Linux operating system: it stays resident in memory, loads the other parts of the operating system and implements the operating system's basic functions. Since the kernel controls the computer and its network capabilities, its security is critical to the security of the whole system. Early kernel versions had many well-known security holes and were also not very stable; only the 2.0.x versions are more stable and secure, and the newer versions' operating efficiency is greatly improved. When setting the kernel's functionality, select only the necessary functions; do not accept every function by default, or the kernel will become very large, which both consumes system resources and leaves an opening for hackers. The latest security patches often appear on the Internet, so a Linux system administrator should stay informed, frequent the security newsgroups and consult the new patches.

Tip 4: Check the login passwords. Setting a login password is a very important security measure. If a user's password is easy to decipher, and in particular if a user with superuser rights does not have a good password, it creates a significant security vulnerability in the system. On a multi-user system, forcing each user to choose a password that is not easy to guess greatly improves the security of the system. But if the passwd program cannot make every user use a proper password, the only way to make sure the passwords leave a margin of safety is to rely on a password-cracking program. In fact, a password cracker is a tool commonly found in a hacker's toolbox: it takes every possible password from a list of commonly used passwords or from an English dictionary, encrypts them word by word with the same program, and then compares the result with the /etc/passwd password file or the /etc/shadow shadow file of a Linux system; if it finds a matching password, it has obtained that user's password.
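An audit of password storage covering Tips 2 and 4, added here as an example that is not part of the original article: it reports accounts whose hash is still stored in world-readable /etc/passwd instead of /etc/shadow, accounts whose shadow entry is empty or still uses the traditional 13-character DES hash that the article says PAM should replace, and a shadow file that other users can read. The passwd and shadow contents are constructed samples written to temporary files (the hash strings are placeholders, not real hashes); the PASSWD_FILE and SHADOW_FILE variables and the function names are this example's own.

```shell
#!/bin/sh
# Audit password storage the way Tips 2 and 4 suggest: hashes must live
# in /etc/shadow rather than world-readable /etc/passwd, the shadow file
# must not be readable by others, and no account may have an empty or
# legacy-DES password field. The passwd/shadow contents below are
# constructed samples written to temp files; on a real host point
# PASSWD_FILE and SHADOW_FILE at /etc/passwd and /etc/shadow.
PASSWD_FILE=$(mktemp)
SHADOW_FILE=$(mktemp)

cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
legacy:Xy1zAbCdEfGhI:1001:1001:Old account:/home/legacy:/bin/sh
EOF

cat > "$SHADOW_FILE" <<'EOF'
root:$6$c0nstructed$NotARealHashJustASampleStringForTheExample:18960:0:99999:7:::
alice:Xy1zAbCdEfGhI:18960:0:99999:7:::
bob::18960:0:99999:7:::
svc:!:18960:0:99999:7:::
carol:$y$j9T$c0nstructed$NotARealHashEither:18960:0:99999:7:::
EOF
chmod 600 "$SHADOW_FILE"

# passwd_hashes_exposed FILE: accounts whose hash sits in passwd itself
# (field 2 is neither the 'x' shadow marker nor a lock marker).
passwd_hashes_exposed() {
    awk -F: '$2 != "x" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# weak_shadow_entries FILE: accounts with an empty password field
# (anyone can log in without a password) or a 13-character traditional
# DES hash, which modern crackers exhaust quickly. Locked entries
# ('!' or '*') are skipped; '$id$' hashes are the stronger formats.
weak_shadow_entries() {
    awk -F: '
        $2 == ""      { print $1 ": empty password field"; next }
        $2 ~ /^[!*]/  { next }
        $2 !~ /^\$/   { print $1 ": legacy DES hash" }
    ' "$1"
}

# shadow_readable_by_others FILE: succeed if group or other can read
# FILE. 'ls -l' is parsed because stat(1) flags differ between systems.
shadow_readable_by_others() {
    case "$(ls -l "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

echo "hashes exposed in passwd: $(passwd_hashes_exposed "$PASSWD_FILE" | tr '\n' ' ')"
echo "weak shadow entries:"
weak_shadow_entries "$SHADOW_FILE" | sed 's/^/  /'
if shadow_readable_by_others "$SHADOW_FILE"; then
    echo "shadow file is readable by others: fix with chmod 600 (or 640 root:shadow)"
else
    echo "shadow file permissions are restrictive"
fi
```

The first two checks are what a password cracker would find first, without running one: an empty field or an exposed hash is a weakness regardless of how strong the password behind it is. On a current distribution the stronger hash formats come from the pam_unix.so module's sha512 or yescrypt options, which is the PAM configuration the article has in mind.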
Many password-cracking programs can be found on the network; the best known is Crack. It is better for users to run a password-cracking program themselves, find the passwords vulnerable to hackers and correct them, than to have those passwords cracked by hackers.

Tip 5: Set the security level of user accounts. In addition to the password, a user account has a security level, because on Linux each account can be assigned different permissions. When creating a new user ID, the system administrator should give the account the different permissions it needs and merge it into the appropriate user groups. On a Linux system, tcpd lets you set a list of computers that are allowed and a list that are not allowed: the list of allowed computers is set in /etc/hosts.allow, and the list of disallowed computers in /etc/hosts.deny. After setup is complete, you need to restart the inetd process for it to take effect. In addition, Linux automatically records the result of each allowed or disallowed access in the /var/log/secure file, where the system administrator can identify suspicious access records. Each account ID should have someone responsible for it. In an enterprise, if the member of staff responsible for an ID leaves, the administrator should immediately delete that account from the system; many intrusions get in by borrowing long-unused accounts. Among user accounts, the hacker's favourite is an account with root permissions: the superuser has the right to modify or delete any system setting and can go anywhere in the system. Therefore, giving root privileges to any account must be considered carefully. The Linux file /etc/securetty contains the set of terminal names from which the root account may log in. For example, on a Red Hat Linux system the initial value of the file only allows the local virtual consoles (ttys) to log in as root and does not allow remote users to log in as root.
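A default-deny tcpd setup for the allow and deny lists of Tip 5, as an added example that is not part of the original article. The script writes constructed hosts.allow and hosts.deny contents to temporary files, evaluates the access decision the way tcpd does (hosts.allow first, then hosts.deny, with no match meaning allow), and counts the refusals in constructed /var/log/secure lines. The evaluator handles only the pattern forms used in the sample (ALL, an exact address, a trailing-dot network prefix), which is a subset of what tcpd accepts; the HOSTS_ALLOW, HOSTS_DENY and SECURE_LOG variables and the function names are this example's own.

```shell
#!/bin/sh
# A default-deny tcp_wrappers setup for the allow/deny lists Tip 5
# describes, with a small evaluator for the access-control logic and a
# scan of the refusals tcpd records in /var/log/secure. All three files
# are constructed samples in temp paths; the evaluator handles only the
# pattern forms used here (ALL, an exact address, a trailing-dot network
# prefix), which is a subset of what tcpd accepts.
HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
SECURE_LOG=$(mktemp)

# Only what is needed is listed here ...
cat > "$HOSTS_ALLOW" <<'EOF'
# daemon_list : client_list
sshd    : 192.168.1.
in.ftpd : 192.168.1.10, 192.168.1.11
EOF
# ... and everything else is refused.
cat > "$HOSTS_DENY" <<'EOF'
ALL : ALL
EOF

# Constructed lines in the style tcpd writes to /var/log/secure.
cat > "$SECURE_LOG" <<'EOF'
Nov 29 08:01:12 gw in.telnetd[2311]: refused connect from 203.0.113.7
Nov 29 08:01:15 gw in.telnetd[2313]: refused connect from 203.0.113.7
Nov 29 08:03:40 gw sshd[2320]: connect from 192.168.1.10
Nov 29 08:05:02 gw in.ftpd[2331]: refused connect from 198.51.100.2
Nov 29 08:05:03 gw in.ftpd[2332]: refused connect from 203.0.113.7
EOF

# list_matches FILE DAEMON CLIENT: succeed if some "daemons : clients"
# line in FILE names DAEMON (or ALL) and a client pattern matching CLIENT.
list_matches() {
    awk -F: -v d="$2" -v c="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            nd = split($1, ds, /[ ,]+/); nc = split($2, cs, /[ ,]+/)
            for (i = 1; i <= nd; i++) {
                if (ds[i] != "ALL" && ds[i] != d) continue
                for (j = 1; j <= nc; j++) {
                    p = cs[j]
                    if (p == "") continue
                    if (p == "ALL" || p == c || (p ~ /\.$/ && index(c, p) == 1))
                        found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# wrapper_decision DAEMON CLIENT: tcpd consults hosts.allow first, then
# hosts.deny; a client matching neither file is let through.
wrapper_decision() {
    if list_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif list_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# refused_by_client LOG: refusals per client address, noisiest first.
refused_by_client() {
    awk '/refused connect from/ { n[$NF]++ }
         END { for (a in n) print n[a], a }' "$1" | sort -rn
}

for probe in "sshd 192.168.1.25" "sshd 203.0.113.7" "in.ftpd 192.168.1.12"; do
    set -- $probe
    echo "$1 from $2: $(wrapper_decision "$1" "$2")"
done
echo "refused connections by client:"
refused_by_client "$SECURE_LOG" | sed 's/^/  /'
```

The "ALL : ALL" line in hosts.deny is what makes the setup default-deny; without it, a daemon not mentioned in hosts.allow would accept every client. The refusal count is the quickest way to spot the suspicious access records the article says to look for in /var/log/secure.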
It is best not to modify that file; if you must log in remotely with root permissions, it is best to log in as a normal account first and then use the su command to upgrade to the superuser.

Tip 6: Eliminate the hackers' hotbed. On Unix systems there is a series of public programs with an r- prefix; they are weapons for hackers to break in and are very dangerous, so the root account must absolutely not be opened to the public through them. These utilities take their approval from the hosts.equiv file or the .rhosts file, so make sure the root account is not included in those files. Since the r- prefixed commands are a hotbed for hackers, many security tools respond to this vulnerability. For example, with the PAM tool you can disable the r- prefixed utilities: add to the /etc/pam.d/rlogin file a directive that login must be permitted, so that no user on the system can rely on the .rhosts file in their own home directory.

Tip 7: Enhance the security tools. SSH is short for Secure Sockets Layer; it is a set of programs that can safely replace rlogin, rsh, rcp and the other utilities. SSH uses public-key technology to encrypt the information communicated between two hosts on the network and uses its keys as an authentication tool. Since SSH encrypts the information on the network, it can be used to log on to a remote host securely and to transmit information safely between two hosts. In fact, SSH not only protects communication between Linux hosts; Windows users can also connect securely to a Linux server via SSH.

Tip 8: Limit the superuser's powers. As mentioned earlier, root is the focus of protection on Linux because its powers are unlimited, so it is best not to grant superuser authority lightly. However, some installation and maintenance work does require superuser privileges; in this case you can use other tools to give users some of the superuser's privileges. sudo is such a tool.
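The check behind Tip 6, as an added example that is not part of the original article: it walks /etc/hosts.equiv, root's .rhosts and every home directory's .rhosts, and reports the wildcard entries that trust any host or any user, the existence of an .rhosts file for root at all, and .rhosts files that other users can read. The directory tree and file contents are constructed under a temporary root; the ROOT variable and the function names are this example's own, and on a real host calling audit_trust_files with an empty ROOT makes the paths /etc/hosts.equiv, /root/.rhosts and /home/*/.rhosts.

```shell
#!/bin/sh
# Audit the trust files consulted by the r-commands (rlogin, rsh, rcp):
# /etc/hosts.equiv and each user's ~/.rhosts, as Tip 6 advises. The
# directory tree and file contents are constructed under a temp root;
# on a real host call audit_trust_files "" so the paths become
# /etc/hosts.equiv, /root/.rhosts and /home/*/.rhosts.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc" "$ROOT/root" "$ROOT/home/alice" "$ROOT/home/bob"
printf 'build01\n+\n'          > "$ROOT/etc/hosts.equiv"
printf '+ +\n'                 > "$ROOT/root/.rhosts"
printf 'build01 alice\n'       > "$ROOT/home/alice/.rhosts"
printf 'desktop bob\n+ bob\n'  > "$ROOT/home/bob/.rhosts"
chmod 600 "$ROOT/root/.rhosts" "$ROOT/home/alice/.rhosts"
chmod 644 "$ROOT/home/bob/.rhosts"    # readable by everyone on the host

# rhosts_findings FILE: one line per risky entry. A '+' in the host
# column trusts every host, a '+' in the user column every user; either
# is the wildcard that turns these files into a hacker's hotbed.
rhosts_findings() {
    awk -v f="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "+" { print f ": any host trusted (" $0 ")"; next }
        $2 == "+" { print f ": any user trusted (" $0 ")" }
    ' "$1"
}

# audit_trust_files ROOT: report wildcard entries in hosts.equiv and
# every .rhosts, the mere existence of an .rhosts for root, and .rhosts
# files that other users can read (and so learn which hosts are trusted).
audit_trust_files() {
    if [ -f "$1/etc/hosts.equiv" ]; then
        rhosts_findings "$1/etc/hosts.equiv"
    fi
    if [ -f "$1/root/.rhosts" ]; then
        echo "$1/root/.rhosts: root account has an .rhosts file"
    fi
    for f in "$1"/root/.rhosts "$1"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        rhosts_findings "$f"
        # 'ls -l' columns 5-10 are the group and other permission bits.
        case "$(ls -l "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "$f: readable by group or others" ;;
        esac
    done
}

audit_trust_files "$ROOT"
```

The remedy for every finding is the same one the article gives: remove root from these files (better, remove the files), and replace the r-commands with SSH as in Tip 7, after which the trust files have nothing left to grant.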
The sudo program allows ordinary users, once it has been configured, to log in once with their own password and obtain the access permissions of the superuser, but to execute only a limited set of instructions. For example, you can use sudo
