Monday, November 29, 2010

Ten tricks for Linux operating system security management: an introduction

Linux has many advantages in function, price and performance. However, as an open operating system, it inevitably has some security risks.

This article presents some of the most basic, most common and, at the same time, most effective tricks for resolving these problems and giving applications a secure platform.

Linux is a Unix operating system. In theory, the design of Unix itself has no significant security flaws. Over the years, most of the security problems found on Unix operating systems have existed in individual programs, so most Unix vendors claim to be able to solve these problems and provide a secure Unix operating system. Linux is somewhat different: because it does not belong to any one company, no vendor claims to provide a security guarantee for it, so users have to address security issues themselves.

Linux is an open system, and many ready-made programs and tools can be found on the network. This is convenient for users, but it also helps hackers, because they too can easily find programs and tools to break into a Linux system or to steal important information from it. However, as long as we carefully configure the various system functions of Linux and add the necessary security measures, we can leave hackers no opening.

In general, security settings on a Linux system include eliminating unnecessary services, restricting remote access, hiding important information, patching security vulnerabilities, using security tools, and performing regular security inspections. This article teaches you ten tricks to improve Linux system security. The tricks are small, but each one works, and you may wish to try them.

Trick 1: Remove unnecessary services

In early Unix versions, each network service had its own server program running in the background; later versions hand this job to the unified /etc/inetd server program. Inetd is short for Internet daemon. It monitors multiple network ports simultaneously and, once it receives a connection from the outside, runs the corresponding TCP or UDP network service.
Because inetd directs them all, most TCP or UDP services on Linux are configured in the /etc/inetd.conf file. The first step in removing unnecessary services is therefore to check /etc/inetd.conf and comment out the services you do not need with a "#" sign.

In general, apart from http, smtp, telnet and ftp, other services should be removed, such as the trivial file transfer protocol tftp, the imap/ipop protocols used to store and receive network mail, gopher, which is used to search for information, and daytime and time, which are used for time synchronization.

There are also services that report on the state of the system, such as finger, efinger, systat and netstat. Although they are very useful for troubleshooting the system and looking up users, they also open a door for hackers. For example, a hacker could use the finger service to find a user's telephone number, the directory they use, and other important information. Therefore, many Linux systems disable these services entirely or partially to enhance the security of the system.

In addition to using /etc/inetd.conf to configure system services, inetd uses the /etc/services file to look up the port each service uses. Users should therefore carefully check the port settings in that file to avoid security loopholes.

Linux has two different types of service: one type runs only when needed, such as the finger service; the other runs continuously and never stops. Services of the second type start at system startup, so they cannot be stopped by modifying inetd; they can only be changed by modifying the files under /etc/rc.d/rc[n].d/ or by using a run level editor. The NFS server, which provides file services, and news, which provides the NNTP news service, belong to this type; if they are not necessary, it is best to disable them.
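The check described in trick 1 can be scripted. The following is an added example, not part of the original article: it lists every service still enabled in an inetd.conf-style file that is not one of the four the article keeps, together with the port it maps to in an /etc/services-style file. The function names, the KEEP variable and the sample files are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original article): report services that are still
# enabled in an inetd.conf-style file but are not on the article's keep list,
# with the port each one maps to in an /etc/services-style file.

KEEP="http smtp telnet ftp"   # services the article says to leave enabled

# audit_inetd SERVICES_FILE INETD_CONF -> one line per enabled, unlisted service
audit_inetd() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        { sub(/#.*/, "") }            # a hash sign disables text in both formats
        NF == 0 { next }
        FNR == NR {                   # first file: name port/proto [aliases]
            split($2, p, "/")
            for (i = 1; i <= NF; i++) if (i != 2) port[$i "/" p[2]] = p[1]
            next
        }
        NF < 6 { printf "line %d: malformed entry\n", FNR; next }
        !($1 in ok) {                 # inetd.conf: name type proto wait user program
            key = $1 "/" $3
            printf "%s port=%s program=%s\n", key, (key in port ? port[key] : "?"), $6
        }
    ' "$1" "$2"
}

# Constructed sample files, so the example runs without touching /etc.
write_samples() {
    cat > "$1/services" <<'EOF'
ftp      21/tcp
telnet   23/tcp
tftp     69/udp
finger   79/tcp
pop3     110/tcp   pop-3   # constructed alias line
EOF
    cat > "$1/inetd.conf" <<'EOF'
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#gopher stream tcp nowait root   /usr/sbin/tcpd gn
tftp    dgram  udp wait   nobody /usr/sbin/tcpd in.tftpd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
pop-3   stream tcp nowait root   /usr/sbin/tcpd ipop3d
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_inetd "$tmp/services" "$tmp/inetd.conf"
rm -rf "$tmp"
```

On a real host the two arguments would be /etc/services and /etc/inetd.conf; every line printed is a candidate for commenting out with "#".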
Trick 2: Limit system access

Before entering a Linux system, every user must log in: the user enters an account name and password, and only after these pass system verification can the user enter the system.

As with other Unix operating systems, Linux generally keeps passwords, in encrypted form, in the /etc/passwd file. Every user on the system can read /etc/passwd, and although the passwords saved in it are encrypted, this is still not very secure, because an ordinary user can use ready-made password-cracking tools to guess passwords by brute force. A safer way is to set up the shadow file /etc/shadow, which only users with special privileges can read.

On Linux systems, if you want to use the shadow file, all of the common programs must be recompiled to support it. That approach is too much trouble; a more convenient way is to use Pluggable Authentication Modules (PAM). Many Linux systems come with PAM, an authentication mechanism that can dynamically change authentication methods and requirements without recompiling other common programs. This is because PAM encapsulates all authentication-related logic inside its modules, which makes it the best aid for adopting the shadow file.

PAM also has many more security features: it can replace the traditional DES encryption method with other, stronger encryption methods so that user passwords are not easily deciphered; it can set an upper limit on the computer resources each user may use; it can even restrict the times and places at which a user may use the computer. A Linux system administrator needs only a few hours to install and set up PAM, which can greatly improve the security of a Linux system and keep many attacks out of the system.

Trick 3: Keep the system kernel up to date

Because Linux has many distribution channels, and updated programs and system patches appear regularly, be sure to update the system kernel regularly to strengthen system security.
The kernel is the core of the Linux operating system. It stays resident in memory, loads the other parts of the operating system, and implements the operating system's basic functions. Because the kernel controls the computer and network functions, its security is critical to the security of the whole system.

Early kernel versions had many well-known security holes and were not very stable; only the 2.0.x versions are more stable and secure, and the operating efficiency of the new version is greatly improved. When configuring kernel features, select only the necessary ones and do not accept every feature wholesale; otherwise the kernel becomes very large, which both consumes system resources and leaves an opening for hackers.

The latest security patches are often available on the Internet. Linux system administrators should stay informed, visit security newsgroups frequently, and check for new patches.

Trick 4: Check login passwords

Setting a login password is a very important security measure. If a user's password is set poorly and is easy to crack, especially for a user with superuser rights, the system has a significant security hole.

On a multi-user system, forcing every user to choose a password that is not easy to guess greatly improves the security of the system. But if the passwd program cannot make every user choose a proper password, the only way to make sure the passwords are safe is to rely on a password-cracking program.

In fact, a password-cracking program is a tool from the hacker's toolbox: it encrypts commonly used passwords, or every word in an English dictionary that might be used as a password, and then compares the results with the /etc/passwd password file or the /etc/shadow shadow file of the Linux system; if a match is found, the password is known.

Many password-cracking programs can be found on the network; the best known is crack. It is better for users to run a password-cracking program themselves, find the passwords that are vulnerable to hackers and correct them, than to have them cracked by hackers.
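Tricks 2 and 4 both depend on who can read the password hashes and how strong their format is. The following is an added example, not part of the original article: it flags accounts whose hash still sits in the world-readable passwd file, empty password fields, hashes in the traditional 13-character DES format, and a shadow file that ordinary users can read. The function names, output labels, sample accounts and hash strings are all constructed for the illustration.

```sh
#!/bin/sh
# Added example (not from the original article): audit passwd/shadow-style files
# for hashes exposed in passwd, empty passwords and traditional DES hashes.

# audit_accounts PASSWD_FILE SHADOW_FILE -> one finding per line
audit_accounts() {
    awk -F: '
        function scheme(h) {          # classify a hash by its format only
            if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$") return "des"
            return (substr(h, 1, 1) == "$") ? "modular" : "unknown"
        }
        { src = (FNR == NR) ? "passwd" : "shadow" }
        $2 == "" { print "EMPTY", src, $1; next }
        $2 == "x" || $2 ~ /^[*!]/ { next }     # shadowed (passwd) or locked
        src == "passwd" { print "EXPOSED", src, $1, scheme($2); next }
        scheme($2) == "des" { print "WEAKHASH", src, $1, "des" }
    ' "$1" "$2"
    # The shadow file must not be readable by ordinary users.
    [ -z "$(find "$2" -prune -perm -004)" ] || echo "PERMS shadow world-readable"
}

# Constructed sample files; the hash strings are placeholders, not real hashes.
write_account_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1::/:/sbin/nologin
alice:ab0123456789.:1000:1000::/home/alice:/bin/sh
bob::1001:1001::/home/bob:/bin/sh
carol:x:1002:1002::/home/carol:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:14942:0:99999:7:::
carol:cd0123456789/:14942:0:99999:7:::
EOF
    chmod 644 "$1/passwd"
    chmod 600 "$1/shadow"
}

tmp=$(mktemp -d) && write_account_samples "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

Reading the real /etc/shadow requires the special privileges the article mentions, so on a live system the audit has to be run by the administrator.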
