Author: Cao Jiang Hua

Linux's networking capabilities are very powerful; its TCP/IP code is the most advanced available. Linux fully supports the current TCP/IP protocol suite and includes support for the next-generation Internet protocol, IPv6. A large share of the machines connected to the Internet run Linux. But Linux is a multi-user system, and attackers who want to hide themselves often choose a Linux system as their first target, then use it for illegal activities such as launching DoS (denial of service) attacks, running IRC bots or distributing pirated software. Linux users therefore have to guard against attack at all times. The following ten recommendations can make your Linux system more secure.

1. Close unused ports. Every network connection goes through an open application port. If we minimise the number of open ports, a network attack has far fewer ways in, which greatly reduces the attacker's chance of success. First check your inetd.conf file. inetd waits on certain ports, ready to start the services you need; if someone plants a specially crafted inetd daemon, that is a security risk. In inetd.conf, comment out the services you never use (echo, gopher, rsh, rlogin, rexec, talk, ntalk, pop-2, finger and so on). Unless absolutely necessary, you must comment out rexec, rsh, rlogin and telnet, use the more secure ssh instead, and then kill the inetd process. Your machine then no longer runs the inetd daemon, which removes the chance for someone to use it to hijack your application ports. You should also download a port scanner and scan your own system; if you find an open port you do not recognise, immediately identify the process using it and decide whether to close it.

2. Remove unused packages. When planning the system, the general principle is that any service that is not required should be removed. By default Linux is a powerful system that runs a lot of services, but many of them are not needed and easily become a security risk. The file in question is /etc/inetd.conf, which specifies the services that /usr/sbin/inetd will listen for. You may need only two of them, telnet and ftp; the others, such as shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger and auth, should be closed completely unless you really need them. The following three services have many vulnerabilities, and it is strongly recommended that you close them: S34yppasswdd (NIS server), S35ypserv (NIS server) and S60nfs (NFS server).

3. Do not set a default route. Setting a default route (defaultroute) on the host should be strictly prohibited. Instead, configure a route for each subnet or network, so that other machines can only reach the host by defined paths.

4. Password management. A password should normally be no shorter than eight characters and should be an irregular mix of upper- and lower-case letters, digits and symbols; strictly avoid English words or phrases, and get into the habit of changing passwords regularly. Password protection also covers the /etc/passwd and /etc/shadow files: you must make sure that only the system administrator can access these two files. Installing a password filtering tool such as npasswd can help you check whether your passwords can withstand attack; if you have not installed such a tool, it is recommended that you do so now. If you are a system administrator and no password filtering tool is installed on your system, immediately check whether any user's password can be found by exhaustive search, that is, run an exhaustive search against your /etc/passwd file. For the bad passwords you find, force their owners to change them, or simply lock those accounts.

5. Partition management. A potential attacker will first try a buffer overflow. In the past few years buffer overflows have been the most common form of vulnerability, and more seriously, they account for the vast majority of remote network attacks: an attacker can easily use one to give an anonymous Internet user partial or complete control of a host. To prevent this kind of attack, pay attention to it when installing the system. If you use the root partition to record data such as log files and email, a flood of logs or spam mail can cause a denial of service and crash the system. It is recommended that /var be given a separate partition for storing logs and mail, so that the root partition cannot be filled up. It is best to give particular applications, especially programs that can produce excessive logs, their own partitions, and it is also recommended to give /home its own partition so that it cannot fill the / partition. This avoids some of the malicious attacks that rely on overflowing a Linux partition.

6. Use the .rhosts file with caution. The .rhosts file stores the host names and user names that may access this system remotely without restriction. When you use telnet or the r* commands (rlogin, rcp and so on) to access the system remotely, the system first checks whether the .rhosts file contains the host name and user name you are coming from; if it does, you are allowed in directly, at any time, without entering a password. Once an intruder has broken into your system, he will leave a back door so that he can come and go freely in future, and all he has to do is add his own host name and user name to the .rhosts file. So we should check our .rhosts files regularly, delete any unfamiliar host name and user name as soon as we find it, and report them to their service provider with a warning about their behaviour.

7. Log management. The log files record who has entered your system. When intruders come, they cannot escape being logged either, so after an attack they tend to modify the log files to hide their traces. We should therefore restrict access to the files under /var/log and forbid ordinary users from viewing them. We can also install an icmp/tcp logging program such as iplogger to watch for suspicious repeated connection attempts (icmpflood3 or similar). Also be wary of logins from unknown hosts.

8. Terminate an attack in progress. If, while examining the log files, you find a login from a host you do not know by a user who, you are sure, has no account on that host, you may be under attack. The first thing to do is lock the account immediately (in the password file or shadow file, replace this user's password with Ib or other characters). If the attacker is still connected to the system, immediately disconnect the host physically from the network. If possible, also examine this user's history, check whether other users are being impersonated too, and check whether the attacker has obtained root privileges. Kill all of this user's processes and add the host's IP address to the hosts.deny file.

9. Prevention of attacks. Some attacks are even harder to guard against, because the attacker can obtain your root privileges like this: boot the system from his own boot disk, mount your hard drive, remove the root password and restart the machine. At that point the attacker holds the root password while you, the administrator, are away. The simplest protection is to change the BIOS configuration so that the machine boots from the hard drive first, and to set a BIOS password.

10. Fix problems. You should regularly visit the home page of your Linux distribution's publisher to look for the latest patches. For Red Hat systems, for example, they can be found at http://www.redhat.com/corp/support/errata/patch. Since Red Hat 6.1, later versions ship with an automatic upgrade tool, up2date, which detects which RPM packages need upgrading and then downloads them from Red Hat's site and installs them automatically.
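The inetd.conf review from recommendations 1 and 2, as an added example that is not part of the original article: it lists the services inetd would start, writes a hardened copy with the article's list of services commented out, and shows what is left to review by hand. The inetd.conf it works on is a constructed sample; the RISKY_SERVICES list is assembled from the article's names, with telnet deliberately left for you to add once ssh is in place.

```shell
#!/bin/sh
# Added example, not from the original article: audit an inetd.conf for the
# services recommendations 1 and 2 say to disable and write a hardened copy.
# The inetd.conf below is a constructed sample, not a real system file.

# Service names (inetd.conf field 1) the article says to close. rsh, rlogin and
# rexec appear in inetd.conf as shell, login and exec. telnet is left for you to
# add once ssh is in place, as the article recommends.
RISKY_SERVICES="echo gopher shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Print the service name of every line inetd would actually act on
# (blank lines and comment lines are skipped).
enabled_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# Copy $1 to $2, commenting out enabled lines whose service is in RISKY_SERVICES;
# the names of the services disabled are printed on stdout, one per line.
disable_risky_services() {
    awk -v list="$RISKY_SERVICES" -v out="$2" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        NF > 0 && $1 !~ /^#/ && ($1 in risky) {
            print "#" $0 "\t# disabled by audit" > out   # keep the line for reference
            print $1
            next
        }
        { print > out }
    ' "$1"
}

WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample /etc/inetd.conf, not a real system file
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    stream  tcp     nowait  root    internal
EOF

echo "Enabled before hardening:"; enabled_services "$WORK/inetd.conf"
echo "Disabled:"; disable_risky_services "$WORK/inetd.conf" "$WORK/inetd.conf.hardened"
echo "Still enabled (review by hand, replace telnet with ssh):"
enabled_services "$WORK/inetd.conf.hardened"
```

After replacing the live file, restart or kill inetd as the article says; a port scan of the host afterwards should show only the ports of the services that remain.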
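The .rhosts check of recommendation 6 and the "login from an unknown host" check of recommendations 7 and 8, as an added example that is not part of the original article. It assumes the administrator keeps an allowlist of expected hosts (KNOWN_HOSTS); the .rhosts file and the login records are constructed samples, and the output is the set of hosts.deny lines the article tells you to add.

```shell
#!/bin/sh
# Added example, not from the original article: flag .rhosts entries and logins
# from hosts not on a known-host list, and emit matching /etc/hosts.deny lines.
# The allowlist, .rhosts file and login records are all constructed samples.

# Hosts the administrator expects to see (assumption: a maintained allowlist).
KNOWN_HOSTS="fileserver.example.net workstation1.example.net"
is_known_host() {                    # exit status 0 when $1 is on the allowlist
    for h in $KNOWN_HOSTS; do [ "$h" = "$1" ] && return 0; done
    return 1
}
# Print every .rhosts entry that should be deleted: "+" wildcards (any host
# or any user) and host names not on the allowlist.
audit_rhosts() {
    while read -r host user; do
        case "$host" in ''|\#*) continue ;; esac
        if [ "$host" = "+" ] || [ "$user" = "+" ] || ! is_known_host "$host"; then
            echo "$host ${user:--}"
        fi
    done < "$1"
}

# Login records in the constructed "user tty host date" form (like last(1)
# output); print "user host" once for every login from an unknown host.
unknown_logins() {
    while read -r user tty host rest; do
        if [ -n "$host" ] && ! is_known_host "$host"; then echo "$user $host"; fi
    done < "$1" | sort -u
}
# hosts.deny lines (TCP wrappers syntax) blocking every service from each host.
deny_entries() { for h in "$@"; do echo "ALL: $h"; done; }

WORK=$(mktemp -d)
cat > "$WORK/rhosts" <<'EOF'
# constructed sample ~/.rhosts
fileserver.example.net alice
+ +
evil.example.org root
EOF
cat > "$WORK/logins" <<'EOF'
alice  ttyp0  workstation1.example.net  Mon Mar  3 09:12
bob    ttyp1  198.51.100.23             Mon Mar  3 02:14
bob    ttyp2  198.51.100.23             Mon Mar  3 02:20
EOF
echo "Suspicious .rhosts entries:"; audit_rhosts "$WORK/rhosts"
echo "Logins from unknown hosts:"; unknown_logins "$WORK/logins"
echo "Lines to add to /etc/hosts.deny:"
deny_entries $(unknown_logins "$WORK/logins" | awk '{ print $2 }' | sort -u)
```

The same allowlist drives both checks, so a host that shows up in a login record and in somebody's .rhosts is caught by either path.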
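Recommendation 4's password rules as a checker, a scan of a shadow-format file for accounts with no password at all, and the account lock from recommendation 8, as an added example that is not part of the original article. The short word list stands in for an English dictionary (an assumption), the shadow file is a constructed copy, and the lock prefixes the hash with "!" (the marker usermod -L uses) rather than the article's "Ib".

```shell
#!/bin/sh
# Added example, not from the original article: recommendation 4's password
# rules as a checker, a scan for empty shadow password fields, and the account
# lock of recommendation 8. The word list and shadow file are constructed samples.

# A few words standing in for an English dictionary (assumption).
WORDLIST="password letmein welcome summer"

# Print "ok" and return 0 when $1 meets the policy (>= 8 chars, upper and lower
# case, a digit, a symbol, not an English word); otherwise print the failed rule.
check_password_policy() {
    p=$1
    if [ ${#p} -lt 8 ]; then echo "too short"; return 1; fi
    case "$p" in *[A-Z]*) ;; *) echo "no uppercase"; return 1 ;; esac
    case "$p" in *[a-z]*) ;; *) echo "no lowercase"; return 1 ;; esac
    case "$p" in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case "$p" in *[!A-Za-z0-9]*) ;; *) echo "no symbol"; return 1 ;; esac
    # letters only, lower-cased: "Password1!" still reduces to "password"
    letters=$(printf '%s' "$p" | tr 'A-Z' 'a-z' | tr -cd 'a-z')
    for w in $WORDLIST; do
        if [ "$letters" = "$w" ]; then echo "dictionary word"; return 1; fi
    done
    echo "ok"
}

# Users whose password field in shadow-format file $1 is empty (no password needed).
passwordless_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Copy shadow-format file $1 to $3 with user $2 locked: the hash is prefixed
# with "!", which no password can match (the same marker usermod -L uses).
lock_account() {
    awk -F: -v OFS=: -v u="$2" '$1 == u && $2 !~ /^!/ { $2 = "!" $2 } { print }' "$1" > "$3"
}
# Print "locked" or "unlocked" for user $2 in shadow-format file $1.
lock_state() { awk -F: -v u="$2" '$1 == u { print (($2 ~ /^[!*]/) ? "locked" : "unlocked") }' "$1"; }
WORK=$(mktemp -d)
cat > "$WORK/shadow" <<'EOF'
root:$1$constructedhash1:15000:0:99999:7:::
alice:$1$constructedhash2:15000:0:99999:7:::
guest::15000:0:99999:7:::
bob:!$1$alreadylocked:15000:0:99999:7:::
EOF
for cand in summer 'Password1!' 'T7%kq!Lp9z'; do
    printf '%-12s %s\n' "$cand" "$(check_password_policy "$cand")"
done
echo "Accounts with an empty password field:"; passwordless_accounts "$WORK/shadow"
lock_account "$WORK/shadow" alice "$WORK/shadow.locked"
echo "alice is now $(lock_state "$WORK/shadow.locked" alice)"
```

Run the scan against a root-only readable copy of /etc/shadow, never against a copy left in a world-readable location, since the file also has to stay accessible only to the administrator as the article says.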