Saturday, November 27, 2010

How to ensure application security on the Linux operating system

Linux is an open operating system favored by many programmers, and many advanced programmers enjoy writing software for it.

This gives Linux a wealth of software and a large body of technical staff who support it, which makes it ever more popular with programmers. The biggest drawback of such an open operating system, however, is that programmers differ in skill, and after writing software they do not check their own programs for vulnerabilities. There is no unified vulnerability check, so Linux software contains many vulnerabilities. Developers find it hard to detect the flaws in their own code, but hackers know these vulnerabilities well and use them for their own purposes. Does that mean a Linux system is unsafe? In fact, you need not worry about the security of a Linux system; it can be made more secure than a Windows system. As long as you take care of the following points, you can use Linux with peace of mind.

First, remove unnecessary services. In early Unix versions, each network service had its own server program running in the background; later versions hand this job to a single server program, /etc/inetd. Inetd, short for Internet daemon, monitors multiple network ports at once and, when it receives a connection from outside, runs the corresponding TCP or UDP network service. Because inetd is in charge, most TCP and UDP services on Linux are configured in the /etc/inetd.conf file. The first step in removing unnecessary services is therefore to check /etc/inetd.conf and comment out the services you do not need with a "#" sign. In general, everything other than http, smtp, telnet and ftp should be disabled, for example the Trivial File Transfer Protocol tftp, the imap/ipop protocols used to store and receive network mail, gopher for finding and searching information, and daytime and time for time synchronization.
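The /etc/inetd.conf check described above can be scripted. The following is an added example, not part of the original post: it lists every entry that is still enabled (not commented out with "#") and is not one of the four services the article keeps. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report services still enabled in an inetd.conf-style file
# that are not on the article's keep-list (http, smtp, telnet, ftp).

ALLOWED="http smtp telnet ftp"   # keep-list taken from the article's text

# audit_inetd FILE -> prints "service<TAB>server-program" for each enabled
# entry whose service name is not on the keep-list.
audit_inetd() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^#/ || NF == 0 { next }      # already disabled, or blank line
        !($1 in ok) { printf "%s\t%s\n", $1, $6 }   # field 6 = server program
    ' "$1"
}

# Constructed sample configuration (not taken from a real host).
make_sample() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp  nowait  root    /usr/sbin/tcpd  gn
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp  nowait  root    internal
EOF
}

# Demo run against the constructed sample; pass /etc/inetd.conf on a real host.
sample=$(mktemp)
make_sample > "$sample"
audit_inetd "$sample"
rm -f "$sample"
```

Each line of output is a candidate for commenting out; inetd must re-read its configuration before the change takes effect.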
Some services report on the state of the system, such as finger, efinger, systat and netstat. Although they are very useful for troubleshooting and for looking up users, they also open a door for hackers. For example, a hacker can use the finger service to find a user's phone number, directory and other important information. Many Linux systems therefore disable some or all of these services to improve security. Besides /etc/inetd.conf, inetd also uses the /etc/services file to look up the port each service uses, so check the port settings in that file carefully to avoid security holes.

Linux has two types of service: those that run only when needed, such as the finger service, and those that run continuously without pause. The second type starts at system startup, so it cannot be stopped by changing the inetd configuration; it can only be changed by modifying the files under /etc/rc.d/rc[n].d/ or by using the run level editor. The NFS server, which provides file services, and news, which provides NNTP news service, belong to this type; if they are not needed, it is best to disable them.

Second, restrict access to the system. Before entering a Linux system, every user must log in: the user enters an account name and password, and only after the system verifies them can the user enter. As with other Unix operating systems, Linux generally keeps passwords, encrypted, in the /etc/passwd file. Every user on the system can read /etc/passwd, so although the stored passwords are encrypted, this is still not very secure, because an ordinary user can run a ready-made password-cracking tool and guess passwords by brute force. A safer approach is to use the shadow file /etc/shadow, which only users with special privileges can read.
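To see whether a host still exposes password hashes in the world-readable /etc/passwd, or has a shadow file that others can read, a check along these lines can be used. This is an added example, not part of the original post; the function names, the sample accounts and the hash string are constructed.

```shell
#!/bin/sh
# Added example: flag accounts whose password field in a passwd-style file
# is not the shadow marker, and test whether a file is world-readable.

# audit_passwd FILE -> prints "user<TAB>finding" per risky account.
#   field 2 == "x"        password lives in the shadow file (fine)
#   field 2 starts * or ! account is locked (fine)
#   field 2 empty         no password at all
#   anything else         a hash stored where every user can read it
audit_passwd() {
    awk -F: '
        $1 ~ /^#/ || NF < 7       { next }
        $2 == ""                  { print $1 "\tempty-password"; next }
        $2 == "x" || $2 ~ /^[*!]/ { next }
                                  { print $1 "\thash-in-passwd" }
    ' "$1"
}

# world_readable FILE -> exit status 0 if "others" have read permission.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Constructed sample passwd file (accounts and hash are made up).
make_sample() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/false
alice:CONSTRUCTEDhash:500:500:Alice:/home/alice:/bin/bash
guest::501:501:Guest:/home/guest:/bin/bash
EOF
}

# Demo run against the constructed sample; use /etc/passwd and /etc/shadow
# on a real host.
sample=$(mktemp)
make_sample > "$sample"
audit_passwd "$sample"
world_readable "$sample" && echo "sample file is world-readable"
rm -f "$sample"
```

On a host that uses the shadow file, audit_passwd prints nothing for /etc/passwd and world_readable fails for /etc/shadow.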
On a Linux system, using the shadow file requires recompiling all the common programs so that they support it. That is too much trouble; a more convenient way is to use pluggable authentication modules (PAM). Many Linux systems ship with PAM, an authentication mechanism that lets you change authentication methods and requirements dynamically without recompiling other common programs. PAM encapsulates all authentication-related logic inside its modules, which makes it the best companion for the shadow file. PAM has many other security features as well: it can replace traditional DES encryption with stronger encryption methods so that user passwords are not easily cracked; it can cap the computer resources each user may use; it can even restrict the time and place at which a user may use the computer. A Linux system administrator needs only a few hours to install and set up PAM, and doing so greatly improves the security of the system and blocks many attacks.

Third, keep the system kernel up to date. Linux is distributed through many channels, and updated programs and system patches appear regularly, so be sure to update the kernel regularly to strengthen system security. The kernel is the core of the Linux operating system: it stays resident in memory, loads the other parts of the operating system, and implements the operating system's basic functions. Because the kernel controls the computer and network functions, its security is critical to the security of the whole system. Early kernel versions had many well-known security holes and were not very stable; only the 2.0.x versions are more stable and secure, and the new versions also run much more efficiently.
When configuring the kernel, select only the functions you need and do not accept every option wholesale; otherwise the kernel becomes very large, consumes system resources, and leaves openings for hackers. The latest security patches are often published on the Internet, so Linux system administrators should stay informed, visit security newsgroups frequently and check for new patches.
