Author: dingwei

Just as there is no unbreakable shield, no system is completely secure. In the security field too, nobody can claim to be fully equipped; a system's safety rests on the sweat and wisdom of many predecessors. Every system has security issues. Neither banking systems nor telephone systems, and neither MS Windows nor Unix, whatever the public thinks of their safety, are exceptions. How much attention a system's security gets depends on how many people use it: the more users a system has, the more critical its security issues become, and the faster vulnerabilities are found, the faster they need fixing. In addition, the more extensible a system is and the more application services it supports, the more security problems it has. Under MS Windows, with a mouse and some reference information from the Internet, you can set up a secure system or destroy one. Security settings are a double-edged sword: one edge tears a system open and destroys data, the other resists unlawful intrusion and protects data. That boundary is the difference between a nuker and a hacker.

Linux is open source, so its security can be strengthened at the code level, but for someone new to Linux that is too complicated. Enterprises put Linux to use both as a desktop operating system and on servers. A server may be exposed on the Internet as a firewall, a proxy server or some other application, so its security settings concentrate on those key applications, and the focus for a desktop is not the same. The security settings of the distributions common in the market, Mandrake, RedHat, SuSE and Debian, differ in detail, but the method is the same. Because RedHat has many users in the Chinese market, it is used as the example: the following takes a firm of 200 to 300 people running RedHat Linux as its desktop operating system as the environment, sets up system security step by step, and mentions the configuration of the surrounding resources where relevant.

Hardware security

The chassis needs a lock. Once anyone has physical contact with a system, its security is at least halved.
Anyone can remove the hard drive, read its data on another system, and so compromise safety. Therefore, for desktops and servers alike, prevent physical contact as much as possible.

BIOS security

Although many tools can read the BIOS password, and many BIOSes have a universal password, BIOS password protection is still a necessary step. Use a password of 8 characters or more, a combination of digits, symbols and upper- and lower-case letters, and not the same as any system password. If you are worried that the theft of one password lowers the security of all machines, consider personalizing it: for example, put the machine's initials or its unique number in front of the password. That makes it easier to remember while still meeting the complexity and uniqueness requirements.

Boot settings

Once the system installation is complete, booting from hard disk, floppy disk, CD or even USB flash may cause security problems. Therefore, in the BIOS, disable booting from any device other than the hard disk.

System partitions

Current hard disks satisfy the capacity requirements of Linux. For a 20 to 40 GB hard drive, for example, no extra partitions are required and RedHat's automatic partitioning meets the requirements. The specific partitioning method is a 40 MB boot partition (/boot), a swap partition (swap) of 2 x the memory size, and the remainder for the root partition (/). The reason /home and /var are not split out: this is a single-user machine, and partitioning the system further increases management complexity, for example a full /var partition leads to system exceptions. Simple partitions satisfy the users.

Installation

Avoid a complete installation, i.e. the Everything option. As mentioned earlier, the more services the system provides, the more holes it has and the poorer its security. Use a non-interactive installation wherever possible, such as an installation floppy disk or install scripts via NFS.
The less the users are directly involved, the more manageable the installation. Name hosts by uniform rules, such as the E-mail address and the company phone number; that makes troubleshooting and locating a machine easier. IP addresses are also encouraged to be static, or to use DHCP with MAC address bindings, so that any exception can quickly be traced to the machine concerned. Note: use the ext3 file system, which reduces the hard drive data loss and failure to boot that a blackout can cause.

Accounts and central control

Using NIS for accounts and central control may be good, but it is also a choice that increases management complexity. If the environment is single-user logins with file sharing done by the server, then not using NIS and using native single-user logins is also a good choice. Of course, NIS is not the only choice for central account management. For native accounts, use the user's company E-mail address as the login name. Of course there must be an administrator account, but do not put local accounts into the local administrators group: having multiple native accounts with root permissions is itself dangerous.

The boot loader

Use GRUB instead of LILO as the boot loader. The reason: while both can be given a startup password, LILO keeps it as a clear-text password in its configuration file, whereas GRUB encrypts it with the MD5 algorithm. Password protection prevents booting the system with a custom kernel. Where there is no other operating system, set the boot wait time to 0.
LILO's configuration is in the file /etc/lilo.conf, GRUB's in /boot/grub/grub.conf:

/etc/lilo.conf
    image=/boot/2.4.18-vmlinuz
    label=Linux
    read-only
    # the password is clear text
    password=Clear-TextPassword
    # add protection
    restricted

/boot/grub/grub.conf
    # set the start wait time to 0, i.e. start directly
    timeout 0
    # generate the MD5-encrypted password with grub-md5-crypt, then use password --md5
    password --md5 $1$LS8eV/$mdN1bcyLrIZGXfM7CkBvU1

Using sudo

Users sometimes need to run commands that require root permissions; then sudo is needed. sudo is a tool that, on the basis of its configuration file, limits which commands a user may run, for a limited time, and logs their use. Its configuration is in the file /etc/sudoers. When a user uses sudo, they must enter their own password to verify their identity; afterwards the predefined commands can be used, and when a command not in the configuration file is used, it is reported and recorded. Usage:

    sudo [-bhHpV] [-s] [-u user] command
    sudo [-klv]

    -b  run the command in the background
    -h  display help
    -H  set the HOME environment variable to the HOME of the new identity
    -k  end the password validity period, so the next use asks for the password again
    -l  list the commands the current user may run
    -p  change the password prompt
    -s  execute the specified shell
    -u  switch to the specified user instead of the default, root
    -v  extend the password validity period by 5 minutes
    -V  show version information

Limiting su

As mentioned earlier, newly created native users do not have root privileges, so su is needed to switch users, and Linux can restrict who may switch to root. With PAM (Pluggable Authentication Modules), everyone except the wheel group can be forbidden to su to root: edit /etc/pam.d/su and remove the masking '#'. Here the administrator account bjecadm is added to the group with gid 10, which is the wheel group:

    /usr/sbin/usermod -G 10 bjecadm
/etc/pam.d/su
    # password authentication
    auth sufficient /lib/security/pam_wheel.so debug
    # only users in the wheel group may switch to root
    auth required   /lib/security/pam_wheel.so use_uid

Enhanced login security

By modifying /etc/login.defs you can add a delay after a login error, logging of logins, password length limits, expiration and other settings.

/etc/login.defs
    # a login password is valid for 90 days
    PASS_MAX_DAYS 90
    # minimum time before a password may be changed again; raising it stops an illegitimate user changing it repeatedly in a short period
    PASS_MIN_DAYS 0
    # minimum login password length of 8 characters
    PASS_MIN_LEN 8
    # warn 7 days before the password expires that it must be changed
    PASS_WARN_AGE 7
    # wait 10 seconds after a login error
    FAIL_DELAY 10
    # record login errors to the log
    FAILLOG_ENAB yes
    # log super user (su) use via syslog
    SYSLOG_SU_ENAB yes
    # log group administration (sg) use via syslog
    SYSLOG_SG_ENAB yes
    # use md5 as the password encryption method
    MD5_CRYPT_ENAB yes

Limiting root logins on terminal windows

Modify /etc/securetty to prevent exhaustive (brute-force) login attempts from breaking through. Once root cannot log in directly and can only be reached through su, it is also subject to the pam.d restrictions above, which makes a breakthrough by that route far less likely.

/etc/securetty
    vc/1
    vc/2
    vc/3
    vc/4
    vc/5
    vc/6
    vc/7
    vc/8
    vc/9
    vc/10
    vc/11
    # mask root login on terminal windows; you can also limit the number of terminals open at once
    #tty1
    #tty2
    #tty7
    #tty8
    #tty9

In addition, you should limit the terminal window's command history. Modify /etc/profile, or if necessary the profile file in the user's home directory.
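A check of these files against the settings recommended above, as an added example that is not part of the original post: it reads a login.defs-style file, a securetty file and a pam.d/su file given as arguments and reports every deviation from the values shown here. It assumes the "KEY value" syntax of login.defs and the RedHat pam_wheel path used above; the file paths are arguments so the checks can be run against a copy as well as the live system.

```shell
#!/bin/sh
# Added example, not from the original post: audit login.defs, securetty and
# pam.d/su against the settings recommended above.

# The login.defs values the post recommends, as "KEY value" lines.
EXPECTED_LOGIN_DEFS="PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
FAIL_DELAY 10
FAILLOG_ENAB yes
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
MD5_CRYPT_ENAB yes"

# get_def FILE KEY: effective value of KEY (last active line wins; '#' lines ignored).
get_def() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# check_login_defs FILE: print one line per key that is missing or differs.
check_login_defs() {
    printf '%s\n' "$EXPECTED_LOGIN_DEFS" | while read -r key want; do
        have=$(get_def "$1" "$key")
        [ "$have" = "$want" ] || printf '%s: have "%s", want %s\n' "$key" "$have" "$want"
    done
}

# securetty_root_ttys FILE: number of ttyN lines still active, i.e. terminal
# windows where root may log in directly; the post wants this to be 0.
securetty_root_ttys() {
    grep -c '^tty[0-9]' "$1" || true
}

# su_wheel_enforced FILE: succeed only if the "auth required pam_wheel.so use_uid"
# line is uncommented, so users outside the wheel group cannot su to root.
su_wheel_enforced() {
    grep -q '^auth[[:space:]]*required[[:space:]].*pam_wheel\.so.*use_uid' "$1"
}

# audit_system: run all three checks on the live system's files.
audit_system() {
    check_login_defs /etc/login.defs
    n=$(securetty_root_ttys /etc/securetty)
    [ "$n" -eq 0 ] || echo "securetty: root may still log in on $n tty lines"
    su_wheel_enforced /etc/pam.d/su || echo "pam.d/su: pam_wheel 'required' line is not active"
}

# Only touch the live files when explicitly asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_system; fi
```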
/etc/profile
    # limit the command history to 20 entries, similar to the doskey feature
    HISTSIZE=20
    # limit the size of the command history file
    HISTFILESIZE=20
    # exit a terminal window after 600 seconds without any operation; this setting does not apply to all windows
    TMOUT=600

Backing up important files

Many Trojans, worms and backdoors replace important files to hide themselves, so backing up the most important and commonly used commands is a good habit. Prepare a set of them on read-only media, a CD or a USB flash drive, or even as an online download. In short, when necessary, use the original commands in place of the ones on the system, which may be infected. The files to back up are as follows:

    /bin/su
    /bin/ps
    /bin/rpm
    /usr/bin/top
    /sbin/ifconfig
    /bin/mount
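A backup and verification routine for the commands listed above, as an added example that is not the post's own script: it copies the listed files to a backup directory (the mounted read-only media), records a cksum manifest, and later reports any live file whose checksum differs or which has gone missing. ROOT is an assumption so the routine can be exercised against a constructed tree; on a real machine it is /.

```shell
#!/bin/sh
# Added example, not from the original post: back up the commands the post
# lists and later check the live copies against the backup. ROOT is the system
# root (/ on a real machine, a constructed directory when testing); DEST is the
# backup medium. cksum(1) is used because it exists on any POSIX system.

# The files the post names for backup.
BACKUP_LIST="/bin/su /bin/ps /bin/rpm /usr/bin/top /sbin/ifconfig /bin/mount"

# backup_commands ROOT DEST: copy each listed file to DEST under its own path
# and write DEST/manifest.cksum with one "crc size path" line per file.
backup_commands() {
    root="$1"; dest="$2"
    : > "$dest/manifest.cksum"
    for f in $BACKUP_LIST; do
        [ -f "$root$f" ] || continue
        mkdir -p "$dest$(dirname "$f")"
        cp -p "$root$f" "$dest$f"
        # cksum prints "crc size file"; record the logical path, not the root-prefixed one
        set -- $(cksum "$root$f")
        printf '%s %s %s\n' "$1" "$2" "$f" >> "$dest/manifest.cksum"
    done
}

# verify_commands ROOT MANIFEST: print the path of every file in the manifest
# whose checksum or size no longer matches, or which has disappeared. Any
# output means the live command should be replaced from the read-only copy.
verify_commands() {
    root="$1"; manifest="$2"
    while read -r crc size path; do
        if [ -f "$root$path" ]; then
            set -- $(cksum "$root$path")
            [ "$1" = "$crc" ] && [ "$2" = "$size" ] || echo "$path"
        else
            echo "$path"
        fi
    done < "$manifest"
}

# Usage on a real machine, after mounting the backup media on /mnt/backup:
#   backup_commands / /mnt/backup
#   verify_commands / /mnt/backup/manifest.cksum
```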