Friday, December 3, 2010

Talking about Linux security

I am writing this article for Linux administrators, enthusiasts, and colleagues concerned with Linux security, in the hope that it helps. Without further ado, let's get down to business.

Before the security settings, I would like to talk about choosing a distribution and installing it. As most readers know, there are a great many Linux distributions. More than once, on many sites and in many books, I have seen discussions of which distribution is the best. Personally, I think there is no "best" in the Linux world: as long as a version suits your habits and you are familiar with it, it is the best for you.

While writing this article I looked through a lot of material, trying to find a distribution that everyone considers common and familiar. In the end I think Red Hat Linux really is very good. It is huge, and its kernel is not the most efficient of all distributions, but its universality, ease of use, software upgrade support and application software support are worth having, and these are what a good Linux distribution needs. This article builds on that: all of the settings here were tested on Red Hat Linux 7.3.

You may ask: why use Red Hat 7.3? Aren't there many newer ones now, such as Red Hat 8.0, Red Hat 9.0, Red Hat Advanced Enterprise Edition, and so on? Why not use these newer releases? That is a very good question, and it is exactly what I want to cover: what to watch for when selecting and installing a release.

1. Selecting the release

I have used Red Hat for a long time. In my view, a .0 version of Red Hat is the first release of a major version upgrade, and in such a release many packages are often not very stable and are prone to failure. The vast majority of Linux administrators use the system as a server, and for most servers the primary concern is stability, followed by security. So if you are an administrator rather than a fanatical enthusiast, I suggest you choose Red Hat 7.3.
In Red Hat releases with a later minor version number, the packages have received many updates and fixes. These may not be the very newest, but they are at least the most stable of the recent versions. If this point is not yet clear, I will explain the theory when I go into the details of upgrading below.

2. Selecting the installation method

With the release chosen, we begin the installation. There are only a few caveats during installation: the first is partitioning, the second is package selection.

For partitioning, the key point is to plan the partitions around your application. I have seen many write-ups on the best Linux partition scheme, and many people have proposed excellent schemes, but I think partitioning according to your own application is best of all. The scheme below is only a recommendation; adjust it to your needs. In my opinion a standard server should have at least the common partitions, so I recommend dividing the hard disk as follows:

/boot
swap
/
/var
/usr
/home
/tmp

Size them according to your own application, but /usr cannot be less than 1G and /var should be larger, because most software is in it. The others need little comment. Swap is worth discussing, because its size is a matter of some dispute. Drawing on the views of many friends, I have summed up a rule: if your memory is less than 1G, make swap 2 x memory; if it is greater than 1G, make swap at most 2G. Why? As we all know, swap is virtual memory space. Too small and it does not do its job; too large and it wastes space. The size has a specific reason: with large memory, applications use little virtual space, but the server's memory needs must still be fully met. According to the experience of many friends and my own, this method is one of the best options, particularly for databases and other applications with large memory needs, and many servers have 1G-2G of memory.

For package installation, the fewer packages the better. At the start of the Red Hat installation, for a server, the following package groups need to be chosen:

* Network Support (network support)
* Messaging and Web Tools (optional; some networking tools such as ncftp)
* Router/Firewall (firewall software; it needs to be installed, but unfortunately ipchains, iptables and ipwf are all installed; how to delete them will be explained later)
* Network Managed Workstation (admin tools)
* Utilities (common tools, backup tools, etc.)

For now we simply select package groups. Some unused packages will be removed in the security settings below, as discussed later.

3. Updating the software

Although Red Hat 7.3 is an updated version, many of its packages have vulnerabilities. One of the biggest is a flaw in the 2.4.18 kernel that causes the ext3 file system to crash. I have run into it a few times (according to the ext3 development team, it occurs only under specific actions and conditions, and ordinary users rarely see it). Although this problem has by now largely been solved, 7.3 is still unstable if the kernel is not updated.

There are two ways to update. One is to download the update packages manually and install them with rpm -Uvh. The other, which I recommend, is up2date. It is a good tool and makes updating your system very easy. It only updates the packages you have installed: it will not update bind8 to bind9, and it will not update Red Hat 7.3 to Red Hat 9.0. This preserves the stability and integrity of the version you are using, because the packages are fixes made specifically for that version. Usually only the version number changes. For example, iptables in 7.3 ships as RPM version 1.2.5 and the updated package is 1.2.8, which fixes many vulnerabilities and errors without making big changes, so compatibility with your usage and applications is preserved.
Before running the automatic upgrade with up2date, I recommend a few things:

* First, the up2date shipped with Red Hat 7.3 has a bug with SSL, so you need to get the latest updated up2date first. Download: https://rhn.redhat.com/errata/rhsa-2003-267.tml

* Second, in general we do not want up2date to update the kernel automatically, yet kernel updates directly fix many major vulnerabilities, especially the ext3 crash vulnerability in a freshly installed Red Hat 7.3. So I suggest you upgrade the kernel manually first, using the RPM package, which saves a lot of time. As I said, Red Hat may not be the most efficient, but it is certainly the most widely used system, and the ease of RPM fully reflects this advantage. The Red Hat 7.3 kernel download addresses are:

http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i386.rpm
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i586.rpm
http://updates.redhat.com/7.3/en/os/i386/kernel-2.4.20-20.7.i686.rpm

For your own system, use uname -a to see whether it is currently i386 or i686, and select the kernel upgrade package to download on that basis. I recommend using rpm -ivh for the upgrade, so that the original kernel is kept; once you are sure there are no problems, remove the old kernel with rpm -e. The RPM package is very simple to use: you do not have to modify your lilo.conf or grub.conf configuration files, because the entry is added for you automatically. All you need to do is restart and select the new kernel at boot. Once the kernel upgrade is finished and you have restarted with the new kernel, it is time for up2date.
Run rhn_register to sign up for an account. (Keep this to yourself; it is from my own research. Upgrading through the RHN network is actually a paid service, but one account per mailbox is free. An account carries upgrade permission for only one system. You can log in to the RHN network and move the permission to another machine, but that is too much trouble, and since Red Hat 7.3 updates are basically stable, a system only needs to be upgraded once after installation, so we just register an account to do the upgrade :P) When prompted, the default selection is to upgrade all packages on your machine. That is fine; continue all the way to the end, and then return to the console.

Then comes the exciting part, the upgrade. Run the command:

up2date -u

to begin the upgrade. The duration depends on your network; it takes about 1 hour. It downloads and installs everything for you automatically. Although a restart is not required, I recommend restarting to make sure the new kernel and new packages work correctly. At this point the system update is finished. What follows is the more important part, the security settings.

4. Security settings

In fact, Linux security is already fairly good. Here we make only a preliminary discussion of security, which is nothing more than turning off services and setting up a firewall. If you are interested in anti-hacker measures and advanced security settings, please watch for my next article, in which I will introduce simple IDS techniques and other anti-hacker measures. Thank you.
Turning off unused services

Many articles discuss this issue. I personally think the most effective way to close services is as follows. We all know that Linux controls services with chkconfig, ntsysv and similar tools. What these tools actually control are the SysV-style service startup items that Linux stores, which are simply the things under /etc/rc.d/. For example, in rc3.d the 3 stands for what init 3 needs to do. The directory contains a number of files: those beginning with S mean start, and those beginning with K mean stop. In rc0.d, basically everything begins with K. So there is no need to think of Linux services as something mysterious. Here are two simple ways to control the services.

Using ntsysv to control services: run ntsysv and close every service except:

* crond: defines scheduled tasks
* random: generates random numbers (used for generating ssh session symmetric keys)
* network: network
* sshd: the ssh server-side service
* syslog: system log
* xinetd: the super process (if no service uses it, it can be turned off)

In fact xinetd is a super process similar to init, but you can turn it off entirely, because what it listens for is a set of useless services. For a general server, basically only the services above are left on in ntsysv and all others are closed. Of course, if you want to run a web server, start httpd.

After the services are closed, the next step is to remove some unused users, using vipw:

  #adm:x:3:4:adm:/var/adm:/sbin/nologin
  #lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  #sync:x:5:0:sync:/sbin:/bin/sync
  #news:x:9:13:news:/var/spool/news:
  #uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
  #operator:x:11:0:operator:/root:/sbin/nologin
  #games:x:
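
The S/K link convention under /etc/rc.d described above can be turned into a quick audit. The script below is an added example, not part of the original article: it lists services that have an S (start) link in a runlevel directory but are not among the services the article keeps in ntsysv. The function names and the sample file names are assumptions made for illustration, and the demo uses a constructed directory rather than the real /etc/rc.d/rc3.d.

```sh
#!/bin/sh
# Added example (not from the article): report services that have an S (start)
# link in a SysV runlevel directory but are not on the article's keep-list.

# Services the article leaves enabled in ntsysv.
KEEP="crond random network sshd syslog xinetd"

# Print, one per line, services started in directory $1 that are not in KEEP.
unexpected_services() {
    rc_dir=$1
    for link in "$rc_dir"/S[0-9][0-9]*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}            # e.g. S55sshd
        name=${name#S[0-9][0-9]}    # strip "S" and the two-digit order: sshd
        case " $KEEP " in
            *" $name "*) ;;         # on the keep-list, nothing to report
            *) echo "$name" ;;
        esac
    done | sort
}

# Build a constructed stand-in for /etc/rc.d/rc3.d so the example runs offline.
# File names are sample data, not taken from a real system.
make_sample_rc() {
    d=$(mktemp -d) || return 1
    for f in S10network S12syslog S20random S55sshd S56xinetd S90crond \
             S60lpd S80sendmail K15httpd K20nfs; do
        : > "$d/$f"
    done
    echo "$d"
}

sample=$(make_sample_rc)
echo "Started at this runlevel but not on the keep-list:"
unexpected_services "$sample"     # K* entries are stop links and are ignored
rm -rf "$sample"
```

On a real system, call unexpected_services /etc/rc.d/rc3.d and add httpd to KEEP if the server is meant to run a web server.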
