To set up a secure Linux server you first need to understand the Linux environment: what the configuration files of the network services mean and how to configure them securely.
On Linux, TCP/IP networking is configured through several text files. You may need to edit these files by hand to complete the network setup, but most of them can also be configured with the linuxconf command (the network part of the configuration can be done with the netconf command). The basic TCP/IP network configuration files are described below.

* /etc/conf.modules file: this file defines the parameters of the modules that need to be loaded at boot. The focus here is the network card configuration. If you use Linux as a gateway, the Linux server needs at least two network cards. To reduce possible problems at boot, the Linux kernel does not automatically detect multiple NICs. If the network card driver is not compiled into the kernel but loaded dynamically as a module, and you need to install several network cards, "conf.modules" must be configured accordingly. If the driver is compiled as a kernel module: for a PCI device, the module automatically detects all installed cards; for an ISA card, you must give the module the IO address so that it knows where to find the card, and this is done in "/etc/conf.modules". For example, with two ISA bus 3c509 cards, one at IO address 0x300 and the other at 0x320, edit "conf.modules" as follows:

    alias eth0 3c509
    alias eth1 3c509
    options 3c509 io=0x300,0x320

This says that the 3c509 driver should be loaded under the names eth0 and eth1 (the alias lines) and with the parameters io=0x300,0x320, which tell the driver where to look for the NICs; the 0x prefix is required. For a PCI card, only the alias command binding ethN to the appropriate driver module name is needed; the IO address of a PCI card is detected automatically.
For a PCI card, edit "conf.modules" as follows:

    alias eth0 3c905
    alias eth1 3c905

If the driver has been compiled into the kernel: the PCI probing run at system start automatically finds all the relevant network cards. ISA cards can generally also be detected automatically, but in some cases an ISA card still needs the following configuration: add boot parameters to "/etc/lilo.conf", which LILO passes to the kernel at boot. For an ISA card, edit "lilo.conf" and add the following line:

    append="ether=0,0,eth0 ether=0,0,eth1"

Note: first test your ISA cards without adding the boot parameters to "lilo.conf"; use the boot parameters only if that fails. If you use the boot-parameter method, eth0 and eth1 are assigned in the order in which the cards are found at boot.

* /etc/HOSTNAME file: this file contains the system's host name including the full domain name, for example: deep.openarc.com

* /etc/sysconfig/network-scripts/ifcfg-ethN file: on RedHat systems the network device configuration files are kept in the "/etc/sysconfig/network-scripts" directory; ifcfg-eth0 holds the configuration of the first NIC and ifcfg-eth1 that of the second. The following is an example of the "/etc/sysconfig/network-scripts/ifcfg-eth0" file:

    DEVICE=eth0
    IPADDR=208.164.186.1
    NETMASK=255.255.255.0
    NETWORK=208.164.186.0
    BROADCAST=208.164.186.255
    ONBOOT=yes
    BOOTPROTO=none
    USERCTL=no

If you want to change a network address by hand or add a new network interface, edit the corresponding file (ifcfg-ethN) or create a new one.
The fields mean:

    DEVICE=name                name is the physical device name
    IPADDR=addr                addr is the IP address assigned to the card
    NETMASK=mask               mask is the network mask
    NETWORK=addr               addr is the network address
    BROADCAST=addr             addr is the broadcast address
    ONBOOT=yes/no              whether to activate the card at boot
    BOOTPROTO=none/bootp/dhcp  protocol used to activate the card: none (no activation protocol), bootp (use the BOOTP protocol), dhcp (use the DHCP protocol)
    USERCTL=yes/no             whether non-root users are allowed to control the device

* /etc/resolv.conf file: this file is read by the domain name resolver (the resolver is a library that maps host names to IP addresses). An example of the configuration file:

    search openarc.com
    nameserver 208.164.186.1
    nameserver 208.164.186.2

"search domainname.com" means that when a host name is given without its full domain, the suffix domainname.com is appended to it; "nameserver" gives the address of a host to use as domain name server. The name servers are queried in the order in which they appear in the file.

* /etc/host.conf file: this file specifies how host names are resolved. Linux obtains the IP address corresponding to a host name through the resolver library. The following is an example of "/etc/host.conf":

    order bind,hosts
    multi on
    nospoof on

"order bind,hosts" specifies the lookup order for host names; here DNS is used first to resolve the name and then the "/etc/hosts" file is searched (or vice versa). "multi on" specifies whether a host listed in "/etc/hosts" may have more than one address; hosts with several IP addresses are commonly called multi-homed hosts. "nospoof on" means IP address spoofing against the server is not allowed. IP spoofing is a way of attacking a system's security in which one computer masquerades as another by using its IP address in order to gain the trust of other computers.
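As an added example (not from the original article), a small POSIX shell checker that cross-checks an ifcfg-ethN file: it recomputes NETWORK and BROADCAST from IPADDR and NETMASK and verifies that DEVICE matches the file name, catching a silent typo such as DEVICE=et0. The function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: cross-check an ifcfg-ethN file.
# A typo such as DEVICE=et0, or a BROADCAST that disagrees with NETMASK, gives
# no parse error but leaves the interface misconfigured, so recompute and compare.

ip2int() {  # dotted quad -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

ifcfg_get() {  # $1 file, $2 key; tolerates "KEY = value" spacing
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# Returns 0 when NETWORK and BROADCAST agree with IPADDR+NETMASK and DEVICE
# matches the file name; otherwise prints each mismatch and returns 1.
check_ifcfg() {
    ip=$(ip2int "$(ifcfg_get "$1" IPADDR)")
    mask=$(ip2int "$(ifcfg_get "$1" NETMASK)")
    want_net=$(int2ip $(( ip & mask )))
    want_bc=$(int2ip $(( (ip & mask) | (mask ^ 4294967295) )))
    rc=0
    [ "$(ifcfg_get "$1" NETWORK)" = "$want_net" ] || { echo "NETWORK should be $want_net"; rc=1; }
    [ "$(ifcfg_get "$1" BROADCAST)" = "$want_bc" ] || { echo "BROADCAST should be $want_bc"; rc=1; }
    dev=$(ifcfg_get "$1" DEVICE)
    [ "ifcfg-$dev" = "$(basename "$1")" ] || { echo "DEVICE=$dev does not match file $(basename "$1")"; rc=1; }
    return $rc
}

# Constructed sample (the article's addresses), written to a temporary directory.
dir=$(mktemp -d)
printf 'DEVICE=eth0\nIPADDR=208.164.186.1\nNETMASK=255.255.255.0\n' > "$dir/ifcfg-eth0"
printf 'NETWORK=208.164.186.0\nBROADCAST=208.164.186.255\nONBOOT=yes\n' >> "$dir/ifcfg-eth0"
check_ifcfg "$dir/ifcfg-eth0" && echo "$dir/ifcfg-eth0 is consistent"
```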
* /etc/sysconfig/network file: this file specifies the server's network configuration. An example:

    NETWORKING=yes
    FORWARD_IPV4=yes
    HOSTNAME=deep.openarc.com
    GATEWAY=0.0.0.0
    GATEWAYDEV=

    NETWORKING=yes/no      whether networking is configured
    FORWARD_IPV4=yes/no    whether IP forwarding is turned on
    HOSTNAME=hostname      hostname is the server's host name
    GATEWAY=gw-ip          gw-ip is the IP address of the network gateway
    GATEWAYDEV=gw-dev      gw-dev is the gateway device name, for example eth0

Note: for compatibility with older software, the "/etc/HOSTNAME" file should contain the same host name as HOSTNAME=hostname.

* /etc/hosts file: when the machine boots, it needs to map a number of host names to IP addresses before DNS can be queried. These mappings are stored in the /etc/hosts file. Where there is no domain name server, all network programs resolve a host name to an IP address by consulting this file. The following is an example of an "/etc/hosts" file:

    IP Address        Hostname              Alias
    127.0.0.1         localhost
    208.164.186.1     gate.openarc.com      gate

The leftmost column is the host's IP address and the middle column is the host name; any further columns are aliases for the host. Once you have edited the machine's network configuration files, restart networking for the changes to take effect, using the following command:

    /etc/rc.d/init.d/network restart

* /etc/inetd.conf file: as is well known, the fewer service ports a server has open, the more stable and secure it is. A server that provides a specific service should therefore open only the ports essential to that service and close services unrelated to it; for example, a machine used as a www and FTP server should open only ports 80 and 25, and unrelated services such as finger and auth should be turned off to reduce the system's vulnerabilities.
inetd, also called the "super server", is the daemon that listens on the network and, for each incoming request, starts the appropriate service process to handle the connection. /etc/inetd.conf is inetd's configuration file; it tells inetd which network ports to listen on and which service to start for each port. On any networked Linux system the first thing to do is check which services the server provides. Services you do not need should be disabled, and preferably uninstalled, so that attackers have fewer ways to attack the system. Look at the "/etc/inetd.conf" file to see which services inetd provides. Disable any unneeded service by commenting out its line (put # at the start of the line), then send the inetd process a SIGHUP signal.

Step 1: change the file's permissions to 600.

    [root@deep]# chmod 600 /etc/inetd.conf

Step 2: make sure the file's owner is root.

    [root@deep]# stat /etc/inetd.conf

Step 3: edit the "inetd.conf" file (vi /etc/inetd.conf) and disable all unnecessary services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on. If you find some of these services useful you need not disable them, but with them disabled the chance of the system being compromised is much smaller. The edited "inetd.conf" file looks like this:

    # To re-read this file after changes, just do a 'killall -HUP inetd'
    #
    #echo      stream  tcp     nowait  root    internal
    #echo      dgram   udp     wait    root    internal
    #discard   stream  tcp     nowait  root    internal
    #discard   dgram   udp     wait    root    internal
    #daytime   stream  tcp     nowait  root    internal
    #daytime   dgram   udp     wait    root    internal
    #chargen   stream  tcp     nowait  root    internal
    #chargen   dgram   udp     wait    root    internal
    #time      stream  tcp     nowait  root    internal
    #time      dgram   udp     wait    root    internal
    #
    # These are standard services.
    #
    #ftp       stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
    #telnet    stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
    #
    # Shell, login, exec, comsat and talk are BSD protocols.
    #
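As an added example (not part of the original article), the three steps above as POSIX shell functions run against a constructed sample inetd.conf: list the services still enabled, check the 600/root ownership, and comment out unneeded services while keeping the file's mode and owner. The function names and the sample file are assumptions of this example; the reload helper wraps the article's killall -HUP and is not run here.

```shell
#!/bin/sh
# Added example, not from the original article: audit and trim an inetd.conf
# following the article's three steps, against a constructed sample file.

# Services still active: the first field of every non-blank, non-comment line.
inetd_enabled() {
    awk '/^[ \t]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Steps 1 and 2: file is mode 600 and owned by root (owner overridable for tests).
inetd_perms_ok() {
    find "$1" -perm 600 -user "${2:-root}" | grep -q .
}

# Step 3: comment out the named services (exact match on the first field).
# Rewriting through cat keeps the file's inode, mode and owner unchanged.
inetd_disable() {
    f=$1; shift
    awk -v list="$*" 'BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        ($1 in off) { print "#" $0; next } { print }' "$f" > "$f.new" \
        && cat "$f.new" > "$f" && rm -f "$f.new"
}

# Tell the running inetd to re-read its configuration (the article's killall -HUP).
inetd_reload() {
    killall -HUP inetd
}

# Constructed sample in inetd.conf line format; not a real system file.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# service  socket  proto  wait/nowait  user    server_path     args
echo    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
chmod 600 "$conf"

echo "enabled before:"; inetd_enabled "$conf"
inetd_disable "$conf" echo ftp telnet finger
echo "enabled after:";  inetd_enabled "$conf"
```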