How to Enhance the Security of Linux and Unix Servers-Linux Operation and Maintenance-php.cn

Home

Operation and Maintenance

Linux Operation and Maintenance

How to Enhance the Security of Linux and Unix Servers

PHPz

May 19, 2023 pm 02:43 PM

linuxunix

1. System security record files

The record files inside the operating system are important clues to detect whether there is a network intrusion. If your system is directly connected to the Internet and you find that there are many people making telnet/ftp login attempts to your system, you can run "#more /var/log/secure grep refused" to check the attacks on the system so that you can take action Corresponding countermeasures, such as using ssh to replace telnet/rlogin, etc.

2. Startup and login security

1. bios security

Set the bios password and modify the boot sequence to prohibit booting the system from a floppy disk.

2. User password

User password is a basic starting point for Linux security. The user password used by many people is too simple, which opens the door to intruders. Although in theory, as long as there are enough time and resources, it can With the help of Internet Security, there is no user password that cannot be cracked, but a properly chosen password is difficult to crack. A better user password is a string of characters that only he can easily remember and understand, and should never be written out anywhere.

3. The default account

should prohibit all unnecessary accounts that are started by the operating system itself. This should be done when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the better The more vulnerable the system becomes to attack.

You can use the following command to delete the account.

# userdel用户名

Or use the following command to delete the group user account.

# groupdel username

4. Password file

chattr command adds unchangeable attributes to the following file to prevent unauthorized users from gaining permissions.

# chattr +i /etc/passwd

# chattr +i /etc/shadow

# chattr +i /etc/group

# chattr +i /etc/gshadow

5. Disable the ctrl alt delete command to restart the machine

Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory and run the following command:

# chmod -r 700 /etc/rc.d/init.d/*

In this way, only root can read, write or execute all the above script files.

6. Restrict the su command

If you don’t want anyone to be able to su as root, you can edit the /etc/pam.d/su file and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=isd

At this time, only the isd group Users can su as root. Afterwards, if you want user admin to be able to su as root, you can run the following command:

# usermod -g10 admin

7. Delete login information

By default, the login prompt information includes the Linux distribution version, kernel version name, server host name, etc. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local to comment out the following lines that output system information.

# this will overwrite /etc/issue at every boot. so， make any changes you

# want to make to /etc/issue here or you will lose them when you reboot.

# echo "" > /etc/issue

# echo "$r" >> /etc/issue

# echo "kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

# cp -f /etc/issue /etc/issue.net

# echo >> /etc/issue

Then, perform the following operations:

# rm -f /etc/issue

# rm -f /etc/issue.net

# touch /etc/issue

# touch /etc/issue.net

3. Restrict network access

1. nfs access

If you use the nfs network file system service, you should ensure that your /etc/exports has the most restrictive access permission settings, which means do not use any wildcards, do not allow root write permissions, and only Mounted as a read-only file system. Edit the file /etc/exports and add the following two lines.

/dir/to/export host1.mydomain.com(ro，root_squash)

/dir/to/export host2.mydomain.com(ro，root_squash)

/dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine logged into this directory, ro means mount as a read-only system, and root_squash prohibits root from writing to the directory. In order for the changes to take effect, run the following command.

# /usr/sbin/exportfs -a

2. inetd settings

First make sure that the owner of /etc/inetd.conf is root and the file permissions are set to 600. After the settings are completed, you can use the "stat" command to check.

# chmod 600 /etc/inetd.conf

Then, edit /etc/inetd.conf to disable the following services.

ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have ssh/scp installed, you can also disable telnet/ftp. In order for the changes to take effect, run the following command:

#killall -hup inetd

By default, most Linux systems allow all requests, and using tcp_wrappers to enhance system security is a piece of cake. You can modify /etc /hosts.deny and /etc /hosts.allow to increase access restrictions. For example, setting /etc/hosts.deny to "all: all" denies all access by default. Then add allowed access in the /etc/hosts.allow file. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" means that the IP address 192.168.1.10 and the host name gate.openarch.com are allowed to connect via ssh.

After the configuration is completed, you can use tcpdchk to check:

# tcpdchk

tcpchk is a tcp_wrapper configuration checking tool, which checks your tcp wrapper configuration and reports all potential/existing problems found.

3. Login terminal settings

/etc/securetty file specifies the tty device that allows root login. It is read by the /bin/login program. Its format is a list of allowed names. You can edit /etc/securetty and Comment out the following lines.

# tty1

# tty2

# tty3

# tty4

# tty5

# tty6

At this time, root can only log in at the tty1 terminal.

4. Avoid displaying system and version information.

If you want remote login users not to see system and version information, you can change the /etc/inetd.conf file through the following operations:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -

Add -h to indicate that telnet does not display system information. Instead, only "login:" is displayed.

4. Prevent attacks

1. Block ping If no one can ping your system, security is naturally increased. To do this, you can add the following line to the /etc/rc.d/rc.local file:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing

编辑host.conf文件并增加如下几行来防止ip欺骗攻击。

order bind，hosts

multi off

nospoof on

3．防止dos攻击

对系统所有的用户设置资源限制可以防止dos类型攻击。如最大进程数和内存使用数量等。例如，可以在/etc/security/limits.conf中添加如下几行：

* hard core 0
* hard rss 5000
* hard nproc 20

然后必须编辑/etc/pam.d/login文件检查下面一行是否存在。

session required /lib/security/pam_limits.so

上面的命令禁止调试文件，限制进程数为50并且限制内存使用为5mb。

The above is the detailed content of How to Enhance the Security of Linux and Unix Servers. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:亿速云. If there is any infringement, please contact admin@php.cn delete

What is Maintenance Mode in Linux? ExplainedApr 22, 2025 am 12:06 AM

MaintenanceModeinLinuxisaspecialbootenvironmentforcriticalsystemmaintenancetasks.Itallowsadministratorstoperformtaskslikeresettingpasswords,repairingfilesystems,andrecoveringfrombootfailuresinaminimalenvironment.ToenterMaintenanceMode,interrupttheboo

Linux: A Deep Dive into Its Fundamental PartsApr 21, 2025 am 12:03 AM

The core components of Linux include kernel, file system, shell, user and kernel space, device drivers, and performance optimization and best practices. 1) The kernel is the core of the system, managing hardware, memory and processes. 2) The file system organizes data and supports multiple types such as ext4, Btrfs and XFS. 3) Shell is the command center for users to interact with the system and supports scripting. 4) Separate user space from kernel space to ensure system stability. 5) The device driver connects the hardware to the operating system. 6) Performance optimization includes tuning system configuration and following best practices.

Linux Architecture: Unveiling the 5 Basic ComponentsApr 20, 2025 am 12:04 AM

The five basic components of the Linux system are: 1. Kernel, 2. System library, 3. System utilities, 4. Graphical user interface, 5. Applications. The kernel manages hardware resources, the system library provides precompiled functions, system utilities are used for system management, the GUI provides visual interaction, and applications use these components to implement functions.

Linux Operations: Utilizing the Maintenance ModeApr 19, 2025 am 12:08 AM

Linux maintenance mode can be entered through the GRUB menu. The specific steps are: 1) Select the kernel in the GRUB menu and press 'e' to edit, 2) Add 'single' or '1' at the end of the 'linux' line, 3) Press Ctrl X to start. Maintenance mode provides a secure environment for tasks such as system repair, password reset and system upgrade.

Linux: How to Enter Recovery Mode (and Maintenance)Apr 18, 2025 am 12:05 AM

The steps to enter Linux recovery mode are: 1. Restart the system and press the specific key to enter the GRUB menu; 2. Select the option with (recoverymode); 3. Select the operation in the recovery mode menu, such as fsck or root. Recovery mode allows you to start the system in single-user mode, perform file system checks and repairs, edit configuration files, and other operations to help solve system problems.

Linux's Essential Components: Explained for BeginnersApr 17, 2025 am 12:08 AM

The core components of Linux include the kernel, file system, shell and common tools. 1. The kernel manages hardware resources and provides basic services. 2. The file system organizes and stores data. 3. Shell is the interface for users to interact with the system. 4. Common tools help complete daily tasks.

Linux: A Look at Its Fundamental StructureApr 16, 2025 am 12:01 AM

The basic structure of Linux includes the kernel, file system, and shell. 1) Kernel management hardware resources and use uname-r to view the version. 2) The EXT4 file system supports large files and logs and is created using mkfs.ext4. 3) Shell provides command line interaction such as Bash, and lists files using ls-l.

Linux Operations: System Administration and MaintenanceApr 15, 2025 am 12:10 AM

The key steps in Linux system management and maintenance include: 1) Master the basic knowledge, such as file system structure and user management; 2) Carry out system monitoring and resource management, use top, htop and other tools; 3) Use system logs to troubleshoot, use journalctl and other tools; 4) Write automated scripts and task scheduling, use cron tools; 5) implement security management and protection, configure firewalls through iptables; 6) Carry out performance optimization and best practices, adjust kernel parameters and develop good habits.

See all articles