How to Enhance the Security of Linux and Unix Servers

1. System security record files

The record files inside the operating system are important clues to detect whether there is a network intrusion. If your system is directly connected to the Internet and you find that there are many people making telnet/ftp login attempts to your system, you can run "#more /var/log/secure grep refused" to check the attacks on the system so that you can take action Corresponding countermeasures, such as using ssh to replace telnet/rlogin, etc.

2. Startup and login security

1. bios security

Set the bios password and modify the boot sequence to prohibit booting the system from a floppy disk.

2. User password

User password is a basic starting point for Linux security. The user password used by many people is too simple, which opens the door to intruders. Although in theory, as long as there are enough time and resources, it can With the help of Internet Security, there is no user password that cannot be cracked, but a properly chosen password is difficult to crack. A better user password is a string of characters that only he can easily remember and understand, and should never be written out anywhere.

3. The default account

should prohibit all unnecessary accounts that are started by the operating system itself. This should be done when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the better The more vulnerable the system becomes to attack.

You can use the following command to delete the account.

# userdel用户名

Or use the following command to delete the group user account.

# groupdel username

4. Password file

chattr command adds unchangeable attributes to the following file to prevent unauthorized users from gaining permissions.

# chattr +i /etc/passwd

# chattr +i /etc/shadow

# chattr +i /etc/group

# chattr +i /etc/gshadow

5. Disable the ctrl alt delete command to restart the machine

Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory and run the following command:

# chmod -r 700 /etc/rc.d/init.d/*

In this way, only root can read, write or execute all the above script files.

6. Restrict the su command

If you don’t want anyone to be able to su as root, you can edit the /etc/pam.d/su file and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=isd

At this time, only the isd group Users can su as root. Afterwards, if you want user admin to be able to su as root, you can run the following command:

# usermod -g10 admin

7. Delete login information

By default, the login prompt information includes the Linux distribution version, kernel version name, server host name, etc. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local to comment out the following lines that output system information.

# this will overwrite /etc/issue at every boot. so， make any changes you

# want to make to /etc/issue here or you will lose them when you reboot.

# echo "" > /etc/issue

# echo "$r" >> /etc/issue

# echo "kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

# cp -f /etc/issue /etc/issue.net

# echo >> /etc/issue

Then, perform the following operations:

# rm -f /etc/issue

# rm -f /etc/issue.net

# touch /etc/issue

# touch /etc/issue.net

3. Restrict network access

1. nfs access

If you use the nfs network file system service, you should ensure that your /etc/exports has the most restrictive access permission settings, which means do not use any wildcards, do not allow root write permissions, and only Mounted as a read-only file system. Edit the file /etc/exports and add the following two lines.

/dir/to/export host1.mydomain.com(ro，root_squash)

/dir/to/export host2.mydomain.com(ro，root_squash)

/dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine logged into this directory, ro means mount as a read-only system, and root_squash prohibits root from writing to the directory. In order for the changes to take effect, run the following command.

# /usr/sbin/exportfs -a

2. inetd settings

First make sure that the owner of /etc/inetd.conf is root and the file permissions are set to 600. After the settings are completed, you can use the "stat" command to check.

# chmod 600 /etc/inetd.conf

Then, edit /etc/inetd.conf to disable the following services.

ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have ssh/scp installed, you can also disable telnet/ftp. In order for the changes to take effect, run the following command:

#killall -hup inetd

By default, most Linux systems allow all requests, and using tcp_wrappers to enhance system security is a piece of cake. You can modify /etc /hosts.deny and /etc /hosts.allow to increase access restrictions. For example, setting /etc/hosts.deny to "all: all" denies all access by default. Then add allowed access in the /etc/hosts.allow file. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" means that the IP address 192.168.1.10 and the host name gate.openarch.com are allowed to connect via ssh.

After the configuration is completed, you can use tcpdchk to check:

# tcpdchk　

tcpchk is a tcp_wrapper configuration checking tool, which checks your tcp wrapper configuration and reports all potential/existing problems found.

3. Login terminal settings

/etc/securetty file specifies the tty device that allows root login. It is read by the /bin/login program. Its format is a list of allowed names. You can edit /etc/securetty and Comment out the following lines.

# tty1

# tty2

# tty3

# tty4

# tty5

# tty6

At this time, root can only log in at the tty1 terminal.

4. Avoid displaying system and version information.

If you want remote login users not to see system and version information, you can change the /etc/inetd.conf file through the following operations:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -

Add -h to indicate that telnet does not display system information. Instead, only "login:" is displayed.

4. Prevent attacks

1. Block ping If no one can ping your system, security is naturally increased. To do this, you can add the following line to the /etc/rc.d/rc.local file:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing

编辑host.conf文件并增加如下几行来防止ip欺骗攻击。

order bind，hosts

multi off

nospoof on　

3．防止dos攻击

对系统所有的用户设置资源限制可以防止dos类型攻击。如最大进程数和内存使用数量等。例如，可以在/etc/security/limits.conf中添加如下几行：

• * hard core 0

• * hard rss 5000

• * hard nproc 20

然后必须编辑/etc/pam.d/login文件检查下面一行是否存在。

session required /lib/security/pam_limits.so

上面的命令禁止调试文件，限制进程数为50并且限制内存使用为5mb。

The above is the detailed content of How to Enhance the Security of Linux and Unix Servers. For more information, please follow other related articles on the PHP Chinese website!