Network security is an important topic, and the server is the most important link in it. Linux is regarded as a relatively secure Internet server platform: because it is open source, once a security hole is found in the system, volunteers all over the Internet actively repair it. System maintainers, however, often fail to learn of the problem and apply the fix in time, and that delay is what gives an attacker the opportunity. Yet compared with vulnerabilities in the system itself, far more security incidents are caused by improper configuration, and those can be avoided by configuring the system correctly. The more services a server runs, the more room there is for misconfiguration and the greater the chance of a security problem. Since Linux and Unix are the most popular server operating systems, this article walks through a set of configuration changes that prevent common security problems and harden a Linux/Unix server.

1. System security log files

The operating system's log files are the first place to look for evidence of a network intrusion. If your system is directly connected to the Internet and you suspect that many people are trying to log in through Telnet/FTP, run the following command to page through the connection attempts that were refused, so that you can take countermeasures such as replacing Telnet/rlogin with SSH:

# grep refused /var/log/secure | more

Which file receives these messages depends on the syslog configuration; on Debian-derived systems the equivalent file is /var/log/auth.log.

2. Startup and login security

2.1 BIOS security

Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk (or any other removable medium). Without this, anyone with physical access can boot their own medium and read or modify the disk regardless of the password rules below.

2.2 User passwords

User passwords are the basic starting point for Linux security. Many people choose passwords that are far too simple, which is equivalent to opening the door to intruders.
In theory, given enough time and computing resources, no password is uncrackable, but a well-chosen one is very hard to crack. A good password is a string that only the user can remember easily, and it should never be written down anywhere.

2.3 Default accounts

Every default account that the operating system creates but that you do not need should be disabled, ideally when the system is first installed. Linux creates many default accounts, and the more accounts there are, the more ways there are to attack the system. Remove an account with:

# userdel username

and remove its group with:

# groupdel groupname

groupdel refuses to remove a group that is still some user's primary group, so delete the user first. Before deleting an account, check for files it owns (for example with find / -user username); otherwise they are left belonging to an orphaned UID that a later account could inherit. If an account has to stay because of the files it owns, lock it instead with passwd -l username.

2.4 Password files

The chattr command sets the immutable attribute on the following files, so that even a process that has obtained write permission on them cannot modify them:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

Two caveats. While /etc/shadow is immutable, passwd fails for every user, and useradd, usermod and groupadd fail as well, so the attribute has to be removed with chattr -i before any account change and restored afterwards. And the attribute only stops processes that lack CAP_LINUX_IMMUTABLE; a process running with full root privileges can remove it the same way, so this guards against accidental edits and partially privileged exploits rather than against a complete root compromise.

2.5 Disable Ctrl+Alt+Delete

Edit /etc/inittab and comment out the line whose action field is ctrlaltdel (the entry that runs shutdown when the key combination is pressed), then run init q so that init re-reads the file. On systems that use systemd instead of /etc/inittab, the equivalent is systemctl mask ctrl-alt-del.target.

Also restrict the startup scripts so that only root can read, write or execute them:

# chmod -R 700 /etc/rc.d/init.d/*

2.6 Restricting the su command

If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

From then on only members of the isd group can su to root (pam_rootok lets root itself through without a password; the debug option only adds log output). To let the user admin su to root, add admin to that group:

# usermod -a -G isd admin

Note the -a: without it, -G replaces the user's entire list of supplementary groups. Name the group in usermod exactly as in the group= option, so that the two cannot drift apart. On current distributions the modules are referenced simply as pam_rootok.so and pam_wheel.so, without the /lib/security path.

2.7 Remove system information from the login banner

By default the login prompt shows the Linux distribution, kernel version and host name. For a machine with high security requirements this leaks too much. Edit /etc/rc.d/rc.local and comment out the following lines, which regenerate /etc/issue at every boot:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then replace the generated banners with empty files:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

3. Limit network access

3.1 NFS access

If you run the NFS network file system service, make sure /etc/exports grants the most restrictive access possible: no wildcards in host names, no root write access, and read-only mounts wherever you can. Edit /etc/exports and add lines of the form:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory being exported, host1.mydomain.com and host2.mydomain.com are the only machines allowed to mount it, ro exports it read-only, and root_squash maps requests from the client's root user to the anonymous user (nobody), so root on the client gets no special privileges on the export. root_squash is the default on Linux NFS servers, but stating it explicitly guards against it being turned off by a later edit. To make the change take effect, run:

# /usr/sbin/exportfs -a

(Use exportfs -ra if you also removed entries, so that the old exports are dropped.)

3.2 inetd settings

First make sure /etc/inetd.conf is owned by root and has mode 600, then verify the owner and mode by listing the file:

# chmod 600 /etc/inetd.conf
# ls -l /etc/inetd.conf

Then edit /etc/inetd.conf and disable the following services by commenting out their lines:

ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have ssh/scp installed, you can do without Telnet and FTP entirely. To make the change take effect, signal inetd to re-read its configuration:

# killall -HUP inetd

By default most Linux systems accept connections from anywhere, and TCP_WRAPPERS is an easy way to tighten that: edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to

ALL: ALL

denies access to every wrapped service by default.
Then add the permitted clients to /etc/hosts.allow. For example,

sshd: 192.168.1.0/255.255.255.0 gate.openarch.com

allows SSH connections from every host on the 192.168.1.0/24 network and from the host gate.openarch.com. Note the net/mask rule from hosts_access(5): a pattern n.n.n.n/m.m.m.m matches a client when the bitwise AND of the client address and the mask equals n.n.n.n, so the left-hand side must be the network address. Writing 192.168.1.10/255.255.255.0 never matches anything, because 192.168.1.10 AND 255.255.255.0 is 192.168.1.0; to allow that single host, write its address on its own: sshd: 192.168.1.10 gate.openarch.com. After editing, check the configuration with tcpdchk:

# tcpdchk

tcpdchk is the TCP_WRAPPERS configuration checker: it examines the wrapper configuration and reports any potential or actual problems it finds. Remember that hosts.allow and hosts.deny only govern services started through tcpd or daemons that link against libwrap; recent OpenSSH releases no longer link against libwrap, so on such systems restrict sshd in sshd_config or the firewall instead.

3.3 Login terminal settings

The /etc/securetty file lists the tty devices on which root may log in. It is read by /bin/login, and its format is simply one device name per line. Edit /etc/securetty and comment out every entry except tty1:

tty1
#tty2
#tty3
#tty4
#tty5
#tty6

Afterwards root can log in only on the tty1 console.

3.4 Avoid displaying system and version information

If you do not want remote users to see the system and version information at the telnet prompt, change the telnet line in /etc/inetd.conf to:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

The -h flag suppresses the banner, so in.telnetd prints only "login:". Signal inetd with killall -HUP inetd afterwards, as above.

4. Preventing attacks

4.1 Block ping

If nobody can ping your system, its exposure is reduced: it is invisible to simple ping sweeps, although a port scan will still find it. Add the following line to /etc/rc.d/rc.local:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

On systems with /etc/sysctl.conf, set net.ipv4.icmp_echo_ignore_all = 1 there instead, so that the setting survives reboots. Bear in mind that your own monitoring systems also lose the ability to ping the host.

4.2 Prevent IP spoofing

Edit /etc/host.conf and add the following lines:

order bind,hosts
multi off
nospoof on

nospoof on makes the resolver verify that the host name obtained by a reverse lookup resolves back to the same address, which defeats an attacker who controls the reverse DNS for their address and presents a trusted host name; this is the kind of spoofing that host-name based access rules such as those in hosts.allow are exposed to. It does nothing about forged source addresses in IP packets; for those, enable reverse-path filtering in the kernel (net.ipv4.conf.all.rp_filter = 1) and filter private address ranges at the border. On current glibc systems the lookup order is configured in /etc/nsswitch.conf, and the order keyword here is ignored.

4.3 Preventing DoS attacks

Setting resource limits for all users of the system, such as the maximum number of processes and the amount of memory a user can consume, blunts local denial-of-service attacks such as a fork bomb or a runaway process. For example, add lines of the following form to /etc/security/limits.conf (reconstructed from the description that follows: no core files, at most 50 processes, at most 5 MB of memory):

* hard core 0
* hard rss 5000
* hard nproc 50
Then edit /etc/pam.d/login and make sure it contains the following line, so that the limits are applied at login:

session required /lib/security/pam_limits.so

These limits disable core dumps (the "debugging files"), cap each user at 50 processes and at 5 MB of memory. Two caveats: current Linux kernels do not enforce the rss limit, so use as (address space) if you need a memory cap; and pam_limits only affects sessions opened through a PAM service that lists it, so add the same line to /etc/pam.d/sshd and any other login service, not just login. Wildcard entries are not applied to root, so name root explicitly if it should be limited too.

After these settings your Linux server is protected against most of the known issues and network attacks described above, but a good system administrator still needs to follow security news and patch exposed and potential vulnerabilities promptly.
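The log check in section 1 is a one-off grep. The following shell script, an added example that is not part of the original article, turns it into a small report: it extracts the client address from tcpd refusals and sshd password failures, counts events per address and lists the addresses that cross a threshold. SAMPLE_LOG is constructed for this example in the usual syslog message formats; it comes from no real system, and the file to feed in on a real host (/var/log/secure or /var/log/auth.log) is an assumption about your syslog setup.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the refused
# connections and failed logins in a /var/log/secure style log.  SAMPLE_LOG
# is constructed for this example; its lines follow the usual tcpd and sshd
# message formats but come from no real system.

SAMPLE_LOG='Mar  3 02:11:07 srv in.telnetd[2104]: refused connect from 203.0.113.7
Mar  3 02:11:09 srv in.telnetd[2105]: refused connect from 203.0.113.7
Mar  3 02:12:41 srv in.ftpd[2110]: refused connect from 198.51.100.9
Mar  3 02:13:02 srv sshd[2120]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 02:13:05 srv sshd[2120]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 02:14:30 srv sshd[2131]: Accepted publickey for admin from 192.0.2.10 port 51002 ssh2
Mar  3 02:15:00 srv in.telnetd[2140]: connect from trusted.example.com'

# suspect_addresses: read a log on stdin and print the client address of
# every tcpd refusal ("refused connect from X") and every sshd password
# failure ("Failed password for U from X port P"), one per line.
suspect_addresses() {
    awk '/refused connect from/ { print $NF }
         /Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }'
}

# events_by_address: "count address" lines, busiest address first.
events_by_address() {
    suspect_addresses | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders [N]: addresses with at least N suspect events (default 2),
# i.e. the candidates for a hosts.deny entry or a firewall rule.
offenders() {
    events_by_address | awk -v n="${1:-2}" '$1 >= n { print $2 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | events_by_address
```

On a real host, run events_by_address < /var/log/secure (or the file your syslog writes) and feed the output of offenders into whatever blocking mechanism you use; the threshold keeps a single mistyped password from being treated as an attack.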
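Section 3.2 lists the inetd services to disable but leaves the audit to the reader. The following script, an added example that is not part of the original article, parses an inetd.conf, reports which of the listed services are still active, and emits a copy with those entries commented out. INETD_CONF is a constructed sample, not a file from any real system; the list of service names is the article's own.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an inetd.conf for
# the services the article says to disable, and emit a copy with those
# entries commented out.  INETD_CONF is a constructed sample, not a real file.

INETD_CONF='# <service> <socket> <proto> <flags> <user> <server> <args>
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger   stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
time     stream  tcp     nowait  root    internal'

# The list from section 3.2 of the article.
UNWANTED='ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth'

# enabled_services: service names from every active (non-comment) entry on
# stdin.  A valid inetd.conf entry has at least six fields; shorter lines
# (blank lines, stray text) are ignored.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }'
}

# unwanted_enabled: the active services that are on the UNWANTED list, sorted.
unwanted_enabled() {
    enabled_services | while IFS= read -r svc; do
        case " $UNWANTED " in *" $svc "*) echo "$svc" ;; esac
    done | sort
}

# disable_unwanted: copy of the configuration on stdin with every active
# UNWANTED entry turned into a comment; everything else passes through.
disable_unwanted() {
    awk -v list="$UNWANTED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        !/^[ \t]*#/ && ($1 in bad) { print "#" $0; next }
        { print }'
}

# Stand-alone run against the constructed sample: prints the services that
# are still enabled but should not be.
printf '%s\n' "$INETD_CONF" | unwanted_enabled
```

On a real system, run unwanted_enabled < /etc/inetd.conf to see what is left, write the output of disable_unwanted to a new file, diff it against the original before installing it, and then send inetd the HUP signal as in section 3.2.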
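The hosts.allow discussion in section 3.2 hinges on how tcpd evaluates a net/mask pattern. The following script, an added example that is not part of the original article or of the TCP_WRAPPERS package, models the access decision from hosts_access(5) (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted) for the pattern forms the article uses: ALL, a host name, a plain address and a net/mask pair. EXCEPT lists, domain suffixes and shell commands are not modelled, and the real tcpd also verifies the client's host name against its address before comparing names. The two rule sets are constructed for this example; the in.ftpd line deliberately repeats the mistaken net/mask form so that the effect can be seen.

```shell
#!/bin/sh
# Added example, not part of the original article: a small model of how tcpd
# decides access, following the rules in hosts_access(5).  Only the pattern
# forms used in the article are modelled.  HOSTS_ALLOW and HOSTS_DENY are
# constructed for this example; the in.ftpd line repeats the article's
# mistaken "host/mask" pattern on purpose.

HOSTS_ALLOW='sshd: 192.168.1.0/255.255.255.0 gate.openarch.com
in.ftpd: 192.168.1.10/255.255.255.0'
HOSTS_DENY='ALL: ALL'

# ip4_to_int DOTTED: print the address as an integer; fail if it is not an
# IPv4 dotted quad (so a host name is never mistaken for a network).
ip4_to_int() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN CLIENT: CLIENT is the address (for net/mask and
# address patterns) or the verified host name (for name patterns).
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        */*)
            # net/mask matches when (client & mask) == net, so the left-hand
            # side must be the network address, not a host inside it.
            net=$(ip4_to_int "${1%/*}") || return 1
            mask=$(ip4_to_int "${1#*/}") || return 1
            addr=$(ip4_to_int "$2") || return 1
            [ $(( addr & mask )) -eq "$net" ] ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# line_matches LINE DAEMON CLIENT: LINE is "daemon_list : client_list".
line_matches() {
    dlist=${1%%:*} clist=${1#*:} dmatch=1
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
        case $d in ALL|"$2") dmatch=0 ;; esac
    done
    [ $dmatch -eq 0 ] || return 1
    for c in $(printf '%s' "$clist" | tr ',' ' '); do
        pattern_matches "$c" "$3" && return 0
    done
    return 1
}

# any_line_matches RULES DAEMON CLIENT: succeed on the first non-comment
# line of RULES that matches.
any_line_matches() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if line_matches "$line" "$2" "$3"; then return 0; fi
    done <<EOF
$1
EOF
    return 1
}

# access_decision DAEMON CLIENT: prints "allow" or "deny".
access_decision() {
    if any_line_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif any_line_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

for client in 192.168.1.10 gate.openarch.com 10.0.0.5; do
    echo "sshd from $client: $(access_decision sshd "$client")"
done
echo "in.ftpd from 192.168.1.10: $(access_decision in.ftpd 192.168.1.10)"
```

The last line is the point of the exercise: with hosts.deny set to ALL: ALL, the in.ftpd rule written as 192.168.1.10/255.255.255.0 lets nobody in, including the host it was meant for, because 192.168.1.10 AND 255.255.255.0 is 192.168.1.0, not 192.168.1.10. A silently dead allow rule is easy to miss until someone is locked out, which is why running tcpdchk after every edit is worth the habit.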