Linux and Unix server security details

  • 2021-01-14 07:41:00
  • OfStack

Network security is a very important topic, and the server is the most important link in it. Linux is regarded as a relatively secure Internet server. Because it is an open source operating system, once a security flaw is found in Linux it is quickly patched by volunteers from all over the world. However, system maintainers are often unable to obtain this information and apply the corrections in time, which gives attackers an opening. Compared with security holes in the system itself, far more security problems are caused by improper configuration and can be prevented by configuring the system properly. The more services a server runs, the more opportunities there are for misconfiguration, and the greater the chance of a security problem.

As we all know, network security is a very important topic, and Linux and Unix are among the most widely used server operating systems. The following sections describe configuration changes that prevent common security problems and harden a Linux/Unix server.

1. System safety record file

The operating system's internal log files are an important clue for detecting whether a network intrusion has taken place. If your system is directly connected to the Internet and you find that many people are trying to log in over Telnet/FTP, you can run "# more /var/log/secure | grep refused" to check for attacks on your system and take countermeasures, such as using SSH instead of Telnet/rlogin.
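The check above, turned into a small script that counts refused connections per source address. This is an added example, not code from the original article; the log lines are constructed in the format tcp_wrappers writes to /var/log/secure ("refused connect from <address>"), not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the refused
# connection attempts that tcp_wrappers records in /var/log/secure, so the
# "many people trying to log in" signal becomes a per-source count.

# Number of log lines that record a refused connection.
refused_count() {
    grep -c 'refused connect from' "$1"
}

# "count source" pairs, most frequent source first.
refused_sources() {
    grep 'refused connect from' "$1" \
        | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Constructed sample in /var/log/secure format (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 14 07:41:00 srv in.telnetd[2101]: refused connect from 10.0.0.5
Jan 14 07:41:03 srv in.ftpd[2102]: refused connect from 10.0.0.5
Jan 14 07:42:10 srv sshd[2110]: Accepted password for admin from 192.168.1.10
Jan 14 07:45:22 srv in.telnetd[2133]: refused connect from 10.0.0.7
EOF

refused_count "$SAMPLE_LOG"    # 3
refused_sources "$SAMPLE_LOG"  # 2 10.0.0.5
                               # 1 10.0.0.7
```

Point the functions at the real /var/log/secure to get the same summary for a live system.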

2. Startup and login security

1. BIOS security

Set a BIOS password and change the boot order to prohibit booting the system from a floppy disk.

2. User password

The user password is the basic starting point of Linux security. Many users choose passwords that are far too simple, which is equivalent to opening the door to an intruder. Although in theory no password is uncrackable given enough time and resources, a properly chosen password is difficult to crack. A good password is a string that only the user can easily remember and understand, and that should never be written down anywhere.

3. The default account

This should be done the first time you install the system. Linux provides many default accounts, and the more accounts you have, the more vulnerable your system is to attack.

You can delete the account with the following command.


# userdel username

Or delete the group user account with the following command.


# groupdel username

4. Password file

The chattr command prevents unauthorized users from gaining permissions by adding immutable attributes to the following files.


# chattr +i /etc/passwd

# chattr +i /etc/shadow

# chattr +i /etc/group

# chattr +i /etc/gshadow

5. Disallow Ctrl+Alt+Delete restart machine command

Edit /etc/inittab and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:


# chmod -R 700 /etc/rc.d/init.d/*

This allows only root to read, write, or execute all of the above script files.

6. Restrict the su command

If you don't want anyone to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:


auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=isd

At this point, only users in the isd group can use su to become root. Thereafter, if you want user admin to be able to su to root, run the following command:


# usermod -G10 admin

7. Delete login information

By default, the login prompt shows the Linux distribution, the kernel version and the server hostname. That is too much information for a machine with high security requirements. You can edit /etc/rc.d/rc.local and comment out the lines that output the system information, as follows.


# This will overwrite /etc/issue at every boot. So make any changes you

# want to make to /etc/issue here or you will lose them when you reboot.

# echo "" > /etc/issue

# echo "$R" >> /etc/issue

# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

# cp -f /etc/issue /etc/issue.net

# echo >> /etc/issue

Then, do the following:


# rm -f /etc/issue

# rm -f /etc/issue.net

# touch /etc/issue

# touch /etc/issue.net

3. Limit network access

1. NFS access

If you use the NFS network file system service, make sure that /etc/exports has the strictest possible access settings: do not use any wildcards, do not allow root write permission, and export file systems read-only. Edit /etc/exports and add the following two lines.


/dir/to/export host1.mydomain.com(ro,root_squash)

/dir/to/export host2.mydomain.com(ro,root_squash)

ro means the client mounts it as a read-only file system. root_squash prevents root from writing to this directory. host1.mydomain.com and host2.mydomain.com are the only clients allowed to mount it. To make the changes take effect, run the following command.


# /usr/sbin/exportfs -a
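To check that an existing /etc/exports actually follows these rules, the following added script (not from the original article) audits each entry for wildcard clients, a missing ro option and a missing root_squash option. The two sample files are constructed here; run the function on the real /etc/exports to audit a live system.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an /etc/exports file
# against the rules above (no wildcard clients, read-only, root_squash).
# Prints one line per violation and returns 1 if any was found, 0 otherwise.
audit_exports() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
        {
            dir = $1
            if (NF < 2) { print dir ": exported to every client"; bad = 1; next }
            for (i = 2; i <= NF; i++) {             # one client(options) entry per field
                client = $i; opts = ""
                if (match($i, /\(.*\)/)) {
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (client == "" || client ~ /[*?]/) { print dir ": wildcard client \"" $i "\""; bad = 1 }
                ro = 0; squash = 0
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) { if (o[j] == "ro") ro = 1; if (o[j] == "root_squash") squash = 1 }
                if (!ro)     { print dir ": " client " is not read-only"; bad = 1 }
                if (!squash) { print dir ": " client " lacks explicit root_squash"; bad = 1 }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample files (not taken from a real system).
WEAK_EXPORTS=$(mktemp); GOOD_EXPORTS=$(mktemp)
trap 'rm -f "$WEAK_EXPORTS" "$GOOD_EXPORTS"' EXIT
cat > "$WEAK_EXPORTS" <<'EOF'
/home *(rw,no_root_squash)
/pub host1.mydomain.com
EOF
cat > "$GOOD_EXPORTS" <<'EOF'
# hardened entries, as recommended above
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
EOF

audit_exports "$WEAK_EXPORTS" || echo "weak exports rejected"   # 5 violations
audit_exports "$GOOD_EXPORTS" && echo "hardened exports accepted"
```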

2. Inetd Settings

First verify that the owner of /etc/inetd.conf is root and that the file permissions are set to 600. Once that is done, you can use the "stat" command to check.



Then, edit /etc/inetd.conf to disable the following services.



If you have ssh/scp installed, you can also disable Telnet/FTP. To make the changes take effect, run the following command:



By default, most Linux systems allow all requests, and using TCP_WRAPPERS to improve system security is straightforward. You can edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to "ALL: ALL" denies all access by default. Then add the permitted access in /etc/hosts.allow. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" allows the IP address 192.168.1.10 and the host named gate.openarch.com to connect over SSH.

After the configuration is complete, you can check with tcpdchk:


# tcpdchk 

tcpdchk is the TCP_Wrapper configuration checker; it checks your tcp wrapper configuration and reports any potential or existing problems it finds.

3. Login Terminal Settings

The file /etc/securetty specifies the tty devices from which root is allowed to log in. It is read by /bin/login as a list of allowed names. You can edit /etc/securetty and comment out the following lines.



After this, root can only log in from the tty1 terminal.

4. Avoid displaying system and version information.

If you don't want remote login users to see the system and version information, change the /etc/inetd.conf file as follows:



-h means that telnet does not display system information and simply shows "login:".

4. Prevent attacks

1. Block ping

If no one can ping your system, security naturally increases. Therefore, you can add the following line to the /etc/rc.d/rc.local file:



2. Prevent IP spoofing

Edit the /etc/host.conf file and add the following lines to prevent IP spoofing attacks.



3. Prevent DoS attacks

Setting resource limits for all users of the system, such as the maximum number of processes and the amount of memory used, prevents DoS-type attacks. For example, you can add the following lines to /etc/security/limits.conf:


* hard core 0

* hard rss 5000

* hard nproc 20

Then edit /etc/pam.d/login and check that the following line exists.


session required /lib/security/pam_limits.so

The above settings disable core (debugging) files, limit the number of processes to 50, and limit memory usage to 5MB.

After the above settings, your Linux server is protected against the vast majority of known security problems and network attacks, but a good system administrator must still keep an eye on network security developments and promptly fix vulnerabilities, both those already disclosed and potential ones.
