How to set up a secure Linux server tutorial

  • 2020-05-06 12:03:13
  • OfStack

To set up a secure Linux server, you first need to understand the meaning of the configuration files related to network services in the Linux environment and how to configure them securely. In the Linux system, the TCP/IP network is configured with several text files that you may need to edit to complete networking, but most of these files can be configured with the linuxconf command (the network part can be configured with the netconf command). The basic TCP/IP network configuration file is described below.

* /etc/conf.modules file

This configuration file defines the parameters of the modules that need to be loaded at boot time. The main focus here is the configuration of the network cards. When Linux acts as a gateway, the server needs at least two network cards. To minimize problems at boot, the Linux kernel does not automatically detect multiple network cards. On systems where the network card drivers are not compiled into the kernel but loaded dynamically as modules, multiple network cards must be configured in the "conf.modules" file.

If the device driver is compiled as a kernel module: for PCI devices, the module automatically detects all such devices installed in the system. For an ISA card, the I/O address must be given to the module so that it knows where to find the card; this is done in "/etc/conf.modules".

For example, with two ISA-bus 3c509 cards, one at I/O address 0x300 and the other at 0x320, edit the "conf.modules" file as follows:

alias eth0 3c509
alias eth1 3c509
options 3c509 io=0x300,0x320

The options line tells the driver where to find each card when the module is loaded; the "0x" prefix is mandatory.

For PCI cards only the alias line is needed, to associate ethN with the right driver module; the I/O address of a PCI card is detected automatically. For PCI cards, edit the "conf.modules" file as follows:

alias eth0 3c905
alias eth1 3c905

If the driver has been compiled into the kernel, the PCI probe finds all the relevant network cards when the system boots. ISA cards are usually detected automatically as well, but in some cases an ISA card still needs the following configuration:

Add the information to "/etc/lilo.conf" so that LILO passes boot parameters to the kernel. For ISA cards, edit "lilo.conf" and add the following line:

append="ether=0,0,eth0 ether=0,0,eth1"

With these boot parameters, eth0 and eth1 are assigned in the order in which the cards are discovered at boot.

* /etc/HOSTNAME
This file contains the host name of the system, including the full domain name, for example:

deep.openarch.com

* /etc/sysconfig/network-scripts/ifcfg-ethN
In Red Hat, the configuration files for the system's network devices are kept in the directory "/etc/sysconfig/network-scripts": ifcfg-eth0 holds the configuration of the first network card, ifcfg-eth1 that of the second.

Here is an example of the file "/etc/sysconfig/network-scripts/ifcfg-eth0":

DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no

To change a network address by hand or to add a new network interface, edit the corresponding file (ifcfg-ethN) or create a new one. The keys have the following meaning:

DEVICE=name  name is the name of the physical device
IPADDR=addr  addr is the IP address assigned to the card
NETMASK=mask  mask is the network mask
NETWORK=addr  addr is the network address
BROADCAST=addr  addr is the broadcast address
ONBOOT=yes/no  whether to bring the card up at boot
BOOTPROTO=proto  proto is one of:
  none: no boot-time protocol is used (the address is set statically)
  bootp: the bootp protocol is used
  dhcp: the dhcp protocol is used
USERCTL=yes/no  whether non-root users may control the interface
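Before restarting the network it is worth checking that an ifcfg-ethN file is internally consistent: a NETWORK or BROADCAST value that does not follow from IPADDR and NETMASK, or USERCTL left at yes, is easy to miss by eye. The following script is an added example, not code from the original article; the helper names (cfg_get, ip2int, int2ip, check_ifcfg) and both sample files are constructed here, and the check assumes the plain KEY=value layout shown above.

```shell
#!/bin/sh
# Added example, not code from the original article: check an ifcfg-ethN file
# for internal consistency before restarting the network. The two sample
# files are constructed here; the helper names are ours.

# Value of KEY in FILE (first match; the files use plain KEY=value lines).
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Dotted-quad -> integer, so netmask arithmetic can be done with $(( )).
ip2int() {
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted-quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Returns 0 if FILE is consistent, 1 otherwise; each finding is printed.
check_ifcfg() {
    f=$1; rc=0
    for k in DEVICE IPADDR NETMASK; do
        [ -n "$(cfg_get "$f" "$k")" ] || { echo "$f: $k is missing"; rc=1; }
    done
    ip=$(cfg_get "$f" IPADDR); mask=$(cfg_get "$f" NETMASK)
    if [ -n "$ip" ] && [ -n "$mask" ]; then
        m=$(ip2int "$mask")
        net=$(int2ip $(( $(ip2int "$ip") & m )))
        bcast=$(int2ip $(( $(ip2int "$net") | (m ^ 4294967295) )))
        want=$(cfg_get "$f" NETWORK)
        [ -z "$want" ] || [ "$want" = "$net" ] ||
            { echo "$f: NETWORK=$want but $ip/$mask gives $net"; rc=1; }
        want=$(cfg_get "$f" BROADCAST)
        [ -z "$want" ] || [ "$want" = "$bcast" ] ||
            { echo "$f: BROADCAST=$want but $ip/$mask gives $bcast"; rc=1; }
    fi
    # USERCTL=yes lets any local user bring the interface up or down.
    [ "$(cfg_get "$f" USERCTL)" != yes ] ||
        { echo "$f: USERCTL=yes lets non-root users control $(cfg_get "$f" DEVICE)"; rc=1; }
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD_CFG=$WORK/ifcfg-eth0
BAD_CFG=$WORK/ifcfg-eth1

# Constructed sample: the article's eth0 example.
cat > "$GOOD_CFG" <<'EOF'
DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
EOF

# Constructed sample: a /25 subnet with a broadcast copied from a /24 file,
# and user control left enabled.
cat > "$BAD_CFG" <<'EOF'
DEVICE=eth1
IPADDR=192.168.10.5
NETMASK=255.255.255.128
NETWORK=192.168.10.0
BROADCAST=192.168.10.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=yes
EOF

for f in "$GOOD_CFG" "$BAD_CFG"; do
    check_ifcfg "$f" && echo "$f: consistent"
done
```

Run it against a real file with check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0; a non-zero exit means at least one finding was printed. The second sample produces two findings: the stale BROADCAST (the /25 gives 192.168.10.127) and USERCTL=yes.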

* /etc/resolv.conf
This file configures the domain name resolver (the library that turns host names into IP addresses), for example:

search openarch.com
nameserver 208.164.186.1
nameserver 208.164.186.2

"search domainname.com" means that when a host name is given without the full domain name, the suffix domainname.com is appended to it; "nameserver" names the host that is queried as the name server when resolving a name. The name servers are queried in the order in which they appear in the file.
* /etc/host.conf
This file specifies how host names are resolved. Linux uses the resolver library to obtain the IP address for a host name. Here is an example of "/etc/host.conf":

order bind,hosts
multi on
nospoof on

"order bind,hosts" specifies the order in which the sources are queried: here DNS is consulted first and then the "/etc/hosts" file (the order can be reversed).

"multi on" specifies whether a host listed in "/etc/hosts" may have several addresses. A host with several IP addresses is usually called a multi-homed host.

"nospoof on" means that the server must not be fooled by a spoofed IP address: after resolving an address, the resolver looks the resulting name up again and rejects the answer if the two lookups disagree. IP spoofing is an attack in which one computer disguises its IP address as another's to gain the trust of other computers.

* /etc/sysconfig/network
This file holds the network configuration of the server as a whole. Here is an example:

NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=deep.openarch.com
GATEWAY=0.0.0.0
GATEWAYDEV=

The keys have the following meaning:

NETWORKING=yes/no  whether networking is enabled
FORWARD_IPV4=yes/no  whether to enable IP forwarding (only needed when the machine routes between networks, as in the gateway case above; leave it off on an ordinary server)
HOSTNAME=hostname  the host name
GATEWAY=addr  the address of the default gateway
GATEWAYDEV=dev  the interface through which the gateway is reached, such as eth0

Note: for compatibility with older software, the "/etc/HOSTNAME" file should contain the same host name as HOSTNAME=hostname.

* /etc/hosts file
When the machine boots, it needs to look up some mappings between host names and IP addresses before it can query DNS. These mappings are stored in the /etc/hosts file. In the absence of a DNS server, all network programs on the system consult this file to resolve the IP address of a host name.

Here is an example of a "/etc/hosts" file:

IP address      Host name           Alias
127.0.0.1       localhost           gate.openarch.com
208.164.186.1   gate.openarch.com   gate

The leftmost column is the host's IP address and the middle column is its host name; any further columns are aliases for the host. Once the machine's network configuration files are set, the network must be restarted for the changes to take effect, with the following command:

/etc/rc.d/init.d/network restart
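The note above about keeping /etc/HOSTNAME and the HOSTNAME= line in step is easy to verify, and a third place worth checking is /etc/hosts, since a host whose own name has no entry there cannot resolve itself once DNS is unreachable. The script below is an added example, not code from the original article: hosts_lookup and check_hostname are our helper names, the three sample files are constructed here, and the file paths are parameters so that on a real host you would call check_hostname /etc/HOSTNAME /etc/sysconfig/network /etc/hosts.

```shell
#!/bin/sh
# Added example, not code from the original article: verify that the host
# name agrees across /etc/HOSTNAME, the HOSTNAME= line of
# /etc/sysconfig/network and /etc/hosts. The helper names are ours and the
# sample files are constructed; on a real host pass the real paths.

# Print the address of every line in HOSTS_FILE whose name or aliases
# include NAME (comments and blank lines are skipped).
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }
    ' "$1"
}

# Returns 0 when the three files agree, 1 otherwise; findings are printed.
check_hostname() {
    hn_file=$1; net_file=$2; hosts_file=$3; rc=0
    from_file=$(head -n 1 "$hn_file")
    from_net=$(sed -n 's/^HOSTNAME=//p' "$net_file" | head -n 1)
    [ "$from_file" = "$from_net" ] ||
        { echo "mismatch: $hn_file has '$from_file', $net_file has '$from_net'"; rc=1; }
    # /etc/HOSTNAME is expected to carry the full domain name.
    case $from_file in
        *.*) ;;
        *) echo "$hn_file: '$from_file' is not a fully qualified name"; rc=1 ;;
    esac
    addrs=$(hosts_lookup "$hosts_file" "$from_file")
    if [ -z "$addrs" ]; then
        echo "$hosts_file: no entry for '$from_file'; the name will not resolve without DNS"; rc=1
    fi
    return $rc
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOSTS=$WORK/hosts; NET=$WORK/network
HN_OK=$WORK/HOSTNAME.ok; HN_BAD=$WORK/HOSTNAME.bad

# Constructed samples in the same shape as the article's examples.
cat > "$HOSTS" <<'EOF'
127.0.0.1       localhost
208.164.186.1   deep.openarch.com   deep
EOF
cat > "$NET" <<'EOF'
NETWORKING=yes
FORWARD_IPV4=no
HOSTNAME=deep.openarch.com
EOF
echo deep.openarch.com > "$HN_OK"
echo gate > "$HN_BAD"   # short name that matches nothing

check_hostname "$HN_OK" "$NET" "$HOSTS" && echo "consistent"
check_hostname "$HN_BAD" "$NET" "$HOSTS" || echo "inconsistent"
```

The second run reports three findings: the two files disagree, the name in /etc/HOSTNAME is not fully qualified, and /etc/hosts has no line for it.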

* /etc/inetd.conf
As everyone knows, the more service ports a server has open, the harder it is to guarantee the security and stability of the system. A server that provides particular services should therefore open only the ports those services need and shut down everything unrelated: for example, a machine serving as a www and FTP server should open only ports 80 and 25, and other services such as finger and auth should be turned off, so as to reduce the system's exposure.

inetd, also called the "super server", is a daemon that listens for network requests and starts the corresponding service process to handle each connection. inetd.conf is its configuration file: it tells inetd which ports to listen on and which service to start for each port. The first thing to do when running a Linux system in any network environment is to know exactly which services the server offers. Unneeded services should be disabled, and preferably uninstalled, so that attackers have fewer ways into the system. Look through "/etc/inetd.conf" to see which services inetd offers. Disable any unwanted service by commenting its line out (a # at the start of the line) and then send a SIGHUP signal to the inetd process.

Step 1: set the file permissions to 600.

chmod 600 /etc/inetd.conf

Step 2: make sure the owner of the file is root.

[root@deep]# stat /etc/inetd.conf

Step 3: edit the "inetd.conf" file (vi /etc/inetd.conf) and disable all unwanted services, such as ftp, telnet, shell, login, talk, ntalk, imap, pop-2, pop-3, finger and auth. If you find some of these services useful you need not disable them, but with them disabled the system is much less exposed. The relevant part of the changed "inetd.conf" file looks like this:

# To re-read this file after changes just do a 'killall -HUP inetd'
#
#echo     stream  tcp  nowait  root  internal
#echo     dgram   udp  wait    root  internal
#chargen  stream  tcp  nowait  root  internal
#chargen  dgram   udp  wait    root  internal
#
# These are standard services.
#
#ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
#login    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
#talk     dgram   udp  wait    root  /usr/sbin/tcpd  in.talkd
#ntalk    dgram   udp  wait    root  /usr/sbin/tcpd  in.ntalkd
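Steps 1 to 3 above are a checklist, and a checklist is best turned into something that can be re-run after every change. The script below is an added example, not code from the original article: it audits an inetd.conf for the three conditions (mode 600, owner root, none of the listed services left enabled) and comments the unwanted services out. The helper names (enabled_services, audit_inetd, disable_unwanted) are ours, the sample file is constructed in the Red Hat inetd.conf layout, and the expected owner is a parameter only so that the constructed sample can be checked by whoever runs the script; on a real host it defaults to root.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an inetd.conf
# against steps 1-3 (mode 600, owned by root, no unwanted service enabled)
# and comment the unwanted services out. The sample file is constructed and
# the helper names are ours.

# Services the article says a typical server should not offer via inetd.
UNWANTED="ftp telnet shell login talk ntalk imap pop-2 pop-3 finger auth"

# Print the service name of every line that is not commented out or blank.
enabled_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Returns 0 if FILE passes, 1 otherwise. EXPECTED_OWNER defaults to root;
# it is a parameter only so the constructed sample can be checked here.
audit_inetd() {
    f=$1; owner_ok=${2:-root}; rc=0
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
    [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600"; rc=1; }
    [ "$owner" = "$owner_ok" ] || { echo "$f: owned by $owner, expected $owner_ok"; rc=1; }
    for svc in $(enabled_services "$f"); do
        case " $UNWANTED " in
            *" $svc "*) echo "$f: $svc is enabled; comment it out and send inetd a SIGHUP"; rc=1 ;;
        esac
    done
    return $rc
}

# Comment out every unwanted service in FILE and set mode 600.
# On a real host follow this with: chown root FILE; killall -HUP inetd
disable_unwanted() {
    f=$1; tmp=$f.tmp; expr=
    for svc in $UNWANTED; do
        expr="$expr -e s/^[[:space:]]*$svc[[:space:]]/#&/"
    done
    sed $expr "$f" > "$tmp" && mv "$tmp" "$f"
    chmod 600 "$f"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOOSE=$WORK/inetd.conf.loose
HARDENED=$WORK/inetd.conf.hardened

# Constructed sample in Red Hat inetd.conf layout, with two services enabled.
cat > "$LOOSE" <<'EOF'
# To re-read this file after changes just do a 'killall -HUP inetd'
#echo    stream  tcp  nowait  root    internal
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
chmod 644 "$LOOSE"
cp "$LOOSE" "$HARDENED"
disable_unwanted "$HARDENED"

ME=$(id -un)
audit_inetd "$LOOSE" "$ME" || echo "$LOOSE: fails audit"
audit_inetd "$HARDENED" "$ME" && echo "$HARDENED: passes audit"
```

The loose copy fails on its 644 mode and on the enabled telnet and auth entries; the hardened copy, with those two lines commented out and mode 600, passes. On a real system run audit_inetd /etc/inetd.conf (owner check defaults to root) and remember that inetd only picks the edited file up after the SIGHUP.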
