Operation and Maintenance
Linux Operation and Maintenance
How to Enhance the Security of Linux and Unix Servers
How to Enhance the Security of Linux and Unix Servers
1. System security record files
The record files inside the operating system are important clues to detect whether there is a network intrusion. If your system is directly connected to the Internet and you find that there are many people making telnet/ftp login attempts to your system, you can run "#more /var/log/secure grep refused" to check the attacks on the system so that you can take action Corresponding countermeasures, such as using ssh to replace telnet/rlogin, etc.
2. Startup and login security
1. bios security
Set the bios password and modify the boot sequence to prohibit booting the system from a floppy disk.
2. User password
User password is a basic starting point for Linux security. The user password used by many people is too simple, which opens the door to intruders. Although in theory, as long as there are enough time and resources, it can With the help of Internet Security, there is no user password that cannot be cracked, but a properly chosen password is difficult to crack. A better user password is a string of characters that only he can easily remember and understand, and should never be written out anywhere.
3. The default account
should prohibit all unnecessary accounts that are started by the operating system itself. This should be done when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the better The more vulnerable the system becomes to attack.
You can use the following command to delete the account.
# userdel用户名
Or use the following command to delete the group user account.
# groupdel username
4. Password file
chattr command adds unchangeable attributes to the following file to prevent unauthorized users from gaining permissions.
# chattr +i /etc/passwd # chattr +i /etc/shadow # chattr +i /etc/group # chattr +i /etc/gshadow
5. Disable the ctrl alt delete command to restart the machine
Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory and run the following command:
# chmod -r 700 /etc/rc.d/init.d/*
In this way, only root can read, write or execute all the above script files.
6. Restrict the su command
If you don’t want anyone to be able to su as root, you can edit the /etc/pam.d/su file and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug auth required /lib/security/pam_wheel.so group=isd
At this time, only the isd group Users can su as root. Afterwards, if you want user admin to be able to su as root, you can run the following command:
# usermod -g10 admin
7. Delete login information
By default, the login prompt information includes the Linux distribution version, kernel version name, server host name, etc. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local to comment out the following lines that output system information.
# this will overwrite /etc/issue at every boot. so, make any changes you # want to make to /etc/issue here or you will lose them when you reboot. # echo "" > /etc/issue # echo "$r" >> /etc/issue # echo "kernel $(uname -r) on $a $(uname -m)" >> /etc/issue # cp -f /etc/issue /etc/issue.net # echo >> /etc/issue
Then, perform the following operations:
# rm -f /etc/issue # rm -f /etc/issue.net # touch /etc/issue # touch /etc/issue.net
3. Restrict network access
1. nfs access
If you use the nfs network file system service, you should ensure that your /etc/exports has the most restrictive access permission settings, which means do not use any wildcards, do not allow root write permissions, and only Mounted as a read-only file system. Edit the file /etc/exports and add the following two lines.
/dir/to/export host1.mydomain.com(ro,root_squash) /dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to output, host.mydomain.com is the name of the machine logged into this directory, ro means mount as a read-only system, and root_squash prohibits root from writing to the directory. In order for the changes to take effect, run the following command.
# /usr/sbin/exportfs -a
2. inetd settings
First make sure that the owner of /etc/inetd.conf is root and the file permissions are set to 600. After the settings are completed, you can use the "stat" command to check.
# chmod 600 /etc/inetd.conf
Then, edit /etc/inetd.conf to disable the following services.
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have ssh/scp installed, you can also disable telnet/ftp. In order for the changes to take effect, run the following command:
#killall -hup inetd
By default, most Linux systems allow all requests, and using tcp_wrappers to enhance system security is a piece of cake. You can modify /etc /hosts.deny and /etc /hosts.allow to increase access restrictions. For example, setting /etc/hosts.deny to "all: all" denies all access by default. Then add allowed access in the /etc/hosts.allow file. For example, "sshd: 192.168.1.10/255.255.255.0 gate.openarch.com" means that the IP address 192.168.1.10 and the host name gate.openarch.com are allowed to connect via ssh.
After the configuration is completed, you can use tcpdchk to check:
# tcpdchk
tcpchk is a tcp_wrapper configuration checking tool, which checks your tcp wrapper configuration and reports all potential/existing problems found.
3. Login terminal settings
/etc/securetty file specifies the tty device that allows root login. It is read by the /bin/login program. Its format is a list of allowed names. You can edit /etc/securetty and Comment out the following lines.
# tty1 # tty2 # tty3 # tty4 # tty5 # tty6
At this time, root can only log in at the tty1 terminal.
4. Avoid displaying system and version information.
If you want remote login users not to see system and version information, you can change the /etc/inetd.conf file through the following operations:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -
Add -h to indicate that telnet does not display system information. Instead, only "login:" is displayed.
4. Prevent attacks
1. Block ping If no one can ping your system, security is naturally increased. To do this, you can add the following line to the /etc/rc.d/rc.local file:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
编辑host.conf文件并增加如下几行来防止ip欺骗攻击。
order bind,hosts multi off nospoof on
3.防止dos攻击
对系统所有的用户设置资源限制可以防止dos类型攻击。如最大进程数和内存使用数量等。例如,可以在/etc/security/limits.conf中添加如下几行:
* hard core 0
* hard rss 5000
* hard nproc 20
然后必须编辑/etc/pam.d/login文件检查下面一行是否存在。
session required /lib/security/pam_limits.so
上面的命令禁止调试文件,限制进程数为50并且限制内存使用为5mb。
The above is the detailed content of How to Enhance the Security of Linux and Unix Servers. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What computer configuration is required for vscode
Apr 15, 2025 pm 09:48 PM
VS Code system requirements: Operating system: Windows 10 and above, macOS 10.12 and above, Linux distribution processor: minimum 1.6 GHz, recommended 2.0 GHz and above memory: minimum 512 MB, recommended 4 GB and above storage space: minimum 250 MB, recommended 1 GB and above other requirements: stable network connection, Xorg/Wayland (Linux)
Linux Architecture: Unveiling the 5 Basic Components
Apr 20, 2025 am 12:04 AM
The five basic components of the Linux system are: 1. Kernel, 2. System library, 3. System utilities, 4. Graphical user interface, 5. Applications. The kernel manages hardware resources, the system library provides precompiled functions, system utilities are used for system management, the GUI provides visual interaction, and applications use these components to implement functions.
How to run java code in notepad
Apr 16, 2025 pm 07:39 PM
Although Notepad cannot run Java code directly, it can be achieved by using other tools: using the command line compiler (javac) to generate a bytecode file (filename.class). Use the Java interpreter (java) to interpret bytecode, execute the code, and output the result.
vscode cannot install extension
Apr 15, 2025 pm 07:18 PM
The reasons for the installation of VS Code extensions may be: network instability, insufficient permissions, system compatibility issues, VS Code version is too old, antivirus software or firewall interference. By checking network connections, permissions, log files, updating VS Code, disabling security software, and restarting VS Code or computers, you can gradually troubleshoot and resolve issues.
How to check the warehouse address of git
Apr 17, 2025 pm 01:54 PM
To view the Git repository address, perform the following steps: 1. Open the command line and navigate to the repository directory; 2. Run the "git remote -v" command; 3. View the repository name in the output and its corresponding address.
Can vscode be used for mac
Apr 15, 2025 pm 07:36 PM
VS Code is available on Mac. It has powerful extensions, Git integration, terminal and debugger, and also offers a wealth of setup options. However, for particularly large projects or highly professional development, VS Code may have performance or functional limitations.
How to use VSCode
Apr 15, 2025 pm 11:21 PM
Visual Studio Code (VSCode) is a cross-platform, open source and free code editor developed by Microsoft. It is known for its lightweight, scalability and support for a wide range of programming languages. To install VSCode, please visit the official website to download and run the installer. When using VSCode, you can create new projects, edit code, debug code, navigate projects, expand VSCode, and manage settings. VSCode is available for Windows, macOS, and Linux, supports multiple programming languages and provides various extensions through Marketplace. Its advantages include lightweight, scalability, extensive language support, rich features and version
vscode terminal usage tutorial
Apr 15, 2025 pm 10:09 PM
vscode built-in terminal is a development tool that allows running commands and scripts within the editor to simplify the development process. How to use vscode terminal: Open the terminal with the shortcut key (Ctrl/Cmd). Enter a command or run the script. Use hotkeys (such as Ctrl L to clear the terminal). Change the working directory (such as the cd command). Advanced features include debug mode, automatic code snippet completion, and interactive command history.
