As is well known, Linux has advantages over Windows in terms of security. However, whichever Linux distribution you choose, some necessary configuration should be done after installation to enhance its security. Here are a number of steps for hardening a Linux server. At present, many small and medium-sized users are constantly updating or upgrading their networks as their business develops, so their environments differ widely and the network platform as a whole is uneven: most run Linux and Unix on the server side and Windows and Mac on the PC side. In enterprise applications, therefore, Linux, Unix and Windows operating systems often coexist and form heterogeneous networks.
1. Install and configure a firewall
A properly configured firewall is not only the first line of defense for the system against external attack, but also the most important one. Before a new system is connected to the Internet for the first time, the firewall should be installed and configured. Configure the firewall to deny all incoming packets by default, and then enable reception only for the packets that are actually needed; this is beneficial to the security of the system. Linux provides us with an excellent firewall tool, netfilter/iptables (http://www.netfilter.org/). It is completely free and runs fine on an old machine with low specs. For the specific settings, please refer to the usage of iptables.
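As an added example (not part of the original article), the following script writes the default-deny ruleset described above for a dedicated web server in iptables-restore format: drop everything, then re-enable only loopback, established sessions, SSH from an assumed management subnet, and HTTP/HTTPS. ADMIN_NET and RULES_FILE are assumed values; the live firewall is only touched when the script is run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the original article): generate a default-deny
# iptables ruleset for a dedicated web server in iptables-restore format.
# Everything is dropped first; loopback, established sessions, SSH from an
# assumed admin subnet, and HTTP/HTTPS are then re-enabled one rule at a time.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"        # assumed management subnet
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/iptables.rules}"

# Write the ruleset to RULES_FILE; the live firewall is not touched here.
write_rules() {
    cat > "$RULES_FILE" <<EOF
*filter
# Default policies: deny inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local services talk to each other over loopback.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and packets of existing sessions.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New TCP connections must start with SYN; anything else is scan noise.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# SSH only from the admin subnet, rate-limited to blunt password guessing.
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# The service this server exists for.
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Log what is about to be dropped, rate-limited so /var is not flooded.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Policy of the INPUT chain as written ("DROP" is what we expect).
input_policy() {
    awk '$1 == ":INPUT" { print $2 }' "$RULES_FILE"
}

# How many ACCEPT rules the file contains: the whole allowed surface.
count_accept_rules() {
    grep -c -- '-j ACCEPT' "$RULES_FILE"
}

# Load the ruleset atomically; only meaningful as root on the real host.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    iptables-restore < "$RULES_FILE"
}

write_rules
echo "wrote $RULES_FILE: INPUT policy $(input_policy), $(count_accept_rules) ACCEPT rules"
if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Review the generated file before applying it on a remote host, since a mistake in the SSH rule locks you out.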
2. Close useless services and ports
All network connections are made through open application ports. If we open as few ports as possible, we put network attackers on the defensive and greatly reduce their chance of success. Using Linux as a dedicated server is a smart move. For example, if Linux is to serve as a web server, you can cancel all non-essential services in the system and enable only the essential ones. This minimizes backdoors, reduces hidden dangers, and allocates system resources sensibly, improving overall machine performance. Here are a few less commonly used services:
1. fingerd (the finger server) reports personal information about a specified user, including user name, real name, shell, home directory and contact information. It exposes the system to unwelcome intelligence gathering, so you should avoid starting this service.
2. The R services (rshd, rlogin, rwhod, rexec) provide various levels of remote command execution. They can run commands on or interact with remote hosts and, in a closed network environment, allow login without user names and passwords. That is quite convenient, but on public servers these properties become security threats.
3. Delete unused software packages
When planning the system, the general principle is to remove all unnecessary services. A default Linux installation is a powerful system running many services, but many of them are not needed and can easily create security risks. The relevant file is /etc/xinetd.conf, which specifies the services that /usr/sbin/xinetd will listen for. You may need only one of them, ftp; the others, such as telnet, shell, login, exec, talk, ntalk, imap, finger, auth and so on, should be turned off unless you really want to use them.
4. Do not set a default route
Setting a default route on the host should be strictly prohibited. It is recommended to set a route for each subnet or network segment instead; otherwise other machines may reach the host through certain paths.
5. Password management
Passwords should generally be no shorter than 8 characters and should be an irregular mix of uppercase and lowercase letters, numbers and symbols. Strictly avoid English words or phrases as passwords, and get into the habit of changing every user's password regularly. Password protection also involves protecting the /etc/passwd and /etc/shadow files; only the system administrator should be able to access these two files. Installing a password filtering tool such as npasswd can help you check whether your passwords can withstand attack. If you have not installed such a tool, it is recommended that you install one now. If you are a system administrator and no password filtering tool is installed on your system, immediately check whether the passwords of all users can be found by exhaustive search, that is, run an exhaustive search attack against your own /etc/passwd file. Passwords made of words cannot withstand brute-force attacks, and hackers often use common words to crack passwords. An American hacker once said that the word "password" alone can open most computers in the United States. Other commonly used words include: account, ald, alpha, beta, computer, dead, demo, dollar, games, bod, hello, help, intro, kill, love, no, ok, okay, please, sex, secret, superuser, system, test, work, yes, etc. Principles for setting passwords:
1. Make it long enough. Adding just one more character to the password can increase the attacker's effort tenfold;
2. Do not use complete words; include numbers, punctuation marks and special characters as much as possible;
3. Mix uppercase and lowercase characters;
4. Change it frequently.
6. Partition management
A potential attack will first attempt a buffer overflow. In the past few years, buffer overflow-type security vulnerabilities have become the most common form. What's more serious is that buffer overflow vulnerabilities account for the vast majority of remote network attacks. This type of attack can easily give an anonymous Internet user the opportunity to gain partial or complete control of a host!
To prevent such attacks, we should pay attention when installing the system. If you use the root partition to record data such as log files, a large volume of logs or spam may be generated by a denial-of-service attack and cause the system to crash. It is therefore recommended to create a separate partition for /var to store logs and mail, so that the root partition cannot be filled up. It is best to create separate partitions for special applications too, especially programs that generate a large amount of logs. Creating a separate partition for /home is also recommended so that users cannot fill up the / partition, which avoids some malicious attacks that rely on filling a Linux partition.
Many Linux desktop users run Windows and Linux as a dual system; it is best to use two hard drives. The method is as follows: first remove the data cable of the main hard disk, attach a hard disk of about 10GB to the computer, set this small disk as the slave disk, and install the Linux server version in the usual way; apart from the boot loader being placed in the MBR, there is no other difference. Once the installation is complete and the desktop boots, shut down the computer. Remove the data cable from the small hard disk, reinstall the original hard disk and set it as the master disk (this is done so that the original hard disk and the small hard disk can later share the same data cable), and then install Windows. Finally, attach both hard disks to the same data cable, the IDE 0 interface, with the original hard disk as master and the small hard disk as slave. To boot from the original hard disk, set the boot sequence in CMOS to "C, D, CDROM" or "IDE0 (HDD-0)"; the computer then starts into Windows. To boot from the small hard disk, change the boot sequence to "D, C, CDROM" or "IDE1 (HDD-1)"; the computer then starts into Linux. Normally the two operating systems cannot access each other.
7. Prevent network sniffing:
Sniffer technology is widely used in network maintenance and management. It works like passive sonar, silently receiving all kinds of information from the network; by analyzing this data, network administrators can gain an in-depth understanding of the current health of the network in order to identify vulnerabilities in it. Today, when network security attracts more and more attention, we must not only use sniffers correctly but also reasonably guard against the harm sniffers cause. Sniffers can create great security hazards, mainly because they are not easy to discover. An enterprise with strict security requirements needs to use a secure topology, session encryption and static ARP addresses.
8. Complete log management
Log files record the running status of your system at all times. When hackers come, they cannot escape the eyes of the logs, so hackers often modify log files during an attack to hide their traces. Therefore we need to restrict access to the /var/log directory and prohibit users with ordinary permissions from viewing the log files.
Also use a log server. It is a good idea to keep a copy of each client's log information: create a server specifically to store the log files and check those logs to find problems. Modify the /etc/sysconfig/syslog file on the log server so that it accepts remote logging.
/etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"   # -r accepts log messages from remote hosts; -m 0 turns off the periodic MARK lines
You should also set up remote storage of logs. Modify the /etc/syslog.conf file to add the log server settings, and syslog will save a copy on the log server.
/etc/syslog.conf
*.* @log_server_IP
Colored log filters are also available; loco is a color log filter whose current version is 0.32. Use loco /var/log/messages | more to display the log in color, clearly marking where root and abnormal commands appear in the log, which reduces human omissions when analyzing logs. Regular log checks are also required. Red Hat Linux provides the logwatch tool, which automatically checks the logs at regular intervals and emails the administrator's mailbox. You need to modify the /etc/log.d/conf/logwatch.conf file and add the administrator's email address after the MailTo = root parameter. Logwatch then checks the logs regularly and filters out information related to logins via root, sudo, telnet, ftp and so on, to assist administrators in daily security analysis. Complete log management must cover the correctness, validity and legality of network data. Analysis of log files can also prevent intrusions: for example, if a user has 20 failed login records within a few hours, an intruder is very likely trying that user's password.
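The "20 failures within a few hours" rule above, turned into a small log check. This is an added example, not part of the original article or of logwatch; the sshd-style log lines are constructed, and the THRESHOLD and WINDOW_HOURS values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): flag accounts that collect
# many failed logins within a few hours, the pattern the text describes.
# The log lines are constructed to resemble sshd entries in /var/log/secure;
# THRESHOLD and WINDOW_HOURS are assumed values, not from the article.
THRESHOLD="${THRESHOLD:-20}"       # failures per (user, source) that raise an alert
WINDOW_HOURS="${WINDOW_HOURS:-3}"  # "within a few hours"
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample"

# Constructed log: 22 failures for 'admin' from one host within 22 minutes,
# 2 failures and 1 success for 'bob' hours apart, 1 failure for an unknown user.
make_sample_log() {
    {
        i=0
        while [ "$i" -lt 22 ]; do
            printf 'Mar  3 02:%02d:17 web1 sshd[4%02d]: Failed password for admin from 198.51.100.7 port 51%02d ssh2\n' "$i" "$i" "$i"
            i=$((i + 1))
        done
        printf 'Mar  3 09:10:01 web1 sshd[5101]: Failed password for bob from 203.0.113.5 port 40001 ssh2\n'
        printf 'Mar  3 09:12:44 web1 sshd[5102]: Accepted password for bob from 203.0.113.5 port 40002 ssh2\n'
        printf 'Mar  3 14:30:00 web1 sshd[5200]: Failed password for bob from 203.0.113.5 port 40010 ssh2\n'
        printf 'Mar  3 18:05:09 web1 sshd[5300]: Failed password for invalid user test from 203.0.113.9 port 40020 ssh2\n'
    } > "$SAMPLE_LOG"
}

# Print one ALERT line per (user, source) whose failed logins reach THRESHOLD
# inside a sliding WINDOW_HOURS window; successful logins are not counted.
report_bruteforce() {
    awk -v thr="$THRESHOLD" -v win="$WINDOW_HOURS" '
    /Failed password for/ {
        split($3, t, ":"); secs = t[1]*3600 + t[2]*60 + t[3]   # same-day timestamps
        for (i = 1; i <= NF; i++) if ($i == "for") break
        user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)         # "for invalid user X"
        for (j = i; j <= NF; j++) if ($j == "from") break
        key = user " " $(j+1)
        n[key]++; when[key, n[key]] = secs; shown[key, n[key]] = $3
        # slide the window start past failures older than WINDOW_HOURS
        while (secs - when[key, start[key]+1] > win*3600) start[key]++
        inwin = n[key] - start[key]
        if (inwin >= thr && !(key in alerted)) {
            alerted[key] = 1
            printf "ALERT %s %d failures between %s and %s\n", key, inwin, shown[key, start[key]+1], $3
        }
    }' "$1"
}

# Number of ALERT lines, so a cron job can decide whether to mail the admin.
count_alerts() {
    report_bruteforce "$1" | grep -c '^ALERT'
}

make_sample_log
report_bruteforce "$SAMPLE_LOG"
```

Real logs span days, so a production version should also parse the month and day before computing the window.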
9. Terminate ongoing attacks
If, when checking log files, you find a user logging in from a host unknown to you, and you are sure that this user has no account on that host, you may be under attack. First, lock the account immediately (in the password file or shadow file, add Ib or another character in front of the user's password). If the attacker is already connected to the system, immediately physically disconnect the host from the network. If possible, further check this user's history to see whether other users have also been impersonated and whether the attacker has obtained root permissions. Kill all of this user's processes and add the IP address mask of the host to the hosts.deny file.
10. Use security tools and software:
Linux already has some tools for ensuring server security, such as Bastille Linux and SELinux.
Bastille Linux is very convenient for users who are not familiar with Linux security settings; its purpose is to build a secure environment on top of the existing Linux system.
Security Enhanced Linux (SELinux) is a research and development project of the U.S. Department of Security. Its purpose is to enhance the Linux kernel with developed code that provides stronger protection, preventing security-related applications from being circumvented and mitigating the damage malware can bring. The security of an ordinary Linux system depends on the kernel, and this dependency is created through setuid/setgid. Under the traditional security mechanism, application authorization problems, configuration problems or problems with running processes are exposed and cause security problems for the entire system. These problems exist in today's operating systems because of their complexity and their interoperability with other programs. SELinux relies solely on the system's kernel and its security configuration policy. Once the system is configured correctly, an improperly configured or faulty application only returns errors to the user's program and its system daemons; other user programs and their background programs continue to run normally and keep their security structure. Put simply: no program configuration error can bring down the entire system. Installing SELinux: the SELinux kernel, tools, programs/toolkits and documentation can be downloaded from the Enhanced Security Linux website. You must have an existing Linux system on which to compile the new kernel, in order to apply the unchanged system patch package.
11. Use reserved IP addresses:
The simplest way to maintain network security is to ensure that the hosts in the network are not exposed to the outside world; the most basic method is to isolate yourself from the public network. However, security through isolation is unacceptable in many situations. Here, using reserved IP addresses is a simple and feasible method that lets users access the Internet while ensuring a certain degree of security. RFC 1918 specifies the ranges of IP addresses that may be used by local TCP/IP networks. These addresses are not routed on the Internet, so there is no need to register them. By assigning addresses in these ranges, network traffic is effectively restricted to the local network. This is a quick and effective way to deny access to external computers while allowing internal computers to interconnect. The reserved IP address ranges are:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Network traffic from a reserved IP address does not pass through Internet routers, so a computer assigned a reserved IP address cannot be reached from outside the network. However, by itself this approach also prevents users from reaching external networks; IP masquerading solves that problem.
12. Choose a Linux distribution reasonably:
For the Linux version used on a server, use neither the latest release nor a version that is too old. A more mature version should be used: the last release of the previous product line, such as RHEL 3.0. After all, security and stability come first for servers.
13. Deploy Linux anti-virus software
The Linux operating system has always been considered a strong rival to Windows because it is not only secure, stable and low-cost, but also rarely found spreading viruses. But as more and more servers, workstations and PCs run Linux, virus writers are also beginning to attack the system. The security and permission control of Linux systems, on servers and workstations alike, are relatively strong. This is mainly due to their excellent technical design, which not only makes the operating system difficult to crash but also makes it difficult to abuse. After more than 20 years of development and refinement, Unix has become very solid, and Linux has largely inherited its advantages. On Linux, unless you are the superuser, it is difficult for a program that maliciously infects system files to succeed. Although malicious programs such as the Slammer, Blaster, Sobig, Mimail and Win32.Xorala viruses will not damage a Linux server, they will spread to the Windows platform computers that access it.
Virus classification under Linux platform:
1. Executable file viruses: viruses that parasitize files and use files as their main infection target. Whatever tool virus makers use, assembly or C, it is easy to infect ELF files. Viruses in this category include Lindose.
2. Worms: After the Morris worm broke out in 1988, Eugene H. Spafford gave a technical definition of a worm in order to distinguish worms from viruses: "A computer worm can run independently and can propagate a complete working version of itself to other computers." On the Linux platform worms are extremely rampant, for example ramen, lion and Slapper, which spread by exploiting system vulnerabilities. These have infected a large number of Linux systems and caused huge losses.
3. Script viruses: at present more viruses are being written in shell script. This type of virus is relatively simple to write, but its destructive power is equally astonishing. There are many script files ending in .sh on a Linux system, and a shell script of only about ten lines can traverse and infect all the script files on the entire hard disk in a short time.
4. Backdoor programs: in the broad definition of virus, backdoors are also included. The backdoor, a weapon for intruders that is active on Windows systems, is also extremely active on the Linux platform. From simple backdoors that add a system superuser account, to system service loading, shared library injection, rootkit toolkits and even loadable kernel modules (LKM), backdoor technology on the Linux platform is very mature, highly concealed and difficult to remove. It is an extremely troublesome problem for Linux system administrators.
Generally speaking, computer viruses pose little danger to Linux systems. However, due to various reasons, Linux and Windows operating systems often coexist in enterprise applications to form heterogeneous networks. Therefore, Linux’s anti-virus strategy is divided into two parts:
1. Prevention strategies for Linux itself (servers and computers that use it as a desktop).
Executable file viruses, worms and script viruses can basically be prevented by installing GPL virus-scanning software. On the server side you can use AntiVir (http://www.hbedv.com/), which works from the command line and uses few system resources while running.
For backdoor prevention, you can use LIDS (http://www.lids.org/) and Chkrootkit (http://www.chkrootkit.org/). LIDS is a Linux kernel patch plus a system administrator tool (lidsadm) that strengthens the Linux kernel; important files in the /dev directory can be protected. Chkrootkit checks system logs and files to see whether any malicious program has invaded the system, looking for the signatures associated with different malicious programs. The latest version, Chkrootkit 0.45, can detect 59 kinds of sniffers, Trojans, worms, rootkits and so on.
2. Virus prevention strategies for Windows systems using Linux server backends.
Many companies use proxy servers to access the Internet, and many Windows users are infected with viruses when browsing HTTP web pages and downloading files. You can therefore add a virus filter to the proxy server to scan the HTTP pages users browse for viruses. If a user is found to be fetching a virus while browsing the web, the proxy server blocks it: it discards virus-containing requests, blocks the unsafe process in the proxy server and prevents virus-containing data from spreading to the client computer. Squid is an excellent proxy server, but it has no dedicated virus filtering function. You can consider the Linux-based virus filtering proxy server developed by German open source enthusiasts, HAVP (http://www.server-side.de/). HAVP can be used on its own or in series with Squid to add virus filtering to the Squid proxy.
Providing email services is an important application of Linux servers. You can use ClamAV (http://www.clamwin.com/); the full name of ClamAV is Clam AntiVirus and, like Linux, it emphasizes open program code and free licensing. ClamAV can currently detect more than 40,000 viruses, worms and Trojan horse programs, and its database can be updated at any time. A group of virus experts distributed around the world updates and maintains the virus database 24 hours a day; anyone who finds a suspicious virus can contact them at any time and the virus signature is updated immediately. Within a very short time, a few days, the mail servers on the network that use ClamAV have completed the latest protective action.
14. Strengthen login security
By modifying the /etc/login.defs file, you can add settings such as a delay after login errors, logging, a minimum login password length, and password expiry limits.
/etc/login.defs
PASS_MAX_DAYS 90        # login password is valid for 90 days
PASS_MIN_DAYS 0         # minimum interval before the login password may be changed again, to stop illegal users changing it many times in a short period
PASS_MIN_LEN 8          # minimum length of the login password is 8 characters
PASS_WARN_AGE 7         # prompt to change the login password 7 days before it expires
FAIL_DELAY 10           # wait 10 seconds after a login error
FAILLOG_ENAB yes        # record login errors in the log
SYSLOG_SU_ENAB yes      # log superuser (su) activity, used to keep track of superuser management
SYSLOG_SG_ENAB yes      # log superuser group (sg) activity, used to keep track of group management
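The settings above are easy to drift from (a package upgrade or a colleague's edit can reset them), so here is an added example, not from the original article, that audits a login.defs file against the recommended values and prints each deviation. The sample file is constructed with two weak values and one commented-out key; pass a real path to check a live system.

```shell
#!/bin/sh
# Added example (not from the original article): audit an /etc/login.defs file
# against the values the text recommends and report every deviation.
# The sample file is constructed; pass a real path to audit a live system.
SAMPLE_DEFS="${TMPDIR:-/tmp}/login.defs.sample"

# Constructed file with two weak settings (PASS_MAX_DAYS, PASS_MIN_LEN), one
# commented-out key (FAIL_DELAY) and the remaining keys set correctly.
make_sample_defs() {
    cat > "$SAMPLE_DEFS" <<'EOF'
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
#FAIL_DELAY     10
FAILLOG_ENAB    yes
SYSLOG_SU_ENAB  yes
SYSLOG_SG_ENAB  yes
EOF
}

# Value of KEY in FILE (last uncommented occurrence wins, as login.defs does),
# or the empty string when the key is absent or commented out.
defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Print one line per deviation: "KEY current expected"; print nothing when all
# recommended values hold. Numeric keys are compared as max/min, flags must match.
audit_login_defs() {
    f="$1"
    for spec in \
        'PASS_MAX_DAYS max 90' 'PASS_MIN_DAYS min 0' 'PASS_MIN_LEN min 8' \
        'PASS_WARN_AGE min 7' 'FAIL_DELAY min 10' 'FAILLOG_ENAB eq yes' \
        'SYSLOG_SU_ENAB eq yes' 'SYSLOG_SG_ENAB eq yes'
    do
        set -- $spec
        key=$1; mode=$2; want=$3
        have=$(defs_value "$f" "$key")
        ok=no
        case "$mode" in
            max) if [ -n "$have" ] && [ "$have" -le "$want" ]; then ok=yes; fi ;;
            min) if [ -n "$have" ] && [ "$have" -ge "$want" ]; then ok=yes; fi ;;
            eq)  if [ "$have" = "$want" ]; then ok=yes; fi ;;
        esac
        [ "$ok" = yes ] || printf '%s %s %s\n' "$key" "${have:-unset}" "$want"
    done
}

# Number of deviations, handy as an exit code or a cron mail trigger.
count_findings() {
    audit_login_defs "$1" | wc -l | tr -d ' '
}

make_sample_defs
audit_login_defs "$SAMPLE_DEFS"
```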
15. Use OPENSSH instead of FTP and Telnet
The network transmission programs we usually use, such as FTP and Telnet, are inherently unsafe because they transmit passwords and data in plain text over the network, and it is very easy for hackers to intercept these passwords and data with a sniffer. SSH stands for Secure Shell. With SSH, users can encrypt all transmitted data, so that even if a hacker on the network captures the data a user transmits, it cannot be decrypted and poses no real threat to the transmission. The transmitted data is also compressed, which can speed up transfers. SSH has many functions: it can not only replace Telnet but also provide a secure "transmission channel" for FTP, giving a strong authentication mechanism and a very secure communication environment in an insecure network. SSH was originally developed by a company in Finland, but because of restrictions on copyright and encryption algorithms, many people turned to the free alternative OpenSSH. Using OpenSSH from the command line is cumbersome, so here we introduce gFTP integrated with OpenSSH to provide a graphical encrypted transfer solution. gFTP is as easy to use as CuteFtp under Windows, and almost all Linux distributions ship gFTP, so it can be used without installation. Many Windows clients support SSH; PuTTY and FileZilla are recommended.
16. Back up important files
Many Trojans, worms and backdoors hide themselves by replacing important files. It is a good habit to back up the most important and commonly used commands: keep a set on read-only media, CDs or USB flash drives, or even download them online. In short, use original commands when necessary rather than commands in the system that may be infected. The files to back up are as follows:
/bin/su
/bin/ps
/bin/rpm
/usr/bin/top
/sbin/ifconfig
/bin/mount
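A backup on read-only media is only useful if you notice that the live command has been replaced. As an added example (not from the original article), the script below records SHA-256 hashes of the commands listed above and later reports any that are modified or missing. The files here are constructed stand-ins under a temporary ROOT so the script runs anywhere; on a real host set ROOT=/ and keep BASELINE on the read-only media.

```shell
#!/bin/sh
# Added example (not from the original article): keep SHA-256 hashes of the
# commands listed above on trusted media and compare the live copies against
# them later. A replaced su or ps then shows up as MODIFIED. Here the files are
# constructed stand-ins under a temporary ROOT so the script runs anywhere; on
# a real host set ROOT=/ and keep BASELINE (and the hashing tool) on read-only media.
ROOT="${ROOT:-${TMPDIR:-/tmp}/intcheck-root}"
BASELINE="${BASELINE:-${TMPDIR:-/tmp}/intcheck-baseline.sha256}"
CRITICAL="bin/su bin/ps bin/rpm usr/bin/top sbin/ifconfig bin/mount"

# Use whichever SHA-256 tool the host has; both print "hash  path".
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Constructed stand-ins for the real binaries (re-running restores them).
make_fake_root() {
    for rel in $CRITICAL; do
        mkdir -p "$ROOT/$(dirname "$rel")"
        printf '#!/bin/sh\necho original %s\n' "$rel" > "$ROOT/$rel"
    done
}

# Hash every critical file into BASELINE, one "hash  path" line each.
record_baseline() {
    : > "$BASELINE"
    for rel in $CRITICAL; do
        hash_file "$ROOT/$rel" >> "$BASELINE"
    done
}

# Re-hash each baseline entry; print "MODIFIED path" or "MISSING path".
verify_baseline() {
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(hash_file "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done < "$BASELINE"
}

# Number of files that differ from the baseline (0 means clean).
mismatch_count() {
    verify_baseline | wc -l | tr -d ' '
}

# Simulate what a replaced ps and a deleted ifconfig look like to the check.
simulate_replacement() {
    printf 'echo replaced\n' >> "$ROOT/bin/ps"
    rm -f "$ROOT/sbin/ifconfig"
}

make_fake_root
record_baseline
simulate_replacement
verify_baseline
echo "$(mismatch_count) of $(wc -l < "$BASELINE" | tr -d ' ') files differ from baseline"
```

On a compromised host the hashing tool itself may have been replaced, so run sha256sum from the same read-only media as the baseline.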
17. Patch issues
You should always go to the home page of the publisher of the system you have installed and look for the latest patches. The operating system is the soul of a computer system: it maintains the lowest layer and manages and schedules subsystems such as memory and processes. If the operating system itself has a vulnerability, the impact is fatal, so the kernel is crucial to network security. Currently, kernel maintenance falls into two modes. For proprietary operating systems such as Windows and Solaris, individual users cannot access the source code directly; the code is maintained by the vendor's internal developers and its security is guaranteed by the same team, and kernel fixes are released as patch/SP packages just like those for other applications. An open system like Linux has an open structure, and the open model is a double-edged sword. In principle, developers all over the world can obtain the source code and find the loopholes in it, so security should be better; but at the same time, if network managers do not update the kernel in time, security risks remain. Moreover, many factors affect operating system security, from the compilation level to the way users operate the system, and security problems cannot be fundamentally solved simply by opening or closing the source code. If you are a Linux network administrator, you need to visit the relevant websites regularly to see whether there are patches, whether there are bug fixes, and whether an upgrade is needed. Don't take chances, or a shell script may take down your website. To paraphrase a famous saying: your server can always be taken over by hackers the next day.
The software running on a Linux server mainly includes Samba, Ftp, Telnet, Ssh, Mysql, Php, Apache, Mozilla and so on. Most of it is open source software that is constantly upgraded, with stable versions and beta versions appearing alternately. On www.samba.org and www.apache.org, the latest ChangeLog entries say: bug fix, security bug fix. Linux network administrators should therefore keep an eye on the bug fixes and upgrades published on the relevant websites, and upgrade or add patches in a timely manner.
Summary:
Just as there is no unbreakable shield, no system is completely secure. Likewise in the security field, no one can say that they are a master. The security of the system is achieved through the sweat and wisdom of many predecessors.