Security knowledge of Linux servers

Linux servers have many security advantages over Windows. No matter which version of Linux we choose, some necessary configuration is still required. Below we discuss and learn the security knowledge of Linux servers together.

1. Install and configure a firewall

A properly configured firewall is not only the first line of defense against external attacks, but also the most important one. The firewall should be installed and configured before the new system connects to the Internet for the first time. Configure it to refuse all data packets by default, and then open only the packets that are allowed to be received; this benefits the security of the system. Linux provides a very good firewall tool, netfilter/iptables (http://www.netfilter.org/). It is completely free and runs well even on an old, low-spec machine. For the specific firewall settings, please refer to the iptables usage documentation.
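The refuse-everything-then-open approach described above, written as an added example (not from the original article): a shell function that emits an IPv4 ruleset in iptables-restore format. The port list 22, 80 and 443 is an assumption; use the ports your own services need.

```shell
#!/bin/sh
# Added example: emit a default-deny IPv4 ruleset in iptables-restore format.
# The allowed ports are an assumption; pass the ones this host really serves.

gen_ruleset() {
    # $1: space-separated TCP ports to accept, e.g. "22 80 443"
    echo "*filter"
    # Default policies: drop everything inbound and forwarded.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback traffic and replies to connections the host itself opened.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for port in $1; do
        case "$port" in
            ''|*[!0-9]*|??????*)
                echo "skipping invalid port: $port" >&2; continue ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skipping out-of-range port: $port" >&2; continue
        fi
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset for review.
gen_ruleset "22 80 443"

# After reviewing it, load it atomically as root:
#   gen_ruleset "22 80 443" | iptables-restore
```

IPv6 traffic is filtered separately by ip6tables and needs its own ruleset.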

2. Close useless services and ports

Every network connection is made through an open application port. If we open as few ports as possible, network attacks become like water without a source, which greatly reduces the attacker's chances of success. It is a smart move to use Linux as a dedicated server. For example, if you want Linux to be a Web server, you can disable all non-essential services in the system and enable only the necessary ones. Doing so minimizes backdoors, reduces hidden dangers, and allocates system resources sensibly to improve overall machine performance. The following are a few services that are not commonly used:

  1. fingerd (finger server) reports the personal information of a specified user, including user name, real name, shell, directory and contact information. It exposes the system to unwelcome intelligence gathering. This service should be avoided.
  2. R services (rshd, rlogin, rwhod, rexec) provide various levels of commands that can run on or interact with remote hosts, and in a closed network environment they allow login without a user name and password, which is quite convenient. On public servers, however, this exposes problems and leads to security threats.

3. Delete unused software packages

When planning the system, the general principle is to remove all unnecessary services. A default Linux installation is a powerful system with many services running, but many of them are not needed and can easily cause security risks. The relevant file is /etc/xinetd.conf, which defines the services that /usr/sbin/xinetd will monitor. You may only need one of them, ftp; the others, such as telnet, shell, login, exec, talk, ntalk, imap, finger, auth, etc., should all be closed unless you really want to use them.
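One way to audit this, as an added example that is not part of the original article: a shell function that reads xinetd service stanzas and lists every service that is enabled but not on an allowlist. The sample configuration is constructed, the allowlist "ftp" follows the text above, and treating a stanza with no disable line as enabled is an assumption of this script.

```shell
#!/bin/sh
# Added example: list xinetd services that are enabled but not allowlisted.

# Constructed sample in the stanza format of /etc/xinetd.d/* files.
sample_config() {
cat <<'EOF'
service ftp
{
    disable = no
    socket_type = stream
}
service telnet
{
    socket_type = stream
}
service finger
{
    disable = yes
}
service shell
{
    disable     = no
}
EOF
}

# Reads xinetd configuration on stdin; $1 is a space-separated allowlist.
# Assumption: a stanza with no "disable" line is treated as enabled.
unexpected_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "service" { name = $2; enabled = 1; next }
        { line = tolower($0); gsub(/[ \t]/, "", line) }
        name != "" && line ~ /^disable=/ {           # "disable = yes" or "disable=yes"
            if (line == "disable=yes") enabled = 0
            next
        }
        name != "" && line == "}" {
            if (enabled && !(name in ok)) print name
            name = ""
        }
    '
}

sample_config | unexpected_services "ftp"
# On a real host (usual paths, adjust as needed):
#   cat /etc/xinetd.conf /etc/xinetd.d/* | unexpected_services "ftp"
```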

4. Do not set the default route

Setting a default route on the host should be strictly prohibited. It is recommended to set up a route for each subnet or network segment instead; otherwise other machines may be able to access the host in some way.

5. Password management

A password should generally be no shorter than 8 characters and should be an irregular combination of uppercase and lowercase letters, numbers and symbols. Strictly avoid using English words or phrases as passwords, and every user should get into the habit of changing their password regularly. Protecting passwords also involves protecting the /etc/passwd and /etc/shadow files. Only the system administrator can access these two files. Installing a password filtering tool plus npasswd can help you check whether your passwords can withstand attacks. If you have not installed such tools before, it is recommended that you install them now. If you are a system administrator and no password filtering tool is installed on your system, check whether the passwords of all users can be found by exhaustive search, that is, perform an exhaustive search attack on your own /etc/passwd file. A word used as a password cannot stand up to brute-force attacks. Hackers often use common words to crack passwords. An American hacker once said that with just the word "password", most computers in the United States can be opened.

Other commonly used words include: account, ald, alpha, beta, computer, dead, demo, dollar, games, bod, hello, help, intro, kill, love, no, ok, okay, please, sex, secret, superuser, system, test, work, yes, etc.

Password settings and principles:

1. Make it long enough: each time you move your finger to add one more character to the password, you increase the attacker's work tenfold;
2. Do not use complete words; include numbers, punctuation marks, special characters, etc. as much as possible;
3. Mix upper and lower case characters;
4. Change it frequently.
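A small password filter that enforces the length, character-mix and no-common-word rules above, as an added example that is not part of the original article and is not npasswd. The word list is a subset of the words quoted in this section; substring matching is a design choice of this example.

```shell
#!/bin/sh
# Added example: reject passwords that break the rules listed above.
# check_password prints the first failed rule and returns non-zero.

LC_ALL=C; export LC_ALL   # make [a-z] / [A-Z] ranges behave predictably

# Subset of the common words quoted on this page (lowercase).
COMMON_WORDS="password account alpha beta computer dead demo dollar games hello help intro kill love okay please sex secret superuser system test work yes"

check_password() {
    pw=$1
    [ "${#pw}" -ge 8 ] || { echo "too short"; return 1; }
    case "$pw" in *[a-z]*) ;; *) echo "no lowercase letter"; return 1 ;; esac
    case "$pw" in *[A-Z]*) ;; *) echo "no uppercase letter"; return 1 ;; esac
    case "$pw" in *[0-9]*) ;; *) echo "no digit"; return 1 ;; esac
    case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "no symbol"; return 1 ;; esac
    # Case-insensitive search for a complete common word inside the password.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $COMMON_WORDS; do
        case "$lower" in
            *"$w"*) echo "contains common word: $w"; return 1 ;;
        esac
    done
    echo "ok"
}

# Constructed candidates, for demonstration only.
for candidate in 'password' 'MyPassword1!' 'Tr7#kLm9qZ'; do
    printf '%s -> %s\n' "$candidate" "$(check_password "$candidate")"
done
```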
6. Partition management

The above is the security knowledge of Linux servers; we can harden a Linux server through these several steps. We mostly use Linux and Unix on the server side, and Windows and Mac on the PC side. Therefore, in enterprise applications, Linux, Unix and Windows operating systems often coexist to form a heterogeneous network.

Origin blog.csdn.net/weixin_45841668/article/details/108513869