Six Elements of Linux Server Security

As an open operating system, Linux is well liked by many programmers, and many skilled programmers enjoy writing software for it. As a result, Linux has a wealth of software and a large body of technical staff providing backing and support, which makes it more and more popular among programmers.

 

But an open operating system has one major drawback: programmers' skill levels vary, and many do not look for holes in their own programs after writing them. There is no unified vulnerability check, so Linux software can contain many vulnerabilities. Developers find it hard to detect flaws in their own programs, while hackers pay close attention to these vulnerabilities and exploit them to achieve their goals. Does that mean Linux is unsafe? In fact there is no need to worry; Linux is still safer than Windows. As long as you take care of the following points, you can use Linux with peace of mind and enjoy a different kind of operating experience.

First, eliminate unnecessary services

In early Unix versions, each network service had its own program running in the background. Later versions hand this task to a single server program, /etc/inetd. Inetd is short for Internet daemon; it monitors multiple network ports at the same time and, on receiving a connection from outside, runs the corresponding TCP or UDP network service.

Because inetd is in overall command, most Linux TCP and UDP services are configured in the /etc/inetd.conf file. So the first step in eliminating unnecessary services is to check /etc/inetd.conf and put a "#" in front of each service you do not need.

In general, apart from http, smtp, telnet and ftp, the other services should be disabled, for example the trivial file transfer protocol tftp, imap/ipop used for storing and receiving mail over the network, gopher used for finding and searching information, and daytime and time used for time synchronization.

There are also services that report system state, such as finger, efinger, systat and netstat. Although they are very useful for troubleshooting and for finding users, they also open a door to hackers. For example, a hacker can use the finger service to find a user's telephone number, directory in use and other important information. For this reason, many Linux systems disable all or some of these services to strengthen security.

In addition to /etc/inetd.conf, where inetd's services are configured, the /etc/services file shows which port each service uses. The administrator must check each port setting in that file carefully to avoid security holes.
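The check described above can be scripted. The following is an added example, not part of the original article: it lists every enabled inetd.conf entry that is not on an allowlist and can emit a copy of the file with those entries commented out. The allowlist mirrors the four services the article keeps; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit inetd.conf against an allowlist of services.
# ALLOWED mirrors the services the article keeps; adjust per host.
ALLOWED="http smtp telnet ftp"

# $1 = mode (list|disable), $2 = path to an inetd.conf-style file
inetd_filter() {
    awk -v mode="$1" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # comments, blank and malformed lines pass through untouched
        /^[ \t]*#/ || NF < 6 { if (mode == "disable") print; next }
        # allowlisted services stay enabled
        $1 in ok             { if (mode == "disable") print; next }
        # everything else: report the name, or comment the line out
        { print (mode == "disable" ? "#" $0 : $1) }
    ' "$2"
}

# Names of enabled services that are not on the allowlist, one per line.
audit_inetd()   { inetd_filter list "$1"; }
# The same file with every non-allowlisted service prefixed by "#".
disable_extra() { inetd_filter disable "$1"; }

# Constructed sample file (not taken from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# service socket proto wait user program args
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#shell  stream tcp nowait root   /usr/sbin/tcpd in.rshd
tftp    dgram  udp wait   root   /usr/sbin/tcpd in.tftpd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
daytime stream tcp nowait root   internal
EOF

audit_inetd "$SAMPLE"
```

Review the output of disable_extra before replacing the live file, and signal inetd to reload its configuration afterwards.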

Linux has two kinds of service. One kind runs only when needed, such as the finger service; the other runs continuously. Services of the second kind start when the system boots, so they cannot be stopped by changing inetd; you have to modify /etc/rc.d/rc[n].d/ by hand or with a runlevel editor. The NFS server, which provides file services, and the NNTP service, which provides news, belong to this kind; if they are not needed, it is best to disable them.

Second, limit access to the system

Before using a Linux system, every user must log in: the user enters a user ID and password, and only after the system has verified them is the user allowed in.

As with other Unix operating systems, Linux generally encrypts passwords and stores them in the /etc/passwd file. Every user on the system can read /etc/passwd, so although the stored passwords are encrypted, they are still not safe: an ordinary user can run existing password-cracking tools and guess passwords by brute force. A safer approach is to use the shadow file /etc/shadow, which only users with special permission are allowed to read.

On Linux, adopting the shadow file means all utilities must be recompiled to support it. That is cumbersome; a simpler approach is to use Pluggable Authentication Modules (PAM). Many Linux systems ship with PAM, an authentication mechanism that lets authentication methods and requirements be changed dynamically without recompiling other utilities. This works because PAM encapsulates all authentication-related logic inside its modules, which makes it the best companion to the shadow file.

PAM also has many other security features: it can replace the traditional DES encryption with stronger encryption methods so that user passwords are not easily cracked; it can set an upper limit on the computer resources each user may use; and it can even restrict the times and places from which a user may log in.

A Linux system administrator needs only a few hours to install and configure PAM, which greatly improves the security of the system and keeps many attacks out.
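To see whether a host still has the weaknesses this section describes, an administrator can inspect the password field of each account. The following is an added example, not part of the original article: it reports accounts whose hash is stored in a passwd-style file instead of being shadowed, and names the scheme from the crypt(3) prefix (13 characters with no prefix is traditional DES). The function names are hypothetical, and the sample entries and hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: find accounts whose password field is not shadowed
# and identify the hash scheme in use.

# Classify one password field by its crypt(3) prefix.
hash_scheme() {
    case "$1" in
        x)        echo shadowed ;;   # real hash lives in /etc/shadow
        '')       echo empty ;;      # no password at all
        '*'|'!'*) echo locked ;;
        '$1$'*)   echo md5 ;;
        '$5$'*)   echo sha256 ;;
        '$6$'*)   echo sha512 ;;
        '$'*)     echo other ;;
        *)        [ ${#1} -eq 13 ] && echo des || echo unknown ;;
    esac
}

# Print "user:scheme" for every entry that is neither shadowed nor locked.
audit_passwd() {
    while IFS=: read -r user pw _rest; do
        scheme=$(hash_scheme "$pw")
        case "$scheme" in
            shadowed|locked) ;;
            *) echo "$user:$scheme" ;;
        esac
    done < "$1"
}

# Constructed sample in /etc/passwd format; the hashes are placeholders.
PW_SAMPLE=$(mktemp)
cat > "$PW_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:abCONSTRUCTED:1000:1000::/home/alice:/bin/sh
bob:$1$saltsalt$CONSTRUCTEDPLACEHOLDER:1001:1001::/home/bob:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
daemon:*:2:2:daemon:/:/sbin/nologin
EOF

audit_passwd "$PW_SAMPLE"
```

The same hash_scheme function can be pointed at the second field of /etc/shadow (as root) to find accounts still using DES or MD5 after a stronger scheme has been configured in PAM.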

Third, keep the system kernel up to date

Linux is distributed through many channels, and updated programs and system patches appear frequently, so to strengthen system security be sure to update the system kernel regularly.

The kernel is the core of the Linux operating system. It stays resident in memory, loads the other parts of the operating system, and implements the operating system's basic functions. Because the kernel controls the various functions of the computer and the network, its security is critical to the security of the whole system.

Early kernel versions have many well-known security vulnerabilities and are also less stable; only the 2.0.x version is relatively stable and secure, and the new version also runs much more efficiently. When configuring kernel features, select only the ones you need and do not accept every feature; otherwise the kernel becomes very large, which not only takes up system resources but also leaves hackers an opening.

The latest security patches are often published on the Internet. Linux system administrators should stay well informed, visit security newsgroups frequently, and pick up new patches.

Fourth, strengthen security tools

SSH is short for Secure Sockets Layer; it is a set of utilities that can safely be used in place of rlogin, rsh, rcp and the like. SSH uses public-key cryptography to encrypt the traffic between two hosts on the network and uses its keys as an authentication tool.

Because SSH encrypts information on the network, it can be used to log in to a remote host securely and to send information securely between two hosts. In fact, SSH not only protects communication between Linux hosts; Windows users can also connect to a Linux server securely over SSH.

Fifth, limit the power of the superuser

As mentioned earlier, root is the focus of protection on Linux. Because its power is unlimited, superuser authority should not be handed out lightly. However, some installation and maintenance tasks do require superuser privileges; in that case, other tools can give such users part of the superuser's privileges. Sudo is one such tool.

Once configured, sudo lets an ordinary user log in once more with the user's own password and obtain superuser privileges, but only to execute a limited set of commands.

Sixth, set security levels for user accounts

Besides passwords, user accounts also have security levels. Each account on Linux can be given different permissions, so when creating a new user ID the system administrator should grant the account permissions according to need and place it in the appropriate user group.

With tcpd on a Linux system, you can set lists of who is and is not allowed on the machine. The allow list is set in /etc/hosts.allow and the deny list in /etc/hosts.deny. After the setup is complete, restart the inetd program for it to take effect. Linux also automatically records each allowed or refused entry in the /var/log/secure file, which the system administrator can use to identify suspicious entry records.
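Reviewing that log by hand does not scale, so the refusals are worth summarising per source host. The following is an added example, not part of the original article: it counts refused connections per host and lists the services each host tried. It assumes tcpd's usual syslog wording "refused connect from <host>"; the function name and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise tcpd refusals found in a secure log.
# Assumption: tcpd logs "refused connect from <host>" through syslog.
# A default-deny policy that produces such entries would look like:
#   /etc/hosts.deny :  ALL: ALL
#   /etc/hosts.allow:  in.ftpd: 192.0.2.

# $1 = log file, $2 = minimum number of refusals to report (default 1)
# Prints "<count> <host> <services>" with the busiest host first.
refused_by_host() {
    awk -v min="${2:-1}" '
        / refused connect from / {
            host = $NF
            svc = $5; sub(/\[.*/, "", svc)   # "in.telnetd[2101]:" -> "in.telnetd"
            count[host]++
            # remember each distinct service this host was refused on
            if (index("," seen[host] ",", "," svc ",") == 0)
                seen[host] = (seen[host] == "" ? svc : seen[host] "," svc)
        }
        END {
            for (h in count)
                if (count[h] >= min) print count[h], h, seen[h]
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log lines (documentation address ranges).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Feb 22 10:01:12 srv in.telnetd[2101]: refused connect from 203.0.113.7
Feb 22 10:01:13 srv in.telnetd[2102]: refused connect from 203.0.113.7
Feb 22 10:01:15 srv in.ftpd[2104]: connect from 192.0.2.10
Feb 22 10:02:40 srv in.ftpd[2110]: refused connect from 203.0.113.7
Feb 22 10:05:02 srv in.fingerd[2121]: refused connect from 198.51.100.23
EOF

refused_by_host "$LOG"
```

A host that is refused on several different services in a short time, like the first one in the sample, is the kind of record worth investigating first.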

Every account ID should have a person responsible for it. In a business, when the employee responsible for an ID leaves, the administrator should remove the account from the system immediately. Many intrusions make use of accounts that have gone unused for a long time.

Of all user accounts, hackers like accounts with root privileges best: the superuser has the right to modify or delete all kinds of system settings and can move through the system unimpeded. So think carefully before giving root privileges to any account.

The /etc/securetty file on a Linux system contains the set of terminal names from which the root account can log in. For example, on Red Hat Linux the file's initial contents allow only the local virtual consoles (rtys) to log in with root privileges and do not allow remote users to log in as root. It is best not to modify this file; if you must log in remotely with root privileges, first log in with an ordinary account and then use the su command to become superuser.

Do these six things and you can swim safely in the Linux system and enjoy a personalized operating system.

Origin www.cnblogs.com/20560838q/p/12346065.html