Thanks to its rich functionality and reliable stability, the Linux operating system is attracting more and more users. While learning and using Linux, the author has collected and organized some tips for Linux security management, and now shares them here. I would like to ask all netizens to continue to supplement and improve them.
1. Make a complete backup of the system
To guard against situations in which the system can no longer run normally, we should keep an intact backup of the Linux system. The best time to back up the entire system is immediately after installation is complete. Later we can verify the integrity of the system against this backup and find out whether system files have been modified without authorization. If system files have been corrupted, the backup can also be used to restore the system to a normal state. When backing up, we can write the complete system information to a CD-ROM disc and then regularly compare the running system with the contents of the disc to verify that its integrity has not been damaged. Where the required security level is particularly high, the disc can be made bootable and the verification can be made part of the system startup process. As long as the system boots successfully from the CD, the verification has passed and the system has not yet been tampered with.
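As an added example (not part of the original article), the following Python script builds a SHA-256 manifest of a directory tree and later compares the live system against that baseline, which is the verification step the text describes; the file names and contents in demo() are constructed, and in real use the baseline would be written to the read-only disc.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def build_manifest(root: str) -> Dict[str, str]:
    """Walk root and return {relative_path: sha256} for every regular file.
    The result is the baseline to store on read-only media (e.g. the CD)."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) paths relative to the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed demonstration: baseline a tiny fake system tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_manifest(root)
        # Simulated tampering: a replaced binary and an unexpected new file
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned login binary")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"unexpected")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())  # → (['bin/login'], ['bin/extra'], [])
```

The comparison is only trustworthy if the baseline itself is stored where the running system cannot alter it, which is why the text recommends a disc.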
2. Improve the log server
Moving the system's log server to a separate machine raises the security level of the system, and replacing Linux's own logging tool with a more secure log server improves it further. In a large Linux network it is best to dedicate a separate server to the syslog service. It must be a server that can meet the logging needs of all systems and has sufficient disk space, and no other service should run on it. A more secure log server greatly weakens an intruder's ability to tamper with the logs of the system.
3. Create read-only attributes for key partitions
The Linux file system can be divided into several main partitions, each configured and mounted separately. In general, at least partitions such as /, /usr/local, /var and /home should be created. /usr can be mounted read-only and treated as immutable: if any file under /usr changes, the system should immediately raise a security alarm. This of course excludes cases where the administrator deliberately changes the contents of /usr. The same applies to the installation and configuration of /lib, /boot and /sbin. They should be mounted read-only wherever possible during installation, and any modification of their files, directories or attributes should trigger a system alarm.
Of course, not every major partition can be made read-only. Some partitions, such as /var, by their nature cannot be set read-only, but they should be mounted so that files on them cannot be executed.
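The following Python check (added here, not from the original article) parses /proc/mounts-style lines and reports partitions that lack the mount options this section and the previous paragraph call for; the REQUIRED_OPTIONS table and the SAMPLE_MOUNTS lines are constructed assumptions.

```python
from typing import Dict, List, Set

# Policy assembled from the text above (an assumption, adjust to the local layout):
# read-only for /usr and /boot, no execution on /var. /lib and /sbin can be added
# here when they are separate partitions on the system being checked.
REQUIRED_OPTIONS: Dict[str, Set[str]] = {
    "/usr": {"ro"},
    "/boot": {"ro"},
    "/var": {"noexec"},
}


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Parse /proc/mounts-style lines into {mount_point: set(mount options)}."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _device, mount_point, _fstype, options = fields[:4]
        mounts[mount_point] = set(options.split(","))
    return mounts


def check_policy(mounts: Dict[str, Set[str]], policy: Dict[str, Set[str]] = REQUIRED_OPTIONS) -> List[str]:
    """Return one finding per policy entry that is not a separate mount or lacks a required option."""
    findings = []
    for mount_point, required in policy.items():
        if mount_point not in mounts:
            findings.append(f"{mount_point}: not a separate partition")
            continue
        missing = required - mounts[mount_point]
        if missing:
            findings.append(f"{mount_point}: missing {','.join(sorted(missing))}")
    return findings


# Constructed sample of /proc/mounts: /usr is writable and /boot lives on the root partition.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,relatime 0 0
"""


def demo() -> List[str]:
    return check_policy(parse_mounts(SAMPLE_MOUNTS))


if __name__ == "__main__":
    for finding in demo():  # on a real host: parse_mounts(open("/proc/mounts").read())
        print(finding)
```

A read-only /usr must be remounted read-write for package updates, so the check belongs at the end of every maintenance window, not only at installation time.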
4. Improve the internal security mechanism of the system
We can prevent buffer overflows by improving the internal functions of the Linux operating system, which strengthens the internal security mechanism of Linux and greatly improves the security of the whole system. Exploiting a buffer overflow is quite difficult, because the intruder must be able to tell when a potential overflow will occur and where it lands in memory. Preventing buffer overflows is also very difficult: system administrators must completely remove the conditions under which they occur in order to stop this type of attack. Because of this, many people, even Linus Torvalds, consider this secure Linux patch important, because it prevents all attacks that rely on buffer overflows. It should be noted, however, that these patches can also cause compatibility problems for certain programs and libraries that execute code on the stack, which presents new challenges for system administrators.
5. Set up traps and honeypots
A trap is software that raises an alarm when it is activated, while a honeypot is a trap program designed to lure attackers into triggering a special alarm. By deploying trap and honeypot programs, the system can raise an alarm quickly when an intrusion occurs. Many large networks have purpose-built trap programs. Trap programs generally fall into two types: those that only detect the intruder without retaliating, and those that retaliate at the same time.
6. Nip intrusions in the bud
One of the most common things intruders do before an attack is to scan ports. If an intruder's port scanning can be discovered and blocked in time, the number of intrusion incidents can be greatly reduced. The reacting system can be a simple stateful packet filter, or a complex intrusion detection system or configurable firewall. We can use specialized tools such as Abacus Port Sentry to monitor network interfaces and interact with the firewall, ultimately shutting down the port scan attack. When a port scan is in progress, Abacus Port Sentry can quickly stop it from continuing. But if it is configured improperly, it can also let hostile outsiders mount a denial-of-service attack against your system. Used correctly, this software can effectively block large numbers of parallel port scans and keep out all such intruders.
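As an added example (not from the original article), this Python detector implements the kind of port-scan recognition described above over netfilter LOG lines: it flags any source that contacts more than a threshold of distinct destination ports within a sliding time window; the log lines in sample_lines() are constructed and the window and threshold values are assumptions.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Fields we need from a netfilter/iptables LOG line as written to syslog.
LOG_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s.*?\bSRC=(\S+).*?\bDPT=(\d+)")


def parse_line(line: str) -> Optional[Tuple[int, str, int]]:
    """Return (seconds_since_midnight, src_ip, dst_port), or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    hh, mm, ss, src, dport = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, int(dport)


def find_scanners(lines: List[str], window: int = 60, threshold: int = 10) -> Dict[str, int]:
    """Flag sources touching more than `threshold` distinct destination ports within any
    `window`-second span; returns {src_ip: peak_distinct_ports}. Assumes one day of logs."""
    events = defaultdict(list)  # src -> [(t, dport)]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            t, src, dport = parsed
            events[src].append((t, dport))
    scanners: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        in_window: Counter = Counter()  # dport -> hits inside the sliding window
        start = 0
        for t, dport in evs:
            in_window[dport] += 1
            while t - evs[start][0] > window:  # drop events that fell out of the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                scanners[src] = max(scanners.get(src, 0), len(in_window))
    return scanners


def sample_lines() -> List[str]:
    """Constructed sample: one host sweeping 15 ports in 15 seconds, one host using only 22 and 80."""
    fmt = "Jan 10 12:00:{:02d} gw kernel: IN=eth0 OUT= SRC={} DST=192.0.2.10 PROTO=TCP SPT=41000 DPT={}"
    lines = [fmt.format(i, "198.51.100.7", 1 + i) for i in range(15)]
    lines += [fmt.format(i, "203.0.113.5", 22 if i % 2 else 80) for i in range(30)]
    return lines
```

The threshold is what separates a scan from a busy legitimate client, and the text's warning about misconfiguration applies here too: set it too low and a blocking response can be turned against your own users.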