How to Protect Linux Server Security
Operating system security is the main consideration when installing Linux. How can we have a secure Linux server? Many network administrators who are new to Linux find it difficult to move from a point-and-click security configuration interface to one based on complex and subtle editing of text files.
Listed here are some simple steps that help an administrator secure Linux and significantly reduce risk. This article lists seven such steps, but you can also consult Linux manuals and discussion forums to find out more.
Protect the Root Account
The root account (or super-user account) on a Linux system is like a backstage pass at a Rolling Stones concert: it lets you access everything on the system. It is therefore worth taking additional steps to protect it. First, use the passwd command to give this account a password that is hard to guess, and change it regularly; knowledge of this password should be limited to a few key people within the company (ideally, only two).
Then edit the /etc/security file to restrict the terminals from which root access is allowed. To avoid leaving a root terminal "open", set the local variable TMOUT to define an idle timeout for active root logins, and set the local variable HISTFILESIZE to 0 so that root's command history file (which may contain confidential information) is disabled. Finally, establish a mandatory policy that this account is used only for specific administrative tasks, and prevent users from logging in as root by default.
Tip: After closing these loopholes, require every ordinary user account to set a password, and make sure passwords are not easily guessed ones such as birthdays, user names, or words found in a dictionary.
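One way to check the TMOUT and HISTFILESIZE settings described above (an added example, not part of the original article). The function name, the finding labels and both sample profiles are constructed; the article does not say which profile file holds the settings, so the profile text is read from standard input.

```sh
#!/bin/sh
# Added example: audit a root shell profile for the idle timeout and history settings.

audit_root_profile() {
    # stdin: profile text; $1: longest idle timeout (seconds) that policy accepts
    awk -v max="$1" '
        { sub(/^[ \t]*((export|readonly)[ \t]+)?/, "") }   # drop a leading keyword
        /^TMOUT=[0-9]+/  { split($1, kv, "="); tmout = kv[2] + 0 }
        /^HISTFILESIZE=/ { split($1, kv, "="); hist = kv[2]; hist_set = 1 }
        END {
            if (tmout == 0)       print "tmout-missing"
            else if (tmout > max) print "tmout-too-long " tmout
            if (!hist_set || hist != "0") print "history-kept"
        }
    '
}

weak_profile() {       # constructed sample
    cat <<'EOF'
# root profile with a one-hour timeout and history kept on disk
export TMOUT=3600
HISTFILESIZE=500
EOF
}

hardened_profile() {   # constructed sample
    cat <<'EOF'
TMOUT=300
readonly TMOUT
HISTFILESIZE=0
EOF
}

weak_profile | audit_root_profile 600       # reports both problems
hardened_profile | audit_root_profile 600   # prints nothing
```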
Install a Firewall
A firewall helps you filter the data packets reaching the server and ensures that only packets matching predefined rules can access the system. There are many excellent firewalls for Linux, and firewall code can even be compiled directly into the system kernel. First, use the ipchains or iptables command to define input, output and forwarding rules for packets entering and leaving the network. Rules can be based on IP address, network interface, port, protocol, or a combination of these attributes. Each rule also specifies the action to take on a match (accept, reject, forward). After setting the rules, inspect the firewall in detail to make sure it has no holes. The firewall is your first line of defense against common attacks such as distributed denial of service (DDoS).
Use OpenSSH for Network Services
Securing data transmitted over the network is an important issue for any client-server architecture. If network services transmit in plain text, a hacker could "sniff" the traffic to obtain confidential information. You can close this loophole by using a secure-shell application such as OpenSSH to build an "encrypted" channel for data transfer. When the connection is encrypted in this way, it is difficult for unauthorized users to read the data passing between network hosts.
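The detailed inspection step can be partly automated. The following added example (not from the original article) reads a ruleset in iptables-save format and reports permissive default policies and accepted ports that are not on an allowlist; the function names, finding labels and sample ruleset are constructed.

```sh
#!/bin/sh
# Added example: review an iptables-save dump for permissive policies and stray ports.

audit_ruleset() {
    # stdin: iptables-save output; $1: space-separated inbound ports policy allows
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Chain headers look like ":INPUT ACCEPT [0:0]"; flag a permissive default.
        /^:(INPUT|FORWARD) / && $2 != "DROP" { print "policy " substr($1, 2) " " $2 }
        # ACCEPT rules on INPUT: report each destination port missing from the allowlist.
        /^-A INPUT / && / -j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    m = split($(i + 1), p, ",")
                    for (k = 1; k <= m; k++)
                        if (!(p[k] in ok)) print "open-port " p[k]
                }
        }
    '
}

sample_ruleset() {   # constructed sample in iptables-save format
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22 -j ACCEPT
COMMIT
EOF
}

# Only SSH (22) is approved: the open INPUT policy, telnet and FTP are reported.
sample_ruleset | audit_ruleset "22"
```

On a live host the same function can be fed the output of `iptables-save`, run as root.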
Disable Unnecessary Services
On most Linux systems, a variety of services are already active after installation, such as FTP, telnet, UUCP, ntalk and so on. In most cases we rarely use them. Leaving them active is like leaving a window open and giving a thief the opportunity to slip in. You can remove these services from the /etc/inetd.conf or /etc/xinetd.conf file and then restart the inetd or xinetd daemon to disable them. In addition, some services (such as database servers) may start by default during boot; you can disable these by editing the /etc/rc.d/* directory hierarchy. Many experienced administrators disable all system services, leaving only the SSH communication ports.
Use Spam and Anti-virus Filters
Spam and viruses are a nuisance to users and can sometimes cause serious network failures. Linux has strong resistance to viruses, but client computers running Windows may be more vulnerable to virus attacks. It is therefore a good idea to install spam and virus filters on the mail server to "stop" suspicious messages and reduce the risk of a chain of failures.
First, install SpamAssassin, an open-source tool for identifying and marking spam; the program supports user-based whitelisting and greylisting to improve accuracy. Then install user-level filtering based on regular expressions; this tool can automatically filter e-mail arriving in the inbox. Finally, install Clam Anti-Virus; this free anti-virus tool integrates with Sendmail and SpamAssassin and supports scanning of e-mail attachments.
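The inetd.conf clean-up described above, as an added example that is not part of the original article: one function lists the active entries that are not approved and can also emit the file with those entries commented out. The function name, its two modes and the sample file are constructed.

```sh
#!/bin/sh
# Added example: find and disable inetd services that are not on an allowlist.

inetd_audit() {
    # $1: "list"    -> print each active service that is not approved
    #     "disable" -> print the whole file with those entries commented out
    # $2: space-separated approved service names; stdin: inetd.conf contents
    awk -v mode="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Comments and blank lines are never services; keep them when rewriting.
        /^[ \t]*#/ || /^[ \t]*$/ { if (mode == "disable") print; next }
        !($1 in ok) {
            if (mode == "list") { print $1 } else { print "#" $0 }
            next
        }
        mode == "disable" { print }
    '
}

sample_inetd_conf() {   # constructed sample, not taken from a real host
    cat <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
ntalk   dgram   udp  wait    root  /usr/sbin/tcpd  in.talkd

EOF
}

# Nothing is approved here, so every active entry is reported.
sample_inetd_conf | inetd_audit list ""
# After rewriting, a second audit finds no active entries.
sample_inetd_conf | inetd_audit disable "" | inetd_audit list ""
```

On a real host, review the output of `inetd_audit disable "" < /etc/inetd.conf` before installing it, then restart inetd as the article describes.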
Install an Intrusion Detection System
Intrusion detection systems (IDS) are early-warning systems that help you learn about changes on the network. They can accurately identify (and prove) attempts to intrude on the system, though at the price of increased resource consumption and false leads. You can try two fairly well-known IDSs: tripwire, which tracks file signatures to detect changes; and snort, which uses rule-based instructions to analyze packets in real time, searching for and identifying attempts to probe or attack the system. Both systems can generate e-mail alerts (and other actions); you can use them when you suspect your network is under a security threat and need firm evidence.
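To show how tracking file signatures detects changes, here is an added example (not from the original article and not Tripwire's own implementation) that records SHA-256 hashes of a directory tree and compares a later snapshot against that baseline. It assumes GNU sha256sum; the function names and the scratch files are constructed.

```sh
#!/bin/sh
# Added example: the file-signature idea behind Tripwire, reduced to sha256sum.

snapshot() {
    # Print "<sha256>  <path>" for every regular file under $1.
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

compare_snapshots() {
    # $1: trusted baseline, $2: current snapshot (two different files from snapshot)
    awk '
        { hash = $1; path = substr($0, 67) }     # 64 hex digits + 2 separator chars
        FILENAME == ARGV[1] { base[path] = hash; next }
        {
            seen[path] = 1
            # Appending "" forces a string comparison even for an all-digit hash.
            if (!(path in base))                   { print "added " path }
            else if ((base[path] "") != (hash "")) { print "changed " path }
        }
        END { for (p in base) if (!(p in seen)) print "removed " p }
    ' "$1" "$2" | sort
}

demo_tamper_check() {
    # Constructed files in a scratch directory stand in for monitored system files.
    tree=$(mktemp -d); base=$(mktemp); now=$(mktemp)
    printf 'port=22\n' > "$tree/app.conf"
    printf 'welcome\n' > "$tree/motd"
    snapshot "$tree" > "$base"               # baseline, taken while the host is trusted
    printf 'port=2222\n' > "$tree/app.conf"  # content change
    rm "$tree/motd"                          # deletion
    printf 'x\n' > "$tree/notes.txt"         # new file
    snapshot "$tree" > "$now"
    compare_snapshots "$base" "$now"
    rm -rf "$tree" "$base" "$now"
}

demo_tamper_check
```

The comparison is only as trustworthy as the baseline, so keep the baseline file somewhere an intruder on the monitored host cannot rewrite it.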