Top Strategies for Password Management in Linux Enterprise Security

Tangdou’s thoughtful reminder: This article on password management takes 8 minutes to read.

With the rise of the open-source system Linux, its application in medium and large enterprises is gradually becoming widespread. Many enterprise applications are built on it, such as web services, database services, cluster services, and more.

Therefore, the security of Linux has become a fundamental aspect of building secure enterprise applications, and it is of the utmost importance. How to protect it is a basic issue that every enterprise must address. With that in mind, this article presents ten key points for protecting enterprise-level Linux servers.

1. Strengthen: Password Management

Setting a login password is a very important security measure. If a user's password is chosen poorly, it can be cracked easily, and this is especially serious for accounts with superuser privileges. A weak password opens a significant security hole in the system.

Currently, most password cracking programs rely on dictionary attacks and brute force. A poorly chosen password is highly susceptible to a dictionary attack: many users build passwords from their English name, birthday, or account details, which an attacker can recover through a dictionary attack or social engineering. Users should therefore choose character combinations that do not appear in any dictionary and mix digits, symbols, and uppercase and lowercase letters, which makes the password much harder to crack. In addition, changing passwords regularly and having them expire periodically protects the login password over time.

On a multi-user system, forcing every user to choose a hard-to-guess password greatly improves security. If the passwd program cannot enforce an appropriate password for every user, however, the only remaining way to ensure password security is to audit the passwords with a password cracking program. Password cracking programs are in fact a standard tool in an attacker's toolbox: they hash commonly used passwords, or every word in an English dictionary, and compare the results against the hashes stored in the Linux system's /etc/passwd password file or /etc/shadow shadow file; a match reveals the plaintext password. Many such programs are available on the internet, the best known being Crack and John the Ripper. Administrators can run a password cracker against their own system to find the passwords an attacker would crack easily and have them corrected in advance, which is far better than having them cracked by an intruder.

2. Limit: Network Service Management

In early versions of Linux, each network service had its own daemon running in the background. Later versions used a single inetd server program to take on this responsibility. inetd is short for Internet daemon: it listens on multiple network ports simultaneously and, when a connection arrives from outside, starts the corresponding TCP or UDP network service. Because inetd coordinates them centrally, most TCP and UDP services in Linux are configured in the /etc/inetd.conf file. The first step in disabling unnecessary services is therefore to review /etc/inetd.conf and put a "#" in front of every service that is not wanted.

Generally speaking, every service other than http, smtp, telnet, and ftp should be disabled, for example the trivial file transfer protocol tftp, the imap/ipop protocols used for storing and retrieving network mail, gopher used for finding and searching information, and daytime and time used for time synchronization. There are also services that report system status, such as finger, efinger, systat, and netstat. They are very useful for troubleshooting and locating users, but they also open a convenient door for attackers: the finger service, for example, can reveal users' phone numbers, home directories, and other sensitive information. Many Linux systems therefore disable all or part of these services to enhance security. Besides /etc/inetd.conf for the service entries, inetd also uses the /etc/services file to look up the port used by each service, so the port settings in that file must be checked carefully as well to avoid security holes.

In later Linux versions (such as Red Hat Linux 7.2 and later), network services are managed by xinetd instead.

Of course, exactly which services to disable cannot be generalized and must be decided by the actual application. Administrators do, however, need to know precisely which services are enabled, so that when a security problem occurs they can check for exposure and carry out remediation in an orderly way; this is quite important.
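As an added illustration of the steps above (this script is not from the original article), the following POSIX shell functions comment out every inetd.conf entry that is not on a keep list, list what remains enabled, and set "disable = yes" in an /etc/xinetd.d stanza for the xinetd case. The sample inetd.conf and xinetd files are constructed for the demonstration; the functions read from standard input and write to standard output, so they can be run against a copy before the real files are replaced.

```shell
#!/bin/sh
# Added example (not from the article): disable unwanted inetd/xinetd services.

# harden_inetd_conf "KEEP LIST" < inetd.conf : comment out every enabled service whose
# name is not in the space-separated keep list; comments and blank lines pass through
harden_inetd_conf() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # already disabled or blank
        ($1 in allow)                        { print; next }   # wanted service stays enabled
                                             { print "#" $0 }  # everything else is disabled
    '
}

# list_enabled_services < inetd.conf : print the name of every enabled service
list_enabled_services() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ { print $1 }'
}

# xinetd_disable < /etc/xinetd.d/NAME : set "disable = yes" in the single service stanza,
# adding the line after the opening brace if the stanza has none
xinetd_disable() {
    awk '
        { line[NR] = $0; if ($0 ~ /^[[:space:]]*disable[[:space:]]*=/) has = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                if (line[i] ~ /^[[:space:]]*disable[[:space:]]*=/) sub(/=.*/, "= yes", line[i])
                print line[i]
                if (!has && line[i] ~ /^[[:space:]]*[{]/) print "\tdisable\t= yes"
            }
        }
    '
}

# Constructed sample /etc/inetd.conf
SAMPLE_INETD='# constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
daytime stream  tcp     nowait  root    internal'

# Constructed sample /etc/xinetd.d/tftp
SAMPLE_XINETD='service tftp
{
    socket_type = dgram
    protocol    = udp
    disable     = no
    server      = /usr/sbin/in.tftpd
}'

printf '%s\n' "$SAMPLE_INETD" | harden_inetd_conf "ftp telnet smtp http"
printf '%s\n' "$SAMPLE_XINETD" | xinetd_disable
```

With the keep list from the text ("ftp telnet smtp http"), finger, tftp and daytime come out commented while the already-disabled shell entry is left alone; after either change the daemon still has to be told to reread its configuration (a HUP signal for inetd, a restart for xinetd).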

3. Strict Audit: System Login User Management

Before entering the Linux system, every user must log in by entering a user account and password; only after passing the system's verification can they enter the system.

Like other Unix operating systems, Linux traditionally stores encrypted (hashed) passwords in the /etc/passwd file. Every user on the system can read /etc/passwd, and although the stored passwords are encrypted, this is still not very secure, because an ordinary user can feed the file to an existing password cracking tool and guess passwords by brute force. A safer method is to use a shadow file, /etc/shadow, which only users with special permissions can read.

To use shadow files on a Linux system, every utility that handles passwords would have to be recompiled with shadow support. This is cumbersome; a simpler method is the Pluggable Authentication Module (PAM). Many Linux systems ship with PAM, an authentication mechanism that lets the authentication method and its requirements be changed dynamically without recompiling other utilities. PAM achieves this by encapsulating all authentication logic inside its modules, which makes it the best aid for adopting shadow files.

PAM has many other security features as well: it can replace traditional DES-based password encryption with stronger algorithms so that user passwords are not cracked easily; it can set upper limits on the computer resources each user may consume; and it can even restrict the times and locations from which a user may log in.

Linux system administrators only need to spend a few hours installing and setting up PAM to greatly improve the security of the Linux system and block many attacks outside the system.
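The weaknesses described in section 1 (guessable, never-expiring passwords) and in this section (a world-readable password file, legacy DES hashes) can be checked for on a running system. The following POSIX shell script is an added example, not part of the original article: it audits a shadow-format file for empty password fields, legacy DES and MD5 hashes that a cracker handles quickly, accounts whose passwords never expire, and a shadow file that other users can read. The sample shadow lines and hash strings are constructed placeholders, and the 90-day maximum age is an assumed policy value.

```shell
#!/bin/sh
# Added example (not from the article): audit a shadow-format password file.
# Fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
MAX_DAYS=90   # assumed policy: passwords older than this must be changed

# classify_hash HASH : print the hash scheme implied by the crypt(3) prefix
classify_hash() {
    case "$1" in
        '')            echo empty ;;
        '!'*|'*'*)     echo locked ;;
        '$6$'*)        echo sha512 ;;
        '$5$'*)        echo sha256 ;;
        '$y$'*|'$7$'*) echo yescrypt ;;
        '$2'*)         echo bcrypt ;;
        '$1$'*)        echo md5 ;;
        '$'*)          echo unknown ;;
        *)  # 13 characters with no "$" prefix is the traditional DES crypt(3) format
            if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# audit_shadow < shadow-file : print "user:finding" for every weakness found
audit_shadow() {
    while IFS=: read -r user hash lastchg min max warn inactive expire reserved; do
        case "$user" in ''|'#'*) continue ;; esac
        case "$(classify_hash "$hash")" in
            locked) continue ;;                     # no login possible; skip aging checks
            empty)  echo "$user:empty-password" ;;
            des)    echo "$user:legacy-des-hash" ;;
            md5)    echo "$user:weak-md5-hash" ;;
        esac
        # an empty or 99999 max field means the password never expires
        if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
            echo "$user:no-expiry"
        elif [ "$max" -gt "$MAX_DAYS" ]; then
            echo "$user:max-days-$max-exceeds-$MAX_DAYS"
        fi
    done
}

# shadow_mode_ok FILE : succeed only if "other" users have no permission bits on FILE
shadow_mode_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Constructed sample; the hash strings are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhashconstructedhashconstructedhashconstructedhash:19000:0:99999:7:::
alice:$6$constructedsalt$constructedhashconstructedhashconstructedhashconstructedhash:19000:7:60:14:::
bob:$1$salt1234$constructedmd5hash0000:19000:0:180:7:::
carol::19000:0:99999:7:::
dave:ab7Lz9eTgUqXw:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::'

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On a real system the audit is run as root with `audit_shadow < /etc/shadow` and `shadow_mode_ok /etc/shadow`; findings such as no-expiry are fixed with `chage -M 90 user`, and legacy hashes disappear once the user changes their password under a PAM configuration that selects a modern algorithm.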

4. Set: User Account Security Level Management

In addition to passwords, user accounts also have security levels, because each account on Linux can be assigned different permissions. When creating a new user ID, the system administrator should therefore grant the account only the permissions it needs and place it in the appropriate user groups.

Certain files in the Linux system hold lists of allowed and denied hosts. The allowed list is set in /etc/hosts.allow and the denied list in /etc/hosts.deny. In addition, Linux automatically records each allowed or denied access attempt in the /var/log/secure file, which administrators can use to find suspicious access records.

Each account ID should have a designated person responsible for it. In an enterprise, when the employee responsible for an ID leaves, the administrator should delete the account from the system immediately; many intrusions make use of accounts that have gone unused for a long time.

Among user accounts, hackers prefer accounts with root privileges. This superuser has the right to modify or delete various system settings and can move freely within the system. Therefore, before granting root privileges to any account, careful consideration must be given.

The /etc/securetty file in the Linux system lists the terminals from which the root account may log in. In Red Hat Linux, for example, the default contents of this file only allow root logins from the local virtual consoles (ttys) and not from remote users. It is best not to modify this file. If you must work remotely as root, log in with a regular account first and then use the su command to become the superuser.
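The hosts.allow/hosts.deny mechanism mentioned above (tcp_wrappers) is easy to misconfigure because of its evaluation order, so the following POSIX shell script, an added example that is not part of the original article, models that order: hosts.allow is consulted first and a match allows; otherwise hosts.deny is consulted and a match denies; if neither file matches, access is allowed. Only the ALL wildcard, exact addresses and trailing-dot prefixes such as "10.0.0." are modelled; netmasks, hostnames and EXCEPT clauses, which tcp_wrappers also supports, are left out. The sample rule files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): model how tcp_wrappers evaluates
# /etc/hosts.allow and /etc/hosts.deny for a given daemon and client address.
# Only ALL, exact addresses and trailing-dot prefixes are modelled here.

# match_daemon "LIST" DAEMON : succeed if DAEMON is covered by the comma-separated list
match_daemon() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$pat" = ALL ] || [ "$pat" = "$2" ]; then return 0; fi
    done
    return 1
}

# match_client "LIST" ADDR : succeed if ADDR is covered by the comma-separated list
match_client() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;   # "10.0.0." matches 10.0.0.x
            *)   if [ "$pat" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# rules_match FILE DAEMON ADDR : succeed if any "daemons : clients" line in FILE matches
rules_match() {
    [ -e "$1" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if match_daemon "$daemons" "$2" && match_client "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpwrap_decision ALLOW_FILE DENY_FILE DAEMON ADDR : print allow or deny
tcpwrap_decision() {
    if rules_match "$1" "$3" "$4"; then
        echo allow            # hosts.allow is consulted first and wins
    elif rules_match "$2" "$3" "$4"; then
        echo deny
    else
        echo allow            # no rule matched: tcp_wrappers allows by default
    fi
}

# write_sample_rules DIR : constructed hosts.allow / hosts.deny for the demonstration
write_sample_rules() {
    cat > "$1/hosts.allow" <<'EOF'
# only the admin network may reach sshd; finger only from the loopback address
sshd: 10.0.0.
in.fingerd: 127.0.0.1
EOF
    printf 'ALL: ALL\n' > "$1/hosts.deny"   # deny everything not explicitly allowed
}

demo_dir=$(mktemp -d)
write_sample_rules "$demo_dir"
for client in 10.0.0.25 192.168.1.5; do
    printf 'sshd from %s: %s\n' "$client" \
        "$(tcpwrap_decision "$demo_dir/hosts.allow" "$demo_dir/hosts.deny" sshd "$client")"
done
rm -rf "$demo_dir"
```

The point the model makes visible is the last branch of tcpwrap_decision: without an "ALL: ALL" line in hosts.deny, anything not mentioned in hosts.allow is still admitted, so the deny file is what turns the allow list into an actual restriction.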

5. Use Cautiously: “r Series” Remote Program Management

The Linux system includes a series of utilities whose names begin with r, such as rlogin and rcp. They are very easy for attackers to exploit to break into a system, which makes them very dangerous, so the root account must never be opened to them. Since these utilities grant access based on the .rhosts file or the hosts.equiv file, make sure the root account is not listed in either of those files.

Because the r commands and similar remote commands are a favourite way for attackers to get at a system, many security tools are designed to close this hole. The PAM tool, for example, can effectively prohibit the r-prefixed utilities: adding an entry to the /etc/pam.d/rlogin file that requires regular authentication first prevents any user from gaining access through the .rhosts file in their home directory.

6. Restrict: Root User Privilege Management

Root has always been the focus of Linux protection. Because it has unlimited power, superuser privileges should never be granted lightly. Some program installation and maintenance work does, however, require superuser privileges, and in that case another tool can give such users a limited portion of those privileges. Sudo is such a tool.

Once configured, the sudo program lets an ordinary user re-authenticate with their own password and obtain superuser privileges, but only to execute a limited set of commands. For example, with sudo the administrator responsible for tape backups can log in every day at the scheduled time and obtain superuser privileges to perform the backup, without gaining the right to do anything else that only the superuser can do.

Sudo not only limits user privileges but also records every command executed through it, whether the command succeeded or failed. In a large enterprise, many people often manage different parts of a Linux system at the same time, and each administrator can use sudo to delegate specific superuser privileges to particular users. From the sudo log you can track who did what and which parts of the system were changed.

It is worth noting that sudo cannot restrict all user behaviour; in particular, simple commands that are allowed without restriction can be abused by an attacker. For example, the cat command is normally used to display file contents, but if it can be run with superuser privileges an attacker can use it to tamper with or delete important files.
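The caveat above can be checked mechanically. The following POSIX shell script is an added example, not from the original article: it reads a sudoers file and flags user specifications that grant ALL commands (with or without a password) or that grant commands such as cat or an editor, which amount to root-level access to any file. The sample sudoers is constructed; its backupop rule shows the restricted pattern the text recommends (a command alias plus sudo's logfile and log_output options), while the webadmin and helpdesk rules are the kind the lint should report. Cmnd_Alias names are not expanded, so commands hidden behind an alias are not inspected.

```shell
#!/bin/sh
# Added example (not from the article): a minimal lint for sudoers user specifications.
# Cmnd_Alias names are not expanded, so aliased command lists are not inspected.

RISKY_COMMANDS="cat vi vim nano less more sh bash su"

# is_risky_command PATH : succeed if the command's basename is in RISKY_COMMANDS
is_risky_command() {
    base=${1##*/}
    for r in $RISKY_COMMANDS; do
        if [ "$r" = "$base" ]; then return 0; fi
    done
    return 1
}

# trim STRING : strip leading and trailing whitespace
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# sudoers_lint < sudoers : print "line N: user: finding" for each risky specification
sudoers_lint() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*|Defaults*|Cmnd_Alias*|User_Alias*|Host_Alias*|Runas_Alias*) continue ;;
        esac
        who=${line%%[[:space:]]*}               # first field: user, %group or alias
        if [ "$who" = root ]; then continue; fi # root already has everything
        cmds=${line#*=}                         # everything after "hosts="
        case "$cmds" in \(*) cmds=${cmds#*\)} ;; esac   # drop the "(runas)" group
        tags=""
        case "$cmds" in *:*) tags=${cmds%%:*}; cmds=${cmds#*:} ;; esac   # NOPASSWD: etc.
        cmds=$(trim "$cmds")
        if [ "$cmds" = ALL ]; then
            case "$tags" in
                *NOPASSWD*) echo "line $n: $who: passwordless-unrestricted" ;;
                *)          echo "line $n: $who: unrestricted" ;;
            esac
            continue
        fi
        set -f                                  # no globbing while splitting the list
        old_ifs=$IFS; IFS=','
        for entry in $cmds; do
            IFS=$old_ifs
            cmd=$(trim "$entry"); cmd=${cmd%% *}    # command path without its arguments
            if is_risky_command "$cmd"; then
                echo "line $n: $who: file-or-shell-access: $cmd"
            fi
        done
        IFS=$old_ifs
        set +f
    done
}

# Constructed sample /etc/sudoers for the demonstration
SAMPLE_SUDOERS='# constructed sample /etc/sudoers
Defaults    logfile="/var/log/sudo.log"
Defaults    log_input, log_output
Cmnd_Alias  BACKUP = /usr/bin/tar -cf /backup/home.tar /home, /usr/sbin/dump -0u /dev/sda1
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
backupop    ALL=(root) NOPASSWD: BACKUP
webadmin    ALL=(ALL) NOPASSWD: ALL
helpdesk    ALL=(root) /bin/cat, /usr/bin/vim'

printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_lint
```

Run against the real file with `sudoers_lint < /etc/sudoers` (and each file under /etc/sudoers.d); any rule it reports should be narrowed to a command alias with fixed arguments, as the backupop rule is, and `visudo -c` should be used to syntax-check the result before it goes live.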

7. Track Hacker Traces: Log Management

When administrators carefully configure the various Linux settings (most commonly the log management options) and install the necessary security tools, the security of the Linux operating system does improve greatly, but this still cannot guarantee that a more skilled network attacker will be kept out.

In normal operation, network administrators should always be vigilant, pay attention to anything suspicious, and check the various system log files regularly, including the general message log, the network connection log, the file transfer log, and the user login log. When checking these logs, look for records that do not make sense, for example:

Normal users logging in at three in the morning;

Abnormal log records, such as logs being cut off halfway or the entire log file being deleted;

Users entering the system from unfamiliar network addresses;

Records of access being rejected because of an incorrect password or user account, especially repeated failed attempts that follow a recognizable trial-and-error pattern;

Illegal or improper use of the su command to obtain superuser privileges;

Records of rebooting or restarting various services.

Spotting these issues requires administrators to keep a constant eye on which users are logged in and to check the corresponding log files. Any clue that deviates from normal behaviour deserves close attention.
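Several of the patterns in the list above can be extracted from /var/log/secure with a few awk one-liners. The following POSIX shell script is an added example, not part of the original article: it reports sources with repeated failed passwords, successful logins outside business hours, successful logins from outside a trusted address prefix, and every su attempt (successful or failed) that targeted root. The log excerpt is constructed in the sshd/su syslog format; the business-hours window and the trusted prefix "10.0.0." are assumed values.

```shell
#!/bin/sh
# Added example (not from the article): pull the suspicious patterns listed above
# out of an sshd/su log in /var/log/secure format. The log lines are constructed.

# failed_logins_by_source FILE THRESHOLD : "count address" for every source that
# failed password authentication at least THRESHOLD times
failed_logins_by_source() {
    awk -v th="$2" '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++ }
        END { for (ip in n) if (n[ip] >= th) print n[ip], ip }
    ' "$1"
}

# off_hours_logins FILE START END : successful logins outside the [START, END) hours
off_hours_logins() {
    awk -v s="$2" -v e="$3" '
        /Accepted (password|publickey)/ { split($3, t, ":"); h = t[1] + 0; if (h < s || h >= e) print }
    ' "$1"
}

# logins_from_unknown_networks FILE PREFIX : successful logins whose source address
# does not start with the trusted prefix (e.g. "10.0.0.")
logins_from_unknown_networks() {
    awk -v p="$2" '
        /Accepted (password|publickey)/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && index($(i + 1), p) != 1) print
        }
    ' "$1"
}

# su_to_root FILE : every su attempt, successful or failed, that targeted root
su_to_root() {
    awk '/ su(\[[0-9]+\])?: .*\(to root\)/' "$1"
}

# write_sample_log FILE : constructed /var/log/secure excerpt for the demonstration
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 12 03:14:07 web01 sshd[2143]: Accepted password for alice from 10.0.0.25 port 52000 ssh2
Mar 12 03:14:40 web01 su[2150]: (to root) alice on pts/0
Mar 12 09:02:11 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.30 port 40112 ssh2
Mar 12 11:47:02 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 12 11:47:05 web01 sshd[2301]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Mar 12 11:47:09 web01 sshd[2305]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 12 11:47:13 web01 sshd[2309]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 12 11:47:18 web01 sshd[2312]: Failed password for invalid user test from 203.0.113.45 port 51250 ssh2
Mar 12 12:10:44 web01 sshd[2400]: Failed password for bob from 10.0.0.31 port 53000 ssh2
Mar 12 12:10:50 web01 sshd[2400]: Accepted password for bob from 10.0.0.31 port 53000 ssh2
Mar 12 14:30:00 web01 su[2510]: FAILED SU (to root) carol on pts/2
Mar 12 15:20:33 web01 sshd[2600]: Accepted password for deploy from 198.51.100.7 port 44001 ssh2
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "== sources with 5 or more failed passwords"; failed_logins_by_source "$log" 5
echo "== logins outside 08:00-18:00";             off_hours_logins "$log" 8 18
echo "== logins from outside 10.0.0.0/24";        logins_from_unknown_networks "$log" 10.0.0.
echo "== su to root";                             su_to_root "$log"
rm -f "$log"
```

Bob's single mistyped password followed by a successful login stays below the threshold and is the normal pattern; the five rapid failures from one outside address, the 03:14 login that is immediately followed by su to root, and the login from an address outside the trusted network are the records the checklist says to look at.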

8. Horizontal Expansion: Comprehensive Defense Management

Firewall, IDS, and other protection technologies have been successfully applied to various fields of network security, and there are very mature products.

The Linux system has a built-in Netfilter/iptables firewall framework which, properly configured, can serve as a host firewall. There are also lightweight network intrusion detection systems for Linux such as Snort, and host intrusion detection systems such as LIDS (Linux Intrusion Detection System), which can be used for fast and efficient protection.

It is important to note that in most application scenarios the two technologies need to be used together. The firewall is the first layer of protection: it filters network traffic simply by comparing IP address and port pairs. An IDS is more specific: it examines the contents of the packets themselves (in part or in full) and serves as the second layer of protection. Used together they complement each other, each playing to its strengths, and together they achieve comprehensive defence.
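As an added example of the host-firewall role described above (this script is not from the original article), the following POSIX shell function loads a default-deny iptables ruleset: everything is dropped unless it is loopback traffic, part of an established connection, SSH from an administration network, or one of the ports the host is meant to serve, and what is dropped is logged at a limited rate so that the log review and the IDS have something to work from. ADMIN_NET and SERVICE_PORTS are assumed values; setting IPT=echo (or passing --dry-run) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the article): a default-deny host firewall with iptables.
# ADMIN_NET and SERVICE_PORTS are assumed values for the demonstration.
# Run with --dry-run to print the rules, or --apply as root to load them.
ADMIN_NET=${ADMIN_NET:-10.0.0.0/24}     # only this network may open SSH sessions
SERVICE_PORTS=${SERVICE_PORTS:-80 443}  # public services this host offers
: "${IPT:=iptables}"                    # set IPT=echo to preview instead of applying

apply_host_firewall() {
    # start from a clean slate and drop everything that no later rule accepts
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # loopback and replies to connections this host started are always fine
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # administration only from the admin network
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # the services this host is meant to offer
    for port in $SERVICE_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # rate-limited ping, then log (rate-limited) and drop everything else;
    # the LOG entries are what the log review and the IDS will look at
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
    $IPT -A INPUT -j DROP
}

case "${1:-}" in
    --apply)   apply_host_firewall ;;
    --dry-run) IPT=echo; apply_host_firewall ;;
    *)         echo "usage: $0 --dry-run | --apply" >&2 ;;
esac
```

The ESTABLISHED,RELATED rule must come before the port rules, otherwise return traffic for the host's own outbound connections is dropped; and because the INPUT policy is DROP, the SSH rule for the admin network should be verified from a second session before the old rules are flushed on a remote machine.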

9. Evaluation: Vulnerability Tracking and Management

As an excellent piece of open-source software, Linux is constantly evolving, and its existing problems are gradually exposed as it is used. Attackers pay attention to new techniques, to some extent more closely than defenders do. To hold a favourable position in the contest between attack and defence and keep a Linux system secure, we must therefore maintain a high level of vigilance and stay attentive to new developments. Users, and especially administrators who run Linux as a critical business system, need to obtain information about new techniques and new vulnerabilities affecting their systems promptly through authoritative Linux websites and forums, and carry out vulnerability scanning, penetration testing, and related supporting work systematically. The aim is to prevent problems before they occur, act early, close system vulnerabilities as soon as possible after (or even before) they appear, and continuously improve protective skills through practice. This is a relatively good approach and way forward.

10. Keep Updated: Patch Management

As an excellent piece of open-source software, Linux has very reliable guarantees of stability, security, and availability. Linux experts worldwide maintain it jointly, so there are many distribution channels, and updated programs and system patches appear frequently. To enhance system security it is therefore necessary to update the system kernel frequently.

The kernel is the core of the Linux operating system: it resides in memory, loads the other parts of the operating system, and implements its basic functions. Since the kernel controls all the functions of the computer and the network, its security is crucial to the security of the entire system. Early kernel versions had many well-known security vulnerabilities and were not very stable; only versions from 2.0.x upwards are relatively stable and secure (generally speaking, kernels whose version numbers are even are relatively stable, while odd-numbered ones are usually test versions and should be used with more care). Newer versions also run considerably more efficiently. When configuring kernel features, select only the ones that are needed rather than enabling everything; otherwise the kernel becomes large, consumes system resources, and leaves openings for attackers.

The latest security patches are always available on the internet. Linux system administrators should stay well informed, visit security newsgroups frequently, and check for new patches.