The Linux system has many advantages in function, price, and performance. However, as an open operating system, it inevitably carries some security risks. This article describes some of the most basic, most commonly used, and at the same time most effective techniques for removing these risks and giving applications a safe platform to run on.
Linux is a Unix-like operating system. In theory, the design of Unix itself has no major security flaws. Over the years, most of the security problems found on Unix operating systems mainly exist in individual programs, so most Unix vendors claim to be able to solve these problems and provide a secure Unix operating system. But Linux is somewhat different, because it does not belong to a certain manufacturer, and no manufacturer claims to provide security guarantees for it, so users have to solve the security problems themselves.
Linux is an open system. Many ready-made programs and tools can be found on the Internet. This is convenient not only for users but also for hackers, because they can easily find programs and tools to sneak into a Linux system or steal important information from it. However, as long as we carefully configure the various system functions of Linux and add the necessary security measures, hackers will not be able to take advantage of it.
Generally speaking, the security settings for Linux systems include canceling unnecessary services, restricting remote access, hiding important information, patching security loopholes, using security tools, and performing regular security checks. This article teaches you ten ways to improve the security of Linux systems. Although these tricks are simple, they work, so you might as well give them a try.
No. 1: Cancel unnecessary services
In early Unix versions, each network service had its own service program running in the background; later versions use a unified /etc/inetd server program to take on this task. Inetd is short for Internet daemon. It monitors multiple network ports at the same time, and once it receives a connection from the outside world, it executes the corresponding TCP or UDP network service.
Due to the unified command of inetd, most of the TCP or UDP services in Linux are set in the /etc/inetd.conf file. So the first step to cancel unnecessary services is to check the /etc/inetd.conf file and add "#" before the unnecessary services.
Generally speaking, apart from http, smtp, telnet, and ftp, other services should be canceled, such as the trivial file transfer protocol tftp, the imap/ipop protocols used for storing and receiving network mail, gopher, which is used to find and search data, and daytime and time, which are used for time synchronization.
There are also some services that report system status, such as finger, efinger, systat, and netstat. Although they are very useful for system troubleshooting and for finding users, they also give hackers a convenient way in. For example, hackers can use the finger service to find a user's phone number, home directory, and other important information. Therefore, many Linux systems cancel all or part of these services to enhance the security of the system.
Inetd not only uses /etc/inetd.conf to set system service items, but also uses the /etc/services file to find the ports used by various services. Therefore, the user must carefully check the settings of each port in the file to avoid security loopholes.
There are two different types of services in Linux: one is a service that is executed only when needed, such as the finger service; the other is a service that runs all the time and never stops. This kind of service starts when the system starts, so you cannot stop it by modifying the inetd configuration; you can only change it by modifying the files under /etc/rc.d/rc[n].d/ or by using the run level editor. NFS servers that provide file services and news servers that provide NNTP news services belong to this type. If they are not necessary, it is best to cancel these services.
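The check of /etc/inetd.conf described above can be scripted. The following is an added example, not part of the original article: the function names and the sample file are constructed, and the keep list is the one the article gives (http, smtp, telnet, ftp).

```shell
#!/bin/sh
# Added example (not from the original article): list entries that are still
# enabled in an inetd.conf-format file but are not on the article's keep list.

# Keep list taken from the article's text; adjust to local policy.
ALLOWED="http smtp telnet ftp"

# audit_inetd [FILE] -> one "service protocol server" line per enabled entry
# whose service name is not in $ALLOWED. Reads stdin when FILE is omitted.
audit_inetd() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }      # "#" prefix = already disabled
        NF < 6 {                            # too few fields for a valid entry
            printf "line %d: malformed, skipped\n", NR > "/dev/stderr"; next
        }
        !($1 in ok) { print $1, $3, $6 }
    ' "${1:--}"
}

# Constructed sample. Fields: service, socket type, protocol, wait flag,
# user, server program, arguments.
sample_inetd_conf() {
    cat <<'EOF'
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
tftp     dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime  stream  tcp  nowait  root    internal
EOF
}

sample_inetd_conf | audit_inetd
```

On a real host, run `audit_inetd /etc/inetd.conf`; every line it prints is a candidate for a leading "#".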
No. 2: Restrict access to the system
Before entering the Linux system, all users need to log in: the user enters an account name and password, and only after passing system verification can the user enter the system. Like other Unix operating systems, Linux generally encrypts the password and stores it in the /etc/passwd file. All users on the Linux system can read the /etc/passwd file. Although the password stored in the file has been encrypted, it is still not very secure, because an ordinary user can use ready-made password cracking tools to guess the password by exhaustive methods. A safer method is to set up the shadow file /etc/shadow and allow only users with special permissions to read it.
In the Linux system, if you want to use shadow files, you must recompile all utilities to support them. This method is troublesome; a simpler method is to use Pluggable Authentication Modules (PAM). Many Linux systems come with PAM, an authentication mechanism that can be used to change authentication methods and requirements dynamically without recompiling other utilities. This is because PAM uses encapsulation to hide all the logic related to authentication inside its modules, so it is the best helper for using shadow files.
In addition, PAM has many security features: it can replace the traditional DES encryption method with other, stronger encryption methods so that user passwords are not easily deciphered; it can set an upper limit on the computer resources each user may use; it can even restrict the times and places at which a user may log in. Linux system administrators only need to spend a few hours installing and setting up PAM, which can greatly improve the security of the Linux system and keep many attacks out of the system.
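To see whether a system still exposes password hashes in /etc/passwd, and whether they use the traditional DES scheme mentioned above, the password field of each account can be classified. This is an added example, not part of the original article; the function names are hypothetical and the sample entries are constructed with placeholder strings instead of real hashes.

```shell
#!/bin/sh
# Added example (not from the original article): report where each account's
# password field lives and which hash scheme is exposed in a passwd-format file.

# classify_passwd [FILE] -> one "user status" line per account.
# Reads stdin when FILE is omitted.
classify_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            pw = $2
            if      (pw == "x")          s = "shadowed"          # hash is in /etc/shadow
            else if (pw == "")           s = "EMPTY-PASSWORD"    # no password at all
            else if (pw ~ /^[*!]/)       s = "locked"
            else if (pw ~ /^\$1\$/)      s = "exposed:md5-crypt"
            else if (pw ~ /^\$[56]\$/)   s = "exposed:sha-crypt"
            else if (length(pw) == 13)   s = "exposed:des-crypt" # traditional crypt(3)
            else                         s = "exposed:unknown"
            print $1, s
        }
    ' "${1:--}"
}

# world_readable FILE -> exit status 0 if "other" may read FILE.
# /etc/shadow must fail this check; /etc/passwd is expected to pass it.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Constructed sample; the hash strings are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:2:2:daemon:/sbin:/sbin/nologin
alice:XXplaceholder:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$salt$placeholderplaceholder:1001:1001:Bob:/home/bob:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
EOF
}

sample_passwd | classify_passwd
```

Any account reported as "exposed" or "EMPTY-PASSWORD" in /etc/passwd, or a shadow file for which `world_readable` succeeds, needs attention before the other measures matter.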
No. 3: Keep the kernel up to date
Linux is distributed through many channels, and updated programs and system patches appear often, so to strengthen system security the kernel must be updated frequently. The kernel is the core of the Linux operating system. It resides in memory and is used to load the other parts of the operating system and to implement its basic functions. Because the kernel controls the various functions of the computer and the network, its security is very important to the security of the entire system.
Early kernel versions have many well-known security vulnerabilities and are not very stable. Only versions above 2.0.x are more stable and secure, and the operating efficiency of the new versions has also been greatly improved. When configuring the kernel, select only the necessary functions; do not accept all functions as they are. Otherwise, the kernel will become very large, occupying system resources and leaving opportunities for hackers. The latest security patches are often available on the Internet. Linux system administrators should stay well-informed and frequent security newsgroups to check for new patches.
No. 4: Check the login passwords
Setting a login password is a very important security measure. If a user's password is not chosen properly, it is easy to decipher, and for users with superuser access rights in particular, a poor password will open large security holes in the system.
In a multi-user system, if each user is forced to choose a password that is not easy to guess, the security of the system will be greatly improved. But if the passwd program cannot force every user on the computer to use an appropriate password, then to ensure the security of the passwords you can only rely on a password cracking program.
In fact, the password cracking program is a tool from the hacker toolbox. It encrypts commonly used passwords, or all the words in an English dictionary that might be used as passwords, and then compares the results with the Linux system's /etc/passwd password file or the /etc/shadow shadow file. If it finds a match, the plaintext password is known.
Many password cracking programs can be found on the Internet; one of the better-known programs is crack. Users can run a password cracking program themselves to find the passwords that hackers could easily crack. It is better to correct them first than to have them cracked by hackers.
No. 5: Set the security level of the user account
In addition to passwords, user accounts also have security levels, because each account on Linux can be assigned different permissions. Therefore, when creating a new user ID, the system administrator should give the account different permissions as needed and place it in the appropriate user groups.
In tcpd on the Linux system, you can set the list of clients that are allowed to log in and the list of those that are not. The allow list is set in /etc/hosts.allow, and the deny list is set in /etc/hosts.deny. After the setting is completed, the inetd program needs to be restarted for it to take effect. In addition, Linux automatically records the results of allowed and denied access in the /var/log/secure file, and the system administrator can use it to find suspicious access records. Each account ID should have someone responsible for it. In an enterprise, if the employee responsible for a certain ID leaves, the administrator should immediately delete the account from the system. Many intrusions have made use of accounts that had not been used for a long time.
Among user accounts, hackers like accounts with root privileges the most. The superuser has the right to modify or delete all system settings and can move through the system unimpeded. Therefore, you must consider carefully before granting root privileges to any account.
The /etc/securetty file in the Linux system contains the set of terminal names from which the root account may log in. For example, in the Red Hat Linux system, the initial value of the file only allows the local virtual console (rtys) to log in with root privileges and does not allow remote users to log in with root privileges. It is best not to modify the file. If you must log in remotely as root, it is best to log in with a normal account first and then use the su command to become the superuser.
No. 6: Eliminate the hotbed of hacker crime
In the Unix system, there is a series of utilities with the prefix r. They are weapons used by hackers to break in and are very dangerous, so never open the root account to these utilities. Because these utilities use the .rhosts file or the hosts.equiv file to approve access, make sure that the root account is not included in these files.
Since the r-prefixed utilities are a hotbed for hackers, many security tools are designed to address this security hole. For example, the PAM tool can be used to take away the power of the r-prefixed utilities. It adds a directive to the /etc/pam.d/rlogin file that requires approval before login, so that users of the entire system cannot use the .rhosts file in their own home directory.
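The check that root is not listed in .rhosts or hosts.equiv can be automated. This is an added example, not part of the original article; the function names and the sample file are constructed, and the wildcard checks go one step beyond the root check the text asks for.

```shell
#!/bin/sh
# Added example (not from the original article): flag risky trust entries in
# a .rhosts or hosts.equiv file. Entry format: "host [user]"; "+" is a wildcard.

# audit_rtrust [FILE] -> "line N: <entry> [reasons]" for each risky entry.
# Reads stdin when FILE is omitted.
audit_rtrust() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            why = ""
            if ($1 == "+")    why = why " any-host"    # every remote host trusted
            if ($2 == "+")    why = why " any-user"    # every remote user trusted
            if ($2 == "root") why = why " root-named"  # root account listed
            if (why != "") printf "line %d: %s [%s]\n", NR, $0, substr(why, 2)
        }
    ' "${1:--}"
}

# list_rhosts PASSWD_FILE -> path of every existing ~/.rhosts, found through
# the home-directory field (6th) of a passwd-format file.
list_rhosts() {
    awk -F: '$6 != "" { print $6 }' "$1" | sort -u | while IFS= read -r home; do
        if [ -f "$home/.rhosts" ]; then printf '%s\n' "$home/.rhosts"; fi
    done
}

# Constructed sample of a hosts.equiv-style file.
sample_hosts_equiv() {
    cat <<'EOF'
trusted.example.com alice
# constructed comment line
backup.example.com root
+
build.example.com +
+ +
-untrusted.example.com
EOF
}

sample_hosts_equiv | audit_rtrust
```

On a real host, run `audit_rtrust /etc/hosts.equiv` and feed each path from `list_rhosts /etc/passwd` to `audit_rtrust`; a .rhosts file in root's own home directory is a finding whatever it contains.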
No. 7: Strengthen security protection tools
SSH is the abbreviation of Secure Shell, a set of programs that can be used as a safe replacement for rlogin, rsh, and rcp. SSH uses public key technology to encrypt the communication between two hosts on the network, and uses its keys as a tool for identity verification.
Since SSH encrypts information on the network, it can be used to log in to a remote host securely and transfer information securely between two hosts. In fact, SSH can not only guarantee the secure communication between Linux hosts, but Windows users can also connect to the Linux server securely through SSH.
No. 8: Restrict the power of super users
As we mentioned earlier, root is the focus of Linux protection. Because of its unlimited power, it is best not to authorize super users easily. However, the installation and maintenance of some programs must require super user permissions. In this case, other tools can be used to allow such users to have partial super user permissions. Sudo is such a tool.
After it has been configured, the sudo program lets ordinary users authenticate again with their own password to obtain the authority of the superuser, but only to execute a limited number of commands. For example, with sudo in place, the administrator who manages tape backup can log in to the system on schedule every day and obtain superuser authority to perform the backup work, but has no privilege to do other tasks that only superusers can do. Sudo not only restricts the user's authority, but also uses it. I hope that the above tricks to improve the security of the Linux system will be useful to everyone.