Tuesday, December 21, 2010
【Weak Current College】 Ten tricks to help you easily protect your Linux system
Whether you are an ordinary desktop Linux user or an administrator managing multiple servers, you face the same problem: an ever-increasing number of threats. Linux is an open system, and many ready-made programs and tools can be found on the network. This is convenient for users, but it is just as convenient for hackers, who can easily find programs and tools to break into a Linux system or steal important information from it. However, as long as we carefully configure the various functions of the Linux system and add the necessary security measures, we can leave hackers no opening.
In general, security settings on a Linux system include eliminating unnecessary services, restricting remote access, hiding important information, patching security vulnerabilities, using security tools, and carrying out regular security checks. This article presents ten ways to improve Linux system security. They are only small tricks, but they work well, so you may wish to try them.
1. Deploy a firewall
This sounds like the most obvious recommendation (just like using a strong password), but surprisingly few people actually configure a firewall. Even if you use a router that may have a built-in firewall, deploying a software firewall on the Linux system itself is very easy, and you will benefit from it.
Graphical firewalls, such as the recently popular Firestarter, are well suited to defining port forwarding and monitoring activity.
2. Disable unnecessary network services
Apart from http, smtp, telnet and ftp, other services should be disabled, such as the Trivial File Transfer Protocol (tftp), the imap/ipop protocols used to store and receive network mail, gopher, which is used to find and search for information, and daytime and time, which are used for time synchronization.
There are also services that report on the state of the system, such as finger, efinger, systat and netstat. Although they are very useful for troubleshooting and for looking up users, they also open a door for hackers. For example, a hacker could use the finger service to find a user's phone number, the directories they use, and other important information. Therefore, many Linux systems disable these services entirely or in part to strengthen the security of the system.
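The audit described in this tip, as an added example that is not part of the original article: it reads a service table and reports every enabled entry outside the four services the article keeps. It assumes the host starts these services from an inetd.conf-style file; the sample file is constructed.

```python
# Services the article says to keep; every other enabled entry is reported.
KEEP = {"http", "smtp", "telnet", "ftp"}

# Constructed sample in inetd.conf layout (assumption: the host uses inetd).
# Columns: service  socket  proto  wait  user  server  args
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
tftp     dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#gopher  stream  tcp  nowait  root    /usr/sbin/tcpd  gn
daytime  stream  tcp  nowait  root    internal
daytime  dgram   udp  wait    root    internal
systat   stream  tcp  nowait  nobody  /bin/ps  ps -auwwx
"""


def enabled_services(conf_text):
    """Return (line_no, service, proto, user) for every active entry."""
    entries = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # commented-out entries are disabled
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:                  # not a complete inetd entry
            continue
        service, _sock, proto, _wait, user = fields[:5]
        entries.append((line_no, service, proto, user))
    return entries


def unnecessary_services(conf_text, keep=KEEP):
    """Active entries whose service name is not on the keep list."""
    return [e for e in enabled_services(conf_text) if e[1] not in keep]


if __name__ == "__main__":
    for line_no, service, proto, user in unnecessary_services(SAMPLE_INETD_CONF):
        print(f"line {line_no}: {service}/{proto} runs as {user}: comment it out")
```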
3. Use more secure transport alternatives
SSH is short for Secure Shell. It is a secure replacement for the rlogin, rsh and rcp family of utilities. SSH uses public-key technology to encrypt the information exchanged between two hosts on the network, and uses its keys as an authentication tool.
Because SSH encrypts the information on the network, it can be used to log on securely to a remote host and to transfer information securely between two hosts. In fact, SSH not only protects communication between Linux hosts; Windows users can also connect securely to a Linux server via SSH.
4. Remove non-root access to system tools
You may find this somewhat inconvenient, but you should ensure that normal users cannot access system tools, even almost "harmless" ones such as fsck and ifconfig. The best way to achieve this is to use sudo. Once configured, the sudo program lets an ordinary user log in once with their own password and obtain superuser privileges, but only for a limited set of commands. For example, with sudo the administrator in charge of tape backups can log on to the system at a set time every day and obtain root privileges to run the file backup job, without being given the privileges for other work that only the superuser can do. Sudo not only limits the user's permissions, it also records every command executed through sudo, regardless of whether the command succeeded or failed.
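Because sudo records both permitted and refused commands, its log can be reviewed for refusals. The parser below is an added example, not part of the original article; the log lines are constructed in the syslog format sudo writes, and "backupop" is a hypothetical tape-backup operator.

```python
import re

# Constructed auth-log lines. "backupop" (hypothetical) may only run /sbin/dump.
SAMPLE_LOG = """\
Dec 21 02:00:01 srv1 sudo: backupop : TTY=pts/0 ; PWD=/home/backupop ; USER=root ; COMMAND=/sbin/dump -0uf /dev/st0 /home
Dec 21 02:14:37 srv1 sudo: backupop : command not allowed ; TTY=pts/0 ; PWD=/home/backupop ; USER=root ; COMMAND=/bin/bash
Dec 21 09:30:12 srv1 sudo: guest : user NOT in sudoers ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/ifconfig eth0 down
Dec 21 09:41:55 srv1 sshd[2211]: Accepted publickey for backupop from 192.0.2.10 port 50022 ssh2
"""

# A refused command carries a reason between the user name and the TTY field.
LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)


def parse_sudo_events(log_text):
    """Return one dict per sudo entry; non-sudo lines are ignored."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            event = match.groupdict()
            event["allowed"] = event["error"] is None
            events.append(event)
    return events


def denied_events(log_text):
    """Entries where sudo refused to run the command."""
    return [e for e in parse_sudo_events(log_text) if not e["allowed"]]


if __name__ == "__main__":
    for e in denied_events(SAMPLE_LOG):
        print(f"{e['user']} was refused ({e['error']}): {e['command']}")
```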
5. Regularly review and copy logs
Network administrators should stay alert to suspicious conditions at all times and review the various system log files on schedule, including general information logs, network connection logs, file transfer logs and user logon logs. When reviewing these logs, pay attention to whether the recorded times look anomalous. Hackers often modify logs to cover their tracks, so keep a copy of the logs in a non-standard location. It is best to store the logs on a separate remote server.
6. Use password aging
Password aging is a mechanism that strengthens system password authentication. Although it certainly makes the system less convenient for users, it ensures that each user's password is changed regularly, which is a very good security measure. As a result, if an account is compromised by a hacker without being noticed, the hacker can no longer access the account after the next password change cycle.
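To check whether aging is actually enforced, the added example below (not part of the original article) reads the maximum-age field of /etc/shadow entries and reports login accounts that never have to change their password. The 90-day policy is an assumption, and the sample entries, including the hash placeholders, are constructed.

```python
from datetime import date, timedelta

MAX_DAYS_POLICY = 90  # assumption: site policy, not a value from the article

# Constructed /etc/shadow entries; the hash field is a placeholder.
# Fields: user:password:last_change:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTED$HASH:14960:0:99999:7:::
alice:$6$CONSTRUCTED$HASH:14900:1:90:7:14::
bob:$6$CONSTRUCTED$HASH:14700::::::
daemon:*:14800:0:99999:7:::
"""


def next_forced_change(last_change_days, max_days):
    """Date on which the password must be changed (fields count days from 1970-01-01)."""
    return date(1970, 1, 1) + timedelta(days=last_change_days + max_days)


def aging_findings(shadow_text, policy=MAX_DAYS_POLICY):
    """Return (user, problem) for accounts whose password is not aged within policy."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        user, password, _last, _min, max_days = fields[:5]
        if password[:1] in ("!", "*"):   # locked or no-login account
            continue
        if max_days == "":
            findings.append((user, "no maximum password age"))
        elif int(max_days) > policy:
            findings.append(
                (user, f"maximum age {max_days} days exceeds policy of {policy}"))
    return findings


if __name__ == "__main__":
    for user, problem in aging_findings(SAMPLE_SHADOW):
        print(f"{user}: {problem}")
    print("alice must change her password by", next_forced_change(14900, 90))
```

On a live system the maximum age is set per account with chage -M.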
7. Strictly limit root logins
Logging on as root is not a good idea. The secure practice is to log on as a normal user and then use su or sudo to obtain superuser permissions for the work at hand.
8. Physical protection
Although the majority of attacks come over the network, and the chance of a hacker gaining physical access to your computer is very slim, this does not mean that you need no physical protection.
Protect the boot process with a password, and make sure the computer is locked whenever you leave it. You should also be absolutely sure that no one can boot your server from an external device.
9. Install the latest security updates
All popular Linux distributions issue updates periodically, and whenever a security vulnerability is found, researchers quickly publish the corresponding updates and patches. All you need to do is check regularly for security updates and patches and install them promptly.
10. Keep an eye on open files
Many Linux distributions include some very small tools, and lsof is one of them. Lsof lists all the files currently open on the system. In a Linux environment everything exists as a file: through files you can access not only ordinary data but also network connections and hardware. With lsof you can see which processes are using which ports, their process IDs, and who is running them. If you find anything abnormal, it certainly deserves careful checking.
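The port check described above, as an added example that is not part of the original article: it parses the field output of lsof -nP -iTCP -sTCP:LISTEN -F pcLn and reports listeners on ports the host is not meant to serve. The expected-port set and the sample output are constructed assumptions.

```python
EXPECTED_PORTS = {22, 25, 80}  # assumption: ports this host is meant to serve

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN -F pcLn` output.
# Field tags: p = PID, c = command, L = login name, f = descriptor, n = address
SAMPLE_LSOF = """\
p812
csshd
Lroot
f3
n*:22
f4
n[::]:22
p1044
cmaster
Lroot
f13
n127.0.0.1:25
p1490
cnc
Lwww-data
f3
n*:31337
"""


def listeners(field_output):
    """Return one dict per listening socket: pid, command, user, addr, port."""
    found, proc = [], {}
    for line in field_output.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":                    # a new process set begins
            proc = {"pid": int(value), "command": "?", "user": "?"}
        elif tag == "c":
            proc["command"] = value
        elif tag == "L":
            proc["user"] = value
        elif tag == "n" and proc:         # address:port of one open socket
            addr, _, port = value.rpartition(":")
            if port.isdigit():
                found.append({**proc, "addr": addr, "port": int(port)})
    return found


def unexpected_listeners(field_output, expected=EXPECTED_PORTS):
    """Listening sockets whose port is not in the expected set."""
    return [s for s in listeners(field_output) if s["port"] not in expected]


if __name__ == "__main__":
    for s in unexpected_listeners(SAMPLE_LSOF):
        print(f"port {s['port']} on {s['addr']}: "
              f"{s['command']} (pid {s['pid']}, user {s['user']})")
```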