
Ipchain pool

Publish: 2021-05-06 15:18:45
1. If the virtual machine system uses NAT mode, it is equivalent to a private network. The external network does not know the private network exists and has no route to it. The private network can only initiate access to the external public network itself, letting the NAT server map the virtual machine's address to the host's address; a connection cannot be initiated first from an external public network address. So if both of your virtual systems are in NAT mode, the ping results will necessarily differ.
2. As a desktop operating system, the user interface of Linux is really not flattering. As a network operating system, however, its ease of use (for a NOS) and high performance are hard to match. Of course, this is not to say that operating it is very simple, but that if you master some skills, both system setup and network management can become easy and relaxed.

Stop the display from blanking automatically in terminal mode. After Linux is installed on most PCs, the display is turned off automatically in terminal mode. However, if we want to keep some information on the display, such as network traffic or packet analysis, this function becomes very annoying. It cannot be solved by changing CMOS settings or system properties. The solution is to use setterm to set the terminal parameters, for example setterm --blank, to turn off the automatic energy-saving feature.

The position of man in Linux is very important, much better than help in Windows. But the information it displays is not plain text. If you redirect this text to a file, you will find that the highlighted text in man is doubled and there are countless tab characters, which makes printing and editing very inconvenient. However, you can get the plain help text of the tcsh command with the following statement: man tcsh | col -b > tcsh.txt. There won't be those annoying duplicate characters any more.

Optimization of IDE hard disks. Linux may pay more attention to data security than to performance, which is absolutely necessary for a NOS, but it does no harm to enable some useful IDE hard disk optimizations. Look at this command: hdparm. Its function is to display and set the parameters of hard disks (including optical drives). We can first use hdparm -i /dev/hda to check the parameter settings of hard disk hda, and then modify them according to the situation. For example, hdparm -c1 changes the I/O read/write support of the hard disk from 16 bits to 32 bits, and hdparm -m16 turns on multicount for the hard disk. Before executing this command, it is better to use the -i parameter to determine the maximum multicount your hard disk supports. These two are the main optimizations; don't mess with the others if you are not sure. hdparm -t /dev/hda can be used to test the hard disk's performance before and after optimization.

Allow root to log in remotely. The default security setting of Linux is that root cannot log in from a remote workstation, which causes a lot of trouble in remote management of Linux servers. /etc/security is the key file controlling this mechanism. Just add pts/0, pts/1 and the other terminal names you want root to log in from in the root section of this configuration file.

Restore the Linux boot loader LILO when the MBR (master boot record) has been overwritten. If LILO is installed in the MBR, and you install Linux first and then Windows, LILO will be overwritten. At this point we cannot boot Linux from the hard disk. What should we do? We can boot into Windows command-line mode, copy the loadlin.exe and vmlinuz files from the Linux CD to the Windows partition, and then execute loadlin vmlinuz root=/dev/hda? rw. The function of this command is to start Linux from the specified partition and set the root partition (1) to read-write mode, so that you can modify most Linux settings or restore LILO. Note that Linux started in this way is not complete (MSDOS and VFAT file system support, networking and so on are missing), but it doesn't matter. As long as it can be started this way, we can use mkbootdisk to create a Linux boot disk, start Linux with that boot disk, and then use Linux fully. After starting Linux, just change the first item of the /etc/lilo.conf file, boot=/dev/hda?, to boot=/dev/hda, and then execute lilo to restore booting Linux from the MBR. Most control of the Linux system is based on configuration files, and understanding these configuration files is more conducive to the use of Linux.

Add Linux to the startup menu of Windows NT/2000. The startup menu of LILO is good, but it can't display Chinese, and you can't choose whether to start NT or Windows 98. So I think it's better to use the NT series startup menu. In fact, it's very simple. After installing all the Windows operating systems, install Linux. During installation, choose to install LILO to the partition where Linux is located instead of the MBR. Then use the boot disk to start Linux and mount the Windows partition as /mnt/dos; then execute dd if=/dev/hda? bs=512 count=1 of=/mnt/dos/bootsec.lin, so there is a bootsec.lin file in the Windows partition which records the boot information of the Linux partition. Then add C:\bootsec.lin="Red Hat Linux 7.0" to the Windows NT boot configuration file boot.ini. When the computer is started again, we find that the option "Red Hat Linux 7.0" has been added to the Windows NT startup menu, so we can start our Linux by selecting it. Note that NT only recognizes 8.3 format file names at startup, so do not change bootsec.lin to a long file name.

Use squid to control access by file type. One of the advantages of Linux is that it can easily route IP networks, and many Linux systems are used specifically as Internet access routers. However, packet filtering software such as iptables or ipchains can only control which sites users visit, not which files users fetch. This can be easily done with squid, the proxy server software under Linux. The urlpath_regex in the squid.conf file is used to control access to each registered MIME file type. For example, the following statements:

acl denymime urlpath_regex .exe .zip    # define the file types (an access control list, i.e. ACL)
http_access deny denymime               # forbid access to such files

In this way, all users after this statement are forbidden to access zip and exe files on the corresponding sites. Of course, you can add other file types, such as mp3. By using the redirection function of tools such as iptables, users can be forced to surf the Internet through the squid proxy, which is called a "transparent proxy", and then their access to sites can be completely controlled.

Let the system use the default color file to display different types of files in color in the Linux terminal. It's very convenient, but sometimes we may accidentally lose this function; adding alias ls="ls --color -F -N" in the configuration file ensures the normal use of this function.

Use cron to keep some partitions active. Cron is equivalent to the Scheduled Tasks of Windows 98. It can execute some commands regularly according to the user's requirements. If you mount some NTFS partitions and access them frequently (such as a web server accessing some files), you may not be able to read and write data correctly after too long a time. At this point, you can use cron's timed access function to ensure that the partition is always active. According to personal experience, it's better for cron to access the NTFS partition every 15 minutes; otherwise, mount failure may occur when the partition data is needed.

Note: Red Hat Linux is assumed in all cases not specified in this article.
3. Linux security configuration steps

1. Disk partition

1. If the system is newly installed, the security of the disk partitioning should be considered:
1) the root directory (/), user directory (/home), temporary directory (/tmp) and /var directory should be separated into different disk partitions
2) the size of the disk space of the partitions holding the above directories should be fully considered, to avoid a system crash caused by a partition running out of space for some reason

2. For the partitions of the /tmp and /var directories, programs with the suid attribute are not needed in most cases, so the nosuid attribute should be added to these partitions
Method 1: modify the /etc/fstab file and add the nosuid attribute word. For example:

/dev/hda2 /tmp ext2 exec,dev,nosuid,rw 0 0

Method 2: if you are not familiar with editing the /etc/fstab file, it is recommended to modify it through the linuxconf program

* run the linuxconf program
* select "File systems" -> "Access local drive"
* select the partition whose attributes need to be modified
* select the "No setuid programs allowed" option
* select other options as needed
* exit normally (generally, you will be prompted to remount the partition)

2. Install

1. For non-test hosts, you should not install too many software packages. This can reduce the possibility of security vulnerabilities caused by software packages
2. For non-test hosts, non-essential services should not be selected when choosing the services started at boot. For example, routed, ypbind, etc.

3. Security configuration and enhancement

* kernel upgrade: at least upgrade to 2.2.16 or above
* GNU libc shared library upgrade (warning: if you have no experience, don't try it lightly; it can be postponed)
* shut down dangerous network services: echo, chargen, shell, login, finger, NFS, RPC, etc.
* shut down unnecessary network services: talk, ntalk, pop-2, etc.
* common network service security configuration and upgrades
* ensure that the version used by each network service is the latest and most secure version
* cancel anonymous FTP access
* remove unnecessary suid programs
* use tcp_wrappers
* use the ipchains firewall
* the log system syslogd

some details:

1. The log files inside the operating system are an important clue for detecting whether there has been a network intrusion. Of course, this assumes that your log files have not been destroyed by the intruder. If you have a server directly connected to the Internet by a dedicated line, it means that your IP address is permanently fixed, and you will find that many people try to log in to your system by telnet/FTP; try running # more /var/log/secure | grep refused to check

2. Limit the number of programs with the suid permission flag; programs that can be run as root are a potential security vulnerability. Of course, some programs must have this flag, such as the passwd program

3. BIOS security. Setting a BIOS password and modifying the boot order prevents the system from being booted from a floppy disk

4. User passwords. The user password is the most basic starting point of Linux security. The user password used by many people is simply "password", which is like opening the door to intruders, although theoretically there is no user password that cannot be cracked given enough time and resources. A better user password is a string of characters that only its owner can easily remember and understand, and it is never written down anywhere

5. The /etc/exports file. If you use the NFS network file system service, make sure that your /etc/exports has the most stringent access permission settings, which means not using any wildcards, not allowing root write permission, and mounting the file system read-only. Edit the file /etc/exports and add, for example:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine allowed to mount this directory,
ro means the mount is read-only, and root_squash prevents root from writing to the directory
To make the above changes take effect, run /usr/sbin/exportfs -a

6. Make sure that the owner of /etc/inetd.conf is root and the file permission is set to 600
[root@deep]# chmod 600 /etc/inetd.conf
Ensure that the owner is root.
[root@deep]# stat /etc/inetd.conf
File: "/etc/inetd.conf"
Size: 2869 Filetype: Regular File
Mode: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 8,6 Inode: 18219 Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999(00002.06:12:16)

Edit /etc/inetd.conf and disable the following services:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger,
auth, unless you really want to use them. If you use SSH/SCP, you can also disable telnet/FTP

To make the changes take effect, run # kill -HUP inetd
You can also run # chattr +i /etc/inetd.conf to make the file immutable;
only root can unlock it, with the command
# chattr -i /etc/inetd.conf

7. tcp_wrappers
By default, RedHat Linux allows all requests; using tcp_wrappers can enhance the security of your site with little effort. You can put
"ALL: ALL" into /etc/hosts.deny to prohibit all requests, and then put the explicitly allowed requests into
/etc/hosts.allow, for example:
sshd: 192.168.1.10/255.255.255.0 gate.openarch.com
This allows SSH connections for the IP address 192.168.1.10 and the host name gate.openarch.com
After configuration, use tcpdchk to check:

[root@deep]# tcpdchk
tcpdchk is the tcp_wrappers configuration checking tool;
it checks your tcp_wrappers configuration and reports any potential or existing problems found

8. The alias file aliases
Edit the alias file /etc/aliases (or /etc/mail/aliases), and remove or comment out the following lines:
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
#games: root # remove or comment out.
#ingres: root # remove or comment out.
nobody: root
#system: root # remove or comment out.
#toor: root # remove or comment out.
#uucp: root # remove or comment out.
# Well-known aliases.
#manager: root # remove or comment out.
#dumper: root # remove or comment out.
#operator: root # remove or comment out.
# trap decode to catch security attacks
#decode: root
# Person who should get root's mail
#root: marc
After the last update, don't forget to run /usr/bin/newaliases to make the change take effect

9. Prevent your system from responding to any external/internal ping requests
Since no one can ping your machine and receive a response, you can greatly enhance the security of your site. You can add the following command to /etc/rc.d/rc.local to make it run automatically after each startup:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

10. Do not display the operating system and version information
If you want someone logging on to your server remotely not to see the operating system and version information, you can change the line in
/etc/inetd.conf as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding the -h flag makes the telnet daemon not display the system information; only the login: prompt is shown

11. The /etc/host.conf file
Edit the host.conf file (vi /etc/host.conf) and add the following lines:

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP Aliasing).
multi off
# Check for IP address spoofing.
nospoof on
IP spoofing: IP spoofing is a security exploit that works by tricking
computers in a trust relationship into believing you are someone that you really aren't.

12. The /etc/securetty file
Specifies the TTY devices from which root is allowed to log in. /etc/securetty is read by the /bin/login program, and its
format is a list of allowed names. For example, you can edit /etc/securetty and comment out the following lines:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
This means that root is only allowed to log in on the tty1 terminal

13. Special accounts
Disable all accounts that are created by the operating system itself and are not needed by default. You should do this check when you first install the system. Linux provides various accounts that you may not need. If you don't need an account, remove it. The more accounts you have, the more vulnerable you are to attack
To delete a user from your system, use the following command:
[root@deep]# userdel username
To delete a group account on your system, use the following command:
[root@deep]# groupdel groupname
Enter the following commands on the terminal to delete the following users:
[root@deep]# userdel adm
[root@deep]# userdel lp
[root@deep]# userdel sync
[root@deep]# userdel shutdown
[root@deep]# userdel halt
[root@deep]# userdel mail
If you don't use the sendmail server, procmail or mailx, delete this account
[root@deep]# userdel news
[root@deep]# userdel uucp
[root@deep]# userdel operator
[root@deep]# userdel games
If you don't use the X Window server, delete this account
[root@deep]# userdel gopher
[root@deep]# userdel ftp
If you don't allow anonymous FTP, delete this user account

Type the following commands to delete the group accounts:
[root@deep]# groupdel adm
[root@deep]# groupdel lp
[root@deep]# groupdel mail
If the sendmail server is not used, delete this group account
[root@deep]# groupdel news
[root@deep]# groupdel uucp
[root@deep]# groupdel games
If you don't use X Window, delete this group account
[root@deep]# groupdel dip
[root@deep]# groupdel pppusers
[root@deep]# groupdel popusers
If you don't use POP servers, delete this group account
[root@deep]# groupdel slipusers

Add the required user accounts with the following command:
[root@deep]# useradd username
Use the following command to change a user's password:
[root@deep]# passwd username
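The checks in the answer above are all "does this file now say what it should"; the following POSIX sh script (an added example, not code from any of the answers on this page) turns them into read-only audit functions. Each function takes the path of the file to inspect so it can be run against a live machine or against copies; it assumes Linux with GNU coreutils (stat -c) and the file paths the answer names.

```shell
#!/bin/sh
# Added audit helpers (not from the answers on this page). Each function takes
# the path of the file to inspect; exit status 0 means the check passed.
# Assumes Linux with GNU coreutils (stat -c) and the paths named in the answer.

# "Disk partition": the fstab entry for a mount point must carry nosuid.
fstab_has_nosuid() {  # $1 fstab path, $2 mount point (e.g. /tmp)
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "nosuid") ok = 1
        } END { if (ok) exit 0; exit 1 }' "$1"
}

# Item 6: mode 600 and owner uid 0 (root). Printed separately so a caller
# can compare them; run_audit below does so for /etc/inetd.conf.
file_mode() { stat -c '%a' "$1"; }       # e.g. 600
file_owner_uid() { stat -c '%u' "$1"; }  # e.g. 0

# Item 7: /etc/hosts.deny must contain the catch-all "ALL: ALL" line.
hosts_deny_all() {  # $1 hosts.deny path
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# Item 9: the kernel must be ignoring ICMP echo requests.
icmp_echo_ignored() {  # $1 proc file (defaults to the real one)
    [ "$(cat "${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}")" = "1" ]
}

# Item 12: any uncommented securetty entry other than tty1 is reported.
securetty_only_tty1() {  # $1 securetty path
    [ -r "$1" ] || return 1
    extra=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -vx 'tty1' || true)
    if [ -n "$extra" ]; then echo "root may also log in on:" $extra; return 1; fi
}

# Items 6/10: services from the answer's "disable" list still active in inetd.conf.
inetd_enabled_risky() {  # $1 inetd.conf path; prints offenders, exit 1 if any
    [ -r "$1" ] || return 1
    found=$(awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1" \
        | grep -Ex 'ftp|telnet|shell|login|exec|talk|ntalk|imap|pop-2|pop-3|finger|auth' || true)
    if [ -n "$found" ]; then echo "still enabled in inetd:" $found; return 1; fi
}

# Run every check against the live paths named in the answer ("sh audit.sh audit").
run_audit() {
    for mp in /tmp /var; do
        fstab_has_nosuid /etc/fstab "$mp" && echo "PASS nosuid $mp" || echo "FAIL nosuid $mp"
    done
    [ "$(file_mode /etc/inetd.conf)" = 600 ] && [ "$(file_owner_uid /etc/inetd.conf)" = 0 ] \
        && echo "PASS inetd.conf is 600 root" || echo "FAIL inetd.conf owner/mode"
    hosts_deny_all /etc/hosts.deny && echo "PASS hosts.deny ALL: ALL" || echo "FAIL hosts.deny"
    icmp_echo_ignored && echo "PASS icmp echo ignored" || echo "FAIL icmp echo answered"
    securetty_only_tty1 /etc/securetty && echo "PASS securetty" || echo "FAIL securetty"
    inetd_enabled_risky /etc/inetd.conf && echo "PASS inetd services" || echo "FAIL inetd services"
}
if [ "${1:-}" = "audit" ]; then run_audit; fi
```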
4. I don't know what you are asking. A bunch of strange numbers; I can't answer your question properly.