Most business systems in the financial sector run on the UNIX/XENIX operating system with TCP/IP as the network platform. On the question of how to strengthen the security management of UNIX network systems, the author, taking SCO UNIX 3.2V4.2 as the example, offers a few views for colleagues to discuss and correct.
Security here refers mainly to protecting the unit's or site's system against unauthorized intrusion, so that its information stays reliable and it keeps operating normally; the article discusses only this aspect, and other aspects are not considered.
First, a good grasp of the management of the hosts within the network is the prerequisite for network security management
User and password management has always been one of the most important aspects of system security management: no attack on the network can do without a legitimate user name and password (the exception being a back door opened by the application itself). Yet most system administrators concentrate only on the management of privileged users and neglect ordinary users. This shows mainly in users being set up for convenience, with user IDs (UID), groups (GROUP) and file permissions assigned casually, which leaves gaps for unauthorized users to steal information and damage the system.
The UNIX users of a financial system are end users: they work only within a specific application and carry out a fixed set of tasks, and under normal circumstances they have no need to execute system (SHELL) commands.
When an ordinary user logs in with a normal shell, pressing the interrupt key (Del), switching off the terminal's power, or typing Ctrl-\ drops the user into the SHELL (command) state. From there a user can, for instance, keep creating subdirectories under his own or a system directory until the inode numbers run out, or run yes > aa to create a junk file that swallows a huge amount of disk space, either of which can exhaust the system and bring it to a halt; if file system permissions are not tight, the user can run programs such as peep or even modify file system permissions; he can use su to steal higher authority; he can log on to other hosts and make trouble there ... the dangers are hard to imagine. All of this stems from how the user is set up in /etc/passwd. So try not to give a user a full shell; if you must, then according to actual needs see whether the shell can be a restricted one such as rsh (on SCO UNIX, /bin/rsh is the restricted shell, not the BSD remote shell), in the following form:
dzhd:x:200:50::/usr/dzhd/obj:/bin/rsh
Or in the following form, where the login program is the application's own front end:
dzhd:x:200:50::/usr/dzhd:./main
and in main (or in .profile) first add the following line:
trap '' 0 1 2 3 5 15
This ignores the exit, hangup, interrupt, quit, trap and terminate signals, so none of the actions above can drop the user into a shell, and all of the problems above are avoided.
In addition, check /etc/passwd regularly for unknown users and for unusual user permissions; change user passwords periodically, especially those of rarely used accounts such as uucp and bin, so that they do not become a skylight, a window through which anyone can enter freely; and remove all dormant users.
I therefore believe that sensible user management is the key to host security.
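As an added example, not code from the original article, here is a small sh audit of the kind the regular /etc/passwd check above calls for. It reads a passwd file and reports accounts that still have a full shell instead of /bin/rsh or an application front end such as ./main (an empty shell field counts as /bin/sh, the login default), duplicate UIDs, and non-root accounts with UID 0. The passwd content is a constructed sample, and the rsh and ./main naming follows the entries shown above; adjust the pattern to whatever restricted shell or front end your site uses.

```sh
#!/bin/sh
# Added example (not from the original article): audit a passwd file for the
# gaps the text describes. Input is a constructed sample, not a real /etc/passwd.

# audit_passwd FILE: prints one finding per line, tagged UID0, DUPUID or SHELL.
# Returns 0 when there are no findings, 1 otherwise.
audit_passwd() {
    findings=$(awk -F: '
        # skip blank and comment lines
        /^[ \t]*$/ || /^#/ { next }
        {
            user = $1; uid = $3; shell = $7
            # a second UID-0 account is a hidden superuser
            if (uid == 0 && user != "root")
                print "UID0 " user
            # two logins sharing a UID share every file and process
            if (seen[uid]++)
                print "DUPUID " user " uid=" uid
            # only root keeps a full shell; everyone else must be restricted
            # (an empty seventh field means login falls back to /bin/sh)
            if (user != "root" && shell !~ /\/rsh$/ && shell !~ /^\.\/main$/)
                print "SHELL " user " " (shell == "" ? "/bin/sh(default)" : shell)
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample passwd content (assumption: not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:Superuser:/:/bin/sh
dzhd:x:200:50::/usr/dzhd/obj:/bin/rsh
dgxt:x:201:50::/usr/dgxt:./main
ops:x:0:50::/usr/ops:/bin/sh
test:x:202:50::/usr/test:
uucp:x:5:5:uucp:/usr/lib/uucp:/bin/sh'

# write_tmp CONTENT: write CONTENT to a temporary file and print its path
write_tmp() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Stand-alone run: audit the sample and print the findings.
sample=$(write_tmp "$SAMPLE_PASSWD")
audit_passwd "$sample" || true
rm -f "$sample"
```

Run it against the real file with audit_passwd /etc/passwd from cron and mail the output to the administrator; an empty result is the normal state, and any SHELL line for an end-user account is a user who can drop into a command prompt.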
Second, setting up one's own network environment is an effective way to prevent unauthorized access
The commonly used tools for network access are telnet, ftp, rlogin, rcp, rcmd and similar network commands, and they must be restricted. The simplest method is to change the corresponding service port numbers in /etc/services. That refuses every access from outside the network, legitimate access included. I do not advocate this closed-door practice, because it makes the site incompatible with the outside world and brings its own inconvenience. From an analysis of the UNIX system, I think network access can be restricted (or permitted) in the following ways.
1) Create the /etc/ftpusers file, the table of users who are not allowed to use ftp. It is configured as follows:
# user name
dgxt
dzhd
...
These are users of this machine. Even if an intruder obtains one of these user names, ftp access to this site is turned away. The related command is ftp.
2) Keep .netrc confidential. It is the remote login data file: it holds the data (remote host, login name and password) that ftp uses for file transfers with remote hosts on the network. It normally lives in the user's home directory, and its permissions must be 0600.
3) Create anonymous ftp. With so-called anonymous ftp, users of other hosts can send and receive data with this host's ftp under the user name anonymous, without any password.
4) Restrict .rhosts, the user equivalence file, also known as the user trust file, which concerns the commands rlogin, rcp, rcmd and so on.
User equivalence means that a user with the same user information can log on to another host without entering a password. The user equivalence file is named .rhosts and is kept in root's or the user's home directory.
5) Restrict hosts.equiv, the host equivalence file, also known as the trusted hosts file, which likewise concerns rlogin, rcp, rcmd and so on. Host equivalence is similar to user equivalence, except that it takes effect for every user on both machines other than root; the host equivalence file is hosts.equiv and is kept in /etc.
The control method is as follows:
When remote access comes in by ftp, the UNIX system first validates the user name and password; if they are correct, it then looks in the ftpusers file, and if that file contains the login name the connection is rejected automatically, which is how the restriction is achieved. So as long as every user of this machine other than anonymous ftp is listed in the ftpusers file, the machine will not open its door even to an intruder who holds correct user information. Information released to the outside is placed in /usr/ftp/pub, from where it can be obtained through anonymous ftp. Anonymous ftp has no password, but it poses no threat to the local system's security, because it cannot change out of its own directory tree and so cannot obtain other information inside the machine. When .netrc is used, pay attention to its confidentiality, to prevent the disclosure of information about other hosts.
User equivalence and host equivalence let a user log on to the remote system without a password, just like any other valid user, so they carry a serious lack of security and must be strictly controlled or used only in a very trustworthy environment. A remote user can log in directly with rlogin without a password, can copy files to or from the local host with rcp, and can execute commands on this machine remotely with rcmd. When a user needs to log into another system frequently, equivalence does speed up the login, reduces the number of processes running on the remote system, and, since no password is typed, gives an eavesdropper on the network nothing to capture.
The UNIX system provides no direct control over telnet. But /etc/profile is the default SHELL environment file, and every user executes it first on login. If a few SHELL commands that demand a second password are added at the top of that file, then even an unauthorized user who has obtained a legitimate user name and password cannot use the system remotely. The system administrator should read the log files regularly and pay attention to the console messages, in order to learn of unauthorized access attempts and take timely measures. If the process above is implemented in C, so that the password is accepted without being echoed, so much the better.
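The ftpusers and equivalence controls in 1), 4) and 5) above, as an added sh example that is not from the original article: gen_ftpusers builds the ftpusers list from a passwd file so that every local account except the anonymous ftp account is refused; audit_trust_file flags the + wildcard entries in a .rhosts or hosts.equiv file, which trust any host or any user on a host (a hazard the article does not spell out but which follows directly from how equivalence works); check_netrc verifies the 0600 mode required in 2). All inputs are constructed samples, and the name ftp for the anonymous account is an assumption.

```sh
#!/bin/sh
# Added example (not from the original article). Inputs are constructed samples.

# gen_ftpusers PASSWD_FILE: print the ftpusers list, one login per line.
# Every account except the anonymous "ftp" account (assumed name) goes in,
# root included, so ftpd refuses all real users and only anonymous remains.
gen_ftpusers() {
    awk -F: '/^[ \t]*$/ || /^#/ { next } $1 != "ftp" { print $1 }' "$1"
}

# audit_trust_file FILE: flag lines of a .rhosts or hosts.equiv that trust too much.
#   "+" in the host column : any host on the network is trusted
#   "+" in the user column : any user on that host is trusted
#   "-host" entries are exclusions and are left alone
# Prints one finding per line; returns 1 if anything was found.
audit_trust_file() {
    findings=$(awk '
        /^[ \t]*$/ || /^#/ { next }
        {
            host = $1; user = (NF >= 2) ? $2 : ""
            if (host == "+")      print "ANYHOST line " NR ": " $0
            else if (user == "+") print "ANYUSER line " NR ": " $0
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# check_netrc FILE: .netrc holds ftp passwords in clear, so the mode must be
# exactly 0600 (owner read/write only). Returns 0 if so.
check_netrc() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# write_tmp CONTENT: write CONTENT to a temporary file and print its path
write_tmp() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Constructed samples (assumption: not from any real host).
SAMPLE_PASSWD='root:x:0:0:Superuser:/:/bin/sh
ftp:x:30:30:anonymous ftp:/usr/ftp:/bin/sh
dzhd:x:200:50::/usr/dzhd/obj:/bin/rsh
dgxt:x:201:50::/usr/dgxt:./main'

SAMPLE_RHOSTS='branch1 dzhd
branch3 +
+'

# Stand-alone run: show the generated list and the trust-file findings.
pw=$(write_tmp "$SAMPLE_PASSWD"); rh=$(write_tmp "$SAMPLE_RHOSTS")
echo "--- ftpusers ---";            gen_ftpusers "$pw"
echo "--- trust file findings ---"; audit_trust_file "$rh" || true
rm -f "$pw" "$rh"
```

To apply the first function for real, run gen_ftpusers /etc/passwd > /etc/ftpusers and then confirm from another host that a real login is refused while anonymous still works; run audit_trust_file over /etc/hosts.equiv and every home directory's .rhosts as part of the same periodic check as the passwd audit.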
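A second-password gate of the kind the paragraph above proposes for the top of /etc/profile, as an added sh example that is not the article's own code. Only network logins (those on a pseudo-terminal) are challenged, echo is switched off while the password is read, every failure is logged, and after a fixed number of failures the login session is ended with exit. The stored value is a SHA-256 hash computed with sha256sum, which is an assumption about the host: SCO UNIX 3.2V4.2 does not ship that tool, which is one reason the article suggests a small C program for this step. The file paths and the tty naming are assumptions as well.

```sh
#!/bin/sh
# Added example (not from the original article): second-password gate for
# /etc/profile. Paths below are assumptions, not the article's.
SECOND_PW_HASH_FILE=${SECOND_PW_HASH_FILE:-/etc/second.pw}   # assumed path
SECOND_PW_LOG=${SECOND_PW_LOG:-/usr/adm/second.log}          # assumed path
MAX_TRIES=3

# hash_secret SECRET: hex SHA-256 of SECRET (assumes coreutils sha256sum)
hash_secret() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# verify_second_password ENTERED HASH_FILE: 0 if ENTERED hashes to the stored value
verify_second_password() {
    stored=$(cat "$2" 2>/dev/null) || return 1
    [ -n "$stored" ] && [ "$(hash_secret "$1")" = "$stored" ]
}

# is_remote_login: a pseudo-terminal means telnet or rlogin, not the console
# (/dev/ttyp* on SCO, /dev/pts/* on newer systems: assumed naming)
is_remote_login() {
    case "$(tty 2>/dev/null)" in
        /dev/ttyp*|/dev/pts/*) return 0 ;;
        *) return 1 ;;
    esac
}

# prompt_loop HASH_FILE LOG_FILE MAX: ask up to MAX times; 0 on success,
# 1 after MAX failures. Reads from stdin so the logic can be exercised
# non-interactively; stty -echo hides the typed password on a real terminal.
prompt_loop() {
    tries=0
    while [ "$tries" -lt "$3" ]; do
        stty -echo 2>/dev/null
        printf 'Second password: ' >&2
        IFS= read -r entered || entered=
        stty echo 2>/dev/null
        echo >&2
        if verify_second_password "$entered" "$1"; then
            return 0
        fi
        tries=$((tries + 1))
        echo "$(date) second-password failure user=${LOGNAME:-?} tty=$(tty 2>/dev/null) try=$tries" >> "$2"
    done
    return 1
}

# second_password_gate: what /etc/profile calls. Console logins pass through;
# for remote logins the interrupt and quit keys are ignored so the prompt
# cannot be skipped, and a failed check ends the login with exit.
second_password_gate() {
    is_remote_login || return 0
    trap '' 1 2 3 15
    prompt_loop "$SECOND_PW_HASH_FILE" "$SECOND_PW_LOG" "$MAX_TRIES" || exit 1
    trap 1 2 3 15
}

# In /etc/profile: source this file, then call second_password_gate as the
# first command, before any PATH or application start-up lines.
```

Create the stored value with hash_secret 'the-second-password' > /etc/second.pw and make that file mode 0600 owned by root; the log file is what the administrator reads, as the paragraph above recommends, to spot repeated failures from one tty or user.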
Third, pay attention to the confidentiality of important data
This includes the hosts table, X.25 addresses, routing, the telephone numbers of the connecting modems and the type of communication software used, and the user names within the network; these data should be protected by security measures to prevent them from spreading freely. For example, one can apply to the telecommunications sector for a dedicated telephone number that is not published and not available through directory inquiries. Information that passes through the public switching equipment of the Posts and Telecommunications can be tampered with or compromised.
Setting up reasonable routes can also effectively prevent the disclosure of information.
Fourth, pay attention to the management of important network equipment
Routers are a very important part of a network security plan. Most routers now already have some firewall features, such as prohibiting telnet access or prohibiting illegal access to other segments. Restricting access to the router from the network is a simple and effective means of filtering external access.
Where local conditions allow, a gateway can also be set up to isolate this site from other networks. The gateway stores no business data, and every user other than those needed for the normal operation of the system is deleted; this too enhances network security.
In short, as long as we start now, raise network security awareness, and pay attention to accumulating experience and learning, it is entirely possible to ensure the secure and normal operation of information systems.