Setting up network security in Ubuntu

It can certainly be said that Linux is safer than Windows. Security in Linux is built in rather than bolted on from the side, as it is in Windows. Linux security covers everything from the kernel to the desktop, but an attacker still has a chance to damage your home directory (/home).

Your photos, home videos, documents, and bank card or wallet details are the most valuable data on the computer. Linux is, of course, not susceptible to the many Internet worms and viruses written for Windows, but attackers can still find a way into the data in your home directory.

Formatting an old computer or hard drive before selling it: do you think that is enough? There are plenty of modern data-recovery tools. Whoever gets your drive can easily recover your data from it, regardless of the OS you used.

On this topic I recall the experience of a company that bought up used computers and disks. In the course of its work it concluded that 90% of the previous owners had not properly wiped their storage media before selling, and very sensitive data could be extracted from them. It is frightening to imagine that somewhere in the depths of your hard drive there are the credentials for your online bank or online wallet.

Start with Linux security basics

Let's start with the basics, which apply to almost any Linux distribution.

Encrypting the file system for more complete Linux security

User passwords alone won't solve the problem if you really want nobody to be able to read your home directory (/home) or a particular set of files. You can set things up so that even a user with full root privileges cannot poke his nose in.

Delete sensitive files so that no one else can recover them

If you decide to sell or give away your computer or storage media, do not assume that simple formatting permanently deletes your files. You can install the secure-delete package on your Linux system; it includes the srm utility for securely deleting files.

Also do not forget about the firewall built into the Linux kernel. Every Linux distribution includes iptables, which is part of the kernel and lets you filter network packets. You can, of course, configure it from the terminal, but that is beyond many users, including me, so I install one of the graphical front ends instead and configure it as easily as if I were playing a game.

Like any operating system, Linux accumulates junk as applications run. That is not Linux's fault: applications such as browsers, text editors and even video players run outside the kernel and leave temporary files behind. You can install BleachBit, a general-purpose cleanup utility, to remove them.

Anonymous surfing and hiding your IP are very important for protecting your identity under Linux


In conclusion, I want to tell you about anonymous web surfing. Sometimes it is necessary, as when I secretly visit sites with erotic content behind my wife's back. Of course, I'm joking.

It will be difficult for attackers to reach you if they cannot determine your location. We cover our tracks with a simple setup of two utilities working together: Privoxy and Tor.

In my opinion, following and setting up all these rules will secure you and your computer by 90%.

P.S. I use a cloud service called Dropbox, where I keep my old articles and the new ones that are not yet published. It is convenient to have access to your files from anywhere in the world and from any computer. When I write articles for the site in a text editor, I protect the documents with a password and only then upload them to the Dropbox server. Extra security is never wasted; it will only play into your hands.

There is no doubt that a freshly installed Linux system is much more resistant to malware, spyware and hackers than the same version of Windows. However, most Linux systems use default settings that are not entirely secure.

Some Linux distributions are designed to be as secure as possible out of the box, but they tend to cause a lot of trouble for newcomers, especially those who are not security experts.

Ubuntu is the most popular Linux distribution in use today. There are many reasons for this, one of them being that it is the easiest for beginners. That has its positive aspects, but for the same reason the system has several weaknesses that the developers left in favour of user convenience. In this article we'll look at how to configure security in Ubuntu 16.04. These settings are not complicated, but they will make your system more resistant to the most common attack methods.

The first rule is to keep your system up to date. New vulnerabilities are constantly being discovered in the kernel and in software; Dirty COW is one example. Developers fix these bugs very quickly, but for the fixes to reach your system you must update it promptly.

Another important point is the user's password. Do not run a user account without a password. If you need to give other people access to the computer, create a new account for them, for example a guest account, but always use passwords. The Linux operating system was originally built as a multi-user system with the security of all users in mind, so don't pass up this opportunity. But all of that is advice you probably already know; let's look at really useful ways to increase the security of Ubuntu.

1. Setting up shared memory

By default the entire shared-memory volume /run/shm is mounted read/write and allows programs to be executed from it. This is considered a security hole, and many exploits use /run/shm to attack running services. For most desktops, and especially for servers, it is recommended to mount this filesystem read-only. To do so, add the following line to /etc/fstab:

sudo vi /etc/fstab

none /run/shm tmpfs defaults,ro 0 0

Still, some programs will not work if /run/shm is read-only; Google Chrome is one of them. If you use Google Chrome, keep write access but forbid the execution of programs from it by adding this line instead of the one suggested above:

none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
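As an added check (not from the original article), the following shell function classifies how the shared-memory tmpfs is actually mounted by reading a /proc/mounts-style table, so you can confirm which of the two fstab variants took effect after remounting; the sample table is constructed.

```shell
#!/bin/sh
# Added example: report how the shared-memory tmpfs is mounted.
# Reads a /proc/mounts-style table (device mountpoint fstype options dump pass)
# and prints one of:
#   ro        - read-only, the first fstab variant above
#   rw-noexec - writable but noexec,nosuid,nodev, the Chrome-friendly variant
#   weak      - writable and executable (the default this section warns about)
#   missing   - no shared-memory tmpfs in the table at all
# On Ubuntu 16.04 /run/shm is a symlink to /dev/shm, so both paths are checked.
shm_status() {
    awk '($2 == "/run/shm" || $2 == "/dev/shm") && $3 == "tmpfs" {
        found = 1
        n = split($4, opt, ",")
        ro = noexec = nosuid = nodev = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro")     ro = 1
            if (opt[i] == "noexec") noexec = 1
            if (opt[i] == "nosuid") nosuid = 1
            if (opt[i] == "nodev")  nodev = 1
        }
        if (ro)                             print "ro"
        else if (noexec && nosuid && nodev) print "rw-noexec"
        else                                print "weak"
        exit
    }
    END { if (!found) print "missing" }' "$1"
}

# Constructed sample table (not captured from a real host): the stock Ubuntu
# mount, which is writable and allows execution.
SHM_SAMPLE=$(mktemp)
printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n' >  "$SHM_SAMPLE"
printf 'tmpfs /run/shm tmpfs rw,nosuid,nodev 0 0\n'              >> "$SHM_SAMPLE"

# On a live system run: shm_status /proc/mounts
shm_status "$SHM_SAMPLE"   # prints: weak
```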

2. Prevent non-administrators from using su

In addition to your account, Ubuntu also has a guest account, which you can use to share your laptop with a friend. The su utility allows you to run programs as another user. It is very useful in system administration and vital when used correctly. Nevertheless, every Linux user can run this utility, and that is open to abuse. To deny the guest account access to the su command, run:

sudo dpkg-statoverride --update --add root sudo 4750 /bin/su

3. Protect your home directory

By default your home directory is accessible to every user on the system. So if you have a guest account, the guest can get at all your personal files and documents. You can make the directory accessible only to you. Open a terminal and run the following command:

chmod 0700 /home/username

This sets the permissions so that everything is available to the owner of the folder, that is, to you, while other users cannot even list its contents. Alternatively, set the permissions to 750, which grants read access to your folder to users in the same group as you:

chmod 0750 /home/username

Now the security of Ubuntu 16.04, and especially your personal data, will be a little higher.

4. Disable SSH login as root

By default in Ubuntu you can log in over SSH as root. Even though you set a password for the root user, this is potentially dangerous: if the password is simple, an attacker can brute-force it and take full control of the computer. The sshd service may not be installed on your system at all; to check, try connecting to the SSH server on the local machine.

If you get a "connection refused" message, the SSH server is not installed and you can skip this step. If it is installed, configure it through the configuration file /etc/ssh/sshd_config. Open this file and replace the line:

PermitRootLogin yes

with

PermitRootLogin no

Done; it is now harder to get into your system over SSH, but the Ubuntu 16.04 security setup is not complete yet.
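An added helper (not part of the article) that performs the PermitRootLogin edit safely: sshd uses the first active directive it finds, and depending on the version the line may be present, commented out, or absent, so a blind search-and-replace of "PermitRootLogin yes" can silently do nothing. The function handles all three cases; the sample files are constructed.

```shell
#!/bin/sh
# Added example: set a directive in sshd_config robustly.
# sshd takes the FIRST active occurrence of a keyword, so the function rewrites
# every active occurrence (a stray duplicate lower down must not win), uncomments
# a commented-out default if that is all there is, and appends the directive
# when it is absent. A temporary file is used instead of sed -i for portability.
# Usage: set_sshd_option <config-file> <Keyword> <value>
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
        # Active directive present: normalise every occurrence to the new value.
        sed -E "s/^[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$tmp"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}[[:space:]]" "$file"; then
        # Only the commented default is present: uncomment and set it in place.
        sed -E "s/^[[:space:]]*#[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$tmp"
    else
        # Directive absent: append it.
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Print the value sshd will actually use for a keyword: the first active
# directive wins; comments and later duplicates are ignored. Empty if unset.
sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Constructed sample: upstream-style file with the directive commented out.
SSHD_SAMPLE=$(mktemp)
printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$SSHD_SAMPLE"
set_sshd_option "$SSHD_SAMPLE" PermitRootLogin no
sshd_option "$SSHD_SAMPLE" PermitRootLogin   # prints: no

# On the real file: set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
# then validate with `sshd -t` before restarting the service.
```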

5. Install a firewall

It is possible that besides the SSH server your computer also runs a database service and the Apache or nginx web server. If this is a home computer, you probably don't want anyone else to connect to your local website or database. To prevent this, install a firewall. On Ubuntu it is recommended to use gufw, which is designed specifically for this system.

To install, run:

sudo apt install gufw

Then open the program, enable protection and block all incoming connections. Allow only the ports needed by the browser and other known programs. Read more in the instructions.

6. Protection against MITM attacks

The essence of a MITM ("man in the middle") attack is that a third party intercepts all the packets you send to the server and can thus obtain your passwords and personal data. We cannot protect ourselves against every attack of this kind, but one variety, the ARP attack, is quite common on public local networks. Exploiting features of the ARP protocol, the attacker poses as the router to your computer, so you send all your data packets to him. You can protect yourself from this very easily with the TuxCut utility.

The program is not in the official repositories, so to install it, download the package from GitHub:

wget https://github.com/a-atalla/tuxcut/releases/download/6.1/tuxcut_6.1_amd64.deb

Then install the resulting package:

sudo apt install ./tuxcut_6.1_amd64.deb

Before running the program, start its service:

sudo systemctl start tuxcutd

The main window of the utility looks like this:

It displays the IP addresses of all users connected to the network along with the corresponding MAC address of each. If you tick the Protection Mode box, the program will protect you against ARP attacks. You can use it on public networks, such as public Wi-Fi, where you fear for your safety.

Conclusions

Well, that's it: the Ubuntu 16.04 security setup is complete and your system is much more secure. We have covered the most common attack vectors and penetration methods used by hackers. If you know other useful ways to improve security in Ubuntu, write in the comments!

None of us wants personal information to fall into the wrong hands. But how do you protect the system from attacks and data theft? Do you really have to read kilometre-long manuals on configuration and encryption algorithms? Not at all. In this article I will show you how to make a Linux system secure in just 30 minutes.

Introduction

We live in an age of mobile devices and being permanently online. We go to a cafe with a laptop and run web servers on our home machines. We register on hundreds of sites and use the same passwords for different web services. We always have a smartphone in our pocket, stuffed with dozens of passwords and the keys to several SSH servers. We have become so accustomed to third-party services taking care of our privacy that we have stopped paying attention to it.

When I lost my smartphone, I was very lucky that the anti-theft software installed on it worked and allowed me to remotely erase all data from the device's memory. When I inadvertently opened an SSH port on my home machine to the outside world (!) with a passwordless user (!!), I was very lucky that the script kiddies who got into the machine left nothing more serious behind than an amusing shell history. When I accidentally posted a listing containing my Gmail password on the Internet, I was very lucky that a kind person found it and warned me.

Maybe I'm exaggerating, but I firmly believe that such incidents have happened to many who read these lines. And it's good if those people, unlike me, took the protection of their machine seriously. After all, the anti-theft might not have worked; serious people rather than a script kiddie could have got into the machine; and I could have lost not a smartphone but a laptop protected by nothing except the user's password. No, in our age it is definitely not worth relying on Google's two-factor authentication and stupid passwords alone; something more serious is needed.

This article is a paranoid unixoid's guide to the total protection of a Linux machine from anything and everything. I do not claim that everything described here is mandatory. On the contrary, it is a collection of recipes, which you can use to protect yourself and your data at whichever frontiers your particular situation requires.

Password!

It all starts with passwords. They are everywhere: in the login window of a Linux distribution, in registration forms on websites, on FTP and SSH servers, and on the lock screen of a smartphone. The standard for passwords today is 8–12 mixed-case characters including digits. Inventing such passwords in your head is tedious, but there is an easy way to generate them automatically:

$ openssl rand -base64 6

No external applications, no browser extensions: OpenSSL is available on any machine. If someone prefers, they can install and use pwgen for this purpose (they say its passwords are more resistant):

$ pwgen -Bs 8 1

Where to store passwords? Today each user has so many that it is simply impossible to keep them all in your head. Trust the browser's autosave? You can, but who knows how Google or Mozilla treat them; Snowden said it was not very good. Therefore passwords should be stored on the machine itself in an encrypted container. The founding fathers recommend KeePassX for this. It is a graphical program, which the founding fathers themselves don't much like, but it works everywhere, including the well-known Android (KeePassDroid). All that remains is to move the password database to the right place.

We encrypt

Encryption: how much there is in this word... Today encryption is everywhere and nowhere at the same time. We are forced to use the HTTPS versions of sites, but we don't care. We are told, "Encrypt your home directory," and we say, "I'll set it up later." We are told, "The favourite pastime of Dropbox employees is laughing at users' personal photos," and we say, "Let them laugh." Meanwhile, encryption is the only absolute means of protection available today. It is also very affordable and smooths wrinkles.

In Linux you can find tons of encryption tools for anything and everything, from hard-disk partitions to single files. The three best-known and time-tested are dm-crypt/LUKS, eCryptfs and EncFS. The first encrypts entire disks and partitions; the second and third encrypt directories with important information, each file separately, which is very convenient if you need incremental backups or want to combine encryption with Dropbox. There are also several lesser-known tools, TrueCrypt for example.

I will say right away that encrypting the entire disk is a difficult and, most importantly, useless task. There is not and cannot be anything particularly confidential in the root directory, whereas the home directory and swap are a storehouse of information. Moreover, the second is an even bigger one than the first, since already decrypted data and passwords can end up there (good programmers forbid the system to swap out such data, but they are a minority). Setting up encryption for both is very simple; just install ecryptfs-utils:

$ sudo apt-get install ecryptfs-utils

And, in fact, enable encryption:

$ sudo ecryptfs-setup-swap
$ ecryptfs-setup-private

Then just enter the password you use for login and log in to the system. Yes, it really is that simple. The first command encrypts and remounts the swap, changing the necessary lines in /etc/fstab. The second creates the ~/.Private and ~/Private directories, which hold the encrypted and the decrypted files respectively. When you log in, the PAM module pam_ecryptfs.so fires and mounts the first directory onto the second with transparent encryption. After unmounting, ~/Private will be empty and ~/.Private will hold all the files in encrypted form.

Nothing forbids encrypting the whole home directory. Performance will not drop much, but all files will be protected, including the same ~/Dropbox network directory. It is done like this:

# ecryptfs-migrate-home -u vasya

Note that you need 2.5 times as much free disk space as vasya has data, so I recommend cleaning up in advance. After the operation completes, log in immediately as the user vasya and check that it works:

$ mount | grep Private
/home/vasya/.Private on /home/vasya type ecryptfs ...

If everything is OK, the unencrypted copy of the data can be overwritten:

$ sudo rm -r /home/vasya.*

We cover our tracks

OK, passwords are in a safe place, personal files too; now what? Now we have to make sure that pieces of our personal data do not fall into the wrong hands. It is no secret that when a file is deleted, its actual contents remain on the medium, even if it is formatted afterwards. Our encrypted data is safe even after deletion, but what about flash drives and other memory cards? This is where the srm utility comes in handy: it not only deletes the file but also overwrites the data blocks it occupied with garbage:

$ sudo apt-get install secure-delete
$ srm secret-file.txt home-video.mpg

To wipe an entire flash drive, dd is enough:

# dd if=/dev/zero of=/dev/sdb

This command erases all data on the sdb stick. Then it remains to create a partition table (with one partition) and format it with the desired filesystem. fdisk and mkfs.vfat are recommended for this, but the graphical GParted will do as well.

Preventing BruteForce Attacks

Fail2ban is a daemon that scans logs for attempts to guess passwords to network services. If such attempts are found, the suspicious IP address is blocked with iptables or TCP Wrappers. The service can notify the host owner of the incident by e-mail and lift the block after a given time. Fail2ban was originally developed to protect SSH; today ready-made examples are offered for Apache, lighttpd, Postfix, Exim, Cyrus IMAP, named and so on. Moreover, one Fail2ban process can protect several services at once.

On Ubuntu/Debian, install it with:

# apt-get install fail2ban

The configs live in the /etc/fail2ban directory. After changing the configuration, restart fail2ban with:

# /etc/init.d/fail2ban restart
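As an added illustration (not from the article), a minimal /etc/fail2ban/jail.local for the SSH case described above. Local overrides belong in jail.local so that package upgrades of jail.conf do not discard them; the e-mail address is a placeholder and the log path assumes Debian/Ubuntu.

```ini
[DEFAULT]
# Never ban the local host; add your own admin network here as well
ignoreip = 127.0.0.1/8
# Five failed attempts within 10 minutes earn a one-hour ban
findtime = 600
maxretry = 5
bantime  = 3600
# Report incidents by e-mail (placeholder address) with whois data and log excerpt
destemail  = admin@example.com
sendername = Fail2Ban
action     = %(action_mwl)s

[sshd]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
```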

Threat from outside

Now let's take care of the threats coming from the bowels of the World Wide Web. This is where I should start talking about iptables and pf running on a dedicated OpenBSD machine, but all of that is redundant when there is ipkungfu. What is it? A script that does all the dirty work of configuring the firewall for us, without kilometre-long lists of rules. Install:

$ sudo apt-get install ipkungfu

Edit config:

$ sudo vi /etc/ipkungfu/ipkungfu.conf
# The local network: if there is one, write its address with the mask; if not, the loopback address
LOCAL_NET="127.0.0.1"
# Our machine is not a gateway
GATEWAY=0
# Close the necessary ports
FORBIDDEN_PORTS="135 137 139"
# Block pings; 90% of the kiddies fall off at this stage
BLOCK_PINGS=1
# Drop suspicious packets (flooding of various kinds)
SUSPECT="DROP"
# Drop "wrong" packets (some types of DoS)
KNOWN_BAD="DROP"
# Port scanning? Trash!
PORT_SCAN="DROP"

To enable ipkungfu, open the /etc/default/ipkungfu file and change the line IPKFSTART=0 to IPKFSTART=1. Then run:

$ sudo ipkungfu

Additionally, make the following changes to /etc/sysctl.conf:

$ sudo vi /etc/sysctl.conf
# Drop ICMP redirects (against MITM attacks)
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
# Enable the TCP syncookies mechanism
net.ipv4.tcp_syncookies=1
# Various tweaks (anti-spoofing, a larger queue of "half-open" TCP connections, and so on)
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_max_syn_backlog=1280
kernel.core_uses_pid=1

Activate changes:

$ sudo sysctl -p

Detecting intrusions

Snort is one of admins' favourite tools and a mainstay of every security guide. It is a thing with a long history and colossal possibilities, to which whole books are devoted. What is it doing in our guide to quickly setting up a secure system? It has its place here, because Snort does not need to be configured:

$ sudo apt-get install snort
$ snort -D

That's all! I am not kidding: the default Snort settings are more than enough to protect typical network services, if you have any, of course. You just need to look at the log from time to time, where you may find lines like these:

[**] MS-SQL probe response overflow attempt [**] http://www.securityfocus.com/bid/9407]

Oops. Someone tried to cause a buffer overflow in MySQL. There is also a link to a page with a detailed description of the problem. Beautiful.

Someone has left traces...

Someone especially clever managed to bypass our firewall, slip past Snort, get root in the system and now visits it regularly through an installed backdoor. Not good: the backdoor must be found and removed and the system updated. To search for rootkits and backdoors, use rkhunter:

$ sudo apt-get install rkhunter

Run it:

$ sudo rkhunter -c --sk

The program checks the whole system for rootkits and shows the results. If malware is found, rkhunter will point to its location, and it can be erased. A more detailed log is in /var/log/rkhunter.log. It is better to run rkhunter as a daily cron job:

$ sudo vi /etc/cron.daily/rkhunter.sh
#!/bin/bash
/usr/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Results" vasya@example.com

Replace Vasya's e-mail address with your own and make the script executable:

$ sudo chmod +x /etc/cron.daily/rkhunter.sh

It is also worth updating the rkhunter database from time to time:

$ sudo rkhunter --update

This update can also be added before the check command in the cron script. Two more rootkit search tools:

$ sudo apt-get install tiger
$ sudo tiger
$ sudo apt-get install lynis
$ sudo lynis -c

In fact, they are much the same thing viewed from a different angle, but they have different databases, so perhaps they will reveal what rkhunter missed. And for a start, debsums is a tool for checking the checksums of installed packages' files against the reference values. Install it:

$ sudo apt-get install debsums

Start the check:

$ sudo debsums -ac

As usual, the launch can be added to the cron jobs.



Outside

Now let's talk about how to remain anonymous on the Web and reach sites and pages blocked at the request of various copyright organisations and other Mizulins. The easiest way is to use one of the thousands of proxy servers around the world. Many are free, but they often cut the bandwidth to the speed of an ancient analog modem.

To browse safely and switch the proxy on only when necessary, you can use one of the many extensions for Chrome and Firefox that are easily found by searching the extension directory for "proxy switcher". Install one, enter the list of proxies you need and switch to the required one whenever, instead of the page, you see the notice "Access to the page is restricted at the request of Mr. Skumbrievich".

In situations where an entire site has fallen under the filter and its address is blacklisted on the providers' DNS servers, you can use the free DNS servers whose addresses are published. Just take any two addresses you like and add them to /etc/resolv.conf:

nameserver 156.154.70.22
nameserver 156.154.71.22

To prevent DHCP clients and NetworkManager from overwriting the file with the addresses received from the provider or router, make the file immutable using extended attributes:

$ sudo chattr +i /etc/resolv.conf

After that, the file will become write-protected for everyone, including root.

To further anonymize your browsing, you can also use the dnscrypt-proxy daemon, which encrypts all requests to the DNS server, in addition to the proxy server used to connect to the site itself. Install:

$ wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.2.tar.bz2
$ bunzip2 -cd dnscrypt-proxy-*.tar.bz2 | tar xvf -
$ cd dnscrypt-proxy-*
$ sudo apt-get install build-essential
$ ./configure && make -j2
$ sudo make install

Specify the loopback address in /etc/resolv.conf:

$ vi /etc/resolv.conf
nameserver 127.0.0.1

Let's start the daemon:

$ sudo dnscrypt-proxy --daemonize

By the way, there are versions of DNSCrypt for Windows, iOS and Android.

Onion Routing

What is onion routing? It is Tor. And Tor, in turn, is a system that lets you create a completely anonymous network with Internet access. The term "onion" refers to the operating model, in which every network packet is "wrapped" in three layers of encryption and passes through three nodes on its way to the recipient, each of which removes its own layer and passes the result on. Everything is, of course, more complicated, but for us the only important thing is that this is one of the few kinds of networking that lets you stay completely anonymous.

However, where there is anonymity there are connection problems, and Tor has at least three: it is horrendously slow (thanks to the encryption and the chain of nodes), it puts load on your network (because you yourself become one of the nodes), and it is vulnerable to traffic interception. The last is a natural consequence of being able to reach the Internet from the Tor network: the final node (the exit) removes the last layer of encryption and can see the data.

However, Tor is very easy to install and use:

$ sudo apt-get install tor

That's it; now the local machine has a proxy server into the Tor network at 127.0.0.1:9050. You can enter it in the browser with the same extension, or add it through the settings. Keep in mind that this is a SOCKS proxy, not an HTTP proxy.


INFO

The Android version of Tor is called Orbot.

To keep a password typed on the command line out of the shell history, you can use a clever trick: add a space at the beginning of the command.

It is ecryptfs that is used to encrypt the home directory in Ubuntu.

The fight against flood

Here are a few commands that can help when your host is being flooded.

Counting the number of connections on a specific port:

$ netstat -na | grep ":port " | wc -l

Counting the number of "half-open" TCP connections:

$ netstat -na | grep ":port " | grep SYN_RECV | wc -l

Viewing the list of IP addresses from which connection requests are made:

$ netstat -na | grep ":port " | awk '{print $5}' | sed 's/:[^:]*$//' | sort | uniq -c | sort -nr | less

Analyzing suspicious packets with tcpdump:

# tcpdump -n -i eth0 -s 0 -w output.pcap dst port port and host server_ip

We drop the attacker's connections:

# iptables -A INPUT -s attacker_ip -p tcp --destination-port port -j DROP

We limit the maximum number of "half-open" connections from one IP to a specific port (the iplimit match of older kernels is called connlimit today):

# iptables -I INPUT -p tcp --syn --dport port -m connlimit --connlimit-above 10 -j DROP

Disable responses to ICMP ECHO requests:

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
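The one-liners above are typed on a live host; as an added example (not the article's code), the same questions are answered by shell functions run over a saved netstat -na listing, with the constructed sample below standing in for a SYN flood against port 80. Linux netstat reports half-open connections as SYN_RECV, and the peer column is stripped of its port so IPv4 and IPv6 entries both work.

```shell
#!/bin/sh
# Added example: answer the flood questions above from a saved `netstat -na`.
# Linux netstat columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State

# Constructed sample (not captured from a real host): a SYN flood on port 80
# from 198.51.100.7 alongside ordinary traffic.
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:55000         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF

# Number of TCP connections to a local port, excluding the listening socket.
conns_on_port() {   # <netstat-file> <port>
    awk -v port="$2" '$1 ~ /^tcp/ && $6 != "LISTEN" {
        n = split($4, a, ":"); if (a[n] == port) c++
    } END { print c + 0 }' "$1"
}

# Number of half-open (SYN_RECV) connections to a local port.
half_open_on_port() {   # <netstat-file> <port>
    awk -v port="$2" '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
        n = split($4, a, ":"); if (a[n] == port) c++
    } END { print c + 0 }' "$1"
}

# Peers talking to a local port, busiest first, as "count ip".
# sub() removes only the last ":port" field, so IPv6 peers survive intact.
peers_on_port() {   # <netstat-file> <port>
    awk -v port="$2" '$1 ~ /^tcp/ && $6 != "LISTEN" {
        n = split($4, a, ":"); if (a[n] != port) next
        sub(/:[^:]*$/, "", $5); print $5
    }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Peers with at least <threshold> half-open connections to the port: the
# addresses you would feed to the per-IP DROP rule shown above.
flood_sources() {   # <netstat-file> <port> <threshold>
    awk -v port="$2" -v thr="$3" '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
        n = split($4, a, ":"); if (a[n] != port) next
        sub(/:[^:]*$/, "", $5); c[$5]++
    } END { for (ip in c) if (c[ip] >= thr) print ip }' "$1" | sort
}

# On a live host replace the sample with a capture: netstat -na > /tmp/ns.txt
conns_on_port     "$NETSTAT_SAMPLE" 80      # 5
half_open_on_port "$NETSTAT_SAMPLE" 80      # 4
peers_on_port     "$NETSTAT_SAMPLE" 80      # 3 198.51.100.7 / 2 192.0.2.44
flood_sources     "$NETSTAT_SAMPLE" 80 3    # 198.51.100.7
```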

Conclusions

That's all. Without going into details and without the need to study manuals, we have created a Linux-box that is protected from outside intrusion, from rootkits and other infections, from direct human intervention, from traffic interception and surveillance. All that remains is to regularly update the system, disable password login via SSH, remove unnecessary services and avoid configuration errors.

At the annual LinuxCon conference in 2015, Linus Torvalds, the creator of the GNU/Linux kernel, shared his opinion on the security of the system. He emphasized the need to mitigate the effect of the bugs that are inevitably present with competent protection, so that if one component fails, the next layer covers the problem.

In this article we will try to reveal this topic from a practical point of view:

7. Install firewalls

Recently a new vulnerability was found that allows DDoS attacks on servers running Linux. The bug has been in the kernel since version 3.6, released at the end of 2012. The vulnerability allows hackers to inject viruses into downloaded files and web pages and to expose Tor connections, and it does not take much effort to exploit: IP spoofing is enough.

The worst outcome for encrypted HTTPS or SSH connections is that the connection is interrupted, but in unprotected traffic an attacker can insert new content, including malware. A firewall is a suitable protection against such attacks.

Block access with Firewall

A firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend allowing only the traffic you really need and blocking everything else completely.

For packet filtering, most Linux distributions ship iptables. It is usually used by advanced users; for simpler configuration you can use UFW on Debian/Ubuntu or FirewallD on Fedora.

8. Disable unnecessary services

Specialists from the University of Virginia recommend turning off all services you do not use. Some background processes are set to start automatically and run until the system shuts down. To configure these programs, check the initialization scripts. Services can be started via inetd or xinetd.

If your system is configured via inetd, you can edit the list of background programs ("daemons") in the /etc/inetd.conf file; to stop a service from loading, put a "#" at the beginning of its line, turning it from a directive into a comment.

If the system uses xinetd, its configuration is in the /etc/xinetd.d directory. Each file there defines a service, which can be disabled with the disable = yes clause, as in this example:

service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}

It is also worth checking for persistent processes that are not managed by inetd or xinetd. Their startup scripts are configured in /etc/init.d or /etc/inittab. After making the changes, run the following command as root:

/etc/rc.d/init.d/inet restart

9. Protect the server physically

It is not possible to fully protect against attacks by an attacker with physical access to the server. Therefore, it is necessary to secure the room where your system is located. Data centers take security seriously, limiting access to servers, installing security cameras, and appointing constant guards.

To enter the data center, all visitors must go through certain authentication steps. It is also strongly recommended to use motion sensors in all areas of the center.

10. Protect the server from unauthorized access

An intrusion detection system, or IDS, collects data about the system configuration and files and then compares it with later changes to determine whether they are harmful to the system.

For example, the Tripwire and AIDE tools build a database of system files and protect it with a set of keys. psad is used to track suspicious activity through firewall logs.

Bro is designed to monitor the network, track suspicious activity patterns, collect statistics, execute system commands and generate alerts. RKHunter can be used to protect against malware, most often rootkits. This utility scans your system against a database of known vulnerabilities and can detect insecure settings in applications.

Conclusion

The tools and settings listed above will help you partially protect the system, but security depends on your behavior and understanding of the situation. Without attention, caution and constant self-learning, all protective measures may not work.

At the annual LinuxCon conference in 2015, the creator of the Linux kernel, Linus Torvalds, shared his opinion on the security of the system. He emphasized that the impact of whatever bugs are present must be mitigated with competent, layered protection, so that if one component fails, the next layer covers the problem.

In this article we will look at this topic from a practical point of view:

7. Install firewalls

A vulnerability was recently found that allows DDoS attacks on servers running Linux. The bug has been in the kernel since version 3.6, released at the end of 2012. It lets attackers inject malware into downloaded files and web pages and expose Tor connections, and exploiting it does not take much effort: IP spoofing is enough.

For encrypted HTTPS or SSH connections the worst outcome is a dropped connection, but into unprotected traffic an attacker can insert new content, including malware. A firewall is a suitable defence against such attacks.

Block access with Firewall

A firewall is one of the most important tools for blocking unwanted incoming traffic. We recommend allowing only the traffic you really need and blocking everything else.

For packet filtering, most Linux distributions ship with iptables. It is usually used by advanced users; for simpler configuration you can use the UFW front end on Debian/Ubuntu or firewalld on Fedora.
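The allow-only-what-you-need policy above, as an added example that is not code from the article: the function writes a default-deny IPv4 ruleset in iptables-restore format, opening only the TCP ports named on the command line (the output path and the ports 22 and 443 in the usage comment are assumptions).

```shell
#!/bin/sh
# Added example (not from the original article): write a default-deny IPv4
# ruleset in iptables-restore format. Everything inbound is dropped unless it
# belongs to a connection the host started or hits one of the listed TCP ports.
# Usage (paths are assumptions): gen_ruleset 22 443 > /etc/iptables/rules.v4
#                                iptables-restore < /etc/iptables/rules.v4

# Accept only a numeric port in 1..65535; anything else is skipped with a warning.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback, plus replies to connections this host opened.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that fit no known connection state (e.g. forged segments) are dropped.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Open only the services explicitly named on the command line.
    for port in "$@"; do
        if valid_port "$port"; then
            printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        else
            printf 'gen_ruleset: skipping invalid port %s\n' "$port" >&2
        fi
    done
    # Rate-limited log line so dropped traffic shows up in the kernel log.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}
```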

8. Disable unnecessary services

Specialists from the University of Virginia recommend turning off every service you do not use. Some background processes are set to start automatically and run until the system shuts down. To configure these programs you need to check the initialization scripts. Services can be started via inetd or xinetd.

If your system is configured via inetd, the list of background programs (daemons) is in the /etc/inetd.conf file. To stop a service from being loaded, put a “#” at the beginning of its line, turning it from an active entry into a comment.

If the system uses xinetd, its configuration lives in the /etc/xinetd.d directory. Each file in that directory defines a service, which can be disabled by adding the disable = yes setting, as in this example:

service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}

It is also worth checking for persistent processes that are not managed by inetd or xinetd; their startup scripts are configured in /etc/init.d or in /etc/inittab. After making the changes, run the following command as root:

/etc/rc.d/init.d/inet restart
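To audit the xinetd configuration described above, here is an added example (not code from the article): the first function lists every service under /etc/xinetd.d that still lacks disable = yes, and the second builds a constructed sample directory, with a finger file like the one above and a telnet file that was never disabled, so the check can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original article): list the xinetd services that
# are still enabled, i.e. whose file lacks "disable = yes", with their server binary.
# Usage: enabled_xinetd_services [/etc/xinetd.d]
enabled_xinetd_services() {
    dir="${1:-/etc/xinetd.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk '
            { sub(/#.*/, ""); gsub(/=/, " = ") }   # drop comments, normalise "key=value"
            $1 == "service"                { name = $2 }
            $1 == "server"  && $2 == "="   { server = $3 }
            $1 == "disable" && $2 == "="   { disabled = tolower($3) }
            END {
                if (name != "" && disabled != "yes")
                    printf "%s\t%s\n", name, (server != "" ? server : "-")
            }
        ' "$f"
    done
}

# Constructed sample directory so the check can be run offline; prints its path.
make_sample_xinetd() {
    d=$(mktemp -d)
    cat > "$d/finger" <<'EOF'
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}
EOF
    cat > "$d/telnet" <<'EOF'
# constructed sample: telnet was never disabled
service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
EOF
    printf '%s\n' "$d"
}
```

Run enabled_xinetd_services "$(make_sample_xinetd)" to see only the telnet entry reported.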

9. Protect the server physically

It is not possible to fully protect against an attacker with physical access to the server, so the room where the system is located must be secured. Data centers take this seriously: they limit access to servers, install security cameras and post guards around the clock.

To enter the data center, all visitors must go through defined authentication steps. Motion sensors in all areas of the center are also strongly recommended.

10. Protect the server from unauthorized access

An intrusion detection system (IDS) collects data about the system configuration and files and then compares it with later changes to determine whether they are harmful to the system.

For example, the Tripwire and AIDE tools build a database of system files and protect it with a set of keys. Psad is used to track suspicious activity through firewall logs.

Bro is designed to monitor the network: it tracks suspicious activity patterns, collects statistics, executes system commands and generates alerts. RKHunter can be used to protect against malware, most often rootkits. This utility checks your system against a database of known vulnerabilities and can detect unsafe settings in applications.
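The Tripwire/AIDE approach above, reduced to its core as an added example (not code from the article or from those projects): the functions below record a baseline of SHA-256 hashes and permission bits for every file under a directory and later report anything added, removed or changed; the /etc and baseline paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal file-integrity check
# in the spirit of Tripwire/AIDE. It records the SHA-256 hash, mode, owner and
# group of every regular file under a directory, then reports what changed.
# Usage: integrity_baseline /etc /var/lib/baseline.db   (paths are assumptions)
#        integrity_check    /etc /var/lib/baseline.db

snapshot() {
    # One line per file: hash mode owner group path, sorted for stable diffs.
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r path; do
        hash=$(sha256sum "$path" | cut -d' ' -f1)
        meta=$(stat -c '%a %U %G' "$path")
        printf '%s %s %s\n' "$hash" "$meta" "$path"
    done
}

integrity_baseline() {
    snapshot "$1" > "$2"
}

# Prints ADDED / CHANGED / REMOVED lines; returns 0 only if the tree matches.
integrity_check() {
    tmp=$(mktemp)
    snapshot "$1" > "$tmp"
    report=$(awk '
        # The path is everything after the first four fields (it may contain spaces).
        { p = substr($0, length($1) + length($2) + length($3) + length($4) + 5)
          v = $1 " " $2 " " $3 " " $4 }
        FILENAME == ARGV[1] { base[p] = v; next }     # first file: the baseline
        !(p in base)        { print "ADDED   " p; next }
        base[p] != v        { print "CHANGED " p }
        { seen[p] = 1 }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$tmp")
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

A real deployment keeps the baseline on read-only or off-host storage, since an intruder who can rewrite it can hide every change.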

Conclusion

The tools and settings listed above will help you partially protect the system, but security ultimately depends on your behaviour and your understanding of the situation. Without attention, caution and constant self-education, all protective measures may fail.