当你在一台机器上安装Linux时,如果才能够让你的机器变得更加坚固,以减少被攻击的风险?或者,如果你已经有相当数量的机器,如何能够在它们身上执行一致性的配置?
答案:那当然是Bastille Linux
就像它的名字(Bastille Linux可翻译为城堡Linux)一样,Bastille Linux能够帮助你加固你的机器。坚固是增强机器防御攻击能力的过程,通常依靠以下几种手段来实现:
关闭不必要的服务
保证只有适当的用户才有执行程序的权限
设置文件访问的许可限制
您可能会问:“为什么说加固机器非常重要?我的机器看起来并不会遭到攻击,因为我们只是一个小公司(或者是一个小的非盈利组织等)。”确实,在 这种环境下,你的组织看起来并不是攻击者的目标。然而,许多攻击并不是针对特定的目标进行,许多攻击者在攻击时并没有进行过思考,它们只是运行自动化的脚 本,找到防御薄弱的机器就实施攻击。
实质上,此类攻击通常由一些使用自动化程序的人发起(通常这不复杂,也不需要太多的技术知识),它们使用这些程序扫描一定范围内的 Internet地址。如果你的机器刚好在这个范围内,就变得非常脆弱,它将可能被攻击或者被破坏。之后你会发现,你现在要进行令人头疼的恢复操作——恢 复通常比防御需要花费更多的工作量。因此,加固机器对于任何组织的安全计划来说,都是至关重要的。
和你想像的一样,正确的加固一台机器对系统管理员来说,是一项烦琐而又耗费时间的过程。在此过程中,很容易漏掉一个或多个重要步骤,这不仅会为机器留下漏洞,还可能会创建一个错误的安全策略,将机器置于风险之中。
Bastille Linux使大规模的加固机器成为可能,并且还能够防止遗漏某个步骤的问题。而让加固机器的过程更加有效也是它的功能之一。Bastille Linux通过GUI界面和交互式的处理过程完成这一切。
Bastille Linux在加固系统方面可以解决的问题有:
File Permissions(文件权限)
Account Security(账户安全)
Book Security(卷安全)
Inetd Security(端口监视程序安全)
Miscellaneous Daemons(其它后台进程)
Sendmail
DNS(域名解析服务)
Apache
Printing(打印)
FTP
Firewall(防火墙)
如果需要,上述所有的项目都是可用的,但多使用一条,就会增加一份受攻击的机会。Bastille Linux会帮助你处理,决定那种功能是必需的,当然,如果不需要某种服务器,它会配置它使之不可用。
需要注明的是,一旦使用Bastille对机器加以配置,机器将被漏洞扫描软件,如Nessus探测。漏洞扫描软件将确定保留的服务和存在的端口是否被正确配置,并且是否正确的为软件打上了补丁。
Bastille的优势不仅仅是局限于一台机器,若是这样,即使是使用Bastille,在配置众多的机器时,还是要耗费大量的时间。同时,总 是执行同样重复性的工作,很容易导致粗心的现像产生。虽然Bastille Linux在帮助你防止遗漏一个或多个重要步骤上有非常好的优势,但如果是加固大量的机器,还是难保会发生这样的你问题。
不过,Bastille Linux还是解决了这一难题,你能够在一台机器上创建一个Bastille Linux的策略文件,然后将其作用在其它所有的机器上面,策略文件可以通过一个交互式的会话自动创建,因此整个过程非常简单,并且应用起来也很容易。将 其应用的方法是在命令行下输入以下命令:
#scp /etc/Bastille/config root@anotherhost:/etc/Bastille
ssh root@anotherhost "bastille -b"
显然,你必需将上述命令中的“anotherhost”替换为目标机器的名字。同样,Bastille Linux也必需已经安装在你想自动配置的机器上。任何事情都不是那么容易的,不是吗?即使你只有另外的一台机器,你也需要如此配置,因为使用 Bastille Linux的这一特点是非常没有头脑的。
Bastille Linux使用Perl编写,因此扩展起来非常容易。许多实际的功能(例如改变文件权限)能够通过简单的声明设置建立,Bastille Linux将这些声明设置作为它配置工作的一部分。
如果你对这些有直接的反应,当你意识到此产品对加固机器有很大的好处时,你已经在一系列机器上安装了它们,并且不确定该怎么设置它们。你将很高 兴的直到,即将到来的新版Bastille Linux将具有审计能力,这将让你很方便的获得已经安装Bastille Linux的你的基础设施的信息。
简而言之,Bastille Linux是每个系统管理员都应该收藏的安全领袖级工具,它能够让你的生活变得更加容易。
主页:http://bastille-linux.sourceforge.net/
来自:开源中国社区
jlds123 于 2013-03-05 14:55:19发表:
顶 不错
abafan158 于 2012-10-26 14:13:06发表:
BEIJING as tall as China said Tuesday that its stance all around the Syria remains "consistent and clear."
"We've been recently closely following going to be the no matter whether relating to the situation, and we are strongly worried about the escalating hard times that has caused civilian casualties and affected peace and stability as part of your region," Foreign Ministry spokesman Hong Lei said.
Hong made going to be the remarks during a multi function regular press briefing in response for more information regarding an all in one question about whether China has changed all its stance all around the going to be the Syria a problem.
He well-advised they all are relevant parties to learn more about immediately launch all inclusive political dialogue minus preconditions and jointly talk about a multi function all - encompassing political reform plan.
Hong said China can hold going to be the take a look at that the international blog network need to the full respect and love Syria's sovereignty, independence,oneness territorial integrity and going to be the independent for you to decide to do with the Syrian it is certainly plausible as in that case as the risks and side effects concerning the political dialogue among a lot of unique parties in Syria.
"We have to worry about by no means approve an armed intervention or at best forcing an all in one so-called 'regime change' upon Syria,the spokesman reiterated.
Hong said China supports Arab countries' calls to immediately cease violence,help look after Syrian civilians,bring to the table humanitarian aid to learn more about Syria and resist external military intervention, adding that China goals going to be the problems are sometimes decided from start to finish political dialogue within the framework having to do with going to be the Arab League (AL).
"China not only can they go hand in hand allowing you to have going to be the international blog network and play a multi function self-assured and constructive a segment throughout the appropriately resolving going to be the the problem with batteries all over the Syria,this is because Hong said.
The spokesman also confirmed the party regarding one or more invitation and for China to explore participate upon a multi functional"Friends having to do with Syria" meeting ordered too in the next week on Tunis. He has been doing do not ever say whether China not only can they attend.
"China welcomes most of them are efforts that can be conducive to understand more about a multi function peaceful resolution to learn more about going to be the Syria concern Hong said, noting that going to be the main and mechanism relating to the"Friends concerning Syria" meeting simply further examination.
Related articles: