When installing linux, if you have a network card, the installer will prompt you to give the configuration parameters of tcp/ip network, such as the ip address of the computer, the ip address of the default gateway, and the ip address of DNS. According to these configuration parameters, the installer will automatically compile the driver of the network card (which linux system must support first) into the kernel. But you must understand the process of loading the network card driver, so you should change the network card in the future. When using multiple network cards, it will be easy for us to operate. The drivers of network cards are loaded into the kernel in the form of modules, and all network card drivers supported by linux are stored in /lib/modules/(linux version number) /net/ directory. For example, the driver of inter's 82559 series10100m adaptive boot network card is eepro 100.o, 3COM's 3C509 ISA network card is 3C509.o, and DLINK's pci 10 network card is via-rhine.o and ne2000. O. After understanding these basic drivers, we can change the network card or add the network card by modifying the module configuration file.

1. Modify the /etc/conf.modules file.

This configuration file is an important parameter file for loading the module. Let's look at a sample file first.

#/etc/conf.modules

Alias eth0 eepro 100

Alias eth 1 eepro 100

This file is the content of conf.modules in linux system with two inter 82559 series network cards. The alias command indicates the name of the driver that an Ethernet port (such as eth0) has. The alias eth0 eepro 100 means that the driver to be loaded on Ethernet port zero is eepro100.o. Then when using the modprobe eth0 command, the system will automatically load eepro100.o. For pci network cards, the system will automatically find the io address and interrupt number of the network card, so it is not necessary to use conf. However, for ISA network card, the io address or interrupt number of hardware must be specified in conf.modules. The following figure shows the conf.modules file of a NE ISA network card.

Alias eth0 ne

Option ne io=0x300 irq=5

After modifying the conf.modules file, you can use the command to load the module, for example, insert the second network card of interest:

# ins mod/lib/modules/2 . 2 . 14/net/eepro 100 . o

In this way, the eepro 100.o module can be loaded on the Ethernet port, and at the same time, you can also use the command to view the currently loaded module information:

[root@ice /etc]# lsmod

Module size used

Eepro 100 15652 2 (automatic cleaning)

The returned result means that the currently loaded module is eepro 100, the size is 15652 bytes, and there are two users. The method is automatic cleaning.

2. Modify the /etc/lilo.conf file.

In some newer versions of linux, there is no need to modify the /etc/lilo.conf file at this time because the operating system will automatically detect all related hardware. However, for ISA network cards and old versions, in order to initialize the newly added network cards during system initialization, the lilo.conf file can be modified. Add the following command to the /etc/lilo.conf file:

append="ether=5，0x240，eth0 ether=7，0x300，eth 1 "

This command means that the io address of eth0 is 0x240, the interrupt is 5, the io address of eth01is 0x300, and the interrupt is 7.

In fact, this statement comes from the parameters passed when the system boots the image file.

LILO: linux ether=5，0x240，eth0 ether=7，0x300，eth 1

This method can also make linux system configure two network cards. Similarly, the same method can be followed when using more than three network cards.

After configuring the network card, you should configure the parameters of TCP/IP. Under normal circumstances, you will be prompted to configure network parameters when installing linux system. However, if we want to modify the network settings in the future, we can use the following command:

#ifconfig eth0 A.B.C.D netmask E.F.G.H

A.B.C.D is the IP address of eth0 and E.F.G.H is the network mask.

In fact, in linux system, we can set multiple ip addresses for a network card, such as the following command:

# ifconfig eth0:1202.112.1.218 netmask 255.255.192.

Then, use the command #ifconfig -a to view the interfaces of all network interfaces:

Eth0 link encapsulation: Ethernet hwaddr 00: 90: 27: 58: af:1a.

Inet address: 202.112.13.204bast: 202.12.13.255 Mask: 255.255.

Uplink broadcast operation multicast MTU: 1500 metric: 1

Packet received: 4355 10 Error: 0 Discard: 0 Overflow: 0 Frame: 2

TX packet: 538988 Error: 0 Drop: 0 Overflow: 0 Carrier: 0

Conflict: 318683txqueuelen:100

Interrupt: 10 base address: 0xc000

Eth0: 1 link encapsulation: Ethernet hwaddr 00: 90: 27: 58: af:1a.

Inet address: 202.112.1.218bast: 202.112.

Uplink broadcast operation multicast MTU: 1500 metric: 1

Interrupt: 10 base address: 0xc000

Lo link encapsulation: local loopback

Inet address: 127.0.0. 1 mask: 255.0.0.0.

Uplink loopback operation MTU:3924 Metric: 1

RX packet: 2055 Error: 0 Drop: 0 Overflow: 0 Frame: 0

TX packet: 2055 Error: 0 Drop: 0 Overflow: 0 Carrier: 0

Conflict: 0 txqueuelen:0

We see that there are three network interfaces, eth0, eth0: 1, lo, eth0 are real Ethernet interfaces, eth0: 1 and eth0 are the same network card, but they are bound to another address, and lo will send the address. Eth0 and eth0: 1 can use ip addresses of different network segments, which is very useful when the same physical network segment uses different network addresses.

In addition, the network card has a promiscuous mode mode, and the network card will receive all data packets in the network. Some network monitoring tools under linux, such as tcpdump and snort, set the network card as promiscuous mode.

Ifconfig command can change the ip address of the network card during this running time, but if the system restarts, linux will still start the network interface according to the original default settings. At this point, you can use the netconfig or netconf command to reset the default network parameters. The netconfig command is used to reconfigure basic tcp/ip parameters, including whether it is configured to dynamically obtain ip addresses (dhcpd and bootp), ip addresses of network cards, network masks, default gateways and preferred domain name server addresses. Netconf command can configure all network parameters in detail, which is divided into three parts: client task, server task and other configuration. In the client configuration, it mainly includes the basic configuration of the host (host name, valid domain name, network alias, ip address of the corresponding network card, network mask, network device name, network device kernel driver), DNS address configuration, default gateway address configuration, NIS address configuration, ipx interface configuration, PPP/. In the server-side configuration, it mainly includes NFS configuration, DNS configuration, ApacheWebServer configuration, Samba configuration and Wu-ftpd configuration. Among other configuration options, one is about the host configuration in the /etc/hosts file, the other is about the network configuration information in the /etc/networks file, and finally, the information about using linuxconf configuration.

Network information can also be configured under the linuxconf command, but as you can see, the linuxconf program calls netconf to configure the network.

In addition, the system configuration files about the network are stored in the /etc/sysconfig/network-scripts directory. Examples are as follows:

:& ltbr & gt& ltbr & gt

if CFG-eth 0 * if down-post * ifup-aliases * ifup-PPP *

if CFG-eth 1 * if down-PPP * ifup-IPX * ifup-routes *

if CFG-lo * if down-sl * ifup-plip * ifup-sl *

Ifdown@ ifup@ ifup-post* Network-Function

Ifcfg-eth0 is the configuration information of Ethernet port eth0, and its contents are as follows:

DEVICE="eth0" /* indicates the name of the network device */

Ipaddr = "202.112.13.204"/* indicates the IP address of the network device */

Netmask = "255.255.255. 192"/* means netmask */

Network = 202.112.13.192/* Specify network address */

Broadcast = 202.112.13.255/* indicate the broadcast address */

ONBOOT="yes" /* indicates whether the network card is activated at system startup */

BootpROTO="none" /* indicates whether the BOOTP protocol is used */

So we can also modify this file to change the network parameters under linux. [/SIZE]

-

2. Configuration of network services

This part does not introduce the configuration of specific network servers (DNS, FTP, WWW, SENDMAIL) in detail (that will be a huge space), but introduces the files related to the configuration of linux network services.

1 air/pneumatic cushion

In linux system, there is a system boot program, lilo(linux loadin), which can be used to selectively start multiple operating systems. Its configuration file is/etc/lilo.conf. In this configuration file, the configuration parameters of lilo are mainly divided into two parts, one is global configuration parameters, including setting startup devices, and the other is local configuration parameters. Includes the configuration parameters of each boot image file. I won't introduce every parameter in detail here, especially only two important parameters: password and restricted options. The password option adds password protection to each boot image file.

As we all know, there is a single-user mode in linux system. In this mode, the user logs into the linux system as superuser. People can directly enter the single-user mode superuser environment by adding parameters (linux single or linux init 0) when booting lilo, and no password is needed, which will be very dangerous. Therefore, the password configuration option has been added to lilo.conf to enhance the password protection for each image file.

You can use the password option in global mode (add the same password for all image files) or add a password for each individual image file. In this way, the user will be asked to enter the password every time the system is started. Maybe you think it's troublesome to enter the password every time, so you can use the restriction option. It makes lilo check the password only when entering parameters (such as linux single) at Linux startup. These two options can greatly increase the security of the system, so it is recommended to set them in lilo.conf file.

Because passwords are stored in clear text in the /etc/lilo.conf file, the attribute of the /etc/lilo.conf file must be changed to read-only root (0400).

In addition, in the early version of lilo, there was a restriction that a boot sector had to be stored in the first 1024 cylinder, which was broken in the 2.5 1 version of lilo, and the boot interface became more intuitive. After downloading and decompressing the latest version, use the make command, and then use the make install command to complete the installation. Note: Physical security is the most basic security. Even with password protection in lilo.conf, if there is no physical security, malicious intruders can use the startup floppy disk to start the linux system.

2. Domain Name Service Profile

(1)/etc/HOSTNAME saves the host name and domain name of the linux system in this file. Sample file.

ice.xanet.edu.cn

This file indicates the host name ice and the domain name xanet.edu.cn.

(2)/etc/hosts and /etc/networks files have a host table mechanism in the domain name service system, and /etc/hosts and /etc/networks are developed from the host table. In /etc/hosts, you can store the ip address and host name of the host that does not need DNS system query. The following is a sample file:

# ip address hostname alias

127.0.0. 1 local host loopback

www.xjtu.edu.cn www

202. 1 17. 1.24 ftp.xjtu.edu.cn FTP

In /etc/networks, there is a one-to-one correspondence between network ip address and network name. Its file format is similar to /etc/hosts.

(3) The file /etc/resolv.conf is the main configuration file of DNS domain name resolver. Its format is very simple, and each line consists of a main keyword. /etc/resolv.conf keywords mainly include:

Domain represents the default local domain name,

Search represents the list of domain names to search when looking up host names.

Nameserver represents the ip address of the domain name server when domain name resolution is performed. An example file is given below:

#/etc/resolv.conf

Yu xjtu.edu.cn

Search xjtu.edu.cn edu.cn.

Name server 202. 1 17.0.20

Name server 202.117.1.9

(4)/etc/host.conf When both DNS domain name resolution and host table mechanism of /etc/hosts exist in the system, the file /etc/host.conf explains the query order of the resolver. The sample file is as follows:

#/etc/host.conf

Sort the hosts, bind the # parser query in the file /etc/hosts, followed by DNS.

Multi on # allows hosts to have multiple ip addresses.

Ip address spoofing is prohibited.

3. Configuration file of 3.DHCP

/etc/DHCPD.conf is the configuration file of DHCPD, and we can dynamically allocate ip addresses in the local area network through the configuration in /etc/dhcpd.conf file. The linux host is set as a dhcpd server, and the ip address is dynamically allocated by identifying the MAC address of the network card. The sample file is as follows:

Option domain name "chinapub.com";

Please close use-host-decl-names;

Subnet 2 10.27.48.0 netmask 255.255.255. 192

{

File name "/tmp/image";

Host dial-up server

{

Hardware Ethernet 00: 02: B3:11:F2: 30;

Fixed address 210.27.48.8;

File name "/tmp/image";

}

}

In this file, the most important thing is to identify the host in the LAN by setting the hardware address and assign it the specified ip address. Hardware Ethernet 00: 02: B3:11:F2: 30 Specify the MAC address of the host network card to dynamically assign ip, with a fixed address of 2 10.27.48. The file name "/tmp/image" is an image file obtained by the host through tftp service, which can be used to boot the host.

4. Configuration of super waiting process inetd

In linux system, there is a super waiting process inetd, which listens to the port of the service specified by the file /etc/services. Inetd calls the corresponding service process to respond to the request according to the network connection request. Here are two very important files, /etc/inetd.conf and /etc/services. The file /etc/services defines the names, protocol types, service ports and other information of all services in the linu system. /etc/inetd.conf is the configuration file of inetd, which specifies which services inetd can monitor and the calling commands of the corresponding service processes. Firstly, the file /etc/services is introduced. The file /etc/services is a database file corresponding to the service name and service port, as shown below:/.

(In fact, the above is only a part of /etc/services, and not all of them are written out due to space limitations. )

In this file, for the sake of security, we can modify the port addresses of some common services, such as changing the port address of telnet service to 52323, changing the port address of WWW to 8080, and changing the port address of FTP to 2 12 1. Therefore, we only need to modify the corresponding ports in the application to improve the security of the system.

The file /etc/inetd.conf is the configuration file of inetd. First, we need to know what services the linux server will provide. A good principle is to "prohibit all unnecessary services", so there is less chance for hackers to attack the system. /etc/inetd.conf sample file

As you can see, this file has been modified, and all services except telnet and ftp services are banned. After modifying /etc/inetd.conf, use the kill-hup command (the process number of inetd) to let inetd re-read the configuration file and restart.

5. Configuration of 5.IP routing

Using linux, an ordinary microcomputer can also realize a cost-effective router. First, let's take a look at the command of linux to view routing information:

[root@ice /etc]# route -n

Kernel IP routing table

Destination gateway Genmask flag metric reference uses I interface.

202. 1 12. 13.204

202. 1 17.48 . 43 0.0 . 0.0 255.255.255.255 UH 0 0 eth 1

202. 1 12. 13. 192 202. 12. 13.204 255 . 255 . 255 . 192 UG 0 0 eth 0

202. 1 12. 13. 192 0.0 . 0.0 255.255.255. 192 U 0 0 0 eth 0

202. 1 17.48 . 0 202. 1 17.48 . 43 255.255.255 . 0 UG 0 0 0 eth 1

202. 1 17.48 . 0 0.0 . 0.0 255.255.255.0 U 0 0 0 eth 1

127 . 0 . 0 . 0 . 0 0 . 0 255 . 0 . 0 . 0 . 0 U 0 0 lo

0 . 0 . 0 . 0 202. 1 17.48 . 1

Command netstat -r n to get the same output as route -n n, which is the routing table of operating linux kernel.

The output of the command cat /proc/net/route is a hexadecimal routing table.

[root @ ice/etc]# cat/proc/net/route

Iface target gateway flag RefCnt uses metric mask.

eth 0 cc 0d 70 ca 000000000005 0 0 0 FFFFFFF

eth 1 2b 3075 ca 00000000005 0 0 0 0 FFFFFFF

eth 0 c 00d 70 ca cc 0d 70 ca 0003 0 0 0 c 0 fffff

eth 0 c 00d 70 ca 00000000 000 1 0 0 0 0 c 0 fffff

eth 1 003075 ca 2b 3075 ca 0003 0 0 0 00 fffff

eth 1 003075 ca 00000000 000 1 0 0 0 0 00 fffff

lo 0000007 f 00000000 000 1 0 0 0 0 0000000 f

eth 1 00000000 0 13075 ca 0003 0 0 0 0000000

Through calculation, we can know that the following routing table (hexadecimal) is consistent with the previous routing table (decimal).

We can also use the command route add (del) to manipulate the routing table and add and delete routing information.

In addition to the above static routing, linux can also realize the dynamic routing of rip protocol through routed. We just need to turn on the routing and forwarding function of linux and add a character 1 to the file /proc/sys/net/ipv4/ip_forward.

Three. Network security settings

This part emphasizes once again that /etc/inetd.conf must be modified, and the security policy is to ban all unnecessary services. In addition, there are the following documents related to network security.

(1)./etc/ftpusers ftp service is an insecure service, so /etc/ftpusers defines a list of users who are not allowed to access linux hosts through ftp. When an ftp request is sent to ftpd, ftpd first checks the user name. If the user name is in /etc/ftpusers, ftpd will not allow the user to continue connecting. The sample file is as follows:

# /etc/ftpusers-users are not allowed to log in via ftp.

root

chest

daemon

Aided decision-making (abbreviation for Aid in Decision Making)

Linear Programming (linear programming)

synchronize

switch an electrical device off

stop

e-mail

news

Copy program

operator

match

nobody

Nademin

(2)/etc/securety In the linux system, there are always * * * six terminal consoles. We can set which terminal allows root login in/etc/securety, and all other terminals that have not written files are not allowed to log in. The sample file is as follows:

# /etc/securetty-tty directory where root is allowed to log in.

tty 1

tty2

tty3

tty4

(3) Control the login files of 3)tcpd /etc/hosts.allow and/etc/hosts.deny..

In the process of tcpd service, external access to linux hosts is controlled by the access control rules in /etc/hosts.allow and /etc/hosts.deny, and their formats are both

Service List: Host List [:Command]

Name of the service process: an optional list of hosts, and actions when the rule is met.

Domain name or ip address can be used in the host table. ALL means to match all items except some items. PARANOID means to match the item when the ip address and domain name do not match (domain name masquerade).

The sample file is as follows:

#

# hosts.allow This file describes the names of the following hosts.

# According to the decision, local INET service is allowed.

# Through the "/usr/sbin/tcpd" server.

#

All: 202.112.13.0/255.255.0

ftpd:202. 1 17. 13. 196

Remote login: 202. 1 17.48.33

All: 127.0.0. 1

In this file, the network segment 202.112.13.0/24 can access all the network services in the linux system, while the host 202.117.438+03.190.

All other cases are prohibited in the /etc/hosts.deny file:

#/etc/hosts.deny

All: deny: spawn (/usr/bin/finger-LP @% h |/bin/mail-s "port refused to record in the %d-%h" root directory).

In /etc/hosts.allow, what linux should do in all other cases is defined. The spawn option allows the linux system to execute the shell command specified in the matching rule. In our example, when the linux system finds unauthorized access, it will refuse to send an e-mail to the superuser with the subject of "Port refused to be recorded in %d-%h". Let's introduce allow and allow first.

(4)/etc/issue and/etc/issue.net.

When we log in to the linux system, we can often see sensitive information such as the version number of our linux system. In today's network attacks, many hackers first collect the information of the target system, and the version number is very important information, so they usually hide this information in the linux system. /etc/issue and /etc/issue.net are files that store this information. We can modify these files to hide the version information.

In addition, each time linux is restarted, the above two files in the script /etc/rc.d/rc.local will be overwritten. An example of the file /etc/rc.d/rc.local is as follows:

# This script will be executed * after all other init scripts.

# If not, you can put your own initialization data here.

# Want to do a complete initialization of Sys V style.

if[-f/etc/red hat-release]； then

R=$ (caterpillar /etc/redhat-release)

arch=$(uname -m)

a="a "

Case "_$arch" in.

_ a *)a = " an "； ;

_ I *)a = " an "； ;

Environmental systems applications center environmental systems applications center

num proc = ' egrep-c " ^cpu[0-9]+ "/proc/stat '

if[" $ NUMPROC "-gt " 1 "]； then

Smp = "$ NUMBER proc-processor"

if[" $ num proc " = " 8 "-o " $ num proc " = " 1 1 "]； then

A= "Ann"

other

a="a "

The ship does not bear the loading fee.

The ship does not bear the loading fee.

# This will overwrite /etc/issue every time it is started. So, make any changes.

# I hope to generate /etc/issue here, or I will lose them when I restart.

# echo " " & gt/etc/issue

# echo " $ R " & gt& gt/etc/issue

# echo " Kernel $(uname-r)on $ a $ SMP $(uname-m)" >& gt/etc/issue

cp -f /etc/issue /etc/issue.net

echo & gt& gt/etc/issue

The bold part of the file is where the system version information is obtained. Be sure to comment them out.

(5) Other configurations

In an ordinary microcomputer, you can restart linux through the combination of ctl+alt+del. This is very unsafe, so you should record this function in the /etc/inittab file:

# trap CTRL-ALT-DELETE

# ca::ctrl altdel:/sbin/shut down-T3-r now