Deprecated Status of ifconfig in Debian
The ifconfig command is obsolete in modern Debian releases and has been replaced by the ip command (from the iproute2 package), which offers enhanced functionality and better compatibility with current Linux kernel features. While ifconfig may still be available via the net-tools package, it is strongly recommended to migrate to ip for all network configuration tasks.
1. Install ifconfig (Optional, Not Recommended)
If you must use ifconfig (e.g., for legacy scripts), install it via:
sudo apt update && sudo apt install net-tools -y
However, avoid relying on it for production environments.
2. Disable ifconfig for Security Hardening
To prevent unauthorized use of ifconfig, remove the package or restrict access via sudoers:
sudo apt remove --purge net-tools
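Use visudo to edit /etc/sudoers and add a line denying specific users/groups:
username ALL=(ALL) !/sbin/ifconfig # Replace 'username' with the target user
This blocks the user from executing ifconfig with sudo. Place the line after any rule that grants the user broader access, because sudoers applies the last matching entry. The rule matches on the command path only, so removing the package is the more reliable control.
3. Migrate to the ip Command (Best Practice)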
The ip command replaces most ifconfig functions with more robust options:
ip addr show # Equivalent to 'ifconfig -a'
sudo ip addr add 192.168.1.10/24 dev eth0 # Replace with your IP/interface
sudo ip link set eth0 up # Bring the interface up
sudo ip link set eth0 down # Bring the interface down
sudo ip link set eth0 mtu 1400 # Set the MTU
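The mapping above, applied to lines from a legacy script so that net-tools can be removed afterwards. This is an added example, not part of the original page: the helper names mask_to_prefix and ifconfig_to_ip and the sample lines are assumptions, and only the ifconfig forms listed in this section are handled.

```shell
# Added example: translate the ifconfig forms covered in this section to ip.
# mask_to_prefix and ifconfig_to_ip are hypothetical helper names.

# Dotted netmask -> prefix length; fails on malformed or non-contiguous masks.
mask_to_prefix() {
    bits=0; partial=0
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    if [ $# -ne 4 ]; then return 1; fi
    for octet in "$@"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;; *) return 1 ;;
        esac
        # After the first octet below 255, only zero octets are valid.
        if [ "$partial" -eq 1 ] && [ "$n" -ne 0 ]; then return 1; fi
        if [ "$n" -ne 8 ]; then partial=1; fi
        bits=$((bits + n))
    done
    echo "$bits"
}

# Print the ip equivalent of one ifconfig command line; return 1 if unknown.
ifconfig_to_ip() {
    set -f; set -- $1; set +f            # split into words without globbing
    if [ "${1:-}" = sudo ]; then pre="sudo "; shift; else pre=""; fi
    if [ "${1:-}" != ifconfig ]; then return 1; fi
    shift
    case "$#:${1:-}:${2:-}:${3:-}" in
        0:::|1:-a::)        echo "${pre}ip addr show" ;;
        *:-*)               return 1 ;;  # other ifconfig options: not handled
        1:*)                echo "${pre}ip addr show dev $1" ;;
        2:*:up:|2:*:down:)  echo "${pre}ip link set $1 $2" ;;
        3:*:mtu:*)          echo "${pre}ip link set $1 mtu $3" ;;
        4:*:*:netmask)
            prefix=$(mask_to_prefix "$4") || return 1
            echo "${pre}ip addr add $2/$prefix dev $1" ;;
        *)                  return 1 ;;
    esac
}

# Constructed sample lines standing in for a legacy script.
while IFS= read -r line; do
    new=$(ifconfig_to_ip "$line") || new="REVIEW MANUALLY"
    printf '%s  ->  %s\n' "$line" "$new"
done <<'EOF'
sudo ifconfig eth0 192.168.1.10 netmask 255.255.255.0
sudo ifconfig eth0 mtu 1400
ifconfig eth0 10.0.0.5 netmask 255.0.255.0
EOF
```

Lines the helper cannot translate, such as the non-contiguous netmask in the last sample, are flagged for manual review instead of being guessed.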
Changes made with ifconfig or ip are not persistent across reboots. Use /etc/network/interfaces or netplan (for Debian 18.04+) to make settings permanent.
4. Configure Static IP via /etc/network/interfaces
For persistent network settings, edit the interfaces file:
sudo nano /etc/network/interfaces
Add the following for a static IP (replace values with your network details):
auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 8.8.8.8 8.8.4.4
Save the file and restart networking:
sudo systemctl restart networking
This ensures your configuration survives reboots.
5. Enhance Security with Additional Measures
sudo passwd -dl root # Disable root password login
sudo nano /etc/ssh/sshd_config # Set 'PermitRootLogin prohibit-password' and 'PasswordAuthentication no'
sudo systemctl restart sshd # Apply the sshd_config changes
sudo apt update && sudo apt upgrade -y # Install pending updates
Use ufw to restrict access to essential ports (e.g., SSH):
sudo apt install ufw -y
sudo ufw default deny incoming # Deny all other incoming traffic by default
sudo ufw allow 22/tcp # Allow SSH
sudo ufw enable # Enable last, so the SSH rule is already in place
Edit /etc/network/interfaces to disable ICMP echo responses (ping) when a specific interface comes up. The icmp_echo_ignore_all setting is system-wide; the stanza only ties it to this interface's up and down events:
auto eth0
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
pre-up echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
post-down echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Restart networking to apply:
sudo systemctl restart networking
This prevents basic network discovery but should be combined with a firewall for comprehensive protection.