Basic tips for Linux security management

Source: Internet
Author: User
This article explains basic tips for Linux security management. It comes from the Linux technology channel of the IT lab in China, which covers basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
   5. Service Security
  
Disable and uninstall all unused services, so you will have less to worry about. Check the "/etc/inetd.conf" file and comment out every service you do not need (add a "#" before the service entry). Then send a SIGHUP signal to inetd so that it re-reads the "inetd.conf" file.
  
Step 1:
  
Change the "/etc/inetd.conf" permission to 600. Only the root user is allowed to read and write the file!

# chmod 600 /etc/inetd.conf
  
Step 2:
  
Make sure that the owner of the "/etc/inetd.conf" file is root.
  
Step 3:
  
Edit the "/etc/inetd.conf" file (vi /etc/inetd.conf) and disable the following services (which you do not need): ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. Disabling unnecessary services can significantly reduce the risk to the system.
  
Step 4:
  
Send a HUP signal to the inetd process:

# killall -HUP inetd
  
Step 5:
  
Use the chattr command to set the "/etc/inetd.conf" file as immutable, so that no one can modify it:

# chattr +i /etc/inetd.conf

This prevents any modifications to inetd.conf (accidental or otherwise). Only the root user can remove this attribute. If you want to modify the inetd.conf file, you must first remove the immutable attribute:

# chattr -i /etc/inetd.conf
  
Set the immutable attribute on the "/etc/services" file as well, to prevent unauthorized deletion or addition of services:

# chattr +i /etc/services

Remember to remove the immutable attribute before you need to modify these files in the future.
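The following script is an added example, not part of the original article: it audits an inetd.conf-style file against Steps 1 to 5 above by listing still-enabled services from the article's list, checking mode and owner, and testing the immutable attribute. The function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit an inetd.conf-style file.
# Services the article lists as ones to disable:
RISKY="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Print each RISKY service that is still enabled (its line is not commented out).
enabled_risky_services() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        ($1 in bad) && !seen[$1]++ { print $1 }  # field 1 is the service name
    ' "$1"
}

# Print "ok" if the file is mode 600 and owned by the expected UID (default 0,
# root); otherwise print what differs.
check_conf_perms() {
    file=$1; want_uid=${2:-0}
    mode=$(ls -ldn "$file" | awk '{ print $1 }')
    uid=$(ls -ldn "$file" | awk '{ print $3 }')
    result=""
    case $mode in
        -rw-------*) ;;     # a trailing "." or "+" only marks SELinux/ACL data
        *) result="mode is $mode, expected -rw-------" ;;
    esac
    [ "$uid" = "$want_uid" ] ||
        result="${result:+$result; }owner uid is $uid, expected $want_uid"
    echo "${result:-ok}"
}

# Return 0 if the immutable attribute from "chattr +i" is set on the file.
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
    case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

# Demo on a constructed sample (not a real system's configuration).
sample=$(mktemp)
printf '%s\n' 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' \
    '#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' \
    'time stream tcp nowait root internal' > "$sample"
enabled_risky_services "$sample"
check_conf_perms "$sample" "$(id -u)"
rm -f "$sample"
```

On a real host, call check_conf_perms with only the file name so that the owner is compared against root (UID 0).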
  
   6. Other Comprehensive Security Settings
  
1. TCP_WRAPPERS

Use TCP_WRAPPERS to protect your system against external intrusion. The best policy is to deny all hosts (add "ALL: ALL@ALL, PARANOID" to the "/etc/hosts.deny" file), and then add a list of all allowed hosts to the "/etc/hosts.allow" file.

Step 1: Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:

# Deny access to everyone.

ALL: ALL@ALL, PARANOID

This blocks all services for all addresses unless the host is in the list of hosts allowed access.
  
Step 2:
  
Edit the hosts.allow file (vi /etc/hosts.allow) and add the allowed hosts to it, for example:

ftp: 202.54.15.99 foo.com

202.54.15.99 and foo.com are the IP address and host name that are allowed to access the ftp service.
  
Step 3:
  
The tcpdchk program checks the tcpd wrapper configuration. It examines your TCP wrapper settings and reports potential and real problems that it finds. After finishing the configuration, run the following command:

# tcpdchk
  
2. Modify the "/etc/host.conf" file.

"/etc/host.conf" describes how to resolve addresses. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add the following lines:
  
# Lookup names via DNS first then fall back to /etc/hosts.

order bind,hosts

# We have machines with multiple IP addresses.

multi on

# Check for IP address spoofing.

nospoof on
  
The first setting resolves names through DNS first and then through the hosts file. The second setting checks whether a host in the "/etc/hosts" file has multiple IP addresses (for example, multiple Ethernet interfaces). The third setting tells the resolver to watch for unauthorized IP address spoofing on the local machine.
  
3. Shell logging

The Bash shell saves 500 previously used commands in the "~/.bash_history" file ("~/" indicates the user's home directory), which makes it easy to re-enter long commands that were used before. Each user with an account on the system has a ".bash_history" file in their home directory. The Bash shell should save only a small number of commands and delete this history every time the user logs out.
  
Step 1:
  
The "HISTFILESIZE" and "HISTSIZE" lines in the "/etc/profile" file determine the number of old command lines that can be saved in the ".bash_history" file of all users. We strongly recommend that you set the values of "HISTFILESIZE" and "HISTSIZE" in the "/etc/profile" file to a smaller number, such as 30. Edit the profile file (vi /etc/profile) and change the following lines:

HISTFILESIZE=30

HISTSIZE=30

This means that each user's ".bash_history" file can only save 30 old commands.
  
Step 2:
  
In the "/etc/skel/.bash_logout" file, add the line "rm -f $HOME/.bash_history". In this way, the ".bash_history" file will be deleted every time the user logs out.

Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:

rm -f $HOME/.bash_history
  
4. Disable the Control-Alt-Delete command on the keyboard.
  
Comment out the following line in the "/etc/inittab" file (use #):
  
ca::ctrlaltdel:/sbin/shutdown -t3 -r now

so that it reads:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To make this change take effect, enter the following command:

# /sbin/init q
  
5. Set permissions for the script files under "/etc/rc.d/init.d".

Restrict the permissions of the script files that start and stop programs at startup or shutdown:

# chmod -R 700 /etc/rc.d/init.d/*

This means that only the root user can read, write, and execute the script files in this directory.
  
6. Hide System Information
  
By default, when you log on to a Linux system, it tells you the name, version, and kernel version of the Linux distribution, and the server name. This information can help hackers intrude into your system. You should show only a "Login:" prompt.

Edit the "/etc/rc.d/rc.local" file and add "#" in front of the lines shown below to comment out the commands that output this information.
  
# This will overwrite /etc/issue at every boot. So, make any changes you

# want to make to /etc/issue here or you will lose them when you reboot.

# echo "" > /etc/issue

# echo "$R" >> /etc/issue

# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

#

# cp -f /etc/issue /etc/issue.net

# echo >> /etc/issue
  
Delete the "issue.net" and "issue" files under the "/etc" directory:

# rm -f /etc/issue

# rm -f /etc/issue.net
  
7. Disable unused SUID/SGID programs
  
If a program is set to SUID root, normal users can run the program as root. The administrator should use SUID/SGID programs as little as possible and disable all unnecessary SUID/SGID programs.

Find the root-owned programs that have the s-bit set:

# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

Use the following command to remove the s-bit from a selected program:

# chmod a-s [program]
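The script below is an added example, not part of the original article: it turns the find command above into a repeatable check that reports SUID/SGID files missing from a reviewed allowlist. The function names, the allowlist format (one absolute path per line) and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag SUID/SGID files that are not on
# a reviewed allowlist.

# List every regular file under $1 with the SUID or SGID bit set, sorted.
# -xdev keeps find on the starting filesystem.
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print files under $1 that carry an s-bit but are not listed in the
# allowlist file $2 (one absolute path per line; other lines are ignored).
unexpected_suid_sgid() {
    dir=$1; allow=$2
    suid_sgid_files "$dir" | while IFS= read -r path; do
        if ! grep -Fxq -- "$path" "$allow"; then
            echo "$path"
        fi
    done
}

# Demo on a constructed directory (file names are made up).
demo=$(mktemp -d)
touch "$demo/reviewed-tool" "$demo/leftover"
chmod 4755 "$demo/reviewed-tool" "$demo/leftover"
echo "$demo/reviewed-tool" > "$demo/allow.txt"
unexpected_suid_sgid "$demo" "$demo/allow.txt"   # prints the path of "leftover"
rm -rf "$demo"
```

Each path it prints is a candidate for "chmod a-s" or for adding to the allowlist after review.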
  
These are some basic security settings.