Common Security policy setting methods under Linux

1. Prevent the system from responding to any external/internal ping requests

An attacker usually first detects whether the host or IP is active by pinging it, and if it can ping a host or IP, the attacker considers the system active and then attacks or destroys it. If no one can ping the machine and receive a response, then can greatly enhance the security of the server, Linux can perform the following settings, prohibit ping request:

[root@localhost ~] #echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

By default, the value of "Icmp_echo_ignore_all" is "0", which indicates a response to the ping operation.

You can add one line of the above command to the/etc/rc.d/rc.local file so that it runs automatically every time the system reboots.

2. Disable Control-alt-delete key combination reboot system

In the Linux default settings, press the Control-alt-delete key at the same time, the system will automatically reboot, which is very unsafe, so to prevent Control-alt-delete key combination reboot system, just modify the/etc/inittab file:

[root@localhost ~] #vi/etc/inittab

Find this row: Ca::ctrlaltdel:/sbin/shutdown-t3-r now

Before you add "#"

Then execute:

[root@localhost ~] #telinit q

3. Limit shell record history command size

By default, the bash shell holds up to 1000 command records in the file $home/.bash_history (depending on the system, the default number of record bars is different). There is one such file under the home directory of each user in the system.

So many historical command records, which are certainly unsafe, must limit the size of the file.

You can edit the/etc/profile file and modify the following options:

Histsize=30

Indicates that the most recent 30 history commands are recorded in the file $home/.bash_history. If you set "Histsize" to 0, you do not record history commands, then you cannot use the keyboard's up and down keys to find history commands.

4. Remove system default unnecessary users and groups

Linux provides a variety of system accounts, when the system is installed, if you do not need some users or groups, it is necessary to delete it immediately, because the more accounts, the more insecure the system, the more vulnerable to attack.

Remove system unnecessary users use the following command

[Root@localhost ~]# Userdel username

Remove unnecessary groups from the system with the following command:

[Root@localhost ~]# Groupdel GroupName

The default users and groups that can be removed from a Linux system are:

Deleted users, such as Adm,lp,sync,shutdown,halt,news,uucp,operator,games,gopher.

Deleted groups, such as Adm,lp,news,uucp,games,dip,pppusers,popusers,slipusers.