Linux SECURITY: Step by Step (1) (1)

Just as there is no unbreakable shield, no system is absolutely secure. No one in the security field can say that they are masters. The security of the system is exchanged by the sweat and wisdom of many predecessors. System security involves all aspects. Security problems exist in both banking and telephone systems, MS Windows systems, and Unix systems that are widely recognized as secure. The only focus of security is on how many users are using the system. The more users the system has, the more critical the security issues are. The faster the system discovers security vulnerabilities. In addition, the better the scalability of the system, the more application services supported, the more security problems. In MS Windows, the system can be set to security or damage to the system by using the mouse's staff to obtain online materials. Security Settings are a double-edged sword. One side is the ability to tear up undefended systems, destroy data, and block illegal intrusions and protect data. This boundary is the difference between Nuker and Hacker.
Linux is an open-source system, and its security can be enhanced at the code level. But it is too complicated for users who are new to Linux. If you want to use Linux as a desktop operating system, the settings must be different from those on the server. The server may be used on the Internet, whether it is its firewall, proxy server or other applications, Security Settings focus on key applications, and desktop applications focus on different.
For the commonly used Mandrake, Red Hat, SuSE, and Debian on the market, the security settings are different, but the methods are consistent. Taking Red Hat, which has many users in the Chinese market as an example, we will take the following section as an example ~ A 300-person Company uses Red Hat Linux as the desktop operating system and sets system security step by step. The configuration of surrounding resources will also be mentioned.
Hardware Security
The chassis must be locked. Any system may be physically exposed, reducing the security by at least half. This is because anyone can unload the hard disk and read data from other systems, undermining security protection. As a result, desktop and server should avoid physical access as much as possible.
BIOS Security
Although there are many tools to read the BIOS password and many BIOS have a common password, it is necessary to set the BIOS password protection. The password must be more than 8 characters long. It must be a combination of uppercase and lowercase numbers, symbols, and letters, and must not be the same as any system password. If you are worried that all machines will be compromised, you can consider adding a personalized password bit. For example, you can use the abbreviation of the person on the machine or the password in front of the unique machine number combination to become a password that is better remembered and meets the complexity and uniqueness requirements.
Startup settings
After the system is installed, apart from hard disk boot, the boot of floppy disks, optical disks, and even USB flash memory may bring security issues. Therefore, you must disable the startup of any device except the hard disk in the BIOS.
System Partition
The current hard disks can all meet the capacity requirements of Linux. Take 20 ~ For 40 Gb hard disk, there is no additional partitioning method. Using Red Hat's automatic partitioning can meet the requirements. The specific partitioning method is 40 MB boot partition/boot), 2 times the swap partition swap in the memory), and the remaining is the root partition /). The reason for not separating the/home directory and/var directory is that too many system partitions increase management complexity because it is used by a single user. For example, if the/var partition is full, the system exception occurs. Simple partitions can be used by users.
Install
Avoid full installation, that is, the Everything option. As mentioned above, the more services provided by the system, the more vulnerabilities, and the worse the security. Try to use non-interactive installation, such as creating an installation floppy disk, using NFS or installation script. The fewer users directly participate, the stronger the manageability. Uniform Rules are used for host naming, such as the company's e-mail address and extension number, to facilitate troubleshooting and locating. Try to use a static IP address or a DHCP address bound to the MAC address as much as possible, so that any exceptions can be quickly ruled out. Note that the ext3 file system can reduce hard disk data loss caused by power loss and cannot be started.
Account and center control
Using NIS for account and central control may be good, but it is also an option to increase management complexity. If the environment is a single user logon, and the files are shared by the server, it is also a good choice to log on to the server without using NIS. Of course, you can choose not only NIS but also central account management. The account on the local machine must use the company's email address as the login name. Of course, you must have an administrator account, but do not add the local account to the local administrator group. It is dangerous to have multiple root accounts on the local machine.
Start the loader
Start the loader and try to use GRUB instead of LILO. The reason is: although they can all be added with the Startup Password, LILO uses the plaintext password in the configuration file, while GRUB uses the md5 Algorithm for encryption. Password protection can prevent you from using the customized kernel to start the system, and set the startup wait time to 0 without other operating systems. LILO configuration in the/etc/lilo. conf file, GRUB configuration file

In/boot/grub. conf:/etc/lilo. confimage =/boot/2.4.18-vmlinuzlabel = Linuxread-only # password is plain text password = Clear-TextPassword # add protection restricted/boot/grub. conf # modify the start time to 0, that is, directly start timeout 0 # You can use the grub-md5-crypt to generate -- md5 encryption password -- md5 $1 $ LS8eV/$ mdN1bcyLrIZGXfM7CkBvU1