Make your Linux operating system more secure

Source: Internet
Author: User

BIOS Security
Set a BIOS password and disable booting from floppy disk. This stops anyone with physical access from starting your Linux system from a boot disk of their own, and stops others from changing BIOS settings such as the boot order, or from starting the server without going through the password prompt.
LILO Security
In the "/etc/lilo.conf" file, add three parameters: timeout, restricted and password. With these set, LILO demands a password whenever boot parameters such as "linux single" (which boots straight into single-user mode) are typed at the boot prompt.
Step 1
Edit the lilo.conf file (/etc/lilo.conf) and add or modify these three options:
QUOTE:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00            # change this line to 00
prompt
default=linux
restricted            # add this line
password=<password>   # add this line and put your password here
image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only
Step 2
Because the password is stored in clear text, the "/etc/lilo.conf" file must be readable by root only:
[root@kapil /]# chmod 600 /etc/lilo.conf (no longer world readable)
Step 3
After the modification above, rerun the boot loader installer so that the new "/etc/lilo.conf" takes effect:
[root@kapil /]# /sbin/lilo -v (rebuilds the boot map from lilo.conf)
Step 4
Another way to make "/etc/lilo.conf" more secure is to use the chattr command to make it immutable:
[root@kapil /]# chattr +i /etc/lilo.conf
This blocks any change to "lilo.conf", whether accidental or deliberate, until root clears the attribute again with "chattr -i". The flag only protects the file from the running system; it is no defence against someone who boots from their own media, which is what the BIOS and LILO passwords are for.
For more information about LILO security, see the LILO documentation.
Remove unused default accounts
Delete the default user and group accounts that you do not use, such as lp, sync, shutdown, halt, news, uucp, operator, games and gopher. Before deleting an account, make sure no files or running processes still belong to it.
To delete a user account:
[root@kapil /]# userdel lp
To delete a group account:
[root@kapil /]# groupdel lp
Select an appropriate password
Follow these principles when choosing passwords:
Password length: the default minimum password length on a Linux installation is 5 characters. This is not enough; increase it to 8. To do so, edit the login.defs file (/etc/login.defs) and change:
PASS_MIN_LEN 5
to:
PASS_MIN_LEN 8
"login.defs" is the configuration file of the login program and the shadow password tools. Systems that check password quality through PAM take the minimum length from the PAM configuration instead, so check both.
Enable shadow password support
Enable shadow passwords, so that the password hashes move out of the world-readable "/etc/passwd" into "/etc/shadow", which only root can read. Use the "/usr/sbin/authconfig" utility to do this. To convert the existing passwords and groups on the system to shadow format, use the pwconv and grpconv commands respectively.
Root Account
On a UNIX system the root account has the highest privileges. If the administrator forgets to log out of a root session when leaving the machine, the shell should log out automatically. The bash variable "TMOUT" sets the idle time after which this happens.
Edit the "/etc/profile" file and, after the line
"HISTFILESIZE="
add:
TMOUT=3600
The value given to "TMOUT=" is the idle time in seconds (60*60 = 3600, one hour).
Once this line is in "/etc/profile", any user whose shell sits idle at the prompt for one hour is logged out automatically. To set the value for one user instead, define it in that user's ".bashrc". Since a user can simply unset the variable, also declare it read-only ("readonly TMOUT") if the limit is meant to be enforced rather than merely suggested.
After this change, log out and log in again (as root) for it to take effect.
Prohibit normal users from using console programs
Normal users on a server should not be able to run console-level programs such as shutdown, reboot and halt. Run the following command for each program, where <servicename> is the name of the program users must not be allowed to run:
[root@kapil /]# rm -f /etc/security/console.apps/<servicename>
Disable and uninstall all unused services
Disabling and uninstalling services that are not used saves trouble later. Look through the "/etc/inetd.conf" file and put a "#" in front of the line for each service you do not need; this turns the line into a comment and disables the service. Then send a SIGHUP signal to the inetd process so that it rereads "inetd.conf". The procedure is as follows:
Step 1
Change the permissions of the "/etc/inetd.conf" file to 600 so that only root can read and write it:
[root@kapil /]# chmod 600 /etc/inetd.conf
Step 2
Make sure that the owner of the "/etc/inetd.conf" file is root (check with ls -l /etc/inetd.conf).
Step 3
Edit the inetd.conf file (/etc/inetd.conf) and disable services such as:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on.
If you do not plan to use these services, disabling them reduces the attack surface (telnet, ftp and the r-services also send passwords in clear text).
Step 4
Send a HUP signal to the inetd process so that it rereads the file:
[root@kapil /]# killall -HUP inetd
Step 5
Make "/etc/inetd.conf" immutable. The chattr command prevents anyone from modifying it:
[root@kapil /]# chattr +i /etc/inetd.conf
Only root can set or clear this attribute. To modify inetd.conf later, remove the immutable flag first:
[root@kapil /]# chattr -i /etc/inetd.conf
TCP_WRAPPERS
TCP_WRAPPERS lets the server resist intrusion from outside. The best policy is to deny all hosts by default: put "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file, then list the hosts that are allowed in "/etc/hosts.allow". TCP_WRAPPERS is controlled by two files; hosts.allow is consulted first, then hosts.deny, and the search stops at the first match. If neither file matches, access is granted, which is why the deny-everything line matters.
/etc/hosts.allow
/etc/hosts.deny
Step 1
Edit the hosts.deny file (/etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This line denies every service to every host unless access is explicitly granted in the allow file. PARANOID additionally rejects clients whose host name does not resolve back to their address.
Step 2
Edit the hosts.allow file (/etc/hosts.allow) and add lines for the clients you want to admit, for example:
ftp: 202.54.15.99 foo.com
Here 202.54.15.99 is a client IP address and foo.com a client host name that are allowed to use ftp. The daemon field must match the name of the wrapped server process as it appears in inetd.conf (on most systems the ftp server is in.ftpd, so that is the name to use).
Step 3
The tcpdchk program checks the tcpd wrapper configuration and reports the potential and actual problems it finds, such as daemon names in hosts.allow that do not match anything in inetd.conf. After the configuration is complete, run it:
[root@kapil /]# tcpdchk
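To see how the allow/deny order works, here is a small shell emulator of the tcpd access decision. It is an added example, not tcpd's own code and not part of the original article. It implements the documented lookup order (hosts.allow first, then hosts.deny, first match wins, otherwise allow) with a subset of the client patterns: ALL, exact host names and addresses, ".domain" suffixes, "net." prefixes, and the user@host form with the user part ignored. PARANOID never matches here because no DNS lookup is done, and EXCEPT lists and netmask forms are not handled. The daemon name in.ftpd and the addresses in the sample files are constructed for the test.

```shell
#!/bin/sh
# Added example: emulate the tcpd host_access decision on hosts.allow/hosts.deny files.
# Subset of pattern syntax only; see the lead-in for what is and is not modelled.

# tcpd_match PATTERN CLIENT_HOST CLIENT_IP -> 0 if the client pattern matches the client
tcpd_match() {
    pat="$1"; host="$2"; ip="$3"
    case "$pat" in
        *@*) pat="${pat#*@}" ;;          # user@host: ignore the user part (no ident lookup)
    esac
    case "$pat" in
        ALL) return 0 ;;
        PARANOID) return 1 ;;            # needs a DNS cross-check; never matches here
        .*) case "$host" in *"$pat") return 0 ;; esac ;;   # ".foo.com" suffix
        *.) case "$ip" in "$pat"*) return 0 ;; esac ;;     # "202.54.15." prefix
        *) [ "$pat" = "$host" ] || [ "$pat" = "$ip" ] && return 0 ;;
    esac
    return 1
}

# tcpd_file_match FILE DAEMON HOST IP -> 0 if some "daemons : clients" line in FILE matches
tcpd_file_match() {
    file="$1"; daemon="$2"; host="$3"; ip="$4"
    [ -f "$file" ] || return 1           # a missing file simply never matches
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"               # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist="${line%%:*}"
        rest="${line#*:}"
        clist="${rest%%:*}"              # ignore an optional third field (shell command)
        dmatch=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] && { dmatch=0; break; }
        done
        [ $dmatch -eq 0 ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            tcpd_match "$c" "$host" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# tcpd_decide ALLOWFILE DENYFILE DAEMON HOST IP -> prints "allow" or "deny"
# Order as tcpd uses it: hosts.allow first, then hosts.deny, first match wins;
# when neither file matches, access is granted.
tcpd_decide() {
    if tcpd_file_match "$1" "$3" "$4" "$5"; then echo allow
    elif tcpd_file_match "$2" "$3" "$4" "$5"; then echo deny
    else echo allow
    fi
}
```

The last branch of tcpd_decide is the one to notice: with an empty hosts.deny every unlisted client gets in, which is why the article puts "ALL: ALL@ALL, PARANOID" there first.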
Do not display the system release banner
When someone logs in remotely, the system release file should not be shown before the login prompt. To arrange this, change the telnet entry in "/etc/inetd.conf" from:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
The "-h" flag at the end makes the daemon print no system information, only the login: prompt, so an attacker learns nothing about the distribution and version before authenticating.
Change the "/etc/host.conf" file
The "/etc/host.conf" file specifies how host names are resolved. Edit the host.conf file (/etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The order option resolves host names through DNS first and then through the hosts file. The multi option allows a host in "/etc/hosts" to have several IP addresses (multi-homed machines).
The nospoof option makes the resolver check that the name obtained by reverse lookup of an address resolves back to that same address; a mismatch is treated as a spoofing attempt and the lookup fails.
Make the "/etc/services" file immutable
Protect the "/etc/services" file against unauthorised deletion or addition of entries by making it immutable. Run the following command:
[root@kapil /]# chattr +i /etc/services
Do not allow root login from arbitrary consoles
The "/etc/securetty" file lists the TTY devices from which "root" is allowed to log in. Edit "/etc/securetty" and put a "#" in front of each tty that root should not use; root logins from those devices are then refused.
Prohibit anyone from using the su command
The su command (substitute user) lets you become another existing user on the system. If you do not want anyone to use su to reach the root account, or want to restrict the "su" command to a few users, add the following two lines at the top of the "su" configuration file in the "/etc/pam.d/" directory.
Edit the su file (/etc/pam.d/su) and add these two lines at the top:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
This means that only members of the "wheel" group can use the su command; pam_wheel also logs the attempts. Add the users who are allowed to use su to the wheel group.
Shell log
By default the shell keeps 500 old commands in the "~/.bash_history" file (where "~/" is the home directory), so that long commands can easily be repeated. Every account on the system has such a ".bash_history" file in its home directory. For security, the shell should store fewer commands, and the file should be deleted when the user logs out.
Step 1
The HISTFILESIZE and HISTSIZE lines in "/etc/profile" determine how many old commands the ".bash_history" file of every user on the system can hold. We recommend setting HISTFILESIZE and HISTSIZE in "/etc/profile" to a small number, for example 30.
Edit the profile file (/etc/profile) and change the lines to:
HISTFILESIZE=30
HISTSIZE=30
Step 2
The system administrator should also add "rm -f $HOME/.bash_history" to the ".bash_logout" file in "/etc/skel/", so that the ".bash_history" file is deleted whenever a user logs out.
Edit the .bash_logout file (/etc/skel/.bash_logout) and add the following line:
rm -f $HOME/.bash_history
Files in /etc/skel are copied only when a new account is created, so for existing accounts add the same line to each user's ~/.bash_logout.
Disable the Control-Alt-Delete keyboard shutdown command
Put a "#" in front of the line to turn it into a comment. In the "/etc/inittab" file, find:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
and change it to:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then, to make the change take effect, enter:
[root@kapil /]# /sbin/init q
Modify the permissions of the script files in the "/etc/rc.d/init.d" directory
Modify the permissions of the script files.
