Measure the test taker's knowledge about Linux security management.
Source: Internet
Author: User
Article Title: Describes basic tips for Linux security management.
As a free, open-source operating system, Linux is becoming more and more popular among users thanks to its high efficiency and quality. I believe that in the near future Linux will develop even further and faster. Although Linux and UNIX are very similar, there are still many important differences between them.
For many system administrators who are used to UNIX and Windows, ensuring the security and reliability of a Linux system poses many new challenges. This article introduces some basic Linux security management skills and hopes to help you.
First, I want to start with the security configuration of the system itself. I personally think that an administrator must be able to make full use of the security mechanisms the system provides, and explore the potential of the system, in order to maintain a server efficiently and securely. I am not totally opposed to using firewalls and other tools, but it is the same as with people: we can disinfect and wear masks, but that is no substitute for being physically strong and having antibodies of our own.
Linux is a free operating system with fully open source code, and it has great potential for development. Competent administrators can even customize their own kernels to suit the work the server has to do. Here, of course, we will only talk about some basic but practical configuration skills.
I. LILO Security Settings
LILO is short for Linux Loader. It is the boot loader of Linux.
You configure it by modifying the "/etc/lilo.conf" file. Add the following two parameters to the file: restricted and password. With these two parameters, the system requires password verification when LILO starts.
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00 # Set this line to 00. In this way, the system starts Linux directly instead of waiting.
message=/boot/message
linear
default=linux
restricted # Add this line
password= # Add this line and set your own password
image=/boot/vmlinuz-2.4.2-2
    label=linux
    root=/dev/hda6
    read-only
Because the "/etc/lilo.conf" file contains a plaintext password, make it readable only by root.
# chmod 0600 /etc/lilo.conf
Use the "chattr" command to make the "/etc/lilo.conf" file immutable.
# chattr +i /etc/lilo.conf
This protects the "/etc/lilo.conf" file. (This method can also be used to protect other files.)
To make the lilo.conf file take effect, run
# /sbin/lilo -v
to update the system.
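A check for the settings this section describes, as an added example that is not part of the original article. The function name audit_lilo_conf and the two sample files are assumptions, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: audit a lilo.conf-format file for the settings described above.

# Print one finding per line; print nothing when the file passes.
audit_lilo_conf() {
    conf=$1
    # Inspect only the global section (everything before the first image=/other=),
    # with comments and blanks stripped and keywords lower-cased.
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]/, ""); line = tolower($0) }
        line ~ /^(image|other)=/ { exit }
        line == "restricted"     { r = 1 }
        line ~ /^password=./     { p = 1 }
        END {
            if (!r) print "missing: restricted"
            if (!p) print "missing: password (unset or empty)"
        }' "$conf"
    # The file holds a plaintext password, so its mode must be exactly 0600.
    [ -n "$(find "$conf" -prune -perm 600)" ] || echo "mode is not 0600"
}

# Constructed sample: password= left blank and the file world-readable.
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
printf '%s\n' 'boot=/dev/hda' 'prompt' 'timeout=00' 'restricted' \
    'password=   # not set yet' 'image=/boot/vmlinuz-2.4.2-2' \
    '    label=linux' > "$DEMO_DIR/weak.conf"
chmod 644 "$DEMO_DIR/weak.conf"

# Same file with a (constructed) password value and root-only permissions.
sed 's/^password=.*/password=CONSTRUCTED-EXAMPLE/' "$DEMO_DIR/weak.conf" \
    > "$DEMO_DIR/hardened.conf"
chmod 600 "$DEMO_DIR/hardened.conf"

echo "weak.conf:";     audit_lilo_conf "$DEMO_DIR/weak.conf"
echo "hardened.conf:"; audit_lilo_conf "$DEMO_DIR/hardened.conf"
```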
II. Password Security
Passwords can be said to be the first line of defense of the system. At present, most system intrusions over the network start from password guessing or password interception, so password security is critical. First, you must make sure there are no accounts without passwords. You can find them by viewing the /etc/passwd file. For example, if an account with the user name "test" does not have a password set, the following line appears in the /etc/passwd file:
test::100:9::/home/test:/bin/bash
The second field is blank, indicating that the account test has no password, which is very dangerous! Delete this type of account or set a password for it.
Second, in earlier versions of Linux, the /etc/passwd file contains the encrypted passwords, which brings great security risks to the system; the simplest attack is to use brute-force cracking to obtain the passwords (for example, with John or other tools).
You can use the command /usr/sbin/pwconv or /usr/sbin/grpconv to create the /etc/shadow or /etc/gshadow file. The encrypted password is then no longer kept in the /etc/passwd file but is stored in the /etc/shadow file, which is readable only by the root user!
Third, change the shell of some system accounts, such as uucp, ftp, and news, and of accounts that only require FTP functions: do not give them a shell such as /bin/bash or /bin/sh. In /etc/passwd you can set their shell field to a null value such as /bin/false or /dev/null, or use the command usermod -s /dev/null username to change the shell of username to /dev/null. These accounts then cannot be used to log on to the system remotely through Telnet!
Fourth, change the default minimum password length. When you install Linux, the default minimum password length is 5 bytes, which is not enough; set it to 8. To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
The login.defs file is the configuration file of the login program.
Finally, do not forget to set a strong password for the root account: more than 8 characters, and preferably including special characters.
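The checks from this section collected into one script, as an added example that is not part of the original article. The function names and every sample account and value are constructed, and /sbin/nologin is accepted as a non-login shell in addition to the two values the text names.

```shell
#!/bin/sh
# Added example: offline audit of passwd- and login.defs-format files.
# All sample data is constructed; run the functions against the real files as root.

# Accounts whose password field (field 2) is empty.
empty_password_accounts() {
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# Accounts whose hash still sits in the passwd file: "x" means shadowed,
# a leading "*" or "!" means locked, anything else is an exposed hash.
unshadowed_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# Listed service accounts that can still get a shell. An empty shell field
# counts, because login falls back to /bin/sh when the field is blank.
service_accounts_with_shell() {
    pw=$1; shift
    for acct in "$@"; do
        awk -F: -v a="$acct" '$1 == a && $7 != "/bin/false" &&
            $7 != "/dev/null" && $7 !~ /nologin$/ { print $1 }' "$pw"
    done
}

# Effective PASS_MIN_LEN (last uncommented setting wins), or "unset".
pass_min_len() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test::100:9::/home/test:/bin/bash
legacy:CONSTRUCTED-HASH:101:100::/home/legacy:/bin/sh
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/false
news:x:9:13:news:/etc/news:
EOF
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n' > "$SAMPLE_DIR/login.defs"

echo "empty password:   $(empty_password_accounts "$SAMPLE_DIR/passwd")"
echo "hash in passwd:   $(unshadowed_accounts "$SAMPLE_DIR/passwd")"
echo "login shell left: $(service_accounts_with_shell "$SAMPLE_DIR/passwd" uucp ftp news | tr '\n' ' ')"
echo "PASS_MIN_LEN:     $(pass_min_len "$SAMPLE_DIR/login.defs") (the text recommends 8)"
```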