System security: Linux server security risks and prevention countermeasures

Source: Internet
Author: User

If unauthorized users can get physical access to your Linux server (for example, a server in a shared machine room or a public office), its security is seriously at risk.

Using Single-user mode to enter the system

When Linux starts and the boot: prompt appears, a special command such as linux single or linux 1 boots the system into single-user mode. This command is useful, for example, when the superuser (root) password has been forgotten: reboot the system, enter linux single (or linux 1) at the boot: prompt, enter the system as the superuser, edit the passwd file, and remove the x from the root line.

Preventive measures:

Log in as the superuser (root), edit the /etc/inittab file, find the id:3:initdefault setting, and add one additional line (below) so that the system prompts for the superuser password when it reboots into single-user mode:

~~:S:wait:/sbin/sulogin

Then execute the command /sbin/init Q to make this setting take effect.

Passing dangerous parameters to the kernel when the system starts

The most common boot loader under Linux is LILO, which manages system startup (other partitions and operating systems can be added to it). It is dangerous, however, if an unauthorized user can start Linux at will or pass dangerous parameters to the kernel when the system starts.

Preventive measures:

Edit the /etc/lilo.conf file and add the restricted parameter. It must be used together with the password parameter described below, and means that a password is required when passing parameters to the Linux kernel at the boot: prompt.

The password parameter can be used with restricted, or it can be used on its own, as described below.

Used with restricted: a password is required only when kernel parameters are passed at startup. In normal (default) mode no password is needed, so keep this in mind.

Used alone (without restricted): Linux always requires the password, whatever the startup mode, and cannot be started without it. Security is higher in this case, equivalent to adding an outer layer of defense. The drawback is that you cannot reboot the system remotely unless you add the restricted parameter.

Because the password is stored in plaintext and is not encrypted, the /etc/lilo.conf file must be readable only by the superuser. Set this with the following command:

chmod 600 /etc/lilo.conf

Then execute the command /sbin/lilo -v to write the configuration to the boot sector and make the change effective.

To further protect the /etc/lilo.conf file, you can also set the immutable attribute on it, using the command:

chattr +i /etc/lilo.conf

If you need to modify the /etc/lilo.conf file later, use the chattr -i /etc/lilo.conf command to remove the attribute.

Using the "Ctrl+Alt+Del" key combination to reboot

This is very important and very easy to overlook: if an unauthorized user can reach the server's keyboard, he can use the "Ctrl+Alt+Del" key combination to restart your server.

Preventive measures:

Edit the /etc/inittab file and comment out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now, so that it becomes #ca::ctrlaltdel:/sbin/shutdown -t3 -r now.

Then execute the command /sbin/init Q to make this change effective.
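
The three preventive measures above can be verified with a short audit script. This is an added example, not part of the original article; the function names and the sample files are constructed for illustration, and the file paths are passed as arguments so the checks can run on copies.

```shell
#!/bin/sh
# Added example: audit the boot-console settings described in the article.

# Print one finding per weak setting in an inittab-format file; no output = pass.
audit_inittab() {
    # Single-user mode must be routed through sulogin by an uncommented line.
    grep -Eq '^[^#:]*:S:wait:/sbin/sulogin' "$1" ||
        echo "single-user: no sulogin line, root shell without password"
    # An uncommented ctrlaltdel action lets anyone at the keyboard reboot.
    if grep -Eq '^[^#:]*:[^:]*:ctrlaltdel:' "$1"; then
        echo "ctrlaltdel: key combination still triggers shutdown"
    fi
}

# Print one finding per weak setting in a lilo.conf-format file; no output = pass.
audit_lilo() {
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1" ||
        echo "lilo: no password parameter"
    # The password is stored in plaintext, so only root may read the file.
    perms=$(ls -l "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ] ||
        echo "lilo: permissions are $perms, expected -rw-------"
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/inittab.weak" <<'EOF'
id:3:initdefault:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
EOF
cat > "$demo_dir/inittab.hardened" <<'EOF'
id:3:initdefault:
~~:S:wait:/sbin/sulogin
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
EOF
printf 'boot=/dev/sda\nrestricted\npassword=CONSTRUCTED-EXAMPLE\n' \
    > "$demo_dir/lilo.conf"
chmod 644 "$demo_dir/lilo.conf"   # deliberately too permissive

echo "== weak inittab ==";         audit_inittab "$demo_dir/inittab.weak"
echo "== hardened inittab ==";     audit_inittab "$demo_dir/inittab.hardened"
echo "== lilo.conf (mode 644) =="; audit_lilo "$demo_dir/lilo.conf"
```

On a real host, run the two functions as root against /etc/inittab and /etc/lilo.conf; an empty result means the settings from this article are in place.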
