Build LINUX system Security __linux

1, Lilo security settings

Vi/etc/lilo.conf.anaconda//Modify Lilo file ===============================================

......

Restricted//Join the line

password=111111//Join this line and set the password to 111111

......

================================================

chmod 600/etc/lilo.conf.anaconda//set to root permission read

/SBIN/LILO-V//update system to make the above operation effective

Chattr +i/etc/lilo.conf.anaconda//Set Lilo file is not writable

2, set the default password and account length and validity period

Vi/etc/login.defs//Modify Login.defs file ================================================

......

Pass_max_days 99999

Pass_min_days 0

Pass_min_len 8//Modify system default password length is 8 digits

Pass_warn_age 7//password is valid for 7 days

3, clear the password does not set the account number

VI/ETC/PASSWD//Modify passwd file =================================================

......

Elain::500:501:elain:/home/elain:/bin/bash

......

Account Elain does not have a password set. Because the second item is empty, this account does not have a password, which is very dangerous, should be deleted or set up a password for such account.

4, the Special Account processing

Delete unwanted users and groups of users

The order is as follows:

Delete User: Userdel username

Delete Group User: Groupdel groupname

Delete the following users:

Adm

Lp

Sync

Shutdown

Halt

Mail

————–

News

Uucp

operator

Games//If no mail server can be deleted

————–

Gopher//If no X Windows Server can be deleted

FTP//If anonymous access FTP is not allowed to delete this account

5, Permissions and file system

Lsattr//Listing properties of files

CHATTR//Changing the properties of a file

A//can only add attributes

I//non-change properties

Modify the key files in the system as follows:

passwd

Passwd._

Shadow

Shadown._

Xinetd.conf

Services

LILO.CONF, etc.

Example: chmod 600/etc/xinetd.conf//modify file owner as root

Chattr + (-) i/etc/xinetd.conf//set to Not (cancel) modify

6, limit the use of resources of the system

Vi/etc/security/limits.conf

=================================================

......

Add or modify the following lines:

*hard Core 0//Prohibit creation of core files

*hard RSS 5000//Except root, other user memory usage is 5M

*hard nproc 20//Limit Max process to 20

Vi/etc/pam.d/login

=================================================

......

Session required/lib/security/pam_limits.so

Add the above line to the end of the file

7, set the automatic cancellation account login

Vi/etc/profile

===================================================

......

Hostname= '/bin/hostname '

histsize=1000//This is the record number, the smaller the better

TMOUT=300//Add this line, indicating that the system does not have any operation within five minutes, will automatically log off the account