1. LILO Security Settings
vi /etc/lilo.conf.anaconda // modify the LILO configuration file
====================================================================
......
restricted // add this line
password=111111 // add this line and set the password (111111 is only the example used here)
......
====================================================================
chmod 600 /etc/lilo.conf.anaconda // readable only by root, since the password is stored in clear text
/sbin/lilo -v // rerun lilo so the changes above take effect
chattr +i /etc/lilo.conf.anaconda // optionally make the LILO configuration file immutable
2. Set the default password length and validity period
vi /etc/login.defs // modify the login.defs file
====================================================================
......
PASS_MAX_DAYS 99999 // 99999 days means the password effectively never expires
PASS_MIN_DAYS 0
PASS_MIN_LEN 8 // raise the minimum password length to 8 characters
PASS_WARN_AGE 7 // warn the user 7 days before the password expires
3. Clear accounts without passwords
vi /etc/passwd // inspect the passwd file
====================================================================
......
elain::500:501:elain:/home/elain:/bin/bash
......
// The second field of the elain entry is empty, which means the account has no password at all: anyone can log in as elain without authenticating. This is very dangerous; either delete the account or set a password for it.
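As an added example (not part of the original post), a small POSIX shell function that reports every entry in a passwd- or shadow-format file whose password field is empty; the demo runs it on a constructed sample file, not on the real /etc/passwd.

```shell
#!/bin/sh
# Print the name of every account whose password field (the second
# colon-separated field) is empty.  The field position is the same in
# /etc/passwd and /etc/shadow, so the function works on either file.
# A locked account carries "*" or "!" there, which is not empty and is
# therefore not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Demo on a constructed passwd-style file (sample data, not a system file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
root:x:0:0:root:/root:/bin/bash
elain::500:501:elain:/home/elain:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
guest::502:502::/home/guest:/bin/bash
locked:*:503:503::/home/locked:/bin/bash
EOF
    empty_password_accounts "$tmp"      # prints elain and guest
    rm -f "$tmp"
}

demo
```

On a real system run `empty_password_accounts /etc/shadow` as root; every name it prints should be locked with `passwd -l` or removed with `userdel`.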
4. Special account handling
Delete unnecessary users and groups.
The commands are as follows:
Delete a user: userdel username
Delete a group: groupdel groupname
Delete the following users:
adm
lp
sync
shutdown
halt
mail
--------------
news
uucp
operator
games // can be deleted if there is no mail server
--------------
gopher // delete if no X Windows server exists
ftp // if anonymous FTP access is not allowed, delete this account
5. Permissions and file systems
lsattr // list file attributes
chattr // modify file attributes
a // append only: data can only be added to the file
i // immutable: the file cannot be modified, deleted or renamed
Protect the key system files, for example:
passwd
passwd-
shadow
shadow-
xinetd.conf
services
lilo.conf, etc.
Example: chmod 600 /etc/xinetd.conf // only the owner (root) can read and write the file
chattr +i /etc/xinetd.conf // make the file immutable (chattr -i removes the attribute again)
6. Restrict system resource usage
vi /etc/security/limits.conf
====================================================================
......
Add or modify the following lines:
* hard core 0 // do not create core files
* hard rss 5000 // except root, limit each user's resident memory to about 5 MB (the value is in KB; note that Linux kernels from 2.4.30 on no longer enforce the rss limit)
* hard nproc 20 // allow each user at most 20 processes
vi /etc/pam.d/login
====================================================================
......
session required /lib/security/pam_limits.so
// Add the above line at the end of the file so that the limits are applied at login
7. Set automatic account logout
vi /etc/profile
====================================================================
......
HOSTNAME=`/bin/hostname`
HISTSIZE=1000 // number of command history entries kept; the smaller the value, the better
TMOUT=300 // add this line: a shell that has been idle for five minutes (300 seconds) is logged out automatically (add "readonly TMOUT" as well if users should not be able to unset it)
8. /etc/securetty file security settings
vi /etc/securetty
====================================================================
tty1
#tty2
......
#tty11 // comment out every tty except tty1 in the default content, so that root can log in only on the tty1 terminal
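An added audit helper (not from the original post) for the two settings just described: it lists the terminals in a securetty-format file that are still enabled for root besides tty1, and checks whether a profile-style file sets TMOUT to a positive value no larger than a given limit. File paths are parameters, so the demo runs on constructed copies rather than the real /etc files.

```shell
#!/bin/sh
# Print each terminal in a securetty-format file that is neither commented
# out nor tty1, i.e. each extra terminal on which root could still log in.
securetty_extra_terminals() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -vx 'tty1'
}

# Succeed (exit 0) only if the last TMOUT= assignment in the file is a
# positive number no larger than $2 seconds (default 300, as in the text).
profile_tmout_ok() {
    max=${2:-300}
    val=$(awk -F= '/^[ \t]*(export[ \t]+)?TMOUT=/ { sub(/[^0-9].*$/, "", $2); v = $2 }
                   END { print v }' "$1")
    [ -n "$val" ] && [ "$val" -gt 0 ] && [ "$val" -le "$max" ]
}

# Demo on constructed files (sample data, not the real /etc/securetty or /etc/profile).
demo() {
    dir=$(mktemp -d)
    printf 'tty1\n#tty2\ntty3\n# tty4\n\ntty5\n' > "$dir/securetty"
    printf 'HISTSIZE=1000\nexport TMOUT=300\n' > "$dir/profile"
    securetty_extra_terminals "$dir/securetty"       # prints tty3 and tty5
    if profile_tmout_ok "$dir/profile"; then echo "TMOUT ok"; else echo "TMOUT missing"; fi
    rm -rf "$dir"
}

demo
```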
9. Prohibit responses to external PING requests to reduce exposure to ping-based attacks
vi /etc/rc.d/rc.local
====================================================================
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
// Add the above line so that the system stops answering any ICMP echo (ping) request.
10. Restrict display of system version information
When you log in to a Linux system, it displays the Linux distribution version, the kernel version and the host name.
vi /etc/rc.d/rc.local
====================================================================
Make sure the lines that rewrite /etc/issue on every boot are commented out, so that they look like this:
......
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" > /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" > /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
......
Then run the following commands:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
You can also do this for a single service, for example telnet, by editing /etc/inetd.conf:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
In this way, when you telnet to the server no system version banner is shown; only the "login:" prompt appears.
11. Set up /etc/host.conf to prevent IP spoofing
vi /etc/host.conf
====================================================================
......
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP aliasing).
multi off
# Check for IP address spoofing.
nospoof on
# IP spoofing: IP-spoofing is a security exploit that works by tricking
# computers in a trust relationship that you are someone that you really aren't.
// Add the above lines to prevent IP spoofing attacks. Note that nospoof only makes the resolver reject a host name whose reverse lookup does not match its forward lookup; it does not filter spoofed packets at the network level.
12. Restrict su to root
vi /etc/pam.d/su
====================================================================
......
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=elain
Add the above two lines to the file; they mean that only members of the elain group can use su to become root.
If you want the admin user to be able to su to root, add it to that group, for example:
# usermod -G 10 admin
(10 is the GID of the wheel group on Red Hat; use the GID or name of the group given in the pam_wheel line. usermod -G replaces the user's whole list of supplementary groups, so list every group the user should keep.)
13. Do not allow CTRL+ALT+DEL to restart the server
vi /etc/inittab
......
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now // use "#" to comment out this line
Then run:
# /sbin/init q
14. Delete command history when logging out
vi /etc/skel/.bash_logout
====================================================================
rm -f $HOME/.bash_history
// /etc/skel only seeds the home directories of newly created users; add the same line to the ~/.bash_logout of existing users as well.
15. Ensure the security of enabled services
Common service commands:
grep -v "#" /etc/services // display the service definitions that are not commented out
ps -eaf | wc -l // count the processes currently running on the system
netstat -na // view current connections and listening sockets (an IP address can be appended to look at one remote peer)
netstat -an | grep LISTEN // check whether a suspicious port is open
You can also run the following command:
chattr +i /etc/services // set the immutable attribute
When Linux boots it runs the scripts in the runlevel directory, on Red Hat /etc/rc.d/rc3.d (rc5.d for the graphical runlevel). The script name encodes the start order:
K indicates a service that is stopped (killed)
S indicates a service that is started
To keep a service from starting at boot, change the upper-case "S" at the start of its script name to lower-case "s".
Note: The following three services have had many vulnerabilities. We strongly recommend disabling them:
yppasswdd (NIS server)
ypserv (NIS server)
nfs (NFS server)
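An added example, not the blog's own script: it lists which of the three services named above are still enabled in a runlevel directory (a link whose name starts with a capital S) and disables one of them the way the text describes, by renaming the leading S to s. The demo works on a constructed directory, not on /etc/rc.d.

```shell
#!/bin/sh
# Print the S* boot scripts in an rc?.d directory that belong to the three
# services the text recommends disabling (yppasswdd, ypserv, nfs).
risky_enabled_services() {
    for f in "$1"/S*; do
        [ -e "$f" ] || continue                  # directory has no S* entries
        base=${f##*/}
        name=$(printf '%s\n' "$base" | sed 's/^S[0-9]*//')   # strip "S" + sequence number
        case $name in
            yppasswdd|ypserv|nfs) echo "$base" ;;
        esac
    done
}

# Disable one boot script by turning its leading "S" into "s", as in the text.
disable_boot_script() {      # $1 = rc directory, $2 = script name such as S20nfs
    mv "$1/$2" "$1/s${2#S}"
}

# Demo on a constructed runlevel directory (sample entries, not /etc/rc.d/rc3.d).
demo() {
    dir=$(mktemp -d)
    for s in S13yppasswdd S20nfs s20ypserv K10ypbind S55sshd; do : > "$dir/$s"; done
    risky_enabled_services "$dir"            # S13yppasswdd and S20nfs
    echo "---"
    disable_boot_script "$dir" S20nfs
    risky_enabled_services "$dir"            # only S13yppasswdd remains
    rm -rf "$dir"
}

demo
```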
16. Linux firewall security configuration
system-config-securitylevel // Red Hat's firewall configuration tool
17. Linux system security tools
sxid: checks suid and sgid files and files with no owner on the system
skey: one-time password tool
logrotate: log rotation tool
logcheck: log management tool
swatch: log monitoring tool, more real-time than logcheck
ssh (openssh): provides secure, authenticated connections
portsentry: anti-scan tool that monitors UDP and TCP ports
tripwire: provides system integrity checking
gnupg: encrypts single files and creates digital signatures
hostsentry: host-based intrusion detection that records connections to logs
ipchains: packet-filtering firewall shipped with the distribution
antisniff: anti-sniffing tool that checks whether there is a sniffer on the network
freeswan: a VPN tool for Linux
syslog-ng: a logging system that replaces syslog
scandns: DNS check and tracing tool
whisker: CGI scanner
snoopy: traces execve system calls and records the commands executed
krnsniff: a kernel-based sniffing module
iptables: packet-filtering firewall that replaces ipchains
imsafe: detects buffer overflows and similar problems by tracing system calls
iplog: logs sent and received packets
Solar Designer's kernel patch: prevents buffer overflow exploitation
stackguard: GCC patch to prevent buffer overflows
DTK (Deception Toolkit): honeypot-style active defense
antiroute: blocks and logs route-based tracing
====================================================================
Note: All of the above material was collected from the Internet and the copyright belongs to the original authors. I only summarized these rules during my own study and hope they help Linux security enthusiasts!
This article is from the "elain technical blog".