Classic Tutorial: Ultimate Guide to Linux Security Configuration

Source: Internet
Author: User
Tags ftp login ftp access
Article Title: Classic Tutorial: Ultimate Guide to Linux security configuration. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

I. Disk partitioning

1. If you are installing a new Linux system, consider the security of Disk Partitions:
1) the root directory (/), user directory (/home), temporary directory (/tmp), And/var directory should be separated to different disk partitions;
2) the disk space of the partitions where the directories are located should be fully taken into account to avoid system crash due to insufficient partition space due to some reasons;

2. For partitions in the/tmp and/var directories, programs with the suid attribute are not required in most cases, so the nosuid attribute should be added for these partitions;

Method 1: Modify the/etc/fstab file and add the nosuid attribute. For example:
/Dev/hda2/tmp ext2 exec, dev, nosuid, rw 0 0
Method 2: If you are not familiar with the operations on the/etc/fstab file, we recommend that you use the linuxconf program.
Run the linuxconf program;
Select "Access local drive" under "File systems ";
Select the disk partition for which you want to modify the attribute;
Select "No setuid programs allowed;
Select other options as needed;
Exit normally. (The system will usually prompt you to re-mount the partition)

Ii. Installation

1. Too many software packages should not be installed on non-tested hosts. This reduces the possibility of security vulnerabilities caused by software packages.
2. For non-test hosts, do not select a non-essential service when selecting a host to start the service. Such as routed and ypbind.

Iii. Security Configuration and Enhancement

Kernel upgrade. Upgrade to 2.2.16 or later.
Upgrade the GNU libc shared library. (Warning: you cannot try it easily if you have no experience. Can be suspended .)
Disable dangerous network services. Echo, chargen, shell, login, finger, NFS, RPC, etc.
Disable non-essential network services. Talk, ntalk, pop-2, etc.
Security Configuration and upgrade of Common Network Services
Make sure that the version used by the network service is the latest and safest version.
Cancel anonymous FTP access
Unless necessary suid Program
Use tcpwrapper
Use ipchains Firewall
Some details:
1. The log file in the operating system is an important clue for detecting network intrusion.Of course, this assumes that your logfile is not damaged by the intruder. If you have a server that uses a leased line to directly connect to the Internet, this means that your IP address is a permanent fixed address, you will find that many people try to telnet/ftp login to your system and try to run # more/var/log/secure | grep refused to check.
2. restrict the number of programs with the SUID permission flagPrograms with this permission flag run as root, which is a potential security vulnerability. Of course, some programs must have this flag, such as passwd programs.
3. BIOS Security. Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.
4. User Password. User passwords are the most basic starting point for Linux security. Many users use simple 'Password', which opens the door to intruders, although theoretically there is no uncertain user password, it can be used as long as there is enough time and resources. A good user password is a string of characters that can only be easily remembered and understood by himself, and should never be written anywhere.
5./etc/exports file. If you use the NFS Network File System Service, make sure that your/etc/exports has the strictest access permission settings. This does not mean that you do not use any wildcards and do not allow root write permissions, mount the file to a read-only file system. Edit the/etc/exports file and add: for example:
/Dir/to/export (ro, root_squash)
/Dir/to/export (ro, root_squash)
/Dir/to/export is the directory you want to output, is the name of the machine that logs on to this directory,
Ro means to mount the file to a read-only system. root_squash prohibits root from writing data to this directory.
To make the above changes take effect, run/usr/sbin/exportfs-
6. Make sure that the owner of/etc/inetd. conf is root.,Set the File Permission to 600..

[root@deep]# chmod 600 /etc/inetd.confENSURE that the owner is root.[root@deep]# stat /etc/inetd.confFile: "/etc/inetd.conf"Size: 2869 Filetype: Regular FileMode: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)Device: 8,6 Inode: 18219 Links: 1Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)Change:Mon Sep 20 10:22:44 1999(00002.06:12:16)

Edit/etc/inetd. conf to disable the following services:
Ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger,
Auth, etc. unless you really want to use it.
In particular, prohibit those r commands. If you use ssh/scp, you can also disable telnet/ftp.
To make the change take effect, run # killall-HUP inetd
You can also run # chattr + I/etc/inetd. conf to make the file unchangeable.
Only the root user can unlock it. Use the command
# Chattr-I/etc/inetd. conf

[1] [2] [3] [4] [5] Next page

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.