This article describes some basic security measures that let you run Linux more securely, with a focus on Red Hat Linux.
BIOS Security
Set a BIOS password in the BIOS settings and disable booting from a floppy disk. This prevents a malicious user from starting your Linux system from a boot disk of their own, and prevents others from changing BIOS settings such as the disk boot order or starting the server directly without being asked for a password.
LILO Security
In the "/etc/lilo.conf" file, add three parameters: timeout, restricted, and password. With these options LILO demands a password whenever boot-time parameters such as "linux single" are entered at the boot prompt.
Step 1
Edit the lilo.conf file (/etc/lilo.conf) to add or change these three options:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00 # change this line to 00
prompt
default=linux
restricted # add this line
password= # add this line and put your password after the "="
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only
Step 2
Because the password is stored in clear text, the "/etc/lilo.conf" file must be readable only by the root user:
[root@kapil /]# chmod 600 /etc/lilo.conf (the file is no longer world-readable)
Step 3
After making the changes above, re-install LILO so that it reads the updated "/etc/lilo.conf":
[root@kapil /]# /sbin/lilo -v (re-installs LILO from the updated lilo.conf)
Step 4
Another way to make "/etc/lilo.conf" more secure is to use the chattr command to mark it immutable:
[root@kapil /]# chattr +i /etc/lilo.conf
This blocks any change to the "lilo.conf" file, whether intentional or accidental.
For more information about lilo security, see LILO.
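As an added example, not code from the original article, the following shell script audits a lilo.conf for the hardening just described: timeout set to 0, the restricted keyword, a non-empty password line, and file mode 600. It works on two constructed sample files written to a temporary directory, so it never reads or modifies the real /etc/lilo.conf; the password value in the sample is a labelled placeholder. It assumes a POSIX sh with ls, grep -E and mktemp, and does not check the chattr +i flag, since reading it needs lsattr and setting it needs root.

```sh
#!/bin/sh
# Added example, not part of the original article: audit a lilo.conf for the
# hardening steps described above (timeout=00, restricted, a non-empty
# password, and mode 600). Works on constructed sample files in a temporary
# directory; the real /etc/lilo.conf is never touched.

# lilo_audit FILE -> prints each missing item on its own line and returns 0
# only when every check passes.
lilo_audit() {
    f="$1"
    missing=""
    # timeout must be 0 so LILO never waits at the boot prompt
    grep -Eq '^[[:space:]]*timeout[[:space:]]*=[[:space:]]*0+[[:space:]]*(#.*)?$' "$f" \
        || missing="$missing timeout=00"
    # restricted: the password is only demanded when boot parameters are typed
    grep -Eq '^[[:space:]]*restricted[[:space:]]*(#.*)?$' "$f" \
        || missing="$missing restricted"
    # a password line that actually carries a value
    grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*[^[:space:]#]+' "$f" \
        || missing="$missing password"
    # the password is stored in clear text, so only root may read the file
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || missing="$missing perm-600"
    for m in $missing; do echo "$m"; done
    [ -z "$missing" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a lilo.conf as installed, before hardening
cat > "$WORK/lilo.conf.before" <<'EOF'
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=50
prompt
default=linux
image=/boot/vmlinuz-2.2.14-12
        label=linux
        root=/dev/hda6
        read-only
EOF
chmod 644 "$WORK/lilo.conf.before"

# Constructed sample: the same file after the three changes plus chmod 600
# (the password value is a placeholder, not a real credential)
cat > "$WORK/lilo.conf.after" <<'EOF'
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00
prompt
default=linux
restricted
password=change-me-placeholder
image=/boot/vmlinuz-2.2.14-12
        label=linux
        root=/dev/hda6
        read-only
EOF
chmod 600 "$WORK/lilo.conf.after"

echo "before hardening, missing:"
lilo_audit "$WORK/lilo.conf.before" || true
echo "after hardening:"
lilo_audit "$WORK/lilo.conf.after" && echo "all checks passed"
```

Run it against your own copy with lilo_audit /etc/lilo.conf after the edits; remember that chattr +i must be cleared with chattr -i before /sbin/lilo can rewrite the file.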
Remove all unused special accounts
Delete all default user and group accounts that you do not use, such as lp, sync, shutdown, halt, news, uucp, operator, games, and gopher.
To delete a user account:
[root@kapil /]# userdel lp
To delete a group account:
[root@kapil /]# groupdel lp
Select an appropriate password
When selecting a password, follow these principles:
Password length: by default the minimum password length on a Linux installation is 5 characters. This is not enough; increase it to 8. To change the length to 8 characters, edit the login.defs file (/etc/login.defs) and change:
PASS_MIN_LEN 5
to:
PASS_MIN_LEN 8
"login.defs" is the configuration file of the login program.
Enable shadow password support
Enable shadow passwords. To do this, use the "/usr/sbin/authconfig" utility. To convert the existing passwords and groups on the system to shadow passwords and groups, use the pwconv and grpconv commands respectively.
Root Account
On UNIX systems the root account has the highest privileges. If the system administrator forgets to log out of a root session when leaving the system, the shell should log out automatically. The special shell variable "TMOUT" sets the time after which this happens.
Edit the "/etc/profile" file and, below the line beginning with
"HISTFILESIZE="
add:
TMOUT=3600
The value assigned to "TMOUT" is the idle time in seconds; one hour is 60*60 = 3600.
Once this line is added to "/etc/profile", any user whose session has been idle for one hour is logged out automatically. To set the variable per user instead, define the automatic logout time in that user's ".bashrc" file.
After this change, you must log out and log in to the root account again for it to take effect.
Prevent normal users from running console programs
Normal users on the server should be prevented from running console-level programs such as shutdown, reboot, and halt. Run the following command, replacing <program> with the name of the program to which access is to be denied:
[root@kapil /]# rm -f /etc/security/console.apps/<program>
Disable and uninstall all unused services
Disable and uninstall the services you do not use; fewer running services means less trouble. Look through the "/etc/inetd.conf" file and put a "#" at the start of each line for a service you do not want, turning it into a comment, to disable it. Then send a SIGHUP signal to the inetd process so that it re-reads "inetd.conf". The procedure is as follows:
Step 1
Change the permissions on "/etc/inetd.conf" to 600 so that only the root user can read and write it.
[root@kapil /]# chmod 600 /etc/inetd.conf
Step 2
Make sure that the owner of the "/etc/inetd.conf" file is the root user.
Step 3
Edit the inetd.conf file (/etc/inetd.conf) and disable the following services:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on.
If you do not plan to use these services, disabling them reduces risk.
Step 4
Send a HUP signal to the inetd process:
[root@kapil /]# killall -HUP inetd
Step 5
Make "/etc/inetd.conf" immutable. The chattr command prevents anyone from modifying it:
[root@kapil /]# chattr +i /etc/inetd.conf
Only the root user can set or clear this attribute. To modify inetd.conf later, you must first remove the immutable flag:
[root@kapil /]# chattr -i /etc/inetd.conf
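As an added example, not code from the original article, the following shell script performs the Step 3 edit mechanically: it comments out the lines of the named services in an inetd.conf and lists what is still enabled. It edits a constructed sample copy in a temporary directory (the real /etc/inetd.conf, the chmod 600, the killall -HUP reload and the chattr steps are left to the administrator), and assumes a POSIX sh with awk and mktemp.

```sh
#!/bin/sh
# Added example, not part of the original article: disable unwanted inetd
# services by commenting their lines out and show what is still enabled.
# Works on a constructed copy in a temporary directory; /etc/inetd.conf
# itself is never touched.

# inetd_disable FILE SERVICE... -> put "#" in front of every active line whose
# first field is one of the named services. Lines that are already comments
# are left alone, so running it twice is harmless.
inetd_disable() {
    f="$1"; shift
    for svc in "$@"; do
        awk -v s="$svc" '
            $1 == s { print "#" $0; next }   # exact match on the service field
            { print }
        ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# inetd_active FILE -> names of the services that are still enabled
inetd_active() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample in the Red Hat 6-era inetd.conf format
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
daytime stream  tcp  nowait  root    internal
EOF

echo "enabled before:"; inetd_active "$WORK/inetd.conf"
inetd_disable "$WORK/inetd.conf" ftp telnet shell login finger pop-3 auth
echo "enabled after:";  inetd_active "$WORK/inetd.conf"
echo "now reload the daemon with: killall -HUP inetd"
```

Matching on the first field only, rather than with a loose grep, avoids commenting out an unrelated service whose name merely contains the string (for example "pop-3" versus "pop-2").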
TCP_WRAPPERS
With TCP_WRAPPERS the server is better protected against intrusion from outside. The safest approach is to deny all hosts by default: add "ALL: ALL@ALL, PARANOID" to "/etc/hosts.deny", and then list the hosts that are allowed in "/etc/hosts.allow". TCP_WRAPPERS is controlled by two files, and the search stops at the first match:
/etc/hosts.allow
/etc/hosts.deny
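As an added example, not code from the original article or from the TCP_WRAPPERS package, the following shell script emulates how hosts.allow and hosts.deny are consulted: hosts.allow first, then hosts.deny, stopping at the first matching rule, with access granted when neither file matches. It supports only the subset of the hosts_access(5) syntax used in this article (a "daemon_list : client_list" rule, comma-separated lists, ALL, user@host patterns where only the host part is compared, leading-dot domain suffixes and trailing-dot network prefixes); PARANOID and EXCEPT are not emulated. The rule files, daemon names and client addresses are constructed samples in a temporary directory, and the script assumes a POSIX sh with mktemp.

```sh
#!/bin/sh
# Added example, not part of the original article: a small emulation of the
# TCP_WRAPPERS lookup order (hosts.allow, then hosts.deny, first match wins,
# default allow). Only the syntax subset named in the lead-in is handled.

set -f   # rule patterns are compared literally, never expanded as file globs

# client_matches PATTERN CLIENT -> 0 if CLIENT (host name or address) fits PATTERN
client_matches() {
    pat=${1#*@}              # "user@host": only the host part is compared
    c="$2"
    case "$pat" in
        ALL)      return 0 ;;
        PARANOID) return 1 ;;                                 # not emulated
        .*)       case "$c" in *"$pat") return 0 ;; esac ;;   # ".example.com" suffix
        *.)       case "$c" in "$pat"*) return 0 ;; esac ;;   # "192.168.1." prefix
        *)        [ "$c" = "$pat" ] && return 0 ;;
    esac
    return 1
}

# rule_matches LINE DAEMON CLIENT -> 0 if this "daemons : clients" line applies
rule_matches() {
    r=${1%%#*}                                   # strip a trailing comment
    case "$r" in *:*) ;; *) return 1 ;; esac     # blank or comment-only line
    dlist=${r%%:*}
    clist=${r#*:}; clist=${clist%%:*}            # ignore an optional ": command" field
    dhit=1
    for p in $(printf '%s' "$dlist" | tr ',' ' '); do
        if [ "$p" = ALL ] || [ "$p" = "$2" ]; then dhit=0; fi
    done
    [ $dhit -eq 0 ] || return 1
    for p in $(printf '%s' "$clist" | tr ',' ' '); do
        client_matches "$p" "$3" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if any rule in FILE matches
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        rule_matches "$line" "$2" "$3" && return 0
    done < "$1"
    return 1
}

# hosts_access ALLOWFILE DENYFILE DAEMON CLIENT -> prints allow or deny
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow; return 0; fi
    if file_matches "$2" "$3" "$4"; then echo deny; return 1; fi
    echo allow   # no rule matched in either file: access is granted
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed samples following the article: deny everything, then list exceptions
cat > "$WORK/hosts.deny" <<'EOF'
ALL: ALL@ALL, PARANOID
EOF
cat > "$WORK/hosts.allow" <<'EOF'
# only the local subnet may reach sshd; only one host may reach the FTP daemon
sshd: 192.168.1.
in.ftpd: ftp.example.com
EOF

for q in "sshd 192.168.1.25" "sshd 10.0.0.5" "in.ftpd ftp.example.com" "in.telnetd 192.168.1.25"; do
    set -- $q
    printf '%-12s %-18s -> %s\n' "$1" "$2" "$(hosts_access "$WORK/hosts.allow" "$WORK/hosts.deny" "$1" "$2")"
done
```

The last query shows why the deny-all rule matters: a daemon with no entry in hosts.allow, such as in.telnetd, is refused even from the trusted subnet, whereas with an empty hosts.deny it would be accepted.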