For security control of the server's local terminal, you can start from the following aspects:
1. Immediately prohibit normal user logons
When the server is performing backup, debugging, or other maintenance work, you may not want new users to log on to the system. In this case, you only need to create the /etc/nologin file: the login program checks whether /etc/nologin exists and, if it does, refuses normal users' logons (root is not restricted). Normal logons are restored once the file is deleted or the system is restarted.
touch /etc/nologin
2. Control the tty terminals opened by the server
By default, Linux opens six local terminals (consoles), tty1 through tty6. To disable unneeded tty terminals, edit the /etc/inittab file and comment out the corresponding lines.
3. Control the tty terminals from which the root user may log on
In Linux, the login program reads the /etc/securetty file to determine which terminals (secure terminals) the root user is allowed to log on from. To prevent the root user from logging on from a terminal, delete or comment out the corresponding line in that file.
Example: prevent the root user from logging on from the tty2 and tty3 terminals
vi /etc/securetty        # delete or comment out the tty2 and tty3 lines
4. Change the system logon prompt to hide the kernel version information
When you log on at a Linux system terminal, you will usually see a prompt showing the system name and kernel version. Many network attackers use this information to further scan and probe servers.
By modifying the /etc/issue and /etc/issue.net files (for local logon and network logon respectively), you can hide the logon prompt information described above or change it to other content. The new settings take effect after the system is restarted.
5. Adjust the BIOS boot settings:
Set the first boot device to the hard disk of the current system, and set the other boot devices to "Disabled". Set an administrator password for the BIOS and set the security level to "Setup".
6. Prevent unexpected restarts of the system caused by pressing Ctrl+Alt+Del
The Ctrl+Alt+Del hot key action is configured in the /etc/inittab file and is loaded by the init program, which recognizes and responds to the hot key.
vi /etc/inittab        # comment out the line carrying the ctrlaltdel action (ca::ctrlaltdel:...)
init q                 # makes init re-read /etc/inittab; takes effect immediately
7. GRUB boot menu password protection:
In system administration we have learned that modifying the GRUB boot parameters to enter single-user mode is a convenient way to fix some system problems. But the same edit lets anyone enter the system without a password and use root privileges. From the perspective of system security, this is a security risk.
To tighten control of the system boot process, you can set a password for GRUB. The GRUB boot parameters can then be modified only when the correct password is provided.
Set a plaintext password in the grub.conf file:
vi /boot/grub/grub.conf
password 123456
title Red Hat Enterprise Linux Server (2.6.18-8.el5)
        root (hd0,0)
        ..........................        (subsequent content omitted)
In the above example, a line "password 123456" is added before the line "title Red Hat ...". After the GRUB menu starts, you can no longer press the "e" key directly to edit the boot parameters. You must press the "p" key and enter the correct GRUB password as prompted before the "e" key will let you modify the boot parameters.
Note: if you add the password line inside the entry instead, before "root (hd0,0)", the password must be entered to boot the system.
grub.conf has a default permission of 644, so a plaintext password in it can be read by any user; set a ciphertext (hashed) password instead!
grub-md5-crypt
Password:
Retype password:
<hashed password>        (the MD5 hash printed by grub-md5-crypt)
vi /boot/grub/grub.conf
password --md5 <hashed password>
title Red Hat Enterprise Linux Server (2.6.18-8.el5)
        root (hd0,0)
        ..........................        (subsequent content omitted)
Now a password is required to start the system.
This is much better.
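As an added example (not code from the original article), the following POSIX shell helpers audit the settings from sections 1, 3, 4, 6 and 7 above. Each check takes the path of the file to inspect, so it can be pointed at the real /etc files or at the constructed sample files the last two functions write; the hash in the hardened sample is a labelled placeholder, not real grub-md5-crypt output.

```shell
# Added example, not from the original article: audit helpers for the
# terminal-hardening settings discussed above. Each check takes a file path;
# exit status 0 means the setting is hardened.

# 1. /etc/nologin exists -> normal user logons are refused (root is unaffected).
nologin_active() { [ -f "$1" ]; }
# 3. root is blocked on a tty when that tty has no active line in securetty.
#    usage: root_tty_blocked /etc/securetty tty2
root_tty_blocked() { ! grep -q "^[[:space:]]*$2[[:space:]]*$" "$1"; }
# 4. the banner must not use the kernel release (\r), kernel version (\v)
#    or system name (\s) escapes, which would print that information.
issue_hides_kernel() { ! grep -q '\\[rvs]' "$1"; }
# 6. the ctrlaltdel action in inittab is commented out or absent.
ctrlaltdel_disabled() { ! grep -q '^[^#]*:ctrlaltdel:' "$1"; }
# 7. grub.conf carries a hashed "password --md5 ..." line and no plaintext one.
grub_password_hashed() {
    grep -q '^[[:space:]]*password[[:space:]]\{1,\}--md5[[:space:]]' "$1" &&
    ! grep -q '^[[:space:]]*password[[:space:]]\{1,\}[^-]' "$1"
}

# Run every check against the files in directory $1 (named like their /etc
# counterparts); prints one line per check and returns the number of failures.
audit_dir() {
    fails=0
    for chk in "nologin_active $1/nologin" "root_tty_blocked $1/securetty tty2" \
               "issue_hides_kernel $1/issue" "ctrlaltdel_disabled $1/inittab" \
               "grub_password_hashed $1/grub.conf"; do
        if $chk; then echo "PASS: $chk"; else echo "FAIL: $chk"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample files for a hardened host, written into directory $1.
write_hardened_samples() {
    : > "$1/nologin"
    printf 'tty1\n#tty2\n#tty3\n' > "$1/securetty"
    printf 'Authorized use only.\n' > "$1/issue"
    printf '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$1/inittab"
    printf 'password --md5 $1$PLACEHOLDER$notarealhash\ntitle Red Hat\n' > "$1/grub.conf"
}

# Constructed sample files with the stock (unhardened) settings, into directory $1.
write_default_samples() {
    rm -f "$1/nologin"
    printf 'tty1\ntty2\ntty3\n' > "$1/securetty"
    printf 'Red Hat Enterprise Linux Server release 5\nKernel \\r on an \\m\n' > "$1/issue"
    printf 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now\n' > "$1/inittab"
    printf 'password 123456\ntitle Red Hat\n' > "$1/grub.conf"
}
```

To audit a live host, run the checks against /etc and /boot/grub/grub.conf directly, or copy those files into one directory and call audit_dir on it.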
These are the general terminal security settings for the server.