With its stable and open source code, Linux has been increasingly used as Web servers and database servers on the Internet. As a result, the security of Linux systems has been paid more and more attention, reinforcing the Linux system is imminent for many people. So what should we do to better harden the Linux system to cope with various emergencies and hacker attacks?
1. Installation and upgrade
Use the latest Linux release version as much as possible. Unplug the network cable and disconnect the physical connection before installation. During installation, we recommend that you install software packages in the custom mode of M. Generally, there is no need to install X-windows on the server. Add password restrictions to the lilo/grub boot to prevent malicious users who can physically access the server.
Because the rescue mode of the Linux installation CD can be skipped, you need to add a password or lock the server chassis to the BIOS. Directories such as/var,/home,/usr, And/root use independent physical partitions to prevent the D. o. S attack caused by filling hard disks with junk data and logs. Give a strong password to the root account.
Upgrade the system software with up2date or apt immediately after installation is complete. Sometimes upgrading the kernel is also necessary, because kernel problems also give attackers a chance. Apt is a powerful package management tool under Debian GNU Linux and can be used in other versions of Linux.
2. Account
If there are many users in the system, you can edit/etc/login. defs: change the password policy and delete unnecessary accounts and groups in the system. If anonymous ftp is not enabled, you can also delete the ftp account. The command to delete an account is as follows:
[root@ayazero/]#userdel-r username |
The safest way is local maintenance. Unfortunately, it is not realistic, but you still need to restrict the remote access of the root user. The administrator can log on remotely with an ordinary account and then su to the root user, we can add su users to the wheel group to improve security. Add the following two lines of code to the header of the/etc/pam. d/su file:
Edit/etc/securetty, comment out all the consoles that allow remote root logon, and disable all console programs. The command is as follows:
Encrypted ssn is used for Logon. If the Administrator only logs on from a fixed terminal, the valid ssn client range should also be limited,
Prevents sniffing and man-in-the-middle attacks. At the same time, the command history is classified as zero to hide what you have done as much as possible. The command is:
3. Service
The minimum service principle is adopted, and all unnecessary services are commented out. In/etc/inetd. add "#" to the service that is not required in conf. In later versions, inetd is not available, but Xinetd is replaced. Cancel the automatic start of the service and set/etc/rc. in d/rc3.d, the first letter of the fat service that does not need to be run is "S" changed to "K", and the rest remains unchanged.
If you want to simplify it, you can use the/etc/host. allow and/etc/host. deny files. However, we recommend using the iptables firewall, so we will not detail it here.