Article Title: Linux Security Settings manual
Author: H2KILL
This article describes basic security settings that make a Linux system harder to attack.
1. Bios Security
Set a BIOS password and configure the BIOS boot order so that the machine cannot be booted from a floppy disk.
This stops someone with physical access from booting your system with their own boot disk, and from entering the BIOS setup to change the configuration (for example, to re-enable booting from floppy). A BIOS password only deters an attacker who cannot open the case: clearing the CMOS or moving the disk to another machine bypasses it, so treat it as one layer of protection, not a complete one.
2. LILO Security
Add the following three parameters to the "/etc/lilo.conf" file: time-out, restricted and password. With them, LILO demands a password before it will boot with user-supplied options (for example "linux single" typed at the boot prompt), which otherwise gives anyone at the console a root shell.
Step 1:
Edit the lilo.conf file (vi /etc/lilo.conf) and add or modify these three parameters:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=00        # set this line to 00
prompt
default=linux
restricted         # add this line
password=          # add this line and put your own password after the "="
image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only
Step 2:
Because "/etc/lilo.conf" now contains a plaintext password, make it readable by root only:
[root@kapil /]# chmod 600 /etc/lilo.conf
Step 3:
Rewrite the boot map so that the change to "/etc/lilo.conf" takes effect (LILO does not read the file at boot time):
[root@kapil /]# /sbin/lilo -v
Step 4:
Use the "chattr" command to make the "/etc/lilo.conf" file immutable:
[root@kapil /]# chattr +i /etc/lilo.conf
This prevents any change to "/etc/lilo.conf", accidental or otherwise, until the attribute is removed again with chattr -i.
3. Delete all special accounts
You should delete all unused default user and group accounts (such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, and so on). Before removing an account, check that no running service or installed package still relies on it: a process that runs as that user, or files owned by it, will break or be left orphaned.
Delete a user:
[root@kapil /]# userdel lp
Delete a group:
[root@kapil /]# groupdel lp
4. Select the correct password
Make the following change before choosing passwords:
Change the minimum password length: when Linux is installed, the default minimum password length is 5 characters, which is too short. Raise it to 8. To change the minimum length, edit the login.defs file (vi /etc/login.defs) and change
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
The login.defs file is the configuration file of the shadow password suite (login, passwd, useradd and related programs). On a PAM-based system the PAM password module (pam_cracklib on systems of this generation) enforces its own minimum length when passwords are changed, so set that as well.
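The same edit done as a script that can be re-run safely, added here as an example and not taken from the original article. It assumes only that the file uses the KEY VALUE layout of login.defs; the sample file is constructed inline so the script runs offline.

```shell
# Added example: idempotent editor for KEY VALUE settings in a login.defs-style file.
# set_login_def FILE KEY VALUE replaces the first active (uncommented) line for
# KEY, drops any later duplicate active lines, and appends the setting when no
# active line exists.  Commented lines, including the descriptive
# "#  PASS_MIN_LEN  Minimum acceptable password length." text that ships in
# login.defs, are left untouched.
set_login_def() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^[ \t]*" key "[ \t]") {
            if (!done) { print key "\t" value; done = 1 }
            next                        # drop duplicate active entries
        }
        { print }
        END { if (!done) print key "\t" value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_login_def FILE KEY prints the value of the first active KEY line, or nothing.
get_login_def() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Constructed sample of /etc/login.defs (not a real system file) so the script
# can be run offline; point it at /etc/login.defs as root for real use.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#  PASS_MIN_LEN  Minimum acceptable password length.
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
UID_MIN         500
EOF
set_login_def "$sample" PASS_MIN_LEN 8
set_login_def "$sample" PASS_MAX_DAYS 90     # assumed policy, not from the article
echo "PASS_MIN_LEN is now $(get_login_def "$sample" PASS_MIN_LEN)"   # prints 8
rm -f "$sample"
```

Matching only uncommented lines is deliberate: a naive sed over "PASS_MIN_LEN" would also rewrite the explanatory comment that precedes the real setting in the stock file.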
5. Enable shadow passwords
You should enable shadow passwords. Without them, the password hashes sit in the world-readable "/etc/passwd", where any local user can copy them and run an offline dictionary attack; with shadowing they move to "/etc/shadow", which only root can read. Use the "/usr/sbin/authconfig" tool to enable shadow passwords. To convert existing password and group files to the shadow format, use the "pwconv" and "grpconv" commands respectively.
6. root Account
On Unix systems the root account has the highest privilege. If the administrator leaves a root shell logged in and walks away, anyone at that terminal can use it. The shell can be made to log out automatically after a period of inactivity with the "TMOUT" variable, which bash reads as a number of seconds. Edit the profile file (vi /etc/profile) and add the following line after the "HISTFILESIZE=" line:
TMOUT=3600
3600 is 60*60 seconds, that is, one hour: if a logged-in user types nothing at the prompt for an hour, bash exits and the session is logged out. A different value can be put in a user's ".bashrc" to give that user their own timeout. A user can also unset or change TMOUT in their own shell; marking the variable read-only in /etc/profile with bash's readonly builtin prevents that. The setting takes effect only for new logins, so log out and back in after changing it.
7. Revoke console users' access to privileged programs
You should take away ordinary console users' right to run privileged programs such as shutdown, reboot and halt. On Red Hat systems, pam_console lets whoever is logged in on the console run any program that has a file under "/etc/security/console.apps/"; removing that file revokes the right:
[root@kapil /]# rm -f /etc/security/console.apps/<program>
where <program> is the name of the program you want to take away from console users.
8. Disable all unused services
Disable all unused services; every service you remove is one fewer thing to worry about. Look through the "/etc/inetd.conf" file and comment out every service you do not need (put a "#" at the start of its line), then send inetd a HUP signal so that it re-reads "/etc/inetd.conf".
Step 1:
Change "/etc/inetd.conf" to mode 600, so that only root can read and write the file:
[root@kapil /]# chmod 600 /etc/inetd.conf
Step 2:
Make sure that the owner of the "/etc/inetd.conf" file is root (check with ls -l).
Step 3:
Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and disable the services you do not need, for example: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. Disabling unnecessary services significantly reduces the attack surface of the system. Note that telnet, ftp, the r-services (shell, login, exec) and the plain POP and IMAP daemons all send passwords across the network in clear text, so they are the first candidates to go; use ssh for remote access instead.
Step 4:
Send a HUP signal to the inetd process:
[root@kapil /]# killall -HUP inetd
Step 5:
Use the chattr command to make the /etc/inetd.conf file immutable, so that nobody can modify it:
[root@kapil /]# chattr +i /etc/inetd.conf
This prevents any modification to inetd.conf, accidental or otherwise; only root can remove the attribute. If you need to edit the inetd.conf file, first clear the immutable flag:
[root@kapil /]# chattr -i /etc/inetd.conf
Don't forget to make it immutable again afterwards.
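The steps above as a script, added here as an example and not taken from the original article. It assumes an inetd.conf in which the first field of each active line is the service name, and the sample file is constructed for illustration; on a real system run it against /etc/inetd.conf as root (after chattr -i if the file is already immutable) and then send inetd the HUP signal.

```shell
# Added example: comment out a list of services in an inetd.conf-style file and
# report what is still enabled.  A service line is disabled by prefixing it with
# "#", exactly as the text above instructs; the first whitespace-separated field
# is the service name from /etc/services (ftp, telnet, pop-3, ...).
disable_inetd_services() {   # usage: disable_inetd_services FILE SERVICE...
    file=$1; shift
    tmp="$file.tmp.$$"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }      # comments and blank lines: untouched
        ($1 in off) { print "#" $0; next }          # disable this service
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

list_enabled_inetd() {   # usage: list_enabled_inetd FILE  -> one service name per line
    awk '/^[ \t]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Constructed sample of /etc/inetd.conf (not a real system file) so the script
# runs offline; for real use point it at /etc/inetd.conf and HUP inetd afterwards.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
disable_inetd_services "$sample" ftp telnet pop-3 finger
echo "still enabled: $(list_enabled_inetd "$sample" | tr '\n' ' ')"   # prints: still enabled: auth
rm -f "$sample"
```

Listing what remains enabled after the edit is the check worth keeping: it is easy to miss a service whose line has leading whitespace or an unfamiliar name, and the list is what you compare against the services you actually intend to offer.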
9. TCP_WRAPPERS
TCP_WRAPPERS protects the services started from inetd (those run through /usr/sbin/tcpd) against connections from hosts you have not approved. The best policy is to refuse every host by default (put "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file) and then list every host that is allowed in the "/etc/hosts.allow" file.
Step 1:
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This refuses every service from every client unless the connecting host matches an entry in hosts.allow, which tcpd checks first. PARANOID additionally refuses any client whose host name does not resolve back to its address.
Step 2:
Edit the hosts.allow file (vi /etc/hosts.allow) and add the hosts that are allowed to connect. For example:
in.ftpd: 202.54.15.99 foo.com
202.54.15.99 and foo.com are the IP address and host name allowed to reach the FTP service. The first field is the name of the daemon process that tcpd starts (in.ftpd, in.telnetd and so on), not the service name from /etc/services, so a line beginning "ftp:" would never match.
Step 3:
The tcpdchk program is the tcpd wrapper configuration checker: it examines your tcp wrapper settings and reports potential and real problems it finds. After making the changes, run:
[root@kapil /]# tcpdchk
To check what would happen to one particular connection, tcpdmatch takes a daemon name and a client address and reports the decision the real library would make.
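To see why the order of the two files matters, here is a small model of tcpd's decision, added as an example and not part of the original article or of the tcp_wrappers package. It handles a subset of the pattern syntax (ALL, an exact IP address or host name, a leading-dot domain suffix, a trailing-dot network prefix, and user@host with the user part ignored); PARANOID, EXCEPT, netmask forms and DNS lookups are not modelled. The hosts.allow and hosts.deny contents are constructed for illustration; on a real system ask tcpdmatch, which uses the actual library.

```shell
# Added example: model of how tcpd consults hosts.allow and hosts.deny.
# A match in hosts.allow grants access; otherwise a match in hosts.deny refuses
# it; otherwise access is granted.  Each line is "daemon_list : client_list",
# lists are separated by blanks and/or commas.
wrapper_match() {   # usage: wrapper_match FILE DAEMON CLIENT  -> status 0 on match
    awk -v daemon="$2" -v client="$3" '
        function tok_match(pat, val) {
            sub(/^.*@/, "", pat)                      # user@host -> host (user part ignored)
            if (pat == "ALL" || pat == val) return 1
            if (pat ~ /^\./ && length(val) > length(pat) &&
                substr(val, length(val) - length(pat) + 1) == pat) return 1   # .foo.com
            if (pat ~ /\.$/ && substr(val, 1, length(pat)) == pat) return 1   # 202.54.15.
            return 0
        }
        function list_match(list, val,    n, i, arr) {
            n = split(list, arr, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (arr[i] != "" && tok_match(arr[i], val)) return 1
            return 0
        }
        /^[ \t]*#/ || NF == 0 { next }
        {
            n = split($0, f, ":")                     # daemon_list : client_list [: option]
            if (n >= 2 && list_match(f[1], daemon) && list_match(f[2], client)) {
                found = 1; exit
            }
        }
        END { exit !found }
    ' "$1"
}

tcpd_decision() {   # usage: tcpd_decision DAEMON CLIENT ALLOWFILE DENYFILE  -> allow|deny
    if wrapper_match "$3" "$1" "$2"; then echo allow
    elif wrapper_match "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed hosts.allow / hosts.deny (not real system files) mirroring the
# policy in the text: deny everything, then allow one host for the FTP daemon.
allow=$(mktemp); deny=$(mktemp)
printf 'in.ftpd: 202.54.15.99 foo.com\n' > "$allow"
printf '# Deny access to everyone.\nALL: ALL@ALL, PARANOID\n' > "$deny"
for c in 202.54.15.99 foo.com 10.0.0.1; do
    echo "in.ftpd from $c: $(tcpd_decision in.ftpd "$c" "$allow" "$deny")"
done   # prints allow, allow, deny
rm -f "$allow" "$deny"
```

The last branch of tcpd_decision is the one to remember: an empty hosts.deny means every unlisted client is let in, which is why the deny-all line is the foundation of the policy rather than an optional extra.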
10. Prohibit system information exposure
Do not let the system show its welcome banner, which reveals the operating system and version, to remote login attempts. For telnet this is done in the "/etc/inetd.conf" file: change the line
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
With "-h" appended, in.telnetd shows only the login prompt and suppresses the host banner that would otherwise be printed before login.
11. Modify the "/etc/host.conf" file
"/etc/host.conf" tells the resolver library how to resolve names. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves names through DNS first and then falls back to the hosts file. The second lets a host in the "/etc/hosts" file have more than one IP address (for example, a machine with several Ethernet interfaces). The third makes the resolver check a name lookup against a reverse lookup of the resulting address and reject mismatches, a guard against host name spoofing on the local machine. Newer glibc versions honour only some of these keywords, so check host.conf(5) on your system.
12. Make the "/etc/services" file immutable
Make the "/etc/services" file immutable to prevent unauthorized deletion or addition of service entries:
[root@kapil /]# chattr +i /etc/services
13. root login from different consoles is not allowed
The "/etc/securetty" file lists the TTY devices on which root is allowed to log in. Edit the "/etc/securetty" file and put a "#" in front of (or delete) each TTY device from which root should not be able to log in. This is enforced by login and pam_securetty for terminal and console logins; it does not by itself restrict sshd, which has its own PermitRootLogin setting.
14. Restrict who can use the su command to become root
The su command lets you become another existing user on the system. If you want to stop everyone except a chosen group from using su to become root, edit the su configuration file in the "/etc/pam.d/" directory (vi /etc/pam.d/su) and add the following two lines at the beginning:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
The first line lets root su to any user without a password. The second means that only members of the "wheel" group may use su; anyone else is refused before a password is even asked for. As written, pam_wheel applies to su to any target user; add its root_only option if the restriction should apply only when the target is root. Add a user to the "wheel" group to let them use su to become root.
15. Shell logging
The bash shell keeps the last 500 commands used in "~/.bash_history" ("~/" is the user's home directory), which makes it convenient to recall long commands. Every user with an account on the system has a ".bash_history" file in their home directory. It is better to have bash keep only a small number of commands and delete the history file every time the user logs out, because the file records everything typed at the shell, including any passwords passed on a command line.
Step 1:
The "HISTFILESIZE" and "HISTSIZE" lines in the "/etc/profile" file determine how many old command lines the ".bash_history" file can hold. We strongly recommend setting the values of "HISTFILESIZE" and "HISTSIZE" in "/etc/profile" to a small number, such as 30. Edit the profile file (vi /etc/profile),