Linux system security configuration details

Source: Internet
Author: User

System security is critical to every user, and Linux users are no exception. Based on my own experience with Linux, I have summarized some tips for strengthening its security protection, and I introduce them here.

1. Add a boot password for LILO

Add options to the /etc/lilo.conf file so that LILO requires a password at boot time, which strengthens system security. The specific settings are as follows:

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=60          # wait 1 minute
prompt
default=linux
password=<password>   # the boot password you set
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only

Note that the password in lilo.conf is stored in plaintext, so you must also set the file permissions so that only root can read and write it:

# chmod 600 /etc/lilo.conf

Of course, the following command must also be run for the lilo.conf change to take effect:

# /sbin/lilo -v

2. Set the minimum password length and shortest usage time

Passwords are the main means of authenticating users to the system. The default minimum password length at installation is usually 5 characters. To make passwords harder to guess, raise the minimum length to at least 8 by changing the PASS_MIN_LEN parameter in the /etc/login.defs file. At the same time, limit how long a password may be used so that it is replaced regularly; we recommend that you also change the PASS_MIN_DAYS parameter.
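The following is an added example, not code from the page: it applies the PASS_MIN_LEN and PASS_MIN_DAYS change described above to a login.defs-style file and reads the values back. It works on a constructed copy of the file so nothing on the live system changes; point DEFS at /etc/login.defs (as root) to apply it for real. PASS_MAX_DAYS, which forces a password to be replaced after a set number of days, goes beyond what the page mentions but is a real login.defs key.

```shell
#!/bin/sh
# Added example (not from the page): apply the PASS_MIN_LEN / PASS_MIN_DAYS
# change from section 2 to a login.defs-style file and read the result back.
# It runs against a constructed copy so nothing on the live system is touched;
# point DEFS at /etc/login.defs to apply it for real (as root).

# set_login_defs_key FILE KEY VALUE: replace the active KEY line, or append it
# if the key is missing or only present as a comment. Uses a temp file instead
# of 'sed -i' so it also works where sed lacks that (non-POSIX) option.
set_login_defs_key() {
    file=$1 key=$2 value=$3
    if awk -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$file"; then
        awk -v k="$key" -v v="$value" '$1 == k { print k "\t" v; next } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\t%s\n' "$key" "$value" >> "$file"
    fi
}

# get_login_defs_key FILE KEY: print the effective value (last active line wins;
# commented lines are skipped because their first field is '#').
get_login_defs_key() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Constructed sample in the shape of a stock /etc/login.defs (not a real file).
DEFS=$(mktemp)
cat > "$DEFS" <<'EOF'
# constructed sample, not a real system file
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

set_login_defs_key "$DEFS" PASS_MIN_LEN 8      # page: at least 8 characters
set_login_defs_key "$DEFS" PASS_MIN_DAYS 1     # page: limit how soon a password may be changed again
set_login_defs_key "$DEFS" PASS_MAX_DAYS 90    # beyond the page: force replacement every 90 days

printf 'PASS_MIN_LEN=%s PASS_MIN_DAYS=%s PASS_MAX_DAYS=%s\n' \
    "$(get_login_defs_key "$DEFS" PASS_MIN_LEN)" \
    "$(get_login_defs_key "$DEFS" PASS_MIN_DAYS)" \
    "$(get_login_defs_key "$DEFS" PASS_MAX_DAYS)"
```

Two things to check after editing the real file: on PAM-based distributions the length rule is usually enforced by pam_pwquality or pam_cracklib in /etc/pam.d rather than by PASS_MIN_LEN, and the ageing keys only apply to accounts created afterwards, so existing accounts need `chage` (use `chage -l <user>` to see what is actually in force).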

3. User logout upon timeout

If you forget to log out of your account when you leave, the system may be exposed. You can modify the /etc/profile file so that an account is automatically logged out after it has been idle for a period of time.

Edit the /etc/profile file and add the following line after the line beginning with "HISTFILESIZE=":

TMOUT=600

All users will then be logged out automatically after 10 minutes without activity.

4. Prohibit access to important files

You can change the attributes of key files such as inetd.conf, services and lilo.conf to prevent ordinary users from viewing or accidentally modifying them.

First, change the file permissions to 600:

# chmod 600 /etc/inetd.conf

Make sure the owner of the file is root, then mark it immutable:

# chattr +i /etc/inetd.conf

Any change to the file is now refused.

It can be modified only after root clears the flag again:

# chattr -i /etc/inetd.conf
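As an added example (not from the page), here is an audit of the lock-down described in this section: for each file it reports the mode, the owner and whether the immutable flag is set, and it succeeds only when all three match the expected state. The expected mode is a parameter because /etc/services must stay world-readable (every program that resolves a port name reads it), so it gets 644 plus the immutable flag rather than 600. The script changes nothing on its own; the lock_down function is the page's commands bundled for use as root.

```shell
#!/bin/sh
# Added example (not from the page): audit the lock-down from section 4.
# Reports mode, owner and immutable flag; returns success only when all three
# match the expected state. Changes nothing by itself.

# perm_string FILE: the 10-character mode field from ls, e.g. -rw-------
# (cut drops the SELinux/ACL marker that some ls versions append)
perm_string() { ls -ld "$1" | cut -c1-10; }

# owner_of FILE: owner name, taken from ls -ld (portable across stat variants)
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# is_immutable FILE: 0 when lsattr shows the 'i' flag, 1 otherwise. lsattr fails
# on filesystems without attribute support (tmpfs, NFS); that counts as "not set".
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{ print $1 }')
    case "$flags" in *i*) return 0 ;; *) return 1 ;; esac
}

# audit_file FILE EXPECTED_MODE: print one report line; exit status 0 only if
# the mode matches, the owner is root and the immutable flag is set.
audit_file() {
    mode=$(perm_string "$1"); owner=$(owner_of "$1")
    if is_immutable "$1"; then imm=yes; else imm=no; fi
    printf '%-18s mode=%s owner=%s immutable=%s\n' "$1" "$mode" "$owner" "$imm"
    [ "$mode" = "$2" ] && [ "$owner" = root ] && [ "$imm" = yes ]
}

# lock_down FILE MODE: the page's commands in one step (root only; chattr needs
# an ext2/3/4-style filesystem). Not called in this demo.
lock_down() { chown root:root "$1" && chmod "$2" "$1" && chattr +i "$1"; }

# Check the files the page names, with the mode each one should have.
for entry in "/etc/inetd.conf -rw-------" "/etc/lilo.conf -rw-------" "/etc/services -rw-r--r--"; do
    set -- $entry
    [ -e "$1" ] || continue
    audit_file "$1" "$2" || echo "  -> $1 is not fully locked down"
done
```

Run it from cron and compare its output over time; a file that suddenly reports immutable=no or a different owner is worth a look. Remember that `chattr +i` also blocks package upgrades from replacing the file, so clear the flag before updating.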

5. Allow and disable remote access

In Linux, the /etc/hosts.allow and /etc/hosts.deny files control which remote hosts may access local services. The common practice is:

(1) Edit the hosts.deny file and add the following lines:

# Deny access to everyone.
ALL: ALL@ALL

All services are now refused to all external hosts unless the hosts.allow file says otherwise.

(2) Edit the hosts.allow file and add the following lines:

# Just an example:
ftp: 202.84.17.11 xinhuanet.com

Clients matching the IP address 202.84.17.11 or the host name xinhuanet.com are allowed to access the FTP service.

(3) After setting them, use tcpdchk to check that the configuration is correct.
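To show why the order of the two files matters, here is an added example (not from the page) that models the tcpd lookup in a small awk function and runs it against constructed copies of the two files above: hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed. It supports ALL, exact host or address tokens, user@host (the user part is ignored), leading-dot domain suffixes and trailing-dot address prefixes; EXCEPT, KNOWN/UNKNOWN/PARANOID, netmasks and the optional shell-command field are not modelled.

```shell
#!/bin/sh
# Added example (not from the page): a simplified model of how tcpd decides
# access from hosts.allow and hosts.deny. Allow file first, then deny file,
# no match in either means access is granted.

# rule_matches FILE DAEMON CLIENT: exit 0 if any rule line in FILE matches
rule_matches() {
    awk -v d="$2" -v c="$3" '
        function tok_match(list, value, is_client,    i, n, t, toks) {
            gsub(/,/, " ", list)
            n = split(list, toks, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                t = toks[i]
                if (t == "") continue
                if (is_client) sub(/^[^@]*@/, "", t)      # ALL@ALL -> ALL
                if (t == "ALL" || t == value) return 1
                if (is_client && t ~ /^\./ && substr(value, length(value) - length(t) + 1) == t) return 1
                if (is_client && t ~ /\.$/ && substr(value, 1, length(t)) == t) return 1
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        {
            if (split($0, f, ":") < 2) next             # need "daemons : clients"
            if (tok_match(f[1], d, 0) && tok_match(f[2], c, 1)) { hit = 1; exit }
        }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# decide ALLOW_FILE DENY_FILE DAEMON CLIENT: print allow or deny
decide() {
    if rule_matches "$1" "$3" "$4"; then echo allow
    elif rule_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed copies of the page's two files (temp dir, not /etc).
WRAP=$(mktemp -d)
cat > "$WRAP/hosts.deny" <<'EOF'
# Deny access to everyone.
ALL: ALL@ALL
EOF
cat > "$WRAP/hosts.allow" <<'EOF'
# Just an example:
ftp: 202.84.17.11 xinhuanet.com
EOF

for pair in "ftp 202.84.17.11" "ftp xinhuanet.com" "ftp 10.0.0.5" "telnet 202.84.17.11"; do
    set -- $pair
    printf '%-7s from %-14s -> %s\n' "$1" "$2" "$(decide "$WRAP/hosts.allow" "$WRAP/hosts.deny" "$1" "$2")"
done
```

On a system that has tcp_wrappers installed, `tcpdmatch <daemon> <client>` performs the same lookup with the real library and is the authoritative check to pair with tcpdchk. Many current distributions no longer ship tcp_wrappers at all, in which case the same per-service filtering has to be done in the firewall or in the service's own configuration.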

6. Limit the Shell Command record size

By default, the bash shell keeps up to 500 commands in the file $HOME/.bash_history (the default number varies by system). Every user's home directory contains such a file. I strongly recommend that you limit its size.

You can edit the /etc/profile file and change the settings as follows: HISTFILESIZE=30 or HISTSIZE=30.

7. Delete command records when logging out

Edit the /etc/skel/.bash_logout file and add the following line:

rm -f $HOME/.bash_history

In this way, every user on the system deletes their command history when logging out.

If you only need this for a specific user, such as root, add the same line to the .bash_logout file in that user's home directory instead.
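The settings from sections 3, 6 and 7 are small enough to keep together, so here they are as an added example (not from the page): a profile fragment and a logout script written to a temporary directory and then checked by sourcing them in a subshell. On a real system the fragment would go into /etc/profile.d/ (assumed here to be sourced by /etc/profile, as on most distributions) and the logout script into /etc/skel/.bash_logout, exactly where the page puts the lines. Two additions go beyond the page: TMOUT is made read-only so a user cannot simply unset it, and HISTFILE is unset in the logout script, because bash writes the history file after ~/.bash_logout has run, so the rm alone leaves the current session's commands behind.

```shell
#!/bin/sh
# Added example (not from the page): sections 3, 6 and 7 as one drop-in
# fragment plus a logout script, written to a temp directory and checked by
# sourcing them in a subshell.

OUT=$(mktemp -d)
FRAGMENT="$OUT/99-hardening.sh"
LOGOUT="$OUT/.bash_logout"

cat > "$FRAGMENT" <<'EOF'
# Section 3: log an idle shell out after 10 minutes. Marking TMOUT read-only
# (beyond the page) stops a user from running 'unset TMOUT' to defeat it.
TMOUT=600
export TMOUT
readonly TMOUT

# Section 6: keep 30 commands in memory and on disk.
HISTSIZE=30
HISTFILESIZE=30
export HISTSIZE HISTFILESIZE
EOF

cat > "$LOGOUT" <<'EOF'
# Section 7: drop the history file at logout. Bash saves history after this
# file has run, so unsetting HISTFILE (beyond the page) stops it from writing
# the current session back to disk.
rm -f "$HOME/.bash_history"
unset HISTFILE
EOF

# effective_settings FRAGMENT: source it in a subshell and report the values,
# so the fragment can be checked without changing the calling shell.
effective_settings() {
    ( . "$1"; printf 'TMOUT=%s HISTSIZE=%s HISTFILESIZE=%s\n' "$TMOUT" "$HISTSIZE" "$HISTFILESIZE" )
}

# tmout_is_locked FRAGMENT: 0 if the fragment makes TMOUT impossible to unset.
tmout_is_locked() {
    if ( . "$1"; unset TMOUT 2>/dev/null ); then return 1; else return 0; fi
}

# logout_unsets_histfile LOGOUT: 0 if sourcing the logout script clears HISTFILE.
# HOME points at an empty temp dir so nothing real is removed.
logout_unsets_histfile() {
    ( HOME=$(mktemp -d); HISTFILE=$HOME/.bash_history; . "$1"; [ -z "${HISTFILE:-}" ] )
}

effective_settings "$FRAGMENT"
tmout_is_locked "$FRAGMENT" && echo "TMOUT is read-only"
logout_unsets_histfile "$LOGOUT" && echo "logout script clears HISTFILE"
```

TMOUT is a bash (and ksh) feature, so it does nothing for accounts whose login shell ignores it, and a small HISTFILESIZE cuts both ways: it limits what an intruder can read from a compromised account, but it also limits what you can reconstruct afterwards, so keep central logging (auditd or a remote syslog) if you need a forensic trail.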

8. Disable unnecessary SUID programs

SUID allows an ordinary user to run a program with root privileges, so such programs should be strictly controlled.

Find the programs with the s bit set, and note which of them are owned by root:

# find / -type f \( -perm -04000 -o -perm -02000 \) -print | less

Disable those that are not needed:

# chmod a-s program_name
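The one-off find above is more useful as an inventory you keep, so here is an added example (not from the page) that lists the set-id files under a root, records mode and owner for each, and compares the current list with a saved baseline so that a newly appeared or re-permissioned binary stands out. The demo runs on a constructed temporary tree; on a real system run it against / as root, review the first report, save it as the baseline, and rerun it regularly.

```shell
#!/bin/sh
# Added example (not from the page): inventory set-id files and compare the
# current state against a baseline. Demo tree is constructed in a temp dir.

# list_setid ROOT: sorted paths of regular files with the setuid or setgid bit.
# -xdev keeps find on one filesystem so /proc and network mounts are skipped.
list_setid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# describe_setid ROOT: "MODE OWNER PATH" per set-id file (ls -l keeps it portable).
describe_setid() {
    list_setid "$1" | while IFS= read -r p; do
        ls -ld "$p" | awk -v p="$p" '{ print $1, $3, p }'
    done
}

# setid_diff BASELINE ROOT: lines present now but absent from the baseline file.
# A changed owner or mode shows up too, because the whole line must match.
setid_diff() {
    describe_setid "$2" | grep -vxF -f "$1" || :
}

# Constructed demo tree: one set-uid script, one ordinary one, empty baseline.
DEMO=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$DEMO/setuid-tool"; chmod 4755 "$DEMO/setuid-tool"
printf '#!/bin/sh\necho hello\n' > "$DEMO/plain-tool";  chmod 755  "$DEMO/plain-tool"
: > "$DEMO/baseline"

echo "new or changed set-id files:"
setid_diff "$DEMO/baseline" "$DEMO"
# After review, freeze the accepted state; the next run reports only changes.
describe_setid "$DEMO" > "$DEMO/baseline"
# The page's remedy for anything unneeded: chmod a-s /path/to/program
```

Keep the baseline somewhere the audited system cannot rewrite it (or sign it), otherwise an intruder who adds a set-uid binary can add it to the baseline as well.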

9. Check the information displayed at startup.

When a Linux system boots, a long stream of boot messages scrolls across the screen. If a problem occurs during startup, run the following command to examine it:

# dmesg > bootmessage

This command redirects the messages displayed at startup into the file bootmessage.

10. Disk Space Maintenance

Checking disk space regularly is necessary to maintain the Linux file system. In Linux, the most frequently used commands for disk space maintenance are df and du.
