Linux on Linux operating system security settings

Today, Linux system security becomes more and more important, here I would like to use some of my usual Linux basic security measures written to discuss with you, let our Linux system become reliable.

1, the security settings of the BIOS

This is the most basic, but also the simplest. Be sure to set your BIOS password to prevent booting from the floppy disk by changing the boot order in the BIOS. This can prevent the ulterior motives of trying to start your system with a special boot disk, but also to prevent others from entering the BIOS changes the settings, so that the hardware settings of the machine can not be changed by others.

2, Lilo's security settings

LILO is the acronym for Linux Loader, which is the startup module for Linux. You can configure it by modifying the contents of the "/etc/lilo.conf" file. Add the following two parameters to the/etc/lilo.conf file: Restricted,password. These three parameters enable your system to require password authentication when you start Lilo.

Step one: Edit the lilo.conf file (VI/ETC/LILO.COMF), if or change these three parameters:

1boot=/dev/HDA2 3map=/boot/Map4 5install=/boot/boot.b6 7 prompt8 9timeout=xx#把这行该为00 so that the system starts without waiting and starts Linux directlyTen  Onemessage=/boot/message A  - Linear -  the default=Linux -  - restricted #加入这行 -  +password=#加入这行并设置自己的密码 -  +image=/boot/vmlinuz-2.4.2-2   A  atLabel=Linux -  -root=/dev/Hda6 -  -Read-only

The second step: because the "/etc/lilo.conf" file contains the plaintext password, it is set to the root permission to read.

0600

Step three: Update the system so that the changes made to the "/etc/lilo.conf" file work.

Fourth step: Use the "chattr" command to make the "/etc/lilo.conf" file immutable.

#

This prevents any change to "/etc/lilo.conf" (accidental or otherwise) to a certain extent

3. Make password more secure

The password can be said to be the system's first line of defense, most of the online attacks on the system from the interception of passwords or guessing password start, so we should choose a more secure password.

First of all, do not set the password account exists. This can be found by viewing the/etc/passwd file. For example, an account that exists with a user name of test and no password is set, the following line is in the/etc/passwd file:

The second item is empty, indicating that the test account does not have a password set, which is very dangerous! You should delete or set the password for that type of account.

Second, in the old version of Linux, in the/etc/passwd file contains encrypted passwords, which gives the security of the system a great hidden danger, the simplest way is to use brute force to obtain the password. You can use the/usr/sbin/pwconv or/usr/sbin/grpconv to create/etc/shadow or/etc/gshadow files, so that the/etc/passwd file does not contain the encrypted password, but is placed in the/etc/ Shadow file, the file is readable only by Superuser root!

The 3rd is to modify some of the system account shell variables, such as UUCP,FTP and news, and some only need FTP function account, must not give them to set/bin/bash or/bin/sh and other shell variables. You can empty their shell variables in/etc/passwd, such as/bin/false or/dev/null, or you can use the Usermod-s/dev/nullusername command to change the username shell to/ Dev/null. Using these accounts will not telnet to the system remotely!

The 4th is to modify the default password length: The default password length is 5 bytes when you install Linux. But that's not enough, set it to 8. To modify the minimum password length, you need to edit the Login.defs file (vi/etc/login.defs) and put the following line

Pass_min_len 5  instead  

The Login.defs file is a configuration file for the login program.

　4, automatic logout account login

The root account in a Unix system has the highest privileges. If the system administrator forgets to log out of the root account before leaving the system, it will pose a great security risk and should be automatically logged off. This function can be achieved by modifying the "tmout" parameter in the account. Tmout is calculated by seconds. Edit your profile file (vi/etc/profile) and add the following line after "histfilesize=":

300, which means 300 seconds, which means 5 minutes. This way, if the user logged on in the system has no action within 5 minutes, the system will automatically log off the account. You can do it in individual user's ". BASHRC "file, so that the system has a special automatic logoff time for that user.

After you change this setting, you must log off the user and then log in to activate the feature.

5. Remove the console access for ordinary users

You should remove the console access from the normal user, such as shutdown, reboot, Halt, and so on.

# rm-f/etc/security/console.apps/  

is the name of the program you want to unregister.

6. Cancel and reverse install all unused services

Cancel and reinstall all unused services, so your fears will be much less. Check the "/etc/inetd.conf" file to remove all services you don't need by commenting (add a "#" to the service item). Then use the "sighup" command to upgrade the "inetd.conf" file.

Linux on Linux operating system security settings