Linux operating system security protection measures

Source: Internet
Author: User
Tags ftp login
Article Title: Linux operating system security protection measures instance. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

System security record file

Recording files in the operating system are important clues for detecting network intrusion. If your system is directly connected to the Internet, you find that many people try to Telnet/FTP login to your system, you can run "# more/var/log/secure | grep refused" to check the system's attacks and take corresponding countermeasures, such as replacing Telnet/rlogin with SSH.

Startup and login security

1. BIOS Security

Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.

2. User Password

The user password is a basic starting point for Linux security. The user password used by many people is too simple, which opens the door to the intruders, although theoretically speaking, as long as you have enough time and resources to use, there is no user password that cannot be cracked. However, selecting a proper password is difficult to crack. A good user password is a string of characters that only he can easily remember and understand, and should never be written anywhere.

3. Default Account

All default accounts that are started by the operating system and are not necessary should be prohibited. This should be done when you install the system for the first time. Linux provides many default accounts, and the more accounts, the more vulnerable the system is.

You can use the following command to delete an account.

       
        
# Userdel Username
       

Or use the following command to delete the group user account.

       
          # groupdel username
       

4. Password File

The chattr command adds unchangeable attributes to the following files to prevent unauthorized users from obtaining permissions.

       
          # chattr +i /etc/passwd   # chattr +i /etc/shadow   # chattr +i /etc/group         # chattr +i /etc/gshadow
       

5. Disable Ctrl + Alt + delete to restart the machine command.

Modify the/etc/inittab file and comment out the line "ca: ctrlaltdel:/sbin/shutdown-t3-r now. Then reset the permission for all files in the/etc/rc. d/init. d/directory and run the following command:

       
          # chmod -R 700 /etc/rc.d/init.d/*
       

In this way, only the root user can read, write, or execute all the above script files.

6. Restrict su commands

If you don't want anyone to use su as root, you can edit the/etc/pam. d/su file and add the following two lines:

       
          auth sufficient /lib/security/pam_rootok.so debug         auth required /lib/security/pam_wheel.so group=isd
       

In this case, only users in the isd group can use su as the root user. After that, if you want the user admin to use su as the root user, you can run the following command:

       
          # usermod -G10 admin
       

7. Delete logon information

By default, the logon prompt includes the Linux release, kernel version, and server host name.

For a machine with high security requirements, too much information is leaked.

You can edit/etc/rc. d/rc. local to comment out the following lines of output system information.

       
          # This will overwrite /etc/issue at every boot. So, make any changes you   # want to make to /etc/issue here or you will lose them when you reboot  # echo "" > /etc/issue   # echo "$R" >> /etc/issue   # echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue   # cp -f /etc/issue /etc/issue.net         # echo >> /etc/issue
       

Then, perform the following operations:

       
          # rm -f /etc/issue   # rm -f /etc/issue.net   # touch /etc/issue         # touch /etc/issue.net
       

 

[1] [2] [3] Next page

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.