Linux Security Manual

Source: Internet
Author: User

This article is reproduced from linuxsir. It describes how to use basic security measures to make your Linux system more reliable.

1. BIOS Security

Set a password for the BIOS and change the boot order so that the machine does not boot from a floppy disk. This stops others from booting your system with a special boot disk, and it also stops them from entering the BIOS to change the settings (for example, to allow booting from a floppy disk again).

2. LILO Security
In the "/etc/lilo.conf" file, add the three parameters timeout, restricted and password. Together they make your system require password verification when LILO starts.

Step 1:

Edit the lilo.conf file (vi /etc/lilo.conf) and add or modify these three parameters:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00                 # set this line to 00
prompt
default=linux
restricted                 # add this line
password=<your password>   # add this line and set your own password
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only

Step 2:

Because the "/etc/lilo.conf" file now contains a plaintext password, make it readable by root only:
[root@kapil /]# chmod 600 /etc/lilo.conf

Step 3:

Run lilo so that the changes to "/etc/lilo.conf" take effect:
[root@kapil /]# /sbin/lilo -v

Step 4:

Use the "chattr" command to make the "/etc/lilo.conf" file immutable:
[root@kapil /]# chattr +i /etc/lilo.conf
This prevents any changes to "/etc/lilo.conf", accidental or otherwise.

3. Delete all special accounts

You should delete all unused default user and group accounts (such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.).
Delete a user:
[root@kapil /]# userdel lp
Delete a group:
[root@kapil /]# groupdel lp

4. Select the correct password

Make the following change before choosing a password:
Change the minimum password length: when you install Linux, the default minimum password length is 5 bytes. That is not enough; set it to 8. To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
The login.defs file is the configuration file of the login program.

5. Enable shadow passwords
You should enable shadow passwords, which moves the encrypted passwords out of the world-readable "/etc/passwd" into "/etc/shadow", readable by root only. Use the "/usr/sbin/authconfig" tool to turn shadow passwords on. If you want to convert existing passwords and groups to the shadow format, use the "pwconv" and "grpconv" commands.

6. Root Account
In Unix systems the root account has the highest privilege. If the system administrator forgets to log out of the root account before leaving the system, it should be logged out automatically. You can implement this by setting the "TMOUT" parameter in your account; TMOUT is measured in seconds. Edit your profile file (vi /etc/profile) and add the following line after "HISTFILESIZE=":
TMOUT=3600
3600 means 60*60 = 3600 seconds, that is, 1 hour. If a user logged on to the system takes no action for one hour, the system automatically logs that account out. You can also put this value in an individual user's ".bashrc" file to give that user a different automatic logout time. After changing this setting you must log out and log in again for it to take effect.

7. Remove console access permissions of ordinary users
You should remove ordinary users' console access to programs such as shutdown, reboot and halt:
[root@kapil /]# rm -f /etc/security/console.apps/<servicename>
<servicename> is the name of the program you want to deregister.

8. Disable all unused services

Disable all unused services, so you have less to worry about. Look at the "/etc/inetd.conf" file and comment out all the services you don't need (add a "#" in front of the service entry). Then send inetd a SIGHUP so that it re-reads the "inetd.conf" file.

Step 1:

Change the permissions of "/etc/inetd.conf" to 600, so that only root can read and write the file.
[root@kapil /]# chmod 600 /etc/inetd.conf

Step 2:

Make sure that the owner of the "/etc/inetd.conf" file is root.

Step 3:

Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and disable the services you do not need, for example: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on. Disabling unnecessary services significantly reduces the risk to the system.

Step 4:

Send a HUP signal to the inetd process:

[root@kapil /]# killall -HUP inetd

Step 5:

Use the chattr command to make the /etc/inetd.conf file immutable, so that no one can modify it:

[root@kapil /]# chattr +i /etc/inetd.conf

This prevents any modifications to inetd.conf, accidental or otherwise. Only the root user can remove this attribute. If you want to modify the inetd.conf file, you must first remove the immutable attribute:

[root@kapil /]# chattr -i /etc/inetd.conf

Don't forget to make it immutable again afterwards.
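As an added example (not from the original article), the following shell script audits an inetd.conf and comments out every service that is not on an explicit allow list, so the edit can be reviewed before it replaces the real file; the function names are hypothetical and the sample inetd.conf is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: audit an inetd.conf and comment
# out every service that is not on an explicit allow list. Function names are
# hypothetical and the sample inetd.conf in make_sample is constructed.

# Print the services that are currently enabled (not commented out) in the
# inetd.conf given as $1, one per line, sorted.
enabled_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }' "$1" | LC_ALL=C sort -u
}

# Copy inetd.conf $1 to $2, commenting out every enabled service whose name is
# not in the space-separated allow list $3. $1 itself is left untouched.
disable_unlisted() {
    awk -v allow=" $3 " '
        /^[[:space:]]*#/ || NF == 0 { print; next }           # keep comments/blanks
        index(allow, " " $1 " ") == 0 { print "#" $0; next }  # not allowed: disable
        { print }                                             # allowed: keep
    ' "$1" > "$2"
}

# Write a constructed sample inetd.conf (Red Hat 6.x style) to $1.
make_sample() {
    cat > "$1" <<'EOF'
# inetd.conf - constructed sample for this example
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}

# Demo: allow only ftp and show what is enabled before and after.
demo() {
    d=$(mktemp -d)
    make_sample "$d/inetd.conf"
    echo "enabled before: $(echo $(enabled_services "$d/inetd.conf"))"
    disable_unlisted "$d/inetd.conf" "$d/inetd.conf.new" "ftp"
    echo "enabled after:  $(echo $(enabled_services "$d/inetd.conf.new"))"
    rm -rf "$d"
}

demo
```

After reviewing the generated file, copy it over /etc/inetd.conf and send inetd the HUP signal as in Step 4.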

9. TCP_WRAPPERS

Using TCP_WRAPPERS protects your system against intrusion from outside. The best policy is to block all hosts by putting "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file, and then list every host that is allowed in the "/etc/hosts.allow" file.
Step 1:
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This means that all services and all addresses are blocked unless the address is in the list of hosts allowed access.
Step 2:
Edit the hosts.allow file (vi /etc/hosts.allow) and add the hosts that are allowed, for example:
ftp: 202.54.15.99 foo.com
202.54.15.99 and foo.com are the IP address and host name that are allowed to use the ftp service.
Step 3:
The tcpdchk program is the tcpd wrapper setup checker. It checks your TCP wrapper configuration and reports the potential and real problems it finds. After you have finished configuring, run:
[root@kapil /]# tcpdchk

10. Prevent system information disclosure
When a user logs in remotely, the system welcome banner should not be displayed. You can achieve this by modifying the "/etc/inetd.conf" file.
Change the following line in the /etc/inetd.conf file:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
With "-h" added at the end, someone logging in sees only a login prompt; the system welcome banner is not displayed.

11. Modify the "/etc/host.conf" file
"/etc/host.conf" describes how names are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves names through DNS first and then through the hosts file. The second setting allows a host in the "/etc/hosts" file to have multiple IP addresses (for example, multiple Ethernet interfaces). The third setting tells the resolver to guard against IP spoofing aimed at the local machine.

12. Make the "/etc/services" file immutable
Make the "/etc/services" file immutable to prevent unauthorized deletion or addition of services:
[root@kapil /]# chattr +i /etc/services

13. Disallow root login from other consoles
The "/etc/securetty" file lets you define on which ttys the root user may log in. Edit the "/etc/securetty" file and put a "#" in front of each tty device you do not want root to log in on; this prevents root login from that tty.

14. Prevent anyone from using the su command to become root
The su command lets you become another existing user on the system. If you do not want anyone to become root with su, or want to restrict the use of su to certain users, add the following two lines at the beginning of the su configuration file in the "/etc/pam.d/" directory.
Edit the su file (vi /etc/pam.d/su) and add the following two lines at the beginning:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
This means that only members of the "wheel" group can use su to become root. Add a user to the "wheel" group to let that user use su to become root.

15. Shell Logging
The bash shell saves up to 500 used commands in the file "~/.bash_history" ("~/" is the user's home directory), which makes it easy to re-enter long commands. Every user with an account on the system has a ".bash_history" file in his home directory. Bash should keep only a small number of commands and delete the history every time the user logs out.
Step 1:
The "HISTFILESIZE" and "HISTSIZE" lines in the "/etc/profile" file determine how many old commands the ".bash_history" file of every user can hold. We strongly recommend that you set "HISTFILESIZE" and "HISTSIZE" in "/etc/profile" to a smaller number, such as 30. Edit the profile file (vi /etc/profile) and change the following lines:
HISTFILESIZE=30
HISTSIZE=30
This means that each user's ".bash_history" file can hold only 30 old commands.
Step 2:
In the "/etc/skel/.bash_logout" file, add the line "rm -f $HOME/.bash_history". That way the ".bash_history" file is deleted every time you log out.
Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:
rm -f $HOME/.bash_history

16. Disable the Control-Alt-Delete key combination
Comment out the following line in the "/etc/inittab" file (with #):
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To make this change take effect, enter the following command:
[root@kapil /]# /sbin/init q

17. Set permissions on the script files under "/etc/rc.d/init.d"
Set the permissions of the scripts that are run at startup or shutdown:
[root@kapil /]# chmod -R 700 /etc/rc.d/init.d/*
This means that only the root user can read, write and execute the scripts in this directory.

18. Hide System Information
By default, when you log in to a Linux system it tells you the name and version of the Linux distribution, the kernel version and the server name. This information is enough to help an attacker break into your system. You should show only a "login:" prompt.
Step 1:
Edit the "/etc/rc.d/rc.local" file and put "#" in front of the lines shown below to comment out the commands that print this information.
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Step 2:
Delete the "issue.net" and "issue" files under the "/etc" directory:
[root@kapil /]# rm -f /etc/issue
[root@kapil /]# rm -f /etc/issue.net

19. Do not use SUID/SGID programs
If a program is set SUID root, an ordinary user can run it with root privileges. The administrator should use as few SUID/SGID programs as possible and disable all unnecessary ones.
Find the programs that have the 's' bit set (-perm -04000 matches setuid, -perm -02000 matches setgid):
[root@kapil /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Use the following command to remove the 's' bit from a chosen program:
[root@kapil /]# chmod a-s [program]
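The find command above lists s-bit files once; an administrator also wants to notice when a new one appears. This added example (not from the original article) keeps a baseline and reports setuid/setgid files that were not in it, using the article's find expression and chmod a-s; the function names are hypothetical and the file tree in demo() is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: record a baseline of the
# setuid/setgid files on a tree and report any that appear later. The find
# expression is the one the article uses; function names are hypothetical and
# the tree built in demo() is constructed (chmod on your own files needs no root).

# List setuid or setgid regular files under $1, sorted, one path per line.
list_sbit() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | LC_ALL=C sort
}

# Save the current list for tree $1 into baseline file $2.
save_baseline() {
    list_sbit "$1" > "$2"
}

# Print s-bit files under $1 that are not in baseline $2. Anything printed is
# either a change you made on purpose or something to investigate.
new_sbit() {
    list_sbit "$1" | LC_ALL=C comm -13 "$2" -
}

# Remove the s bit from a file that should not have it (the article's chmod a-s).
strip_sbit() {
    chmod a-s "$1"
}

# Demo on a constructed tree: one expected setuid binary in the baseline, then
# a setgid file that shows up later under tmp/. Prints "/tmp/x".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp"
    touch "$root/bin/passwd" "$root/bin/ls" "$root/tmp/x"
    chmod 4755 "$root/bin/passwd"          # expected setuid binary
    chmod 755 "$root/bin/ls"
    save_baseline "$root" "$root/baseline"
    chmod 2755 "$root/tmp/x"               # new setgid file after the baseline
    new_sbit "$root" "$root/baseline" | sed "s|^$root||"
    rm -rf "$root"
}

demo
```

Keep the baseline file outside the tree you scan (or immutable with chattr +i, as the article does for other files) so that it cannot be edited by whoever added the new file.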

By following the above guidelines, the system administrator will have a basically secure system. Some of the work above is a continuous process, and the administrator should keep at it to maintain the security of the system.
