This article describes basic security measures that make a Linux system more secure and reliable.
BIOS Security
Set a BIOS password and change the boot sequence so that the machine cannot be started from a floppy disk. This prevents others from booting your system with a specially prepared boot disk, and from entering the BIOS setup to change the settings (for example, to re-enable booting from floppy).
LILO Security
Add the following three parameters to the "/etc/lilo.conf" file: timeout, restricted, password. With these set, LILO requires a password before it will boot an image with kernel options typed at the boot prompt; the "restricted" keyword limits the password check to that case, so an unattended boot of the default image still works.
Step 1:
Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three parameters:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    timeout=00                 # add this line and set it to 00
    prompt
    default=linux
    restricted                 # add this line
    password=                  # add this line and set your own password
    image=/boot/vmlinuz-2.2.14-12
        label=linux
        initrd=/boot/initrd-2.2.14-12.img
        root=/dev/hda6
        read-only

Step 2:
Because "/etc/lilo.conf" now contains a plaintext password, make it readable by root only:
[root@kapil /]# chmod 600 /etc/lilo.conf
Step 3:
Re-run the boot loader installer so that the changes to "/etc/lilo.conf" take effect:
[root@kapil /]# /sbin/lilo -v
Step 4:
Use the "chattr" command to make the "/etc/lilo.conf" file immutable:
[root@kapil /]# chattr +i /etc/lilo.conf
This prevents any change to "/etc/lilo.conf", accidental or otherwise, until the attribute is removed again with "chattr -i".
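The following shell script is an added example, not code from the original article: it audits a lilo.conf for the settings described in the four steps above (timeout=00, restricted, a non-empty password=, mode 0600, owner root). The sample configuration, its password value and the temporary paths are constructed for the demonstration; run the audit function against the real /etc/lilo.conf as root.

```shell
# Added example (not from the original article): audit a lilo.conf for the
# settings the LILO Security section asks for. Sample file and password are
# constructed; point audit_lilo_conf at /etc/lilo.conf to check a real system.

# 0 if FILE contains timeout=00, restricted and a non-empty password=,
# otherwise print each missing item and return 1.
lilo_conf_keywords() {
    f=$1; rc=0
    grep -Eq '^[[:space:]]*timeout[[:space:]]*=[[:space:]]*0+([[:space:]]|#|$)' "$f" \
        || { echo "$f: timeout is not 00"; rc=1; }
    # 'restricted' only takes effect together with 'password=';
    # 'password=' without 'restricted' asks for the password on every boot.
    grep -Eq '^[[:space:]]*restricted([[:space:]]|#|$)' "$f" \
        || { echo "$f: missing restricted"; rc=1; }
    grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*[^[:space:]#]' "$f" \
        || { echo "$f: missing or empty password="; rc=1; }
    return $rc
}

# 0 if FILE is mode 0600 (the password is stored in clear text).
# The first 10 characters of 'ls -l' are the type and permission bits,
# so an SELinux '.' or ACL '+' marker in column 11 does not interfere.
lilo_conf_mode() {
    perm=$(ls -l "$1" | cut -c1-10)
    [ "$perm" = "-rw-------" ] || { echo "$1: mode is $perm, want -rw-------"; return 1; }
}

# 0 if FILE is owned by root.
lilo_conf_owner() {
    owner=$(ls -l "$1" | awk '{ print $3 }')
    [ "$owner" = root ] || { echo "$1: owner is $owner, want root"; return 1; }
}

# Run every check; non-zero if any of them failed.
audit_lilo_conf() {
    rc=0
    lilo_conf_keywords "$1" || rc=1
    lilo_conf_mode "$1" || rc=1
    lilo_conf_owner "$1" || rc=1
    return $rc
}

# Stand-alone demonstration on a constructed file (not /etc/lilo.conf).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/lilo.conf"
cat > "$demo_conf" <<'EOF'
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00
prompt
default=linux
restricted
password=ChangeMeNow
image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only
EOF
chmod 644 "$demo_conf"
audit_lilo_conf "$demo_conf" && echo "audit OK" || echo "audit: fix the items above"
chmod 600 "$demo_conf"
lilo_conf_keywords "$demo_conf" && lilo_conf_mode "$demo_conf" && echo "keywords and mode OK"
rm -rf "$demo_dir"
```

In the demonstration the first audit reports the 0644 mode (and, unless run as root, the owner); after chmod 600 the keyword and mode checks pass. Remember that "chattr +i" must be removed before the file can be corrected.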
Delete all special accounts
You should delete all unused default user and group accounts, such as lp, sync, shutdown, halt, news, uucp, operator, games and gopher. Before removing an account, make sure no running service depends on it.
Delete a user:
[root@kapil /]# userdel lp
Delete a group:
[root@kapil /]# groupdel lp
Make the following changes before choosing passwords:
Change the minimum password length: the default minimum password length after a Linux installation is 5 characters, which is not enough. Set it to 8. To change the minimum length, edit the login.defs file (vi /etc/login.defs) and change PASS_MIN_LEN 5 to PASS_MIN_LEN 8.
The login.defs file is the configuration file of the login program. On systems where passwd uses PAM, this value may be ignored and the minimum length is configured in the PAM password stack instead.
Enable shadow passwords.
You should enable shadow passwords so that the password hashes are no longer stored in the world-readable /etc/passwd file. Use the "/usr/sbin/authconfig" tool to enable shadow passwords. If you want to convert existing password and group files to the shadow format, use the "pwconv" and "grpconv" commands respectively.
Root Account
In Unix systems the root account has the highest privileges. If the system administrator forgets to log out of a root shell, the system should log it out automatically. You get this by setting the "TMOUT" variable in the shell profile; TMOUT is measured in seconds. Edit the profile file (vi /etc/profile) and add the following line after "HISTFILESIZE=":
    TMOUT=3600
3600 is 60*60 seconds, that is, one hour. A logged-in user whose shell receives no input for one hour is then logged out automatically. You can also put this variable in an individual user's ".bashrc" file to give that user a different automatic logout time.
The setting only applies to shells started after the change, so you must log out and log back in to activate it. Note that a user can unset TMOUT from their own shell unless the variable is also declared read-only in the profile.
Cancel console access for ordinary users
You should take away ordinary users' console access to programs such as shutdown, reboot and halt:
[root@kapil /]# rm -f /etc/security/console.apps/<servicename>
where <servicename> is the name of the program whose console access you want to remove.
Disable all unused services
Disable all services you do not use, so that there is less to worry about. Look through the "/etc/inetd.conf" file and comment out every service you do not need (put a "#" at the start of the line). Then send inetd a SIGHUP so that it re-reads "inetd.conf".
Step 1: change the permissions of "/etc/inetd.conf" to 600, so that only root can read and write the file:
[root@kapil /]# chmod 600 /etc/inetd.conf
Step 2: confirm that the owner of "/etc/inetd.conf" is root.
Step 3: edit the /etc/inetd.conf file (vi /etc/inetd.conf) and comment out the services you do not need, for example: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. Disabling unnecessary services significantly reduces the risk to the system.
Step 4: send a HUP signal to the inetd process:
[root@kapil /]# killall -HUP inetd
Step 5: use the chattr command to make the /etc/inetd.conf file immutable, so that nobody can modify it:
[root@kapil /]# chattr +i /etc/inetd.conf
This prevents any modification to inetd.conf, accidental or otherwise. Only root can remove the immutable attribute. If you need to modify the inetd.conf file, you must first remove the attribute:
[root@kapil /]# chattr -i /etc/inetd.conf
Don't forget to make it immutable again afterwards.
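The following shell functions are an added example, not code from the original article: they comment out a list of services in an inetd.conf-style file (service name in the first field, "#" for comments) and list what is still enabled, preserving the file's owner and 0600 mode from Steps 1 and 2. The sample inetd.conf and temporary paths are constructed for the demonstration.

```shell
# Added example (not from the original article): disable services in an
# inetd.conf-style file and list what remains enabled. Assumes the classic
# layout: service name is the first field, comment lines start with '#'.
# The sample file below is constructed; paths are placeholders.

# Print the service name (first field) of every active, non-empty line.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Comment out every active line whose service name is in the argument list.
# Usage: disable_inetd_services FILE svc1 [svc2 ...]
# The file is rewritten through a temporary copy and then copied back over
# the original, so its owner and mode (root, 0600) are kept. If the file is
# immutable, run 'chattr -i' first, as the text above explains.
disable_inetd_services() {
    conf=$1; shift
    tmp="$conf.tmp.$$"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        !/^[[:space:]]*#/ && NF > 0 && ($1 in off) { print "#" $0; next }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Stand-alone demonstration on a constructed file (not /etc/inetd.conf).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/inetd.conf"
cat > "$demo_conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
chmod 600 "$demo_conf"
echo "enabled before:"; enabled_inetd_services "$demo_conf"
disable_inetd_services "$demo_conf" ftp telnet finger
echo "enabled after:";  enabled_inetd_services "$demo_conf"
rm -rf "$demo_dir"
```

On the sample file only pop-3 remains enabled afterwards; on a real system follow the rewrite with "killall -HUP inetd" so that inetd picks up the change.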