System security is becoming more and more important. Here I want to write down some basic Linux security measures that I usually apply and discuss them with you, so that we can make our Linux systems more reliable.
1. BIOS Security Settings
This is the most basic and simple measure. You must set a password for your BIOS and change the boot sequence in the BIOS so that the machine does not start from a floppy disk. This prevents others from trying to start your system with a special boot disk, and prevents others from entering the BIOS to change the settings, so the hardware settings of the machine cannot be changed at will.
2. LILO Security Settings
LILO is the abbreviation of LInux LOader, the boot loader of Linux. You configure it by editing the "/etc/lilo.conf" file. Add the following two parameters to the /etc/lilo.conf file: restricted and password. These parameters make your system require password verification when LILO starts.
Step 1: edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three marked lines:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00         # set this line to 00 so the system starts Linux directly instead of waiting
message=/boot/message
linear
default=linux
restricted         # add this line
password=          # add this line and set your own password
image=/boot/vmlinuz-2.4.2-2
        label=linux
        root=/dev/hda6
        read-only
Step 2: because the "/etc/lilo.conf" file contains the plaintext password, make it readable by root only.
# chmod 0600 /etc/lilo.conf
Step 3: run lilo so that the modifications to the "/etc/lilo.conf" file take effect.
# /sbin/lilo -v
Step 4: run the "chattr" command to make the "/etc/lilo.conf" file immutable.
# chattr +i /etc/lilo.conf
To some extent, this prevents any changes to "/etc/lilo.conf" (accidental or otherwise).
3. Make passwords more secure
Passwords can be said to be the first line of defense of the system. At present, most attacks on systems on the Internet start with password interception or guessing. Therefore, we should choose safer passwords.
First, you must prevent accounts without passwords. You can find them by viewing the /etc/passwd file. For example, if the account with the username "test" has no password configured, the following line appears in the /etc/passwd file:
test::100:9::/home/test:/bin/bash
The second field is blank, indicating that the account test has no password, which is very dangerous! Delete such accounts or set a password for them.
Secondly, in earlier versions of Linux the /etc/passwd file contains the encrypted passwords, which is a great security risk for the system: the simplest attack is to recover the passwords by brute-force cracking. You can use the command /usr/sbin/pwconv or /usr/sbin/grpconv to create the /etc/shadow or /etc/gshadow file; in this way the /etc/passwd file no longer contains the encrypted passwords, which are stored instead in the /etc/shadow file, readable only by the root user!
Third, modify the shell field of some system accounts, such as uucp, ftp and news, and of accounts that only require FTP access: do not give them a shell such as /bin/bash or /bin/sh. You can leave the shell field blank in /etc/passwd, or set it to /bin/false or /dev/null; you can also use the command usermod -s /dev/null username to change the shell of username to /dev/null. These accounts then cannot be used to log on to the system remotely through Telnet!
Fourth, change the default minimum password length: when you install Linux, the default minimum password length is 5 bytes. This is not enough; set it to 8. To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
The login.defs file is the configuration file of the login program.
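The four checks above are easy to script. The following shell script is an added example, not code from the original article: it audits a passwd-format file for empty password fields, hashes still stored in passwd instead of /etc/shadow, and service accounts that keep a login shell, and it rewrites PASS_MIN_LEN in a login.defs-style file. It runs on constructed sample files so no root access is needed; on a real system point it at /etc/passwd and /etc/login.defs. The list of service account names it checks (uucp, ftp, news) is taken from the text and is an assumption about which accounts matter on your system.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd-format file for
# the weaknesses described in points 1-3 above and apply the login.defs change
# from point 4. It works on constructed sample files so it runs without root;
# on a real system point it at /etc/passwd and /etc/login.defs.

SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test::100:9::/home/test:/bin/bash
bob:$1$abcdefgh$ConstructedHashNotReal:101:100::/home/bob:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
news:x:9:13:news:/etc/news:/dev/null
alice:x:500:500::/home/alice:/bin/bash
EOF

SAMPLE_LOGIN_DEFS=$(mktemp)
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# constructed sample of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

# Point 1: accounts whose password field (field 2) is empty.
nopass_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Point 2: accounts whose hash is still stored in passwd instead of /etc/shadow.
# After pwconv the field holds "x"; "*" and "!..." are lock markers, not hashes.
unshadowed_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Point 3: service accounts that still have an interactive shell (field 7).
# The list of account names to check is an assumption based on the article.
service_accounts_with_shell() {
    awk -F: -v list="uucp ftp news" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) svc[a[i]] = 1 }
        ($1 in svc) && ($7 == "/bin/bash" || $7 == "/bin/sh") { print $1 }' "$1"
}

# Point 4: set PASS_MIN_LEN in a login.defs-style file and print the new value.
set_pass_min_len() {
    file=$1; len=$2
    tmp=$(mktemp)
    awk -v len="$len" '$1 == "PASS_MIN_LEN" { $2 = len } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"; rm -f "$tmp"   # overwrite in place, keeping mode and inode
    awk '$1 == "PASS_MIN_LEN" { print $2 }' "$file"
}

audit_passwd() {
    echo "accounts without a password (delete or set a password):"
    nopass_accounts "$1"
    echo "hashes still in passwd (run pwconv):"
    unshadowed_accounts "$1"
    echo "service accounts with a login shell (usermod -s /dev/null):"
    service_accounts_with_shell "$1"
}

audit_passwd "$SAMPLE_PASSWD"
echo "PASS_MIN_LEN is now $(set_pass_min_len "$SAMPLE_LOGIN_DEFS" 8)"
```

On the sample data the audit reports test (no password), bob (hash kept in passwd) and uucp (service account with /bin/bash), and the login.defs rewrite leaves PASS_MIN_LEN at 8. The functions only read and print, so running the audit against the real /etc/passwd as an unprivileged user is safe; only the login.defs rewrite needs root.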
4. Log out of the account automatically
In Unix systems, the root account has the highest privilege. If the system administrator forgets to log out of the root account before leaving the system, this poses a major security risk, so the system should log the account out automatically. You can implement this by setting the "TMOUT" parameter for your account. TMOUT is counted in seconds. Edit the profile file (vi /etc/profile) and add the following line after "HISTFILESIZE=":
TMOUT=300
300 means 300 seconds, that is, 5 minutes. In this way, if a logged-on user takes no action within five minutes, the system logs the user out automatically. You can also add this value to the ".bashrc" file of an individual user to give that user a special automatic logout time.
After changing this setting, you must log out and log on again for the function to take effect.
5. Cancel console access permissions of common users
You should cancel the console access permissions of common users to programs such as shutdown, reboot, and halt.
# rm -f /etc/security/console.apps/<servicename>
Here <servicename> is a placeholder for the name of the program whose console access you want to remove.
6. Cancel and reinstall all unused services
Disable and uninstall all unused services, so you have less to worry about. Check the "/etc/inetd.conf" file and comment out all services you do not need (add a "#" before the service entry). Then send inetd a SIGHUP so that it re-reads the "inetd.conf" file.
Step 1:
Change the mode of "/etc/inetd.conf" to 600, so that only root can read and write the file.
# chmod 600 /etc/inetd.conf
Step 2:
Make sure that the owner of the "/etc/inetd.conf" file is root.
Step 3:
Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and disable the following services if you do not need them: ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth, and so on. Disabling unnecessary services significantly reduces the risk to the system.
Step 4:
Send a HUP signal to the inetd process:
# killall -HUP inetd
Step 5:
Use the chattr command to make the /etc/inetd.conf file immutable, so that no one can modify it:
# chattr +i /etc/inetd.conf
This prevents any modification of inetd.conf (accidental or otherwise). Only the root user can remove this attribute. If you want to modify the inetd.conf file, you must first remove the immutable attribute:
# chattr -i /etc/inetd.conf
Don't forget to make it immutable again afterwards.
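Step 3 is the part most likely to be done by hand and repeated on several machines, so here is an added example (not code from the original article) that comments out a list of services in an inetd.conf-style file. It runs on a constructed sample copy, so no root access is needed; on a real system you would run it against /etc/inetd.conf after "chattr -i", then send inetd the HUP signal and set "chattr +i" again as described above. Lines that are already commented out are left alone, so running it twice does not produce "##" lines.

```shell
#!/bin/sh
# Added example, not from the original article: comment out unwanted services in
# an inetd.conf-style file, as step 3 above does by hand. Runs on a constructed
# sample copy so it needs no root; on a real system use /etc/inetd.conf
# (after chattr -i) and send inetd a HUP afterwards.

SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root   /usr/sbin/tcpd  ipop3d
ssh     stream  tcp  nowait  root   /usr/sbin/sshd  sshd -i
EOF

# Prefix "#" to every active line whose service name (first field) is in the list.
# Lines already commented out are left alone, so the function is safe to re-run.
disable_inetd_services() {
    file=$1; shift
    tmp=$(mktemp)
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[[:space:]]*#/ { print; next }          # keep existing comments as they are
        ($1 in off)      { print "#" $0; next }   # disable a listed service
                         { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place, keeping the file's inode and mode
    rm -f "$tmp"
}

# Report the services still enabled after the change, one per line.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

disable_inetd_services "$SAMPLE_INETD" ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
echo "still enabled:"
enabled_inetd_services "$SAMPLE_INETD"
```

After the run only ssh remains enabled in the sample, which is exactly the review you want to do before sending the HUP: the output of enabled_inetd_services is the list of services still exposed, and every entry on it should be one you can justify.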
7. TCP_WRAPPERS
Using TCP_WRAPPERS can protect your system against external intrusion. The best policy is to deny all hosts (add "ALL: ALL@ALL, PARANOID" to the "/etc/hosts.deny" file) and then list all allowed hosts in the "/etc/hosts.allow" file.
Step 1:
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This means that all services and addresses are blocked unless the address is in the list of hosts allowed to access.
Step 2:
Edit the hosts.allow file (vi /etc/hosts.allow) and add the allowed hosts to it, for example:
ftp: 202.54.15.99 foo.com
202.54.15.99 and foo.com are the IP address and host name allowed to access the ftp service.
Step 3:
The tcpdchk program is the tcpd wrapper configuration checker. It checks your tcp wrapper settings and reports the potential and actual problems it finds. After setting up the files, run:
# tcpdchk
8. Modify the "/etc/host.conf" file
"/etc/host.conf" describes how addresses are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves addresses through DNS first and then through the hosts file. The second setting makes the resolver check whether a host in the "/etc/hosts" file has multiple IP addresses (for example, multiple Ethernet interfaces). The third setting tells the resolver to guard against IP address spoofing on the local machine.
9. Make the "/etc/services" file immutable
Make the "/etc/services" file immutable to prevent unauthorized deletion or addition of services:
# chattr +i /etc/services
10. Root login from different consoles is not allowed
The "/etc/securetty" file lets you define from which TTYs the root user can log on. You can edit the "/etc/securetty" file and add a "#" before each TTY device that you do not need to log on from, to prevent root from logging in from that TTY device.
The /etc/inittab file contains the following section:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
By default, the system can use six consoles, namely Alt+F1, Alt+F2, and so on. Add "#" in front of the lines for 3, 4, 5 and 6 to comment them out; now only two consoles are available. It is best to keep two. Restart the init process and the changes take effect!
11. Use PAM (Pluggable Authentication Modules) to prohibit anyone from using the su command to change to the root user
The su (Substitute User) command allows you to become another existing user in the system. If you do not want anyone to change to the root user using the su command, or want to restrict the use of the su command to some users, you can go to the su configuration file (in the "/etc/pam.d/" directory)