Linux Server Hardening

Source: Internet
Author: User

I. System security log files
 
Log files in the operating system are important clues for detecting network intrusions. If your system is directly connected to the Internet and you find that many people are trying to Telnet or FTP to it, you can run "# more /var/log/secure | grep refused" to check for attacks against the system and then take appropriate measures, such as replacing Telnet/rlogin with SSH.
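The grep above lists every refused connection one by one; the added example below (not part of the original article) groups them by source address and service so that repeated attempts stand out. The function names and the log lines are constructed for illustration, and the lines assume the TCP wrappers message format "refused connect from ...".

```sh
#!/bin/sh
# refused_summary MIN [FILE...]
# Counts "refused connect from" entries per source and service and prints
# "COUNT SOURCE SERVICE" for every pair seen at least MIN times, busiest first.
# Reads standard input when no FILE is given.
refused_summary() {
    min=$1
    shift
    awk -v min="$min" '
    / refused connect from / {
        svc = $5
        sub(/\[[0-9]+\]:$/, "", svc)          # "in.telnetd[2101]:" -> "in.telnetd"
        for (i = 6; i < NF; i++)
            if ($i == "from") { src = $(i + 1); break }
        n[src " " svc]++
    }
    END { for (k in n) if (n[k] >= min) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample of /var/log/secure, not taken from a real host.
sample_secure_log() {
    cat <<'EOF'
Mar  3 02:11:09 srv1 in.telnetd[2101]: refused connect from 203.0.113.7
Mar  3 02:11:12 srv1 in.telnetd[2104]: refused connect from 203.0.113.7
Mar  3 02:11:15 srv1 in.ftpd[2110]: refused connect from 203.0.113.7
Mar  3 02:14:40 srv1 in.telnetd[2133]: refused connect from 203.0.113.7
Mar  3 03:02:51 srv1 sshd[2290]: Accepted password for admin from 192.0.2.10 port 40022 ssh2
Mar  3 04:27:03 srv1 in.ftpd[2417]: refused connect from 198.51.100.23
EOF
}

# Show every source that was refused at least once.
sample_secure_log | refused_summary 1
```

On a live system, run it as root against the real file, for example "refused_summary 5 /var/log/secure".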
 
II. Startup and login security
 
1. BIOS Security
 
Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.
 
2. User Password
 
The user password is the basic starting point for Linux security. Many people use passwords that are too simple, which opens the door to intruders. In theory, given enough time and resources, there is no user password that cannot be cracked, but it is difficult to choose a proper password. A good user password is a string of characters that only the user can easily remember and understand, and it should never be written down anywhere.
 
3. Default Account
 
All default accounts that the operating system itself creates and that are not necessary should be disabled. Do this when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is.
 
You can use the following command to delete an account.
 
# userdel username

Or use the following command to delete a group account.

# groupdel username
 
4. Password File
 
Use the chattr command to add the immutable attribute to the following files to prevent unauthorized users from obtaining permissions.

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
 
5. Disable the Ctrl+Alt+Delete restart command

Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions for all files in the /etc/rc.d/init.d/ directory by running the following command:

# chmod -R 700 /etc/rc.d/init.d/*
 
In this way, only the root user can read, write, or execute all the above script files.
 
6. Restrict the su command

If you do not want just anyone to be able to su to root, you can edit the /etc/pam.d/su file and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
 
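In this case, only users in the isd group can su to root. After that, if you want the user admin to be able to su to root, you can run the following command:

# usermod -G10 admin

This command sets admin's supplementary group to GID 10, so it has the intended effect only if the isd group has GID 10.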
 
7. Delete logon information
 
By default, the logon prompt includes the Linux release, kernel version, and server host name. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local and comment out the following lines, which output the system information.

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue

 
Then, perform the following operations:
 
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
 
III. Restrict network access
 
1. NFS access
 
If you use the NFS (Network File System) service, make sure that your /etc/exports has the strictest access permission settings: do not use any wildcard characters, do not allow root write permissions, and export file systems only as read-only. Edit the /etc/exports file and add the following two lines.

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine that is allowed to mount this directory, ro means that it is mounted as a read-only file system, and root_squash prohibits root from writing to this directory. To make the changes take effect, run the following command.

# /usr/sbin/exportfs -
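The three rules above (no wildcards, read-only, root squashed) can be checked mechanically. The added example below is not part of the original article; its function names and sample entries are constructed for illustration. It also reports options separated from the host name by a space, which then apply to every host rather than to the named one.

```sh
#!/bin/sh
# audit_exports [FILE...]: check every client entry of an exports file (or stdin).
# Prints "LINE: DIR CLIENT: problem"; returns 1 if anything was reported, else 0.
audit_exports() {
    awk '
    function report(msg) { printf "%d: %s %s: %s\n", NR, dir, who, msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
        dir = $1
        if (NF == 1) { who = "(anyone)"; report("no client listed") }
        for (i = 2; i <= NF; i++) {
            who = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                 # split "host(opt,opt)" into host and options
                who = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (who == "") {             # "host (opts)": the space detaches the options
                who = "(anyone)"
                report("options not attached to a host, they apply to every host")
            }
            if (who ~ /[*?]/) report("wildcard in host name")
            ro = 0; squash = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {   # whole tokens only: "ro" is a prefix of "root_squash"
                if (o[j] == "ro") ro = 1
                if (o[j] == "root_squash") squash = 1
            }
            if (!ro) report("ro is not set")
            if (!squash) report("root_squash is not set")
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input, not taken from a real server.
sample_exports() {
    cat <<'EOF'
# constructed sample
/srv/pub   host1.mydomain.com(ro,root_squash)
/srv/home  *.mydomain.com(rw,no_root_squash)
/srv/data  host2.mydomain.com (ro,root_squash)
EOF
}

sample_exports | audit_exports || true
```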
 
This is the end of security configuration on the Linux operating system server.
 
 
 
