First, system security log files
The log files kept by the operating system are an important clue for detecting a network intrusion. If your system is connected directly to the Internet and you find that many people are making telnet/ftp logon attempts against it, you can run "# more /var/log/secure | grep refused" to review the attacks on the system and take appropriate countermeasures, such as replacing telnet/rlogin with SSH.
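An added example (not part of the original article) that turns the "grep refused" check above into a per-source summary: it reads tcp_wrappers "refused connect from" lines from a secure log and lists the sources that were refused most often. The log lines are constructed for the example.

```shell
# Added example (not from the original article): summarise tcp_wrappers
# "refused connect from <host>" entries in a secure log per source address,
# which is what the "grep refused" in the text looks for.
# The log lines below are constructed for this example.
SAMPLE_LOG='Mar  3 02:11:09 server in.telnetd[1201]: refused connect from 203.0.113.7
Mar  3 02:11:12 server in.ftpd[1204]: refused connect from 203.0.113.7
Mar  3 02:11:15 server in.telnetd[1209]: refused connect from 203.0.113.7
Mar  3 02:12:40 server in.telnetd[1215]: connect from 192.168.1.10
Mar  3 02:13:01 server in.ftpd[1220]: refused connect from 198.51.100.22'

# refused_by_source: read log lines on stdin, print "<count> <source>"
# for every source that was refused, most frequent first.
refused_by_source() {
    grep 'refused connect from' \
        | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# sources_over THRESHOLD: read log lines on stdin, print only the sources
# refused more than THRESHOLD times (candidates for hosts.deny or follow-up).
sources_over() {
    refused_by_source | awk -v t="$1" '$1 > t { print $2 }'
}

# Run on the constructed sample; on a real host use: refused_by_source < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | refused_by_source
printf '%s\n' "$SAMPLE_LOG" | sources_over 2
```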
Second, startup and login security
1. BIOS security
Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.
2. User passwords
User passwords are the fundamental starting point of Linux security. Many people choose passwords that are far too simple, which is tantamount to opening the door for an intruder. In theory, given enough time and resources, no user password is uncrackable, but a well-chosen password is hard to crack. A good user password is a string that is easy only for its owner to remember and understand, and that is never written down anywhere.
3. Default accounts
All default accounts started by the operating system itself that you do not need should be disabled, and this should be done when the system is first installed. Linux provides a number of default accounts, and the more accounts there are, the more vulnerable the system is to attack.
You can delete an account with the following command:
[root@server /]# userdel username
or delete a group with the following command:
[root@server /]# groupdel groupname
4. Password files
Use the chattr command to add the immutable attribute to the following files, preventing unauthorized users from gaining permissions. Note that while the attribute is set, accounts cannot be added or changed; remove it with chattr -i before account maintenance.
[root@server /]# chattr +i /etc/passwd
[root@server /]# chattr +i /etc/shadow
[root@server /]# chattr +i /etc/group
[root@server /]# chattr +i /etc/gshadow
5. Disable the Ctrl+Alt+Delete reboot command
Edit /etc/inittab and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files under /etc/rc.d/init.d/ by running:
[root@server /]# chmod -R 700 /etc/rc.d/init.d/*
This allows only root to read, write or execute the above script files.
6. Limit the su command
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
Now only members of the isd group can su to root. If you then want the user admin to be able to su to root, add admin to that group (10 here must be the GID of the isd group named above):
[root@server /]# usermod -G 10 admin
7. Removing login information
By default, the login banner includes the Linux distribution, the kernel version and the server's host name. For a machine with higher security requirements this leaks too much information. Edit /etc/rc.d/rc.local and comment out the following lines, which write the system information:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue
Then run:
[root@server /]# rm -f /etc/issue
[root@server /]# rm -f /etc/issue.net
[root@server /]# touch /etc/issue
[root@server /]# touch /etc/issue.net
8. Set a GRUB password
[root@server share]# grub-md5-crypt
Password:              // enter the password
Retype password:       // enter the password again
$1$llzdj/$VxlsjlcR9VVWCI/YRHPPM0
[root@server share]# vim /boot/grub/grub.conf
Add the line: password --md5 $1$llzdj/$VxlsjlcR9VVWCI/YRHPPM0
(the hash is the one printed by grub-md5-crypt; without --md5, GRUB would treat the string as a plaintext password).
Third, restrict network access
1. NFS access
If you use the NFS network file system service, make sure /etc/exports has the strictest possible access settings: do not use any wildcard characters, do not allow root write access, and export only read-only file systems. Edit /etc/exports and add the following two lines:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine allowed to mount this directory, ro means it is mounted read-only, and root_squash prevents root from writing to the directory. There must be no space between the host name and the opening parenthesis; with a space, the options would apply to every host. For the change to take effect, run:
[root@server /]# /usr/sbin/exportfs -a
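An added example (not part of the original article) that audits exports lines for the weaknesses this section warns about: wildcard clients, rw exports, no_root_squash, and options separated from the client by a space. The sample /etc/exports content is constructed.

```shell
# Added example (not from the original article): audit /etc/exports-style
# lines for the weaknesses the text warns about: wildcard clients, rw
# exports, no_root_squash, and options separated from the client by a
# space (which makes them apply to every host). The sample is constructed.
SAMPLE_EXPORTS='# constructed sample /etc/exports
/srv/share host1.mydomain.com(ro,root_squash)
/srv/share host2.mydomain.com (ro,root_squash)
/srv/data *.mydomain.com(rw,no_root_squash)
/srv/pub 192.168.1.0/24(ro)'

# audit_exports: read exports lines on stdin, print one finding per problem.
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        dir = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)/)) {    # split "client(opts)"
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "")
                print dir ": options \"" opts "\" not attached to a client, they apply to everyone"
            else if (client ~ /[*?]/)
                print dir ": wildcard client " client
            if ("," opts "," ~ /,rw,/)
                print dir ": rw export to " client
            if ("," opts "," ~ /,no_root_squash,/)
                print dir ": no_root_squash for " client
        }
    }'
}

# Run on the constructed sample; on a real host use: audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```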
2. inetd settings
First verify that the owner of /etc/inetd.conf is root and that its permissions are set to 600. After setting them, you can check with the "stat" command.
[root@server /]# chmod 600 /etc/inetd.conf
Then edit /etc/inetd.conf and disable the following services:
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If you have SSH/SCP installed, you can also disable telnet/ftp. For the change to take effect, run:
[root@server /]# killall -HUP inetd
By default, most Linux systems allow all requests. Using tcp_wrappers to enhance system security is easy: edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, putting "ALL: ALL" in /etc/hosts.deny denies all access by default. The permitted access is then added to /etc/hosts.allow. For example, "sshd: 192.168.1.10 gate.openarch.com" allows the IP address 192.168.1.10 and the host gate.openarch.com to connect via SSH.
After the configuration is complete, check it with tcpdchk:
[root@server /]# tcpdchk
tcpdchk is the tcp_wrappers configuration checker: it examines your TCP wrapper configuration and reports all potential and existing problems it finds.
3. Login terminal settings
The /etc/securetty file specifies the TTY devices from which root is allowed to log in; it is read by the /bin/login program and is formatted as a list of allowed device names. Edit /etc/securetty and comment out tty2 through tty6, leaving tty1 in place:
tty1
# tty2
# tty3
# tty4
# tty5
# tty6
Now root can only log in at the tty1 terminal.
4. Avoid displaying system and version information
If you do not want telnet users to see the system and version information, change the telnet line in /etc/inetd.conf to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding -h means telnetd does not display the system information and shows only "login:".
5. Do not allow the root user to log in to the server over SSH
[root@server /]# vim /etc/ssh/sshd_config
Change the setting to: PermitRootLogin no
Fourth, attack prevention
1. Block ping
If nobody can ping your system, its security naturally increases.
[root@server /]# vim /etc/sysctl.conf
Add: net.ipv4.icmp_echo_ignore_all = 1
[root@server /]# sysctl -p
2. Prevent IP spoofing
Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:
order bind,hosts
multi off
nospoof on
3. Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can prevent DoS-type attacks. For example, edit /etc/security/limits.conf:
[root@server /]# vim /etc/security/limits.conf
and add the following lines:
* hard core 0
* hard rss 5000
* hard nproc 20
Then edit /etc/pam.d/login and check that the following line exists:
session required /lib/security/pam_limits.so
The lines above disable core dump files, limit the number of processes to 50 (the entry shown sets nproc to 20), and limit memory usage to 5 MB.