Linux System Security Basics

Source: Internet
Author: User

Basic Security Measures for Linux:

1) SYSTEM account cleanup:

Common accounts that never log in interactively include bin, daemon, adm, lp, mail, nobody, apache, mysql, ftp and ga1.

To keep these accounts from being used as login paths, their login shell is normally /sbin/nologin, which refuses any interactive terminal login (including su to the account) while still letting the account own files and run its service.

A few other accounts are rarely used, such as news, uucp, games and gopher. They can be treated as redundant and deleted outright; before deleting one, check that no files or running processes on the system belong to it.

If you cannot decide whether an account that has not been used for a long time should be deleted, lock it temporarily instead: a locked account refuses logins but keeps its files and can be unlocked later.


For example, the zqq account can be locked this way and unlocked again later when it is needed.

If the set of accounts on the server is fixed and will not change, you can go further and lock the account configuration files themselves.

Use the chattr command with the +i (set immutable) and -i (clear immutable) options to lock and unlock the files, and use lsattr to view their attribute status:

[root@www.bkjia.com ~]# chattr +i /etc/passwd /etc/shadow
[root@www.bkjia.com ~]# lsattr /etc/passwd /etc/shadow

While the immutable attribute is set, the account files cannot be changed at all, not even by root: useradd, userdel, usermod and passwd will all fail until the attribute is cleared with chattr -i, which itself requires the CAP_LINUX_IMMUTABLE capability. Clear it before any planned account change, and check lsattr first when a password change fails unexpectedly.
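The audit that the steps in this section amount to, written out as an added example (this is not code from the original page): a POSIX sh script that reads passwd-format lines, reports system accounts whose shell still allows an interactive login, and prints the usermod/passwd commands that remediate each one. The account lines are constructed for the example; the UID threshold of 1000 (UID_MIN in /etc/login.defs; 500 on older distributions) and the choice to lock rather than delete the legacy accounts are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit passwd-format input for system
# accounts that still allow an interactive login and print the fix for each one.
# The lines below are a constructed sample; audit a real host with
#   remediation_commands < /etc/passwd

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
news:x:9:13:news:/etc/news:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/sh
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
zqq:x:1000:1000::/home/zqq:/bin/bash'

# Names of system accounts (UID 1-999; assumed UID_MIN of 1000) whose login shell
# is neither nologin nor false. Reads passwd-format lines on stdin.
interactive_system_accounts() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# For each finding, print the command an administrator would run as root:
#  - a service account keeps its files and daemon but loses its login shell;
#  - a legacy account (news, uucp, games, gopher) is locked rather than deleted,
#    so it can be restored with "passwd -u" if something still depends on it.
# Nothing is executed here; review the output, then run it.
remediation_commands() {
    interactive_system_accounts | while read -r user; do
        case "$user" in
            news|uucp|games|gopher) echo "passwd -l $user" ;;
            *)                      echo "usermod -s /sbin/nologin $user" ;;
        esac
    done
}

# Before deleting a locked account for good, confirm nothing is owned by it:
#   find / -xdev -user "$user"
# Once the account list is final, freeze the account files:
#   chattr +i /etc/passwd /etc/shadow && lsattr /etc/passwd /etc/shadow

printf '%s\n' "$SAMPLE_PASSWD" | remediation_commands
```

On the sample data the audit flags news (a legacy account with /bin/bash) and apache (a service account with /bin/sh) and leaves root and the ordinary user zqq alone; the commands it prints are exactly the ones this section describes.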

2) password security control:

To reduce the risk of password guessing or brute-force cracking, users should change their passwords regularly.

The administrator can enforce this by limiting the maximum number of days a password stays valid. Once the password has expired, the user is required to set a new one at the next login; if the user does not, the login is refused.

For example, to set the password validity period to 30 days, use chage to set the time limit on the account.
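As an added example (not code from the original page), the check an administrator runs before and after applying the 30-day limit: a POSIX sh script that reads the aging fields of /etc/shadow, reports which passwords are locked, unlimited, expired or still valid as of a given day, and prints the chage commands that bring unlimited accounts under the limit. The three shadow lines are constructed, with the hash field shortened to "$6$x"; the day numbers and the account names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate password aging from
# shadow-format input and emit the chage commands that impose a 30-day maximum.
# Field layout: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (lastchange is in days since 1970-01-01, the unit "date +%s" / 86400 gives).
# The three lines are constructed sample data.

SAMPLE_SHADOW='zqq:$6$x:19700:0:30:7:::
ops:$6$x:19600:0:99999:7:::
tmp:!!:19690:0:30:7:::'

MAX_DAYS=30

# Print "name<TAB>state" for every account, evaluated as of day $1:
#   locked          hash starts with ! or * (passwd -l, usermod -L, or no password)
#   never-expires   max field empty or 99999 (the shadow convention for "no limit")
#   expired         lastchange + max is already behind today; login forces a new password
#   ok(N days left) otherwise
password_state() {
    awk -F: -v today="$1" '
        $2 ~ /^[!*]/            { print $1 "\tlocked"; next }
        $5 == "" || $5 >= 99999 { print $1 "\tnever-expires"; next }
        {
            left = $3 + $5 - today
            if (left < 0) print $1 "\texpired"
            else          print $1 "\tok(" left " days left)"
        }'
}

# Commands (printed, not run) that put unlimited accounts under MAX_DAYS.
# PASS_MAX_DAYS in /etc/login.defs only applies to accounts created afterwards,
# so existing accounts need chage -M one by one.
enforce_max_days() {
    password_state "$1" | while read -r user state; do
        case "$state" in
            never-expires) echo "chage -M $MAX_DAYS $user" ;;
        esac
    done
}

# Usage on a live system (as root; the day number comes from the system clock):
#   today=$(( $(date +%s) / 86400 ))
#   password_state "$today" < /etc/shadow
#   enforce_max_days "$today" < /etc/shadow    # review the output, then run it
#   chage -l zqq                               # confirm the new maximum
printf '%s\n' "$SAMPLE_SHADOW" | password_state 19725
```

Evaluated on day 19725 the sample shows zqq with five days left, ops with no limit at all and tmp locked; fifteen days later zqq reports expired, which is the state in which the next login demands a new password.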

3) command history and automatic logout:

The command history mechanism of the shell is a great convenience, but it also records every command typed, including any passwords or tokens passed as command-line arguments, so anyone who can read a user's history file (or a copy of it) learns them as well.

In the Bash terminal environment the number of history commands kept is controlled by the HISTSIZE variable, whose default value is 1000. Setting HISTSIZE in /etc/profile changes it for every user on the system.

For example, to keep at most 150 history entries, edit /etc/profile (the change applies to users who log in after it is made):

[root@www.bkjia.com ~]# vim /etc/profile

In addition, you can add a statement that clears the command history to the ~/.bash_logout file.

For example, to delete the recorded history when the user logs out of the Bash environment:

[root@www.bkjia.com ~]# vim ~/.bash_logout

In the Bash terminal environment you can also set an idle timeout: if no input arrives within the specified time, the terminal is logged out automatically.

The idle timeout is controlled by the TMOUT variable, whose unit is seconds.

Think twice before setting TMOUT in sessions used for compiling program code or editing system configuration; if it gets in the way, run the command unset TMOUT to cancel it. Note that this also means any user can remove the timeout unless the administrator has declared the variable readonly, so on its own TMOUT is a convenience safeguard rather than an enforced control.
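The two files this section describes, generated and staged by an added example script (not code from the original page): a drop-in for /etc/profile.d/ that sets the history limit and the idle timeout, and a ~/.bash_logout that clears the session history. The 150-entry limit is the page's value; the 600-second timeout, the file name hardening.sh and the staging-directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): write the profile drop-in and the
# logout script into a staging directory and show what a new login shell sees.
# Copy profile.d/hardening.sh to /etc/profile.d/ and bash_logout to each user's
# ~/.bash_logout (or /etc/skel/.bash_logout for future users) once reviewed.

HIST_LIMIT=150     # the page's value
IDLE_SECONDS=600   # assumed; the page gives no number

# Contents for /etc/profile.d/hardening.sh. Read by every new login shell; sessions
# that are already open keep their old values until the user logs in again.
profile_snippet() {
    cat <<EOF
# keep at most $HIST_LIMIT commands in memory and in ~/.bash_history
# (bash defaults HISTFILESIZE to HISTSIZE; both are set so the on-disk cap is explicit)
export HISTSIZE=$HIST_LIMIT
export HISTFILESIZE=$HIST_LIMIT
# end an interactive shell after $IDLE_SECONDS seconds without input
export TMOUT=$IDLE_SECONDS
# uncomment to stop users from running "unset TMOUT"; the escape hatch for long
# editing sessions then no longer works
# readonly TMOUT
EOF
}

# Contents for ~/.bash_logout. bash runs this file when a login shell exits (also
# after a TMOUT auto-logout) before it writes the history file, so "history -c"
# empties what gets saved. With "shopt -s histappend" entries from earlier sessions
# that are already on disk survive and must be removed separately.
logout_snippet() {
    cat <<'EOF'
history -c
EOF
}

# Write both files under $1 and print the values a shell sourcing the drop-in sees.
# The drop-in is sourced in a subshell so this shell's own TMOUT is left alone.
install_to() {
    dir="$1"
    mkdir -p "$dir/profile.d"
    profile_snippet > "$dir/profile.d/hardening.sh"
    logout_snippet  > "$dir/bash_logout"
    ( . "$dir/profile.d/hardening.sh" && echo "HISTSIZE=$HISTSIZE TMOUT=$TMOUT" )
}

stage=$(mktemp -d)
install_to "$stage"
rm -rf "$stage"
```

The staging step lets you confirm the exact values a fresh login would pick up before touching /etc/profile.d/; users already logged in keep HISTSIZE=1000 and no timeout until their next login.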
