Linux security is becoming more and more important. Here I want to write down some basic Linux security measures that I usually apply, to discuss them with you and make our Linux systems more reliable.
1. BIOS Security Settings
This is the most basic and simplest step. Set a password on the BIOS and change the boot order so that the machine cannot be started from a floppy disk. This stops someone from booting your system with a special boot disk, and stops anyone from entering the BIOS and changing the hardware settings at will.
2. LILO Security Settings
LILO is short for LInux LOader, the boot loader of Linux. It is configured through the "/etc/lilo.conf" file. Add the two parameters restricted and password to /etc/lilo.conf, so that the system demands a password at the LILO prompt. Note that with restricted set, LILO only asks for the password when extra parameters (for example single) are typed at the boot prompt; a plain boot of the default image still proceeds without it.
Step 1: edit the lilo.conf file (vi /etc/lilo.conf). The three lines to change or add (timeout, restricted and password) are marked with comments:

```
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00          # set this line to 00 so the system boots Linux at once instead of waiting
message=/boot/message
linear
default=linux
restricted          # add this line
password=           # add this line and fill in your own password
image=/boot/vmlinuz-2.4.2-2
        label=linux
        root=/dev/hda6
        read-only
```
Step 2: because the "/etc/lilo.conf" file now contains a clear-text password, make it readable by root only:

```
# chmod 0600 /etc/lilo.conf
```
Step 3: run lilo so that the change to "/etc/lilo.conf" is written to the boot sector:

```
# /sbin/lilo -v
```
Step 4: use the "chattr" command to make the "/etc/lilo.conf" file immutable:

```
# chattr +i /etc/lilo.conf
```

To some extent this prevents accidental or unauthorized changes to "/etc/lilo.conf"; note that root can still remove the attribute again with chattr -i.
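The following audit script is an added example and is not code from the original article: it parses the global section of a lilo.conf and reports whether the four steps above were applied (restricted present, a non-empty password= line, timeout of 00, and file mode 0600 because the password is stored in clear text). The sample configuration embedded in it is constructed for the demonstration; the password value is a placeholder.

```python
"""Audit a lilo.conf against the hardening steps described above.

Added example, not from the original article. `audit_lilo_text` works on
text plus a mode so it can be run on constructed input; `audit_lilo_conf`
reads a real file.
"""
import os
import stat

REQUIRED_FLAGS = {"restricted"}
REQUIRED_KEYS = {"password"}

# Constructed sample: the article's configuration with a placeholder password.
SAMPLE_LILO_CONF = """\
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00
message=/boot/message
linear
default=linux
restricted
password=PLACEHOLDER-PASSWORD
image=/boot/vmlinuz-2.4.2-2
        label=linux
        root=/dev/hda6
        read-only
"""


def parse_lilo_conf(text):
    """Return (flags, values) for the global section of a lilo.conf.

    Everything before the first `image=` stanza is global. Bare words are
    flags, `key=value` pairs go into values. `#` starts a comment (a password
    containing `#` would need quoting, which this parser does not handle).
    """
    flags, values = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if key == "image":
            break  # per-image options are not audited here
        if sep:
            values[key] = value.strip()
        else:
            flags.add(key)
    return flags, values


def audit_lilo_text(text, mode):
    """Return a list of findings for the config text and its file mode bits.

    An empty list means the file satisfies all four steps.
    """
    findings = []
    flags, values = parse_lilo_conf(text)
    for flag in sorted(REQUIRED_FLAGS - flags):
        findings.append(f"missing '{flag}' in global section")
    for key in sorted(REQUIRED_KEYS - set(values)):
        findings.append(f"missing '{key}=' in global section")
    if "password" in values and not values["password"]:
        findings.append("'password=' is present but empty")
    if values.get("timeout", "") not in ("0", "00"):
        findings.append("timeout is not 00; the boot prompt waits for input")
    if mode & 0o077:
        findings.append(
            f"mode is {mode:04o}, expected 0600 (file holds a clear-text password)")
    return findings


def audit_lilo_conf(path="/etc/lilo.conf"):
    """Audit a real lilo.conf file on disk."""
    with open(path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_lilo_text(text, mode)


if __name__ == "__main__":
    # Run against the constructed sample as if it had mode 0644.
    for finding in audit_lilo_text(SAMPLE_LILO_CONF, 0o644) or ["OK"]:
        print(finding)
```

Run `audit_lilo_conf()` as root on a real system to check the installed file; the immutable attribute from step 4 is not visible through `os.stat`, so verify it separately with `lsattr /etc/lilo.conf`.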
3. Make passwords more secure
Passwords are the first line of defense of the system. At present, most attacks on systems on the Internet start with intercepting or guessing a password, so we should choose safer passwords.
First, make sure there are no accounts without passwords. You can find them by looking at the /etc/passwd file. For example, if the account with the user name "test" has no password, its line in /etc/passwd looks like this:

```
test::100:9::/home/test:/bin/bash
```

The second field is empty, which means the account test has no password; this is very dangerous! Delete such accounts or set a password for them.
Secondly, in older versions of Linux the encrypted password is stored in the /etc/passwd file itself, which is readable by everyone, so the simplest attack is to copy those hashes and crack them by brute force. Use /usr/sbin/pwconv and /usr/sbin/grpconv to create the /etc/shadow and /etc/gshadow files; after that /etc/passwd no longer contains the encrypted passwords, which are kept in /etc/shadow, readable only by the root user!
Thirdly, change the shell of system accounts such as uucp, ftp and news, and of accounts that only need FTP access: do not give them a shell such as /bin/bash or /bin/sh. You can leave the shell field in /etc/passwd empty, or set it to /bin/false or /dev/null; the command usermod -s /dev/null username changes the shell of username to /dev/null. With these accounts nobody can log in to the system remotely through Telnet!
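The audit below is an added example, not code from the original article. It runs the three checks just described over passwd-format records: an empty password field, a password hash still stored in /etc/passwd instead of /etc/shadow, and a service account that has an interactive shell. The sample records are constructed for the demonstration (the hash value in the "old" record is a placeholder, not a real hash), and the set of service accounts is an assumption taken from the names the article mentions.

```python
"""Audit /etc/passwd records for the three checks above.

Added example, not from the original article. Feed it the contents of
/etc/passwd (open("/etc/passwd").read()) on a real system.
"""

# Accounts that only need a non-interactive service. The article names
# uucp, ftp and news; extend the set for your own system (assumption).
NON_INTERACTIVE = {"uucp", "ftp", "news"}

# Shell values that deny an interactive login.
NOLOGIN_SHELLS = {"", "/bin/false", "/dev/null", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample records.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "test::100:9::/home/test:/bin/bash\n"              # empty password field
    "ftp:x:14:50:FTP User:/var/ftp:/bin/bash\n"        # service account, real shell
    "news:x:9:13:news:/etc/news:/bin/false\n"          # fine
    "old:$1$PLACEHOLDER$hash:500:500::/home/old:/bin/sh\n"  # hash not shadowed
)


def audit_passwd(text):
    """Return a list of (line number, account, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed record (expected 7 fields)"))
            continue
        name, pw, _uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            findings.append((lineno, name, "empty password field: login needs no password"))
        elif pw not in ("x", "*") and not pw.startswith("!"):
            # "x" means the hash is in /etc/shadow; "*", "!" and "!!" are locked.
            findings.append((lineno, name, "password hash stored in /etc/passwd; run pwconv"))
        if name in NON_INTERACTIVE and shell not in NOLOGIN_SHELLS:
            findings.append((lineno, name, f"service account has interactive shell {shell}"))
    return findings


if __name__ == "__main__":
    for lineno, name, msg in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {msg}")
```

On the sample the script flags test, ftp and old and leaves root and news alone.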
Fourth, change the default minimum password length. When you install Linux the default minimum password length is 5 characters, which is not enough; set it to 8. To change the minimum length, edit the login.defs file (vi /etc/login.defs) and change the line

```
PASS_MIN_LEN 5
```

to

```
PASS_MIN_LEN 8
```
The login. defs file is the configuration file of the login program.
4. Log out of the account automatically
In Unix systems the root account has the highest privilege. If the system administrator forgets to log out of root before leaving the terminal, that is a major security risk, so the system should log the account out automatically. You can do this with the "TMOUT" parameter in your account, which is counted in seconds. Edit your profile file (vi /etc/profile) and add the following line after "HISTFILESIZE=":

```
TMOUT=300
```
300 means 300 seconds, that is, 5 minutes. If the logged-in user does nothing for five minutes, the system logs the account out automatically. You can also add this value to a user's .bashrc file to give that particular user a different automatic logout time.
After changing this setting you must log out and log back in for it to take effect.
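The helper below is an added example, not code from the original article, and covers both the PASS_MIN_LEN change in section 3 and the TMOUT line in section 4. It edits the file contents as text and returns the new text, so you can review the result before writing it back to /etc/login.defs or /etc/profile. The sample file contents are constructed. One addition beyond the article is an assumption made here: the TMOUT line is followed by `readonly TMOUT` and `export TMOUT`, because without `readonly` a user can simply run `unset TMOUT` in the shell and defeat the timeout.

```python
"""Edit login.defs and /etc/profile settings as text.

Added example, not from the original article. Sample contents are
constructed; real use reads and writes the files under /etc.
"""

SAMPLE_LOGIN_DEFS = (
    "# Password aging controls (constructed sample)\n"
    "#PASS_MIN_LEN\t6\n"          # commented example line, must be left alone
    "PASS_MAX_DAYS\t99999\n"
    "PASS_MIN_LEN\t5\n"
)

SAMPLE_PROFILE = (
    'PATH="$PATH:/usr/X11R6/bin"\n'
    "HISTFILESIZE=1000\n"
    "export PATH HISTFILESIZE\n"
)


def get_login_def(text, key):
    """Return the active value of `key` in login.defs text, or None."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == key:
            return parts[1] if len(parts) > 1 else None
    return None


def set_login_def(text, key, value):
    """Set `key value` in login.defs text.

    The first active definition is replaced, later duplicates are dropped,
    commented lines are kept as they are, and the key is appended if absent.
    """
    out, done = [], False
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == key:
            if not done:
                out.append(f"{key}\t{value}")
                done = True
            continue  # drop a later duplicate definition
        out.append(line)
    if not done:
        out.append(f"{key}\t{value}")
    return "\n".join(out) + "\n"


def add_tmout(profile_text, seconds=300):
    """Insert TMOUT after the HISTFILESIZE= line of /etc/profile text.

    Idempotent: if a TMOUT= line already exists the text is returned as is.
    readonly/export are an assumption added here, not from the article.
    """
    lines = profile_text.splitlines()
    if any(line.strip().startswith("TMOUT=") for line in lines):
        return profile_text
    block = [f"TMOUT={seconds}", "readonly TMOUT", "export TMOUT"]
    for i, line in enumerate(lines):
        if line.strip().startswith("HISTFILESIZE="):
            lines[i + 1:i + 1] = block
            break
    else:
        lines.extend(block)  # no HISTFILESIZE line: append at the end
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(set_login_def(SAMPLE_LOGIN_DEFS, "PASS_MIN_LEN", "8"))
    print(add_tmout(SAMPLE_PROFILE, 300))
```

To apply the change to the real files, read them, pass the text through these functions, and write the result back as root; keep a copy of the originals first.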
5. Cancel console access permissions of ordinary users
You should take away the permission of ordinary console users to run commands such as shutdown, reboot and halt:

```
# rm -f /etc/security/console.apps/<program>
```

where <program> is the name of the program you want to deregister.
6. Disable and remove all unused services
Disabling and removing every unused service gives you less to worry about. Check the "/etc/inetd.conf" file and comment out every service you do not need (add a "#" at the start of the service's line). Then send the inetd process the SIGHUP signal so that it re-reads "inetd.conf".
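The script below is an added example, not code from the original article. It comments out the chosen services in inetd.conf text, lists which services remain active, and, on a real system, reloads inetd by sending it SIGHUP (the step the article refers to). The sample inetd.conf and the set of services to disable are constructed for the demonstration; `reload_inetd` assumes the `pidof` command is available.

```python
"""Comment out unneeded inetd services and reload inetd.

Added example, not from the original article. The sample configuration
and the DISABLE set are constructed; pick your own list for a real host.
"""
import os
import signal
import subprocess

# Constructed sample in inetd.conf format.
SAMPLE_INETD_CONF = """\
#<service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
"""

# Services we decide are not needed (constructed choice for the sample).
DISABLE = {"telnet", "finger"}


def active_services(text):
    """Return the service names of all uncommented inetd.conf lines."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def disable_inetd_services(text, disable):
    """Prefix each active line for a service in `disable` with '#'.

    Returns (new_text, list_of_services_disabled). Already commented lines
    and unknown services are left untouched.
    """
    out, changed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            service = stripped.split()[0]
            if service in disable:
                out.append("#" + line)
                changed.append(service)
                continue
        out.append(line)
    return "\n".join(out) + "\n", changed


def reload_inetd():
    """Send SIGHUP to inetd so it re-reads /etc/inetd.conf.

    Assumes a running inetd and the `pidof` command; run as root.
    """
    pid = int(subprocess.check_output(["pidof", "inetd"]).split()[0])
    os.kill(pid, signal.SIGHUP)


if __name__ == "__main__":
    new_text, changed = disable_inetd_services(SAMPLE_INETD_CONF, DISABLE)
    print("disabled:", ", ".join(changed))
    print("still active:", ", ".join(active_services(new_text)))
    print(new_text)
```

For a real system, read /etc/inetd.conf, write the returned text back, and then call `reload_inetd()`; the printed list of services that are still active is the list you need to justify keeping.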