Several small steps to build a Secure Linux System

Source: Internet
Author: User

1. LILO security settings

vi /etc/lilo.conf.anaconda // edit the LILO configuration file
====================================================================
......
restricted // add this line
password=111111 // add this line and set the password to 111111 (replace it with a password of your own)
......
====================================================================
chmod 600 /etc/lilo.conf.anaconda // readable only by root, since the file now holds the boot password
/sbin/lilo -v // rerun lilo so the change takes effect
chattr +i /etc/lilo.conf.anaconda // make the LILO configuration file immutable

2. Set the default password length and password validity period

vi /etc/login.defs // edit the login.defs file
====================================================================
......
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8 // raise the minimum password length to 8 characters
PASS_WARN_AGE 7 // warn the user 7 days before the password expires
====================================================================

3. Remove accounts that have no password

vi /etc/passwd // inspect the passwd file
====================================================================
......
elain::500:501:elain:/home/elain:/bin/bash
......
====================================================================
// The second field of the elain entry is blank, which means the account has no password at all; this is very dangerous. Delete the account or set a password for it. On a system that uses shadow passwords the field in /etc/passwd holds only "x", so apply the same check to the second field of /etc/shadow.

4. Special account handling: delete unneeded users and groups
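Before deleting anything it helps to audit first. The following shell script is an added example, not part of the original article: it checks a passwd-format file for the two conditions described in section 3 and in this section, namely entries whose password field is empty and the default system accounts this section lists for removal when they are not needed. The passwd lines are constructed sample data, and the account list is the one given in this section.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd-format file
# for (1) accounts with an empty password field (section 3) and
# (2) default accounts the article suggests removing when unused (section 4).

# Accounts section 4 lists for removal (lowercase, as they appear in /etc/passwd).
REMOVABLE_ACCOUNTS="adm lp sync shutdown halt mail news uucp operator games gopher ftp"

# Print user names whose second field (the password) is empty.
find_empty_password_accounts() {
    # $1: passwd- or shadow-format file (field 2 is the password in both)
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print user names from file $1 that appear in the removable list.
find_removable_accounts() {
    for name in $REMOVABLE_ACCOUNTS; do
        awk -F: -v n="$name" '$1 == n { print $1 }' "$1"
    done
}

# Constructed sample passwd file; not real system content.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
elain::500:501:elain:/home/elain:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
guest::501:501:guest:/home/guest:/bin/bash
EOF

echo "Accounts with an empty password field:"
find_empty_password_accounts "$SAMPLE_PASSWD"
echo "Default accounts present on this system:"
find_removable_accounts "$SAMPLE_PASSWD"
# On a real host, as root: find_empty_password_accounts /etc/shadow
```

Run the empty-password check against /etc/shadow rather than /etc/passwd on any system with shadow passwords, because there the hash (or its absence) lives in the shadow file.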
The commands are:
Delete a user: userdel username
Delete a group: groupdel groupname
Delete the following users:
adm
lp
sync
shutdown
halt
mail
--------------
news
uucp
operator
games // can be deleted if there is no mail server
--------------
gopher // delete if there is no X Window server
ftp // delete if anonymous FTP access is not allowed

5. Permissions and file system

lsattr // list file attributes
chattr // change file attributes
a // append-only: data can only be added to the file
i // immutable: the file cannot be changed
Protect the key system files as follows:
passwd
passwd- (backup copy)
shadow
shadow- (backup copy)
xinetd.conf
services
lilo.conf, and so on
Example: chmod 600 /etc/xinetd.conf // readable and writable only by its owner, root
chattr +i /etc/xinetd.conf // the file can no longer be modified (chattr -i removes the attribute again when you need to edit it)

6. Restrict the resources the system allows users

vi /etc/security/limits.conf
====================================================================
......
Add or modify the following lines:
* hard core 0 // no core files can be created
* hard rss 5000 // limits resident memory to 5 MB for every user except root
* hard nproc 20 // limits each user to at most 20 processes
......
====================================================================

vi /etc/pam.d/login
====================================================================
......
session required /lib/security/pam_limits.so
// Add the above line at the end of the file so that the limits are applied at login.

7. Automatically log out idle accounts

vi /etc/profile
========================================================== ==============
......
HOSTNAME=`/bin/hostname`
HISTSIZE=1000 // number of commands kept in the shell history; the smaller the value, the better
TMOUT=300 // add this line: a shell that has been idle for five minutes (300 seconds) is logged out automatically

8. Security settings for the /etc/securetty file

vi /etc/securetty
========================================================== ================
tty1
#tty2
......
#tty11 // comment out every tty except tty1 in the default file, so that root can log in only on the tty1 terminal
9. Ignore external PING requests to reduce exposure to ping-based attacks

vi /etc/rc.d/rc.local
========================================================== ================
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
// Add the above line so that the system does not answer any external PING (ICMP echo) request. Note that this also stops legitimate reachability checks against the host.

10. Restrict the display of system version information

When a user logs in to the Linux system, the login banner shows the Linux release, the kernel version and the host name.
vi /etc/rc.d/rc.local
========================================================== ==================
Make sure the following lines are commented out with "#", as shown (they rewrite /etc/issue on every boot):
......
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
......
Then run the following commands:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
You can also handle a single service such as telnet by editing /etc/inetd.conf:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
With the -h option, the system version information is no longer shown when someone telnets to the server; only the "login:" prompt appears.

11. Set /etc/host.conf to prevent IP spoofing

vi /etc/host.conf
====================================================================
......
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We don't have machines with multiple IP addresses on the same card
# (like virtual server, IP Aliasing).
multi off
# Check for IP address spoofing.
nospoof on
IP spoofing: IP spoofing is a security exploit that works by tricking computers in a trust relationship into believing that you are someone that you really aren't.
// Add the above lines to guard against IP spoofing attacks.

12. Disable su to root

vi /etc/pam.d/su
====================================================================
......
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=elain
====================================================================
Add the above two lines to the file; only members of the elain group can then use su to become root.
If you want the user admin to be allowed to become root, run:
# usermod -G 10 admin
(gid 10 is the wheel group on Red Hat; with group=elain in the pam_wheel line above, the user has to be a member of the elain group instead.)

13. Do not allow CTRL+ALT+DEL to restart the server

vi /etc/inittab
......
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now // comment out this line with "#"
Then run:
# /sbin/init q

14. Delete the command history on logout

vi /etc/skel/.bash_logout
====================================================================
rm -f $HOME/.bash_history

15. Common service commands, to make sure the enabled services are secure

grep -v "#" /etc/services // show the service entries that are not commented out
ps -eaf | wc -l // count the processes currently running on the system
netstat -na // view the currently open connections and listening sockets
netstat -an | grep LISTEN // check whether a suspicious port is listening
You can also run:
chattr +i /etc/services // make the file immutable
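The netstat check above tells you what is listening but not whether it should be. The following shell script is an added example, not part of the original article: it parses "netstat -an"-style output for LISTEN sockets and reports any listening port that is not on an allowlist of expected services. The netstat lines in it are constructed sample output, not captured from a real host, and the allowlist of ports 22, 25 and 80 is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: flag listening ports that
# are not on an allowlist, using the fixed column layout of "netstat -an".

# Read netstat output on stdin; print "proto port" for every LISTEN line.
# Column 4 is the local address; the port is whatever follows the last ":",
# which also handles IPv6 forms such as ":::80".
listening_ports() {
    awk '$NF == "LISTEN" {
        n = split($4, a, ":")
        print $1, a[n]
    }'
}

# Read "proto port" lines on stdin; print those whose port is not in the
# space-separated allowlist given as $1.
unexpected_ports() {
    allow=" $1 "
    while read -r proto port; do
        case "$allow" in
            *" $port "*) ;;                 # expected service, stay quiet
            *) echo "$proto $port" ;;       # not on the allowlist: report it
        esac
    done
}

# Constructed sample netstat output (not from a real machine).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Run the sample through both stages with the assumed allowlist.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | unexpected_ports "22 25 80"
}

check_sample
# Real use on a host: netstat -an | listening_ports | unexpected_ports "22 25 80"
```

The allowlist is the part worth maintaining: keep it in sync with the services you intentionally run, so that anything new that appears in LISTEN state shows up in the report instead of blending in.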
Scripts that run at startup: on Red Hat they live in /etc/rc.d/rc3.d (or rc5.d for the graphical run level), and the script name encodes the start order.
K means the process is killed (stopped)
S means the service is started
To keep a service from starting at boot, change the upper-case "S" at the start of its script name to a lower-case "s".
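The following shell script is an added example, not part of the original article, showing the S/s renaming described above on a throwaway directory instead of a real /etc/rc.d/rc3.d. The directory and its script names are constructed for the demonstration. This mechanism belongs to SysV init; a systemd-based distribution does not use these directories.

```shell
#!/bin/sh
# Added example, not from the original article: inspect a SysV rc directory
# such as /etc/rc.d/rc3.d. Scripts whose name starts with "S" are started
# at boot and "K" scripts are stopped; renaming S to s keeps the script in
# place but makes init skip it.

# Print the service name of every script that will be started (S prefix).
list_enabled_services() {
    # $1: rc directory
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] || continue
        basename "$f" | sed 's/^S[0-9][0-9]//'
    done
}

# Rename S<NN><name> to s<NN><name> so the service is no longer started.
disable_startup_script() {
    # $1: rc directory, $2: service name (for example ypserv)
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || continue
        mv "$f" "$1/s$(basename "$f" | cut -c2-)"
    done
}

# Constructed rc directory so the functions run without touching a real host.
RC_DIR=$(mktemp -d)
for s in S10network S55sshd S60ypserv K20ypbind; do
    : > "$RC_DIR/$s"
done

echo "Started at boot before the change:"
list_enabled_services "$RC_DIR"
disable_startup_script "$RC_DIR" ypserv
echo "Started at boot after disabling ypserv:"
list_enabled_services "$RC_DIR"
```

Listing the S scripts this way before and after a change gives a quick record of what the run level will actually start, which is easier to review than the raw directory listing.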
Note: the following three services have many vulnerabilities, and we strongly recommend that you turn them off.
yppasswdd (NIS server)
ypserv (NIS server)
nfs (NFS server)

16. Linux firewall security configuration

system-config-securitylevel

17. Linux system security tools

Sxid: checks the system for suid and sgid files and for files without an owner
Skey: one-time password tool
Logrotate: log rotation tool
Logcheck: log management tool
Swatch: a log monitoring tool that works closer to real time than logcheck
Ssh (OpenSSH): provides securely authenticated, encrypted connections
Portsentry: anti-scan tool that monitors UDP and TCP ports
Tripwire: system integrity checking
GnuPG: encrypts individual files and creates digital signatures
Hostsentry: host-based intrusion detection that records connections in logs
Ipchains: packet-filtering firewall shipped with the Linux distribution
Anti-sniff: anti-sniffing tool that checks whether a sniffer is present on the network
FreeS/WAN: a VPN tool for Linux
Syslog-ng: a logging system that replaces syslog
Scandns: DNS checking and tracing tool
Whisker: CGI scanner
Snoopy: logs every execve system call, recording the commands that were run
Krnsniff: a kernel-based sniffing module
Iptables: packet-filtering firewall that replaces ipchains
Imsafe: detects buffer overflows and similar problems by tracing system calls
Iplog: logs sent and received packets
Solar Designer's kernel patch (Openwall): prevents buffer overflow exploitation
StackGuard: GCC patch that prevents buffer overflows
DTK: Deception Toolkit, a defensive honeypot
Antiroute: route-based tracing
====================================================================
Collected from the network in the hope of being of some help to Linux enthusiasts.
If you have better suggestions, please add them!
