Startup and login security
1. BIOS security
Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.
2. User password
The user password is the basic starting point for Linux security. Many people use passwords that are too simple, which opens the door to intruders. In theory, given enough time and resources, no user password is uncrackable, but a properly chosen password is still difficult to crack. A good user password is a string of characters that only its owner can easily remember and understand, and it should never be written down anywhere.
3. Default account
All default accounts that are created by the operating system itself and are not necessary should be disabled. Do this when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is.
1. Delete redundant users and user groups
The code is as follows:
    # Delete unnecessary users (review the list first: vi /etc/passwd)
    userdel adm
    userdel lp
    userdel sync
    userdel shutdown
    userdel halt
    userdel news
    userdel uucp
    userdel operator
    userdel games
    userdel gopher
    userdel ftp
    # Delete unnecessary user groups (review the list first: vi /etc/group)
    groupdel adm
    groupdel lp
    groupdel news
    groupdel uucp
    groupdel games
    groupdel dip
    groupdel pppusers
2. Delete logon information
By default, the logon prompt includes the Linux release, kernel version, and server host name. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local and comment out the following lines that output system information.
The code is as follows:
    # This will overwrite /etc/issue at every boot. So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    #echo "" > /etc/issue
    #echo "$R" >> /etc/issue
    #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
    #cp -f /etc/issue /etc/issue.net
    #echo >> /etc/issue
Then, perform the following operations:
    rm -f /etc/issue
    rm -f /etc/issue.net
    touch /etc/issue
    touch /etc/issue.net
3. Modify the password file attributes
The code is as follows:
    # Add the immutable attribute to prohibit modification
    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/group
    chattr +i /etc/gshadow
    # Remove the attribute (required before users or groups can be changed again)
    # chattr -i /etc/passwd
    # chattr -i /etc/shadow
    # chattr -i /etc/group
    # chattr -i /etc/gshadow
3. Disable the [Ctrl + Alt + Delete] Restart command
The code is as follows:
    vi /etc/inittab
    # Comment out the following line:
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
    # Set the file permissions in the /etc/rc.d/init.d/ directory
    chmod -R 700 /etc/rc.d/init.d/*
4. Prevent ping by others
The code is as follows:
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    # Or use the firewall to disable (discard) ICMP packets
    iptables -A INPUT -p icmp -j DROP
1. Modify the SSH Port
The code is as follows:
    vi /etc/ssh/sshd_config
    # Change the port from the default
    Port 22
    # Uncomment this line: accounts with a blank password must not log on to the server
    PermitEmptyPasswords no
    # After two failed attempts, the client has to log on through SSH again
    MaxAuthTries 2
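A check for the three sshd_config settings above, as an added example that is not part of the original page. The function names `sample_conf`, `sshd_values` and `audit_sshd` and the sample configuration are made up for illustration; the MaxAuthTries limit of 2 is taken from the "twice" in the text above.

```sh
# Constructed sample configuration, not taken from a real host.
sample_conf() {
cat <<'EOF'
# /etc/ssh/sshd_config (sample)
Port 22
#PermitEmptyPasswords no
MaxAuthTries 6
maxauthtries 2
Match User backup
    MaxAuthTries 1
EOF
}

# sshd_values KEYWORD: read a config on stdin and print each value set for
# KEYWORD in the global section, in file order. Keywords are matched
# case-insensitively; parsing stops at the first Match block, so Match
# overrides are not evaluated here.
sshd_values() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { print f[2] }
    '
}

# audit_sshd: read a config on stdin and print one line per finding.
audit_sshd() {
    conf=$(cat)
    ports=$(printf '%s\n' "$conf" | sshd_values Port)
    empty=$(printf '%s\n' "$conf" | sshd_values PermitEmptyPasswords | head -n 1)
    tries=$(printf '%s\n' "$conf" | sshd_values MaxAuthTries | head -n 1)
    # sshd uses the first value it reads for a keyword, and its defaults
    # (Port 22, PermitEmptyPasswords no, MaxAuthTries 6) when none is set.
    printf '%s\n' "${ports:-22}" | grep -qx 22 && echo "Port: sshd listens on 22"
    [ "${empty:-no}" = no ] || echo "PermitEmptyPasswords: $empty"
    [ "${tries:-6}" -le 2 ] || echo "MaxAuthTries: ${tries:-6} (want 2 or less)"
    return 0
}
```

Run it as `audit_sshd < /etc/ssh/sshd_config`. In the sample, the later `maxauthtries 2` line has no effect because the earlier value of 6 wins; on a live host, `sshd -T` prints the configuration the daemon actually uses.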
2. Automatic logout without any operation within 5 minutes:
The code is as follows:
    vim /etc/profile
    # Log out automatically after 5 minutes (300 seconds) without any operation
    export TMOUT=300
    # Find HISTSIZE=1000 and change it to:
    HISTSIZE=100
    # This reduces the history log to a size in KB. If it holds too much content, it is easy to leak important information.
3. Modify file attributes
The code is as follows:
    # Only root users can use rpm to install software packages
    chmod 700 /bin/rpm
    chmod 664 /etc/hosts
    chmod 644 /etc/passwd
    chmod 644 /etc/exports
    chmod 644 /etc/issue
    chmod 664 /var/log/wtmp
    chmod 664 /var/log/btmp
    chmod 644 /etc/services
    chmod 600 /etc/shadow
    chmod 600 /etc/login.defs
    chmod 600 /etc/hosts.allow
    chmod 600 /etc/hosts.deny
    chmod 600 /etc/securetty
    chmod 600 /etc/security
    chmod 600 /etc/ssh/ssh_host_key
    chmod 600 /etc/ssh/sshd_config
    chmod 600 /var/log/lastlog
    chmod 600 /var/log/messages
4. Prohibit users from pinging the server (ping gets no response)
The code is as follows:
    # Disable ping
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    # Allow ping again
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
5. Disable IP spoofing
The code is as follows:
    vi /etc/host.conf
    # Add:
    nospoof on
6. Prevent DOS attacks:
The code is as follows:
    vi /etc/security/limits.conf
    # Add the following configurations:
    * hard core 0
    * hard rss 10000
    * hard nproc 20
Adjust the values above to your own needs.
7. The more complex the root account password, the better:
7.1. It contains uppercase and lowercase letters;
7.2. It contains numbers;
7.3. It contains other characters (symbols);
7.4. Do not use your own birthday or other letters, numbers, and characters that are frequently associated with you.
9. Block junk IP addresses
The code is as follows:
    more /var/log/secure
First, use the preceding command to identify the junk IP addresses that are trying to log on to the server remotely.
Then edit the deny file:
    vi /etc/hosts.deny
Add:
    sshd: 61.131.47.157
This takes 61.131.47.157 as an example. Save the file.
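The review of /var/log/secure described above can be scripted. This is an added example, not part of the original page: the function names, the sample log lines and the default threshold of 3 failures are assumptions, and the output is meant to be reviewed before anything is appended to /etc/hosts.deny.

```sh
# Constructed sample in the sshd line format found in /var/log/secure.
# Addresses come from the documentation ranges, not from real hosts.
sample_log() {
cat <<'EOF'
Mar  3 02:11:07 web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar  3 02:11:09 web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar  3 02:11:12 web01 sshd[4125]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar  3 02:14:40 web01 sshd[4188]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 02:14:52 web01 sshd[4188]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 02:20:01 web01 sshd[4230]: Failed password for invalid user test from 192.0.2.99 port 33871 ssh2
Mar  3 02:20:03 web01 sshd[4230]: Failed password for invalid user test from 192.0.2.99 port 33871 ssh2
EOF
}

# deny_candidates [MIN]: read log lines on stdin, count "Failed password"
# events per source address and print "sshd: ADDR" for every address with
# at least MIN failures (default 3), in the /etc/hosts.deny syntax.
deny_candidates() {
    awk -v min="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the client and may itself contain
            # " from ...", so take the address after the LAST "from".
            for (i = NF - 1; i > 0; i--)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print "sshd: " ip
        }
    ' | sort
}

# new_entries DENY_FILE [MIN]: as above, minus lines already in DENY_FILE.
new_entries() {
    deny_candidates "${2:-3}" | grep -vxF -f "$1" || [ "$?" -eq 1 ]
}
```

For example, `new_entries /etc/hosts.deny 5 < /var/log/secure` lists only the addresses that are not blocked yet. The single failed attempt by a user who then logs in successfully stays below the threshold and is not listed.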
Attack Prevention
1. Prevent ping. If no one can ping your system, security naturally increases. To do this, add the following line to the /etc/rc.d/rc.local file:
The code is as follows:
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
Edit the host.conf file and add the following lines to prevent IP spoofing attacks.
The code is as follows:
    order bind,hosts
    multi off
    nospoof on
3. Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and the memory usage, can prevent DoS attacks. For example, you can add the following lines to /etc/security/limits.conf:
The code is as follows:
    * hard core 0
    # The rss line may be useless: man limits.conf describes it as
    # "maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)"
    * hard rss 5000
    * hard nproc 50
Then, you must edit the /etc/pam.d/login file and check whether the following line exists.
The code is as follows:
    session required /lib/security/pam_limits.so
The preceding settings prohibit core (debugging) files and limit the maximum number of processes to 50 and the memory usage to 5 MB.
After the preceding settings, your Linux server can be immune to the vast majority of known security issues and network attacks. However, a good system administrator must always pay attention to network security trends and fix exposed and potential security vulnerabilities at any time.