Security Protection for a system is a very important task. To be a qualified system administrator, you must have knowledge about Linux security protection. Linux security protection is essential for administrators. We can start from some aspects:
1. Add a boot password for LILO
Add options to the/etc/lilo. conf file so that LILO requires a password when starting to enhance system security. The specific settings are as follows:
Boot =/dev/hda
Map =/boot/map
Install =/boot. B
Time-out = 60 # Wait 1 minute
Prompt
Default = Linux
Password =
# Password settings
Image =/boot/vmlinuz-2.2.14-12
Label = Linux
Initrd =/boot/initrd-2.2.14-12.img
Root =/dev/hda6
Read-only
Note that the password in LILO is stored in plaintext
The file attribute of lilo. conf is set to read and write only by root.
# Chmod 600/etc/lilo. conf
Of course, you also need to make the following settings
The change to lilo. conf takes effect. #/Sbin/lilo-v
2. Set the Minimum Password Length and Minimum Password Use Time.
Password is the main means to authenticate users in the system. The default minimum password length during system installation is usually 5. To ensure that the password is not easy to guess, you can increase the minimum password length, at least 8. To this end, modify the parameter PASS_MIN_LEN in the/etc/login. defs file. At the same time, the password usage time should be limited to ensure regular password replacement. We recommend that you modify the PASS_MIN_DAYS parameter.
3. User logout upon timeout
If you forget to log out of your account when you leave, the system may have security risks. You can modify the/etc/profile file to ensure that the account is automatically canceled from the system after it has not been operated for a period of time.
Edit the/etc/profile file and add the following line in the next line of "HISTFILESIZE =": TMOUT = 600
All users will log out automatically after 10 minutes of no operation.
4. prohibit access to important files
You can modify attributes of key files such as inetd. conf, services, and lilo. conf in the system to prevent accidental modification and viewing by common users.
First, change the file attribute to 600: # chmod 600/etc/inetd. conf.
Ensure that the owner of the file is root, and set it as unchangeable: # chattr + I/etc/inetd. conf
In this way, any changes to the file will be prohibited.
You can only modify the reset flag after the root user resets the reset flag: # chattr-I/etc/inetd. conf
5. Allow and disable remote access
In Linux, you can use the/etc/hosts. allow and/etc/hosts. deny files to allow and disable remote host access to local services. The common practice is:
(1) edit the hosts. deny file and add the following lines: # Deny access to everyone.
ALL: ALL @ ALL
All services are prohibited from all external hosts unless specified by the hosts. allow file.
(2) edit the hosts. allow file and add the following lines: # Just an example:
Ftp: 202.84.17.11 xinhuanet.com
The server with the IP address 202.84.17.11 and host name xinhuanet.com is allowed to access the FTP service as the Client.
(3) After the settings are complete, use tcpdchk to check whether the settings are correct.
6. Limit the Shell Command record size
By default, bash shell stores up to 500 Command records in the file $ HOME/. bash_history (the default number of records varies depending on the system ). In the system, each user's home directory has such a file. I strongly recommend that you limit the size of this file.
You can edit the/etc/profile file and modify the options as follows: HISTFILESIZE = 30 or HISTSIZE = 30
7. DELETE Command records when logging out
Edit the/etc/skel/. bash_logout file and add the following line: rm-f $ HOME/. bash_history
In this way, all users in the system will delete their command records when logging out.
If you only need to set a specific user, such as the root user, you can only modify the/$ HOME/. bash_history file in the user's HOME directory and add the same row.
8. disable unnecessary SUID programs
SUID allows common users to execute a program as root, so such programs in the system should be strictly controlled.
Find out the program with s-bit root: # find/-type f (-perm-04000-o-perm-02000)-print | less
Prohibit unnecessary programs: # chmod a-s program_name
9. Check the information displayed at startup.
When a Linux system is started, a large series of boot information will be rolled over on the screen. If a problem occurs when the system is started, run the following command to check the problem: # dmesg> bootmessage
This command will redirect the information displayed at startup to a file bootmessage.
10. Disk Space Maintenance
Checking disk space frequently is necessary to maintain the Linux File System. In Linux, the most frequently used commands for disk space maintenance are df and du.
The df command mainly checks the usage of the file system. The common usage is: # df-k
Filesystem 1k-blocks Used Available Use % Mounted on
/Dev/hda3 1967156 1797786 67688 96%/
Run the "du" command to check disk space occupied by files, directories, and sub-directories. Generally, the "-s" option is used to display only the total disk space occupied by directories, the following sub-directories occupy disks. % Du-s/usr/X11R6 /*
34490/usr/X11R6/bin
1/usr/X11R6/doc
3354/usr/X11R6/include
I believe that if a Linux administrator can fully consider the above aspects for Linux security protection, the machines managed by him will have a high security factor.