Ten Linux security protection measures

Source: Internet
Author: User

System security is critical to users, and Linux users are no exception. Based on my own Linux experience, I have summarized ten tips for enhancing the security of a Linux system.
1. Add a boot password for LILO

Add a password option to /etc/lilo.conf so that LILO asks for a password at boot time. Without it, anyone at the console can type "linux single" or "linux init=/bin/sh" at the LILO prompt and get a root shell without knowing any password. A typical configuration:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    timeout=60        # LILO counts in tenths of a second: 60 is 6 seconds
    prompt
    default=linux
    password=         # put the boot password after the "="
    image=/boot/vmlinuz-2.2.14-12
        label=linux
        initrd=/boot/initrd-2.2.14-12.img
        root=/dev/hda6
        read-only

Placed before the first image= stanza, as above, the password is global and applies to every image; placed inside a stanza it protects only that image. If you only want to block extra kernel parameters at the prompt, and not the normal boot, add the keyword "restricted" next to the password line: LILO then asks for the password only when parameters are typed.

Note that the password in lilo.conf is stored in plaintext, so the file must be readable and writable by root only:

    # chmod 600 /etc/lilo.conf

The change to lilo.conf does not take effect until the boot map is rewritten:

    # /sbin/lilo -v

A boot password stops only attacks that go through the LILO prompt. Someone who can boot from a floppy or CD-ROM, or remove the disk, bypasses it, so also set a BIOS password and lock the boot order.

2. Set the minimum password length and password lifetime

Passwords are the primary means of authenticating users to the system. The default minimum password length after installation is usually 5 characters; to make passwords harder to guess or brute-force, raise it to at least 8 by changing the PASS_MIN_LEN parameter in /etc/login.defs. To force regular password changes, set PASS_MAX_DAYS (the maximum number of days a password may be used) rather than PASS_MIN_DAYS, which only sets the minimum number of days between two changes and is useful to stop a user from changing a password and immediately changing it back.

Two caveats: the values in /etc/login.defs apply to accounts created after the change (use chage to update the ageing fields of accounts that already exist), and on systems that use PAM the minimum length enforced by passwd comes from the PAM password module (pam_cracklib or pam_pwquality), not from PASS_MIN_LEN.
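The following script is an added example and not part of the original article. It sets the password-ageing parameters in a login.defs file and reads them back, working on a constructed copy in a temporary directory so nothing on the host changes; pointing harden_login_defs at /etc/login.defs as root applies it for real. The values 8 / 90 / 1 / 7 are my assumptions; the article only asks for a minimum length of 8.

```shell
#!/bin/sh
# Added example (not from the original article): edit and read login.defs
# password-ageing settings. The demo below works on a constructed sample file.
set -eu

# get_login_def FILE KEY: print the value of KEY, or nothing if it is unset.
# Comment lines have "#" as their first field and therefore never match.
get_login_def() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# set_login_def FILE KEY VALUE: replace an existing KEY line in place, or
# append one. A temp file is used because "sed -i" differs between GNU
# and BSD sed.
set_login_def() {
  file=$1 key=$2 value=$3
  if [ -n "$(get_login_def "$file" "$key")" ]; then
    awk -v k="$key" -v v="$value" '$1 == k { print k "\t" v; next } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s\t%s\n' "$key" "$value" >> "$file"
  fi
}

# harden_login_defs FILE: minimum length 8, a change at least every 90 days,
# at most one change per day (so a user cannot cycle back to the old
# password), and a warning a week before expiry. Values are assumptions.
harden_login_defs() {
  set_login_def "$1" PASS_MIN_LEN  8
  set_login_def "$1" PASS_MAX_DAYS 90
  set_login_def "$1" PASS_MIN_DAYS 1
  set_login_def "$1" PASS_WARN_AGE 7
}

# Constructed sample with the usual installation defaults (not a real file).
demo=$(mktemp -d)
cat > "$demo/login.defs" <<'EOF'
# Password aging controls (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
EOF
harden_login_defs "$demo/login.defs"
cat "$demo/login.defs"
rm -rf "$demo"

# login.defs only affects accounts created from now on. For an existing
# account the same policy is applied with chage(1), as root:
#   chage -M 90 -m 1 -W 7 alice     # max days, min days, warning period
#   chage -l alice                  # show the account's current ageing values
```

The check at the top of set_login_def matters: login.defs is read as "first field is the key", so appending a second PASS_MIN_LEN line instead of replacing the first would leave the old value in effect.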

3. Log users out after a period of inactivity

A terminal left logged in while its user is away is an open door into the system. Edit /etc/profile so that an interactive shell that receives no input for a set time exits by itself: add the following line immediately after the line that begins with "HISTFILESIZE=":

    TMOUT=600

Every user will then be logged out automatically after 10 minutes without input (TMOUT is counted in seconds). Because a user can simply run "unset TMOUT" or reassign it, also mark the variable read-only in the same file (readonly TMOUT) and export it. TMOUT is honoured by bash and ksh but not by every shell, and it applies only to the shell itself: a program kept running in the foreground, such as an editor, holds the session open.

4. Protect important files from modification

Changing the attributes of key files such as /etc/inetd.conf, /etc/services and /etc/lilo.conf prevents accidental modification and stops ordinary users from reading them.

First set the file mode to 600 so that only the owner can read or write it:

    # chmod 600 /etc/inetd.conf

Make sure the owner of the file is root, then mark it immutable:

    # chattr +i /etc/inetd.conf

With the immutable attribute set, the file cannot be modified, deleted, renamed or linked to, not even by root, until the flag is cleared again by root:

    # chattr -i /etc/inetd.conf

Use lsattr to see which files carry the flag. Bear in mind that chattr works only on file systems that support these attributes (ext2/ext3 and their successors), that an attacker who already has root can clear the flag as easily as you can, and that package upgrades and configuration tools fail on an immutable file until the flag is removed.

5. Allow and deny remote access with TCP wrappers

The files /etc/hosts.allow and /etc/hosts.deny control which remote hosts may reach the local services that are started through tcpd or linked against libwrap. Access is granted if a rule in hosts.allow matches, denied if a rule in hosts.deny matches, and granted if neither file matches, so a missing or empty hosts.deny means everything is allowed. The usual practice is:

(1) Edit hosts.deny and add the following lines:

    # Deny access to everyone.
    ALL: ALL

All services are now refused to all external hosts unless a matching rule exists in hosts.allow. (Older documents write the client list as ALL@ALL, meaning any user at any host, which has the same effect here.)

(2) Edit hosts.allow and add the rules you need, for example:

    # Just an example:
    in.ftpd: 202.84.17.11 xinhuanet.com

The host with IP address 202.84.17.11 and the host named xinhuanet.com are then allowed to connect to the FTP service as clients. The first field is the name of the server program as inetd starts it (in.ftpd for an ftpd run from inetd), not the service name. Prefer IP addresses or address prefixes to host names: a host name is matched through a reverse DNS lookup, which whoever controls the reverse zone for the client's address can influence.

(3) After the settings are complete, run tcpdchk to check both files for errors, and tcpdmatch (for example "tcpdmatch in.ftpd 202.84.17.11") to see how a specific client would be treated.

TCP wrappers protect only the services that consult them; a stand-alone daemon without libwrap support ignores both files. Use a packet filter for everything else.
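The following script is an added example, not part of the original article and not the tcpd code itself: a small evaluator that applies hosts.allow and hosts.deny in the order tcpd does, so a rule set can be checked offline before it is installed. It supports the patterns ALL, an exact IPv4 address, an exact host name, a ".domain" suffix and a "10.0." address prefix; netmasks, EXCEPT lists, user@host forms, line continuations and shell commands are not handled, and tcpdchk and tcpdmatch remain the authoritative checks. The rules in the demo are constructed and written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): evaluate hosts.allow and
# hosts.deny the way tcpd does. Supported client/daemon patterns: ALL, exact
# address, exact host name, ".domain" suffix, "net." prefix.
set -eu

# match_token PATTERN VALUE: one element of a daemon or client list.
match_token() {
  pat=$1 val=$2
  case $pat in
    ALL) return 0 ;;
    .*)  case $val in *"$pat") return 0 ;; esac ;;   # .example.com matches ftp.example.com
    *.)  case $val in "$pat"*) return 0 ;; esac ;;   # 202.84. matches 202.84.17.11
    *)   [ "$pat" = "$val" ] && return 0 ;;
  esac
  return 1
}

# match_list LIST VALUE: LIST is comma- or blank-separated.
match_list() {
  for tok in $(printf '%s' "$1" | tr ',' ' '); do
    match_token "$tok" "$2" && return 0
  done
  return 1
}

# file_matches FILE DAEMON IP HOST: true if any "daemons : clients [: cmd]"
# line in FILE matches. tcpd tries client patterns against both the address
# and the reverse-resolved host name.
file_matches() {
  [ -f "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                       # strip comments
    case $line in *:*) ;; *) continue ;; esac
    daemons=${line%%:*}
    clients=${line#*:}; clients=${clients%%:*}
    if match_list "$daemons" "$2" && { match_list "$clients" "$3" || match_list "$clients" "$4"; }; then
      return 0
    fi
  done < "$1"
  return 1
}

# hosts_access DAEMON IP HOST [ALLOW_FILE] [DENY_FILE]: print the decision,
# return 0 for allow and 1 for deny. Note the default when nothing matches.
hosts_access() {
  allow=${4:-/etc/hosts.allow} deny=${5:-/etc/hosts.deny}
  if file_matches "$allow" "$1" "$2" "$3"; then echo allow; return 0; fi
  if file_matches "$deny" "$1" "$2" "$3"; then echo deny; return 1; fi
  echo allow          # no rule in either file: tcpd lets the client in
  return 0
}

# Constructed rules mirroring the article, written to a temp dir so the real
# /etc files are untouched.
demo=$(mktemp -d)
printf 'ALL: ALL\n' > "$demo/hosts.deny"
printf 'in.ftpd: 202.84.17.11 xinhuanet.com\nsshd: 10.0.\n' > "$demo/hosts.allow"
for probe in "in.ftpd 202.84.17.11 unknown" "in.ftpd 203.0.113.5 xinhuanet.com" \
             "in.ftpd 203.0.113.5 unknown" "sshd 10.0.3.7 unknown" "in.telnetd 10.0.3.7 unknown"; do
  set -- $probe
  printf '%-11s %-15s %-14s -> ' "$1" "$2" "$3"
  hosts_access "$1" "$2" "$3" "$demo/hosts.allow" "$demo/hosts.deny" || true
done
rm -rf "$demo"
```

The last probe shows why step (1) matters: remove the hosts.deny rule and in.telnetd is reachable from 10.0.3.7 even though hosts.allow never mentions it, because the default with no matching rule is allow.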

6. Limit the size of the shell command history

By default bash keeps up to 500 commands in the file $HOME/.bash_history (the exact number varies between distributions), and every user's home directory contains such a file. Passwords and other sensitive arguments typed on the command line end up in it, so I strongly recommend limiting its size.

Edit /etc/profile and change the settings as follows:

    HISTFILESIZE=30
    HISTSIZE=30

HISTSIZE bounds the number of commands the running shell remembers; HISTFILESIZE bounds the number written to .bash_history. A user can still override both in ~/.bashrc; mark them read-only in /etc/profile if that matters.

7. Delete the command history at logout

Edit /etc/skel/.bash_logout and add the following line:

    rm -f $HOME/.bash_history

Every user account created from that skeleton will then delete its command history at logout. Existing accounts are not affected, since /etc/skel is only copied when a home directory is created.

To do this for a specific user only, such as root, add the same line to the .bash_logout file in that user's home directory.

Before doing this on a shared or production system, remember that the history is also an audit trail: after a compromise it is often the only record of what an intruder typed under a user's account. Where accountability matters, keep the history and rely on process accounting or auditd for a tamper-resistant record instead.

8. Disable unnecessary SUID programs

A set-user-ID program runs with the privileges of its owner rather than those of the user who starts it, so a SUID-root program lets an ordinary user execute code as root. A bug in any such program is a local root vulnerability, so they should be kept to the minimum the system needs.

Find the programs that have the set-user-ID or set-group-ID bit:

    # find / -type f \( -perm -04000 -o -perm -02000 \) -print | less

Remove the bit from the ones that are not needed:

    # chmod a-s program_name

Save the list and compare it against a fresh run from time to time: a new SUID binary appearing on the system is a classic sign of a root compromise. Add -xdev to the find command to keep it out of /proc and network mounts, and do not strip the bit from programs that genuinely need it (su, passwd, sudo, and ping on older systems) or they stop working for ordinary users.
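The following script is an added example and not part of the original article. It lists set-user-ID and set-group-ID files under a directory tree, keeps the list as a baseline, and reports binaries that have gained a set-id bit since. The demo runs on a constructed tree in a temporary directory; the file names in it are made up. On a real system you would call find_setid_files / with the baseline stored where an attacker cannot edit it, for example on read-only media.

```shell
#!/bin/sh
# Added example (not from the original article): audit set-id files and diff
# the current list against a saved baseline.
set -eu

# find_setid_files ROOT: regular files under ROOT with the setuid (4000) or
# setgid (2000) bit, sorted so the output can be diffed. -xdev stays on one
# file system, which keeps find out of /proc, /sys and network mounts.
find_setid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# save_setid_baseline ROOT FILE: record the current list.
save_setid_baseline() {
  find_setid_files "$1" > "$2"
}

# new_setid_since_baseline ROOT FILE: print set-id files present now but not
# in the baseline. comm needs both inputs sorted, which find_setid_files
# guarantees.
new_setid_since_baseline() {
  find_setid_files "$1" | comm -13 "$2" -
}

# drop_setid FILE...: remove both set-id bits, the "chmod a-s" of the article.
drop_setid() {
  chmod a-s "$@"
}

# Constructed demonstration tree (empty files standing in for binaries).
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/usr/bin"
for f in bin/su bin/passwd usr/bin/ping usr/bin/ls; do
  : > "$demo/$f"
done
chmod 4755 "$demo/bin/su" "$demo/bin/passwd" "$demo/usr/bin/ping"
chmod 0755 "$demo/usr/bin/ls"

save_setid_baseline "$demo" "$demo/setid.baseline"
echo "baseline:"; cat "$demo/setid.baseline"

# ping does not need root on this system; strip the bit as the article says.
drop_setid "$demo/usr/bin/ping"

# Later, something has planted a hidden setuid binary...
: > "$demo/usr/bin/.sh"; chmod 4755 "$demo/usr/bin/.sh"
echo "new set-id files since baseline:"
new_setid_since_baseline "$demo" "$demo/setid.baseline"
rm -rf "$demo"
```

A baseline that lives on the audited system is only as trustworthy as the system; compare against a copy kept off the host, or hash it and keep the hash elsewhere.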

9. Check the messages displayed at boot

When Linux starts, a long series of boot messages scrolls across the screen. If something goes wrong during startup, the messages can be examined after the system is up with:

    # dmesg > bootmessage

This redirects the kernel's boot messages to the file bootmessage. dmesg prints the kernel ring buffer, which is overwritten as the system runs, so capture it soon after boot; many distributions save a copy in /var/log/dmesg for the same reason, and on systemd-based systems "journalctl -k" shows the same messages.

10. Disk space maintenance

Checking disk space regularly is a necessary part of maintaining a Linux file system: a full file system stops logging and makes services fail, and a user filling up a shared partition is an easy denial of service. The commands used most often for this are df and du.

df reports the usage of each mounted file system. The usual form is:

    # df -k
    Filesystem  1k-blocks     Used  Available  Use%  Mounted on
    /dev/hda3     1967156  1797786      67688   96%  /

du reports the space used by files, directories and subdirectories. The -s option is usually given so that only the total for each directory is shown, without every subdirectory beneath it:

    % du -s /usr/X11R6/*
    34490   /usr/X11R6/bin
    1       /usr/X11R6/doc
    3354    /usr/X11R6/include

Run the df check from cron, and consider separate partitions with quotas for /home, /var and /tmp so that one user or one runaway log file cannot fill the root file system.
