Tips for Linux Server Security
If your Linux server is exposed to unauthorized users (for example, servers in public IDCs), there are serious security risks.
Enter the system in Single User Mode
After Linux starts, the boot: prompt appears. At this prompt a special command, such as linux single or linux 1, boots the system into single-user mode. This command is very useful, for example when the root password has been forgotten: restart the system and enter linux single (or linux 1) at the boot: prompt. Once in the system as the superuser, edit the passwd file and remove the x from the root line.
Countermeasure:
Log on to the system as the root user and edit the /etc/inittab file: change the id:3:initdefault setting and add an additional line (shown below), so that when the system restarts and enters single-user mode it prompts for the superuser password:
~~:S:wait:/sbin/sulogin
Then run the command /sbin/init q to make the setting take effect.
Passing dangerous parameters to the kernel at system startup
The most common boot loader in Linux is LILO, which manages system startup (and can also be set up to start other partitions and operating systems). However, an unauthorized user may start Linux at will or pass dangerous parameters to the kernel at system startup, which is also quite dangerous.
Countermeasure:
Edit the file /etc/lilo.conf and add the restricted parameter to it. This parameter must be used together with the password parameter discussed below; it means that a password must be entered when parameters are passed to the Linux kernel at the boot: prompt. The password parameter can be used together with restricted or on its own.
Used together with restricted: the password is required only when kernel parameters need to be passed during startup. In normal (default) mode no password is required; pay attention to this point.
Used on its own (without restricted): a password is always required to start Linux, whatever startup mode is used. Without the password there is no way to start Linux. The security level is higher in this case, which is equivalent to adding another layer of defense at the perimeter. There is also a disadvantage: you cannot restart the system remotely unless you add the restricted parameter.
Because the password is stored in plaintext and is not encrypted, the /etc/lilo.conf file must be readable only by the superuser. You can set this with the following command:
chmod 600 /etc/lilo.conf
Then run the command /sbin/lilo -v to write the configuration to the boot sector and make the change take effect. To further protect the /etc/lilo.conf file, you can also give it the immutable attribute with the following command:
chattr +i /etc/lilo.conf
If you need to modify the /etc/lilo.conf file in the future, first remove this attribute with the chattr -i /etc/lilo.conf command.
Restarting the system with Ctrl+Alt+Del
This is very important and easy to overlook. If an unauthorized user can reach the server's keyboard, he can press Ctrl+Alt+Del to restart your server.
Countermeasure:
Edit the /etc/inittab file and comment out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now so that it reads #ca::ctrlaltdel:/sbin/shutdown -t3 -r now. Then run /sbin/init q to make the change take effect.
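The three countermeasures above can be checked after the fact with a short audit script. This is an added example, not part of the original article: the function names and the OK/FAIL report format are assumptions made here, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original article): audit the console hardening
# settings above. File paths are parameters so copies can be checked safely.

report() { printf '%-4s %s\n' "$1" "$2"; }

check_inittab() {   # $1 = inittab file
    # Single-user mode must run sulogin: an uncommented entry for runlevel S.
    if grep -Eq '^[^#:]*:S:wait:/sbin/sulogin' "$1"; then
        report OK "single-user mode asks for the superuser password"
    else
        report FAIL "no active sulogin entry for runlevel S"
    fi
    # An uncommented ctrlaltdel action lets anyone at the keyboard reboot.
    if grep -Eq '^[^#:]*:[^:]*:ctrlaltdel:' "$1"; then
        report FAIL "ctrlaltdel entry is still active"
    else
        report OK "ctrlaltdel is commented out"
    fi
}

check_lilo() {      # $1 = lilo.conf file
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"; then
        if grep -Eq '^[[:space:]]*restricted' "$1"; then
            report OK "password required when kernel parameters are passed"
        else
            report OK "password required on every boot (no restricted)"
        fi
    else
        report FAIL "no password set: kernel parameters can be passed freely"
    fi
    # The password is stored in plaintext, so only the owner may read the file.
    case $(stat -c %a "$1") in
        600|400) report OK "file mode denies group and other access" ;;
        *)       report FAIL "file is open to group or others; use chmod 600" ;;
    esac
}

# Run both checks; the return value is the number of FAIL findings.
audit_console() {   # $1 = inittab, $2 = lilo.conf
    out=$( { check_inittab "$1"; check_lilo "$2"; } )
    printf '%s\n' "$out"
    return "$(printf '%s\n' "$out" | grep -c '^FAIL')"
}

# Usage: sh audit.sh /etc/inittab /etc/lilo.conf
if [ "$#" -eq 2 ]; then audit_console "$1" "$2"; fi
```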