1. Add a boot password for LILO
Add options to the /etc/lilo.conf file so that LILO requires a password at boot, which enhances system security. The specific settings are as follows:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=600 # Wait 1 minute (LILO counts in tenths of a second)
prompt
default=linux
password=<password> # set the boot password here
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only
Note that LILO stores the password in plaintext, so set the permissions on lilo.conf so that only root can read and write it:
# chmod 600 /etc/lilo.conf
Of course, you also need to make the following setting so that the change to lilo.conf takes effect:
2. Set the Minimum Password Length and Minimum Password Use Time.
Passwords are the main means of authenticating users in the system. The default minimum password length set during system installation is usually 5. To make passwords harder to guess, increase the minimum password length to at least 8 by modifying the PASS_MIN_LEN parameter in the /etc/login.defs file. At the same time, the password usage time should be limited to ensure regular password replacement. We recommend that you modify the PASS_MIN_DAYS parameter.
3. User logout upon timeout
If you forget to log out of your account when you leave, the system is exposed to security risks. You can modify the /etc/profile file so that an account is automatically logged out of the system after it has been idle for a period of time.
Edit the /etc/profile file and add the following line after the "HISTFILESIZE=" line:
All users will then be logged out automatically after 10 minutes of inactivity.
4. Prohibit access to important files
You can modify the attributes of key files such as inetd.conf, services, and lilo.conf to prevent ordinary users from viewing them or modifying them by accident.
First, change the file permissions to 600:
# chmod 600 /etc/inetd.conf
Ensure that the owner of the file is root, and set the file to immutable:
# chattr +i /etc/inetd.conf
In this way, any changes to the file will be prohibited.
The file can be modified again only after the root user clears the immutable flag:
# chattr -i /etc/inetd.conf
5. Allow and disable remote access
In Linux, you can use the /etc/hosts.allow and /etc/hosts.deny files to allow and deny remote host access to local services. The common practice is:
(1) Edit the hosts.deny file and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL
All services are then denied to all external hosts unless access is granted in the hosts.allow file.
(2) Edit the hosts.allow file and add the following lines:
# Just an example:
ftp: 202.84.17.11 xinhuanet.com
The host with the IP address 202.84.17.11 and the host name xinhuanet.com is allowed to access the FTP service as a client.
(3) After the settings are complete, use tcpdchk to check whether the settings are correct.
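The script below is an added example, not part of the original article: it audits the settings from sections 2, 4 and 5 (PASS_MIN_LEN of at least 8, mode 600 on protected files, an active default-deny rule in hosts.deny). The function names, the PASS_MIN_DAYS threshold of 1 and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added audit sketch (not the article's code); paths are arguments for testing.
# Print the last active (uncommented) value of KEY in a login.defs-style file.
defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Succeed if KEY in FILE is an integer of at least MIN.
defs_at_least() {
    v=$(defs_value "$1" "$2")
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge "$3" ]
}

# Succeed if FILE has mode 600 (read/write for the owner only).
mode_is_600() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Succeed if hosts.deny has an active "ALL: ALL..." default-deny rule.
default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# audit LOGIN_DEFS HOSTS_DENY FILE...: report each failure, return the count.
audit() {
    defs=$1; deny=$2; fails=0
    shift 2
    defs_at_least "$defs" PASS_MIN_LEN 8 ||
        { echo "FAIL: PASS_MIN_LEN below 8"; fails=$((fails + 1)); }
    # Threshold 1 is an assumption; the article gives no value.
    defs_at_least "$defs" PASS_MIN_DAYS 1 ||
        { echo "FAIL: PASS_MIN_DAYS below 1"; fails=$((fails + 1)); }
    default_deny "$deny" ||
        { echo "FAIL: no default deny in $deny"; fails=$((fails + 1)); }
    for f in "$@"; do
        mode_is_600 "$f" || { echo "FAIL: $f is not mode 600"; fails=$((fails + 1)); }
    done
    echo "$fails check(s) failed"
    return "$fails"
}

# Constructed sample files standing in for /etc (demo only).
demo=$(mktemp -d)
printf 'PASS_MIN_LEN 5\nPASS_MIN_DAYS 0\n' > "$demo/login.defs"
printf '# Deny access to everyone.\nALL: ALL@ALL\n' > "$demo/hosts.deny"
: > "$demo/inetd.conf"; chmod 644 "$demo/inetd.conf"
audit "$demo/login.defs" "$demo/hosts.deny" "$demo/inetd.conf" || true
rm -rf "$demo"
```

On a live system, run it as root with `audit /etc/login.defs /etc/hosts.deny /etc/inetd.conf /etc/lilo.conf`; a commented-out rule or parameter counts as missing.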