Turning your Linux system into a copper wall


BIOS Security

Set a BIOS password in the BIOS setup and disable booting from floppy disk. This keeps a malicious user from starting your Linux system from a boot floppy of their own, and keeps others from changing BIOS settings such as the disk boot order, or from booting the server straight through without a password prompt.

LILO Security

In the "/etc/lilo.conf" file, add three parameters: timeout, restricted, and password. With these options, the boot loader demands a password whenever boot-time options (such as "linux single") are passed to it.

Step 1

Edit the lilo.conf file (/etc/lilo.conf) and add or modify the three options marked below:

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00                 # change this line to 00
prompt
default=linux
restricted                 # add this line
password=<your-password>   # add this line and put your password
image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only

Step 2

Because the password is stored in clear text, the "/etc/lilo.conf" file must be readable only by the root user:

[root@kapil /]# chmod 600 /etc/lilo.conf (no longer world-readable)

Step 3

After the above modification, have LILO reread the configuration file "/etc/lilo.conf":

[root@kapil /]# /sbin/lilo -v (reinstall the boot loader with the new lilo.conf)

Step 4

Another way to make "/etc/lilo.conf" more secure is to use the chattr command to mark it immutable:

[root@kapil /]# chattr +i /etc/lilo.conf

This blocks any change to the "lilo.conf" file, whether intentional or not; the attribute has to be cleared again (chattr -i) before the file can be edited.

For more information about LILO security, see the LILO documentation.
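As an added example (not code from the original article), the POSIX shell script below audits a lilo.conf against Steps 1 to 4 and applies the in-file part of them. The function names and the "PROBLEM:" output format are my own choices; every function takes the file path as an argument, and the demo at the bottom works on a constructed temporary copy, never on the live /etc/lilo.conf.

```shell
#!/bin/sh
# Added example, not code from the original article. Audits a lilo.conf for
# the settings Steps 1-4 call for (timeout=00, restricted, password=, mode
# 600) and can apply the in-file part of them. Every function takes the file
# path as an argument, so it can be tried on a copy before /etc/lilo.conf.

# 0 if FILE has an uncommented KEY line (key alone or key=value), else 1.
lilo_has_key() {                   # $1 = file, $2 = key
    grep -Eiq "^[[:space:]]*$2[[:space:]]*(=|\$)" "$1"
}

# Print one "PROBLEM: ..." line per deviation found in FILE; always returns 0.
lilo_audit() {                     # $1 = file
    f=$1
    lilo_has_key "$f" restricted || echo "PROBLEM: no 'restricted' line, so options like 'linux single' need no password"
    lilo_has_key "$f" password   || echo "PROBLEM: no 'password=' line"
    t=$(grep -Ei '^[[:space:]]*timeout[[:space:]]*=' "$f" | head -n 1 | sed -E 's/.*=[[:space:]]*//; s/[[:space:]].*//')
    [ "$t" = "00" ] || [ "$t" = "0" ] || echo "PROBLEM: timeout is '${t:-unset}', expected 00"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "PROBLEM: mode $mode, expected 600 (the password is stored in clear text)" ;;
    esac
    return 0
}

# Number of PROBLEM lines lilo_audit reports for FILE.
lilo_problem_count() {             # $1 = file
    lilo_audit "$1" | awk 'END { print NR + 0 }'
}

# Rewrite FILE in place: timeout=00, plus restricted and password=PASS in the
# global section (after default=, or before the first image= stanza), then
# chmod 600 because the password is in clear text (Step 2).
lilo_harden() {                    # $1 = file, $2 = boot password
    f=$1 pass=$2
    tmp="$f.tmp.$$"
    has_r=0; has_p=0; has_t=0
    lilo_has_key "$f" restricted && has_r=1
    lilo_has_key "$f" password   && has_p=1
    lilo_has_key "$f" timeout    && has_t=1
    awk -v pass="$pass" -v has_r="$has_r" -v has_p="$has_p" -v has_t="$has_t" '
        function extras() {
            if (!has_t) print "timeout=00"
            if (!has_r) print "restricted"
            if (!has_p) print "password=" pass
            done = 1
        }
        tolower($0) ~ /^[ \t]*timeout[ \t]*=/ { print "timeout=00"; next }
        !done && tolower($0) ~ /^[ \t]*image[ \t]*=/ { extras() }
        { print }
        !done && tolower($0) ~ /^[ \t]*default[ \t]*=/ { extras() }
        END { if (!done) extras() }
    ' "$f" > "$tmp" && mv "$tmp" "$f" && chmod 600 "$f"
}

# Steps 3 and 4: reinstall the boot loader so the new file is used, then make
# it immutable. Only meaningful on the live file as root, so the demo below
# does not call this.
lilo_activate() {
    /sbin/lilo -v && chattr +i /etc/lilo.conf
}

# Demo on a constructed temporary copy mirroring the article's listing.
demo=$(mktemp)
cat > "$demo" <<'EOF'
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=50
prompt
default=linux
image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only
EOF
chmod 644 "$demo"
echo "before: $(lilo_problem_count "$demo") problem(s)"    # 4
lilo_audit "$demo"
lilo_harden "$demo" 'change-me-boot-password'
echo "after:  $(lilo_problem_count "$demo") problem(s)"    # 0
cat "$demo"
rm -f "$demo"
```

On a real system, run `lilo_audit /etc/lilo.conf` first, and only after `lilo_harden` has been reviewed call `lilo_activate`; a lilo.conf edit that is never followed by `/sbin/lilo` changes nothing at boot time, which is the part of this procedure most often forgotten.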

Disable all special-purpose accounts

Delete all default user and group accounts that your system does not use, such as lp, sync, shutdown, halt, news, uucp, operator, games, and gopher.

To delete a user account:

[root@kapil /]# userdel lp

To delete a group account:

[root@kapil /]# groupdel lp
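The account clean-up above is easy to do blind; the following added example (my own code, not the article's) first reports which of the listed default accounts still exist and which of them still carry a real login shell, then prints the userdel/groupdel commands as a dry run, executing them only when APPLY=1 is set. The passwd and group files are arguments so the functions can be exercised on constructed copies.

```shell
#!/bin/sh
# Added example, not code from the original article: find which of the
# default accounts the article lists still exist, and generate (or, with
# APPLY=1, run) the userdel/groupdel commands for them. Reads passwd/group
# files given as arguments so it can be tested on constructed copies.

DEFAULT_ACCOUNTS="lp sync shutdown halt news uucp operator games gopher"

# Print the names from DEFAULT_ACCOUNTS that have an entry in FILE
# (passwd or group format: the name is the first colon-separated field).
accounts_present() {             # $1 = passwd or group file
    for name in $DEFAULT_ACCOUNTS; do
        if grep -q "^$name:" "$1"; then
            echo "$name"
        fi
    done
}

# Print "name:shell" for listed accounts whose login shell is not a
# nologin/false shell: these could still be used for an interactive login.
accounts_with_login_shell() {    # $1 = passwd file
    accounts_present "$1" | while read -r name; do
        shell=$(grep "^$name:" "$1" | head -n 1 | cut -d: -f7)
        case "$shell" in
            */nologin|*/false|"") ;;
            *) echo "$name:$shell" ;;
        esac
    done
}

# Run the command when APPLY=1, otherwise just show it (dry run by default).
run_or_show() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "would run: $*"; fi
}

# Emit (or run) the removal commands for every listed account found.
remove_default_accounts() {      # $1 = passwd file, $2 = group file
    for name in $(accounts_present "$1"); do
        run_or_show userdel "$name"
    done
    for name in $(accounts_present "$2"); do
        run_or_show groupdel "$name"
    done
}

# Demo on constructed passwd/group files, not the live system files.
pw=$(mktemp); gr=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
games:x:12:100:games:/usr/games:/sbin/nologin
EOF
cat > "$gr" <<'EOF'
root:x:0:
lp:x:7:
uucp:x:14:
EOF
echo "present: $(accounts_present "$pw" | tr '\n' ' ')"
echo "still have a login shell: $(accounts_with_login_shell "$pw")"
remove_default_accounts "$pw" "$gr"      # dry run; APPLY=1 to really run
rm -f "$pw" "$gr"
```

Against the real system the call is `remove_default_accounts /etc/passwd /etc/group`. Before applying it, check `find / -xdev -user NAME` for each account: userdel does not touch files owned by the old UID outside the home directory, and an account created later with the same UID would inherit them.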

Select an appropriate password

Follow these principles when selecting a password:

Password length: the default minimum password length in a Linux installation is 5 characters. That is not enough; it should be raised to 8. To set the minimum to 8 characters, edit the login.defs file (/etc/login.defs) and change:

PASS_MIN_LEN 5

to:

PASS_MIN_LEN 8

"login.defs" is the configuration file of the login program.

Enable shadow password support

Enable shadow passwords, so that password hashes are kept in a root-only file instead of the world-readable /etc/passwd. Use the "/usr/sbin/authconfig" utility to turn them on. To convert the passwords and groups already on the system to shadow form, use the pwconv and grpconv commands respectively.
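Turning shadow passwords on is only half the job; the added example below (my own code, not from the article) verifies the result: it lists passwd entries whose password field still holds a hash or is empty instead of the "x" shadow marker, and checks that the shadow file itself is not world-readable. The file paths are arguments, and the demo uses a constructed passwd file with a made-up hash.

```shell
#!/bin/sh
# Added example, not code from the original article: check that shadow
# passwords are actually in use after pwconv, i.e. that no hash and no empty
# password field remains in the world-readable passwd file, and that the
# shadow file is not world-readable.

# Print one line per passwd entry that is not shadowed: either a hash still
# sits in field 2, or field 2 is empty (login without any password).
# "x" (shadowed) and "*", "!", "!!" (locked) are fine.
unshadowed_entries() {            # $1 = passwd-format file
    awk -F: '
        $2 == "x" || $2 == "*" || $2 == "!" || $2 == "!!" { next }
        $2 == "" { print $1 ": empty password field"; next }
        { print $1 ": hash stored in this file" }
    ' "$1"
}

# 0 if every entry in FILE is shadowed, 1 otherwise.
shadow_in_use() {                 # $1 = passwd-format file
    [ -z "$(unshadowed_entries "$1")" ]
}

# 0 if FILE's mode keeps the hashes away from other users: 600/400 (root
# only), 640 (root plus a shadow group, as on Debian) or 000 (as on RHEL).
shadow_mode_ok() {                # $1 = shadow file
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400|640|000) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed passwd file; the hash is a made-up placeholder.
pw=$(mktemp)
cat > "$pw" <<'EOF'
root:x:0:0:root:/root:/bin/bash
legacy:$1$constructed$notarealhash0000000:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
locked:!:1003:1003::/home/locked:/bin/sh
EOF
unshadowed_entries "$pw"
if shadow_in_use "$pw"; then echo "all entries shadowed"; else echo "pwconv still needed"; fi
chmod 644 "$pw"
if shadow_mode_ok "$pw"; then echo "mode ok"; else echo "mode too open"; fi
rm -f "$pw"
```

On a live system, `unshadowed_entries /etc/passwd` should print nothing and `shadow_mode_ok /etc/shadow` should succeed; the same checks apply to /etc/group and /etc/gshadow after grpconv, except that an empty password field in /etc/group is normal and means "no group password".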

Root Account

On UNIX systems the root account has the highest privileges. If the system administrator forgets to log out of a root session when leaving the machine, the shell should log out automatically. To set the idle time after which this happens, use the special shell variable "TMOUT".

Edit the "/etc/profile" file and, after the line

"HISTFILESIZE="

add:

TMOUT=3600

The value assigned to "TMOUT=" is the idle time in seconds (60*60 = 3600, i.e. one hour).

Once this line is in "/etc/profile", any user whose session has been idle for one hour is logged out automatically. To set the timeout per user instead, define the variable in that user's ".bashrc" file.

After changing this setting, you must log out and log in again (as root) for it to take effect.
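The two file edits in this and the password-length section above are easy to get wrong by hand (a duplicate line, or an old value left in place). As an added example, not code from the original article, the script below makes both edits idempotently: set_login_def replaces or appends a "KEY VALUE" line in a login.defs-style file, and set_tmout inserts the TMOUT block after the HISTFILESIZE= line of a profile. The function names are mine; the demo edits temporary files only.

```shell
#!/bin/sh
# Added example, not code from the original article: idempotent edits for
# PASS_MIN_LEN in /etc/login.defs and TMOUT in /etc/profile. Each function
# takes the file path as an argument so it can be tried on a copy first; the
# demo at the bottom works on temporary files only.

# Set KEY to VALUE in a login.defs-style file ("KEY VALUE", one per line).
# An existing line, commented out or not, is replaced in place; otherwise
# the setting is appended. Extra duplicates of the key are dropped.
set_login_def() {                  # $1 = file, $2 = key, $3 = value
    f=$1 key=$2 val=$3
    tmp="$f.tmp.$$"
    awk -v key="$key" -v val="$val" '
        $0 ~ ("^[ \t]*#?[ \t]*" key "[ \t]+[^ \t#]+[ \t]*$") {
            if (!done) { print key "\t" val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key "\t" val }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Print the effective (uncommented) value of KEY, or "unset".
get_login_def() {                  # $1 = file, $2 = key
    awk -v key="$2" '$1 == key { v = $2; found = 1 } END { print (found ? v : "unset") }' "$1"
}

# Insert or update the TMOUT block in a profile file. It goes right after the
# HISTFILESIZE= line, as the article says, or at the end if that line is
# absent. "readonly" keeps a user's shell from simply unsetting it again.
set_tmout() {                      # $1 = profile file, $2 = idle seconds
    f=$1 secs=$2
    tmp="$f.tmp.$$"
    awk -v secs="$secs" '
        function block() {
            print "TMOUT=" secs; print "readonly TMOUT"; print "export TMOUT"
            done = 1
        }
        /^[ \t]*(readonly|export)[ \t]+TMOUT/ { next }     # drop an old block
        /^[ \t]*TMOUT=/ { if (!done) block(); next }        # replace in place
        { print }
        /^[ \t]*HISTFILESIZE=/ && !done { block() }
        END { if (!done) block() }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Print the TMOUT value set in the profile file, or "unset".
get_tmout() {                      # $1 = profile file
    awk -F= '/^[ \t]*TMOUT=/ { v = $2 } END { print (length(v) ? v : "unset") }' "$1"
}

# Demo on constructed temporary copies.
defs=$(mktemp); prof=$(mktemp)
printf '# Minimum acceptable password length\nPASS_MIN_LEN\t5\nPASS_MAX_DAYS\t99999\n' > "$defs"
set_login_def "$defs" PASS_MIN_LEN 8
echo "PASS_MIN_LEN is now $(get_login_def "$defs" PASS_MIN_LEN)"
printf 'HISTSIZE=1000\nHISTFILESIZE=1000\nexport HISTSIZE HISTFILESIZE\n' > "$prof"
set_tmout "$prof" 3600
echo "TMOUT is now $(get_tmout "$prof")"
cat "$prof"
rm -f "$defs" "$prof"
```

Two caveats. First, the "readonly TMOUT" line is stricter than the article's plain TMOUT=3600: it stops users from unsetting the timeout, but it also prevents the per-user override in ".bashrc" that the article mentions, so drop that line if you want per-user values. Second, on systems where passwd goes through PAM, the minimum length is enforced by the password module (the minlen option of pam_pwquality or pam_cracklib) and PASS_MIN_LEN in login.defs is not consulted for password changes, so check the PAM configuration as well.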

Prohibit normal users from accessing the Console

Normal users on the server should not be able to run console-level programs such as shutdown, reboot, and halt. Remove the corresponding entry with the following command:

[root@kapil /]# rm -f /etc/security/console.apps/<servicename>

where <servicename> is the name of the program that normal users should not be allowed to run.
