Article Title: Turning your Linux system into a copper wall
BIOS Security
Remember to set a BIOS password in the BIOS settings and do not allow booting from a floppy disk. This prevents malicious users from starting your Linux system with a special boot disk, and prevents others from changing BIOS settings, such as changing the disk boot order or booting the server without a password prompt.
LILO Security
In the "/etc/lilo.conf" file, add three parameters: timeout, restricted, and password. With these options set, a password is required whenever boot-time options (such as "linux single") are passed to the boot loader.
Step 1
Edit the lilo.conf file (/etc/lilo.conf) and add or modify these three options:
QUOTE:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00 # change this line to 00
prompt
default=linux
restricted # add this line
password=<password> # add this line and put your password
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only
Step 2
Because the password is not encrypted, the "/etc/lilo.conf" file should be readable only by the root user.
[root@kapil /]# chmod 600 /etc/lilo.conf (no longer world-readable)
Step 3
After making the above modifications, run lilo so that the changes to "/etc/lilo.conf" take effect.
[root@kapil /]# /sbin/lilo -v (apply the updated lilo.conf file)
Step 4
Another way to make "/etc/lilo.conf" more secure is to use the chattr command to set it as immutable:
[root@kapil /]# chattr +i /etc/lilo.conf
This blocks any changes to the "lilo.conf" file, whether accidental or intentional.
For more information about lilo security, see LILO.
Disable all dedicated accounts
Delete all default user accounts and group accounts on the system that you do not use, such as lp, sync, shutdown, halt, news, uucp, operator, games, and gopher.
To delete a user account:
[root@kapil /]# userdel lp
To delete a group account:
[root@kapil /]# groupdel lp
Select an appropriate password
Follow these principles when selecting a password:
Password length: the default minimum password length for a Linux installation is 5 characters. This length is not enough. It should be increased to 8. To change the length to 8 characters, you must edit the login.defs file (/etc/login.defs):
PASS_MIN_LEN 5
Change it to:
PASS_MIN_LEN 8
"login.defs" is the configuration file of the login program.
Enable shadow password support
Enable the shadow password function. To do this, use the "/usr/sbin/authconfig" utility. If you want to convert the existing passwords and groups on the system to shadow passwords and groups, use the pwconv and grpconv commands respectively.
Root Account
In UNIX systems, the root account has the highest permissions. If the system administrator forgets to log out of the root account before leaving the system, the shell should log out automatically. To do this, set the special variable "TMOUT" to the timeout value.
Edit the "/etc/profile" file and, after the line
"HISTFILESIZE="
add:
TMOUT=3600
The value entered for "TMOUT=" is in seconds and represents one hour (60*60 = 3600).
After this line is added to the "/etc/profile" file, any user who has been idle on the system for one hour is logged out automatically. If you want to set the variable separately for each user, you can define the automatic logout time in the ".bashrc" file.
After this parameter is modified, you must log out and log in again (as the root account) for the change to take effect.
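The following script is an added example, not part of the original article: it audits the LILO, default-account, PASS_MIN_LEN and TMOUT settings described above in one pass. The function names and the root-prefix argument are assumptions, chosen so the checks can also be run against a copy of /etc or a mounted image.

```shell
#!/bin/sh
# Added example: audit the settings this page recommends under a root prefix.
# The prefix argument is an assumption so a copy of /etc can be checked offline.

file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }  # GNU, then BSD

# lilo.conf must carry 'restricted' and a non-empty 'password', and be mode 600
# because the password is stored in cleartext.
check_lilo() {
    f="$1/etc/lilo.conf"; rc=0
    [ -f "$f" ] || { echo "lilo: $f not found"; return 2; }
    grep -Eq '^[[:space:]]*restricted([[:space:]]|#|$)' "$f" ||
        { echo "lilo: 'restricted' missing"; rc=1; }
    grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*[^[:space:]#]' "$f" ||
        { echo "lilo: 'password' missing or empty"; rc=1; }
    m=$(file_mode "$f")
    [ "$m" = 600 ] || { echo "lilo: mode is $m, want 600"; rc=1; }
    return $rc
}

# PASS_MIN_LEN in login.defs must be at least 8 (last uncommented value wins).
check_min_len() {
    n=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' "$1/etc/login.defs" 2>/dev/null)
    [ "${n:-0}" -ge 8 ] || { echo "login.defs: PASS_MIN_LEN is ${n:-0}, want >= 8"; return 1; }
}

# TMOUT must be a valid assignment (no spaces around '=') between 1 and 3600.
check_tmout() {
    t=$(grep -Eo '^[[:space:]]*(export |readonly )?TMOUT=[0-9]+' "$1/etc/profile" 2>/dev/null |
        tail -n 1 | sed 's/.*=//')
    [ -n "$t" ] && [ "$t" -ge 1 ] && [ "$t" -le 3600 ] ||
        { echo "profile: TMOUT is '${t:-unset}', want 1..3600"; return 1; }
}

# Report the default accounts named on this page that still exist in passwd.
check_accounts() {
    found=$(awk -F: -v list="lp sync shutdown halt news uucp operator games gopher" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { printf "%s ", $1 }' "$1/etc/passwd" 2>/dev/null)
    [ -z "$found" ] || { echo "passwd: default accounts present: $found"; return 1; }
}

audit() {
    fail=0
    for c in check_lilo check_min_len check_tmout check_accounts; do
        "$c" "$1" || fail=1
    done
    return $fail
}

if [ "$#" -gt 0 ]; then audit "$1"; fi   # e.g. sh audit.sh / (or a mounted image)
```

Each failed check prints one line naming the file and the setting; a line written as "TMOUT = 3600" is reported as unset because the shell does not treat it as an assignment.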
Prohibit normal users from accessing the Console
Normal users on the server should be prohibited from accessing console-level programs such as shutdown, reboot, and halt. Run the following command:
[root@kapil /]# rm -f /etc/security/console.apps/<program>
where <program> is a placeholder for the name of the program that should no longer be accessible from the console.