From:
http://dev.9cbs.net/Article/58/58209.shtm
System security is getting more and more important. Here I want to write down the basic security measures I usually apply on Linux and discuss them with everyone, so that our Linux systems become more reliable.
1. BIOS security settings
This is the most basic step and also the easiest. Set a BIOS password and change the boot order so that the machine cannot be booted from a floppy disk. This stops anyone from starting your system from a special boot disk, and also keeps others out of the BIOS setup, so the machine's hardware settings cannot be changed. Keep in mind that this only raises the bar: anyone with physical access to the case can usually clear the BIOS password by resetting the CMOS.
2. LILO security settings
LILO (LInux LOader) is the Linux boot loader. You configure it by editing /etc/lilo.conf. Add the two parameters restricted and password to /etc/lilo.conf. With password alone, LILO asks for the password at every boot; restricted relaxes this so that the password is only demanded when someone types extra boot parameters at the LILO prompt (for example single to boot into single-user mode), which is exactly the case you want to block.
Step 1: Edit lilo.conf (vi /etc/lilo.conf) and add or change these parameters:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00                 # 00 so the system does not wait at the prompt but boots Linux directly
message=/boot/message
linear
default=linux
restricted                 # add this line
password=<your-password>   # add this line and set your own password
image=/boot/vmlinuz-2.4.2-2
        label=linux
        root=/dev/hda6
        read-only
Step 2: Because /etc/lilo.conf now contains the password in plain text, make it readable by root only:
# chmod 0600 /etc/lilo.conf
Step 3: Run lilo again so that the boot sector is rebuilt from the modified /etc/lilo.conf (the password is not in effect until you do):
# /sbin/lilo -v
Step 4: Use chattr to make /etc/lilo.conf immutable:
# chattr +i /etc/lilo.conf
This prevents changes to /etc/lilo.conf, accidental or otherwise, to some extent; root can lift the attribute again with chattr -i when the file genuinely has to be edited.
3. Make passwords safer
Passwords are the system's first line of defence. Most attacks over the network start by intercepting or guessing passwords, so we should choose stronger passwords and close the obvious holes around them.
First, eliminate accounts that have no password at all. They can be found by inspecting /etc/passwd. For example, if the account test has no password, /etc/passwd contains a line like:
test::100:9::/home/test:/bin/bash
The second field is empty, which means the account test has no password set; this is very dangerous. Such accounts should be deleted or given a password. On a system with shadow passwords, apply the same check to the second field of /etc/shadow.
Second, older Linux versions keep the encrypted passwords in /etc/passwd itself. Since /etc/passwd must be world-readable, this lets anyone copy the hashes and crack them offline by brute force. Run /usr/sbin/pwconv and /usr/sbin/grpconv to create /etc/shadow and /etc/gshadow, so that the hashes are removed from /etc/passwd and stored in /etc/shadow, which only root can read.
Third, change the login shell of system accounts such as uucp, ftp and news, and of accounts that only need FTP access: never give them a shell like /bin/bash or /bin/sh. Change the shell with usermod -s, for example usermod -s /bin/false username or usermod -s /sbin/nologin username (/dev/null has also been used as a non-shell, but /bin/false and /sbin/nologin are the conventional choices). Such an account can then no longer log in to the system interactively, locally or remotely.
Fourth, raise the minimum password length. After installation it defaults to 5 characters, which is not enough; set it to 8. Edit /etc/login.defs (vi /etc/login.defs) and change the line
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
login.defs is the configuration file of the login program. Caveat: on systems where passwd goes through PAM (any recent distribution), PASS_MIN_LEN is ignored and the minimum length is enforced by the minlen option of pam_cracklib or pam_pwquality in the password stack under /etc/pam.d; set it there as well.
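As an added example (not code from the original article), the following shell script performs the account checks above over a passwd-format file: accounts with an empty password field, accounts whose hash still sits in the passwd file instead of /etc/shadow, and service accounts that retain a real login shell. The sample file it builds is constructed for the demonstration, with placeholder password fields and an assumed list of service accounts; on a real system run the functions against /etc/passwd and, as root, /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd-format file for
# the weaknesses described in section 3. Sample data below is constructed.

# Service accounts that must never own an interactive shell (assumed list).
SERVICE_ACCOUNTS='uucp ftp news'

# Print user names whose second field (the password field) is empty.
# Works on /etc/passwd and, when run as root, on /etc/shadow.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print accounts whose hash still lives in this file: the second field is
# neither empty, nor "x" (pointer to /etc/shadow), nor "*" (locked).
# Any output means pwconv has not been run.
unshadowed_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Print service accounts whose shell (field 7) is not a non-login shell.
service_accounts_with_shell() {
    awk -F: -v list="$SERVICE_ACCOUNTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) svc[a[i]] = 1 }
        ($1 in svc) && $7 !~ /(nologin|false|\/dev\/null)$/ { print $1 ":" $7 }
    ' "$1"
}

# Write a constructed passwd file to $1. Password fields are placeholders,
# not real hashes.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test::100:9::/home/test:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/sh
news:x:9:13:news:/etc/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
bob:$1$placeholder$hash:501:501::/home/bob:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
EOF
}

demo() {
    f=$(mktemp) || return 1
    make_sample_passwd "$f"
    echo "no password:        $(empty_password_accounts "$f" | tr '\n' ' ')"
    echo "hash not shadowed:  $(unshadowed_accounts "$f" | tr '\n' ' ')"
    echo "service with shell: $(service_accounts_with_shell "$f" | tr '\n' ' ')"
    rm -f "$f"
}
```

Source the script and call demo, or call the individual functions with a path; each prints one offending account per line, so an empty result is a clean pass. The same empty_password_accounts function applied to /etc/shadow finds accounts that were left without a password after pwconv.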
4. Log out idle accounts automatically
root is the most privileged account on a UNIX system. If the administrator forgets to log out of a root session before leaving the console, it is a serious hazard, so the system should log it out by itself. This is done with the TMOUT variable, which is counted in seconds. Edit /etc/profile (vi /etc/profile) and add the following line after the line that begins with HISTFILESIZE=:
TMOUT=300
300 means 300 seconds, that is, 5 minutes. If a logged-in user performs no action for 5 minutes, the shell exits and the account is logged out. You can set a different value in an individual user's .bashrc to give that user a special automatic logout time. Note that TMOUT only covers an idle shell prompt: a user can unset the variable or leave a long-running program in the foreground, so treat it as protection against forgotten sessions rather than against a hostile user, and declare the variable readonly in /etc/profile if users should not be able to change it.
After changing this setting, the user must log out and log in again for it to take effect.
5. Cancel ordinary users' console access
You should remove ordinary users' console access to programs such as shutdown, reboot and halt:
# rm -f /etc/security/console.apps/<program>
where <program> is the name of the program whose console access you want to remove.
6. Disable and remove all unused services
Disable and uninstall every service you do not use, and you will have far less to worry about. Inspect /etc/inetd.conf, comment out every service you do not need (put a "#" in front of the line), then send inetd a SIGHUP so that it re-reads inetd.conf.
Step 1: Set the permissions of /etc/inetd.conf to 600 so that only root can read and write the file:
# chmod 600 /etc/inetd.conf
Step 2: Make sure the owner of /etc/inetd.conf is root.
Step 3: Edit /etc/inetd.conf (vi /etc/inetd.conf) and disable the services you do not need, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger and auth. Closing unneeded services reduces the system's exposure.
Step 4: Send a HUP signal to the inetd process:
# killall -HUP inetd
Step 5: Use chattr to make /etc/inetd.conf immutable, so that nobody can modify it:
# chattr +i /etc/inetd.conf
This prevents any modification of inetd.conf, accidental or otherwise. Only root can remove the attribute. If you need to modify inetd.conf, first clear the immutable attribute:
# chattr -i /etc/inetd.conf
and do not forget to set the file immutable again afterwards.
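The following script, added here and not part of the original article, carries out step 3 on a copy of inetd.conf so that the result can be diffed before it is installed: it comments out every active line whose service name is in the list from the text, and then reports which services remain enabled. The sample inetd.conf, the file names and the service list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: disable inetd services in a
# copy of inetd.conf and report what is still active. Sample data is constructed.

# Services the article recommends switching off (assumed list; edit to taste).
UNWANTED='ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth'

# disable_services FILE: print FILE with every active line whose first field is
# in $UNWANTED commented out. Lines that are already comments are left alone,
# so the script can be run repeatedly without stacking "#" characters.
disable_services() {
    awk -v list="$UNWANTED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[^#]/ && ($1 in off) { print "#" $0; next }
        { print }
    ' "$1"
}

# active_services FILE: print the service names that inetd would still start.
active_services() {
    awk '/^[^#[:space:]]/ { print $1 }' "$1"
}

# make_sample_inetd_conf FILE: write a small constructed inetd.conf.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# inetd.conf sample (constructed for the demo)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    stream  tcp  nowait  root    internal
EOF
}

demo() {
    f=$(mktemp) || return 1
    make_sample_inetd_conf "$f"
    disable_services "$f" > "$f.new"
    echo "still active after rewrite: $(active_services "$f.new" | tr '\n' ' ')"
    rm -f "$f" "$f.new"
}
```

On a live system: disable_services /etc/inetd.conf > /root/inetd.conf.new, inspect the diff, copy it into place (after chattr -i if the file is immutable), then killall -HUP inetd and confirm with active_services /etc/inetd.conf that only the services you meant to keep are left.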
7. TCP wrappers
TCP wrappers protect the services started through inetd against external intrusion. The best policy is to deny all hosts (put "ALL: ALL@ALL, PARANOID" in /etc/hosts.deny) and then list the hosts that are allowed to connect in /etc/hosts.allow.
Step 1: Edit /etc/hosts.deny (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This blocks every service from every address unless the address is explicitly permitted in hosts.allow. PARANOID additionally rejects clients whose host name does not resolve back to their IP address.
Step 2: Edit /etc/hosts.allow (vi /etc/hosts.allow) and add the hosts that are allowed to connect, for example:
ftp: 202.54.15.99 foo.com
202.54.15.99 and foo.com are the IP address and host name allowed to use the FTP service. hosts.allow is consulted before hosts.deny, so a match there wins. The first field has to match the daemon's process name as inetd starts it (for example in.ftpd on Red Hat), so take the name from the corresponding inetd.conf line.
Step 3: tcpdchk is the TCP wrapper configuration checker. It examines your TCP wrapper settings and reports potential and actual problems. After configuring, run:
# tcpdchk
Bear in mind that TCP wrappers only cover services that go through tcpd or are linked with libwrap; daemons that bypass it are not protected.
8. Modify the /etc/host.conf file
/etc/host.conf describes how host names are resolved. Edit /etc/host.conf (vi /etc/host.conf) and add these lines:
# Lookup names via DNS first, then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves names through DNS first and then through the hosts file. The second allows a host in /etc/hosts to have several IP addresses (for example several Ethernet cards). The third makes the resolver guard against spoofing: after a reverse lookup it performs a forward lookup of the name and rejects the result if the original IP address is not among the answers.
9. Make the /etc/services file immutable
Make /etc/services immutable to prevent unauthorised deletion or addition of services:
# chattr +i /etc/services
10. Do not allow root to log in from every console
/etc/securetty defines the tty devices from which root may log in. Edit /etc/securetty and put a "#" in front of every tty from which root should no longer be able to log in.
/etc/inittab contains this section:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
By default the system provides six virtual consoles (Alt+F1, Alt+F2, and so on). Commenting out the lines for tty3 to tty6 with "#" leaves only two consoles available; it is best to keep two. Then tell init to re-read the file (telinit q) for the change to take effect.
11. Use PAM (pluggable authentication modules) to stop anyone else becoming root with su
su (substitute user) lets you become another existing user on the system. If you do not want everybody to be able to become root with su, add the following two lines to su's PAM configuration file (in the /etc/pam.d/ directory).
Edit the su file (vi /etc/pam.d/su) and add these two lines at the beginning:
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so group=wheel
This means that only members of the wheel group can use su to become root (the pam_rootok line lets root itself su to other users without a password). To allow a user, add it to the wheel group, which has GID 10 on Red Hat: usermod -G wheel username.
12. Bash shell history logging
Bash saves the last 500 commands in ~/.bash_history ("~/" is the user's home directory), which makes re-entering long commands convenient. Every account on the system has a .bash_history file in its home directory. Bash should keep fewer commands and delete the history whenever a user logs out.
Step 1: The HISTFILESIZE and HISTSIZE lines in /etc/profile determine how many old commands every user's .bash_history may hold. It is strongly recommended to set both to a small number, such as 30. Edit /etc/profile (vi /etc/profile) and change the lines to:
HISTFILESIZE=30
HISTSIZE=30
This means each user's .bash_history can hold only 30 old commands.
Step 2: The administrator should also add the line rm -f $HOME/.bash_history to /etc/skel/.bash_logout, so that the history file is deleted when the user logs out. Edit .bash_logout (vi /etc/skel/.bash_logout) and add this line:
rm -f $HOME/.bash_history
Note that /etc/skel only affects accounts created afterwards; existing users need the line added to their own .bash_logout. Both settings are also under the user's control, so this is hygiene (keeping passwords typed on the command line from lingering on disk), not an audit trail.
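As an added example covering sections 4 and 12 (it is not code from the original article), the script below writes the TMOUT, HISTFILESIZE and HISTSIZE settings into a profile file idempotently, so that it can be re-run without duplicating lines, and demonstrates the caveat about TMOUT: a plain assignment can be undone by the user with unset, while a readonly one cannot. The profile contents used by demo() are constructed; on a real system pass /etc/profile.

```shell
#!/bin/sh
# Added example, not from the original article: apply the idle-timeout and
# history settings to a profile file and show why TMOUT should be readonly.

# set_var FILE NAME VALUE: replace an existing NAME=... line or append one.
set_var() {
    file=$1; name=$2; value=$3
    if grep -q "^${name}=" "$file"; then
        sed "s|^${name}=.*|${name}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# append_once FILE LINE: append LINE unless it is already present verbatim.
append_once() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# harden_profile FILE [SECONDS]: idle timeout (default 300 s) and a 30-entry
# history, with TMOUT locked so users cannot unset or raise it.
harden_profile() {
    f=$1; secs=${2:-300}
    set_var "$f" HISTFILESIZE 30
    set_var "$f" HISTSIZE 30
    set_var "$f" TMOUT "$secs"
    append_once "$f" "readonly TMOUT"
    append_once "$f" "export TMOUT HISTFILESIZE HISTSIZE"
}

# get_var FILE NAME: print the value assigned to NAME in FILE (last wins).
get_var() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Returns 0 if a plain TMOUT can be removed by the user: the weakness.
plain_tmout_unsettable() {
    ( TMOUT=300; unset TMOUT; [ -z "${TMOUT:-}" ] )
}

# Returns 0 if a readonly TMOUT survives an attempt to unset it.
readonly_tmout_sticks() {
    if ( TMOUT=300; readonly TMOUT; unset TMOUT ) 2>/dev/null; then
        return 1
    fi
    return 0
}

demo() {
    f=$(mktemp) || return 1
    printf 'HISTFILESIZE=500\nPATH=$PATH:/usr/local/bin\n' > "$f"   # constructed profile
    harden_profile "$f"
    harden_profile "$f"      # second run changes nothing
    cat "$f"
    rm -f "$f"
}
```

Source the script and run demo to see the resulting profile. The readonly line is what makes the difference against a user who would rather not be logged out: without it, unset TMOUT at the prompt silently disables the timeout.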
13. Disable the Control-Alt-Delete keyboard shutdown
Comment out (with "#") the following line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it becomes:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To make the change take effect, enter the following command:
# /sbin/init q
14. Set the permissions of the script files in /etc/rc.d/init.d
Set the permissions of the scripts that are executed at startup and shutdown:
# chmod -R 700 /etc/rc.d/init.d/*
This means only root may read, write and execute the scripts in this directory.
15. Hide system information
By default, the login banner of a Linux system shows the distribution name and version, the kernel version and the host name. For an attacker this is a convenient starting point for picking exploits that match your versions. You should show only a "login:" prompt.
First edit /etc/rc.d/rc.local and put a "#" in front of the lines shown below, commenting out the commands that write the information:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Second, delete the issue.net and issue files in the /etc directory:
# rm -f /etc/issue
# rm -f /etc/issue.net
16. Disable unneeded SUID/SGID programs
If a program is set-UID root, an ordinary user who runs it does so with root privileges. The administrator should keep set-UID/set-GID programs to a minimum and disable every one that is not strictly needed.
Find the files that have the s bit set (add -user root to the expression to list only root-owned ones):
# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Use the following command to strip the s bit from a program you have chosen:
# chmod a-s [program]
Do not strip it blindly: programs such as passwd, su and ping need the bit to work. Record the list you end up with and compare against it periodically, since a new set-UID file appearing is a classic sign of a compromise.
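The script below, added here and not part of the original article, turns the find command above into the periodic check just described: it lists every set-UID or set-GID file under a directory and reports those missing from an approved baseline. The directory tree, file names and baseline it builds are constructed for the demonstration; on a real system run find_setid / once, review the list, save it as the baseline and compare against it from cron.

```shell
#!/bin/sh
# Added example, not from the original article: inventory set-UID/set-GID files
# and flag the ones that are not in an approved baseline. Demo data is constructed.

# find_setid DIR: print every regular file under DIR with the set-UID or
# set-GID bit, sorted so the output is stable enough to keep as a baseline.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# unexpected_setid DIR BASELINE: print files from find_setid DIR that are not
# listed (one absolute path per line) in BASELINE. Empty output is the all-clear;
# an empty baseline makes every set-id file unexpected, which is the safe default.
unexpected_setid() {
    find_setid "$1" | grep -vxF -f "$2" || true
}

# build_demo_tree DIR: constructed files for the demonstration. Only the first
# one is recorded in the baseline.
build_demo_tree() {
    d=$1
    : > "$d/approved_helper"; chmod 4755 "$d/approved_helper"   # known set-UID helper
    : > "$d/rogue_setuid";    chmod 4755 "$d/rogue_setuid"      # not in the baseline
    : > "$d/plain_program";   chmod 0755 "$d/plain_program"     # no s bit at all
    printf '%s\n' "$d/approved_helper" > "$d/baseline.txt"
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_demo_tree "$tmp"
    echo "set-id files found:"; find_setid "$tmp"
    echo "not in baseline:";    unexpected_setid "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}
```

Source the script and run demo; only rogue_setuid should show up under "not in baseline". On a production host, keep the baseline file itself root-owned and, following the page's own practice, chattr +i, otherwise an intruder can simply add their new binary to it.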
These are some basic and fairly simple steps needed to maintain system security. Making a system more secure takes far more, such as configuring OpenSSL, and keeping a system stable and secure is continuous, long-term work that consumes a lot of time and energy. This is just some of my everyday work, and I look forward to discussing it with you!