Chen Kangpeng

Nowadays the security of a system matters more and more. Here I want to write down the basic security measures I usually apply on Linux, so that everyone can explore them and our Linux systems can be made reliable.

1. BIOS security settings

The BIOS setting is the most basic measure, and also the easiest. Be sure to set a password in your BIOS and change the boot order so that the machine cannot be started from a floppy disk. This not only prevents someone from booting your system with a special startup disk, but also prevents others from entering the BIOS setup and altering it, so the hardware settings of the machine cannot be changed by other people.

2. LILO security settings

LILO is short for Linux Loader, the Linux boot module. You configure it by editing the "/etc/lilo.conf" file. Add the two parameters "restricted" and "password" to /etc/lilo.conf (together with the timeout=00 line shown below); with these parameters your system requests password verification when LILO is launched.

Step 1: Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the following parameters:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    prompt
    timeout=00                 # this line should be 00 so the system does not wait and boots Linux directly
    message=/boot/message
    linear
    default=linux
    restricted                 # add this line
    password=<your-password>   # add this line and set your own password (placeholder shown here)
    image=/boot/vmlinuz-2.4.2-2
        label=linux
        root=/dev/hda6
        read-only

Step 2: Because the "/etc/lilo.conf" file now contains the password in plain text, it must be readable by root only:

    # chmod 0600 /etc/lilo.conf

Step 3: Update the boot sector so that the modified "/etc/lilo.conf" file takes effect:
    # /sbin/lilo -v

Step 4: Use the "chattr" command to make the "/etc/lilo.conf" file immutable:

    # chattr +i /etc/lilo.conf

This prevents, to a certain extent, any change to "/etc/lilo.conf" (by accident or for other reasons), so the password stays more secure.

3. Passwords

The password is said to be the system's first line of defense. At present most online attacks begin by intercepting or guessing passwords, so we should choose safer passwords.

First, eliminate accounts that have no password. You can find them by looking at the /etc/passwd file. For example, if there is an account named test with no password set, the /etc/passwd file contains a line like this:

    test::100:9::/home/test:/bin/bash

The second field is empty, which means that test has no password set. This is very dangerous! Such accounts should be deleted or given a password.

Second, in older versions of Linux the /etc/passwd file itself contains the encrypted passwords. This brings many hidden dangers to the security of the system: the easiest way to obtain a password is then to brute-force the hashes in that file.
You can use the command /usr/sbin/pwconv or /usr/sbin/grpconv to create the /etc/shadow or /etc/gshadow file, so that the encrypted passwords are no longer kept in /etc/passwd but in /etc/shadow, a file that only the superuser root can read!

Third, change the shell variable of some system accounts such as uucp, ftp and news, and of accounts that only need FTP access: never give them a shell such as /bin/bash or /bin/sh. You can use the command

    usermod -s /dev/null username

to change the shell of username; set it, for example, to /bin/false or /dev/null. Such an account can then no longer log in to the system remotely!

Fourth, change the default minimum password length. When Linux is installed the default minimum password length is 5 bytes, which is not enough; set it to 8. To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change the line

    PASS_MIN_LEN 5

to

    PASS_MIN_LEN 8

The login.defs file is the configuration file of the login program.

4. Automatic logout

The root account holds the highest privilege in a UNIX system. If the system administrator forgets to log out of the root account before leaving the system, it creates many security hazards, so the system should log the account out automatically. This function is implemented with the "TMOUT" parameter, which counts in seconds. Edit your profile file (vi /etc/profile) and add the following line after the "HISTFILESIZE=" line:

    TMOUT=300

300 means 300 seconds, that is, 5 minutes. If a logged-in user performs no action within 5 minutes, the system automatically logs the account out. You can also add this value to the ".bashrc" file of individual users, so that the system applies a special automatic logout time to them.
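The four password points above and the TMOUT setting can be checked mechanically. The following script is an added example, not code from the article: it audits copies of passwd, login.defs and profile (all constructed here, so it never reads the real /etc), reports empty password fields, hashes kept in the passwd file itself, service accounts that still have a real shell, the effective PASS_MIN_LEN, and whether TMOUT is set. The function names and the sample file contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the article): audit copies of passwd,
# login.defs and profile for the points made in sections 3 and 4.
# All files below are constructed for the demonstration; /etc is never read.

# Print one finding per line ("<account> <problem>") for a passwd-format file.
audit_passwd() {
  awk -F: '
    /^#/ || $1 == "" { next }
    # empty second field: the account has no password at all
    $2 == "" { print $1, "empty-password" }
    # "x", "!" or "*" mean the hash lives in /etc/shadow; anything else is a
    # hash stored in the world-readable passwd file (pwconv not yet run)
    $2 != "" && $2 != "x" && $2 != "!" && $2 != "*" { print $1, "hash-in-passwd" }
    # service accounts named in the article that still have a real shell
    ($1 == "uucp" || $1 == "ftp" || $1 == "news") &&
      ($7 == "/bin/bash" || $7 == "/bin/sh") { print $1, "login-shell" }
  ' "$1"
}

# Print the effective PASS_MIN_LEN of a login.defs-style file; the article
# states the installed default is 5, so that is returned when it is unset.
pass_min_len() {
  awk '/^[[:space:]]*#/ { next }
       $1 == "PASS_MIN_LEN" { v = $2 }
       END { print (v == "" ? 5 : v) }' "$1"
}

# Print the TMOUT value set in a profile-style file, or "unset".
tmout_seconds() {
  awk -F= '/^TMOUT=/ { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Demo run on constructed files (the hash below is a fake placeholder).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test::100:9::/home/test:/bin/bash
olduser:$1$abc$fakehashfordemo:101:9::/home/olduser:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:/dev/null
EOF
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n' > "$demo/login.defs"
printf 'HISTFILESIZE=1000\nTMOUT=300\n' > "$demo/profile"

audit_passwd "$demo/passwd"
echo "PASS_MIN_LEN: $(pass_min_len "$demo/login.defs")"
echo "TMOUT: $(tmout_seconds "$demo/profile")"
rm -rf "$demo"
```

Run against the constructed files the audit lists test (empty password), olduser (hash still in passwd) and ftp (interactive shell), while root and uucp pass. Pointing the functions at real copies of /etc/passwd, /etc/login.defs and /etc/profile gives the same report for a live system.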
After changing the TMOUT setting you must first log out and then log in again as that user to activate it.

5. Cancel ordinary users' console access

You should cancel ordinary users' console access to programs such as shutdown, reboot and halt:

    # rm -f /etc/security/console.apps/<servicename>

where <servicename> is the name of the program whose console access you want to remove.

6. Cancel and uninstall all unused services

Cancel and uninstall all unused services, and your worries will be much fewer. Look at the "/etc/inetd.conf" file and cancel all the services you do not want (add a "#" in front of the service entry). Then send the inetd process the SIGHUP signal so that it re-reads "inetd.conf".

Step 1: Change the permissions of "/etc/inetd.conf" to 600, so that only root can read and write the file:

    # chmod 600 /etc/inetd.conf

Step 2: Make sure the owner of the "/etc/inetd.conf" file is root.

Step 3: Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and cancel the following services if you do not need them: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. Closing unneeded services reduces the risk to the system.
Step 4: Send a HUP signal to the inetd process:

    # killall -HUP inetd

Step 5: Use the chattr command to make the /etc/inetd.conf file immutable, so that nobody can modify it:

    # chattr +i /etc/inetd.conf

This prevents any modification of inetd.conf (accidental or otherwise). The only person who can remove this attribute is root. If you want to modify the inetd.conf file, first clear the immutable attribute:

    # chattr -i /etc/inetd.conf

and do not forget to set it back to immutable afterwards.

7. TCP wrappers

Use TCP wrappers to make your system secure against external intrusion. The best strategy is to block all hosts (add "ALL: ALL@ALL, PARANOID" to the "/etc/hosts.deny" file), and then list all hosts that are allowed access in the "/etc/hosts.allow" file.

Step 1: Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:

    # Deny access to everyone.
    ALL: ALL@ALL, PARANOID

This means that unless the address is in the list of hosts allowed access, all services and addresses are blocked.

Step 2: Edit the hosts.allow file (vi /etc/hosts.allow) and add the list of hosts allowed access, for example:

    ftp: 202.54.15.99 foo.com

202.54.15.99 and foo.com are the IP address and host name allowed to access the FTP service.

Step 3: The tcpdchk program is the TCP wrapper configuration checker. It checks your TCP wrapper settings and reports potential and real problems it finds. After setting things up, run:

    # tcpdchk

8. Modify the "/etc/host.conf" file

"/etc/host.conf" specifies how addresses are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add these lines:

    # Lookup names via DNS first, then fall back to /etc/hosts.
    order bind,hosts
    # We have machines with multiple IP addresses.
    multi on
    # Check for IP address spoofing.
    nospoof on

The first setting resolves addresses via DNS first and then via the hosts file. The second setting handles hosts in the "/etc/hosts" file that have multiple IP addresses (for example, multiple Ethernet cards).
The third setting tells the resolver to guard this machine against unauthorized IP spoofing.

9. Make the "/etc/services" file immutable

Make the "/etc/services" file immutable to prevent unauthorized deletion or addition of services:

    # chattr +i /etc/services

10. Do not allow root to log in from every console

The "/etc/securetty" file defines the TTY devices from which the root user may log in. Edit the "/etc/securetty" file and add a "#" in front of each TTY device that no longer needs to allow root login, to disable root login from that TTY device.
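Going back to sections 6 and 7 above, the following script is an added example (not code from the article) that shows how the two measures can be verified offline. It lists the services still enabled in an inetd.conf-format file and flags the ones the article recommends cancelling, and it emulates the TCP Wrappers access decision (hosts.allow first, then hosts.deny, otherwise allow) for a given daemon and client. The function names and all sample files are constructed for the demonstration, and only a subset of the real hosts.allow/hosts.deny syntax is handled (ALL, ALL@ALL, exact service names and exact addresses; PARANOID is skipped because it needs a reverse DNS lookup).

```shell
#!/bin/sh
# Added example (not code from the article): audit an inetd.conf for the
# services section 6 says to disable, and emulate the TCP Wrappers decision
# from section 7 on a (daemon, client) pair. Every file is constructed for
# the demo; the real /etc is never read.

# List the services still enabled (not commented out) in an inetd.conf file.
enabled_services() {
  awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Of those, print the ones the article recommends cancelling.
risky_enabled() {
  enabled_services "$1" |
    grep -Ex 'ftp|telnet|shell|login|exec|talk|ntalk|imap|pop-2|pop-3|finger|auth' || true
}

# Succeed if any "daemons : clients" rule in file $1 matches daemon $2 and
# client $3. Only a subset of the real syntax is handled: ALL, ALL@ALL, exact
# service names, exact IP addresses or host names. PARANOID is skipped, since
# it needs a reverse DNS lookup that this offline demo cannot do.
wrap_match() {
  awk -v d="$2" -v c="$3" '
    function tok_match(tok, val) {
      return tok == "ALL" || tok == "ALL@ALL" || tok == val
    }
    /^[[:space:]]*#/ || !NF { next }
    {
      split($0, parts, ":")
      nd = split(parts[1], dl, /[ \t,]+/)
      nc = split(parts[2], cl, /[ \t,]+/)
      dm = 0; for (i = 1; i <= nd; i++) if (tok_match(dl[i], d)) dm = 1
      cm = 0; for (i = 1; i <= nc; i++) if (tok_match(cl[i], c)) cm = 1
      if (dm && cm) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# TCP Wrappers evaluate hosts.allow first (a match grants access), then
# hosts.deny (a match refuses it); a client matching neither is allowed.
wrap_decision() {
  if wrap_match "$1" "$3" "$4"; then echo allow
  elif wrap_match "$2" "$3" "$4"; then echo deny
  else echo allow; fi
}

# Demo run on constructed files.
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
#ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
pop-3   stream tcp nowait root   /usr/sbin/tcpd ipop3d
EOF
printf 'ftp: 202.54.15.99 foo.com\n' > "$demo/hosts.allow"
printf 'ALL: ALL@ALL, PARANOID\n' > "$demo/hosts.deny"

echo "still enabled but recommended off: $(risky_enabled "$demo/inetd.conf" | tr '\n' ' ')"
for client in 202.54.15.99 10.0.0.5; do
  echo "ftp from $client: $(wrap_decision "$demo/hosts.allow" "$demo/hosts.deny" ftp "$client")"
done
rm -rf "$demo"
```

With the constructed files, telnet and pop-3 are reported as still enabled, ftp from 202.54.15.99 is allowed by hosts.allow, and ftp from 10.0.0.5 falls through to the "ALL: ALL@ALL" rule in hosts.deny and is refused. The important property the emulation makes visible is the evaluation order: an entry in hosts.allow wins over the catch-all in hosts.deny, and an empty hosts.deny means everything not explicitly denied is allowed.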
The /etc/inittab file also contains the following block:

    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    2:2345:respawn:/sbin/mingetty tty2
    #3:2345:respawn:/sbin/mingetty tty3
    #4:2345:respawn:/sbin/mingetty tty4
    #5:2345:respawn:/sbin/mingetty tty5
    #6:2345:respawn:/sbin/mingetty tty6

By default the system provides 6 consoles (Alt+F1, Alt+F2, ...). Here a "#" has been put in front of entries 3, 4, 5 and 6 to comment them out, so that only two consoles can be used; it is best to keep two. Then restart the init process for the change to take effect!

11. Use PAM (Pluggable Authentication Modules) to forbid anyone from becoming root with su

The su (substitute user) command lets you become another existing user of the system. If you do not want anyone to become root through su, add the following two lines to the su configuration file in the "/etc/pam.d/" directory. Edit the su file (vi /etc/pam.d/su) and add these two lines at the beginning:

    auth sufficient /lib/security/pam_rootok.so
    auth required   /lib/security/pam_wheel.so group=wheel

This means that only members of the "wheel" group can use su to become root. You can add a user to the "wheel" group so that they can use su to become root, with this command (10 is the GID of the wheel group):

    usermod -G 10 username

12. Shell logging

The bash shell saves 500 used commands in the "~/.bash_history" file, which makes repeating them easier. Every user with an account on the system has a ".bash_history" file in their home directory. The bash shell should save only a small number of commands and delete the history when the user logs out. The "HISTFILESIZE" and "HISTSIZE" lines in the "/etc/profile" file determine how many old commands can be saved in all users' ".bash_history" files. It is strongly recommended to set the values of the "HISTFILESIZE" and "HISTSIZE" lines in "/etc/profile" to a small number, such as 30.
Step 1: Edit the profile file (vi /etc/profile) and change the lines below:

    HISTFILESIZE=30
    HISTSIZE=30

This means that each user's ".bash_history" file can only hold 30 old commands.

Step 2: You should also add the following line to the "/etc/skel/.bash_logout" file:

    rm -f $HOME/.bash_history

Thus, when a user logs out, their ".bash_history" file is deleted.
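The two steps of section 12 are easy to script so that they can be applied repeatedly without duplicating lines. The following script is an added example, not code from the article: it rewrites (or appends) the HISTFILESIZE and HISTSIZE assignments in a profile file, appends the history wipe to a .bash_logout file only if it is not already there, and prints the effective values so the change can be verified. The paths are passed in as arguments and the demo works on constructed copies, so nothing under /etc is touched; the function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the article): apply the section 12 history
# settings to copies of /etc/profile and /etc/skel/.bash_logout, idempotently.
# Paths are passed in, so the demo never touches the real /etc.

# Set HISTFILESIZE and HISTSIZE to the given limit in a profile file.
# Existing assignments are rewritten in place; missing ones are appended.
# (A temp file plus mv is used instead of sed -i for portability.)
set_history_limit() {
  profile=$1; limit=$2
  for var in HISTFILESIZE HISTSIZE; do
    if grep -q "^${var}=" "$profile"; then
      sed "s/^${var}=.*/${var}=${limit}/" "$profile" > "$profile.tmp" &&
        mv "$profile.tmp" "$profile"
    else
      printf '%s=%s\n' "$var" "$limit" >> "$profile"
    fi
  done
}

# Make sure the logout script wipes the history file; append the line once.
add_history_wipe() {
  logout=$1
  line='rm -f $HOME/.bash_history'
  grep -qF "$line" "$logout" 2>/dev/null || printf '%s\n' "$line" >> "$logout"
}

# Print "HISTFILESIZE=<n> HISTSIZE=<n> wipe=<yes|no>" for verification.
report() {
  profile=$1; logout=$2
  f=$(sed -n 's/^HISTFILESIZE=//p' "$profile" | tail -n 1)
  s=$(sed -n 's/^HISTSIZE=//p' "$profile" | tail -n 1)
  if grep -qF 'rm -f $HOME/.bash_history' "$logout" 2>/dev/null; then w=yes; else w=no; fi
  printf 'HISTFILESIZE=%s HISTSIZE=%s wipe=%s\n' "$f" "$s" "$w"
}

# Demo run on constructed copies: a profile with the large default and no
# HISTFILESIZE line, and an empty .bash_logout.
demo=$(mktemp -d)
printf 'PATH=/usr/bin:/bin\nHISTSIZE=1000\nexport PATH HISTSIZE\n' > "$demo/profile"
: > "$demo/bash_logout"
set_history_limit "$demo/profile" 30
add_history_wipe "$demo/bash_logout"
report "$demo/profile" "$demo/bash_logout"
rm -rf "$demo"
```

Running the demo prints HISTFILESIZE=30 HISTSIZE=30 wipe=yes. Because both functions check before they write, running the script a second time leaves the files unchanged, which is what you want for something that may be re-run after every system update.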