[Security] Linux Security Setup Manual

xiaoxiao, 2021-03-06

This article explains how to make a Linux system more robust through basic security measures.

1. BIOS security. Set a password on the BIOS and prevent booting from the floppy disk by changing the boot order in the BIOS. This stops others from starting your system with a special boot disk, and also stops them from entering the BIOS setup to change settings (such as re-enabling floppy boot).

2. LILO security. Add the following three parameters to the "/etc/lilo.conf" file: timeout, restricted, password. These three parameters make the system request password verification when LILO is started.

Step 1: Edit the lilo.conf file (vi /etc/lilo.conf) and change or add these three parameters:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    timeout=00                  # set this line to 00
    prompt
    default=linux
    restricted                  # add this line
    password=                   # add this line and set your own password
    image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only

Step 2: Because "/etc/lilo.conf" now contains the password in plain text, make it readable only by root: [root@kapil /]# chmod 600 /etc/lilo.conf

Step 3: Update the boot loader so that the modified "/etc/lilo.conf" takes effect: [root@kapil /]# /sbin/lilo -v

Step 4: Use the "chattr" command to make the "/etc/lilo.conf" file immutable: [root@kapil /]# chattr +i /etc/lilo.conf. This prevents any change to "/etc/lilo.conf", whether accidental or otherwise.

3. Remove all special accounts. Delete all default user and group accounts that you do not use (such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.). Delete a user: [root@kapil /]# userdel lp. Delete a group: [root@kapil /]# groupdel lp

4. Choose good passwords. Before choosing passwords, make the following change: increase the minimum password length. When Linux is installed the default minimum password length is 5 bytes; that is not enough, so set it to 8. Edit the login.defs file (vi /etc/login.defs), which is the configuration file of the login program, and change the line PASS_MIN_LEN 5 to PASS_MIN_LEN 8.

5. Enable shadow password support. You should enable the password shadow feature to protect the stored password hashes. Use the "/usr/sbin/authconfig" tool to enable it. To convert existing password and group files to shadow format, use the "pwconv" and "grpconv" commands.

6. Automatic logout of the root account. The root account has the highest privilege in a UNIX system. If the system administrator forgets to log out of the root account before leaving the system, the system should log it out automatically. This is done with the "TMOUT" variable in the shell profile; TMOUT is measured in seconds. Edit the profile file (vi /etc/profile) and add this line below "HISTFILESIZE=":

    TMOUT=3600

3600 means 60 * 60 = 3600 seconds, i.e. one hour. If a logged-in user has no activity for an hour, the system automatically logs that account out. You can also add this value to an individual user's ".bashrc" file to give that user a different automatic logout time. After changing this setting you must log out and log in again as that user for the feature to take effect.

7. Cancel console access for ordinary users. You should remove ordinary users' console access to commands such as shutdown, reboot and halt: [root@kapil /]# rm -f /etc/security/console.apps/<servicename>, where <servicename> is the name of the program whose console access you want to remove.

8. Remove or disable all unused services. Disable or uninstall every service you do not use, and you will have far fewer worries. Look at the "/etc/inetd.conf" file and disable all the services you do not need (put a "#" before the service entry). Then send a SIGHUP to inetd so that it reloads "inetd.conf".

Step 1: Change the permission of "/etc/inetd.conf" to 600 so that only root can read and write the file: [root@kapil /]# chmod 600 /etc/inetd.conf

Step 2: Make sure the owner of "/etc/inetd.conf" is root.

Step 3: Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and disable the services you do not need, for example: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. Closing unneeded services reduces the system's exposure.

Step 4: Send a HUP signal to the inetd process: [root@kapil /]# killall -HUP inetd

Step 5: Use the chattr command to make "/etc/inetd.conf" immutable so that nobody can modify it: [root@kapil /]# chattr +i /etc/inetd.conf. This prevents any modification of inetd.conf, accidental or otherwise. Only root can remove this attribute. If you need to modify inetd.conf, first remove the immutable attribute: [root@kapil /]# chattr -i /etc/inetd.conf, and do not forget to set it back to immutable afterwards.
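The inetd.conf editing in Step 3 above, as an added shell example that is not part of the original article: it comments out a list of services in a copy of inetd.conf and lists what is still active. The sample inetd.conf content, the function names and the temporary path are constructed for this illustration; run it against a copy before touching the real /etc/inetd.conf.

```shell
#!/bin/sh
# Added example: disable inetd services in a copy of inetd.conf.
# Paths, sample content and function names are constructed for this demo;
# nothing here touches /etc.

# Print the first field (service name) of every line that is neither a
# comment nor blank, i.e. the services inetd would still start.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Comment out every entry whose service field is one of the given names.
# $1 = path to an inetd.conf-style file, remaining args = service names.
disable_inetd_services() {
    file=$1; shift
    for svc in "$@"; do
        # Anchor on the whole first field so that "ftp" does not hit "tftp".
        sed -i.bak "s/^\([[:space:]]*\)\(${svc}[[:space:]]\)/\1#\2/" "$file"
        rm -f "$file.bak"
    done
}

# Write a constructed inetd.conf sample in the classic seven-field format.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Constructed inetd.conf sample (not a real system file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}

# Demo on a temporary copy; on a real system you would run the same
# functions against /etc/inetd.conf and then "killall -HUP inetd".
demo_dir=$(mktemp -d)
make_sample_inetd_conf "$demo_dir/inetd.conf"
echo "before: $(active_inetd_services "$demo_dir/inetd.conf" | tr '\n' ' ')"
disable_inetd_services "$demo_dir/inetd.conf" ftp telnet finger pop-3
echo "after:  $(active_inetd_services "$demo_dir/inetd.conf" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

The disabled entries stay in the file as comments, so they can be audited or re-enabled later; only the first field is matched, which is why "tftp" survives when "ftp" is disabled.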

9. TCP_WRAPPERS. Use TCP_WRAPPERS to protect your system against intrusion from outside. The best strategy is to block all hosts by adding "ALL: ALL@ALL, PARANOID" to the "/etc/hosts.deny" file, and then list the hosts that are allowed access in the "/etc/hosts.allow" file.

Step 1: Edit the hosts.deny file (vi /etc/hosts.deny) and add the following line:

    ALL: ALL@ALL, PARANOID

This means all services and addresses are blocked unless the address is in the list of allowed hosts.

Step 2: Edit the hosts.allow file (vi /etc/hosts.allow) and add the list of allowed hosts, for example:

    ftp: 202.54.15.99 foo.com

202.54.15.99 and foo.com are the IP address and host name allowed to access the FTP service.

Step 3: The tcpdchk program is the TCP Wrapper configuration checker. It checks your TCP Wrapper settings and reports the potential and actual problems it finds. After finishing the setup, run: [root@kapil /]# tcpdchk

10. Hide system information at remote login. Prevent the system from displaying its banner when someone logs in remotely. You can achieve this by modifying the "/etc/inetd.conf" file. Change the following line in /etc/inetd.conf:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

to:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding "-h" at the end makes the system show only a "login:" prompt when someone logs in, without displaying system information.
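An added example (not from the original article) that models the tcp_wrappers decision order described in section 9: hosts.allow is consulted first, then hosts.deny, and a client that matches neither is allowed, which is why the default-deny line in hosts.deny matters. Only the ALL wildcard (including the ALL@ALL form) and exact host or address tokens are handled; PARANOID, which needs a reverse-DNS check, is ignored. The sample rule files and the function names are constructed.

```shell
#!/bin/sh
# Added example: a simplified model of tcp_wrappers access control.
# Only ALL / ALL@ALL and exact host or address tokens are matched;
# PARANOID (reverse-DNS check) is ignored. Function names are constructed.

# Does the comma/space separated list $1 contain token $2 (or ALL)?
_list_has() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        tok=${tok%%@*}            # "ALL@ALL" -> "ALL" (user@host form)
        [ "$tok" = "ALL" ] && return 0
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# Does any "daemon_list : client_list" line in file $3 match service $1
# and client $2? Comments and blank lines are skipped; a missing file
# matches nothing, as with a missing hosts.allow or hosts.deny.
_wrap_match() {
    svc=$1; cli=$2; file=$3
    [ -f "$file" ] || return 1
    while IFS=: read -r daemons clients; do
        daemons=$(printf '%s' "$daemons" | sed 's/^[[:space:]]*//')
        case "$daemons" in '' | \#*) continue ;; esac
        if _list_has "$daemons" "$svc" && _list_has "$clients" "$cli"; then
            return 0
        fi
    done < "$file"
    return 1
}

# Print "allow" or "deny" for service $1 and client $2, using
# hosts.allow ($3) and hosts.deny ($4) in tcp_wrappers order.
tcpwrap_decision() {
    if _wrap_match "$1" "$2" "$3"; then echo allow
    elif _wrap_match "$1" "$2" "$4"; then echo deny
    else echo allow           # no rule matched: tcp_wrappers grants access
    fi
}

# Constructed rule files matching the article's section 9 settings.
make_sample_rules() {
    printf 'ftp: 202.54.15.99 foo.com\n' > "$1/hosts.allow"
    printf 'ALL: ALL@ALL, PARANOID\n' > "$1/hosts.deny"
}

# Demo in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir"
for probe in "ftp 202.54.15.99" "ftp 10.1.1.1" "telnet foo.com"; do
    set -- $probe
    printf '%-7s %-14s -> %s\n' "$1" "$2" \
        "$(tcpwrap_decision "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
rm -rf "$demo_dir"
```

The last branch of tcpwrap_decision is the point of the section: delete hosts.deny and every unlisted client is let in, so the "ALL: ALL@ALL" line is what turns the configuration into default-deny.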

11. Modify the "/etc/host.conf" file. "/etc/host.conf" describes how host names are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add these lines:

    order bind,hosts
    multi on
    nospoof on

The first setting resolves addresses through DNS first and then through the hosts file. The second setting allows a host in the "/etc/hosts" file to have multiple IP addresses (such as a machine with multiple Ethernet cards). The third setting tells the resolver to guard against IP spoofing attempts against this machine.

12. Make the "/etc/services" file immutable, to prevent unauthorized deletion or addition of services: [root@kapil /]# chattr +i /etc/services

13. Do not allow root to log in from arbitrary consoles. The "/etc/securetty" file lets you define which TTY devices the root user may log in from. Edit the "/etc/securetty" file and put a "#" before each TTY device from which root should not be allowed to log in; root login from that TTY device is then prohibited.

14. Prevent anyone from becoming root with su. The su (substitute user) command lets a user switch to another existing account on the system. If you do not want anyone to become root through the su command, add the following two lines to the su configuration file in the "/etc/pam.d/" directory. Edit the su file (vi /etc/pam.d/su) and add these two lines at the beginning:

    auth sufficient /lib/security/pam_rootok.so debug
    auth required /lib/security/pam_wheel.so group=wheel

This means that only members of the "wheel" group can use the su command to become root. Add a user to the "wheel" group to let that user use su to become root.

15. Shell logging. The bash shell saves up to 500 used commands in the "~/.bash_history" file so that long commands you have typed can be recalled easily. Every user with an account on the system has a ".bash_history" file in their home directory. Bash should save only a small number of commands and delete the history when each user logs out. The "HISTFILESIZE" and "HISTSIZE" lines in the "/etc/profile" file determine how many old commands all users' ".bash_history" files can hold. It is strongly recommended to set the "HISTFILESIZE" and "HISTSIZE" lines in "/etc/profile" to a small number, such as 30.

Step 1: Edit the profile file (vi /etc/profile) and change the lines below:

    HISTFILESIZE=30
    HISTSIZE=30

This means that each user's ".bash_history" file can hold only 30 old commands.

Step 2: The administrator should also add the line "rm -f $HOME/.bash_history" to the "/etc/skel/.bash_logout" file, so that the ".bash_history" file is deleted when the user logs out. Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add this line:

    rm -f $HOME/.bash_history

16. Disable the Control-Alt-Delete keyboard shutdown command. In the "/etc/inittab" file, comment out the following line (using #):

    ca::ctrlaltdel:/sbin/shutdown -t3 -r now

so that it becomes:

    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

For this change to take effect, enter the following command: [root@kapil /]# /sbin/init q

17. Set permissions on the startup script files. Set the permissions of the script files that start or stop services at boot: [root@kapil /]# chmod -R 700 /etc/rc.d/init.d/*. This means that only root may read, write and execute the scripts in this directory.

18. Hide system information. By default, when you log in to a Linux system it tells you the name and version of the Linux distribution, the kernel version and the server's host name. For an attacker this information is enough to help break into your system. You should show only a "login:" prompt. Step 1: Edit the "/etc/rc.d/rc.local" file and put a "#" before the lines that write this information out, so that the commands producing the banner are commented out.

Step 2: Delete the "issue.net" and "issue" files in the "/etc" directory: [root@kapil /]# rm -f /etc/issue [root@kapil /]# rm -f /etc/issue.net

19. Disable unused SUID/SGID programs. If a program is set SUID root, an ordinary user can run that program with root privileges. The administrator should use SUID/SGID programs as little as possible and disable all unnecessary SUID/SGID programs. Find root-owned programs with the 's' bit: [root@kapil /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \; Then disable a selected program with the 's' bit using the following command: [root@kapil /]# chmod a-s [program]

After applying these security guidelines, the system administrator will have a basically secure system. Some of these tasks are ongoing processes, and the administrator should keep doing them to maintain system security.
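The SUID/SGID scan from section 19, as an added shell example that is not from the original article: the functions scan a directory tree you pass in, compare the result with a saved baseline (the "ongoing process" the closing paragraph mentions) and strip the bits from a chosen program. The sample tree and the function names are constructed; the demo runs only in a temporary directory.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files under a directory tree.
# The tree it scans is passed in; the demo builds a constructed one in a
# temporary directory. Function names are constructed for this example.

# List regular files under $1 carrying the setuid (4000) or setgid (2000) bit.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Number of such files, for a quick before/after comparison.
count_setid_files() {
    find_setid_files "$1" | wc -l | tr -d ' '
}

# Compare the current scan of $2 against a baseline list saved in $1.
# Prints "- path" for files gone since the baseline and "+ path" for new
# ones; returns 0 when there is no drift, 1 otherwise.
setid_diff_from_baseline() {
    drift=$(find_setid_files "$2" | diff "$1" - | grep '^[<>]' | sed 's/^</-/; s/^>/+/')
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Strip both bits from a program the audit found unnecessary (chmod a-s).
drop_setid_bit() {
    chmod a-s "$1"
}

# Constructed tree: two set-id files and one plain file.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/sbin"
    for f in bin/passwd-like sbin/ping-like bin/plain; do
        printf '#!/bin/sh\necho hello\n' > "$1/$f"
    done
    chmod 4755 "$1/bin/passwd-like"
    chmod 2755 "$1/sbin/ping-like"
    chmod 0755 "$1/bin/plain"
}

# Demo: scan, save a baseline, strip one bit, and show the drift.
demo=$(mktemp -d)
make_sample_tree "$demo/root"
find_setid_files "$demo/root" > "$demo/baseline.txt"
echo "set-id files: $(count_setid_files "$demo/root")"
drop_setid_bit "$demo/root/sbin/ping-like"
setid_diff_from_baseline "$demo/baseline.txt" "$demo/root" || echo "drift detected"
rm -rf "$demo"
```

Saving the sorted list as a baseline and diffing against it on each run is what turns the one-off find command into a repeatable check: a "+" line is a set-id file that appeared since the last audit and deserves a look.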

Please credit the original source when reposting: https://www.9cbs.com/read-88537.html
