Friday, December 3, 2010

Linux Security Guide

Author: H2KILL

This article describes basic security measures that make a Linux system harder to compromise.

1. BIOS security
Set a password on the BIOS to prevent changes to the BIOS boot order, for example allowing the machine to boot from a floppy disk. This stops someone from booting your system from a special boot disk and from entering the BIOS to change settings (such as allowing boot from floppy).

2. LILO security
Add the following three parameters to the "/etc/lilo.conf" file: time-out, restricted, and password. With these three parameters, lilo requires a password when the system starts.
Step 1: Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three parameters:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    time-out=00          # change this line to 00
    prompt
    default=linux
    restricted           # add this line
    password=<password>  # add this line and put your own password
    image=/boot/vmlinuz-2.2.14-12
        label=linux
        initrd=/boot/initrd-2.2.14-12.img
        root=/dev/hda6
        read-only

Step 2: Because the /etc/lilo.conf file contains the password in plain text, set its permissions so that only root can read it:

    [root@kapil /]# chmod 600 /etc/lilo.conf

Step 3: Update the boot loader with the changes made to "/etc/lilo.conf":

    [root@kapil /]# /sbin/lilo -v

Step 4: Use the "chattr" command to make the /etc/lilo.conf file immutable:

    [root@kapil /]# chattr +i /etc/lilo.conf

This prevents any change to "/etc/lilo.conf", accidental or otherwise.

3. Delete all special accounts
Delete all unused default user and group accounts (such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.).
Delete a user:

    [root@kapil /]# userdel lp

Delete a group:

    [root@kapil /]# groupdel lp

4. Choose correct passwords
Before choosing passwords, make the following change: modify the minimum password length. When Linux is installed, the default minimum password length is 5 bytes. That is not enough; set it to 8.
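The same three protections the guide applies to lilo.conf (owner-only permissions, the restricted/password directives, and the immutable attribute) can be verified with a script rather than by eye. The following audit script is an added example, not part of the original article; the function names (file_mode, check_lilo_directives, check_immutable, audit_lilo_conf, write_sample_lilo_conf) are assumptions of this example, and the sample lilo.conf it writes is constructed. It runs on a temporary copy, so it is safe to try anywhere; point audit_lilo_conf at the real /etc/lilo.conf to check a live system.

```shell
#!/bin/sh
# Added example (not from the guide): audit a lilo.conf-style file for the
# protections of section 2: mode 600, a 'restricted' line, a 'password=' line,
# and (where lsattr works) the immutable attribute set with chattr +i.
# All function names below are assumptions of this example.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if both 'restricted' and 'password=' appear as uncommented directives.
check_lilo_directives() {
    grep -Eq '^[[:space:]]*restricted([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"
}

# 0 if the immutable bit is set, 1 if not, 2 if it cannot be determined
# (lsattr missing, or a filesystem such as tmpfs that does not support it).
check_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    _attrs=$(lsattr -d "$1" 2>/dev/null) || return 2
    case "${_attrs%% *}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print one line per finding; return 0 only when the required checks pass.
# The immutable attribute is reported but not required, because it cannot be
# checked on every filesystem.
audit_lilo_conf() {
    _f=$1 _rc=0
    if [ "$(file_mode "$_f")" = "600" ]; then
        echo "ok:   $_f mode is 600"
    else
        echo "FAIL: $_f mode is $(file_mode "$_f"), expected 600 (the password is in plain text)"
        _rc=1
    fi
    if check_lilo_directives "$_f"; then
        echo "ok:   restricted and password= are present"
    else
        echo "FAIL: restricted and/or password= missing, boot options are not protected"
        _rc=1
    fi
    _imm=0
    check_immutable "$_f" || _imm=$?
    case $_imm in
        0) echo "ok:   immutable attribute is set" ;;
        1) echo "note: immutable attribute not set (chattr +i $_f)" ;;
        *) echo "note: immutable attribute could not be checked here" ;;
    esac
    return $_rc
}

# Constructed sample lilo.conf, hardened as in section 2, written to $1.
write_sample_lilo_conf() {
    cat > "$1" <<'EOF'
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=00
prompt
default=linux
restricted
password=example-only
image=/boot/vmlinuz-2.2.14-12
    label=linux
    root=/dev/hda6
    read-only
EOF
    chmod 600 "$1"
}

# Demo on a temporary file so the script is safe to run on any machine.
demo_dir=$(mktemp -d)
write_sample_lilo_conf "$demo_dir/lilo.conf"
audit_lilo_conf "$demo_dir/lilo.conf"
rm -rf "$demo_dir"
```

The mode and directive checks are the ones that fail loudly, because either defect means the boot password is readable or not enforced; the immutable bit is advisory because lsattr only works on filesystems that support attributes. The same audit_lilo_conf-style check of mode 600 plus the immutable bit applies to the other files the guide locks down the same way, such as /etc/inetd.conf and /etc/services.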
To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change the line PASS_MIN_LEN 5 to PASS_MIN_LEN 8. The login.defs file is the configuration file of the login program.

5. Enable shadow password support
Enable the shadow feature so that passwords are stored in encrypted (hashed) form. Use the "/usr/sbin/authconfig" tool to enable shadow passwords. To convert the existing password and group files to shadow format, use the "pwconv" and "grpconv" commands.

6. The root account
On a UNIX system the root account has the highest privilege. If the system administrator forgets to log out of a root session, the system should log it out automatically. You can implement this with the "TMOUT" parameter, whose value is in seconds. Edit your profile file (vi /etc/profile) and add the following line after the line "HISTFILESIZE=":

    TMOUT=3600

3600 is 60 * 60 = 3600 seconds, or one hour. If a user logged in to your system performs no action for one hour, the system logs that account out automatically. You can also add the value to an individual user's ".bashrc" file to give that user a different automatic logout time. For the setting to take effect, the user must log out and log in again.

7. Remove console access for normal users
Remove normal users' console access to commands such as shutdown, reboot and halt:

    [root@kapil /]# rm -f /etc/security/console.apps/<servicename>

where <servicename> is the name of the program to unregister.

8. Disable and uninstall all unused services
Disable and uninstall all unused services; this removes much of what you would otherwise have to worry about. Look at the "/etc/inetd.conf" file and disable every service you do not need by commenting it out (put a "#" in front of the service's line). Then send inetd a SIGHUP so that it re-reads the "inetd.conf" file.
Step 1: Change the permissions of "/etc/inetd.conf" to 600, so that only root can read and write the file:
    [root@kapil /]# chmod 600 /etc/inetd.conf

Step 2: Make sure that the "owner" of /etc/inetd.conf is root.
Step 3: Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and disable the following services (if you don't need them): telnet, ftp, shell, login, exec, talk, ntalk, imap, pop-3, pop-2, finger, auth, and so on. Turning off unneeded services greatly reduces the risk to the system.
Step 4: Send the inetd process a HUP signal:

    [root@kapil /]# killall -HUP inetd

Step 5: Use the chattr command to make /etc/inetd.conf immutable, so that nobody can modify it:

    [root@kapil /]# chattr +i /etc/inetd.conf

This prevents any modification of inetd.conf, accidental or otherwise. Only root can remove this attribute. If you want to modify the inetd.conf file, first remove the immutable attribute:

    [root@kapil /]# chattr -i /etc/inetd.conf

and don't forget to set it back to immutable afterwards.

9. TCP_WRAPPERS
With TCP_WRAPPERS you can protect your system against external intrusion. The best strategy is to block all hosts (by adding "ALL: ALL@ALL, PARANOID" to the /etc/hosts.deny file) and then list every host that is allowed access in the /etc/hosts.allow file.
Step 1: Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:

    # Deny access to everyone.
    ALL: ALL@ALL, PARANOID

This means that unless an address is listed in the allowed hosts file, all services are blocked for all addresses.
Step 2: Edit the hosts.allow file (vi /etc/hosts.allow) and add the hosts that are allowed access, for example:

    ftp: 202.54.15.99 foo.com

The IP address 202.54.15.99 and the host name foo.com are allowed to use the ftp service.
Step 3: The tcpdchk program is the tcp wrapper configuration checker. It examines your settings and reports the potential and real problems it finds in the tcp wrapper setup. When you have finished the settings, run:

    [root@kapil /]# tcpdchk

10. Suppress system information
When someone logs in remotely, suppress the system welcome banner.
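Before the hosts.deny / hosts.allow pair from section 9 goes live, it helps to see how tcpd will actually decide each connection: hosts.allow is consulted first, then hosts.deny, and a pair matched by neither file is allowed. The following evaluator is an added example, not part of the guide or of the tcp_wrappers package; it models that ordering and the common client patterns (ALL, exact host or address, ".domain" suffix, "net." prefix, and user@host, where only the host part is compared). It goes beyond the guide's example by also exercising a suffix and a prefix rule. PARANOID, KNOWN, UNKNOWN and LOCAL depend on DNS and identd state, so they are treated as non-matching here. All function names and the sample rule files are assumptions of this example. Note that real tcpd matches the daemon process name (for example in.ftpd) rather than "ftp"; the sample keeps the guide's spelling.

```shell
#!/bin/sh
# Added example (not from the guide): a small evaluator showing how tcpd
# decides access from hosts.allow and hosts.deny, so the default-deny policy
# of section 9 can be tested before it is deployed. Function names are
# assumptions of this example.

# Does one client pattern match the connecting host (name or address)?
match_client() {
    _pat=$1 _client=$2
    case "$_pat" in
        ALL) return 0 ;;
        *@*) if match_client "${_pat#*@}" "$_client"; then return 0; fi ;;  # user@host: host part only
        PARANOID|KNOWN|UNKNOWN|LOCAL) return 1 ;;                           # needs DNS/identd state
        .*)  case "$_client" in *"$_pat") return 0 ;; esac ;;               # .domain suffix
        *.)  case "$_client" in "$_pat"*) return 0 ;; esac ;;               # net. prefix
        *)   [ "$_pat" = "$_client" ] && return 0 ;;                        # exact match
    esac
    return 1
}

# Does a daemon pattern match the service being wrapped?
match_daemon() {
    [ "$1" = ALL ] || [ "$1" = "$2" ]
}

# Apply matcher $3 to every comma- or space-separated item of list $1 against $2.
match_list() {
    _list=$(printf '%s' "$1" | tr ',' ' ')
    for _item in $_list; do
        if "$3" "$_item" "$2"; then return 0; fi
    done
    return 1
}

# Does any entry in rule file $1 match daemon $2 and client $3?
# Entry format: daemon_list : client_list [: shell_command]
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                    # strip comments
        case "$_line" in *:*) ;; *) continue ;; esac
        _daemons=${_line%%:*}
        _rest=${_line#*:}
        _clients=${_rest%%:*}                 # ignore an optional shell_command field
        if match_list "$_daemons" "$2" match_daemon &&
           match_list "$_clients" "$3" match_client; then
            return 0
        fi
    done < "$1"
    return 1
}

# Print "allow" or "deny" the way tcpd would for this daemon/client pair:
# hosts.allow ($1) is checked first, then hosts.deny ($2); no match means allow.
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow                            # no rule matched: tcpd's default
    fi
}

# Constructed rule files (written under $1): the guide's deny-all entry plus its
# ftp example, and one extra allow line using a suffix and a prefix pattern.
write_sample_rules() {
    printf '# Deny access to everyone.\nALL: ALL@ALL, PARANOID\n' > "$1/hosts.deny"
    printf 'ftp: 202.54.15.99 foo.com\nsshd: .example.net 10.1.\n' > "$1/hosts.allow"
}

# Demo: evaluate a few daemon/client pairs against the sample rules.
demo=$(mktemp -d)
write_sample_rules "$demo"
for pair in "ftp 202.54.15.99" "ftp foo.com" "ftp 10.0.0.5" "telnet 202.54.15.99" \
            "sshd host.example.net" "sshd 10.1.2.3" "sshd 10.2.0.1"; do
    set -- $pair
    echo "$1 from $2: $(tcpd_decision "$demo/hosts.allow" "$demo/hosts.deny" "$1" "$2")"
done
rm -rf "$demo"
```

The evaluator makes the point of the deny-all strategy visible: with "ALL: ALL@ALL, PARANOID" in hosts.deny, only pairs explicitly listed in hosts.allow get through, and removing the hosts.deny file would flip every unmatched connection back to allow. tcpdchk remains the authoritative check for the real configuration, since it also validates daemon names and syntax this model does not.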
You can do this by modifying the "/etc/inetd.conf" file. Change the following line in /etc/inetd.conf:

    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

to:

    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd -h

Adding "-h" at the end makes the system show only a "login:" prompt when someone logs in, instead of the system welcome message.

11. Modify the "/etc/host.conf" file
"/etc/host.conf" describes how addresses are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add the following lines:

    # Lookup names via DNS first then fall back to /etc/hosts.
    order bind,hosts
    # We have machines with multiple IP addresses.
    multi on
    # Check for IP address spoofing.
    nospoof on

The first line resolves names through DNS first and then through the hosts file. The second line allows a host in "/etc/hosts" to have multiple IP addresses (for example, a machine with more than one Ethernet interface card). The third line tells the resolver to reject attempts to spoof the address of this machine.

12. Make the "/etc/services" file immutable
Make the "/etc/services" file immutable to prevent unauthorized removal or addition of services:

    [root@kapil /]# chattr +i /etc/services

13. Do not allow root login from other consoles
The "/etc/securetty" file defines the TTY devices from which the root user may log in. Edit the "/etc/securetty" file and put a "#" in front of each TTY device that root should no longer log in from; this prohibits root login from that device.

14. Prohibit anyone from becoming root with the su command
The su (substitute user) command lets you become another existing user of the system.
If you do not want anyone to become root through the su command, or want to restrict su to certain users, edit the su configuration file in the /etc/pam.d/ directory (vi /etc/pam.d/su) and add the following two lines at the beginning of the file:

    auth  sufficient  /lib/security/pam_rootok.so debug
    auth  required    /lib/security/pam_wheel.so group=wheel

This means that only members of the "wheel" group can use the su command to become root. Add a user to the "wheel" group to let that user use su to become root.

15. Shell logging
The bash shell saves up to 500 previously used commands in the file "~/.bash_history" ("~/" is the user's home directory), which lets you re-enter long commands you have used before. Every user account on the system has a ".bash_history" file in its home directory. You should save only a small number of bash shell commands, and delete the whole command history each time the user logs out.
Step 1: The "HISTSIZE" and "HISTFILESIZE" lines in the "/etc/profile" file determine how many old commands every user's ".bash_history" file can hold. It is strongly recommended to set the "HISTSIZE" and "HISTFILESIZE" values in the "/etc/profile" file to a small number, such as 30. Edit the profile file (vi /etc/profile), the
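Sections 6 and 15 both end up as assignments in /etc/profile (TMOUT for automatic logout, HISTSIZE and HISTFILESIZE for a short command history), which makes them easy to verify after the fact. The following audit script is an added example, not part of the guide; the function names (profile_value, within_range, tmout_is_readonly, audit_profile, write_sample_profiles) are assumptions of this example and the two sample profiles it writes are constructed. It also reports whether TMOUT has been made readonly, a detail the guide does not mention: without "readonly TMOUT", a user can simply unset the variable in their own shell and the timeout never fires. Point audit_profile at the real /etc/profile to check a live system.

```shell
#!/bin/sh
# Added example (not from the guide): check a /etc/profile-style file for the
# settings of sections 6 and 15 (TMOUT, HISTSIZE, HISTFILESIZE) and report
# whether TMOUT is readonly. Function names are assumptions of this example.

# Print the value of the last uncommented assignment of variable $2 in file $1
# (quotes removed), or nothing if it is never assigned.
profile_value() {
    grep -E "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" |
        tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' -e 's/["'"'"']//g'
}

# 0 if $1 is a non-empty string of digits between $2 and $3 inclusive.
within_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# 0 if an uncommented "readonly ... TMOUT" line is present.
tmout_is_readonly() {
    grep -Eq '^[[:space:]]*readonly[[:space:]]+(.*[[:space:]])?TMOUT([[:space:]=]|$)' "$1"
}

# Audit file $1. Return 0 only if TMOUT is set to a value between 1 and $2
# seconds (TMOUT=0 disables the timeout) and both history limits are at most
# $3 entries. Defaults match the guide: 3600 seconds and 30 entries.
audit_profile() {
    _f=$1 _max_tmout=${2:-3600} _max_hist=${3:-30} _rc=0
    _v=$(profile_value "$_f" TMOUT)
    if within_range "$_v" 1 "$_max_tmout"; then
        echo "ok:   TMOUT=$_v (idle sessions end after at most $_max_tmout s)"
    else
        echo "FAIL: TMOUT is '${_v:-unset}', expected a value from 1 to $_max_tmout"
        _rc=1
    fi
    if tmout_is_readonly "$_f"; then
        echo "ok:   TMOUT is readonly"
    else
        echo "note: TMOUT is not readonly, a user can unset it in their own shell"
    fi
    for _var in HISTSIZE HISTFILESIZE; do
        _v=$(profile_value "$_f" "$_var")
        if within_range "$_v" 0 "$_max_hist"; then
            echo "ok:   $_var=$_v"
        else
            echo "FAIL: $_var is '${_v:-unset}', expected at most $_max_hist"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample profiles written under $1: one hardened as the guide
# recommends, one with default-like values and no TMOUT.
write_sample_profiles() {
    cat > "$1/hardened.profile" <<'EOF'
# hardened as in sections 6 and 15 of the guide
HISTSIZE=30
HISTFILESIZE=30
TMOUT=3600
readonly TMOUT
export HISTSIZE HISTFILESIZE TMOUT
EOF
    cat > "$1/default.profile" <<'EOF'
HISTSIZE=1000
HISTFILESIZE=2000
export HISTSIZE HISTFILESIZE
EOF
}

# Demo: audit both samples on a temporary directory.
demo=$(mktemp -d)
write_sample_profiles "$demo"
for p in hardened default; do
    echo "== $p.profile"
    audit_profile "$demo/$p.profile" || echo "   => $p.profile needs attention"
done
rm -rf "$demo"
```

Because profile_value takes the last assignment in the file, a later line that re-sets HISTSIZE to a large value is reported as it would actually take effect. Per-user ~/.bashrc overrides, which the guide mentions for TMOUT, are not covered: run the same audit on those files separately if the system-wide values must hold for every account.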
