As we all know, network security is a very important issue, and the server is the key to network security.
Linux is considered a relatively secure Internet server. Because it is an open-source operating system, once a security vulnerability is found in Linux, volunteers from all over the Internet are eager to fix it. However, system administrators often fail to get the information and apply the corrections in time, which gives attackers an opening. Compared with these vulnerabilities in the system itself, though, more security problems are caused by improper configuration, and they can be prevented by configuring the system appropriately. The more services that run on a server, the more opportunities there are for misconfiguration, and the greater the likelihood of a security problem. To this end, this article explains some ways to strengthen the security of Linux/Unix server systems.

System security log files

The operating system's internal log files are important clues for detecting whether a network intrusion has taken place. If your system is directly connected to the Internet and you find that many people are making Telnet/FTP login attempts against it, you can run

# more /var/log/secure | grep refused

to check for attacks on the system, so that you can take appropriate countermeasures, such as using SSH in place of Telnet/rlogin.

Startup and login security

1. BIOS security

Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.

2. User passwords

User passwords are a basic starting point for Linux security. Many people use passwords that are too simple, which amounts to opening the door to intruders. In theory, given enough time and resources, there is no user password that cannot be cracked, but a well-chosen password is hard to break. Good user passwords are strings of characters that only the user can easily remember and understand, and they should never be written down anywhere.

3. Default accounts

Disable every account that the operating system itself starts by default and that is not needed. Do this when you first install the system. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is to attack. You can use the following command to delete an account:

# userdel username

or use the following command to delete a group account:

# groupdel username

4. Password files

Use the chattr command to add the immutable attribute to the following files, which prevents unauthorized users from gaining access:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

5. Disabling Ctrl+Alt+Delete to restart the machine

Edit the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:

# chmod -R 700 /etc/rc.d/init.d/*

so that only root can read, write, or execute these script files.

6. Restricting the su command

If you do not want just anyone to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

At this point, only users in the isd group can use su to become root. Afterwards, if you want the user admin to be able to su to root, you can run the following command:

# usermod -G10 admin

7. Removing login information

By default, the login prompt includes the name of the Linux distribution, the kernel version, and the server host name. For a machine with higher security requirements, this reveals too much information. You can edit /etc/rc.d/rc.local and comment out the following lines, which output the system information:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot
# echo "" > /etc/issue
# echo "" >> /etc/issue
# echo "Kernel $(uname -r) on $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue

Then, do the following:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
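
To verify that the settings from steps 4 to 7 are actually in place, here is an added example (not part of the original article): a small POSIX shell audit. The function names and the root-prefix argument are assumptions made for illustration, and the immutable check assumes lsattr on an ext2/3/4 filesystem.

```sh
#!/bin/sh
# Audit sketch for steps 4-7. Each check takes a root prefix, so it can run
# against the live system ("/") or a constructed test tree. Names are illustrative.

# Step 4: immutable attribute on the account files (assumes lsattr, ext2/3/4).
check_immutable() {
    for f in passwd shadow group gshadow; do
        lsattr -d "$1/etc/$f" 2>/dev/null | awk '{print $1}' | grep -q i || return 1
    done
}

# Step 5: no active (uncommented) ctrlaltdel entry in /etc/inittab.
check_ctrlaltdel() {
    ! grep -Eq '^[^#]*:ctrlaltdel:' "$1/etc/inittab" 2>/dev/null
}

# Step 5: every init script has mode 700 exactly (root-only read/write/execute).
check_initd_perms() {
    [ -z "$(find "$1/etc/rc.d/init.d" -type f ! -perm 700 2>/dev/null)" ]
}

# Step 6: an active "auth required ... pam_wheel.so" line in /etc/pam.d/su.
check_su_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so' \
        "$1/etc/pam.d/su" 2>/dev/null
}

# Step 7: /etc/issue and /etc/issue.net exist and are empty.
check_banner() {
    for f in issue issue.net; do
        [ -f "$1/etc/$f" ] && [ ! -s "$1/etc/$f" ] || return 1
    done
}

# Run every check, print PASS/FAIL per check, return the number of failures.
audit() {
    fails=0
    for c in check_immutable check_ctrlaltdel check_initd_perms check_su_wheel check_banner; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Usage: sh audit.sh /    (no argument: only define the functions)
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

While the immutable attribute from step 4 is set, the account files cannot be modified even by root, so it has to be removed before adding users or changing passwords and set again afterwards.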