Ten tips for Linux security protection

  

System security is critical to every user, and Linux users are no exception. Drawing on my own experience of using Linux, I have collected some tips for strengthening Linux security protection, which I introduce here.

1. Add a boot password for LILO

Add options to the /etc/lilo.conf file so that LILO requires a password when booting, which enhances system security. The specific settings are as follows:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    timeout=600    # wait 1 minute (the value is in tenths of a second)
    prompt
    default=linux
    password=
    # set the password
    image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6
    read-only

Note that LILO stores the password in clear text, so you need to set the permissions of lilo.conf so that only root can read and write it:

    # chmod 600 /etc/lilo.conf

You then need to run the following command for the changes to lilo.conf to take effect:

    # /sbin/lilo -v

2. Set the minimum password length and the shortest use time

The password is the main means of authenticating users in the system. The default minimum password length is usually 5 when the system is installed, but it can be increased so that passwords are not easily guessed; the minimum length should be at least 8. To do this, modify the parameter PASS_MIN_LEN in the file /etc/login.defs. At the same time, the password usage time should be limited to ensure that the password is changed periodically. It is recommended to modify the parameter PASS_MIN_DAYS.

3. User timeout logout

If a user forgets to log out of the account when leaving, it may create a hidden danger to system security. The /etc/profile file can be modified so that an account is automatically logged out of the system after a period of inactivity.

Edit the file /etc/profile and add the following line directly after the "HISTFILESIZE=" line:

    TMOUT=600

All users will then be logged out automatically after 10 minutes without activity.

4. Prohibit access to important files

The attributes of some key files in the system, such as inetd.conf, services and lilo.conf, can be changed to prevent accidental modification and viewing by ordinary users.

First change the file permissions to 600:

    # chmod 600 /etc/inetd.conf

Make sure that the owner of the file is root, and then set the file so that it cannot be changed:

    # chattr +i /etc/inetd.conf

This way, any change to this file is blocked. Only root can clear the flag, after which the file can be modified again:

    # chattr -i /etc/inetd.conf

5. Allow and disable remote access

In Linux, the two files /etc/hosts.allow and /etc/hosts.deny are used to allow and prohibit remote host access to local services. The usual practice is:

(1) Edit the hosts.deny file and add the following lines:

    # Deny access to everyone.
    ALL: ALL@ALL

All services are then prohibited for all external hosts unless the hosts.allow file specifies otherwise.

(2) Edit the hosts.allow file; for example, you can add the following lines:

    # Just an example:
    ftp: 202.84.17.11 xinhuanet.com

This allows the machine with the IP address 202.84.17.11 and the host xinhuanet.com to access the FTP service as clients.

(3) After the settings are complete, tcpdchk can be used to check whether they are correct.

6. Limit shell command record size

By default, the bash shell stores up to 500 command records in the file $HOME/.bash_history (the default number of records differs from system to system). There is one such file in the home directory of each user in the system. I strongly recommend limiting the size of this file.

You can edit the /etc/profile file and modify the options as follows:

    HISTFILESIZE=30

or

    HISTSIZE=30

7. Delete the command record when you log out

Edit the /etc/skel/.bash_logout file and add the following line:

    rm -f $HOME/.bash_history

This way, the command record of every user in the system is deleted when that user logs out.

If you only need to set this for a specific user, such as the root user, you can modify the /$HOME/.bash_history file only in that user's home directory and add the same line.

8. Disable unnecessary SUID programs

SUID allows ordinary users to execute a program with root privileges, so such programs in the system should be strictly controlled.

Find the programs owned by root that have the s bit set:

    # find / -type f \( -perm -04000 -o -perm -02000 \) -print
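
A read-only check for the settings in tips 1, 2, 3 and 5, added here as an example and not part of the original article. The function names, the --audit switch and the ROOT prefix argument (empty for the live system, or a directory holding a copy of /etc) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a tree against tips 1, 2, 3 and 5 of the article.
# Usage (hypothetical file name): sh audit.sh --audit [ROOT]

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Tip 1: lilo.conf holds a clear-text password, so its mode must be 600.
check_lilo_mode() {
    f="$1/etc/lilo.conf"
    [ -f "$f" ] || return 0        # LILO not installed: nothing to check
    [ "$(file_mode "$f")" = "600" ]
}

# Tip 2: PASS_MIN_LEN in login.defs must be at least 8.
check_pass_min_len() {
    n=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' \
        "$1/etc/login.defs" 2>/dev/null) || n=0
    [ "${n:-0}" -ge 8 ]
}

# Tip 3: /etc/profile must set TMOUT to a non-zero number of seconds.
check_tmout() {
    t=$(grep -E '^[[:space:]]*(export[[:space:]]+)?TMOUT=[0-9]+' \
        "$1/etc/profile" 2>/dev/null | tail -n 1 |
        sed 's/.*TMOUT=\([0-9]*\).*/\1/')
    [ "${t:-0}" -gt 0 ]
}

# Tip 5: hosts.deny must carry a default-deny rule such as "ALL: ALL@ALL".
check_hosts_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' \
        "$1/etc/hosts.deny" 2>/dev/null
}

# Run every check, print PASS/FAIL per check, return the number of failures.
audit() {
    fails=0
    for c in check_lilo_mode check_pass_min_len check_tmout check_hosts_deny; do
        if "$c" "$1"; then echo "PASS $c"; else
            echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

case "${1:-}" in --audit) audit "${2:-}" ;; esac
```

The script changes nothing on disk; a FAIL line names the tip whose setting is missing or weaker than the article recommends.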
