About Linux partitions
If a potential attacker targets your Linux servers, a buffer overflow is the first thing he will attempt. Over the past few years, buffer overflows have been the most common type of vulnerability. More seriously, buffer overflow vulnerabilities account for the vast majority of remote network attacks, and such attacks can easily give an anonymous Internet user partial or full control of a host!
To prevent such attacks, we should pay attention from the moment the system is installed. If the root partition holds data such as log files and email, a denial-of-service attack or a flood of spam can produce a large volume of logs or mail, fill the partition and cause the system to crash. It is recommended to create a separate partition for /var, used to store logs and e-mail, so that the root partition cannot be overflowed. It is best to also create separate partitions for specific applications, in particular programs that can produce large logs, and a separate partition for /home is recommended as well, so that users cannot fill the / partition. This avoids some malicious attacks that aim to overflow Linux partitions.
Remember to set a BIOS password, and configure the BIOS so that it does not boot from floppy disk. This prevents malicious people from starting your Linux system with a special boot disk, and keeps others from changing the BIOS settings, for example changing the floppy boot setting or starting the server directly without the password prompt appearing.
Passwords are the system's primary means of user authentication. The default minimum password length after installation is usually 5, which gives little protection against password-guessing attacks, so increase the minimum password length to at least 8. To do this, modify the PASS_MIN_LEN parameter (minimum password length) in the file /etc/login.defs. At the same time, limit how long a password may be used and have passwords changed regularly; the suggested parameter to change for this is PASS_MIN_DAYS (password use time).
If no one can ping your machine and receive a response, you can greatly enhance the security of your site. Add the following command line to /etc/rc.d/rc.local so that it runs automatically each time the system starts; this prevents your system from responding to any ping request, whether it comes from outside or inside.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
If you want users to be able to log in to your server remotely with Telnet, do not show the operating system and version information (to avoid targeted exploits). To do so, rewrite the telnet row in /etc/inetd.conf like this:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding the -h flag at the end makes telnet not display system information, but merely display the login prompt.
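The settings described above (separate /var and /home partitions, PASS_MIN_LEN of at least 8, ping replies disabled, and -h on the telnet row) can be checked with a small audit script. This is an added example, not part of the original article; the function names are hypothetical, and each function takes the file to inspect as an argument so it can be run against copies.

```shell
#!/bin/sh
# Added example: audit the hardening settings discussed above.
# Function names are hypothetical; each takes the file to inspect as an argument.

# Succeeds if PASS_MIN_LEN in a login.defs-style file is set and at least 8.
check_min_len() {
    val=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v }' "$1")
    [ -n "$val" ] && [ "$val" -ge 8 ] 2>/dev/null
}

# Succeeds if DIR ($2) is its own mount point in a /proc/mounts-style file ($1).
check_separate_mount() {
    awk -v d="$2" '$2 == d { found = 1 } END { exit !found }' "$1"
}

# Succeeds if the icmp_echo_ignore_all file contains 1.
check_ping_ignored() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Succeeds if every active telnet line in an inetd.conf-style file ends in -h.
# A missing file passes: there is no inetd-launched telnet to show a banner.
check_telnet_banner() {
    [ -f "$1" ] || return 0
    awk '$1 == "telnet" && $NF != "-h" { bad = 1 } END { exit bad + 0 }' "$1"
}

# audit LOGIN_DEFS MOUNTS ICMP_FILE INETD_CONF: prints findings, returns their count.
audit() {
    fails=0
    check_min_len "$1" || { echo "FAIL: PASS_MIN_LEN unset or below 8"; fails=$((fails + 1)); }
    for dir in /var /home; do
        check_separate_mount "$2" "$dir" ||
            { echo "FAIL: $dir is not a separate partition"; fails=$((fails + 1)); }
    done
    check_ping_ignored "$3" || { echo "FAIL: host answers ICMP echo"; fails=$((fails + 1)); }
    check_telnet_banner "$4" || { echo "FAIL: telnet line lacks -h"; fails=$((fails + 1)); }
    return "$fails"
}

# Run against the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit /etc/login.defs /proc/mounts \
        /proc/sys/net/ipv4/icmp_echo_ignore_all /etc/inetd.conf
fi
```

The exit status of audit is the number of failed checks, so 0 means every setting matches the recommendations above.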
About privileged accounts
Disable all default accounts that the operating system itself creates and that are unnecessary. Do this check when you first install the system. Linux provides a variety of accounts that you may not need; if you do not need an account, remove it. The more accounts you have, the more vulnerable you are to attack.
To delete a user on your system, use the following command: userdel username
To delete a group account on your system, use the following command: groupdel username