1, BIOS Security
Set a BIOS password so that the boot order cannot be changed in the BIOS; otherwise the machine could be booted from a floppy disk. This stops someone from using a special boot disk against your system, and it also keeps others out of the BIOS settings they could otherwise change (for example, enabling booting from the floppy drive).
2, LILO Security
Add the following three parameters to the "/etc/lilo.conf" file: timeout, restricted and password. Together they make LILO require a password at boot. Note that with "restricted" the password is only asked for when someone enters parameters at the LILO boot prompt; booting the default entry without options still needs no password.
Step one:
Edit the lilo.conf file (vi /etc/lilo.conf) and add or change these three parameters:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
timeout=00          # change this line to 00
prompt
default=linux
restricted          # add this line
password=           # add this line and put your own password after the "="
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only
Step two:
Because "/etc/lilo.conf" now contains the password in clear text, make it readable only by root:
[root@kapil /]# chmod 600 /etc/lilo.conf
Step three:
Run lilo so that the changes made to "/etc/lilo.conf" take effect:
[root@kapil /]# /sbin/lilo -v
Step four:
Use the "chattr" command to make the "/etc/lilo.conf" file immutable:
[root@kapil /]# chattr +i /etc/lilo.conf
This prevents "/etc/lilo.conf" from being changed.
3, Delete all special accounts
Remove all unused default user and group accounts (such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.).
Delete a user:
[root@kapil /]# userdel lp
Delete a group:
[root@kapil /]# groupdel lp
4, Minimum password length
Before users choose their passwords, make the following change:
Change the password length: when Linux is installed, the default minimum password length is 5. That is not enough; set it to 8. The minimum length is configured in the login.defs file, so edit it (vi /etc/login.defs) and change the line
PASS_MIN_LEN 5
to
PASS_MIN_LEN 8
login.defs is the configuration file of the login program.
5, Enable shadow password support
Enable the shadow password function, which moves the password hashes out of the world-readable "/etc/passwd" into "/etc/shadow", a file only root can read. The "/usr/sbin/authconfig" tool enables the shadow function. To convert an existing password file and group file to shadow format, use the "pwconv" and "grpconv" commands respectively.
6, Root account settings
On a Unix system the root account has the highest privileges. If the system administrator forgets to log out of a root session, the system should log it out automatically. This is done with the "TMOUT" shell variable, which is measured in seconds. Edit the profile file (vi /etc/profile) and insert the following line after the "HISTFILESIZE=" line:
TMOUT=3600
3600 means 60 * 60 = 3600 seconds, that is, one hour. If a logged-in user does nothing for an hour, the system logs the account out automatically. You can also put a different value in an individual user's ".bashrc" file so that this user gets a different automatic logout time.
After changing this setting, the user must log out and log in again before the feature is active.
7, Remove console access for ordinary users
Ordinary users logged in at the console should not be able to run commands such as shutdown, reboot and halt. Remove the corresponding entry from the console.apps directory:
[root@kapil /]# rm -f /etc/security/console.apps/<program>
where <program> is the name of the program (for example shutdown) whose console access you want to remove.
8, Disable and uninstall all unused services
Disable and uninstall every service you do not use; the fewer services run, the less you have to worry about. Look through the "/etc/inetd.conf" file and disable every service you do not need by commenting it out (put a "#" in front of the service's line). Then send inetd a SIGHUP so that it re-reads "inetd.conf".
Step one:
Change the permissions of "/etc/inetd.conf" to 600 so that only root can read and write the file:
[root@kapil /]# chmod 600 /etc/inetd.conf
Step two:
Make sure the owner of "/etc/inetd.conf" is root.
Step three:
Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and disable the services you do not need, for example: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. Shutting down unneeded services greatly reduces the risk to the system.
Step four:
Send the inetd process a HUP signal:
[root@kapil /]# killall -HUP inetd
Step five:
Use the chattr command to make /etc/inetd.conf immutable, so that nobody can modify it:
[root@kapil /]# chattr +i /etc/inetd.conf
This prevents any change to inetd.conf, whether by an intruder or by accident. Only root can remove this attribute. If you need to modify the inetd.conf file, first remove the immutable attribute:
[root@kapil /]# chattr -i /etc/inetd.conf
Do not forget to make the file immutable again after the change.
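Steps one and three above as a small script, added here and not part of the original guide: it comments out the guide's list of unneeded services in an inetd.conf-style file and sets the file's permissions to 600. The function names and the sample inetd.conf content are constructed for the demonstration; the service list is the one the guide gives.

```shell
#!/bin/sh
# Added example, not from the original guide: disable the unneeded inetd
# services from step three of section 8 and apply the step-one permissions.
# The file path is an argument, so you can run it on a copy of
# /etc/inetd.conf and review the result before installing it.

# Services the guide says most systems do not need.
UNNEEDED_SERVICES="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# disable_inetd_services FILE SERVICE...
# Put "#" in front of every active line whose first field is one of SERVICE.
# Lines that are already commented out, and other services, are untouched.
disable_inetd_services() {
    file=$1; shift
    for svc in "$@"; do
        # Anchor on the service name followed by whitespace so that "pop-3"
        # does not also hit a hypothetical "pop-3s" and "login" not "logind".
        sed "s/^\($svc[[:space:]]\)/#\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
    chmod 600 "$file"   # step one: only root may read or write the file
}

# active_services FILE: print the names of the services still enabled.
active_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# write_sample_inetd FILE: a constructed inetd.conf fragment for testing;
# it is not a real system file.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not a real system file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    stream  tcp     nowait  root    internal
EOF
}

# Demo on the constructed sample; on a real system "killall -HUP inetd"
# (step four) would then make inetd re-read the file.
tmp=$(mktemp -d)
write_sample_inetd "$tmp/inetd.conf"
disable_inetd_services "$tmp/inetd.conf" $UNNEEDED_SERVICES
echo "still active: $(active_services "$tmp/inetd.conf")"
rm -rf "$tmp"
```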
9, TCP_WRAPPERS
Using TCP_WRAPPERS makes your system safer against attacks from outside. The best policy is to deny all hosts (put "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file) and then list the hosts that are allowed access in the "/etc/hosts.allow" file.
Step one:
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This means that unless a packet comes from an address in the list of allowed hosts, all services are blocked for all addresses.
Step two:
Edit the hosts.allow file (vi /etc/hosts.allow) and add the hosts that are allowed access, for example:
in.ftpd: 202.54.15.99 foo.com
Here 202.54.15.99 and foo.com are the IP address and host name allowed to use the ftp service. Note that the first field is the daemon's process name as it appears in inetd.conf (in.ftpd), not the service name.
Step three:
tcpdchk is the checker for the tcpd wrapper setup. It examines your tcp wrapper configuration, looks for potential and actual problems, and reports what it finds. After configuring, run:
[root@kapil /]# tcpdchk
10, Disable disclosure of system information
Stop the system from displaying a welcome message when someone logs in remotely. You can do this by editing the "/etc/inetd.conf" file.
Change the following line in /etc/inetd.conf:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
into:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding "-h" at the end means that a remote user sees only a "login:" prompt; the system no longer displays the welcome message.
11, Modify the "/etc/host.conf" file
"/etc/host.conf" tells the resolver how to look up addresses. Edit "/etc/host.conf" (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves names via DNS first and then falls back to the hosts file. The second allows a host in the "/etc/hosts" file to have multiple IP addresses (for example, a machine with several Ethernet cards). The third tells the resolver to guard against spoofing: after a reverse lookup of an address it checks that the resulting name resolves back to that address.
12, Make the "/etc/services" file immutable
Make "/etc/services" immutable to prevent services being deleted from or added to it without authorization:
[root@kapil /]# chattr +i /etc/services
13, Do not allow root to log in from arbitrary consoles
The "/etc/securetty" file defines the TTY devices from which the root user may log in. Edit "/etc/securetty" and put a "#" in front of every TTY device that root does not need to log in from; this prohibits root logins from that device.
14, Restrict who may use su to become root
The su (substitute user) command lets you become another user that already exists on the system. If you do not want just anyone to use su to become root, or you want to limit su to certain users, add the following two lines at the beginning of the PAM configuration file for su (in the "/etc/pam.d/" directory):
Edit the su file (vi /etc/pam.d/su) and add these two lines at the beginning:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
This means that only members of the "wheel" group can use su to become root. Add a user to the "wheel" group to allow that user to su to root.
15, Shell logging
The bash shell stores the last 500 commands used in the "~/.bash_history" file ("~/" is the user's home directory), which makes re-entering long commands easier. Every user with an account on the system has a ".bash_history" file in their home directory. bash should keep only a small number of commands, and the history should be deleted each time the user logs out.
Step one:
The "HISTFILESIZE" and "HISTSIZE" lines in the "/etc/profile" file determine how many old commands every user's ".bash_history" file may keep. It is strongly recommended to set the "HISTFILESIZE" and "HISTSIZE" values in "/etc/profile" to a small number such as 30. Edit the profile file (vi /etc/profile) so that the lines read:
HISTFILESIZE=30
HISTSIZE=30
This means that each user's ".bash_history" file can keep only 30 old commands.
Step two:
The administrator should also add the line "rm -f $HOME/.bash_history" to the "/etc/skel/.bash_logout" file, so that the ".bash_history" file is deleted every time the user logs out. Note that "/etc/skel" is only copied when a new account is created; for existing users, add the same line to their own "~/.bash_logout".
Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:
rm -f $HOME/.bash_history
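Sections 6 and 15 both edit values in /etc/profile. The following script is an added example, not from the original guide, that sets TMOUT, HISTFILESIZE and HISTSIZE in a profile-style file without creating duplicate lines; the function names and the sample profile content are constructed for the demonstration, and the read-only TMOUT line goes beyond what the guide describes.

```shell
#!/bin/sh
# Added example, not from the original guide: set TMOUT (section 6) and
# HISTFILESIZE/HISTSIZE (section 15) in a profile-style file without
# duplicating lines. Run it on a copy of /etc/profile first.

# set_profile_var FILE NAME VALUE: replace an existing "NAME=..." line
# (indented or "export"-prefixed too) or append one. VALUE must be an
# integer; anything else is rejected so a typo cannot break the profile.
set_profile_var() {
    file=$1 name=$2 value=$3
    case $value in
        ''|*[!0-9]*) echo "$name needs an integer, got '$value'" >&2; return 1 ;;
    esac
    if grep -qE "^[[:space:]]*(export[[:space:]]+)?$name=" "$file"; then
        sed -E "s/^([[:space:]]*(export[[:space:]]+)?)$name=.*/\1$name=$value/" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "$name=$value" >> "$file"
    fi
}

# get_profile_var FILE NAME: current value of NAME (last assignment wins).
get_profile_var() {
    sed -nE "s/^[[:space:]]*(export[[:space:]]+)?$2=//p" "$1" | tail -n 1
}

# harden_profile FILE: the guide's values, one hour timeout and 30
# history lines; safe to run repeatedly.
harden_profile() {
    set_profile_var "$1" TMOUT 3600 || return 1
    set_profile_var "$1" HISTFILESIZE 30 || return 1
    set_profile_var "$1" HISTSIZE 30 || return 1
    # Beyond the guide: make TMOUT read-only so a user cannot "unset TMOUT".
    grep -q '^readonly TMOUT' "$1" || printf 'export TMOUT\nreadonly TMOUT\n' >> "$1"
}

# write_sample_profile FILE: constructed /etc/profile fragment for testing.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed sample profile (not a real system file)
PATH=$PATH:/usr/local/bin
HISTFILESIZE=1000
HISTSIZE=1000
export PATH
EOF
}
# Demo: harden the constructed sample and print it.
tmp=$(mktemp); write_sample_profile "$tmp"; harden_profile "$tmp"
cat "$tmp"; rm -f "$tmp"
```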
16, Disable the Control-Alt-Delete shutdown key combination
Comment out (with "#") the following line in the "/etc/inittab" file:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
For the change to take effect, enter the following command:
[root@kapil /]# /sbin/init q
17, Set permissions on the script files under "/etc/rc.d/init.d"
Set permissions on the script files that are executed at startup or shutdown:
[root@kapil /]# chmod -R 700 /etc/rc.d/init.d/*
This means that only root may read, write and execute the script files in that directory.
18, Hide system information
By default, when you log in to a Linux system it tells you the name of the Linux distribution, its version and the kernel version of the server. That information is enough for an attacker to start working on your system. It should display only a "login:" prompt.
Step one:
Edit the "/etc/rc.d/rc.local" file and put a "#" in front of the lines shown below, so that the output of these commands is commented out:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Step two:
Delete the "issue.net" and "issue" files from the "/etc" directory:
[root@kapil /]# rm -f /etc/issue
[root@kapil /]# rm -f /etc/issue.net
19, Disable unnecessary SUID/SGID programs
If a program is set SUID root, an ordinary user can run it with root privileges. The administrator should keep the number of SUID/SGID programs as small as possible and disable every SUID/SGID program that is not needed.
Find the programs with the 's' bit set, then check which of them are owned by root:
[root@kapil /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
Use the following command to remove the 's' bit from a selected program:
[root@kapil /]# chmod a-s [program]
After making the basic settings above, the system administrator will have a reasonably secure system. Administrators must remember, however, that security is never a one-off; it is always a continuous process of improvement.
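The audit and the chmod a-s step from section 19, as an added example that is not part of the original guide: it runs the guide's find test over a constructed sample tree in a temporary directory, so the file names and the tree are assumptions made for the demonstration, not real system paths.

```shell
#!/bin/sh
# Added example, not from the original guide: audit SUID/SGID files under a
# directory with the same find test as section 19, and strip the bits from a
# chosen file with "chmod a-s". The demo builds a constructed tree in a temp
# directory, so it can be tried without root and without touching /.

# list_setid_files DIR: every regular file under DIR with the setuid (04000)
# or setgid (02000) bit, one path per line, sorted for stable comparison.
list_setid_files() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | sort
}

# count_setid_files DIR: how many such files exist.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# strip_setid FILE: remove setuid and setgid, then print the resulting mode
# string (e.g. "-rwxr-xr-x") so the change can be verified.
strip_setid() {
    chmod a-s "$1" || return 1
    ls -l "$1" | cut -c1-10
}

# build_sample_tree DIR: constructed sample files, not a real system layout.
build_sample_tree() {
    mkdir -p "$1/bin" "$1/sbin"
    : > "$1/bin/passwd-like"; chmod 4755 "$1/bin/passwd-like"   # setuid
    : > "$1/sbin/wall-like";  chmod 2755 "$1/sbin/wall-like"    # setgid
    : > "$1/bin/ordinary";    chmod 0755 "$1/bin/ordinary"      # neither
}

# Demo: list the set-id files in the sample tree the way the guide's
# "ls -lg" does, then disable one of them.
tmp=$(mktemp -d)
build_sample_tree "$tmp"
list_setid_files "$tmp" | while read -r f; do ls -lg "$f"; done
echo "after chmod a-s: $(strip_setid "$tmp/bin/passwd-like")"
rm -rf "$tmp"
```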