Linux Security Setup Guide
Add Date : 2016-11-20

1, BIOS security

Set a BIOS password so that nobody can change the boot order in the BIOS and boot the machine from a floppy disk. This stops an attacker from using a special boot disk against your system, and it also stops other people from entering the BIOS setup and changing its settings (for example re-enabling booting from the floppy disk).

2, LILO security

Add the following three parameters to the "/etc/lilo.conf" file: time-out, restricted, password. Together they make LILO ask for a password when the system is started.

The first step:

Edit the lilo.conf file (vi /etc/lilo.conf) and add or change these three parameters:

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=00            # set this line to 00
default=linux
restricted             # add this line
password=              # add this line and put your own password after the "="
image=/boot/vmlinuz-2.2.14-12
    label=linux
    initrd=/boot/initrd-2.2.14-12.img
    root=/dev/hda6

Step two:

Because "/etc/lilo.conf" now contains the password in clear text, make it readable by root only:

[root@kapil /]# chmod 600 /etc/lilo.conf

Third step:

Run lilo so that the changes made to "/etc/lilo.conf" take effect:

[root@kapil /]# /sbin/lilo -v

Fourth step:

Use the "chattr" command to make the "/etc/lilo.conf" file immutable:

[root@kapil /]# chattr +i /etc/lilo.conf

This prevents any change to "/etc/lilo.conf".
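As an added example (not from the original guide), the following shell audit checks a lilo.conf for the three settings and the 600 file mode described above and reports what is missing; the sample files and the placeholder password are constructed here.

```shell
#!/bin/sh
# Added audit helper: report whether a lilo.conf carries the boot-password
# settings from the guide (time-out=00, restricted, non-empty password) and
# is readable by root only (mode 600). Returns 0 only if every check passes.
check_lilo_conf() {
    local file="$1" rc=0 cfg mode
    # Drop comments and all whitespace so "time-out = 00 # note" becomes "time-out=00"
    cfg=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file")
    printf '%s\n' "$cfg" | grep -qx 'time-out=00' \
        || { echo "FAIL $file: time-out is not 00"; rc=1; }
    printf '%s\n' "$cfg" | grep -qx 'restricted' \
        || { echo "FAIL $file: restricted is missing"; rc=1; }
    printf '%s\n' "$cfg" | grep -q '^password=.' \
        || { echo "FAIL $file: password is missing or empty"; rc=1; }
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ "$mode" = 600 ] \
        || { echo "FAIL $file: mode is $mode, expected 600"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $file"
    return "$rc"
}

# Constructed sample: a lilo.conf locked down as in the guide (placeholder
# password, not a real one) and a copy that lacks restricted/password.
tmp=$(mktemp -d)
cat > "$tmp/lilo.conf.locked" <<'EOF'
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=00
default=linux
restricted
password=PLACEHOLDER_PASSWORD
image=/boot/vmlinuz-2.2.14-12
    label=linux
    root=/dev/hda6
EOF
chmod 600 "$tmp/lilo.conf.locked"
grep -v -e '^restricted' -e '^password' "$tmp/lilo.conf.locked" > "$tmp/lilo.conf.open"

check_lilo_conf "$tmp/lilo.conf.locked"   # OK
check_lilo_conf "$tmp/lilo.conf.open"     # FAIL lines, exit status 1
```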

3, Delete all special accounts

Remove all unused default user and group accounts (such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc.).

Delete a user:

[root@kapil /]# userdel lp

Delete a group:

[root@kapil /]# groupdel lp

4, Minimum password length

Before choosing passwords, make the following change:

Change the password length: when Linux is installed, the default minimum password length is 5 characters, which is not enough; set it to 8. To change the minimum password length, edit the login.defs file (vi /etc/login.defs) and change the following line:

The login.defs file is the configuration file of the login program.

5, Enable shadow password support

You should enable the shadow password function so that passwords are stored encrypted. Use the "/usr/sbin/authconfig" tool to turn shadow passwords on. If you want to convert existing password and group files to shadow format, use the "pwconv" and "grpconv" commands respectively.

6, Set the root account

On a Unix system the root account has the highest privilege. If the system administrator forgets to log out of the root account, the system should log it out automatically. You can achieve this with the "TMOUT" parameter, which is counted in seconds. Edit the profile file (vi /etc/profile) and insert the following line after the "HISTFILESIZE=" line:

TMOUT=3600

3600 means 60 * 60 = 3600 seconds, i.e. 1 hour. If a logged-in user performs no action for an hour, the system logs the account out automatically. You can also add the value to an individual user's ".bashrc" file so that the system uses a different automatic logout time for that user.

After changing this setting, the user must log out and log in again for it to take effect.

7, Remove console access for ordinary users

You should remove console access to programs such as shutdown, reboot and halt for ordinary users:

[root@kapil /]# rm -f /etc/security/console.apps/<program>

where <program> is the name of the program whose console access you want to remove.

8, Cancel and uninstall all unused services

Cancel and uninstall all unused services, and you will have a lot less to worry about. Look through the "/etc/inetd.conf" file and cancel every service you do not need by commenting it out (put a "#" in front of the service entry). Then send inetd a SIGHUP so that it re-reads "inetd.conf".

The first step:

Change the permissions of "/etc/inetd.conf" to 600, so that only root can read and write the file:

[root@kapil /]# chmod 600 /etc/inetd.conf

Step two:

Make sure the owner of "/etc/inetd.conf" is root.

Third step:

Edit the /etc/inetd.conf file (vi /etc/inetd.conf) and cancel the services you do not need, such as: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, and so on. Closing unneeded services greatly reduces the risk to the system.

Fourth step:

Send the inetd process a HUP signal:

[root@kapil /]# killall -HUP inetd

Fifth step:

Use the chattr command to make /etc/inetd.conf immutable, so that nobody can modify it:

[root@kapil /]# chattr +i /etc/inetd.conf

This prevents any change to inetd.conf, accidental or otherwise. Only root can remove this attribute. If you want to modify the inetd.conf file, first remove the immutable attribute:

[root@kapil /]# chattr -i /etc/inetd.conf

Do not forget to set the immutable attribute again after the change.


9, TCP_WRAPPERS

Use TCP_WRAPPERS to make your system safer against intrusion from outside. The best policy is to deny all hosts (add "ALL: ALL@ALL, PARANOID" to the "/etc/hosts.deny" file) and then list the hosts that are allowed access in the "/etc/hosts.allow" file.

The first step:

Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:

# Deny access to everyone.
ALL: ALL@ALL, PARANOID

This means that unless the packet comes from an address in the list of allowed hosts, all services are blocked for all addresses.

Step two:

Edit the hosts.allow file (vi /etc/hosts.allow) and add the list of hosts allowed access, for example:

ftp: foo.com

Here foo.com is the host name (an IP address can be given the same way) that is allowed to access the ftp service.

Third step:

tcpdchk is the tcp wrapper configuration checker. It checks your tcp wrapper settings and reports potential and real problems. After setting up the files, run the following command:

[root@kapil /]# tcpdchk
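As an added example (not from the original guide), this shell emulation of the tcpd decision order shows why the deny-all line in hosts.deny matters: with an empty hosts.deny the default is to allow. The sample hosts.allow and hosts.deny are constructed; the daemon names such as in.ftpd and the simplified PARANOID handling are assumptions noted in the comments.

```shell
#!/bin/sh
# Added helper: emulate tcpd's access decision. A matching hosts.allow line
# grants access; otherwise a matching hosts.deny line refuses; otherwise access
# is granted (the default that the guide's deny-all line closes). PARANOID
# never matches here: a real check needs a forward/reverse DNS comparison.

# pattern_matches PATTERN VALUE -> 0 if PATTERN covers VALUE
# Handles ALL, user@host (user part ignored), ".dom" suffix, "1.2.3." prefix.
pattern_matches() {
    p=${1#*@}
    case "$p" in
        ALL)      return 0 ;;
        PARANOID) return 1 ;;
        .*)       case "$2" in *"$p") return 0 ;; esac ;;
        *.)       case "$2" in "$p"*) return 0 ;; esac ;;
        *)        [ "$p" = "$2" ] && return 0 ;;
    esac
    return 1
}
# list_matches "a, b c" VALUE -> 0 if any comma/space separated item matches
list_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$item" "$2" && return 0
    done
    return 1
}
# file_matches FILE DAEMON CLIENT -> 0 if a "daemons : clients" line matches
file_matches() {
    [ -f "$1" ] || return 1
    sed -e 's/#.*//' "$1" | {
        while IFS=: read -r daemons clients rest; do
            list_matches "$daemons" "$2" && list_matches "$clients" "$3" && exit 0
        done
        exit 1
    }
}
# wrapper_decision ALLOWFILE DENYFILE DAEMON CLIENT -> prints ALLOW or DENY
wrapper_decision() {
    if   file_matches "$1" "$3" "$4"; then echo ALLOW
    elif file_matches "$2" "$3" "$4"; then echo DENY
    else echo ALLOW; fi
}
# Constructed sample files; daemon names are the server programs tcpd runs.
tmp=$(mktemp -d)
printf 'ALL: ALL@ALL, PARANOID\n' > "$tmp/hosts.deny"
printf 'in.ftpd: foo.com .example.net 192.168.1.\nsshd: 10.0.0.5\n' > "$tmp/hosts.allow"
: > "$tmp/empty"
wrapper_decision "$tmp/hosts.allow" "$tmp/hosts.deny" in.ftpd foo.com        # ALLOW
wrapper_decision "$tmp/hosts.allow" "$tmp/hosts.deny" in.telnetd foo.com     # DENY
wrapper_decision "$tmp/hosts.allow" "$tmp/empty" in.telnetd 203.0.113.9      # ALLOW
```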

10, Prevent system information exposure

Stop the system from displaying a welcome message when someone logs in remotely. You can achieve this by modifying the "/etc/inetd.conf" file.

In the /etc/inetd.conf file, the line:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

should be changed to:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding "-h" at the end makes telnet show only a "login:" prompt when someone connects, without the system welcome message.

11, Modify the "/etc/host.conf" file

"/etc/host.conf" specifies how addresses are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add the following lines:

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts

# We have machines with multiple IP addresses.
multi on

# Check for IP address spoofing.
nospoof on

The first setting resolves addresses via DNS first and then via the hosts file. The second setting allows a host in the "/etc/hosts" file to have multiple IP addresses (for example, a machine with several Ethernet NICs). The third setting tells the resolver to watch for spoofing attempts against this machine.

12, Make the "/etc/services" file immutable

Make the "/etc/services" file immutable to prevent unauthorized deletion or addition of services:

[root@kapil /]# chattr +i /etc/services

13, Do not allow root to log in from every console

The "/etc/securetty" file lets you define the TTY devices from which the root user may log in. Edit the "/etc/securetty" file and put a "#" in front of every TTY device you do not need, to prohibit root from logging in from that device.

14, Prohibit changing to the root user with the su command

The su (Substitute User) command lets you become another user that exists on the system. If you do not want anyone to su to root, or want to restrict the su command to certain users, add the following two lines at the beginning of the su configuration file (in the "/etc/pam.d/" directory).

Edit the su file (vi /etc/pam.d/su) and add the following two lines at the beginning:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

This means that only members of the "wheel" group can use the su command to become root. Add a user to the "wheel" group to let that user su to root.

15, Shell logging

The bash shell stores up to 500 previously used commands in the "~/.bash_history" file ("~/" means the user's home directory), so that long commands are easier to re-enter. Every user with an account on the system has a ".bash_history" file in their home directory. The bash shell should keep only a small number of commands, and the history should be deleted each time the user logs out.

The first step:

The "HISTFILESIZE" and "HISTSIZE" lines in "/etc/profile" determine how many old commands the ".bash_history" file of every user may keep. It is strongly recommended to set the "HISTFILESIZE" and "HISTSIZE" values in "/etc/profile" to a small number, such as 30. Edit the profile file (vi /etc/profile) so that the lines read:

HISTFILESIZE=30
HISTSIZE=30

This means that each user's ".bash_history" file can keep only 30 old commands.

Step two:

The system administrator should also add the line "rm -f $HOME/.bash_history" to the "/etc/skel/.bash_logout" file. Then, every time a user logs out, the ".bash_history" file is deleted.

Edit the .bash_logout file (vi /etc/skel/.bash_logout) and add the following line:

rm -f $HOME/.bash_history

16, Disable the Control-Alt-Delete keyboard shutdown command

Comment out this line (using #) in the "/etc/inittab" file:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

so that it reads:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To make the change take effect, enter the following command:

[root@kapil /]# /sbin/init q

17, Set permissions on the script files under "/etc/rc.d/init.d"

Set the permissions on the script files that are run at startup or shutdown:

[root@kapil /]# chmod -R 700 /etc/rc.d/init.d/*

This means that only root may read, write and execute the script files in that directory.

18, Hide system information

By default, when you log in to a Linux system it shows you the name of the Linux distribution, its version and the kernel version of the server. That information is enough to help an attacker break into the system. You should show only a "login:" prompt.

The first step:

Edit the "/etc/rc.d/rc.local" file and put a "#" in front of the lines shown below, so that the output of these commands is commented out:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Step two:

Delete the "issue.net" and "issue" files from the "/etc" directory:

[root@kapil /]# rm -f /etc/issue
[root@kapil /]# rm -f /etc/issue.net

19, Disable unneeded SUID/SGID programs

If a program is set SUID root, an ordinary user can run it with root privileges. The system administrator should use as few SUID/SGID programs as possible and disable every SUID/SGID program that is not necessary.

Find root-owned programs with the 's' bit set:

[root@kapil /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

Use the following command to remove the 's' bit from a selected program:

[root@kapil /]# chmod a-s [program]

After the basic settings above have been made, the system administrator will have a relatively secure system. Administrators must bear in mind, however, that security is never achieved at a single moment; it is a continuous process of ongoing improvement.
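As an added example (not from the original guide), the following shell script turns the find command above into a baseline check that reports files which gained the SUID or SGID bit since the baseline was taken; the sample directory tree is constructed and stands in for "/".

```shell
#!/bin/sh
# Added helper: take a baseline of the setuid/setgid files under a directory
# (the guide's find(1) expression, rooted where you choose) and report files
# that gained the s bit since the baseline was written. Sample tree constructed.

# list_suid_sgid DIR -> sorted paths of regular files with SUID or SGID set
list_suid_sgid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | sort
}

# new_since_baseline BASELINE DIR -> paths with the s bit that the baseline lacks
new_since_baseline() {
    list_suid_sgid "$2" | comm -13 "$1" -
}

# count_new BASELINE DIR -> number of such paths (handy for a cron alert)
count_new() {
    new_since_baseline "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for "/": three expected s-bit binaries.
tmp=$(mktemp -d)
mkdir -p "$tmp/usr/bin" "$tmp/tmp"
for f in usr/bin/passwd usr/bin/su usr/bin/wall; do : > "$tmp/$f"; done
chmod 4755 "$tmp/usr/bin/passwd" "$tmp/usr/bin/su"   # SUID
chmod 2755 "$tmp/usr/bin/wall"                       # SGID
list_suid_sgid "$tmp" > "$tmp/suid.baseline"         # record the known set

# Later, an unexpected setuid file appears under tmp/.
: > "$tmp/tmp/.cache"
chmod 4755 "$tmp/tmp/.cache"
new_since_baseline "$tmp/suid.baseline" "$tmp"       # prints .../tmp/.cache
echo "new s-bit files: $(count_new "$tmp/suid.baseline" "$tmp")"   # 1

# The guide's remediation for a file that should not carry the bit:
chmod a-s "$tmp/tmp/.cache"
echo "after chmod a-s: $(count_new "$tmp/suid.baseline" "$tmp")"   # 0
```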
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.