1. BIOS security
Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.
2. User password
The user password is the basic starting point for Linux security. Many people choose passwords that are too simple, which amounts to opening the door for an intruder. In theory, given sufficient time and resources, there is no user password that cannot be cracked, but a properly chosen password is difficult to crack. A good user password is a string of characters that only the user can easily remember and understand, and it is never written down anywhere.
3. Default accounts
Disable all default accounts that the operating system itself creates and that are not needed. Do this when you first install the system. Linux provides a number of default accounts, and the more accounts there are, the more vulnerable the system is to attack.
You can use the following command to delete an account.
# userdel username
Or use the following command to delete a group account.
# groupdel username
4. The password file
Use the chattr command to add the immutable attribute to the following files so that they cannot be changed, which prevents unauthorized users from gaining privileges.
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
5. Disable restarting the machine with Ctrl+Alt+Delete
Edit the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:
# chmod -R 700 /etc/rc.d/init.d/*
This way only root can read, write, or execute the script files above.
6. Restrict the su command
If you do not want just anyone to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
Now only users in the isd group can su to root. If you then want the user admin to be able to su to root, run the following command:
# usermod -G10 admin
7. Remove login information
By default, the login prompt includes the Linux release name, kernel version, server host name, and so on.
For a machine with higher security requirements, this leaks too much information.
You can edit /etc/rc.d/rc.local and comment out the following lines, which output the system information.
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Then run the following commands:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
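To verify that the changes from sections 5, 6 and 7 are actually in place, the following audit script is an added example and not part of the original checklist. The function names and return codes are assumptions made for this example; the file paths and the isd group are the ones used above.

```shell
#!/bin/sh
# Added audit example, not from the original page. Every check takes the file
# to inspect as an argument, so it can be pointed at copies or test fixtures.
# Return codes: 0 = hardened as described, 1 = not hardened, 2 = file missing.

# Section 5: no active (uncommented) ctrlaltdel entry may remain in inittab.
ctrlaltdel_disabled() {
    [ -r "$1" ] || return 2
    ! grep -Eq '^[[:space:]]*[^#[:space:]][^:]*:[^:]*:ctrlaltdel:' "$1"
}

# Section 6: an active "auth required ... pam_wheel.so group=<name>" line exists.
# $2 is the group name (assumed to contain no regex metacharacters).
su_restricted() {
    [ -r "$1" ] || return 2
    grep -Eq "^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_wheel\.so[[:space:]](.*[[:space:]])?group=$2([[:space:]]|\$)" "$1"
}

# Section 7: the banner holds no "Kernel" text, getty escapes (\r \m \s \v \n)
# or x.y.z version strings. An empty file, as the procedure leaves it, passes.
banner_clean() {
    [ -e "$1" ] || return 2
    ! grep -Eq 'Kernel|\\[rmsvn]|[0-9]+\.[0-9]+\.[0-9]+' "$1"
}

# Print one result line per check for the paths used on the page.
audit_host() {
    for check in "ctrlaltdel_disabled /etc/inittab" \
                 "su_restricted /etc/pam.d/su ${1:-isd}" \
                 "banner_clean /etc/issue" "banner_clean /etc/issue.net"; do
        rc=0
        $check || rc=$?
        case $rc in
            0) echo "PASS    $check" ;;
            1) echo "FAIL    $check" ;;
            *) echo "MISSING $check" ;;
        esac
    done
}

# Only audit the live system when asked to: sh audit.sh --run [group]
if [ "${1:-}" = "--run" ]; then audit_host "${2:-isd}"; fi
```

A MISSING result for /etc/inittab is expected on systems that do not use SysV init, where this file is not consulted.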