If unauthorized users can gain physical access to a Linux server (for example, a server in an IDC's shared machine room or in a shared office), the server is exposed to several security risks.
Entering the system through single-user mode
After Linux starts, at the boot: prompt, a special command such as linux single or linux 1 boots the system into single-user mode. This command is useful, for example when the superuser (root) password has been forgotten: reboot the system, enter linux single (or linux 1) at the boot: prompt, and once in the system as superuser, edit the passwd file and remove the x from the root line. Anyone with access to the console can do the same.
Countermeasures:
Log in as superuser (root), edit /etc/inittab, find the id:3:initdefault: setting, and add the line below so that the system prompts for the superuser password when it boots into single-user mode:
~~:S:wait:/sbin/sulogin
Then run /sbin/init q so that the setting takes effect.
Passing dangerous parameters to the kernel at system startup
The most commonly used boot loader on Linux is LILO, which manages the boot process (it can also boot other partitions and operating systems). However, an unauthorized user can start Linux at will or pass dangerous parameters to the kernel at system startup, which is quite dangerous.
Countermeasures:
Edit /etc/lilo.conf and add the restricted parameter. This parameter must be used together with the password parameter described next; it means that a password is required when parameters are passed to the Linux kernel at the boot: prompt. The password parameter can be used together with restricted or on its own, as explained below.
Used together with restricted: a password is required only when parameters are passed to the kernel at startup. In the normal (default) boot, no password is required; keep this in mind.
Used alone (without restricted): Linux always requires a password, whatever the boot mode, and cannot be booted without it. This is more secure, equivalent to adding an outer layer of defense. The disadvantage is that you cannot reboot the system remotely unless you add the restricted parameter.
Because the password is stored unencrypted, in clear text, /etc/lilo.conf must be readable only by the superuser. Set this with the following command:
chmod 600 /etc/lilo.conf
Then run /sbin/lilo -v to write the boot sector and make the change take effect.
To further protect /etc/lilo.conf, you can also set the immutable attribute on the file with the command:
chattr +i /etc/lilo.conf
If you later need to modify /etc/lilo.conf, remove the attribute with chattr -i /etc/lilo.conf.
Restarting with the Ctrl+Alt+Del key combination
This point is very important and very easy to overlook: if an unauthorized user has access to the server's keyboard, they can use the Ctrl+Alt+Del key combination to restart your server.
Countermeasures:
Edit /etc/inittab and comment out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now so that it reads ###ca::ctrlaltdel:/sbin/shutdown -t3 -r now.
Then run /sbin/init q to make the change take effect.
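As an added example (not part of the original article), the shell functions below check whether the three countermeasures above are in place. The function names and the line matching are assumptions; password and restricted are matched anywhere in lilo.conf, whether global or per-image, and the immutable attribute is not checked.

```shell
#!/bin/sh
# Added example: audit the console-hardening settings described above.
# Paths are arguments so copies of the files can be checked as well.

# audit_inittab FILE -> prints findings, returns 1 if any check fails
audit_inittab() {
    rc=0
    # Active (uncommented) entry that runs sulogin with the wait action for S
    if ! grep -Eq '^[^#:]*:[^:]*S[^:]*:wait:/sbin/sulogin' "$1"; then
        echo "FAIL inittab: single-user mode does not ask for the root password"
        rc=1
    fi
    # Any uncommented ctrlaltdel action lets the keyboard reboot the host
    if grep -Eq '^[^#:]*:[^:]*:ctrlaltdel:' "$1"; then
        echo "FAIL inittab: Ctrl+Alt+Del reboot is still enabled"
        rc=1
    fi
    return $rc
}

# audit_lilo FILE -> prints findings, returns 1 if any check fails
audit_lilo() {
    rc=0
    # password= is stored in clear text, so group and other must have no access
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "FAIL lilo.conf: accessible by group or other, run chmod 600"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"; then
        echo "FAIL lilo.conf: no password set, kernel parameters are unprotected"
        rc=1
    elif grep -Eq '^[[:space:]]*restricted([[:space:]]|$)' "$1"; then
        echo "INFO lilo.conf: password asked only when boot parameters are given"
    else
        echo "INFO lilo.conf: password asked on every boot (no unattended reboot)"
    fi
    return $rc
}

# Check the live files only when invoked as: sh thisfile audit
if [ "${1:-}" = "audit" ]; then
    audit_inittab /etc/inittab
    audit_lilo /etc/lilo.conf
fi
```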