Linux server security related knowledge

1. System security log files

The log files kept by the operating system are an important clue for detecting network intrusions. If your system is directly connected to the Internet and you find many people attempting Telnet/FTP logins to it, run "grep refused /var/log/secure" (equivalent to "more /var/log/secure | grep refused") to review the connections that have been refused, then take countermeasures such as replacing Telnet/rlogin with SSH. The "refused connect from" entries are written by tcpd, the TCP wrappers daemon described under inetd below, so they only cover wrapped services; SSH records its own failed logins in the same file as "Failed password" lines.
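As an added example (not part of the original article), the script below applies the same check to constructed /var/log/secure lines: it counts tcpd's "refused connect from" entries per source address and service, so you can see which hosts are hammering which daemons before deciding what to block. The host "gw", the addresses and the timestamps are made up.

```shell
#!/bin/sh
# Constructed sample of tcp_wrappers (tcpd) entries in /var/log/secure.
# Hypothetical host "gw" and example addresses; not real log data.
SAMPLE_SECURE='Mar  3 02:11:07 gw in.telnetd[4121]: refused connect from 203.0.113.7
Mar  3 02:11:09 gw in.ftpd[4123]: refused connect from 203.0.113.7
Mar  3 02:12:40 gw in.telnetd[4130]: refused connect from 198.51.100.22
Mar  3 02:13:01 gw sshd[4140]: Accepted publickey for admin from 192.168.1.10 port 51022 ssh2
Mar  3 02:14:55 gw in.telnetd[4151]: refused connect from 203.0.113.7'

# refused_by_source LOGTEXT
# Prints "COUNT SOURCE SERVICE" for every refused (source, service) pair,
# busiest pair first.  Field 5 is "in.telnetd[4121]:" in syslog format,
# so the "[pid]:" suffix is stripped to get the service name.
refused_by_source() {
    printf '%s\n' "$1" | awk '/refused connect from/ {
        svc = $5
        sub(/\[.*/, "", svc)
        n[$NF " " svc]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# refused_count_for LOGTEXT ADDRESS
# Total refused connections from one address, across all services.
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
refused_count_for() {
    printf '%s\n' "$1" | grep -c "refused connect from $2\$" || true
}

# Example run against the constructed sample
refused_by_source "$SAMPLE_SECURE"
echo "total from 203.0.113.7: $(refused_count_for "$SAMPLE_SECURE" 203.0.113.7)"
```

On a real host replace the sample with the output of "cat /var/log/secure"; the two functions take the log text as their first argument so they can be pointed at rotated logs as well.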

2. Startup and login security

1. BIOS Security

Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk (or any other removable medium); otherwise anyone with physical access can boot their own system and read the disks.

2. User passwords

User passwords are the basic starting point of Linux security. The passwords many people choose are far too simple, which amounts to opening the door for intruders. In theory, given enough time and computing resources, no password is uncrackable, but a well-chosen password is hard to crack in practice. A good password is a string that only its owner can easily remember and understand, and it is never written down anywhere.

3. Default accounts

All default accounts that the operating system activates but that you do not need should be disabled. Do this right after installing the system: Linux ships many default accounts, and every extra account is one more way in for an attacker.

You can delete an account with the following command:

# userdel username

Or delete a group with the following command (the argument is a group name, not a user name):

# groupdel groupname

If an account has to stay because a service expects it, lock it instead of deleting it, for example with "passwd -l username", and give it a non-login shell such as /sbin/nologin.
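The following added example (my own, not from the article) audits which accounts on a box can still log in, using constructed excerpts of /etc/passwd and /etc/shadow. An account counts as loginable when it has a real shell and an unlocked shadow entry (one whose password field does not start with "!" or "*"); system accounts below an assumed UID boundary that pass this test are the default accounts to delete or lock. The UID boundary is a parameter (500 on the Red Hat-era systems this article targets, 1000 on most current distributions); the users and hashes are placeholders.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow excerpts (hypothetical users and
# placeholder hashes; "games" is a system account left with a usable shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
admin:x:500:500::/home/admin:/bin/bash'

SAMPLE_SHADOW='root:$6$salt$hash1:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
games:$6$salt$hash2:18000:0:99999:7:::
ftp:!!:18000:0:99999:7:::
admin:$6$salt$hash3:18000:0:99999:7:::'

# shadow_hash SHADOWTEXT USER -> the password field of that user's shadow line
shadow_hash() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2; exit }'
}

# loginable_accounts PASSWDTEXT SHADOWTEXT
# Lists accounts that have both a login shell and an unlocked password hash.
loginable_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            */nologin|*/false) continue ;;    # no interactive login possible
        esac
        hash=$(shadow_hash "$2" "$user")
        case "$hash" in
            ''|'!'*|'*'*) continue ;;         # missing or locked entry
        esac
        echo "$user"
    done
}

# suspicious_system_accounts PASSWDTEXT SHADOWTEXT MAX_SYSTEM_UID
# Loginable accounts with 0 < UID < MAX_SYSTEM_UID: default/service accounts
# that should be locked ("passwd -l") or removed ("userdel").
suspicious_system_accounts() {
    loginable_accounts "$1" "$2" | while read -r user; do
        uid=$(printf '%s\n' "$1" | awk -F: -v u="$user" '$1 == u { print $3; exit }')
        if [ "$uid" -gt 0 ] && [ "$uid" -lt "$3" ]; then
            echo "$user"
        fi
    done
}

echo "accounts that can log in:"
loginable_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
echo "system accounts to lock or delete:"
suspicious_system_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 500
```

On a live system feed it "$(cat /etc/passwd)" and "$(cat /etc/shadow)" as root; in the constructed data "games" is the one that shows up, while "ftp" is already locked and the nologin accounts are ignored.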

4. Password files

Use chattr to set the immutable attribute on the following files so that they cannot be modified, renamed or deleted, even by root, until the attribute is removed again with "chattr -i". This protects against mistakes and against tampering by unprivileged users or misbehaving scripts, not against an attacker who already has root (who can simply remove the attribute); remember to clear it yourself before adding users or changing passwords, and check the result with "lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow".

# chattr +i /etc/passwd

# chattr +i /etc/shadow

# chattr +i /etc/group

# chattr +i /etc/gshadow

5. Disable rebooting with Ctrl+Alt+Delete

Edit /etc/inittab and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now", then run "init q" so that init re-reads the file. (On systemd-based systems the equivalent is "systemctl mask ctrl-alt-del.target".) As a separate hardening step, restrict the init scripts so that only root can read, write or execute them:

# chmod -R 700 /etc/rc.d/init.d/*

After this, only root can read, write or execute the scripts in that directory.

6. Limit the su command

If you do not want everyone to be able to su to root, edit /etc/pam.d/su and add the following two lines (the "debug" option on pam_rootok is optional, and on current systems the modules are referenced by bare name, pam_rootok.so and pam_wheel.so, without the /lib/security/ path):

auth sufficient /lib/security/pam_rootok.so debug

auth required /lib/security/pam_wheel.so group=isd

Now only members of the isd group can su to root. To allow user admin to su to root afterwards, add admin to that group:

# usermod -a -G isd admin

Use the -a (append) flag together with -G; "usermod -G isd admin" on its own replaces the user's whole list of supplementary groups. The group name must match the group= option on the pam_wheel line: "usermod -G10 admin" would put the user into the group with GID 10, which on most distributions is wheel, not isd.
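To see who the resulting policy actually lets su to root, here is an added example (mine, not from the article) that reads constructed copies of /etc/pam.d/su and /etc/group: it finds the enforced pam_wheel line, takes its group= option (defaulting to wheel, as pam_wheel itself does), and lists that group's members. The user "ops" and the GIDs are invented; the "use_uid" option is a real pam_wheel option included for realism.

```shell
#!/bin/sh
# Constructed /etc/pam.d/su with pam_wheel restricting su-to-root to group isd
SAMPLE_PAM_SU='#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid group=isd
auth       include      system-auth'

# The same file without the pam_wheel line (the usual default)
SAMPLE_PAM_SU_OPEN='#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       include      system-auth'

# Constructed /etc/group excerpt (hypothetical members)
SAMPLE_GROUP='root:x:0:
wheel:x:10:admin
isd:x:500:admin,ops
users:x:100:'

# su_wheel_group PAMTEXT
# Prints the group pam_wheel restricts su to root to: the group= option of an
# enforced (required/requisite) auth line, or "wheel" when the option is absent.
# Prints nothing if no enforced pam_wheel line exists.
su_wheel_group() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so$/ {
            g = "wheel"
            for (i = 4; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
            print g
            exit
        }'
}

# group_members GROUP GROUPTEXT -> space-separated supplementary members
# (users whose primary GID is the group are not listed in /etc/group).
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { gsub(/,/, " ", $4); print $4 }'
}

# users_who_can_su_root PAMTEXT GROUPTEXT
users_who_can_su_root() {
    g=$(su_wheel_group "$1")
    if [ -z "$g" ]; then
        echo "pam_wheel not enforced: anyone who knows the root password can su"
        return 0
    fi
    group_members "$g" "$2"
}

echo "restricted to group: $(su_wheel_group "$SAMPLE_PAM_SU")"
echo "can su to root: $(users_who_can_su_root "$SAMPLE_PAM_SU" "$SAMPLE_GROUP")"
users_who_can_su_root "$SAMPLE_PAM_SU_OPEN" "$SAMPLE_GROUP"
```

The check deliberately ignores "sufficient" pam_wheel lines (those grant, they do not restrict) and looks only at supplementary membership in /etc/group, which is where usermod -a -G puts a user.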

7. Remove version information from the login banner

By default the login prompt shows the Linux distribution, the kernel version and the server's host name. For a machine with high security requirements this gives away too much. Edit /etc/rc.d/rc.local and comment out the lines that regenerate /etc/issue at every boot ($R holds the release string set earlier in that script):

# This will overwrite /etc/issue at every boot. So, make any changes you

# want to make to /etc/issue here or you will lose them when you reboot.

# echo "" > /etc/issue

# echo "$R" >> /etc/issue

# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue

# cp -f /etc/issue /etc/issue.net

# echo >> /etc/issue

Then replace both banner files with empty ones:

# rm -f /etc/issue

# rm -f /etc/issue.net

# touch /etc/issue

# touch /etc/issue.net

/etc/issue is displayed on local consoles and /etc/issue.net to Telnet clients. On distributions that do not rewrite /etc/issue from rc.local, edit the files directly and remove the getty escape sequences such as \r (kernel release) and \m (machine type), which leak the same details.

3. Restrict network access

1. NFS access

If you run the NFS network file system service, make sure /etc/exports has the most restrictive settings possible: no wildcards in the client list, no root privileges for clients (root_squash), and read-only exports wherever possible. Edit /etc/exports and add lines such as the following two:

/dir/to/export host1.mydomain.com(ro,root_squash)

/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export and host1.mydomain.com is the name of the client allowed to mount it; ro exports the directory read-only, and root_squash maps the client's root user to the anonymous user (nobody), so a remote root gets no special rights. The options must follow the host name immediately: with a space before the parenthesis, as in "host1.mydomain.com (ro,root_squash)", the directory is exported to host1 with default options and with (ro,root_squash) to every host in the world. To make the changes take effect, run:

# /usr/sbin/exportfs -a

Use "exportfs -ra" to re-synchronise already active exports with the edited file, and "exportfs -v" to display what is actually being exported.
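The check a practitioner wants here is a quick lint of /etc/exports for exactly the mistakes just described. The script below is an added example (not from the article or from nfs-utils) run against a constructed exports file whose paths and host names are invented; it flags wildcard clients, read-write exports, no_root_squash, and the space-before-parenthesis mistake that silently exports to everyone.

```shell
#!/bin/sh
# Constructed /etc/exports; /srv/backup and /srv/pub are deliberately wrong.
SAMPLE_EXPORTS='# constructed exports file
/srv/data      host1.mydomain.com(ro,root_squash)
/srv/data      host2.mydomain.com(ro,root_squash)
/srv/backup    *(rw,no_root_squash)
/srv/pub       host3.mydomain.com (ro,root_squash)
/srv/home      192.168.1.0/24(rw,root_squash,sync)'

# lint_exports EXPORTSTEXT
# Prints one "LINE: finding" per problem.  Each field after the path is a
# "client(options)" token; a token that starts with "(" means the options
# were separated from their client by a space and therefore apply to every
# client (the client before the space gets the defaults instead).
lint_exports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (tok ~ /^\(/) {
                    print NR ": options " tok " are separated from the client by a space and apply to ALL clients"
                    continue
                }
                split(tok, part, /[(]/)
                host = part[1]
                opts = part[2]
                sub(/\)$/, "", opts)
                if (host == "" || host ~ /[*?]/)
                    print NR ": wildcard client \"" host "\" on " $1
                if (opts ~ /(^|,)rw(,|$)/)
                    print NR ": " $1 " exported read-write to " host
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print NR ": " $1 " gives " host " no_root_squash (remote root keeps uid 0)"
            }
        }'
}

# lint_count EXPORTSTEXT -> number of findings
lint_count() {
    lint_exports "$1" | grep -c . || true
}

lint_exports "$SAMPLE_EXPORTS"
echo "findings: $(lint_count "$SAMPLE_EXPORTS")"
```

Line numbers in the findings match the file's own line numbers (comments and blank lines are counted, just skipped), so "lint_exports "$(cat /etc/exports)"" can be read side by side with the file.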

2. Inetd settings

First make sure that /etc/inetd.conf is owned by root and has permission mode 600 ("chown root:root /etc/inetd.conf" if necessary); afterwards you can verify this with "stat /etc/inetd.conf".

# chmod 600 /etc/inetd.conf

Then edit /etc/inetd.conf and disable (comment out) the following services:

ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If ssh/scp is installed, Telnet and FTP can be disabled as well. To make the changes take effect, send inetd a HUP signal:

# killall -HUP inetd

(Systems that use xinetd instead keep one file per service under /etc/xinetd.d/, where "disable = yes" switches a service off.)

By default most Linux systems accept requests from anyone; TCP wrappers (tcpd) are an easy way to tighten this. Edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, set /etc/hosts.deny to "ALL: ALL" to deny all access by default, then list the permitted clients in /etc/hosts.allow: "sshd: 192.168.1.10 gate.openarch.com" allows SSH connections from the address 192.168.1.10 and from the host gate.openarch.com. To allow a whole subnet use a net/mask pair such as "192.168.1.0/255.255.255.0"; tcpd matches it when the network part equals the client address ANDed with the mask, so "192.168.1.10/255.255.255.0", with a host address in the network part, never matches anything. hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is let in. Only services started through tcpd, or daemons linked with libwrap, honour these files.

After configuring, check the files with tcpdchk:

# tcpdchk

tcpdchk is the TCP wrappers configuration checker: it reads hosts.allow and hosts.deny and reports potential or existing problems. Its companion tcpdmatch predicts the decision for a single client, for example "tcpdmatch sshd 192.168.1.10".
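As an added example (my own code, not from the article or from the tcp_wrappers project), the script below reimplements enough of the hosts_access(5) matching rules to predict tcpd's decision for a given daemon and client, in the same spirit as tcpdmatch, against constructed hosts.allow and hosts.deny contents. It handles ALL, exact addresses and host names, leading-dot domain suffixes and net/mask pairs; the last test case shows why a host address in the network field of a net/mask pair never matches. Daemon names, addresses and host names are invented.

```shell
#!/bin/sh
# Constructed access files (hypothetical daemons, addresses and names)
SAMPLE_HOSTS_ALLOW='# allow: the whole 192.168.1.0/24 subnet and one named gateway
sshd: 192.168.1.0/255.255.255.0 gate.openarch.com
in.ftpd: 10.0.0.7 .trusted.example'
SAMPLE_HOSTS_DENY='ALL: ALL'

# match_rules RULESTEXT DAEMON CLIENT_IP CLIENT_NAME
# Exit 0 if some "daemon_list : client_list" line matches, 1 otherwise.
# Subset of hosts_access(5): ALL, exact daemon/address/name, ".domain"
# suffix, and "net/mask" (matched as net == address & mask, exactly as
# tcpd does it, with the AND done per octet in plain POSIX awk).
match_rules() {
    printf '%s\n' "$1" | awk -F: -v d="$2" -v ip="$3" -v name="$4" '
        function band8(a, b,   r, bit) {
            r = 0
            for (bit = 128; bit >= 1; bit /= 2) {
                if (a >= bit && b >= bit) r += bit
                if (a >= bit) a -= bit
                if (b >= bit) b -= bit
            }
            return r
        }
        function in_net(pat,   p, a, n, m, i) {
            split(pat, p, "/"); split(ip, a, /[.]/); split(p[1], n, /[.]/); split(p[2], m, /[.]/)
            for (i = 1; i <= 4; i++)
                if (band8(a[i] + 0, m[i] + 0) != n[i] + 0) return 0
            return 1
        }
        function client_ok(pat) {
            if (pat == "ALL" || pat == ip || (name != "" && pat == name)) return 1
            if (index(pat, "/") > 0 && ip != "") return in_net(pat)
            if (pat ~ /^\./ && name != "" && substr(name, length(name) - length(pat) + 1) == pat) return 1
            return 0
        }
        function daemon_ok(pat) { return (pat == "ALL" || pat == d) }
        /^[[:space:]]*(#|$)/ { next }
        {
            nd = split($1, ds, /[ \t,]+/); nc = split($2, cs, /[ \t,]+/)
            for (i = 1; i <= nd; i++) {
                if (ds[i] == "" || !daemon_ok(ds[i])) continue
                for (j = 1; j <= nc; j++)
                    if (cs[j] != "" && client_ok(cs[j])) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# wrappers_decision ALLOWTEXT DENYTEXT DAEMON CLIENT_IP CLIENT_NAME
# hosts.allow is consulted first, then hosts.deny; no match at all means allow.
wrappers_decision() {
    if match_rules "$1" "$3" "$4" "$5"; then echo allow
    elif match_rules "$2" "$3" "$4" "$5"; then echo deny
    else echo allow
    fi
}

for c in "sshd 192.168.1.10" "sshd 203.0.113.5" "in.ftpd 10.0.0.8"; do
    set -- $c
    echo "$1 from $2: $(wrappers_decision "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY" "$1" "$2" "")"
done
```

The model leaves out EXCEPT lists, "user@host" forms, shell commands and IPv6, so treat it as a reading aid for the rules above rather than a replacement for tcpdmatch on the real files.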

3. Login terminal settings

/etc/securetty lists the tty devices on which root is allowed to log in; it is read by /bin/login (via pam_securetty on PAM-based systems). The format is one device name per line. To let root log in only on the first console, edit /etc/securetty, keep tty1 and comment out the other entries:

tty1

# tty2

# tty3

# tty4

# tty5

# tty6

Now root can log in only on the tty1 terminal. This file does not affect SSH, where root logins are controlled by PermitRootLogin in sshd_config.

4. Avoid displaying system and version information

To keep remote Telnet users from seeing the system and version information before they log in, change the telnet line in /etc/inetd.conf as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

The -h flag makes in.telnetd suppress the host information banner, so remote users see only the "login:" prompt.

4. Preventing attacks

1. Ignore ping

If nobody can ping your system, it is harder to find with simple ping sweeps; this is concealment rather than protection, and it also hides the machine from legitimate network diagnostics. To enable it, add the following line to /etc/rc.d/rc.local (the persistent equivalent is "net.ipv4.icmp_echo_ignore_all = 1" in /etc/sysctl.conf):

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing

Edit /etc/host.conf and add the following lines to protect host-name based access control against IP spoofing:

order bind,hosts

multi off

nospoof on

"nospoof on" makes the resolver check that the host name obtained from a reverse lookup resolves back to the same address, which defends checks such as those in hosts.allow against forged DNS replies; it does nothing against spoofed packets themselves, for which you need ingress filtering (for example net.ipv4.conf.all.rp_filter = 1 and firewall rules). Current glibc takes the lookup order from /etc/nsswitch.conf rather than from the "order" line.

3. Prevent DoS attacks

Setting resource limits for all users of the system helps against local denial-of-service attacks such as fork bombs or runaway memory use. For example, add the following lines to /etc/security/limits.conf:

* hard core 0

* hard rss 5000

* hard nproc 20

Then check that /etc/pam.d/login contains the following line, so that the limits are applied when a user logs in:

session required /lib/security/pam_limits.so

These entries disable core dumps (core 0), limit resident memory to 5000 KB, roughly 5 MB (rss), and limit each user to 20 processes (nproc). Two caveats: the Linux kernel has not enforced the rss limit since the 2.4 series, so use "as" (address space, in KB) if you want a memory bound that bites; and group and wildcard (*) entries are not applied to root, so a limit for root needs its own "root" line. The limits cover only sessions that pass through PAM (console login, ssh and the like), not services started at boot.
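The following added example (not part of the article) shows which hard limit a given user actually ends up with when limits.conf contains overlapping lines. It models pam_limits' precedence as documented in limits.conf(5): a line for the user itself beats @group lines, which beat the "*" wildcard, and group and wildcard lines are skipped for root. The users, the "ops" group and the values are constructed, and the model deliberately ignores soft limits and the "%group" maxlogins syntax.

```shell
#!/bin/sh
# Constructed /etc/security/limits.conf with overlapping domains
SAMPLE_LIMITS='# constructed limits.conf
*        hard    core    0
*        hard    as      65536
*        hard    nproc   20
@ops     hard    nproc   100
admin    hard    nproc   200
root     hard    nproc   unlimited'

# Constructed /etc/group excerpt: alice and admin are supplementary members of ops
SAMPLE_GROUP='ops:x:600:alice,admin'

# user_groups GROUPTEXT USER -> comma-separated groups the user is a member of
user_groups() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) out = out (out == "" ? "" : ",") $1
    } END { print out }'
}

# effective_hard_limit LIMITSTEXT GROUPTEXT USER ITEM
# Applies pam_limits precedence: user line (rank 0) > @group line (rank 1)
# > "*" line (rank 2); group and wildcard lines never apply to root.
# Among lines of equal rank the later one wins.  Prints "none" if no line
# matches, i.e. the kernel default stays in force.
effective_hard_limit() {
    groups=$(user_groups "$2" "$3")
    printf '%s\n' "$1" | awk -v u="$3" -v it="$4" -v gl="$groups" '
        BEGIN {
            n = split(gl, ga, ",")
            for (i = 1; i <= n; i++) ing[ga[i]] = 1
            best = 99; val = "none"
        }
        /^[[:space:]]*(#|$)/ { next }
        $2 == "hard" && $3 == it {
            rank = -1
            if ($1 == u) rank = 0
            else if (u != "root" && substr($1, 1, 1) == "@" && (substr($1, 2) in ing)) rank = 1
            else if (u != "root" && $1 == "*") rank = 2
            if (rank >= 0 && rank <= best) { best = rank; val = $4 }
        }
        END { print val }'
}

for who in admin alice bob root; do
    echo "$who: nproc=$(effective_hard_limit "$SAMPLE_LIMITS" "$SAMPLE_GROUP" "$who" nproc) core=$(effective_hard_limit "$SAMPLE_LIMITS" "$SAMPLE_GROUP" "$who" core)"
done
```

The output makes the root caveat visible: root gets "unlimited" for nproc only because of its own explicit line, and "none" for core because the wildcard line does not reach it. To confirm what a real session received, log in as the user and run "ulimit -Hu" and "ulimit -Hc".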
