Linux has a special command (linux single) also known as ‘single-user mode’, which can be entered at the boot prompt during startup of the system. The single-user mode is generally used for system maintenance. You can boot Linux in single-user mode by typing at the LILO boot prompt the following command: LILO: linux single This [...]
Configure the /etc/exports file with the most restrictive access possible. This means not using wildcards, not allowing root write access, and mounting read-only wherever possible. Edit the exports file (vi /etc/exports) and add, as an example: /dir/to/export host1.mydomain.com(ro,root_squash) /dir/to/export host2.mydomain.com(ro,root_squash) Where /dir/to/export is the directory you want to export, host1.mydomain.com is the machine allowed [...]
- Mounting the boot partition read-only increases the security of the kernel. This is how you do it in /etc/fstab: LABEL=/boot /boot ext2 defaults,ro 1 2 And reload the changes: # mount /boot -oremount And yes, make it writable when you are planning a kernel upgrade. Otherwise new kernel won't be able to enter Other security options in the fstab [...]
By default, when you log in to a Linux machine, it tells you the Linux distribution name, version, kernel version, and the name of the server. This is giving away too much info. We’d rather just prompt users with a “Login:” prompt. To do this, edit the rc.local file (vi /etc/rc.local) and place “#” in front [...]
To find all files with the ‘s’ bits from root-owned programs, use the command: # find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \; software named “sXid” that will do the job for you automatically each day and report the results via mail. To disable the suid bits [...]
The password length Edit the passwd file (vi /etc/pam.d/passwd) and remove the following line: password required /lib/security/pam_stack.so service=system-auth Edit the system-auth file (vi /etc/pam.d/system-auth) and remove the lines: password required /lib/security/pam_cracklib.so retry=3 password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/pam_deny.so Now add the following lines to /etc/pam.d/passwd. We use the PAM “pam_cracklib” module [...]
Fix the permissions of the script files that are responsible for starting and stopping all your normal processes that need to run at boot time. To fix the permissions of those files, use the following command: [root@deep /]# chmod -R 700 /etc/init.d/* Which means just the super-user “root” is allowed to Read, Write, and Execute [...]
http://www.securityfocus.com/infocus/1613
It is important to look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by the “ls” command), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is [...]