Shulou(Shulou.com)06/01 Report--

In this article, the editor introduces in detail "how to improve the security of the Linux system", the content is detailed, the steps are clear, and the details are handled properly. I hope that this article "how to improve the security of the Linux system" can help you solve your doubts.

1. Ensure the security of shared memory

Hackers always want to view shared memory, so the importance of ensuring the security of shared memory is self-evident. The / etc/fstab file can be modified to secure shared memory.

First, open the file using the terminal command

Sudo nano / etc/fstab

Then, add the following code to the bottom of the file

Tmpfs / run/shm tmpfs defaults,noexec,nosuid 0 0

Save and close the file. In order for the change to take effect, you need to restart Ubuntu 16.04.

two。 Allow ssh logins for specific users

If you only want the user whose username is olivia,IP and the address is 192.168.1.152 to go through secure shell, it goes like this:

1. Open the terminal command window

two。 Use the command to open the ssh configuration file

Sudo nano / etc/ssh/sshd_config

3. At the bottom of the file, add AllowUsers olivia@192.168.1.152

4. Save, close file

5. Restart sshd using the command

Sudo service ssh restart

At this point, secure shell will only give olivia with the IP address 192.168.1.152 access to the Ubuntu server. If others try to access the server using ssh, they will be asked to enter a password, but even if the password is correct, access to the Ubuntu server will be denied.

If you want all users on your network to access the server through ssh, add the following code

AllowUsers @ 192.168.1.

Restart the ssh server and it will take effect.

3. Add a secure login banner

Adding a secure login bannner doesn't seem to have any effect on your server security, but if someone gets access to your server and sees a warning on banner, they may think twice about whether to continue. Although this is a kind of psychological function, don't underestimate it.

To create a new banner, follow these steps:

1. Open the terminal window

two。 Execute a command

Sudo nano / etc/issue.net

3. Add the appropriate warning message

4. Close, save fil

Next, we will disable motd from displaying banner. First open the terminal and enter the following command

Sudo nano / etc/pam.d/sshd

Add the following two lines (precede each line with #)

Session optional pam_motd.so motd=/run/motd.dynamic session optional pam_motd.so noupdate

Open the / etc/ssh/sshd_config file in a text editor and add

Banner / etc/issue.net

Close, save fil

Finally, restart the ssh server using the command

Sudo service ssh restart

At this point, if someone logs in to your server through ssh, they will see your new banner and warn them that you are paying attention.

4. Enhance the network layer

To avoid source routing input packets on your Ubuntu server and print out all malformed IP addresses, use the command

Sudo nano / etc/sysctl.conf

Then add the following

# IP Spoofing protectionnet.ipv4.conf.all.rp_filter = 1net.ipv4.conf.default.rp_filter = "Ignore ICMP broadcast requestsnet.ipv4.icmp_echo_ignore_broadcasts =" Disable source packet routingnet.ipv4.conf.all.accept_source_route = 0net.ipv6.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0net.ipv6.conf.default.accept_source_route = "Ignore send redirectsnet.ipv4.conf.all.send_" Redirects = 0net.ipv4.conf.default.send_redirects = "Block SYN attacksnet.ipv4.tcp_syncookies = 1net.ipv4.tcp_max_syn_backlog = 2048net.ipv4.tcp_synack_retries = 2net.ipv4.tcp_syn_retries =" Log Martiansnet.ipv4.conf.all.log_martians = 1net.ipv4.icmp_ignore_bogus_error_responses = "Ignore ICMP redirectsnet.ipv4.conf.all.accept_redirects = 0net.ipv6.conf.all.accept_redirects = 0net.ipv4.conf" .default.accept _ redirects = 0 net.ipv6.conf.default.accept_redirects = accept Ignore Directed pingsnet.ipv4.icmp_echo_ignore_all = 1

Close, save the file, and restart using the following command.

Sudo sysctl-p5. Avoid IP address spoofing

Next, IP address spoofing can be avoided through simple operations. Use the following terminal command:

Sudo nano / etc/host.conf

The opened file looks like this:

# The "order" line is only used by old versions of the C library.order hosts,bindmulti on

Change this file to:

# The "order" line is only used by old versions of the C library.order bind,hostsnospoof on

Save, close the file, now there will be no IP address spoofing.

After reading this, the article "how to improve the security of the Linux system" has been introduced. If you want to master the knowledge points of this article, you still need to practice and use it yourself. If you want to know more about related articles, welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.