Linux server security risks

When the boot: prompt appears after Linux boot, use a special command, such as linuxsingle or linux 1, to enter single-user mode (Single-User mode). This command is very useful, such as forgetting the superuser (root) password. Restart the system, enter linux single (or linux 1) at the boot: prompt, after the super user enters the system, edit the Passwd file and remove the x in the root line.

Preventive measures:

Enter the system as superuser (root), edit the /etc/inittab file, change the setting of id:3:initdefault, add an extra line (see below), let When the system restarts into single-user mode, prompt for the super user password:

◆~~:S:walt:/sbin/sulogin

Then execute the command: /sbin/init q, Make this setting work.

Passing dangerous parameters to the kernel at system startup

The most common boot loader tool for Linux is LILO, which manages the boot system (can be added to other partitions and operations) system). However, some illegal users may start Linux casually or pass dangerous parameters to the core when the system starts, which is quite dangerous.

Preventive measures:

Edit the file /etc/lilo.conf and add the restricted parameter to it. This parameter must be used together with the password parameter to be mentioned below, indicating that it is in the boot: prompt. Next, you need to enter a password when passing some parameters to the Linux kernel.

◆The password parameter can be used together with restricted, or it can be used separately, as explained below.

Use with restricted: Only when you need to pass to the kernel parameters at startup, you will be asked for a password. In normal (default) mode, you do not need a password. This must be done. note.

Used alone (not used with restricted): Indicates that no matter what startup mode is used, Linux will always ask for a password; if there is no password, there is no way to start Linux, in this case more secure. It is equivalent to adding a layer of defense measures to the periphery. Of course there are also disadvantages —— you can't reboot the system remotely unless you add the restricted parameter.

Since the password is plain text and not encrypted, the /etc/lilo.conf file must be set to be readable by only the superuser. Use the following command to set it:

◆chmod 600 /ietc /lilo.conf

Then execute the command: /sbin/lilo -V, write it to the boot sector, and make this change take effect.

To enhance the security of the /etc/liIo.conf file, you can also set this file as an immutable property. Use the command:

◆chattr ten i/etc/lilo.conf

If you want to modify the /etc/liIo.conf file in the future, use the chattr -i/etc/lilo.conf command to remove this attribute.

Restart with
Alt+Del”

This is very important and very easy to ignore. If an illegal user can access the server's keyboard, he can Use the key combination “Ctrl+AIt+Del” to restart your server.

Preventive measures:

Edit the /etc/inittab file and add the comment to ca::ctrlaltdel:/sbin/shutdown-t3 -r now###ca::ctrlaltdeI:/sbin /shutdown-t3 -r now.

Then execute the command: /sbin/init q to make this change take effect.