System Hardening Strategies: Teaching You to Harden Linux Security

  
It is often said that Linux is more secure than Windows, but no computer connected to a network is absolutely safe. Just as we need to keep checking that the walls of the yard are strong, we also need to maintain and strengthen the operating system. Here we cover only a few general steps that users can take to harden a system.

This article focuses on how to harden the system, but before starting, users need a clear understanding of three questions: first, what the system is used for; second, which software it needs to run; and third, which vulnerabilities or threats the user needs to protect against. These three questions are causally linked in order: the answer to each one determines the answer to the next.

Starting from scratch

It is entirely possible to harden a system from a known secure state, but in practice hardening can also start with a "naked" system. This means that users have the opportunity to repartition the system disk; separating all data files from the operating system files is a prudent security measure.

The next step is to configure a minimal installation: get the system up, then add only the packages needed to get the job done. This step is critical. Why minimize the installation? Because the less code there is on the machine, the fewer vulnerabilities can be exploited: no one can exploit a vulnerability that does not exist. You also need to patch the operating system and all applications running on it.

However, be aware that if someone has physical access to the machine, they can boot the computer from a CD or other media and gain access to the system.
Therefore, it is best to configure the system's BIOS to allow booting only from the hard drive, and to protect this setting with a strong password.

The next step is to compile your own system kernel. It is important to include only the parts you need. Once your custom kernel is built and the system has rebooted into it, the chances of your kernel being attacked are greatly reduced. But hardening does not end here; there is more to come.

Reducing services

After getting a slimmed-down system running, the next step is to make sure you run only the services you need. By this point users have removed many services, but many may still be running in the background. Users need to look for these services in several places, such as /etc/init.d and /etc/rc.d/rc.local, which contain a variety of startup processes, and check everything started by cron. Users can also check for listening sockets using programs such as netstat or Nmap.

For example, services that users may need to disable include network file systems (samba), remote access services, and so on. Of course, you can't generalize. If you really need a service, try to limit its potentially damaging effect on the rest of the system: try to run it in its own chroot path to separate it from the rest of the file system.

Emphasis on permissions

As a user or administrator, you must ensure that no user can run programs or open files they do not need. Administrators should audit the entire system and reduce the permissions of each file to the minimum feasible level. The goal is that no one can read or write files that are not related to them. In addition, all sensitive data should be encrypted.

Further, administrators must ensure that they have a secure root password and that as few people as possible know it; this is the only way to ensure that no one can access an account they should not access.
It is also necessary to keep user login information up to date and to enforce policies such as password expiration. It is also wise to remove pre-provisioned accounts, or at least change their default passwords.

It is important to emphasize that security is a process, not a one-time job. This means that administrators should keep monitoring and further hardening the system; in particular, they need to monitor the system logs and patch the system as quickly as possible. Also pay attention to security advisories, and respond as soon as possible after learning of new vulnerabilities.

This article does not fully address Linux security, but it shows users some ways to harden a system. If you are a Linux user or administrator, you should take some steps to make it more secure, but this may reduce system efficiency. So the key is to find the right balance.
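
The listening-socket check from the "Reducing services" step, as an added example that is not part of the original article: it decodes the /proc/net/tcp table (the file netstat reads for IPv4 TCP) and reports every listener whose port is not on an allowlist. The function names, the allowlist and the sample table are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are illustrative.

# listening_ports: read a /proc/net/tcp-style table on stdin and print
# "ip:port" for each socket in LISTEN state (st = 0A).
listening_ports() {
    awk '
    # Portable hex-to-decimal; strtonum() is a gawk-only extension.
    function hex(s,   i, n) {
        s = toupper(s); n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return n
    }
    NR > 1 && $4 == "0A" {
        split($2, la, ":")   # la[1] = hex IPv4 address, la[2] = hex port
        # The address is printed byte-reversed on little-endian hosts (x86).
        ip = hex(substr(la[1], 7, 2)) "." hex(substr(la[1], 5, 2)) "." hex(substr(la[1], 3, 2)) "." hex(substr(la[1], 1, 2))
        print ip ":" hex(la[2])
    }'
}

# unexpected_listeners "PORT PORT ...": print listeners not on the allowlist.
unexpected_listeners() {
    allowed=" $1 "
    listening_ports | while IFS= read -r sock; do
        case "$allowed" in
            *" ${sock##*:} "*) ;;      # expected service
            *) echo "$sock" ;;         # review: disable it or confine it
        esac
    done
}

# Constructed sample table (not captured from a real host).
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 10002
   2: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003
   3: 0F02000A:0016 0202000A:C9D2 01 00000000:00000000 02:000A1B2C 00000000     0        0 10004
EOF
}

# Only SSH (22) is expected here; everything else listening gets reported.
sample_table | unexpected_listeners "22"
```

On a live host, run `unexpected_listeners "22" < /proc/net/tcp` with your own allowlist. IPv6 listeners are in /proc/net/tcp6 with 32-digit addresses, which this function does not decode.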
Copyright © Windows knowledge All Rights Reserved