Centos System Security Protection

Source: Internet
Author: User
Tags openldap

1. Install centos 6.2 64X

2. Customize system partitions,
2.1/partition 100 GB;
2.2.swap 2048 M;
2.3./data Partition, use all available space.
. Other requirements are customized based on service characteristics;

2. System slimming and uninstalling useless system software (this step is skipped online)
Yum-y groupremove "FTP Server" "Text-based Internet" "Windows File Server" "PostgreSQL Database"

"News Server" "DNS Name Server" "Web Server" "Dialup Networking Support" "Mail Server"

"Office/productinetworking" "Ruby" "Office/productinetworking" "Sound and Video" "X Window System" "X Software

Development "" Printing Support "" OpenFabrics Enterprise Distribution"


3. view the necessary system status for installation;
Yum-y install gcc-c ++ autoconf libjpeg-devel libpng-devel freetype-devel

Libxml2 libxml2-devel zlib-devel glibc-devel glib2 glib2-devel bzip2 bzip2-devel zip unzip

Ncurses-devel curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn-devel openssl

Openssh openssl-devel nss_ldap openldap-devel openldap-clients openldap-servers libxslt-devel

Libevent-devel ntp libtool-ltdl bison libtool vim-enhanced python wget lsof iptraf strace lrzsz

Kernel-devel kernel-headers pam-devel Tcl/Tk cmake ncurses-devel bison setuptool


4. Lock useless accounts;
Passwd-l xfs
Passwd-l news
Passwd-l nscd
Passwd-l Signature
Passwd-l vcsa
Passwd-l games
Passwd-l nobody
Passwd-l avahi
Passwd-l haldaemon
Passwd-l gopher
Passwd-l ftp
Passwd-l mailnull
Passwd-l pcap
Passwd-l mail
Passwd-l shutdown
Passwd-l halt
Passwd-l uucp
Passwd-l operator
Passwd-l sync
Passwd-l adm
Passwd-l lp

5. Restrict key commands. developers can use the root password or upgrade a user to the root level. Currently, ptmind is not applicable;
# Chmod 700/bin/ping
# Chmod 700/usr/bin/finger
# Chmod 700/usr/bin/who
# Chmod 700/usr/bin/w
# Chmod 700/usr/bin/locate
# Chmod 700/usr/bin/whereis
# Chmod 700/sbin/ifconfig
# Chmod 700/usr/bin/pico
# Chmod 700/bin/vi
# Chmod 700/usr/bin/which
# Chmod 700/usr/bin/gcc
# Chmod 700/usr/bin/make
# Chmod 700/bin/rpm


6. failed to change the password three times, locked for 5 minutes;
Sed-I's # auth required pam_env.so auth

Required pam_tally.so onerr = fail deny = 3 unlock_time = 300 auth required

/Lib/security/$ ISA/pam_tally.so onerr = fail deny = 3 unlock_time = 300 # '/etc/pam. d/system-auth


7. If there is no activity within 30 minutes after modification, the system automatically exits;

Echo "TMOUT = 1800">/etc/profile


8. Modify the maximum number of files opened by the system;

Echo "* soft nofile 66666">/etc/security/limits. conf
Echo "* hard nofile 66666">/etc/security/limits. conf


9. Disable ipv6;

Echo "alias net-pf-10 off">/etc/modprobe. conf
Echo "alias ipv6 off">/etc/modprobe. conf
/Sbin/chkconfig -- level 35 ip6tables off


10. Change the default font to UTF8;

Sed-I's @ LANG =. * $ @ LANG = \ "en_US.UTF-8 \" @ G'/etc/sysconfig/i18n


11. Modify the startup mode to 3;

Sed-I's/id:. * $/id: 3: initdefault:/G'/etc/inittab

12. Kernel Parameter Adjustment;

Cat>/etc/sysctl. conf <EOF
# Michaelkang add 120724
Net. ipv4.tcp _ abort_on_overflow = 1
Net. ipv4.tcp _ syncookies = 1
Net. ipv4.tcp _ tw_reuse = 1
Net. ipv4.tcp _ tw_recycle = 1
Net. ipv4.tcp _ fin_timeout = 20
Net. ipv4.tcp _ retries1 = 2
Net. ipv4.tcp _ retries2 = 5
Net. ipv4.tcp _ max_orphans = 2000
Net. ipv4.tcp _ keepalive_time = 1200
Net. ipv4.tcp _ keepalive_intvl = 15
Net. ipv4.tcp _ keepalive_probes = 5
Net. ipv4.tcp _ syn_retries = 2
Net. ipv4.tcp _ synack_retries = 3
Net. ipv4.tcp _ max_syn_backlog = 8192
Net. ipv4.tcp _ max_tw_buckets = 5000
EOF

Sysctl-p

13. Clear useless services;
#! /Bin/sh
For I in 'ls/etc/rc3.d/S *'
Do
CURSRV = 'echo $ I | cut-c 15 -'

Echo $ CURSRV
Case $ CURSRV in
Cpuspeed | crond | irqbalance | microcode_ctl | xinetd | network | mon | partmon | messagebus | udev-

Post | sshd | rsyslog | syslog)
# This system service is set based on specific application conditions. network, sshd, and syslog are three system services that must be started!
Echo "Base services, Skip! "
;;
*)
Echo "change $ CURSRV to off"
Chkconfig -- level 235 $ CURSRV off
Service $ CURSRV stop
;;
Esac
Done

14. add necessary users and groups


Mkdir/workspace
Cp/etc/shadow/workspace/
Cp/etc/passwd/workspace/
Groupadd public
Useradd abc-g public
Echo 'abc: $1 $ V5X9cldh $ skn2.IclKEc. HFVLW/'| chpasswd-e

History-c

15. Add special permissions to key files;

Chattr + I/etc/passwd
Chattr + I/etc/shadow
Chattr + I/etc/group
Chattr + I/etc/gshadow
# History security
Chattr + a/root/. bash_history
Chattr + I/root/. bash_history


16. modify directory permissions under/data

Chown user: group/data/


17. Grant user high-level Permissions
Echo "user ALL = (ALL) NOPASSWD: ALL">/etc/sudoers


18. Upgrade the openssh logon program;
Cd/workspace
Wget http://mirror.internode.on.net/p... penssh-5.8p2.tar.gz

Tar-xvf openssh-5.8p2.tar.gz
Cd openssh-5.8p2

# Yum install pam-devel

./Configure -- prefix =/usr -- sysconfdir =/etc/ssh -- with-pam -- with-zlib -- with-ssl-

Dir =/usr/include/openssl -- mandir =/usr/share/man
Make
Mkdir-p/etc/sshbak
Mv/etc/ssh/*/etc/sshbak/
Make install
Chkconfig -- add sshd
Chkconfig sshd on
/Etc/init. d/sshd restart
Cd/workspace/


19. Install the denyhost brute-force cracking software;
Wget http://sourceforge.net/projects/... enyHosts-2.6.tar.gz

Tar-zxvf DenyHosts-2.6.tar.gz
Music DenyHosts-2.6 denyhost

Cd denyhost/

Yum install python-y

Python setup. py install

Cd/usr/share/denyhosts/
Cp daemon-control-dist daemon-control

Cp denyhosts. cfg-dist denyhosts. cfg


Chown root daemon-control

Chmod 700 daemon-control


Ln-s/usr/share/denyhosts/daemon-control/etc/init. d/denyhosts


Chkconfig -- add denyhosts

Chkconfig denyhosts on

Mv denyhosts. cfg denyhosts. cfg. bak


Cat>/usr/share/denyhosts/denyhost. cfg <EOF

SECURE_LOG =/var/log/secure
# Ssh log files
HOSTS_DENY =/etc/hosts. deny
# Write the blocked IP address to hosts. deny
PURGE_DENY = 1d
# How long will it take to clear prohibited items? w indicates weeks, d Indicates days, h indicates hours, s indicates seconds, and m indicates minutes.
BLOCK_SERVICE = ALL
# Blocked service name
DENY_THRESHOLD_INVALID = 5
# Number of Logon failures of invalid users (not listed in/etc/passwd) and the number of Logon failures of invalid users are allowed.
DENY_THRESHOLD_VALID = 5
# Number of Logon failures allowed for common users
DENY_THRESHOLD_ROOT = 5
# Number of root logon failures allowed
DENY_THRESHOLD_RESTRICTED = 1
# Set the deny host to be written to this folder
WORK_DIR =/usr/share/denyhosts/data
# Record the deny host or ip address to Work_dir
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES
HOSTNAME_LOOKUP = YES
# Whether domain name resolution is performed
LOCK_FILE =/var/lock/subsys/denyhosts
# Record the pid started by DenyHOts to LOCK_FILE. Make sure that the service is correctly started to prevent multiple services from being started at the same time.
ADMIN_EMAIL = michaelkang@ptmind.com
# Set the Administrator email address
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody @ localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID = 1d
# Time when the logon Failure count of a valid user is set to zero
AGE_RESET_ROOT = 1d
# Time when the logon Failure count of the root user is zero
AGE_RESET_RESTRICTED = 5d
# Time when the user's logon Failure count is reset to 0 (/usr/share/denyhosts/data/restricted-usernames)
AGE_RESET_INVALID = 10d
# Return time of Logon Failure count of invalid users
DAEMON_LOG =/var/log/denyhosts
# Your own log files
DAEMON_SLEEP = 30 s
DAEMON_PURGE = 1d
# This item is set to the same as PURGE_DENY, which is also the time for clearing hosts. deniedssh users.
EOF
Cd/workspace/
/Etc/init. d/denyhosts start

20. Install the anti-DDOS firewall;

Wget http://www.inetbase.com/scripts/ddos/install.sh
Chmod 0700 install. sh
./Install. sh


21. Enhance system security, modify the system, and set to display only 10 historical commands through history ;;
Sed-I "s/HISTSIZE = 1000/HISTSIZE = 10/"/etc/profile


22. Deploy user behavior audit;

Mkdir-p/etc/share/

Cat/dev/null>/usr/share/um. log

Chown nobody: nobody/usr/share/um. log

Chmod 002/usr/share/um. log

Chattr + a/usr/share/um. log


Add the following content to/etc/profile

Export HISTORY_FILE =/etc/share/um. log

Export PROMPT_COMMAND = '{date "+ % y-% m-% d % T ##### $ (who am I | awk" {print \ $1 \"\" \ $2 \ "\" \ $5 }") ####

$ (Id | awk "{print \ $1}") ####$ (history 1 | {read x cmd; echo "$ cmd ";}) ";}>> $ HISTORY_FILE'


Run: source/etc/profile


23. Set the sticky bits for/tmp and/var/tmp;
Chmod + t/var/
Chmod + t/tmp/

18. Modify ssh Logon Restrictions for users;

Cat>/etc/hosts. allow <EOF
Sshd: 192.168.16.0/255.255.255.0

EOF

Echo 'sshd: all'>/etc/hosts. deny


24. ssh security reinforcement;

# Ssh security reinforcement, modify the/etc/ssh/sshd_config file
# Only SSH2 connections are allowed
Sed-I "s/# Protocol 2, 1/Protocol 2/"/etc/ssh/sshd_config
# Specify the maximum number of authentications allowed for each connection. The default value is 6.
Sed-I "s/# MaxAuthTries 6/MaxAuthTries 6/"/etc/ssh/sshd_config
# Do not use DNS resolution
Sed-I "s/# UseDNS yes/UseDNS no/"/etc/ssh/sshd_config
# Root users are not allowed to log on directly, but root users can log on directly using certificates
Sed-I "s/# PermitRootLogin yes/PermitRootLogin without-password/"/etc/ssh/sshd_config
# Length of SERVER_KEY
Sed-I "s/# ServerKeyBits 768/# ServerKeyBits 1024/"/etc/ssh/sshd_config
Sed-I "s/# UseLogin no/UseLogin yes/"/etc/ssh/sshd_config
# PermitEmptyPasswords no # Do not allow empty passwords for login (only in plaintext mode and not in certificate mode ).
Sed-I "s/# PermitEmptyPasswords no/"/etc/ssh/sshd_config
# RSAAuthentication yes # enable RSA Authentication.
Sed-I "s/# RSAAuthentication yes/"/etc/ssh/sshd_config
# PubkeyAuthentication yes # enable public key authentication.
Sed-I "s/# PubkeyAuthentication yes/"/etc/ssh/sshd_config
# Supplement: Modify the vi/etc/ssh/ssh_config file (global configuration file)
# Allow RSA private key authentication.
Sed-I "s/# RSAAuthentication yes/"/etc/ssh/sshd_config
# Do not use a blank password to log on
Sed-I "s/# PermitEmptyPasswords no/"/etc/ssh/sshd_config

# PasswordAuthentication no #. Do not log on with the plaintext password.
# Sed-I "s/# PasswordAuthentication yes/PasswordAuthentication no/"/etc/ssh/sshd_config


25. The password can be changed for a maximum of 90 days. The minimum length of the password is 8 characters;
/Etc/login. defs
PASS_MAX_DAYS 90
PASS_MIN_LEN 8


26. Import Management Certificates

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.