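# Linux hardening notes, steps 1-6. Every step runs as root and edits a
# system file; the sysctl.conf contents referenced in step 6 follow this block.

# ---- 1. Use the shell history to record what was run ----
# Append to /etc/bashrc. Bash variable names are case-sensitive, so these
# must be upper-case; HISTTIMEFORMAT stamps each entry with date and time
# (use '%F %T ' if a space between date and time is preferred).
HISTFILESIZE=4000
HISTSIZE=4000
HISTTIMEFORMAT='%F%T '
export HISTTIMEFORMAT
source /etc/bashrc

# ---- 2. Remove system identification from login banners ----
# 2.1 Hide the OS name and version: in /etc/ssh/sshd_config add the line
# below, put the sanitised text in /etc/issue.net, then reload sshd.
# This only changes the pre-authentication text; the SSH protocol version
# string sent during the handshake is not affected.
#   vi /etc/ssh/sshd_config
#   Banner /etc/issue.net
# 2.2 Empty /etc/motd, or replace it with the text to show after login.
#   vi /etc/motd

# ---- 3. Auto-logout idle shells after 5 minutes ----
# Shell variables are case-sensitive: a lower-case "tmout" is silently
# ignored. TMOUT only covers shells that read /etc/profile, and a user can
# unset it again unless it is also declared readonly in the same file.
echo "TMOUT=300" >> /etc/profile
source /etc/profile

# ---- 4. Reinforcing ----
# Restrict "dangerous" binaries to root. chmod 700 also clears any setuid
# bit, and non-root users (and their scripts) lose these commands entirely;
# confirm nothing on the host depends on them before applying.
chmod 700 /bin/ping
chmod 700 /usr/bin/finger
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /usr/bin/pico
chmod 700 /bin/vi
chmod 700 /usr/bin/which
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make
chmod 700 /bin/rpm

# History security: append-only (+a) stops the root history from being
# truncated or rewritten. Do not also set +i (immutable) as the original
# listing did - immutable blocks the append as well, so bash could no longer
# record history at all, defeating step 1.
chattr +a /root/.bash_history

# Lock the account databases. While +i is set, useradd/usermod/passwd and
# groupadd fail on that file; run "chattr -i" first, make the change, then
# re-apply. The usermod in step 5 edits /etc/group and must run before this.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

# Enable SYN cookies. sysctl keys are case-sensitive /proc/sys paths, so the
# original "Net.ipv4..." spelling is rejected. Appending blindly duplicates a
# key that the step-6 file also sets; later entries win, so keep one copy.
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p

# Password ageing for newly created accounts: edit /etc/login.defs (keys are
# upper-case). Existing accounts are not changed by this; use chage for them.
#   vi /etc/login.defs
#   PASS_MAX_DAYS 90
#     maximum number of days a new user's password may be used
#   PASS_MIN_DAYS 0
#     minimum number of days between password changes for new users
#   PASS_WARN_AGE 7
#     days before expiry that new users are warned
#   PASS_MIN_LEN 9
#     minimum password length 9 (on PAM-based systems the PAM password
#     module's own length setting may take precedence - confirm)

# ---- 5. Limit which accounts can su to root ----
# In /etc/pam.d/su require membership of the "dba" group. The module path is
# platform-specific (64-bit systems use a different directory); a bare
# "pam_wheel.so" lets PAM locate it.
#   vi /etc/pam.d/su
#   auth required /lib/security/pam_wheel.so group=dba
# Put the test user in the dba group. -g sets the primary group, as in the
# original; -G dba would add it as a supplementary group instead and leave
# the primary group unchanged.
usermod -g dba test

# ---- 6. Kernel security ----
# Edit /etc/sysctl.conf with the settings listed below.
#   vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.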
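# See sysctl(8) and sysctl.conf(5) for more details.
#
# Consolidated from a listing in which several keys appeared two or three
# times (accept_source_route, rp_filter, accept_redirects, log_martians,
# kernel.sysrq, tcp_syncookies, tcp_max_syn_backlog). sysctl -p applies the
# file top to bottom, so a repeated key silently takes its last value; each
# key below appears exactly once. Apply with: sysctl -p

# ---- Kernel ----
# Disable the magic SysRq key.
kernel.sysrq = 0
# Append the PID to the core file name; useful for debugging multi-threaded
# applications.
kernel.core_uses_pid = 1
# Set maximum amount of memory allocated to SHM to 256MB.
kernel.shmmax = 268435456

# ---- IP forwarding and source routing ----
# Controls IP packet forwarding; this host is not a router.
net.ipv4.ip_forward = 0
# Disable IP source routing. "all" covers existing interfaces, "default"
# covers interfaces created later; the eth0 entries only apply when an
# interface of that name exists (sysctl -p reports an error otherwise).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
# Enable IP spoofing protection: turn on source route (reverse path)
# verification. The "default" value was blank in the listing and the eth0
# value read "114"; both are set to 1 like the sibling entries.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
# Disable ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
# Log spoofed packets, source-routed packets and redirect packets
# (martians). The eth0 value was blank in the listing and is set to 1; the
# listing has no "default" entry, so interfaces created later are not
# covered by this setting.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# ---- ICMP ----
# Ignore ICMP echo requests sent to broadcast addresses.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# ---- TCP SYN flood protection ----
# Enable TCP SYN cookie protection. Set it here only; do not also append it
# from a shell step, or the key is duplicated.
net.ipv4.tcp_syncookies = 1
# Size of the SYN backlog queue (effectively q0). The listing set 2048 and
# later 1024; the later value is the one sysctl -p would have applied.
net.ipv4.tcp_max_syn_backlog = 1024
# The value for tcp_synack_retries was lost in the source listing. An empty
# value is an error, so the key stays commented out until a value is chosen.
# net.ipv4.tcp_synack_retries = <VALUE-LOST-IN-SOURCE>

# ---- TCP tuning ----
# Decrease the default value for tcp_fin_timeout.
net.ipv4.tcp_fin_timeout = 15
# Decrease the default value for tcp_keepalive_time.
net.ipv4.tcp_keepalive_time = 1800
# Turn off TCP window scaling, selective ACK and timestamps. Each lowers
# throughput on high-bandwidth or lossy links; keep only if that trade-off
# is intended.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
# Increase the tcp-time-wait buckets pool size.
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range. The listing gave 65536 as the upper bound, which
# is outside the valid port range and is rejected by the kernel.
net.ipv4.ip_local_port_range = 16384 65535
# Increase the maximum total TCP buffer space allocatable.
net.ipv4.tcp_mem = 57344 57344 65536
# Increase the maximum TCP write-buffer space allocatable.
# NOTE(review): the third value read "52428815" in the source listing and
# may be garbled - confirm against the original.
net.ipv4.tcp_wmem = 32768 65536 52428815
# Increase the maximum TCP read-buffer space allocatable.
net.ipv4.tcp_rmem = 98304 196608 1572864
# Increase the maximum and default receive socket buffer size.
net.core.rmem_max = 524280
net.core.rmem_default = 524280
# Increase the maximum and default send socket buffer size.
net.core.wmem_max = 524280
net.core.wmem_default = 524280
# Increase the maximum amount of option memory buffers.
net.core.optmem_max = 57344
# Increase the maximum memory used to reassemble IP fragments.
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# ---- File system ----
# Modify system limits for Ensim WebAppliance.
fs.file-max = 65000

# ---- Settings from 2.4-era kernels ----
# These keys went away with the 2.4 series, and sysctl -p reports an error
# for every key the running kernel does not have. They are kept commented
# out for reference; the vm.bdflush value was also garbled in the source.
# Improve file system performance
# vm.bdflush = <VALUE-LOST-IN-SOURCE>
# Improve virtual memory performance
# vm.buffermem = 60
# Increase the maximum number of skb-heads to be cached
# net.core.hot_list_length = 1024

## Do not REMOVE the following line!
## NSobuild:20051206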
Linux Security Hardening