"Go" CentOS 6 Server Security Configuration Guide

Source: Internet
Author: User

Original link:

CentOS 6 Server Security Configuration Guide (general)

Linux is an open system: many ready-made programs and tools can be found on the web, which makes it easy for users, and just as easy for attackers, to find tools for breaking into a Linux system or stealing important information from it. However, if the system's functions are configured carefully and the necessary security measures are taken, an attacker is left with no opening. In general, securing a Linux system involves removing unnecessary services, restricting remote access, hiding important information, patching security holes, adopting security tools and performing frequent security checks.

This article is a reference for practical operations; it does not cover the principles behind things such as IP spoofing, and security problems cannot be prevented with a few lines of commands. What follows is only a basic method of hardening a Linux system, with new content to be added later.

Note: back up every file before modifying it, e.g.

# cp /etc/passwd{,.dist}
1. Disable users that are not in use

Note: deleting accounts outright is not recommended, since re-adding one later is cumbersome. Lock them instead with usermod -L or passwd -l <user>.

# vi /etc/passwd    Edit the user entries; a # at the start of a line comments that user out

Users that were commented out:

# cat /etc/passwd | grep ^#
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
#postfix:x:89:89::/var/spool/postfix:/sbin/nologin

Groups that were commented out:

# cat /etc/group | grep ^#
#adm:x:4:adm,daemon
#lp:x:7:daemon
#uucp:x:14:
#games:x:20:
#gopher:x:30:
#video:x:39:
#dip:x:40:
#ftp:x:50:
#audio:x:63:
#floppy:x:19:
#postfix:x:89:

Note that commenting out a passwd line leaves the matching /etc/shadow entry and any files owned by that UID in place, and commenting out postfix while the postfix service is still installed will break it; both are further reasons to prefer usermod -L.
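As an added example (not part of the original post), the following shell script performs the account review from this section as a dry run: it reads /etc/passwd-format text and prints the usermod lock command recommended in the note above for every system account that still has an interactive shell. The passwd content is constructed; the UID-500 boundary is the CentOS 6 convention for system accounts.

```shell
# Added example (not from the original post): dry-run audit of system accounts.
# Reads /etc/passwd-format text on stdin and prints, for every system account
# (UID below 500 on CentOS 6, root excluded) that still has an interactive
# login shell, the lock command the note above recommends instead of editing
# /etc/passwd by hand. Nothing is modified; the output is reviewed and then run.

# Constructed sample passwd content; lp and ftp were deliberately given shells.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sysmgr:x:500:500::/home/sysmgr:/bin/bash
crm:x:501:501::/apps/crm:/bin/bash'

# audit_system_shells: passwd text on stdin -> one "usermod ..." line per finding.
# usermod -L locks the password and -s /sbin/nologin removes the login shell;
# both are reversible (usermod -U, usermod -s), unlike deleting the account.
audit_system_shells() {
    awk -F: '
        $1 == "root" { next }                                  # never touch root
        $3 + 0 >= 500 { next }                                 # ordinary users are out of scope
        $7 ~ /(nologin|false|sync|halt|shutdown)$/ { next }    # already non-interactive
        { printf "usermod -L -s /sbin/nologin %s\n", $1 }
    '
}

# lock_shells_from_sample: run the audit over the constructed sample.
lock_shells_from_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_system_shells
}

# Against the live system you would run:  audit_system_shells < /etc/passwd
lock_shells_from_sample
```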
2. Turn off services that are not in use

# chkconfig --list | grep '3:on'

Mail service; the corporate mail server is used instead:

# chkconfig <mail-service> --level 2345 off

Generic UNIX print service, useless on a server:

# chkconfig <print-service> --level 2345 off

Adjusts CPU speed to save power, commonly used on laptops:

# chkconfig <cpu-frequency-service> --level 2345 off

Bluetooth wireless communication, useless on a server:

# chkconfig <bluetooth-service> --level 2345 off

Runs once after the initial system setup, useless after the first boot:

# chkconfig <first-boot-service> --level 2345 off

Turn off the NFS server and client services:

# chkconfig <nfs-server-service> --level 2345 off
# chkconfig <nfs-client-service> --level 2345 off

(The names in angle brackets are placeholders for service names that were lost from the original text; take the exact names from the chkconfig --list output.)

If you need to restore a service, do the following:

# service acpid start && chkconfig acpid on

You can also use the setup tool to configure services.

3. Disable IPv6

IPv6 was introduced to solve IPv4 address exhaustion, but our servers generally do not use it. Disabling IPv6 not only speeds up networking but also reduces administrative overhead and raises the security level. The following steps completely disable IPv6 on CentOS.

Disable loading of the IPv6 modules:
To stop the system from loading the IPv6-related modules, the modprobe configuration must be changed. For ease of management, create a new file /etc/modprobe.d/ipv6off.conf with the following content:

alias net-pf-10 off
options ipv6 disable=1

Disable IPv6 networking so that it is not brought up at boot:

# vi /etc/sysconfig/network
NETWORKING_IPV6=no

Disable IPv6 on the NIC so that it runs in IPv4-only mode:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no

Turn off ip6tables:

# chkconfig ip6tables off

Reboot the system and verify that the change took effect:

# lsmod | grep ipv6
# ifconfig | grep -i inet6

If there is no output, the IPv6 module is disabled; otherwise it is still enabled.

4. iptables rules

Enable the Linux firewall to block unauthorized programs from accessing the system. iptables rules filter inbound, outbound and forwarded packets, and access to specific UDP/TCP ports can be granted or denied per source and destination address.

For the firewall configuration itself, refer to the blog post on iptables setup examples.

5. SSH Security

If possible, the first thing to do is change the default SSH port 22; moving it to a high port such as 20002 greatly raises the safety margin and reduces the likelihood of SSH login attacks.

Create recognizable application users, such as crm, and a system-management user, sysmgr:

# useradd crm -d /apps/crm
# passwd crm
# useradd sysmgr
# passwd sysmgr

5.1 Only allow users in the wheel group to su

# usermod -G wheel sysmgr          # add sysmgr to the supplementary group wheel
# vi /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid

Any other user who tries to su to root is told "su: incorrect password" even when the password is correct.

5.2 Login timeout

Disconnect a user who has been idle for 5 minutes; add to /etc/profile:

export TMOUT=300
readonly TMOUT

5.3 Disable direct remote login as root

# vi /etc/ssh/sshd_config
PermitRootLogin no

5.4 Limit the number of login failures and lock the account

Add the following to /etc/pam.d/login:

auth required pam_tally2.so deny=6 unlock_time=180 even_deny_root root_unlock_time=180

Once the failure count reaches the deny value (6 above) the account is locked for 180 seconds; set even_deny_root according to whether root should be included. Note that /etc/pam.d/login only covers console logins: for SSH the same line belongs in /etc/pam.d/sshd (or the shared /etc/pam.d/system-auth), and the counter can be inspected or cleared with pam_tally2 --user <name> [--reset].

5.5 Login IP restrictions

(Not applied for now, because it ties logins to a fixed IP or IP range.)
A stricter limit is to specify in sshd_config which users, and from which source IPs, may SSH in:

# allowed SSH users
AllowUsers sysmgr@<source-address-pattern>    # the address part was lost from the original

Or use TCP Wrappers:

# vi /etc/hosts.allow
sshd: 172.29.73.23
sshd: 172.29.73.       # a trailing dot matches the whole 172.29.73.0/24 range

hosts.allow on its own only lists permitted sources; the restriction takes effect once /etc/hosts.deny also contains sshd: ALL.
6. Configure key-only login

Using a key file instead of ordinary password authentication also improves security considerably:

[root@host ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    <- default path, just press Enter
Enter passphrase (empty for no passphrase):                  <- choose a passphrase; it is required at every login
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 root@<host>
The key's randomart image is:
+--[ RSA 2048]----+
(randomart omitted)
+-----------------+

Rename the public key to authorized_keys:

$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Download the private key file id_rsa to your local machine (rename it to hostname_username_id_rsa to make it easier to identify) and keep it somewhere safe. From now on the username user must log in to this host with this private key and its passphrase; the user's own password is no longer used.

In addition, edit /etc/ssh/sshd_config and uncomment the following lines:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

We require the username user (who can switch to other users, especially root) to log in with an SSH key, while other ordinary users may still log in with a password. The following therefore also has to be added to sshd_config; because a Match block applies to every line that follows it, put it at the end of the file:

Match User itsection
    PasswordAuthentication no

Restart the sshd service:

# service sshd restart

Also keep a copy of the key pair on a separate machine: if the private key (or its passphrase) is lost, or the authorized_keys file on the server is lost, you may no longer be able to log in to the server and obtain root privileges.
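As an added example (not part of the original post), the following shell function audits an sshd_config against the settings from sections 5 and 6 (non-default Port, PermitRootLogin no, PubkeyAuthentication, AllowUsers). It reproduces sshd's rule that the first occurrence of a directive wins and stops at the first Match line, since everything after it is conditional. Both config samples are constructed.

```shell
# Added example (not from the original post): audit an sshd_config against the
# settings recommended in sections 5 and 6. Only the global section is checked;
# everything after the first "Match" line is conditional and is skipped. Prints
# one "FAIL <directive>" line per deviation, or "OK" when nothing deviates.

# audit_sshd_config: sshd_config text on stdin -> findings on stdout.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                  # stop at the first Match block
        {
            k = tolower($1)
            if (!(k in cfg)) cfg[k] = tolower($2)        # sshd keeps the first value it sees
        }
        END {
            n = 0
            if (!("port" in cfg) || cfg["port"] == "22")   { print "FAIL Port"; n++ }
            if (cfg["permitrootlogin"] != "no")             { print "FAIL PermitRootLogin"; n++ }
            if (("pubkeyauthentication" in cfg) && cfg["pubkeyauthentication"] != "yes")
                                                            { print "FAIL PubkeyAuthentication"; n++ }
            if (!("allowusers" in cfg))                     { print "FAIL AllowUsers"; n++ }
            if (n == 0) print "OK"
        }
    '
}

# Constructed samples: the stock defaults, and the hardened version from this guide.
WEAK_SSHD_CONFIG='#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONFIG='Port 20002
Protocol 2
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers sysmgr@172.29.73.*
Match User itsection
    PasswordAuthentication no'

audit_weak_sample()     { printf '%s\n' "$WEAK_SSHD_CONFIG"     | audit_sshd_config; }
audit_hardened_sample() { printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config; }

# On a live host: audit_sshd_config < /etc/ssh/sshd_config
audit_weak_sample
audit_hardened_sample
```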

7. Reduce the history command record

Keeping more executed commands in the history makes maintenance easier, but it also brings security problems, since anything typed on the command line (passwords included) ends up there.

# vi /etc/profile

Find HISTSIZE=1000 and change it to HISTSIZE=50.

Alternatively, clear the history every time you log out: history -c

8. Harden special file permissions

Add the immutable attribute to the following files to prevent unauthorized changes:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/services        # lock the system service port list file to prevent unauthorized deletion or addition of services
# chattr +i /etc/pam.d/<file>    # placeholder: the PAM file name was lost from the original
# chattr +i /etc/ssh/sshd_config

Display the attributes of a file:

# lsattr /etc/passwd /etc/shadow /etc/services /etc/ssh/sshd_config

Note: after the chattr change above you can no longer add or delete users, and passwords cannot be changed either, because passwd writes to /etc/shadow.

If you need to add or delete a user, first remove the attribute, for example chattr -i /etc/passwd, and re-apply it once the change is done. (Remember to set it again.)

9. Preventing common network attacks

Network attacks cannot be avoided with a few lines of configuration; the settings below only reduce the likelihood of an attack and raise its difficulty, they do not block it completely.

9.1 Disable ping

If nobody can ping your system, security naturally improves and ping flooding is effectively prevented. To do this, add the following line to /etc/rc.d/rc.local:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or use iptables to block ping:

# iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP    # type 8 (echo-request) is what an incoming ping sends; dropping type 0 (echo-reply) here would not stop it
Do not allow pinging other hosts:
# iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP          # outgoing echo-requests
9.2 Prevent IP spoofing

Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:

order hosts,bind    # name resolution order
multi on            # allow a host to have multiple IP addresses
nospoof on          # disable IP address spoofing
9.3 Preventing DoS attacks

Setting resource limits, such as the maximum number of processes and of open files, for every user on the system can mitigate DoS-type attacks. Add the following lines to /etc/security/limits.conf:

*    soft    core    0
*    soft    nproc   2048
*    hard    nproc   16384
*    soft    nofile  1024
*    hard    nofile  65536

core 0 disables the creation of core files; nproc limits the maximum number of processes a user may run; nofile limits the maximum number of files a user may have open at the same time; * stands for every user logging in to the system, but not for root. On CentOS 6, /etc/security/limits.d/90-nproc.conf sets its own * soft nproc value and, being read after limits.conf, overrides the nproc line above, so adjust it there as well.

Then edit /etc/pam.d/login and check that the following line is present:

session    required     pam_limits.so

The values in limits.conf need to be adjusted to the specific situation.

10. Fix known security vulnerabilities

Occasionally a devastating vulnerability hits Linux, such as the udev, Heartbleed, Shellshock or GHOST bugs; a server exposed to the Internet must be patched promptly.

11. Regular Log Security checks

Moving logs to a dedicated log server stops an intruder from easily tampering with the local copies. The default log files on a typical Linux system and their purposes:

    • /var/log/messages – general system log and current activity.
    • /var/log/auth.log – authentication log (on Debian-style systems; CentOS uses /var/log/secure instead).
    • /var/log/cron – crond log (cron tasks).
    • /var/log/maillog – mail server log.
    • /var/log/secure – authentication log.
    • /var/log/wtmp – history of logins, logouts, boots and shutdowns; the lastb command lists failed login attempts (from the companion file /var/log/btmp).
    • /var/run/utmp – currently logged-in users; the w and who commands read it.
    • /var/log/yum.log – yum log.

See also the post on in-depth analysis of CentOS logs to trace an intrusion.
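As an added example (not part of the original post) of the log check this section calls for, the following shell functions count sshd "Failed password" events in /var/log/secure per source address and flag addresses that cross a threshold, which is the kind of finding a regular review or a logwatch report should surface. The log lines and the addresses in them are constructed.

```shell
# Added example (not from the original post): brute-force detection over
# /var/log/secure. Counts "Failed password" events per source address and
# flags addresses at or above a threshold. The log lines are constructed.

SAMPLE_SECURE='Mar  3 10:15:01 web1 sshd[2134]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:04 web1 sshd[2136]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:09 web1 sshd[2140]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:12 web1 sshd[2141]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  3 10:16:02 web1 sshd[2150]: Accepted publickey for sysmgr from 172.29.73.23 port 40122 ssh2
Mar  3 10:16:30 web1 su: pam_unix(su:session): session opened for user root by sysmgr(uid=500)
Mar  3 10:17:11 web1 sshd[2160]: Failed password for sysmgr from 198.51.100.9 port 60001 ssh2'

# failed_logins_by_ip: secure-log text on stdin -> "COUNT IP" lines, most active first.
# Only sshd "Failed password" events are counted; su and successful logins are ignored.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }   # the token after "from" is the source address
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD: print only addresses with at least THRESHOLD failures.
flag_bruteforce() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

failed_logins_sample()   { printf '%s\n' "$SAMPLE_SECURE" | failed_logins_by_ip; }
flag_sample_bruteforce() { printf '%s\n' "$SAMPLE_SECURE" | flag_bruteforce "$1"; }

# On a live host: flag_bruteforce 6 < /var/log/secure
failed_logins_sample
flag_sample_bruteforce 3
```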

11.1 Installing Logwatch

Logwatch is a log analysis tool written in Perl. It analyzes Linux log files and automatically mails the result to the people responsible, according to customizable requirements.

Logwatch sends its mail through the host's own mail server, so a mail server such as sendmail, postfix or qmail has to be installed on the system.

See the post on Linux log monitoring with logwatch for installation and configuration.

Web Server Security

Server-side programs such as Apache or Tomcat have security configuration issues of their own; consult the relevant hardening guides. New articles will be added when there is time.

Reference

    • Top OpenSSH Server Best Security Practices

"Go" CentOS 6 Server Security Configuration Guide

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.