LINUX Security Optimization

Source: Internet
Author: User

1, without root, add ordinary users, through sudo authorization management.

2, change the default remote connection SSH service port and disable the root user remote connection.

3, scheduled automatic Update server time

4, configure the domestic Yum source code, download and install the RPM package from the domestic

5, close Selinux,iptables (iptables working scenario if used, usually open port)

6, adjust the number of file description, process file Open will consume the file descriptor.

7, scheduled automatic cleanup/var/spool/elientmpqune/directory garbage files, prevent inodes node is full, if there is no sendmail, ignore can.

8, compact boot-up self-booting (Crond, sshd, Network, Rsyslog (CENTOS5) syslog)

9, optimize kernel parameters/etc/sysctl.conf Execute sysctl-p effective

10, change character set, support Chinese, but it is recommended to use the English character set, prevent garbled problem.

11. Lock critical system files, charttr +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab

12, empty/etc/issue Remove the system kernel version before login display

1,sudo Users

----------------------------------------------------

# Visodu = = Vi/etc/sudoers

# Visudo will automatically detect commands

# Oldboy all= (All)/user/sbin/useradd

# Oldboy all= (All) Nopasswd:all #使用时候不用输入密码

# sudo useradd test # testing sudo

# sudo su-#切换到root

# sudo-l #查看自己的权限

------------------------------------------------------

2, change the default remote connection SSH service port and disable the root user remote connection.

------------------------------------------------------

# Remember to make sure that you have created another user, or that root cannot log in and is not connected at all.

# cd/etc/ssh/

# CP Sshd_config Sshd_config.bak #一定要备份

# VI Sshd_config

# at the top level of the configuration file, add the following code

Port 52113 #→ssh Connect the default ports, everyone knows, must be changed.

Permitrootlogin No #→root user hackers know that it is forbidden to log on remotely.

Permitemptypasswords no #→ prohibit empty password login

Usedns no #→ do not use DNS

Gssapiauthentication No # authentication method

# Restart SSHD

#/etc/init.d/sshd Restart

-------------------------------------------------------

3. Time Automatic synchronization

-------------------------------------------------------

#/usr/sbin/ntpdate Time.nist.gov #自动和时间服务器同步

# echo ' */5 * * * * */usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 ' >>/var/spool/cron/root #添加时间自动同步

# crontab-l

--------------------------------------------------------

4, configure the domestic Yum source code, download and install the RPM package from the domestic

-------------------------------------------------------

# Operations to back up

# cd/etc/yum.repos.d/

#/BIN/MV Centos-base.repo Centos-base.repo.ori # Backup

# wget Http://mirrors.163.com/.help/CentOS6-Base-163.repo

#/BIN/MV Centos6-base-163.repo Centos-base.repo

# Yum upgrade or Yum update

# yum Install tree telnet dos2unix sys stat lrzsz-y

# Rpm-qa | grep Tree #查询安装是否成功

--------------------------------------------------------

5, close Selinux,iptables (iptables working scenario if used, usually open port)

-------------------------------------------------------

1)

Edit Vi/etc/selinux/config directly

Direct Replacement Sed-i S#selinux=disable#selinux=disabled#g

Check Cat/etc/selinux/config

Check grep selinux=disable/etc/selinux/config selinux=disabled

2)

Setenforce 0 #设置selinux

Getenforce #查看SELinux

------------------------------------------------------

6, adjust the number of file description, process file Open will consume the file descriptor.

------------------------------------------------------

# ULIMIT-HSN 65535 #设置文件描述符最大数

# ulimit-n #查看是否生效

# Modify the configuration file, Centos6.5 with the command settings do not take effect, restart failure

# echo ' *-nofile 65535 ' >>/etc/security/limits.conf

# TAIL-1/etc/security/limits.con

------------------------------------------------------

7, scheduled automatic cleanup/var/spool/elientmpqune/directory garbage files, prevent inodes node is full, if there is no sendmail, ignore can.

--------------------------------------------------

Find/var/spool/clientmqueue-type f-print-exec rm-f {} \;

------------------------------------------------

8, compact boot-up self-booting (Crond, sshd, Network, Rsyslog (CENTOS5) syslog)

----------------------------------------------------------

The sshd OpenSSH server should be considered open.

Syslog is an operating system that provides a mechanism by which daemons typically use these mechanisms to write various information to each system log file (must)

Rsyslog CENTOS6.2 System Log rsyslog replace the default log service Syslog

Network activation/Shutdown each of the networking interfaces at startup (must) should be considered open.

Crond the task of running the user schedule periodically. Adds a lot of attributes to the traditional UNIX version, and is more secure and easier to configure, providing running services for processes that are automatically scheduled under Linux.

#/sbin/chkconfig--list | grep 3:on #查看在3级别下, command started

# lang=en

1) Method One

# for Oldboy in ' chkconfig--list|grep 3:on|awk ' {print '} ';d o chkconfig--level 3 $oldboy off;done

# for Oldboy in Crond network rsyslog sshd;d o chkconfig--level 3 $oldboy on;done

2) Method 21 command

# for Oldboy in ' chkconfig--list|grep ' 3:on ' |awk ' {print '} ' |grep-ve ' Crond|network|sshd|rsyslog ' ';d o chkconfig $oldboy Off;done

# chkconfig--list|grep "3:on" #检查命令

------------------------------------------------------

9. Optimize kernel parameters/etc/sysctl.conf Execute sysctl-p effective

------------------------------------------------------

Net.ipv4.tcp_fin_timeout = 2

Net.ipv4.tcp_tw_reuse = 1

Net.ipv4.tcp_tw_recycle = 1

Net.ipv4.tcp_syncookies = 1

Net.ipv4.tcp_keepalive_time = 600

Net.ipv4.ip_local_port_range = 4000 65000

Net.ipv4.tcp_max_syn_backlog = 16384

Net.ipv4.tcp_max_tw_buckets = 36000

Net.ipv4.route.gc_timeout = 100

Net.ipv4.tcp_syn_retries = 1

Net.ipv4.tcp_synack_retries = 1

Net.core.somaxconn = 16384

Net.core.netdev_max_backlog = 16384

Net.ipv4.tcp_max_orphans = 16384

Sysctl–p #生效

-------------------------------------------------------

10. Change character set, support Chinese, but it is recommended to use the English character set, prevent garbled problem.

-------------------------------------------------------

# cat/etc/sysconfig/i18n

# sed-i ' s#lang= ' en_US. UTF-8 "#LANG =" zh_cn.gb2312 "#g/etc/sysconfig/i18n #替换字符集

# source/etc/sysconfig/i18n # Let the character set take effect

# echo $LANG

# LANG=ZH_CN. UTF-8

------------------------------------------------------

11. Lock the critical system files, charttr +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab

------------------------------------------------------

#chattr +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab #加锁

#chattr-I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab #解锁

-------------------------------------------------------

12. Empty/etc/issue to remove the system kernel version before the login display

-------------------------------------------------------

Echo ' >/etc/issue

---------------------------------------------------------

13 Modifying the Run level

---------------------------------------------------------

Vi/etc/inittab #启动命令行模式

Sed s/id:5:initdefault:/id:3:initdefault://etc/inittab

---------------------------------------------------------

14 Modifying firewalls

---------------------------------------------------------

/etc/init.d/iptables stop

--------------------------------------------------------

15. View the Installation Kit

----------------------------------------------------------

Yum Grouplist:

Installed Groups:

Base

Compatibility libraries

Debugging Tools

Development tools

Dial-up Networking Support

Hardware Monitoring Utilities

Performance Tools

If you forget to select the package, you can select the package after installation as follows:

Yum groupinstall "Compatibility Libraries" "Base" "Development tools"

Yum Groupinstall "Performance Tools" "Debugging Tools" "Dial-up Networking Support"

Yum Groupinstall "Base" "Development tools"

You can view the specific installed components through the Yum GroupInfo package group.

----------------------------------------------------------


LINUX Security Optimization

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.