1, without root, add ordinary users, through sudo authorization management.
2, change the default remote connection SSH service port and disable the root user remote connection.
3, scheduled automatic Update server time
4, configure the domestic Yum source code, download and install the RPM package from the domestic
5, close Selinux,iptables (iptables working scenario if used, usually open port)
6, adjust the number of file description, process file Open will consume the file descriptor.
7, scheduled automatic cleanup/var/spool/elientmpqune/directory garbage files, prevent inodes node is full, if there is no sendmail, ignore can.
8, compact boot-up self-booting (Crond, sshd, Network, Rsyslog (CENTOS5) syslog)
9, optimize kernel parameters/etc/sysctl.conf Execute sysctl-p effective
10, change character set, support Chinese, but it is recommended to use the English character set, prevent garbled problem.
11. Lock critical system files, charttr +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
12, empty/etc/issue Remove the system kernel version before login display
1,sudo Users
----------------------------------------------------
# Visodu = = Vi/etc/sudoers
# Visudo will automatically detect commands
# Oldboy all= (All)/user/sbin/useradd
# Oldboy all= (All) Nopasswd:all #使用时候不用输入密码
# sudo useradd test # testing sudo
# sudo su-#切换到root
# sudo-l #查看自己的权限
------------------------------------------------------
2, change the default remote connection SSH service port and disable the root user remote connection.
------------------------------------------------------
# Remember to make sure that you have created another user, or that root cannot log in and is not connected at all.
# cd/etc/ssh/
# CP Sshd_config Sshd_config.bak #一定要备份
# VI Sshd_config
# at the top level of the configuration file, add the following code
Port 52113 #→ssh Connect the default ports, everyone knows, must be changed.
Permitrootlogin No #→root user hackers know that it is forbidden to log on remotely.
Permitemptypasswords no #→ prohibit empty password login
Usedns no #→ do not use DNS
Gssapiauthentication No # authentication method
# Restart SSHD
#/etc/init.d/sshd Restart
-------------------------------------------------------
3. Time Automatic synchronization
-------------------------------------------------------
#/usr/sbin/ntpdate Time.nist.gov #自动和时间服务器同步
# echo ' */5 * * * * */usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 ' >>/var/spool/cron/root #添加时间自动同步
# crontab-l
--------------------------------------------------------
4, configure the domestic Yum source code, download and install the RPM package from the domestic
-------------------------------------------------------
# Operations to back up
# cd/etc/yum.repos.d/
#/BIN/MV Centos-base.repo Centos-base.repo.ori # Backup
# wget Http://mirrors.163.com/.help/CentOS6-Base-163.repo
#/BIN/MV Centos6-base-163.repo Centos-base.repo
# Yum upgrade or Yum update
# yum Install tree telnet dos2unix sys stat lrzsz-y
# Rpm-qa | grep Tree #查询安装是否成功
--------------------------------------------------------
5, close Selinux,iptables (iptables working scenario if used, usually open port)
-------------------------------------------------------
1)
Edit Vi/etc/selinux/config directly
Direct Replacement Sed-i S#selinux=disable#selinux=disabled#g
Check Cat/etc/selinux/config
Check grep selinux=disable/etc/selinux/config selinux=disabled
2)
Setenforce 0 #设置selinux
Getenforce #查看SELinux
------------------------------------------------------
6, adjust the number of file description, process file Open will consume the file descriptor.
------------------------------------------------------
# ULIMIT-HSN 65535 #设置文件描述符最大数
# ulimit-n #查看是否生效
# Modify the configuration file, Centos6.5 with the command settings do not take effect, restart failure
# echo ' *-nofile 65535 ' >>/etc/security/limits.conf
# TAIL-1/etc/security/limits.con
------------------------------------------------------
7, scheduled automatic cleanup/var/spool/elientmpqune/directory garbage files, prevent inodes node is full, if there is no sendmail, ignore can.
--------------------------------------------------
Find/var/spool/clientmqueue-type f-print-exec rm-f {} \;
------------------------------------------------
8, compact boot-up self-booting (Crond, sshd, Network, Rsyslog (CENTOS5) syslog)
----------------------------------------------------------
The sshd OpenSSH server should be considered open.
Syslog is an operating system that provides a mechanism by which daemons typically use these mechanisms to write various information to each system log file (must)
Rsyslog CENTOS6.2 System Log rsyslog replace the default log service Syslog
Network activation/Shutdown each of the networking interfaces at startup (must) should be considered open.
Crond the task of running the user schedule periodically. Adds a lot of attributes to the traditional UNIX version, and is more secure and easier to configure, providing running services for processes that are automatically scheduled under Linux.
#/sbin/chkconfig--list | grep 3:on #查看在3级别下, command started
# lang=en
1) Method One
# for Oldboy in ' chkconfig--list|grep 3:on|awk ' {print '} ';d o chkconfig--level 3 $oldboy off;done
# for Oldboy in Crond network rsyslog sshd;d o chkconfig--level 3 $oldboy on;done
2) Method 21 command
# for Oldboy in ' chkconfig--list|grep ' 3:on ' |awk ' {print '} ' |grep-ve ' Crond|network|sshd|rsyslog ' ';d o chkconfig $oldboy Off;done
# chkconfig--list|grep "3:on" #检查命令
------------------------------------------------------
9. Optimize kernel parameters/etc/sysctl.conf Execute sysctl-p effective
------------------------------------------------------
Net.ipv4.tcp_fin_timeout = 2
Net.ipv4.tcp_tw_reuse = 1
Net.ipv4.tcp_tw_recycle = 1
Net.ipv4.tcp_syncookies = 1
Net.ipv4.tcp_keepalive_time = 600
Net.ipv4.ip_local_port_range = 4000 65000
Net.ipv4.tcp_max_syn_backlog = 16384
Net.ipv4.tcp_max_tw_buckets = 36000
Net.ipv4.route.gc_timeout = 100
Net.ipv4.tcp_syn_retries = 1
Net.ipv4.tcp_synack_retries = 1
Net.core.somaxconn = 16384
Net.core.netdev_max_backlog = 16384
Net.ipv4.tcp_max_orphans = 16384
Sysctl–p #生效
-------------------------------------------------------
10. Change character set, support Chinese, but it is recommended to use the English character set, prevent garbled problem.
-------------------------------------------------------
# cat/etc/sysconfig/i18n
# sed-i ' s#lang= ' en_US. UTF-8 "#LANG =" zh_cn.gb2312 "#g/etc/sysconfig/i18n #替换字符集
# source/etc/sysconfig/i18n # Let the character set take effect
# echo $LANG
# LANG=ZH_CN. UTF-8
------------------------------------------------------
11. Lock the critical system files, charttr +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
------------------------------------------------------
#chattr +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab #加锁
#chattr-I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab #解锁
-------------------------------------------------------
12. Empty/etc/issue to remove the system kernel version before the login display
-------------------------------------------------------
Echo ' >/etc/issue
---------------------------------------------------------
13 Modifying the Run level
---------------------------------------------------------
Vi/etc/inittab #启动命令行模式
Sed s/id:5:initdefault:/id:3:initdefault://etc/inittab
---------------------------------------------------------
14 Modifying firewalls
---------------------------------------------------------
/etc/init.d/iptables stop
--------------------------------------------------------
15. View the Installation Kit
----------------------------------------------------------
Yum Grouplist:
Installed Groups:
Base
Compatibility libraries
Debugging Tools
Development tools
Dial-up Networking Support
Hardware Monitoring Utilities
Performance Tools
If you forget to select the package, you can select the package after installation as follows:
Yum groupinstall "Compatibility Libraries" "Base" "Development tools"
Yum Groupinstall "Performance Tools" "Debugging Tools" "Dial-up Networking Support"
Yum Groupinstall "Base" "Development tools"
You can view the specific installed components through the Yum GroupInfo package group.
----------------------------------------------------------
LINUX Security Optimization