After CentOS is installed, many people go straight to an lnmp one-click package or set up the environment with yum and Apache, and skip the simplest basic security settings. Even though many say Linux is more secure than Windows, do not ignore these general security settings. Today we introduce some simple work we do right after installing the system.

1. Configuring the NIC so the machine can reach the Internet is required, but it is not covered here.

2. If you are in China, first switch the yum source to 163 or sohu so that updates download faster, then update the system:

    cd /etc/yum.repos.d            # enter the repo configuration directory
    mkdir bak                      # create a backup directory
    mv *.repo bak
    wget http://mirrors.163.com/.help/CentOS-Base-163.repo
    # import the GPG key; this is the 64-bit one
    rpm --import http://mirrors.163.com/centos/5/os/x86_64/RPM-GPG-KEY-CentOS-5
    yum makecache
    yum --exclude="kernel* centos-release*" update -y
    cd ~                           # back to the home directory

3. Delete some default users and groups that are rarely used; after all, the more accounts there are, the less secure the system is:

    userdel adm
    userdel lp
    userdel sync
    userdel shutdown
    userdel halt
    userdel news
    userdel games
    userdel ftp
    groupdel lp
    groupdel news
    groupdel games
    groupdel dip
    groupdel pppusers

4. Create an ordinary user for SSH logins and refuse remote root logins, so that remote access stays safe:

    useradd memory                 # memory is the user name
    passwd memory                  # set a password you will use for remote logins
    # only members of the wheel group may su to root
    sed -i 's/^#\(auth[[:space:]]*required[[:space:]]*pam_wheel.so use_uid\)/\1 group=wheel/' /etc/pam.d/su
    usermod -G 10 memory           # gid 10 is wheel
    # make the account files immutable (run chattr -i on them before any later account change)
    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/group
    chattr +i /etc/gshadow
    # disable the Ctrl+Alt+Delete reboot shortcut
    sed -i -e 's/\(^ca::ctrlaltdel.*$\)/#\1/' /etc/inittab

On CentOS 6 the shortcut is defined in /etc/init/control-alt-delete.conf instead of /etc/inittab, so comment out the exec line there.

5. Configure SSH: block remote root login and change the default port. Back up the configuration file first:

    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    # change the default port 22 (this example uses 1000)
    sed -i "s/#Port 22/Port 1000/" /etc/ssh/sshd_config
    # root may not log in directly
    sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
    # do not allow logins with an empty password
    sed -i "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/" /etc/ssh/sshd_config
    sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config

6. Configure the iptables rules. Clear the existing rules first:

    iptables -F
    iptables -X
    iptables -Z
    iptables -A INPUT -p tcp -m multiport --dports 9999,80 -j ACCEPT
    iptables -I INPUT 2 -i lo -p all -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p udp --sport 53 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --sports 80 -j ACCEPT

Replace 9999 above with your own SSH port, the same one you set in step 5 (that example used 1000). Otherwise you will be unable to connect to the server after restarting SSH. Then save and restart iptables, and restart SSH:

    /etc/init.d/iptables save      # save the rules
    /etc/init.d/iptables restart   # restart
    /etc/init.d/sshd restart

Log in over SSH with the new account, remembering port 9999. After logging in you can su to root to perform root operations.

The above method was tested successfully on CentOS 6.3 32-bit and 64-bit on TTVPS. That's all for today. See you next time.
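As an added example (not part of the original post), the script below applies the step-5 sshd_config changes to a copy of the file, handling both commented defaults and already-set values, and then checks that the resulting port is in the port list given to iptables in step 6, which is the mismatch the post warns about. The sample config, the temporary file and the helper functions are constructed for this example and are not the post's own commands.

```shell
#!/bin/sh
# Added example: harden a copy of sshd_config and verify it before touching the live file.

# set_directive FILE KEY VALUE: turn any "#Key ..." or "Key ..." line into "Key VALUE",
# or append the directive if it is absent, so the script is safe to run twice.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY: print the effective (uncommented) value of KEY.
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: the step-5 changes from the post.
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PermitEmptyPasswords no
    set_directive "$1" MaxAuthTries 6
}

# port_allowed PORT "9999,80": succeed only if PORT appears in the comma-separated
# list passed to iptables --dports; a mismatch locks you out after restarting sshd.
port_allowed() {
    echo "$2" | tr ',' '\n' | grep -qx "$1"
}

# Constructed sample config with stock-style commented defaults (MaxAuthTries absent).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
#PermitRootLogin yes
#PermitEmptyPasswords no
EOF

harden_sshd_config "$SAMPLE" 9999
if port_allowed "$(get_directive "$SAMPLE" Port)" "9999,80"; then
    echo "sshd port $(get_directive "$SAMPLE" Port) is open in the iptables rule"
else
    echo "WARNING: sshd port is not in the iptables port list" >&2
fi
```

The hardened copy is left in the temporary file so it can be inspected and diffed against /etc/ssh/sshd_config before being copied into place.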