Centos 5.5 Security Configuration

Source: Internet
Author: User

I. System security log files
The log files kept by CentOS are an important clue for detecting network intrusions. If the system is directly connected to the Internet and you find that many people are attempting to log in over telnet or FTP, run "# more /var/log/secure | grep refused" to check whether the system is being attacked, and then take countermeasures, such as replacing telnet/rlogin with SSH.
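The check described above, extended into a small triage script; this is an added example, not part of the original article. It summarises tcp_wrappers "refused connect" and sshd "Failed password" entries per source address so a host that keeps probing telnet, FTP or SSH stands out. The log lines are constructed samples in the CentOS 5 syslog format.

```shell
#!/bin/sh
# Added example (not from the original article): count refused/failed
# connections in /var/log/secure per source address.
# The log lines below are constructed samples, not real log data.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 web1 in.telnetd[2240]: refused connect from 10.0.0.8
Mar  3 10:01:15 web1 in.ftpd[2244]: refused connect from 10.0.0.8
Mar  3 10:02:01 web1 sshd[2251]: Failed password for root from 10.0.0.8 port 51022 ssh2
Mar  3 10:02:03 web1 sshd[2253]: Failed password for invalid user admin from 192.168.1.20 port 40000 ssh2
Mar  3 10:02:09 web1 sshd[2260]: Accepted publickey for ops from 192.168.1.5 port 40100 ssh2
Mar  3 10:02:30 web1 sshd[2270]: refused connect from 10.0.0.8
EOF

# Print "count address" for every source that was refused by tcp_wrappers
# or failed an SSH password, most frequent first. Sources with fewer than
# $2 entries (default 1) are dropped. Usage: refused_by_host /var/log/secure 5
refused_by_host() {
    min=${2:-1}
    grep -E 'refused connect from|Failed password for' "$1" \
      | sed -n 's/.* from \([0-9][0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v min="$min" '$1 >= min {print $1, $2}'
}

# Only the addresses that reached the threshold, one per line, for use in
# a hosts.deny entry or a firewall rule.
noisy_sources() {
    refused_by_host "$1" "$2" | awk '{print $2}'
}

refused_by_host "$SAMPLE_LOG"
```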
II. Startup and login security
1. BIOS security
Set a BIOS password and change the boot order so that the system cannot be booted from a floppy disk.
2. User passwords
User passwords are the basic starting point of Linux security. Many users choose passwords that are far too simple, which leaves the door open to intruders; in theory, given enough time and resources, no user password is uncrackable. Choosing a proper password is nevertheless hard: a good password is a string that only its owner can easily remember and make sense of, and it should never be written down anywhere.
To change the minimum password length, edit the login.defs file:
vi /etc/login.defs
PASS_MIN_LEN 8
3. Remove unnecessary users and user groups
All default accounts that the operating system itself creates and that are not needed should be disabled. Do this when the system is first installed. Linux ships with many default accounts, and the more accounts there are, the more exposed the system is.
vi /etc/passwd
# userdel adm
# userdel lp
# userdel sync
# userdel shutdown
# userdel halt
# userdel news
# userdel uucp
# userdel operator
# userdel games
# userdel gopher
# userdel ftp
vi /etc/group
# groupdel adm
# groupdel lp
# groupdel news
# groupdel uucp
# groupdel games
# groupdel dip
# groupdel pppusers
4. Password files
Use the chattr command to set the immutable attribute on the following files, so that unauthorized users cannot modify them to gain privileges:
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
Note that while the immutable flag is set, useradd, usermod and passwd will fail; clear it with chattr -i before making account changes and set it again afterwards.
5. Stop Ctrl+Alt+Delete from rebooting the machine
Edit /etc/inittab and comment out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now.
Then reset the permissions on all files in the /etc/rc.d/init.d/ directory with the following command:
# chmod -R 700 /etc/rc.d/init.d/*
This way only the root user can read, write or execute the above scripts.
6. Restrict the su command
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
Now only users in the isd group can su to root. If you later want the user admin to be able to su to root, run:
# usermod -G 10 admin
7. Remove login banner information
By default, the login prompt shows the Linux release, kernel version and server host name. For a machine with high security requirements this leaks too much information, so edit /etc/rc.d/rc.local and comment out the following lines, which print the system information:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" > /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" > /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo > /etc/issue
Then run the following commands:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net
8. Change the SSH port to 10000 or above, which also reduces the chance that someone scanning ports finds it.
Do not allow the older version of the SSH protocol:
vi /etc/ssh/sshd_config
Change #Protocol 2,1 to
Protocol 2
Change the port to 10000 or above:
vi /etc/ssh/sshd_config
Port 10000
Create an ordinary login user and disable direct root login:
useradd 'username'
passwd 'username'
vi /etc/ssh/sshd_config
PermitRootLogin no # disable direct remote root login
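A way to verify the three sshd_config changes from this step, as an added example that is not from the original article. It reports each directive's effective value, treating a commented-out or missing directive as the OpenSSH 4.x default (Protocol 2,1, Port 22, PermitRootLogin yes), since a stock file with everything still commented out is the case that looks hardened but is not. The two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit sshd_config for the
# settings changed in step 8. Usage: audit_sshd_config /etc/ssh/sshd_config

# Effective value of one directive: first uncommented match, else default.
# Lines starting with '#' have '#Directive' as $1 and therefore never match.
sshd_value() {  # $1=file $2=directive $3=default
    v=$(awk -v key="$2" 'tolower($1)==tolower(key) {print $2; exit}' "$1")
    [ -n "$v" ] && echo "$v" || echo "$3"
}

# Print OK/WEAK per setting; return 1 if any setting is still weak.
audit_sshd_config() {
    rc=0
    proto=$(sshd_value "$1" Protocol "2,1")
    port=$(sshd_value "$1" Port 22)
    root=$(sshd_value "$1" PermitRootLogin yes)
    [ "$proto" = "2" ] && echo "OK   Protocol $proto" || { echo "WEAK Protocol $proto"; rc=1; }
    [ "$port" -ge 10000 ] 2>/dev/null && echo "OK   Port $port" || { echo "WEAK Port $port"; rc=1; }
    [ "$root" = "no" ] && echo "OK   PermitRootLogin $root" || { echo "WEAK PermitRootLogin $root"; rc=1; }
    return $rc
}

# Constructed sample files: the stock config leaves all three commented out.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '#Protocol 2,1' '#Port 22' '#PermitRootLogin yes' > "$WEAK_CFG"
printf '%s\n' 'Protocol 2' 'Port 10000' 'PermitRootLogin no' > "$HARD_CFG"

echo "--- stock file ---";    audit_sshd_config "$WEAK_CFG" || echo "result: weak settings found"
echo "--- hardened file ---"; audit_sshd_config "$HARD_CFG" && echo "result: all checks passed"
```

Remember to restart sshd after editing the file, and keep the existing session open until a new login on the new port succeeds.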
9. Shut down services that are not needed. Remember: one less service running is one less risk.
Only the services to be started are listed below; all services not listed are turned off:
# setup
acpid
anacron
cpuspeed
crond
irqbalance (enable only if the server CPU is SMP or supports dual-core or HT; otherwise disable it)
microcode_ctl
network
random
sendmail
sshd
syslog
yum-updatesd
10. Enabling the iptables firewall does a great deal for system security. Set the firewall rules:
vi /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow local loopback connections
-A INPUT -i lo -j ACCEPT
# Drop invalid connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Add any more rules here
COMMIT
Because the INPUT policy is DROP, add an ACCEPT rule for the SSH port chosen in step 8 (for example -A INPUT -p tcp --dport 10000 -j ACCEPT) before the COMMIT line, otherwise remote access is cut off as soon as the rules are loaded with service iptables restart.
III. Restrict network access
1. NFS access
When using the NFS network file system service, make sure /etc/exports has the strictest possible access settings: do not use wildcards, do not grant root write access, and export only as a read-only file system. Edit /etc/exports and add the following two lines:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory to be exported, host.mydomain.com is the name of the machine allowed to mount it, ro mounts it read-only,
and root_squash prevents root on the client from writing to the directory as root. To make the change take effect, run:
# /usr/sbin/exportfs -a
2. inetd settings
First make sure that /etc/inetd.conf is owned by root and its permissions are set to 600; after changing them, use the stat command to verify the result.
# chmod 600 /etc/inetd.conf
Edit /etc/inetd.conf to disable the following services:
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
If ssh/scp is installed, telnet/FTP can be disabled. To make the change take effect, run:
# killall -HUP inetd
By default most Linux systems accept all requests; using TCP_WRAPPERS to tighten this is straightforward.
Edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to "ALL: ALL" denies all access by default, and the access you want to allow is then added to /etc/hosts.allow.
For example, "sshd: 192.168.10.10/255.255.255.0 gate.openarch.com" means
that the IP address 192.168.10.10 and the host gate.openarch.com are allowed to connect over ssh. Note that an address/netmask pair such as 192.168.10.10/255.255.255.0 actually matches every host in 192.168.10.0/24; to allow a single address, list it without a mask.
After the configuration is complete, check it with tcpdchk:
# tcpdchk
tcpdchk is the tcp_wrappers configuration checker; it verifies the tcp_wrappers configuration and reports all potential and actual problems it detects.
3. Login terminal settings
The /etc/securetty file specifies the tty devices on which root may log in. It is read by /bin/login and is simply a list of permitted device names. Edit /etc/securetty and comment out the following lines:
tty1
# tty2
# tty3
# tty4
# tty5
# tty6
Now root can only log in on the tty1 terminal.
4. Avoid displaying system and version information
If you do not want remote users to see the system and version information when they log in, change the telnet line in /etc/inetd.conf as follows:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding -h makes telnetd suppress the system information and show only the "login:" prompt.
5. Disable IPv6 by editing the corresponding configuration file:
# vi /etc/modprobe.conf
alias net-pf-10 off
alias ipv6 off
# shutdown -r now
IV. Prevent attacks
1. Ignore ping. If nobody can ping the system, security naturally improves, so add the following line to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:
order bind,hosts
multi off
nospoof on
3. Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and the memory usage, helps prevent DoS attacks.
For example, add the following lines to /etc/security/limits.conf:
* hard core 0
* hard rss 5000
* hard nproc 20
Then edit /etc/pam.d/login and make sure the following line is present:
session required /lib/security/pam_limits.so
The settings above disable core dump files; the maximum number of processes is 50 and the memory usage is 5 MB.
With the settings above, the Linux server is protected against the great majority of known security issues and network attacks. However, a good system administrator must keep watching network security trends and fix exposed and potential vulnerabilities promptly.
V. Kernel parameter adjustment
# vi /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
# net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_conntrack_max = 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_synack_retries = 1
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_keepalive_time = 500
net.ipv4.tcp_max_syn_backlog = 10000
Entries in /etc/sysctl.conf are written as key = value; the same settings can be applied immediately from the command line with sysctl -w key=value, and the file is loaded with sysctl -p.
