CentOS 5.5 System Security Configuration

Source: Internet
Author: User
Tags: ssh access, ssh port
1. Comment out unnecessary users and user groups

  # vi /etc/passwd

Comment out the following accounts:

  #adm
  #lp
  #sync
  #shutdown
  #halt
  #news
  #uucp
  #operator
  #games
  #gopher
  #ftp

  # vi /etc/group

Comment out the following groups:

  #adm
  #lp
  #news
  #uucp
  #games
  #dip
2. Add the immutable attribute to the following files to prevent unauthorized users from obtaining permissions.

  # chattr +i /etc/passwd
  # chattr +i /etc/shadow
  # chattr +i /etc/group
  # chattr +i /etc/gshadow

After the attribute is set, users can no longer be added or deleted. To undo the change, first view the current attributes:

  # lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow

lsattr only displays the attributes of a file. Then remove the immutable flag:

  # chattr -i /etc/passwd
  # chattr -i /etc/shadow
  # chattr -i /etc/group
  # chattr -i /etc/gshadow

View again:

  # lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow
  ----- /etc/passwd
  ----- /etc/shadow
  ----- /etc/group
  ----- /etc/gshadow

After you have finished modifying the user database, set the attribute again:

  # chattr +i /etc/passwd
  # chattr +i /etc/shadow
  # chattr +i /etc/group
  # chattr +i /etc/gshadow

3. Disable Ctrl+Alt+Delete from restarting the machine

Edit /etc/inittab and comment out the following line:

  ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running:

  # chmod -R 700 /etc/rc.d/init.d/*

In this way, only the root user can read, write, or execute the above script files.

4. Restrict the su command

If you do not want everyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:

  auth sufficient /lib/security/pam_rootok.so debug
  auth required   /lib/security/pam_wheel.so group=isd

In this case, only users in the isd group can su to root. After that, if you want the user admin to be able to su to root, run the following command:

  # usermod -G 10 admin
5. Prevent attacks

1) Ignore ping and resist SYN floods
If no one can ping the system, security naturally increases. Therefore, add the following line to /etc/rc.d/rc.local:

  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

A SYN flood abuses the three-way handshake of TCP/IP: the attacker sends a large number of connection-initiating (SYN) packets but never completes the handshake. The connection queue of the attacked server fills up, and normal users can no longer connect.
The Linux kernel provides several SYN-related settings. Run the following command:

  sysctl -a | grep syn

You will see:

  net.ipv4.tcp_max_syn_backlog = 1024
  net.ipv4.tcp_syncookies = 0
  net.ipv4.tcp_synack_retries = 5
  net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies controls whether SYN cookies are enabled, which can defeat some SYN attacks; tcp_synack_retries and tcp_syn_retries define how many times a SYN-ACK or SYN is retransmitted.
Increasing the SYN queue length lets the server hold more connections waiting to be established, enabling SYN cookies can defeat some SYN attacks, and the number of retries should be reduced.
To adjust these settings, edit /etc/rc.d/rc.local (vi /etc/rc.d/rc.local) and add the following commands:

  sysctl -w net.ipv4.tcp_max_syn_backlog=2048   # increase the SYN queue length to 2048
  sysctl -w net.ipv4.tcp_syncookies=1           # enable SYN cookies
  sysctl -w net.ipv4.tcp_synack_retries=3       # reduce the number of retries
  sysctl -w net.ipv4.tcp_syn_retries=3
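The following POSIX shell script is an added example, not part of the original article: it checks sysctl output against the four SYN settings above and prints the matching sysctl -w lines for anything out of policy. The sample sysctl output is constructed from the default values shown in the guide, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample of `sysctl -a | grep syn` output from an unhardened host
# (the default values shown in this guide).
SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5'

# Policy from this guide: key, test(1) integer operator, threshold.
syn_policy() {
    printf '%s\n' \
        'net.ipv4.tcp_max_syn_backlog ge 2048' \
        'net.ipv4.tcp_syncookies eq 1' \
        'net.ipv4.tcp_synack_retries le 3' \
        'net.ipv4.tcp_syn_retries le 3'
}

# Value of key $2 in the "key = value" text $1 (empty if absent).
syn_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3 }'
}

# One line per setting in $1 that violates the policy:
#   <key> current=<value|missing> wanted=<op> <threshold>
syn_findings() {
    syn_policy | while read -r key op want; do
        cur=$(syn_get "$1" "$key")
        if [ -z "$cur" ]; then
            printf '%s current=missing wanted=%s %s\n' "$key" "$op" "$want"
        elif ! [ "$cur" "-$op" "$want" ]; then
            printf '%s current=%s wanted=%s %s\n' "$key" "$cur" "$op" "$want"
        fi
    done
}

# Emit the sysctl -w lines from this guide for every finding (printed, not applied).
syn_remediation() {
    syn_findings "$1" | while read -r key rest; do
        printf 'sysctl -w %s=%s\n' "$key" "${rest##* }"
    done
}

syn_remediation "$SAMPLE_SYSCTL"
```

Run it against live output with `syn_remediation "$(sysctl -a 2>/dev/null | grep syn)"` and review the printed lines before adding them to rc.local.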

2) Prevent IP spoofing
Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:

  order hosts,bind   # name resolution order
  multi on           # allow a host to have multiple IP addresses
  nospoof on         # disable IP address spoofing

3) Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can prevent DoS attacks.
For example, add the following lines to /etc/security/limits.conf:

  * hard core 0
  * hard rss 5000
  * hard nproc 20

Then edit /etc/pam.d/login and make sure the following line exists:

  session required /lib/security/pam_limits.so
4) Modify the sshd_config file
First, open the configuration file: vi /etc/ssh/sshd_config.
A. Change the SSH port
Find the line "#Port 22", which indicates that port 22 is used by default, and change it to the following:

  Port 22
  Port 50000

Save and exit, then run /etc/init.d/sshd restart.
In this way, sshd listens on both port 22 and port 50000.
Now edit the firewall configuration (vi /etc/sysconfig/iptables) so that port 50000 is allowed, and run /etc/init.d/iptables restart.
Next, use an SSH client to connect to port 50000 and test whether the connection succeeds.
If the connection succeeds, edit sshd_config again and delete the "Port 22" line.
B. Use only SSH protocol version 2
Change "#Protocol 2" to "Protocol 2".
C. Restrict SSH access
Assume that only the users root, vivek, and jerry need to use the system via SSH. Add the following to sshd_config:

  AllowUsers root vivek jerry

D. Configure the idle timeout interval
Users log on to the server through SSH, so set an idle timeout interval to avoid orphaned SSH sessions. Open sshd_config and make sure the following configuration items are present:

  ClientAliveInterval 300
  ClientAliveCountMax 0

In the preceding example, the idle timeout is 300 seconds, that is, 5 minutes. After this time, an idle user is automatically disconnected (that is, logged out).
E. Disable the .rhosts file
Do not read the user's ~/.rhosts and ~/.shosts files. Add the following setting to sshd_config:

  IgnoreRhosts yes

SSH can emulate the outdated rsh commands. rsh is recognized as an insecure remote access protocol and must be disabled.
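As an added example that is not part of the original article, the POSIX shell script below audits an sshd_config text against points A to E above (port 22 removed, Protocol 2, AllowUsers set, ClientAlive settings, IgnoreRhosts). The config excerpt is constructed and the function names are assumptions; it reads top-level keywords only and ignores Match blocks.

```sh
#!/bin/sh
# Constructed sshd_config excerpt (not a real host): the port change of step A is
# half done (22 and 50000 both listed), Protocol is still commented out, there is
# no AllowUsers line and no idle timeout; only IgnoreRhosts is already set.
SAMPLE_SSHD='#Port 22
Port 22
Port 50000
#Protocol 2,1
IgnoreRhosts yes
X11Forwarding yes'

# Print the value(s) of keyword $2 from the config text in $1.
# sshd keywords are case-insensitive; commented lines are skipped because their
# first field starts with '#'. Top-level keywords only (Match blocks are ignored).
sshd_get() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }'
}

# One finding per line for each point of this guide that the config misses.
sshd_findings() {
    cfg=$1
    ports=$(sshd_get "$cfg" Port | tr '\n' ' ')
    if [ -z "$ports" ]; then
        ports='22 '                       # sshd default when no Port line is set
    fi
    case " $ports" in
        *' 22 '*) echo "Port: still listening on 22 (ports: $ports)" ;;
    esac
    [ "$(sshd_get "$cfg" Protocol)" = 2 ] || echo "Protocol: not pinned to 2"
    [ -n "$(sshd_get "$cfg" AllowUsers)" ] || echo "AllowUsers: no user whitelist"
    [ "$(sshd_get "$cfg" ClientAliveInterval)" = 300 ] || echo "ClientAliveInterval: not 300"
    [ "$(sshd_get "$cfg" ClientAliveCountMax)" = 0 ] || echo "ClientAliveCountMax: not 0"
    rhosts=$(sshd_get "$cfg" IgnoreRhosts | tr 'A-Z' 'a-z')
    [ "$rhosts" = yes ] || echo "IgnoreRhosts: not yes"
}

# Exit status 0 when the config satisfies every point above, 1 otherwise.
sshd_ok() {
    [ -z "$(sshd_findings "$1")" ]
}

sshd_findings "$SAMPLE_SSHD"
```

On a real host, call `sshd_findings "$(cat /etc/ssh/sshd_config)"` after editing and before the final sshd restart.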

6. Restrict the permissions of various files

  [root@localhost ~]# chmod 700 /usr/bin/
  [root@localhost ~]# chmod 750 /usr/bin/*++*
  [root@localhost ~]# chmod 750 /usr/bin/c++*
  [root@localhost ~]# chmod 750 /usr/bin/ld
  [root@localhost ~]# chmod 750 /usr/bin/
  [root@localhost ~]# locate sqlaccess
  /opt/lampp/bin/mysqlaccess
  [root@localhost ~]# chmod 755 /opt/lampp/bin/mysqlaccess
  [root@localhost ~]# chattr +a .bash_history
  [root@localhost ~]# chattr +i .bash_history
  [root@localhost ~]# chmod 700 /bin/ping
  [root@localhost ~]# chmod 700 /usr/bin/finger
  [root@localhost ~]# chmod 700 /usr/bin/who
  [root@localhost ~]# chmod 700 /usr/bin/w
  [root@localhost ~]# chmod 700 /usr/bin/locate
  [root@localhost ~]# chmod 700 /usr/bin/whereis
  [root@localhost ~]# chmod 700 /usr/bin/vim
  [root@localhost ~]# chmod 700 /usr/bin/make
  [root@localhost ~]# chmod 700 /bin/netstat
  [root@localhost ~]# chmod 700 /usr/bin/tail
  [root@localhost ~]# chmod 700 /usr/bin/less
  [root@localhost ~]# chmod 700 /usr/bin/head
  [root@localhost ~]# chmod 700 /bin/cat
  [root@localhost ~]# chmod 700 /bin/uname
  [root@localhost ~]# chmod 500 /bin/ps
  [root@localhost ~]# chmod 500 /usr/sbin/lsof