CentOS 5.5 System Security Configuration

Source: Internet
Author: User

 

1. Comment out unnecessary users and user groups

Vi/etc/passwd

# Adm

# Lp

# Sync

# Shutdown

# Halt

# News

# Uucp

# Operator

# Games

# Gopher

# Ftp

Vi/etc/group

# Adm

# Lp

# News

# Uucp

# Games

# Dip

2. Add unchangeable attributes to the following files to prevent unauthorized users from obtaining permissions.

# Chattr + I/etc/passwd

# Chattr + I/etc/shadow

# Chattr + I/etc/group

# Chattr + I/etc/gshadow

After the permission is modified, the user cannot be added or deleted. To cancel the previous modification,

 

# Lsattr/etc/passwd/etc/shadow/etc/group/etc/gshadow

Lsattr only displays the attributes of a file.

 

# Chattr-I/etc/passwd

# Chattr-I/etc/shadow

# Chattr-I/etc/group

# Chattr-I/etc/gshadow

View again

Lsattr/etc/passwd/etc/shadow/etc/group/etc/gshadow

-----/Etc/passwd

-----/Etc/shadow

-----/Etc/group

-----/Etc/gshadow

After modification, execute

 

Chattr + I/etc/passwd

Chattr + I/etc/shadow

Chattr + I/etc/group

Chattr + I/etc/gshadow

Disable Ctrl + Alt + Delete from restarting machine commands

 

3. Modify the/etc/inittab file and comment out "ca: ctrlaltdel:/sbin/shutdown-t3-rnow" line.

Then reset the permission for all files in the/etc/rc. d/init. d/directory and run the following command:

 

# Chmod-R 700/etc/rc. d/init. d /*

In this way, only the root user can read, write, or execute all the above script files.

 

4. Restrict su commands

If you do not want anyone to use su as the root user, you can edit the/etc/pam. d/su file and add the following two lines:

 

Auth sufficient/lib/security/pam_rootok.sodebug

Auth required/lib/security/pam_wheel.sogroup = isd

In this case, only users in the isd group can use su as the root user. After that, if you want the user admin to be able to su as root, you can run the following command:

 

# Usermod-G 10 admin

5. Prevent Attacks

1) Prevent ping and resist SYN:

If no one can ping the system, the security will naturally increase. Therefore, we can add the following line to the/etc/rc. d/rc. local file:

 

Echo 1>/proc/sys/net/ipv4/icmp_echo_ignore_all

SYN attacks use the three-way handshake principle of the TCP/IP protocol to send a large number of network packets that establish connections, but do not actually establish connections. As a result, the network queue of the attacked server is full, cannot be accessed by normal users.

The Linux Kernel provides several SYN-related configurations. Run the following command:

 

Sysctl-a | grep syn

See:

Net. ipv4.tcp _ max_syn_backlog = 1024

Net. ipv4.tcp _ syncookies = 0

Net. ipv4.tcp _ synack_retries = 5

Net. ipv4.tcp _ syn_retries = 5

Tcp_max_syn_backlog is the length of the SYN queue, and tcp_syncookies are a function. Whether to enable the SYN Cookie function can prevent some SYN attacks. Tcp_synack_retries and tcp_syn_retries define the number of retries of SYN.

Increasing the SYN queue length can accommodate more network connections waiting for connection. Enabling the SYN Cookie function can prevent some SYN attacks and reduce the number of retries.

To adjust the preceding settings, follow these steps:

Vi/etc/rc. d/rc. local, add the following command Method

 

Sysctl-w net. ipv4.tcp _ max_syn_backlog = 2048 # increase the SYN queue length to 2048

Sysctl-w net. ipv4.tcp _ syncookies = 1 # enable the syn cookie Function

Sysctl-w net. ipv4.tcp _ synack_retries = 3 # reduce the number of retries

Sysctl-w net. ipv4.tcp _ syn_retries = 3

2) prevent IP Spoofing

Edit the host. conf file and add the following lines to prevent IP spoofing attacks.

 

Order hosts, bind # name interpretation order

Multi on # Allow the host to have multiple IP addresses

Nospoof on # Disable IP Address Spoofing

3) Prevent DoS Attacks

Setting resource limits for all users of the system can prevent DoS attacks, such as the maximum number of processes and memory usage.

For example, you can add the following lines in/etc/security/limits. conf:

 

* Hard core 0

* Hard rss 5000

* Hard nproc 20

Then, you must edit the/etc/pam. d/login file to check whether the following row exists.

Session required/lib/security/pam_limits.so

4) modify the sshd_config file

First, modify the configuration file vi/etc/ssh/sshd_config.

A. Modify the SSH port

Find the section # Port 22, which indicates that Port 22 is used by default and changed to the following:

 

Port 22

Port 50000

Save and exit

Run/etc/init. d/sshd restart

In this way, the SSH port will work on both 22 and 50000.

Now edit the firewall configuration: vi/etc/sysconfig/iptables

Port 50000 is enabled.

Run/etc/init. d/iptables restart

Now, use the ssh tool to connect to port 50000 to test whether the connection is successful.

If the connection is successful, edit the settings of sshd_config again and delete Port22.

B only uses SSH v2

Change # Protocol 2 to Protocol 2

C. Restrict SSH access.

Assume that you only need the root, vivek, and jerry users to use the system via SSH and add the following to the sshd_config configuration file:

 

AllowUsers root vivek jerry

D. Configure the idle time-out exit interval.

You can log on to the server through ssh. You can set an idle timeout interval to avoid orphan ssh sessions. Open the sshd_config configuration file to ensure the following configuration items are available:

 

ClientAliveInterval 300

ClientAliveCountMax 0

In the preceding example, the idle timeout interval is set to 300 seconds, that is, 5 minutes. After this time, the idle user is automatically kicked out (which can be understood as logout or logout ).

E. Disable the. rhosts file.

Do not read the user's ~ /. Rhosts and ~ /. Shosts file. Use the following settings to update the sshd_config configuration file:

IgnoreRhosts yes

SSH can simulate outdated rsh commands. rsh is recognized as an insecure Remote Access Protocol and must be disabled.

 

6. Restrict the permissions of different files

[Root @ localhost ~] # Chmod 700/usr/bin/

[Root @ localhost ~] # Chmod 750/usr/bin/* ++ *

[Root @ localhost ~] # Chmod 750/usr/bin/c ++ *

[Root @ localhost ~] # Chmod 750/usr/bin/ld

[Root @ localhost ~] # Chmod 750/usr/bin/

[Root @ localhost ~] # Locate sqlaccess

/Opt/lampp/bin/mysqlaccess

[Root @ localhost ~] # Chmod 755/opt/lampp/bin/mysqlaccess

[Root @ localhost ~] # Chattr + a. bash_history

[Root @ localhost ~] # Chattr + I. bash_history

[Root @ localhost ~] # Chmod 700/bin/ping

[Root @ localhost ~] # Chmod 700/usr/bin/finger

[Root @ localhost ~] # Chmod 700/usr/bin/who

[Root @ localhost ~] # Chmod 700/usr/bin/w

[Root @ localhost ~] # Chmod 700/usr/bin/locate

[Root @ localhost ~] # Chmod 700/usr/bin/whereis

[Root @ localhost ~] # Chmod 700/usr/bin/vim

[Root @ localhost ~] # Chmod 700/usr/bin/make

[Root @ localhost ~] # Chmod 700/bin/netstat

[Root @ localhost ~] # Chmod 700/usr/bin/tail

[Root @ localhost ~] # Chmod 700/usr/bin/less

[Root @ localhost ~] # Chmod 700/usr/bin/head

[Root @ localhost ~] # Chmod 700/bin/cat

[Root @ localhost ~] # Chmod 700/bin/uname

[Root @ localhost ~] # Chmod 500/bin/ps

[Root @ localhost ~] # Chmod 500/usr/sbin/lsof

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.