Centos 6.4 Security Protection Settings Guide

Source: Internet
Author: User


After the CentOS operating system has been installed, a few simple settings make the system more secure and reliable. Below we introduce some of the most basic security protection policies that further improve the security of the operating system.

1. Change the minimum user password length

Password security is the first line of defence for the operating system, so passwords must be strong. You can change the minimum password length by modifying the /etc/login.defs file.

The original content of /etc/login.defs is as follows:

[root@localhost ~]# vi /etc/login.defs

#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                   500
UID_MAX                 60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                   500
GID_MAX                 60000

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

Change the minimum password length to 8:

PASS_MIN_LEN 8

(As the header of the file itself notes, the passwd command uses PAM, so interactive password changes are governed by /etc/pam.d/system-auth; PASS_MIN_LEN is read by the shadow-utils tools, not by passwd.)

2. Remove (or comment out) users and user groups that the operating system does not need.

After CentOS 6.4 is installed, we should deal with unnecessary users and user groups to reduce the possible security problems they present.

The original content of /etc/passwd is as follows:

[root@localhost ~]# vi /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rtkit:x:499:497:RealtimeKit:/proc:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
pulse:x:498:496:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
saslauth:x:497:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin

Remove the following users (the userdel command deletes each account; the /etc/passwd line it removes is shown after it as a comment):

userdel adm        # adm:x:3:4:adm:/var/adm:/sbin/nologin
userdel lp         # lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
userdel sync       # sync:x:5:0:sync:/sbin:/bin/sync
userdel shutdown   # shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
userdel halt       # halt:x:7:0:halt:/sbin:/sbin/halt
userdel uucp       # uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
userdel operator   # operator:x:11:0:operator:/root:/sbin/nologin
userdel games      # games:x:12:100:games:/usr/games:/sbin/nologin
userdel gopher     # gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
userdel ftp        # ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

The original content of /etc/group is as follows:

[root@localhost ~]# vi /etc/group

root:x:0:
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sys:x:3:bin,adm
adm:x:4:adm,daemon
tty:x:5:
disk:x:6:
lp:x:7:daemon
mem:x:8:
kmem:x:9:
wheel:x:10:
mail:x:12:mail,postfix
uucp:x:14:
man:x:15:
games:x:20:
gopher:x:30:
video:x:39:
dip:x:40:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
dbus:x:81:
usbmuxd:x:113:
utmp:x:22:
utempter:x:35:
desktop_admin_r:x:499:
desktop_user_r:x:498:
floppy:x:19:
vcsa:x:69:
rpc:x:32:
rtkit:x:497:
avahi-autoipd:x:170:
cdrom:x:11:
tape:x:33:
dialout:x:18:
wbpriv:x:88:
pulse:x:496:
pulse-access:x:495:
fuse:x:494:
haldaemon:x:68:haldaemon
ntp:x:38:
apache:x:48:
saslauth:x:76:
postdrop:x:90:
postfix:x:89:
abrt:x:173:
rpcuser:x:29:
nfsnobody:x:65534:
gdm:x:42:
stapusr:x:156:
stapsys:x:157:
stapdev:x:158:
sshd:x:74:
tcpdump:x:72:
slocate:x:21:
ldap:x:55:

Remove the following user groups (the /etc/group line each groupdel removes is shown after it as a comment):

groupdel adm       # adm:x:4:adm,daemon
groupdel lp        # lp:x:7:daemon
groupdel uucp      # uucp:x:14:
groupdel games     # games:x:20:
groupdel dip       # dip:x:40:
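As an added example covering sections 1 and 2 (not part of the original guide), the following Python script audits a login.defs and a passwd file the way the two steps above do by hand: it reports a PASS_MIN_LEN below 8 or a non-SHA512 ENCRYPT_METHOD, and flags extra UID-0 accounts and system accounts (UID below the page's UID_MIN of 500) that still have a login shell. The sample file contents are constructed and abridged from the files shown above; the toor line and the NOLOGIN_SHELLS set are assumptions.

```python
# Constructed sample inputs, abridged from the files shown above; the toor
# line is an invented extra UID-0 account to show what the check catches.
LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
ENCRYPT_METHOD  SHA512
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
toor:x:0:0:constructed test account:/root:/bin/bash
"""
# Policy for this audit: PASS_MIN_LEN 8 and SHA512 come from the guide.
POLICY = {"PASS_MIN_LEN": 8, "ENCRYPT_METHOD": "SHA512"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}  # assumed set of non-login shells

def parse_login_defs(text):
    """Return {KEY: value} from login.defs, ignoring comments and blank lines."""
    defs = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs

def check_login_defs(text):
    """List password settings that are weaker than POLICY."""
    defs, findings = parse_login_defs(text), []
    if int(defs.get("PASS_MIN_LEN", 0)) < POLICY["PASS_MIN_LEN"]:
        findings.append("PASS_MIN_LEN %s < %d" % (defs.get("PASS_MIN_LEN"), POLICY["PASS_MIN_LEN"]))
    if defs.get("ENCRYPT_METHOD") != POLICY["ENCRYPT_METHOD"]:
        findings.append("ENCRYPT_METHOD is %s" % defs.get("ENCRYPT_METHOD"))
    return findings

def check_passwd(text):
    """Flag extra UID-0 accounts and system accounts (UID < 500) with a login shell."""
    findings = []
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) == 0 and name != "root":
            findings.append("extra UID 0 account: %s" % name)
        elif int(uid) < 500 and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append("system account %s has shell %s" % (name, shell))
    return findings

if __name__ == "__main__":
    for finding in check_login_defs(LOGIN_DEFS) + check_passwd(PASSWD):
        print(finding)
```

On a real host, read /etc/login.defs and /etc/passwd into the two strings instead of the constructed samples.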

3. Check the secure login file of the system.

By checking the /var/log/secure file we can see which users logged in, from which IP addresses, and which authentication attempts failed. The command below pages through the whole file; to pick out only refused connections, pipe it through grep (more /var/log/secure | grep refused).

[root@localhost ~]# more /var/log/secure
Jan 16 22:33:29 localhost polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.23, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jan 16 22:33:32 localhost sshd[1728]: Received signal 15; terminating.
Jan 16 22:33:32 localhost sshd[2460]: Exiting on signal 15
Jan 16 22:33:32 localhost sshd[2460]: pam_unix(sshd:session): session closed for user root
Jan 17 15:54:27 localhost sshd[1737]: Server listening on 0.0.0.0 port 22.
Jan 17 15:54:27 localhost sshd[1737]: Server listening on :: port 22.
Jan 17 15:54:35 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.24 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Jan 17 15:54:50 localhost sshd[2461]: Accepted password for root from 192.168.1.3 port 55918 ssh2
Jan 17 15:54:50 localhost sshd[2461]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 17 16:01:55 localhost polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.24, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jan 17 16:01:58 localhost sshd[1737]: Received signal 15; terminating.
Jan 17 16:01:58 localhost sshd[2461]: Exiting on signal 15
Jan 17 16:01:58 localhost sshd[2461]: pam_unix(sshd:session): session closed for user root
Jan 29 10:49:52 localhost sshd[1728]: Server listening on 0.0.0.0 port 22.
Jan 29 10:49:52 localhost sshd[1728]: Server listening on :: port 22.
Jan 29 10:49:57 localhost polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.23 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Jan 29 10:50:02 localhost sshd[2452]: Accepted password for root from 192.168.1.4 port 53853 ssh2
Jan 29 10:50:02 localhost sshd[2452]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 29 10:51:43 localhost vsftpd[2482]: pam_unix(vsftpd:auth): check pass; user unknown
Jan 29 10:51:43 localhost vsftpd[2482]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=fsdaf rhost=192.168.1.4
Jan 29 10:51:43 localhost vsftpd[2482]: pam_succeed_if(vsftpd:auth): error retrieving information about user fsdaf
Jan 29 10:51:58 localhost vsftpd[2484]: pam_unix(vsftpd:auth): check pass; user unknown
Jan 29 10:51:58 localhost vsftpd[2484]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ithov rhost=192.168.1.4
Jan 29 10:51:58 localhost vsftpd[2484]: pam_succeed_if(vsftpd:auth): error retrieving information about user ithov
Jan 29 10:54:35 localhost sshd[2452]: pam_unix(sshd:session): session closed for user root
Jan 29 10:54:36 localhost sshd[2493]: Accepted password for root from 192.168.1.4 port 54693 ssh2
Jan 29 10:54:36 localhost sshd[2493]: pam_unix(sshd:session): session opened for user root by (uid=0)

In this excerpt, root logged in over SSH from 192.168.1.3 and 192.168.1.4, and two FTP login attempts from 192.168.1.4 used user names (fsdaf, ithov) that do not exist on the system.
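As an added example (not part of the original guide), this Python script applies the check described above to log lines instead of reading them by eye: it summarises accepted SSH logins per source address, PAM authentication failures per source address and service, and attempts against user names that do not exist locally. The SAMPLE_LOG lines are constructed from the excerpt above, and the regular expressions are assumptions about the CentOS 6 message formats shown there.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the /var/log/secure excerpt above (not the full log).
SAMPLE_LOG = """\
Jan 17 15:54:50 localhost sshd[2461]: Accepted password for root from 192.168.1.3 port 55918 ssh2
Jan 29 10:50:02 localhost sshd[2452]: Accepted password for root from 192.168.1.4 port 53853 ssh2
Jan 29 10:51:43 localhost vsftpd[2482]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=fsdaf rhost=192.168.1.4
Jan 29 10:51:43 localhost vsftpd[2482]: pam_succeed_if(vsftpd:auth): error retrieving information about user fsdaf
Jan 29 10:51:58 localhost vsftpd[2484]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ithov rhost=192.168.1.4
Jan 29 10:54:36 localhost sshd[2493]: Accepted password for root from 192.168.1.4 port 54693 ssh2
Jan 29 10:54:36 localhost sshd[2493]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Patterns assumed from the message formats in the excerpt above.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
FAILURE = re.compile(r"pam_unix\((\w+):auth\): authentication failure;.*?ruser=(\S*) rhost=(\S+)")
UNKNOWN = re.compile(r"pam_succeed_if\((\w+):auth\): error retrieving information about user (\S+)")

def summarize(log_text):
    """Return a dict summarising logins and failures per remote host."""
    logins = defaultdict(Counter)    # rhost -> Counter(user) for accepted SSH logins
    failures = defaultdict(Counter)  # rhost -> Counter(service) for PAM auth failures
    unknown_users = Counter()        # user names that do not exist locally
    root_password_logins = 0         # password (not key) logins as root
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, rhost = m.groups()
            logins[rhost][user] += 1
            if user == "root" and method == "password":
                root_password_logins += 1
            continue
        m = FAILURE.search(line)
        if m:
            _service, _ruser, rhost = m.groups()
            failures[rhost][_service] += 1
            continue
        m = UNKNOWN.search(line)
        if m:
            unknown_users[m.group(2)] += 1
    return {
        "logins": {h: dict(c) for h, c in logins.items()},
        "failures": {h: dict(c) for h, c in failures.items()},
        "unknown_users": dict(unknown_users),
        "root_password_logins": root_password_logins,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against the real file, pass the contents of /var/log/secure to summarize() instead of SAMPLE_LOG.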

4. Use the chattr command to make the following files immutable

This effectively prevents unauthorized modification of the account files. Note that while the immutable attribute is set, useradd, userdel and passwd will also fail, so remove it with chattr -i before making account changes.

[root@localhost ~]# chattr +i /etc/passwd
[root@localhost ~]# chattr +i /etc/shadow
[root@localhost ~]# chattr +i /etc/group
[root@localhost ~]# chattr +i /etc/gshadow

5. Change the SSH port to enhance login security

After CentOS 6.4 is installed, SSH listens on port 22 by default, just as Remote Desktop on Windows Server 2008 uses port 3389, so even a casual user can guess which service the port provides. We therefore recommend using a port above 10000, so that when someone scans the host the chance of the service being found is reduced. This only cuts down on casual scans; it does not by itself restrict who can log in.

Do not allow connections using the earlier (version 1) SSH protocol:

[root@localhost ~]# vi /etc/ssh/sshd_config
Change
#Protocol 2,1
to
Protocol 2
(Note: protocol version 1 is already disabled by default in CentOS 6; the default is Protocol 2.)

Change Port to 10000 or above:
[root@localhost ~]# vi /etc/ssh/sshd_config
Port 10000

Open the new port in the firewall (the rule must come before the final REJECT rule of the INPUT chain) and restart iptables for it to take effect:
[root@localhost ~]# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT

[root@localhost ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: ip_nat_ftp           [  OK  ]

6. Prevent IP spoofing

Edit the /etc/host.conf file and add the following lines to guard against IP spoofing in host name lookups:

order bind,hosts
multi off
nospoof on
