CentOS-based VPS security settings and Optimization

Source: Internet
Author: User
Tags: account security, vps, ssh port

All commands in this article use CentOS 6.4 as the example and should apply to any 6.x release; on other versions a command path may differ, but the idea is the same. The article could equally be titled "CentOS operating system complete settings and optimization". Do these settings right after the operating system is installed, before you build the web environment (and especially before installing a host control panel): several of the steps below lock files and remove accounts and packages that such installers later need, so doing them afterwards can break the installation. Complete the security settings and optimization first, then build on top of them.

Step 1. Account Security Management

1. Change the password length

[root@localhost /]# vi /etc/login.defs
PASS_MIN_LEN 18

On CentOS 6 the passwd command checks password quality through PAM (the minlen option of pam_cracklib in /etc/pam.d/system-auth), so check that value as well; PASS_MIN_LEN alone is not enough to enforce the length for passwd.

2. Create an ordinary user account and set its password. From now on, all day-to-day work is done with this ordinary account (switching to root with su - only when needed), and direct root logins are disabled later in this article.

[root@localhost /]# useradd ru
[root@localhost /]# passwd ru

Replace ru above with the user name you want to create.

3. disable unnecessary accounts

Linux ships with many accounts by default. Every account that can log in is one more target, so disable the default accounts you do not need. Use vi /etc/passwd to review the system accounts and vi /etc/group to review the groups.

[root@localhost /]# userdel adm
[root@localhost /]# userdel lp
[root@localhost /]# userdel sync
[root@localhost /]# userdel shutdown
[root@localhost /]# userdel halt
[root@localhost /]# userdel news
[root@localhost /]# userdel uucp
[root@localhost /]# userdel operator
[root@localhost /]# userdel games
[root@localhost /]# userdel gopher
[root@localhost /]# userdel ftp
[root@localhost /]# groupdel adm
[root@localhost /]# groupdel lp
[root@localhost /]# groupdel news
[root@localhost /]# groupdel uucp
[root@localhost /]# groupdel games
[root@localhost /]# groupdel dip
[root@localhost /]# groupdel pppusers

Enter the commands above one per line. Note that these are system accounts that packages may reference (for example, packages that install files owned by the adm group or the ftp user); deleting them can make later package installs fail or leave files with dangling ownership. Locking the account and giving it a non-login shell (usermod -L -s /sbin/nologin) achieves the same goal without removing the uid/gid. Most of these accounts already have /sbin/nologin as their shell on CentOS 6, which is the part that matters.
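As an added example (not code from the original article), the script below audits a passwd/shadow pair for accounts that can actually log in, flags accounts with an empty password field, and prints lock commands instead of userdel, keeping a named admin account. The passwd and shadow contents are constructed sample data, not a real system's files; point the functions at /etc/passwd and /etc/shadow to audit a real host.

```bash
#!/bin/bash
# Added example: audit login-capable accounts on a CentOS 6 style box.
# The passwd/shadow data below is CONSTRUCTED sample data, not a real system.

SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
oldadmin:x:501:501:Former admin:/home/oldadmin:/bin/bash
ru:x:500:500:Daily admin:/home/ru:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$salt$hash:16000:0:99999:7:::
sync:*:16000:0:99999:7:::
oldadmin::16000:0:99999:7:::
ru:$6$salt$hash:16000:0:99999:7:::
EOF

# Accounts whose login shell can start a session (anything that is not
# nologin/false, including the sync/halt/shutdown "shells").
# Usage: login_capable <passwd-file>   -> lines "user:uid:shell"
login_capable() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Accounts with an EMPTY password field in shadow: they log in with no password.
# Usage: empty_passwords <shadow-file>
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print usermod commands that lock every login-capable account except root and
# the names given as extra arguments. Locking keeps the uid/gid, so packages
# that chown files to these accounts keep installing.
# Usage: lock_commands <passwd-file> <keep-user> [<keep-user>...]
lock_commands() {
    local passwd_file="$1"; shift
    local keep=" root $* "
    login_capable "$passwd_file" | while IFS=: read -r user uid shell; do
        case "$keep" in
            *" $user "*) continue ;;
        esac
        echo "usermod -L -s /sbin/nologin $user   # was uid $uid, shell $shell"
    done
}

echo "== accounts that can log in =="
login_capable "$SAMPLE_PASSWD"
echo "== accounts with an empty password field =="
empty_passwords "$SAMPLE_SHADOW"
echo "== suggested lock commands (keeping ru) =="
lock_commands "$SAMPLE_PASSWD" ru
```

The empty-password check matters more than the account list: an account with an empty shadow field needs no password at all, which is exactly what PermitEmptyPasswords no in Step 2 guards against on the SSH side.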

5. prohibit unauthorized users from obtaining permissions

[root@localhost /]# chattr +i /etc/passwd
[root@localhost /]# chattr +i /etc/shadow
[root@localhost /]# chattr +i /etc/group
[root@localhost /]# chattr +i /etc/gshadow

After this, no account can be created and no password changed, not even by root: useradd, passwd and package scriptlets that create service accounts will all fail. Run chattr -i on the same four files to remove the immutable bit, make the change, then set +i again. This is why the article recommends doing the VPS setup in this order. Keep in mind that any process running as root can run chattr -i itself, so the immutable bit protects against mistakes and careless scripts, not against an attacker who already has root.

6. Disable the Ctrl + Alt + Delete restart command

On CentOS 5 (SysV init), edit /etc/inittab and comment out the following line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

On CentOS 6 (Upstart) the line is not in /etc/inittab; comment it out in the Upstart job instead:

[root@localhost ~]# vi /etc/init/control-alt-delete.conf
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"   # comment out this line

7. Set/etc/profile

# Log idle shells out automatically, so sessions left behind when an SSH client drops
# do not pile up. The unit is seconds; raise the value if one hour is too short.
[root@localhost /]# echo "TMOUT=3600" >> /etc/profile
# Keep only the last 10 commands in the shell history
[root@localhost /]# sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
[root@localhost /]# source /etc/profile

Use >> (append) for the TMOUT line; a single > would overwrite /etc/profile. Also weigh the HISTSIZE change: a 10-line history hides commands from anyone reading the file, including you when investigating an incident, so many administrators keep the default and protect the history file instead.

8. Reset the permissions of all files in /etc/rc.d/init.d/

All files in /etc/rc.d/init.d/ should be readable, writable and executable by root only (service and chkconfig run as root, so nothing else needs access):

[root@localhost /]# chmod -R 700 /etc/rc.d/init.d/*
Step 2. SSH Security Configuration

SSH is the entry point for logging in to the system, so its configuration matters for security. It is installed by default; if it is missing, install it with yum install openssh-server.

Next, back up the original configuration file.

[root@localhost /]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Then edit the file with vi /etc/ssh/sshd_config:

# SSH port. The default is 22; here it is changed to 5028 as an example
Port 5028
# Only allow SSH protocol version 2 (version 1 is insecure)
Protocol 2
# Do not allow root to log in directly; log in as the ordinary user and su -
PermitRootLogin no
# Do not allow accounts with empty passwords to log in
PermitEmptyPasswords no
# Do not do a reverse DNS lookup of the client address at login (faster logins; it is not a security control)
UseDNS no

In sshd_config the first occurrence of a keyword wins, so change or comment out the existing lines rather than appending new ones at the end of the file.

Before restarting: if iptables is running, open the new port (the page's example uses 5028) in the firewall, and check the file with sshd -t. Then run service sshd restart, keep your current session open, and confirm from a second terminal that you can log in as the ordinary user on the new port and su - to root. A bad configuration on a remote VPS with no console access is a lockout.
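As an added example (not part of the original article), the script below audits an sshd_config against the five settings above, respecting the first-occurrence rule, and produces a hardened copy by removing the old lines before appending the new ones. The config text is a constructed sample with the weak defaults; the port 5028 is the article's example value. It ends with sshd -t, which is skipped if sshd is not installed.

```bash
#!/bin/bash
# Added example: check and harden an sshd_config the way Step 2 describes.
# SAMPLE_CFG is CONSTRUCTED sample data, not a real server's configuration.

SAMPLE_CFG=$(mktemp)
HARDENED=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$HARDENED"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# sample sshd_config: still carries the weak defaults
#Port 22
Protocol 2,1
PermitRootLogin yes
#PermitEmptyPasswords no
UseDNS yes
EOF

# Effective value of a directive. sshd uses the FIRST uncommented occurrence,
# so that is what we report. Keyword match is case-insensitive like sshd's.
# Usage: sshd_value <config-file> <keyword>   (prints nothing if unset)
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one FAIL line per directive that does not match what Step 2 asks for.
# (Match blocks are not handled; keep the directives in the global section.)
# Usage: audit_sshd <config-file>
audit_sshd() {
    local cfg="$1" key want got
    while read -r key want; do
        got=$(sshd_value "$cfg" "$key")
        if [ "$key" = "Port" ]; then
            # any port other than the default 22 satisfies the article
            if [ -n "$got" ] && [ "$got" != "22" ]; then continue; fi
            echo "FAIL Port: got '${got:-unset, i.e. 22}', want a non-default port"
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-unset}', want '$want'"
        fi
    done <<'EOF'
Port nondefault
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
EOF
}

# Write a hardened copy: drop every existing line (commented or not) for the
# directives we set, then append ours, so ours become the first occurrence.
# Usage: harden_sshd <src> <dst> [port]
harden_sshd() {
    local src="$1" dst="$2" port="${3:-5028}"
    grep -Eiv '^[[:space:]]*#?[[:space:]]*(Port|Protocol|PermitRootLogin|PermitEmptyPasswords|UseDNS)[[:space:]]' \
        "$src" > "$dst" || true
    cat >> "$dst" <<EOF
Port $port
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
EOF
}

echo "== before hardening =="; audit_sshd "$SAMPLE_CFG"
harden_sshd "$SAMPLE_CFG" "$HARDENED" 5028
echo "== after hardening =="; audit_sshd "$HARDENED"
# Always syntax-check before 'service sshd restart': a broken config on a
# remote VPS means a lockout. Skipped where sshd is not installed.
if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$HARDENED" && echo "sshd -t: configuration accepted" \
        || echo "sshd -t reported a problem (see above)"
else
    echo "sshd not installed here; on the server run: sshd -t -f /etc/ssh/sshd_config"
fi
```

The audit deliberately reports "Port unset" as a failure: the commented #Port 22 line that ships in the default file means sshd is on 22, which is what the article wants changed.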

Step 3: disable unnecessary services in the system and delete unnecessary software packages

1. Delete unnecessary software packages

yum remove Deployment_Guide-en-US finger cups-libs cups ypbind
yum remove bluez-libs desktop-file-utils ppp rp-pppoe wireless-tools irda-utils
yum remove sendmail* samba* talk-server finger-server bind* xinetd
yum remove nfs-utils nfs-utils-lib rdate fetchmail eject ksh mkbootdisk mtools
yum remove syslinux tcsh startup-notification talk apmd rmt dump setserial portmap yp-tools
yum groupremove "Mail Server" "Games and Entertainment" "X Window System" "X Software Development"
yum groupremove "Development Libraries" "Dialup Networking Support"
yum groupremove "Games and Entertainment" "Sound and Video" "Graphics" "Editors"
yum groupremove "Text-based Internet" "GNOME Desktop Environment" "GNOME Software Development"

Read the dependency list yum prints before confirming each removal. Wildcards are broad: bind* also matches bind-utils (dig and host), which you will probably want to keep, and removing a library package can pull out unrelated software that depends on it.

2. disable unnecessary services

Command: chkconfig <service> off

Run the following command to disable the service:

# acpid: the newer power-management standard; mainly useful on laptops
chkconfig acpid off
# anacron: a scheduler like cron for machines that are not running continuously
chkconfig anacron off
# atd: runs jobs scheduled with the at command; keep it if you use at
chkconfig atd off
# bluetooth: disable if there is no Bluetooth hardware
chkconfig bluetooth off
# cups: printing; not needed on a server
chkconfig cups off
# firstboot: the configuration tool that runs once after installation
chkconfig firstboot off
# hidd: Bluetooth input devices
chkconfig hidd off
# ip6tables: the IPv6 firewall; only disable it if IPv6 is disabled on the host as well
chkconfig ip6tables off
# iptables: the original note reads "intranet, too lazy to configure the firewall".
# Do not do this on an internet-facing VPS: keep iptables on and open only the ports
# you need (including the SSH port chosen in Step 2). Disable it only behind another firewall.
chkconfig iptables off
# kudzu: new hardware detection
chkconfig kudzu off
# mcstrans: SELinux context translation; not needed if SELinux is disabled
chkconfig mcstrans off
# microcode_ctl: loads IA32 CPU microcode; on a VPS the hypervisor owns the microcode, on bare metal keep it
chkconfig microcode_ctl off
# restorecond: SELinux file-context monitor
chkconfig restorecond off
# sendmail: the mail daemon; not needed unless this is a mail server
chkconfig sendmail off
# setroubleshoot: SELinux troubleshooting daemon
chkconfig setroubleshoot off
# yum-updatesd: automatic update checks
chkconfig yum-updatesd off

Some entries in this list (kudzu, hidd) only exist on CentOS 5; on CentOS 6 chkconfig simply reports an unknown service, which is harmless.

chkconfig only changes what starts at boot. Either reboot the server, or stop each service now with service <name> stop.

Step 4: Prevent Attacks

1. Stop ping

Set the content of /proc/sys/net/ipv4/icmp_echo_ignore_all to 1. This does not survive a reboot, where it goes back to 0.

To make it persistent, add the following line to /etc/rc.d/rc.local (the redirection > is required; without it, echo just prints the text):

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

The cleaner way is the line net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf, which is applied at boot together with the tuning in Step 5. Note that ignoring ping mainly breaks your own monitoring; port scanners do not rely on ICMP echo to find a host.

2. prevent IP spoofing attacks

Edit /etc/host.conf and add the following lines:

[root@localhost /]# vi /etc/host.conf
order bind,hosts
multi off
nospoof on

These options only affect the C library resolver (hostname lookups done by programs on this host); they do nothing against spoofed source addresses at the IP layer. For that, the kernel's reverse-path filter (net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf) is the relevant control.

3. Prevent DoS Attacks

Setting resource limits for users, such as the maximum number of processes and memory usage, limits how much damage a single account can do to the system. Add the following to /etc/security/limits.conf:

# Disable core dumps (they can contain passwords and keys from process memory)
* hard core 0
# Limit resident memory to 5 MB (value in KB)
* hard rss 5000
# Limit each user to 20 processes
* hard nproc 20

Three caveats before copying this: the wildcard * does not apply to root (a root line must be written explicitly); the rss limit is not enforced by 2.6 kernels, so that line has no effect; and nproc 20 is far too low for service accounts such as apache, nginx or mysql, which run many worker processes, so give those users their own, higher line.

Next, check /etc/pam.d/login for the following line and add it if it is missing (give only the module name; PAM finds it in its own module directory, and a hard-coded /lib/security path is wrong on x86_64):

session required pam_limits.so

On CentOS 6, /etc/pam.d/login and /etc/pam.d/sshd both include system-auth, which already loads pam_limits, so the limits apply to console and SSH sessions alike.

Against DDoS floods you can additionally use the DDoS-Deflate script, which counts connections per source address and blocks the noisiest ones.

Step 5: system configuration and Performance Tuning

1. Modify the default Character Set of the system

If the system was installed in English and Chinese text shows up as garbage, change the default character set:

[root@localhost /]# vi /etc/sysconfig/i18n
LANG="zh_CN.UTF-8"
# vi basics: press 'i' to edit, Esc to leave insert mode, ':wq' to save and quit
[root@localhost /]# source /etc/sysconfig/i18n

This sets the system encoding to zh_CN.UTF-8; the source command makes the change take effect in the current shell immediately.

2. Use the ntp service to update the server time

First, check whether the ntp service is installed in the system:

[root@localhost /]# chkconfig --list |grep ntp

If it is not installed, install it with yum and set the time once:

[root@localhost /]# yum install ntp
[root@localhost /]# ntpdate time.windows.com

You can also add the update command to cron for automatic update:

[root@localhost /]# crontab -e
0 */12 * * * /usr/sbin/ntpdate time.windows.com
[root@localhost /]# service crond restart

This updates the time every 12 hours (at 00:00 and 12:00). The original entry used * */12 * * *, which runs every minute during those two hours instead. Run crontab -l to view the schedule.

3. Remove system information

[root@localhost ~]# echo "Welcome to Server" > /etc/issue
[root@localhost ~]# echo "Welcome to Server" > /etc/redhat-release

/etc/issue is the pre-login banner, and changing it is harmless. /etc/redhat-release is read by tools and scripts that detect the OS version, so overwriting it can confuse them, and it hides nothing from an attacker who already has a shell. This step is cosmetic.

4. Synchronize system time

[root@localhost ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # set the Shanghai time zone
[root@localhost ~]# ntpdate cn.pool.ntp.org; hwclock -w                   # sync the clock and write it to the BIOS hardware clock
[root@localhost ~]# crontab -e
0 * * * * /usr/sbin/ntpdate cn.pool.ntp.org; hwclock -w                  # resync every hour

This overlaps with item 2 above: keep a single cron entry, not both. On a server the better option is to run the ntpd daemon instead of cron (chkconfig ntpd on; service ntpd start); ntpd keeps the clock continuously adjusted, and ntpdate refuses to run while ntpd holds port 123.

5. System kernel optimization

[root@localhost ~]# vi /etc/sysctl.conf
# Add the following parameters at the end of the file:
net.ipv4.tcp_syncookies = 1           # Enable SYN cookies: when the SYN queue overflows, answer with cookies instead of dropping, which mitigates small SYN floods (default 0 = off)
net.ipv4.tcp_tw_reuse = 1             # Allow TIME_WAIT sockets to be reused for new outgoing connections (default 0)
net.ipv4.tcp_tw_recycle = 1           # Fast recycling of TIME_WAIT sockets (default 0); see the caveat below
net.ipv4.ip_local_port_range = 4096 65000   # Port range available to applications for outgoing connections
net.ipv4.tcp_max_tw_buckets = 5000    # Maximum TIME_WAIT sockets held at once; beyond this they are cleared immediately and a warning is logged (default 180000)
net.ipv4.tcp_max_syn_backlog = 4096   # Maximum queued SYN requests not yet acknowledged (default 1024)
net.core.netdev_max_backlog = 10240   # Maximum packets queued on input when an interface receives faster than the kernel processes them
net.core.somaxconn = 2048             # Maximum pending connections on a listen() socket (default 128)
net.core.wmem_default = 8388608       # Default send buffer size in bytes
net.core.rmem_default = 8388608       # Default receive buffer size in bytes
net.core.rmem_max = 16777216          # Maximum receive buffer size
net.core.wmem_max = 16777216          # Maximum send buffer size
net.ipv4.tcp_synack_retries = 2       # SYN-ACK retransmissions for half-open connections (default 5)
net.ipv4.tcp_syn_retries = 2          # SYN retransmissions for outgoing connections (default 5)
net.ipv4.tcp_max_orphans = 3276800    # Maximum TCP sockets not attached to any file handle; beyond this, orphans are reset and a warning is logged
net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_mem has three values, all in memory pages (not bytes): below the first, TCP is under no memory pressure; between the first and second, TCP enters the memory-pressure stage; above the third, TCP refuses new socket allocations. Size them from the physical memory of the host; the numbers above are in the hundreds of gigabytes and only make sense on a very large machine, so on a small VPS they simply never trigger. The original list carried tcp_tw_recycle twice, with one copy mislabelled as a retransmission counter; it is listed once here. Do not enable tcp_tw_recycle on a server that clients reach through NAT: it drops connections from hosts whose TCP timestamps go backwards, which is exactly what several clients behind one NAT address look like.

Or use the following parameters for optimization:

[root@localhost /]# cp /etc/sysctl.conf /etc/sysctl.conf.bak
[root@localhost /]# vi /etc/sysctl.conf

net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120

This second list is tuned for a busy, low-memory-pressure web front end and is more aggressive than the first; read it before copying. ip_local_port_range needs two numbers (the original ran them together as 400065000). The net.ipv4.ip_conntrack_* and net.ipv4.netfilter.ip_conntrack_* names belong to the old ip_conntrack module; CentOS 6 uses nf_conntrack, whose keys live under net.netfilter.nf_conntrack_*, and sysctl -p reports an unknown key for the old names. A conntrack table of 25,000,000 entries costs several gigabytes of kernel memory; size it to the host. A single SYN retry and tcp_fin_timeout = 2 make connections fail on any lossy link, and tcp_tw_recycle = 1 has the NAT problem described above.

Finally, run sysctl -p to apply the settings immediately; it prints every key it sets, so any typo or unknown key shows up right here. Once everything is configured, take a snapshot or image of the system so you can restore it instead of repeating these steps after every reinstall. Disabling the unattended yum-updatesd service is fine, but keep applying security updates on a schedule of your own (yum update, reviewed and run by you); an unpatched VPS undoes all of the hardening above.
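As an added example (not part of the original article), the script below lints a sysctl.conf fragment like the two lists above before you run sysctl -p on a small VPS: it flags the run-together port range, the legacy ip_conntrack key names, tcp_tw_recycle, single-retry SYN settings, and conntrack/tcp_mem values that exceed the host's RAM. The input file is a constructed sample built from the second list; the per-conntrack-entry cost of 300 bytes is an assumption used only for a rough estimate.

```bash
#!/bin/bash
# Added example: sanity-check a sysctl.conf fragment before 'sysctl -p'.
# SAMPLE_SYSCTL is CONSTRUCTED sample data (the article's second list).
# CONNTRACK_ENTRY_BYTES is an ASSUMED rough per-entry cost, not a kernel constant.

SAMPLE_SYSCTL=$(mktemp)
trap 'rm -f "$SAMPLE_SYSCTL"' EXIT
cat > "$SAMPLE_SYSCTL" <<'EOF'
# constructed sample: values copied from the article's second parameter list
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 400065000
net.ipv4.tcp_syn_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.tcp_mem = 94500000 915000000 927000000
EOF

PAGE_BYTES=4096             # tcp_mem is counted in pages (x86 page size)
CONNTRACK_ENTRY_BYTES=300   # assumed rough memory cost per conntrack entry

# Print one WARN line per problem found.
# Usage: lint_sysctl <sysctl.conf-file> <host-ram-in-MB>
lint_sysctl() {
    local file="$1" ram_mb="$2" key eq val rest need_mb low_mb
    # sysctl.conf syntax: "key = value", '#' starts a comment, '=' may lack spaces
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/=/ = /' "$file" |
    while read -r key eq val rest; do
        case "$key" in
            net.ipv4.ip_conntrack_*|net.ipv4.netfilter.ip_conntrack_*)
                echo "WARN $key: legacy ip_conntrack name; CentOS 6 uses net.netfilter.nf_conntrack_* and sysctl -p reports an unknown key"
                ;;
        esac
        case "$key" in
            *.ip_local_port_range)
                # two numbers expected; one long token is "<low> <high>" run together
                [ -z "$rest" ] && echo "WARN $key: single value '$val'; expected '<low> <high>'"
                ;;
            *.tcp_tw_recycle)
                [ "$val" = "1" ] && echo "WARN $key=1: drops connections from clients behind NAT; leave it 0"
                ;;
            *.tcp_syn_retries|*.tcp_synack_retries)
                [ "$val" -lt 2 ] && echo "WARN $key=$val: one lost SYN fails the handshake; use 2 or more"
                ;;
            *conntrack_max)
                need_mb=$(( val * CONNTRACK_ENTRY_BYTES / 1048576 ))
                [ "$need_mb" -gt "$ram_mb" ] && echo "WARN $key=$val: roughly ${need_mb} MB of conntrack table on a ${ram_mb} MB host"
                ;;
            *.tcp_mem)
                low_mb=$(( val * PAGE_BYTES / 1048576 ))
                [ "$low_mb" -gt "$ram_mb" ] && echo "WARN $key: low-water mark $val pages = ${low_mb} MB exceeds ${ram_mb} MB RAM (values are pages, not bytes)"
                ;;
        esac
    done
}

# Number of WARN lines, for use as a gate in a deployment script.
# Usage: lint_count <sysctl.conf-file> <host-ram-in-MB>
lint_count() { lint_sysctl "$@" | grep -c '^WARN'; }

lint_sysctl "$SAMPLE_SYSCTL" 2048
echo "warnings on a 2048 MB host: $(lint_count "$SAMPLE_SYSCTL" 2048)"
```

On the sample, a 2 GB host gets six warnings; the two memory-sizing warnings disappear when the RAM argument is large enough, while the key-name and NAT problems remain whatever the host size, which is the distinction to keep in mind when reusing a tuning list from the internet.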
