We must understand: minimal permissions + minimal services = maximum security.
Therefore, regardless of how a server is configured, we must turn off unused services and set system permissions to the minimum, so that the server is as secure as it can be. The following CentOS server security settings are offered for your reference.
1. Comment out users and user groups the system does not need
Note: Deleting them outright is not recommended; when you later need one of these users, adding it back by hand is troublesome.
cp /etc/passwd /etc/passwdbak    # back up before modifying
vi /etc/passwd    # edit the users: add a # in front of each line to comment it out
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comment out the anonymous ftp account
cp /etc/group /etc/groupbak    # back up before modifying
vi /etc/group    # edit the groups: add a # in front of each line to comment it out
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
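Commenting the entries out by hand in vi works, but it is easy to miss one or to comment a line twice. The script below is an added example, not part of the original post: it comments out a list of account or group names in any passwd- or group-format file, backs the file up first (the same cp step as above) and is safe to run repeatedly. The file path is a parameter, so the same function serves /etc/passwd and /etc/group; the demonstration at the end runs on a constructed passwd fragment, not the real file.

```shell
#!/bin/sh
# Added example (not from the original post): comment out unneeded accounts
# or groups in a passwd- or group-format file instead of editing it by hand.
# The file path is a parameter so the same function serves /etc/passwd and
# /etc/group; it backs the file up first and is idempotent.
# Usage: comment_out_entries FILE NAME...
comment_out_entries() {
    file=$1; shift
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    for name in "$@"; do
        # match only an uncommented line whose first field is exactly NAME,
        # so a line that is already commented is left untouched
        sed -i "s/^\($name:\)/#\1/" "$file"
    done
}

# Count how many of the given names are still active (uncommented) in FILE.
count_active_entries() {
    file=$1; shift
    n=0
    for name in "$@"; do
        if grep -q "^$name:" "$file"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Demonstration on a constructed passwd fragment (sample data, not a real
# /etc/passwd); prints the number of listed names still active, i.e. 1 (root).
demo_comment_out() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
EOF
    comment_out_entries "$tmp/passwd" adm lp ftp games
    count_active_entries "$tmp/passwd" root adm lp ftp games
    rm -rf "$tmp"
}

demo_comment_out
```

On a real system, run it as root with the real paths, for example comment_out_entries /etc/passwd adm lp sync shutdown halt uucp operator games gopher ftp, and then check with count_active_entries that the number reported is 0.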
2. Shut down services the system does not need
service acpid stop; chkconfig acpid off    # stop the service and keep it from starting at boot; ACPI power management, mainly used on laptops
service autofs stop; chkconfig autofs off    # disable automatic mounting of file systems and peripheral devices
service bluetooth stop; chkconfig bluetooth off    # disable Bluetooth
service cpuspeed stop; chkconfig cpuspeed off    # disable CPU frequency control, which mainly serves to save power
service cups stop; chkconfig cups off    # disable CUPS, the Common UNIX Printing System, which lets the system support printers
service ip6tables stop; chkconfig ip6tables off    # disable IPv6
If you want to restore a service, do the following:
service acpid start; chkconfig acpid on
3. Prohibit non-root users from executing the system scripts under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 777 /etc/rc.d/init.d/*    # restore the default setting
4. Prevent unauthorized users from gaining access by setting the immutable attribute on the following files
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the system service port list file to prevent unauthorized deletion or addition of services
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # display the attributes of the files
Note: After the attributes above are set, you cannot add or delete users.
To add or delete a user you must first cancel the settings above, and then, once the user has been added or deleted, apply them again.
chattr -i /etc/passwd    # cancel the lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services    # cancel the lock on the system service port list file
You can now add or delete users; once that is done, lock the files again.
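The unlock / change / relock sequence is easy to get wrong, and a single forgotten chattr +i leaves a file writable without anyone noticing. The following is an added example, not from the original post: it parses lsattr output to report which of the five files lack the immutable flag, and wraps one user-management command so the locks are dropped only for its duration and restored even if the command fails. It assumes chattr and lsattr from e2fsprogs and must run as root; unlocked_from_lsattr reads from stdin so it can be fed either a real lsattr run or constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the locked files
# still carry the immutable flag, and wrap a user change in unlock/relock so
# the lock is never left off by accident. Needs root and chattr/lsattr.
LOCKED_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"

# Read lsattr output lines ("----i-------- /etc/passwd") from stdin and print
# the paths whose flag field has no lowercase 'i' (not immutable).
unlocked_from_lsattr() {
    while read -r flags path; do
        case $flags in
            *i*) ;;                 # immutable bit present: fine
            *)   echo "$path" ;;    # +i missing
        esac
    done
}

# Return 0 if every file in LOCKED_FILES reports +i, 1 otherwise.
check_locks() {
    missing=$(lsattr $LOCKED_FILES 2>/dev/null | unlocked_from_lsattr)
    if [ -n "$missing" ]; then
        echo "not immutable:" $missing >&2
        return 1
    fi
    return 0
}

# Run one command with the locks dropped and restore them afterwards even if
# the command fails, e.g.: with_unlocked useradd -m alice
with_unlocked() {
    chattr -i $LOCKED_FILES || return 1
    "$@"; rc=$?
    chattr +i $LOCKED_FILES
    return $rc
}
```

A cron job that calls check_locks and mails its output is a cheap way to notice when someone has cleared the flag and not restored it.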
5. Restrict the permissions of specific files
chattr +a .bash_history    # prevents .bash_history from being deleted or redirected to /dev/null
chattr +i .bash_history
chmod 700 /usr/bin    # restore with: chmod 555 /usr/bin
chmod 700 /bin/ping    # restore with: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim    # restore with: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat    # restore with: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail    # restore with: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less    # restore with: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head    # restore with: chmod 755 /usr/bin/head
chmod 700 /bin/cat    # restore with: chmod 755 /bin/cat
chmod 700 /bin/uname    # restore with: chmod 755 /bin/uname
chmod 500 /bin/ps    # restore with: chmod 755 /bin/ps
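The "restore with" modes in sections 3 and 5 are quoted from memory, and a wrong one (dropping the setuid bit on ping, or widening an init script) is an easy mistake. As an added example that is not part of the original post, the script below records each file's owner and exact octal mode into a generated restore script before tightening, so that undoing the change uses the real original values. It assumes GNU stat (the -c format); the paths passed to it are parameters, and the test data is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): before tightening the modes of
# the binaries and init scripts in sections 3 and 5, record each file's owner
# and exact mode (including setuid bits such as 4755 on ping) in a generated
# restore script, so restoring later uses the real original values rather than
# remembered ones. Uses GNU stat -c.
# Usage: snapshot_modes RESTORE_SCRIPT FILE...
snapshot_modes() {
    out=$1; shift
    { echo '#!/bin/sh'; echo '# generated: restores owner and mode'; } > "$out"
    for f in "$@"; do
        [ -e "$f" ] || continue
        # %u:%g = numeric owner/group, %a = octal mode, %n = path
        stat -c 'chown %u:%g "%n"; chmod %a "%n"' "$f" >> "$out"
    done
    chmod 700 "$out"
}

# Snapshot FILE... into RESTORE_SCRIPT, then set them all to MODE.
# Usage: tighten MODE RESTORE_SCRIPT FILE...
tighten() {
    mode=$1; restore=$2; shift 2
    snapshot_modes "$restore" "$@"
    for f in "$@"; do
        if [ -e "$f" ]; then chmod "$mode" "$f"; fi
    done
}

# Octal mode of one file, for checking the result.
current_mode() { stat -c '%a' "$1"; }

# Example invocation on the paths from the post (run as root):
#   tighten 700 /root/restore-modes.sh /bin/ping /usr/bin/vim /bin/netstat
#   sh /root/restore-modes.sh      # to undo
```

Keep the generated restore script under /root with mode 700, as snapshot_modes sets it, since it lists exactly which binaries were restricted.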
6. Prohibit restarting the server with the Ctrl+Alt+Del shortcut
cp /etc/inittab /etc/inittabbak
vi /etc/inittab    # comment out the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
7. Do not update the kernel when upgrading the system with yum update; update the packages only
Because of compatibility issues between the system and the hardware, the server may fail to boot normally after a kernel upgrade, which is very frightening. Unless there is a special need, it is recommended not to upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
1. Modify the yum configuration: vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section
2. Or add the following parameter directly to the yum command:
yum --exclude=kernel* update
View the system version: cat /etc/issue
View the kernel version: uname -a
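If exclude=kernel* is appended to the very end of yum.conf it may land inside a later [repo] section, where it applies to that one repository only rather than to all updates. The script below is an added example, not from the original post: it inserts the line inside [main] (directly after the header; position within the section does not matter to yum), backs the file up first, and does nothing if the line is already there. It assumes GNU sed and awk; the demonstration runs on a constructed yum.conf fragment, not the real file.

```shell
#!/bin/sh
# Added example (not from the original post): put exclude=kernel* into the
# [main] section of a yum.conf-style file. Appending it blindly to the end of
# the file can land it in a later [repo] section, where it applies to that
# repository only; this inserts it inside [main] and is idempotent.
# Usage: yum_exclude_kernel FILE
yum_exclude_kernel() {
    file=$1
    cp -p "$file" "$file.bak"
    if main_excludes "$file" | grep -qx 'kernel\*'; then
        return 0    # already present
    fi
    # GNU sed: append the line right after the [main] header
    sed -i '/^\[main\]/a exclude=kernel*' "$file"
}

# Print the value of every exclude= line that lies inside [main].
main_excludes() {
    awk '/^\[main\]/ { m = 1; next }
         /^\[/        { m = 0 }
         m && /^exclude=/ { sub(/^exclude=/, ""); print }' "$1"
}

# Constructed demonstration file (sample data, not a real /etc/yum.conf).
demo_yum_exclude() {
    tmp=$(mktemp -d)
    cat > "$tmp/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum
keepcache=0

[base]
name=CentOS-$releasever - Base
EOF
    yum_exclude_kernel "$tmp/yum.conf"
    yum_exclude_kernel "$tmp/yum.conf"    # second call must not duplicate the line
    main_excludes "$tmp/yum.conf"
    rm -rf "$tmp"
}

demo_yum_exclude    # prints: kernel*
```

After running it against /etc/yum.conf, main_excludes /etc/yum.conf should print kernel*, and yum check-update will then list no kernel packages.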
8. Turn off CentOS automatic updates
chkconfig --list yum-updatesd    # show the current status
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
service yum-updatesd stop    # stop it; the parameter to start it again is start
Stopping yum-updatesd:    [  OK  ]
service yum-updatesd status    # check whether it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off    # do not start at boot (runlevels 3 and 5)
chkconfig yum-updatesd off    # do not start at boot (disabled in all runlevels)
chkconfig --list yum-updatesd    # show the current status
yum-updatesd    0:off   1:off   2:on    3:off   4:on    5:off   6:off
9. Shut down the redundant virtual consoles
We know that to switch from the console to X Window you generally use Alt-F7. Why? Because the system defines 6 virtual consoles by default,
so X is the 7th one. In fact, many people do not need so many virtual consoles: modify /etc/inittab and comment out the ones you don't need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
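Both section 6 (the ca line) and this section edit /etc/inittab by commenting out entries, and the entry id before the first colon is the natural handle for that. The script below is an added example, not from the original post: it comments out entries by id in any inittab-format file, backs the file up first, and lists the ids that remain active so the result can be checked. The file path is a parameter; the demonstration uses a constructed inittab fragment rather than the real file, and the sed -i form assumes GNU sed.

```shell
#!/bin/sh
# Added example (not from the original post): comment out /etc/inittab entries
# by their id field (the text before the first colon), which covers both the
# ca (Ctrl+Alt+Del) line from section 6 and the spare mingetty consoles here.
# The file path is a parameter so it can be tried on a copy first.
# Usage: disable_inittab_ids FILE ID...
disable_inittab_ids() {
    file=$1; shift
    cp -p "$file" "$file.bak"
    for id in "$@"; do
        # anchor on "^id:" so only an uncommented entry with that id matches
        sed -i "s/^\($id:\)/#\1/" "$file"
    done
}

# Print the ids of entries still active in FILE, one per line.
active_inittab_ids() {
    grep -v '^[[:space:]]*#' "$1" | grep ':' | cut -d: -f1
}

# Demonstration on a constructed inittab fragment (sample data).
demo_inittab() {
    tmp=$(mktemp -d)
    cat > "$tmp/inittab" <<'EOF'
id:3:initdefault:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
EOF
    disable_inittab_ids "$tmp/inittab" ca 2 3
    active_inittab_ids "$tmp/inittab" | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$tmp"
}

demo_inittab    # prints: id 1
```

On the real file this would be disable_inittab_ids /etc/inittab ca 2 3 4 5 6 followed by init q (or a reboot) so that init rereads the file; active_inittab_ids /etc/inittab should then list only id, 1 and the remaining system entries.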
10. Delete the MySQL history
SQL commands executed after a user logs in to the database are also recorded by MySQL in the .mysql_history file in the user's home directory.
If a database user changes the database password with an SQL statement, that password is exposed through the .mysql_history file as well.
So when logging in from the shell or running backups, do not put the password directly after -p; enter it at the prompt instead.
As for these two files, we should also stop them from recording our operations, just in case.
cd
cp .bash_history .bash_historybak    # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history
11. Modify the history command record
cp /etc/profile /etc/profilebak
vi /etc/profile
find HISTSIZE=1000 and change it to HISTSIZE=50
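The history files come back as ordinary files as soon as someone deletes the symlink, so sections 10 and 11 are worth re-checking rather than applying once. The script below is an added example, not from the original post: for one home directory it reports which of the two history files would still record commands, applies the backup / remove / link-to-/dev/null sequence from section 10, and reads the HISTSIZE value out of a profile file. The home directory and profile path are parameters, and the test data is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check and apply the shell and
# MySQL history handling of sections 10 and 11 for one home directory. Both
# history files must be symlinks to /dev/null, and HISTSIZE in the profile
# must not exceed a limit. Paths are parameters so it can be run on a test dir.
HISTORY_FILES=".bash_history .mysql_history"

is_null_link() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# Print history files under HOME_DIR that would still record commands.
history_leaks() {
    home=$1
    for f in $HISTORY_FILES; do
        p="$home/$f"
        if [ -L "$p" ]; then
            is_null_link "$p" || echo "$p"
        elif [ -f "$p" ]; then
            echo "$p"
        fi
    done
}

# Back up any real history file, then replace it with a link to /dev/null
# (the cp / rm / ln -s sequence from section 10, applied to HOME_DIR).
neutralize_history() {
    home=$1
    for f in $HISTORY_FILES; do
        p="$home/$f"
        if [ -f "$p" ] && [ ! -L "$p" ]; then cp -p "$p" "${p}bak"; fi
        rm -f "$p"
        ln -s /dev/null "$p"
    done
}

# Print the HISTSIZE value set in PROFILE (last assignment wins), or nothing.
profile_histsize() {
    grep -o '^[[:space:]]*HISTSIZE=[0-9]*' "$1" | tail -n 1 | cut -d= -f2
}
```

Running history_leaks over every directory under /home (and /root) from cron gives a quick drift check; the backup files it leaves behind (.bash_historybak, .mysql_historybak) still contain the old commands and should be removed once they are no longer needed.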
12. Hide server system information
By default, when you log in to a Linux system it tells you the name and version of the Linux distribution, the kernel version, and the server name.
To keep this default information from being shown, do the following so that only a "login:" prompt is displayed.
Deleting the two files /etc/issue and /etc/issue.net, or renaming them, has the same effect.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak
13. Optimize the Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf    # add the following at the end of the file
net.ipv4.ip_forward = 1    # change to 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout =    # value missing in the original
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout =    # value missing in the original
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time =    # value missing in the original
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =    # value missing in the original
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 81 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p    # make the configuration take effect immediately
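sysctl -p applies what it can and prints an error for keys the running kernel does not have, but nothing later tells you whether the values are still in force or which lines in the file are incomplete. The script below is an added example, not from the original post: it reads a sysctl.conf-style file and compares each key with the value under /proc/sys, printing keys that differ, keys with no value in the file, and keys this kernel does not know. The /proc/sys root is a parameter so the same function can be run against a constructed directory tree; the sample config used in the check is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare the key = value lines of
# a sysctl.conf-style file with what the kernel currently reports under
# /proc/sys, and print every key that differs, is unset in the file, or does
# not exist on this kernel. ROOT defaults to /proc/sys; passing another
# directory lets the check run against a constructed tree.
# Usage: sysctl_drift CONF [ROOT]
sysctl_drift() {
    conf=$1; root=${2:-/proc/sys}
    # drop comments and blank lines, then split each line at the first '='
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//')
        [ -n "$key" ] || continue
        if [ -z "$want" ]; then
            echo "$key: no value given in $conf"; continue
        fi
        # net.ipv4.ip_forward -> ROOT/net/ipv4/ip_forward
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "$key: not present on this kernel"; continue
        fi
        # multi-value keys (tcp_rmem) are tab-separated in /proc: normalise to single spaces
        have=$(tr -s '[:space:]' ' ' < "$path" | sed -e 's/ $//')
        [ "$have" = "$want" ] || echo "$key: configured '$want', running '$have'"
    done
}

# Example run against the live kernel (prints nothing when everything matches):
#   sysctl_drift /etc/sysctl.conf
```

A non-empty report after a reboot usually means either a line that never applied (a missing value or an unknown key) or a later sysctl call, from a service start script for instance, that overwrote the setting.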
14. CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile    # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile    # make the configuration take effect immediately
ulimit -a    # display the current user's process limits
15. Make the server not respond to ping
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local    # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The value 0 allows ping replies; 1 disables them.
At this point the CentOS Linux server security settings are basically complete. The settings above have been tested in practice by the author (CentOS-5.5-x86_64) and are fully usable; for further security settings and server optimization, please test for yourself.