Transferred from: http://www.osyunwei.com/archives/754.html
Introduction:
We must understand: minimal privileges + minimal services = maximum security.
Therefore, whatever a server is used for, we must shut down the services it does not use and reduce system permissions to the minimum, so that the server is as secure as possible. The following CentOS server security settings are offered for reference.
I. Comment out the users and groups not required by the system
Note: Deleting them outright is not recommended; when one of these users is needed again, re-adding it can be cumbersome.
cp /etc/passwd /etc/passwdbak    # back up before modifying
vi /etc/passwd                   # edit users; put # at the start of a line to comment it out
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comment out the anonymous ftp account
cp /etc/group /etc/groupbak      # back up before modifying
vi /etc/group                    # edit groups; put # at the start of a line to comment it out
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
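Added example (not part of the original post): the property that makes the accounts above worth disabling is that some of them have a shell that can actually run commands. This script reads /etc/passwd-format lines from stdin and lists the system accounts that still have such a shell, so you can confirm what is left after editing. The sample passwd content is constructed, and the UID-below-500 boundary for system accounts is an assumption taken from CentOS 5.

```shell
#!/bin/sh
# Added example (not from the original post): list system accounts that still
# have a real login shell. Reads /etc/passwd-format lines from stdin.

# Constructed sample passwd content; not copied from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
webapp:x:501:501::/home/webapp:/bin/bash'

# System accounts are UID < 500 on CentOS 5 (assumption: adjust for your release).
# Prints "name:shell" for each uncommented system account whose shell can run commands.
list_active_system_shells() {
    awk -F: '
        /^#/ || NF < 7 { next }
        $3 + 0 < 500 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 ":" $7 }
    '
}

# Number of such accounts, for a quick pass/fail line in a hardening checklist.
count_active_system_shells() {
    list_active_system_shells | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a real host use:
#   list_active_system_shells < /etc/passwd
printf '%s\n' "$SAMPLE_PASSWD" | list_active_system_shells
```

On the sample, root, sync, shutdown and halt are reported: sync, shutdown and halt carry real programs as their shell, which is exactly why the post comments them out.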
II. Shut down services not required by the system
service acpid stop; chkconfig acpid off          # stop the service and cancel start at boot; advanced power settings, commonly used on laptops
service autofs stop; chkconfig autofs off        # disable automatic mounting of filesystems and peripheral devices
service bluetooth stop; chkconfig bluetooth off  # disable Bluetooth
service cpuspeed stop; chkconfig cpuspeed off    # disable CPU speed control, mainly used to save power
service cups stop; chkconfig cups off            # disable the Common UNIX Printing System (printer support)
service ip6tables stop; chkconfig ip6tables off  # disable IPv6 (this stops the ip6tables firewall service; the IPv6 stack itself stays loaded)
To restore a service, do the opposite:
service acpid start; chkconfig acpid on
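Added example (not part of the original post): after running the commands above, a quick way to confirm that none of the unwanted services will come back at boot is to parse the output of chkconfig --list. The listing below is constructed, the service list is the post's own, and the check is written for SysV-init releases (CentOS 5/6) where chkconfig is the tool.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the services switched
# off above really are off at boot, by parsing "chkconfig --list" output.

# Services the post disables (assumption: extend the list for your own build).
UNWANTED_SERVICES='acpid autofs bluetooth cpuspeed cups ip6tables'

# Constructed "chkconfig --list" output; not captured from a real host.
SAMPLE_CHKCONFIG='acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:off   4:off   5:off   6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Reads chkconfig listing lines from stdin; prints each unwanted service that
# still starts in runlevel 3 (multi-user) or 5 (graphical). Services that are
# not in the unwanted list (sshd here) are ignored.
unwanted_services_still_enabled() {
    awk -v list="$UNWANTED_SERVICES" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        ($1 in wanted) {
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") { print $1; break }
        }
    '
}

# Live check on a SysV-init host (CentOS 5/6; systemd releases use systemctl instead).
audit_live_services() {
    chkconfig --list 2>/dev/null | unwanted_services_still_enabled
}

# Stand-alone run over the constructed listing.
printf '%s\n' "$SAMPLE_CHKCONFIG" | unwanted_services_still_enabled
```

On the sample, acpid, bluetooth and cups are reported; autofs is already off in every runlevel, and an empty result means the section above has been applied completely.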
III. Prohibit non-root users from executing the scripts under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 755 /etc/rc.d/init.d/*    # restore the default mode (init scripts ship as 755; never use 777, which would make them world-writable)
IV. Add the immutable attribute to the following files to prevent unauthorized users from gaining access
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the system service port list file to prevent unauthorized deletion or addition of services
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # show the file attributes
Note: After the above change you can no longer add or delete users.
To add or delete a user, first remove the attribute, then re-apply it once the user change is complete:
chattr -i /etc/passwd    # remove the lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services    # unlock the system service port list file
You can now add and delete users; lock the files again when you have finished.
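Added example (not part of the original post): the unlock / change / relock sequence above is easy to get wrong by hand, because a failed useradd leaves the files writable. This script wraps the sequence in one function that relocks the files even when the command fails, and adds a check that reads lsattr output and reports any file that has lost the immutable flag. The file list is the post's; the lsattr lines used for the stand-alone run are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the unlock / change / relock
# sequence in one function, and check lsattr output for files that lost the flag.

ACCOUNT_FILES='/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services'

lock_account_files()   { chattr +i $ACCOUNT_FILES; }
unlock_account_files() { chattr -i $ACCOUNT_FILES; }

# Usage (as root): with_account_files_unlocked useradd -m alice
# The trap relocks the files even if the command fails or the shell is interrupted.
with_account_files_unlocked() {
    unlock_account_files || return 1
    trap 'lock_account_files' EXIT INT TERM
    "$@"
    rc=$?
    lock_account_files
    trap - EXIT INT TERM
    return $rc
}

# Reads lsattr output from stdin (a flag field such as "----i--------e-", then
# the path) and prints each path whose flags lack "i", i.e. is not immutable.
files_missing_immutable() {
    awk 'NF >= 2 { if (index($1, "i") == 0) print $2 }'
}

# Live check on a host:  lsattr $ACCOUNT_FILES | files_missing_immutable
# Stand-alone run over constructed lsattr lines (not captured from a real host):
SAMPLE_LSATTR='----i--------e- /etc/passwd
-------------e- /etc/shadow
----i--------e- /etc/group
----i--------e- /etc/gshadow
-------------e- /etc/services'
printf '%s\n' "$SAMPLE_LSATTR" | files_missing_immutable
```

On the sample, /etc/shadow and /etc/services are reported as unlocked; on a hardened host the check should print nothing.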
V. Restrict permissions on individual files
chattr +a .bash_history    # append-only: prevents .bash_history from being deleted or redirected to /dev/null
chattr +i .bash_history    # note: +i also blocks appends, so the shell can no longer write new history entries
chmod 700 /usr/bin        # restore: chmod 555 /usr/bin
chmod 700 /bin/ping       # restore: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim    # restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat    # restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail   # restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less   # restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head   # restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat        # restore: chmod 755 /bin/cat
chmod 700 /bin/uname      # restore: chmod 755 /bin/uname
chmod 500 /bin/ps         # restore: chmod 755 /bin/ps
VI. Disable the Ctrl+Alt+Del shortcut for restarting the server
cp /etc/inittab /etc/inittabbak
vi /etc/inittab    # comment out the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
VII. Update the system with yum update without upgrading the kernel (update packages only)
Because of system and hardware compatibility issues, a server may fail to boot normally after a kernel upgrade, which is very unpleasant; unless there is a specific need, do not upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
1. Edit the yum configuration file (vi /etc/yum.conf) and add exclude=kernel* at the end of the [main] section.
2. Alternatively, pass the option directly on the yum command line:
yum --exclude=kernel* update
View the system version: cat /etc/issue
View the kernel version: uname -a
VIII. Turn off CentOS automatic updates
chkconfig --list yum-updatesd    # show the current state
yum-updatesd    0:off 1:off 2:on 3:on 4:on 5:on 6:off
service yum-updatesd stop        # stop it (use start to start it again)
Stopping yum-updatesd: [ OK ]
service yum-updatesd status      # check whether it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off    # do not start at boot (runlevels 3 and 5)
chkconfig yum-updatesd off               # do not start at boot (all runlevels)
chkconfig --list yum-updatesd            # show the current state
yum-updatesd    0:off 1:off 2:on 3:off 4:on 5:off 6:off
IX. Close redundant virtual consoles
We know that switching from the console to the X window generally uses Alt-F7. Why? Because the system defines 6 virtual consoles by default, so X is the 7th. Most people do not normally need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
X. Delete the MySQL history
MySQL also records the SQL statements a user executes after logging in to the database, in the .mysql_history file in that user's home directory.
If a database user changes a database password with an SQL statement, that password is exposed through .mysql_history as well.
So when logging in from the shell or running backups, do not put the password directly after -p; enter it only when prompted.
Beyond that, we should stop both files from recording our operations at all, just in case.
cd
cp .bash_history .bash_historybak    # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history      # if .bash_history was made immutable in section V, run chattr -i .bash_history first
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history
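Added example (not part of the original post): before discarding the history files, it is worth knowing whether they already contain the exposure this section warns about, a MySQL password passed on the command line. This script reads history lines and reports the ones where a MySQL client got its password as -pXXX or --password=XXX, with the secret masked in the report; a bare -p is accepted, since the client then prompts. The history content is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find history lines where a MySQL
# client received its password on the command line, printing them with the
# secret masked so the report itself does not leak it.

# Constructed .bash_history content; not taken from a real host.
SAMPLE_HISTORY='ls -la
mysql -u root -p
mysqldump -u backup -pS3cret mydb > mydb.sql
mysql -u app --password=hunter2 -e "select 1"
mysql -u app -p mydb
service mysqld status'

# Reads history lines from stdin. A bare "-p" is fine (the client prompts);
# "-pXXX" and "--password=XXX" are reported as "line: command" with XXX masked.
find_inline_mysql_passwords() {
    awk '
        /(^|[[:space:]])mysql(dump|admin)?([[:space:]]|$)/ {
            line = $0
            if (line ~ /(^|[[:space:]])-p[^[:space:]]+/ || line ~ /--password=[^[:space:]]+/) {
                gsub(/(^|[[:space:]])-p[^[:space:]]+/, " -p*****", line)
                gsub(/--password=[^[:space:]]+/, "--password=*****", line)
                print NR ": " line
            }
        }
    '
}

# Live use on a host:  find_inline_mysql_passwords < ~/.bash_history
# Stand-alone run over the constructed history.
printf '%s\n' "$SAMPLE_HISTORY" | find_inline_mysql_passwords
```

On the sample, lines 3 and 4 are reported; lines 2 and 5 use a bare -p and are clean, and "service mysqld status" is not a client invocation at all.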
XI. Modify the history command record
cp /etc/profile /etc/profilebak
vi /etc/profile
Find HISTSIZE=1000 and change it to HISTSIZE=50
XII. Hide server system information
By default, when you log in to a Linux system, it tells you the name and version of the Linux distribution, the kernel version, and the server name.
To keep this default information from leaking, do the following so that only a "login:" prompt is shown.
Delete the two files /etc/issue and /etc/issue.net, or rename them; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak
XIII. Optimizing Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf    # add the following at the end of the file
net.ipv4.ip_forward = 1    # set to 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p    # apply the configuration immediately
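Added example (not part of the original post): sysctl -p reports an error for any key the running kernel does not know and moves on, and a later change can overwrite a value silently, so it is useful to compare the file against what is actually running. This script reads a sysctl.conf-style file and a "sysctl -a"-style listing and prints every key whose running value differs or is absent; it normalises whitespace because sysctl -a prints multi-value keys tab-separated while the file uses spaces. The key names are the post's; the sample values in the stand-alone run are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compare the values in a sysctl
# configuration file with the values actually running.

# sysctl_drift CONF CURRENT
#   CONF    : "key = value" lines as in /etc/sysctl.conf (comments allowed)
#   CURRENT : "key = value" lines as printed by "sysctl -a" ("-" reads stdin)
# Prints "key expected X actual Y" for every key whose running value differs or is absent.
sysctl_drift() {
    awk '
        # Strip trailing comments and collapse runs of whitespace (sysctl -a prints
        # multi-value keys tab-separated, the conf file uses spaces).
        function norm(s) {
            sub(/[[:space:]]*#.*$/, "", s); gsub(/[[:space:]]+/, " ", s)
            sub(/^ /, "", s); sub(/ $/, "", s); return s
        }
        /^[[:space:]]*(#|$)/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = norm(substr($0, 1, eq - 1)); val = norm(substr($0, eq + 1))
            if (which == "current") { cur[key] = val; next }
            if (!(key in cur))        print key " expected " val " actual (missing)"
            else if (cur[key] != val) print key " expected " val " actual " cur[key]
        }
    ' which=current "$2" which=conf "$1"
}

# Live check on a host (run as root so every key is readable).
live_sysctl_drift() {
    sysctl -a 2>/dev/null | sysctl_drift /etc/sysctl.conf -
}

# Stand-alone run over constructed files: one key differs, one was never applied.
demo_sysctl_drift() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'net.ipv4.ip_forward = 1    # set to 1' \
        'net.core.somaxconn = 262144' \
        'net.ipv4.tcp_wmem = 8192 131072 16777216' \
        'net.ipv4.tcp_timestamps = 0' > "$d/desired.conf"
    printf 'net.ipv4.ip_forward = 0\nnet.core.somaxconn = 262144\nnet.ipv4.tcp_wmem = 8192\t131072\t16777216\n' > "$d/running.txt"
    sysctl_drift "$d/desired.conf" "$d/running.txt"
    rm -rf "$d"
}

demo_sysctl_drift
```

On the constructed files, ip_forward is reported as differing and tcp_timestamps as missing, while tcp_wmem matches once the tab-separated running value is normalised.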
XIV. CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile    # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile    # apply the configuration immediately
ulimit -a              # show the current user process limits
XV. Disable ping on the server
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local    # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
A value of 0 means ping is allowed; 1 means echo requests are ignored.
At this point the CentOS Linux server security settings are basically complete. The settings above were fully tested by the author in practice (CentOS-5.5-x86_64); for further security settings and server optimization, please test on your own.