1. Use a firewall to close unnecessary ports. If others cannot even ping the server, the threat is naturally reduced by more than half.
Methods to prevent others from pinging the server:
1) At the command prompt:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2) Use a firewall to prohibit (or discard) ICMP packets:
iptables -A INPUT -p icmp -j DROP
First run /sbin/ifconfig to view the network interfaces and find the interface name, for example eth0.
Then run:
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
service iptables save
3) Do not respond to any ICMP packets at all, for example ping and tracert.
2. Change the SSH port to a number over 10000; the chance of others finding the port by scanning also decreases.
vi /etc/ssh/sshd_config
Change the Port line to port 1000 or above.
Create an ordinary login user and disable direct root login.
useradd newuser
passwd newuser
usermod -G 10 newuser
Or
usermod -G wheel newuser
// Add the user to the wheel group so that it can use the su command to escalate to root.
vi /etc/ssh/sshd_config
Add the following line at the end:
PermitRootLogin no
# Disables direct remote root login
vi /etc/pam.d/su
# auth required pam_wheel.so use_uid   <- locate this line and remove the "#" from the beginning of the line
echo 'SU_WHEEL_ONLY yes' >> /etc/login.defs // Appends the setting that prohibits users outside the wheel group from using su (note the ">>": a single ">" would overwrite /etc/login.defs).
Restart the sshd service:
service sshd restart
3. Delete unused accounts that bloat the system:
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
If you do not offer anonymous FTP, delete the ftp user account as well.
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
4. Change the attributes of the following files so that no one can modify account information:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
5. chmod 600 /etc/xinetd.conf
vi /etc/xinetd.conf and disable all unnecessary services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, and auth; you can also use the setup command to configure the service list.
After changing the xinetd.conf file, do not forget to send a SIGHUP signal to the xinetd process:
killall -HUP xinetd
chattr +i /etc/xinetd.conf // Sets xinetd.conf to immutable. To change xinetd.conf later, you must first clear the immutable flag:
chattr -i /etc/xinetd.conf
6. Disable anonymous FTP user login. The CentOS security settings are as described above.
Edit the host.conf file (vi /etc/host.conf) and add the following lines:
order bind,hosts
multi on
nospoof on
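After working through steps 1 to 6, a defender wants to verify that each setting actually took effect and did not silently fail (for example, a PermitRootLogin line appended at the end of sshd_config is ignored when an earlier uncommented line already sets it, because sshd uses the first value it reads). The following audit script is an added example, not part of the original guide; it checks the files the guide edits, and every check takes a file path so it can be run against copies. The file name harden_audit.sh, the --run switch, and the PASS/FAIL output format are assumptions of this example.

```shell
#!/bin/sh
# Post-hardening audit for the steps in this guide (added example; not part of
# the original guide). Every check takes a file path, so it can be pointed at
# the live files or at copies, and returns 0 when the guide's setting is in place.

# Step 1: kernel ignores ICMP echo requests (the "echo 1 > .../icmp_echo_ignore_all" step).
check_icmp_ignored() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Step 1, firewall variant. Input is iptables-save output, where the ICMP type
# is numeric (8 = echo-request, 0 = echo-reply). Accepts the blanket
# "-p icmp -j DROP" or a rule naming echo-request; a rule that only drops
# echo-reply does not count.
check_fw_drops_echo_request() {
    awk '/^-A INPUT / && /-p icmp/ && /-j DROP/ {
             if ($0 !~ /--icmp-type/ || $0 ~ /--icmp-type (echo-request|8)( |$)/) found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Step 2: sshd uses the FIRST uncommented value of a keyword, so a line
# appended at the end of sshd_config only takes effect if no earlier
# uncommented line sets the same keyword. The stock CentOS file keeps
# PermitRootLogin commented out, which is why appending works there.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}
check_sshd_port() {
    port=$(sshd_value "$1" Port)
    [ -n "$port" ] && [ "$port" -ge 1000 ] 2>/dev/null
}
check_root_login_disabled() {
    [ "$(sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ]
}

# Step 2: su restricted to the wheel group (uncommented pam_wheel line in
# /etc/pam.d/su, and SU_WHEEL_ONLY in /etc/login.defs).
check_su_wheel_only() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}
check_login_defs_wheel() {
    grep -Eiq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes' "$1"
}

# Step 3: accounts from the guide's removal list that still exist in a passwd
# file. Prints the names, returns 0 when none remain ("ftp" is listed because
# the guide removes it when anonymous FTP is not offered).
# Caveat the guide omits: files owned by a deleted account keep its numeric
# UID, and a later useradd can inherit them; "find / -nouser" lists such files.
UNUSED_ACCOUNTS="adm lp sync shutdown halt news uucp operator games gopher ftp"
list_leftover_accounts() {
    leftover=""
    for u in $UNUSED_ACCOUNTS; do
        if cut -d: -f1 "$1" | grep -qx "$u"; then
            leftover="$leftover $u"
        fi
    done
    echo "${leftover# }"
    [ -z "$leftover" ]
}

# Step 4 (and the xinetd.conf flag from step 5): immutable attribute set.
# Needs lsattr on a filesystem that supports attributes (ext2/3/4).
check_immutable() {
    lsattr -d "$1" 2>/dev/null | awk 'index($1, "i") { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Step 6: anti-spoofing switched on in host.conf.
check_nospoof() {
    grep -Eiq '^[[:space:]]*nospoof[[:space:]]+on' "$1"
}

# Live audit of this host; the paths are the ones the guide edits.
report() { if "$@"; then echo "PASS: $1 $2"; else echo "FAIL: $1 $2"; fi; }
audit_host() {
    report check_icmp_ignored /proc/sys/net/ipv4/icmp_echo_ignore_all
    rules=$(mktemp) && iptables-save > "$rules" 2>/dev/null
    report check_fw_drops_echo_request "$rules"; rm -f "$rules"
    report check_sshd_port /etc/ssh/sshd_config
    report check_root_login_disabled /etc/ssh/sshd_config
    report check_su_wheel_only /etc/pam.d/su
    report check_login_defs_wheel /etc/login.defs
    report list_leftover_accounts /etc/passwd
    for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/xinetd.conf; do
        report check_immutable "$f"
    done
    report check_nospoof /etc/host.conf
}

# Run the live audit only when invoked with --run, e.g.: sh harden_audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run it as root with --run after finishing the guide; any FAIL line points at the step to revisit. The checks read plain files rather than calling sshd or iptables directly, so the same functions can be run against configuration copies pulled from several servers before changes are rolled out.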