CentOS Server Security Settings
Guide

Keep one principle in mind: minimum permissions + minimum services = maximum security. Whatever the server's role, disable the services it does not use and trim system permissions to what is actually needed.

1. Comment out users and groups the system does not need

Note: comment them out rather than deleting them. Re-creating an account later is a nuisance, and deleting one leaves the files owned by its UID unowned, to be picked up by whichever account is later created with that UID.
cp /etc/passwd /etc/passwdbak   # back up before editing
vi /etc/passwd                  # put # at the start of a line to comment the account out
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   # the anonymous FTP account
cp /etc/group /etc/groupbak     # back up before editing
vi /etc/group                   # same treatment for the groups
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:

Prefer vipw and vigr to plain vi for these files: they lock the file against a concurrent useradd. A commented-out account keeps its line in /etc/shadow, which pwck will report, and some packages expect their account to exist (cups runs as lp, vsftpd uses ftp for anonymous logins), so disable only what nothing on the box uses.
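The same clean-up done as a script rather than by hand in vi, so that it is backed up, anchored on the whole account name and safe to run twice. This is an added example, not code from the original article: the account names are the article's, the passwd/group line format is the real one, and the demo file in the usage comment is constructed. It works on /etc/group as well, since both files carry the name in the first field.

```shell
#!/bin/sh
# Added example, not from the original article: the account clean-up in
# section 1 done with a script instead of vi, so it is backed up, anchored on
# the first field, and safe to re-run. The account names come from the
# article; the passwd-style file format is the real one. Nothing else about
# the host is assumed, and the demo file in the usage comment is constructed.

# comment_out_accounts FILE NAME... -> keeps a one-time FILE.bak, then puts
# "#" in front of every line whose first field is one of NAME. Lines that are
# already commented out are left alone, so a second run changes nothing.
comment_out_accounts() {
    file=$1; shift
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    for name in "$@"; do
        # ^NAME: anchors on the whole first field: "lp" does not touch "lpadmin"
        sed -i "s/^$name:/#$name:/" "$file" || return 1
    done
}

# active_accounts FILE -> names of the accounts still enabled (uncommented).
active_accounts() {
    awk -F: '/^[^#]/ { print $1 }' "$1"
}

# interactive_accounts FILE -> enabled accounts whose shell is not
# /sbin/nologin or /bin/false. Review this list before the cosmetic ones:
# a forgotten account with /bin/bash matters more than "games".
interactive_accounts() {
    awk -F: '/^[^#]/ && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# Usage: sh disable_accounts.sh /etc/passwd adm lp uucp games gopher ftp
if [ "$#" -gt 1 ]; then
    comment_out_accounts "$@"
    echo "still enabled with a login shell:"
    interactive_accounts "$1"
fi
```

Run interactive_accounts first: the accounts worth worrying about are the ones with a real shell, not the nologin entries the article comments out for tidiness.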
2. Shut down services the system does not need

service acpid stop; chkconfig acpid off           # stop the service and remove it from startup; ACPI power management, mainly useful on laptops
service autofs stop; chkconfig autofs off         # automounter for filesystems and removable devices
service bluetooth stop; chkconfig bluetooth off   # Bluetooth
service cpuspeed stop; chkconfig cpuspeed off     # CPU frequency scaling, a power-saving feature
service cups stop; chkconfig cups off             # Common UNIX Printing System
service ip6tables stop; chkconfig ip6tables off   # IPv6 firewall

Stopping ip6tables is only sensible if IPv6 is disabled on the host as well; otherwise the IPv6 side of every listening service is left unfiltered while iptables guards only IPv4.

To bring a service back, do the reverse:
service acpid start; chkconfig acpid on
3. Stop non-root users from running the scripts in /etc/rc.d/init.d

chmod -R 700 /etc/rc.d/init.d/*
chmod -R 755 /etc/rc.d/init.d/*   # restore the default

Never "restore" with 777: init scripts run as root at boot, so making them world-writable hands any local user a root shell at the next reboot.
4. Make the following files immutable so that nobody can tamper with them

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services   # lock the service/port list so entries cannot be removed or added
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services   # show the attributes

Note: while these attributes are set, users cannot be added or deleted, and passwd cannot change a password either, because it writes a new /etc/shadow rather than editing the old one in place. To make such a change, clear the attribute, do the work, then lock the files again:

chattr -i /etc/passwd
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services

The immutable flag can be removed by root, so this guards against mistakes and careless scripts, not against an attacker who already has root.
5. Restrict the permissions of individual files

chattr +a .bash_history   # append-only: the history cannot be truncated or redirected to /dev/null
chattr +i .bash_history
chmod 700 /usr/bin        # restore: chmod 555 /usr/bin
chmod 700 /bin/ping       # restore: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim    # restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat    # restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail   # restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less   # restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head   # restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat        # restore: chmod 755 /bin/cat
chmod 700 /bin/uname      # restore: chmod 755 /bin/uname
chmod 500 /bin/ps         # restore: chmod 755 /bin/ps

Three caveats. Setting +i on .bash_history stops bash from writing to it at all, so nothing new is recorded; +a alone gives the append-only behaviour you want. chmod 700 /usr/bin locks every non-root user out of nearly every command on the box, and chmod 700 /bin/ping drops the setuid bit, so only root can ping. And hiding cat, tail or ps from ordinary users is obscurity rather than a boundary: a user with a shell can upload their own copy.
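Sections 3 and 5 change modes by hand and quote the restore values from memory, which is how a world-writable init.d ends up in production. The following is an added example, not part of the original article: it keeps the intended modes in a baseline file and reports drift, so both the hardening and the rollback can be verified. The baseline format ("path octal-mode") and the sample entries are assumptions; stat(1) and find(1) are used as GNU coreutils and findutils ship them.

```shell
#!/bin/sh
# Added example, not from the original article. Sections 3 and 5 change modes
# by hand and give "restore" values from memory, which is how a world-writable
# init.d ends up in production. This keeps the intended modes in a baseline
# file and reports drift, so the change and the rollback can both be checked.
# The baseline format ("path octal-mode") and the sample entries are
# assumptions; stat(1) and find(1) are used as GNU coreutils/findutils ship them.

# check_modes BASELINE -> prints "PATH expected=MODE actual=MODE" for each
# mismatch and returns 1 if there was any; 0 when everything matches.
# Lines starting with # and blank lines are ignored. Missing paths count as
# drift too, since a removed setuid binary is still a change worth knowing.
check_modes() {
    rc=0
    while read -r path mode; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "$path expected=$mode actual=missing"; rc=1; continue
        fi
        actual=$(stat -c '%a' "$path")
        if [ "$actual" != "$mode" ]; then
            echo "$path expected=$mode actual=$actual"; rc=1
        fi
    done < "$1"
    return $rc
}

# world_writable DIR -> regular files under DIR that anyone can write.
# This is the check that catches "chmod -R 777" used as a restore command.
world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Sample baseline for the article's targets (the CentOS 5 defaults that the
# restore commands put back, with init.d scripts at 755, never 777):
#   /bin/ping               4755
#   /bin/ps                 755
#   /usr/bin/vim            755
#   /etc/rc.d/init.d/sshd   755
if [ "$#" -gt 0 ]; then
    check_modes "$1"
fi
```

Keep one baseline for the hardened state and one for the defaults; running check_modes against the right one before and after a change turns "I think I restored it" into a yes or no.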
6. Do not let Ctrl+Alt+Del reboot the server

cp /etc/inittab /etc/inittabbak
vi /etc/inittab   # comment out the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
init q            # make init re-read inittab without a reboot
7. Update the system with yum without updating the kernel, so only packages are refreshed

Because of compatibility problems between a new kernel and the hardware, a server can fail to boot after a kernel upgrade, which is a bad place to be; without a specific need, do not upgrade the kernel casually. Be clear about what this trades away: kernel updates are the ones that fix local privilege escalations, and yum keeps the previously installed kernels, so the old one stays selectable in GRUB if the new one misbehaves. Applying kernel updates in a maintenance window with console access is the safer middle ground.

cp /etc/yum.conf /etc/yum.confbak
Method 1: edit the yum configuration. vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section.
Method 2: pass the exclusion on the command line: yum --exclude=kernel* update
cat /etc/issue   # show the system version
uname -          # show the kernel version
8. Disable automatic CentOS updates (yum-updatesd)

chkconfig --list yum-updatesd             # show the current state
yum-updatesd    0:off  1:off  2:on  3:on  4:on  5:on  6:off
service yum-updatesd stop                 # stop the running daemon
Stopping yum-updatesd:  [  OK  ]
service yum-updatesd status               # confirm it is stopped
chkconfig --level 35 yum-updatesd off     # remove it from startup in runlevels 3 and 5 only
chkconfig yum-updatesd off                # or remove it from every runlevel (2 through 5)
chkconfig --list yum-updatesd             # state after the --level 35 form
yum-updatesd    0:off  1:off  2:on  3:off  4:on  5:off  6:off

Turning the daemon off means nobody applies patches unless you do; put a regular yum update (with the kernel exclusion from section 7, if you keep it) on your own schedule.
9. Close the redundant virtual consoles

Switching from the console to X Window is usually done with Alt-F7. Why F7? Because the system defines six virtual consoles by default, so X gets the seventh. Most servers do not need six; edit /etc/inittab and comment out the ones you do not want, keeping tty1 so there is still a local login when SSH is unavailable.

cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
init q   # make init re-read inittab
10. Tune Linux kernel parameters

cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf   # append the following to the end of the file
net.ipv4.ip_forward = 1   # change to 1 (but see the note below)
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p   # apply immediately

Most of these are throughput settings rather than hardening, and a few deserve a second look. ip_forward = 1 makes the host route packets between its interfaces; a server that is not a gateway has no reason to do that, so leave it at 0 unless forwarding is its job. tcp_tw_recycle depends on TCP timestamps, so with tcp_timestamps = 0 it does nothing, and when it does work it drops connections from clients behind NAT (later kernels removed it). tcp_tw_len is not a kernel key. The two ip_conntrack_max lines point at the same counter, so pick one value, and the conntrack keys only exist once the conntrack module is loaded, which is why sysctl -p reports them as unknown at boot on a box with no iptables rules yet.
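sysctl -p applies the fragment, but it leaves you with whatever the running kernel accepted: keys that do not exist are reported and skipped, and any value can be changed later by hand or by another script. The following is an added example, not from the original article: it compares a sysctl.conf-style file with the live values under /proc/sys so drift shows up as a list. The optional PROCROOT argument exists only so the check can be run against a constructed fake tree; the key-to-path mapping (dots become slashes) is how sysctl itself works, and the sample file in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. "sysctl -p" applies the
# fragment from section 10, but keys the running kernel does not have (here
# the ip_conntrack ones, which only appear once the conntrack module is
# loaded, and tcp_tw_len, which does not exist at all) are reported as errors
# and skipped, and any value can later be changed by hand or by another
# script. This compares a sysctl.conf-style file with the live values under
# /proc/sys so drift shows up as a list. The optional PROCROOT argument only
# exists so the check can be run against a constructed fake tree; on a real
# host leave it out. The key-to-path mapping (dots become slashes) is how
# sysctl really works; the sample file in the usage comment is constructed.

# sysctl_drift CONF [PROCROOT] -> prints "key want=X have=Y" for each mismatch
# and "key missing" for keys that do not exist; returns 0 only if all match.
sysctl_drift() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    # The normalised config ("key=value", no comments or blank lines) is fed
    # through a heredoc rather than a pipe so the loop runs in this shell and
    # rc survives it.
    while IFS='=' read -r key want; do
        key=$(echo "$key" | tr -d '[:space:]')
        if [ -z "$key" ]; then continue; fi
        path="$root/$(echo "$key" | tr . /)"
        if [ ! -f "$path" ]; then
            echo "$key missing"; rc=1; continue
        fi
        # /proc/sys separates multi-value entries with tabs; fold all runs of
        # whitespace to one space on both sides before comparing.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
        want=$(echo "$want" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        if [ "$have" != "$want" ]; then
            echo "$key want=$want have=$have"; rc=1
        fi
    done <<EOF
$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/=/' "$conf")
EOF
    return $rc
}

# Usage: sysctl_drift /etc/sysctl.conf   (right after sysctl -p, expect no output)
if [ "$#" -gt 0 ]; then
    sysctl_drift "$@"
fi
```

Run it once right after sysctl -p to see which keys the kernel refused, and again from cron to catch settings that drifted afterwards.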
11. CentOS system tuning

cp /etc/profile /etc/profilebak2
vi /etc/profile   # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile   # apply immediately
ulimit -a             # show the current per-process limits

Two of these lines contradict each other: ulimit -c unlimited allows core dumps, and ulimit -S -c 0 a few lines later sets the soft limit back to zero (the hard limit stays unlimited, so a process can raise it again). A core file from a daemon can contain passwords and keys, so 0 is the safer choice; keep one line or the other. Also, /etc/profile is read only by login shells; daemons started from init.d never see it, so their limits have to be set in the init script itself.
12. Make the server ignore ping

cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local   # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

A value of 0 (the default) means echo requests are answered; 1 means they are ignored. The setting belongs more naturally in /etc/sysctl.conf from section 10, as net.ipv4.icmp_echo_ignore_all = 1, where sysctl -p applies it. Bear in mind that ignoring ping hides nothing from a port scanner, since every listening TCP port still answers, and it blinds your own monitoring; a rate limit on ICMP echo in iptables is usually the better compromise.
That covers the basic CentOS Linux server security settings. The settings above have been tested by the author on CentOS-5.5-x86_64 and work; for further security settings and server optimization, please test on your own.
Original article: http://www.osyunwei.com/archives/754.html (original author: qihang01)
This article is reprinted from: http://www.linuxprobe.com/centos-server-security-settings/