CentOS Server Security Settings

Source: Internet
Author: User
Tags: gopher, centos, server

Keep one principle in mind: minimum privilege + minimum service = maximum security. Whatever the server is for, shut down the services it does not need and reduce system permissions to the minimum required; that is what keeps the server as secure as possible.

1. Comment out users and groups the system does not need

Note: deleting them outright is not recommended; re-adding an account later, when something turns out to need it, is tedious.

    cp /etc/passwd /etc/passwdbak        # back up before editing
    vi /etc/passwd                       # edit the user list; put # at the start of each of these lines to comment it out
    #adm:x:3:4:adm:/var/adm:/sbin/nologin
    #lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    #sync:x:5:0:sync:/sbin:/bin/sync
    #shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    #halt:x:7:0:halt:/sbin:/sbin/halt
    #uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    #operator:x:11:0:operator:/root:/sbin/nologin
    #games:x:12:100:games:/usr/games:/sbin/nologin
    #gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
    # the next line is the anonymous ftp account
    #ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    cp /etc/group /etc/groupbak          # back up before editing
    vi /etc/group                        # edit the group list; put # at the start of each of these lines
    #adm:x:4:root,adm,daemon
    #lp:x:7:daemon,lp
    #uucp:x:14:uucp
    #games:x:20:
    #dip:x:40:
2. Shut down services the system does not need

Each pair stops the service now and removes it from the boot sequence:

    service acpid stop
    chkconfig acpid off          # advanced power management, mostly used on laptops
    service autofs stop
    chkconfig autofs off         # automatic mounting of file systems and removable devices
    service bluetooth stop
    chkconfig bluetooth off      # Bluetooth
    service cpuspeed stop
    chkconfig cpuspeed off       # CPU frequency scaling, mainly for power saving
    service cups stop
    chkconfig cups off           # Common UNIX Printing System, printer support
    service ip6tables stop
    chkconfig ip6tables off      # IPv6 firewall

To bring a service back later, reverse the two commands:

    service acpid start
    chkconfig acpid on
3. Forbid non-root users from executing the scripts under /etc/rc.d/init.d/

    chmod -R 700 /etc/rc.d/init.d/*
    chmod -R 777 /etc/rc.d/init.d/*    # restore the default settings
4. Set the immutable attribute on the following files so that unauthorized users cannot change them

    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/group
    chattr +i /etc/gshadow
    chattr +i /etc/services      # lock the system service port list so services cannot be deleted or added without authorization
    lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # show the file attributes

Note: once these attributes are set, users cannot be added or deleted. To add or delete a user, first remove the attribute, make the change, and then set it again:

    chattr -i /etc/passwd        # remove the lock
    chattr -i /etc/shadow
    chattr -i /etc/group
    chattr -i /etc/gshadow
    chattr -i /etc/services      # unlock the system service port list

Users can now be added or deleted; lock the files again once the change is done.
5. Restrict permissions on individual files

The command after "restore:" puts the file back to its default mode:

    chattr +a .bash_history      # prevent .bash_history from being deleted or redirected to /dev/null
    chattr +i .bash_history
    chmod 700 /usr/bin           # restore: chmod 555 /usr/bin
    chmod 700 /bin/ping          # restore: chmod 4755 /bin/ping
    chmod 700 /usr/bin/vim       # restore: chmod 755 /usr/bin/vim
    chmod 700 /bin/netstat       # restore: chmod 755 /bin/netstat
    chmod 700 /usr/bin/tail      # restore: chmod 755 /usr/bin/tail
    chmod 700 /usr/bin/less      # restore: chmod 755 /usr/bin/less
    chmod 700 /usr/bin/head      # restore: chmod 755 /usr/bin/head
    chmod 700 /bin/cat           # restore: chmod 755 /bin/cat
    chmod 700 /bin/uname         # restore: chmod 755 /bin/uname
    chmod 500 /bin/ps            # restore: chmod 755 /bin/ps
6. Disable the Ctrl+Alt+Del shortcut so it cannot restart the server

    cp /etc/inittab /etc/inittabbak
    vi /etc/inittab              # comment out the line below
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
7. Update the system with yum update without upgrading the kernel; update only the packages

Because of system and hardware compatibility issues, a server may fail to boot normally after a kernel upgrade, which is a serious problem. Unless there is a specific need, do not upgrade the kernel casually.

    cp /etc/yum.conf /etc/yum.confbak

1. Edit the yum configuration file with vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section.
2. Or pass the parameter directly on the yum command line:

    yum --exclude=kernel* update

View the system version with cat /etc/issue and the kernel version with uname -a.
8. Turn off CentOS automatic updates

    chkconfig --list yum-updatesd            # show the current state
    yum-updatesd    0:off 1:off 2:on 3:on 4:on 5:on 6:off
    service yum-updatesd stop                # stop the service (the parameter is start or stop)
    Stopping yum-updatesd:                   [  OK  ]
    service yum-updatesd status              # check that it is stopped
    yum-updatesd is stopped
    chkconfig --level 35 yum-updatesd off    # do not start at boot in runlevels 3 and 5
    chkconfig yum-updatesd off               # do not start at boot in any runlevel
    chkconfig --list yum-updatesd            # show the current state
    yum-updatesd    0:off 1:off 2:on 3:off 4:on 5:off 6:off
9. Close redundant virtual consoles

Switching from the console to X is usually done with Alt-F7. Why F7? Because the system defines six virtual consoles by default, so X becomes the seventh. Most people do not need that many; edit /etc/inittab and comment out the ones you do not use.

    cp /etc/inittab /etc/inittabbak
    vi /etc/inittab
    # Run gettys in standard runlevels
    1:2345:respawn:/sbin/mingetty tty1
    #2:2345:respawn:/sbin/mingetty tty2
    #3:2345:respawn:/sbin/mingetty tty3
    #4:2345:respawn:/sbin/mingetty tty4
    #5:2345:respawn:/sbin/mingetty tty5
    #6:2345:respawn:/sbin/mingetty tty6
10. Optimizing Linux kernel parameters

Change the existing net.ipv4.ip_forward line to 1 and append the remaining lines at the end of the file:

    cp /etc/sysctl.conf /etc/sysctl.confbak
    vi /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.core.somaxconn = 262144
    net.core.netdev_max_backlog = 262144
    net.core.wmem_default = 8388608
    net.core.rmem_default = 8388608
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    net.ipv4.netfilter.ip_conntrack_max = 131072
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
    net.ipv4.route.gc_timeout = 20
    net.ipv4.ip_conntrack_max = 819200
    net.ipv4.ip_local_port_range = 10024 65535
    net.ipv4.tcp_retries2 = 5
    net.ipv4.tcp_fin_timeout = 30
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.ipv4.tcp_timestamps = 0
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_tw_len = 1
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_keepalive_time = 120
    net.ipv4.tcp_keepalive_probes = 3
    net.ipv4.tcp_keepalive_intvl = 15
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.tcp_max_orphans = 3276800
    net.ipv4.tcp_max_syn_backlog = 262144
    net.ipv4.tcp_wmem = 8192 131072 16777216
    net.ipv4.tcp_rmem = 32768 131072 16777216
    net.ipv4.tcp_mem = 94500000 915000000 927000000
    /sbin/sysctl -p              # apply the configuration immediately
11. CentOS system optimization

    cp /etc/profile /etc/profilebak2
    vi /etc/profile              # append the following lines at the end of the file
    ulimit -c unlimited
    ulimit -s unlimited
    ulimit -SHn 65535
    ulimit -S -c 0
    export LC_ALL=C
    source /etc/profile          # apply the configuration immediately
    ulimit -a                    # show the current per-user process limits
12. Disable ping responses on the server

    cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
    vi /etc/rc.d/rc.local        # add the line below at the end of the file
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

A value of 0 allows ping replies; 1 disables them.
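An audit script, added here and not part of the original article, that checks the outcome of step 1 (unused accounts in /etc/passwd) and step 10 (kernel parameters in /etc/sysctl.conf) against constructed sample files; the account list and sysctl values come from the steps above, while make_samples, check_unused_accounts and check_sysctl are names chosen for this example.

```shell
#!/bin/sh
# Added audit helper (not from the original article): checks a passwd-format
# file for the accounts the article comments out and a sysctl.conf-format file
# for a few of the article's values. Paths are parameters, so it runs on the
# constructed samples below or on copies of the real files.
UNUSED_ACCOUNTS="adm lp sync shutdown halt uucp operator games gopher ftp"

# Print each unused account whose passwd line is still active (not commented
# out); the return status is the number found.
check_unused_accounts() {
    found=0
    for acct in $UNUSED_ACCOUNTS; do
        grep -q "^$acct:" "$1" && { echo "active account: $acct"; found=$((found + 1)); }
    done
    return $found
}

# Compare selected article values with a sysctl.conf-format file; the last
# assignment of a key wins, as for sysctl itself. Site-specific keys such as
# net.ipv4.ip_forward are left out. Returns the number of missing/differing keys.
check_sysctl() {
    bad=0
    while read -r key want; do
        esc=$(printf '%s\n' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" |
               tail -n 1 | tr -s '[:space:]' ' ' | sed 's/ $//')
        [ "$have" = "$want" ] || { echo "$key: expected '$want', found '${have:-<unset>}'"; bad=$((bad + 1)); }
    done <<'EOF'
net.ipv4.tcp_timestamps 0
net.ipv4.tcp_syn_retries 1
net.ipv4.tcp_max_syn_backlog 262144
net.ipv4.ip_local_port_range 10024 65535
EOF
    return $bad
}

# Write constructed sample files (not real system files) into directory $1.
make_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        '#adm:x:3:4:adm:/var/adm:/sbin/nologin' \
        'games:x:12:100:games:/usr/games:/sbin/nologin' \
        'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'net.ipv4.tcp_timestamps = 0' '# net.ipv4.tcp_syn_retries = 1' \
        'net.ipv4.tcp_max_syn_backlog = 1024' \
        'net.ipv4.ip_local_port_range = 10024 65535' > "$1/sysctl.conf"
}

dir=$(mktemp -d); make_samples "$dir"; n=0; m=0
check_unused_accounts "$dir/passwd" || n=$?; check_sysctl "$dir/sysctl.conf" || m=$?
echo "active unused accounts: $n, sysctl mismatches: $m"; rm -rf "$dir"
```

On the samples the run reports games and ftp as still active and two sysctl problems (tcp_syn_retries unset, tcp_max_syn_backlog wrong); point the two check functions at copies of the real files to audit a host.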
At this point the CentOS Linux server security settings are basically complete. The author tested all of the above on CentOS 5.5 x86_64 and found it fully usable; further security settings and server optimization are left for you to test yourself.

This article was reproduced from: http://www.linuxprobe.com/centos-server-security-settings/
