CentOS Server Security Settings

Source: Internet
Author: User
Tags: gopher, centos, server


We must understand: minimum permissions + minimum services = maximum security.

Therefore, whatever server you are configuring, disable the services you do not use and reduce system permissions to the minimum required, so that the server is as secure as it can be. Below are CentOS server security settings for your reference.

1. Comment out unnecessary users and user groups.
Note: It is not recommended to delete a user outright; commenting the line out keeps the entry, so if the account is needed again it can be restored simply by removing the #.
cp /etc/passwd /etc/passwdbak    # back up before modifying
vi /etc/passwd                   # edit the file and prefix each unneeded user with #
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comment out the anonymous FTP account
cp /etc/group /etc/groupbak    # back up before modifying
vi /etc/group                  # edit the file and prefix each unneeded group with #
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
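The same back-up-then-comment-out step done non-interactively, as an added example that is not part of the original article. The function names (comment_out_accounts, login_capable_count, harden_passwd_file, make_sample_passwd) and the sample passwd content are constructed for this example; it works on a copy, so nothing here touches the real /etc/passwd unless you pass that path yourself.

```shell
#!/bin/sh
# Added example (not from the original article): comment out accounts in a
# passwd-format file the way section 1 does by hand, and count what is left.

# Print $1 (a passwd-format file) with the accounts named in $2 (space-separated)
# commented out. Lines that already start with # are left alone.
comment_out_accounts() {
    awk -v list="$2" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) drop[want[i]] = 1 }
        /^#/ { print; next }
        { split($0, f, ":"); if (f[1] in drop) print "#" $0; else print }
    ' "$1"
}

# Count the active (uncommented) accounts whose login shell is not nologin or
# false: the ones that could still be used to log in interactively.
login_capable_count() {
    awk -F: '!/^#/ && NF >= 7 && $7 !~ /\/(nologin|false)$/ { c++ } END { print c + 0 }' "$1"
}

# Apply the change to a file in place, keeping a backup named like the
# article's cp step (/etc/passwd -> /etc/passwdbak).
# Usage: harden_passwd_file /etc/passwd "lp games gopher"
harden_passwd_file() {
    cp "$1" "$1bak" || return 1
    comment_out_accounts "$1bak" "$2" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample passwd file for a dry run (not a real server's file).
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
games:x:12:100:games:/usr/games:/sbin/nologin
webuser:x:500:500:web app:/home/webuser:/bin/bash
EOF
    printf '%s\n' "$f"
}

# Dry run on the constructed sample: show the result without touching /etc/passwd.
sample=$(make_sample_passwd)
comment_out_accounts "$sample" "lp sync games"
```

On a live system, run the audit count before and after the change; if the files are already locked with chattr +i (section 4) the mv will fail, so unlock first. Note that the sync account keeps a real shell (/bin/sync) even after the nologin accounts are gone, which is why the count treats it as login-capable.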
2. Shut down services the system does not need
service acpid stop; chkconfig acpid off            # stop the service and remove it from startup; advanced power management, mostly useful on laptops
service autofs stop; chkconfig autofs off          # automatic mounting of file systems and removable devices
service bluetooth stop; chkconfig bluetooth off    # Bluetooth
service cpuspeed stop; chkconfig cpuspeed off      # CPU frequency scaling, mainly for power saving
service cups stop; chkconfig cups off              # Common UNIX Printing System (printer support)
service ip6tables stop; chkconfig ip6tables off    # the IPv6 firewall (stopping it does not turn IPv6 itself off)
To restore a service later:
service acpid start; chkconfig acpid on
3. Prevent non-root users from running the system scripts under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 777 /etc/rc.d/init.d/*    # the author's restore command; note that the stock mode of these scripts is 755, and 777 makes them world-writable
System O & M www.osyunwei.com reminder: qihang01 original content©All rights reserved. For more information, see the source and original link.
4. Make the following files immutable so that unauthorized users cannot alter accounts or permissions.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the service/port list so services cannot be added or removed without authorization
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # display the file attributes
Note: once these attributes are set, users cannot be added or deleted.
To add or delete a user, remove the attribute first, make the change, then set it again:
chattr -i /etc/passwd    # remove the immutable lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services    # unlock the service/port list
Now you can add or delete users. When finished, lock the files again with chattr +i as above.
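An added example, not part of the original article, that checks which of the locked files have actually lost the i flag (by parsing lsattr output) and wraps the unlock-change-relock cycle so the files are relocked even when the change fails. The function names, the LOCKED_FILES list and the lsattr lines fed in at the end are constructed for this example; with_unlocked assumes root and e2fsprogs' chattr.

```shell
#!/bin/sh
# Added example (not from the original article): verify and manage the
# chattr +i lock on the account files from section 4.

LOCKED_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"

# Return 0 if one line of lsattr output (flags, then the file name) shows the
# lowercase i (immutable) flag. Only the flags field is inspected, so an i in
# the file name does not count.
lsattr_line_immutable() {
    flags=${1%% *}
    case $flags in *i*) return 0 ;; esac
    return 1
}

# Read lsattr output on stdin and print the files that are NOT immutable,
# i.e. the ones someone has unlocked (or that were never locked).
unlocked_files() {
    while read -r flags name; do
        case $flags in
            *i*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Run a command with the account files temporarily unlocked, then relock them
# whether or not the command succeeded. Requires root.
# Usage: with_unlocked useradd -m webuser
with_unlocked() {
    chattr -i $LOCKED_FILES || return 1
    "$@"; rc=$?
    chattr +i $LOCKED_FILES
    return $rc
}

# Real check: lsattr $LOCKED_FILES | unlocked_files
# Demo on constructed lsattr lines (not real output from a server):
printf '%s\n' '----i-------- /etc/passwd' '------------- /etc/group' | unlocked_files
```

Running `lsattr $LOCKED_FILES | unlocked_files` from cron and alerting on any output is a cheap way to notice that a lock was removed and not put back.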
5. Restrict the permissions of specific files
chattr +a .bash_history    # append-only: prevents the history from being deleted or redirected to /dev/null
chattr +i .bash_history    # note: with +i set as well, nothing can be appended either, so no new history is recorded
chmod 700 /usr/bin          # restore: chmod 555 /usr/bin
chmod 700 /bin/ping         # restore: chmod 4755 /bin/ping (ping needs the setuid bit to work for ordinary users)
chmod 700 /usr/bin/vim      # restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat      # restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail     # restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less     # restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head     # restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat          # restore: chmod 755 /bin/cat
chmod 700 /bin/uname        # restore: chmod 755 /bin/uname
chmod 500 /bin/ps           # restore: chmod 755 /bin/ps
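An added example, not from the original article, that audits the modes above against an expected list so that drift (a package update restoring 755, or a setuid bit coming back on ping) is reported rather than discovered by accident. The HARDENED_MODES list is constructed from the author's commands, the function names are this example's own, file_mode relies on GNU stat, and make_fake_tree builds a throwaway directory tree so the audit can be exercised without touching the real binaries.

```shell
#!/bin/sh
# Added example (not from the original article): audit file modes from section 5.

# Expected hardened modes, "path mode" per line. Constructed from the author's
# list above; adjust to your own policy.
HARDENED_MODES='/usr/bin 700
/bin/ping 700
/usr/bin/vim 700
/bin/netstat 700
/bin/ps 500'

# Print the octal mode of a file (GNU stat), or nothing if it does not exist.
# A setuid binary shows as four digits, e.g. 4755.
file_mode() { stat -c '%a' "$1" 2>/dev/null; }

# Compare each listed path with its expected mode and print one line per path:
# OK, DIFF (with both modes) or MISSING. $1 is an optional prefix so the audit
# can be run against a fake tree instead of the live root.
audit_modes() {
    prefix=${1:-}
    printf '%s\n' "$HARDENED_MODES" | while read -r path want; do
        have=$(file_mode "$prefix$path")
        if [ -z "$have" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$have" != "$want" ]; then
            printf 'DIFF %s have=%s want=%s\n' "$path" "$have" "$want"
        else
            printf 'OK %s\n' "$path"
        fi
    done
}

# Constructed fake tree for a dry run; prints its root directory.
make_fake_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/bin"
    : > "$root/bin/ping"; : > "$root/bin/ps"; : > "$root/bin/netstat"; : > "$root/usr/bin/vim"
    chmod 700 "$root/usr/bin" "$root/bin/ping" "$root/usr/bin/vim"
    chmod 755 "$root/bin/netstat"    # deliberately left at the stock mode
    chmod 500 "$root/bin/ps"
    printf '%s\n' "$root"
}

# Demo: audit the fake tree. On a real server run audit_modes with no argument.
audit_modes "$(make_fake_tree)"
```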
6. Prevent the server from being rebooted with Ctrl+Alt+Del.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab    # comment out the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
7. Update the system with yum update without updating the kernel; only software packages are updated.

Because of compatibility problems between the system and the hardware, it is possible that the server will not boot normally after a kernel upgrade. That is a bad outcome, and unless there is a specific need we recommend that you do not upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
(1) Edit the yum configuration file with vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section.
(2) Or pass the parameter directly on the yum command line:
yum --exclude=kernel* update
View the system version: cat /etc/issue
View the kernel version: uname -r
8. Disable automatic CentOS updates
chkconfig --list yum-updatesd    # show the current status
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
service yum-updatesd stop        # stop the running service
Stopping yum-updatesd:                                     [  OK  ]
service yum-updatesd status      # confirm it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off    # disable in runlevels 3 and 5 only
chkconfig yum-updatesd off               # disable in all runlevels
chkconfig --list yum-updatesd            # show the status again
yum-updatesd    0:off   1:off   2:on    3:off   4:on    5:off   6:off
9. Disable redundant virtual consoles
Switching from the console to X Window normally uses Alt-F7. Why F7? Because the system defines six virtual consoles by default, so X is the seventh. Most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
10. Delete the MySQL history
MySQL also records the SQL statements run after you log in to the database, in the .mysql_history file in the user's home directory.
If a database user changes a database password with an SQL statement, that password is leaked through .mysql_history as well.
Therefore, do not put the password after -p when logging in or backing up from the shell; enter the database password at the prompt instead.
Beyond that, we should stop both files from recording our operations at all, just in case.
cd
cp .bash_history .bash_historybak    # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history
11. Change the number of commands kept in the shell history
cp /etc/profile /etc/profilebak
vi /etc/profile
Change HISTSIZE=1000 to HISTSIZE=50
12. Hide server system information
By default, when you log in to a Linux system it tells you the name and version of the Linux distribution, the kernel version, and the server name.
To stop this default information from leaking, perform the following so that only a "login:" prompt is shown.
Delete the files /etc/issue and /etc/issue.net, or rename them; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak
13. Optimize Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf    # add the following at the end of the file
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# tcp_tw_recycle depends on TCP timestamps (disabled above), breaks clients behind NAT, and no longer exists in kernels from 4.12 on
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
# Port range used for outgoing connections. The default (32768 to 61000) is small.
# Do not set the lower bound too low, or ports that services normally listen on may be taken.
# Keep this note on its own line: sysctl treats everything after the = as the value.
net.ipv4.ip_local_port_range = 10024 65535
/sbin/sysctl -p    # apply the configuration immediately
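An added example, not part of the original article, that audits a sysctl.conf against the values you intend to set, so a missing line, a stale value or a commented-out entry shows up before sysctl -p is run. The WANTED list is a constructed subset of the author's settings, the function names are this example's own, and the sample configuration file is constructed for the dry run rather than taken from any server.

```shell
#!/bin/sh
# Added example (not from the original article): audit sysctl.conf from section 13.

# Desired settings, "key=value" per line. Constructed subset of the list above.
WANTED='net.ipv4.tcp_max_syn_backlog=65536
net.core.somaxconn=32768
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_synack_retries=2
net.ipv4.ip_local_port_range=10024 65535'

# Print the effective value of key $2 in sysctl.conf-style file $1: comment
# lines (# or ;) and blank lines are skipped, whitespace around = and inside
# multi-valued settings is normalised, and the last assignment wins, which is
# the order sysctl -p applies them in. Prints nothing if the key is absent.
sysctl_conf_value() {
    awk -F'=' -v key="$2" '
        /^[ \t]*([#;]|$)/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != key) next
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
            val = v; found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# Compare file $1 with WANTED; one line per key: OK, DIFF or MISSING.
audit_sysctl_conf() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        have=$(sysctl_conf_value "$1" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'DIFF %s have=%s want=%s\n' "$key" "$have" "$want"
        else
            printf 'OK %s\n' "$key"
        fi
    done
}

# Constructed sample configuration for the dry run (not a real server's file).
make_sample_sysctl_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.tcp_max_syn_backlog = 65536
# net.core.somaxconn = 32768
net.ipv4.tcp_timestamps = 1
net.ipv4.ip_local_port_range = 10024  65535
EOF
    printf '%s\n' "$f"
}

# Demo on the sample; pass the real file as $1 to audit it instead.
audit_sysctl_conf "${1:-$(make_sample_sysctl_conf)}"
```

The audit only reads the file. To compare against the running kernel as well, substitute `sysctl -n "$key"` for sysctl_conf_value in the loop; the two can legitimately differ until sysctl -p has been run.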
14. CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile    # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535    # note: a non-root login can only raise the hard limit this far if /etc/security/limits.conf already allows it
source /etc/profile    # apply the configuration immediately
ulimit -a              # show the current user's process limits
15. Stop the server from answering ping
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local    # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
A value of 0 allows ping replies; 1 ignores all ICMP echo requests.

This completes the basic CentOS Linux server security settings. The author has tested all of the above on CentOS-5.5-x86_64 and found them fully usable; please test any further security settings and server optimizations yourself.
