Environment Preparation:
1) Set the system locale to en_US.UTF-8
# sed -i 's/^\(LANG=\).*$/\1"en_US.UTF-8"/' /etc/sysconfig/i18n
# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8"
# LANG=en_US.UTF-8
2) Update the system software packages
Back up the default yum sources:
# find /etc/yum.repos.d -name '*.repo' -exec mv {} {}.bak \;
Add the 163 (NetEase mirror) yum source:
RHEL5 or CentOS5:
# wget -P /etc/yum.repos.d
RHEL6 or CentOS6:
# wget -P /etc/yum.repos.d
Add the EPEL yum source:
RHEL5.x 32-bit
# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
RHEL5.x 64-bit
# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
RHEL6.x 32-bit
# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
RHEL6.x 64-bit
# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Update the CA certificates first (from the base repo, not EPEL):
# yum -y upgrade ca-certificates --disablerepo=epel
Update all system packages:
# yum clean all
# yum makecache
# yum -y upgrade
The following uses RHEL5/CentOS5 as the example.
First, the principle of service minimization
Turn off every service that starts at boot, then turn on only sshd, crond, network, iptables and syslog (RHEL5) or rsyslog (RHEL6), and add further services on top of that only as they are actually needed.
1) Turn off all boot-time services
# for i in `chkconfig --list | awk '{if ($1~/^$/) {exit 0;} else {print $1}}'`; do chkconfig $i off; done
2) Turn on the basic services
# for i in sshd network syslog crond iptables; do chkconfig $i on; done
3) View the services that are now on
# chkconfig --list | grep '3:on'
crond           0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables        0:off 1:off 2:on 3:on 4:on 5:on 6:off
network         0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd            0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog          0:off 1:off 2:on 3:on 4:on 5:on 6:off
Second, user login restrictions
1) Disable remote SSH login as root
# cd /etc/ssh
# cp sshd_config sshd_config~
# sed -i 's/#\(PermitRootLogin \)yes/\1no/' sshd_config
# grep 'PermitRoot' /etc/ssh/sshd_config
PermitRootLogin no
2) Disable the login banner
# > /etc/motd
3) Change the default SSH listening port (tcp/22)
# sed -i 's/#\(Port \)22/\11983/' sshd_config    // changed here to TCP port 11983
# grep '^Port' sshd_config
Port 11983
4) Allow only specified IPs to SSH in (optional)
Method 1 (TCP wrappers):
# echo "sshd:192.168.124.0/255.255.255.0" >> /etc/hosts.allow    // only the 192.168.124.0 network may use SSH
# echo "sshd:ALL" >> /etc/hosts.deny
Method 2 (iptables):
Take care when doing this over a remote connection so that you do not lock yourself out. For example, to allow SSH only from the 192.168.1.0 network and drop every other source:
# iptables -I INPUT -s 10.0.0.1 -p tcp --dport 22 -j ACCEPT          // allow your own IP first, as a safeguard
# iptables -I INPUT 2 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT  // allow the 192.168.1.0 network
# iptables -I INPUT 3 -p tcp --dport 22 -j DROP                      // drop everyone else
Save the iptables rules:
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables~
# iptables-save > /etc/sysconfig/iptables
Finally, restart sshd so the configuration above takes effect (do not worry about the remote terminal you are working in being cut off by the restart; the new settings only apply to newly opened connections):
# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
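The sed edits above only work when the stock commented-out template line (`#PermitRootLogin yes`, `#Port 22`) is present, and a commented line is not a setting: sshd falls back to its compiled-in default. The added example below (this editor's code, not the post's) applies the same two edits to any copy of sshd_config with a backup, appends the directive when no template line exists, reads back the effective values the way sshd resolves them (first uncommented occurrence, default otherwise), and generates the three iptables rules from the chosen port so that step 4 stays consistent with step 3. The sshd_config fragment is constructed, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: harden and audit an sshd_config
# copy, and derive the matching firewall rules from the configured port.

# Constructed sshd_config fragment resembling the RHEL5 stock file.
SAMPLE_SSHD_CONFIG='#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
X11Forwarding yes'

# effective_value FILE KEYWORD DEFAULT
# sshd honours the first uncommented occurrence of a keyword (case-insensitive)
# and otherwise uses its built-in default, which the caller passes in.
effective_value() {
    v=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# harden_sshd_config FILE PORT
# Same sed edits as the post, plus a backup and a fallback that appends the
# directive when the "#Keyword value" template line is missing.
harden_sshd_config() {
    f=$1; port=$2
    cp "$f" "$f~"
    sed -i "s/^#\(PermitRootLogin \)yes/\1no/" "$f"
    sed -i "s/^#\(Port \)22/\1$port/" "$f"
    grep -q '^PermitRootLogin no' "$f" || printf 'PermitRootLogin no\n' >> "$f"
    grep -q "^Port $port" "$f" || printf 'Port %s\n' "$port" >> "$f"
}

# audit_sshd_config FILE PORT -> "ok" or "weak: <reasons>"
audit_sshd_config() {
    r=""
    [ "$(effective_value "$1" PermitRootLogin yes)" = "no" ] || r="$r root-login"
    [ "$(effective_value "$1" Port 22)" = "$2" ] || r="$r port"
    [ -z "$r" ] && echo ok || echo "weak:$r"
}

# ssh_firewall_rules PORT ADMIN_IP ALLOWED_NET
# Prints the post's three rules with --dport bound to the real SSH port.
ssh_firewall_rules() {
    printf 'iptables -I INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$2" "$1"
    printf 'iptables -I INPUT 2 -s %s -p tcp --dport %s -j ACCEPT\n' "$3" "$1"
    printf 'iptables -I INPUT 3 -p tcp --dport %s -j DROP\n' "$1"
}

# Demonstration on a temporary copy: audit, harden, audit again.
demo_sshd_hardening() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
    before=$(audit_sshd_config "$tmp" 11983)
    harden_sshd_config "$tmp" 11983
    after=$(audit_sshd_config "$tmp" 11983)
    rm -f "$tmp" "$tmp~"
    printf '%s %s\n' "$before" "$after"
}
demo_sshd_hardening
ssh_firewall_rules 11983 10.0.0.1 192.168.1.0/24
```

Before hardening the audit reports `weak: root-login port` (both keywords are only present as comments, so the defaults `yes` and `22` apply); afterwards it reports `ok`. Note that if you move sshd to port 11983 in step 3, the `--dport 22` rules and the tcp_wrappers entry in step 4 must be written for the new port, which is why the rules are generated from the same port value here.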
Third, minimize user and command privileges
Create a regular user tom and add it to the sudo group, which serves as the system administrator group:
# groupadd sudo          // create the sudo group
# useradd -g sudo tom    // create user tom with sudo as its group
# passwd tom             // set the login password for tom
Modify the sudo configuration so that members of the sudo group may run all commands as root (different users can be granted different commands; allowing all commands is used here for simplicity, but in a production environment the administrator should grant each user as few executable commands as the job requires, to keep privileges minimal). Every sudo action a user performs is logged to /var/log/sudo.log for later security investigation. Run the following commands:
# cat >> /etc/sudoers <<EOF
> %sudo ALL=(root) ALL
> Defaults logfile=/var/log/sudo.log
> EOF
# visudo -c              // checks the syntax of /etc/sudoers
# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
# /etc/init.d/syslog restart
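A log that nobody reads does not help with "future security events". The added example below (this editor's code, not the post's) shows the kind of review a `Defaults logfile` log supports: per-user counts, requests sudo refused, and commands that hand out a full root shell, which defeat the per-command least privilege the post recommends. The sample lines are constructed in the layout sudo writes to its logfile (`<date> : <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..`, with a refusal reason inserted before `TTY=` on denied requests); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: review /var/log/sudo.log entries.

# Constructed sample in sudo's logfile layout.
SAMPLE_SUDO_LOG='Mar  3 09:12:01 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/service httpd restart
Mar  3 09:15:44 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/bash
Mar  3 09:20:10 : alice : command not allowed ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:02:37 : tom : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/less secure'

# sudo_per_user LOG -> "user count" per line, sorted by user
sudo_per_user() {
    printf '%s\n' "$1" | awk -F' : ' '{ n[$2]++ } END { for (u in n) print u, n[u] }' | sort
}

# sudo_denied LOG -> users whose request sudo refused (policy or password);
# these are the first thing a reviewer looks at.
sudo_denied() {
    printf '%s\n' "$1" | awk -F' : ' '$3 ~ /not allowed|incorrect password/ { print $2 }' | sort -u
}

# sudo_shell_escapes LOG -> "user command" for every invocation that ran a
# shell or su as root, i.e. an unrestricted root session.
sudo_shell_escapes() {
    printf '%s\n' "$1" | awk -F' : ' '
        { split($NF, parts, "COMMAND="); cmd = parts[2] }
        cmd ~ /^(\/bin\/(ba)?sh|\/bin\/su|\/usr\/bin\/su)( |$)/ { print $2, cmd }'
}

# On a real host: sudo_per_user "$(cat /var/log/sudo.log)" and so on.
sudo_per_user "$SAMPLE_SUDO_LOG"
sudo_denied "$SAMPLE_SUDO_LOG"
sudo_shell_escapes "$SAMPLE_SUDO_LOG"
```

On the sample this reports `alice 1` and `tom 3`, flags `alice` as denied, and lists `tom /bin/bash` as a root shell; a user who needs only `service httpd restart` should get exactly that command in sudoers rather than `ALL`.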
Fourth, kernel security parameter settings
vim /etc/sysctl.conf and add the following:
# Ignore all ping (ICMP echo) requests (optional and generally not recommended, because it makes network troubleshooting inconvenient; 1 ignores pings, 0 answers them)
net.ipv4.icmp_echo_ignore_all =
# Ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable SYN cookies to defend against SYN flood attacks. When the SYN wait queue overflows (the number of pending SYNs exceeds tcp_max_syn_backlog), cookies are used instead: before replying SYN-ACK the server requires the client to echo a sequence number derived from the original SYN, and if that number is wrong the server ignores the connection.
net.ipv4.tcp_syncookies = 1
# Maximum number of SYN-ACK retransmissions; the default is 5 (range 0-255), and 5 retransmissions take roughly 180 s
net.ipv4.tcp_synack_retries = 3
# Interval between keepalive messages when keepalive is on; the default is 2 hours. If a peer establishes a connection and then sends neither data nor RST/FIN, the connection lives for those 2 hours, which is what an idle-connection exhaustion attack relies on; a shorter tcp_keepalive_time limits that.
net.ipv4.tcp_keepalive_time = 1200
After saving and exiting, run "sysctl -p" to load the settings above into the kernel so they take effect immediately.
Fifth, kernel performance-related parameter settings (optional)
# Length of the SYN wait queue; on a machine with more than 128 MB of memory the default is 1024, and it can be raised when concurrent connection requests are high
net.ipv4.tcp_max_syn_backlog =
# Enable TIME_WAIT reuse: allow TIME_WAIT sockets to be reused for new TCP connections (1 enables)
net.ipv4.tcp_tw_reuse =
# Enable fast recycling of TIME_WAIT sockets (1 enables). Caution: tcp_tw_recycle drops connections from clients behind NAT whose timestamps differ, and the option was removed from Linux 4.12
net.ipv4.tcp_tw_recycle =
# Number of keepalive probes TCP sends before deciding the connection is gone; the default is 9
net.ipv4.tcp_keepalive_probes = 5
# How often keepalive probes are sent; multiplied by tcp_keepalive_probes this gives the time from the first probe until the connection is dropped. The default is 75, so idle connections are discarded after roughly 11 minutes. (For ordinary applications this is somewhat large and can be lowered as needed; web servers in particular want a smaller value, and 15 is more appropriate there.)
net.ipv4.tcp_keepalive_intvl =
# Maximum number of TIME_WAIT sockets the system keeps at once; beyond this number TIME_WAIT sockets are cleared immediately and a warning is printed. The default is 180000, changed here to 5000. On squid servers this parameter caps the TIME_WAIT sockets so that a flood of them cannot bring the server down.
net.ipv4.tcp_max_tw_buckets = 5000
# Port range for outgoing connections; the default 32768~61000 is small, changed to 1024~65000
net.ipv4.ip_local_port_range = 1024 65000
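Both the security settings in section four and the optional tuning in section five are appended to /etc/sysctl.conf by hand. Appending is not idempotent: a second run leaves two lines for the same key, and `sysctl -p` applies whichever comes last, so an old value can silently win. The added example below (this editor's code, not the post's) sets each key in place when it already exists, commented out or not, appends it only when absent, and then lists which keys in the file still differ from the running kernel under /proc/sys. The starting sysctl.conf is constructed; `set_sysctl`, `apply_hardening` and `sysctl_drift` are this example's own names, and the key set in `apply_hardening` is the section-four list.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent sysctl.conf edits and
# a drift report against the running kernel.

# set_sysctl FILE KEY VALUE: replace an existing "key = x" line (commented or
# not) in place, or append the key when it is absent.
set_sysctl() {
    f=$1; key=$2; val=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[#[:space:]]*$esc[[:space:]]*=" "$f"; then
        sed -i "s|^[#[:space:]]*$esc[[:space:]]*=.*|$key = $val|" "$f"
    else
        printf '%s = %s\n' "$key" "$val" >> "$f"
    fi
}

# apply_hardening FILE: the settings from section four of the post.
apply_hardening() {
    set_sysctl "$1" net.ipv4.icmp_echo_ignore_broadcasts 1
    set_sysctl "$1" net.ipv4.tcp_syncookies 1
    set_sysctl "$1" net.ipv4.tcp_synack_retries 3
    set_sysctl "$1" net.ipv4.tcp_keepalive_time 1200
}

# sysctl_drift FILE: print "key file_value running_value" for every key whose
# value in FILE differs from /proc/sys; keys the kernel does not expose (for
# example tcp_tw_recycle on 4.12 and later) are skipped.
sysctl_drift() {
    grep -v '^[[:space:]]*#' "$1" |
    awk -F= 'NF == 2 { gsub(/[[:space:]]/, "", $1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $1, $2 }' |
    while read -r key want; do
        path=/proc/sys/$(printf '%s' "$key" | tr . /)
        [ -r "$path" ] || continue
        have=$(tr '\t' ' ' < "$path")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "$have"
    done
}

# count_key FILE KEY: number of active lines that set KEY (should be 1).
count_key() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c "^[[:space:]]*$esc[[:space:]]*=" "$1"
}

# Demonstration on a temporary file: apply twice, verify no duplicates.
demo_sysctl() {
    tmp=$(mktemp)
    # Constructed starting file: one key already set, one commented out.
    printf '# constructed sample\nnet.ipv4.tcp_syncookies = 0\n#net.ipv4.tcp_keepalive_time = 7200\n' > "$tmp"
    apply_hardening "$tmp"
    apply_hardening "$tmp"          # second run must change nothing
    c=$(count_key "$tmp" net.ipv4.tcp_syncookies)
    v=$(awk -F' = ' '$1 == "net.ipv4.tcp_keepalive_time" { print $2 }' "$tmp")
    rm -f "$tmp"
    printf '%s %s\n' "$c" "$v"
}
demo_sysctl
# On a real host, after "sysctl -p": sysctl_drift /etc/sysctl.conf
```

The demonstration prints `1 1200`: tcp_syncookies is set exactly once even though it was already present and the hardening ran twice, and the commented keepalive line became an active one. Running `sysctl_drift /etc/sysctl.conf` after `sysctl -p` should print nothing; any line it does print is a key that was not applied, which usually means a typo in the key or a kernel that lacks it.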
Common CentOS System initialization operations