Environment preparation:
1) Set the system locale to en_US.UTF-8
[root@localhost ~]# sed -i 's/^\(LANG=\).*$/\1"en_US.UTF-8"/' /etc/sysconfig/i18n
[root@localhost ~]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8"
[root@localhost ~]# export LANG=en_US.UTF-8
2) Update the system packages
Back up the default yum repository files:
find /etc/yum.repos.d -name '*.repo' -exec mv {} {}.bak \;
Add the 163 (NetEase mirror) yum repository by downloading its repo file for your release into /etc/yum.repos.d (supply the mirror's URL for the file):
RHEL5 or CentOS5:
wget -P /etc/yum.repos.d
RHEL6 or CentOS6:
wget -P /etc/yum.repos.d
Add the EPEL yum repository:
RHEL5.x 32-bit
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
RHEL5.x 64-bit
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
RHEL6.x 32-bit
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
RHEL6.x 64-bit
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
(These URLs are plain HTTP. Rather than installing straight from the URL, download the package, import the EPEL signing key and check the signature with "rpm -K" before running rpm -ivh on the local file. The epel-release package itself installs the GPG key that yum uses to verify everything pulled from EPEL afterwards.)
Update the CA certificate bundle:
yum -y upgrade ca-certificates --disablerepo=epel
Update all system packages:
yum clean all
yum makecache
yum -y upgrade
The following uses RHEL5/CentOS5 as the example.
I. Service minimization
Disable every service that starts at boot, then enable only sshd, crond, network, iptables and syslog (rsyslog on RHEL6), and add further services to that baseline only as they are needed.
1) Disable all boot-time services
[root@localhost ~]# for i in $(chkconfig --list | awk '{if ($1 ~ /^$/) exit; else print $1}'); do chkconfig "$i" off; done
(The awk stops at the first blank line of the chkconfig output, which is where the xinetd-based services begin; those are left untouched here.)
2) Enable the basic services
[root@localhost ~]# for i in sshd network syslog crond iptables; do chkconfig "$i" on; done
3) Check which services are enabled
[root@localhost ~]# chkconfig --list | grep '3:on'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
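As an added example (not part of the original article), the same selection written as a function that can be dry-run against saved chkconfig --list output before anything is switched off. The allow-list is the article's; the sample chkconfig output is constructed for the example, and apply_minimization assumes it runs as root on a host that has the real chkconfig.

```shell
# Added example (not from the article): decide which SysV services to disable
# from 'chkconfig --list' output. The article's awk one-liner stops at the
# first blank line, where the "xinetd based services:" block starts; this
# version does the same but keeps the allow-list in one place and can be
# dry-run against captured output before anything is changed.

KEEP_SERVICES="sshd network syslog crond iptables"   # rsyslog instead of syslog on RHEL6

# Print the SysV services enabled in runlevel 3 that are not in KEEP_SERVICES.
# $1: file holding 'chkconfig --list' output, or '-' for stdin.
services_to_disable() {
    awk -v keep="$KEEP_SERVICES" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^$/ || /xinetd based services/ { exit }   # SysV section ends here
        /3:on/ && !($1 in allow) { print $1 }
    ' "$1"
}

# Constructed RHEL5-style 'chkconfig --list' output used for the dry run.
sample_chkconfig_list() {
    cat <<'EOF'
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:off   3:off   4:off   5:off   6:off

xinetd based services:
        rsync:  on
EOF
}

# Apply the result on a real host: everything returned above goes off, then
# the allow-list is switched on. Requires root and the real chkconfig.
apply_minimization() {
    for svc in $(chkconfig --list | services_to_disable -); do
        chkconfig "$svc" off
    done
    for svc in $KEEP_SERVICES; do
        chkconfig "$svc" on
    done
}

# Dry run against the constructed sample: prints acpid, cups and sendmail.
sample_chkconfig_list | services_to_disable -
```

Review the dry-run list first; on a real host run `chkconfig --list | services_to_disable -` and only then apply_minimization, and add anything you removed by mistake back with chkconfig on.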
II. User login restrictions
1) Disable remote SSH login as root
[root@localhost ~]# cd /etc/ssh
[root@localhost ssh]# cp sshd_config sshd_config~
[root@localhost ssh]# sed -i 's/#\(PermitRootLogin \)yes/\1no/' sshd_config
[root@localhost ssh]# grep 'PermitRoot' /etc/ssh/sshd_config
PermitRootLogin no
(This sed only rewrites the commented-out default line "#PermitRootLogin yes"; if the directive is already active with another value it matches nothing, so always confirm the result with the grep above.)
2) Remove the login banner
[root@localhost ssh]# > /etc/motd
3) Change the default SSH listening port (tcp/22)
[root@localhost ssh]# sed -i 's/#\(Port \)22/\11983/' sshd_config
(Here the port becomes tcp/11983.)
[root@localhost ssh]# grep 'Port ' sshd_config
Port 11983
4) Allow SSH only from specified addresses (optional)
Method 1 (TCP wrappers):
echo "sshd:192.168.124.0/255.255.255.0" >> /etc/hosts.allow    # only the 192.168.124.0/24 segment may use SSH
echo "sshd:ALL" >> /etc/hosts.deny
Method 2 (iptables):
Take care when doing this over a remote session so that you do not lock yourself out.
To allow SSH only from the 192.168.1.0/24 segment and reject every other source:
iptables -I INPUT -s 10.0.0.1 -p tcp --dport 22 -j ACCEPT           # allow your own address first, as a guard against a mistake in the rules below
iptables -I INPUT 2 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT   # allow the 192.168.1.0/24 segment
iptables -I INPUT 3 -p tcp --dport 22 -j DROP                       # drop everything else
(If you changed the port in step 3, use that port instead of 22 in all three rules; otherwise the DROP rule never covers the port sshd actually listens on and the allow-list is ineffective.)
Save the iptables rules:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables~
iptables-save > /etc/sysconfig/iptables
Finally, restart sshd so the changes take effect (the remote session you are working in is not dropped by the restart; the new configuration only applies to connections opened afterwards):
[root@localhost ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
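The whole procedure above as one added example (not the article's own commands): an idempotent sshd_config edit that works whether the directive is commented out or already active, and a firewall rule set whose port is read from the config so it cannot disagree with sshd. The sample config, the port 11983 and the addresses 10.0.0.1 and 192.168.1.0/24 are constructed; the rules are printed, not applied.

```shell
# Added example (not the article's own commands): idempotent sshd_config edits
# plus iptables rules that use whatever port sshd is really configured for.
# The article's sed only rewrites a directive that is still commented out
# ("#PermitRootLogin yes"); if the line is already active with another value
# the sed matches nothing and the change is silently skipped. The helper below
# removes every old occurrence, commented or not, and writes the wanted value
# before any "Match" block (directives after a Match apply conditionally).

# $1: sshd_config path, $2: directive, $3: value
set_sshd_directive() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        # drop old definitions, active or commented; names are case-insensitive to sshd
        tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key)) { next }
        !done && tolower($1) == "match" { print key, value; done = 1 }
        { print }
        END { if (!done) print key, value }
    ' "$file" > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keeps the file's mode and owner
}

# Value sshd will use for a directive: the first uncommented occurrence wins.
# Prints nothing when the directive is left at its built-in default.
effective_sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Listening port from the config, defaulting to 22 like sshd itself.
effective_sshd_port() {
    port=$(effective_sshd_value "$1" Port)
    printf '%s\n' "${port:-22}"
}

# The two changes from this section. Afterwards run 'sshd -t' and restart sshd.
harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" Port "$2"
}

# iptables commands admitting SSH only from $2 (the address you administer from,
# inserted first so a later mistake cannot lock you out) and from subnet $3.
ssh_firewall_rules() {
    port=$(effective_sshd_port "$1"); admin=$2; subnet=$3
    printf 'iptables -I INPUT 1 -s %s -p tcp --dport %s -j ACCEPT\n' "$admin" "$port"
    printf 'iptables -I INPUT 2 -s %s -p tcp --dport %s -j ACCEPT\n' "$subnet" "$port"
    printf 'iptables -I INPUT 3 -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone demonstration on a constructed config where PermitRootLogin is
# commented out but Port is already active: the article's sed would change
# only the first. Review the printed rules, then pipe them to sh.
demo=$(mktemp)
printf '#PermitRootLogin yes\nPort 22\nGatewayPorts no\n' > "$demo"
harden_sshd_config "$demo" 11983
echo "PermitRootLogin=$(effective_sshd_value "$demo" PermitRootLogin) Port=$(effective_sshd_port "$demo")"
ssh_firewall_rules "$demo" 10.0.0.1 192.168.1.0/24
rm -f "$demo"
```

Run it against /etc/ssh/sshd_config only after taking the backup shown above; the printed rules still need iptables-save to persist, exactly as in the article.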
III. Minimizing user and command privileges
Create a regular user tom and add it to the sudo group, which serves as the administrator group:
groupadd sudo            # create the sudo group
useradd -g sudo tom      # create user tom with sudo as the primary group
passwd tom               # set tom's login password
Edit the sudo configuration so that members of the sudo group may run every command as root. (Different users can be granted different commands; allowing everything is shown here for simplicity, but in production an administrator should grant each user only the commands they actually need, keeping privileges minimal.) Every command run through sudo is recorded in /var/log/sudo.log for later security investigation. The commands are:
[root@localhost ~]# cat >> /etc/sudoers <<EOF
> %sudo ALL=(root) ALL
> Defaults logfile=/var/log/sudo.log
> EOF
visudo -c     # checks the syntax of /etc/sudoers; a syntax error disables sudo for everyone, so prefer editing the file with visudo, which refuses to save a broken file
[root@localhost ~]# echo "local2.debug    /var/log/sudo.log" >> /etc/syslog.conf
[root@localhost ~]# /etc/init.d/syslog restart
(This syslog rule only receives anything if sudo is also told to log to the local2 facility with "Defaults syslog=local2" in sudoers; sudo's default facility is authpriv. With "Defaults logfile" set above, sudo writes /var/log/sudo.log itself and the syslog rule is not needed.)
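An added example (not from the article) of the two halves of this section done the way a production host should do them: a sudoers fragment that grants only the commands an operator needs instead of ALL, and an audit pass over the log that "Defaults logfile=/var/log/sudo.log" produces, flagging invocations that turn a restricted rule into a root shell. The group name ops, the command list and the log lines are constructed for the example.

```shell
# Added example (not from the article): a least-privilege sudoers fragment and
# an audit of the sudo log file. Names and log lines below are constructed.

# Print a sudoers fragment. $1: group; remaining args: allowed commands.
# Add it through visudo, which syntax-checks before saving; appending with
# cat skips that check and a typo locks everyone out of sudo.
sudoers_fragment() {
    group=$1; shift
    cmds=$(printf '%s, ' "$@"); cmds=${cmds%, }
    printf 'Defaults logfile=/var/log/sudo.log\n'
    printf 'Defaults loglinelen=0\n'        # no line wrapping: one entry per line for parsing
    printf '%%%s ALL=(root) %s\n' "$group" "$cmds"
}

# Commands that turn a restricted sudo rule into an unrestricted root shell.
ESCAPE_CMDS='/bin/bash /bin/sh /bin/su /usr/bin/vim /usr/bin/vi /usr/bin/less /bin/more'

# Read sudo log lines on stdin; print "user command" for every run of an
# escape command, prefixed with DENIED when sudo refused it. Entries look like
#   Mar 10 10:05:17 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/bash
# and a refused attempt carries the reason before TTY=, e.g. "command not allowed ;".
sudo_log_flags() {
    awk -v esc="$ESCAPE_CMDS" '
        BEGIN { n = split(esc, e, " "); for (i = 1; i <= n; i++) bad[e[i]] = 1 }
        {
            if (split($0, part, " : ") < 3) next
            user = part[2]; cmd = ""; denied = 0
            m = split(part[3], kv, " ; ")
            if (index(kv[1], "TTY=") != 1) denied = 1          # reason text comes first
            for (i = 1; i <= m; i++)
                if (index(kv[i], "COMMAND=") == 1) cmd = substr(kv[i], 9)
            split(cmd, argv, " ")
            prefix = denied ? "DENIED " : ""
            if (argv[1] in bad) print prefix user, cmd
        }'
}

# Constructed /var/log/sudo.log content: two legitimate commands, one shell
# escape by an authorized user, one refused attempt by an unauthorized one.
sample_sudo_log() {
    cat <<'EOF'
Mar 10 10:01:02 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/service httpd restart
Mar 10 10:05:17 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/bash
Mar 10 10:07:44 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 10 10:09:30 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/yum -y update
EOF
}

# Stand-alone run: the fragment to install, then the two flagged entries.
sudoers_fragment ops /sbin/service /usr/bin/yum
sample_sudo_log | sudo_log_flags
```

On a real host replace the sample with `sudo_log_flags < /var/log/sudo.log`; a flagged line from an authorized user means the allow-list still contains a command that hands out a shell.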
IV. Kernel security parameters
Add the following to /etc/sysctl.conf (vim /etc/sysctl.conf):
# Ignore all ICMP echo (ping) requests (optional; generally not recommended, because it makes network troubleshooting harder)
net.ipv4.icmp_echo_ignore_all = 1
# Ignore ICMP echo requests sent to broadcast addresses (broadcast ping is the amplification vector of smurf-style attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable SYN cookies against SYN flood attacks. When the SYN backlog overflows (more half-open connections than tcp_max_syn_backlog allows), the kernel stops queueing them and instead encodes the connection parameters in the sequence number of its SYN-ACK; a socket is only created when the client's final ACK carries that number back, and SYNs that are never completed cost no memory.
net.ipv4.tcp_syncookies = 1
# Maximum number of SYN-ACK retransmissions (default 5, range 0-255). The retransmit timer doubles each time, so with the default a half-open connection is held for about a minute; 3 retries drops it sooner.
net.ipv4.tcp_synack_retries = 3
# Idle time before the first TCP keepalive probe, default 7200 seconds (2 hours). A peer that completes the handshake and then sends nothing, not even RST or FIN, would otherwise hold a connection for two hours, which is enough for an attacker to exhaust a server with idle connections; a lower value reclaims them sooner. Probes are only sent on sockets where the application has enabled SO_KEEPALIVE.
net.ipv4.tcp_keepalive_time = 1200
Save the file and run "sysctl -p" to load the settings into the running kernel immediately.
V. Kernel performance parameters (optional)
Add the following to /etc/sysctl.conf:
# Length of the SYN backlog queue; the default is 1024 on machines with more than 128 MB of RAM. Raise it when the rate of incoming connections is high (a value sized for your load must be supplied; sysctl -p rejects a key without one).
net.ipv4.tcp_max_syn_backlog
# Allow TIME_WAIT sockets to be reused for new outgoing connections when the TCP timestamps show it is safe
net.ipv4.tcp_tw_reuse = 1
# Fast recycling of TIME_WAIT sockets. Caution: this relies on per-host TCP timestamps, so clients behind a NAT or load balancer (whose timestamps do not increase monotonically from the server's point of view) get their SYNs silently dropped; the option was removed from the kernel in Linux 4.12. Leave it at 0 unless every client is a directly connected host.
net.ipv4.tcp_tw_recycle = 1
# Number of unanswered keepalive probes before the connection is declared dead, default 9
net.ipv4.tcp_keepalive_probes = 5
# Interval between keepalive probes. Multiplied by tcp_keepalive_probes it gives the time from the first probe until the connection is dropped; with the default 75 seconds a dead peer is detected after about 11 minutes. That is long for most services; 15 is a sensible value for web servers.
net.ipv4.tcp_keepalive_intvl = 15
# Maximum number of TIME_WAIT sockets held at once; beyond this they are destroyed immediately and a warning is logged. Default 180000, set here to 5000. On a squid proxy this stops a flood of TIME_WAIT sockets from dragging the server down.
net.ipv4.tcp_max_tw_buckets = 5000
# Range of local ports used for outgoing connections. The default 32768-61000 is small; here it is widened to 1024-65000. Note that the wider range now includes ports that services may listen on (3306 or 8080, for example); keep the lower bound above your listening ports, or reserve them with net.ipv4.ip_local_reserved_ports on kernels that support it.
net.ipv4.ip_local_port_range = 1024 65000
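An added example (not from the article) that serves both this section and section IV: it reads a file in sysctl.conf syntax, compares each key with the live value under /proc/sys, and separately flags the settings above that carry side effects. The /proc tree and the configuration it runs on here are constructed so it can be tried offline; point sysctl_audit at /proc/sys on a real host.

```shell
# Added example (not the article's own code): audit the running kernel against
# the sysctl settings from sections IV and V. Every "key = value" line is
# mapped to its /proc/sys file and compared with the live value; settings with
# known side effects are flagged separately. The fake /proc tree and the
# sample config below are constructed for the example.

# $1: file in sysctl.conf syntax, $2: /proc/sys root (default /proc/sys).
# Prints one line per problem and returns the number of problems.
sysctl_audit() {
    conf=$1; root=${2:-/proc/sys}; bad=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            *=*) want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//') ;;
            *)   echo "$key has no value set"; bad=$((bad + 1)); continue ;;
        esac
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "$key not present under $root (kernel does not support it)"; bad=$((bad + 1)); continue
        fi
        have=$(tr -s '\t' ' ' < "$path")      # /proc separates multi-value fields with tabs
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"; bad=$((bad + 1))
        fi
    done < "$conf"
    return $bad
}

# Settings the article enables that a practitioner should think twice about.
sysctl_lint() {
    awk '
        /^[[:space:]]*net\.ipv4\.tcp_tw_recycle[[:space:]]*=[[:space:]]*1/ {
            print "tcp_tw_recycle=1: drops SYNs from clients behind NAT whose timestamps go backwards; removed in Linux 4.12"; n++ }
        /^[[:space:]]*net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=[[:space:]]*1/ {
            print "icmp_echo_ignore_all=1: host stops answering ping, hiding it from monitoring and troubleshooting"; n++ }
        /^[[:space:]]*net\.ipv4\.ip_local_port_range[[:space:]]*=[[:space:]]*1024/ {
            print "ip_local_port_range from 1024: ephemeral ports now overlap ports that services may listen on"; n++ }
        END { exit n + 0 }' "$1"
}

# Build a constructed /proc/sys tree under $1 that deliberately differs from
# the recommended values in two places (syncookies off, synack_retries 5).
make_fake_proc() {
    mkdir -p "$1/net/ipv4"
    echo 0 > "$1/net/ipv4/tcp_syncookies"
    echo 1 > "$1/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 5 > "$1/net/ipv4/tcp_synack_retries"
    echo 1 > "$1/net/ipv4/tcp_tw_recycle"
    printf '1024\t65000\n' > "$1/net/ipv4/ip_local_port_range"
}

# Sample configuration in the article's format, including its valueless line.
sample_sysctl_conf() {
    cat <<'EOF'
# hardening
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_synack_retries = 3
# performance
net.ipv4.tcp_max_syn_backlog
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
EOF
}

# Stand-alone run against the constructed tree (use /proc/sys on a real host).
demo_dir=$(mktemp -d)
make_fake_proc "$demo_dir"
sample_sysctl_conf > "$demo_dir/sysctl.conf"
sysctl_audit "$demo_dir/sysctl.conf" "$demo_dir" || echo "$? setting(s) differ from the file"
sysctl_lint "$demo_dir/sysctl.conf" || echo "$? setting(s) flagged"
rm -rf "$demo_dir"
```

Run `sysctl_audit /etc/sysctl.conf` after `sysctl -p` and again after a reboot: a key reported as not present means the kernel on that host does not support it, and the file should be trimmed rather than left to produce errors at every boot.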
CentOS System General Initialization operation