1. Install CentOS 6.2 x86_64.
2. Customize the system partitions:
2.1 / partition: 100 GB;
2.2 swap: 2048 MB;
2.3 /data partition: use all remaining space.
Other requirements are customized according to the service's characteristics.
2. System slimming: uninstall unneeded system software (this step is skipped online).
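# Remove package groups a server role does not need. Each group name is one quoted
# argument; the source listing split "X Software Development" over two lines and
# fused the quotes of the last three groups, which yum would have rejected.
# NOTE(review): "Office/productinetworking" is garbled in the source (and was listed
# twice); check the real group name with `yum grouplist` before running.
yum -y groupremove "FTP Server" "Text-based Internet" "Windows File Server" \
  "PostgreSQL Database" "News Server" "DNS Name Server" "Web Server" \
  "Dialup Networking Support" "Mail Server" "Office/productinetworking" "Ruby" \
  "Sound and Video" "X Window System" "X Software Development" \
  "Printing Support" "OpenFabrics Enterprise Distribution"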
3. Install the packages required by the system;
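# Build tools and libraries needed by the later source builds (OpenSSH, DenyHosts).
# "gcc-c ++" and "Tcl/Tk" in the source are not package names: the packages are
# gcc-c++, tcl and tk. Duplicates (ncurses-devel, bison) were dropped.
# NOTE(review): openldap-servers installs an LDAP *server*; on a host that is being
# slimmed down, confirm it is really wanted rather than just openldap-clients.
yum -y install gcc-c++ autoconf libjpeg-devel libpng-devel freetype-devel \
  libxml2 libxml2-devel zlib-devel glibc-devel glib2 glib2-devel bzip2 bzip2-devel \
  zip unzip ncurses-devel curl-devel e2fsprogs e2fsprogs-devel krb5-devel \
  libidn-devel openssl openssh openssl-devel nss_ldap openldap-devel \
  openldap-clients openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl \
  bison libtool vim-enhanced python wget lsof iptraf strace lrzsz kernel-devel \
  kernel-headers pam-devel tcl tk cmake setuptool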
4. Lock unused system accounts;
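# Lock the system accounts that must never log in interactively. passwd -l only
# prefixes the password hash with "!", so the uid, home and files stay usable by
# the services that run as these accounts.
# NOTE(review): "Signature" is not a standard CentOS account and is garbled in the
# source; it is kept so the intent is preserved, but confirm it against /etc/passwd.
# Accounts that do not exist on this host are reported and skipped instead of
# letting passwd abort the list.
for account in xfs news nscd Signature vcsa games nobody avahi haldaemon gopher ftp \
    mailnull pcap mail shutdown halt uucp operator sync adm lp; do
  if ! getent passwd "$account" >/dev/null; then
    printf 'skip: no such account %s\n' "$account" >&2
    continue
  fi
  passwd -l "$account"
done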
5. Restrict key commands. Developers can use the root password, or a user can be promoted to root level. Currently not applicable at ptmind;
# chmod 700 /bin/ping
# chmod 700 /usr/bin/finger
# chmod 700 /usr/bin/who
# chmod 700 /usr/bin/w
# chmod 700 /usr/bin/locate
# chmod 700 /usr/bin/whereis
# chmod 700 /sbin/ifconfig
# chmod 700 /usr/bin/pico
# chmod 700 /bin/vi
# chmod 700 /usr/bin/which
# chmod 700 /usr/bin/gcc
# chmod 700 /usr/bin/make
# chmod 700 /bin/rpm
6. Lock the account for 5 minutes after three failed password attempts;
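# Lock an account for 300 s after 3 consecutive failed logins by inserting a
# pam_tally rule directly after the pam_env.so line of /etc/pam.d/system-auth
# ("&" re-emits the matched line, "\n" starts the new one). The source command was
# garbled and also inserted the same module twice (once via /lib/security/$ISA),
# which would count every failure double; one rule is enough.
# NOTE(review): CentOS 6 ships pam_tally2.so rather than pam_tally.so — check that
# the module exists under /lib*/security first. A broken system-auth locks out every
# login including root on the console, hence the backup copy.
cp -a /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
sed -i 's#^auth[[:space:]]\+required[[:space:]]\+pam_env.so.*#&\nauth        required      pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth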
7. Log the session out automatically after 30 minutes of inactivity;
Echo "TMOUT = 1800">/etc/profile
8. Raise the maximum number of open files;
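# Raise the per-process open-file limit for all users. Both lines are appended;
# the source used ">" twice, so the second echo overwrote the first and the
# existing limits.conf entries were lost.
{
  echo "* soft nofile 66666"
  echo "* hard nofile 66666"
} >>/etc/security/limits.conf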
9. Disable IPv6;
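# Disable the IPv6 kernel module and the IPv6 firewall service. Appended so any
# existing modprobe entries survive (the source's ">" replaced the file).
# NOTE(review): CentOS 6 reads /etc/modprobe.d/*.conf; /etc/modprobe.conf is the
# CentOS 5 location — confirm which file this host actually honours.
{
  echo "alias net-pf-10 off"
  echo "alias ipv6 off"
} >>/etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off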
10. Change the default locale to UTF-8;
Sed-I's @ LANG =. * $ @ LANG = \ "en_US.UTF-8 \" @ G'/etc/sysconfig/i18n
11. Set the default runlevel to 3;
Sed-I's/id:. * $/id: 3: initdefault:/G'/etc/inittab
12. Kernel parameter tuning;
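# TCP tuning. Appended rather than written with ">" so the stock /etc/sysctl.conf
# entries (kernel.sysrq, shared-memory limits, ...) are kept; with sysctl -p a later
# duplicate key simply overrides an earlier one.
# NOTE(review): tcp_tw_recycle breaks connections from clients behind NAT (and the
# knob was removed from the kernel in 4.12); keep it only if no NATed clients reach
# this host.
cat >>/etc/sysctl.conf <<'EOF'
# Michaelkang add 120724
net.ipv4.tcp_abort_on_overflow = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_max_orphans = 2000
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
EOF
sysctl -p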
13. Disable unneeded services;
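#!/bin/sh
# Turn off every SysV service enabled in runlevel 3 except a fixed allow-list.
# network, sshd and syslog/rsyslog must stay on — sshd is what keeps remote access
# alive while this runs. The S* links are iterated with a glob instead of parsing
# `ls`; ${link##*/} strips the directory and ${name#S[0-9][0-9]} drops the "S" and
# the two-digit priority (the source's `cut -c 15-` relied on the path length).
# NOTE(review): iptables and auditd are not in the allow-list, so this loop switches
# the host firewall and audit logging off as well — add them if they are wanted.
for link in /etc/rc3.d/S*; do
  [ -e "$link" ] || continue
  name=${link##*/}
  cursrv=${name#S[0-9][0-9]}
  echo "$cursrv"
  case $cursrv in
    cpuspeed|crond|irqbalance|microcode_ctl|xinetd|network|mon|partmon|messagebus|udev-post|sshd|rsyslog|syslog)
      # Base services, chosen for this application; never stopped.
      echo "Base services, Skip! "
      ;;
    *)
      echo "change $cursrv to off"
      chkconfig --level 235 "$cursrv" off
      service "$cursrv" stop
      ;;
  esac
done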
14. Add the necessary users and groups;
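# Back up the account databases, then create the service account.
# /etc/shadow holds password hashes: the copy keeps its 000 mode, but the new
# directory must not be browsable by other users either.
mkdir -p /workspace
chmod 700 /workspace
cp -p /etc/shadow /workspace/
cp -p /etc/passwd /workspace/
groupadd public
useradd abc -g public
# Set the password from a pre-computed crypt hash (-e: already encrypted).
# NOTE(review): the hash is reproduced from a garbled source line; "$1$" is
# MD5-crypt, which is weak, and a hash shared across hosts means one shared
# password — generate a fresh $6$ (SHA-512) hash per host instead.
echo 'abc:$1$V5X9cldh$skn2.IclKEc.HFVLW/' | chpasswd -e
# Drop the hash from the interactive history of this session.
history -c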
15. Set protective attributes on key files;
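# Make the account databases immutable. While +i is set, useradd/usermod/passwd
# and chage all fail — run `chattr -i` on these four files before any account
# change (the user creation of step 14 and the password policy of step 25 must
# happen first).
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
# History security: append-only, so root's history can be extended but not
# edited or truncated.
chattr +a /root/.bash_history
# The source additionally set +i on the same file. +i forbids appends as well, so
# bash could no longer write history at all and +a would be pointless; not applied.
# chattr +i /root/.bash_history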
16. Set directory ownership under /data;
Chown user: group/data/
17. Grant the user elevated (sudo) permissions;
Echo "user ALL = (ALL) NOPASSWD: ALL">/etc/sudoers
18. Upgrade the OpenSSH login daemon;
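cd /workspace || exit 1
# NOTE(review): the download URL is truncated in the source
# ("http://mirror.internode.on.net/p..."); fetch the tarball from a mirror you trust
# and verify the OpenSSH release signature before building.
wget <URL_TRUNCATED_IN_SOURCE>/openssh-5.8p2.tar.gz
tar -xvf openssh-5.8p2.tar.gz
cd openssh-5.8p2 || exit 1
# yum install pam-devel   (already covered by step 3)
# libwrap support is required for the hosts.allow/hosts.deny rules of the later
# "ssh logon restrictions" step; the source's configure line lacked it, so those
# rules would have been ignored by this sshd.
yum -y install tcp_wrappers-devel
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib \
  --with-ssl-dir=/usr/include/openssl --mandir=/usr/share/man --with-tcp-wrappers
make
# Keep the old config and host keys. make install generates fresh host keys when
# /etc/ssh is empty, so clients will see a changed host key after this step.
mkdir -p /etc/sshbak
mv /etc/ssh/* /etc/sshbak/
make install
chkconfig --add sshd
chkconfig sshd on
# Keep the current root session open until a new login over the rebuilt sshd works.
/etc/init.d/sshd restart
cd /workspace/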
19. Install DenyHosts to block brute-force login attempts;
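# NOTE(review): the download URL is truncated in the source
# ("http://sourceforge.net/projects/..."); verify the archive before installing it.
wget <URL_TRUNCATED_IN_SOURCE>/DenyHosts-2.6.tar.gz
tar -zxvf DenyHosts-2.6.tar.gz
# "Music" in the source is a mistranslation of mv.
mv DenyHosts-2.6 denyhost
cd denyhost/ || exit 1
yum -y install python
python setup.py install
cd /usr/share/denyhosts/ || exit 1
cp daemon-control-dist daemon-control
cp denyhosts.cfg-dist denyhosts.cfg
# The init wrapper runs as root; nobody else may read or change it.
chown root daemon-control
chmod 700 daemon-control
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts
chkconfig --add denyhosts
chkconfig denyhosts on
# Keep the shipped config for reference; the next step writes the live one.
mv denyhosts.cfg denyhosts.cfg.bak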
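# Write the live DenyHosts configuration. The source wrote "denyhost.cfg", while
# daemon-control reads denyhosts.cfg (the file moved aside just before), so the
# daemon would have started without this configuration.
cat >/usr/share/denyhosts/denyhosts.cfg <<'EOF'
SECURE_LOG = /var/log/secure
# ssh log file to watch
HOSTS_DENY = /etc/hosts.deny
# blocked addresses are written to hosts.deny
PURGE_DENY = 1d
# how long a block lasts: w weeks, d days, h hours, m minutes, s seconds
BLOCK_SERVICE = ALL
# service name written into hosts.deny
DENY_THRESHOLD_INVALID = 5
# failed logins allowed for invalid users (not listed in /etc/passwd)
DENY_THRESHOLD_VALID = 5
# failed logins allowed for ordinary users
DENY_THRESHOLD_ROOT = 5
# failed logins allowed for root
DENY_THRESHOLD_RESTRICTED = 1
# failed logins allowed for users listed in WORK_DIR/restricted-usernames
WORK_DIR = /usr/share/denyhosts/data
# denied hosts and state are recorded under WORK_DIR
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS = YES
HOSTNAME_LOOKUP = YES
# resolve host names of offending addresses
LOCK_FILE = /var/lock/subsys/denyhosts
# pid of the running DenyHosts; prevents a second instance from starting
ADMIN_EMAIL = michaelkang@ptmind.com
# administrator email address
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@localhost>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID = 1d
# time after which a valid user's failure count is reset
AGE_RESET_ROOT = 1d
# time after which root's failure count is reset
AGE_RESET_RESTRICTED = 5d
# time after which a restricted user's failure count is reset (/usr/share/denyhosts/data/restricted-usernames)
AGE_RESET_INVALID = 10d
# time after which an invalid user's failure count is reset
DAEMON_LOG = /var/log/denyhosts
# DenyHosts' own log file
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1d
# how often expired hosts.deny entries are purged; kept equal to PURGE_DENY
EOF
cd /workspace/
/etc/init.d/denyhosts start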
20. Install the anti-DDoS firewall script;
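# Third-party DDoS-deflate style installer.
# NOTE(review): this fetches a script over plain HTTP and runs it as root with no
# integrity check. Read install.sh and compare it with a known-good copy before
# executing it; anything it installs runs with full privileges.
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh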
21. Harden the system: limit the shell history to the last 10 commands;
Sed-I "s/HISTSIZE = 1000/HISTSIZE = 10/"/etc/profile
22. Deploy user-behaviour auditing;
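# Central command-audit log: writable by everyone (mode 002, others: --w) but
# append-only (chattr +a), so every shell can add lines and nobody can edit or
# truncate them. The source mixed two paths — /etc/share/um.log (mkdir,
# HISTORY_FILE) and /usr/share/um.log (touch/chown/chmod/chattr); one path is used
# here and it must match HISTORY_FILE in /etc/profile.
audit_log=/usr/share/um.log
mkdir -p "${audit_log%/*}"
: >"$audit_log"
chown nobody:nobody "$audit_log"
chmod 002 "$audit_log"
chattr +a "$audit_log"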
Add the following to /etc/profile:
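# Appended to /etc/profile: before every prompt, log timestamp, login user / tty /
# origin host (who am i fields 1, 2, 5), effective identity (id field 1) and the
# last command (history 1 minus its number) to the append-only audit file. The
# path must match the file prepared with chattr +a in the previous step.
# NOTE(review): users control their own shell environment, so this is accountability
# for cooperative users, not a tamper-proof audit; pair it with auditd for enforcement.
export HISTORY_FILE=/usr/share/um.log
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i | awk "{print \$1\" \"\$2\" \"\$5}") #### $(id | awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'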
Then run: source /etc/profile
23. Set the sticky bit on /tmp and /var/tmp;
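# Sticky bit on the shared temp directories: users may delete only their own files
# there. The source applied it to /var/ itself, not /var/tmp as the heading says.
chmod +t /var/tmp/
chmod +t /tmp/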
18. Restrict which hosts may log in over ssh;
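# TCP-wrapper rules for sshd: allow the management subnet, deny everyone else.
# hosts.allow is written first so the deny rule is never in force on its own.
# hosts.deny is appended to rather than replaced.
# NOTE(review): libwrap is consulted only by an sshd built with tcp_wrappers support;
# the source's configure line in step 18 has no --with-tcp-wrappers, in which case
# these files are ignored — add that option or enforce the restriction with iptables,
# and test from a disallowed address.
cat >/etc/hosts.allow <<'EOF'
sshd: 192.168.16.0/255.255.255.0
EOF
echo 'sshd: all' >>/etc/hosts.deny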
24. ssh security hardening;
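# ssh hardening: edit /etc/ssh/sshd_config.
# The source's sed calls had three faults: five were written as "s/pattern/" with
# no replacement (sed rejects them as unterminated), the ServerKeyBits call only
# rewrote one comment into another, and the "ssh_config supplement" repeated edits
# to sshd_config. set_sshd_option replaces an existing (possibly commented)
# directive or appends it, so the result does not depend on the stock file's text.
# Usage: set_sshd_option KEY VALUE [CONFIG]
set_sshd_option() {
  key=$1
  value=$2
  config=${3:-/etc/ssh/sshd_config}
  if grep -q "^#\?${key}[[:space:]]" "$config"; then
    sed -i "s|^#\?${key}[[:space:]].*|${key} ${value}|" "$config"
  else
    echo "${key} ${value}" >>"$config"
  fi
}

cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Only SSH2 connections are allowed
set_sshd_option Protocol 2
# Maximum authentication attempts per connection (same as the default, 6)
set_sshd_option MaxAuthTries 6
# Do not resolve client addresses to names
set_sshd_option UseDNS no
# root may log in with a key only, never with a password
set_sshd_option PermitRootLogin without-password
# ServerKeyBits: the source only changed the comment "# ServerKeyBits 768" into
# "# ServerKeyBits 1024", i.e. nothing took effect. The option applies to protocol 1
# only, which "Protocol 2" already disables, so it is left unset here.
# The source enabled "UseLogin yes". UseLogin hands the session to login(1), which
# disables privilege separation after authentication and X11 forwarding; it is a
# weakening, not a hardening, and is deliberately not applied.
# set_sshd_option UseLogin yes
# No empty passwords (relevant to password logins only, not to key logins)
set_sshd_option PermitEmptyPasswords no
# RSA / public-key authentication
set_sshd_option RSAAuthentication yes
set_sshd_option PubkeyAuthentication yes
# PasswordAuthentication no: key-only logins. Left disabled as in the source; enable
# it once every administrator's key is installed, or password users are locked out.
# set_sshd_option PasswordAuthentication no
# Validate the file before the next sshd restart picks it up.
sshd -t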
25. Passwords expire after at most 90 days and must be at least 8 characters long;
In /etc/login.defs set:
PASS_MAX_DAYS 90
PASS_MIN_LEN 8
(These defaults apply to accounts created afterwards; existing accounts need `chage -M 90 <user>`.)
26. Import Management Certificates