CentOS6 security configuration (CentOSLinux server security settings)

Source: Internet
Author: User
Tags: centos, server, ssh, port
Many netizens run CentOS servers, so how should a CentOS server be secured? This article covers the security settings of CentOS 6 from the following aspects: system security record files, startup and login security, network access restriction (CentOS network configuration), and prevention of attacks on CentOS.

I. system security record files

Record files (logs) in the operating system are important clues for detecting network intrusion. If your system is directly connected to the Internet and you find that many people are trying to Telnet or FTP into your system, you can run "# more /var/log/secure | grep refused" to see the attacks on the system and take countermeasures, such as replacing Telnet/rlogin with SSH.
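As an added example (not code from the original article), the following shell script goes one step further than the single grep above: it summarises the "refused connect" entries that a libwrap-linked sshd writes when tcp_wrappers rejects a host, and the "Failed password" entries sshd writes, grouped by source address. The log lines it writes are constructed sample data in /var/log/secure style, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise refused and failed SSH attempts in a /var/log/secure-style log.
# The sample lines written by make_sample_secure_log are constructed for this demo.

make_sample_secure_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:12:01 host sshd[1234]: refused connect from 203.0.113.5 (203.0.113.5)
Mar  3 10:12:05 host sshd[1240]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:13:07 host sshd[1251]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar  3 10:13:12 host sshd[1253]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:14:00 host sshd[1260]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Mar  3 10:15:21 host sshd[1271]: refused connect from 203.0.113.5 (203.0.113.5)
Mar  3 10:15:40 host sshd[1275]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:16:44 host sshd[1280]: refused connect from 198.51.100.7 (198.51.100.7)
EOF
    echo "$f"
}

# Total number of connections rejected by tcp_wrappers (hosts.allow/hosts.deny).
secure_refused_total() {
    grep -c 'refused connect from' "$1"
}

# Rejected connections per source address, busiest first: "<address> <count>".
secure_refused_by_host() {
    grep 'refused connect from' "$1" | awk '{print $(NF-1)}' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Failed password attempts per source address, busiest first: "<address> <count>".
# The address is the word that follows "from" in sshd's message.
secure_failed_by_host() {
    grep 'Failed password' "$1" \
        | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Demo run on the constructed sample; on a real server pass /var/log/secure instead.
LOG=$(make_sample_secure_log)
echo "refused connections: $(secure_refused_total "$LOG")"
echo "refused by host:";       secure_refused_by_host "$LOG"
echo "failed logins by host:"; secure_failed_by_host "$LOG"
rm -f "$LOG"
```

A source that appears at the top of both lists is a candidate for an entry in /etc/hosts.deny or a firewall rule; the "Accepted" line is left untouched so the summary only reflects failures.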

II. startup and login security

1. BIOS security

Set the BIOS password and modify the boot sequence to disable system startup from a floppy disk.

2. user password

The user password is the basic starting point of Linux security. Many people's passwords are too simple, which opens the door to intruders. Theoretically, given enough time and resources, there is no password that cannot be cracked, but a properly chosen one is hard to crack. A good user password is a string that only its owner can easily remember and make sense of, and it should never be written down anywhere.

To change the minimum password length, edit the /etc/login.defs file:
# vi /etc/login.defs
PASS_MIN_LEN 8

3. comment out unnecessary users and user groups

All default accounts that the operating system itself creates and that are not needed should be disabled. This should be done when you install the system for the first time. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is.


The code is as follows:
# vi /etc/passwd
# userdel adm
# userdel lp
# userdel sync
# userdel shutdown
# userdel halt
# userdel news
# userdel uucp
# userdel operator
# userdel games
# userdel gopher
# userdel ftp
# vi /etc/group
# groupdel adm
# groupdel lp
# groupdel news
# groupdel uucp
# groupdel games
# groupdel dip
# groupdel pppusers


4. password file

Use the chattr command to add the immutable attribute to the following files so that unauthorized users cannot modify them to gain permissions. (Note: while the attribute is set, even root cannot change these files, so useradd, usermod and passwd will fail; remove it with chattr -i before making account changes and set it again afterwards.)


The code is as follows:
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow


5. disable Ctrl Alt Delete to restart the machine Command

Modify the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:


The code is as follows:
# chmod -R 700 /etc/rc.d/init.d/*


In this way, only the root user can read, write, or execute all the above script files.

6. restrict su commands

If you do not want anyone to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:

The code is as follows:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd


In this case, only users in the isd group can su to root. If you then want the user admin to be able to su to root, run the following command:
# usermod -G 10 admin    # note that the ID number of the isd group is not necessarily 10, so proceed with caution; no isd group exists in CentOS 6! Also, -G replaces the user's whole list of supplementary groups, so use usermod -a -G to append instead.

If you only want to restrict which users may su to root, allowing a specified group only, edit /etc/pam.d/su, which contains the following commented lines:


The code is as follows:
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid


Change the second line as follows and save the file:


The code is as follows:
auth required pam_wheel.so group=mysugroup


Create a mysugroup user group and add the appropriate users to it. From then on, only users in that group can use su to switch to root. On a production server, it is also recommended that root cannot log on remotely through SSH.


7. delete logon information

By default, the logon prompt includes the Linux release, kernel version and server host name. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local and comment out the following lines that output system information. (Note: in CentOS 6 the file does not contain the following content.)


The code is as follows:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" > /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" > /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo > /etc/issue


Then, perform the following operations:


The code is as follows:
# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net


8. change the SSH port to 10000 or above; the chance that others scan the port also decreases.

Do not allow the earlier (version 1) SSH protocol:
# vi /etc/ssh/sshd_config
Change "#Protocol 2,1" to
Protocol 2
(Note: the earlier version of the protocol is already disabled by default in CentOS 6.)

Change Port to 10000 or above:
# vi /etc/ssh/sshd_config
Port 10000
(Note: with the targeted SELinux policy in CentOS 6, sshd is only allowed to bind port 22 by default; label the new port with "semanage port -a -t ssh_port_t -p tcp 10000" and open it in the firewall first. Check the file with "sshd -t" and keep your current session open while you restart with "service sshd restart" and test a fresh connection, or you may lock yourself out.)

Create an ordinary login user and disable direct root login:
# useradd username
# passwd username

# vi /etc/ssh/sshd_config
PermitRootLogin no    # disable direct remote root login
X11Forwarding no      # the server generally does not run X, so do not enable X11 forwarding
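As an added example (not code from the original article), the following shell script audits an sshd_config against the four settings recommended in this section: Protocol 2, a Port of 10000 or above, PermitRootLogin no and X11Forwarding no. It relies on the documented sshd rule that the first uncommented occurrence of a keyword wins and does not handle Match blocks; the two sample configuration files it writes are constructed, the function names are this example's own, and the fallback values used when a keyword is absent are assumed upstream defaults.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings recommended above
# (Protocol 2, Port >= 10000, PermitRootLogin no, X11Forwarding no).
# sshd applies the first uncommented occurrence of each keyword; Match blocks
# are not handled here. The fallback defaults below are assumed upstream defaults.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one line per failed check; the return status is the number of failures.
audit_sshd_config() {
    cfg=$1
    fails=0
    v=$(sshd_effective "$cfg" Protocol); v=${v:-2}
    [ "$v" = "2" ] || { echo "Protocol: want 2, have $v"; fails=$((fails + 1)); }
    v=$(sshd_effective "$cfg" Port); v=${v:-22}
    [ "$v" -ge 10000 ] 2>/dev/null || { echo "Port: want 10000 or above, have $v"; fails=$((fails + 1)); }
    v=$(sshd_effective "$cfg" PermitRootLogin); v=${v:-yes}
    [ "$v" = "no" ] || { echo "PermitRootLogin: want no, have $v"; fails=$((fails + 1)); }
    v=$(sshd_effective "$cfg" X11Forwarding); v=${v:-no}
    [ "$v" = "no" ] || { echo "X11Forwarding: want no, have $v"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample configs: a CentOS 6-style default and a hardened one.
make_weak_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
X11Forwarding yes
EOF
    echo "$f"
}

make_hardened_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Protocol 2
Port 10000
PermitRootLogin no
X11Forwarding no
EOF
    echo "$f"
}

# Demo; on a real server run: audit_sshd_config /etc/ssh/sshd_config
for c in "$(make_weak_sshd_config)" "$(make_hardened_sshd_config)"; do
    echo "== $c"
    audit_sshd_config "$c" && echo "all checks passed"
    rm -f "$c"
done
```

Because the audit reads the file rather than the running daemon, run it before "service sshd restart"; "sshd -t" then catches syntax errors the audit does not look for.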

9. shut down services that are not needed; remember, one less service running is one less danger.

Only services to be started are listed below, and all services not listed are closed:

The code is as follows:
# setup
acpid
anacron
cpuspeed
crond
irqbalance       # enable only when the server CPU is SMP, multi-core or supports HT; otherwise disable it
microcode_ctl
network
random           # (this service is not available in CentOS 6)
sendmail
sshd
syslog           # (rsyslog in CentOS 6)
yum-updatesd


10. enabling the iptables firewall has many benefits for system security. Set the firewall rules as follows. Note that this ruleset sets a DROP policy on INPUT and only admits loopback and already established connections, so you must add an ACCEPT rule for your SSH port (and any other service you expose) before COMMIT, or you will lock yourself out of the server.

The code is as follows:
# vi /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# add any more rules here (at least an ACCEPT for the SSH port chosen above)
COMMIT
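As an added example (not code from the original article), the following shell script writes the ruleset from this section in iptables-restore format with an ACCEPT rule for the SSH port, and checks a saved ruleset for the lockout mistake of a DROP policy on INPUT with no rule admitting SSH. The function names and the 10000 sample port are this example's own choices; it only inspects the text of the file and does not touch the live firewall.

```shell
#!/bin/sh
# Added example: generate the /etc/sysconfig/iptables ruleset from section 10
# with an ACCEPT rule for the SSH port, and check a saved ruleset for the
# lockout mistake of a DROP policy on INPUT without an SSH rule.
# Function names and the 10000 sample port are this example's own choices.

# Print a ruleset; the SSH rule is omitted when $1 is empty.
gen_iptables_rules() {
    port=$1
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ -n "$port" ]; then
        echo "# allow new connections to the SSH port set in sshd_config"
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

# Check ruleset file $1 for SSH port $2. Prints "ok" and returns 0 when the
# ruleset keeps a DROP default, allows loopback, admits the SSH port and ends
# with COMMIT; otherwise prints the problem and returns 1.
iptables_rules_check() {
    f=$1
    port=$2
    grep -q '^:INPUT DROP' "$f" \
        || { echo "INPUT policy is not DROP"; return 1; }
    grep -q '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "loopback traffic is not accepted"; return 1; }
    grep -q "^-A INPUT -p tcp .*--dport $port .*-j ACCEPT" "$f" \
        || { echo "no ACCEPT for tcp port $port before COMMIT: this ruleset would lock you out"; return 1; }
    grep -q '^COMMIT' "$f" \
        || { echo "missing COMMIT"; return 1; }
    echo "ok"
}

# Demo: write both variants to temporary files and check them.
# On the real server: save the good output to /etc/sysconfig/iptables, then
# run "service iptables restart" while keeping an existing SSH session open.
for p in 10000 ""; do
    t=$(mktemp)
    gen_iptables_rules "$p" > "$t"
    iptables_rules_check "$t" 10000 || true
    rm -f "$t"
done
```

The check is deliberately strict about the port: a ruleset that admits port 22 while sshd has been moved to 10000 is reported as a lockout, which is exactly the combination that section 8 and section 10 together make easy to produce.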


III. restrict network access

1. NFS access

If you use the NFS network file system service, make sure that your /etc/exports has the strictest possible access settings: do not use any wildcard characters, do not allow root write access, and export the file system read-only. Edit the /etc/exports file and add the following two lines.

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, host.mydomain.com is the name of the machine allowed to mount this directory, ro mounts it read-only, and root_squash prevents root from writing to this directory by mapping the remote root user to an anonymous user. Note that there is no space between the host name and the options in parentheses. To make the changes take effect, run the following command.

# /usr/sbin/exportfs -a

2. Inetd settings

First, make sure that the owner of /etc/inetd.conf is root and that the file permission is 600. After setting it, run the "stat" command to check the setting.
# chmod 600 /etc/inetd.conf
Edit /etc/inetd.conf to disable the following services:
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth
(Note: CentOS 6 uses xinetd rather than inetd; if it is installed, the equivalent files are /etc/xinetd.conf and the per-service files under /etc/xinetd.d/.)

If you have installed ssh/scp, you can disable Telnet/FTP. To make the change take effect, run the following command:
# killall -HUP inetd

By default, most Linux systems allow all requests, and using TCP_WRAPPERS to enhance system security is easy. You can modify /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to "ALL: ALL" denies all access by default. Then add the allowed access to /etc/hosts.allow. For example, "sshd: 192.168.1.10 gate.openarch.com" allows the IP address 192.168.1.10 and the host name gate.openarch.com to connect through SSH. (A net/mask pattern such as "192.168.1.0/255.255.255.0" allows a whole subnet; note that a pattern like "192.168.1.10/255.255.255.0", with host bits set in the network part, matches no address at all, because tcp_wrappers compares the address masked with the mask against the network part.)

After the configuration is complete, you can check it with tcpdchk:
# tcpdchk

tcpdchk is the TCP_Wrapper configuration check tool; it checks your tcp wrapper configuration and reports all potential or existing problems it detects.

3. logon terminal settings

The /etc/securetty file specifies the tty devices on which root is allowed to log in; it is read by the /bin/login program and its format is a list of permitted device names. Edit /etc/securetty and comment out the following lines:


The code is as follows:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6

In this case, root can only log on to the tty1 terminal.

4. avoid displaying system and version information.

If you do not want remote login users to see the system and version information, change the /etc/inetd.conf entry as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding-h indicates that telnet does not display system information, but only displays "login :".

5. stop IPv6 by modifying the corresponding configuration file.
# vi /etc/modprobe.conf
alias net-pf-10 off
alias ipv6 off
# shutdown -r now
(Note: CentOS 6 no longer reads /etc/modprobe.conf; put such lines in a file under /etc/modprobe.d/ instead.)

IV. prevent attacks

1. prevent ping. If no one can ping your system, its security naturally increases. You can add the following line to the /etc/rc.d/rc.local file:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. prevent IP spoofing

Edit the /etc/host.conf file and add the following lines to prevent IP spoofing attacks:
order bind,hosts
multi off
nospoof on

3. prevent DoS attacks

Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can help prevent DoS attacks. For example, add the following lines to /etc/security/limits.conf:

* hard core 0
* hard rss 5000    # (this line may be useless: man limits.conf says "maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)")
* hard nproc 50

Then edit the /etc/pam.d/login file and check that the following line exists:

session required /lib/security/pam_limits.so

The preceding settings disable core dump files and set the maximum number of processes to 50 and the memory usage to 5 MB.

After the preceding settings, your Linux server is immune to the vast majority of known security issues and network attacks. However, a good system administrator must always follow network security trends and promptly fix exposed and potential security vulnerabilities.

V. kernel parameter adjustment

The settings in this section appear to differ in CentOS 6; for details about CentOS 6, refer to the article on that topic. The lines below belong in /etc/sysctl.conf in "key = value" form (the original listed them as sysctl -w commands); after editing the file, apply them with "sysctl -p".


The code is as follows:
# vi /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
# net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_conntrack_max = 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_synack_retries = 1
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_keepalive_time = 500
net.ipv4.tcp_max_syn_backlog = 10000