CentOS6 system server security settings (entry level)

Source: Internet
Author: User

1. Linux SSH security policy 1: close the ports you do not need

Most hosts that get attacked are found by broad automated scans, not by someone targeting them specifically. So the first step is to stop listening on every port you do not actually need (Web, FTP, SSH and so on) and to firewall the rest. Dropping ICMP echo requests keeps the server out of naive ping sweeps, although it does not hide it from a scanner that probes TCP ports directly (nmap with -Pn, for instance), and dropping all ICMP also breaks path-MTU discovery and "destination unreachable" handling. If you still want to do it, add the following to the INPUT chain in iptables:

-A INPUT -p icmp -j DROP

A narrower rule that matches only the echo-request ICMP type (--icmp-type echo-request) gives the same "cannot be pinged" effect without those side effects.

2. Linux SSH security policy 2: Change the SSH Port

The default SSH port is 22. Move it to a port above 10000: this removes the bulk of the automated password-guessing noise, which only ever tries 22, although it does nothing against a full port scan. Two things to keep in mind: ports above 1024 can be bound by any local user, so if sshd ever stops, an unprivileged account could start its own listener on the new port; and on CentOS 6 with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so the new port has to be added with semanage port -a -t ssh_port_t -p tcp <port> first (semanage is in the policycoreutils-python package). Modification method:

# edit /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
# keep the old port and add a new one (18439 is used as the example below)
Port 22
Port 18439
# check the syntax, then restart the SSH service
sshd -t && service sshd restart

Only sshd_config matters for the server. /etc/ssh/ssh_config is the client configuration and only affects outgoing ssh connections made from this machine, so it does not need to be touched (a Port line there merely changes the port the local ssh client uses by default).

Two ports are configured so that a mistake cannot lock you out. Keep your current session open, change the connection port in your SSH client (for example PuTTY) to 18439 and test a new connection. If the new port works, edit sshd_config again, delete the Port 22 line and restart sshd. If it fails, reconnect on port 22 and fix the configuration.

Note that sshd only listens on the implicit default port 22 while there is no Port line at all: the moment you add a single Port 18439 line, 22 stops being served. That is why Port 22 is written explicitly above.

The firewall has to follow the same order: add an ACCEPT rule for tcp/18439 to iptables and reload it before restarting sshd, confirm the new port works, and only then delete the rule for port 22.
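As an added example (not code from the article), the following helpers edit the Port lines of an sshd_config file the way the two-port rollout above describes, so the old port keeps listening until the new one is verified. They take the file path as a parameter, so they can be tried on a copy first; only rollout_new_port at the end touches the live system, and it assumes root on CentOS 6 with the iptables service and sshd in /usr/sbin.

```bash
#!/bin/sh
# Added example: manage Port lines in an sshd_config file for a safe port change.
# Not part of the original article. Only rollout_new_port assumes a CentOS 6 box
# (service, /etc/sysconfig/iptables); the other functions are plain text edits.

# Print the ports sshd would listen on for this config, one per line.
# sshd listens on 22 only while there is NO active Port line, so the
# implicit default is reported explicitly.
sshd_ports() {   # FILE
    ports=$(awk '$1 == "Port" { print $2 }' "$1")
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# Add "Port PORT" unless it is already there. If the file has no active Port
# line yet, write "Port 22" first: the first explicit Port directive replaces
# the implicit default, and adding only the new port would silently stop
# sshd from serving 22, which is exactly the lock-out the rollout avoids.
add_sshd_port() {   # FILE PORT
    file=$1; port=$2
    if [ -z "$(awk '$1 == "Port"' "$file")" ]; then
        printf 'Port 22\n' >> "$file"
    fi
    if [ -z "$(awk -v p="$port" '$1 == "Port" && $2 == p' "$file")" ]; then
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# Remove one "Port PORT" line (used to retire 22 once the new port is proven).
remove_sshd_port() {   # FILE PORT
    awk -v p="$2" '!($1 == "Port" && $2 == p)' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Live rollout on the server (not exercised by the tests): back up, add the
# port, syntax-check, open the firewall BEFORE restarting sshd, then restart.
rollout_new_port() {   # PORT
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak" || return 1
    add_sshd_port "$cfg" "$1"
    if ! /usr/sbin/sshd -t; then            # refuse to restart on a bad config
        cp "$cfg.bak" "$cfg"; return 1
    fi
    iptables -I INPUT -p tcp --dport "$1" -m state --state NEW -j ACCEPT
    service iptables save
    service sshd restart
    echo "Open a NEW session on port $1. Only when that works:"
    echo "  remove_sshd_port $cfg 22 && service sshd restart, then drop the port-22 iptables rule."
}
```

With SELinux enforcing, run the semanage command from the previous paragraph before rollout_new_port, otherwise sshd -t passes but the restart fails to bind the new port.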

If the SSH login password is weak, replace it with a strong one. I wrote a post on the Google Blog about password strength: Does your password pass the test?

3. Linux SSH security policy 3: restrict IP login

If you always connect from a fixed IP address, you can allow only that address to reach sshd. I log on to the server through my own VPN, for example. The settings are as follows:

# edit /etc/hosts.allow and allow only 123.45.67.89 to reach sshd:
vi /etc/hosts.allow
sshd: 123.45.67.89

hosts.allow on its own blocks nobody: TCP wrappers grant access unless an entry in /etc/hosts.deny matches, so the line "sshd: ALL" must also be added to /etc/hosts.deny for the restriction to bite. This works because the CentOS sshd is built with libwrap support; an iptables rule that accepts the SSH port only from that address is a good second layer, since it also covers any other daemon that may end up on the port.

4. Linux SSH security policy 4: Use certificates to log on to SSH

Logging in with a key pair is safer than logging in with a password. Tap water coffee has written a detailed tutorial, reproduced here with permission:

Configure SSH certificate login verification for CentOS

I was helping the company's network administrator check the mail server remotely, a CentOS 5.1 box managed over OpenSSH. Looking at the security log, we found that for the past few days a whole pile of IP addresses had been guessing passwords every day. Time to switch the login authentication to key (certificate) authentication.

As a precaution I temporarily enabled VNC, so that a misconfiguration would not leave sshd unreachable after a restart. (Later I found this redundant: it is enough to open a PuTTY session first and not close it.)

Follow these steps:

1) First add a maintenance account: msa

2) Then su - msa

3) ssh-keygen -t rsa. After accepting the key path and entering a passphrase, the public and private key are generated in /home/msa/.ssh/: id_rsa and id_rsa.pub.

4) cat id_rsa.pub > authorized_keys. Why this file name? Because that is what sshd_config points to (AuthorizedKeysFile .ssh/authorized_keys). Then chmod 400 authorized_keys for a little extra protection. (sshd also refuses the key if ~/.ssh or the home directory is writable by group or others; chmod 700 ~/.ssh if in doubt.)

5) Use psftp to pull id_rsa back to the local machine, then delete id_rsa and id_rsa.pub on the server. The private key should only ever exist on the client.

6) Configure /etc/ssh/sshd_config:

Protocol 2
ServerKeyBits 1024
PermitRootLogin no             # forbid root login; unrelated to key auth but adds security
# nothing to change in the next three lines, just remove the default # comment
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no

(ServerKeyBits and RSAAuthentication only apply to SSH protocol 1; with Protocol 2 they are harmless and PubkeyAuthentication is the line that matters.)

7) Restart sshd: /sbin/service sshd restart

8) Convert the key format: run puttygen (shipped with PuTTY), load id_rsa and save it as a PuTTY .ppk private key file.

9) Configure PuTTY: under Connection - SSH - Auth click Browse and select the .ppk you just converted. Then fill in the auto-login username (msa) under Connection - Data, enter the server IP address in Session and save the session if you like.

10) With that done you will be eager to log in, and you may be greeted with: No supported authentication methods available. PuTTY shows this when the server rejected the key and password authentication is already off. The workaround used here was to set PasswordAuthentication yes in sshd_config, restart sshd, log in with the password, and change PasswordAuthentication back to no and restart again once key login works. To find the actual cause, watch /var/log/secure on the server during the login attempt; wrong permissions on the home directory, ~/.ssh or authorized_keys are the usual reason. Once the key is accepted you are asked for the key's passphrase instead of the account password. For psftp, pass the key with the -i parameter and the path of the .ppk file.

If you do all this on a remote server, take every step carefully. A mistake in sshd_config or the firewall can leave you unable to reconnect, so keep the existing session open until the new login has been verified, and have an out-of-band console (VNC, KVM or the hosting provider's console) to fall back on.
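The following is an added example, not code from the tutorial: it installs a public key for a user the way steps 3 to 5 describe and audits the permissions that sshd's StrictModes check (on by default) requires before it will accept the key. The key string in the usage is a constructed placeholder, not a real key, and the home directory is assumed to exist already.

```bash
#!/bin/sh
# Added example (not from the tutorial): install a public key with the modes
# sshd's StrictModes check requires, and audit them. The key used in the
# usage is a constructed placeholder. Assumes the home directory exists.

# Append PUBKEY (one "ssh-rsa AAAA... comment" line) to HOME/.ssh/authorized_keys
# unless it is already present, creating .ssh and the file with safe modes.
install_pubkey() {   # HOME PUBKEY
    home=$1; pubkey=$2; ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    grep -qxF -- "$pubkey" "$ak" || printf '%s\n' "$pubkey" >> "$ak"
}

# Return 0 when sshd (StrictModes yes) would accept the key: the home
# directory, .ssh and authorized_keys must exist and none of them may be
# writable by group or others. Prints one line per problem found.
audit_key_perms() {   # HOME
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        # columns 6 and 9 of "ls -ld" are the group and other write bits
        if ls -ld "$p" | cut -c6,9 | grep -q w; then
            echo "group/other writable: $p"; rc=1
        fi
    done
    return $rc
}

# Usage on the server, as root, after copying the .pub file over:
#   install_pubkey /home/msa "$(cat /tmp/id_rsa.pub)" && chown -R msa:msa /home/msa/.ssh
#   audit_key_perms /home/msa
```

Calling install_pubkey twice with the same key leaves a single line, so it is safe to re-run. When audit_key_perms reports a writable directory, that is the same condition that produces the "No supported authentication methods available" error in step 10; fixing the mode is the cure, not re-enabling passwords.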


1. Disable unnecessary services

The fewer services run, the fewer resources the system uses and the smaller its attack surface, so disable everything that is not needed. Run ntsysv (or setup, then "System services") and leave only the services below checked; everything not in the list is switched off. The same can be done per service with chkconfig <name> off.

crond
The scheduled task service in Linux.
irqbalance
irqbalance optimises how interrupts are distributed over the CPU cores: it collects system data, analyses usage patterns and switches between Performance mode and Power-save mode depending on load. In Performance mode it spreads interrupts evenly over the cores to make full use of a multi-core machine; in Power-save mode it concentrates interrupts on the first CPU so the other cores can sleep longer. Current servers are at least dual- or quad-core, so keep it.
network
sshd
syslog (rsyslog on CentOS 6)
The Linux logging system. It must run, otherwise there is no way to find out what happened when the machine has a problem.

Two special cases are iptables and SELinux. If the website and system sit behind a hardware firewall, and there is no other requirement, the original advice is to turn both off. Keep in mind what that costs: iptables is the only thing filtering traffic that reaches the host from its own network segment, where the hardware firewall does nothing, and SELinux is what confines a daemon (httpd, named, ...) after it has been compromised. Prefer leaving them on and fixing the policy; if you must, they are disabled either from setup or on the command line as follows.

Disabling iptables:
service iptables stop && chkconfig iptables off

Disabling SELinux: edit /etc/selinux/config (vim /etc/selinux/config), change SELINUX=enforcing to SELINUX=disabled and reboot. Without a reboot, setenforce 0 switches SELinux to permissive mode temporarily (denials are logged but not enforced).

setenforce 1 sets SELinux to enforcing mode; setenforce 0 sets it to permissive mode.

Adding selinux=0 to the kernel parameters in lilo or grub also disables SELinux at boot.

2. Disable unwanted tty

Edit /etc/inittab and find the following lines (this is the CentOS 5 layout; CentOS 6 uses Upstart, where the number of consoles is set by ACTIVE_CONSOLES=/dev/tty[1-6] in /etc/sysconfig/init, read by /etc/init/start-ttys.conf):
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

These lines make init start six virtual consoles, reachable with [Alt+F1] to [Alt+F6]. All six sit in memory by default, and ps shows the six processes (use ps aux without the dash; with it, procps prints the "bad syntax" warning seen below):
[root@localhost ~]# ps -aux | grep tty
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
root      3219  0.0  0.0   3792   488 tty1   Ss+  Mar16  /sbin/mingetty tty1
root      3220  0.0  0.0   3792   484 tty2   Ss+  Mar16  /sbin/mingetty tty2
root      3221  0.0  0.0   3792   488 tty3   Ss+  Mar16  /sbin/mingetty tty3
root      3222  0.0  0.0   3792   488 tty4   Ss+  Mar16  /sbin/mingetty tty4
root      3224  0.0  0.0   3792   488 tty5   Ss+  Mar16  /sbin/mingetty tty5
root      3226  0.0  0.0   3792   488 tty6   Ss+  Mar16  /sbin/mingetty tty6
root      3325  0.0  0.1  90548  6264 tty7   Ss+  Mar16  /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
root      6767  0.0  0.0  68284  1564 tty8   Ss+  Mar17  /bin/bash
root     31179  0.0  0.0  63372   756 pts/2  S+          grep tty

(This box also runs an X server on tty7, which a headless server does not need at all.)

There is no need for that many. Usually the first two consoles are kept and the last four are commented out with #. No reboot is required; just tell init to re-read the file:
init q
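An added example, not from the article, that does the trimming on either layout: keep_consoles rewrites a CentOS 5 style /etc/inittab, and set_active_consoles rewrites the ACTIVE_CONSOLES line that CentOS 6 reads from /etc/sysconfig/init. Both take the file path, so they can be run on a copy and checked with active_consoles before the real file is touched.

```bash
#!/bin/sh
# Added example (not from the article): reduce the number of virtual consoles.
# keep_consoles() edits a CentOS 5 style inittab; set_active_consoles() edits
# the ACTIVE_CONSOLES line of CentOS 6's /etc/sysconfig/init. Both take the
# file path, so run them on a copy first.

# Comment out every "N:..:respawn:/sbin/mingetty ttyN" line with N > KEEP.
keep_consoles() {   # FILE KEEP
    awk -v keep="$2" '
        /^[0-9]+:[0-9]*:respawn:\/sbin\/mingetty tty[0-9]+/ {
            n = $0; sub(/.*tty/, "", n)          # console number at the end
            if (n + 0 > keep) { print "#" $0; next }
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of consoles an inittab would still start.
active_consoles() {   # FILE
    grep -c '^[0-9][0-9]*:[0-9]*:respawn:/sbin/mingetty' "$1"
}

# CentOS 6: consoles come from ACTIVE_CONSOLES=/dev/tty[1-6] in /etc/sysconfig/init.
set_active_consoles() {   # FILE KEEP
    awk -v keep="$2" '
        /^ACTIVE_CONSOLES=/ { print "ACTIVE_CONSOLES=/dev/tty[1-" keep "]"; next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Live use (not run by the tests):
#   cp /etc/inittab /etc/inittab.bak && keep_consoles /etc/inittab 2 && init q
#   set_active_consoles /etc/sysconfig/init 2      # CentOS 6, applies at next boot
```

On CentOS 6 the already running gettys are not stopped by editing the file; either reboot or stop the extra tty jobs by hand with initctl stop tty TTY=/dev/tty3 and so on.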

3. Adjust the TCP/IP network parameters

Adjusting the TCP/IP parameters improves resistance to SYN floods. Note the double >> below: a single > would wipe the rest of /etc/sysctl.conf.
# echo 'net.ipv4.tcp_syncookies = 1' >> /etc/sysctl.conf
# sysctl -p

4. Modify the number of history records of shell commands

The history length is set in /etc/profile:
# vi /etc/profile

Find HISTSIZE=1000 and change it to HISTSIZE=100 (pick a value that suits you). A shorter history limits what an attacker who reads ~/.bash_history learns about past commands, but it also removes a trace you would want during an incident, so do not shrink it on machines where you rely on shell history for forensics.

The change takes effect without a reboot:
source /etc/profile

5. Keep the server clock synchronised

The server clock can be corrected regularly with a cron job:
# yum install ntp
# crontab -e

Add the following line (every five minutes):
*/5 * * * * /usr/sbin/ntpdate ntp.api.bz

# ntp.api.bz is a cluster of six NTP servers, the second free API offered by api.bz after the free SMS interface at http://sms.api.bz. Two caveats: accurate time matters for security (log correlation, certificate validity periods, Kerberos), so a third-party time source you do not control is a dependency worth knowing about; and the ntp package already ships ntpd, which disciplines the clock continuously (chkconfig ntpd on) and is the usual alternative to stepping it from cron, which can move the clock backwards.

6. Stop the printing service.

If the machine does not provide printing, stop the printing service that is set to start automatically by default:
[root@sample ~]# /etc/rc.d/init.d/cups stop        <- stop the print service
Stopping cups:                                   [  OK  ]    <- "OK" means it stopped
[root@sample ~]# chkconfig cups off                <- disable automatic start of the print service
[root@sample ~]# chkconfig --list cups             <- confirm the auto-start setting
cups   0:off 1:off 2:off 3:off 4:off 5:off 6:off   <- off in every runlevel: the print service no longer starts at boot

7. Stop ipv6

CentOS 6.3 enables IPv6 by default. If you do not use it, disable it: iptables only filters IPv4, so unless you also maintain ip6tables rules every listening service is reachable over IPv6 with no filtering at all, and a link-local address is enough for a neighbour on the same segment. First check whether IPv6 is active:
[root@sample ~]# ifconfig -a        <- list all network interfaces
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb6:16a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10288 (10.0 KiB)  TX bytes:9337 (9.1 KiB)
          Interrupt:185 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:952 (952.0 B)  TX bytes:952 (952.0 B)

sit0      Link encap:IPv6-in-IPv4        <- the inet6 addr lines and the sit0 tunnel device show that IPv6 is up
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Then change the configuration so the module is not loaded. The modprobe.conf file shown here is the CentOS 5 way; CentOS 6 has no /etc/modprobe.conf, and the equivalent is a file under /etc/modprobe.d/ (for example /etc/modprobe.d/ipv6.conf containing options ipv6 disable=1) plus NETWORKING_IPV6=no in /etc/sysconfig/network.
[root@sample ~]# vi /etc/modprobe.conf      <- add the following two lines:
alias net-pf-10 off
alias ipv6 off
echo "IPV6INIT=no" >> /etc/sysconfig/network-scripts/ifcfg-eth0     <- note the >>; a single > would overwrite the whole interface configuration
[root@sample ~]# shutdown -r now            <- reboot so the change takes effect

Finally confirm that IPv6 is off:

[root@sample ~]# ifconfig -a        <- list all network interfaces
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb6:16a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10288 (10.0 KiB)  TX bytes:9337 (9.1 KiB)
          Interrupt:185 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:952 (952.0 B)  TX bytes:952 (952.0 B)

The sit0 tunnel device is gone. For IPv6 to be fully disabled, the inet6 addr lines on eth0 and lo must disappear as well; in the listing above they are still present, which means the ipv6 module was still loaded on that machine (check with lsmod | grep ipv6, and with the CentOS 6 files named above rather than modprobe.conf).

8. Adjust the maximum number of opened files in Linux.

The maximum number of open files in Linux needs raising, otherwise squid performs badly under load and applications run into errors such as "Socket/File: Can't open so many files". The value also caps the number of concurrent connections a server can hold. Linux limits file handles per process, and the default is low, usually 1024, which a production server reaches easily. The first attempt was vim /etc/security/limits.conf with the following lines appended:
* soft nofile 60000
* hard nofile 65535

But after a reboot everything was back to 1024. The reason is that limits.conf is applied by pam_limits, which only runs for sessions that go through PAM (login, ssh, su). A daemon started by an init script at boot never passes through PAM, so it inherits the limits of init instead.

The fix used here was to add the following line to /etc/rc.local on CentOS 6.3:
ulimit -SHn 65535

That only affects processes started from rc.local itself (it runs last at boot), so the more reliable place is the service's own init script, or the ulimit call inside the Nginx monitoring and restart scripts, so that a restart also picks it up.

Note that ulimit -n shows the limit of the current shell, not of the running daemon. The real limit of each nginx process is in /proc/<pid>/limits:
#!/bin/bash
# print the open-file limit of every running nginx process
for pid in $(pgrep nginx); do
    grep 'Max open files' /proc/${pid}/limits
done

9. Bring the NIC up at boot

When configuring the network card on CentOS 6.3 it is easy to forget that the interface is not brought up at boot; the result is a machine with no IP address after a restart. This is the configuration of a live server:
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0

# Intel Corporation 82541GI Gigabit Ethernet Controller
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:14:22:1B:71:20
IPV6INIT=yes
IPV6_AUTOCONF=yes
ONBOOT=yes              -> must be yes: it brings the device up at system boot
NETMASK=255.255.255.192
IPADDR=203.93.236.146
GATEWAY=203.93.236.129
TYPE=Ethernet
PEERDNS=yes             -> allow DNS servers obtained from DHCP to overwrite /etc/resolv.conf (irrelevant with BOOTPROTO=none)
USERCTL=no              -> ordinary users may not bring the interface up or down

(This example still has IPV6INIT=yes and IPV6_AUTOCONF=yes, the opposite of what step 7 configured; set both to no on a host where IPv6 is meant to be off.)

10. Reduce disk write I/O on CentOS 6.3 by not recording access times

A Linux file keeps three timestamps by default:

atime: when the file was last accessed (read).
ctime: when the file's inode was last changed.
mtime: when the file's contents were last modified.
With large numbers of small files (for example the many small images on a web server) there is usually no need to record access times, and dropping them saves disk write I/O. How is this configured?

Edit the file system table, vim /etc/fstab, and add the noatime and nodiratime mount options to the partitions that hold lots of small files. For example:
/dev/sda5 /data/pics ext3 noatime,nodiratime 0 0
With this, reading files under /data/pics no longer generates a write. Two caveats: the CentOS 6 kernel already mounts with relatime by default, which only updates atime when it is older than mtime or ctime, so the gain over the default is small; and atime is one of the few records of when a file was last read, which is sometimes useful during an investigation.

1. System log files

The log files of the operating system are an important clue for detecting network intrusions. If your system is directly on the Internet and you see many people trying Telnet or FTP logins, run "# grep refused /var/log/secure | more" to review the rejected connection attempts (TCP wrappers log them there; failed SSH password attempts appear in the same file as "Failed password" lines) and take countermeasures, such as replacing Telnet/rlogin with SSH.

II. Startup and login security

1. BIOS security

Set a BIOS password and change the boot order so the system cannot be booted from a floppy, CD or USB device; otherwise anyone with physical access can boot their own system and read the disks.

2. User password

The user password is the basic starting point of Linux security. Many people use passwords that are far too simple, which opens the door to intruders. In theory no password survives unlimited time and resources, but a well-chosen one is hard to crack. A good password is easy for its owner to remember and meaningless to everyone else, and it is never written down anywhere.

To change the minimum password length, edit login.defs:
vi /etc/login.defs
PASS_MIN_LEN 8

On CentOS 6 the passwd command goes through PAM, and it is pam_cracklib in /etc/pam.d/system-auth, not PASS_MIN_LEN, that enforces the minimum length; set minlen= on the pam_cracklib line as well, otherwise the login.defs value has no effect on password changes.

3. Comment out unnecessary users and user groups

All default accounts created by the operating system that are not needed should be disabled, ideally right after installation. Linux ships with many default accounts, and every extra account is another way in.

Deleting them outright with userdel is the approach shown here (there is no need to edit /etc/passwd by hand first; userdel updates it). Be aware that packages own files under several of these accounts (lp, adm, news, uucp, games, ftp) and expect them to exist: rpm -V reports the missing owners, and reinstalling such a package recreates the account. A gentler option that keeps packages intact is to leave the accounts in place and make sure each one has a locked password and a non-login shell (usermod -L -s /sbin/nologin <user>), which is already the case for most of them on CentOS 6. The sync, shutdown and halt accounts deliberately have /bin/sync, /sbin/shutdown and /sbin/halt as their shells.

# userdel adm
# userdel lp
# userdel sync
# userdel shutdown
# userdel halt
# userdel news
# userdel uucp
# userdel operator
# userdel games
# userdel gopher
# userdel ftp
# groupdel adm
# groupdel lp
# groupdel news
# groupdel uucp
# groupdel games
# groupdel dip
# groupdel pppusers
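Before deleting anything, it is worth knowing which accounts could actually be used to log in. The following added example (not from the article) audits passwd and shadow formatted files for accounts with a real login shell, system accounts among them, and for empty password fields, and locks an account instead of deleting it. The sample passwd and shadow content in the usage is constructed; the UID < 500 boundary and the /sbin/nologin and /bin/false shells are the CentOS 6 conventions.

```bash
#!/bin/sh
# Added example (not from the article): find the accounts that could still be
# used to log in, instead of deleting stock accounts blindly. Works on any
# passwd/shadow formatted file, so it can be pointed at copies. lock_account()
# is the only function that changes the system. CentOS 6 assumptions: system
# accounts have UID < 500, non-login shells are /sbin/nologin and /bin/false.

# Print "user uid shell" for every account whose shell is a real login shell.
login_capable_accounts() {   # PASSWD_FILE
    awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "" {
        print $1, $3, $7 }'  "$1"
}

# Only the system accounts (UID < 500, not root) from the list above: these
# are the candidates the article removes with userdel.
system_accounts_with_shell() {   # PASSWD_FILE
    login_capable_accounts "$1" | awk '$2 < 500 && $1 != "root" { print $1 }'
}

# Accounts with an empty password field in shadow: they log in with no
# password wherever PermitEmptyPasswords or a console login allows it.
empty_password_accounts() {   # SHADOW_FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Lock one account without deleting it: locked password, no login shell.
lock_account() {   # USER
    usermod -L -s /sbin/nologin "$1"
}

# Usage on a live box (not run by the tests):
#   system_accounts_with_shell /etc/passwd
#   empty_password_accounts /etc/shadow
#   for u in $(system_accounts_with_shell /etc/passwd | grep -v -e sync -e shutdown -e halt); do lock_account "$u"; done
```

Any account printed by empty_password_accounts needs a password or a lock immediately; with PermitEmptyPasswords no (set in the SSH section above) it cannot be used over SSH, but it still works on the console.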

4. Password file

The chattr command marks the following files immutable, so they cannot be modified, even by root, until the attribute is removed again (which itself requires root). This stops an intruder who has gained root from quietly adding an account or swapping a password hash, but it also blocks useradd, passwd, usermod and any package that creates a user during installation; run chattr -i on the files before such changes and chattr +i afterwards. lsattr /etc/passwd shows the current attributes.

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow


5. Disable Ctrl Alt Delete to restart the machine Command

Edit /etc/inittab and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now" so that Ctrl+Alt+Del on the console no longer reboots the machine (on CentOS 6, which uses Upstart, the same action lives in /etc/init/control-alt-delete.conf instead). Then tighten the permissions on all files in /etc/rc.d/init.d/:

# chmod -R 700 /etc/rc.d/init.d/*

After this only root can read, write or execute the start-up scripts, so an unprivileged user can no longer read them to learn how the services are configured.

6. Restrict su commands

If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and make sure it contains these two lines (CentOS 6 locates modules itself, so the bare module name is used; the absolute /lib/security/ path from older guides is wrong on x86_64, where the modules live in /lib64/security):

auth sufficient pam_rootok.so
auth required pam_wheel.so group=isd

Now only members of the isd group can su to root. To let the user admin su to root afterwards, add admin to that group:
# usermod -a -G isd admin
The -a is essential: usermod -G without -a replaces the user's supplementary groups instead of adding one. Note that the isd group does not exist on CentOS 6 (the guide this came from assumed GID 10, which is the wheel group on CentOS), so either create it or use wheel as described next.

To restrict su to root to a specific group on a stock CentOS 6, open /etc/pam.d/su, which already contains this comment:

# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid

Uncommenting that line restricts su to members of wheel. To use another group instead, change the line to:

auth required pam_wheel.so group=mysugroup

Create the mysugroup group and add the appropriate users. From then on only members of that group can su to root. On a real server, also forbid root from logging in remotely over SSH (PermitRootLogin no), so root can only be reached through su from one of these accounts.


7. Delete logon information

By default the login prompt shows the Linux distribution, kernel version and host name. On a machine with high security requirements that gives away too much. Edit /etc/rc.d/rc.local and comment out the lines that write the system information (note: on CentOS 6 rc.local does not contain these lines; /etc/issue is a static file there and can simply be edited):

# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue

Then run the following:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

/etc/issue is shown before console logins and /etc/issue.net before telnet logins; sshd only shows a banner if Banner /etc/issue.net is set in sshd_config, and the version string it sends during the protocol handshake (OpenSSH_5.3 on CentOS 6) cannot be hidden.


8. Change the SSH port to 10000 or above; scanners that only try port 22 will miss it.

Forbid the old SSH protocol version:
vi /etc/ssh/sshd_config
change #Protocol 2,1 to
Protocol 2
(Note: CentOS 6 already defaults to protocol 2 only.)

Change the port to 10000 or above:
vi /etc/ssh/sshd_config
Port 10000

Create an ordinary login user and disable direct root login:
useradd 'username'
passwd 'username'

vi /etc/ssh/sshd_config
PermitRootLogin no     # no direct remote root login
X11Forwarding no       # servers usually run no X, so do not enable X11 forwarding

An AllowUsers line listing the permitted accounts additionally rejects every other account before the password is even checked. Remember the SELinux port label (semanage port -a -t ssh_port_t -p tcp 10000) and the iptables rule for the new port before restarting sshd, and test the new port from a second session before closing the first.

9. Shut down services that are not needed. Every service that is not running is one less risk.

Only the services below need to start; everything not listed is turned off:

# setup        (System services: the same list as ntsysv)
acpid
anacron
cpuspeed
crond
irqbalance     # only useful on SMP, multi-core or hyper-threading machines; disable it on a single-core box
microcode_ctl
network
random         # (CentOS 5 only; this service does not exist on CentOS 6)
sendmail       # only if the machine must send mail; by default it listens on localhost:25 only
sshd
syslog         # rsyslog on CentOS 6
yum-updatesd   # (CentOS 5 only; CentOS 6 does not ship this service)


10. Enabling the iptables firewall does a lot for system security. Set the firewall rules in /etc/sysconfig/iptables (the path in the original, /etc/sysconf/iptables, is a typo):

vi /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow local loopback connections
-A INPUT -i lo -j ACCEPT
# Drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Add any more rules here
COMMIT

As written, this rule set accepts no new inbound connections at all: with the INPUT policy at DROP you must add an ACCEPT for the SSH port (and for every other service port) at the "Add any more rules here" line before loading it with service iptables restart, or the next SSH session will be refused. Apply it from a session you can afford to lose, or with a console at hand.
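As an added example, not from the article, the generator below writes a complete /etc/sysconfig/iptables that keeps the policy above (INPUT and FORWARD DROP, loopback, INVALID, ESTABLISHED/RELATED) and adds the two things a practitioner would: an ACCEPT for the SSH port, restricted to an admin network, and the narrower ICMP handling from section 1 that drops only echo requests. It also serves the note at the top of the page about dropping ICMP. The port 18439 and the 203.0.113.0/24 admin network in the usage are assumed values; apply_iptables_rules is the only function that touches the live system and assumes root on CentOS 6 with the iptables service.

```bash
#!/bin/sh
# Added example (not from the article): generate a complete
# /etc/sysconfig/iptables for the policy in the text, plus the ACCEPT for
# SSH it leaves out and an ICMP rule that drops only echo requests so
# path-MTU discovery keeps working. SSH_PORT and ADMIN_CIDR are parameters;
# the values in the usage are assumed.

gen_iptables_rules() {   # SSH_PORT [ADMIN_CIDR]
    port=$1; admin=${2:-0.0.0.0/0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow local loopback connections
-A INPUT -i lo -j ACCEPT
# Drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH on its non-default port, only from the admin network
-A INPUT -p tcp -s $admin --dport $port -m state --state NEW -j ACCEPT
# Ignore pings, keep the rest of ICMP (unreachable, fragmentation-needed)
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Pre-flight check on rules text read from stdin: is NEW traffic to PORT accepted?
# Run it before loading so an INPUT DROP policy cannot cut off the SSH session.
rules_accept_port() {   # PORT
    grep -q -- "--dport $1 -m state --state NEW -j ACCEPT"
}

# Live apply (not run by the tests): write the file, then load it with a
# timed rollback so a mistake undoes itself if you lose the session.
apply_iptables_rules() {   # SSH_PORT ADMIN_CIDR
    gen_iptables_rules "$1" "$2" | rules_accept_port "$1" || return 1
    gen_iptables_rules "$1" "$2" > /etc/sysconfig/iptables
    (sleep 300 && service iptables stop) & rollback=$!
    service iptables restart && echo "rules loaded; open a new SSH session, then run: kill $rollback"
}

# Usage (assumed values):  apply_iptables_rules 18439 203.0.113.0/24
```

If the machine serves web traffic, add the tcp/80 and tcp/443 ACCEPT lines next to the SSH rule; the rollback timer is there so that a forgotten port costs five minutes rather than a trip to the console.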


3. Restrict network access

1. NFS access

If you use the NFS network file system, make sure /etc/exports has the strictest access permissions possible: no wildcards, no root write access, and read-only exports. Edit /etc/exports and add the following two lines.

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory to export and host.mydomain.com the name of the machine allowed to mount it; ro exports it read-only and root_squash maps the client's root to the anonymous user so it cannot write as root. Write the options directly after the host name with no space in between: "host1.mydomain.com (ro,root_squash)" with a space is parsed as two entries, host1 with the default options and "everyone" with (ro,root_squash). To make the change take effect, run:

# /usr/sbin/exportfs -a

2. Inetd settings

First make sure /etc/inetd.conf is owned by root and its mode is 600, then verify with stat. (CentOS 6 does not use inetd: these services are managed by xinetd, each with its own file under /etc/xinetd.d/ where disable = yes switches it off, and the equivalent reload is service xinetd reload.)
# chmod 600 /etc/inetd.conf
Edit /etc/inetd.conf and disable the following services:
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have ssh/scp installed, telnet and ftp can go. To make the change take effect:
# killall -HUP inetd

By default most Linux systems accept every request, and TCP wrappers are an easy way to tighten that. Access restrictions go in /etc/hosts.deny and /etc/hosts.allow. Setting /etc/hosts.deny to "ALL: ALL" denies everything by default; the permitted clients are then listed in /etc/hosts.allow. For example "sshd: 192.168.1.0/255.255.255.0 gate.openarch.com" allows the 192.168.1.0/24 network and the host gate.openarch.com to connect over SSH. The net/mask form matches when (address AND mask) equals the net part, so the net must be the network address: "192.168.1.10/255.255.255.0", as the original had it, never matches anything, because 192.168.1.10 AND 255.255.255.0 is 192.168.1.0, not 192.168.1.10. To allow a single host, write just its address. Remember that hosts.allow and hosts.deny only govern daemons that use libwrap (sshd, vsftpd, the xinetd services); Apache, for instance, ignores them.

After configuring, check with tcpdchk:
# tcpdchk

tcpdchk is the TCP wrappers configuration checker: it reads your tcp_wrappers configuration and reports every potential or actual problem it detects.
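The net/mask rule is easy to get wrong, as the 192.168.1.10/255.255.255.0 example shows, so here is an added example (not from the article) that reproduces the hosts_access(5) comparison in plain shell arithmetic. It reads nothing from /etc/hosts.allow; you pass it the net, the mask and the client address you expect to match.

```bash
#!/bin/sh
# Added example (not from the article): reproduce the hosts_access(5) net/mask
# rule so a hosts.allow pattern can be checked before it is relied on. Pure
# shell arithmetic; nothing is read from /etc/hosts.allow.

# Dotted quad -> integer.
ip_to_int() {   # a.b.c.d
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# TCP wrappers match "net/mask" when (address AND mask) == net, so net has to
# be the network address. Prints "match" or "no match".
wrappers_net_match() {   # NET MASK ADDR
    net=$(ip_to_int "$1"); mask=$(ip_to_int "$2"); addr=$(ip_to_int "$3")
    if [ $(( addr & mask )) -eq "$net" ]; then echo match; else echo "no match"; fi
}

# Usage: the pattern from the text never matches its own host, while the
# network address does:
#   wrappers_net_match 192.168.1.10 255.255.255.0 192.168.1.10   # no match
#   wrappers_net_match 192.168.1.0  255.255.255.0 192.168.1.10   # match
```

tcpdmatch sshd 192.168.1.10 gives the authoritative answer on the server itself, using the real hosts.allow and hosts.deny; the function above is for reasoning about a pattern before it is installed.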

3. Logon terminal settings

/etc/securetty lists the tty devices on which root may log in; /bin/login reads it as a list of permitted device names. Edit /etc/securetty and comment out the following lines:

tty1
#tty2
#tty3
#tty4
#tty5
#tty6

Root can then only log in on the tty1 console. (CentOS 6 also lists console and vc/N entries in the file; treat them the same way. This only concerns local console logins; remote root login over SSH is controlled by PermitRootLogin in sshd_config.)

4. Avoid displaying system and version information.

If you do not want remote users to see the system and version information before they log in, change the telnet entry in /etc/inetd.conf as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

The -h makes in.telnetd print only "login:" instead of the host banner. On CentOS 6 telnet is an xinetd service, so the flag goes on a server_args = -h line in /etc/xinetd.d/telnet instead. Better still, do not run telnet at all; it sends passwords in the clear.

5. Change the corresponding configuration file to stop IPv6.
# vi /etc/modprobe.conf
alias net-pf-10 off
alias ipv6 off
# shutdown -r now
(This is the CentOS 5 file; CentOS 6 has no /etc/modprobe.conf, so put options ipv6 disable=1 in a file under /etc/modprobe.d/ instead.)

4. Prevent attacks

1. Prevent ping. If nobody can ping your system it is a little harder to find. Add the following line to /etc/rc.d/rc.local:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

(The persistent form is net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf, the same setting that appears in part V; it hides the host from ping sweeps but not from port scanners.)

2. Prevent IP spoofing

Edit /etc/host.conf and add the following lines against host name spoofing.

order bind,hosts
multi off
nospoof on

These options only affect the resolver's own consistency check between forward and reverse lookups (useful for services that trust clients by host name, such as rlogin/rsh). They do nothing against forged source IP addresses on the wire; for that, enable reverse-path filtering with net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf and block RFC 1918 source addresses at the border.

3. Prevent DoS attacks

Setting resource limits for all users limits the damage a runaway or malicious process can do (a local DoS such as a fork bomb): the maximum number of processes, memory use and so on. Add the following lines to /etc/security/limits.conf:

* hard core 0
* hard rss 5000      # probably without effect: man limits.conf says "maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)"
* hard nproc 50

Then make sure /etc/pam.d/login contains the following line (on CentOS 6 it is already there through the system-auth include, and sshd applies it too because it uses PAM):

session required pam_limits.so

The first line disables core dumps (they can contain passwords and keys from the crashed process's memory), the third caps every user at 50 processes, and the rss line was meant to cap memory at 5 MB but is ignored by the kernel. Note that the wildcard * also covers service accounts, that 50 processes is very low for a web or database user, and that CentOS 6 ships /etc/security/limits.d/90-nproc.conf with a soft nproc of 1024; files in limits.d are read after limits.conf.

After these settings, the Linux server is protected against most of the common, low-effort attacks. That is not the same as being immune: a good administrator keeps following security news and patches exposed and potential vulnerabilities as they appear.

V. Kernel parameter adjustment

The settings in this section look different on CentOS 6 (see the article referenced for CentOS 6 details). Note that /etc/sysctl.conf holds "key = value" lines, not sysctl -w commands; sysctl -w sets a value immediately on the command line, and sysctl -p loads the file:

# vi /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
# net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_conntrack_max = 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_synack_retries = 1
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_keepalive_time = 500
net.ipv4.tcp_max_syn_backlog = 10000

Caveats: tcp_syncookies appeared twice in the original list and is given once here. net.ipv4.ip_conntrack_max is the old name; on CentOS 6 the key is net.netfilter.nf_conntrack_max (sysctl -a | grep conntrack_max shows which one the kernel has), and it only exists once the conntrack module is loaded, so sysctl -p may complain about it early in boot. tcp_syn_retries = 1 and tcp_synack_retries = 1 make the host give up a handshake after a single retransmission, which drops legitimate clients on lossy links; they are a trade-off for flood resistance, not a general recommendation.
