CentOS 6.5 system security hardening and performance optimization

Source: Internet
Author: User
Anyone who works with Linux systems regularly knows something about tuning system parameters and hardening the system. Some of the default parameters are conservative, so adjusting them lets the system make fuller use of its memory, CPU and kernel resources, while disabling services and ports that are not needed reduces the attack surface. What follows is a summary of the basic hardening and tuning steps I apply to a fresh installation.

Operating system: CentOS 6.5 x64, minimal installation

1. Host name settings

[root@localhost ~]# vi /etc/sysconfig/network

HOSTNAME=test.com

[root@localhost ~]# hostname test.com    # takes effect immediately, but only until the next reboot; the file edit above makes it permanent

2. Disable SELinux

[root@localhost ~]# vi /etc/selinux/config

SELINUX=disabled

[root@localhost ~]# setenforce 0    # takes effect immediately (permissive mode) until reboot

[root@localhost ~]# getenforce    # view the current SELinux mode

Note that this step removes a mandatory access control layer rather than adding one: it is a convenience for administrators, not a hardening measure. If SELinux only needs to be out of the way while troubleshooting, SELINUX=permissive keeps the policy loaded and logs denials without enforcing them, which is easier to switch back than a full disable.

3. Clear the firewall rules and set new ones

[root@localhost ~]# iptables -F    # flush all firewall rules

[root@localhost ~]# iptables -L    # list the firewall rules

[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

[root@localhost ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT

[root@localhost ~]# iptables -A INPUT -p udp --dport 123 -j ACCEPT

[root@localhost ~]# iptables -A INPUT -p icmp -j ACCEPT

[root@localhost ~]# iptables -P INPUT DROP

[root@localhost ~]# /etc/init.d/iptables save

# Open only the ports you actually need.

Keep the order above (ACCEPT rules first, DROP policy last) and run it from the console or with a second SSH session open: if the default policy becomes DROP before the port 22 rule exists, the current session is cut. The list is also missing two rules that almost every server needs under a DROP policy: one accepting loopback traffic and one accepting packets that belong to connections the host itself opened (the ESTABLISHED,RELATED state match). Without them, the replies to the host's own DNS lookups and yum downloads are dropped.
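The same ruleset written as an iptables-restore file, as an added example rather than the article's own commands. It is loaded atomically, so there is no window between the flush and the port 22 rule in which an SSH session is cut, and it prepends the two rules the list above lacks under a DROP policy: loopback traffic and replies to connections the host itself opened. It assumes CentOS 6, where /etc/sysconfig/iptables is the file the iptables service loads; the port lists are the ones opened above.

```shell
#!/bin/sh
# Added example (not from the original article). Builds the article's ruleset in
# iptables-restore format so it can be loaded atomically, and prepends the
# loopback and ESTABLISHED,RELATED rules the article leaves out.
# Assumes CentOS 6, where /etc/sysconfig/iptables is what "service iptables" loads.

# build_rules "TCP PORTS" "UDP PORTS" -> prints a complete filter table
build_rules() {
    tcp_ports=$1
    udp_ports=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default policy is part of the atomic load
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Without these two rules a DROP policy also discards the replies to the
    # host's own DNS lookups and yum downloads.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'   # same as the article: all ICMP
    printf '%s\n' 'COMMIT'
}

# rule_index "RULESET" PATTERN -> 1-based line of the first rule containing PATTERN
# (lets a script verify that the state rule precedes the service rules)
rule_index() {
    printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# Apply and persist only when invoked as "apply", as root, on the target host.
if [ "$1" = "apply" ]; then
    build_rules "80 22 53" "53 123" > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
fi
```

Run it without arguments to print the ruleset for review; `sh thisfile.sh apply` writes it and loads it in one step, which replaces both the sequence of -A commands and the final save. Because the file is what the iptables service reads at boot, the rules survive a reboot without a separate save step.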

4. Add a regular user and grant sudo rights

[root@localhost ~]# useradd user

[root@localhost ~]# echo "123456" | passwd --stdin user    # set the password

[root@localhost ~]# vi /etc/sudoers    # find the line that grants root all rights and add the same line for the new user

root ALL=(ALL) ALL

user ALL=(ALL) ALL

Use a real password rather than 123456: this account reaches root through sudo, and a password passed on the command line as above is also recorded in the shell history. Edit the sudoers file with visudo rather than vi, so a syntax error is caught before it locks everyone out of sudo.

5. Disable remote root login

[root@localhost ~]# vi /etc/ssh/sshd_config

PermitRootLogin no

PermitEmptyPasswords no    # disable login with an empty password

UseDNS no    # disable reverse DNS lookups of connecting clients (avoids slow logins when DNS is unreachable)

Restart sshd for the change to take effect, and confirm from a second session that the sudo user from step 4 can log in before closing the current one; once root is locked out, that user is the only way in.

6. Disable services that start at boot but are not needed

7. Delete, or lock, system users that are not needed
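Sections 6 and 7 name the task without showing how to find the candidates. The following added example (not from the original article) does that: it lists the services enabled in runlevel 3 from the output of chkconfig --list, and the accounts in /etc/passwd that still have a login shell, separating out the system accounts (UID below 500 on CentOS 6) that are the usual lock-or-delete candidates. The inputs are constructed samples in the formats of chkconfig --list and /etc/passwd; on a real host point the functions at the real output instead.

```shell
#!/bin/sh
# Added example (not from the original article): find what sections 6 and 7
# say to disable or delete. The functions work on files so they can be run
# against saved output; the sample_* functions print constructed data in the
# CentOS 6 formats and are not taken from any real host.

# enabled_services FILE -> names of SysV services that are "on" in runlevel 3
# (FILE holds the output of `chkconfig --list`; field 5 is the "3:on/off" column)
enabled_services() {
    awk '$5 == "3:on" { print $1 }' "$1" | sort
}

# login_accounts FILE -> user:uid:shell for every account with a usable login shell
# (FILE is in /etc/passwd format)
login_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# system_accounts_with_shell FILE -> system accounts (UID < 500, root excluded)
# that still have a shell; review these for `usermod -L` or `userdel`
system_accounts_with_shell() {
    awk -F: '$3 < 500 && $1 != "root" && $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample in `chkconfig --list` format
sample_chkconfig() {
    cat <<'EOF'
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
cups            0:off   1:off   2:on    3:off   4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        rsync:          off
EOF
}

# Constructed sample in /etc/passwd format
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
user:x:500:500::/home/user:/bin/bash
oldadmin:x:501:501::/home/oldadmin:/bin/bash
EOF
}
```

On a live host, save the service list with `chkconfig --list > /root/services.txt` and run `enabled_services /root/services.txt`, then `login_accounts /etc/passwd`. Turn a service off with `chkconfig NAME off` followed by `service NAME stop`; for accounts, `usermod -L` (lock) is the safer first step when files owned by the account may still exist, since `userdel` leaves those files with a dangling UID that a later account could inherit.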

8. Disable the Ctrl-Alt-Delete reboot key combination

[root@localhost ~]# vi /etc/init/control-alt-delete.conf

#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"    # comment out this line

9. Raise the file descriptor limit

[root@localhost ~]# ulimit -n    # the default is 1024

1024

[root@localhost ~]# echo "ulimit -SHn 102400" >> /etc/rc.local    # raise the limit at boot

Use >> rather than > so the existing contents of rc.local are kept. Note that this only raises the limit for processes started from rc.local itself; interactive and SSH sessions get their limits from /etc/security/limits.conf (the nofile entries), which is where a lasting change for all users belongs.

10. Remove system version information from the banners

[root@localhost ~]# echo "Welcome to Server" > /etc/issue

[root@localhost ~]# echo "Welcome to Server" > /etc/redhat-release

/etc/issue is only the pre-login banner on the console; SSH does not show it unless a Banner is configured. Overwriting /etc/redhat-release hides the version from local logins but not from yum or the kernel, and some scripts and installers parse this file to detect the distribution, so check for those before changing it.

11. Limit the shell history

[root@localhost ~]# vi /etc/profile    # keep only 10 history entries

HISTSIZE=10

A short history also removes an audit trail that is valuable after an incident; it is worth it only if commands such as the passwd line in step 4 would otherwise leave secrets in the history. Keeping the history and not typing secrets on the command line is the better trade.

12. Synchronize the system time

[root@localhost ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime    # set the Shanghai time zone

[root@localhost ~]# ntpdate cn.pool.ntp.org; hwclock -w    # synchronize the time and write it to the BIOS hardware clock

[root@localhost ~]# crontab -e    # schedule the synchronization once a day

0 0 * * * /usr/sbin/ntpdate cn.pool.ntp.org; /sbin/hwclock -w

Cron runs with a minimal PATH that does not include /sbin, so hwclock is given by full path here; without it the time would be synchronized but never written back to the hardware clock.

13. Kernel parameter tuning

[root@localhost ~]# vi /etc/sysctl.conf    # append the following parameters at the end

net.ipv4.tcp_syncookies = 1    # 1 enables SYN cookies: when the SYN backlog overflows, cookies let the host keep accepting connections through a small SYN flood. The default is 0.

net.ipv4.tcp_tw_reuse = 1    # 1 allows sockets in TIME_WAIT to be reused for new outgoing TCP connections. The default is 0.

# net.ipv4.tcp_retries2 (no value given here): number of retransmissions before an established connection is dropped. The default is 15; a smaller value frees kernel resources sooner.

net.ipv4.ip_local_port_range = 4096 65000    # ephemeral port range available to applications

net.ipv4.tcp_max_tw_buckets = 5000    # maximum number of TIME_WAIT sockets held at once; above this they are destroyed immediately and a warning is logged. The default is 180000.

net.ipv4.tcp_max_syn_backlog = 4096    # maximum length of the queue of half-open (SYN received) connections. The default is 1024.

net.core.netdev_max_backlog = 10240    # maximum number of packets queued on the input side when an interface receives them faster than the kernel processes them. The default is 1000.

net.core.somaxconn = 2048    # maximum accept backlog of a listening socket. The default is 128.

net.core.wmem_default = 8388608    # default send buffer size (bytes)

net.core.rmem_default = 8388608    # default receive buffer size (bytes)

net.core.rmem_max = 16777216    # maximum receive buffer size

net.core.wmem_max = 16777216    # maximum send buffer size

net.ipv4.tcp_synack_retries = 2    # how many times a SYN-ACK is retransmitted for a half-open connection. The default is 5.

net.ipv4.tcp_syn_retries = 2    # how many times an outgoing SYN is retransmitted. The default is 5.

net.ipv4.tcp_tw_recycle = 1    # enables fast recycling of TIME_WAIT sockets. The default is 0. Caveat: with this on, the kernel drops SYNs from any client whose TCP timestamps go backwards relative to the previous connection from the same address, which is exactly what happens when several clients sit behind one NAT gateway; those clients fail to connect intermittently. The option was removed from Linux in 4.12 for this reason. Leave it at 0 on any host that serves clients you do not control.

net.ipv4.tcp_max_orphans = 3276800    # maximum number of TCP sockets not attached to any user file handle; beyond this, orphaned connections are reset immediately and a warning is logged.

net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_mem[0]: below this value, TCP is under no memory pressure;

net.ipv4.tcp_mem[1]: above it, TCP enters its memory-pressure mode;

net.ipv4.tcp_mem[2]: above it, TCP refuses to allocate memory for new sockets. All three values are in pages, not bytes, and the kernel sizes them from physical memory at boot. At 4 KiB per page the first value above is about 360 GiB, far more than most hosts have, so scale these numbers down to the machine rather than copying them; if there is no specific reason to set them, the boot-time defaults are fine. Load the file with sysctl -p and confirm each value was accepted.
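Before loading a fragment like the one above, it is worth checking it mechanically. The following added example (not from the original article) does two checks a practitioner would want: keys defined more than once (sysctl silently keeps the last definition, and the list above names tcp_tw_recycle twice) and tcp_tw_recycle set to 1, plus a helper that converts a tcp_mem page count to mebibytes so the values can be compared with physical memory. The sample fragment is constructed to mirror the list above, and the risky-key policy is this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): lint a sysctl.conf fragment
# before loading it with sysctl -p. The risky-key list is this example's own policy.

# sysctl_pairs FILE -> KEY=VALUE lines with comments and surrounding blanks stripped
sysctl_pairs() {
    sed -e 's/[#;].*//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | grep '='
}

# duplicate_keys FILE -> keys defined more than once (sysctl applies only the last)
duplicate_keys() {
    sysctl_pairs "$1" | cut -d= -f1 | sort | uniq -d
}

# risky_key_reason KEY -> why this key should not be enabled on an internet-facing
# host; returns 1 for keys that are not on the list
risky_key_reason() {
    case "$1" in
        net.ipv4.tcp_tw_recycle)
            echo "drops SYNs from clients behind NAT; removed in Linux 4.12" ;;
        *) return 1 ;;
    esac
}

# risky_keys FILE -> "key: reason" for each risky key that is set to 1
risky_keys() {
    sysctl_pairs "$1" | while IFS='=' read -r key value; do
        [ "$value" = "1" ] || continue
        reason=$(risky_key_reason "$key") && echo "$key: $reason"
    done | sort -u
}

# pages_to_mib PAGES -> size in MiB of a tcp_mem value given in 4 KiB pages
pages_to_mib() {
    echo $(( $1 * 4 / 1024 ))
}

# Constructed sample mirroring the article's fragment (not a real host's file)
sample_sysctl() {
    cat <<'EOF'
# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 4096 65000
net.core.somaxconn = 2048
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
EOF
}
```

Run `duplicate_keys /etc/sysctl.conf` and `risky_keys /etc/sysctl.conf` on the edited file and remove one copy of any duplicated key, keeping the value you intended. `pages_to_mib 94500000` gives 369140, which is the arithmetic behind the tcp_mem caveat above.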

This completes the basic hardening and tuning of a minimal CentOS 6.5 x64 installation. Reboot the system so that all of the changes (SELinux mode, host name, file descriptor limit) take effect together; the sysctl settings alone can be loaded without a reboot using sysctl -p.


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
