This article uses CentOS 5.4 as its example; everything here should apply to any 5.x release. On other versions mainly the command paths differ, while the approach is the same.
Step one: account security management
1. Change the minimum password length
The code is as follows:
#vi /etc/login.defs
PASS_MIN_LEN 18
2. Create a regular user account and set its password, so that all day-to-day work is done with the ordinary account rather than root
The code is as follows:
#useradd ru
#passwd ru
3. Linux provides many accounts by default. The more accounts there are, the more exposed the system is, so all default and unneeded accounts created by the operating system itself should be disabled.
You can view the system accounts with vi /etc/passwd and the system's user groups with vi /etc/group.
The code is as follows:
#userdel adm
#userdel lp
#userdel sync
#userdel shutdown
#userdel halt
#userdel news
#userdel uucp
#userdel operator
#userdel games
#userdel gopher
#userdel ftp
#groupdel adm
#groupdel lp
#groupdel news
#groupdel uucp
#groupdel games
#groupdel dip
#groupdel pppusers
4. Use the chattr command to make the following files immutable, so that unauthorized users cannot gain privileges by modifying them.
The code is as follows:
#chattr +i /etc/passwd
#chattr +i /etc/shadow
#chattr +i /etc/group
#chattr +i /etc/gshadow
After this, accounts can no longer be created and passwords can no longer be changed; use chattr -i on the files to undo it when needed.
5. Disable the Ctrl+Alt+Delete reboot key
Edit the /etc/inittab file and comment out the following line:
The code is as follows:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Then reset the permissions of all files in the /etc/rc.d/init.d/ directory so that only the root account can read, write and execute the script files in it:
The code is as follows:
#chmod -R 700 /etc/rc.d/init.d/*
6. Restrict the su command
To allow only users in a specific group to use su to become root, edit the /etc/pam.d/su file and modify or add the following:
The code is as follows:
# This line is normally already present by default
auth sufficient pam_rootok.so
# Make sure the wheel group exists
auth required pam_wheel.so group=wheel
After this setting only members of the wheel group can use su to switch to root. To let the system user ru su to root, run the following command:
The code is as follows:
#usermod -g 10 ru
Note that su - switches to root together with root's environment variables, while plain su only switches the role and keeps the original user's environment variables.
Step two: SSH security configuration
SSH is the entrance for logging in to the system; like the gate of a fortress, its importance is self-evident.
First check whether SSH is installed on the system:
#chkconfig --list | grep sshd
If output appears, the sshd service is installed; otherwise install it with yum install openssh-server.
Next, back up the original configuration file:
The code is as follows:
#cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Then edit the /etc/ssh/sshd_config file:
# Change the SSH port; the default is 22
Port 5028
# Change "#Protocol 2,1" to
Protocol 2
# Do not allow the root user to log in directly
PermitRootLogin no
# Do not allow logins with an empty password
PermitEmptyPasswords no
# Do not use DNS lookups
UseDNS no
Finally, restart the SSH service with service sshd restart.
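The settings above can be verified after editing with a small audit script. This is an added helper, not part of the original article; it assumes the file uses the "Keyword value" form and, as sshd does, takes the first uncommented occurrence of each keyword as the effective one.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the original article): checks an
# sshd_config for the directives recommended above and returns the number
# of failures. Keywords are matched case-insensitively.
sshd_setting() {
    # $1 = config file, $2 = keyword; prints the first effective value,
    # or nothing if the keyword is not set (sshd default applies)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        { k = tolower($1) }
        k == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

audit_sshd_config() {
    cfg=$1; fails=0
    # keyword=expected pairs taken from the article
    for pair in protocol=2 permitrootlogin=no permitemptypasswords=no usedns=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key: want '$want', got '${got:-<default>}'"
            fails=$((fails + 1))
        fi
    done
    # the port value is site-specific, so only flag the default
    port=$(sshd_setting "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN Port is still the default (22)"
        fails=$((fails + 1))
    else
        echo "OK   port=$port"
    fi
    return "$fails"
}

# usage: audit_sshd_config /etc/ssh/sshd_config
```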
Step three: turn off services and ports the system does not need
1. Every service fewer is one risk fewer. The list below contains only the services that need to be started; everything not listed is turned off, and any service below that does not exist on the system is simply ignored:
The code is as follows:
#setup
acpid
anacron
cpuspeed
crond
iptables
irqbalance (only needed if the server CPU is SMP, dual-core or supports HT; otherwise turn it off)
microcode_ctl
network
random
sendmail
sshd
syslog
yum-updatesd
2. Use the iptables firewall to open only the specified ports
First create the following shell script, closeports.sh:
The code is as follows:
#!/bin/bash
# Flush the INPUT chain and set its default policy to DROP
/sbin/iptables -F INPUT
/sbin/iptables -P INPUT DROP
# Open port 80
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open the SSH port. This is important: without it you cannot use SSH.
# Change 5028 to your own SSH port.
/sbin/iptables -A INPUT -p tcp --dport 5028 -j ACCEPT
Then save it as closeports.sh and run it with the following commands:
The code is as follows:
#chmod +x closeports.sh
#./closeports.sh
The saved iptables rule set lives in the /etc/sysconfig/iptables file (service iptables save writes the current rules there so they survive a reboot).
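The script above has two practical gaps: the DROP policy is set before the SSH rule exists, and replies to the server's own outgoing connections (yum, DNS, ntpdate) are dropped because nothing accepts ESTABLISHED traffic. The generator below is an added example, not the article's closeports.sh; it prints the iptables commands for review, refuses to emit anything unless the SSH port is in the allow list, and sets the DROP policy last.

```shell
#!/bin/sh
# Hypothetical generator (not from the original article): prints the iptables
# commands for a default-deny INPUT chain that opens only the listed TCP ports.
# Usage: build_firewall_rules SSH_PORT PORT...   (review, then pipe into sh)
build_firewall_rules() {
    ssh_port=$1; shift
    have_ssh=0
    for p in "$@"; do
        # reject anything that is not a plain 1..65535 port number
        case $p in *[!0-9]*|'') echo "bad port: '$p'" >&2; return 2 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 2
        fi
        [ "$p" = "$ssh_port" ] && have_ssh=1
    done
    # never produce a rule set that would lock the administrator out
    if [ "$have_ssh" -ne 1 ]; then
        echo "refusing: SSH port $ssh_port is not in the allow list" >&2
        return 1
    fi
    echo "/sbin/iptables -F INPUT"
    # loopback and replies to established connections must keep working
    echo "/sbin/iptables -A INPUT -i lo -j ACCEPT"
    echo "/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "/sbin/iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # the DROP policy goes last so the accept rules are in place before it applies
    echo "/sbin/iptables -P INPUT DROP"
}

# example: build_firewall_rules 5028 80 5028
```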
Step four: prevent attacks
1. Block ping
Set the content of the /proc/sys/net/ipv4/icmp_echo_ignore_all file to 1; however, it reverts to 0 when the server reboots.
You can therefore add the following line to the /etc/rc.d/rc.local file:
The code is as follows:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing attacks
Edit the /etc/host.conf file and add the following lines:
The code is as follows:
#vi /etc/host.conf
order bind,hosts
multi off
nospoof on
3. Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can mitigate DoS-type attacks. Add the following to the /etc/security/limits.conf file:
The code is as follows:
# Disable core (debug) files
* hard core 0
# Limit memory usage to 5MB
* hard rss 5000
# Limit the number of processes to 20
* hard nproc 20
Then edit the /etc/pam.d/login file and confirm that the following line exists; add it if it does not:
The code is as follows:
session required /lib/security/pam_limits.so
For DDoS attacks you can use the DDoS deflate script, which is described in detail in the following resources.
Step five: system configuration and performance tuning
1. Change the system default character set
If the system was installed in English, Chinese text is displayed as garbled characters; in that case change the system default character set:
The code is as follows:
#vi /etc/sysconfig/i18n
LANG="zh_CN.UTF-8"
#source /etc/sysconfig/i18n
This changes the system encoding to zh_CN.UTF-8; the second command makes the change take effect immediately.
2. Update the server time with the NTP service
First check whether the NTP service is installed on the system:
#chkconfig --list | grep ntp
If it is not installed, install it with yum and update the time:
The code is as follows:
#yum install ntp
#ntpdate time.windows.com
You can also add the update command to cron so the time is updated automatically:
The code is as follows:
#crontab -e
# at minute 0 of every 12th hour
0 */12 * * * ntpdate time.windows.com
#service crond restart
The above updates the time automatically every 12 hours; you can check it with the crontab -l command.
3. Increase the number of server file descriptors
When system services are running and access is heavy, more file descriptors are used. The ulimit -n command shows the current file descriptor limit (switch to the root account with su - first). You can raise the limit as follows:
The code is as follows:
#vi /etc/security/limits.conf
* - nofile 65536    (add this on the last line of the file)
After you log in again, run ulimit -n again to see that the change has taken effect.
4. Adjust kernel parameters
The code is as follows:
#cp /etc/sysctl.conf /etc/sysctl.conf.bak
#vi /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
Finally, run the sysctl -p command to make the above settings take effect immediately.