System Security Configuration after CentOS Installation

Source: Internet
Author: User
Tags: i18n, account, security, ssh, port

This article uses CentOS 5.4 as its example; the steps should apply to any 5.x release. On other versions the command paths differ but the idea is the same.
The steps can be collected into a script and run in one go right after a fresh Linux installation. Read the script and adapt it to your own needs before executing it.
Step 1. Account Security Management
1. Change the minimum password length
[root@localhost /]# vi /etc/login.defs
PASS_MIN_LEN 18
2. Create an ordinary user account and set its password, so that day-to-day work is done with this unprivileged account rather than as root.
[root@localhost /]# useradd ru
[root@localhost /]# passwd ru
3. Linux ships with many accounts by default. Every extra account is extra attack surface, so all default accounts that the system does not need should be removed or disabled.
Use vi /etc/passwd to review the system accounts and vi /etc/group to review the groups.
[root@localhost /]# userdel adm
[root@localhost /]# userdel lp
[root@localhost /]# userdel sync
[root@localhost /]# userdel shutdown
[root@localhost /]# userdel halt
[root@localhost /]# userdel news
[root@localhost /]# userdel uucp
[root@localhost /]# userdel operator
[root@localhost /]# userdel games
[root@localhost /]# userdel gopher
[root@localhost /]# userdel ftp

[root@localhost /]# groupdel adm
[root@localhost /]# groupdel lp
[root@localhost /]# groupdel news
[root@localhost /]# groupdel uucp
[root@localhost /]# groupdel games
[root@localhost /]# groupdel dip
[root@localhost /]# groupdel pppusers
Delete the users before their groups: groupdel refuses to remove a group that is still the primary group of an existing user. If you prefer to keep an account but make it unusable, `usermod -L -s /sbin/nologin <user>` locks its password and removes its login shell without deleting anything a package might later expect to find.
4. Restrict the su command
Only members of a specific group should be able to su to root. Edit /etc/pam.d/su and modify or add the following lines:
# This line is present by default.
auth sufficient pam_rootok.so
# Uncomment the following line and append group=wheel. Order matters: it must come after pam_rootok.so.
#auth required pam_wheel.so use_uid
auth required pam_wheel.so use_uid group=wheel
Now only members of the wheel group (GID 10) can switch to root with su. To allow the user ru to do so, add ru to wheel:
[root@localhost /]# usermod -a -G wheel ru
Use -a (append): `usermod -G` without -a replaces the user's whole list of supplementary groups. Note that `su -` switches to root and loads root's environment (PATH and so on), whereas plain `su` only changes the effective user and keeps the original user's environment; compare the two with `echo $PATH`.
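The account steps above (minimum password length, removing unneeded accounts, restricting su) are normally done by hand. The shell helpers below are an added example, not code from the original article: they perform the same checks and edits on files passed as arguments, so they can be tried on copies of /etc/login.defs, /etc/passwd and /etc/pam.d/su before being pointed at the real files. The user name ru, the file paths and the sample passwd lines in the usage comments are assumptions for the demonstration.

```bash
#!/bin/bash
# Added example: account-hardening helpers that edit or inspect files passed
# as arguments (test on copies of /etc/login.defs, /etc/passwd, /etc/pam.d/su).

# Set PASS_MIN_LEN, replacing an existing (even commented-out) line or
# appending one. Running it twice still leaves a single line.
set_pass_min_len() {
    local file="$1" len="$2"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PASS_MIN_LEN[[:space:]]' "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN $len/" "$file"
    else
        echo "PASS_MIN_LEN $len" >> "$file"
    fi
}

# Effective PASS_MIN_LEN: last uncommented assignment, or nothing if unset.
get_pass_min_len() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { if (v != "") print v }' "$1"
}

# From a list of candidate accounts, print only those present in the passwd
# file, so userdel is never run against a name that does not exist.
existing_accounts() {
    local passwd="$1" name
    shift
    for name in "$@"; do
        if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$passwd"; then
            echo "$name"
        fi
    done
}

# Accounts that can actually log in (a real shell rather than /sbin/nologin
# or /bin/false). Review these first: a nologin account cannot be used
# interactively even if its password is weak.
login_capable_accounts() {
    awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "" { print $1 }' "$1"
}

# Ensure the pam_wheel line is present and uncommented in a pam.d/su file,
# inserted directly after pam_rootok.so so the order is right.
ensure_pam_wheel() {
    local pam_su="$1"
    local rule='auth required pam_wheel.so use_uid group=wheel'
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$pam_su"; then
        return 0    # already enforced
    fi
    if grep -q 'pam_rootok\.so' "$pam_su"; then
        sed -i "/pam_rootok\.so/a $rule" "$pam_su"
    else
        echo "$rule" >> "$pam_su"
    fi
}

# Usage as root, after testing on copies (assumed paths and user):
#   set_pass_min_len /etc/login.defs 18
#   existing_accounts /etc/passwd adm lp sync shutdown halt news uucp operator games gopher ftp \
#       | xargs -r -n1 userdel
#   ensure_pam_wheel /etc/pam.d/su && usermod -a -G wheel ru
```

Feeding the candidate list through existing_accounts first avoids a run of "userdel: user X does not exist" errors, and login_capable_accounts is the quick check of which remaining accounts are actually reachable through a login prompt.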
5. Use chattr to make the following files immutable, so that an attacker who gains write access cannot add accounts or change passwords.
[root@localhost /]# chattr +i /etc/passwd
[root@localhost /]# chattr +i /etc/shadow
[root@localhost /]# chattr +i /etc/group
[root@localhost /]# chattr +i /etc/gshadow
After this, accounts cannot be created and passwords cannot be changed (password ageing updates and package installs that create service accounts fail as well). Remove the flag with `chattr -i`, make the change, then set it again. `lsattr /etc/passwd` shows whether the flag is set.
6. Disable the Ctrl+Alt+Delete reboot
Edit /etc/inittab and comment out the following line, then run `init q` so that init re-reads the file:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
7. Set /etc/profile
# Log idle shells out automatically, so that SSH clients closed without logging out do not leave sessions behind. The value is in seconds; raise it if needed.
[root@localhost /]# echo "TMOUT=3600" >> /etc/profile
# Keep only 10 commands of shell history
[root@localhost /]# sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
[root@localhost /]# source /etc/profile
Note the `>>`: a single `>` would overwrite /etc/profile with that one line. Adding `readonly TMOUT` after it stops users from unsetting the timeout. Reducing HISTSIZE to 10 also shortens the audit trail in ~/.bash_history; if you rely on shell history during incident investigation, leave it at the default.
8. Reset the permissions on /etc/rc.d/init.d so that only root can read, write and execute the startup scripts:
[root@localhost /]# chmod -R 700 /etc/rc.d/init.d/*
Step 2. SSH Security Configuration
SSH is the front door of the system and deserves the same care as a city gate. First check whether the sshd service is installed:
[root@localhost /]# chkconfig --list | grep sshd
If a line is printed, sshd is installed; otherwise install it with `yum install openssh-server`.
Next, back up the original configuration file:
[root@localhost /]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Then edit /etc/ssh/sshd_config:
# Change the SSH port. The default is 22.
Port 5028
# Change "#Protocol 2,1" to "Protocol 2" so that the weak SSH-1 protocol is never offered
Protocol 2
# Do not allow root to log in directly
PermitRootLogin no
# Do not allow logins with an empty password
PermitEmptyPasswords no
# Do not do reverse DNS lookups on connecting clients (speeds up logins)
UseDNS no
sshd uses the first occurrence of a directive it finds, so make sure none of these values is shadowed by an earlier active line. Before restarting, open the new port in the firewall (Step 3) and keep your current session open. Check the file with `sshd -t`, run `service sshd restart`, and confirm from a second terminal that `ssh -p 5028 ru@server` works before closing the first one.
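The edit above is easy to get subtly wrong: a directive left active further down the file, or a typo in a keyword, silently leaves the old behaviour in place. The following shell functions are an added example (not code from the original article) that read the effective value of each directive the way sshd does, enforce the list above on a file passed as argument, and report anything that still deviates. The port 5028 and the file paths in the usage comment are the article's example values, assumed here.

```bash
#!/bin/bash
# Added example: check and enforce the sshd_config settings from the list
# above on a file passed as argument. sshd honours the FIRST occurrence of a
# directive, so enforced lines are put at the top and active duplicates removed.

# Directive/value pairs to enforce (port 5028 is the article's example).
SSHD_HARDENING='Port 5028
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no'

# Effective value of a directive: first uncommented occurrence, keyword
# compared case-insensitively as sshd does. Prints nothing if unset.
sshd_get() {
    local file="$1" key="$2"
    awk -v k="$(echo "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == k { print $2; exit }' "$file"
}

# Enforce key=value: drop every active line for the key and put the new one
# first. Comments (including the distribution's "#Port 22") are kept.
sshd_set() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v k="$(echo "$key" | tr 'A-Z' 'a-z')" -v line="$key $value" '
        BEGIN { print line }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        tolower($1) == k { next }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"   # keeps mode and owner
    rm -f "$tmp"
}

# Report each directive whose effective value differs from the list;
# returns 1 if anything deviates.
sshd_audit() {
    local file="$1" bad=0 key want got
    while read -r key want; do
        got=$(sshd_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', got '${got:-<unset>}'"
            bad=1
        fi
    done <<EOF
$SSHD_HARDENING
EOF
    return $bad
}

# Apply the whole list.
sshd_harden() {
    local file="$1" key value
    while read -r key value; do
        sshd_set "$file" "$key" "$value"
    done <<EOF
$SSHD_HARDENING
EOF
}

# Usage as root, after trying it on a copy (assumed paths):
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sshd_harden /etc/ssh/sshd_config && sshd_audit /etc/ssh/sshd_config \
#       && sshd -t && service sshd restart
```

sshd_audit is also useful on its own as a periodic drift check: run it from cron against the live file and alert on a non-zero exit.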
Step 3: Disable unnecessary services and ports
1. Every service the system runs is a risk. The following are the only services that should stay enabled; everything not listed is turned off. If a listed service does not exist on your system, ignore it. Run `setup` (or `ntsysv`) and use the "System services" menu:
[root@localhost /]# setup
acpid
anacron
cpuspeed
crond
iptables
irqbalance    # enable only when the server has an SMP, multi-core or Hyper-Threading CPU; otherwise disable it
microcode_ctl
network
random
sendmail
sshd
syslog
# automatic CentOS updates
yum-updatesd
After saving, `chkconfig --list | grep 3:on` shows what is still enabled in the default runlevel, and `netstat -tulnp` shows which of those are actually listening on a port.
2. Use the iptables firewall to open only the specified ports
First, create the following shell script:

#!/bin/bash
# ACCEPT rules are added first and the DROP policy set last, so the SSH session running this script is never cut off
iptables -F INPUT
# Loopback traffic, and replies to connections this host opened itself (yum, ntpdate, DNS)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open port 80
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open the SSH port. This is very important, otherwise SSH will no longer work. Change 5028 to your SSH port.
/sbin/iptables -A INPUT -p tcp --dport 5028 -j ACCEPT
# Allow outbound DNS queries (the replies are matched by the ESTABLISHED rule above)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Only if this server is itself a DNS server: accept queries and their replies
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
# Drop everything else inbound
iptables -P INPUT DROP

Save it as closeports.sh and run it:
[root@localhost /home/ru]# chmod +x closeports.sh
[root@localhost /home/ru]# ./closeports.sh
# Save the rules
[root@localhost /home/ru]# /etc/init.d/iptables save
# Restart iptables
[root@localhost /home/ru]# /etc/init.d/iptables restart
# Use lsof -i :<port> to check which process is listening on a port
[root@localhost /home/ru]# lsof -i :5028
The saved rules are stored in /etc/sysconfig/iptables; `iptables -L -n -v` lists the active rules with packet counters. Two details in the script matter: the policy is set to DROP after the ACCEPT rules rather than before, and DNS replies are admitted by the ESTABLISHED,RELATED rule instead of a rule accepting any UDP packet with source port 53, which would let an attacker reach every port simply by sending from port 53. From another host, `nmap -sS -p 1-65535 server` should then report only 80 and 5028 as open.
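Step 3 has two halves, the service allow-list in item 1 and the firewall in item 2, and both are where a slip locks you out or leaves something exposed. The script below is an added example covering both, not code from the original article: it turns `chkconfig --list` output plus the allow-list into the set of services to switch off, generates the firewall as an iptables-restore file from a list of ports, refuses a ruleset that omits the SSH port or trusts source ports, and loads it with a dead-man switch that restores the previous rules unless you confirm from a new session. KEEP, the /root/rules.v4 and /root/iptables.rollback paths, the function names and the sample chkconfig output in the test are assumptions made for the example.

```bash
#!/bin/bash
# Added example for Step 3: (a) derive the services to disable from
# `chkconfig --list` and the allow-list; (b) generate and safely apply an
# iptables ruleset. Text processing is separated from the privileged
# actions so it can be tested on captured output without root.

# --- (a) service allow-list (names from the article) ------------------------
KEEP="acpid anacron cpuspeed crond iptables irqbalance microcode_ctl network random sendmail sshd syslog yum-updatesd"

# Read `chkconfig --list` on stdin; print services that are "on" in
# runlevel 3 or 5. xinetd sub-entries (indented "name: on") are skipped.
enabled_services() {
    awk '/^[^[:space:]]/ && NF >= 7 {
        for (i = 2; i <= NF; i++) {
            split($i, a, ":")
            if ((a[1] == "3" || a[1] == "5") && a[2] == "on") { print $1; break }
        }
    }'
}

# Filter stdin, printing only names that are not in the allow-list.
services_to_disable() {
    local keep=" $1 " svc
    while read -r svc; do
        case "$keep" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# --- (b) firewall -----------------------------------------------------------
# Emit an iptables-restore ruleset: loopback and established traffic first,
# then NEW connections to the listed TCP ports; everything else is dropped
# by the INPUT policy. DNS replies count as ESTABLISHED, so no "--sport 53".
gen_rules() {
    local ports="$1" p
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Refuse a ruleset that would lock you out or that trusts source ports.
check_rules() {
    local rules="$1" ssh_port="$2"
    grep -q '^:INPUT DROP' "$rules" || { echo "INPUT policy is not DROP"; return 1; }
    grep -Eq -- "--dport $ssh_port( |$)" "$rules" || { echo "SSH port $ssh_port is not opened"; return 1; }
    if grep -q -- '--sport 53' "$rules"; then
        echo "a rule trusts packets by source port 53 (firewall bypass)"; return 1
    fi
}

# Load the ruleset with a dead-man switch: unless iptables_confirm is run
# within $grace seconds (from a NEW ssh session), the previous rules return.
apply_with_rollback() {
    local rules="$1" grace="${2:-120}"
    rm -f /root/iptables.confirmed
    iptables-save > /root/iptables.rollback || return 1
    iptables-restore < "$rules" || return 1
    ( sleep "$grace"; [ -e /root/iptables.confirmed ] || iptables-restore < /root/iptables.rollback ) &
    echo "rules loaded; run iptables_confirm within ${grace}s, then /etc/init.d/iptables save"
}
iptables_confirm() { touch /root/iptables.confirmed; }

# Usage as root (assumed paths):
#   chkconfig --list | enabled_services | services_to_disable "$KEEP" \
#       | while read -r s; do chkconfig "$s" off; service "$s" stop; done
#   gen_rules "5028 80" > /root/rules.v4 && check_rules /root/rules.v4 5028 \
#       && apply_with_rollback /root/rules.v4 120
```

Generating the rules as an iptables-restore file rather than a sequence of iptables commands has a second benefit: the whole table is swapped atomically, so there is no window in which the policy is DROP but the ACCEPT rules are not yet present.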
Step 4: Preventing attacks
1. Ignore ping
Set /proc/sys/net/ipv4/icmp_echo_ignore_all to 1. The setting is lost on reboot (it reverts to 0), so to make it persistent add the following line to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Equivalently, add `net.ipv4.icmp_echo_ignore_all = 1` to /etc/sysctl.conf (see Step 5) so it is applied together with the other kernel parameters. Bear in mind that this hides the host from monitoring that relies on ping but does nothing against an attacker who already knows the address.
2. Prevent IP spoofing
Edit /etc/host.conf and add the following lines:
[root@localhost /]# vi /etc/host.conf
order bind,hosts
multi off
nospoof on
These settings only affect the glibc resolver (for example the reverse lookups used by TCP wrappers), not packets at the IP layer. For IP-level anti-spoofing use the kernel's reverse-path filter, `net.ipv4.conf.all.rp_filter = 1` in /etc/sysctl.conf.
3. Prevent DoS attacks
Setting resource limits for all users protects the system against local denial of service, for example fork bombs. Add the following to /etc/security/limits.conf:
# no core dumps
* hard core 0
# maximum resident memory 5 MB
* hard rss 5000
# at most 20 processes per user
* hard nproc 20
Then make sure /etc/pam.d/login contains the following line (add it if it does not):
session required pam_limits.so
Caveats: the `*` default does not apply to root (use the literal name root for that); the rss limit is not enforced by 2.6 kernels and is kept only for documentation; and nproc 20 is low enough to break users who run cron jobs, screen sessions or builds, so size it for your workload. Against volumetric DDoS these limits do nothing; the DDoS Deflate script, which blocks addresses holding too many concurrent connections, can be used in addition but is not covered here.
Step 5: System configuration and performance tuning
1. Change the system's default character set
If the system was installed in English and Chinese text is displayed as garbage, change the default locale:
[root@localhost /]# vi /etc/sysconfig/i18n
LANG="zh_CN.UTF-8"

[root@localhost /]# source /etc/sysconfig/i18n
This sets the system locale to zh_CN.UTF-8; sourcing the file makes the change take effect in the current shell, and new logins pick it up automatically.
2. Use ntp to keep the server time correct
First check whether ntp is installed:
[root@localhost /]# chkconfig --list | grep ntp
If not, install it with yum and set the time:
[root@localhost /]# yum install ntp
[root@localhost /]# ntpdate time.windows.com
You can also add the update to cron so the time is corrected automatically:
[root@localhost /]# crontab -e
0 */12 * * * /usr/sbin/ntpdate time.windows.com

[root@localhost /]# service crond restart
This runs ntpdate every 12 hours (the fields are minute, hour, day, month, weekday; `* */12 * * *` would run it every minute during hours 0 and 12). The full path is needed because cron's default PATH does not include /usr/sbin. `crontab -l` lists the entries. Correct time matters beyond convenience: log timestamps used in incident response are only comparable across hosts when their clocks agree.
3. Increase the number of file descriptors
As traffic grows, services use more file descriptors. `ulimit -n` shows the current limit (switch to root with `su -` first). Raise it as follows:
[root@localhost /]# vi /etc/security/limits.conf
* - nofile 65536
Add this as the last line of the file; the `-` in the second column sets both the soft and the hard limit. After logging in again, `ulimit -n` shows the new value.
4. Adjust kernel parameters
[root@localhost /]# cp /etc/sysctl.conf /etc/sysctl.conf.bak
[root@localhost /]# vi /etc/sysctl.conf

net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
Finally run `sysctl -p` to apply the settings immediately. These values are tuned for a busy web server and several of them trade robustness for capacity: tcp_syncookies = 1 is the one that matters for SYN-flood resistance; tcp_tw_recycle = 1 silently drops connections from clients behind NAT and was removed from the kernel in 4.12; tcp_syn_retries = 1 and tcp_synack_retries = 1 make connection setup fail after a single lost packet; and a conntrack table of 25,000,000 entries costs several hundred bytes of kernel memory per entry, gigabytes at that size, so size it to the RAM you actually have. The net.ipv4.netfilter.* keys only exist once the ip_conntrack module is loaded, that is after the iptables service has started; `sysctl -p` reports "unknown key" for them otherwise.
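Because sysctl.conf silently takes the last assignment for a duplicated key and several entries in the list above have side effects, it is worth linting the file before `sysctl -p`. The helpers below are an added example, not part of the original article: they normalise a sysctl.conf copy, resolve the effective value of each key, flag the entries discussed above, and (on a live system) compare the file against the running kernel. The warning thresholds are the author's own choices for this example.

```bash
#!/bin/bash
# Added example: lint a sysctl.conf copy for the settings from the tuning
# list whose side effects are easy to miss, then diff it against the kernel.

# Print key=value with comments, blank lines and whitespace stripped.
sysctl_normalize() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Effective value of a key (the last assignment wins, as with sysctl -p).
sysctl_conf_get() {
    sysctl_normalize "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# One warning line per risky setting; returns 1 if anything was flagged.
# Thresholds are this example's choices, not kernel limits.
sysctl_lint() {
    local f="$1" n=0 v k d
    v=$(sysctl_conf_get "$f" net.ipv4.tcp_tw_recycle)
    [ "$v" = "1" ] && { echo "tcp_tw_recycle=1: drops clients behind NAT; removed in Linux 4.12"; n=$((n+1)); }
    v=$(sysctl_conf_get "$f" net.ipv4.tcp_syn_retries)
    [ -n "$v" ] && [ "$v" -lt 3 ] && { echo "tcp_syn_retries=$v: outbound connects fail after one lost SYN"; n=$((n+1)); }
    v=$(sysctl_conf_get "$f" net.ipv4.tcp_synack_retries)
    [ -n "$v" ] && [ "$v" -lt 2 ] && { echo "tcp_synack_retries=$v: inbound handshakes on lossy links fail"; n=$((n+1)); }
    for k in net.ipv4.ip_conntrack_max net.ipv4.netfilter.ip_conntrack_max net.netfilter.nf_conntrack_max; do
        v=$(sysctl_conf_get "$f" "$k")
        [ -n "$v" ] && [ "$v" -gt 1000000 ] && { echo "$k=$v: hundreds of bytes per entry, gigabytes at this size"; n=$((n+1)); }
    done
    # a key assigned twice is usually an editing mistake; the last one wins
    d=$(sysctl_normalize "$f" | cut -d= -f1 | sort | uniq -d | tr '\n' ' ')
    [ -n "$d" ] && { echo "keys set more than once (last wins): $d"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# Compare the file with the running kernel; prints one line per difference.
# Needs a real kernel and the sysctl binary, so it is not exercised offline.
sysctl_diff() {
    local k v cur
    sysctl_normalize "$1" | while IFS='=' read -r k v; do
        cur=$(sysctl -n "$k" 2>/dev/null | tr -s '[:space:]' ' ' | sed 's/ $//')
        [ "$cur" = "$v" ] || echo "$k: file=$v running=${cur:-<missing>}"
    done
}

# Usage: sysctl_lint /etc/sysctl.conf && sysctl -p && sysctl_diff /etc/sysctl.conf
```

A non-empty sysctl_diff after `sysctl -p` usually means a key was rejected (for example the netfilter keys before ip_conntrack is loaded) or that a later line in the file overrode an earlier one.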
 
