CentOS Server Security Configuration Policy

Source: Internet
Author: User
Tags: centos, server

Recently our servers have been broken into repeatedly. After analysing the intrusions I put together the security policy that has to be implemented.

Management terminal (jump server) settings:

1. Only O&M staff are allowed on the jump server.
A. Every O&M password is reset. Minimum length is 8 characters.
B. Passwords must contain upper-case and lower-case letters, digits and special characters.
C. Passwords must be changed every 90 days.
D. Password history is enforced so a previous password cannot be reused.
E. Six consecutive failed logins lock the account.
2. Root login on the jump server is prohibited, and the jump server is patched every week.
3. No login passwords, IP address lists or similar material are kept on the jump server. Shell history is limited to 500 entries.
4. The PPTP VPN server account password is changed, and the VPN server is patched regularly.

Server settings:

A. Login restrictions are the same as on the jump server.
B. Passwords are changed periodically.
C. Patches are applied every week.
D. Direct root login is disabled. Each O&M person gets a personal account and uses sudo when root is needed.
E. The server does not answer ping.
F. The OS version string is hidden so that version information does not leak.
G. sysctl.conf is tuned to resist DDoS.
H. The main configuration files and system directories are checked regularly for unexpected changes, for example by comparing them against stored checksums (md5sum, or better sha256sum), and a known-good copy is restored if anything differs. Candidates: /etc/passwd, /etc/shadow, /etc/group, /etc/sysctl.conf, /bin, /sbin.

The details are as follows:

# Passwords must be changed every 90 days; warn 7 days in advance
UserList=$(ls /home/ | awk '{print $NF}' | grep -v lost+found)
for user in $UserList
do
    chage -M 90 -W 7 $user
done

This only reaches accounts that already exist and have a home directory under /home (service accounts and anything created later are not covered); the PASS_MAX_DAYS setting in /etc/login.defs below takes care of new accounts.

# Ping prohibited

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This takes effect immediately but is lost at reboot; the persistent form is net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf. Ignoring echo requests also blinds your own monitoring and does nothing against an attacker who already knows the address, so rate-limiting ICMP in iptables is usually the better trade-off.

# Password lifetime 90 days, minimum password length 8 characters

cp /etc/login.defs /etc/login.defs.bak
sed -i '/^PASS_MAX_DAYS/s/[0-9]\{1,6\}/90/' /etc/login.defs
sed -i '/^PASS_MIN_LEN/s/[0-9]\{1,3\}/8/' /etc/login.defs

The original first sed pointed at PASS_MIN_LEN with the value 90, which would have demanded 90-character passwords; the lifetime belongs on PASS_MAX_DAYS. Anchoring both patterns to the start of the line keeps the explanatory comment block in login.defs from being rewritten as well. These values apply to accounts created after the change; existing accounts are handled by the chage loop above. Note that on CentOS, where passwd goes through PAM, minimum length and the complexity rules from the policy (mixed case, digits, symbols) are enforced by pam_cracklib (CentOS 6) or pam_pwquality (CentOS 7) in /etc/pam.d/system-auth, not by PASS_MIN_LEN; this policy item is otherwise not implemented here.

# Account lockout: lock an account for 300 s after 6 failed logins

echo "account required pam_tally.so deny=100 no_magic_root reset" >> /etc/pam.d/system-auth
echo "auth required pam_tally.so onerr=fail deny=6 unlock_time=300" >> /etc/pam.d/system-auth

Two caveats. A PAM stack is evaluated top to bottom, so a line appended to the end of system-auth sits behind pam_deny.so and is never reached on a failed password; the counter has to be inserted before pam_unix.so in the auth stack. And pam_tally is the obsolete module: CentOS 6 ships pam_tally2 and CentOS 7 and later use pam_faillock, both with the same deny= and unlock_time= semantics. Decide deliberately whether root is exempt (magic_root in pam_tally2, even_deny_root in pam_faillock), because a remote brute force that can lock root out of the console is a denial of service of its own.
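The insertion the two echo lines above get wrong, as an added example (not code from the original post): place the lockout module before pam_unix.so instead of appending it, and verify the ordering. It assumes pam_tally2, the CentOS 6 module; on CentOS 7 and later substitute the equivalent pam_faillock lines. The file is a parameter so it can be run on a copy; the sample stack at the bottom is constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post. The echo lines above append the
# lockout module to the END of system-auth, behind pam_deny.so, where a failed
# password never reaches it. A PAM stack runs top to bottom, so the counter has
# to be placed before pam_unix.so. This helper does that insertion idempotently.
# Assumes pam_tally2 (CentOS 6); on CentOS 7+ use the pam_faillock lines instead.

# pam_insert_before_unix FILE TYPE LINE
# Insert LINE directly before the first "TYPE ... pam_unix.so" entry in FILE.
# Returns 1 and leaves FILE untouched if no such entry exists.
pam_insert_before_unix() {
    file=$1 type=$2 line=$3
    grep -qxF "$line" "$file" && return 0        # already present: nothing to do
    awk -v t="$type" -v l="$line" '
        !done && $1 == t && /pam_unix\.so/ { print l; done = 1 }
        { print }
        END { exit !done }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || { rm -f "$file.tmp"; return 1; }
}

# harden_pam FILE: lock an account for 300 s after 6 consecutive failures;
# onerr=fail refuses the login if the tally file itself cannot be read.
harden_pam() {
    pam_insert_before_unix "$1" auth \
        "auth        required      pam_tally2.so deny=6 unlock_time=300 onerr=fail" || return 1
    pam_insert_before_unix "$1" account \
        "account     required      pam_tally2.so"
}

# pam_lockout_ok FILE: succeed only if the tally line precedes pam_unix in the
# auth stack, i.e. the lockout can actually fire.
pam_lockout_ok() {
    awk '$1 == "auth" && /pam_tally2\.so/ && !t { t = NR }
         $1 == "auth" && /pam_unix\.so/   && !u { u = NR }
         END { exit !(t && u && t < u) }' "$1"
}

# Demo on a constructed copy of a stock CentOS 6 auth stack (never touches /etc/pam.d)
demo=$(mktemp)
printf '%s\n' \
    'auth        required      pam_env.so' \
    'auth        sufficient    pam_unix.so nullok try_first_pass' \
    'auth        requisite     pam_succeed_if.so uid >= 500 quiet' \
    'auth        required      pam_deny.so' \
    'account     required      pam_unix.so' > "$demo"
harden_pam "$demo" && pam_lockout_ok "$demo" && cat "$demo"
rm -f "$demo"
```

Run it against /etc/pam.d/system-auth only after taking a backup, keep a root shell open, and test a deliberately wrong password from the jump host; pam_tally2 --user NAME shows the counter and pam_tally2 --user NAME --reset clears it.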

# Hide the system version

mv /etc/issue /etc/isseu
mv /etc/issue.net /etc/isseu.net
mv /etc/redhat-release /etc/rehdat-release

Renaming /etc/issue and /etc/issue.net removes the pre-login banner; emptying them (: > /etc/issue) does the same without leaving oddly named copies behind. Renaming /etc/redhat-release is not advisable: lsb_release, monitoring agents and plenty of install scripts read it, and it is not what a remote attacker sees anyway. The version information that actually leaks is the sshd protocol banner (SSH-2.0-OpenSSH_x.y, sent before authentication, and OpenSSH has no supported option to suppress it) and the Server header of any web service.

# Kernel parameters

cat >> /etc/sysctl.conf <<'EOF'
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maximum size of a message queue
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# ------------- Kernel Optimization -------------
net.ipv4.tcp_max_tw_buckets = 60000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 655360
net.ipv4.netfilter.ip_conntrack_max = 655360
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
EOF
# Apply
sysctl -p

The first half duplicates the stock CentOS sysctl.conf; appending it again is harmless because sysctl -p applies lines in order and the last value wins, but editing the existing keys is cleaner. Most of the "Kernel Optimization" half is web-server throughput tuning rather than DDoS protection, and some of it is harmful: net.ipv4.tcp_tw_recycle = 1 silently rejects connections from clients behind NAT (the knob was removed in Linux 4.12); net.ipv4.tcp_timestamps = 0 disables PAWS, which tcp_tw_reuse and tcp_tw_recycle depend on; tcp_fin_timeout = 1 and tcp_synack_retries = 1 drop slow or lossy clients that are perfectly legitimate. The settings that actually help against SYN floods are tcp_syncookies = 1, a large tcp_max_syn_backlog and somaxconn, and rp_filter / accept_source_route. The two ip_conntrack_max keys are the old ip_conntrack names; nf_conntrack kernels use net.netfilter.nf_conntrack_max, and sysctl -p prints an error for every key the running kernel does not have.
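A lint pass over a fragment like the one above, as an added example that is not part of the original post: sysctl_value reads one key from a sysctl.conf-style file and sysctl_lint reports the settings in it that are known to hurt rather than harden. The sample fragment at the bottom is constructed here from the values above.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a sysctl.conf-style fragment
# for the settings that break clients instead of hardening the host.

# sysctl_value FILE KEY -> print the value of the last active "KEY = value" line
# (sysctl -p applies lines in order, so the last one wins); nothing if absent.
sysctl_value() {
    awk -F= -v k="$2" '
        /^[ \t]*(#|;|$)/ { next }                       # comment or blank line
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { if (v != "") print v }
    ' "$1"
}

# sysctl_lint FILE -> one finding per line on stdout; returns 1 if anything was found
sysctl_lint() {
    f=$1 findings=0
    flag() { echo "$1"; findings=$((findings + 1)); }

    [ "$(sysctl_value "$f" net.ipv4.tcp_tw_recycle)" = 1 ] && flag \
        "tcp_tw_recycle=1 rejects connections from clients behind NAT (knob removed in Linux 4.12)"
    [ "$(sysctl_value "$f" net.ipv4.tcp_timestamps)" = 0 ] && flag \
        "tcp_timestamps=0 disables PAWS, and tcp_tw_reuse/tcp_tw_recycle depend on timestamps"
    v=$(sysctl_value "$f" net.ipv4.tcp_fin_timeout)
    [ -n "$v" ] && [ "$v" -lt 10 ] && flag \
        "tcp_fin_timeout=$v tears down orphaned FIN_WAIT_2 sockets almost immediately (default 60)"
    v=$(sysctl_value "$f" net.ipv4.tcp_synack_retries)
    [ -n "$v" ] && [ "$v" -lt 2 ] && flag \
        "tcp_synack_retries=$v gives up on lossy clients after one SYN-ACK retransmit (default 5)"
    [ "$(sysctl_value "$f" net.ipv4.tcp_syncookies)" = 1 ] || flag \
        "tcp_syncookies is not 1; it is the setting here that actually mitigates SYN floods"
    for k in net.ipv4.ip_conntrack_max net.ipv4.netfilter.ip_conntrack_max; do
        [ -n "$(sysctl_value "$f" "$k")" ] && flag \
            "$k is the old ip_conntrack key; nf_conntrack kernels use net.netfilter.nf_conntrack_max"
    done
    [ "$findings" -eq 0 ]
}

# Demo: the fragment from this post, reduced to the keys the linter looks at
# (constructed sample, written to a temp file so nothing on the host is touched)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 655360
EOF
sysctl_lint "$sample" || echo "fix the fragment before running sysctl -p"
rm -f "$sample"
```

Run sysctl_lint /etc/sysctl.conf before sysctl -p; the findings are the lines to delete or raise, and sysctl -p itself will still complain about any key that does not exist on the running kernel.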

# Record command history per user and source address

cat >> /etc/profile <<'EOF'
# history
export HISTTIMEFORMAT="%F %T `whoami` "
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
HISTDIR=/usr/local/bin/.history
if [ -z "$USER_IP" ]
then
    USER_IP=`hostname`
fi
if [ ! -d "$HISTDIR" ]
then
    mkdir -p "$HISTDIR"
    chmod 777 "$HISTDIR"
fi
if [ ! -d "$HISTDIR/${LOGNAME}" ]
then
    mkdir -p "$HISTDIR/${LOGNAME}"
    chmod 300 "$HISTDIR/${LOGNAME}"
fi
export HISTSIZE=4000
DT=`date +%Y%m%d_%H%M%S`
export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT"
chmod 600 "$HISTDIR/${LOGNAME}"/*.history* 2>/dev/null
EOF

Each login gets its own history file named after the source address and timestamp, which is handy when several people share an account. Two things to know about it. The mode 777 top directory is world-writable, so any user can pre-create or remove another user's subdirectory; 1733 (sticky bit, no read for others) closes that. More importantly, the user owns these variables: unset HISTFILE, HISTFILE=/dev/null, or simply bash --norc switches the recording off, so this is a convenience log, not an audit trail. For accountability use auditd (pam_tty_audit is available on CentOS 6 and later) or record sessions on the jump host.

# Secure login (TCP wrappers)

/etc/hosts.allow:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.1.101

/etc/hosts.deny:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd: ALL

hosts.allow is consulted first and a match there wins, so the net effect is that only the jump host 192.168.1.101 can reach sshd. Write the hosts.allow entry before the hosts.deny one, or the edit locks you out between the two steps. This only protects services linked against libwrap (sshd on CentOS 6 and 7 is; tcp_wrappers were dropped in RHEL 8), so the firewall rule below is the control to rely on.

# Check the firewall: SSH should be reachable only from the management address (the jump host, or the O&M address range). Inspect the rules that are actually loaded rather than the saved file:

iptables-save

Compare the output with /etc/sysconfig/iptables, which is what gets loaded at boot; a rule added by hand and never saved disappears at the next restart.
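The ruleset this step describes, as an added example that is not the original post's code: SSH allowed only from the management address (192.168.1.101, the jump host used in hosts.allow above), everything else inbound dropped, and ping kept but rate-limited instead of ignored outright. The address and port are parameters; nothing is applied until the output is piped to sh.

```shell
#!/bin/sh
# Added example, not the original post's code: generate the iptables ruleset for
# "SSH only from the jump host". Assumes a single management address or CIDR
# range; the interface is not pinned so it works on any host.

# ssh_allowlist_rules ADDR [PORT] -> print the iptables commands, one per line
ssh_allowlist_rules() {
    src=$1 port=${2:-22}
    case "$src" in
        "" | *[!0-9./]*) echo "ssh_allowlist_rules: bad address '$src'" >&2; return 1 ;;
    esac
    case "$port" in
        "" | *[!0-9]*) echo "ssh_allowlist_rules: bad port '$port'" >&2; return 1 ;;
    esac
    # Policy is opened before the flush and closed only after the allow rules
    # are in place, so an existing SSH session is never dropped mid-way.
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp -s $src --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m limit --limit 3/min -j LOG --log-prefix "ssh-denied: "
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
EOF
}

# Demo: print the ruleset for the jump host. To apply and persist it:
#   ssh_allowlist_rules 192.168.1.101 | sh && service iptables save
ssh_allowlist_rules 192.168.1.101
```

Apply it from the jump host itself and open a second session to confirm before closing the first; when working on a box you cannot reach via console, start a timed rollback first (sleep 300 && iptables -P INPUT ACCEPT) and kill it once the new login works. On CentOS 6 service iptables save writes /etc/sysconfig/iptables; on CentOS 7 install iptables-services or use iptables-save > /etc/sysconfig/iptables. Unlike hosts.allow this gates every inbound service, not just the ones linked against libwrap.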

# Create an ordinary account for O&M use

useradd mdf
echo 'pwd123456' | passwd --stdin mdf

The password shown is a placeholder and does not meet the policy above (8+ characters with mixed case, digits and symbols); passed on the command line it also ends up in root's shell history. Set it interactively with passwd mdf, or force a change at first login with chage -d 0 mdf. Grant sudo through a drop-in (mdf ALL=(ALL) ALL in /etc/sudoers.d/mdf, edited with visudo -f /etc/sudoers.d/mdf) rather than editing /etc/sudoers by hand.

# Prohibit root login over SSH

sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

This substitution only fires if the file still carries the stock commented default; confirm with grep -i '^PermitRootLogin' /etc/ssh/sshd_config before restarting, and keep the current session open until a login as the new O&M account has been tested from the jump host.

# Speed up slow SSH logins (GSSAPI negotiation and reverse DNS lookups)

sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i '/^#UseDNS yes/a\UseDNS no' /etc/ssh/sshd_config
sshd -t && /etc/init.d/sshd restart

sshd -t validates the configuration before the restart, so a typo cannot leave the host without a listening daemon. On CentOS 7 and later the restart is systemctl restart sshd.
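One helper for both of the edits made with sed on this page, as an added example (not the original post's code): /etc/login.defs (the PASS_MAX_DAYS / PASS_MIN_LEN step) and /etc/ssh/sshd_config (the PermitRootLogin, GSSAPIAuthentication and UseDNS steps) share the "KEY value" line format. Unlike the one-liners it handles an active line, a commented default such as #PermitRootLogin yes, and a missing key, and it refuses to restart sshd unless sshd -t accepts the result. File paths are parameters so the helpers can be exercised on copies; the demo file at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not the original post's code: idempotent "set directive" for
# login.defs and sshd_config, plus a validated sshd restart.

# set_directive FILE KEY VALUE
# Rewrite the first active KEY line (extra active copies are dropped so exactly
# one remains); otherwise uncomment the first "#KEY value" line; otherwise append.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        mode=active
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${key}[[:space:]]+[^[:space:]]" "$file"; then
        mode=comment
    else
        mode=append
    fi
    awk -v k="$key" -v v="$value" -v m="$mode" '
        m == "active" && $1 == k {
            if (!done) { print k " " v; done = 1 }
            next
        }
        m == "comment" && !done && /^[ \t]*#/ {
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)
            split(line, f, /[ \t]+/)
            if (f[1] == k) { print k " " v; done = 1; next }
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY -> value of the first active KEY line (sshd uses the first)
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_login_defs FILE: 90-day lifetime, 7-day warning, 8-character minimum
harden_login_defs() {
    set_directive "$1" PASS_MAX_DAYS 90
    set_directive "$1" PASS_WARN_AGE 7
    set_directive "$1" PASS_MIN_LEN 8
}

# harden_sshd_config FILE: no root login, no GSSAPI, no reverse DNS lookups
harden_sshd_config() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" GSSAPIAuthentication no
    set_directive "$1" UseDNS no
}

# apply_sshd_config FILE: validate first; leave the running daemon alone on error
apply_sshd_config() {
    if ! /usr/sbin/sshd -t -f "$1"; then
        echo "apply_sshd_config: $1 rejected by sshd -t, daemon left running as is" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then systemctl restart sshd   # CentOS 7+
    else /etc/init.d/sshd restart; fi                                        # CentOS 6
}

# Demo on a constructed copy of a stock sshd_config (the live file is untouched)
demo=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin yes' 'GSSAPIAuthentication yes' '#UseDNS yes' > "$demo"
harden_sshd_config "$demo" && cat "$demo"
rm -f "$demo"
```

On a real host: harden_login_defs /etc/login.defs; harden_sshd_config /etc/ssh/sshd_config && apply_sshd_config /etc/ssh/sshd_config, with a second session kept open until the new login has been tried from the jump host.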


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
