General initialization after CentOS is installed
Environment preparation:
1) set local international language as en_US.UTF-8
[root@c58~]
#sed-i's/^\(LANG=\).*$/\1"en_US.UTF-8"/'/etc/sysconfig/i18n
[root@c58~]
#cat/etc/sysconfig/i18n
LANG=
"en_US.UTF-8"
[root@c58~]
#LANG=en_US.UTF-8
2) update the system software package
Backup default yum Source:
find
/etc/yum
.repos.d-name
'*.repo'
-
exec
mv
{}{}.bak\;
Add 163yum Source:
Redhat5 or centos5:
wgethttp:
//mirrors
.163.com/.help
/CentOS5-Base-163
.repo-P
/etc/yum
.repos.d
Redhat6 or centos6
wgethttp:
//mirrors
.163.com/.help
/CentOS6-Base-163
.repo-P
/etc/yum
.repos.d
Add an epel yum Source:
Redhat5.x 32bit:
rpm-ivhhttp:
//dl
.fedoraproject.org
/pub/epel/5/i386/epel-release-5-4
.noarch.rpm
Redhat5.x 64bit:
rpm-ivhhttp:
//dl
.fedoraproject.org
/pub/epel/5/x86_64/epel-release-5-4
.noarch.rpm
Redhat6.x 32bit:
rpm-ivhhttp:
//dl
.fedoraproject.org
/pub/epel/6/i386/epel-release-6-8
.noarch.rpm
Redhat6.x 64bit:
rpm-ivhhttp:
//dl
.fedoraproject.org
/pub/epel/6/x86_64/epel-release-6-8
.noarch.rpm
Update certificate:
yum-yupgradeca-certificates--disablerepo=epel
Update all system software packages:
yumcleanallyummakecacheyum-yupgrade
The following uses redhat5/centos5 as an example.
I. Principle of minimizing services
Disable all auto-start services, and only enable sshd, crond, network, iptables, syslog (redhat5), and rsyslog (redhat6). Then, add the services to be started on demand.
1) Disable all auto-start services
1
[root@c58~]
#foriin`chkconfig--list|awk'{if($1~/^$/){exit0;}else{print$1}}'`;dochkconfig$ioff;done
2) enable basic services
[root@c58~]
#foriinsshdnetworksyslogcrondiptables;dochkconfig$ion;done
3) view the Enabled Services
[root@c58~]
#chkconfig--list|grep'3:on'
crond0:off1:off2:on3:on4:on5:on6:off
iptables0:off1:off2:on3:on4:on5:on6:off
network0:off1:off2:on3:on4:on5:on6:off
sshd0:off1:off2:on3:on4:on5:on6:off
syslog0:off1:off2:on3:on4:on5:on6:off
Ii. User Logon Restrictions
1) prohibit root users from using remote ssh
[root@c58~]
#cd/etc/ssh
[root@c58
ssh
]
#cpsshd_configsshd_config~
[root@c58
ssh
]
#sed-i's/#\(PermitRootLogin\)yes/\1no/'sshd_config
[root@c58
ssh
]
#grep'PermitRoot'/etc/ssh/sshd_config
PermitRootLoginno
2) Disable logon prompt information
[root@c58
ssh
]
#>/etc/motd
3) modify the default listening port of ssh (tcp: 22)
# Here, change it to tcp port 11983.
[root@c58
ssh
]
#sed-i's/#\(Port\)22/\11983/'sshd_config
[root@c58
ssh
]
#grep'Port'sshd_config
Port11983
4) Only the specified ip address is allowed for ssh (optional)
Method 1 (using tcpwrapper ):
# Only ip addresses in the 192.168.124.0 CIDR block can use ssh
echo
"sshd:192.168.124.0/255.255.255.0"
>>
/etc/hosts
.allow
echo
"sshd:ALL"
>>
/etc/hosts
.deny
Method 2 (using iptables ):
# Note: Pay attention to remote operations to prevent remote connection failure due to rejection. If only all ip addresses in the 192.168.1.0 CIDR block are allowed for ssh, all other ip addresses are rejected. # Allow your own ip addresses first to prevent subsequent operations from being accidentally hurt.
iptables-IINPUT-s10.0.0.1-ptcp--dport22-jACCEPT
#192.168.1.0 network segment allowed
iptables-I2INPUT-s192.168.1.0
/24
-ptcp--dport22-jACCEPT
# Reject all
iptables-I3INPUT-ptcp--dport22-jDROP
# Save iptables settings:
cp
/etc/sysconfig/iptables
/etc/sysconfig/iptables
~
iptables-save>
/etc/sysconfig/iptables
Finally, restart the sshd service to make the above configuration take effect (do not worry that the remote terminal that has been opened will be disconnected during the restart, And the restart will only take effect for the new terminal)
[root@c58
ssh
]
#/etc/init.d/sshdrestart
Stoppingsshd:[OK]
Startingsshd:[OK]
Iii. Minimal user and Command Permissions
Create a common user tom and add the user to the sudo group as the system administrator.
groupadd
sudo
# Create a sudo Group
useradd
-G
sudo
tom
# Create a tom user and join the sudo Group
passwd
tom
# Set the logon password of the tom user
Modify the sudo configuration file and authorize users in the sudo group to execute all commands as root (different command execution permissions can be granted to different users. All commands can be executed here, in the production environment, the system administrator should assign as few executable commands as possible to the user as needed to minimize permissions ), all sudo operations performed by the user are recorded in/var/log/sudo. log to facilitate future security event troubleshooting. Run the following command:
[root@cloud~]
#cat>>/etc/sudoers<<EOF
>%
sudo
ALL=(root)ALL
>Defaultslogfile=
/var/log/sudo
.log
>EOF
[root@cloud~]
#visudo-c
[root@cloud~]
#echo"local2.debug/var/log/sudo.log">>/etc/syslog.conf
[root@cloud~]
#/etc/init.d/syslogrestart
Note: The "cmddo-c" command is used to check the syntax correctness of the/etc/sudoers file.
Iv. kernel security parameter settings
vim
/etc/sysctl
.conf
# Add the following content:
# Disable the response to the ping packet (optional, generally not recommended because it is inconvenient to troubleshoot network faults)
net.ipv4.icmp_echo_ignore_all=1
# Disable the broadcast ping response
net.ipv4.icmp_echo_ignore_broadcasts=1
# Enable syncookie to prevent synflood attacks. When the syn wait queue overflows (the number of syn exceeds the value set in tcp_max_syn_backlog), enable cookie processing, the server requests the client to reply to a serial number before replying to syn_ack. The serial number must contain the information in the original syn Packet. If the serial number is incorrect, the server ignores the syn connection.
net.ipv4.tcp_syncookies=1
# Sets the maximum number of re-transmissions of sync_ack. The default value is 5. The value range is 0-255. The retransmission time is about 180 s.
net.ipv4.tcp_synack_retries=3
# Set the sending interval of the keepalive message when keepalive is enabled. The default value is 2 hours. (due to the current network attacks and other factors, this vulnerability causes frequent attacks, if a connection is established on both sides, and no data or rst/fin messages are sent, the duration is 2 hours, resulting in an empty connection attack. tcp_keepalive_time is used to prevent this situation .)
net.ipv4.tcp_keepalive_time=1200
After saving and exiting, run the "sysctl-p" command to load the preceding settings to the kernel for immediate effect.
V. kernel performance-related parameter settings (optional)
vim
/etc/sysctl
.conf
# Add the following content:
# Set the length of the syn wait queue. For machines with a memory greater than 1024 MB, the default value is. This value can be increased when the number of concurrent requests is large.
net.ipv4.tcp_max_syn_backlog
# Enable timewait reuse. Allow time_waitsocket to be re-used for a New tcp Connection
net.ipv4.tcp_tw_reuse=1
# Enable quick recovery of time_waitsocket in tcp Connection
net.ipv4.tcp_tw_recycle=1
# Send a keepalive test over TCP to determine the number of times the connection has been disconnected. The default value is 9.
net.ipv4.tcp_keepalive_probes=5
# Specify the frequency at which the probe message is sent. Multiply this value by tcp_keepalive_probes to get the time required from the start detection to the deletion of the connection. The default value is 75, indicating that no active connections will be dropped after about 11 minutes. (For common applications, this value is too large and can be changed as needed. Especially for web servers, this value needs to be changed to a smaller value. 15 is a suitable value)
net.ipv4.tcp_keepalive_intvl=15
# Indicates that the system maintains the maximum number of TIME_WAITsocket at the same time. If this number is exceeded, the TIME_WAIT socket is immediately cleared and the warning message is output. The default value is 180000, Which is changed to 5000. For the squid server, this parameter can control the maximum number of TIME_WAIT sockets to prevent the squid server from being dragged to death by a large number of TIME_WAITsocket.
net.ipv4.tcp_max_tw_buckets=5000
# Indicates the port range of the outbound connection. The default value is small: 32768 ~ 61000, changed to 1024 ~ 65000
net.ipv4.ip_local_port_range=102465000
After saving and exiting, run the "sysctl-p" command to load the preceding settings to the kernel for immediate effect.