General initialization after CentOS is installed

Source: Internet
Author: User
Tags: i18n

Environment preparation:

1) Set the system locale to en_US.UTF-8

[root@c58 ~]# sed -i 's/^\(LANG=\).*$/\1"en_US.UTF-8"/' /etc/sysconfig/i18n
[root@c58 ~]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8"
[root@c58 ~]# LANG=en_US.UTF-8

2) Update the system software packages

Back up the default yum sources:

find /etc/yum.repos.d -name '*.repo' -exec mv {} {}.bak \;

Add the 163 yum source:

Redhat5 or centos5:

wget http://mirrors.163.com/.help/CentOS5-Base-163.repo -P /etc/yum.repos.d

Redhat6 or centos6:

wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -P /etc/yum.repos.d

Add the EPEL yum source:

Redhat5.x 32bit:

rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

Redhat5.x 64bit:

rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

Redhat6.x 32bit:

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Redhat6.x 64bit:

rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Update the CA certificates:

yum -y upgrade ca-certificates --disablerepo=epel

Update all system software packages:

yum clean all
yum makecache
yum -y upgrade

The following uses redhat5/centos5 as an example.

I. Principle of minimizing services

Disable every auto-start service, then enable only sshd, crond, network, iptables and syslog (redhat5) or rsyslog (redhat6). Any other service is added later, as it is actually needed.

1) Disable all auto-start services

[root@c58 ~]# for i in `chkconfig --list | awk '{if($1~/^$/){exit 0;}else{print $1}}'`; do chkconfig $i off; done

2) Enable the basic services

[root@c58 ~]# for i in sshd network syslog crond iptables; do chkconfig $i on; done

3) View the enabled services

[root@c58 ~]# chkconfig --list | grep '3:on'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

II. User Logon Restrictions

1) Prohibit remote ssh logon as root

[root@c58 ~]# cd /etc/ssh
[root@c58 ssh]# cp sshd_config sshd_config~
[root@c58 ssh]# sed -i 's/#\(PermitRootLogin\) yes/\1 no/' sshd_config
[root@c58 ssh]# grep 'PermitRoot' /etc/ssh/sshd_config
PermitRootLogin no

2) Remove the logon banner (message of the day)

[root@c58 ssh]# > /etc/motd

3) Change the default ssh listening port (tcp 22)

# Here it is changed to tcp port 11983.
[root@c58 ssh]# sed -i 's/#\(Port\) 22/\1 11983/' sshd_config
[root@c58 ssh]# grep 'Port' sshd_config
Port 11983

4) Allow ssh only from specified ip addresses (optional)

Method 1 (using tcp_wrappers):

# Only ip addresses in the 192.168.124.0/24 network segment may use ssh
echo "sshd:192.168.124.0/255.255.255.0" >> /etc/hosts.allow
echo "sshd:ALL" >> /etc/hosts.deny

Method 2 (using iptables):

# Note: when working over a remote session, be careful not to lock yourself out with a
# reject rule. In this example only the 192.168.1.0/24 network segment may use ssh and all
# other ip addresses are dropped. If sshd was moved to another port in step 3, use that
# port instead of 22 in the rules below.
# Allow your own ip address first so that the later rules cannot cut off this session.
iptables -I INPUT -s 10.0.0.1 -p tcp --dport 22 -j ACCEPT
# Allow the 192.168.1.0 network segment
iptables -I INPUT 2 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# Drop everything else
iptables -I INPUT 3 -p tcp --dport 22 -j DROP
# Save the iptables rules:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables~
iptables-save > /etc/sysconfig/iptables

Finally, restart the sshd service so the configuration above takes effect. Sessions that are already open are not disconnected by the restart; the new settings only apply to new connections.

[root@c58 ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
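The grep checks above only show individual lines. The following script, an added example that is not part of the original article, reads an sshd_config the way sshd does (first uncommented directive wins) and reports whether the two changes from this section, PermitRootLogin and the listening port, are actually in effect. The function names, the expected port argument and the two sample configs are constructed for the demonstration.

```shell
# audit_sshd.sh: added example, not from the original article. Checks the two
# sshd_config changes from section II. Arguments (file path, expected port) and
# the sample configs below are constructed for the demonstration.

# effective_value FILE KEYWORD
# Print the value sshd would use: the first uncommented occurrence wins and the
# keyword is matched case-insensitively, so "#PermitRootLogin yes" is ignored.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE EXPECTED_PORT
# Return 0 when root logins are refused and EXPECTED_PORT is the only Port;
# otherwise print one FAIL line per finding and return 1.
check_sshd_config() {
    local file=$1 want_port=$2 rc=0 root ports
    root=$(effective_value "$file" PermitRootLogin)
    # An absent directive falls back to the compiled-in default, which is "yes"
    # on OpenSSH releases before 7.0 (the releases CentOS 5 and 6 ship).
    case "${root:-yes}" in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL: PermitRootLogin is '${root:-unset}'"; rc=1 ;;
    esac
    # Collect every uncommented Port line: a forgotten second "Port 22" keeps
    # the default port open next to the new one.
    ports=$(awk 'tolower($1) == "port" { printf "%s ", $2 }' "$file")
    ports=${ports% }
    if [ "${ports:-22}" != "$want_port" ]; then
        echo "FAIL: listening on port(s) '${ports:-22}', expected only $want_port"; rc=1
    fi
    return $rc
}

# Constructed sample configs; on a real host pass /etc/ssh/sshd_config instead.
hardened=$(mktemp); weak=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' 'Port 11983' > "$hardened"
printf '%s\n' '#PermitRootLogin yes' '#Port 22' 'Port 11983' 'Port 22' > "$weak"
check_sshd_config "$hardened" 11983 && echo "hardened config: OK"
check_sshd_config "$weak" 11983 || echo "weak config: see findings above"
```

On newer OpenSSH releases `sshd -T` prints the fully resolved configuration and can be fed to the same check instead of the raw file.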

III. Minimal User and Command Permissions

Create an ordinary user tom and add the user to the sudo group, which acts as the system administrator group.

groupadd sudo          # Create the sudo group
useradd -G sudo tom    # Create user tom and add it to the sudo group
passwd tom             # Set the logon password of user tom

Modify the sudo configuration file to authorize members of the sudo group to execute all commands as root. Different users can be granted different sets of commands; all commands are allowed here, but in a production environment the system administrator should grant each user as few executable commands as the job requires, so that permissions stay minimal. Every sudo operation is recorded in /var/log/sudo.log, which helps when investigating security incidents later. Run the following commands:

[root@cloud ~]# cat >> /etc/sudoers <<EOF
> %sudo ALL=(root) ALL
> Defaults logfile=/var/log/sudo.log
> EOF
[root@cloud ~]# visudo -c
[root@cloud ~]# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
[root@cloud ~]# /etc/init.d/syslog restart

Note: the "visudo -c" command checks the syntax of the /etc/sudoers file.
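The sudo log configured above is only useful if someone reads it. As an added example that is not part of the original article, the script below pulls the two things an administrator looks for out of /var/log/sudo.log: refused or failed attempts, and the commands a given user actually ran as root. It assumes sudo's default log line layout with unwrapped lines (the sudoers option `Defaults loglinelen=0` disables wrapping); the function names and the sample log are constructed for the demonstration.

```shell
# sudo_log_triage.sh: added example, not from the original article. Reads the
# log written by "Defaults logfile=/var/log/sudo.log" (section III). Assumes the
# default line layout "date : user : [message ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
# with wrapping disabled via "Defaults loglinelen=0".

# sudo_denials LOGFILE
# Print "user | reason | command" for every refused or failed attempt. A normal
# entry has "TTY=" right after the user name; anything else in that position is
# an error message such as "command not allowed" or "3 incorrect password attempts".
sudo_denials() {
    awk -F ' : ' '
        NF >= 3 && $3 !~ /^TTY=/ {
            n = split($3, f, " ; ")            # f[1] is the reason, f[n] the COMMAND
            cmd = f[n]; sub(/^COMMAND=/, "", cmd)
            print $2 " | " f[1] " | " cmd
        }' "$1"
}

# sudo_commands LOGFILE USER
# List the commands USER successfully ran through sudo, i.e. the answer to
# "what did this account actually do as root?".
sudo_commands() {
    awk -F ' : ' -v who="$2" '
        $2 == who && $3 ~ /^TTY=/ {
            n = split($3, f, " ; "); cmd = f[n]; sub(/^COMMAND=/, "", cmd)
            print cmd
        }' "$1"
}

# Constructed sample log for the demo; real data lives in /var/log/sudo.log.
log=$(mktemp)
cat > "$log" <<'EOF'
Jan  5 10:22:01 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/service sshd restart
Jan  5 10:23:14 : tom : command not allowed ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/sbin/visudo
Jan  5 10:24:02 : bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan  5 10:25:30 : tom : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/bin/su -
Jan  5 10:26:45 : tom : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/cat /etc/sudoers
EOF
echo "== refused or failed attempts =="; sudo_denials "$log"
echo "== commands tom ran as root ==";   sudo_commands "$log" tom
```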

IV. Kernel security parameter settings

vim /etc/sysctl.conf

# Add the following content:
# Ignore all ping requests (optional; generally not recommended because it makes network troubleshooting harder)
net.ipv4.icmp_echo_ignore_all=1
# Ignore broadcast ping requests
net.ipv4.icmp_echo_ignore_broadcasts=1
# Enable SYN cookies to mitigate SYN flood attacks. When the SYN wait queue overflows (more SYNs than
# tcp_max_syn_backlog allows), the kernel stops queueing state and instead answers with a SYN-ACK whose
# sequence number encodes the information from the original SYN packet. A client that does not echo
# that sequence number correctly is ignored, so half-open connections no longer consume resources.
net.ipv4.tcp_syncookies=1
# Maximum number of SYN-ACK retransmissions. Default 5, allowed range 0-255; the default retransmission
# phase lasts about 180 s.
net.ipv4.tcp_synack_retries=3
# Idle time before the first keepalive probe is sent when keepalive is enabled. Default 2 hours. An
# established connection on which neither side sends data or a RST/FIN would otherwise be held for
# 2 hours, which is what an "empty connection" attack exploits; a shorter tcp_keepalive_time limits it.
net.ipv4.tcp_keepalive_time=1200

After saving and exiting, run "sysctl -p" to load the settings above into the running kernel so they take effect immediately.

V. Kernel performance-related parameter settings (optional)

vim /etc/sysctl.conf

# Add the following content:
# Length of the SYN wait queue. On machines with more than 1024 MB of memory the default can be raised
# when the number of concurrent connections is large.
net.ipv4.tcp_max_syn_backlog
# Allow TIME_WAIT sockets to be reused for new outgoing TCP connections
net.ipv4.tcp_tw_reuse=1
# Fast recycling of TIME_WAIT sockets (caveat: this breaks connections from clients behind NAT, and the
# option was removed from the kernel in Linux 4.12)
net.ipv4.tcp_tw_recycle=1
# Number of unanswered keepalive probes before the connection is declared dead. Default 9.
net.ipv4.tcp_keepalive_probes=5
# Interval between keepalive probes. Multiplied by tcp_keepalive_probes it gives the time from the first
# probe to dropping the connection. Default 75, i.e. a dead connection is dropped after about 11 minutes.
# For most applications, and web servers in particular, that is too long; 15 is a suitable value.
net.ipv4.tcp_keepalive_intvl=15
# Maximum number of TIME_WAIT sockets held at the same time; beyond this they are cleared immediately
# and a warning is logged. Default 180000, changed here to 5000. On a squid server this bounds the
# number of TIME_WAIT sockets so the machine is not dragged down by them.
net.ipv4.tcp_max_tw_buckets=5000
# Local port range for outbound connections. The default 32768-61000 is small; changed to 1024-65000
net.ipv4.ip_local_port_range=1024 65000

After saving and exiting, run "sysctl -p" to load the settings above into the running kernel so they take effect immediately.
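"sysctl -p" applies the file once, but a later package update or a stray setting elsewhere can leave the running values different from the baseline in sections IV and V. The script below, an added example that is not part of the original article, compares a wanted sysctl.conf fragment with the values a kernel reports and lists every key that is missing or differs. It handles both "key=value" and the "key = value" layout that "sysctl -a" prints; the function name and both input files are constructed for the demonstration.

```shell
# sysctl_drift.sh: added example, not from the original article. Re-checks the
# baseline from sections IV and V against the values a kernel reports. Both
# input files are constructed here; on a real host run "sysctl -a > current.txt"
# and pass /etc/sysctl.conf as the wanted file.

# sysctl_drift WANTED CURRENT
# Accepts sysctl.conf syntax ("key=value") and "sysctl -a" output ("key = value");
# comments, surrounding blanks and the tab/space inside multi-number values such
# as ip_local_port_range are normalized before comparing. Prints one line per
# key that is missing or differs; returns 0 only when the whole baseline holds.
sysctl_drift() {
    awk '
        function parse(line,   k, v) {        # sets globals key/val; 0 if no setting
            sub(/#.*/, "", line)
            if (line !~ /=/) return 0
            k = line; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            v = line; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
            key = k; val = v; return 1
        }
        NR == FNR { if (parse($0)) cur[key] = val; next }   # 1st file: current values
        parse($0) {                                          # 2nd file: wanted values
            if (!(key in cur))        { print "MISSING " key " (want " val ")"; bad = 1 }
            else if (cur[key] != val) { print "DRIFT   " key " = " cur[key] " (want " val ")"; bad = 1 }
        }
        END { exit bad }
    ' "$2" "$1"
}

# Constructed inputs for the demo.
wanted=$(mktemp); current=$(mktemp)
cat > "$wanted" <<'EOF'
# hardening baseline, same keys as the article
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=3
net.ipv4.tcp_keepalive_time=1200
net.ipv4.ip_local_port_range=1024 65000
EOF
# stand-in for "sysctl -a" output: one value still at its default, one key absent
cat > "$current" <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
net.ipv4.ip_local_port_range = 1024    65000
EOF
sysctl_drift "$wanted" "$current" || echo "baseline not fully in effect"
```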
