Linux Security and Optimization
Introduction:
The guiding rule is: minimum permissions + minimum services = maximum security.
Whatever a server is built for, disable the services it does not use and set system permissions as low as the workload allows; that is what keeps its attack surface smallest. The CentOS server hardening settings below are offered for reference. They are written for the SysV-init generation of CentOS (chkconfig, /etc/inittab, yum-updatesd); later releases move some of these settings elsewhere, and every change should be tested on a non-production host first.
1. Comment out unnecessary users and groups
Note: deleting a system account outright is not recommended. Its UID/GID is reserved by the distribution, and if a package later needs the account it is awkward to recreate it with the same IDs. Commenting out the line keeps the entry on file for easy restoration (glibc ignores passwd and group lines that begin with #). Edit with vipw and vigr rather than a bare editor so the files are locked while you work; pwck and grpck may report the commented lines as invalid entries, which is expected. Most of these accounts already have /sbin/nologin as their shell and cannot log in anyway; sync, shutdown and halt are the ones whose "shell" actually runs a command.
cp /etc/passwd /etc/passwd.bak  # back up before editing
vi /etc/passwd  # edit the user file and put # at the start of each line to comment it out
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  # the anonymous FTP account
cp /etc/group /etc/group.bak  # back up before editing
vi /etc/group  # edit the group file and put # at the start of each line to comment it out
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
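Rather than eyeballing /etc/passwd, the check below finds the system accounts that can actually log in (a shell other than nologin/false) and produces a copy in which chosen accounts are neutralized by giving them /sbin/nologin, which keeps the UID/GID reserved without commenting out or deleting anything. This is an added example, not part of the original article: the passwd content is constructed for the demonstration, the function names loginable_system_accounts and neutralize_accounts are my own, and the UID threshold of 500 is the system-account boundary used by CentOS 5/6.

```shell
#!/bin/sh
# Added example: audit and neutralize system accounts in a passwd-format file.
# Works on a copy passed as an argument; nothing here touches /etc/passwd.

# Constructed passwd content for the demonstration (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
oracle:x:400:400:oracle:/home/oracle:/bin/bash
alice:x:500:500:alice:/home/alice:/bin/bash'

# Print system accounts (UID below $2, default 500 as on CentOS 5/6) whose
# shell is anything other than a nologin/false shell. root (UID 0) is skipped.
loginable_system_accounts() {
    file=$1
    max_uid=${2:-500}
    awk -F: -v max="$max_uid" '
        /^#/ || NF < 7 { next }                      # comments and junk lines
        $3 == 0 { next }                             # root is handled separately
        $3 < max && $7 !~ /(nologin|false)$/ { print $1 }
    ' "$file"
}

# Write a copy of $1 to $2 in which every account named in $3.. gets
# /sbin/nologin as its shell. The line (and its UID/GID) stays on file, so
# file ownership and package scriptlets that reference the account keep working.
neutralize_accounts() {
    src=$1
    dst=$2
    shift 2
    names=" $* "
    awk -F: -v OFS=: -v names="$names" '
        /^#/ || NF < 7 { print; next }
        index(names, " " $1 " ") { $7 = "/sbin/nologin" }
        { print }
    ' "$src" > "$dst"
}

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    echo "system accounts with a usable shell:"
    loginable_system_accounts "$tmp/passwd"
    neutralize_accounts "$tmp/passwd" "$tmp/passwd.new" sync shutdown halt
    echo "after neutralizing sync, shutdown and halt:"
    loginable_system_accounts "$tmp/passwd.new"
    rm -rf "$tmp"
}

main "$@"
```

On a real host run loginable_system_accounts /etc/passwd first; anything it prints besides the accounts you expect (service accounts that need a shell, such as a database user) is a candidate for the treatment above.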
2. Shut down services the system does not need
For each service, stop it now and then cancel it at startup:
service acpid stop; chkconfig acpid off  # ACPI power-management daemon, mainly useful on laptops
service autofs stop; chkconfig autofs off  # automounter for filesystems and removable devices
service bluetooth stop; chkconfig bluetooth off  # Bluetooth
service cpuspeed stop; chkconfig cpuspeed off  # CPU frequency scaling, mainly for power saving
service cups stop; chkconfig cups off  # Common UNIX Printing System; only needed if the host serves printers
service ip6tables stop; chkconfig ip6tables off  # IPv6 firewall (see the caveat below)
Caveat: stopping ip6tables does not disable IPv6. It removes packet filtering for IPv6 traffic, so a host that still has IPv6 addresses becomes reachable over IPv6 with no firewall at all. Only do this on a host where the IPv6 stack itself is turned off; otherwise leave ip6tables running with rules that mirror iptables.
To restore a service, reverse the two commands:
service acpid start; chkconfig acpid on
Afterwards run chkconfig --list and confirm that nothing unexpected is still "on" in runlevels 3 and 5.
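Reviewing chkconfig --list by hand is error-prone on a host with dozens of services, so here is a check that compares that output against an allowlist of services a headless server is expected to run and prints the stop/disable commands for everything else that would start in runlevel 3 or 5. This is an added example, not part of the original article: the chkconfig output is constructed for the demonstration, the allowlist and the function names unexpected_services and disable_commands are my own choices, and on a live host you would feed it the real output (chkconfig --list > /tmp/chk.txt).

```shell
#!/bin/sh
# Added example: report services enabled in runlevel 3 or 5 that are not on
# an allowlist, and print the commands that would disable them.

# Constructed "chkconfig --list" output in SysV format (not from a real host).
SAMPLE_CHKCONFIG='acpid          0:off 1:off 2:on  3:on  4:on  5:on  6:off
autofs         0:off 1:off 2:off 3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
network        0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
yum-updatesd   0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Services a headless server is expected to run (assumed allowlist; adjust per role).
ALLOWED="crond iptables network sshd syslog rsyslog"

# Print the names of services enabled in runlevel 3 or 5 that are not in ALLOWED.
# Lines with fewer than 8 fields (the xinetd section) are ignored.
unexpected_services() {
    awk -v allowed=" $ALLOWED " '
        NF >= 8 {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && index(allowed, " " $1 " ") == 0) print $1
        }
    ' "$1"
}

# Emit the stop/disable commands for each service named on the command line.
# They are printed rather than executed so the operator can review them as root.
disable_commands() {
    for svc in "$@"; do
        printf 'service %s stop; chkconfig %s off\n' "$svc" "$svc"
    done
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CHKCONFIG" > "$tmp"
    echo "services to review:"
    disable_commands $(unexpected_services "$tmp")
    rm -f "$tmp"
}

main "$@"
```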
3. Prevent non-root users from executing the init scripts under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
The default mode of these scripts is 755 (writable only by root, readable and executable by everyone), so restore them with:
chmod -R 755 /etc/rc.d/init.d/*
Never "restore" them to 777. These scripts run as root at boot and whenever "service" is invoked, so a world-writable init script lets any local user insert commands that run as root.
4. Make the following files immutable so that unauthorized users cannot alter them to gain privileges
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services  # lock the service/port list so entries cannot be added or removed
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services  # display the file attributes
Note: while the immutable bit is set, not even root can write these files. Users cannot be added or deleted, and nobody can change a password (passwd writes /etc/shadow), so a forced password expiry will lock users out. Package installs whose scriptlets create a service account will fail too. The bit is a guard against mistakes and against tampering through mis-set permissions, not against an attacker who already has root, since root can clear it again.
To add or delete a user, remove the attribute first, make the change, then set it again:
chattr -i /etc/passwd  # remove the lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services  # unlock the service/port list
Now you can add or delete users. When finished, lock the files again with the chattr +i commands above.
5. Restrict the permissions of individual files
chattr +a /root/.bash_history  # append-only: the history can no longer be deleted or truncated by redirecting it to /dev/null
Do not also set +i on .bash_history. An immutable file cannot be appended to either, so the shell would stop recording history altogether, which defeats the purpose of +a.
chmod 700 /usr/bin  # restore: chmod 555 /usr/bin
Caution: this removes read and execute on the whole directory for every non-root user, so ordinary users and daemons running under their own accounts can no longer run anything in /usr/bin. That may be acceptable on a box with no interactive non-root users; otherwise restrict individual binaries instead, as below.
chmod 700 /bin/ping  # restore: chmod 4755 /bin/ping (ping is setuid root on this release; 700 drops the setuid bit as well)
chmod 700 /usr/bin/vim  # restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat  # restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail  # restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less  # restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head  # restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat  # restore: chmod 755 /bin/cat
chmod 700 /bin/uname  # restore: chmod 755 /bin/uname
chmod 500 /bin/ps  # restore: chmod 755 /bin/ps
These changes show up in rpm -V as mode mismatches, and a package update resets them, so keep a record of the intended modes and reapply them after updates.
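Since package updates silently undo the mode changes in sections 3 and 5, and a mistaken chmod 777 is easy to miss, the following check verifies a manifest of expected modes (including setuid bits such as 4755) and scans a directory for world-writable files, which is the cheap version of what rpm -V does. This is an added example, not part of the original article: it runs on a scratch directory it creates itself, the manifest format ("path mode" per line) and the function names audit_modes and world_writable are my own, and it assumes GNU stat and find as shipped on CentOS.

```shell
#!/bin/sh
# Added example: verify file modes against a manifest and flag world-writable
# files. Point audit_modes at a real manifest and world_writable at
# /etc/rc.d/init.d or /bin on a live host.

# Read "path mode" pairs (mode in octal, e.g. 4755) from the manifest file $1.
# Prints one line per deviation and returns 1 if any was found, 0 otherwise.
audit_modes() {
    manifest=$1
    rc=0
    while read -r path want; do
        [ -z "$path" ] && continue
        have=$(stat -c %a "$path" 2>/dev/null) || { echo "MISSING $path"; rc=1; continue; }
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path expected $want actual $have"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# List regular files under $1 that are writable by "other" (the 0002 bit).
world_writable() {
    find "$1" -type f -perm -0002
}

demo() {
    root=$(mktemp -d)
    mkdir "$root/init.d"
    printf '#!/bin/sh\nexit 0\n' > "$root/init.d/sshd"
    printf '#!/bin/sh\nexit 0\n' > "$root/init.d/crond"
    : > "$root/ping"
    chmod 755 "$root/init.d/sshd"
    chmod 777 "$root/init.d/crond"   # the mistaken "restore" value from section 3
    chmod 4755 "$root/ping"          # setuid binary, as ping is on this release
    printf '%s 755\n%s 755\n%s 4755\n' \
        "$root/init.d/sshd" "$root/init.d/crond" "$root/ping" > "$root/manifest"
    chmod 644 "$root/manifest"
    echo "mode audit:"
    audit_modes "$root/manifest" || echo "deviations found"
    echo "world-writable files under init.d:"
    world_writable "$root/init.d"
    rm -rf "$root"
}

demo "$@"
```

In the demo the audit reports only crond (755 expected, 777 found) and the world-writable scan returns the same file; sshd and the setuid ping pass because stat -c %a includes the setuid digit.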
6. Do not allow the server to be rebooted with Ctrl+Alt+Del
cp /etc/inittab /etc/inittab.bak
vi /etc/inittab  # comment out the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Run "init q" (or "telinit q") afterwards so init rereads the file. On CentOS 6 (upstart) the same action lives in /etc/init/control-alt-delete.conf, and on systemd hosts the equivalent is systemctl mask ctrl-alt-del.target.
7. Use yum update to update packages without updating the kernel
Because of hardware and driver compatibility, a server can fail to boot after a kernel upgrade, so the advice here is not to upgrade the kernel without a specific need. Treat this as a temporary measure rather than a permanent policy: the kernel receives security fixes too, and a host that never takes them remains exposed to every local privilege-escalation bug fixed since. yum keeps the previous kernel installed (kernel is an install-only package) and leaves it in the GRUB menu, so a bad new kernel can be backed out by booting the old entry; the safer habit is to schedule kernel updates with a tested reboot window instead of excluding them indefinitely.
cp /etc/yum.conf /etc/yum.conf.bak
1. Permanently: edit /etc/yum.conf with vi and add exclude=kernel* at the end of the [main] section.
2. Per run: pass the exclusion on the command line:
yum --exclude=kernel* update
View the distribution release: cat /etc/redhat-release (or cat /etc/issue)
View the running kernel version: uname -r
8. Disable automatic CentOS updates (yum-updatesd)
chkconfig --list yum-updatesd  # show the current startup setting
yum-updatesd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
service yum-updatesd stop  # stop the running daemon
Stopping yum-updatesd: [ OK ]
service yum-updatesd status  # confirm it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off  # disable it at boot in runlevels 3 and 5 only
chkconfig --list yum-updatesd
yum-updatesd 0:off 1:off 2:on 3:off 4:on 5:off 6:off
chkconfig yum-updatesd off  # or disable it in every runlevel at once
If automatic updates are turned off, run yum update on a regular schedule (with the kernel exclusion from section 7 if you still need it) so that security fixes are still applied promptly.
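Two checks go with the update policy in sections 7 and 8: whether a yum.conf still has the kernel exclusion in its [main] section (a host that was meant to be pinned only temporarily), and whether a newer kernel is installed than the one running (rpm -q kernel lists every installed kernel because it is an install-only package, so a host that took the update but never rebooted is easy to spot). This is an added example, not part of the original article: the yum.conf and the rpm -q kernel output are constructed for the demonstration, the function names yum_main_exclude, newest_installed_kernel and reboot_needed are my own, and it assumes GNU sort -V for version ordering.

```shell
#!/bin/sh
# Added example: detect a lingering kernel exclusion in yum.conf and a
# running kernel that is older than the newest installed one.

# Constructed yum.conf with the exclusion from section 7 still in place.
SAMPLE_YUM_CONF='[main]
cachedir=/var/cache/yum
keepcache=0
gpgcheck=1
exclude=kernel*

[local]
name=local
exclude=foo'

# Constructed "rpm -q kernel" output: three installed kernels (not from a real host).
SAMPLE_RPM_Q_KERNEL='kernel-2.6.18-398.el5
kernel-2.6.18-410.el5
kernel-2.6.18-419.el5'

# Print the value of exclude= found inside [main] of the yum.conf given as $1.
# Other sections are ignored, so a repo-level exclude does not count.
yum_main_exclude() {
    awk -F= '
        /^\[/ { insec = ($0 == "[main]"); next }
        insec && NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == "exclude") print $2
        }
    ' "$1"
}

# Read "rpm -q kernel" output on stdin and print the newest version-release,
# in the same form that "uname -r" prints (without the kernel- prefix).
newest_installed_kernel() {
    sed 's/^kernel-//' | sort -V | tail -n 1
}

# Return 0 when the running kernel $1 is older than the newest installed one
# (read from stdin), i.e. a reboot is still needed; return 1 otherwise.
reboot_needed() {
    running=$1
    newest=$(newest_installed_kernel)
    [ "$running" != "$newest" ] &&
        [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | head -n 1)" = "$running" ]
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_YUM_CONF" > "$tmp"
    echo "[main] exclude: $(yum_main_exclude "$tmp")"
    if printf '%s\n' "$SAMPLE_RPM_Q_KERNEL" | reboot_needed 2.6.18-398.el5; then
        echo "running 2.6.18-398.el5 is older than the newest installed kernel: reboot needed"
    fi
    rm -f "$tmp"
}

main "$@"
```

On a live host the two inputs are /etc/yum.conf and the pipeline rpm -q kernel | reboot_needed "$(uname -r)".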
9. Disable redundant virtual consoles
Switching from the console to X normally uses Alt-F7 because the system defines six virtual consoles by default, so X takes the seventh. Most servers do not need six. Edit /etc/inittab and comment out the ones you do not use, keeping at least tty1 so that local recovery at the console stays possible.
cp /etc/inittab /etc/inittab.bak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
Run "init q" afterwards so init picks up the change. On CentOS 6 the console list is set instead by ACTIVE_CONSOLES=/dev/tty[1-6] in /etc/sysconfig/init.
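Sections 6 and 9 both edit /etc/inittab, and both are easy to get wrong in vi on a remote box, so here is a script that applies the two changes to a copy and reports what remains active. This is an added example, not part of the original article: the inittab excerpt is constructed after the CentOS 5 default, the function names harden_inittab and active_count are my own, and the operator still has to copy the result into place and run init q.

```shell
#!/bin/sh
# Added example: produce a hardened copy of a SysV /etc/inittab that comments
# out the ctrlaltdel action (section 6) and the gettys for tty2..tty6 while
# keeping tty1 (section 9). It never writes to /etc/inittab itself.

# Constructed inittab excerpt, modelled on the CentOS 5 default.
SAMPLE_INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
x:5:respawn:/etc/X11/prefdm -nodaemon'

# Copy $1 to $2 with the ctrlaltdel entry and the tty2-tty6 gettys commented out.
# Already-commented lines are left alone, so the script is safe to run twice.
harden_inittab() {
    sed -e 's/^\([^#].*:ctrlaltdel:.*\)$/#\1/' \
        -e 's/^\([2-6]:[0-9]*:respawn:\/sbin\/mingetty tty[2-6]\)$/#\1/' \
        "$1" > "$2"
}

# Count the active (uncommented) lines in $1 that contain the pattern $2.
active_count() {
    grep -c -E "^[^#].*$2" "$1" || true
}

main() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_INITTAB" > "$tmp/inittab"
    harden_inittab "$tmp/inittab" "$tmp/inittab.new"
    diff -u "$tmp/inittab" "$tmp/inittab.new" || true
    echo "active ctrlaltdel entries: $(active_count "$tmp/inittab.new" ctrlaltdel)"
    echo "active gettys: $(active_count "$tmp/inittab.new" mingetty)"
    rm -rf "$tmp"
}

main "$@"
```

After checking the diff on a real host: harden_inittab /etc/inittab /etc/inittab.new, cp /etc/inittab.new /etc/inittab, then init q.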