Linux Security settings


1. Comment out users and groups the system does not need

Note: deleting these accounts outright is not recommended; re-creating one later with the same UID and home directory is tedious. The accounts below already use a non-interactive shell (/sbin/nologin, or a program such as /bin/sync that exits immediately) or carry a locked password in /etc/shadow, so commenting them out is housekeeping more than hardening; check with `passwd -S <name>` first. glibc skips lines that begin with # when it reads these files, so the edit works, but it is non-standard: `userdel` (or `usermod -L -s /sbin/nologin` to lock without removing) keeps /etc/shadow and /etc/gshadow consistent with /etc/passwd. Before removing any account, make sure no files are still owned by it (`find / -xdev -user gopher`), or the files become orphaned and may be claimed by whoever is later assigned that UID.

cp /etc/passwd /etc/passwdbak    # back up before editing
vi /etc/passwd                   # edit the user list; put a # in front of each line below to comment it out
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comment out the anonymous FTP account
cp /etc/group /etc/groupbak      # back up before editing
vi /etc/group                    # edit the group list; put a # in front of each line below to comment it out
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
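Commenting out entries only helps if the accounts that remain are the ones you expect. The script below is an added example, not part of the original article: it audits a passwd/shadow pair for accounts that can still open a login session and for any UID 0 account other than root. The file paths are arguments, so it can run against the backups made above or against the constructed sample data embedded at the bottom (not from a real host).

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd/shadow pair
# and report accounts that can still start a login session, plus any
# account other than root that has UID 0. It works on copies of the files,
# so it can be run on a backup or on the constructed sample below.

# Usage: login_capable_accounts PASSWD_FILE SHADOW_FILE
# Prints "<name> uid=<uid> shell=<shell> pw=<set|locked|empty|none>" for each
# account whose shell allows an interactive session.
login_capable_accounts() {
    awk -F: '
        # First file is shadow: remember the password field per user.
        FNR == NR { if (NF >= 2) pw[$1] = $2; next }
        # Second file is passwd: skip blank and commented lines, as glibc does.
        /^[[:space:]]*(#|$)/ { next }
        # Shells that end the session immediately do not count as logins.
        $7 ~ /(nologin|\/bin\/false|\/bin\/sync|\/sbin\/(shutdown|halt))$/ { next }
        {
            if (!($1 in pw))            state = "none"    # no shadow entry at all
            else if (pw[$1] ~ /^[!*]/)  state = "locked"  # "!!" or "*" in shadow
            else if (pw[$1] == "")      state = "empty"   # logs in with no password
            else                        state = "set"
            printf "%s uid=%s shell=%s pw=%s\n", $1, $3, $7, state
        }
    ' "$2" "$1"
}

# Usage: extra_uid0_accounts PASSWD_FILE
# Prints every non-root account with UID 0 (a classic backdoor).
extra_uid0_accounts() {
    awk -F: '!/^[[:space:]]*(#|$)/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample data (not a real host): one entry commented out as in
# the article, a forgotten UID 0 account, a locked account and an empty password.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
#adm:x:3:4:adm:/var/adm:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
backup:x:0:0:forgotten maintenance account:/home/backup:/bin/bash
deploy:x:500:500::/home/deploy:/bin/bash
test:x:501:501::/home/test:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:17000:0:99999:7:::
gopher:*:17000:0:99999:7:::
backup:$6$saltsalt$notarealhash:17000:0:99999:7:::
deploy:!!:17000:0:99999:7:::
test::17000:0:99999:7:::
EOF

echo "Accounts that can log in:"
login_capable_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
echo "Accounts with UID 0 other than root:"
extra_uid0_accounts "$SAMPLE_DIR/passwd"
```

On a live host run it as `login_capable_accounts /etc/passwd /etc/shadow` (root is needed to read /etc/shadow). Anything reported as pw=empty or as an unexpected UID 0 account deserves immediate attention; pw=locked entries with a login shell are candidates for `usermod -s /sbin/nologin`.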
2. Shut down services the system does not need

service acpid stop; chkconfig acpid off          # stop the service now and remove it from boot; ACPI power management, mainly useful on laptops
service autofs stop; chkconfig autofs off        # automatic mounting of file systems and removable devices
service bluetooth stop; chkconfig bluetooth off  # Bluetooth
service cpuspeed stop; chkconfig cpuspeed off    # CPU frequency scaling, mainly for power saving
service cups stop; chkconfig cups off            # Common UNIX Printing System (printer support)
service ip6tables stop; chkconfig ip6tables off  # the IPv6 packet filter (see the note below)

Note: stopping ip6tables does not "disable IPv6". It removes the IPv6 firewall while the stack keeps answering on every IPv6 address the host has (at least a link-local one), which is the opposite of hardening. If IPv6 is genuinely unused, turn it off in the kernel instead (net.ipv6.conf.all.disable_ipv6 = 1 in /etc/sysctl.conf, or NETWORKING_IPV6=no in /etc/sysconfig/network); if it is used, leave ip6tables running with a rule set that mirrors the IPv4 one.

####################################################################################################
To bring a service back later, reverse both steps:
service acpid start; chkconfig acpid on
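The list above is a starting point; what matters is that nothing unexpected is still enabled afterwards. As an added example (not from the original article), the function below parses `chkconfig --list` output, including the xinetd section, and prints every service enabled in runlevel 3 or 5 that is not on an allowlist. It reads from stdin so it can be run against a saved copy; the chkconfig output and allowlist embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original article: list the services that
# chkconfig reports as enabled in the multi-user runlevels (3 and 5) but
# that are not on an allowlist, including xinetd-managed services.
# On a live SysV host:  chkconfig --list | unexpected_services allow.txt

# Usage: unexpected_services ALLOWLIST_FILE < chkconfig_output
# ALLOWLIST_FILE: one service name per line, '#' comments allowed.
unexpected_services() {
    awk -v allow_file="$1" '
        BEGIN {
            while ((getline line < allow_file) > 0) {
                sub(/#.*/, "", line)
                gsub(/[[:space:]]/, "", line)
                if (line != "") allowed[line] = 1
            }
            close(allow_file)
        }
        /^[[:space:]]*$/ || /^xinetd based services:/ { next }
        # Indented "name:  on|off" lines belong to the xinetd section.
        /^[[:space:]]/ && $1 ~ /:$/ {
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in allowed)) print name " (xinetd)"
            next
        }
        # SysV lines: "name 0:off 1:off 2:on 3:on 4:on 5:on 6:off"
        {
            on = 0
            for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in allowed)) print $1
        }
    '
}

# Constructed sample (not from a real host): chkconfig --list output for a
# box where the article's steps have not yet been applied.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/chkconfig.txt" <<'EOF'
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
        telnet:         on
EOF
# Constructed allowlist for this server role.
cat > "$SAMPLE_DIR/allow.txt" <<'EOF'
# services this server needs at boot
crond
iptables
ip6tables   # keep the IPv6 firewall; see the note above
network
sshd
EOF

unexpected_services "$SAMPLE_DIR/allow.txt" < "$SAMPLE_DIR/chkconfig.txt"
```

Every name printed is a candidate for `service <name> stop; chkconfig <name> off` (or `chkconfig <name> off` alone for xinetd entries), and the same command run after a reboot confirms that nothing came back.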
3. Prevent non-root users from reading and executing the init scripts under /etc/rc.d/init.d/

chmod -R 700 /etc/rc.d/init.d/*
chmod -R 755 /etc/rc.d/init.d/*    # restore the default (the scripts ship as 0755, not 0777; never make them world-writable)

Note: this keeps unprivileged users from reading the scripts (which reveal installed services, paths and sometimes credentials) and from running them directly; the scripts themselves still need root to do anything useful. Package updates may reset the modes of scripts they own.
Note from the author: this is original content by qihang01; when reproducing it, please credit the source and link to the original.
4. Set the immutable attribute on the following files so that unauthorized changes are refused

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the service/port list so entries cannot be added or removed
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # show the attributes; each line should contain an "i"

Note: while these attributes are set, no account can be added or removed and no user, root included, can change a password, because passwd(1) rewrites /etc/shadow. To change accounts, remove the attribute first, make the change, then set it again:

chattr -i /etc/passwd    # remove the immutable lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services  # unlock the service/port list

Users can now be added and deleted; lock the files again once the operation is finished. Keep in mind that +i only stops an attacker who has root but has not noticed the attribute: root can run chattr -i just as easily, so treat it as a tripwire (an unexpectedly missing "i" in the lsattr output is worth an alert) rather than a barrier.
5. Restrict permissions on individual files

chattr +a .bash_history    # append-only: the file cannot be deleted, truncated or replaced by a symlink to /dev/null
chattr +i .bash_history

Tightening the modes below takes the listed commands away from unprivileged users; the "Recovery" command restores the packaged default.
chmod 700 /usr/bin         Recovery: chmod 555 /usr/bin
chmod 700 /bin/ping        Recovery: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim     Recovery: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat     Recovery: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail    Recovery: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less    Recovery: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head    Recovery: chmod 755 /usr/bin/head
chmod 700 /bin/cat         Recovery: chmod 755 /bin/cat
chmod 700 /bin/uname       Recovery: chmod 755 /bin/uname
chmod 500 /bin/ps          Recovery: chmod 755 /bin/ps

Note: chmod 700 /usr/bin makes the system unusable for every non-root user and for services running under dedicated accounts, so it is only viable on a host where nobody but root ever logs in. Restricting ping removes its setuid-root bit, which is the one real security gain here; the others merely raise the effort for a casual intruder, since anyone with shell access can upload their own copies or read the same data through python, perl or shell builtins. Also, +a and +i on .bash_history do not combine: with +i set the shell cannot append to the file at all and no history is recorded, so use +a alone if the goal is to keep the record.
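Sections 3 to 5 are only worth doing if the settings are re-checked, because package updates reset the modes of files they own and anyone with root can quietly run chattr -i. The script below is an added example, not part of the original article: one function compares file modes against an expected table (the hardened modes for a small constructed sample tree), the other reads `lsattr` output and reports files that have lost the immutable bit (the lsattr lines below are constructed, not captured from a host).

```shell
#!/bin/sh
# Added example, not from the original article: re-check the permission
# changes of sections 3 and 5 and the immutable attributes of section 4.

# Usage: check_modes TABLE_FILE
# TABLE_FILE lines: "<octal mode> <path>", e.g. "700 /bin/ping"; '#' comments allowed.
# Prints one line per deviation (or missing file); returns 1 if there was any.
check_modes() {
    local mode path actual rc=0
    while read -r mode path; do
        case $mode in ''|\#*) continue ;; esac
        if [ ! -e "$path" ]; then
            printf '%s expected=%s actual=missing\n' "$path" "$mode"
            rc=1
            continue
        fi
        actual=$(stat -c '%a' "$path")
        # Compare numerically: a leading 0 makes shell arithmetic read the
        # value as octal, so "0755", "755" and stat's own "755" all agree.
        if [ "$((0$actual))" -ne "$((0$mode))" ]; then
            printf '%s expected=%s actual=%s\n' "$path" "$mode" "$actual"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: immutable_missing < lsattr_output
# lsattr prints "<flags> <path>"; report paths whose flags lack the 'i' bit.
immutable_missing() {
    awk '$1 !~ /i/ { print $2 }'
}

# Constructed sample tree standing in for /bin and /etc/rc.d/init.d after
# hardening, with one mode drifted back (ps at 755) and one file missing.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/bin" "$SAMPLE_DIR/init.d"
for f in bin/ping bin/ps init.d/sshd; do : > "$SAMPLE_DIR/$f"; done
chmod 700 "$SAMPLE_DIR/bin/ping"      # section 5: setuid bit removed
chmod 755 "$SAMPLE_DIR/bin/ps"        # drifted: section 5 wanted 500
chmod 700 "$SAMPLE_DIR/init.d/sshd"   # section 3
cat > "$SAMPLE_DIR/modes.txt" <<EOF
# mode  path
700  $SAMPLE_DIR/bin/ping
500  $SAMPLE_DIR/bin/ps
700  $SAMPLE_DIR/init.d/sshd
755  $SAMPLE_DIR/bin/netstat
EOF

# Constructed lsattr output for section 4's files; /etc/group has lost its lock.
SAMPLE_LSATTR='----i--------e-- /etc/passwd
----i--------e-- /etc/shadow
-------------e-- /etc/group
----i--------e-- /etc/gshadow
----i--------e-- /etc/services'

check_modes "$SAMPLE_DIR/modes.txt" || echo "mode drift found"
printf '%s\n' "$SAMPLE_LSATTR" | immutable_missing
```

On a live host the table would list the real paths (`500 /bin/ps`, `700 /etc/rc.d/init.d/sshd`, ...) and the attribute check is `lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services | immutable_missing`; run both from cron and alert on any output.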
6. Disable the Ctrl+Alt+Del key combination so the server cannot be rebooted from the console

cp /etc/inittab /etc/inittabbak
vi /etc/inittab    # comment out the line below
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

(On systemd-based releases the equivalent is `systemctl mask ctrl-alt-del.target`.)
7. Update packages with yum update without upgrading the kernel

Because of driver and hardware compatibility problems, a server can fail to boot after a kernel upgrade, which is an unpleasant surprise on a remote machine, so the advice here is not to upgrade the kernel unless there is a specific need. Be aware of the cost: a kernel that is never updated also never receives kernel security fixes. If you exclude it here, track kernel advisories for your release and schedule upgrades with a tested rollback (yum keeps the previous kernels installed and selectable in the boot loader, controlled by installonly_limit in yum.conf).

cp /etc/yum.conf /etc/yum.confbak
1. Edit the yum configuration: vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section.
2. Or pass the exclusion on the command line each time:
yum --exclude=kernel* update
Show the distribution version: cat /etc/issue
Show the kernel version: uname -a
8. Turn off CentOS automatic updates (yum-updatesd)

chkconfig --list yum-updatesd    # show the current state
yum-updatesd    0:off  1:off  2:on  3:on  4:on  5:on  6:off
service yum-updatesd stop        # stop it now; "start" brings it back
Stopping yum-updatesd:  [  OK  ]
service yum-updatesd status      # confirm it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off    # do not start at boot in runlevels 3 and 5 only
chkconfig yum-updatesd off               # do not start at boot in any runlevel
chkconfig --list yum-updatesd            # show the result (this is the output of the --level 35 form)
yum-updatesd    0:off  1:off  2:on  3:off  4:on  5:off  6:off

Note: with the daemon stopped nothing applies security updates for you, so pair this with a scheduled, reviewed yum update (a weekly maintenance window, for example) rather than leaving the host unpatched.
9. Turn off unneeded virtual consoles

Switching from the text console to X normally uses Alt-F7. Why F7? Because the system defines six virtual consoles by default, so X lands on the seventh. Most servers do not need that many; edit /etc/inittab and comment out the ones you do not use.

cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
10. Remove the MySQL history file

MySQL records the SQL statements a user runs after logging in to the database in the .mysql_history file in that user's home directory. If a database user changes a database password with an SQL statement, the new password ends up in .mysql_history as well. So, when logging in from the shell or running backups, do not put the password directly after -p on the command line (besides landing in .bash_history, it is visible to every local user in ps output for the life of the process); pass -p alone and type the password at the prompt. Beyond those two cases, we should also stop both files from recording our commands at all, just in case:

cd
cp .bash_history .bash_historybak    # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

Note: pointing .bash_history at /dev/null also destroys the record an incident responder would use to reconstruct what an intruder (or an administrator) did on the host, which is exactly what section 5's append-only attribute tries to preserve; choose one or the other. For the shell, the append-only file is usually the better trade. For MySQL, the client's own controls are cleaner than a symlink: set MYSQL_HISTFILE=/dev/null in the environment to disable the history file, or, on MySQL 5.6 and later, store credentials with mysql_config_editor and log in with --login-path so no password is typed at all.
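A middle ground between keeping history files verbatim and sending them to /dev/null is to keep them but strip the secrets. The following is an added example, not from the original article: a sed filter that redacts the two leak patterns section 10 describes (passwords passed to the mysql tools with -p or --password=, and passwords inside SET PASSWORD / GRANT ... IDENTIFIED BY statements). The history contents below are constructed samples, and the command-name list and patterns are mine, not MySQL's.

```shell
#!/bin/sh
# Added example, not from the original article: keep .bash_history and
# .mysql_history as evidence, but redact the secrets section 10 warns about.

# Usage: redact_history < history_file > redacted_file
# Only "-p<value>" that follows a mysql/mysqldump/mysqladmin command is
# touched, so options like find's -perm are left alone; "-p" followed by a
# space (password prompted interactively) has nothing to redact.
redact_history() {
    sed -E \
        -e 's/((mysql|mysqldump|mysqladmin)[^|;]* -p)[^[:space:]]+/\1<redacted>/g' \
        -e 's/(--password=)[^[:space:]]+/\1<redacted>/g' \
        -e "s/(PASSWORD\()'[^']*'/\1'<redacted>'/g" \
        -e "s/((IDENTIFIED BY|identified by)[[:space:]]+)'[^']*'/\1'<redacted>'/g"
}

SAMPLE_DIR=$(mktemp -d)
# Constructed shell history (not a real capture).
cat > "$SAMPLE_DIR/bash_history" <<'EOF'
ls -la
mysql -uroot -pS3cr3t! -e "show databases"
mysqldump --user=backup --password=Hunter2 app > /backup/app.sql
find / -perm -4000 -type f
mysql -uroot -p -e "select 1"
EOF
# Constructed .mysql_history (not a real capture).
cat > "$SAMPLE_DIR/mysql_history" <<'EOF'
SET PASSWORD FOR 'app'@'localhost' = PASSWORD('NewPass123');
GRANT ALL ON app.* TO 'deploy'@'%' IDENTIFIED BY 'deploy-pw';
select count(*) from users;
EOF

echo "== bash history, redacted =="
redact_history < "$SAMPLE_DIR/bash_history"
echo "== mysql history, redacted =="
redact_history < "$SAMPLE_DIR/mysql_history"
```

In practice this would run from a logout hook or a nightly cron job (`redact_history < ~/.mysql_history > ~/.mysql_history.tmp && mv ~/.mysql_history.tmp ~/.mysql_history`). Redaction after the fact does not undo the exposure while the password sat in the file or in ps output, so prompting for the password, or avoiding it with --login-path, remains the primary fix.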
11. Change the number of commands kept in the shell history

cp /etc/profile /etc/profilebak
vi /etc/profile
Find HISTSIZE=1000 and change it to HISTSIZE=50

Note: HISTSIZE limits the history each shell keeps in memory; the size of the file itself is governed by HISTFILESIZE. A shorter history leaks less if an account is compromised, but also leaves less for forensics; if you keep the file (see section 5), setting HISTTIMEFORMAT so that each entry carries a timestamp makes it far more useful.
12. Hide system information from the login banner

By default, the pre-login banner on a Linux console shows the distribution name and version, the kernel version and the hostname. To keep that from being shown, reduce the banner to a bare "login:" prompt by deleting /etc/issue and /etc/issue.net, or renaming them, which has the same effect:

mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak

Note: /etc/issue.net is only shown by network services configured to display it (telnet, or sshd when Banner points at it). Services that announce their own version, such as the SSH server's identification string, are unaffected, and any logged-in user can still run uname -a or read /etc/redhat-release, so this is cosmetic rather than a real information-disclosure fix.
13. Tuning Linux kernel parameters

cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf    # add the following at the end of the file
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 10024 65535    # range of local ports used for outgoing connections; the default (32768 to 61000) is small. Do not set the lower bound too low or it will collide with ports that listening services need.
/sbin/sysctl -p    # apply immediately

Note: several of these values should not be copied onto a production host as they stand. net.ipv4.tcp_tw_recycle = 1 breaks connections from clients behind NAT (their per-host timestamp checks fail) and the parameter was removed in kernel 4.12, so leave it unset. net.ipv4.tcp_tw_reuse only works while TCP timestamps are enabled, so setting net.ipv4.tcp_timestamps = 0 silently disables it; timestamps also protect long-lived connections against sequence-number wraparound, and the uptime they leak is a minor disclosure. net.ipv4.tcp_mem is measured in pages, not bytes, so 915000000 pages is several terabytes and effectively removes the limit. A large tcp_max_syn_backlog only helps against SYN floods together with net.ipv4.tcp_syncookies = 1, which the list omits. net.ipv4.tcp_tw_len is not a Linux sysctl (sysctl -p would report an unknown key), so it is correctly left commented out.
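Settings in /etc/sysctl.conf are only as good as what the running kernel actually reports, and a key that no longer exists is skipped with a warning. The script below is an added example, not part of the original article: it compares a sysctl.conf-style file with the live values (via sysctl -n) and reports drift or unknown keys. The wanted list embedded in it is my corrected version of the article's set (tcp_tw_recycle dropped except as a demonstration of the unknown-key case, timestamps left on so tcp_tw_reuse works, syncookies and the usual anti-spoofing and ICMP knobs added), and the "fake_sysctl" reader is a constructed stand-in for a host so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: check that the kernel
# parameters in a sysctl.conf-style file are really in effect, and spot
# keys the running kernel no longer has (tcp_tw_recycle on 4.12+).

# Usage: sysctl_drift WANTED_FILE [READER]
#   WANTED_FILE: "key = value" lines; '#' comments allowed.
#   READER: command printing the current value of a key ("?" if unknown);
#           defaults to read_live_sysctl, which wraps sysctl -n.
# Prints "key wanted=... current=..." per mismatch; returns 1 if any.
sysctl_drift() {
    local wanted_file=$1 reader=${2:-read_live_sysctl} line key value current rc=0
    while IFS= read -r line; do
        line=${line%%#*}                              # strip comments
        case $line in *=*) ;; *) continue ;; esac     # skip blank lines
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        # Normalise whitespace on both sides: multi-value keys such as
        # ip_local_port_range come back from sysctl tab-separated.
        value=$(printf '%s' "${line#*=}" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        current=$("$reader" "$key" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        [ "$current" = "$value" ] && continue
        printf '%s wanted=%s current=%s\n' "$key" "$value" "$current"
        rc=1
    done < "$wanted_file"
    return $rc
}

read_live_sysctl() {
    sysctl -n "$1" 2>/dev/null || echo '?'
}

# Constructed stand-in for sysctl -n (not a real host): the article's values
# were applied, but the kernel is 4.12+ (no tcp_tw_recycle), syncookies and
# rp_filter were never set, and the port range is still the default.
fake_sysctl() {
    case $1 in
        net.ipv4.tcp_syncookies)               echo 0 ;;
        net.ipv4.tcp_max_syn_backlog)          echo 65536 ;;
        net.ipv4.tcp_synack_retries)           echo 2 ;;
        net.ipv4.tcp_timestamps)               echo 1 ;;
        net.ipv4.tcp_tw_reuse)                 echo 1 ;;
        net.ipv4.conf.all.accept_redirects)    echo 0 ;;
        net.ipv4.conf.all.send_redirects)      echo 0 ;;
        net.ipv4.conf.all.accept_source_route) echo 0 ;;
        net.ipv4.conf.all.rp_filter)           echo 0 ;;
        net.ipv4.conf.all.log_martians)        echo 1 ;;
        net.ipv4.icmp_echo_ignore_broadcasts)  echo 1 ;;
        net.ipv4.ip_local_port_range)          printf '32768\t60999\n' ;;
        *)                                     echo '?' ;;
    esac
}

# Corrected wanted list (my version of the article's set, see the lead-in).
WANTED_FILE=$(mktemp)
cat > "$WANTED_FILE" <<'EOF'
# SYN-flood resistance: a large backlog only helps together with syncookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.tcp_synack_retries = 2
# keep timestamps on: tcp_tw_reuse depends on them
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1   # from the article; removed in kernel 4.12, kept to show the "?" case
# anti-spoofing and ICMP hardening
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_local_port_range = 10024 65535
EOF

sysctl_drift "$WANTED_FILE" fake_sysctl || echo "drift detected"
```

On a real host, `sysctl_drift /etc/sysctl.conf` (no reader argument) does the same against the live kernel; run it after every reboot and kernel upgrade, since that is when removed or renamed keys and forgotten `sysctl -p` runs show up.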
14. CentOS system tuning (resource limits)

cp /etc/profile /etc/profilebak2
vi /etc/profile    # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
source /etc/profile    # apply immediately
ulimit -a              # show the current per-process limits for this user

Note: two of these have security side effects. ulimit -c unlimited lets every process write a core dump when it crashes, and a core file contains whatever the process held in memory (passwords, keys, session tokens), so on a production server keep cores at 0 and enable them only while debugging, with fs.suid_dumpable left at its default of 0. ulimit -s unlimited changes how the kernel lays out process address space (it selects the legacy bottom-up mmap layout for every program started from that shell), so do not set it system-wide without a reason. The open-files limit is the one most servers actually need, and /etc/security/limits.conf is the proper place for it, since /etc/profile only affects interactive login shells, not daemons.
15. Make the server ignore ping

cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local    # add the line below at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
A value of 0 means echo requests are answered; 1 means they are ignored.

Note: this setting belongs in /etc/sysctl.conf as net.ipv4.icmp_echo_ignore_all = 1, alongside the parameters of section 13, rather than in rc.local. Ignoring echo requests hides the host only from the most casual scans: a port scanner that skips host discovery (nmap -Pn) finds it anyway, while your own monitoring loses its simplest health check. If ICMP must be limited, prefer an iptables rule that rate-limits echo requests or accepts them only from management networks.
