If you want to build a Linux server that you can maintain in the long term, you need to consider security, performance, speed and many other factors. A proper basic Linux security configuration manual is particularly important. In this article I introduce a basic security configuration manual for Linux servers running RedHat/CentOS 4 and 5.
Installation Notes
1. Delete the system's special user accounts:
Disable all default accounts that are not required by the operating system itself. Do this check when you first install the system. Linux creates a variety of accounts that you may not need; if you do not need an account, remove it, because the more accounts you have, the more exposed you are to attack.
# To delete a user from your system, use the following command:
[root@c1gstudio]# userdel username
# Batch deletion
# This removes the "adm lp sync shutdown halt mail news uucp operator games gopher ftp" accounts.
# If you run an ftp or similar service, keep the ftp account.
for i in adm lp sync shutdown halt mail news uucp operator games gopher ftp; do userdel $i; done
2. Delete the system's special group accounts
[root@c1gstudio]# groupdel groupname
# Batch deletion
for i in adm lp mail news uucp games dip pppusers popusers slipusers; do groupdel $i; done
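Before running the batch userdel above, it helps to know which of those accounts actually exist and whether any of them still has a real login shell. This added dry-run check (example code, not from the original article) reads a passwd file you point it at, such as a copy of /etc/passwd, and never deletes anything; the sample passwd content it writes is constructed.

```shell
# Added dry-run check (not from the original article): audit the article's
# removal list against a passwd file before running userdel.
# Assumption: PASSWD_FILE is a copy of /etc/passwd, so the check stays read-only.
REMOVE_LIST="adm lp sync shutdown halt mail news uucp operator games gopher ftp"

# usage: audit_accounts PASSWD_FILE [ACCOUNT ...]
# Prints "<name> absent", "<name> present nologin" or "<name> present <shell>".
audit_accounts() {
    passwd_file="$1"; shift
    [ "$#" -gt 0 ] || set -- $REMOVE_LIST
    for acct in "$@"; do
        shell=$(awk -F: -v u="$acct" '$1 == u { print $7; exit }' "$passwd_file")
        if [ -z "$shell" ]; then
            echo "$acct absent"
        else
            case "$shell" in
                */nologin|*/false) echo "$acct present nologin" ;;
                *) echo "$acct present $shell" ;;   # real shell: look before deleting
            esac
        fi
    done
}

# usage: present_interactive PASSWD_FILE [ACCOUNT ...]
# Names from the list that exist AND have a real login shell; check their
# files and processes before removing them.
present_interactive() {
    audit_accounts "$@" | awk '$2 == "present" && $3 != "nologin" { print $1 }'
}

# Constructed sample passwd file in the CentOS 5 layout, not a real system's.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
operator:x:11:0:operator:/root:/bin/bash
EOF
}
```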
3. User password settings
When installing Linux, the default minimum password length is 5 characters; that is not enough, so set it to 8. To modify the minimum password length, edit the login.defs file:
#vi /etc/login.defs
PASS_MAX_DAYS 99999 # maximum number of days a password remains valid (default)
PASS_MIN_DAYS 0 # minimum number of days between password changes
PASS_MIN_LEN 5 # minimum password length; change 5 to 8
PASS_WARN_AGE 7 # how many days in advance to warn users that their password is about to expire
Then modify the root password:
#passwd root
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
4. Modify the automatic logout time
Automatic logout of logged-in accounts: in a Linux system the root account has the highest privilege. If the system administrator forgets to log out of the root account before leaving the system, it poses a significant security risk, so the account should be logged out automatically. This is done with the TMOUT variable of the shell profile. TMOUT is counted in seconds. Edit your profile file (vi /etc/profile) and add the following line after "HISTSIZE=":
TMOUT=300
300 means 300 seconds, that is 5 minutes. With this, the system automatically logs out the account if the logged-in user is idle for 5 minutes.
5. Limit the shell command history size
By default, the bash shell keeps up to 500 command records in the file $HOME/.bash_history (the default number differs between systems). There is one such file in the home directory of each user on the system. I strongly recommend limiting the size of this file.
Edit the /etc/profile file and modify the following options:
HISTFILESIZE=30 or HISTSIZE=30
#vi /etc/profile
HISTSIZE=30
6. Delete the command history when logging off
Edit the /etc/skel/.bash_logout file and add the following line:
rm -f $HOME/.bash_history
This way, all users on the system delete their command history when they log off.
If you only need to set this up for a specific user, such as root, modify the .bash_logout file in that user's home directory only, adding the same line.
7. Use the following commands to add the required user groups and user accounts
[root@c1gstudio]# groupadd
For example, to add the website user group: groupadd website
Then run the vigr command to view the added user group.
Add the required user account with the following command:
[root@c1gstudio]# useradd username -g website   // add the user to the website group (as the normal administrator of the web server instead of the root administrator)
Then run the vipw command to view the added user.
Use the following command to set the user's password (at least 8 characters, a combination of letters and numbers; record the password in the local machine's dedicated document in case it is forgotten):
[root@c1gstudio]# passwd username
8. Prevent anyone from using su to become root
If you do not want anyone to be able to su to root, edit /etc/pam.d/su and add the following lines:
#vi /etc/pam.d/su
auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=website
This means that only users in the website group can su to root.
9. Modify the SSH service's root login permission
Modify the SSH service configuration file so that the SSH service does not allow logging in directly as the root user, which reduces the chance of a malicious login attack on the system.
#vi /etc/ssh/sshd_config
#PermitRootLogin yes
Remove the # in front of the line and change it to:
PermitRootLogin no
10. Modify the SSH service's sshd port
SSH listens on port 22 by default; you can change it to port 6022 to bypass routine scans.
Note: a mistake when changing the port may leave you unable to connect to the server next time. Open ports 22 and 6022 at the same time, and only then close port 22.
Restarting sshd does not drop your current connection, so open a separate client to test the service.
#vi /etc/ssh/sshd_config
# add and modify
#Port 22 # close port 22
Port 6022 # add port 6022
# restart the sshd service
service sshd restart
Check that sshd is listening on the right port:
netstat -lnp | grep ssh
# open sshd's port 6022 in iptables
vi /etc/sysconfig/iptables
# if you use the RedHat default rules, add
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6022 -j ACCEPT
# or
iptables -A INPUT -p tcp --dport 6022 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6022 -j ACCEPT
Restart the iptables service:
service iptables restart
# test that both ports can be connected to, then remove port 22 after connecting
Detailed reference:
SSH default 22 port modification method under Linux OS
11. Turn off services not used by the system:
cd /etc/init.d # enter the directory of the system's init startup scripts
There are two ways to turn off the services in the init directory.
First, mv the file in the init directory to a *.old file name; renaming the file means that at system startup the startup file for this service cannot be found.
Second, use the chkconfig system command to turn the service off at the system boot levels.
Note: whichever method you use, first check whether the service you want to shut down is one that this server specifically needs, so that a required service is not shut down.
Use the chkconfig command to turn off unused system services (note the two minus signs before "level"). To see how many services are running before modifying the startup scripts, enter:
ps aux | wc -l
Then, after modifying the startup scripts, restart the system and enter the above command again to work out how many fewer services are running. The fewer services are running, the better the security. Also run the following command to see how many services are listening on the network:
netstat -na --ip
First stop the services in batch mode:
for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd; do service $i stop; done
Then turn off their startup:
for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd; do chkconfig $i off; done
The following manual commands, with explanations, need not be executed if the batch method above was used:
chkconfig --level 345 apmd off # needed on laptops
chkconfig --level 345 netfs off # NFS client
chkconfig --level 345 yppasswdd off # NIS server, this service has many vulnerabilities
chkconfig --level 345 ypserv off # NIS server, which has many vulnerabilities
chkconfig --level 345 dhcpd off # DHCP service
chkconfig --level 345 portmap off # required for running rpc (port 111) services
chkconfig --level 345 lpd off # print service
chkconfig --level 345 nfs off # NFS server, vulnerable
chkconfig --level 345 sendmail off # mail service, vulnerabilities
chkconfig --level 345 snmpd off # SNMP, remote users can get a lot of system information from it
chkconfig --level 345 rstatd off # avoid running r services, remote users can get a lot of information
chkconfig --level 345 atd off # a service for running scheduled programs, similar to cron
Note: the 3, 4 and 5 in the above chkconfig commands are the system boot run levels; the numbers mean the following:
0: power off (please do not switch to this level)
1: single-user mode, text interface
2: multi-user mode, text interface, without the Network File System (NFS) feature
3: multi-user mode, text interface, with the Network File System (NFS) feature
4: some Linux distributions use this level to enter the X Window System
5: some Linux distributions use this level to enter the X Window System
6: reboot
If --level is not given with the on and off switches, the system defaults to run levels 3, 4 and 5 only.
chkconfig cups off # printer
chkconfig bluetooth off # bluetooth
chkconfig hidd off # bluetooth
chkconfig ip6tables off # ipv6
chkconfig ipsec off # VPN
chkconfig auditd off # user-space audit program
chkconfig autofs off # automatic mounting of CD-ROMs, floppies, hard disks and so on
chkconfig avahi-daemon off # mainly used for Zero Configuration networking; generally unused, recommended to turn off
chkconfig avahi-dnsconfd off # mainly used for Zero Configuration networking, same as above, recommended to turn off
chkconfig cpuspeed off # process that dynamically adjusts the CPU frequency; recommended to turn off on a server system
chkconfig isdn off # isdn
chkconfig kudzu off # hardware auto-detection service
chkconfig nfslock off # NFS file locking; needed for file sharing support, otherwise turn off
chkconfig nscd off # password and group lookups; required when NIS services are used, otherwise turn off
chkconfig pcscd off # smart card support
chkconfig yum-updatesd off # yum update
chkconfig acpid off
chkconfig autofs off
chkconfig firstboot off
chkconfig mcstrans off # selinux
chkconfig microcode_ctl off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig setroubleshoot off
chkconfig xfs off
chkconfig xinetd off
chkconfig messagebus off
chkconfig gpm off # mouse
chkconfig restorecond off # selinux
chkconfig haldaemon off
chkconfig sysstat off
chkconfig readahead_early off
chkconfig anacron off
Services that need to be retained:
crond, irqbalance, microcode_ctl, network, sshd, syslog
Because some services are already running, a reboot is required after setup.
chkconfig
Syntax: chkconfig [--add][--del][--list][system service] or chkconfig [--level <level code>][system service][on/off/reset]
Supplemental note: chkconfig is a program developed by Red Hat under the GPL which can query which system services the operating system runs at each run level, including all kinds of resident services.
Parameters:
--add adds the specified system service, allowing chkconfig to manage it, and adds the relevant data to the system startup description files.
--del deletes the specified system service so that it is no longer managed by chkconfig, and removes the relevant data from the system startup description files.
--level <level code> specifies at which run levels the service is to be turned on or off.
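The stop/off lists above are maintained by hand. This added example (not from the original article) derives the list the other way round: from a saved copy of `chkconfig --list` output and the keep-list in this section, it reports only services that are both enabled at run level 3, 4 or 5 and not on the keep-list, and prints the stop/off commands for review instead of running them. The sample listing it writes is constructed.

```shell
# Added example (not from the original article): audit `chkconfig --list`
# output against the article's keep-list and print the section 11 commands
# for the services that remain. It never runs chkconfig or service itself.
# Assumption: LISTING is a file holding the saved output of `chkconfig --list`.
KEEP_SERVICES="crond irqbalance microcode_ctl network sshd syslog"

# usage: services_to_disable LISTING  -> one service name per line
services_to_disable() {
    awk -v keep="$KEEP_SERVICES" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        # SysV rows look like "sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off";
        # the "xinetd based services:" block below them has no such columns.
        /^[A-Za-z0-9_.-]+[ \t]+0:(on|off)/ {
            enabled = 0
            for (i = 2; i <= NF; i++) if ($i ~ /^[345]:on$/) enabled = 1
            if (enabled && !($1 in keepset)) print $1
        }
    ' "$1"
}

# usage: disable_commands LISTING
# Emits the stop + chkconfig pair from section 11 for each candidate; read the
# output, then pipe it to sh once you are satisfied.
disable_commands() {
    services_to_disable "$1" | while read -r svc; do
        echo "service $svc stop && chkconfig --level 345 $svc off"
    done
}

# Constructed sample listing, not captured from a real host.
write_sample_listing() {
    cat > "$1" <<'EOF'
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
EOF
}
```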
12. Prevent the system from responding to any external/internal ping requests
If nobody can ping your machine and get a response, the security of your site is greatly enhanced. You can add the following command line to /etc/rc.d/rc.local so that it runs automatically after each boot.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# this step is optional
13. Modify the "/etc/host.conf" file
"/etc/host.conf" specifies how addresses are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add these lines:
# Lookup names via DNS first, then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves the address through DNS first and then through the hosts file. The second setting allows a host in the "/etc/hosts" file to have more than one IP address (for example, multiple Ethernet network adapters). The third setting says to watch for unauthorized IP spoofing of the machine.
14. Do not allow root login from different consoles
The "/etc/securetty" file lets you define from which TTY devices the root user can log in. Edit the "/etc/securetty" file and add a "#" in front of the TTY devices that no longer need to allow logins, to prohibit root from logging in from those TTY devices.
In the /etc/inittab file there is the following section:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
The system by default uses 6 consoles (Alt+F1, Alt+F2, ...). Add "#" in front of lines 3, 4, 5 and 6 to comment them out so that only two consoles are available, which is preferable. Then restart the init process and the changes take effect.
15. Disable the Control-Alt-Delete keyboard shutdown command
Comment out the following line in the "/etc/inittab" file (using #):
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To make this change take effect, enter the following command:
#/sbin/init q
16. Use the chattr command to add the immutable attribute to the following files.
[root@c1gstudio]# chattr +i /etc/passwd
[root@c1gstudio]# chattr +i /etc/shadow
[root@c1gstudio]# chattr +i /etc/group
[root@c1gstudio]# chattr +i /etc/gshadow
Note: chattr is the command for changing file attributes, and the parameter i means the file or directory may not be changed arbitrarily; i is the immutable bit. To view: lsattr /etc/passwd; to undo: chattr -i /etc/group
Supplemental note: this command changes file or directory attributes stored on the ext2 file system, which has the following 8 modes:
a: the file or directory can only be opened for appending.
A: do not update the last access time of the file or directory.
c: compress the file or directory when storing it.
d: exclude the file or directory from dump operations.
i: the file or directory may not be changed arbitrarily.
s: securely delete the file or directory.
S: update the file or directory synchronously.
u: the file or directory can be undeleted after removal.
Parameters:
-R recursively process all files and subdirectories under the specified directory.
-v <version number> set the version of the file or directory.
-V display the command's execution process.
+<attribute> turn on the attribute of the file or directory.
-<attribute> turn off this attribute of the file or directory.
=<attribute> set exactly these attributes on the file or directory.
17. Lock the system service port list file
Primary role: prevent unauthorized deletion or addition of services
chattr +i /etc/services
To view: lsattr /etc/services; to undo: chattr -i /etc/services
18. System file permission modification
The security of the Linux file system is achieved primarily by setting permissions on files. Each Linux file or directory has 3 sets of attributes that define the permissions (read only, writable, executable, allow suid, allow sgid, and so on) of the file's owner, its group, and everyone else. Pay special attention to the suid and sgid permissions of executable files: while such a program runs, the process is given the permissions of the file's owner, and if an attacker finds and exploits this it harms the system.
(1) Modify the execution permissions of the init directory files:
chmod -R 700 /etc/init.d/* (recursive processing: owner has rwx, group none, others none)
(2) Modify the suid and sgid permissions of some system files:
chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /sbin/netreport
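As an added example (not code from the original article), here is the audit that goes with step (2): list every suid/sgid file under a tree, strip the bits from the article's twelve binaries with the same chmod a-s, and report which suid/sgid files the article's list does not cover so they get a deliberate decision rather than being forgotten. ROOT is an assumed prefix so the functions can be rehearsed on a test directory; the rehearsal tree the last function builds is constructed.

```shell
# Added example (not from the original article): find set-user-ID / set-group-ID
# files, strip the bits from the article's section 18 (2) list, and show what
# that list leaves untouched.
# Assumption: ROOT defaults to "" (the live system, run as root); pass a test
# tree to rehearse without touching real binaries.
PAGE_SETID_LIST="/usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn \
/usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl \
/usr/sbin/traceroute /bin/mount /bin/umount /sbin/netreport"

# usage: find_setid DIR  -> sorted paths of files with the suid or sgid bit
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# usage: strip_setid_bits [ROOT]  -> prints each file whose bits were removed
strip_setid_bits() {
    root="${1:-}"
    for f in $PAGE_SETID_LIST; do
        p="$root$f"
        [ -f "$p" ] || continue            # not installed on this box
        if [ -u "$p" ] || [ -g "$p" ]; then
            chmod a-s "$p" && echo "$p"    # same command the article uses
        fi
    done
}

# usage: setid_outside_list DIR [ROOT]  -> suid/sgid files the article's list misses
setid_outside_list() {
    root="${2:-}"
    find_setid "$1" | while read -r p; do
        case " $PAGE_SETID_LIST " in
            *" ${p#$root} "*) ;;            # covered by the article's list
            *) echo "$p" ;;                 # needs its own decision
        esac
    done
}

# Constructed rehearsal tree (not a real filesystem): two listed binaries with
# their bits set, one unlisted suid file, one plain file.
write_sample_tree() {
    mkdir -p "$1/usr/bin" "$1/bin"
    : > "$1/usr/bin/chage";  chmod u+s "$1/usr/bin/chage"
    : > "$1/bin/mount";      chmod g+s "$1/bin/mount"
    : > "$1/usr/bin/sudo";   chmod u+s "$1/usr/bin/sudo"
    : > "$1/bin/ls"
}
```

Anything reported by setid_outside_list is not necessarily wrong; it is a file the article did not consider, so decide about it explicitly.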
(3) Modify the system boot file
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
To view: lsattr /etc/grub.conf; to undo: chattr -i /etc/grub.conf
19. Add DNS
#vi /etc/resolv.conf
nameserver 8.8.8.8 # Google DNS
nameserver 8.8.4.4
20. Hostname modification
# Note: first stop MySQL, Postfix and other such services
1. hostname servername
2. vi /etc/sysconfig/network
service network restart
3. vi /etc/hosts
21. SELinux modification
Enabling SELinux can increase security, but you may encounter some strange problems when installing software.
The following is how to turn it off:
#vi /etc/selinux/config
Change the SELINUX= line to disabled
22. Close IPv6
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
#vi /etc/sysconfig/network
NETWORKING_IPV6=no
Restart the services:
service ip6tables stop
service network restart
Turn off automatic startup:
chkconfig --level 235 ip6tables off
23. Set iptables
iptables default security rule script
Reboot the system
Most of the above settings can be completed by running scripts: Linux security settings shortcut scripts
Reboot the system when setup is complete
Other setup items
How to adjust the system time zone/time in Linux
Make a soft link from the corresponding time zone file in /usr/share/zoneinfo to /etc/localtime. For example, to use the Shanghai time zone:
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
If you want to keep the clock in UTC, set UTC=true in the /etc/sysconfig/clock file.
Use the date command with the -s parameter to modify the time. Note that the Linux date format is "month day year". You can also modify only the time: date -s 22:30:20. If you change both the date and the time, the format is "MMDDhhmmYYYY.ss"; 2007-03-18 11:01:56 is written as: date -s 031811012007.56
To update the hardware clock from the current system time: hwclock --systohc; if the hardware clock is in UTC, hwclock --systohc --utc
How to adjust the system time zone/time in Linux, step by step
1) Find the appropriate time zone file:
/usr/share/zoneinfo/Asia/Shanghai
Replace the current /etc/localtime file with this file.
Step: cp -i /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
Choose to overwrite.
2) Modify the /etc/sysconfig/clock file to:
ZONE="Asia/Shanghai"
UTC=false
ARC=false
3) The command to set the date to August 30, 2005 is as follows:
#date -s 08/30/2005
The command to set the system time to 6:40:00 P.M. is as follows:
#date -s 18:40:00
4) Synchronize the BIOS clock, forcing the system time to be written to CMOS, with the following command:
#clock -w
Install ntpd
#yum install ntp
#chkconfig --level 235 ntpd on
#ntpdate ntp.api.bz # first calibrate manually
#service ntpd start
Set the language
English language with Chinese support
#vi /etc/sysconfig/i18n
LANG="en_US.UTF-8"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh"
SYSFONT="latarcyrheb-sun16"
Scheduled cleanup with tmpwatch
Suppose the server uses custom PHP session and upload directories.
#vi /etc/cron.daily/tmpwatch
Add, before the "240 /tmp" argument:
-x /tmp/session -x /tmp/upload
#mkdir /tmp/session
#mkdir /tmp/upload
#chown nobody:nobody /tmp/upload
#chmod 0770 /tmp/upload