Linux system VPS Security and optimization settings collation

VPS Security Settings

First, user rights security settings

Root permissions are too high, misoperation is very dangerous, so day-to-day operations using the ordinary account, only a specific time to use SU switch to root identity.
①, new ordinary users, such as Zhangge
Useradd Zhangge
②, modify password
passwd Zhangge
③, add account number to wheel group
Usermod-g Wheel Zhangge
④, set to allow only the account of this group, use the SU command to switch to root
Vim/etc/pam.d/su
Find #auth required pam_wheel.so Use_uid
Remove the line at the beginning of the comment # and then use: Wq Save exit
Then Vim/etc/login.defs.
At the bottom add su_wheel_only Yes, and then use: Wq save exit.
Ps: Execute echo "Su_wheel_only yes" >>/etc/login.defs also.
Now, to create a new normal account, you can not use the SU command to switch to the root group, interested in testing the effect.

⑤, removing unwanted users and user groups

All default and unnecessary accounts that are started by the operating system itself are prohibited, and the more the account number, the more vulnerable the system will be.

Userdel Adm.
Userdel LP
Userdel Sync
Userdel shutdown
Userdel Halt
Userdel News
Userdel UUCP
Userdel operator
Userdel Games
Userdel Gopher
Userdel FTP
Groupdel LP
Groupdel News
Groupdel UUCP
Groupdel Games
Groupdel Dip
Groupdel pppusers
⑥, lock password file

You can prevent unauthorized users from obtaining permissions by executing the chattr command to add a non-changed attribute to the file below.
Shell

Chattr +i/etc/passwd
Chattr +i/etc/shadow
Chattr +i/etc/group
Chattr +i/etc/gshadow

Second, SSH security settings

①, modifying SSH ports
The default SSH port is 22 ports, so it is well known that we need to customize the port number that only we know, and to increase the difficulty of those malicious scan ports, we recommend that you change the SSH port to more than 10000, such as using 23212, as follows:
Ps: Before modifying, please perform IPTABLES-NL Verify that the firewall does not set a non-22/80 access restriction rule, or it may result in a modified inability to use a custom port connection. It's tragic!
Vim/etc/ssh/sshd_config Edit SSH configuration file
I find #port 22, remove #, and add Port 23212 below (save 22 ports, 23212 successful connections and then remove 22, insurance practices)
Ii. Continue to find #usedns Yes, change to Usedns No, you can improve the connection speed of SSH;
Iii. find #permitrootlogin Yes to Permitrootlogin no prohibit root remote SSH logon
Iv. find To #permitemptypasswords No, remove #, prohibit null password login
Finally, use: Wq save exit, then perform service sshd restart Restart SSH service can take effect.
At this point, you can open a new terminal, test whether through the 23212-Port line, if you can delete the previously reserved port 22.
 
Third, firewall simple security settings

This VPS is a direct use of public network IP, firewall or a simple set up.
Pre-planning as follows:
Only use as a Web server, so just open the SSH and HTTP ports, that is, as long as the 23212 and 80 ports defined above, because not using FTP, this example does not refer to Port 21st, the actual use please pay attention to distinguish.
①, preparatory work
Because the operation of the firewall has a certain risk of misoperation, it is likely to lead to their own is also blocked out of the tragedy, so before the operation of the firewall must first establish a shutdown firewall planning tasks, such as:
Executive CRONTAB-E Join:

1
*/5 * * * root/etc/init.d/iptables stop
That every 5 minutes to stop the firewall, in case of misoperation to block themselves outside, even if there are misoperation, within 5 minutes will stop, and will not cause tragedy, this is a skill!
②, firewall settings script
The following code I am correct, please rest assured that the use of policy description:
I. Only open http (80) and SSH (automatic crawl) port, the other refused access! You can add additional ports on line 10th, such as FTP 21 ports, SMTP25 ports, and so on, according to the actual needs.
Ii. one-way ban ping settings, that is, external IP can not ping your public network IP.

Shell

#!/bin/bash
Ssh_port= ' NETSTAT-NUTLP | grep sshd | grep 0.0.0.0 | awk ' {print $} ' | Cut-d ":"-f2 '
Iptables-f
Iptables-f-T NAT
Iptables-x
Iptables-p INPUT DROP
Iptables-p OUTPUT ACCEPT
Iptables-p FORWARD DROP
Iptables-a input-i lo-j ACCEPT
Iptables-a input-m State--state established,related-j ACCEPT
Iptables-a input-p tcp-m multiport--dport, $ssh _port-j ACCEPT
Iptables-a input-p ICMP--icmp-type 0-j ACCEPT
/etc/init.d/iptables Save
Exit 0

Remember to cancel the task plan in step ① after confirming the error.
Like my VPS firewall rules are as follows:

Iv. Other security settings

①, Ban Ping

Execute the following command:

Shell

Echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
Then use your computer ping server IP can see the effect!
Of course, if you use the above firewall script, you have already banned ping function. The difference between the two methods is as follows:
In the above method, ping can return the message (provided the firewall does not have a blocking rule, or it will timeout):

Using the firewall method, the direct timeout is:

Ps: Personally recommended using the above firewall script settings, more thorough.
②, open TCP SYN cookie protection
Execute echo 1 >/proc/sys/net/ipv4/tcp_syncookies.
Do here, your VPS has a good security, when the Internet does not have absolute security, we must always pay attention to the network security dynamics, at any time to have exposed and potential security vulnerabilities to repair.

VPS Optimization Settings

One, increase the swap partition

VPS (Virtual Private server) technology, the division of a server into a number of virtual exclusive server services. Each VPS can be assigned independent public network IP address, independent operating system, independent super space, independent memory, independent execution program and independent system configuration.
Here are some of the notes in the configuration process:
VPS has only one root partition, no swap swap partition. The VPS has little memory, so I added a swap file for it.
1, into a directory
cd/var/
2, get 256M of File Block:
DD If=/dev/zero of=swapfile bs=1024 count=262144
3. Create swap file
/sbin/mkswap Swapfile
4. Activate swap file
/sbin/swapon Swapfile
5. Check to see if swap is correct:
/sbin/swapon-s
6, add to the Fstab file to allow the system to boot automatically
Vi/etc/fstab
Add the following at the end:
/var/swapfile Swap Defaults 0 0
Ps: This method in the previous article in the Marth Pavilion has also been sorted, see: For installed Linux add Swap swap partition.
--------------------------------------------------------------------------------
Second, modify the Linux system time zone

The system defaults to US Eastern time, modifies the Linux time zone to East eight area
Cp-f/usr/share/zoneinfo/asia/shanghai/etc/localtime
Three, Linux kernel parameter optimization

Linux kernel parameter optimization can be done using the SYSCTL command, but the command only takes effect temporarily, and to permanently retain the configuration, we have to edit the sysctl.conf file. Please attach sysctl.conf detailed parameter description
Parameter setting and reference recommended value in sysctl.conf file

Click Expand Code
Need to optimize the friend, can refer to the above parameter description, and according to the actual server load to customize your sysctl.conf file, the following affixed to the Nginx kernel parameter optimization example, for reference only (to be added):

Net.ipv4.ip_forward = 0
Net.ipv4.conf.default.rp_filter = 1
Net.ipv4.conf.default.accept_source_route = 0
KERNEL.SYSRQ = 0
Kernel.core_uses_pid = 1
Net.ipv4.tcp_syncookies = 1
KERNEL.MSGMNB = 65536
Kernel.msgmax = 65536
Kernel.shmmax = 68719476736
Kernel.shmall = 4294967296
Net.ipv4.tcp_max_tw_buckets = 6000
Net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
Net.ipv4.tcp_rmem = 4096 87380 4194304
Net.ipv4.tcp_wmem = 4096 16384 4194304
Net.core.wmem_default = 8388608
Net.core.rmem_default = 8388608
Net.core.rmem_max = 16777216
Net.core.wmem_max = 16777216
Net.core.netdev_max_backlog = 262144
Net.core.somaxconn = 262144
Net.ipv4.tcp_max_orphans = 3276800
Net.ipv4.tcp_max_syn_backlog = 262144
Net.ipv4.tcp_timestamps = 0
Net.ipv4.tcp_synack_retries = 1
Net.ipv4.tcp_syn_retries = 1
Net.ipv4.tcp_tw_recycle = 1
Net.ipv4.tcp_tw_reuse = 1
Net.ipv4.tcp_mem = 94500000 915000000 927000000
Net.ipv4.tcp_fin_timeout = 1
Net.ipv4.tcp_keepalive_time = 30
Net.ipv4.ip_local_port_range = 1024 65000
Add the above code to the end of the sysctl.conf file, and then execute the/sbin/sysctl-p to take effect.

Third, close redundant TTY, free memory

Linux by default will start 6 TTY console, all need resident memory (1tty occupy 4M many appearance), in fact, there is no need to use so many TTY, personal VPS, only need to 1~2 a TTY can.
centos5.* Set TTY Number:
①, edit/etc/inittab, find TTY [1-6] change to TTY [1-2]
②, edit/etc/sysconfig/init, also changed TTY [1-6] to TTY [1-2]
Restart the system to take effect (we recommend not to restart, and so on after the completion of the operation can be restarted);
CentOS 6.* Set TTY number:
CentOS 6.0 The configuration of the TTY is changed from/etc/inittab to/etc/init/start-ttys.conf, so the first ① step above becomes:
①, edit/etc/init/start-ttys.conf, find TTY [1-6] change to TTY [1-2]
② Ditto Edit can
Four, close IPv6

IPv6 generally can not be used, completely closed.
Edit/etc/modprobe.d/dist.conf file, append at last:
Alias net-pf-10 off
Alias IPv6 off
Then reboot the system (some distributions may be/etc/modprobe.conf files).
V. Close redundant Startup items

Executive Chkconfig--list | Grep:on List Startup items:

Then locate the item that does not need to be started, and execute the CHKCONFIG program name off.
For example, Ip6tables is a IPv6 firewall, does not use, executes chkconfig ip6tables off, and then executes the service ip6tables stop to completely shut down ip6tables this redundant process.
The rest of the process, please check the role first, and then to operate to avoid errors.
For the time being to organize so much, follow-up found more optimization settings, and then to append ~