Secure deployment of Linux systems for Web server security settings

Source: Internet
Author: User
Tags: gopher

This article walks newcomers to Linux through the common server security settings and server optimizations for Linux systems. Security is no trivial matter: for a full-time system administrator, being able to build a secure Linux system is a basic skill. The following 15 items are the security settings and optimizations that Sinesafe deploys for its customers. If you need in-depth professional security hardening, consult a professional security company; in China, Sinesafe, Green League and Venus Chen are recommended.

I. Comment out users and user groups the system does not need

Note: deleting them outright is not recommended; re-adding a user later, when it is needed again, is cumbersome.

cp /etc/passwd /etc/passwdbak    # back up before modifying

vi /etc/passwd    # edit users: add # at the front of a line to comment it out

#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comment out the anonymous ftp account

cp /etc/group /etc/groupbak    # back up before modifying

vi /etc/group    # edit groups: add # at the front of a line to comment it out

#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
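As an added example (not part of the original article), the following script audits a passwd(5)-format file for accounts that can still log in, which is how you would confirm that the edits above took effect or find remaining candidates on another host. The sample passwd data is constructed, and the UID 500 cutoff for system accounts is an assumption matching the CentOS 5/6 convention.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a passwd(5)-format
# file for accounts that can still log in. The sample data below is
# constructed; the UID cutoff of 500 is the CentOS 5/6 convention for
# system accounts and is passed in rather than hard-coded.

# Print "name:uid:shell" for every account whose shell is not nologin or
# false. Lines commented out with a leading "#" (as the article does) are
# skipped.
interactive_accounts() {
    awk -F: '$1 !~ /^#/ && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Same, restricted to system accounts (UID below the cutoff, root excluded).
# Anything this prints is a candidate for the treatment in section I.
system_accounts_with_shell() {
    awk -F: -v cutoff="${2:-500}" \
        '$1 !~ /^#/ && $1 != "root" && $3 < cutoff && $7 !~ /(nologin|false)$/ {
             print $1 ":" $3 ":" $7
         }' "$1"
}

# Constructed sample, modelled on the entries the article comments out.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
#games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
webadmin:x:500:500::/home/webadmin:/bin/bash
EOF

echo "Accounts that can log in:"
interactive_accounts "$SAMPLE"
echo
echo "System accounts (UID < 500) that still have a shell:"
system_accounts_with_shell "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against the real file with `system_accounts_with_shell /etc/passwd`; an empty result means every low-UID account other than root is already locked out of interactive login.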

II. Shut down services the system does not need

service acpid stop; chkconfig acpid off    # stop the service and disable it at boot; advanced power management, mainly used on laptops
service autofs stop; chkconfig autofs off    # disable automatic mounting of filesystems and peripheral devices
service bluetooth stop; chkconfig bluetooth off    # disable Bluetooth
service cpuspeed stop; chkconfig cpuspeed off    # disable CPU frequency scaling, which is mainly a power-saving feature
service cups stop; chkconfig cups off    # disable the Common UNIX Printing System (printer support)
service ip6tables stop; chkconfig ip6tables off    # disable IPv6

Note: stopping ip6tables only removes the IPv6 firewall rules; it does not disable the IPv6 stack itself, so a host that still has IPv6 addresses becomes unfiltered on IPv6 rather than unreachable.

###########################################################################

To restore a service, do the reverse:

service acpid start; chkconfig acpid on

III. Prevent non-root users from executing the system scripts under /etc/rc.d/init.d/

chmod -R 700 /etc/rc.d/init.d/*

chmod -R 755 /etc/rc.d/init.d/*    # restore the default permissions (755, not 777: world-writable init scripts would let any local user alter code that runs as root at boot)

IV. Add the immutable attribute to the following files to prevent unauthorized users from modifying them

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the system service/port list file to prevent unauthorized deletion or addition of services

lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # show the files' attributes

Note: after setting these attributes you can no longer add or delete users. To add or delete a user, first remove the attribute, make the change, and then reapply it:

chattr -i /etc/passwd    # remove the lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services    # unlock the system service/port list file

You can now add and delete users; lock the files again once the operation is finished.
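The unlock, change, relock sequence above is easy to get wrong by hand (a failed useradd leaves the files unlocked). As an added example that is not the article's own code, this wrapper performs the sequence around a single command and relocks in every case. It assumes the four account files listed in this section; for real use it needs root and an ext2/3/4 filesystem, and the CHATTR variable is an assumption added so the logic can be dry-run without touching the system.

```shell
#!/bin/sh
# Added example, not from the original article: wrap one administrative
# command so that the files locked in section IV are unlocked only for its
# duration and re-locked afterwards, whether or not the command succeeds.
# For real use this needs root and an ext2/3/4 filesystem; the file list is
# taken from the section above. CHATTR is overridable so the logic can be
# dry-run (or tested) without touching the system.
LOCKED_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow"

# $LOCKED_FILES is deliberately unquoted so it splits into separate paths.
lock_account_files()   { ${CHATTR:-chattr} +i $LOCKED_FILES; }
unlock_account_files() { ${CHATTR:-chattr} -i $LOCKED_FILES; }

# Usage: with_unlocked useradd -m webadmin
# Runs the command between unlock and lock; returns the command's exit status.
# The "&& ... ||" form captures a failure even when the caller uses "set -e".
with_unlocked() {
    if ! unlock_account_files; then
        lock_account_files    # re-lock whatever did get unlocked
        return 1
    fi
    "$@" && status=0 || status=$?
    lock_account_files
    return $status
}

# Dry run in a subshell: CHATTR=echo prints the chattr calls instead of
# executing them, so this is safe to run on any machine.
( CHATTR=echo; with_unlocked echo "(useradd would run here)" )
```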

V. Restrict permissions on individual files

chattr +a .bash_history    # prevent .bash_history from being deleted or redirected to /dev/null
chattr +i .bash_history

chmod 700 /usr/bin          # restore: chmod 555 /usr/bin
chmod 700 /bin/ping         # restore: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim      # restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat      # restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail     # restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less     # restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head     # restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat          # restore: chmod 755 /bin/cat
chmod 700 /bin/uname        # restore: chmod 755 /bin/uname
chmod 500 /bin/ps           # restore: chmod 755 /bin/ps

Note: +a on its own lets the shell keep appending to .bash_history while blocking truncation and deletion; adding +i as well makes the file fully read-only, so no further history is recorded. The chmod 700 lines deny execution to every non-root account, including service accounts such as the web server user, so test the effect before applying them on a production host.
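Hardened modes like the ones above tend to drift back after package updates, so it helps to keep the list as data and verify it. As an added example (not code from the article), the script below applies a "mode path" list and then checks it, reporting files that are missing or whose mode differs. It uses GNU `stat -c %a`; the files it operates on are constructed in a temporary directory, not real system binaries.

```shell
#!/bin/sh
# Added example, not from the original article: keep the hardened modes of
# section V as data, apply them, and later verify nothing has drifted back.
# Uses GNU "stat -c %a" (Linux coreutils). Paths below are constructed in a
# temporary directory so the demo never touches real system binaries.

# Input file format, one entry per line: <octal mode> <path>
apply_modes() {
    while read -r mode path; do
        [ -n "$path" ] || continue
        if [ -e "$path" ]; then
            chmod "$mode" "$path"
        else
            echo "SKIP     $path (not present)"
        fi
    done < "$1"
}

# Print MISSING/MISMATCH lines; return 1 if anything is off, 0 otherwise.
check_modes() {
    rc=0
    while read -r mode path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(stat -c %a "$path")
        if [ "$actual" != "$mode" ]; then
            echo "MISMATCH $path expected=$mode actual=$actual"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed demo: fake "binaries" standing in for /bin/ping and /bin/cat.
DEMO=$(mktemp -d)
: > "$DEMO/ping"; : > "$DEMO/cat"
chmod 4755 "$DEMO/ping"   # default setuid ping, the article's restore value
chmod 755  "$DEMO/cat"    # default cat

HARDENED="$DEMO/hardened.list"
printf '700 %s\n700 %s\n700 %s\n' "$DEMO/ping" "$DEMO/cat" "$DEMO/netstat" > "$HARDENED"

echo "Before hardening:"
check_modes "$HARDENED" || true
apply_modes "$HARDENED"
echo "After hardening:"
if check_modes "$HARDENED"; then echo "all modes as expected"; fi
rm -rf "$DEMO"
```

Running `check_modes` from cron against the real list gives a cheap drift alarm: a non-zero exit means a listed file has been restored to its default mode or removed.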

VI. Disable the Ctrl+Alt+Del shortcut for restarting the server

cp /etc/inittab /etc/inittabbak

vi /etc/inittab    # comment out the following line

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

VII. When updating with yum update, update only the packages, not the kernel

Because of system and hardware compatibility issues, a server may fail to boot after a kernel upgrade, which is a serious problem. Unless there is a specific need, do not upgrade the kernel casually.

cp /etc/yum.conf /etc/yum.confbak

1. Edit the yum configuration file with vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section.

2. Or pass the parameter directly on the yum command line:

yum --exclude=kernel* update

cat /etc/issue    # show the system version

uname -a    # show the kernel version

VIII. Turn off CentOS automatic updates

chkconfig --list yum-updatesd    # show the current state
yum-updatesd    0:off  1:off  2:on  3:on  4:on  5:on  6:off

service yum-updatesd stop    # stop it (use start to turn it back on)
Stopping yum-updatesd: [  OK  ]

service yum-updatesd status    # check that it is stopped
yum-updatesd is stopped

chkconfig --level 35 yum-updatesd off    # disable at boot in runlevels 3 and 5
chkconfig yum-updatesd off    # disable at boot in all runlevels

chkconfig --list yum-updatesd    # show the current state
yum-updatesd    0:off  1:off  2:on  3:off  4:on  5:off  6:off

IX. Close redundant virtual consoles

We know that switching from the console to the X window system is normally done with Alt-F7. Why? Because the system defines 6 virtual consoles by default, so X is the 7th. In practice most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.

cp /etc/inittab /etc/inittabbak

vi /etc/inittab

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

X. Delete the MySQL history

MySQL also records the SQL commands a user executes after logging in to the database, in the .mysql_history file in that user's home directory.

If a database user changes a database password with an SQL statement, that password is exposed through .mysql_history as well.

So when logging in from the shell or running backups, do not put the password directly after -p; enter it when the client prompts for it.

Beyond that, we should also stop these two files from recording our operations, just in case.

cd
cp .bash_history .bash_historybak    # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

Note: pointing .bash_history at /dev/null is the opposite of the chattr +a protection in section V, which keeps that file as an audit trail of what was typed; choose one policy per host rather than applying both.

XI. Change the number of history commands recorded

cp /etc/profile /etc/profilebak

vi /etc/profile

Find HISTSIZE=1000 and change it to HISTSIZE=50.

XII. Hide server system information

By default, when you log in to a Linux system, it tells you the name and version of the Linux distribution, the kernel version, and the server name.

To keep this default information from leaking, do the following so that only a "login:" prompt is shown.

Delete the two files /etc/issue and /etc/issue.net, or rename them; the effect is the same.

mv /etc/issue /etc/issuebak

mv /etc/issue.net /etc/issue.netbak

XIII. Optimizing Linux kernel parameters

cp /etc/sysctl.conf /etc/sysctl.confbak

vi /etc/sysctl.conf    # add the following at the end of the file

net.ipv4.ip_forward = 1    # change to 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000

/sbin/sysctl -p    # apply the configuration immediately

Note: net.ipv4.tcp_tw_len is not a kernel parameter and sysctl -p will report it as an unknown key; the ip_conntrack_* keys exist only while the ip_conntrack module is loaded; tcp_tw_recycle has no effect while tcp_timestamps is 0 and was removed in kernel 4.12; and ip_forward = 1 turns the host into a router, which a plain web server does not need.
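Because `sysctl -p` applies settings in order and complains key by key, a list like the one above is easier to validate before it is loaded. As an added example (not from the article), the script below resolves each key in a sysctl.conf-style file to its path under /proc/sys and reports the ones that do not exist, such as the tcp_tw_len key above, which no kernel provides. The second argument is an assumption added so the check can run against a constructed directory tree instead of the real /proc/sys; the demo data is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check for a
# sysctl.conf-style file. It resolves each key to its /proc/sys path and
# reports the ones that do not exist (misspelled keys, keys from a module that
# is not loaded such as ip_conntrack, or keys like tcp_tw_len that no kernel
# has) before "sysctl -p" is run. The second argument lets the check run
# against any directory tree; the demo below builds a constructed tree so it
# never reads the real /proc/sys.
# Limitation: interface names containing dots (eth0.100) are not handled.

# Print one line per setting: "ok       key = value" or "UNKNOWN  key (path)".
sysctl_preflight() {
    conf=$1
    root=${2:-/proc/sys}
    # Drop comments (including trailing "# ..." notes) and blank lines.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -f "$path" ]; then
            printf 'ok       %s = %s\n' "$key" "$value"
        else
            printf 'UNKNOWN  %s (%s)\n' "$key" "$path"
        fi
    done
}

# Number of keys that would fail; 0 means "sysctl -p" is safe to run.
sysctl_unknown_count() {
    sysctl_preflight "$1" "$2" | grep -c '^UNKNOWN' || true
}

# Constructed demo tree and config file.
FAKE=$(mktemp -d)
mkdir -p "$FAKE/net/ipv4" "$FAKE/net/core"
: > "$FAKE/net/core/somaxconn"
: > "$FAKE/net/ipv4/tcp_fin_timeout"
: > "$FAKE/net/ipv4/tcp_tw_reuse"
CONF="$FAKE/sysctl.conf"
cat > "$CONF" <<'EOF'
# constructed sample in the article's style
net.core.somaxconn = 262144
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_len = 1    # not a real kernel parameter
EOF

sysctl_preflight "$CONF" "$FAKE"
echo "unknown keys: $(sysctl_unknown_count "$CONF" "$FAKE")"
rm -rf "$FAKE"
```

On a real host, `sysctl_unknown_count /etc/sysctl.conf` returning 0 means every key resolves on the running kernel; a non-zero count lists exactly which lines `sysctl -p` would reject.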

XIV. CentOS system optimization

cp /etc/profile /etc/profilebak2

vi /etc/profile    # add the following at the end of the file

ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C

source /etc/profile    # apply the configuration immediately

ulimit -a    # show the current per-user process limits

XV. Disable ping on the server

cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak

vi /etc/rc.d/rc.local    # add the following line at the end of the file

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

A value of 0 allows ping replies; 1 disables them. The same setting can also be kept persistently as net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf, alongside the parameters of section XIII.

