Security Settings in centos 5.1 (applicable to all Linux versions)

Source: Internet
Author: User
Tags: gpg, ssh, port

Normally, any user who runs "su -" and enters the correct root password becomes root and can administer the system. To tighten this, create an administrator group whose members are the only users allowed to become root with "su -"; users outside the group are refused even when they enter the correct root password. On UNIX this group is traditionally called "wheel".
First, create two ordinary users, tom and john.
[root@www ~]# useradd tom
[root@www ~]# passwd tom
(enter the password)
[root@www ~]# useradd john
[root@www ~]# passwd john
(enter the password)
[root@www ~]# usermod -G wheel tom    (add the user tom to the wheel group)
[root@www ~]# vi /etc/pam.d/su    (open the configuration file, find the sixth line and remove the "#" in front of it so that it reads as follows)
auth            required        pam_wheel.so use_uid
[root@www ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs    (append to the file; a single ">" would overwrite /etc/login.defs)
Now log in as tom and as john in turn and run "su -". The user who is not in the wheel group cannot become root even after entering the correct root password.
When the system reports an error or sends an important notification to root, have it forward the mail to the mailbox you normally read, so that the reports and logs are easy to check.
[root@www ~]# vi /etc/aliases
Below these two lines,
mailer-daemon: postmaster
postmaster: root
add this line (put your own mailbox address after the colon):
root: your-mailbox-address
[root@www ~]# newaliases    (rebuild the aliases database)
[root@www ~]# echo test | mail root    (send a test mail to root)
[8] Defining an unofficial yum repository

Some of the tools used while building the server are not in the official CentOS yum repository. We therefore define an unofficial repository in a yum configuration file and install the tools through yum. With gpgcheck=1, yum refuses any package whose signature does not verify against the imported key, so import the repository's GPG key before installing from it.

[root@sample ~]# vi /etc/yum.repos.d/dag.repo    (create dag.repo and define the unofficial repository; the repository URL did not survive in this copy of the page, so baseurl= is shown empty)

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=
gpgcheck=1
enabled=1

[root@sample ~]# rpm --import    (import the GPG key of the unofficial repository; the key URL is missing from the source)
[9] Stopping the printing service

If you do not need to provide printing, stop the CUPS printing service, which is set to start automatically by default.

[root@sample ~]# /etc/rc.d/init.d/cups stop    (stop the printing service)
Stopping cups: [  OK  ]    ("OK" shows the service stopped successfully)

[root@sample ~]# chkconfig cups off    (disable automatic start of the printing service)

[root@sample ~]# chkconfig --list cups    (confirm the autostart setting of the service)
cups    0:off   1:off   2:off   3:off   4:off   5:off   6:off    (run levels 0 to 6 all show off, so the printing service no longer starts at boot)
[10] Stopping IPv6

By default CentOS has IPv6 enabled. Since we do not use IPv6, disable it for security and speed.

First, check whether IPv6 is enabled.

[root@www ~]# ifconfig -a    (list all network interfaces)
sit0      Link encap:IPv6-in-IPv4    (this line confirms that IPv6 is active)
[root@www ~]# vi /etc/modprobe.conf    (edit the configuration file and add the following two lines at the end)
alias net-pf-10 off
alias ipv6 off
[root@www ~]# shutdown -r now    (restart the system so the setting takes effect)
Edit /etc/yum.repos.d/CentOS-Base.repo and change the mirror site to a mirror in China; otherwise installing software through yum is extremely slow. The mirror and GPG key URLs did not survive in this copy of the page, so baseurl= and gpgkey= are shown empty below; fill them in with the mirror you chose. Modify the file as follows:

# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.

[base]
name=CentOS-$releasever - Base
baseurl=
gpgcheck=1
gpgkey=
protect=1

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=
gpgcheck=1
gpgkey=
protect=1

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
baseurl=
gpgcheck=1
gpgkey=
protect=0

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=
gpgcheck=1
gpgkey=
protect=0

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=
gpgcheck=1
enabled=0
gpgkey=
protect=1

#contrib - packages by CentOS users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=
gpgcheck=1
enabled=0
protect=0
gpgkey=
Update the system:
[root@www ~]# yum -y upgrade
Some security settings

1. Use a firewall to close unnecessary ports. If others cannot ping the server, the threat is naturally reduced by more than half.

Methods to prevent others from pinging the server:

1) At the command prompt (takes effect immediately but is lost at reboot; to keep it, add net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf):
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2) Use the firewall to reject (or drop) ICMP packets:
iptables -A INPUT -p icmp -j DROP

3) Do not respond to any ICMP packets at all, for example ping and tracert.

2. Change the SSH port to a number above 10000; the chance that others scan it is then much smaller.

Change the Port line in /etc/ssh/sshd_config to 1000 or above. Open the new port in the firewall and restart sshd (service sshd restart), then verify the new port from a second session before closing the current one.

Create an ordinary login user and disable direct root login:
useradd 'username'
passwd 'username'

Add the following line at the end of /etc/ssh/sshd_config:
PermitRootLogin no    (disable direct remote root login)

3. Delete redundant accounts that bloat the system:
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp    (delete this account if you do not allow anonymous FTP)
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers

4. Change the attributes of the following files so that nobody can modify the account database (remove the immutable flag with chattr -i before you next add or change a user, or useradd and passwd will fail):
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

5. chmod 600 /etc/xinetd.conf
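As an added audit helper that is not part of the original article, the following POSIX shell script checks whether the wheel-only su setting (the pam_wheel line in /etc/pam.d/su), the sshd Port and PermitRootLogin settings, and the account cleanup above are actually in effect. It runs here against constructed sample files (their contents, the port 10022 and the leftover accounts are made up for the demonstration); point the functions at /etc/pam.d/su, /etc/ssh/sshd_config and /etc/passwd to audit a real host.

```shell
#!/bin/sh
# Added audit helper, not part of the original article: each check takes a file
# path and returns 0 when the hardening step is in effect, 1 otherwise. Point it
# at /etc/pam.d/su, /etc/ssh/sshd_config, /etc/passwd, or at samples as below.

# Enforced only if an UNCOMMENTED auth line loads pam_wheel.so with use_uid.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$1"
}

# sshd honours the first occurrence of a keyword, and an absent PermitRootLogin
# means the default "yes", so only an explicit active "PermitRootLogin no" passes.
sshd_root_login_disabled() {
    v=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" | head -n 1 | awk '{print tolower($2)}')
    [ "$v" = "no" ]
}

# Prints the effective listening port (22 when no active Port line exists).
sshd_port() {
    p=$(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# Prints, space separated, which of the accounts the article deletes still exist.
leftover_accounts() {
    awk -F: 'BEGIN { n = split("adm lp sync shutdown halt news uucp operator games gopher ftp", a, " ")
                     for (i = 1; i <= n; i++) w[a[i]] = 1 }
             ($1 in w) { printf "%s%s", s, $1; s = " " }
             END { print "" }' "$1"
}

WORK=$(mktemp -d)
# Constructed sample: the CentOS 5 default /etc/pam.d/su (pam_wheel commented out)
cat > "$WORK/su.default" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
EOF
# Constructed sample: the same file after removing the leading "#"
sed 's/^#auth\(.*pam_wheel\)/auth\1/' "$WORK/su.default" > "$WORK/su.hardened"
# Constructed sshd_config samples: stock (keywords commented out) and edited
printf '#Port 22\n#PermitRootLogin yes\n' > "$WORK/sshd.default"
printf 'Port 10022\nPermitRootLogin no\n' > "$WORK/sshd.hardened"
# Constructed /etc/passwd excerpt with two accounts from the list still present
printf 'root:x:0:0:root:/root:/bin/bash\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\ntom:x:500:500::/home/tom:/bin/bash\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n' > "$WORK/passwd"
for f in su.default su.hardened; do
    pam_wheel_enforced "$WORK/$f" && echo "$f: su restricted to wheel" || echo "$f: su open to all users"
done
echo "sshd port: $(sshd_port "$WORK/sshd.hardened"), leftover accounts: $(leftover_accounts "$WORK/passwd")"
```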
