Security Settings under CentOS 5.1 (for all Linux versions) _linux

Source: Internet
Author: User
Tags gpg ssh centos file permissions ssh port firewall
In a default installation any user who knows the root password can become root by running `su -` and entering it. To tighten this, restrict su to a dedicated administrators' group: only members of that group may run `su -` to become root, and everyone else is refused even if they enter the correct root password. On UNIX systems this group is traditionally called "wheel", and CentOS already ships it (gid 10).
First create two ordinary users, tom and john.
[root@www ~]# useradd tom
[root@www ~]# passwd tom
Enter a password.
[root@www ~]# useradd john
[root@www ~]# passwd john
Enter a password.
[root@www ~]# usermod -G wheel tom ← add tom to the wheel group (-G sets the supplementary group list; for a user who already has other supplementary groups use -a -G so they are kept)
[root@www ~]# vi /etc/pam.d/su ← open this file, find the following line (about the sixth line) and uncomment it by removing the leading #
auth            required        pam_wheel.so use_uid
[root@www ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs
The pam_wheel line is what enforces the restriction; su on CentOS 5 is PAM-based and does not read SU_WHEEL_ONLY from login.defs, so that line is harmless but not what does the work. Make sure at least one real administrator is in wheel before enabling pam_wheel, or nobody will be able to su (root can still log in on the console). Note that this restricts su only; sudo has its own policy in /etc/sudoers.
Now log in as tom and john in turn and run `su -`: tom, who is in wheel, gets a root shell after entering the root password, while john, who is not, is refused even with the correct root password.
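An added example (shell script, not part of the original article) that checks the outcome of the steps above without actually running su: it parses copies of /etc/pam.d/su, /etc/group and /etc/passwd and reports whether a user would be allowed to su to root. The sample files it writes are constructed to mirror the article's setup (tom in wheel, john not, plus the stock "before" file with the pam_wheel line still commented out); on a real system pass the real paths instead.

```shell
#!/bin/sh
# Added example, not from the original article: decide whether a user would be
# allowed to `su` to root under the wheel-only policy, by reading copies of
# /etc/pam.d/su, /etc/group and /etc/passwd. pam_wheel.so accepts both the
# primary group and the supplementary groups, so both files are consulted.

# 0 if an active (uncommented) "auth required pam_wheel.so" line is present.
pam_wheel_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# in_wheel GROUPFILE PASSWDFILE USER: 0 if USER is in wheel, either as a
# supplementary member (group file, 4th field) or via the primary gid.
in_wheel() {
    group_file=$1; passwd_file=$2; user=$3
    wheel_gid=$(awk -F: '$1 == "wheel" { print $3 }' "$group_file")
    awk -F: -v u="$user" '$1 == "wheel" { n = split($4, m, ",");
        for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 } END { exit ok ? 0 : 1 }' \
        "$group_file" && return 0
    awk -F: -v u="$user" -v g="$wheel_gid" '$1 == u && $4 == g { ok = 1 }
        END { exit ok ? 0 : 1 }' "$passwd_file"
}

# su_verdict PAMFILE GROUPFILE PASSWDFILE USER: prints "allowed" or "denied".
# With pam_wheel active only wheel members may su to root; without it anyone
# holding the root password may. Root itself passes pam_rootok.so first.
su_verdict() {
    pam_file=$1; group_file=$2; passwd_file=$3; user=$4
    if [ "$user" = root ]; then echo allowed; return; fi
    if pam_wheel_active "$pam_file" && ! in_wheel "$group_file" "$passwd_file" "$user"; then
        echo denied
    else
        echo allowed
    fi
}

# Constructed sample files (not copied from a real system): su.before is the
# stock file with pam_wheel commented out, su.after has it enabled; tom is a
# wheel member, john is not.
make_samples() {
    d=$(mktemp -d)
    printf '#%%PAM-1.0\nauth\t\tsufficient\tpam_rootok.so\n# auth\t\trequired\tpam_wheel.so use_uid\nauth\t\tinclude\t\tsystem-auth\n' > "$d/su.before"
    printf '#%%PAM-1.0\nauth\t\tsufficient\tpam_rootok.so\nauth\t\trequired\tpam_wheel.so use_uid\nauth\t\tinclude\t\tsystem-auth\n' > "$d/su.after"
    printf 'root:x:0:root\nwheel:x:10:tom\ntom:x:500:\njohn:x:501:\n' > "$d/group"
    printf 'root:x:0:0:root:/root:/bin/bash\ntom:x:500:500::/home/tom:/bin/bash\njohn:x:501:501::/home/john:/bin/bash\n' > "$d/passwd"
    echo "$d"
}

# Usage on the samples: john is refused only once the pam_wheel line is active.
d=$(make_samples)
for u in tom john; do
    echo "$u before: $(su_verdict "$d/su.before" "$d/group" "$d/passwd" "$u")"
    echo "$u after:  $(su_verdict "$d/su.after"  "$d/group" "$d/passwd" "$u")"
done
```

On a live system, running it as `su_verdict /etc/pam.d/su /etc/group /etc/passwd someuser` is a quick post-change check that the right accounts, and only those, can still reach root.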
Error reports and important notifications are mailed to root. Forward root's mail to a mailbox you read regularly, so that these reports and logs are actually seen instead of piling up unread in the local spool.

[root@www ~]# vi /etc/aliases
Below these two lines:
mailer-daemon:  postmaster
postmaster:     root
add the following line, with your own address in place of the author's:
root:           zy66289214@126.com
[root@www ~]# newaliases ← rebuild the aliases database
[root@www ~]# echo Test | mail root ← send a test message to root and confirm it arrives in that mailbox
Bear in mind that such mail can contain hostnames, usernames and paths and normally travels unencrypted, so forward it to an account you control.
[8] Defining an unofficial Yum repository

Some of the tools needed while building a server are not in CentOS's official Yum repositories, so define a third-party (unofficial) repository file so that they can be installed with yum.

[root@sample ~]# vi /etc/yum.repos.d/dag.repo ← create dag.repo, defining the unofficial repository

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

[root@sample ~]# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt ← import the repository's GPG signing key
A third-party repository is a supply-chain trust decision: its packages install as root and can replace base packages. Keep gpgcheck=1, compare the fingerprint of the imported key with one published out of band (rpm -qa gpg-pubkey* lists the imported keys, and rpm -qi on one of them shows its details), and consider enabled=0 together with --enablerepo=dag when you need it, or the yum-priorities plugin, so that its packages cannot silently supersede CentOS's own. The DAG/RPMforge repository has since been discontinued and these URLs no longer serve packages.
[9] Stop the printing service

If you are not going to provide a print service, stop the print service that starts automatically by default; every listening daemon that is not needed is attack surface.

[root@sample ~]# /etc/rc.d/init.d/cups stop ← stop the printing service
Stopping cups:                                             [  OK  ] ← "OK" means the service stopped

[root@sample ~]# chkconfig cups off ← disable automatic start of the print service

[root@sample ~]# chkconfig --list cups ← confirm its startup setting
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off ← off in every runlevel, so it will not start at boot
[10] Stop IPv6

CentOS enables IPv6 by default. If you do not use it, disable it: an iptables ruleset filters IPv4 only, so an unused IPv6 stack is an unfiltered way in unless you also maintain ip6tables rules, and removing the stack takes that surface away.

First confirm that IPv6 is in fact active:

[root@www ~]# ifconfig -a ← list all network interfaces
sit0      Link encap:IPv6-in-IPv4 ← the sit0 tunnel device only exists while the ipv6 module is loaded
[root@www ~]# vi /etc/modprobe.conf ← add the following two lines at the end of the file:
alias net-pf-10 off
alias ipv6 off
[root@www ~]# shutdown -r now ← reboot for the setting to take effect
After the reboot, ifconfig -a should no longer show sit0 and lsmod should not list ipv6. With the module off, ip6tables cannot load its rules, so also run chkconfig ip6tables off to avoid an error at boot.
Edit /etc/yum.repos.d/CentOS-Base.repo and point the repositories at a mirror close to you (the author uses mirrors.shlug.org in China); otherwise installing software with yum is very slow. Leave gpgcheck=1 with the official CentOS key: a mirror then cannot hand you modified packages, only packages CentOS itself signed (it could still serve stale ones, so keep an eye on whether updates keep arriving). The modified file:
# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
baseurl=http://mirrors.shlug.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=1
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirrors.shlug.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=1
#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
baseurl=http://mirrors.shlug.org/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=0
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirrors.shlug.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=0
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://mirrors.shlug.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
protect=1
#contrib - packages by CentOS users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=http://mirrors.shlug.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
protect=0
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

The gpgkey lines may equally point at the copy installed with the system, file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5, as the stock file does, so the key is not fetched over plain HTTP; the protect= lines are only honoured when the yum-protectbase plugin is installed. Then update the system:
[root@www ~]# yum -y upgrade
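This added example (not from the article) audits the repository files defined in the two yum sections above, dag.repo and CentOS-Base.repo. It parses each [section] of a .repo file and flags repositories with gpgcheck=0, and repositories that set gpgcheck=1 but carry no gpgkey= line, which verify packages only if the key was imported by hand as in the rpm --import step. The sample .repo content is constructed; the verdict names and the assumption that a missing gpgcheck inherits the 1 set in [main] of /etc/yum.conf are mine.

```shell
#!/bin/sh
# Added example, not from the original article: audit yum .repo files for
# repositories that weaken package signature checking. Key names are
# lower-cased before comparison because the article's transcription
# capitalised them (Gpgcheck=1); awk character classes are avoided so the
# script also runs under older mawk.

# audit_repo_file FILE: prints one line per repository: "<id> <enabled> <verdict>"
#   ok                      gpgcheck=1 and a gpgkey= line is present
#   NO-GPGCHECK             signature checking switched off
#   GPGCHECK-BUT-NO-GPGKEY  relies on a key already imported into the rpm db
audit_repo_file() {
    awk '
        function flush() {
            if (id == "") return
            if (gpgcheck == "") gpgcheck = "1"   # assumed inherited from [main] gpgcheck=1
            if (enabled  == "") enabled  = "1"   # yum default
            verdict = "ok"
            if (gpgcheck != "1")   verdict = "NO-GPGCHECK"
            else if (gpgkey == "") verdict = "GPGCHECK-BUT-NO-GPGKEY"
            print id, enabled, verdict
        }
        /^[ \t]*\[[^]]+[]][ \t]*$/ {          # section header: [repoid]
            flush()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/[]][ \t]*$/, "", id)
            gpgcheck = ""; enabled = ""; gpgkey = ""
            next
        }
        /^[ \t]*[#;]/ { next }               # comment line
        /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=/, "", val); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "enabled") enabled = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { flush() }
    ' "$1"
}

# repo_verdict FILE ID: prints only the verdict for one repository.
repo_verdict() {
    audit_repo_file "$1" | awk -v id="$2" '$1 == id { print $3 }'
}

# Constructed sample: the article's dag.repo entry, one correct base entry,
# and a sloppy entry that turns signature checking off.
make_sample_repo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
Gpgcheck=1
Enabled=1

[base]
name=CentOS-$releasever - Base
baseurl=http://mirrors.shlug.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

# a sloppy entry that disables signature checking
[unsigned-tools]
name=unsigned tools
baseurl=http://example.invalid/tools
gpgcheck=0
enabled=1
EOF
    echo "$f"
}

f=$(make_sample_repo)
audit_repo_file "$f"
```

On a real system loop over /etc/yum.repos.d/*.repo and treat every NO-GPGCHECK line on an enabled repository as a finding; a GPGCHECK-BUT-NO-GPGKEY repository is acceptable only if the key it needs is already listed by rpm -qa gpg-pubkey*.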
Some security settings
1. Use the firewall to close every port you do not need, and stop the server answering ping. Automated sweeps that begin with a ping probe then never see the host, which cuts down opportunistic noise considerably. It is not protection by itself: a scanner run without host discovery (nmap -Pn) still finds open services.

Ways to stop others pinging the host:

1) At the command prompt:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This takes effect immediately but is lost at reboot; to keep it, set net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf.

2) Use the firewall to drop ICMP packets:
iptables -A INPUT -p icmp -j DROP
As written this drops every ICMP type, including the "fragmentation needed" and "time exceeded" messages the host relies on for path MTU discovery and traceroute; limiting the rule with --icmp-type echo-request is safer. On the stock CentOS firewall the INPUT chain immediately jumps to RH-Firewall-1-INPUT, which already accepts all ICMP, so a rule appended with -A is never reached: insert it at the head of the chain with -I instead, or edit /etc/sysconfig/iptables, and save the rules (service iptables save) or they are gone after a reboot.

3) Either way the host no longer answers the ICMP probes used by ping and tracert.

2. Change the SSH port, preferably to a high one (the author suggests above 10000); far fewer scanners probe high ports, so the service draws less automated noise. This is obscurity only, and a port above 1023 can be bound by any local user should sshd ever be stopped, so treat it as a supplement to the steps below, not a substitute.

vi /etc/ssh/sshd_config
Change the Port line to the chosen port. Open that port in iptables before restarting sshd, relabel it for SELinux if SELinux is enforcing (sshd may only bind ports of type ssh_port_t), and keep your current session open until a new login on the new port has been confirmed.

Also create an ordinary login user and disable direct root login:
useradd username
passwd username

vi /etc/ssh/sshd_config
Add the following line at the end:
PermitRootLogin no   # no direct root login over SSH; log in as the ordinary user and su
sshd uses the first active occurrence of a keyword, so make sure no earlier uncommented PermitRootLogin line overrides the one you appended (the stock file only has it commented out), then restart with service sshd restart. Attackers now need a valid username as well as a password before they can even reach su, and the logs record who logged in.
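An added example (not from the article) for the two sshd_config edits above. sshd takes the first active occurrence of a keyword, so appending PermitRootLogin no has no effect if an earlier uncommented PermitRootLogin yes exists; these helpers show which value sshd will actually use and set a keyword in the right place. The sample configuration and the port number 12022 are constructed; on a live system point the helpers at /etc/ssh/sshd_config as root.

```shell
#!/bin/sh
# Added example, not from the original article: edit sshd_config keywords the
# way sshd reads them (first active occurrence wins). Works on any file path;
# run on a copy, or on /etc/ssh/sshd_config as root, then restart sshd.

# effective_opt FILE KEYWORD: prints the value sshd would use, or "unset".
# Commented lines start with "#", so their first field never matches.
effective_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# set_opt FILE KEYWORD VALUE: replace every active line for KEYWORD with a
# single "KEYWORD VALUE" at the position of the first one; append if none.
# Writing back with cat keeps the file's owner and mode (root, 0600).
set_opt() {
    file=$1; key=$2; val=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$val" '
        tolower($1) == tolower(k) { if (!done) { print k, v; done = 1 }; next }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sshd_config fragment: root login is explicitly enabled early on,
# exactly the case where appending "PermitRootLogin no" would be ignored.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server's file
Port 22
Protocol 2
PermitRootLogin yes
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    echo "$f"
}

f=$(make_sample_config)
echo "before: PermitRootLogin=$(effective_opt "$f" PermitRootLogin)"   # yes
set_opt "$f" Port 12022
set_opt "$f" PermitRootLogin no
echo "after:  Port=$(effective_opt "$f" Port)"                         # 12022
echo "after:  PermitRootLogin=$(effective_opt "$f" PermitRootLogin)"   # no
```

After editing the real file run sshd -t to validate it, open the new port in iptables, label it with semanage port -a -t ssh_port_t -p tcp 12022 if SELinux is enforcing, and only then service sshd restart while the current session stays open. The helpers ignore Match blocks and the keyword=value spelling, neither of which the stock CentOS 5 file uses.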

3. Delete the bloated, redundant system accounts that a server does not need:
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp      ← only if you will not offer anonymous FTP; the anonymous FTP service uses this account
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers
Before each userdel, check which files the account owns (find's -user test) so that nothing is left behind with a dangling uid that a later account could inherit, and bear in mind that reinstalling the owning package (cups for lp, for example) recreates the user. Locking the account and giving it /sbin/nologin as its shell achieves the same effect with less risk of breaking package scripts.
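Before running the userdel commands above, this added example (not from the article) audits copies of /etc/passwd and /etc/shadow for the listed accounts and reports which exist and which can actually log in, so that effort goes to the dangerous ones first. The sample files are constructed for illustration (halt and games are deliberately given usable passwords and shells, which a stock install does not do); on a live system pass the real paths as root.

```shell
#!/bin/sh
# Added example, not from the original article: classify the article's list of
# removable accounts as absent, locked or LOGIN-CAPABLE using copies of
# /etc/passwd and /etc/shadow. "locked" means a non-login shell, a locked or
# starred password hash, or no shadow record at all; an empty password field
# means no password is required, which is counted as LOGIN-CAPABLE.

CANDIDATES="adm lp sync shutdown halt news uucp operator games gopher ftp"

# account_status PASSWD SHADOW NAME -> absent | locked | LOGIN-CAPABLE
account_status() {
    passwd_file=$1; shadow_file=$2; name=$3
    line=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$passwd_file")
    [ -n "$line" ] || { echo absent; return; }
    shell=${line##*:}                         # 7th passwd field
    case "$shell" in
        */nologin|*/false) echo locked; return ;;
    esac
    entry=$(awk -F: -v u="$name" '$1 == u { print "found:" $2; exit }' "$shadow_file")
    [ -n "$entry" ] || { echo locked; return; }   # no shadow record: password checks fail
    hash=${entry#found:}
    case "$hash" in
        '*'*|'!'*) echo locked ;;                 # "*", "!!", "!$1$..." are all locked
        *)         echo LOGIN-CAPABLE ;;          # real hash, or empty = no password
    esac
}

# audit_accounts PASSWD SHADOW: one "name status" line per candidate account.
audit_accounts() {
    for name in $CANDIDATES; do
        echo "$name $(account_status "$1" "$2" "$name")"
    done
}

# login_capable PASSWD SHADOW: just the names that can log in, one per line.
login_capable() {
    audit_accounts "$1" "$2" | awk '$2 == "LOGIN-CAPABLE" { print $1 }'
}

# Constructed sample files (hashes are placeholders, not real password hashes).
make_sample_files() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
halt:x:7:0:halt:/sbin:/sbin/halt
games:x:12:100:games:/usr/games:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$saltsalt$constructedplaceholderhash:14000:0:99999:7:::
adm:*:14000:0:99999:7:::
lp:*:14000:0:99999:7:::
sync:*:14000:0:99999:7:::
halt:$1$saltsalt$constructedplaceholderhash:14000:0:99999:7:::
games:$1$saltsalt$constructedplaceholderhash:14000:0:99999:7:::
ftp:*:14000:0:99999:7:::
EOF
    echo "$d"
}

d=$(make_sample_files)
audit_accounts "$d/passwd" "$d/shadow"
```

Run find / -xdev -user NAME before each userdel so that files owned by the account do not end up with a dangling uid; if you would rather not delete, usermod -L -s /sbin/nologin NAME locks the account in place, which is also what turns the LOGIN-CAPABLE entries above into locked ones.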

4. Make the account files immutable so that nobody can change them, not even a process running as root that has not first cleared the flag:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
While the flag is set, useradd, usermod, userdel, passwd (including users changing their own password) and package scripts that create service accounts all fail; clear it with chattr -i before such changes and set it again afterwards (lsattr shows the current flags). Root can remove the flag, so this guards against mistakes and careless scripts rather than against an attacker who already has root.

5. chmod 600 /etc/xinetd.conf ← so that only root can read the xinetd configuration and the access controls it defines.