Simple configuration of centos System Security

Source: Internet
Author: User
Tags: ssh, port, strong password

1. Minimal installation:
Choose a custom installation when installing CentOS. Do not install the graphical interface; select only the services you actually need (or none). After installation is complete, install only the tools and libraries required to compile and install your software.
2. Install system patches:
We recommend using the yum tool that ships with CentOS.
[root@localhost ~]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
[root@localhost ~]# yum update
3. Account and logon security:
Set a strong password for the root user;
Create a non-administrator account for day-to-day work;
Prohibit root from logging on directly over SSH and change the default SSH port:
[root@localhost ~]# vi /etc/ssh/sshd_config
At line 14, "#Port 22", remove the "#" and change 22 to the SSH port you want to use, such as 22110;
Add a line "PermitRootLogin no" to disable SSH logon for the root user.
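A small audit script for the two sshd_config settings changed in step 3, added here as an example (it is not part of the original post). It assumes only a POSIX shell and awk, and it honours the fact that sshd uses the first uncommented occurrence of a keyword, so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing.

```sh
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings changed in step 3. sshd applies the FIRST uncommented occurrence of
# a keyword, so the check must look at the first match, not the last.
# Match blocks are not modelled; keywords are case-insensitive.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        NF >= 2 && tolower($1) == key { print $2; exit } # first hit wins
    ' "$1"
}

# Return 0 if root login is disabled and the port has been moved off 22;
# otherwise print one line per finding and return 1.
check_sshd_config() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    [ -n "$port" ] || port=22          # sshd default when Port is absent
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset (defaults to yes)}', expected no"
        rc=1
    fi
    if [ "$port" = "22" ]; then
        echo "Port is still 22; step 3 moves it to a non-default port"
        rc=1
    fi
    return $rc
}
```

Run it as `check_sshd_config /etc/ssh/sshd_config` after editing; a zero exit status means both settings took effect.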
4. Enable the Linux firewall and open only the application ports.
Enable the CentOS firewall; SELinux is disabled by default.
It is best to write the firewall policy yourself and open only the ports your applications need (the configuration below is a stateful firewall):
vi iptables_rule.sh
#!/bin/bash
iptables -F                                   # flush all rules
iptables -X                                   # delete user-defined chains
iptables -Z                                   # zero the counters
iptables -P INPUT DROP                        # default policy: drop inbound
iptables -A INPUT -i lo -j ACCEPT             # loopback
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j ACCEPT   # SNMP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22110 -j ACCEPT   # SSH (port from step 3)
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT      # HTTP
After saving, make iptables_rule.sh executable, run it, and save the rules. Run it from the console, or make sure 22110 really is the port sshd listens on, so you are not locked out of a remote session.
[root@localhost ~]# ./iptables_rule.sh
[root@localhost ~]# service iptables save
5. Disable unnecessary services, such as sendmail.

Basic security measures
1. Disable unnecessary users and groups in the system
passwd -l zhangsan (lock the account)
passwd -u zhangsan (unlock the account)
Or edit /etc/shadow directly and prefix the password hash of user zhangsan with "!".
2. Make sure program and service accounts have no usable logon shell
usermod -s /sbin/nologin rpm
Or edit /etc/passwd directly.
3. Limit the password validity period
chage -M 30 zhangsan
Or edit /etc/login.defs directly.
4. Force the user to change the password at the next logon
chage -d 0 zhangsan
5. Set a minimum password length
# vi /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12
6. Limit the number of entries kept in the command history
# vi /etc/profile
HISTSIZE=100
7. Clear the current user's command history automatically on logout
# echo "history -c" >> ~/.bash_logout
8. Set an idle timeout so the terminal logs out automatically
# vi /etc/profile
export TMOUT=600

Use su to switch user identities
* Allow user zhangsan to switch to root with the su command,
* and prohibit all other users from switching identities with su:
# gpasswd -a zhangsan wheel
# vi /etc/pam.d/su
auth required pam_wheel.so use_uid

Use sudo to elevate execution privileges
1. Authorize user jerry to run the ifconfig command with root privileges
# visudo
jerry localhost=/sbin/ifconfig
2. Define custom aliases for users, hosts and commands
User_Alias OPERATORS = jerry, tom, tsengyia
Host_Alias MAILSERVERS = smtp, pop
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
3. Define a group of commands with an alias and authorize tom to use that group
# visudo
Cmnd_Alias SYSVCTRL = /sbin/service, /bin/kill, /bin/killall
tom localhost=SYSVCTRL
4. Authorize users in the wheel group to run all commands without entering a password
# visudo
%wheel ALL=(ALL) NOPASSWD: ALL
5. Authorize user mike to run all commands under /sbin and /usr/bin through sudo, except /sbin/ifconfig for changing the eth0 parameters, and except /usr/bin/vim so that configuration files cannot be edited
# visudo
mike localhost=/sbin/*, /usr/bin/*, !/sbin/ifconfig eth0, !/usr/bin/vim
Note that sudoers(5) warns that subtracting commands from a wildcard with "!" is not an effective restriction; an explicit list of the commands a user needs is safer.
6. Enable logging for sudo
# visudo
Defaults logfile="/var/log/sudo"
# vi /etc/syslog.conf
local2.debug /var/log/sudo
# service syslog restart
* Because system administration is a heavy workload, user account management is delegated to the members of a dedicated management group.
* Create a group account "managers" and authorize all of its members to add, delete and modify user accounts:
# groupadd managers
# gpasswd -M zhangsan,lisi managers
# visudo
Cmnd_Alias USERADM = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
%managers localhost=USERADM

Security optimization at the file system level
1. Lock files that must not be changed
# chattr +i /etc/services /etc/passwd /boot/grub/grub.conf
2. Unlock a locked file
# chattr -i /etc/passwd

System boot and logon security optimization
1. Adjust the BIOS boot settings
2. Prevent users from rebooting the system with the Ctrl+Alt+Del hotkey
# vi /etc/inittab
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now    (comment out this line)
# init q
3. Password-protect the GRUB boot menu
# vi /boot/grub/grub.conf
password 123456
4. Use an MD5-hashed password string in grub.conf instead of the plaintext one
# grub-md5-crypt
(then replace the password line in grub.conf with: password --md5 <hash printed by grub-md5-crypt>)
5. Prohibit normal users from logging on, effective immediately
# touch /etc/nologin
6. Control which tty terminals the server opens
# vi /etc/inittab
7. Control which tty terminals root may log on from
# vi /etc/securetty
#tty2
#tty3
8. Change the logon banner to hide the kernel version information
# vi /etc/issue
Welcome to server.
# cp -f /etc/issue /etc/issue.net
9. Use pam_access authentication to control where users may log on from
Do not allow users other than root to log on from the tty1 terminal:
# vi /etc/pam.d/login
account required pam_access.so
# vi /etc/security/access.conf
-:ALL EXCEPT root:tty1
Prohibit root from logging on remotely from 192.168.1.0/24 or 172.16.0.0/8:
# vi /etc/pam.d/sshd
account required pam_access.so
# vi /etc/security/access.conf
-:root:192.168.1.0/24 172.16.0.0/8
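To see how pam_access will evaluate the two access.conf rules above before they are deployed, here is a small model of its first-match logic, added as an example (it is not part of the original post and not pam_access's own code). It assumes a POSIX shell and covers only the rule forms the page uses: "-" or "+" permissions, ALL / ALL EXCEPT user fields, and tty names or IPv4 CIDR origins.

```sh
#!/bin/sh
# Added example, not from the original post: a small model of how pam_access reads
# /etc/security/access.conf. The FIRST matching line wins; "+" permits and "-" denies;
# the user field is a name, ALL or "ALL EXCEPT name"; an origin is a tty or an IPv4 CIDR.
# Real pam_access also handles groups, hostnames, LOCAL, etc.; only the page's rules are modelled.

ip_to_int() {   # dotted quad -> integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does origin $1 (tty name or IPv4 address) match origin pattern $2?
origin_matches() {
    case $2 in
        ALL) return 0 ;;
        */*)    # CIDR network: compare only the network bits
            case $1 in *.*.*.*) ;; *) return 1 ;; esac
            net=${2%/*}; bits=${2#*/}
            mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
            [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# Does user $1 match user field $2 (a name, ALL, or "ALL EXCEPT name ...")?
user_matches() {
    case $2 in
        ALL) return 0 ;;
        "ALL EXCEPT "*)
            for u in ${2#"ALL EXCEPT "}; do [ "$u" = "$1" ] && return 1; done
            return 0 ;;
        *)  for u in $2; do [ "$u" = "$1" ] && return 0; done
            return 1 ;;
    esac
}
# access_decision CONF_FILE USER ORIGIN -> prints "allow" or "deny"
access_decision() {
    while IFS=: read -r perm users origins; do
        perm=$(echo $perm); users=$(echo $users)   # trim surrounding blanks
        case $perm in ''|'#'*) continue ;; esac
        user_matches "$2" "$users" || continue
        for o in $origins; do
            if origin_matches "$3" "$o"; then
                [ "$perm" = "+" ] && echo allow || echo deny
                return 0
            fi
        done
    done < "$1"
    echo allow      # no line matched: pam_access permits by default
}
```

Running `access_decision /etc/security/access.conf root 172.200.3.4` with the page's rules prints "deny", because 172.16.0.0/8 covers every 172.x.x.x address and not only 172.16.x.x; check the addresses you intend against the prefix length before relying on the rule.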
