Simple Security Configuration for CentOS 6 servers

Linux is an open system, and many ready-made programs and tools are freely available on the network. This helps users, but it also helps attackers, who can just as easily find tools to break into a Linux system or steal sensitive information from it. However, as long as we configure the system's functions carefully and add the necessary security measures, attackers will find it much harder to succeed. In general, security settings for a Linux system cover disabling unnecessary services, restricting remote access, hiding important information, fixing security vulnerabilities, using security tools, and performing regular security checks.

This article is a reference for practical operations. It does not go into principles such as IP spoofing, and security problems cannot be prevented with a few lines of commands; what follows is only a basic hardening procedure for Linux, to be extended later.

Note: Back up every file before modifying it, for example:

```shell
cp /etc/passwd{,.dist}
```

1. Disable unused users

Note: Deleting a user outright is not recommended; if the user turns out to be needed later, it is hard to add back correctly. Alternatively, lock the account with usermod -L user or passwd -l user.

  • Back up the file first: cp /etc/passwd{,.bak}

  • vi /etc/passwd: find the user's line and prefix it with # to comment it out.

Commented-out users:

```shell
# cat /etc/passwd | grep ^#
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
#postfix:x:89:89::/var/spool/postfix:/sbin/nologin
```

Commented-out groups:

```shell
# cat /etc/group | grep ^#
#adm:x:4:adm,daemon
#lp:x:7:daemon
#uucp:x:14:
#games:x:20:
#gopher:x:30:
#video:x:39:
#dip:x:40:
#ftp:x:50:
#audio:x:63:
#floppy:x:19:
#postfix:x:89:
```

2. Disable unused services

List the services enabled in runlevel 3:

```shell
# chkconfig --list | grep '3:on'
```

Email service (the company mail server is used instead):

```shell
service postfix stop
chkconfig postfix --level 2345 off
```

General Unix print service, not needed on servers:

```shell
service cups stop
chkconfig cups --level 2345 off
```

CPU frequency scaling reduces power consumption and is mainly useful on laptops:

```shell
service cpuspeed stop
chkconfig cpuspeed --level 2345 off
```

Bluetooth wireless communication is useless on servers:

```shell
service bluetooth stop
chkconfig bluetooth --level 2345 off
```

The first-boot setup is useless after the system has started for the first time:

```shell
service firstboot stop
chkconfig firstboot --level 2345 off
```

Disable the NFS client services:

```shell
service netfs stop
chkconfig netfs --level 2345 off
service nfslock stop
chkconfig nfslock --level 2345 off
```

To restore a service, for example:

```shell
service acpid start && chkconfig acpid on
```

You can also use the setup tool to configure services.
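As an added example (not part of the original article), the following shell function audits `chkconfig --list` output for the services this section disables and prints the matching stop/disable commands for review; the service list, the `unneeded_services_on` and `disable_commands` names and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: find services from this page's "not needed on a server" list
# that are still enabled in runlevel 3. On a real host feed it real output:
#   chkconfig --list | unneeded_services_on
# Here a constructed sample of chkconfig --list output is used instead.

# Services the article disables (assumed list; adjust to your environment).
UNNEEDED="postfix cups cpuspeed bluetooth firstboot netfs nfslock"

# Reads chkconfig --list lines on stdin and prints, one per line, the names
# of listed services whose runlevel 3 entry is "3:on".
unneeded_services_on() {
    awk -v list="$UNNEEDED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # line format: "name  0:off 1:off 2:on 3:on 4:on 5:on 6:off"
        $1 in want {
            for (i = 2; i <= NF; i++)
                if ($i == "3:on") print $1
        }'
}

# Prints (does not run) the stop/disable commands from this section for each
# flagged service, so they can be reviewed before being executed.
disable_commands() {
    unneeded_services_on | while read -r svc; do
        printf 'service %s stop && chkconfig %s --level 2345 off\n' "$svc" "$svc"
    done
}

# Constructed sample of chkconfig --list output for demonstration.
SAMPLE='acpid          0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:off 3:off 4:off 5:off 6:off
postfix        0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Flagged services from the sample joined by spaces, for easy checking.
sample_result() {
    printf '%s\n' "$SAMPLE" | unneeded_services_on |
        awk '{ out = out (NR > 1 ? " " : "") $0 } END { print out }'
}
```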

3. Disable IPv6

IPv6 was designed to solve IPv4 address exhaustion, but our servers generally do not use it. Disabling it avoids unnecessary network processing, reduces management overhead and shrinks the attack surface. The following steps disable IPv6 completely on CentOS.

Disable loading of the IPv6 module

To prevent the system from loading IPv6-related modules, modify the modprobe configuration. For ease of management, create a new file /etc/modprobe.d/ipv6off.conf with the following content:

```shell
alias net-pf-10 off
options ipv6 disable=1
```

Disable IPv6 networking so that it is never brought up:

```shell
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
```

Disable the IPv6 settings of the NIC so that it runs in IPv4 mode only:

```shell
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no
```

Disable ip6tables:

```shell
# chkconfig ip6tables off
```

Restart the system and verify that the change took effect:

```shell
# lsmod | grep ipv6
# ifconfig | grep -i inet6
```

If neither command produces output, the IPv6 module is disabled; otherwise it is still loaded.

4. iptables rules

Enable the Linux firewall to block unauthorized access. iptables rules filter inbound, outbound and forwarded packets; they can allow or deny specific TCP/UDP ports for given source and destination addresses.

For details on writing firewall rules, see the blog article on commonly used iptables example settings.

5. SSH Security Settings

If possible, the first step is to change ssh's default port 22. Moving it to a high port such as 20002 makes the server far less visible to automated scans and reduces the chance of ssh brute-force logins, although it is no substitute for the settings below.

Create recognizable application users, such as crm, and a system-management user, such as sysmgr:

```shell
# useradd crm -d /apps/crm
# passwd crm
# useradd sysmgr
# passwd sysmgr
```
5.1 Only allow su switching for users in the wheel group

```shell
# usermod -G wheel sysmgr    # -G replaces the supplementary group list; use -a -G to append
# vi /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
```

A user outside the wheel group who tries to su to root is told "su: incorrect password" even when the password entered is correct.

5.2 Logon timeout

If a logged-in user performs no operation for 5 minutes, the session times out and is disconnected. Add the following to /etc/profile:

```shell
export TMOUT=300
readonly TMOUT
```
5.3 Prohibit direct remote login as root

```shell
# vi /etc/ssh/sshd_config
PermitRootLogin no
```
5.4 Restrict logon failures and lock the account

Add the following PAM line:

```shell
auth required pam_tally2.so deny=6 unlock_time=180 even_deny_root root_unlock_time=180
```

Once the number of consecutive failed logons reaches deny (6 here), the account is locked for 180 seconds (unlock_time). Keep or drop even_deny_root and root_unlock_time depending on whether root should be included.

5.5 Logon IP address limit

(Not configured here, because it requires administrators to connect from a fixed IP address or IP range.)
The stricter limit restricts ssh users and their source IP addresses in sshd_config:

```shell
## allowed ssh users: sysmgr
AllowUsers sysmgr@172.29.73.*
```

Or use TCP wrappers:

```shell
# vi /etc/hosts.deny
sshd: all
# vi /etc/hosts.allow
sshd: 172.29.73.23
sshd: 172.29.73.
```

6. Allow login only with a key file

Replacing simple password authentication with key files also greatly improves security:

```shell
[username@host ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   <- default path, press ENTER
Enter passphrase (empty for no passphrase):               <- enter a passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 root@ibpak.tp-link.net
The key's randomart image is:
+--[ RSA 2048]----+
+-----------------+
```

Rename the public key to authorized_keys:

```shell
$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
```

Download the private key file id_rsa to the local machine (for easier identification, you may rename it hostname_username_id_rsa) and keep it in a safe place. From now on, the user must log on to this host with this private key and its passphrase rather than with the account's own password.

Edit /etc/ssh/sshd_config and uncomment the following lines:

```shell
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
```

We require the administrative user (who can switch to other users, especially root) to log on with the ssh key file, while other ordinary users may still log on with a password. To achieve this, add the following at the end of sshd_config (a Match block must come after all global settings):

```shell
Match User itsection
    PasswordAuthentication no
```

Restart the service with service sshd restart. Also keep copies of the public and private keys on another machine: if the public key on the server or the private key (or its passphrase) on the client side is lost, it may become impossible to log on to the server and obtain root privileges!
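The settings in sections 5.3 and 6 only help if sshd actually uses them. The added example below (not from the original article) reports the value sshd will use for a keyword, honouring two sshd_config rules: the first occurrence of a keyword wins, and everything after the first Match line is conditional. The sample config, the keyword list and the `sshd_effective` and `check_sshd_hardening` names are assumptions.

```shell
#!/bin/sh
# Added example: print the value sshd will use for a keyword in sshd_config.
# sshd rules honoured here: (1) the FIRST occurrence of a keyword wins, later
# duplicates are ignored; (2) settings after the first "Match" line are
# conditional, so a "global" setting placed there is not global at all.
# Assumes the "Keyword value" form. Real usage:
#   sshd_effective PermitRootLogin /etc/ssh/sshd_config
sshd_effective() {
    key="$1"; cfg="$2"
    awk -v key="$key" '
        tolower($1) == "match" { exit }          # below here is conditional
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$cfg"
}

# Constructed sample config showing both pitfalls; written to a temp file only
# so the function can be exercised offline.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 20002
#PermitRootLogin yes
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# the next line is ignored by sshd: PermitRootLogin was already set above
PermitRootLogin no
Match User itsection
    PasswordAuthentication no
EOF

# Prints one line per required setting and returns 0 only if all are in force.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PubkeyAuthentication=yes; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$k" "$cfg")
        if [ "$got" = "$want" ]; then
            echo "ok   $k = $got"
        else
            echo "FAIL $k = ${got:-unset}, expected $want"; rc=1
        fi
    done
    return $rc
}
```

On a real host, also run sshd -t after editing to catch syntax errors before restarting the service.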

7. Reduce history command records

The more executed commands are kept in the history, the easier maintenance becomes to some extent, but it also brings security issues (anything typed on the command line, including passwords, ends up in the history file).

```shell
vi /etc/profile
```

Change HISTSIZE=1000 to HISTSIZE=50, or clear the history with history -c every time you log out.

8. Harden special file permissions

Add the immutable attribute to the following files so that unauthorized users cannot tamper with them:

```shell
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the system service port list, preventing unauthorized removal or addition of services
chattr +i /etc/pam.d/su
chattr +i /etc/ssh/sshd_config
```

Display the file attributes:

```shell
lsattr /etc/passwd /etc/shadow /etc/services /etc/ssh/sshd_config
```

Note: once chattr +i is set, users can no longer be added or deleted.

To add or delete a user, first remove the attribute, for example chattr -i /etc/passwd, and set it again afterwards (do not forget to restore it).

9. Prevent general network attacks

Network attacks cannot be prevented with a few configuration lines. The following simple measures reduce the likelihood of attack by making it harder, but they cannot stop it completely.

9.1 Prohibit ping

If nobody can ping your system, it is harder to discover and ping floods are blunted. Add the following line to /etc/rc.d/rc.local:

```shell
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
```

Or use iptables to drop incoming ping requests:

```shell
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP   # type 8 = echo-request, i.e. incoming pings
```

To also stop this host from pinging other hosts, drop outgoing echo requests:

```shell
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
```

9.2 Prevent IP spoofing

Edit /etc/host.conf and add the following lines:

```shell
order hosts,bind   # name resolution order
multi on           # allow a host to have multiple IP addresses
nospoof on         # reject spoofed hostnames
```
9.3 Prevent DoS attacks

Setting resource limits for all system users, such as the maximum number of processes and open files, can mitigate DoS attacks. Add the following lines to /etc/security/limits.conf:

```shell
* soft core 0
* soft nproc 2048
* hard nproc 16384
* soft nofile 1024
* hard nofile 65536
```

  • core 0 means no core files are created.

  • nproc limits the maximum number of processes a user may run (e.g. nproc 128).

  • nofile limits the maximum number of files a user may have open at the same time (e.g. nofile 64).

  • * applies to all users logged on to the system, but not to root.

Then edit /etc/pam.d/login and check that the following line is present:

```shell
session required pam_limits.so
```

The values in limits.conf must be adjusted to the actual situation.

10. Fix known security vulnerabilities

Critical vulnerabilities such as udev, Heartbleed, Shellshock and GHOST are exposed in Linux from time to time. If the server faces the Internet, they must be patched promptly.

11. Perform regular log security checks

Move logs to a dedicated log server, which prevents intruders from easily modifying local logs. Common Linux default log files and their uses:

  • /var/log/messages: general system and current activity log

  • /var/log/auth.log: authentication log (Debian-style name; on CentOS see /var/log/secure)

  • /var/log/cron: crond log (cron tasks)

  • /var/log/maillog: mail server log

  • /var/log/secure: authentication log

  • /var/log/wtmp: history of logins, logouts, boots and shutdowns; the lastb command lists users whose logon failed (it reads /var/log/btmp)

  • /var/run/utmp: information about currently logged-in users; the w and who commands read it

  • /var/log/yum.log: yum log

See also the article on using CentOS logs for intrusion detection.
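As an added example for the log review described in this section (not from the original article), the following counts sshd password failures per source address in /var/log/secure-style lines and lists the sources over a threshold; the log lines are constructed, use documentation addresses, and the `failed_ssh_by_ip` and `suspicious_sources` names are assumptions.

```shell
#!/bin/sh
# Added example: summarise sshd password failures per source IP from
# /var/log/secure-style lines. Real usage:  failed_ssh_by_ip < /var/log/secure
# Assumed line format (CentOS 6 sshd via rsyslog):
#   "Mon DD HH:MM:SS host sshd[pid]: Failed password for [invalid user] NAME from IP port N ssh2"

# Prints "count ip" per source, most failures first.
failed_ssh_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Sources with at least $1 failures (default 5), one IP per line: candidates
# for the AllowUsers / hosts.deny limits described earlier on this page.
suspicious_sources() {
    threshold=${1:-5}
    failed_ssh_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:06 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:07 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:09 web1 sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 51041 ssh2
Mar  3 10:02:11 web1 sshd[2110]: Failed password for sysmgr from 172.29.73.23 port 40120 ssh2
Mar  3 10:02:20 web1 sshd[2110]: Accepted publickey for sysmgr from 172.29.73.23 port 40120 ssh2'

# Helpers that run the sample through the functions above.
sample_top_source() { printf '%s\n' "$SAMPLE_LOG" | failed_ssh_by_ip | sed -n 1p; }
sample_suspicious()  { printf '%s\n' "$SAMPLE_LOG" | suspicious_sources 5; }
```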

11.1 Install logwatch

Logwatch is a log analysis tool written in Perl. It can analyze Linux log files and automatically email reports to the relevant administrators, and the reports can be customized.

Logwatch sends mail through the mail server installed on the host, so the system needs a mail server such as sendmail, postfix or qmail.

For installation and configuration, see the blog article on Linux log monitoring with LogWatch.

12. Web server security

When configuring server programs such as Apache or Tomcat, refer to the relevant hardening documents if security problems arise. New articles will be added later.

Reference: Top 20 OpenSSH Server Best Security Practices
