Simple Security Configuration for CentOS 6 servers
Linux is an open system: many ready-made programs and tools can be found on the network. This helps users, but it also helps attackers, who can just as easily find tools to break into a Linux system or steal sensitive information from it. However, as long as we configure the system's functions carefully and add the necessary security measures, attackers will not succeed. In general, security settings for Linux systems include disabling unnecessary services, restricting remote access, hiding important information, fixing security vulnerabilities, using security tools, and carrying out regular security checks.
This article is a reference for practical operations. It does not cover the principles behind attacks such as IP spoofing, and security problems cannot be prevented with just a few lines of commands; what follows is only a basic hardening method for Linux, and new content will be added later.
Note: back up every file before modifying it, for example:
cp /etc/passwd{,.dist}
1. Disable unused users
Note: deleting a user outright is not recommended; if the user is needed later it is hard to add back. You can instead lock the account with usermod -L user or passwd -l user.
Back up the file before modification: cp /etc/passwd{,.bak}
vi /etc/passwd: find the user's line and add # at the start of the line to comment it out.
Commented-out users:
# cat /etc/passwd | grep ^#
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
#postfix:x:89:89::/var/spool/postfix:/sbin/nologin
Commented-out groups:
# cat /etc/group | grep ^#
#adm:x:4:adm,daemon
#lp:x:7:daemon
#uucp:x:14:
#games:x:20:
#gopher:x:30:
#video:x:39:
#dip:x:40:
#ftp:x:50:
#audio:x:63:
#floppy:x:19:
#postfix:x:89:
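The note above recommends locking accounts with usermod -L or passwd -l rather than deleting them. The following script is an added example (not part of the original article) that audits a passwd/shadow pair and lists the accounts that can still obtain a shell: a real login shell combined with a password hash that is not locked (a hash starting with "!" or "*"). The sample files it creates are constructed for the demonstration; on a live host run list_loginable_accounts /etc/passwd /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not from the original article.
# List accounts that have a real shell AND an unlocked password hash.
# Usage on a real host (as root): list_loginable_accounts /etc/passwd /etc/shadow
list_loginable_accounts() {
    passwd_file=$1
    shadow_file=$2
    # First pass reads the shadow file into hash[user]; second pass walks passwd.
    awk -F: '
        NR == FNR { hash[$1] = $2; next }           # shadow: user -> hash
        {
            shell = $7
            if (shell ~ /(nologin|false)$/) next    # no shell: cannot log in interactively
            h = hash[$1]
            if (h == "" || h ~ /^[!*]/) next        # locked (!) or no password ever set (*)
            print $1 ":" shell
        }' "$shadow_file" "$passwd_file"
}

# Demonstration on constructed passwd/shadow data (hashes are placeholders).
demo_audit() {
    p=$(mktemp) ; s=$(mktemp)
    cat > "$p" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
sysmgr:x:500:500::/home/sysmgr:/bin/bash
oldapp:x:501:501::/home/oldapp:/bin/bash
EOF
    cat > "$s" <<'EOF'
root:$6$saltsalt$constructedhash:16000:0:99999:7:::
lp:*:16000:0:99999:7:::
games:!!:16000:0:99999:7:::
sysmgr:$6$saltsalt$constructedhash:16000:0:99999:7:::
oldapp:!$6$saltsalt$constructedhash:16000:0:99999:7:::
EOF
    list_loginable_accounts "$p" "$s"
    rm -f "$p" "$s"
}

demo_audit   # prints root:/bin/bash and sysmgr:/bin/bash
```

In the sample, games has a shell but a locked hash (!!) and oldapp was locked with passwd -l, so only root and sysmgr are reported. Note that locking the password only blocks password authentication; an account that must never log in at all should also get the /sbin/nologin shell, which is what the audit treats as definitive.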
2. Disable unused services
# chkconfig --list | grep '3:on'
Mail service; the company's mail server is used instead:
service postfix stop
chkconfig postfix --level 2345 off
General Unix printing service, useless on servers:
service cups stop
chkconfig cups --level 2345 off
CPU frequency scaling reduces power consumption and is mostly useful on laptops:
service cpuspeed stop
chkconfig cpuspeed --level 2345 off
Bluetooth wireless communication is useless on servers:
service bluetooth stop
chkconfig bluetooth --level 2345 off
The initial setup after system installation is useless once the system has booted for the first time:
service firstboot stop
chkconfig firstboot --level 2345 off
Disable the NFS service and client:
service netfs stop
chkconfig netfs --level 2345 off
service nfslock stop
chkconfig nfslock --level 2345 off
To restore a service, do the reverse, for example:
service acpid start && chkconfig acpid on
The setup tool (text-mode configuration utility) can also be used to configure services.
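A quick way to keep the service list under control is to compare the chkconfig --list output against an allowlist. The script below is an added example (not from the original article): unexpected_services reads chkconfig --list lines on stdin and prints every service enabled in runlevel 3 that is not in the allowlist; disable_commands turns that list into the stop/off commands used in this section. The sample chkconfig lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# Usage on a real host: chkconfig --list | unexpected_services "sshd iptables crond rsyslog"
unexpected_services() {
    allow=" $1 "
    # chkconfig lines look like: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
    # xinetd sub-service lines have fewer fields and are ignored.
    awk -v allow="$allow" '
        NF >= 7 && $5 == "3:on" {
            if (index(allow, " " $1 " ") == 0) print $1
        }'
}

# Turn service names (one per line on stdin) into the disable commands.
disable_commands() {
    while read -r svc; do
        [ -n "$svc" ] || continue
        printf 'service %s stop && chkconfig %s --level 2345 off\n' "$svc" "$svc"
    done
}

# Constructed sample of chkconfig --list output.
sample_chkconfig() {
    cat <<'EOF'
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen-dgram:  off
EOF
}

demo_unexpected() {
    sample_chkconfig | unexpected_services "sshd iptables crond"
}

demo_unexpected | disable_commands   # prints the stop/off commands for postfix and cups
```

Review the generated commands before running them: the allowlist is the policy, and anything that is on in runlevel 3 but not on the list is a candidate for removal, not an automatic one.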
3. Disable IPV6
IPv6 was designed to solve IPv4 address exhaustion, but our servers generally do not use it. Disabling IPv6 not only speeds up the network but also reduces management overhead and improves security. The following steps completely disable IPv6 on CentOS.
Disable IPv6 module loading
To prevent the system from loading the IPv6 modules, add a modprobe configuration file. For ease of management, create a new file /etc/modprobe.d/ipv6off.conf with the following content:
alias net-pf-10 off
options ipv6 disable=1
Disable IPv6 networking so that it is never started:
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
Disable the IPv6 settings of the NIC so that it runs in IPv4 mode only:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no
Disable ip6tables:
# chkconfig ip6tables off
Restart the system and verify that the change took effect:
# lsmod | grep ipv6
# ifconfig | grep -i inet6
If neither command prints anything, the IPv6 module is disabled; otherwise it is still loaded.
4. iptables rules
Enable the Linux firewall to block unauthorized access. iptables rules filter inbound, outbound and forwarded packets; you can allow or deny specific UDP/TCP ports for given source and destination addresses.
For details on setting firewall rules, see the blog article "iptables frequently used instance settings".
5. SSH Security Settings
If possible, the first thing to do is change SSH's default port 22. Moving it to a high port such as 20002 considerably improves security and reduces the chance of SSH logon brute-forcing.
Create recognizable application users such as crm, and a system management user sysmgr:
# useradd crm -d /apps/crm
# passwd crm
# useradd sysmgr
# passwd sysmgr
5.1 Only allow users in the wheel group to su
# usermod -G wheel sysmgr
# vi /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
If a user outside the wheel group tries to switch to root, the system answers "su: incorrect password" even when the password entered is correct.
5.2 Logon timeout
If a user is idle for 5 minutes the session times out and is disconnected. Add the following to /etc/profile:
export TMOUT=300
readonly TMOUT
5.3 Prohibit direct remote logon as root
# vi /etc/ssh/sshd_config
PermitRootLogin no
5.4 Limit logon failures and lock the account
Add the following line to the PAM configuration:
auth required pam_tally2.so deny=6 unlock_time=180 even_deny_root root_unlock_time=180
After the number of failed logons given by deny (6 here), the account is locked for 180 seconds. Whether root is included (even_deny_root) is up to you.
5.5 Logon IP address restriction
(Not set here, because it only makes sense when the source is a fixed IP address or IP range.)
A stricter restriction is to limit SSH users and source IP addresses in sshd_config:
## allowed ssh users: sysmgr
AllowUsers sysmgr@172.29.73.*
Or use TCP wrappers:
vi /etc/hosts.deny
sshd: all
vi /etc/hosts.allow
sshd: 172.29.73.23
sshd: 172.29.73.
6. Configure logon with a key file only
Replacing ordinary password authentication with key files also improves security considerably:
[username@host ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    // default path, press ENTER
Enter passphrase (empty for no passphrase):                  // enter your passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 root@ibpak.tp-link.net
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image omitted)
+-----------------+
Rename the public key to authorized_keys:
$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
Download the private key file id_rsa to your local machine (for easier identification you can rename it hostname_username_id_rsa) and keep it in a safe place. From now on the username user must log on to this host with this private key and its passphrase (the user's own password is no longer used).
Modify /etc/ssh/sshd_config and uncomment the following lines:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
We require the username user (who can switch to other users, especially root) to log on with the SSH key file, while other ordinary users may still log on with a password. Therefore, add the following at the end of sshd_config:
Match User itsection
    PasswordAuthentication no
Restart the sshd service: service sshd restart. In addition, keep copies of the public and private key on a separate machine: losing the public key on the server, or the private key (or its passphrase) on the client side, may mean you can no longer log on to the server to obtain root privileges!
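Sections 5 and 6 together define a small sshd_config policy: a non-default port, no root logon, public-key authentication enabled, an AllowUsers restriction, and password logon switched off for the administrative user inside a Match block. The script below is an added example (not from the original article) that checks a sshd_config file against exactly those points; it understands that directives before the first Match line are global and that a Match User block only applies to the named user. The two configuration files it creates are constructed for the demonstration, using sysmgr as the administrative user; on a live host run audit_sshd_config /etc/ssh/sshd_config sysmgr.

```shell
#!/bin/sh
# Added example, not from the original article.
# audit_sshd_config <sshd_config path> <admin user that must use keys only>
# Prints one WARN line per policy point that is not met; prints nothing when all are met.
audit_sshd_config() {
    cfg=$1 ; admin=$2
    awk -v admin="$admin" '
        { sub(/#.*/, ""); if (NF == 0) next }        # strip comments and blank lines
        { key = tolower($1); val = $2 }
        key == "match" {                             # start of a Match block ends the global section
            in_match = 1
            matched_admin = (tolower($2) == "user" && $3 == admin)
            next
        }
        !in_match {                                  # global directives
            if (key == "port") port = val
            if (key == "permitrootlogin") prl = val
            if (key == "pubkeyauthentication") pka = val
            if (key == "allowusers") allow = 1
            if (key == "passwordauthentication") gpa = val
        }
        in_match && matched_admin && key == "passwordauthentication" { admin_pw = val }
        END {
            if (port == "" || port == "22") print "WARN: sshd listens on the default port 22"
            if (tolower(prl) != "no") print "WARN: PermitRootLogin is not set to no"
            if (pka != "" && tolower(pka) != "yes") print "WARN: PubkeyAuthentication is disabled"
            if (!allow) print "WARN: no AllowUsers restriction"
            if (tolower(admin_pw) != "no" && tolower(gpa) != "no")
                print "WARN: password logon is still possible for " admin
        }' "$cfg"
}

# Demonstration: "hardened" follows sections 5 and 6, "weak" is a stock-style config.
demo_sshd_audit() {
    cfg=$(mktemp)
    if [ "$1" = hardened ]; then
        cat > "$cfg" <<'EOF'
Port 20002
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
AllowUsers sysmgr@172.29.73.*
Match User sysmgr
    PasswordAuthentication no
EOF
    else
        cat > "$cfg" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    fi
    audit_sshd_config "$cfg" sysmgr
    rm -f "$cfg"
}

demo_sshd_audit weak       # four WARN lines
demo_sshd_audit hardened   # no output
```

Run the audit after every edit of sshd_config and before restarting sshd, and keep the existing session open until a new logon with the key has been confirmed to work.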
7. Reduce the command history
Keeping a long history of executed commands makes maintenance easier to some extent, but it also brings security issues.
vi /etc/profile
Change HISTSIZE=1000 to HISTSIZE=50, or clear the history with history -c every time you log out.
8. Strengthen permissions on special files
Add the immutable attribute to the following files to prevent unauthorized users from gaining privileges.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the system service port list, preventing unauthorized removal or addition of services
chattr +i /etc/pam.d/su
chattr +i /etc/ssh/sshd_config
Display the file attributes:
lsattr /etc/passwd /etc/shadow /etc/services /etc/ssh/sshd_config
Note: after the chattr change, users can no longer be added or deleted.
To add or delete a user, first remove the attribute, for example chattr -i /etc/passwd, make the change, and then set it again. (Remember to restore the attribute.)
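Because the immutable attribute has to be removed and restored around every user change, it is easy to forget to put it back. The script below is an added example (not from the original article) that reads lsattr output and reports the files whose flag field lacks "i"; the sample lsattr lines are constructed. On a live host, pipe the real output in: lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services /etc/pam.d/su /etc/ssh/sshd_config | missing_immutable.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads lsattr output on stdin; prints the path of every file without the "i" flag.
missing_immutable() {
    # lsattr lines look like: ----i--------e-- /etc/passwd  (flag field, then path)
    awk 'NF >= 2 && index($1, "i") == 0 { print $2 }'
}

# Turn the list of paths into the commands that restore the attribute.
restore_commands() {
    while read -r path; do
        [ -n "$path" ] || continue
        printf 'chattr +i %s\n' "$path"
    done
}

# Constructed sample of lsattr output: /etc/group and /etc/pam.d/su lost the flag.
sample_lsattr() {
    cat <<'EOF'
----i--------e-- /etc/passwd
----i--------e-- /etc/shadow
-------------e-- /etc/group
----i--------e-- /etc/gshadow
----i--------e-- /etc/services
-------------e-- /etc/pam.d/su
----i--------e-- /etc/ssh/sshd_config
EOF
}

demo_missing_immutable() {
    sample_lsattr | missing_immutable
}

demo_missing_immutable | restore_commands   # prints chattr +i for /etc/group and /etc/pam.d/su
```

A check like this belongs in the regular security review of section 11, since a missing attribute is otherwise invisible until someone looks.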
9. Prevent common network attacks
Network attacks cannot be avoided with a few lines of configuration. The following simple measures reduce the likelihood of attacks: they make attacks harder but cannot prevent them completely.
9.1 Disable ping
If nobody can ping your system, security naturally improves, and ping floods are avoided. Add the following line to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Or block ping with iptables:
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP    # type 8 = echo-request, so incoming pings are dropped
To prevent this host from pinging other hosts:
iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP
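Section 4 describes filtering inbound, outbound and forwarded packets by port and address, and section 9.1 above adds the ICMP rule. The script below is an added example (not from the original article) that combines both into one minimal default-deny ruleset: drop everything inbound except loopback, established connections and SSH from the administration network on the non-default port, drop incoming echo-requests, and log the rest at a limited rate. The first argument is the command used for every rule, so firewall_rules echo ... previews the ruleset and firewall_rules iptables ... applies it (as root). The port 20002 and the 172.29.73.0/24 network are the values used elsewhere in this article.

```shell
#!/bin/sh
# Added example, not from the original article.
# firewall_rules <command> <ssh port> <admin network CIDR>
#   firewall_rules echo 20002 172.29.73.0/24      # preview
#   firewall_rules iptables 20002 172.29.73.0/24  # apply (root)
firewall_rules() {
    run=$1 ; ssh_port=$2 ; admin_net=$3
    # Start from an empty table and deny by default on INPUT and FORWARD.
    $run -F
    $run -P INPUT DROP
    $run -P FORWARD DROP
    $run -P OUTPUT ACCEPT
    # Local traffic and replies to connections this host opened.
    $run -A INPUT -i lo -j ACCEPT
    $run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the administration network, only on the non-default port.
    $run -A INPUT -p tcp -s "$admin_net" --dport "$ssh_port" -m state --state NEW -j ACCEPT
    # Section 9.1: do not answer ping (echo-request = ICMP type 8).
    $run -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Log what is about to be dropped, rate-limited so the log cannot be flooded.
    $run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
}

# Count the rules a preview produces, as a sanity check before applying.
rule_count() {
    firewall_rules echo "$1" "$2" | grep -c -- '-A INPUT'
}

firewall_rules echo 20002 172.29.73.0/24
```

Apply the rules from a console session, or with a scheduled iptables -F a few minutes later as a safety net, because a mistake in the SSH rule locks you out; once confirmed, run service iptables save so the ruleset survives a reboot.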
9.2 Prevent IP spoofing
Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:
order hosts,bind    # name resolution order
multi on            # allow a host to have multiple IP addresses
nospoof on          # reject IP address spoofing
9.3 Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can mitigate DoS attacks.
Add the following lines to /etc/security/limits.conf:
* soft core 0
* soft nproc 2048
* hard nproc 16384
* soft nofile 1024
* hard nofile 65536
core 0 means that no core files can be created.
nproc limits the maximum number of processes a user may run.
nofile limits the maximum number of files a user may have open at the same time.
* applies to all users logged on to the system, excluding the root user.
Then edit /etc/pam.d/login and make sure the following line is present:
session required pam_limits.so
The values in limits.conf need to be adjusted to the actual situation.
10. Fix known security vulnerabilities
Destructive vulnerabilities such as the udev, Heartbleed, Shellshock and GHOST flaws are exposed in Linux from time to time. If the server is reachable from the Internet, they must be patched promptly.
11. Perform regular log security checks
Move logs to a dedicated log server, which prevents intruders from easily modifying the local logs. The following are the common Linux default log files and their purpose:
/var/log/messages - general system log / current activity log
/var/log/auth.log - authentication log
/var/log/cron - crond log (cron jobs)
/var/log/maillog - mail server log
/var/log/secure - authentication log
/var/log/wtmp - historical logon, logout, boot and shutdown records; the lastb command can be used to view users whose logons failed
/var/run/utmp - information about the users currently logged on; the w and who commands read this file
/var/log/yum.log - yum log
See also the article on in-depth CentOS log analysis for intrusion detection.
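The authentication log (/var/log/secure on CentOS) is the first place to look for the brute-force attempts that sections 5 and 6 are meant to blunt. The script below is an added example (not from the original article): failed_logons_by_source counts sshd "Failed password" lines per source address and reports those at or above a threshold, and accepted_password_logons lists successful logons that used a password rather than a key, which is how to confirm that the key-only policy is being followed. The log lines are constructed (203.0.113.7 is a documentation address); on a live host run failed_logons_by_source 5 < /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads syslog-format sshd lines on stdin.

# failed_logons_by_source <threshold>: "count ip" for sources with >= threshold failures.
failed_logons_by_source() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            n[src]++
        }
        END { for (s in n) if (n[s] >= t) print n[s], s }' | sort -rn
}

# accepted_password_logons: "user ip" for every successful password (not key) logon.
accepted_password_logons() {
    awk '/sshd\[[0-9]+\]: Accepted password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            print user, src
        }'
}

# Constructed sample of /var/log/secure content.
sample_secure() {
    cat <<'EOF'
Mar  3 10:01:12 host sshd[2043]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2043]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 host sshd[2050]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:02:01 host sshd[2061]: Accepted publickey for sysmgr from 172.29.73.23 port 40022 ssh2
Mar  3 10:05:40 host sshd[2100]: Failed password for sysmgr from 172.29.73.23 port 40030 ssh2
Mar  3 10:06:02 host sshd[2110]: Accepted password for crm from 172.29.73.40 port 40100 ssh2
EOF
}

demo_failed() { sample_secure | failed_logons_by_source 2; }     # 3 203.0.113.7
demo_password_logons() { sample_secure | accepted_password_logons; }   # crm 172.29.73.40

demo_failed
demo_password_logons
```

The single failure from 172.29.73.23 stays below the threshold and is not reported, while the three attempts from 203.0.113.7 (including one against root, which PermitRootLogin no already refuses) are. Addresses that show up repeatedly are candidates for the hosts.deny or iptables rules from sections 5.5 and 4.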
11.1 Install Logwatch
Logwatch is a log analysis tool written in Perl. It can analyze Linux log files and automatically email reports to the relevant administrators; the reports can be customized.
Logwatch sends its mail through the mail server installed on the host, so a mail server such as sendmail, postfix or qmail must be installed.
For installation and configuration, see the blog article "Linux log monitoring with Logwatch".
12. Web server security
When configuring server programs such as Apache or Tomcat, refer to the relevant hardening documents for any security issues. New articles will be added later.
Reference: Top 20 OpenSSH Server Best Security Practices