CentOS Linux server security Settings

  • 2020-05-10 23:23:34
  • OfStack

We must understand: minimum permissions + minimum services = maximum security

Therefore, whichever server we configure, we must turn off the services that are not used and reduce system permissions to the minimum in order to keep the server as secure as possible. The following CentOS server security settings are offered for reference.

1. Comment out unwanted users and groups of users

Note: deleting these users outright is not recommended; if one of them is needed later, re-adding it by hand is troublesome.

cp /etc/passwd /etc/passwdbak # back up before modifying
vi /etc/passwd # edit the users and comment out the following lines with #

#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin # anonymous ftp account, commented out
cp /etc/group /etc/groupbak # back up before modifying
vi /etc/group # edit the groups and comment out the following lines with #
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:

2. Turn off unwanted services

service acpid stop; chkconfig acpid off # stop the service and do not start it at boot; ACPI power management, mostly used on laptops
service autofs stop; chkconfig autofs off # disable automatic mounting of filesystems and removable devices
service bluetooth stop; chkconfig bluetooth off # disable Bluetooth
service cpuspeed stop; chkconfig cpuspeed off # disable CPU frequency scaling, mainly used to save power
service cups stop; chkconfig cups off # disable the Common UNIX Printing System (printer support)
service ip6tables stop; chkconfig ip6tables off # disable the ip6tables service (IPv6 packet filter)

If you want to restore a service, do the following:
service acpid start; chkconfig acpid on

3. Prevent users other than root from executing the system commands in /etc/rc.d/init.d

chmod -R 700 /etc/rc.d/init.d/* # only root may read and execute the init scripts
chmod -R 777 /etc/rc.d/init.d/* # restore the default settings (note: the mode shipped by the packages is 755; 777 makes the scripts world-writable)

4. Add unchangeable properties to the following files to prevent unauthorized users from gaining permissions

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services # locks the system service port list file to prevent unauthorized deletion or addition of services
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services # show the attributes of the files
Note: after the above attributes are set, users can no longer be added or deleted.
To add or delete users, first remove the attributes, do the work, and then set them again:
chattr -i /etc/passwd # unlock the file
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services # unlock the system service port list file
You can now add and delete users; afterwards lock the files again with chattr +i.

5. Limit permissions on different files

chattr +a .bash_history # append-only, so .bash_history cannot be deleted or redirected to /dev/null
chattr +i .bash_history
chmod 700 /usr/bin # restore with: chmod 555 /usr/bin (note: with 700, users other than root cannot run anything in /usr/bin)
chmod 700 /bin/ping # restore with: chmod 4755 /bin/ping (ping is setuid root, hence the leading 4)
chmod 700 /usr/bin/vim # restore with: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat # restore with: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail # restore with: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less # restore with: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head # restore with: chmod 755 /usr/bin/head
chmod 700 /bin/cat # restore with: chmod 755 /bin/cat
chmod 700 /bin/uname # restore with: chmod 755 /bin/uname
chmod 500 /bin/ps # restore with: chmod 755 /bin/ps

6. Do not use Ctrl+Alt+Del to restart the server

cp /etc/inittab /etc/inittabbak
vi /etc/inittab # comments out the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

7. Update the system with yum update, upgrading only the software packages and not the kernel

Because of compatibility between the system and the hardware, a kernel upgrade can leave the server unable to boot normally, which is very serious. Unless there is a specific need, it is not recommended to upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
1. Edit the configuration file with vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section.
2. Or pass the parameter directly to the yum command:
yum --exclude=kernel* update
cat /etc/issue # view the system version
uname -a # view the kernel version

8. Turn off the automatic update of Centos

chkconfig --list yum-updatesd # show the current state
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
service yum-updatesd stop # stop the service (the parameter to start it again is start)
Stopping yum-updatesd: [ OK ]
service yum-updatesd status # check that it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off # do not start at boot in runlevels 3 and 5
chkconfig yum-updatesd off # do not start at boot in any runlevel
chkconfig --list yum-updatesd # show the current state
yum-updatesd    0:off   1:off   2:on    3:off   4:on    5:off   6:off

9. Close the redundant virtual console

We know that to switch from the console to X Window you usually press Alt-F7. Why? Because the system defines six virtual consoles by default, so X becomes the seventh.
Most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.


cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

10. Delete MySQL history

The SQL commands a user runs after logging into the database are also recorded by MySQL, in the .mysql_history file in the user's home directory.
If a database user changes a database password with an SQL statement, that password ends up in .mysql_history as well.
Therefore, when logging in or running backups from the shell, do not put the password directly after -p; enter it at the password prompt instead.
We should also not let these two files record our operations, just in case.


cd
cp .bash_history .bash_historybak # back up first
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

11. Modify the history command record


cp /etc/profile /etc/profilebak
vi /etc/profile
# find HISTSIZE=1000 and change it to HISTSIZE=50

12. Hide server system information

By default, when you log in to the Linux system it shows the name and version of the distribution, the kernel version and the server name.
To stop this default information from leaking, do the following so that only a "login:" prompt is displayed.
Delete /etc/issue and /etc/issue.net, or rename the two files; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak

13. Optimize Linux kernel parameters


cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf # Add the following at the end of the file 

# 1 enables IP forwarding (only needed when this server routes or NATs traffic)
net.ipv4.ip_forward = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000

/sbin/sysctl -p # Enable the configuration to take effect immediately 
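As an added check (not part of the original article), the following shell function compares the keys in a sysctl.conf-style file with the values the kernel reports through sysctl -a and prints OK, DRIFT or MISSING for each one, so that a typo or a key this kernel does not expose (the conntrack keys, for instance, only exist while the conntrack module is loaded) does not go unnoticed after sysctl -p. The file paths in the usage comment are assumptions; the function reads whatever two files it is given.

```shell
#!/bin/sh
# Added example (not from the original article): compare the keys in a
# sysctl.conf-style file with the values the kernel actually reports, so that
# drift, typos and keys this kernel does not expose are visible after sysctl -p.
# Prints one line per desired key: OK, DRIFT (both values) or MISSING.
# usage: sysctl -a 2>/dev/null > /tmp/sysctl.current
#        check_sysctl /etc/sysctl.conf /tmp/sysctl.current
check_sysctl() {
    awk -v desired="$1" '
        # split "key = v1   v2" into the globals K and V, whitespace normalised
        function split_kv(line,   eq) {
            eq = index(line, "=")
            if (eq == 0) return 0
            K = substr(line, 1, eq - 1); V = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", K)
            gsub(/[ \t]+/, " ", V); gsub(/^ | $/, "", V)
            return 1
        }
        BEGIN {
            # pass 1: the desired values, kept in file order
            n = 0
            while ((getline line < desired) > 0) {
                if (line ~ /^[ \t]*([#;]|$)/) continue   # comment or blank line
                if (split_kv(line)) { order[++n] = K; want[K] = V }
            }
            close(desired)
        }
        # pass 2: the current values ("sysctl -a" output) from the second file
        /^[ \t]*([#;]|$)/ { next }
        { if (split_kv($0)) have[K] = V }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have))
                    printf "MISSING %s\n", k
                else if (have[k] != want[k])
                    printf "DRIFT %s: want [%s] have [%s]\n", k, want[k], have[k]
                else
                    printf "OK %s\n", k
            }
        }' "$2"
}
```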

14. CentOS system optimization


cp /etc/profile /etc/profilebak2
vi /etc/profile # Add the following at the end of the file 
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile # Enable the configuration to take effect immediately 
ulimit -a # Displays the current various user process restrictions 

15. Disable ping on the server


cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# the value 0 means allow ping, 1 means ignore it

16. SSH security

If possible, the first thing to do is to change ssh's default port 22 to a higher port such as 20002, which greatly improves security and reduces the number of automated login attempts against ssh.

Create recognizable application users, such as crm, and a system administration user, such as sysmgr:

useradd crm -d /apps/crm
passwd crm

useradd sysmgr
passwd sysmgr

17. Configure login with key files only

Using a key file instead of a simple password can also greatly improve security:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): // default path, press Enter
Enter passphrase (empty for no passphrase): // enter your passphrase; it is used when logging in
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 root@ibpak.tp-link.net
The key's randomart image is:
+--[ RSA 2048]----+
| |
...
| o++o..oo..o|
+-----------------+

Rename the public key to authorized_keys:

$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys # overwrites any existing authorized_keys; append with cat >> to keep existing keys
$ chmod 600 ~/.ssh/authorized_keys

Download the private key file id_rsa to your local machine (rename it hostname_username_id_rsa for easier identification) and keep it in a secure place. From now on, the username user must log in to the host with this private key and its passphrase (the user's own password is no longer used).

In addition, /etc/ssh/sshd_config has to be modified.

Uncomment the following lines:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

(RSAAuthentication applies to SSH protocol 1 only and no longer exists from OpenSSH 7.4 onward; PubkeyAuthentication is the option that matters for protocol 2.)

We require that the username user (who can switch to other users, root in particular) must log in with the ssh key file, while other normal users may still log in with a password. Therefore, add at the end of sshd_config:

Match User itsection
PasswordAuthentication no

The block must stay at the end of the file: every directive after a Match line belongs to that block until the next Match line, and a PasswordAuthentication no placed before it would apply to everyone.

Restart the sshd service (keep your current session open and test a new login before closing it):

service sshd restart

If the server loses the public key, or the client side loses the private key (or its passphrase), it may become impossible to log in to the server and obtain root privileges.
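As an added example (not part of the original article), the shell function below reports the settings sshd would apply to one user, following the two rules this section relies on: for each keyword the first value wins, and everything after a Match line belongs to that block. It handles only the whitespace-separated "Keyword value" form and the User and all Match criteria; the sample config in the test and the user names itsection and crm are taken from the section above.

```shell
#!/bin/sh
# Added example (not from the original article): show the settings sshd would
# apply to one user, following the two rules this section relies on: for each
# keyword the first value wins, and everything after a "Match" line belongs
# to that block until the next "Match". Only the whitespace-separated
# "Keyword value" form and the "User" / "all" Match criteria are handled.
# usage: sshd_effective /etc/ssh/sshd_config itsection
sshd_effective() {
    awk -v user="$2" '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            kw = tolower($1)
            if (kw == "match") {                      # start of a Match block
                in_match = 1; matched = 0
                if (tolower($2) == "all") matched = 1
                for (i = 2; i < NF; i += 2) {         # criterion/value pairs
                    if (tolower($i) != "user") continue
                    n = split($(i + 1), names, ",")
                    for (j = 1; j <= n; j++) if (names[j] == user) matched = 1
                }
                if (matched) any_match = 1
                next
            }
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")   # keep the value only
            if (in_match) {
                if (matched && !(kw in mval)) mval[kw] = $0    # first matching block wins
            } else if (!(kw in gval)) {
                gval[kw] = $0                                  # first global value wins
            }
        }
        END {
            def["port"] = "22"; def["pubkeyauthentication"] = "yes"
            def["passwordauthentication"] = "yes"             # OpenSSH defaults
            split("port pubkeyauthentication passwordauthentication", keys, " ")
            for (i = 1; i <= 3; i++) {
                k = keys[i]
                v = (k in mval) ? mval[k] : ((k in gval) ? gval[k] : def[k])
                printf "%s %s\n", k, v
            }
            printf "match_block %s\n", (any_match ? "yes" : "no")
        }' "$1"
}
```

On newer OpenSSH versions, sshd -T -C user=itsection asks sshd itself for the effective configuration of that user.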

18. Prevent some types of network attack

Network attacks cannot be avoided with a few lines of settings. The following are simple measures that reduce the likelihood of an attack and make it harder, but they cannot prevent attacks completely.

1. Forbid ping
If nobody can ping your system, security naturally increases and ping floods are effectively prevented. Add the following line to /etc/rc.d/rc.local:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or use iptables to ban ping (incoming echo requests, ICMP type 8):

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP # type 8 is echo-request; dropping type 0 (echo-reply) on INPUT would only stop this host's own pings from being answered

To stop this host from pinging other hosts (outgoing echo requests):

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

2. Prevent IP spoofing
Edit /etc/host.conf and add the following lines to guard against IP spoofing attacks.

# name resolution order
order hosts,bind
# allow a host to have multiple IP addresses
multi on
# reject spoofed IP addresses
nospoof on

3. Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, prevents DoS-type attacks.
Add the following lines to /etc/security/limits.conf:

*       soft       core       0
*       soft       nproc     2048
*       hard       nproc     16384
*       soft       nofile 1024
*       hard       nofile   65536

core 0 prohibits the creation of core files; the nproc lines limit the maximum number of processes (soft 2048, hard 16384 above); the nofile lines limit the maximum number of files one user may have open (soft 1024, hard 65536 above); * stands for all users who log in to the system, excluding root.

Then edit /etc/pam.d/login and check that the following line exists:

session       required         pam_limits.so

The value of the limits.conf parameter needs to be adjusted according to the specific situation.

19. Do regular log security checks

Move the logs to a dedicated log server so that an intruder cannot easily alter the local logs. The default log files on common Linux systems and their uses:

/var/log/messages the system log, or current activity log
/var/log/auth.log authentication logs (Debian-based systems)
/var/log/cron crond logs (cron tasks)
/var/log/maillog mail server logs
/var/log/secure authentication and sshd logs (the CentOS counterpart of auth.log)
/var/log/wtmp history of logins, logouts, boots and shutdowns; the lastb command lists users who failed to log in (it reads /var/log/btmp)
/var/run/utmp information on currently logged-in users, the source for the w and who commands
/var/log/yum.log yum log
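As an added example (not part of the original article), the function below runs over /var/log/secure lines and counts failed ssh password attempts per source address, listing the user names tried, which is the kind of check worth doing regularly on the log server. The sample lines are constructed (documentation address ranges, not real hosts) and follow the sshd message format on CentOS.

```shell
#!/bin/sh
# Added example (not from the original article): count failed ssh password
# attempts per source address in /var/log/secure and list the user names tried,
# showing only addresses at or above a threshold. Output: "count ip users".
# usage: failed_logins_by_ip 5 /var/log/secure     (or pipe the log into it)
failed_logins_by_ip() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "... for invalid user NAME from IP port ..." or "... for NAME from IP port ..."
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); name = $(i - 1) }
            count[ip]++
            if (!((ip, name) in seen)) {            # remember each user name once per ip
                seen[ip, name] = 1
                users[ip] = (users[ip] == "") ? name : users[ip] "," name
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= limit) printf "%d %s %s\n", count[ip], ip, users[ip]
        }' "${2:-/dev/stdin}" | sort -rn
}

# constructed sample of /var/log/secure lines (documentation IP ranges, not real hosts)
sample_secure_log() {
    cat <<'EOF'
May 10 23:10:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
May 10 23:10:03 host sshd[1203]: Failed password for root from 198.51.100.7 port 51030 ssh2
May 10 23:10:05 host sshd[1205]: Failed password for crm from 203.0.113.9 port 40011 ssh2
May 10 23:10:09 host sshd[1207]: Accepted publickey for itsection from 192.0.2.5 port 50012 ssh2
May 10 23:10:12 host sshd[1209]: Failed password for invalid user oracle from 198.51.100.7 port 51044 ssh2
EOF
}

# report addresses with two or more failures in the sample
sample_secure_log | failed_logins_by_ip 2
```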

20. Install logwatch
Logwatch is a log analysis tool written in Perl. It analyzes the Linux log files and automatically mails the results to the people responsible; the reports can be customized.

Logwatch sends mail through the mail server that comes with the host system, so a mail server such as sendmail, postfix or qmail must be installed.

21. Web server security

When configuring server-side programs such as Apache or Tomcat, refer to their documentation for security hardening if there is a security problem.
See the blog post on Tomcat security configuration for installation and configuration methods.

So far, the CentOS Linux server security settings are basically complete. The settings above were all verified by the author in a field test (CentOS-5.5-x86_64); please test further security settings and server optimizations yourself.

