CentOS 6.5 server security reinforcement and performance optimization

Time: 2021-7-25

Anyone who works with Linux regularly knows something about tuning system parameters and hardening the system. Many of the system's defaults are conservative: adjusting kernel parameters lets the system make better use of memory, CPU and kernel resources, and disabling unneeded services and ports improves security and keeps the system available. Based on my experience with Linux, I summarize the tuning steps as follows:
Operating system: CentOS 6.5 x86_64, minimal installation

1. Host name settings

The code is as follows:

[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=test.com
[root@localhost ~]# hostname test.com    # takes effect immediately, but only until reboot

2. Turn off SELinux

The code is as follows:

[root@localhost ~]# vi /etc/selinux/config
SELINUX=disabled
[root@localhost ~]# setenforce 0    # temporary: permissive mode until reboot
[root@localhost ~]# getenforce      # view the SELinux status

3. Clear the firewall and set rules

The code is as follows:

[root@localhost ~]# iptables -F    # clear the firewall rules
[root@localhost ~]# iptables -L    # view the firewall rules
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p udp --dport 123 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# /etc/init.d/iptables save

# Open other ports as required.
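The same INPUT policy written as a persistent ruleset, as an added example that is not from the original post: it renders the page's rules in the iptables-save format that `/etc/init.d/iptables save` writes to /etc/sysconfig/iptables, adds the loopback and ESTABLISHED,RELATED rules a DROP policy needs, and loads them atomically. The function names and the `show`/`apply` subcommands are my own.

```shell
# Ports the page opens, as "proto port" pairs (taken from the rules above).
OPEN_PORTS='tcp 22
tcp 80
tcp 53
udp 53
udp 123'

# Emit the full ruleset in iptables-save format. Two rules the page's list
# lacks are added: loopback traffic, and replies to connections the server
# itself opened (without the state rule, answers to the host's own DNS
# lookups and yum downloads are dropped once the INPUT policy is DROP).
render_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$OPEN_PORTS" | while read -r proto port; do
        printf '%s\n' "-A INPUT -p $proto --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT' 'COMMIT'
}

# The INPUT policy is DROP, so tcp/22 must be accepted explicitly or the
# SSH session applying the rules is cut off.
keeps_ssh() {
    render_rules | grep -q -- '-p tcp --dport 22 -j ACCEPT'
}

# iptables-restore swaps in the whole table in one step (no window with a
# DROP policy and an empty chain), then the page's save command persists it.
apply_rules() {
    keeps_ssh || { echo 'refusing: tcp/22 is not accepted' >&2; return 1; }
    render_rules | iptables-restore && /etc/init.d/iptables save
}

case "${1:-}" in
    show)  render_rules ;;
    apply) apply_rules ;;
esac
```

Run with `show` to review the ruleset, and with `apply` as root to load and save it.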

4. Add an ordinary user and manage privileges with sudo

The code is as follows:

[root@localhost ~]# useradd user
[root@localhost ~]# echo "123456" | passwd --stdin user    # set the password
[root@localhost ~]# vi /etc/sudoers    # or visudo; grant the user full privileges
root ALL=(ALL) ALL
user ALL=(ALL) ALL

5. Disable root remote login

The code is as follows:

[root@localhost ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
PermitEmptyPasswords no    # prohibit login with an empty password
UseDNS no                  # turn off reverse DNS lookups of connecting clients

6. Turn off unneeded services that start at boot

7. Delete unnecessary system users

8. Disable the Ctrl+Alt+Delete reboot key combination

The code is as follows:

[root@localhost ~]# vi /etc/init/control-alt-delete.conf
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"    # comment out this line

9. Raise the file descriptor limit

The code is as follows:

[root@localhost ~]# ulimit -n    # the default is 1024
1024
[root@localhost ~]# echo "ulimit -SHn 102400" >> /etc/rc.local    # applied automatically at boot

10. Remove system version information

The code is as follows:

[root@localhost ~]# echo "Welcome to Server" >/etc/issue
[root@localhost ~]# echo "Welcome to Server" >/etc/redhat-release

11. Modify the history size

The code is as follows:

[root@localhost ~]# vi /etc/profile    # keep only 10 history entries
HISTSIZE=10

12. Synchronize the system time

The code is as follows:

[root@localhost ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime    # set the time zone to Shanghai
[root@localhost ~]# ntpdate cn.pool.ntp.org ; hwclock -w    # synchronize the time and write it to the BIOS hardware clock
[root@localhost ~]# crontab -e    # schedule the synchronization as a cron job (this entry runs at minute 0 of every hour)
0 * * * * /usr/sbin/ntpdate cn.pool.ntp.org ; hwclock -w

13. Kernel parameter optimization

The code is as follows:

[root@localhost ~]# vi /etc/sysctl.conf    # append the following parameters at the end of the file
net.ipv4.tcp_syncookies = 1    # 1 enables SYN cookies: when the SYN wait queue overflows, cookies handle the excess, which mitigates small SYN floods. Default 0
net.ipv4.tcp_tw_reuse = 1    # 1 allows TIME_WAIT sockets to be reused for new TCP connections. Default 0
net.ipv4.tcp_tw_recycle = 1    # the original comment on this line ("number of failed TCP retransmissions, 15 by default; fewer retransmissions free kernel resources") describes net.ipv4.tcp_retries2, not this key, which is set again below
net.ipv4.ip_local_port_range = 4096 65000    # range of local ports available to applications
net.ipv4.tcp_max_tw_buckets = 5000    # maximum number of TIME_WAIT sockets held at the same time; beyond it TIME_WAIT sockets are destroyed immediately and a warning is logged. Default 180000
net.ipv4.tcp_max_syn_backlog = 4096    # maximum queue of received SYN requests. Default 1024
net.core.netdev_max_backlog = 10240    # maximum number of packets queued when an interface receives them faster than the kernel processes them. Default 300
net.core.somaxconn = 2048    # maximum number of pending connections in a listen() backlog. Default 128
net.core.wmem_default = 8388608    # default send buffer size in bytes
net.core.rmem_default = 8388608    # default receive buffer size in bytes
net.core.rmem_max = 16777216    # maximum receive buffer size
net.core.wmem_max = 16777216    # maximum send buffer size
net.ipv4.tcp_synack_retries = 2    # SYN-ACK retries during the handshake. Default 5
net.ipv4.tcp_syn_retries = 2    # retries of an outgoing SYN. Default 4
net.ipv4.tcp_tw_recycle = 1    # enable fast recycling of TIME_WAIT sockets. Default 0
net.ipv4.tcp_max_orphans = 3276800    # maximum number of TCP sockets not attached to any user file handle; beyond it orphaned connections are reset immediately and a warning is logged
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_mem[0]: below this value TCP is under no memory pressure;
net.ipv4.tcp_mem[1]: above this value TCP enters the memory-pressure stage;
net.ipv4.tcp_mem[2]: above this value TCP refuses to allocate sockets. The unit of all three values is pages, not bytes, so they can be raised on machines with more physical memory.
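An audit helper for the sysctl block above, added here as an example and not the author's code: it normalizes a sysctl.conf-style text the way `sysctl -p` reads it, reports keys defined more than once (the page's own list sets net.ipv4.tcp_tw_recycle twice), warns when tcp_tw_recycle ends up enabled, and compares the file with the running kernel. The sample excerpt and the function names are constructed for this example.

```shell
# Constructed excerpt in the page's style, with a key repeated on purpose.
sample_conf() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1          # enable SYN cookies
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_mem =  94500000   915000000 927000000
net.core.somaxconn=2048
net.ipv4.tcp_tw_recycle = 1
EOF
}

# Read sysctl.conf text on stdin, print "key value" per setting: comments
# dropped, whitespace collapsed, and for a repeated key the LAST value
# wins, which is also what `sysctl -p` ends up applying.
normalize_conf() {
    awk -F '=' '/^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 2 { key = $1; val = $2
            gsub(/[ \t]/, "", key); sub(/#.*/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
            if (!(key in last)) order[++n] = key
            last[key] = val }
        END { for (i = 1; i <= n; i++) print order[i], last[order[i]] }'
}

# Keys that appear more than once in the text on stdin, sorted.
duplicate_keys() {
    awk -F '=' '/^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 2 { k = $1; gsub(/[ \t]/, "", k); c[k]++ }
        END { for (k in c) if (c[k] > 1) print k }' | sort
}

# Returns 1 when tcp_tw_recycle ends up enabled: combined with TCP
# timestamps it rejects SYNs from clients behind NAT (PAWS check), and
# the option was removed from Linux in 4.12.
warn_tw_recycle() {
    if normalize_conf | grep -q '^net.ipv4.tcp_tw_recycle 1$'; then
        echo "WARN: net.ipv4.tcp_tw_recycle=1 breaks clients behind NAT" >&2
        return 1
    fi
}

# Print each key whose live kernel value (sysctl -n) differs from the file;
# run as `diff_live < /etc/sysctl.conf` after `sysctl -p` to confirm.
diff_live() {
    normalize_conf | while read -r key want; do
        have=$(sysctl -n "$key" 2>/dev/null | tr -s ' \t' ' ' | sed 's/ *$//')
        [ "$have" = "$want" ] || echo "$key: file=$want live=${have:-unset}"
    done
}
```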

With this, the CentOS 6.5 x86_64 minimal installation is basically optimized and tuned; reboot the system for all of the changes to take effect.

This article comes from the “Penguin” blog.