Security configuration for CentOS 6 (CentOS Linux server security settings)

Time:2021-10-13

1、 System security log files

The operating system's log files are an important clue for detecting network intrusions. If your system is directly connected to the Internet and you find that many people are trying to log in to it over telnet/ftp, you can run “# more /var/log/secure | grep rejected” to check the attacks on the system and take corresponding countermeasures, such as replacing telnet/rlogin with SSH.

2、 Startup and login security

1. BIOS security

Setting the BIOS password and changing the boot order prevents the system from starting from the floppy disk.

2. User password

The user password is the basic starting point of Linux security. Many people use passwords that are too simple, which opens the door to intruders. In theory, given enough time and resources, no password is uncrackable, but a well-chosen password is difficult to crack. A good password is a string of characters that only its owner can easily remember and understand, and that is never written down anywhere.

To change the minimum password length, edit the login.defs file:
vi /etc/login.defs
PASS_MIN_LEN 8

3. Comment out unnecessary users and user groups

All default accounts that ship with the operating system and are not needed should be disabled. You should do this when you first install the system. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is to attack.

vi /etc/passwd
#userdel adm
#userdel lp
#userdel sync
#userdel shutdown
#userdel halt
#userdel news
#userdel uucp
#userdel operator
#userdel games
#userdel gopher
#userdel ftp
vi /etc/group
#groupdel adm
#groupdel lp
#groupdel news
#groupdel uucp
#groupdel games
#groupdel dip
#groupdel pppusers

4. Password file

The chattr command adds the immutable attribute to the following files to prevent unauthorized users from gaining permissions.

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

5. Disable the Ctrl+Alt+Delete reboot command

Edit the /etc/inittab file and comment out the line “ca::ctrlaltdel:/sbin/shutdown -t3 -r now”. Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:

# chmod -R 700 /etc/rc.d/init.d/*

In this way, only root can read, write, or execute all of the above script files.

6. Limit the su command

If you don’t want just anyone to be able to su to root, you can edit the /etc/pam.d/su file and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

With this in place, only members of the isd group can su to root. After that, if you want the user admin to be able to su to root, you can run the following command:
# usermod -G10 admin   # Note: the ID of the isd group is not necessarily 10, so be careful. CentOS 6 does not ship with an isd group!

If you want to restrict the ability to su to root so that only a specified user group can use su, you can edit /etc/pam.d/su, which contains the following comment:

# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid

Change the second line to the following and save:

auth required pam_wheel.so group=mysugroup

Create the mysugroup user group and add the appropriate users to it. From then on, only members of this group can use su to switch to root. On a production server, it is also better to prevent the root user from logging in remotely over SSH.

7. Remove login banner information

By default, the login prompt shows the Linux distribution, kernel version, server host name, and so on. For a machine with high security requirements, this leaks too much information. You can edit /etc/rc.d/rc.local and comment out the following lines, which output the system information. (Note: under CentOS 6, the file does not contain the following lines.)

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue

Then, do the following:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

8. It is better to change the SSH port to one above 10000; the probability of others scanning the port will also decrease

Disallow the older version of the SSH protocol:
vi /etc/ssh/sshd_config
Change #Protocol 2,1 to
Protocol 2
(Note: the older protocol version is already disabled by default under CentOS 6)

Change the port to one above 1000:
vi /etc/ssh/sshd_config
Port 10000

At the same time, create a normal login user and disable direct root login:
useradd 'username'
passwd 'username'

vi /etc/ssh/sshd_config
# Disable direct remote root login
PermitRootLogin no
# Disable X11 forwarding (the server usually does not run X, so don’t turn on X forwarding)
X11Forwarding no
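
The sshd_config settings from this step can be checked mechanically. The audit script below is an added example, not part of the original article; the function names and the sample config are constructed for illustration, and the defaults it assumes for unset keywords are noted in the comments.

```shell
#!/bin/sh
# Audit an sshd_config file for the four settings recommended in this step.
# sshd keywords are case-insensitive and the first occurrence wins, so only
# the first uncommented line for each keyword is read.

# first_value FILE KEYWORD: print the first uncommented value, lower-cased.
first_value() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL or OK line per checked setting.
audit_sshd_config() {
    cfg=$1
    proto=$(first_value "$cfg" Protocol)
    case ",$proto," in
        *,1,*) echo "FAIL Protocol $proto still accepts SSHv1" ;;
        *)     echo "OK   Protocol ${proto:-unset}" ;;
    esac

    # Assumption: OpenSSH of the CentOS 6 era allows root login when unset.
    root=$(first_value "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin ${root:-unset} allows direct root login"; fi

    x11=$(first_value "$cfg" X11Forwarding)
    if [ "$x11" = "yes" ]; then echo "FAIL X11Forwarding yes"
    else echo "OK   X11Forwarding ${x11:-unset}"; fi

    # The article recommends moving off the default port; unset means 22.
    port=$(first_value "$cfg" Port)
    if [ "${port:-22}" = "22" ]; then echo "FAIL Port ${port:-unset} is the default 22"
    else echo "OK   Port $port"; fi
}

# Constructed sample: a config that has not been hardened yet.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Protocol 2,1
#PermitRootLogin yes
X11Forwarding yes
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd, and keep an existing session open while testing the new port.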

9. Turn off the services you don’t need. Remember that every service you leave off is one less danger.

Only the services that need to be started are listed below; turn off all services that are not listed:

#setup
acpid
anacron
cpuspeed
crond
irqbalance # only needs to be enabled when the server CPU is SMP or supports dual core and HT technology; otherwise turn it off
microcode_ctl
network
random # (this service is not available in CentOS 6)
sendmail
sshd
syslog
yum-updatesd

10. Enable the iptables firewall, which has many benefits for system security, and set the firewall rules.

vi /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# add any more rules here
COMMIT
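
As written, the ruleset above sets the INPUT policy to DROP and accepts only loopback and established traffic, so loading it over a remote session cuts off new SSH connections until an accept rule is added at the marked place. The pre-flight check below is an added example, not part of the original article; the function names are hypothetical and the SSH rule uses port 10000 from step 8.

```shell
#!/bin/sh
# Pre-flight check for an iptables-restore ruleset before it is loaded.
# Scope (assumption): plain "-A INPUT ... -p tcp ... --dport N ... -j ACCEPT"
# rules; source restrictions and earlier DROP rules are not evaluated.

# input_policy FILE: print the default policy of the INPUT chain.
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }' "$1"
}

# accepts_tcp_port FILE PORT: succeed if an INPUT rule accepts TCP to PORT.
accepts_tcp_port() {
    awk -v port="$2" '
        /^[ \t]*#/ { next }
        $1 == "-A" && $2 == "INPUT" {
            tcp = 0; dport = 0; accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i+1) == "tcp") tcp = 1
                if ($i == "--dport" && $(i+1) == port) dport = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (tcp && dport && accept) found = 1
        }
        END { exit !found }
    ' "$1"
}

# lockout_check FILE PORT: print "ok: ..." or "lockout: ..." for the SSH port.
lockout_check() {
    if [ "$(input_policy "$1")" != "DROP" ] || accepts_tcp_port "$1" "$2"; then
        echo "ok: tcp/$2 is reachable under this ruleset"
    else
        echo "lockout: INPUT policy is DROP and no rule accepts tcp/$2"
    fi
}

# Constructed sample: the article's ruleset, then the same with an SSH rule.
base='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
ssh_rule='-A INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT'
rules=$(mktemp)
printf '%s\nCOMMIT\n' "$base" > "$rules"; lockout_check "$rules" 10000
printf '%s\n%s\nCOMMIT\n' "$base" "$ssh_rule" > "$rules"; lockout_check "$rules" 10000
rm -f "$rules"
```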

3、 Restrict network access

1. NFS access

If you use the NFS network file system service, you should ensure that your /etc/exports has the most stringent access permission settings, which means that you do not use any wildcards, do not allow root write permission, and only allow mounting as a read-only file system. Edit the file /etc/exports and add the following two lines.

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export. host.mydomain.com is the name of the machine that is allowed to mount this directory. ro means the mount is read-only, and root_squash prevents root from writing to this directory. In order for the changes to take effect, run the following command.

# /usr/sbin/exportfs -a

2. Inetd settings

First, confirm that the owner of /etc/inetd.conf is root and that the file permission is set to 600. After setting it, you can use the “stat” command to check.
# chmod 600 /etc/inetd.conf
Then, edit /etc/inetd.conf to disable the following services.
ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have SSH/SCP installed, you can also disable telnet/FTP. In order for the change to take effect, run the following command:
# killall -HUP inetd

By default, most Linux systems allow all requests, and using TCP_Wrappers to enhance system security takes only a small effort. You can modify /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to “ALL: ALL” denies all access by default. Then add the allowed access to the /etc/hosts.allow file. For example, “sshd: 192.168.1.10/255.255.255.0 gate.openarch.com” means that IP address 192.168.1.10 and host name gate.openarch.com are allowed to connect through SSH.

After configuration, you can use tcpdchk to check:
# tcpdchk

tcpdchk is the TCP_Wrappers configuration checking tool; it checks your TCP wrapper configuration and reports all potential and existing problems it finds.

3. Login terminal settings

The /etc/securetty file specifies the TTY devices on which root is allowed to log in. It is read by the /bin/login program. Its format is a list of allowed names. You can edit /etc/securetty and comment out the following lines.

tty1
# tty2
# tty3
# tty4
# tty5
# tty6

After this, root can only log in at the tty1 terminal.

4. Avoid displaying system and version information.

If you want the remote login user not to see the system and version information, you can change the /etc/inetd.conf file as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding -h means telnet does not display system information and only displays “login:”.

5. Modify the corresponding configuration file to stop IPv6.
#vi /etc/modprobe.conf
alias net-pf-10 off
alias ipv6 off
#shutdown -r now

4、 Prevent attack

1. Prevent ping. If no one can ping your system, the security will naturally increase. To do this, you can add the following line to the /etc/rc.d/rc.local file:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing

Edit the host.conf file and add the following lines to prevent IP spoofing attacks.
order bind,hosts
multi off
nospoof on

3. Prevent DoS attacks

Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can prevent DoS-type attacks. For example, you can add the following lines to /etc/security/limits.conf:

* hard core 0
* hard rss 5000   # (this line may be useless: man limits.conf lists rss as "maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)")
* hard nproc 50

Then you must edit the /etc/pam.d/login file and check that the following line exists.

session required /lib/security/pam_limits.so

The above settings prohibit core (debugging) files, limit the number of processes to 50, and limit the memory usage to 5MB.

Through the above settings, your Linux server can be immune to most known security problems and network attacks, but an excellent system administrator should always pay attention to the network security dynamics and repair the exposed and potential security vulnerabilities at any time.

5、 Kernel parameter adjustment

The settings in this section appear to differ from those under CentOS 6; use them as a reference where appropriate
(for CentOS 6, see this article)

# vi /etc/sysctl.conf
# Entries in /etc/sysctl.conf are written as key=value, without "sysctl -w"
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
#net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_conntrack_max=65535
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_fin_timeout=5
net.ipv4.tcp_synack_retries=1
net.ipv4.route.gc_timeout=100
net.ipv4.tcp_keepalive_time=500
net.ipv4.tcp_max_syn_backlog=10000
