[Collection] Summary of general security configuration of Centos system

888u

Last updated: 2023-12-29, edited by 888u

Security is relative. In general you have to pay careful attention to avoid certain hazards; drunk driving, for example, is irresponsible toward yourself and others. Linux is indeed more secure than Windows and has better stability and performance, but some simple, necessary security settings still have to be configured, so today I will summarize the general security configuration of a CentOS system.


1. System security log files
View the security log:
#more /var/log/secure
Count the source IP addresses and how many times each one appears:
#grep -oP '(\d+\.){3}\d+' /var/log/secure | sort | uniq -c
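The pipeline above counts every address in the log. The script below is an added example (not part of the original post) that runs the same count over a constructed /var/log/secure excerpt and then narrows it to failed logins per address, which is what you actually want when deciding which sources to block; the sample lines and the 203.0.113.7 / 198.51.100.20 addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): count source IPs in a constructed
# /var/log/secure excerpt the way the grep|sort|uniq pipeline above does, and also
# count only failed logins per address so brute-force sources stand out.

# Constructed sample of /var/log/secure lines (sshd format, documentation addresses).
SECURE_SAMPLE='Dec 29 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 29 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Dec 29 10:01:09 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
Dec 29 10:01:12 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51050 ssh2
Dec 29 10:02:30 host sshd[1210]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Dec 29 10:03:11 host sshd[1212]: Failed password for deploy from 198.51.100.20 port 40031 ssh2
Dec 29 10:04:00 host sshd[1214]: Accepted password for deploy from 198.51.100.20 port 40040 ssh2'

# Count every IPv4 address in stdin, most frequent first. Same idea as
# grep -oP '(\d+\.){3}\d+' | sort | uniq -c, but -E also works where grep has no PCRE.
count_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -rn
}

# Same count restricted to "Failed password" lines, the usual brute-force signal.
count_failed_ips() {
    grep 'Failed password' | count_ips
}

# Number of failed-password attempts recorded for one address ($1) in the sample.
failed_count_for() {
    printf '%s\n' "$SECURE_SAMPLE" \
        | awk -v ip="$1" '/Failed password/ && index($0, "from " ip " ") { n++ } END { print n + 0 }'
}

# Addresses whose failed attempts reach the threshold ($1, default 3): candidates
# for an iptables rule or an /etc/hosts.deny entry.
flag_bruteforce() {
    printf '%s\n' "$SECURE_SAMPLE" | count_failed_ips \
        | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Stand-alone run: overall counts, then the flagged addresses.
printf '%s\n' "$SECURE_SAMPLE" | count_ips
flag_bruteforce 3
```

On a real system replace the embedded sample with `cat /var/log/secure` as the input to count_failed_ips.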
2. Startup and login security
1. User password
Set the minimum password length in /etc/login.defs:
#vi /etc/login.defs
PASS_MIN_LEN 8
2. Comment out unnecessary users and user groups
vi /etc/passwd
vi /etc/group
3. Password files
Use the chattr command to set the immutable attribute on the following files so that unauthorized users cannot modify them to gain privileges. Note that while the attribute is set nobody, root included, can change these files, so commands such as useradd and passwd will fail until it is removed again with chattr -i.
#chattr +i /etc/passwd
#chattr +i /etc/shadow
#chattr +i /etc/group
#chattr +i /etc/gshadow
4. Disable the Ctrl+Alt+Delete reboot key combination
Edit /etc/inittab and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now".
Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:
#chmod -R 700 /etc/rc.d/init.d/*
This way only root can read, write or execute the above script files.
5. Restrict the su command
If you do not want just anyone to be able to su to root, edit /etc/pam.d/su and add the following two lines:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd
Now only users in the isd group can su to root. Afterwards, if you want user admin to be able to su to root, add admin to that group with the following command (-a appends to the user's existing supplementary groups instead of replacing them):
#usermod -a -G 10 admin
6. Change the SSH port, preferably to one above 10,000; the probability of someone scanning it drops accordingly.
Do not allow the lower version of the SSH protocol:
#vi /etc/ssh/sshd_config
Find the line
#Protocol 2,1
and change it to
Protocol 2
Change Port to a port above 1000:
#vi /etc/ssh/sshd_config
Port 10000
At the same time, create a normal login user and disable direct root login:
#useradd username
#passwd username
#vi /etc/ssh/sshd_config
PermitRootLogin no
(this disables direct remote login as root)
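A quick way to confirm that item 6 actually took effect is to read the settings back the way sshd does: it uses the first uncommented value it finds for a keyword, so a leftover "#Protocol 2,1" or "#Port 22" line counts for nothing. The checker below is an added example, not part of the original post; the two embedded sshd_config texts (before and after hardening) are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the three
# settings of item 6 (Protocol 2 only, a high port, no direct root login). sshd uses
# the first value it reads for a keyword, so the checker does the same and skips
# commented-out lines such as "#Protocol 2,1" and "#Port 22".

# Constructed sshd_config before hardening (CentOS-style, with commented defaults).
SSHD_BEFORE='#Port 22
#Protocol 2,1
Protocol 2,1
#PermitRootLogin yes
X11Forwarding no'

# The same file after applying item 6 (constructed).
SSHD_AFTER='Port 10000
Protocol 2
PermitRootLogin no
X11Forwarding no'

# Print the effective value of keyword $1 (first uncommented match, case-insensitive),
# or nothing if it is unset, in which case sshd falls back to its compiled-in default.
sshd_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }'
}

# Audit a config read from stdin: one "OK ..." or "WARN ..." line per rule, return 1 on any WARN.
audit_sshd() {
    cfg=$(cat); rc=0
    proto=$(printf '%s\n' "$cfg" | sshd_value Protocol)
    port=$(printf '%s\n' "$cfg" | sshd_value Port)
    root=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
    # Anything but exactly "2" (e.g. "2,1" or "1") still offers the SSH-1 protocol.
    if [ "$proto" = "2" ]; then echo "OK Protocol"
    else echo "WARN Protocol: '${proto:-unset}' (must be exactly 2)"; rc=1; fi
    # Unset means the default port 22; the post asks for a high port.
    if [ -n "$port" ] && [ "$port" -gt 1000 ] 2>/dev/null; then echo "OK Port"
    else echo "WARN Port: '${port:-22}' is the default or a low port"; rc=1; fi
    # Unset means the compiled-in default, which is "yes" on OpenSSH releases before 7.0.
    if [ "$root" = "no" ]; then echo "OK PermitRootLogin"
    else echo "WARN PermitRootLogin: '${root:-unset}' (must be no)"; rc=1; fi
    return $rc
}

# Stand-alone run: the first audit reports three WARN lines, the second three OK lines.
printf '%s\n' "$SSHD_BEFORE" | audit_sshd || true
printf '%s\n' "$SSHD_AFTER" | audit_sshd
```

To audit the live file, feed it in with `audit_sshd < /etc/ssh/sshd_config` and restart sshd only once every rule reports OK.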
7. Shut down unnecessary services. Remember: every service you do not start is one less risk.
Only the services that need to be started are listed below; every service not listed is shut down:
#setup
acpid
anacron
cpuspeed
crond
irqbalance (only needed when the server CPU is SMP, dual-core or supports Hyper-Threading; otherwise turn it off)
microcode_ctl
network
random
sendmail
sshd
syslog
yum-updatesd
8. Enabling the iptables firewall does a great deal for system security. Set up firewall rules and start it:
#/etc/init.d/iptables start
3. Restrict network access
1. NFS access
When using the NFS network file system service, make sure /etc/exports has the most restrictive access settings possible: do not use any wildcards, do not allow root write access, and only allow read-only mounts. Edit /etc/exports and add the following two lines:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/dir/to/export is the directory you want to export, host1.mydomain.com is the name of the machine allowed to mount it, ro means it is mounted read-only, and root_squash maps the client's root user to an unprivileged user so that root cannot write to the directory. For the changes to take effect, run the following command:
#/usr/sbin/exportfs -a
2. TCP_WRAPPERS settings
By default most Linux systems accept all requests, and using TCP_WRAPPERS to tighten that is straightforward. Edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions: for example, set /etc/hosts.deny to "ALL:ALL" to deny all access by default, and then list the permitted access in /etc/hosts.allow.
For example, "sshd:192.168.10.10/255.255.255.0 gate.openarch.com" means that the IP address 192.168.10.10 and the host gate.openarch.com are allowed to connect via SSH.
3. Login terminal settings
The /etc/securetty file specifies the tty devices from which root may log in; it is read by the /bin/login program and its format is simply a list of allowed device names. Edit /etc/securetty and comment out every line except tty1:
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
Now root can only log in at the tty1 terminal.
4. Prevent attacks
1. Block ping
If no one can ping the system, security naturally increases. To do this, add the following line to /etc/rc.d/rc.local:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
2. Prevent IP spoofing
Edit /etc/host.conf and add the following lines to prevent IP spoofing attacks:
order bind,hosts (name resolution order)
multi on (allow hosts with multiple addresses, i.e. multiple network cards)
nospoof on (reject IP spoofing)
3. Prevent DoS attacks
Setting resource limits for all users of the system, such as the maximum number of processes and memory usage, can prevent DoS-type attacks.
For example, add the following lines to /etc/security/limits.conf:
* hard core 0
* hard rss 5000
* hard nproc 20
Then check that /etc/pam.d/login contains the following line:
session required /lib/security/pam_limits.so
core 0 prohibits the creation of core files,
nproc 20 limits the maximum number of processes to 20,
* applies the limit to all users logged into the system,
rss 5000 means that users other than root can use at most about 5M of memory (the value is in KB). Together these give better control over users' consumption of processes, core files and memory on the system.

Note: All the above content is excerpted from the book "Familiar with Linux System Security and Optimization".


All copyrights belong to 888u unless otherwise stated.