Linux Security and Optimization

Add Date : 2018-11-21

Introduction:

The principle to keep in mind: the fewest running services plus the minimum necessary permissions equals maximum security.

So whatever server you are configuring, shut down every service that is not needed and set system permissions to the minimum required; that is what keeps the server as safe as possible. Below are CentOS server security settings for your reference.

First, comment out the system users and user groups that are not needed
Note: deleting them outright is not recommended; if you later need one of these users, re-adding it is a lot of trouble.
cp /etc/passwd /etc/passwdbak    # back up before changing anything
vi /etc/passwd                   # edit the users; comment a line out by putting # in front of it
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comments out the anonymous ftp account
cp /etc/group /etc/groupbak      # back up before changing anything
vi /etc/group                    # edit the groups; comment a line out by putting # in front of it
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
Second, shut down services the system does not need
service acpid stop; chkconfig acpid off            # stop the service and remove it from boot: ACPI advanced power management, common on laptops
service autofs stop; chkconfig autofs off          # disable automatic mounting of file systems and peripheral devices
service bluetooth stop; chkconfig bluetooth off    # disable Bluetooth
service cpuspeed stop; chkconfig cpuspeed off      # disable CPU frequency scaling, mainly used for power saving
service cups stop; chkconfig cups off              # disable the Common UNIX Printing System (printer support)
service ip6tables stop; chkconfig ip6tables off    # disable ip6tables, the IPv6 firewall
##################################################################################################
If you want to bring a service back, run the reverse:
service acpid start; chkconfig acpid on

Third, prevent non-root users from running the scripts under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 755 /etc/rc.d/init.d/*    # restore the stock mode (755; do not use 777, which would make the scripts world-writable)

Fourth, set the immutable attribute on the following files so that unauthorized users cannot change them to gain privileges
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the list of system service ports so services cannot be added or removed without authorization
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # show the attributes
Note: once these attributes are set, users can no longer be added or deleted.
If you need to add or delete a user, remove the settings above first, make the user changes, and then apply the settings again:
chattr -i /etc/passwd    # remove the lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services    # unlock the list of system service ports
You can now add and delete users; afterwards, lock the files again.
Fifth, restrict the permissions of various files
chattr +a .bash_history    # prevents .bash_history being deleted or redirected to /dev/null
chattr +i .bash_history
chmod 700 /usr/bin          # restore with: chmod 555 /usr/bin
chmod 700 /bin/ping         # restore with: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim      # restore with: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat      # restore with: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail     # restore with: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less     # restore with: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head     # restore with: chmod 755 /usr/bin/head
chmod 700 /bin/cat          # restore with: chmod 755 /bin/cat
chmod 700 /bin/uname        # restore with: chmod 755 /bin/uname
chmod 500 /bin/ps           # restore with: chmod 755 /bin/ps
Sixth, disable the Ctrl+Alt+Del shortcut for rebooting the server
cp /etc/inittab /etc/inittabbak
vi /etc/inittab    # comment out this line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Seventh, do not use yum update to upgrade the system kernel; update packages only

Because of compatibility problems between the system and the hardware, a server may fail to boot after a kernel upgrade, which is a very unpleasant situation; unless it is specifically required, do not upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
1. Edit the yum configuration file with vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section, or
2. Pass the parameter directly on the yum command line:
yum --exclude=kernel* update
Show the system version:   cat /etc/issue
Show the kernel version:   uname -a
Eighth, turn off CentOS automatic updates
chkconfig --list yum-updatesd    # show the current status
yum-updatesd    0:off   1:off   2:on   3:on   4:on   5:on   6:off
service yum-updatesd stop        # stop the service (use start to turn it back on)
Stopping yum-updatesd:                                     [  OK  ]
service yum-updatesd status      # confirm it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off    # do not start at boot in runlevels 3 and 5
chkconfig yum-updatesd off               # do not start at boot in any runlevel
chkconfig --list yum-updatesd    # show the current status
yum-updatesd    0:off   1:off   2:on   3:off   4:on   5:off   6:off
Ninth, turn off the extra virtual consoles
We know that switching from the console to the X window system is generally done with Alt-F7. Why? Because the system defines six virtual consoles by default, so X becomes the seventh. In practice most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

Tenth, delete the MySQL login history
MySQL also records database operations in the .mysql_history file in the user's home directory.
If a database user's password is changed with an SQL statement, the .mysql_history file leaks it as well.
So when logging in from the shell or running backups, do not put the password directly after -p; enter it at the prompt instead.
In addition, these two files should not record our operations at all, just in case.
cd
cp .bash_history .bash_historybak    # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

Eleventh, reduce the number of commands kept in the history
cp /etc/profile /etc/profilebak
vi /etc/profile
Find HISTSIZE=1000 and change it to HISTSIZE=50

Twelfth, hide the server's system information
By default, when you log in to a Linux system it tells you the distribution name, version, and kernel version of the server.
To keep this default information from leaking, do the following so that only a "login:" prompt is shown.
Delete /etc/issue and /etc/issue.net, or rename them; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak

Thirteenth, optimize the Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf    # add the following at the end of the file
# ip_forward is changed to 1
net.ipv4.ip_forward = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p    # make the configuration take effect immediately
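As an added example (not from the original article), this POSIX shell script compares the values in a sysctl.conf-style file with what the running kernel reports, which answers the question left open after sysctl -p: did every setting actually take effect, and has any been overridden since? The function names, the offline getter used for testing, and the sample file in the comments are assumptions of this example, not anything from the article.

```shell
#!/bin/sh
# Added example, not from the original article: report "drift" between a
# sysctl.conf-style file and the running kernel. Keys are read from the file,
# so it works for the tuning list above as well as for any other sysctl file.
# Assumes procps sysctl is installed for the live check; a different getter
# function can be passed in (used for offline testing below).

# sysctl_conf_get FILE KEY: print the value of KEY in FILE (the last entry
# wins, as sysctl itself does), whitespace-normalised; prints nothing if absent
sysctl_conf_get() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')        # dots in the key are literal
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tr -s ' \t' ' ' | tail -n 1
}

# sysctl_conf_keys FILE: list the keys set in FILE, skipping comments and
# repeated keys (keeping first-seen order)
sysctl_conf_keys() {
    sed -n 's/^[[:space:]]*\([a-z0-9_.]*\)[[:space:]]*=.*/\1/p' "$1" | awk '!seen[$0]++'
}

# live_sysctl KEY: current kernel value, empty if the key does not exist
live_sysctl() {
    sysctl -n "$1" 2>/dev/null | tr -s ' \t' ' '
}

# sysctl_drift FILE [GETTER]: print one line per key whose running value
# differs from FILE; returns 1 if any drift was found, 0 if all match
sysctl_drift() {
    conf=$1
    getter=${2:-live_sysctl}
    rc=0
    for key in $(sysctl_conf_keys "$conf"); do
        want=$(sysctl_conf_get "$conf" "$key")
        have=$("$getter" "$key" | tr -s ' \t' ' ')
        if [ "$want" != "$have" ]; then
            echo "$key: conf='$want' running='$have'"
            rc=1
        fi
    done
    return $rc
}

# On a real host: sysctl_drift /etc/sysctl.conf   (exit status 0 means no drift)
```

A key that sysctl reports as empty usually means the module providing it (for example the conntrack keys above) is not loaded, which is itself worth knowing before trusting the file.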

Fourteenth, CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile    # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile    # make the configuration take effect immediately
ulimit -a              # show the various limits on the current user's processes
Fifteenth, make the server ignore ping
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local    # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The parameter 0 allows ping; 1 disables it.

At this point the CentOS Linux server security settings are basically complete. I have tested the settings above in practice (CentOS-5.5-x86_64) and they are fully usable; please test any further security and server optimization settings yourself.
