Linux Security and Optimization

Add Date : 2018-11-21

Introduction:

We must understand: minimum services + minimum permissions = maximum security.

So whichever server you configure, shut down the services that are not needed and set system permissions to the minimum; only then can the server be made as secure as possible. Below are CentOS server security settings for your reference.

First, comment out system users and groups that are not needed
Note: deleting them outright is not recommended; if such a user is needed again later, re-adding it is a lot of trouble.
cp /etc/passwd /etc/passwdbak   # back up before changing
vi /etc/passwd   # edit users: comment out the following lines by putting # in front of them
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   # comments out the anonymous ftp account
cp /etc/group /etc/groupbak   # back up before changing
vi /etc/group   # edit groups: comment out the following lines by putting # in front of them
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:

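A small audit helper for this step, added here and not part of the original post: given a passwd file, it reports which of the accounts listed above are still active (not commented out), and which active accounts of any name still have a real login shell, since those are the ones that can actually log in. The sample passwd content is constructed for demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original post).
# Account names are the ones the post says to comment out.
UNNEEDED_ACCOUNTS="adm lp sync shutdown halt uucp operator games gopher ftp"

# Print the names from UNNEEDED_ACCOUNTS whose passwd line is present
# and not commented out (a commented line starts with '#', so it never
# matches "^name:").
active_unneeded_accounts() {
    passwd_file="$1"
    for name in $UNNEEDED_ACCOUNTS; do
        if grep -q "^${name}:" "$passwd_file"; then
            echo "$name"
        fi
    done
}

# Print every active account whose shell is not nologin/false: these are
# the accounts that can really log in, regardless of their name.
login_capable_accounts() {
    awk -F: '/^[^#]/ && $7 !~ /(nologin|false)$/ {print $1}' "$1"
}

# Constructed sample passwd content: adm is already commented out,
# lp/sync/ftp are still active, webapp is an ordinary login user.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
#adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
webapp:x:500:500::/home/webapp:/bin/bash
EOF

active_unneeded_accounts "$SAMPLE_PASSWD"   # prints: lp sync ftp
login_capable_accounts "$SAMPLE_PASSWD"     # prints: root sync webapp
```

Replace "$SAMPLE_PASSWD" with /etc/passwd to run the same checks on a real system.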
Second, shut down unnecessary system services
service acpid stop; chkconfig acpid off   # stop the service and cancel it at boot; advanced power settings, mainly used on laptops
service autofs stop; chkconfig autofs off   # automatic mounting of file systems and peripheral devices
service bluetooth stop; chkconfig bluetooth off   # Bluetooth
service cpuspeed stop; chkconfig cpuspeed off   # CPU frequency control, mainly used for power saving
service cups stop; chkconfig cups off   # Common UNIX Printing System, lets the system support printers
service ip6tables stop; chkconfig ip6tables off   # IPv6 packet filter, disabled here because IPv6 is not used
###################################################################################################
If you want to restore a service, run the reverse operations, for example:
service acpid start; chkconfig acpid on

Third, prevent non-root users from running the commands under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 755 /etc/rc.d/init.d/*   # restore defaults (init scripts are 755 by default; 777 would make them world-writable)

Fourth, make the following files immutable so that unauthorized users cannot change privileges
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services   # lock the system service port list to prevent unauthorized deletion or addition of services
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services   # show the attributes
Note: once these attributes are set, users can no longer be added or deleted.
To add or delete a user, first remove the settings above, make the user changes, then apply the settings again:
chattr -i /etc/passwd   # remove the immutable lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services   # unlock the service port list
Users can now be added and deleted; afterwards lock the files again.

Fifth, restrict permissions on various files
chattr +a .bash_history   # append-only: prevents .bash_history from being deleted or redirected to /dev/null
chattr +i .bash_history   # immutable: note that this also stops new history lines from being appended
chmod 700 /usr/bin        # restore: chmod 555 /usr/bin
chmod 700 /bin/ping       # restore: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim    # restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat    # restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail   # restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less   # restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head   # restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat        # restore: chmod 755 /bin/cat
chmod 700 /bin/uname      # restore: chmod 755 /bin/uname
chmod 500 /bin/ps         # restore: chmod 755 /bin/ps

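A check for the locks applied in the fourth and fifth steps, added here and not part of the original post: it parses lsattr output and prints the files that lack a given attribute flag, so it can confirm that +i is still on the account files and +a is still on .bash_history. The lsattr sample below is constructed; the check_locked_files function assumes lsattr from e2fsprogs is available and that the files exist.

```shell
#!/bin/sh
# Added check helper (not from the original post).

# Read lsattr output on stdin and print the files whose attribute field
# lacks the given flag letter ("i" = immutable, "a" = append-only).
# lsattr prints one "<flags> <path>" pair per line.
files_missing_attr() {
    awk -v flag="$1" '$1 !~ flag {print $2}'
}

# On a real system: report any of the post's locked files that lost +i,
# and whether the current user's .bash_history lost +a.
check_locked_files() {
    lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services \
        | files_missing_attr i
    lsattr "$HOME/.bash_history" | files_missing_attr a
}

# Constructed lsattr-style sample: /etc/group has lost +i, and
# .bash_history has +a but not +i.
SAMPLE_LSATTR='----i--------e- /etc/passwd
----i--------e- /etc/shadow
-------------e- /etc/group
----i--------e- /etc/gshadow
-----a-------e- /root/.bash_history'

# Wrappers over the sample so the result can be checked directly.
sample_missing_i() { printf '%s\n' "$SAMPLE_LSATTR" | files_missing_attr i; }
sample_missing_a() { printf '%s\n' "$SAMPLE_LSATTR" | files_missing_attr a; }

sample_missing_i   # prints: /etc/group /root/.bash_history
sample_missing_a   # prints the four files other than /root/.bash_history
```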
Sixth, disable the Ctrl+Alt+Del shortcut for rebooting the server
cp /etc/inittab /etc/inittabbak
vi /etc/inittab   # comment out this line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Seventh, do not upgrade the kernel with yum update; only update packages

Compatibility problems between the system and the hardware may leave the server unable to boot after a kernel upgrade, which is very unpleasant; unless it is specifically required, do not upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
1. Modify the yum configuration file: vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section, or
2. Add the parameter directly to the yum command:
yum --exclude=kernel* update
Show the system version:   cat /etc/issue
Show the kernel version:   uname -a

Eighth, turn off CentOS automatic updates
chkconfig --list yum-updatesd   # show the current status
yum-updatesd    0:off   1:off   2:on   3:on   4:on   5:on   6:off
service yum-updatesd stop   # stop it (use start to turn it back on)
Stopping yum-updatesd:                                     [  OK  ]
service yum-updatesd status   # check that it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off   # disable at boot in runlevels 3 and 5
chkconfig yum-updatesd off   # disable at boot in all runlevels
chkconfig --list yum-updatesd   # show the current status
yum-updatesd    0:off   1:off   2:on   3:off   4:on   5:off   6:off

Ninth, close the extra virtual consoles
We know that switching from the console to the X window system generally uses Alt-F7. Why? Because the system defines six virtual consoles by default, so X becomes the seventh. In practice most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

Tenth, delete the MySQL user login history
Database operations are also recorded in the .mysql_history file in the user's home directory.
If a database user's password is changed with an SQL statement, it leaks through .mysql_history as well.
So when logging in from the shell or taking backups, do not put the password directly after -p; enter it at the prompt instead.
Also, to be on the safe side, stop these two files from recording our operations at all.
cd
cp .bash_history .bash_historybak   # backup
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

Eleventh, reduce the size of the command history
cp /etc/profile /etc/profilebak
vi /etc/profile
Find HISTSIZE=1000 and change it to HISTSIZE=50

Twelfth, hide server system information
By default, when you log in to a Linux system it tells you the distribution name, the version and the kernel version of the server.
To prevent this default information from leaking, do the following so that only the "login:" prompt is shown.
Delete /etc/issue and /etc/issue.net, or rename the two files; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak

Thirteenth, optimize Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf   # at the end of the file, add the following
net.ipv4.ip_forward = 1   # change to 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1   # note: tcp_tw_recycle is known to break connections from clients behind NAT
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p   # apply the configuration immediately

Fourteenth, CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile   # at the end of the file, add the following
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile   # make the configuration take effect immediately
ulimit -a   # display the current user's process limits

Fifteenth, stop the server from responding to ping
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local   # at the end of the file add the following line
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The parameter 0 permits ping; 1 disables it.

With this, the CentOS Linux server security settings are basically complete. The settings above were fully usable in my actual testing (CentOS-5.5-x86_64); for further security and server optimization settings, please test them yourself.
