Linux Security and Optimization

Add Date: 2018-11-21

Introduction:

One principle to keep in mind: the fewest services plus the smallest permissions equals the greatest security.

So whatever server we are configuring, we should shut down the services that are not needed and set system permissions to the minimum; only then can the server be made as safe as possible. Below are the CentOS server security settings, for your reference.

1. Comment out the users and groups the system does not need
Note: deleting them outright is not recommended; if you need one of these users later, re-adding it is a lot of trouble.
cp /etc/passwd /etc/passwdbak    # back up first
vi /etc/passwd    # edit the users: put a # in front of each of these lines to comment it out
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comment out the anonymous ftp account
cp /etc/group /etc/groupbak    # back up first
vi /etc/group    # edit the groups: put a # in front of each of these lines to comment it out
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
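As an added example (not part of the original article), the following POSIX shell script audits a copy of a passwd-format file: it reports which of the accounts listed above are still active, and, going one step further than the article, any account below the system-UID boundary that still has an interactive shell. The account list, the UID boundary of 500 and the sample file are constructed for the example; the script only reads, it never edits /etc/passwd.

```shell
# Added example, not from the original article. Read-only audit of a passwd-format
# file; the account list and the sample file below are constructed for the example.

# The service accounts the article comments out.
ARTICLE_ACCOUNTS="adm lp sync shutdown halt uucp operator games gopher ftp"

# Print, one per line, the names from ARTICLE_ACCOUNTS whose entry in FILE ($1)
# is still active (i.e. not commented out with a leading #).
active_article_accounts() {
    for name in $ARTICLE_ACCOUNTS; do
        if grep -q "^$name:" "$1"; then echo "$name"; fi
    done
}

# Print "name:uid:shell" for every non-root account in FILE ($1) whose uid is
# below MAXUID ($2, default 500, the system/user boundary on CentOS 5 and 6) and
# whose shell is neither /sbin/nologin nor /bin/false. Commented lines are skipped.
# These are the accounts that can still be logged into, whatever the article list says.
system_accounts_with_shell() {
    awk -F: -v max="${2:-500}" '
        /^#/ || NF < 7 { next }
        $1 != "root" && $3 + 0 < max && $7 != "/sbin/nologin" && $7 != "/bin/false" {
            print $1 ":" $3 ":" $7
        }' "$1"
}

# Constructed sample: adm already commented out, plus a stray low-uid account with bash.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
#adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
backup:x:120:120::/var/backups:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
EOF

echo "article accounts still active:"; active_article_accounts "$SAMPLE_PASSWD"
echo "low-uid accounts with a login shell:"; system_accounts_with_shell "$SAMPLE_PASSWD"
```

Run it against a copy of the real file (for example `cp /etc/passwd /tmp/passwd.copy`) by replacing `$SAMPLE_PASSWD` with that path.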
2. Shut down services the system does not need
service acpid stop; chkconfig acpid off    # stop the service and remove it from boot; advanced power management, mostly used on laptops
service autofs stop; chkconfig autofs off    # disable automatic mounting of file systems and peripheral devices
service bluetooth stop; chkconfig bluetooth off    # disable Bluetooth
service cpuspeed stop; chkconfig cpuspeed off    # disable CPU frequency control, mainly used for power saving
service cups stop; chkconfig cups off    # disable the Common UNIX Printing System, which lets the system drive printers
service ip6tables stop; chkconfig ip6tables off    # disable IPv6
####################################################################
If you want to restore a service later, run:
service acpid start; chkconfig acpid on
3. Prevent non-root users from running the scripts under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 777 /etc/rc.d/init.d/*    # restore the defaults

4. Make the following files immutable so that unauthorized users cannot gain privileges
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the list of system service ports to prevent unauthorized deletion or addition of services
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # display the attributes
Note: once these attributes are set, users can no longer be added or deleted.
If you later need to add or delete a user, remove the settings first, add or delete the users, and then apply the lock again:
chattr -i /etc/passwd    # remove the immutable lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services    # unlock the list of system service ports
You can now add and delete users; lock the files again when you are finished.
5. Restrict the permissions of various files
chattr +a .bash_history    # prevents .bash_history from being deleted or redirected to /dev/null
chattr +i .bash_history
chmod 700 /usr/bin          # restore: chmod 555 /usr/bin
chmod 700 /bin/ping         # restore: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim      # restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat      # restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail     # restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less     # restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head     # restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat          # restore: chmod 755 /bin/cat
chmod 700 /bin/uname        # restore: chmod 755 /bin/uname
chmod 500 /bin/ps           # restore: chmod 755 /bin/ps
6. Disable the Ctrl+Alt+Del shortcut for rebooting the server
cp /etc/inittab /etc/inittabbak
vi /etc/inittab    # comment out this line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
7. Do not use yum update to upgrade the system kernel; update packages only

Compatibility problems between the system and the hardware may leave the server unable to boot after a kernel upgrade, which is very unpleasant, so unless there is a specific need it is recommended not to upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
1) Edit the yum configuration file with vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section.
2) Or pass the parameter directly on the yum command line:
yum --exclude=kernel* update
Display the system version: cat /etc/issue
Display the kernel version: uname -a
8. Turn off CentOS automatic updates
chkconfig --list yum-updatesd    # show the current state
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
service yum-updatesd stop    # stop it (use start to turn it back on)
Stopping yum-updatesd:                                     [  OK  ]
service yum-updatesd status    # check that it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off    # do not start at boot in runlevels 3 and 5
chkconfig yum-updatesd off    # do not start at boot in any runlevel
chkconfig --list yum-updatesd    # show the current state
yum-updatesd    0:off   1:off   2:on    3:off   4:on    5:off   6:off
9. Close the extra virtual consoles
We know that switching from the console to the X window system is usually done with Alt-F7. Why? Because the system defines six virtual consoles by default,
so X becomes the seventh. In practice most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

10. Delete the MySQL login history
The MySQL client also records what the database user types in the .mysql_history file in the user's home directory.
If the database user changes a password with an SQL statement, that password leaks through .mysql_history as well.
So when logging in from the shell, and when making backups, do not put the password directly after -p; enter it at the prompt instead.
In addition, these two files should not record our operations at all, just in case.
cd
cp .bash_history .bash_historybak    # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

11. Change the number of commands kept in the history
cp /etc/profile /etc/profilebak
vi /etc/profile
Find HISTSIZE=1000 and change it to HISTSIZE=50

12. Hide the server's system information
By default, when you log in to a Linux system it tells you the distribution name, its version and the kernel version of the server.
To prevent this default information from leaking out, do the following so that only a "login:" prompt is shown.
Delete the two files /etc/issue and /etc/issue.net, or rename them; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak

13. Optimize the Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf    # add the following at the end of the file
# net.ipv4.ip_forward: change the existing value to 1
net.ipv4.ip_forward = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p    # make the configuration take effect immediately
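As an added example (not part of the original article), this POSIX shell script lints a sysctl.conf fragment such as the one above before it is applied with sysctl -p. The list was written for CentOS 5.5; several of its keys have since been renamed or removed (net.ipv4.tcp_tw_recycle was removed in Linux 4.12, the ip_conntrack keys became net.netfilter.nf_conntrack_*), tcp_tw_recycle does nothing while tcp_timestamps is 0, and ip_forward = 1 turns the host into a router. The obsolete-key list and the sample file are constructed for the example.

```shell
# Added example, not from the original article: lint a sysctl.conf fragment like
# the one above before "sysctl -p". The key list and sample file are constructed.

# One "key|reason" per line: keys that current kernels reject or have renamed.
SYSCTL_OBSOLETE='net.ipv4.tcp_tw_recycle|removed in Linux 4.12; before that it broke clients behind NAT
net.ipv4.tcp_tw_len|not a Linux sysctl, sysctl -p reports an unknown key
net.ipv4.ip_conntrack_max|renamed net.netfilter.nf_conntrack_max on kernels newer than 2.6.18
net.ipv4.netfilter.ip_conntrack_max|renamed net.netfilter.nf_conntrack_max
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established|renamed net.netfilter.nf_conntrack_tcp_timeout_established'

# Print the value assigned to KEY ($2) in FILE ($1): comments ignored, last assignment wins.
sysctl_conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ || !/=/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); sub(/#.*/, "", val)
          sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val) }
        key == k { v = val }
        END { if (v != "") print v }' "$1"
}

# Print one "WARN key: reason" line per finding in FILE ($1); prints nothing when clean.
lint_sysctl_conf() {
    printf '%s\n' "$SYSCTL_OBSOLETE" | while IFS='|' read -r key reason; do
        if [ -n "$(sysctl_conf_get "$1" "$key")" ]; then echo "WARN $key: $reason"; fi
    done
    # Forwarding makes a single-purpose server route packets between its interfaces.
    if [ "$(sysctl_conf_get "$1" net.ipv4.ip_forward)" = 1 ]; then
        echo "WARN net.ipv4.ip_forward: 1 turns the host into a router; keep 0 unless it forwards traffic"
    fi
    # tcp_tw_recycle relies on TCP timestamps, so turning timestamps off cancels it.
    if [ "$(sysctl_conf_get "$1" net.ipv4.tcp_tw_recycle)" = 1 ] &&
       [ "$(sysctl_conf_get "$1" net.ipv4.tcp_timestamps)" = 0 ]; then
        echo "WARN net.ipv4.tcp_tw_recycle: has no effect while tcp_timestamps = 0"
    fi
}

# Constructed sample holding a few lines from the article's list.
SAMPLE_SYSCTL=$(mktemp)
trap 'rm -f "$SAMPLE_SYSCTL"' EXIT
cat > "$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_rmem = 32768 131072 16777216
EOF
lint_sysctl_conf "$SAMPLE_SYSCTL"
```

To check the real file, call lint_sysctl_conf /etc/sysctl.conf; an empty result means none of the listed problems were found.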

14. CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile    # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile    # make the configuration take effect immediately
ulimit -a    # display the current user's process limits
15. Stop the server from answering ping
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local    # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The parameter 0 allows ping, 1 disables it.

This completes the basic CentOS Linux server security settings. I have tested all of the settings above in practice (CentOS-5.5-x86_64) and they are fully usable; please test further security and server optimization settings yourself.

     
         
         
         
     
           
     
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.