  Linux Security and Optimization
     
  Add Date : 2018-11-21      

Introduction:

We must understand: minimum services + minimum permissions = maximum security.

So whichever server you are configuring, the rule is the same: shut down every service you do not need and set system permissions to the minimum, and the server will be as secure as it can be. Below are the CentOS server security settings, for your reference.

First, comment out the system users and groups you do not need
Note: deleting them outright is not recommended; if you later need one of these users, re-adding it is a lot of trouble.
cp /etc/passwd /etc/passwdbak   # back up before changing
vi /etc/passwd   # edit the users: put a # in front of each line to comment it out
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   # comments out the anonymous ftp account
cp /etc/group /etc/groupbak   # back up before changing
vi /etc/group   # edit the groups: put a # in front of each line to comment it out
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
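The edit above is done by hand in vi. The script below is an added example, not part of the original post: it comments out a list of accounts in a passwd- or group-style file after taking a backup, and lists the entries that still have a real login shell, which is the list worth reviewing before and after the change. The file path is a parameter, so the procedure can be rehearsed on a copy (the embedded sample file is constructed for this example) before it is run against /etc/passwd or /etc/group.

```shell
#!/bin/sh
# Added example (not from the original post): comment out unneeded accounts
# in a passwd- or group-style file, keeping a backup copy first, and list the
# accounts that can still log in.
# Assumed: colon-separated passwd/group layout, POSIX sh, awk, mktemp.

# Write a small constructed passwd file into DIR and print its path
# (sample data for this example, not a real host's file).
make_sample_passwd() {
    f="$1/passwd"
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
webapp:x:500:500::/home/webapp:/bin/bash
EOF
    printf '%s\n' "$f"
}

# comment_out_accounts FILE NAME...  -- prefix the named entries with '#'.
# A backup FILE.bak.<timestamp> is written before any change; lines that are
# already commented are left alone, so the operation is idempotent.
comment_out_accounts() {
    file=$1; shift
    [ -f "$file" ] || { printf 'no such file: %s\n' "$file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$file.tmp.$$"
    awk -F: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        (substr($0, 1, 1) != "#") && ($1 in drop) { print "#" $0; next }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"   # overwrite in place, keeping the file's mode and owner
    rm -f "$tmp"
}

# login_capable_accounts FILE  -- print active entries whose shell is not a
# nologin shell; anything listed here deserves a second look.
login_capable_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# Rehearsal on the constructed file when run as: sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    f=$(make_sample_passwd "$d")
    echo "before:"; login_capable_accounts "$f"
    comment_out_accounts "$f" adm lp sync ftp
    echo "after:";  login_capable_accounts "$f"
    rm -rf "$d"
fi
```

On a real host, run login_capable_accounts /etc/passwd first; sync, shutdown and halt show up there because their "shell" is a system program, which is exactly why the page comments them out.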
Second, shut down unnecessary services
service acpid stop   chkconfig acpid off   # stop the service and remove it from boot; acpid is advanced power management, mainly used on laptops
service autofs stop   chkconfig autofs off   # disable automatic mounting of file systems and peripheral devices
service bluetooth stop   chkconfig bluetooth off   # disable Bluetooth
service cpuspeed stop   chkconfig cpuspeed off   # disable CPU frequency scaling, mainly used for power saving
service cups stop   chkconfig cups off   # disable the Common UNIX Printing System (printer support)
service ip6tables stop   chkconfig ip6tables off   # stop the ip6tables (IPv6 firewall) service
####################################################################################################
If you want to restore a service, run:
service acpid start   chkconfig acpid on
Third, prevent non-root users from running the commands under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 755 /etc/rc.d/init.d/*   # restore the defaults (init scripts are 755 by default; never make them 777, that would let any user edit scripts that run as root at boot)

Fourth, make the following files immutable so that unauthorized users cannot change them to gain privileges
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services   # lock the system service port list so that services cannot be deleted or added without authorization
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services   # display the attributes
Note: once these attributes are set, users can no longer be added or deleted. If you need to add or delete a user, remove the attributes first, make the change, and then lock the files again:
chattr -i /etc/passwd   # remove the lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services   # unlock the service port list
Now you can add and delete users; afterwards, lock the files again.
Fifth, restrict permissions on specific files
chattr +a .bash_history   # append-only: prevents .bash_history being deleted or redirected to /dev/null
chattr +i .bash_history   # note: +i also blocks appends, so with both attributes set the shell cannot write any new history
chmod 700 /usr/bin          restore:   chmod 555 /usr/bin
chmod 700 /bin/ping         restore:   chmod 4755 /bin/ping
chmod 700 /usr/bin/vim      restore:   chmod 755 /usr/bin/vim
chmod 700 /bin/netstat      restore:   chmod 755 /bin/netstat
chmod 700 /usr/bin/tail     restore:   chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less     restore:   chmod 755 /usr/bin/less
chmod 700 /usr/bin/head     restore:   chmod 755 /usr/bin/head
chmod 700 /bin/cat          restore:   chmod 755 /bin/cat
chmod 700 /bin/uname        restore:   chmod 755 /bin/uname
chmod 500 /bin/ps           restore:   chmod 755 /bin/ps
Sixth, disable the Ctrl+Alt+Del shortcut for rebooting the server
cp /etc/inittab /etc/inittabbak
vi /etc/inittab   # comment out this line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Seventh, do not use yum update to upgrade the system kernel; update packages only

Because of compatibility problems between the system and the hardware, the server may fail to start after a kernel upgrade, which is very frightening. Unless it is specifically required, it is recommended not to upgrade the kernel casually.
cp /etc/yum.conf /etc/yum.confbak
1. Modify the yum configuration file: vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section
2. Or pass the parameter directly on the yum command line:
yum --exclude=kernel* update
Display the system version:   cat /etc/issue
Display the kernel version:   uname -a
Eighth, turn off CentOS automatic updates
chkconfig --list yum-updatesd   # display the current status
yum-updatesd    0:off   1:off   2:on   3:on   4:on   5:on   6:off
service yum-updatesd stop   # turn it off (use start to turn it back on)
Stopping yum-updatesd:                                    [  OK  ]
service yum-updatesd status   # check that it is stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off   # do not start at boot in runlevels 3 and 5
chkconfig yum-updatesd off   # do not start at boot in any runlevel
chkconfig --list yum-updatesd   # display the current status
yum-updatesd    0:off   1:off   2:on   3:off   4:on   5:off   6:off
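Sections two and eight both end with a `chkconfig --list` check that is read by eye. The script below is an added example, not part of the original post: it parses `chkconfig --list` output (SysV format, "name 0:off 1:off 2:on ...") and reports which of the services you meant to disable would still start in runlevels 3 or 5, the multi-user levels a server boots into. A constructed sample of the command output is embedded so the check can be tried offline; on a real host the same function is fed the live output.

```shell
#!/bin/sh
# Added example (not from the original post): check which services from a
# "should be disabled" list are still enabled at boot, by parsing the output
# of `chkconfig --list`. Assumed: SysV chkconfig/service, POSIX sh, awk.

# Constructed sample of `chkconfig --list`; not output from a real host.
sample_chkconfig_list() {
    cat <<'EOF'
acpid          0:off  1:off  2:on   3:on   4:on   5:on   6:off
bluetooth      0:off  1:off  2:off  3:off  4:off  5:off  6:off
cups           0:off  1:off  2:on   3:on   4:on   5:on   6:off
sshd           0:off  1:off  2:on   3:on   4:on   5:on   6:off
yum-updatesd   0:off  1:off  2:on   3:off  4:on   5:off  6:off
EOF
}

# still_enabled NAME...  -- read chkconfig output on stdin and print the
# named services that are still "on" in runlevel 3 or 5.
still_enabled() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) target[w[i]] = 1 }
        ($1 in target) {
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") { print $1; break }
        }'
}

# disable_services NAME...  -- the page's "service X stop; chkconfig X off"
# for each name, followed by a report of anything still enabled at boot.
disable_services() {
    for s in "$@"; do
        service "$s" stop >/dev/null 2>&1 || true   # may already be stopped
        chkconfig "$s" off
    done
    chkconfig --list | still_enabled "$@"
}

# Offline rehearsal when run as: sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "still enabled at boot (sample data):"
    sample_chkconfig_list | still_enabled acpid autofs bluetooth cpuspeed cups ip6tables yum-updatesd
fi
```

An empty report from still_enabled is the desired end state; anything it prints is a service that chkconfig still starts at boot even if `service X stop` succeeded.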
Ninth, close the extra virtual consoles
We know that switching from the console to the X window is usually done with Alt-F7. Why? Because the system defines six virtual consoles by default, so X becomes the seventh. In practice most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

Tenth, delete the MySQL user login history
The MySQL client also records what was typed in the .mysql_history file in the user's home directory. If a database user's password is changed with an SQL statement, it leaks through .mysql_history as well. So when logging in from the shell, or when backing up, do not put the password directly after -p; enter it at the prompt instead. Beyond that, we should stop both files from recording our operations at all, just in case.
cd
cp .bash_history .bash_historybak   # backup
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

Eleventh, change the number of command history records
cp /etc/profile /etc/profilebak
vi /etc/profile
find HISTSIZE=1000 and change it to HISTSIZE=50

Twelfth, hide the server system information
By default, when you log in to a Linux system it shows the distribution name, version and kernel version of the server. To keep this default information from leaking, do the following so that only a "login:" prompt is shown: delete /etc/issue and /etc/issue.net, or rename them; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak

Thirteenth, optimize the Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf   # add the following at the end of the file (ip_forward is changed to 1)
net.ipv4.ip_forward = 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p   # make the configuration take effect immediately
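Two practical points about the list above: net.ipv4.ip_forward = 1 turns the host into a router, which a server only needs if it actually forwards packets, and net.ipv4.tcp_tw_recycle = 1 breaks connections from clients behind NAT (the setting was removed from Linux in 4.12). The script below is an added example, not part of the original post: it parses a sysctl.conf-style file so its effective values can be checked before `sysctl -p`, and afterwards reports any key whose running value differs from the file. The embedded sample file is constructed for this example (it deliberately keeps ip_forward at 0 and repeats somaxconn to show that the last occurrence wins, as it does for sysctl); the drift check needs a Linux host with sysctl(8).

```shell
#!/bin/sh
# Added example (not from the original post): validate a sysctl.conf-style
# file before `sysctl -p`, and afterwards report keys whose running value
# differs from the file. Assumed: POSIX sh, sed, awk, mktemp, and (for the
# drift check only) sysctl(8).

# Constructed sample using a few of the keys from the page; not a real host's file.
make_sample_sysctl_conf() {
    f="$1/sysctl.conf"
    cat > "$f" <<'EOF'
# constructed sample
net.ipv4.ip_forward = 0
net.core.somaxconn = 262144
net.ipv4.tcp_wmem = 8192   131072 16777216   # three values
net.ipv4.tcp_fin_timeout = 30
net.core.somaxconn=65535
EOF
    printf '%s\n' "$f"
}

# parse_sysctl_conf FILE  -- emit "key=value" lines with comments and blank
# lines removed and whitespace inside multi-value settings squeezed to one space.
parse_sysctl_conf() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -v '^$' \
    | sed -e 's/[[:space:]]*=[[:space:]]*/=/' \
    | tr -s ' \t' ' '
}

# conf_value FILE KEY  -- the effective value of KEY in FILE (last one wins).
conf_value() {
    parse_sysctl_conf "$1" | awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# sysctl_drift FILE  -- for each key in FILE, compare with the live kernel
# value; prints "key file=... live=..." for mismatches, skips unknown keys.
sysctl_drift() {
    parse_sysctl_conf "$1" | while IFS='=' read -r key val; do
        live=$(sysctl -n "$key" 2>/dev/null) || continue
        live=$(printf '%s' "$live" | tr -s ' \t' ' ')
        [ "$live" = "$val" ] || printf '%s file=%s live=%s\n' "$key" "$val" "$live"
    done
}

# Offline rehearsal when run as: sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); f=$(make_sample_sysctl_conf "$d")
    echo "effective somaxconn: $(conf_value "$f" net.core.somaxconn)"
    echo "drift against the running kernel (empty if none):"; sysctl_drift "$f"
    rm -rf "$d"
fi
```

After `sysctl -p`, sysctl_drift /etc/sysctl.conf should print nothing; a line for a key the kernel does not know (net.ipv4.tcp_tw_len on most kernels, for instance) is skipped rather than reported, so also watch the errors `sysctl -p` itself prints.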

Fourteenth, CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile   # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile   # make the configuration take effect immediately
ulimit -a   # display the various limits on the current user's processes
Fifteenth, stop the server responding to ping
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local   # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The parameter 0 permits ping; 1 disables it.

With this, the CentOS Linux server security settings are basically complete. I have tested all of the above in practice (CentOS-5.5-x86_64) and it is fully usable; for further security and server optimization settings, please test them yourself.
