  Linux Security and Optimization
     
  Add Date : 2018-11-21      
         
         
         
 

Introduction:

The principle to keep in mind: minimum services + minimum permissions = maximum security.

Whatever kind of server you are configuring, shut down every service that is not needed and set system permissions to the minimum; only then is the server as secure as it can be. Below are CentOS server security settings for your reference.

First, comment out the users and user groups the system does not need
Note: deleting them outright is not recommended; if you later need one of these users, re-adding it is a lot of trouble.
cp /etc/passwd /etc/passwdbak    # back up before changing
vi /etc/passwd    # edit the users: comment out each of the following lines by putting # in front of it
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    # comments out the anonymous ftp account
cp /etc/group /etc/groupbak    # back up before changing
vi /etc/group    # edit the groups: comment out each of the following lines by putting # in front of it
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
Second, shut down unnecessary system services
service acpid stop; chkconfig acpid off    # stop the service and cancel its start at boot; advanced power settings, mostly used on laptops
service autofs stop; chkconfig autofs off    # disable automatic mounting of filesystems and peripheral devices
service bluetooth stop; chkconfig bluetooth off    # disable Bluetooth
service cpuspeed stop; chkconfig cpuspeed off    # disable CPU speed control, mainly used for power saving
service cups stop; chkconfig cups off    # disable the Common UNIX Printing System, which lets the system support printers
service ip6tables stop; chkconfig ip6tables off    # disable IPv6
If you want to restore a service, run the reverse, for example:
service acpid start; chkconfig acpid on
Third, prevent non-root users from running the commands under /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 777 /etc/rc.d/init.d/*    # restore defaults

Fourth, give the following files the immutable attribute so they cannot be changed, preventing unauthorized users from gaining privileges
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services    # lock the list of system service ports so that services cannot be deleted or added without authorization
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services    # show the attributes
Note: once these attributes are set, users can no longer be added or deleted. To add or delete a user you must first remove the settings above, add or delete the user, and then apply them again:
chattr -i /etc/passwd    # remove the lock
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services    # unlock the list of system service ports
Now users can be added and deleted; lock the files again afterwards with the commands above.
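The unlock, change, re-lock sequence above is easy to get wrong by hand: useradd, usermod and passwd write to all four account files, so forgetting one makes the change fail, and forgetting to re-lock leaves the files exposed. The following shell functions are an added example (not code from the original article) that wrap that sequence, re-locking even when the command fails, and that parse lsattr output to audit which of the listed files actually carry the immutable bit. They assume chattr and lsattr from e2fsprogs and root privileges for real use; the lsattr output in demo() is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes chattr/lsattr (e2fsprogs)
# and root when used on the real files; demo() uses constructed lsattr output only.

# The four files the article locks for account data, plus /etc/services.
ACCOUNT_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow"
LOCKED_FILES="$ACCOUNT_FILES /etc/services"

# with_unlocked "FILE..." CMD [ARG...]
# Remove the immutable bit from every FILE (space-separated list), run CMD, then
# put the bit back on all of them even if CMD fails. CMD's exit status is returned.
with_unlocked() {
    files=$1; shift
    for f in $files; do
        chattr -i "$f" || return 1        # cannot unlock: do not attempt the change
    done
    "$@"; rc=$?
    for f in $files; do
        chattr +i "$f"                    # always re-lock
    done
    return $rc
}

# audit_immutable LSATTR_OUTPUT_FILE
# lsattr prints an attribute string then the path, e.g. "----i--------e-- /etc/passwd".
# Print every path whose attribute string lacks the 'i' (immutable) flag.
audit_immutable() {
    awk '$1 !~ /i/ { print "not locked: " $2 }' "$1"
}

# lock_audit: run lsattr on the real files and report any that are not locked
lock_audit() {
    out=$(mktemp)
    lsattr $LOCKED_FILES > "$out"
    audit_immutable "$out"
    rm -f "$out"
}

# Typical use, as root:
#   with_unlocked "$ACCOUNT_FILES" useradd -m newuser
#   with_unlocked "$ACCOUNT_FILES" passwd newuser
#   lock_audit

# Demo on constructed lsattr output (no root and no chattr needed)
demo() {
    sample=$(mktemp)
    printf '%s\n' '----i--------e-- /etc/passwd' \
                  '----i--------e-- /etc/shadow' \
                  '-------------e-- /etc/group' \
                  '----i--------e-- /etc/gshadow' \
                  '-------------e-- /etc/services' > "$sample"
    audit_immutable "$sample"        # reports /etc/group and /etc/services
    rm -f "$sample"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see the audit on the constructed sample; with_unlocked is only meaningful as root on a filesystem that supports the immutable attribute (ext2/3/4, xfs).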
Fifth, restrict the permissions of various files
chattr +a .bash_history    # prevents .bash_history from being deleted or redirected to /dev/null
chattr +i .bash_history
chmod 700 /usr/bin          restore: chmod 555 /usr/bin
chmod 700 /bin/ping         restore: chmod 4755 /bin/ping
chmod 700 /usr/bin/vim      restore: chmod 755 /usr/bin/vim
chmod 700 /bin/netstat      restore: chmod 755 /bin/netstat
chmod 700 /usr/bin/tail     restore: chmod 755 /usr/bin/tail
chmod 700 /usr/bin/less     restore: chmod 755 /usr/bin/less
chmod 700 /usr/bin/head     restore: chmod 755 /usr/bin/head
chmod 700 /bin/cat          restore: chmod 755 /bin/cat
chmod 700 /bin/uname        restore: chmod 755 /bin/uname
chmod 500 /bin/ps           restore: chmod 755 /bin/ps
Sixth, disable the Ctrl+Alt+Del shortcut for rebooting the server
cp /etc/inittab /etc/inittabbak
vi /etc/inittab    # comment out this line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Seventh, do not upgrade the kernel with yum update; update packages only

Because of compatibility problems between the system and the hardware, the server may fail to start after the kernel is upgraded, which is very frightening; unless it is specifically required, upgrading the kernel casually is not recommended.
cp /etc/yum.conf /etc/yum.confbak
1. Edit the yum configuration file with vi /etc/yum.conf and add exclude=kernel* at the end of the [main] section, or
2. Add the parameter directly to the yum command line:
yum --exclude=kernel* update
Display the system version: cat /etc/issue
Display the kernel version: uname -a
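Putting exclude=kernel* into the [main] section by hand is easy to get wrong: adding a second exclude= key can override an existing one, and the line is silently ignored if it lands in another section. The following shell functions are an added example (not code from the original article) that insert the pattern into [main] idempotently, appending to an existing exclude= line rather than duplicating the key, and that check whether a pattern is already excluded. They assume yum's INI layout (patterns on an exclude= line separated by spaces or commas) and run on a constructed yum.conf in a temp directory, not on /etc/yum.conf.

```shell
#!/bin/sh
# Added example, not from the original article. Edits a yum.conf-style INI file so
# that "exclude=PATTERN" is present in its [main] section, keeping any exclude line
# already there, and takes a "<file>bak" backup in the article's style.

# yum_excludes CONF PATTERN -> exit 0 if PATTERN is already listed on an exclude=
# line inside [main] (yum separates patterns with spaces or commas)
yum_excludes() {
    awk -v pat="$2" '
        /^\[/ { in_main = ($0 ~ /^\[main\][[:space:]]*$/) }
        in_main && /^exclude[[:space:]]*=/ {
            line = $0; sub(/^exclude[[:space:]]*=/, "", line)
            n = split(line, list, /[ ,]+/)
            for (i = 1; i <= n; i++) if (list[i] == pat) found = 1
        }
        END { exit !found }
    ' "$1"
}

# add_yum_exclude CONF PATTERN -> idempotently add PATTERN to the exclude list of [main]
add_yum_exclude() {
    conf=$1; pat=$2
    yum_excludes "$conf" "$pat" && return 0          # already there: nothing to do
    cp -p "$conf" "${conf}bak"                        # backup first, as the article does
    awk -v pat="$pat" '
        # leaving [main] without having placed the pattern: insert it before the next section
        /^\[/ { if (in_main && !done) { print "exclude=" pat; done = 1 }
                in_main = ($0 ~ /^\[main\][[:space:]]*$/) }
        # an exclude= line already in [main]: append instead of adding a duplicate key
        in_main && /^exclude[[:space:]]*=/ && !done { print $0 " " pat; done = 1; next }
        { print }
        END { if (in_main && !done) print "exclude=" pat }   # [main] was the last section
    ' "${conf}bak" > "$conf"
    yum_excludes "$conf" "$pat"     # fails only if CONF has no [main] section
}

demo() {
    tmp=$(mktemp -d)
    # constructed sample in the layout of /etc/yum.conf
    printf '%s\n' '[main]' 'cachedir=/var/cache/yum' 'keepcache=0' 'exclude=foo*' '' \
                  '[updates]' 'enabled=1' > "$tmp/yum.conf"
    add_yum_exclude "$tmp/yum.conf" 'kernel*'
    cat "$tmp/yum.conf"            # [main] now carries: exclude=foo* kernel*
}
case "${1:-}" in demo) demo ;; esac
```

On the real system this would be `add_yum_exclude /etc/yum.conf 'kernel*'` as root; the one-off form `yum --exclude=kernel* update` from the text needs no file edit at all.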
Eighth, turn off CentOS automatic updates
chkconfig --list yum-updatesd    # show the current status
yum-updatesd    0:off   1:off   2:on   3:on   4:on   5:on   6:off
service yum-updatesd stop    # stop it (use the start parameter to turn it back on)
Stopping yum-updatesd:                                     [  OK  ]
service yum-updatesd status    # check that it has stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off    # do not start at boot in runlevels 3 and 5
chkconfig yum-updatesd off    # do not start at boot in any runlevel
chkconfig --list yum-updatesd    # show the current status
yum-updatesd    0:off   1:off   2:on   3:off   4:on   5:off   6:off
Ninth, turn off the extra virtual consoles
We know that switching from the console to the X window system normally uses Alt-F7. Why? Because the system defines six virtual consoles by default, so X becomes the seventh. In practice most people do not need that many virtual consoles; edit /etc/inittab and comment out the ones you do not need.
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
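Sections one, six and nine all perform the same edit on a colon-delimited file: comment out the lines whose first field (user name, group name or inittab id) is on a list, after taking a backup. The following shell function is an added example (not code from the original article) that does this for all three cases in one place, matching the whole first field so that, for example, lp does not also hit lpd, and leaving already-commented lines alone so that it can be run twice. It relies on the glibc files NSS backend ignoring lines that begin with #, which is why commenting out works in /etc/passwd and /etc/group. The demo runs on constructed samples in a temp directory, never on /etc.

```shell
#!/bin/sh
# Added example, not from the original article. Comments out entries in a
# colon-delimited system file by exact match on the first field, after taking a
# "<file>bak" backup in the article's style. Serves /etc/passwd and /etc/group
# (section one), the ca::ctrlaltdel line (section six) and the mingetty tty
# lines (section nine), whose first field is the inittab id.

# disable_entries FILE ID... -> prefix '#' to every line whose first field is one of the IDs
disable_entries() {
    file=$1; shift
    cp -p "$file" "${file}bak"                  # backup first, as the article does
    awk -v ids="$(printf '%s:' "$@")" '
        BEGIN { FS = ":"; n = split(ids, a, ":"); for (i = 1; i <= n; i++) if (a[i] != "") want[a[i]] = 1 }
        /^#/ || !($1 in want) { print; next }   # already commented, or not selected: unchanged
        { print "#" $0 }
    ' "${file}bak" > "$file"
}

# entry_enabled FILE ID -> print 1 if an uncommented line with first field ID exists, else 0
entry_enabled() {
    awk -F: -v id="$2" '$1 == id && $0 !~ /^#/ { c++ } END { print c + 0 }' "$1"
}

demo() {
    tmp=$(mktemp -d)
    # constructed sample in the layout of /etc/passwd
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'adm:x:3:4:adm:/var/adm:/sbin/nologin' \
                  'lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin' \
                  'ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin' > "$tmp/passwd"
    # constructed sample in the layout of /etc/inittab
    printf '%s\n' 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' \
                  '1:2345:respawn:/sbin/mingetty tty1' \
                  '2:2345:respawn:/sbin/mingetty tty2' \
                  '3:2345:respawn:/sbin/mingetty tty3' > "$tmp/inittab"
    disable_entries "$tmp/passwd" adm lp ftp      # section one: unneeded service accounts
    disable_entries "$tmp/inittab" ca 2 3         # sections six and nine
    cat "$tmp/passwd" "$tmp/inittab"
    echo "root still enabled: $(entry_enabled "$tmp/passwd" root)"
}
case "${1:-}" in demo) demo ;; esac
```

On a real system the section-one edit becomes, as root, `disable_entries /etc/passwd adm lp sync shutdown halt uucp operator games gopher ftp` followed by the same call on /etc/group with its own list; if the files have been made immutable (section four), remove that attribute first.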

Tenth, delete the MySQL user login history
Database operations are also recorded in the .mysql_history file in the user's home directory. If a database user's password is changed with an SQL statement, it leaks through .mysql_history as well. So when logging in from the shell, and when taking backups, do not put the password directly after -p; enter it at the prompt instead. Beyond that, these two files should not record our operations at all, just in case.
cd
cp .bash_history .bash_historybak    # backup
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history

Eleventh, change the number of commands kept in the history
cp /etc/profile /etc/profilebak
vi /etc/profile
find HISTSIZE=1000 and change it to HISTSIZE=50
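Sections ten and eleven together amount to: back up the shell and MySQL history files, replace them with symlinks to /dev/null, and lower HISTSIZE in the profile. The following shell functions are an added example (not code from the original article) that apply those steps to a given home directory and profile file and verify the result. They assume the file names from the text; the demo works on a constructed home directory and profile under a temp directory, not on the real $HOME or /etc/profile.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the article's history
# handling (sections ten and eleven) to a chosen home directory and profile file.

# neutralize_history HOME_DIR NAME... -> back up each history file that exists
# and replace it with a symlink to /dev/null so future sessions record nothing
neutralize_history() {
    home=$1; shift
    for name in "$@"; do
        f="$home/$name"
        if [ -e "$f" ] && [ ! -L "$f" ]; then
            cp -p "$f" "${f}bak"            # keep a copy, as the article does
        fi
        rm -f "$f"
        ln -s /dev/null "$f"
    done
}

# history_is_sink FILE -> exit 0 if FILE is a symlink pointing at /dev/null
history_is_sink() {
    [ -L "$1" ] && [ "$(readlink "$1")" = /dev/null ]
}

# set_histsize PROFILE N -> rewrite the HISTSIZE=... line in PROFILE (backup first)
set_histsize() {
    cp -p "$1" "${1}bak"
    sed "s/^HISTSIZE=.*/HISTSIZE=$2/" "${1}bak" > "$1"
}

# get_histsize PROFILE -> print the value assigned on the HISTSIZE= line
get_histsize() {
    sed -n 's/^HISTSIZE=//p' "$1"
}

demo() {
    tmp=$(mktemp -d)
    # constructed history and profile contents
    printf 'ls /root\nmysql -uroot -pexample\n' > "$tmp/.bash_history"
    printf 'SET PASSWORD FOR app@localhost = PASSWORD("example");\n' > "$tmp/.mysql_history"
    printf 'HISTSIZE=1000\nexport PATH\n' > "$tmp/profile"
    neutralize_history "$tmp" .bash_history .mysql_history
    set_histsize "$tmp/profile" 50
    ls -l "$tmp"                     # both history files now point at /dev/null
    echo "HISTSIZE now $(get_histsize "$tmp/profile")"
}
case "${1:-}" in demo) demo ;; esac
```

For a real account this is `neutralize_history "$HOME" .bash_history .mysql_history` and, as root, `set_histsize /etc/profile 50`. If .bash_history was given the +a or +i attribute in section five, rm will fail until that attribute is removed with chattr; the mysql client alternatively honours MYSQL_HISTFILE=/dev/null in the environment, which achieves the same for .mysql_history without touching the file.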

Twelfth, hide the server's system information
By default, when you log in to a Linux system, it shows you the distribution name, version and kernel version of the server. To keep this default information from leaking out, carry out the following so that only a "login:" prompt is displayed.
Delete the two files /etc/issue and /etc/issue.net, or rename them; the effect is the same.
mv /etc/issue /etc/issuebak
mv /etc/issue.net /etc/issue.netbak

Thirteenth, optimize the Linux kernel parameters
cp /etc/sysctl.conf /etc/sysctl.confbak
vi /etc/sysctl.conf    # add the following at the end of the file
net.ipv4.ip_forward = 1    # change to 1
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_conntrack_max = 819200
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
/sbin/sysctl -p    # make the configuration take effect immediately

Fourteenth, CentOS system optimization
cp /etc/profile /etc/profilebak2
vi /etc/profile    # add the following at the end of the file
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
ulimit -S -c 0
export LC_ALL=C
source /etc/profile    # make the configuration take effect immediately
ulimit -a    # display the current user's process limits
Fifteenth, stop the server from answering ping
cp /etc/rc.d/rc.local /etc/rc.d/rc.localbak
vi /etc/rc.d/rc.local    # add the following line at the end of the file
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The parameter 0 permits ping; 1 disables it.
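Every key in a sysctl.conf fragment like the one in section thirteen corresponds to a file under /proc/sys, and sysctl -p prints an error for each key the running kernel does not expose; the kernel version matters here, since for example net.ipv4.tcp_tw_recycle was removed in Linux 4.12. The echo in section fifteen is the same mechanism written by hand (net.ipv4.icmp_echo_ignore_all). The following shell functions are an added example (not code from the original article) that parse such a fragment, tolerating the stray spaces and comments seen in the text, map each key to its /proc/sys path, and report which keys exist on the running kernel together with their current values. The fragment in demo() is constructed from the article's settings and is not a recommendation of those values.

```shell
#!/bin/sh
# Added example, not from the original article. Audits a sysctl.conf fragment
# against the running kernel before it is applied with sysctl -p.

# sysctl_path KEY -> the /proc/sys file that backs KEY (dots become slashes)
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# parse_sysctl FILE -> one "key value" line per setting; comments and blank lines
# dropped, whitespace inside keys removed, whitespace inside values squeezed
parse_sysctl() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -F= '{
        key = $1; gsub(/[[:space:]]/, "", key)
        val = $2; gsub(/[[:space:]]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
        print key, val
    }'
}

# audit_sysctl FILE -> for each setting print "ok" with the running value, or
# "MISSING" when the kernel has no such key (sysctl -p would fail on it)
audit_sysctl() {
    parse_sysctl "$1" | while read -r key val; do
        p=$(sysctl_path "$key")
        if [ -r "$p" ]; then
            printf 'ok       %-50s = %s (running: %s)\n' "$key" "$val" "$(tr -s '\t' ' ' < "$p")"
        else
            printf 'MISSING  %-50s (no %s on this kernel)\n' "$key" "$p"
        fi
    done
}

demo() {
    frag=$(mktemp)
    cat > "$frag" <<'EOF'
# constructed fragment in the layout of the article's sysctl additions
net.ipv4.ip_forward = 1
net.core.somaxconn = 262144
net.ipv4 .netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.ip_local_port_range = 10024   65535
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.icmp_echo_ignore_all = 1
EOF
    audit_sysctl "$frag"
    rm -f "$frag"
}
case "${1:-}" in demo) demo ;; esac
```

Run `sh script.sh demo` on the target host; any line marked MISSING should be dropped from the fragment or replaced by the key the current kernel uses before running sysctl -p. Keys whose own name contains a dot (per-interface settings such as net.ipv4.conf.<iface>.x for an interface name with dots) are not handled by the simple dot-to-slash mapping.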

With that, the CentOS Linux server security settings are basically complete; I have tested the settings above on a real system (CentOS-5.5-x86_64) and they are fully usable. For further security and server optimization settings, please test them yourself.

     
         
         
         
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.