1, CentOS or Red Hat Enterprise Linux 4 users should first enable SELinux by editing /etc/selinux/config and setting SELINUX=enforcing. SELinux confines each service to what its policy allows, so a compromised service cannot reach the rest of the system. Some people think it should be turned off; I strongly recommend keeping it on. Of course, if you are only playing with CentOS and not running a real server, it does not matter. Check the current mode with getenforce; if you switch from disabled to enforcing, create /.autorelabel and reboot so that the filesystem is labelled before enforcement starts.
2, Enable the iptables firewall; it adds a great deal to system security. Write a good rule set: drop inbound traffic by default, accept only the ports this host really serves, and keep connection state so that replies to outgoing connections are allowed back in.
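What such a rule set looks like, as an added example that is not the article's own code: a default-deny INPUT chain for a host that exposes nothing but SSH. The SSH port 60022 (the value the article chooses in step 12) and the assumption that the host does not route traffic are mine; everything else is standard iptables syntax for the CentOS 4/5 era (-m state rather than the newer -m conntrack). With DRY_RUN=1, the default, the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal default-deny iptables
# rule set for a host that exposes nothing but SSH. The SSH port (60022, the
# value the article picks in step 12) is an assumption; the host is assumed not
# to route (FORWARD is dropped). DRY_RUN=1, the default here, prints each
# command instead of running it, so the rule set can be reviewed before it is
# applied as root with DRY_RUN=0.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# firewall_rules [SSH_PORT] -- emit or apply the rule set
firewall_rules() {
    local ssh_port
    ssh_port=${1:-60022}

    run iptables -F INPUT
    # loopback, and replies to connections this host opened (plus related ICMP errors)
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new SSH connections on the non-default port from step 12
    run iptables -A INPUT -p tcp --dport "$ssh_port" -m state --state NEW -j ACCEPT
    # rate-limited ping; remove this line if you follow step 8 and ignore pings entirely
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # log a sample of what is about to be dropped so probes show up in /var/log/messages
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    # policies last: setting INPUT to DROP before the ESTABLISHED rule exists would
    # stall the SSH session you are applying this from
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -P INPUT DROP
}

firewall_rules 60022
```

Review the printed commands, then apply them as root with DRY_RUN=0 and persist them with service iptables save so they are reloaded at boot. Anything not matched by an ACCEPT rule is dropped by the INPUT policy, which is the point of the exercise.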
3, Run setup (or ntsysv / chkconfig) and turn off the services you do not need. Remember: one service less is one danger less.
4, Disable the Control-Alt-Delete shutdown shortcut
Comment out (with #) this line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
so that it reads:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
For the change to take effect, have init re-read the file:
# /sbin/init q
(Releases that no longer use /etc/inittab handle this elsewhere: upstart in /etc/init/control-alt-delete.conf, systemd through the ctrl-alt-del.target unit.)
5, Set permissions on the script files under /etc/rc.d/init.d
Restrict the start-up scripts, or at least those of the services you have turned off, so that only root can touch them:
# chmod -R 700 /etc/rc.d/init.d/*
This means that only root may read, write or execute the scripts in that directory; ordinary users can then no longer read them or run them to query a service's status.
6, Modify the /etc/host.conf file
/etc/host.conf tells the resolver how to resolve addresses. Edit it (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting resolves names via DNS first and then via the hosts file. The second lets a host listed in /etc/hosts have more than one IP address (for example, a machine with several Ethernet cards). The third makes the resolver check that a resolved address maps back to the same host name, so that spoofing attempts against this machine are rejected. Note that on glibc-based systems such as CentOS the lookup order is actually taken from the hosts: line in /etc/nsswitch.conf; the order keyword here is a holdover from libc5.
7, Make the /etc/services file immutable
Make /etc/services immutable so that services cannot be deleted from it or added to it without authorisation:
# chattr +i /etc/services
While the flag is set, package updates that need to rewrite the file will fail; clear it with chattr -i before updating and set it again afterwards.
8, Stop the system from answering any ping request, from outside or inside
If nobody can ping your machine and get a reply, it is harder to find with a simple ping sweep. Add the following line to /etc/rc.d/rc.local so that it runs at every boot:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Be clear about what this buys you: a scanner that skips host discovery (nmap -P0, spelled -Pn in newer versions, as in step 12 below) still finds the host by its open ports, and ignoring pings also hides the host from your own monitoring. The same setting can be kept in /etc/sysctl.conf as net.ipv4.icmp_echo_ignore_all = 1 (it appears, commented out, in step 13).
9, Set resource limits for all users on your system; this helps prevent DoS (denial-of-service) attacks
For example the maximum number of processes or the amount of memory. Limits for all users might look like the listing below.
There, every user is limited to 10 MB of resident memory per session and to four simultaneous logins; the third line disables core dumps for everyone; the fourth line removes all limits for the bin user. ftp is allowed 10 concurrent sessions (useful for an anonymous ftp account); members of the managers group are limited to 40 processes; developers get a 64 MB memlock limit; and members of wwwusers cannot create a file larger than 50 MB. The entries go in /etc/security/limits.conf and sizes are in KB. Two caveats: the rss limit is ignored by Linux kernels from 2.4.30 onwards, so on CentOS 4 and later that first line does nothing (use nproc, memlock and, where available, the as item to cap memory instead); and all of these limits apply per login session, they are not global or permanent settings.
Listing 3. Setting quotas and restrictions
*           hard    rss         10000
*           hard    maxlogins   4
*           hard    core        0
bin         -
ftp         hard    maxlogins   10
@managers   hard    nproc       40
@developers hard    memlock     64000
@wwwusers   hard    fsize       50000
To activate these limits, add the following line at the bottom of /etc/pam.d/login: session required /lib/security/pam_limits.so. On CentOS the shared /etc/pam.d/system-auth normally already carries a pam_limits session line, so check before adding a second one; and SSH logins go through /etc/pam.d/sshd rather than login, so make sure that file (via system-auth) loads pam_limits as well.
10, Comment out unnecessary users and groups
vi /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
pegasus:x:66:65:tog-pegasus OpenPegasus WBEM/CIM services:/var/lib/Pegasus:/sbin/nologin
htt:x:100:101:IIIMF Htt:/usr/lib/im:/sbin/nologin
wangjing:x:500:500::/home/wangjing:/bin/bash
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
Comment out (with #) every user you do not need. Note that I do not recommend deleting them outright: if for some reason you need that user again, recreating it is very troublesome. A cleaner alternative to commenting out is locking the account (usermod -L) and giving it /sbin/nologin as its shell; note that netdump and mysql in the listing above still have /bin/bash, which a service account does not need.
vi / etc / group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
nscd:x:28:
slocate:x:21:
sshd:x:74:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
xfs:x:43:
ntp:x:38:
gdm:x:42:
pegasus:x:65:
htt:x:101:
wangjing:x:500:
mysql:x:102:
apache:x:48:
Comment out (with #) every group you do not need. Again, I do not recommend deleting them: if for some reason you need the group again later, it will be troublesome.
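A way to decide which accounts in step 10 actually need attention, as an added example that is not the article's own code: the script below lists the accounts in a passwd-format file that can still log in, and prints the usermod commands that lock the system accounts among them instead of deleting or commenting them out. It assumes that system accounts have a UID below 500 (as on CentOS 4/5 and in the listing above; newer releases use 1000, hence the UID_MIN variable) and that /sbin/nologin or /bin/false means the account cannot log in. The sample file it builds is constructed from a few lines of the listing above.

```shell
#!/bin/sh
# Added example, not from the original article: review a passwd-format file for
# accounts that can still log in, and generate the commands that lock the system
# accounts among them. Locking (usermod -L plus a nologin shell) keeps the UID,
# home directory and file ownership intact, which is why it beats deleting.
# Assumptions: system accounts have a UID below UID_MIN (500 on CentOS 4/5, as in
# the article's listing; 1000 on newer releases), and a shell of /sbin/nologin or
# /bin/false means "cannot log in".

UID_MIN=${UID_MIN:-500}

# interactive_accounts PASSWD_FILE -- non-root accounts with a usable shell.
# An empty shell field means /bin/sh, so it counts as interactive; sync, halt and
# shutdown are the classic single-purpose accounts and are skipped.
interactive_accounts() {
    awk -F: '
        $1 == "root" { next }
        $7 ~ /\/(nologin|false|sync|halt|shutdown)$/ { next }
        { print $1 }
    ' "$1"
}

# lock_commands PASSWD_FILE -- one usermod line per system account that still has
# a shell; review the output, then run it as root
lock_commands() {
    awk -F: -v uid_min="$UID_MIN" '
        $1 == "root" { next }
        $3 >= uid_min { next }
        $7 ~ /\/(nologin|false|sync|halt|shutdown)$/ { next }
        { printf "usermod -L -s /sbin/nologin %s\n", $1 }
    ' "$1"
}

# write_sample_passwd FILE -- constructed sample, a few lines modelled on the
# article's listing (netdump and mysql have /bin/bash there, news has no shell)
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
news:x:9:13:news:/etc/news:
sync:x:5:0:sync:/sbin:/bin/sync
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:101:102:MySQL server:/var/lib/mysql:/bin/bash
wangjing:x:500:500::/home/wangjing:/bin/bash
EOF
}

sample=$(mktemp)
write_sample_passwd "$sample"
echo "accounts that can log in:"; interactive_accounts "$sample"   # news netdump mysql wangjing
echo "lock commands:"; lock_commands "$sample"                     # news, netdump, mysql only
rm -f "$sample"
```

Run it against the real file with interactive_accounts /etc/passwd; wangjing is left alone because it is a regular user, and the lock commands are printed rather than executed so that the list can be checked against the services the host actually runs.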
11, Use chattr to make the following files immutable, so that they cannot be changed:
[root@deep]# chattr +i /etc/passwd
[root@deep]# chattr +i /etc/shadow
[root@deep]# chattr +i /etc/group
[root@deep]# chattr +i /etc/gshadow
Note that once this is done, even root cannot add users or change passwords. If you need to add a user or change a password, first clear the flag with chattr -i /etc/passwd (and likewise for the other three files), make the change, and set the flag again. The same applies to package installs whose scripts create service accounts: they will fail while the flag is set.
12, Change the default sshd port
sshd listens on port 22 by default, and everyone on Earth knows it. The usual way for an attacker with no particular target to find Linux machines is to scan for hosts with port 22 open, put them in a list, and probe them for vulnerabilities one by one.
Nmap 4, for example, can do this with nmap -v -iR 10000 -P0 -p 22, which picks 10000 random IP addresses and looks for port 22 open (-P0 skips the ping check, so step 8 does not hide you from it; newer Nmap spells it -Pn). The scan can just as easily be aimed at the address ranges of a particular country.
Scans normally go by the well-known service ports; a full 1-65535 sweep is possible, but unless one machine is being targeted specifically it is not efficient.
To change the default port to 60022:
vi /etc/ssh/sshd_config
Find the line #Port 22 (which marks the default port 22), remove the leading # and change it to: Port 60022
Then restart the service:
# /etc/init.d/sshd restart
Before restarting, check the file with sshd -t, allow the new port in the iptables rules from step 2, and keep your current session open until you have confirmed that a new login on the new port works. On newer releases with SELinux enforcing, the port must also be labelled ssh_port_t (semanage port) or sshd will not be allowed to bind it.
Other security options in sshd_config
Change #PermitRootLogin yes to PermitRootLogin no, so that root cannot log in remotely.
Change the #Protocol line to Protocol 2, so that only SSH protocol 2 is used (protocol 1 is cryptographically weak, and current OpenSSH no longer supports it at all).
There are further options to set as required: a banner, the lock-out time after failed logins, whether empty passwords are allowed, the server key size, and which users and source addresses may log in.
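The sshd_config changes from this step, as an added example that is not part of the original article: a shell script that applies them idempotently to a config file and reads back the value sshd will actually use. sshd takes the first occurrence of each keyword, so the script rewrites the first matching line (commented or not) in place and appends only when the keyword is absent. It assumes the article's port 60022 and adds PermitEmptyPasswords no (one of the further options mentioned above); the sample config it writes is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: apply the step-12 sshd_config
# changes idempotently and read back the effective values. sshd_config keywords
# are case-insensitive and sshd uses the FIRST occurrence of each keyword, so
# sshd_set rewrites the first matching line (commented or not) and appends only
# if the keyword is missing. Port 60022 is the article's choice, an assumption.

# sshd_set FILE KEYWORD VALUE
sshd_set() {
    local file key val
    file=$1; key=$2; val=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        awk -v key="$key" -v val="$val" '
            !done && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)") {
                print key " " val; done = 1; next
            }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# sshd_get FILE KEYWORD -- the value sshd would use: first uncommented match
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE -- the settings from step 12 plus no empty passwords
harden_sshd_config() {
    local file
    file=$1
    sshd_set "$file" Port 60022
    sshd_set "$file" Protocol 2
    sshd_set "$file" PermitRootLogin no
    sshd_set "$file" PermitEmptyPasswords no
}

# write_sample_sshd_config FILE -- constructed sample resembling a stock file
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#Protocol 2,1
PermitRootLogin yes
X11Forwarding no
EOF
}

cfg=$(mktemp)
write_sample_sshd_config "$cfg"
harden_sshd_config "$cfg"
cat "$cfg"          # Port 60022 / Protocol 2 / PermitRootLogin no / X11Forwarding no / PermitEmptyPasswords no
rm -f "$cfg"
```

To use it on a real host, run harden_sshd_config against a copy of /etc/ssh/sshd_config, validate the copy with sshd -t -f COPY, move it into place and restart sshd while your existing session stays open. Running it twice changes nothing, which is what makes it safe to keep in a provisioning script.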
13, Kernel parameter tuning
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
#sysctl -w net.ipv4.icmp_echo_ignore_all=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.ip_conntrack_max=65535
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.tcp_fin_timeout=5
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.route.gc_timeout=100
sysctl -w net.ipv4.tcp_keepalive_time=500
sysctl -w net.ipv4.tcp_max_syn_backlog=10000
A few notes. sysctl -w changes only the running kernel; to keep the settings across reboots, put the same key = value pairs in /etc/sysctl.conf. The conf.default.* keys apply only to interfaces created after they are set, so set the conf.all.* counterpart as well. net.ipv4.ip_conntrack_max exists only while the ip_conntrack module is loaded (newer kernels call it net.netfilter.nf_conntrack_max). tcp_syn_retries=1, tcp_synack_retries=1 and tcp_fin_timeout=5 are aggressive: a single lost SYN or SYN-ACK is enough to fail a connection, so expect trouble on lossy links.
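A persistent form of these settings with two checks around it, as an added example that is not the article's own code: the script writes the values into a sysctl.conf-style file, reports keys listed more than once (a real risk with hand-maintained lists, since the last value silently wins), and compares the file with the running kernel by reading /proc/sys directly, which needs no root. The values are the article's; net.ipv4.conf.all.accept_source_route is an addition of mine, labelled in the code, and the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article: keep the step-13 settings in a
# sysctl.conf-style file so they survive a reboot (sysctl -w alone does not),
# flag keys listed more than once, and compare the file with the running kernel
# by reading /proc/sys directly, which needs no root. The values are the
# article's; net.ipv4.conf.all.accept_source_route is added here because the
# "default" key only covers interfaces created after it is set. The 5-second
# FIN timeout and single SYN retry are kept as written; they are aggressive.

# write_hardening_sysctl FILE -- the article's list in /etc/sysctl.conf form
write_hardening_sysctl() {
    cat > "$1" <<'EOF'
# source routing, broadcast pings, bogus ICMP errors
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN flood handling
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 10000
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
# connection tear-down and keepalive (seconds), route cache
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_keepalive_time = 500
net.ipv4.route.gc_timeout = 100
# only present while ip_conntrack is loaded (newer kernels: net.netfilter.nf_conntrack_max)
net.ipv4.ip_conntrack_max = 65535
EOF
}

# sysctl_conf_duplicates FILE -- keys that appear more than once (the last one
# wins, which is usually a mistake rather than an intent)
sysctl_conf_duplicates() {
    awk -F= '
        /^[[:space:]]*(#|;|$)/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k); n[k]++ }
        END { for (k in n) if (n[k] > 1) print k }
    ' "$1" | sort
}

# sysctl_key_to_path KEY -- net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
sysctl_key_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# sysctl_conf_diff FILE -- print "key running -> wanted" for every key whose running
# value differs from the file, or which this kernel does not have at all
sysctl_conf_diff() {
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | tr -d '[:space:]')
        case "$key" in ''|'#'*|';'*) continue ;; esac
        path=$(sysctl_key_to_path "$key")
        if [ -r "$path" ]; then
            cur=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
            [ "$cur" = "$val" ] || printf '%s %s -> %s\n' "$key" "$cur" "$val"
        else
            printf '%s (not present on this kernel) -> %s\n' "$key" "$val"
        fi
    done < "$1"
}

conf=$(mktemp)
write_hardening_sysctl "$conf"
echo "duplicate keys:"; sysctl_conf_duplicates "$conf"
echo "differences from the running kernel:"; sysctl_conf_diff "$conf"
rm -f "$conf"
```

Write the file to /etc/sysctl.conf (or merge it into the existing one), check it with sysctl_conf_duplicates, and load it with sysctl -p; sysctl_conf_diff then shows which keys are still not at the intended value, including any the running kernel does not offer.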
14, Check the system logs regularly. The main logs live under /var/log; on CentOS, /var/log/messages and /var/log/secure are the ones to watch for service events and authentication attempts. This is a preventive measure.
With the settings above your system is, in general, fairly secure. Of course, security is an arms race: as the defences grow an inch, the attacks grow a foot.