2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article shares how to harden and tune a CentOS 6.5 server. The editor found it practical and shares it here for study; hopefully you will take something away from it. Without further ado, read on.
Anyone who spends time with Linux knows some of the system parameters worth tuning and a few ways to tighten security. Several kernel defaults are conservative, so adjusting them changes how memory, CPU and kernel resources are used, and disabling services and ports the machine does not need shrinks its attack surface. Based on my own understanding of Linux, the tuning is summarized as follows:
Operating system: CentOS 6.5_x64 minimized installation
1. Hostname setting
The code is as follows:
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=test.com
[root@localhost ~]# hostname test.com    # takes effect immediately but is lost at reboot; the file above makes it persistent
2. Close SELinux
The code is as follows:
[root@localhost ~]# vi /etc/selinux/config
SELINUX=disabled
[root@localhost ~]# setenforce 0    # switches to permissive mode until the next boot
[root@localhost ~]# getenforce      # view the current SELinux mode
SELinux is the only mandatory access control layer on the box, so switching it off is a convenience for software that ships with broken policies, not a hardening step. If an application misbehaves, prefer SELINUX=permissive (denials are logged to /var/log/audit/audit.log but not enforced) while you troubleshoot, and keep enforcing mode where you can. The change in /etc/selinux/config only applies at the next boot, and going back from disabled to enforcing later triggers a full filesystem relabel.
3. Clear the firewall and set the rules
The code is as follows:
[root@localhost ~]# iptables -F    # flush the current rules in the filter table
[root@localhost ~]# iptables -L    # view the rules
[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT    # loopback traffic, which many local daemons depend on
[root@localhost ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # replies to connections this host opened (yum, DNS lookups, ntpdate)
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH: add this before the DROP policy or a remote session locks you out
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT    # only if this host serves DNS
[root@localhost ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p udp --dport 123 -j ACCEPT   # only if this host serves NTP
[root@localhost ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@localhost ~]# iptables -P INPUT DROP    # default-deny everything not matched above
[root@localhost ~]# /etc/init.d/iptables save    # writes /etc/sysconfig/iptables so the rules survive a reboot
# Open only the ports the services on this host actually need.
Without the loopback and ESTABLISHED,RELATED rules, a DROP policy also discards the replies to the host's own outbound connections, so package updates and the time synchronization in step 12 fail silently.
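The same baseline can be produced as a file and checked before it is loaded. The script below is an added example and not code from the original article: it writes the ruleset in iptables-save format (the format of /etc/sysconfig/iptables, which "service iptables save" produces on CentOS 6) and refuses any ruleset that lacks a default DROP, the ESTABLISHED,RELATED rule or the SSH port. The port lists, the 22 used as the SSH port and the /tmp path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate an /etc/sysconfig/iptables
# ruleset in iptables-save format and sanity-check it before loading it.
# Port lists and the file path in the usage comment are assumptions.

rule() { printf '%s\n' "$*"; }

# gen_iptables_rules "TCP_PORTS" "UDP_PORTS": print a complete filter table.
# Default-deny inbound, allow loopback, allow replies to connections this host
# opened, allow the listed service ports, rate-limit ping, log what is dropped.
gen_iptables_rules() {
  tcp_ports=$1
  udp_ports=$2
  rule '*filter'
  rule ':INPUT DROP [0:0]'
  rule ':FORWARD DROP [0:0]'
  rule ':OUTPUT ACCEPT [0:0]'
  rule '-A INPUT -i lo -j ACCEPT'
  rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  rule '-A INPUT -m state --state INVALID -j DROP'
  rule '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT'
  for p in $tcp_ports; do
    rule "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
  done
  for p in $udp_ports; do
    rule "-A INPUT -p udp --dport $p -j ACCEPT"
  done
  rule '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-DROP " --log-level 4'
  rule 'COMMIT'
}

# check_ruleset [SSH_PORT]: read a ruleset on stdin and fail unless it defaults
# to DROP, lets reply traffic back in, and keeps the SSH port open. Loading a
# ruleset that fails any of these over SSH locks the administrator out.
check_ruleset() {
  ssh_port=${1:-22}
  awk -v ssh="$ssh_port" '
    /^:INPUT DROP/ { drop = 1 }
    /^-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$/ { est = 1 }
    /^-A INPUT -p tcp / && index($0, "--dport " ssh " -j ACCEPT") { sshok = 1 }
    END {
      if (!drop)  print "FAIL: no default DROP policy on INPUT"
      if (!est)   print "FAIL: no ESTABLISHED,RELATED rule; replies to the host own connections would be dropped"
      if (!sshok) print "FAIL: SSH port " ssh " not accepted; loading this remotely would lock you out"
      exit !(drop && est && sshok)
    }'
}

# Usage on the server, as root (paths are an assumption):
#   gen_iptables_rules "22 80" "" > /tmp/iptables.rules
#   check_ruleset 22 < /tmp/iptables.rules && iptables-restore < /tmp/iptables.rules \
#     && cp /tmp/iptables.rules /etc/sysconfig/iptables
```

Generating the file rather than typing rules one by one means the order is fixed (loopback and state rules first, DROP policy in the chain header), and check_ruleset gives a cheap anti-lockout test that can be run on any ruleset before iptables-restore applies it.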
4. Add an ordinary user and grant sudo
The code is as follows:
[root@localhost ~]# useradd user
[root@localhost ~]# echo "123456" | passwd --stdin user    # set the password; 123456 is only a placeholder, use a strong one or deploy an SSH key instead
[root@localhost ~]# visudo    # edits /etc/sudoers and syntax-checks it on save; editing with plain vi skips the check, and a broken sudoers locks everyone out of sudo
root    ALL=(ALL)       ALL
user    ALL=(ALL)       ALL
ALL=(ALL) ALL gives the account unrestricted root, so the gain from this step is an audit trail (sudo logs every command to /var/log/secure) and no shared root password, not reduced privilege. Note also that passing the password through echo leaves it in the shell history, which is one reason step 11 exists.
5. Disable root remote login
The code is as follows:
[root@localhost ~]# vi /etc/ssh/sshd_config
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
[root@localhost ~]# sshd -t && service sshd reload    # syntax-check the file, then apply it
PermitEmptyPasswords no refuses logins to accounts with an empty password; UseDNS no skips the reverse lookup of the client address, which speeds up logins and removes a dependency on DNS. Two parsing rules of sshd matter here: only whole-line # comments are allowed (a trailing comment after a value is a syntax error), and the first occurrence of a keyword wins, so remove or comment out any earlier PermitRootLogin yes rather than appending a new line below it. With root login disabled, administer the host through the sudo user from step 4; if automation needs root over SSH, PermitRootLogin without-password allows key-based root logins only.
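Because sshd keeps the first value it sees, an edit that appends PermitRootLogin no at the end of the file can leave root login enabled. The following added example, not code from the original article, reads sshd_config with sshd's own rules (first occurrence wins, keywords are case-insensitive, only whole-line comments) and audits the three settings from this step. The two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): read sshd_config the way sshd
# does, so a hardening edit can be verified instead of assumed. sshd uses the
# FIRST uncommented occurrence of a keyword, keywords are case-insensitive, and
# only whole-line "#" comments are allowed. Both sample configs are constructed.

# Constructed sample 1: hardening lines appended at the end of the file while an
# earlier "PermitRootLogin yes" was left in place. sshd keeps the earlier value.
SAMPLE_APPENDED='#Port 22
Protocol 2
PermitRootLogin yes
#PermitEmptyPasswords no
UseDNS yes

PermitRootLogin no
PermitEmptyPasswords no
UseDNS no'

# Constructed sample 2: the same file with the stale line removed.
SAMPLE_FIXED='#Port 22
Protocol 2
#PermitEmptyPasswords no
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no'

# sshd_effective KEYWORD: read sshd_config on stdin and print the value sshd
# will use for KEYWORD in the global section; print nothing if it is not set
# (sshd then applies its compiled-in default).
sshd_effective() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # whole-line comments and blank lines
    { gsub(/=/, " ") }                         # "Keyword=value" is also accepted by sshd
    tolower($1) == "match" { exit }            # settings inside Match blocks are conditional; stop
    tolower($1) == key && NF >= 2 { print $2; exit }'
}

# audit_sshd: read sshd_config on stdin, print one line per setting that does
# not match the hardened value, return 1 if anything is off. Absent keywords are
# reported too: an audit should not rely on remembering each compiled-in default.
audit_sshd() {
  cfg=$(cat)
  rc=0
  for pair in PermitRootLogin=no PermitEmptyPasswords=no UseDNS=no; do
    key=${pair%%=*}
    want=${pair#*=}
    have=$(printf '%s\n' "$cfg" | sshd_effective "$key")
    if [ "$have" != "$want" ]; then
      printf 'WEAK: %s is "%s", want "%s"\n' "$key" "${have:-unset}" "$want"
      rc=1
    fi
  done
  return $rc
}

# Usage on the server:  audit_sshd < /etc/ssh/sshd_config
# After editing, run "sshd -t" (syntax check) and then "service sshd reload".
```

Run against SAMPLE_APPENDED the audit reports PermitRootLogin as "yes" even though the last line of the file says no; against SAMPLE_FIXED it is silent and returns 0.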
6. Turn off unnecessary services that start at boot
Review what chkconfig has enabled for the default runlevel and switch off anything this server does not provide: every listening daemon is both attack surface and a patching obligation.
7. Delete unnecessary system users
Legacy accounts such as games, ftp, news and uucp serve no purpose on a hardened server. Locking them with a /sbin/nologin shell achieves the same result as deleting them without disturbing file ownership or the RPM database.
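Steps 6 and 7 are easier to review when the decision is made from a snapshot and the resulting commands are printed before anything is run. The script below is an added example, not code from the original article; the chkconfig output and /etc/passwd excerpt are constructed, and the allow-list of services is an assumption about what a minimal headless server needs.

```shell
#!/bin/sh
# Added example (not from the original article): decide what to switch off from
# a "chkconfig --list" snapshot and an /etc/passwd snapshot, printing the
# commands instead of running them so they can be reviewed first.

# Constructed "chkconfig --list" output from a minimal CentOS 6 install.
SAMPLE_CHKCONFIG='auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
netfs           0:off 1:off 2:off 3:on  4:on  5:on  6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix         0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
udev-post       0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# services_to_disable ALLOWLIST: read chkconfig output on stdin and print a
# "chkconfig NAME off" line for every service enabled in runlevel 3 (the
# default for a headless server) that is not in the space-separated ALLOWLIST.
services_to_disable() {
  awk -v allow=" $1 " '
    $1 != "" && $0 ~ /3:on/ && index(allow, " " $1 " ") == 0 { print "chkconfig " $1 " off" }'
}

# Constructed /etc/passwd excerpt with the legacy accounts old advice deletes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
user:x:500:500::/home/user:/bin/bash'

# users_to_lock KEEPLIST: print "usermod -L -s /sbin/nologin NAME" for every
# system account (UID below 500 on CentOS 6, root excluded) whose shell is not
# already /sbin/nologin and which is not in the space-separated KEEPLIST.
# Locking instead of deleting keeps file ownership and "rpm -V" consistent.
users_to_lock() {
  awk -F: -v keep=" $1 " '
    $3 > 0 && $3 < 500 && $7 != "/sbin/nologin" && index(keep, " " $1 " ") == 0 {
      print "usermod -L -s /sbin/nologin " $1 }'
}

# Usage on the server (allow-list is an assumption; adjust to the host role):
#   chkconfig --list | services_to_disable "auditd crond iptables network rsyslog sshd" | sh
#   users_to_lock "" < /etc/passwd | sh
```

Piping the output into sh only after reading it keeps a human in the loop; the xinetd section of chkconfig output is skipped automatically because its lines carry no "3:on" field.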
8. Disable the Ctrl-Alt-Delete reboot key combination
The code is as follows:
[root@localhost ~]# vi /etc/init/control-alt-delete.conf
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"    # comment out this line so the key combination no longer reboots the host
9. Raise the file descriptor limit
The code is as follows:
[root@localhost ~]# ulimit -n    # the default is 1024
1024
[root@localhost ~]# echo "ulimit -SHn 102400" >> /etc/rc.local    # applied at every boot
-S and -H raise the soft and hard limits together. Be aware of the scope: rc.local runs last during boot, and a ulimit placed there only affects processes started from rc.local after that line. Services started by their init scripts and interactive logins do not inherit it; for those, set the nofile limit in /etc/security/limits.conf (applied by pam_limits at login) or in the service's own init script.
10. Remove system identification
The code is as follows:
[root@localhost ~]# echo "Welcome to Server" > /etc/issue
[root@localhost ~]# echo "Welcome to Server" > /etc/redhat-release
/etc/issue is the banner shown before the console login (/etc/issue.net is the one sshd displays when Banner is configured). Overwriting /etc/redhat-release hides the distribution version from casual inspection only: package versions and the sshd and web server banners still reveal it, and some installers and scripts parse this file and misbehave when it no longer names CentOS. Treat this step as cosmetic, not as a substitute for patching.
11. Limit the shell history
The code is as follows:
[root@localhost ~]# vi /etc/profile    # keep only the last 10 commands
HISTSIZE=10
The intent is to keep fewer secrets typed on the command line (such as the password from step 4) in ~/.bash_history. The trade-off is that history is also evidence an incident responder relies on, so on monitored servers the better choice is usually to keep it, add timestamps with HISTTIMEFORMAT and ship command logs through auditd or rsyslog, while avoiding passwords on the command line in the first place.
12. Synchronize the system time
The code is as follows:
[root@localhost ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime    # set the Shanghai time zone
[root@localhost ~]# ntpdate cn.pool.ntp.org; hwclock -w    # synchronize now and write the time to the hardware (BIOS) clock
[root@localhost ~]# crontab -e    # schedule a synchronization every day at midnight
0 0 * * * /usr/sbin/ntpdate cn.pool.ntp.org; hwclock -w
ntpdate steps the clock, so a daily run can move log timestamps backwards. Where accurate, monotonic time matters (log correlation, Kerberos, certificate validity) run the ntpd service continuously instead of a daily step. The replies to ntpdate reach the host because of the ESTABLISHED,RELATED rule from step 3.
13. Kernel parameter optimization
The code is as follows:
[root@localhost ~]# vi /etc/sysctl.conf    # add the following parameters at the end
net.ipv4.tcp_syncookies = 1          # send SYN cookies when the SYN backlog overflows, which blunts small SYN floods; CentOS 6 already sets this in its stock /etc/sysctl.conf
net.ipv4.tcp_tw_reuse = 1            # allow TIME_WAIT sockets to be reused for new outgoing connections (needs TCP timestamps, which are on by default); default 0
net.ipv4.ip_local_port_range = 4096 65000    # ephemeral port range available to applications
net.ipv4.tcp_max_tw_buckets = 5000   # cap on TIME_WAIT sockets; above it they are destroyed at once and a warning is logged; default 180000
net.ipv4.tcp_max_syn_backlog = 4096  # queue of half-open (SYN_RECV) connections; default 1024
net.core.netdev_max_backlog = 10240  # packets queued per interface when they arrive faster than the kernel processes them; default 1000
net.core.somaxconn = 2048            # upper bound for the listen() backlog; default 128
net.core.wmem_default = 8388608      # default socket send buffer, bytes
net.core.rmem_default = 8388608      # default socket receive buffer, bytes
net.core.rmem_max = 16777216         # largest receive buffer an application may request, bytes
net.core.wmem_max = 16777216         # largest send buffer an application may request, bytes
net.ipv4.tcp_synack_retries = 2      # SYN-ACK retransmissions for half-open connections; default 5
net.ipv4.tcp_syn_retries = 2         # SYN retransmissions for outgoing connections; default 5
net.ipv4.tcp_tw_recycle = 1          # fast recycling of TIME_WAIT sockets; default 0 (see the warning below)
net.ipv4.tcp_max_orphans = 3276800   # maximum TCP sockets not attached to any file handle; above it orphans are reset and a warning is logged
net.ipv4.tcp_mem = 94500000 915000000 927000000    # TCP memory thresholds, in pages: no pressure below [0], pressure mode from [1], refuse new sockets above [2]
[root@localhost ~]# sysctl -p    # load the file now; it is also read at every boot
The text after # on each line is explanation for the reader: sysctl only treats lines that begin with # or ; as comments, so put only the key = value part in the file.
Three caveats. tcp_tw_recycle, when combined with timestamps, drops SYNs from different clients behind the same NAT whose timestamps arrive out of order, and upstream kernels removed the option in 4.12; leave it at 0 on anything that serves NAT'd clients. The 8 MB default socket buffers are allocated per socket and waste memory on hosts with many connections; raising rmem_max and wmem_max is enough for applications that ask for large buffers. tcp_mem is in pages, not bytes: with the 4 KiB pages of x86_64 the values above correspond to roughly 360 GiB, 3.4 TiB and 3.5 TiB, far beyond the memory of any ordinary server, so they effectively disable TCP memory-pressure handling. The kernel derives tcp_mem from physical memory at boot; leave it at the default unless you have measured a need.
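Two properties of sysctl -p cause silent surprises when a file like the one above is applied: a repeated key takes the last value in the file, and a trailing # comment is not stripped but written into the kernel value. The script below is an added example, not code from the original article: it reads a sysctl.conf fragment with those semantics, flags lines sysctl would misread, reports how a running kernel differs, and converts the tcp_mem thresholds from pages to GiB. Both inputs are constructed; on a real host feed /etc/sysctl.conf and the output of sysctl -a.

```shell
#!/bin/sh
# Added example (not from the original article): read a sysctl.conf fragment
# with the semantics "sysctl -p" applies, then report how the running kernel
# differs and which lines the tool would mishandle. Both inputs are constructed.

# Constructed sysctl.conf: one key repeated, one line with an inline comment.
SAMPLE_CONF='# tuning from the article
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.core.somaxconn = 2048 # sysctl -p does not strip this
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000'

# Constructed "sysctl -a" excerpt from a stock CentOS 6 box.
SAMPLE_RUNNING='net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_tw_recycle = 0
net.core.somaxconn = 128
net.ipv4.tcp_mem = 188544 251392 377088'

# parse_sysctl: stdin -> "key=value" lines. Only whole lines starting with
# "#" or ";" are comments; a repeated key takes the LAST value, as sysctl -p does.
parse_sysctl() {
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    index($0, "=") == 0 { next }
    {
      key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
      if (!(key in want)) keys[++n] = key
      want[key] = val
    }
    END { for (i = 1; i <= n; i++) print keys[i] "=" want[keys[i]] }'
}

# lint_sysctl: stdin -> one line per entry sysctl -p would reject or misread
# (no "=", or a trailing "# comment" that becomes part of the value). Returns 1
# if anything was found.
lint_sysctl() {
  awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    index($0, "=") == 0 { printf "line %d: no \"=\": %s\n", NR, $0; bad++; next }
    index($0, "#") > 0  { printf "line %d: inline comment becomes part of the value: %s\n", NR, $0; bad++ }
    END { exit (bad > 0) }'
}

# sysctl_drift CONF RUNNING: print "DRIFT key want=[..] have=[..]" for each key
# in CONF whose running value differs or is missing.
sysctl_drift() {
  desired=$(printf '%s\n' "$1" | parse_sysctl)
  running=$(printf '%s\n' "$2" | parse_sysctl)
  printf '%s\n' "$desired" | while IFS= read -r line; do
    key=${line%%=*}
    want=${line#*=}
    have=$(printf '%s\n' "$running" | awk -F= -v k="$key" '$1 == k { sub(/^[^=]*=/, ""); print; exit }')
    [ "$have" = "$want" ] || printf 'DRIFT %s want=[%s] have=[%s]\n' "$key" "$want" "$have"
  done
}

# tcp_mem_gib PAGES: a tcp_mem threshold converted from pages to GiB, assuming
# the 4 KiB page size of x86_64 (confirm with "getconf PAGESIZE").
tcp_mem_gib() { echo $(( $1 * 4096 / 1073741824 )); }

# Usage on the server:
#   lint_sysctl < /etc/sysctl.conf
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
#   tcp_mem_gib 94500000
```

On the constructed input the drift report shows tcp_tw_recycle wanted as 1, because the second occurrence in the file wins, the somaxconn entry carries its inline comment into the wanted value, and tcp_mem_gib 94500000 prints 360.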
At this point the minimal CentOS 6.5 x86_64 installation has been hardened and tuned. Most of the changes take effect immediately (sysctl -p, the service reloads, the iptables save), but the SELinux mode in /etc/selinux/config and the ulimit in rc.local only apply at the next boot, so reboot once and confirm that the firewall, sshd settings and kernel parameters came back as intended.
That covers the security hardening and performance optimization of CentOS 6.5. The editor believes several of these points will come up in daily work; for more details, follow the industry information channel.