
Security configuration of CentOS 6

2025-02-24 Update. From: SLTechnology News&Howtos, Servers


Shulou(Shulou.com)06/01 Report--

This article covers the security configuration of CentOS 6. Interested readers may wish to have a look: the methods introduced here are simple, fast and practical. Let the editor walk you through the security configuration of CentOS 6.

I. System security log files

The log files kept by the operating system are an important clue for detecting a network intrusion. If your system is connected directly to the Internet and you find that many people are trying to log in to it with Telnet/FTP, you can run "# more /var/log/secure | grep refused" to check for attempted attacks on your system, so that you can take appropriate countermeasures, such as replacing Telnet/rlogin with SSH.
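As an added example that is not part of the original article, the following shell script aggregates the "refused" lines that the grep above would show, counting them per source address so that one noisy origin stands out. The log lines are constructed to resemble /var/log/secure entries written by TCP wrappers, and the file path is a temporary file chosen here, not the real log:

```shell
#!/bin/sh
# Added example: tally TCP-wrapper "refused connect" lines per source host.
# The log content below is constructed; it is not a real /var/log/secure.

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Jun  1 10:00:01 host1 in.telnetd[1201]: refused connect from 203.0.113.5
Jun  1 10:00:02 host1 in.telnetd[1202]: refused connect from 203.0.113.5
Jun  1 10:00:07 host1 sshd[1210]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Jun  1 10:00:09 host1 in.ftpd[1215]: refused connect from 198.51.100.7
Jun  1 10:00:12 host1 sshd[1220]: refused connect from 203.0.113.5
EOF

# count_refused LOGFILE
# Prints "count host" pairs, most frequent first. Same selection as
# "grep refused" on the log, but aggregated by the last field (the source).
count_refused() {
    grep 'refused connect from' "$1" \
        | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# top_refused_source LOGFILE -> the single source with the most refused connects
top_refused_source() {
    count_refused "$1" | head -n 1 | awk '{ print $2 }'
}

# refused_total LOGFILE -> total number of refused lines in the file
refused_total() {
    grep -c 'refused connect from' "$1"
}

# Usage (on a live system: count_refused /var/log/secure)
count_refused "$SAMPLE_LOG"
```

On a real server the same functions run against /var/log/secure directly; a source that dominates the tally is the one to block at the firewall or in /etc/hosts.deny.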

II. Startup and login security

1. BIOS security

Set the BIOS password and change the boot order to prevent the system from booting from the floppy disk.

2. User password

The user password is the basic starting point of Linux security. Many people's passwords are far too simple, which is tantamount to opening the door to an intruder. In theory, given enough time and resources, no user password is uncrackable, but choosing a proper password still makes the job hard. A good user password is a string of characters that only its owner can easily remember and understand, and that is never written down anywhere.

To change the minimum password length, edit the login.defs file.

vi /etc/login.defs

PASS_MIN_LEN 8

3. Comment out unwanted users and user groups

All default and unnecessary accounts started by the operating system itself should be disabled, as you should do when you install the system for the first time. Linux provides many default accounts, and the more accounts, the more vulnerable the system will be.

The code is as follows:

vi /etc/passwd

# userdel adm
# userdel lp
# userdel sync
# userdel shutdown
# userdel halt
# userdel news
# userdel uucp
# userdel operator
# userdel games
# userdel gopher
# userdel ftp

vi /etc/group

# groupdel adm
# groupdel lp
# groupdel news
# groupdel uucp
# groupdel games
# groupdel dip
# groupdel pppusers

4. Password file

Use the chattr command to add the immutable attribute to the following files, so that unauthorized users cannot gain privileges by modifying them.

The code is as follows:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
# (remove the attribute with "chattr -i" before running useradd, passwd or groupadd, which must write to these files)

5. Disable the Ctrl+Alt+Delete restart command

Edit the /etc/inittab file and comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now". Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running the following command:

The code is as follows:

# chmod -R 700 /etc/rc.d/init.d/*

This leaves only root able to read, write or execute the script files above.

6. Restrict the su command

If you do not want everyone to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:

The code is as follows:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

Now only users in the isd group can su to root. If you later want the user admin to be able to su to root, run the following command:

# usermod -G 10 admin # Note that the id of the isd group is not necessarily 10, so proceed with caution. There is no isd group in CentOS 6!

If you want to restrict su to root so that only a specified user group may use it, edit /etc/pam.d/su, which contains the following commented lines:

The code is as follows:

# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid

Change the second line to the following and save:

The code is as follows:

auth required pam_wheel.so group=mysugroup

Create a mysugroup group and add the appropriate users to it; only members of this group will then be able to su to root. On a production server, it is also best to prevent root from logging in remotely over ssh.

7. Remove login information

By default, the login banner shows the Linux distribution, kernel version, server hostname and so on. This leaks too much information for a machine with high security requirements. You can edit /etc/rc.d/rc.local and comment out the lines that print system information, such as the following. (Note: under CentOS 6 this file does not contain these lines.)

The code is as follows:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
# echo "" > /etc/issue
# echo "$R" >> /etc/issue
# echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue

Then run the following:

The code is as follows:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

8. Change the SSH port. It is best to change it to a number above 10000, which also reduces the chance that others scan and find it.

Disallow the lower version of the SSH protocol

vi /etc/ssh/sshd_config

Change the "#Protocol 2,1" line to:

Protocol 2

(Note: the lower protocol version is already disabled by default under CentOS 6.)

Change Port to a port number above 1000

vi /etc/ssh/sshd_config

Port 10000

At the same time, create a normal login user and disable direct root login

useradd username
passwd username

vi /etc/ssh/sshd_config

PermitRootLogin no # disable direct remote root login
X11Forwarding no # the server usually does not run X, so do not enable X11 forwarding

9. Turn off the services you do not need; every service you leave closed is one less source of danger.

The following lists only the services that need to be started; all services not listed are turned off:

The code is as follows:

# setup

acpid
anacron
cpuspeed
crond
irqbalance # only needs to be on if the server CPU is SMP or supports dual-core and HT; otherwise turn it off
microcode_ctl
network
random # (this service does not exist in CentOS 6)
sendmail
sshd
syslog
yum-updatesd

10. Enabling the iptables firewall does a lot to increase system security. Set up the firewall rules as follows.

The code is as follows:

vi /etc/sysconfig/iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# add any more rules here
COMMIT
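One consequence of the rules above combined with section 8: with the INPUT policy at DROP and no rule for the relocated SSH port, a remote administrator is locked out the moment the rules load. The following shell function, added here and not from the original article, writes the article's ruleset plus an ACCEPT rule for the SSH port passed as a parameter. The function names and the temporary output path are this example's own, and nothing is loaded into the live firewall:

```shell
#!/bin/sh
# Added example: generate the article's iptables-restore file with the SSH
# port opened, so the default-DROP INPUT policy does not cut off remote access.

# gen_iptables_rules SSH_PORT -> prints an iptables-restore file to stdout
gen_iptables_rules() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "gen_iptables_rules: port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "gen_iptables_rules: port $port out of range" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# allow local loopback connections
-A INPUT -i lo -j ACCEPT
# drop INVALID connections
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# allow all established and related
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow new SSH sessions on the port set in sshd_config (section 8)
-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# count_input_accepts FILE -> number of ACCEPT rules in the INPUT chain
count_input_accepts() {
    grep -c '^-A INPUT .*-j ACCEPT' "$1"
}

# ssh_port_allowed FILE PORT -> 0 if FILE accepts NEW tcp to PORT on INPUT
ssh_port_allowed() {
    grep -q "^-A INPUT -p tcp --dport $2 -m state --state NEW -j ACCEPT" "$1"
}

# Write the generated rules to a temporary file (assumed path, not /etc/sysconfig/iptables)
RULES_OUT="${TMPDIR:-/tmp}/iptables.sample.$$"
gen_iptables_rules 10000 > "$RULES_OUT"
ssh_port_allowed "$RULES_OUT" 10000 && echo "SSH on port 10000 is reachable through INPUT"
```

Before copying the output to /etc/sysconfig/iptables, keep an existing SSH session open and test the rules from a second connection; the ssh_port_allowed check only proves the rule is present in the file, not that the port matches the running sshd.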

III. Restrictions on network access

1. NFS access

If you use the NFS network file system service, make sure your /etc/exports has the strictest possible access settings: do not use any wildcards, do not allow root write access, and allow the export to be mounted only as a read-only file system. Edit /etc/exports and add the following two lines.

# no space between the hostname and the option list: "host (ro)" would apply the options to everyone and leave host with the defaults
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

/dir/to/export is the directory you want to export, hostN.mydomain.com is the name of the machine allowed to mount it, ro means it is mounted read-only, and root_squash prevents root from writing to the directory. For the changes to take effect, run the following command.

# /usr/sbin/exportfs -a

2. inetd settings

First verify that /etc/inetd.conf is owned by root and that its permissions are set to 600. After setting this, you can check with the "stat" command.

# chmod 600 /etc/inetd.conf

Then edit /etc/inetd.conf and disable the following services.

ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth

If you have ssh/scp installed, you can also disable Telnet/FTP. For the changes to take effect, run the following command:

# killall -HUP inetd

By default, most Linux systems allow all requests, but TCP_WRAPPERS makes it easy to tighten this: edit /etc/hosts.deny and /etc/hosts.allow to add access restrictions. For example, setting /etc/hosts.deny to "ALL: ALL" denies all access by default; then add the permitted access to /etc/hosts.allow. For example, "sshd: 192.168.1.10 gate.openarch.com 255.255.255.0" allows the IP address 192.168.1.10 and the host gate.openarch.com to connect over SSH.

After the configuration is complete, you can check with tcpdchk:

# tcpdchk

tcpdchk is the TCP_Wrapper configuration checker; it examines your tcp wrapper configuration and reports any potential or existing problems it finds.

3. Login terminal settings

The /etc/securetty file specifies the tty devices on which root is allowed to log in. It is read by the /bin/login program and its format is a list of allowed device names; edit /etc/securetty and comment out the following lines.

The code is as follows:

tty1
# tty2
# tty3
# tty4
# tty5
# tty6

Now root can log in only on the tty1 terminal.

4. Avoid displaying system and version information.

If you do not want remotely logged-in users to see the system and version information, change the /etc/inetd.conf file as follows:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Adding -h means that telnet does not display system information but only the "login:" prompt.

5. Modify the appropriate configuration file to disable IPv6.

# vi /etc/modprobe.conf

alias net-pf-10 off
alias ipv6 off

# shutdown -r now

IV. Prevent attacks

1. Block ping. If no one can ping your system, security naturally increases. To do this, add the following line to the /etc/rc.d/rc.local file:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2. Prevent IP spoofing

Edit the /etc/host.conf file and add the following lines to prevent IP spoofing attacks.

order bind,hosts
multi off
nospoof on

3. Prevent DoS attacks

Setting resource limits for all users of the system can prevent DoS-type attacks, for example limits on the maximum number of processes and on memory usage. For example, you can add the following lines to /etc/security/limits.conf:

* hard core 0
* hard rss 5000 # (this line may have no effect: man limits.conf says "maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)")
* hard nproc 50

Then edit the /etc/pam.d/login file and check that the following line exists.

session required /lib/security/pam_limits.so

The lines above disable core dump files, limit each user to 50 processes, and cap memory usage at 5 MB.

With the above settings, your Linux server is protected against most known security problems and network attacks, but a good system administrator should always keep up with network security developments and fix exposed and potential vulnerabilities promptly.

V. Adjustment of kernel parameters

The settings in this section appear to differ somewhat from those under CentOS 6; apply them as appropriate.

(The CentOS 6 equivalents can be found in this article)

The code is as follows:

# vi /etc/sysctl.conf

# /etc/sysctl.conf takes "key = value" lines ("sysctl -w key=value" is the command-line form); apply the file with "sysctl -p"
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
# net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_conntrack_max = 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_synack_retries = 1
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_keepalive_time = 500
net.ipv4.tcp_max_syn_backlog = 10000

At this point, I believe you have a deeper understanding of "CentOS 6 security configuration", so why not try it out in practice! More related content can be found through the relevant channels on this website; follow us and keep learning!
