2025-01-19 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/01 Report
The editor shares here an example analysis of the routine initialization of a CentOS system. Most people know little about it, so the article is offered for your reference; I hope you gain a lot from reading it. Let's go through it together.
Environment preparation:
1) Set the system locale to en_US.UTF-8
[root@c58 ~]# sed -i 's/^\(LANG=\).*$/\1"en_US.UTF-8"/' /etc/sysconfig/i18n
[root@c58 ~]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8"
[root@c58 ~]# LANG=en_US.UTF-8
2) Update the system software packages
Back up the default yum sources:
find /etc/yum.repos.d -name '*.repo' -exec mv {} {}.bak \;
Add the 163 yum source:
Redhat5 or centos5:
wget http://mirrors.163.com/.help/CentOS5-Base-163.repo -P /etc/yum.repos.d
Redhat6 or centos6:
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -P /etc/yum.repos.d
Add the epel yum source:
Redhat5.x 32bit:
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
Redhat5.x 64bit:
rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Redhat6.x 32bit:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Redhat6.x 64bit:
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Update the CA certificates:
yum -y upgrade ca-certificates --disablerepo=epel
Update all software packages on the system:
yum clean all
yum makecache
yum -y upgrade
The following takes redhat5/centos5 as the example.
I. The principle of service minimization
Turn off every service that starts at boot, then enable only sshd, crond, network, iptables and syslog (redhat5) or rsyslog (redhat6); add further boot-time services only as they are needed.
1) Turn off all self-starting services
[root@c58 ~]# for i in `chkconfig --list | awk '{if ($1 ~ /^$/) {exit 0;} else {print $1}}'`; do chkconfig $i off; done
2) Enable the basic services
[root@c58 ~]# for i in sshd network syslog crond iptables; do chkconfig $i on; done
3) View the enabled services
[root@c58 ~]# chkconfig --list | grep '3:on'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
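The grep above shows what is on, but it does not tell you whether something has crept back in since the baseline was applied. The following script is an added example (not part of the original article): it reads chkconfig --list output and prints every service that is on in runlevel 3 but not in the five-service allowlist the text prescribes. The chkconfig output it contains is constructed for the example; on a real host pipe chkconfig --list into audit_services instead.

```shell
#!/bin/sh
# Added example (not from the article): compare the services chkconfig
# reports as "on" in runlevel 3 against the allowlist from section I.
# Reads chkconfig --list output on stdin so it can be tested offline.

# The baseline services the article keeps enabled (syslog on redhat5/centos5).
ALLOWED="sshd network syslog crond iptables"

# audit_services: prints one line per service that is on in runlevel 3
# but not in $ALLOWED; prints nothing when the host matches the baseline.
audit_services() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # SysV lines look like: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        # the xinetd section at the end has a different shape and is skipped
        $2 ~ /^0:/ && $5 == "3:on" && !($1 in ok) { print $1 }
    '
}

# Constructed sample of chkconfig --list output (not real host data).
SAMPLE='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:          off'

# On a real host: chkconfig --list | audit_services
printf '%s\n' "$SAMPLE" | audit_services
```

Run periodically (for example from crond, which stays enabled anyway), an empty output is the expected state; any printed name is a service that was enabled outside the baseline and should be explained or turned off again.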
II. User login restrictions
1) Prohibit the root user from logging in remotely over ssh
[root@c58 ~]# cd /etc/ssh
[root@c58 ssh]# cp sshd_config sshd_config~
[root@c58 ssh]# sed -i 's/^#\(PermitRootLogin\) yes/\1 no/' sshd_config
[root@c58 ssh]# grep 'PermitRoot' /etc/ssh/sshd_config
PermitRootLogin no
2) Disable the login banner
[root@c58 ssh]# > /etc/motd
3) Change the default ssh listening port (tcp:22)
# here it is changed to tcp port 11983
[root@c58 ssh]# sed -i 's/^#\(Port\) 22/\1 11983/' sshd_config
[root@c58 ssh]# grep 'Port' sshd_config
Port 11983
4) Allow only specified ips to ssh (optional)
Method 1 (using tcpwrapper):
# only allow the 192.168.124.0 network segment to use ssh
echo "sshd:192.168.124.0/255.255.255.0" >> /etc/hosts.allow
echo "sshd:ALL" >> /etc/hosts.deny
Method 2 (using iptables):
# Note: be careful when working remotely so that you do not lock yourself out. Example: allow only the 192.168.1.0 network segment to ssh and reject every other ip.
# Allow your own ip first so that the later rules cannot cut you off.
iptables -I INPUT -s 10.0.0.1 -p tcp --dport 22 -j ACCEPT
# allow the 192.168.1.0 network segment
iptables -I INPUT 2 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# reject everything else
iptables -I INPUT 3 -p tcp --dport 22 -j DROP
# Save the iptables settings:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables~
iptables-save > /etc/sysconfig/iptables
Finally, restart the sshd service so that the configuration above takes effect (do not worry that the open remote session will be dropped by the restart; the change applies only to newly opened connections).
[root@c58 ssh]# /etc/init.d/sshd restart
Stopping sshd: [OK]
Starting sshd: [OK]
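Before restarting sshd it is worth confirming what the daemon will actually apply, because sshd honours the first uncommented occurrence of a keyword: the sed in step 1 only uncomments "#PermitRootLogin yes", so a file that already carried an earlier, uncommented "PermitRootLogin yes" would keep root login open even though grep shows a "PermitRootLogin no" line. The script below is an added example, not from the article; the two sshd_config fragments it writes are constructed, and 11983 is simply the port chosen in step 3.

```shell
#!/bin/sh
# Added example (not from the article): read the *effective* value of the
# sshd keywords changed in section II. sshd uses the first uncommented
# occurrence of a keyword, so a plain grep can be misled by a later line.

# sshd_effective FILE KEYWORD: print the value sshd will use, or nothing
# when the keyword is not set (sshd then falls back to its built-in default).
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # comments are ignored
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# check_sshd FILE EXPECTED_PORT: one "OK"/"FAIL" line per check.
check_sshd() {
    rl=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    if [ "$rl" = "no" ]; then echo "OK PermitRootLogin=$rl"
    else echo "FAIL PermitRootLogin=${rl:-<unset, sshd default applies>}"; fi
    # Port defaults to 22 when unset; whatever it is, the firewall rules
    # from step 4 must reference the same port.
    if [ "${port:-22}" = "$2" ]; then echo "OK Port=${port:-22}"
    else echo "FAIL Port=${port:-22} (expected $2)"; fi
}

# Constructed sshd_config fragments (not a real host file).
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
Port 11983
EOF
# Here the sed from step 1 was run on a file that already had an earlier
# uncommented "PermitRootLogin yes": the later "no" is never applied.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
PermitRootLogin yes
PermitRootLogin no
#Port 22
EOF

check_sshd "$GOOD" 11983
check_sshd "$BAD" 11983
rm -f "$GOOD" "$BAD"
```

Note the second check: the iptables rules in step 4 match --dport 22, while step 3 moved sshd to 11983. If you apply both, the rules must use the port sshd really listens on, otherwise they neither protect the new port nor let your own ip in through it.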
III. Minimize the privileges of users and commands
Create a normal user tom and add it to the sudo group as the system administrator:
groupadd sudo            # create the sudo group
useradd -G sudo tom      # create user tom and add it to the sudo group
passwd tom               # set the login password for tom
Edit the sudo configuration so that members of the sudo group can run all commands as root (different users can be granted different commands; here every command is allowed, but in production the administrator should grant each user the fewest commands that will do the job, to minimize privileges), and so that every sudo operation is recorded in /var/log/sudo.log for later investigation of security incidents. Execute the following:
[root@cloud ~]# cat >> /etc/sudoers <<EOF
> %sudo ALL=(ALL) ALL
> Defaults logfile=/var/log/sudo.log
> EOF
[root@cloud ~]# visudo -c
[root@cloud ~]# echo "local2.debug /var/log/sudo.log" >> /etc/syslog.conf
[root@cloud ~]# /etc/init.d/syslog restart
Note: the "visudo -c" command checks the syntax of the /etc/sudoers file.
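A log is only useful if someone reads it. The following is an added example (not from the article) that summarises the /var/log/sudo.log created by the Defaults logfile= line above: one line per invoking user with the number of sudo records, how many of them were refused (wrong password or a command the user is not allowed), and the last command seen. The log lines in the script follow the sudoers logfile layout but are constructed for the example; on a real host feed the script /var/log/sudo.log.

```shell
#!/bin/sh
# Added example (not from the article): per-user summary of sudo.log so a
# reviewer can see who ran what as root and which attempts were refused.

# sudo_summary: reads sudo.log records on stdin and prints, sorted by user,
#   USER TOTAL DENIED LAST_COMMAND
# A record looks like "Mon DD HH:MM:SS : user : TTY=... ; ... ; COMMAND=...";
# refused attempts carry "command not allowed" or "incorrect password".
sudo_summary() {
    awk -F' : ' '
        NF < 3 { next }                              # not a sudo.log record
        {
            user = $2
            total[user]++
            if ($0 ~ /command not allowed|incorrect password/) denied[user]++
            cmd = $0; sub(/.*COMMAND=/, "", cmd)     # keep the command text only
            last[user] = cmd
        }
        END { for (u in total) printf "%s %d %d %s\n", u, total[u], denied[u] + 0, last[u] }
    ' | sort
}

# Constructed sudo.log entries (not real log data).
SAMPLE='Jan 19 10:02:11 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/sbin/service sshd restart
Jan 19 10:05:40 : tom : TTY=pts/0 ; PWD=/home/tom ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
Jan 19 10:07:03 : bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 19 10:09:15 : bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo'

# On a real host: sudo_summary < /var/log/sudo.log
printf '%s\n' "$SAMPLE" | sudo_summary
```

A user whose DENIED count is not zero is the first thing to look at after an incident, and a user with a large TOTAL who is not supposed to administer the box suggests the sudoers grant is broader than the "fewest commands" rule above intends.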
IV. Kernel security parameter settings
vim /etc/sysctl.conf    # add the following:
# ignore all ping requests (optional; generally not recommended, because it makes network troubleshooting inconvenient)
net.ipv4.icmp_echo_ignore_all = 1
# ignore broadcast ping requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable syncookies to mitigate syn flood attacks. When the syn backlog overflows (the number of pending syn exceeds tcp_max_syn_backlog), a cookie is used instead: before replying with syn_ack the server requires the client to return a sequence number that encodes the information from the original syn packet, and if that sequence number is wrong the server ignores the connection.
net.ipv4.tcp_syncookies = 1
# maximum number of syn_ack retransmissions. The default is 5, the range is 0-255; five retransmissions take about 180 seconds.
net.ipv4.tcp_synack_retries = 3
# interval between keepalive messages when keepalive is enabled; the default is 2 hours. (Given present-day network attacks this is frequently abused: if both sides establish a connection and then send neither data nor rst/fin, the connection lingers for 2 hours, an "empty connection" attack. tcp_keepalive_time guards against this.)
net.ipv4.tcp_keepalive_time = 1200
After saving and exiting, run "sysctl -p" to load the settings above into the kernel so they take effect immediately.
V. Kernel performance parameter settings (optional)
vim /etc/sysctl.conf    # add the following:
# length of the syn waiting queue. On machines with more than 128 MB of memory the default is 1024; increase it when there are many concurrent requests.
net.ipv4.tcp_max_syn_backlog
# enable reuse of time_wait sockets for new tcp connections
net.ipv4.tcp_tw_reuse = 1
# enable fast recycling of time_wait sockets
net.ipv4.tcp_tw_recycle = 1
# number of keepalive probes TCP sends before it decides the connection is dead. The default is 9.
net.ipv4.tcp_keepalive_probes = 5
# interval between keepalive probes; multiplied by tcp_keepalive_probes it gives the time from the first probe until the connection is dropped. The default is 75, which means inactive connections are discarded after roughly 11 minutes. For ordinary applications this is somewhat large and can be reduced; web servers in particular should lower it, and 15 is a reasonable value.
net.ipv4.tcp_keepalive_intvl = 15
# maximum number of TIME_WAIT sockets the system keeps at the same time; beyond this number TIME_WAIT sockets are cleared immediately and a warning is logged. The default is 180000, changed here to 5000. For squid servers this parameter caps the number of TIME_WAIT sockets so that a flood of them cannot drag the server down.
net.ipv4.tcp_max_tw_buckets = 5000
# range of local ports used for outgoing connections. The default range is small, 32768 to 61000; changed to 1024 to 65000.
net.ipv4.ip_local_port_range=1024 65000
After saving and exiting, run "sysctl -p" to load the settings above into the kernel so they take effect immediately.
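Two things are easy to get wrong when pasting sections IV and V into sysctl.conf: the tcp_max_syn_backlog line above carries no value, which makes "sysctl -p" stop with an error, and two of the settings deserve a second look before they go onto a production host (the article itself marks icmp_echo_ignore_all as not generally recommended, and tcp_tw_recycle is known to break clients behind NAT and was removed from the kernel in Linux 4.12). The following linter is an added example, not from the article; the sysctl fragment it writes is constructed and mirrors the lines above.

```shell
#!/bin/sh
# Added example (not from the article): lint a sysctl.conf fragment before
# running "sysctl -p", so a malformed line does not abort the load half way.

# check_sysctl_fragment FILE: prints "BAD <line>" for entries without a value
# and "REVIEW <key>: <reason>" for settings to reconsider; prints nothing for
# a clean fragment. Returns 1 if any BAD line was found, 0 otherwise.
check_sysctl_fragment() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                   # comments and blanks
        {
            # whitespace is stripped only to locate the key; "key = a b" is valid
            line = $0; gsub(/[[:space:]]/, "", line)
            n = index(line, "=")
            if (n == 0 || n == length(line)) { print "BAD " $0; bad = 1; next }
            key = substr(line, 1, n - 1)
            if (key == "net.ipv4.icmp_echo_ignore_all")
                print "REVIEW " key ": blocks all ping; optional and not generally recommended"
            if (key == "net.ipv4.tcp_tw_recycle")
                print "REVIEW " key ": breaks clients behind NAT; removed in Linux 4.12"
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed fragment mirroring sections IV and V (not a real host file).
FRAG=$(mktemp)
cat > "$FRAG" <<'EOF'
# kernel security parameters
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range=1024 65000
EOF
check_sysctl_fragment "$FRAG" || echo "fix the BAD lines before running sysctl -p"
rm -f "$FRAG"
```

Run it on the fragment you are about to append (check_sysctl_fragment /etc/sysctl.conf works too); only a fragment that produces no BAD line is safe to hand to "sysctl -p", and each REVIEW line is a setting to confirm deliberately rather than copy blindly.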
That is the whole of the article "Example Analysis of General Initialization Operations of a CentOS System". Thank you for reading! I believe you now have some understanding of the topic, and I hope the content shared here helps you; if you want to learn more, you are welcome to follow the industry information channel.