2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
This article walks through a worked example of basic Linux optimization and security hardening. It is quite detailed and has some reference value; interested readers should read on!
The first point: try not to use the root user to manage Linux; instead use the sudo command to let an ordinary user manage the system.
Create a new user and grant it privileges through sudo (below, newuser stands for the new user name). The detailed steps are as follows:
(1) add a new user: useradd newuser
(2) check that it was added successfully: id newuser
(3) set the user's password: echo 123321 | passwd --stdin newuser
Next, grant the new user administrator privileges, which makes it equivalent to the administrator.
(4) back up the existing permissions file: \cp /etc/sudoers{,.back}
(5) add the new user to the administrators:
echo "newuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
(6) check that it was added successfully: tail -1 /etc/sudoers
(7) check the sudoers syntax (the change takes effect immediately): visudo -c
When the above steps are complete, the new user's rights are equal to the root user's.
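The sudoers steps above, written as shell functions so the append can be repeated safely. This is an added example, not a command from the original article: it takes the sudoers path as a parameter (defaulting to /etc/sudoers) so it can be exercised on a copy, appends the article's entry only if the user has no entry yet, backs the file up first as the article does, and offers a syntax check via visudo -c -f when visudo is installed.

```shell
#!/bin/sh
# Added example (not from the original article). The sudoers path is a
# parameter so the functions can be run against a scratch copy of the file.

# The entry the article appends: passwordless sudo for every command.
sudoers_entry() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# Return 0 if FILE already holds an entry for USER (leading blanks allowed).
sudoers_has_user() {
    grep -Eq "^[[:space:]]*$1[[:space:]]+ALL=" "$2"
}

# Number of entries for USER in FILE; a correct run leaves exactly one.
sudoers_count_user() {
    grep -Ec "^[[:space:]]*$1[[:space:]]+ALL=" "$2" || true
}

# Back up FILE (like the article's \cp file{,.back}) and append the entry
# once; running it twice does not produce a second line.
grant_sudo() {
    user="$1"; file="${2:-/etc/sudoers}"
    if sudoers_has_user "$user" "$file"; then
        echo "already present: $user in $file" >&2
        return 0
    fi
    cp -p "$file" "$file.back"
    sudoers_entry "$user" >> "$file"
}

# Syntax check of FILE without installing it; this is what the article's
# "visudo -c" does for /etc/sudoers itself.
sudoers_check() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not installed" >&2; return 2; }
    visudo -c -f "${1:-/etc/sudoers}"
}
```

Usage on the real file is `grant_sudo newuser && sudoers_check`; the check is kept separate because visudo also reports ownership and mode problems, which a scratch copy will not satisfy.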
Second point: change the default port of the SSH remote connection service
(1) modify the configuration file /etc/ssh/sshd_config:
Port 22, change to Port 52113 (range up to 65535); ## the default port is 22
ListenAddress 0.0.0.0, change to ListenAddress <private network IP address>; ## listen on the private network IP address
PermitRootLogin yes, change to PermitRootLogin no; ## disallow remote login by the root user
(2) reload so the change takes effect: /etc/init.d/sshd reload
(3) check the port status: netstat -lntup | grep sshd
The third point: update the server time regularly and automatically so that it stays synchronized with Internet time
(1) configuration:
echo '# time sync by newuser at 2019-04-01' >> /var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
# synchronize every 5 minutes
# any of the following addresses can be used as the reference time server:
ntp1.aliyun.com
ntp2.aliyun.com
ntp3.aliyun.com
ntp4.aliyun.com
ntp5.aliyun.com
ntp6.aliyun.com
ntp7.aliyun.com
(2) check that it was added: crontab -l
(3) finally, back up: \cp /var/spool/cron/root{,.back}
Point 4: configure the yum source
(1) create directories for the backup files: mkdir -p /etc/yum.repos.d/{default,back}
(2) back up all the default configuration files: \mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/default
(3) obtain the yum source from Aliyun: wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
(4) back up the yum source: \cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/default
Point 5: shut down selinux and iptables
(1) stop iptables: /etc/init.d/iptables stop
(2) check that it is stopped: /etc/init.d/iptables status
(3) disable it at boot: chkconfig iptables off
(4) confirm the configuration: chkconfig --list iptables
(5) disable selinux:
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
(6) view and confirm the configuration: cat /etc/selinux/config
Note: this setting is permanent and requires a reboot. (In production, iptables is usually left enabled when the server has a public IP.)
Point 6: adjust the number of file descriptors appropriately
Since every running process and open file consumes a file descriptor, during operations the limit needs to be raised to an integer value (up to 65535).
Check the default file descriptor limit: ulimit -n # usually defaults to 1024
Configure it in /etc/security/limits.conf:
echo '* - nofile 65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf
Point 7: clean up the junk files in the mail directory regularly and automatically
This prevents the inodes from being exhausted.
Point 8: streamline the boot-up services, keeping only the necessary ones
(1) keep only the important basic services and disable the rest:
chkconfig --list | egrep -v "sysstat|crond|sshd|network|rsyslog" | awk '{print "chkconfig",$1,"off"}' | bash
(2) confirm the configuration: chkconfig --list | grep 3:on
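An added example (not the article's own pipeline) that generates the same "chkconfig NAME off" commands but with two checks a practitioner would want: the keep list is matched against the exact service name in the first column rather than as a substring anywhere on the line, and only services that are actually on at runlevel 3 are selected, so the "xinetd based services:" section and already-disabled services are not fed to chkconfig. The listing in the test is constructed sample output, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): turn chkconfig --list output
# into "chkconfig NAME off" commands for every service that is on at
# runlevel 3 and not in KEEP_SERVICES. The keep list is the article's.
KEEP_SERVICES="sysstat crond sshd network rsyslog"

# Reads chkconfig --list output on stdin, prints one command per service.
# Lines that start with whitespace belong to the xinetd section and are
# skipped; names are compared exactly, so "network" does not keep
# "NetworkManager" and vice versa.
disable_commands() {
    awk -v keep="$KEEP_SERVICES" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) keep_set[k[i]] = 1
        }
        /^[^ \t]/ && $0 ~ /3:on/ && !($1 in keep_set) {
            print "chkconfig " $1 " off"
        }
    '
}

# Real usage: review the list first, then pipe it to bash.
#   chkconfig --list | disable_commands
#   chkconfig --list | disable_commands | bash
```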
Point 8: optimize Linux kernel parameters
(1) configuration file /etc/sysctl.conf, append the following parameters (you can copy and paste directly):
cat >> /etc/sysctl.conf <<EOF
[kernel parameter list missing from this page]
EOF
[Point 9 heading and steps (1) to (2) missing from this page]
(3) ... > /etc/sysconfig/i18n
(4) configuration takes effect: source /etc/sysconfig/i18n
(5) confirm whether the configuration was successful: echo $LANG
Point 10: lock critical system files to prevent tampering
Configuration commands:
chattr +i /etc/{passwd,shadow,group,gshadow}
lsattr -a /etc/{passwd,shadow,group,gshadow}
Unlock command: chattr -i
Point 11: prevent the system from being pinged
Configuration command: echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
Command to apply the configuration: sysctl -p
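Points 5 and 11 both edit a key=value file (/etc/selinux/config and /etc/sysctl.conf). The article's sed only rewrites SELINUX=enforcing, so a host already set to permissive is left unchanged, and the sysctl echo adds a duplicate line every time it is re-run. The following added example (not the article's own commands) generalises both steps into one helper that replaces an existing key whatever its current value, or appends it if absent; the file path is a parameter so it can be exercised on a copy. The sample file contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): idempotent key=value editing
# for /etc/selinux/config (Point 5) and /etc/sysctl.conf (Point 11).

# Print the current value of KEY in FILE, accepting "KEY=value" or
# "KEY = value"; prints nothing if the key is not set.
get_kv() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -1
}

# Set KEY=VALUE in FILE: rewrite every active KEY line regardless of its
# current value, or append the line if the key is not present. Commented
# lines are left alone, and re-running does not add a second line.
set_kv() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Point 5: SELINUX=disabled (takes effect after a reboot, as the article notes).
disable_selinux() {
    set_kv "${1:-/etc/selinux/config}" SELINUX disabled
}

# Point 11: ignore ICMP echo requests; apply with "sysctl -p" afterwards.
ignore_ping() {
    set_kv "${1:-/etc/sysctl.conf}" net.ipv4.icmp_echo_ignore_all 1
}
```

After `ignore_ping`, `sysctl -p` loads the file as in the article; `get_kv /etc/sysctl.conf net.ipv4.icmp_echo_ignore_all` shows the configured value, while `sysctl net.ipv4.icmp_echo_ignore_all` shows the value the kernel is actually using.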
Point 12: upgrade vulnerable software
Check the version numbers of the relevant packages: rpm -qa openssl openssh bash
Perform the upgrade: yum install openssl openssh bash
Point 13: optimize SSH remote connections
(1) back up the configuration file first: cp /etc/ssh/sshd_config{,.back}
(2) edit the ssh service configuration file
Edit the configuration file of the ssh service (vim /etc/ssh/sshd_config) and add the following below line 12:
Port 52113 # use a port number greater than 10000
PermitRootLogin no # prohibit remote login by root
PermitEmptyPasswords no # forbid login with an empty password
UseDNS no # do not use DNS resolution
GSSAPIAuthentication no # fixes slow connections
(3) confirm the configuration: grep -A 5 -i 'Start by newuser' /etc/ssh/sshd_config
(4) restart the ssh service: /etc/init.d/sshd restart
(5) confirm that the configuration took effect: netstat -lntup | grep ssh
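The sshd_config changes of Point 2 and Point 13 set the same handful of directives. One check worth building in: sshd uses the first uncommented occurrence of a directive, and the stock file ships most of them commented out ("#Port 22"), so a line added at the end can be overridden by an earlier active line. The following added example (not the article's own commands) rewrites an existing active or commented line in place and appends only when the directive is absent; the config path is a parameter so it can be run against a copy, and the file contents in the test are constructed. ListenAddress is deliberately not set, since it needs the host's own private IP.

```shell
#!/bin/sh
# Added example (not from the original article): set sshd_config directives
# from Points 2 and 13 in place, then read back the effective values.

# Effective value of KEY in FILE: first uncommented match, as sshd reads it.
sshd_get() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -1 | awk '{print $2}'
}

# Set "KEY VALUE": rewrite an existing active or commented KEY line (so the
# new value cannot be shadowed by an earlier line), else append it.
sshd_set() {
    file="$1"; key="$2"; value="$3"
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]+" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]]+.*/$key $value/I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# The directives from Points 2 and 13 (ListenAddress is host specific and
# therefore left for the administrator).
harden_sshd() {
    f="${1:-/etc/ssh/sshd_config}"
    sshd_set "$f" Port 52113
    sshd_set "$f" PermitRootLogin no
    sshd_set "$f" PermitEmptyPasswords no
    sshd_set "$f" UseDNS no
    sshd_set "$f" GSSAPIAuthentication no
}

# Real usage, following the article's order:
#   cp /etc/ssh/sshd_config{,.back} && harden_sshd && sshd -t && /etc/init.d/sshd restart
```

`sshd -t` validates the file before the restart; a typo in sshd_config otherwise leaves the daemon unable to start, which on a remote host means losing the session you are editing from.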
That is the whole of the article "Example Analysis of Linux Basic Optimization and Security Hardening". Thank you for reading! I hope the content shared here helps you.