2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article covers tuning and security settings for a newly installed Linux system. The methods introduced here are simple, fast and practical; the steps follow.
1.1 turn off the SELinux function
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
setenforce 0
1.2 set run level to 3 (text mode)
/etc/inittab
systemctl set-default multi-user.target
1.3 streamline the services started at boot: keep sshd, rsyslog, network, crond, sysstat
Centos6:
LANG=en
chkconfig --list
chkconfig --list | grep "3:on" | grep -E "sshd|rsyslog|network|crond|sysstat" | awk '{print "chkconfig " $1 " on"}' | bash
chkconfig --list | grep "3:on" | grep -vE "sshd|rsyslog|network|crond|sysstat" | awk '{print "chkconfig " $1 " off"}' | bash
Centos7:
1.4 turn off iptables Firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
1.5 change the configuration of remote login for the SSH server
Port 52113
UseDNS no
PermitRootLogin yes
PermitEmptyPasswords no
GSSAPIAuthentication no
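An added example (not part of the original article): a POSIX shell check that reads an sshd_config and compares the values in effect with the five directives listed above. The function names and the sample file are constructed for illustration.

```shell
# Added example: audit an sshd_config against the values in section 1.5.
SSHD_BASELINE='Port 52113
UseDNS no
PermitRootLogin yes
PermitEmptyPasswords no
GSSAPIAuthentication no'

# sshd_effective FILE KEYWORD: print the value sshd uses outside Match blocks.
# Keywords are case-insensitive and the first occurrence wins, except Port,
# which may repeat (sshd listens on every listed port).
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        tolower($1) == "match" { exit }       # Match blocks are conditional
        tolower($1) == want {
            if (want == "port") { v = (v == "" ? "" : v ",") $2 }
            else { print $2; exit }
        }
        END { if (v != "") print v }
    ' "$1"
}

# sshd_audit FILE: one line per baseline keyword, ending MATCH, DRIFT or UNSET.
sshd_audit() {
    echo "$SSHD_BASELINE" | while read -r key want; do
        have=$(sshd_effective "$1" "$key")
        if [ -z "$have" ]; then status=UNSET
        elif [ "$have" = "$want" ]; then status=MATCH
        else status=DRIFT
        fi
        echo "$key want=$want have=${have:-default} $status"
    done
}

# Constructed sample file, not taken from a real host.
sample_sshd_config() {
    cat <<'EOF'
Port 22
Port 52113
usedns no
PermitEmptyPasswords no
Match User backup
    PermitRootLogin yes
EOF
}

tmp=$(mktemp) && sample_sshd_config > "$tmp" && sshd_audit "$tmp"
rm -f "$tmp"
```

In the sample, Port is reported as DRIFT because a leftover `Port 22` line keeps the default port open next to 52113. On a live host, `sshd -T` prints the configuration sshd actually resolved.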
1.6 use sudo to control the user's right to use system commands
visudo (/etc/sudoers)
glk ALL=(ALL) NOPASSWD:ALL
1.7 Linux Chinese display Settings
cat /etc/sysconfig/i18n
echo 'LANG="zh_CN.UTF-8"' > /etc/sysconfig/i18n
1.8 set Linux server time synchronization
/usr/sbin/ntpdate ntp1.aliyun.com
echo "*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com &>/dev/null" >> /var/spool/cron/root
1.9 History and login timeout environment variable settings
1. Set the idle timeout for a logged-in account: export TMOUT=10
2. Set the number of history records kept on the Linux command line: export HISTSIZE=1000
3. Set the number of commands kept in the history file: export HISTFILESIZE=1000
1.10 adjust the number of Linux system file descriptors
View: ulimit -n
echo "* - nofile 65535" >> /etc/security/limits.conf
1.11 Optimization of kernel parameters of Linux server
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 10000
net.ipv4.ip_local_port_range = 1024 65500
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 786432 1048576 1572864
1.12 regularly clean up the temporary directory junk files of the mail server
Centos6:
find /var/spool/postfix/maildrop/ -type f | xargs rm -rf
Centos5:
find /var/spool/postfix/clientmqueue/ -type f | xargs rm -rf
1.13 hide Linux version information
> /etc/issue
> /etc/issue.net
1.14 Lock critical system files to prevent tampering after privilege escalation
Lock command: chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
Unlock command: chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
1.15 remove redundant system virtual accounts
Unnecessary accounts: bin adm lp halt mail uucp operator games gopher ftp dbus vcsa abrt ntp saslauth postfix tcpdump
1.16 encrypt the grub menu
1. /sbin/grub-md5-crypt generates the MD5 password string
2. Put the password string between the splashimage and title lines of the grub.conf file
password --md5 $1$hoY96$dM9G1bjKLbi/GV8J9neOm1
1.17 prohibit Linux systems from being pinged
Kernel-level ban on ping:
echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
Lift kernel-level ban on ping:
Delete "net.ipv4.icmp_echo_ignore_all = 1" from /etc/sysctl.conf and, after saving, execute the following command:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Disable ping at firewall level:
iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 -s 192.168.1.0/24 -j ACCEPT
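An added example (not part of the original article) for the sysctl settings in sections 1.11 and 1.17: appending with echo adds a duplicate line on every run, and a single > redirect replaces the whole file, so these helpers set or delete one key in place. The function names and the sample file are constructed for illustration.

```shell
# Added example: set or remove one key in a sysctl.conf-style file in place.

# sysctl_set FILE KEY VALUE: replace the existing "KEY = ..." lines with a
# single "KEY = VALUE" line, or append it; every other line is kept.
sysctl_set() {
    [ -f "$1" ] || : > "$1"
    _tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t]*=/)
            if (kv[1] == k) { if (!done) print k " = " v; done = 1; next }
            print
        }
        END { if (!done) print k " = " v }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"   # cat keeps the file owner and mode
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# sysctl_unset FILE KEY: delete the key, as when lifting the ping ban in 1.17.
sysctl_unset() {
    _tmp=$(mktemp) || return 1
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, kv, /[ \t]*=/) }
        kv[1] != k
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Constructed sample file standing in for /etc/sysctl.conf.
sample_sysctl_conf() {
    cat <<'EOF'
# constructed sample
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout=60
EOF
}

conf=$(mktemp) && sample_sysctl_conf > "$conf"
sysctl_set "$conf" net.ipv4.icmp_echo_ignore_all 1
sysctl_set "$conf" net.ipv4.tcp_fin_timeout 30
cat "$conf"; rm -f "$conf"
```

Against the real /etc/sysctl.conf, run `sysctl -p` afterwards so the kernel loads the file.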
1.18 upgrade software versions with typical vulnerabilities
rpm -qa openssl openssh bash
yum -y install openssl openssh bash