How to set up security under CentOS 5.1

2025-01-19 Update From: SLTechnology News&Howtos


In this article, the editor introduces in detail how to set up security under CentOS 5.1. The content is detailed, the steps are clear, and the details are handled properly. I hope this article can help you solve your doubts.

In general, an ordinary user can become root and configure the system at the administrator level by executing the "su -" command and entering the correct root password. To further strengthen the security of the system, it is necessary to establish a group of administrators and allow only users of this group to become root by executing "su -"; users of other groups cannot become root even if they execute "su -" and enter the correct root password. On Unix, this group is usually named "wheel".

First, create two ordinary users, tom and john:

[root@www ~]# useradd tom

[root@www ~]# passwd tom

Enter the password for tom

[root@www ~]# useradd john

[root@www ~]# passwd john

Enter the password for john

[root@www ~]# usermod -G wheel tom  ← adds the user tom to the wheel group

[root@www ~]# vi /etc/pam.d/su  ← open this configuration file, find the following line (line 6) and remove the leading # to uncomment it

# auth required pam_wheel.so use_uid

[root@www ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs

Then log in as tom and as john in turn and execute "su -". A user who has not joined the wheel group cannot become root, even after entering the correct root password.
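To confirm the result without logging in as each user, the following added example (not part of the original article) checks whether the pam_wheel line is active and whether a user is listed in wheel. The function names and the sample files are assumptions constructed for illustration; on a real system pass /etc/pam.d/su and /etc/group.

```shell
#!/bin/sh
# Added example: audit the su/wheel restriction against copies of the files.

# Succeeds if an uncommented "auth required pam_wheel.so" line is present.
pam_wheel_enforced() {   # $1 = PAM file, normally /etc/pam.d/su
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' "$1"
}

# Prints the supplementary members of a group from a group(5) file.
# Limitation: a user whose *primary* group is the group is not listed here.
group_members() {        # $1 = group file, $2 = group name
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Prints "allowed" or "denied": can this user become root with "su -"?
su_root_verdict() {      # $1 = PAM file, $2 = group file, $3 = user
    if ! pam_wheel_enforced "$1"; then
        echo allowed     # restriction inactive: the root password alone suffices
    elif group_members "$2" wheel | grep -qx "$3"; then
        echo allowed
    else
        echo denied
    fi
}

# Constructed sample files (not taken from a real system).
demo=$(mktemp -d)
cat > "$demo/su.before" <<'EOF'
auth       sufficient   pam_rootok.so
#auth       required     pam_wheel.so use_uid
auth       include      system-auth
EOF
# "after" is the same file with the pam_wheel line uncommented.
sed 's/^#auth\([[:space:]]*required[[:space:]]*pam_wheel\)/auth\1/' \
    "$demo/su.before" > "$demo/su.after"
cat > "$demo/group" <<'EOF'
root:x:0:root
wheel:x:10:root,tom
john:x:501:
EOF

for u in tom john; do
    echo "$u before: $(su_root_verdict "$demo/su.before" "$demo/group" "$u")," \
         "after: $(su_root_verdict "$demo/su.after" "$demo/group" "$u")"
done
```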

When the system encounters an error or sends an important notification to root, have it forwarded automatically to the mailbox we normally use, so that the relevant reports and logs are easy to consult.

[root@www ~]# vi /etc/aliases

Below these two lines:

mailer-daemon: postmaster

postmaster: root

add this line:

root: zy66289214@126.com  ← write your own email address here

[root@www ~]# newaliases  ← rebuilds the aliases database

[root@www ~]# echo test | mail root  ← sends a test mail to root

[8] Define an unofficial yum repository

While building the server, some of the tools we will use do not exist in the official CentOS yum repositories, so we need to define an unofficial yum repository file so that these tools can be installed through yum.

[root@sample ~]# vi /etc/yum.repos.d/dag.repo  ← creates dag.repo and defines the unofficial repository

[dag]

name=Dag RPM Repository for Red Hat Enterprise Linux

baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag

gpgcheck=1

enabled=1

[root@sample ~]# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt  ← imports the GPG key of the unofficial repository

[9] Stop the printing service

If you are not going to provide a printing service, stop the printing service, which is set to start automatically by default.

[root@sample ~]# /etc/rc.d/init.d/cups stop  ← stops the printing service

Stopping cups: [ OK ]  ← "OK" means the service was stopped successfully

[root@sample ~]# chkconfig cups off  ← prevents the printing service from starting automatically

[root@sample ~]# chkconfig --list cups  ← confirms the automatic start setting of the printing service

cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off  ← it is correct if runlevels 0-6 are all off (automatic start of the printing service is disabled)

[10] Stop IPv6

IPv6 is enabled by default in CentOS. Because we do not use IPv6, stop it to maximize security and speed.

First, confirm that IPv6 is enabled.

[root@www ~]# ifconfig -a  ← lists all network interface information

sit0 Link encap:IPv6-in-IPv4  ← confirms that IPv6 is enabled

[root@www ~]# vi /etc/modprobe.conf  ← modify the configuration file and add the following lines at the end:

alias net-pf-10 off

alias ipv6 off

[root@www ~]# shutdown -r now  ← restarts the system so that the settings take effect

Modify /etc/yum.repos.d/CentOS-Base.repo to change the mirror site address to a mirror site in China; otherwise installing software through yum will be very slow. Modify it as follows:

# centos-base.repo

#

# this file uses a new mirrorlist system developed by lance davis for centos.

# the mirror system uses the connecting ip address of the client and the

# update status of each mirror to pick mirrors that are updated to and

# geographically close to the client. You should use this for centos updates

# unless you are manually picking other mirrors.

#

# if the mirrorlist= does not work for you, as a fall back you can try the

# remarked out baseurl= line instead.

#

#

[base]

name=centos-$releasever-base

baseurl=http://mirrors.shlug.org/centos/$releasever/os/$basearch/

gpgcheck=1

gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

protect=1

# released updates

[updates]

name=centos-$releasever-updates

baseurl=http://mirrors.shlug.org/centos/$releasever/updates/$basearch/

gpgcheck=1

gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

protect=1

# packages used/produced in the build but not released

[addons]

name=centos-$releasever-addons

baseurl=http://mirrors.shlug.org/centos/$releasever/addons/$basearch/

gpgcheck=1

gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

protect=0

# additional packages that may be useful

[extras]

name=centos-$releasever-extras

baseurl=http://mirrors.shlug.org/centos/$releasever/extras/$basearch/

gpgcheck=1

gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

protect=0

# additional packages that extend functionality of existing packages

[centosplus]

name=centos-$releasever-plus

baseurl=http://mirrors.shlug.org/centos/$releasever/centosplus/$basearch/

gpgcheck=1

enabled=0

gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

protect=1

# contrib-packages by centos users

[contrib]

name=centos-$releasever-contrib

baseurl=http://mirrors.shlug.org/centos/$releasever/contrib/$basearch/

gpgcheck=1

enabled=0

protect=0

gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

Update the system:

[root@www ~]# yum -y upgrade

Some security settings

1. Use a firewall to close any unnecessary ports. If other people's pings cannot reach the server, the threat will naturally be reduced by more than half.

Ways to prevent others from pinging the server:

1) Type at the command prompt:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

2) Disable (or discard) ICMP packets with the firewall:

iptables -A INPUT -p icmp -j DROP

3) Do not respond to any ICMP-based traffic, such as ping and tracert.

2. Change the ssh port, preferably to one above 10000, which also reduces the probability of others finding it by port scanning.

vi /etc/ssh/sshd_config

Change Port to a port above 1000

At the same time, create a normal login user and disable direct root login:

useradd 'username'

passwd 'username'

vi /etc/ssh/sshd_config

At the end, add the following line:

PermitRootLogin no  # disables direct remote root login

3. Delete the redundant accounts of the system:

userdel adm

userdel lp

userdel sync

userdel shutdown

userdel halt

userdel news

userdel uucp

userdel operator

userdel games

userdel gopher

userdel ftp  ← delete this account if you do not allow anonymous ftp

groupdel adm

groupdel lp

groupdel news

groupdel uucp

groupdel games

groupdel dip

groupdel pppusers

4. Set the immutable attribute on the following files so that no one has permission to change the accounts:

chattr +i /etc/passwd

chattr +i /etc/shadow

chattr +i /etc/group

chattr +i /etc/gshadow

5. chmod 600 /etc/xinetd.conf
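Step 2 appends PermitRootLogin at the end of sshd_config, but sshd uses the first value it reads for a keyword, so an earlier uncommented line takes precedence. The following added example (not part of the original article) reports the value that actually applies; the function names and sample files are assumptions constructed for illustration, and stopping at a Match block goes slightly beyond the case in the text.

```shell
#!/bin/sh
# Added example: report the value sshd actually uses for a keyword.
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive, so a line appended at the end can be shadowed.

# Prints the first global (pre-"Match") value of a keyword, or nothing.
sshd_effective() {       # $1 = config file, $2 = keyword
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
        tolower($1) == "match" { exit }   # conditional blocks are not global
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# Prints one finding per line; returns non-zero if a check fails.
audit_sshd() {           # $1 = config file, normally /etc/ssh/sshd_config
    root_login=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    rc=0
    if [ "$(echo "$root_login" | tr 'A-Z' 'a-z')" = no ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root_login:-unset}'"; rc=1
    fi
    if [ "${port:-22}" = 22 ]; then      # an unset Port means the default, 22
        echo "FAIL Port is still 22"; rc=1
    else
        echo "OK   Port $port"
    fi
    return $rc
}

# Constructed sample configurations (not taken from a real system).
demo2=$(mktemp -d)
cat > "$demo2/shadowed" <<'EOF'
Port 22022
permitrootlogin yes
PermitRootLogin no
EOF
cat > "$demo2/fixed" <<'EOF'
# Port 22
Port 22022
PermitRootLogin no
EOF
audit_sshd "$demo2/shadowed" || echo "=> the appended line is shadowed"
audit_sshd "$demo2/fixed"
```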

This concludes the article "how to set up security under CentOS 5.1". If you want to master the knowledge points of this article, you still need to practice and use them yourself. If you want to know more about related articles, you are welcome to follow the industry information channel.
