Linux is an open system: plenty of off-the-shelf programs and tools can be found on the Web, which is convenient for users but just as convenient for attackers, who can easily find tools to break into a Linux system or steal the important information stored on it. With careful configuration and the necessary security measures, however, an attacker is left with far less to work with. In general, securing a Linux system covers removing unnecessary services, restricting remote access, hiding sensitive information, patching security vulnerabilities, using security tools, and running regular security checks.
This article is meant as a practical reference. It does not cover the principles behind attacks such as IP spoofing, and security problems cannot be solved in a few lines; this is only a basic hardening procedure for a Linux (CentOS 6) system, to be extended in later updates.
Note: back up every file before you modify it, for example:
cp /etc/passwd{,.dist}
1. Disable unused users
Note: deleting these accounts is not recommended. If one of them is needed later (a package that expects the account, files owned by its UID), deleting it causes trouble; locking the account is the safer option.
Back up /etc/passwd before editing it:
cp /etc/passwd{,.bak}
Edit /etc/passwd and comment out the line for each unneeded account by prefixing it with #. Be aware that # has no meaning in the passwd(5) format: the line simply becomes an entry for an account named "#adm", which no longer matches the real name, so the trick works but pwck reports those lines as malformed. The equivalent without hand-editing is usermod -L -s /sbin/nologin adm, which locks the password and removes the login shell while keeping the entry intact.
Commented-out users:
# cat /etc/passwd|grep ^#
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
#postfix:x:89:89::/var/spool/postfix:/sbin/nologin
Commented-out groups:
# cat /etc/group|grep ^#
#adm:x:4:adm,daemon
#lp:x:7:daemon
#uucp:x:14:
#games:x:20:
#gopher:x:30:
#video:x:39:
#dip:x:40:
#ftp:x:50:
#audio:x:63:
#floppy:x:19:
#postfix:x:89:
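The same cleanup as a script, added here as an example rather than taken from the post: it locks accounts with usermod instead of editing /etc/passwd and reports which accounts still have a login shell. The account list is the post's; the sample passwd data is constructed, and the --apply switch is a convention of this example only:

```sh
#!/bin/sh
# Added example, not from the original post: lock the unneeded accounts the
# post lists instead of commenting them out of /etc/passwd, and audit which
# accounts can still log in. Account names come from the post; the sample
# passwd file is constructed for the demonstration.

# Print the accounts in a passwd-format file whose login shell is interactive
# (anything other than nologin or false). $1 is the file, so the check can
# be run against a backup copy as well as the live /etc/passwd.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Lock one account: usermod -L prefixes the password hash with "!" so no
# password matches, and -s gives it a shell that refuses interactive logins.
# Requires root. Unlike deleting, this keeps the UID, home and file
# ownership intact and is reversible with usermod -U -s /bin/bash.
lock_account() {
    id "$1" >/dev/null 2>&1 || { echo "no such user: $1" >&2; return 1; }
    usermod -L -s /sbin/nologin "$1"
}

# Constructed sample in passwd(5) format, used to demonstrate the audit.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
crm:x:500:500::/apps/crm:/bin/bash
EOF
}

UNNEEDED="adm lp uucp operator games gopher ftp nfsnobody postfix"

if [ "${1:-}" = "--apply" ]; then
    # Lock the real accounts, then show what is left on the live system.
    for u in $UNNEEDED; do lock_account "$u" || true; done
    login_capable_accounts /etc/passwd
else
    # Dry run on the sample: games still has a real shell and is reported.
    tmp=$(mktemp) && sample_passwd > "$tmp"
    login_capable_accounts "$tmp"   # root games crm
    rm -f "$tmp"
fi
```

Run it without arguments to see the audit on the sample, and as root with --apply on the server. Anything the audit still reports with a real shell is either a person, an application account that genuinely needs a shell, or a candidate for the list.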
2. Turn off unused services
List the services enabled in runlevel 3 (multi-user with networking, the usual runlevel for a server):
# chkconfig --list | grep '3:on'
Mail service; the corporate mail server is used instead. Keep in mind that cron output and the Logwatch reports from section 11.1 are delivered through the local MTA, so if that mail is still wanted, leave postfix running but bound to localhost only (inet_interfaces = localhost in /etc/postfix/main.cf, the CentOS default) rather than turning it off:
service postfix stop
chkconfig postfix --level 2345 off
Common UNIX Printing System (CUPS), useless on a server:
service cups stop
chkconfig cups --level 2345 off
CPU frequency scaling to save power, mainly useful on laptops:
service cpuspeed stop
chkconfig cpuspeed --level 2345 off
Bluetooth wireless communication, useless on a server:
service bluetooth stop
chkconfig bluetooth --level 2345 off
Initial setup run after installation (firstboot), useless after the first boot:
service firstboot stop
chkconfig firstboot --level 2345 off
NFS client mounts (netfs) and the NFS lock daemon (nfslock), if the server neither mounts nor exports NFS shares:
service netfs stop
chkconfig netfs --level 2345 off
service nfslock stop
chkconfig nfslock --level 2345 off
To restore a service later, for example acpid:
service acpid start && chkconfig acpid on
The setup utility (its "System services" screen, the same as ntsysv) can also be used.
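Added example, not from the post: a script that parses chkconfig output for services still enabled in runlevel 3 and disables the post's list in one go. The chkconfig output it demonstrates on is a constructed sample; the --apply switch is a convention of this example:

```sh
#!/bin/sh
# Added example, not from the original post: find which SysV services are
# enabled in runlevel 3 and stop/disable the ones the post turns off. The
# service list is the post's; the chkconfig output below is a constructed
# sample so the parser can be shown without a CentOS 6 box.

UNNEEDED="postfix cups cpuspeed bluetooth firstboot netfs nfslock"

# Print the names of the services that chkconfig reports as "3:on".
# $1 is a file holding `chkconfig --list` output (use /dev/stdin to pipe).
services_on_at_runlevel3() {
    awk '/[[:space:]]3:on/ { print $1 }' "$1"
}

# Of the services in UNNEEDED, print those still enabled in runlevel 3.
unneeded_still_on() {
    for s in $UNNEEDED; do
        services_on_at_runlevel3 "$1" | grep -qx "$s" && echo "$s"
    done
    return 0
}

# Stop a service now and remove it from runlevels 2-5. Requires root.
# A service that is not installed is reported and skipped; "stop" may
# return non-zero if the service was not running, which is harmless here.
disable_service() {
    if ! chkconfig --list "$1" >/dev/null 2>&1; then
        echo "skip $1: not installed" >&2
        return 0
    fi
    service "$1" stop || true
    chkconfig "$1" --level 2345 off
}

# Constructed sample of `chkconfig --list` output (CentOS 6 format).
sample_chkconfig() {
    cat <<'EOF'
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off
EOF
}

if [ "${1:-}" = "--apply" ]; then
    for s in $UNNEEDED; do disable_service "$s"; done
    chkconfig --list | grep '3:on'     # what is still enabled afterwards
else
    tmp=$(mktemp) && sample_chkconfig > "$tmp"
    services_on_at_runlevel3 "$tmp"    # bluetooth crond cups sshd
    echo "unneeded but enabled:"
    unneeded_still_on "$tmp"           # cups bluetooth
    rm -f "$tmp"
fi
```

On a real box, save the live output first (chkconfig --list > /root/chkconfig.before) so the parser can be run against that file and the pre-hardening state is kept for reference.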
3. Disable IPv6
IPv6 was designed to solve IPv4 address exhaustion, but most servers do not use it yet. Disabling it removes a network path that is easily forgotten (a server whose iptables rules are carefully maintained often has an empty ip6tables ruleset) and cuts management overhead. The following steps disable IPv6 completely on CentOS 6.
Prevent the IPv6 module from loading
So that the system does not load the IPv6 modules, modprobe's configuration has to be changed. For easier management, create a new file /etc/modprobe.d/ipv6off.conf with the following content:
alias net-pf-10 off
options ipv6 disable=1
Disable IPv6 networking so that it is not brought up at boot:
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
Disable IPv6 on the network adapter so it runs in IPv4-only mode:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no
Turn off ip6tables, which has nothing left to filter:
# chkconfig ip6tables off
Reboot and verify that the change took effect:
# lsmod | grep ipv6
# ifconfig | grep -i inet6
If neither command prints anything, IPv6 is fully disabled. With options ipv6 disable=1 the module may still appear in lsmod while the interfaces show no inet6 address; that is fine, the ifconfig check is the one that matters. Services configured to listen on IPv6 addresses (for example sshd with ListenAddress ::) will log errors afterwards; set AddressFamily inet in sshd_config, or check the service's own configuration, if that happens.
4. iptables rules
Enable the Linux firewall to block unauthorized access. iptables rules filter inbound, outbound and forwarded packets, so specific TCP/UDP ports can be allowed or denied by source and destination address. On CentOS 6 the active rules are saved to /etc/sysconfig/iptables (service iptables save) and loaded at boot by the iptables init script.
For the rules themselves, see the blog post with a firewall configuration example.
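As an added example, not from the post or its referenced firewall article, here is a minimal inbound ruleset for the case this page describes: SSH (on the post's port 20002) reachable only from the management network 172.29.73.0/24 that section 5.5 uses, everything else dropped. Both values are placeholders to adjust:

```sh
#!/bin/sh
# Added example, not from the original post: a minimal inbound iptables
# policy in iptables-restore format for a server that exposes only SSH.
# The SSH port (20002) and the management network (172.29.73.0/24, from
# the post's AllowUsers line) are taken from the post; treat both as
# placeholders to adjust.

SSH_PORT=20002
MGMT_NET=172.29.73.0/24

# Print the ruleset. Policy: drop everything inbound and forwarded by
# default, accept loopback and replies to our own connections, accept new
# SSH connections only from the management network, rate-limit ping, and
# log (rate-limited) whatever is about to be dropped so it shows up in
# /var/log/messages.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -s $MGMT_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 1/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of rules that admit new inbound connections; a quick sanity check
# that nothing beyond SSH was opened by mistake.
inbound_accepts() {
    ruleset | grep -c -- '--state NEW -j ACCEPT'
}

# Write the ruleset where the CentOS 6 iptables init script loads it from
# and activate it atomically with iptables-restore (the whole table is
# replaced or nothing changes). Run --apply from the console, or from a
# session that can reconnect on $SSH_PORT from $MGMT_NET, since every
# other inbound connection is dropped the moment it loads.
apply_ruleset() {
    ruleset > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
    chkconfig iptables on
}

if [ "${1:-}" = "--apply" ]; then apply_ruleset; else ruleset; fi
```

Because the default policy is DROP, any service added later (a web server, the NFS ports if NFS is kept) needs its own ACCEPT line before the LOG rule; the log prefix makes the unexpected drops easy to grep for in /var/log/messages while testing.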
5. SSH security settings
If possible, the first thing to do is change the default SSH port 22 to a high port such as 20002. A port scan still finds it, so this does not stop a targeted attacker, but it removes most of the automated brute-force attempts and log noise aimed at port 22. Set Port 20002 in /etc/ssh/sshd_config, open the new port in iptables before restarting sshd, and on a system with SELinux enforcing allow it with semanage port -a -t ssh_port_t -p tcp 20002 (from policycoreutils-python), otherwise sshd will fail to bind to it.
Create recognizable users: application users such as crm, and a system-management user sysmgr:
# useradd crm -d /apps/crm
# passwd crm
# useradd sysmgr
# passwd sysmgr
5.1 Allow only members of the wheel group to su
# usermod -G wheel sysmgr
(-G replaces the supplementary group list; use -aG to append for a user that already belongs to other groups.)
# vi /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
Any other user attempting su to root gets su: incorrect password, even when the password typed is correct.
5.2 Login timeout
Disconnect shell sessions that have been idle for 5 minutes; add to /etc/profile:
export TMOUT=300
readonly TMOUT
readonly keeps users from unsetting it in their own shell. TMOUT is a bash feature, so it only covers interactive shell sessions, not an idle sftp session or a forwarded connection.
5.3 Prohibit direct remote root login
# vi /etc/ssh/sshd_config
PermitRootLogin no
5.4 Limit login failures and lock the account
Add to /etc/pam.d/login:
auth required pam_tally2.so deny=6 unlock_time=180 even_deny_root root_unlock_time=180
Six failed logins lock the account for 180 seconds; even_deny_root and root_unlock_time apply the same policy to root. Adjust the values as needed. /etc/pam.d/login only governs console logins; SSH goes through /etc/pam.d/sshd, so add the same line there (as the first auth line, before the include of password-auth) if SSH logins are to be locked too. The counters can be inspected and cleared with pam_tally2 --user=sysmgr and pam_tally2 --user=sysmgr --reset.
5.5 Login IP restrictions
(Not configured here, since there is no fixed management IP to bind to.)
A stricter limit is to pin both the allowed SSH users and their source addresses in sshd_config:
## allowed ssh users: sysmgr, from the management network only
AllowUsers sysmgr@172.29.73.*
Every account not listed in AllowUsers is refused, so list all legitimate SSH users. Or use TCP wrappers (sshd on CentOS 6 is linked against libwrap): deny everything in /etc/hosts.deny, then list the allowed hosts or prefixes in /etc/hosts.allow; hosts.allow is consulted first, so its entries win:
vi /etc/hosts.deny
sshd: ALL
vi /etc/hosts.allow
sshd: 172.29.73.23
sshd: 172.29.73.
6. Configure key-only login
Replacing simple password authentication with key files greatly improves security. Generate the key pair as the user who will log in (or on the client workstation; the output below was captured as root, hence the /root paths):
[username@host ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):      (press Enter for the default path)
Enter passphrase (empty for no passphrase):      (enter the passphrase; it is required at every login)
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 root@ibpak.tp-link.net
The key's randomart image is:
(randomart image omitted)
Install the public key as authorized_keys. Append rather than rename, so that keys already installed survive, and set the permissions that sshd's StrictModes check requires:
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
Download the private key id_rsa to your workstation (renaming it, e.g. to hostname_username_id_rsa, makes it easier to tell apart), store it in a safe place and remove it from the server. From now on the user logs in with the private key plus its passphrase; the account password is no longer used for SSH.
Also make sure the following lines are uncommented in /etc/ssh/sshd_config (PubkeyAuthentication and AuthorizedKeysFile are the ones that matter; RSAAuthentication only applies to the obsolete SSH protocol 1):
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
The user in question (itsection in this example; in particular any account that can su to root) must log in with a key, while other ordinary users may still log in with a password. Add a Match block at the end of sshd_config (every directive after a Match line belongs to that block, so it must come after the global settings):
Match User itsection
PasswordAuthentication no
Run sshd -t to check the configuration, then restart with service sshd restart, and keep the current session open until a key login from a new session succeeds. A word of warning: keep a second copy of the private key in a separate safe location. If the public key disappears from the server, or the private key (or its passphrase) is lost on the client side, the account, and with it the ability to obtain root through su, can no longer log in.
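Added example, not from the post: a function that installs a public key the way sshd's StrictModes requires, and a check of sshd_config for the settings above, demonstrated on constructed config fragments. The user name sysmgr, the key text and the fragments are made up for the demonstration:

```sh
#!/bin/sh
# Added example, not from the original post: install a user's public key
# the way sshd expects it, and check sshd_config for the settings this
# section requires before restarting sshd. The user name, key line and
# config fragments below are constructed for the demonstration.

# install_pubkey HOME_DIR PUBKEY_LINE [OWNER]
# Creates HOME_DIR/.ssh (0700) and appends the key to authorized_keys
# (0600) unless that exact line is already there, so re-running is safe and
# existing keys are kept (mv id_rsa.pub authorized_keys would discard them).
# With StrictModes (the default) sshd silently ignores keys in a group- or
# world-writable directory or file, the usual reason a hand-copied key
# "does not work". OWNER is for when root installs the key for another
# user. Prints the number of keys now installed.
install_pubkey() {
    keydir="$1/.ssh"; keyfile="$keydir/authorized_keys"
    mkdir -p "$keydir" && chmod 700 "$keydir"
    touch "$keyfile" && chmod 600 "$keyfile"
    if grep -qxF -- "$2" "$keyfile"; then
        echo "key already present" >&2
    else
        printf '%s\n' "$2" >> "$keyfile"
    fi
    [ -n "${3:-}" ] && chown -R "$3" "$keydir"
    wc -l < "$keyfile" | tr -d ' '
}

# check_sshd_config FILE
# Verifies the three things this section relies on: PermitRootLogin no,
# pubkey authentication not switched off, and a Match block that sets
# PasswordAuthentication no. sshd takes the first value it sees for a
# global keyword, so only the first occurrence outside a Match block
# counts; everything after a Match line belongs to that block.
check_sshd_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        tolower($1) == "permitrootlogin" && !in_match && prl == "" { prl = $2 }
        tolower($1) == "pubkeyauthentication" && !in_match && pka == "" { pka = $2 }
        tolower($1) == "passwordauthentication" && in_match { mpa = $2 }
        END {
            printf "PermitRootLogin=%s PubkeyAuthentication=%s MatchPasswordAuthentication=%s\n",
                ((prl == "no") ? "ok" : "BAD"),
                ((pka == "" || pka == "yes") ? "ok" : "BAD"),
                ((mpa == "no") ? "ok" : "BAD")
        }' "$1"
}

# Constructed config fragments: the hardened one this section builds, and a
# stock-like one for comparison.
hardened_config() {
    cat <<'EOF'
# sshd_config after this section
Port 20002
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
Match User sysmgr
    PasswordAuthentication no
EOF
}
stock_config() {
    cat <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Demonstration on temporary files; on a server call the functions with the
# real home directory and /etc/ssh/sshd_config instead.
tmpd=$(mktemp -d)
hardened_config > "$tmpd/hardened"; stock_config > "$tmpd/stock"
check_sshd_config "$tmpd/hardened"   # all three ok
check_sshd_config "$tmpd/stock"      # PermitRootLogin=BAD ... MatchPasswordAuthentication=BAD
install_pubkey "$tmpd/home" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE sysmgr@example"   # 1
rm -rf "$tmpd"
```

The config check reads the file the way sshd does (first global value wins, Match directives scoped to their block), which catches the common mistake of adding a second PermitRootLogin line below a stock "PermitRootLogin yes" and wondering why root can still log in. It does not replace sshd -t, which also catches syntax errors.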
7. Reduce the size of the command history
Recording executed commands makes administration easier, but the history also reveals what was done on the system, including any passwords or keys typed on a command line, to anyone who can read it.
vi /etc/profile
Change HISTSIZE=1000 to HISTSIZE=50, or clear the history on every logout (history -c in ~/.bash_logout). Note that a short history also removes evidence after a break-in; with logs shipped to a central server (section 11) it may be better to keep the history and protect it (chmod 600 ~/.bash_history) instead.
8. Special file permissions
Set the immutable attribute on the following files so they cannot be modified, renamed or deleted, even by root, until the attribute is removed:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services   # the system services list; locking it prevents a service entry from being deleted or added
chattr +i /etc/pam.d/su
chattr +i /etc/ssh/sshd_config
Display the attributes:
lsattr /etc/passwd /etc/shadow /etc/services /etc/ssh/sshd_config
Note: while these attributes are set, users cannot be added or removed and passwords cannot be changed (passwd needs to rewrite /etc/shadow).
To add or remove a user, remove the attribute first (chattr -i /etc/passwd, and likewise for shadow, group and gshadow), make the change, and then run the commands above again. Remember to set the attribute back. This only raises the bar: an attacker who already has root can run chattr -i as well, so it mainly protects against accidental edits and against automated tools that do not expect the attribute.
9. Prevention of network attacks
Network attacks cannot be prevented in a few lines. The measures below reduce the likelihood and raise the cost of an attack but do not stop one.
9.1 Block ping
If nobody can ping the system it is slightly harder to find and ping floods no longer reach the IP stack. Add the following line to /etc/rc.d/rc.local (or, persistently, net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf):
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Or use iptables. An incoming ping is an ICMP echo-request (type 8); type 0 is echo-reply, and a rule on that would only discard the answers to this host's own pings:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
To also stop this host from pinging others:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
Dropping echo requests does not reduce the bandwidth a flood consumes, and monitoring that relies on ping stops working; rate-limiting with -m limit is often the better trade-off. Do not drop all ICMP, since that breaks path MTU discovery.
9.2 Prevent IP spoofing
Edit /etc/host.conf and add the following lines:
order hosts,bind   # order of name resolution: /etc/hosts first, then DNS
multi on   # allow a host in /etc/hosts to have multiple IP addresses
nospoof on   # reject a hostname lookup whose reverse and forward results disagree
nospoof only concerns the resolver's handling of hostname lookups; it does nothing about forged source addresses on the wire. The kernel-level protection against those is reverse-path filtering, net.ipv4.conf.all.rp_filter = 1 (CentOS 6 ships /etc/sysctl.conf with net.ipv4.conf.default.rp_filter = 1).
9.3 Prevent DoS attacks
Setting resource limits for all system users, such as the maximum number of processes and open files, blunts local denial-of-service attacks (fork bombs, file-descriptor exhaustion).
Add the following lines to /etc/security/limits.conf:
* soft core 0
* soft nproc 2048
* hard nproc 16384
* soft nofile 1024
* hard nofile 65536
core 0 prevents core files from being written (a dump of a crashed service can contain passwords and keys).
nproc 2048 (soft) and 16384 (hard) limit the number of processes per user; the soft limit applies by default and a user may raise it up to the hard limit with ulimit.
nofile 1024 (soft) and 65536 (hard) limit the number of files a user can have open at the same time.
* matches every user who logs in except root; to limit root, add lines with the literal user name root.
Check that /etc/pam.d/login contains the following line (on CentOS 6 it normally comes in through the system-auth include, and /etc/pam.d/sshd gets it through password-auth); add it if it is missing:
session required pam_limits.so
The limits.conf values need to be adjusted to the workload: too low a nofile makes busy web or database servers fail with "Too many open files". Limits apply to new sessions, so log in again and verify with ulimit -a.
10. Fix known security vulnerabilities
Every so often a critical vulnerability hits Linux (the udev local root, Heartbleed in OpenSSL, Shellshock in bash, GHOST in glibc, and so on). If the server is exposed to the network it must be patched promptly. yum update installs the fixes; with yum-plugin-security installed, yum --security check-update lists only the pending security updates. Restart the affected services afterwards, or reboot for kernel and glibc updates, so that the patched code is actually running: a patched library on disk does nothing for a daemon that still has the old one mapped.
11. Periodic log checks
Move the logs to a dedicated log server so that an intruder cannot simply edit the local copies (in /etc/rsyslog.conf, a line such as *.* @@logserver:514 forwards everything over TCP). The default log files commonly used on Linux are:
/var/log/messages - general system log (current system activity)
/var/log/auth.log - authentication log on Debian-derived systems; on CentOS this is /var/log/secure
/var/log/cron - crond log (cron jobs)
/var/log/maillog - mail server log
/var/log/secure - authentication log (sshd, su, sudo, PAM)
/var/log/wtmp - login, logout, boot and shutdown history, read with last; failed logins go to /var/log/btmp, read with lastb
/var/run/utmp - currently logged-in users, the source for w and who
/var/log/yum.log - yum install and update history
See the in-depth post on detecting intrusions on CentOS from the logs.
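Added example, not part of the post: the kind of check a periodic log review should include, here summarizing failed SSH logins in /var/log/secure by source address and flagging the sources that look like brute-force attempts. The log lines are constructed in the CentOS 6 rsyslog format; on a live box pass /var/log/secure as the argument:

```sh
#!/bin/sh
# Added example, not from the original post: summarize failed SSH logins in
# /var/log/secure by source address, the check to run (or script) before
# handing the log review to Logwatch. The log lines below are constructed
# in the CentOS 6 rsyslog format; on a live box pass /var/log/secure.

# failed_logins_by_ip FILE
# One line per source address: failure count, address, and the user names
# tried, most failures first. Handles both "Failed password for USER" and
# "Failed password for invalid user USER" (account does not exist).
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            fails[ip]++
            if (!seen[ip, user]++) users[ip] = users[ip] (users[ip] == "" ? "" : ",") user
        }
        END { for (ip in fails) printf "%d %s %s\n", fails[ip], ip, users[ip] }
    ' "$1" | sort -rn
}

# brute_force_sources FILE THRESHOLD
# Addresses with at least THRESHOLD failures: candidates for hosts.deny or
# an iptables DROP, and for a closer look at what else came from them.
brute_force_sources() {
    failed_logins_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Constructed sample of /var/log/secure.
sample_secure() {
    cat <<'EOF'
Mar  3 10:15:01 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:04 web1 sshd[4120]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:09 web1 sshd[4124]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:16:00 web1 sshd[4130]: Accepted publickey for sysmgr from 172.29.73.23 port 40022 ssh2
Mar  3 10:17:30 web1 sshd[4141]: Failed password for invalid user oracle from 198.51.100.9 port 4001 ssh2
Mar  3 10:18:02 web1 su: pam_unix(su-l:session): session opened for user root by sysmgr(uid=500)
EOF
}

logfile="${1:-}"
if [ -z "$logfile" ]; then logfile=$(mktemp) && sample_secure > "$logfile"; fi
failed_logins_by_ip "$logfile"        # 3 203.0.113.7 admin,root / 1 198.51.100.9 oracle
echo "sources with 3 or more failures:"
brute_force_sources "$logfile" 3      # 203.0.113.7
[ -n "${1:-}" ] || rm -f "$logfile"
```

The user-name column is as informative as the count: "root" and "admin" from one address is a scanner, while repeated failures for a real account from inside the management network usually means a person with a stale password or a forgotten key passphrase, which is worth a phone call rather than a firewall rule.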
11.1 Install Logwatch
Logwatch is a log analysis tool written in Perl. It analyzes the Linux log files and mails a summary to the responsible staff; the reports can be customized.
Logwatch sends its mail through the host's own mail system, so a mail server such as sendmail, postfix or qmail must be installed and running (if postfix was stopped in section 2, at least local delivery or a relay to the corporate mail server has to be restored).
For installation and configuration, see the post on Linux Logwatch log monitoring.
12. Web server security
For services such as Apache or Tomcat, harden the server configuration according to the respective documentation when a security problem turns up. A separate article will be added later.