Linux Server Basic Security Configuration Manual

There are many things to pay attention to when building a Linux server, and a sound security configuration checklist is the most important thing for a server builder and maintainer to master. This article is a complete Linux server security hardening manual. If you build a Linux server and want to maintain it long term, you need to consider many factors, such as security, performance and speed, so a correct basic Linux security configuration manual is particularly important. In this article, I introduce the basic security configuration manual for a Linux server under RedHat/CentOS 4 and 5.

1. Delete the special user account of the system:

Prohibit all default accounts that are started by the operating system itself and not needed. You should do this check when you first install the system. Linux provides various accounts that you may not need. If you do not need this account, remove it. The more accounts you have, the more vulnerable you are to attacks.

# To delete users on your system, use the following command:
[ root@c1gstudio ]# userdel username
# Batch deletion method
# The "adm lp sync shutdown halt mail news uucp operator games gopher ftp" accounts are deleted here
# If you run ftp or other services, keep the ftp account.
for i in adm lp sync shutdown halt mail news uucp operator games gopher ftp; do userdel $i; done

2. Delete the special group accounts of the system

[ root@c1gstudio ]# groupdel groupname
# Batch deletion method
for i in adm lp mail news uucp games dip pppusers popusers slipusers ; do groupdel $i ; done

3. User password settings

When installing Linux, the default minimum password length is 5 bytes, but this is not enough; it should be set to 8 bytes. To modify the minimum password length, edit the login.defs file:
# vi /etc/login.defs

PASS_MAX_DAYS 99999   # maximum validity period of a password (default value)
PASS_MIN_DAYS 0       # minimum validity period of a password
PASS_MIN_LEN 5        # minimum password length; change 5 to 8
PASS_WARN_AGE 7       # how many days in advance users are warned that their password is about to expire
Then change the root password:
# passwd root
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

4. Modify the automatic account logout time

The root account has the highest privileges in the Linux system. If the system administrator forgets to log out of the root account before leaving the terminal, it creates a great security risk, so the system should log the account out automatically. This is done by setting the "TMOUT" parameter in the profile; TMOUT is measured in seconds. Edit your profile file (vi /etc/profile) and add the following line after "HISTSIZE=":

TMOUT=300

300 means 300 seconds, that is, 5 minutes. In this way, if the logged in user does not act within 5 minutes, the system will automatically log off the account.
5. Limit the shell command record size

By default, the bash shell stores up to 500 command records in the file $HOME/.bash_history (the default number of records varies by system). There is one such file in the home directory of every user on the system. The author strongly recommends limiting the size of this file.
You can edit the /etc/profile file and modify its options as follows:

HISTFILESIZE=30 or HISTSIZE=30
# vi /etc/profile
HISTSIZE=30

6. Delete the command record when logging off

Edit the /etc/skel/.bash_logout file and add the following line:

rm -f $HOME/.bash_history

In this way, all users on the system delete their command records when logging off (note that /etc/skel is only copied into the home directories of accounts created afterwards, so existing users need the line added by hand).
If you only need to set this for a specific user, such as root, modify only the .bash_logout file in that user's home directory ($HOME/.bash_logout) and add the same line.

7. Add the required user group and user account with the following commands

[ root@c1gstudio ]# groupadd groupname
For example, to add a website user group: groupadd website
Then call the vigr command to view the added user groups.
Use the following command to add the required user account:
[ root@c1gstudio ]# useradd username -g website   # add the user to the website group (as the general administrator of the web server, not the root administrator)
Then call the vipw command to view the added users.
Use the following command to change the user password (enter a password of at least 8 letters and digits, and record the password in a dedicated file on the local machine so it is not forgotten):
[ root@c1gstudio ]# passwd username

8. Prevent anyone from su-ing to root

If you do not want everyone to be able to su to root, edit /etc/pam.d/su and add the following lines:

# vi /etc/pam.d/su
auth sufficient /lib/security/$ISA/pam_rootok.so debug
auth required /lib/security/$ISA/pam_wheel.so group=website

This means that only users in the website group can su to root.

9. Modify the root login permission of the ssh service

Modify the ssh service configuration file so that the ssh service is not allowed to log in directly using the root user, thus reducing the chances of the system being attacked by malicious login.

# vi /etc/ssh/sshd_config
Find the line:
#PermitRootLogin yes
Remove the # in front of this line and change it to:

PermitRootLogin no
10. Modify the sshd port of the ssh service

SSH listens on port 22 by default. You can change it to port 6022 to avoid routine scanning.
Note: a mistake when changing the port may leave you unable to connect to the server next time. Open port 22 and port 6022 at the same time, and close port 22 only afterwards.
Restarting sshd does not drop your current connection; open another client to test the service.

# vi /etc/ssh/sshd_config
# Add/modify
#Port 22   # close port 22 (only after 6022 has been tested)
Port 6022  # add port 6022
# Restart the sshd service
service sshd restart
# Check that sshd is listening on the right port
netstat -lnp | grep ssh
# Open port 6022 for sshd in iptables
vi /etc/sysconfig/iptables
# If the Red Hat default rule set is used, add
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6022 -j ACCEPT
# Or
iptables -A INPUT -p tcp --dport 6022 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 6022 -j ACCEPT
# Restart the iptables service (rules added with the iptables command are lost on restart unless "service iptables save" is run first)

service iptables restart
# Test that both ports can be connected to, and only then remove port 22. For details, refer to:
Modification method of SSH default port 22 under Linux operating system
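The following script is an added example for sections 3, 9 and 10 and is not code from the original post. It needs only a POSIX shell and awk; the function names (set_kv, stage_ssh_port, finish_ssh_port, active_values) are my own, and the demo at the bottom works on constructed scratch copies of login.defs and sshd_config rather than the live files. The point it adds to the text is that a scripted edit should rewrite the existing line (active or commented out) instead of appending a duplicate, and that the port change is done in two stages so port 22 stays open until 6022 has been tested.

```sh
#!/bin/sh
# Added example for sections 3, 9 and 10 (not from the original post).
# set_kv rewrites an existing "KEY value" line instead of appending a second one,
# which is what "Remove the # in front of this line and change it" amounts to when
# scripted. The demo at the bottom works on constructed scratch copies, never on
# the live /etc/login.defs or /etc/ssh/sshd_config.

# set_kv FILE KEY VALUE: rewrite the first active "KEY ..." line to "KEY VALUE".
# If there is none, uncomment and rewrite the first "#KEY ..." line; else append.
set_kv() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        NR == FNR { if ($1 == k) has_active = 1; next }   # pass 1: is there an active line?
        !done && ($1 == k || (!has_active && ($1 == ("#" k) || ($1 == "#" && $2 == k)))) {
            print k " " v; done = 1; next                 # pass 2: rewrite exactly one line
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# active_values FILE KEY: values of every active (uncommented) KEY line, space separated.
active_values() {
    awk -v k="$2" '$1 == k { out = out (out == "" ? "" : " ") $2 } END { print out }' "$1"
}

# Section 3: minimum password length 8 instead of the default 5.
harden_login_defs() {
    set_kv "$1" PASS_MIN_LEN 8
}

# Section 10, step 1: listen on 22 *and* NEWPORT, so the new port can be tested from a
# second client before 22 goes away (a typo here would otherwise lock you out).
stage_ssh_port() {
    set_kv "$1" Port 22
    tmp=$(mktemp) || return 1
    awk -v p="$2" '{ print } $1 == "Port" && $2 == "22" && !ins { print "Port " p; ins = 1 }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Section 10, step 2: once the new port has been verified, drop the "Port 22" line.
finish_ssh_port() {
    tmp=$(mktemp) || return 1
    awk '!($1 == "Port" && $2 == "22")' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# demo: constructed copies of both files, every step applied, results joined with "|".
demo() {
    d=$(mktemp -d) || return 1
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$d/login.defs"
    printf '#Port 22\n#PermitRootLogin yes\nX11Forwarding no\n' > "$d/sshd_config"
    harden_login_defs "$d/login.defs"
    set_kv "$d/sshd_config" PermitRootLogin no          # section 9
    stage_ssh_port "$d/sshd_config" 6022
    staged=$(active_values "$d/sshd_config" Port)       # "22 6022": both ports listen
    finish_ssh_port "$d/sshd_config"
    printf '%s|%s|%s|%s\n' "$(active_values "$d/login.defs" PASS_MIN_LEN)" \
        "$(active_values "$d/sshd_config" PermitRootLogin)" "$staged" \
        "$(active_values "$d/sshd_config" Port)"
    rm -rf "$d"
}
```

Running `demo` prints `8|no|22 6022|6022`: the password length is raised, root login is refused, both ports are active after staging and only 6022 remains at the end. On a real host, call the same functions with /etc/login.defs and /etc/ssh/sshd_config, run `sshd -t` to syntax-check the result, and only then `service sshd restart`.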
11. Turn off services not used by the system:

cd /etc/init.d   # enter the system init script directory
There are two methods to shut down the services in the init directory:

1. Rename the service's start script in the init directory with mv to a *.old name, so that the system cannot find the start script of this service when it boots.

2. Use the chkconfig system command to turn off the service at the system start-up levels.

Note: whichever method you use, first check whether the service to be shut down is one the server needs in order to function, so that a required service is not turned off.

Use the chkconfig command to shut down unused system services (the level option is preceded by two minus signs). To see how many processes are running before modifying the start-up scripts, enter:

ps aux | wc -l

Then modify the start-up scripts, restart the system, and enter the above command again to count how many have gone. The fewer services running, the better for security. In addition, run the following command to see which services are listening:

netstat -na

Stop the services in batch mode:

for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd ; do service $i stop; done

Turn off start-up of the services:

for i in acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd ; do chkconfig $i off; done

The following is the manual mode with explanations. It is unnecessary if the batch mode has been executed.

chkconfig --level 345 apmd off       # notebooks need this
chkconfig --level 345 netfs off      # nfs client
chkconfig --level 345 yppasswdd off  # NIS server, this service has many vulnerabilities
chkconfig --level 345 ypserv off     # NIS server, this service has many vulnerabilities
chkconfig --level 345 dhcpd off      # dhcp service
chkconfig --level 345 portmap off    # required to run rpc (port 111) services
chkconfig --level 345 lpd off        # print service
chkconfig --level 345 nfs off        # NFS server, extremely vulnerable
chkconfig --level 345 sendmail off   # mail service, with many vulnerabilities
chkconfig --level 345 snmpd off      # SNMP, from which remote users can obtain a lot of system information
chkconfig --level 345 rstatd off     # avoid running the r services; remote users can obtain a lot of information from them
chkconfig --level 345 atd off
Note: 3, 4 and 5 in the above chkconfig command are the system run levels; the numbers mean the following:
0: Power off / halt (do not switch to this level)
1: Single user mode, text interface
2: Multi-user mode, text interface, without NFS
3: Multi-user mode, text interface, with Network File System (NFS) support
4: Some Linux distributions use this level to enter the X Window System
5: Some Linux distributions use this level to enter the X Window System
6: Reboot. If --level is not given with the on/off switch, the change applies by default only to run levels 3, 4 and 5.

chkconfig cups off            # printer
chkconfig bluetooth off       # Bluetooth
chkconfig hidd off            # Bluetooth
chkconfig ip6tables off       # ipv6
chkconfig ipsec off           # vpn
chkconfig auditd off          # user-space audit daemon
chkconfig autofs off          # automatic mounting of CDs, floppies, hard disks and so on
chkconfig avahi-daemon off    # used for Zero Configuration Networking; generally useless, recommended to turn off
chkconfig avahi-dnsconfd off  # used for Zero Configuration Networking; as above, recommended to turn off
chkconfig cpuspeed off        # dynamically adjusts the CPU frequency; recommended to turn off on a server
chkconfig isdn off            # isdn
chkconfig kudzu off           # hardware auto-detection service
chkconfig nfslock off         # NFS file locking; can be turned off when file sharing is not needed
chkconfig nscd off            # caches password and group lookups; needed when NIS is in use
chkconfig pcscd off           # smart card support; can be turned off if there is none
chkconfig yum-updatesd off    # yum update
chkconfig acpid off
chkconfig autofs off
chkconfig firstboot off
chkconfig mcstrans off        # selinux
chkconfig microcode_ctl off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig setroubleshoot off
chkconfig xfs off
chkconfig xinetd off
chkconfig messagebus off
chkconfig gpm off             # mouse
chkconfig restorecond off     # selinux
chkconfig haldaemon off
chkconfig sysstat off
chkconfig readahead_early off
chkconfig anacron off

Services to keep

crond, irqbalance, microcode_ctl, network, sshd and syslog. Because some services are already running, restart them after the settings are made.
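As an added example for this section (my own code, not the post's), the script below turns the "services to keep" list into a check: it parses `chkconfig --list` output and reports every SysV service that is still on at run level 3, 4 or 5 but is not on the keep list, then prints the corresponding stop/disable commands for review instead of running them. The sample output it parses is constructed here to match the CentOS 5 layout; xinetd-managed services (the indented block at the end of the listing) have no run-level columns and are skipped, so they need a separate look.

```sh
#!/bin/sh
# Added example for section 11 (not from the original post): find services enabled at
# run levels 3, 4 or 5 that are not on the keep list, from `chkconfig --list` output.
# Commands are printed, not executed, so the list can be reviewed before anything stops.

KEEP="crond irqbalance microcode_ctl network sshd syslog"   # the page's "services to keep"

# enabled_extras KEEP < chkconfig-list-output: names of SysV services that are "on" at
# level 3, 4 or 5 and not in KEEP. Lines under "xinetd based services:" are ignored
# (they carry no run-level columns and must be reviewed separately).
enabled_extras() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) kept[k[i]] = 1 }
        /^xinetd based services:/ { skip = 1; next }
        skip || NF < 7 { next }
        {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[345]:on$/) on = 1
            if (on && !($1 in kept)) print $1
        }'
}

# disable_commands KEEP < chkconfig-list-output: stop/disable command for each extra service.
disable_commands() {
    enabled_extras "$1" | while read -r svc; do
        printf 'service %s stop; chkconfig --level 345 %s off\n' "$svc" "$svc"
    done
}

# Constructed sample of `chkconfig --list` output (CentOS 5 layout) so this runs offline.
SAMPLE='acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rsync:  off
        telnet: on'

# demo: the extras found in the sample, as one space-separated line.
demo() {
    printf '%s\n' "$SAMPLE" | enabled_extras "$KEEP" | tr '\n' ' ' | sed 's/ $//'
}

# On a live host:  chkconfig --list | disable_commands "$KEEP"   (review, then pipe to sh)
```

`demo` returns `acpid sendmail`: crond, network and sshd are kept, yum-updatesd is already off everywhere, and the xinetd block is left alone.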

chkconfig
Syntax: chkconfig [--add] [--del] [--list] [system service] or chkconfig [--level <level code>] [system service] [on/off/reset]

Supplementary note: this is a program developed by Red Hat under the GPL. It can query which system services the operating system starts at each run level, including the various resident services.

Parameters:

--add adds the specified system service so that the chkconfig command can manage it, and at the same time adds the relevant entries to the system start-up script directories.
--del deletes the specified system service so that it is no longer managed by the chkconfig command, and at the same time removes the relevant entries from the system start-up script directories.
--level <level code> specifies the run level at which the given system service is to be started or stopped.

12. Prevent the system from responding to any external/internal ping request

If no one can ping your machine and receive a response, you greatly enhance the security of your site. You can add the following command to /etc/rc.d/rc.local so that it runs automatically after each start-up.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# This step can be omitted.

13. Modify the "/etc/host.conf" file

"/etc/host.conf" explains how addresses are resolved. Edit the "/etc/host.conf" file (vi /etc/host.conf) and add the following lines:
# Lookup names in /etc/hosts first, then fall back to DNS.
order hosts,bind
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first setting, order hosts,bind, resolves names through the /etc/hosts file first and then through DNS. The second setting allows a host in the "/etc/hosts" file to have multiple IP addresses (such as multiple Ethernet cards). The third setting, nospoof on, rejects unauthorised spoofing of this machine's name resolution (a reverse lookup that does not map back to the same address).

14. Root login from different consoles is not allowed

The "/etc/securetty" file allows you to define which TTY devices root can log in from. You can edit the "/etc/securetty" file and put a "#" in front of the TTY devices that root does not need to log in from, to prohibit root login from those devices.

In the /etc/inittab file there is the following paragraph:

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

By default, the system can use six consoles, i.e. Alt+F1, Alt+F2, ... Here, add "#" in front of 3, 4, 5 and 6 to comment those lines out. Now only two consoles are available, and it is better to keep two. Then restart the init process and the changes take effect.

15. Disable the Control-Alt-Delete keyboard shutdown command

In the "/etc/inittab" file, comment out the following line (with #):
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
and change it to:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To make this change take effect, enter the following command:
# /sbin/init q

16. Use the chattr command to add the immutable attribute to the following files

[ root@c1gstudio ]# chattr +i /etc/passwd
[ root@c1gstudio ]# chattr +i /etc/shadow
[ root@c1gstudio ]# chattr +i /etc/group
[ root@c1gstudio ]# chattr +i /etc/gshadow

Note: this command changes the attributes of files or directories stored on an ext2 file system. The attributes have the following eight modes:

a: the file or directory can only be opened for appending.
A: do not update the last access time of the file or directory.
c: store the file or directory compressed.
d: exclude the file or directory from dump operations.
i: the file or directory cannot be modified, deleted or renamed (immutable).
s: secure deletion; the data blocks are zeroed when the file is deleted.
S: write changes to the file or directory synchronously.
u: undeletable; the contents are kept when the file is deleted so it can be recovered.

Parameters:

-R recursive processing of all files and subdirectories under the specified directory.
-v <version number> set the file or directory version.
-V show the command's execution process.
+<attribute> turn on the attribute of the file or directory.
-<attribute> turn off the attribute of the file or directory.
=<attribute> set exactly the given attributes on the file or directory.

17. Lock the system service port list file

Main purpose: prevent unauthorised deletion or addition of services.

chattr +i /etc/services
[View with: lsattr /etc/services; revoke with: chattr -i /etc/services]

18. Modify the system file permissions

Linux file system security is mainly achieved by setting file permissions. Each Linux file or directory has three sets of attributes, which define the owner of the file or directory, the user group and the permission of others (read-only, writable, executable, SUID allowed, SGID allowed, etc.). Special attention should be paid to executable files with SUID and SGID permissions, which will give the process the owner's permissions during the process of running the program. If they are found and used by hackers, they will cause harm to the system.
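The check that belongs with this paragraph is an inventory of set-UID/set-GID files compared against a baseline, so that a binary gaining the bit later is noticed. The script below is an added example written for this page, not the post's own code; the function names are mine and the demo works in a constructed scratch tree it creates and removes itself.

```sh
#!/bin/sh
# Added example for section 18 (not from the original post): inventory the set-UID /
# set-GID files under a tree and diff the inventory against a saved baseline.
# The demo builds a constructed scratch tree, so nothing live is touched.

# list_setid DIR: sorted paths of regular files carrying the set-UID or set-GID bit,
# restricted to one filesystem (-xdev) so /proc, NFS mounts and the like are skipped.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# save_baseline DIR FILE: record the inventory; take it right after the chmod a-s pass.
save_baseline() {
    list_setid "$1" > "$2"
}

# new_setid DIR FILE: set-id files present now but absent from the baseline. Any output is
# worth an alert: an unexpected set-UID binary is a classic way of keeping root access.
new_setid() {
    list_setid "$1" | comm -13 "$2" -
}

# demo: one expected set-UID file goes into the baseline, a second one appears later and
# is reported. Returns the path of the new file relative to the scratch tree.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    : > "$d/bin/ok_tool";  chmod 4755 "$d/bin/ok_tool"   # legitimate, baselined
    : > "$d/bin/plain";    chmod 0755 "$d/bin/plain"     # no set-id bit, never listed
    save_baseline "$d" "$d/baseline.txt"
    : > "$d/bin/new_tool"; chmod 4755 "$d/bin/new_tool"  # shows up after the baseline
    new_setid "$d" "$d/baseline.txt" | sed "s|^$d/||"
    rm -rf "$d"
}
```

`demo` returns `bin/new_tool`. On a real host, `save_baseline / /root/setid.baseline` after the chmod a-s pass in (2) below and run `new_setid / /root/setid.baseline` from cron; keep the baseline file itself under chattr +i as in section 16.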

(1) Modify the init directory file execution permissions:

chmod -R 700 /etc/init.d/*   # recursive; owner has rwx, group none, others none

(2) Remove the SUID and SGID bits from some system files:

chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /sbin/netreport

(3) Modify the system boot file

chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
[View with: lsattr /etc/grub.conf; revoke with: chattr -i /etc/grub.conf]

19. Add DNS

# vi /etc/resolv.conf
nameserver 8.8.8.8   # google dns
nameserver 8.8.4.4

20. Hostname modification

# Stop mysql, postfix and other services first
1. hostname servername
2. vi /etc/sysconfig/network
service network restart
3. vi /etc/hosts

21. selinux modification

Enabling selinux can increase security, but you may encounter some strange problems when installing software.
The following is how to turn it off:

# vi /etc/selinux/config   and change the SELINUX value to disabled

22. Turn off ipv6

echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
# vi /etc/sysconfig/network
NETWORKING_IPV6=no
Restart the services:

service ip6tables stop
service network restart
Turn off automatic start-up:

chkconfig --level 235 ip6tables off

23. Set iptables

Iptables Default Security Rule Script
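The page only links its rule script, so the block below is an added example of my own, not the linked script: a minimal default-deny filter table in iptables-restore format for the ssh port chosen in section 10. The port 6022 comes from the page; the rate limit on new ssh connections, the echo-request drop (the /proc setting from section 12 done in the firewall instead) and the function names are my additions. Review the output, load it with `iptables-restore < rules.v4`, and persist it with `service iptables save` only after the ssh connection has been re-tested.

```sh
#!/bin/sh
# Added example for section 23 (not the page's linked script): a default-deny INPUT
# chain that admits only loopback, established traffic and the ssh port.

# build_rules SSH_PORT: print a complete *filter table for iptables-restore.
build_rules() {
    port=$1
    case "$port" in ''|*[!0-9]*) echo "build_rules: port must be numeric" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop obviously invalid packets early
-A INPUT -m state --state INVALID -j DROP
# ssh on the non-default port; more than 4 new connections per minute from one source are dropped
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT
# no ping replies (section 12 does the same through /proc); log the rest before the policy drops it
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# allows_port RULES PORT: succeeds if the rule text contains an ACCEPT for tcp PORT.
allows_port() {
    printf '%s\n' "$1" | grep -Eq -- "--dport $2 .*-j ACCEPT$"
}

# Usage on the server, after the port from section 10 has been tested:
#   build_rules 6022 > /root/rules.v4 && iptables-restore < /root/rules.v4
```

The `-m recent` pair is what limits brute forcing on the new port; the 60-second window and hit count of 5 are starting values to tune. Note that with `:INPUT DROP` the old port 22 rule from section 10 is simply absent rather than explicitly closed.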

Restart the system

Most of the above settings can be completed by running scripts. Linux security setting shortcut script

Restart the system after setting

Other settings

Method of adjusting system time zone/time in linux

Make a soft link from the corresponding time zone file in /usr/share/zoneinfo to /etc/localtime. For example, for the Shanghai time zone:
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
If you want the hardware clock to run on UTC, change the UTC=true setting in the /etc/sysconfig/clock file.
Use the date command with the -s parameter to set the time. Note that the Linux date format is "month day hour minute year"; you can also set only the time: date -s 22:30:20. To set the date and time 2007-03-18 11:01:56 in the "month day hour minute year.second" format, write: date -s 031811012007.56
Write the current system time to the hardware clock: hwclock --systohc ; if the hardware clock runs on UTC: hwclock --systohc --utc

Method of adjusting system time zone/time in linux

1) Find the corresponding time zone file

/usr/share/zoneinfo/Asia/Shanghai; use this file to replace the current /etc/localtime file.
Step: cp -i /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

Choose to overwrite when prompted.

2) Modify the /etc/sysconfig/clock file to:

ZONE="Asia/Shanghai"
UTC=false
ARC=false

3) The command to set the date to August 30, 2005 is:

# date -s 08/30/2005
The command to set the system time to 6:40:00 pm is:

# date -s 18:40:00

4) Synchronize the BIOS clock, forcing the system time to be written to CMOS:

# clock -w

Install ntpd

# yum install ntp
# chkconfig --level 235 ntpd on
# ntpdate ntp.api.bz   # calibrate manually first
# service ntpd start

Set language

English language, Chinese support

# vi /etc/sysconfig/i18n
LANG="en_US.UTF-8"
SUPPORTED="zh_CN.UTF-8:zh_CN:zh"
SYSFONT="latacyrheb-sun16"

tmpwatch scheduled clearing

Suppose the server has customized PHP session and upload directories.

# vi /etc/cron.daily/tmpwatch
Add, before "240 /tmp":
-x /tmp/session -x /tmp/upload
# mkdir /tmp/session
# mkdir /tmp/upload
# chown nobody:nobody /tmp/upload
# chmod 0770 /tmp/upload

Original article; when reprinting, please credit: reprinted from Seven Travelers Blog

Fixed link of this article: https://www.qxzxp.com/3883.html
