CentOS 6.5: basic optimization and security settings

This article covers 18 optimizations for CentOS 6.5:

1, bring up the network card after a minimal CentOS 6.5 install
2, find the IP with ifconfig and connect over SSH
3, switch the yum source and update the system
4, set the system time and schedule periodic time updates
5, change the IP address, gateway, host name and DNS
6, turn off SELinux and flush iptables
7, create a regular user and manage privileges with sudo
8, change the SSH port and block remote root login
9, lock critical system files (deny changes by unauthorized users)
10, trim the services started at boot
11, raise the system file descriptor limit
12, set the system character set
13, remove the OS and kernel version from the login banner
14, tune kernel parameters
15, periodically clean /var/spool/clientmqueue
16, delete unnecessary users and groups
17, disable the Ctrl-Alt-Delete reboot key combination
18, set some global variables

1, start the network card

# After a minimal CentOS 6.x install the network adapter is not brought up at boot
ifup eth0

2, connect over SSH: run ifconfig to find the IP address, then connect to it from an SSH terminal.
3, switch the yum source and update the system (a minimal install has no wget, which is needed to fetch the new repo file, so install it first)

yum install wget

Back up the original yum source

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

Enter the yum.repos.d directory

cd /etc/yum.repos.d

Download the NetEase or Sohu mirror source

# Download the NetEase mirror source:
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# Or
# Download the Sohu mirror source:
wget http://mirrors.sohu.com/help/CentOS-Base-sohu.repo

The NetEase and Sohu sources may have problems; see http://blog.CSDN.NET/ichsonx/article/details/8518420

Both repo files are fetched over plain http, so the file itself arrives unauthenticated. Before using it, check that every section still has gpgcheck=1 and a gpgkey= line pointing at the CentOS 6 signing key, so that yum verifies package signatures regardless of how the repo definition was obtained.

Clear the yum cache
yum clean all
Build the cache
yum makecache
Update the system and kernel
yum upgrade
Prerequisite software
yum install lrzsz ntpdate sysstat -y

lrzsz common operations: rz uploads a file to the server, sz downloads one (from a ZMODEM-capable terminal)
4, set the system time and schedule periodic updates. First, sync the time once and write it to the hardware (BIOS) clock:

ntpdate time.windows.com && hwclock -w

(hwclock -w and hwclock --systohc are the same command, so the original's hwclock -w && hwclock --systohc writes the clock twice; one is enough.)

Second, add the same sync as a scheduled task. cron runs with a minimal PATH, so use full paths:

echo '*/30 * * * * /usr/sbin/ntpdate time.windows.com && /sbin/hwclock -w >/dev/null 2>&1' >>/var/spool/cron/root

Third, alternatively sync every 5 minutes from one server and every 10 minutes from a second one:

echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >>/var/spool/cron/root
echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root

Pick one scheme rather than stacking all three entries, and prefer an NTP server you control or your provider's pool over a public one polled every few minutes. Note: the ntpdate path differs between releases: /usr/sbin/ntpdate on CentOS 6.x, /sbin/ntpdate on CentOS 5.x. Accurate time matters for security as well as for logs (TLS certificate validity, Kerberos and log correlation all depend on it), and ntpdate steps the clock, which can move it backwards; the ntpd service from the ntp package keeps the clock continuously disciplined and is the better long-term choice.

5, change the IP address, gateway, host name and DNS. eth0 network adapter settings:

mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # NIC device name
HWADDR=00:0C:29:D0:C7:B5 # MAC address of the Ethernet device; copy the value from your backed-up file
TYPE=Ethernet # network type
UUID=080a457b-6a53-4a3a-9155-a23c1146c2c6 # universally unique identifier; copy it from the backed-up file too
ONBOOT=yes # activate the interface at boot
NM_CONTROLLED=no # do not let NetworkManager manage eth0
BOOTPROTO=static # static address; set dhcp to obtain an address automatically, in which case IPADDR/NETMASK/GATEWAY below are ignored
IPADDR=192.168.1.10 # IP address
IPV6INIT=no
IPV6_AUTOCONF=no
NETMASK=255.255.255.0 # network mask for the interface
GATEWAY=192.168.1.1 # gateway address

Check the network adapter configuration

cat /etc/sysconfig/network-scripts/ifcfg-eth0

Gateway and host name configuration

vi /etc/sysconfig/network
# Whether the system uses networking; normally yes. With no, networking is unavailable and many system services will not start
NETWORKING=yes
# Host name of the machine; it must match the name given in /etc/hosts
HOSTNAME=c65mini.localdomain
# IP address of the default gateway, e.g. 10.0.0.1 or 192.168.1.1
GATEWAY=192.168.1.1

Modify the DNS servers

vi /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 8.8.8.8
nameserver 8.8.4.4

(Google's public resolvers are 8.8.8.8 and 8.8.4.4; 4.4.4.4, which the original lists, is not a public recursive resolver.) If the interface uses BOOTPROTO=dhcp, dhclient rewrites this file on every lease; add PEERDNS=no to ifcfg-eth0 if the entries should stick.

Modify HOSTS

vi /etc/hosts
127.0.0.1 c65mini.localdomain localhost  # keep localhost on this line

The next three directives are /etc/host.conf settings, not /etc/hosts entries:

vi /etc/host.conf
# Query DNS first, then /etc/hosts (on CentOS 6 the hosts: line in /etc/nsswitch.conf governs the actual lookup order)
order bind hosts
# Return every address when a host has more than one IP
multi on
# After a reverse lookup, forward-resolve the returned name and check that it maps back to the queried address; rejects spoofed PTR records
nospoof on

Restart the network service for the settings to take effect, in either of two ways:

service network restart
Or
/etc/init.d/network restart

6, turn off SELinux and flush iptables. Once the server is configured and its services run normally, turn SELinux back on.

View the status of SELinux

The first method: /usr/sbin/sestatus; "SELinux status: enabled" means it is on
The second method: cat /etc/selinux/config; SELINUX=enforcing or permissive means on, disabled means off
The third method: grep SELINUX= /etc/selinux/config
The fourth method: getenforce

Changing the SELinux mode permanently is done in the configuration file, and the change takes effect only after a reboot

First: edit /etc/selinux/config and set SELINUX=disabled
Second: sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

To take effect immediately (a temporary change that lasts until reboot): setenforce 0

setenforce 0 puts SELinux into permissive mode (violations are logged in /var/log/audit/audit.log but allowed), setenforce 1 puts it back into enforcing mode, and getenforce shows the current mode. setenforce cannot disable SELinux entirely; only SELINUX=disabled in the config file plus a reboot does that. Permissive mode is the useful intermediate state: the denials it logs tell you which policy adjustments are needed before going back to enforcing, instead of guessing.

Flush the iptables firewall rules, then write rules to match your requirements

# Flush the iptables rules (filter table only; nat and mangle are untouched)
iptables -F
# List the iptables rules
iptables -L -n
# Save the rules: flushing only changes the running rules, and without saving the old rules return after a reboot
/etc/init.d/iptables save

After iptables -F the CentOS default policies (ACCEPT) are all that remain, so every listening service, including the new SSH port from section 8, is reachable from anywhere until you add rules. Flushing is a starting point, not a configuration.

7, create a regular user and manage privileges with sudo

Create a regular user and set its password:

useradd bingoku
passwd bingoku

Another way, creating the user and setting the password in one step:

useradd bingoku && echo "123456" | passwd --stdin bingoku && history -c

bingoku is the user name you created. A password passed on the command line ends up in the shell history; history -c only clears the in-memory history of the current session, so a real password should be set interactively with passwd.

Open the sudo configuration file with visudo to grant sudo rights:

visudo
# Note: type :set nu in vi to show line numbers; the root line is around line 99
root ALL=(ALL) ALL
# Add below it
bingoku ALL=(ALL) ALL

ALL=(ALL) ALL gives the user full root via sudo, which is what makes PermitRootLogin no in the next section workable: administration happens as the named user, and sudo logs each command to /var/log/secure under that name.

8, change the SSH port and block remote root login

# Back up the SSH configuration
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Edit the SSH security configuration
vi /etc/ssh/sshd_config
# SSH listening port (default 22)
Port 52113
# Forbid root account login
PermitRootLogin no
# Forbid empty passwords
PermitEmptyPasswords no
# Do not do reverse DNS lookups on connecting clients
UseDNS no

Reload the configuration with /etc/init.d/sshd reload, keep the current session open, and confirm from a second terminal that you can log in on port 52113 as the regular user and sudo from there before closing it. Then check that sshd is listening on the new port:

netstat -lnt

Or look up which process owns the port:

lsof -i tcp:52113

A minimal CentOS 6.5 install does not include lsof; install it with yum install lsof.

Two caveats. If iptables is active, allow the new port before reloading sshd. And if SELinux is turned back on in enforcing mode later, sshd may only bind to ports labelled ssh_port_t, so register the new port with semanage port -a -t ssh_port_t -p tcp 52113 (semanage is in the policycoreutils-python package). Note also that sshd_config keywords are case-insensitive and the first occurrence of a keyword wins, so a stock file that still has an uncommented PermitRootLogin yes above your edit keeps root login enabled.
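Reading the effective values back out of sshd_config is where section 8 goes wrong in practice: sshd uses the first occurrence of a keyword and ignores later duplicates, and an option that is still commented out silently keeps its compiled-in default. The script below is an added example written for this article, not code from the original post. It resolves the effective value of each of the four settings above against the OpenSSH 5.3 defaults shipped with CentOS 6 (Port 22, PermitRootLogin yes, PermitEmptyPasswords no, UseDNS yes) and reports any that differ from the hardening. It assumes a config without Match blocks and with a single Port line, and it runs against a constructed sample file rather than the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the section 8 hardening.
# Assumptions (not from the original page): no "Match" blocks, a single "Port" line,
# OpenSSH 5.3 defaults (Port 22, PermitRootLogin yes, PermitEmptyPasswords no, UseDNS yes).

# Print the effective value of a keyword. sshd takes the FIRST non-comment
# occurrence and matches keywords case-insensitively; an absent keyword -> default.
sshd_effective() {
    _file=$1 _key=$2 _default=$3
    _val=$(awk -v k="$(printf '%s' "$_key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == k { print $2; exit }            # first match wins
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# Compare one keyword with the value the hardening wants; print a finding on mismatch.
check_setting() {
    _file=$1 _key=$2 _default=$3 _want=$4
    _got=$(sshd_effective "$_file" "$_key" "$_default")
    if [ "$(printf '%s' "$_got" | tr 'A-Z' 'a-z')" = "$_want" ]; then
        printf 'OK    %-20s %s\n' "$_key" "$_got"
        return 0
    fi
    printf 'FAIL  %-20s %s (want %s)\n' "$_key" "$_got" "$_want"
    return 1
}

# Run all four checks; the return value is the number of failures (0 = hardened as in section 8).
sshd_audit() {
    _file=$1 _fail=0
    check_setting "$_file" Port                22  52113 || _fail=$((_fail + 1))
    check_setting "$_file" PermitRootLogin     yes no    || _fail=$((_fail + 1))
    check_setting "$_file" PermitEmptyPasswords no  no   || _fail=$((_fail + 1))
    check_setting "$_file" UseDNS              yes no    || _fail=$((_fail + 1))
    return $_fail
}

# Constructed sample (not a real host's file): the root-login line is still commented
# out, so the default (yes) applies even though the file looks hardened.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config, not from a real host
#Port 22
Port 52113
#PermitRootLogin no
permitemptypasswords no
UseDNS no
EOF

sshd_audit "$SAMPLE_CFG"
_rc=$?
if [ "$_rc" -eq 0 ]; then
    echo "sshd_config matches the section 8 hardening"
else
    echo "sshd_config deviates from the section 8 hardening in $_rc place(s)"
fi
rm -f "$SAMPLE_CFG"
```

To check a real host, call sshd_audit /etc/ssh/sshd_config; a non-zero return is the number of settings that deviate. The sample deliberately leaves PermitRootLogin commented out to show the trap: a grep for "PermitRootLogin no" would find the line and pass, while the effective value is the default yes.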
9, lock critical system files (deny changes by unauthorized users)

chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/group
chattr +i /etc/shadow
chattr +i /etc/gshadow

The immutable bit stops everyone, root included, from modifying, renaming or deleting these files, so useradd, usermod, passwd and groupadd fail with "Operation not permitted" until it is lifted with chattr -i; lsattr /etc/passwd shows whether it is set. Do this step after the users in section 7 and the account clean-up in section 16, and remember it when a later account change mysteriously fails. It is a guard against mistakes and against low-privileged tampering, not against an attacker who already has root, who can simply run chattr -i first.

10, trim the services started at boot

Note: on a freshly installed system only four services are needed: crond, network, rsyslog (syslog on CentOS 5.x) and sshd. Enable others later as the business requires. If the system locale is Chinese, chkconfig prints a localized string in place of 3:on, so either set LANG=en_US.UTF-8 for the command or grep for the localized text (the original offers a second copy of the loop for that). The loops act on runlevel 3, the default for a server; check id:3 in /etc/inittab, and use --level 5 instead if the machine boots to runlevel 5.

# Turn off all services at runlevel 3
for sun in $(chkconfig --list | grep 3:on | awk '{print $1}'); do chkconfig --level 3 $sun off; done

# Turn on the needed services
for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done

# Or, if you need a firewall, also enable iptables and ip6tables
for sun in crond rsyslog sshd network iptables ip6tables; do chkconfig --level 3 $sun on; done

Note that the first loop also disables iptables and ip6tables; unless you use the second variant, the machine boots with no firewall. Check which services are enabled with chkconfig --list | grep 3:on

[bingoku@c65mini ~]$ chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

11, raise the file descriptor limit

# Show the current file descriptor limit
ulimit -n

First (modelled on the Aliyun host defaults):

vi /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535

(The original lists the two nofile lines twice; the duplicates are harmless but unnecessary.) On CentOS 6 the nproc limit for non-root users is also set in /etc/security/limits.d/90-nproc.conf, and files in limits.d are read after limits.conf, so the nproc value must be changed there as well or it will be overridden.

Second: echo '* - nofile 65535' >>/etc/security/limits.conf

Third: append the same ulimit setting (65535) to /etc/rc.local so it is re-applied at every reboot.

limits.conf is applied by pam_limits at login, so the change affects new sessions only; log in again and run ulimit -n to verify. The hard limit is a security boundary as well as a tuning knob: it caps what a compromised process can open, so raise it to what the workload needs rather than to the maximum.

13, remove the OS and kernel version from the login banner

Check what the console banner currently shows (cat /etc/issue; cat /etc/redhat-release), then empty it:

echo >/etc/issue

14, tune kernel parameters in /etc/sysctl.conf
# Suitable for Apache, nginx, squid and similar web applications
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535

# The following keys tune the connection-tracking table of the CentOS 6.x iptables firewall.
# If no firewall is running, the keys do not exist and sysctl reports them as unknown; ignore that or remove the lines.
# On CentOS 5.x replace net.netfilter.nf_conntrack with net.ipv4.netfilter.ip_conntrack:
#centos5.x: net.ipv4.ip_conntrack_max = 25000000
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

A few caveats before copying these values. tcp_tw_recycle only works when TCP timestamps are on, so with tcp_timestamps = 0 it does nothing here; with timestamps on it drops connections from clients behind the same NAT, so leave it at 0 on anything internet-facing. tcp_mem is counted in pages (4 KiB each), not bytes, so these three numbers amount to hundreds of gigabytes and effectively disable the TCP memory-pressure thresholds. net.nf_conntrack_max and net.netfilter.nf_conntrack_max are two names for the same counter, and a 25,000,000-entry table costs several gigabytes of unswappable kernel memory if a flood ever fills it. Finally, an ephemeral port range starting at 1024 overlaps the ports of services in the 1024-32767 range, so a long-lived outgoing connection can occupy a port a service later needs to bind, including the SSH port chosen in section 8 if sshd is restarted; the kernel default of 32768-61000 avoids that.
Apply the settings immediately with /sbin/sysctl -p. On CentOS 6.5 this may report:

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

The reason is that the bridge module is not loaded:

modprobe bridge
echo "modprobe bridge" >> /etc/rc.local

Check the module with lsmod | grep bridge

On CentOS 5.x the errors below mean the firewall is not running and the ip_conntrack module has not been loaded. There are two fixes: start the firewall (which loads the module), or load the module yourself.

error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key

CentOS 5.x solution:

modprobe ip_conntrack
echo "modprobe ip_conntrack" >> /etc/rc.local

On CentOS 6.x the equivalent errors mean nf_conntrack is not loaded; again, either start the firewall or load the module:

error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key

CentOS 6.x solution:

modprobe nf_conntrack
echo "modprobe nf_conntrack" >> /etc/rc.local

Note: when testing this on CentOS 6.5, the author found that if ip6tables is not enabled, the nf_conntrack keys still report the errors above even after applying the solution. So when trimming services in section 10, keep iptables and ip6tables enabled; or, if you do not use iptables at all, remove the nf_conntrack lines from sysctl.conf so that /sbin/sysctl -p runs cleanly. Bear in mind also that at boot rc.sysinit applies sysctl.conf before rc.local runs, so a module that is only loaded from rc.local needs a second /sbin/sysctl -p in rc.local, after the modprobe, for its keys to take effect.
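Every "unknown key" error above has the same cause: sysctl -p is applied while the kernel does not expose the key, because the module that registers it is not loaded. The function below, an added example written for this article and not code from the original post, pre-checks a sysctl.conf fragment by mapping each key to its /proc/sys path and reporting which entries would fail, so a missing module can be told apart from a typo or a CentOS 5 name before the next reboot. It takes the /proc/sys root as a parameter (an assumption made so it can be tested) and here runs against a constructed directory tree that mimics a CentOS 6 host with nf_conntrack loaded but the bridge module absent.

```shell
#!/bin/sh
# Added example: pre-check a sysctl.conf fragment for keys the running kernel does not expose,
# the condition that produces "error: ... is an unknown key" from sysctl -p.
# Assumptions (not from the original page): the sysfs root is passed in so the check can run
# against a constructed tree; a key counts as "known" when its /proc/sys file exists.

# Map a sysctl key to its /proc/sys path: dots become slashes
# (net.netfilter.nf_conntrack_max -> <root>/net/netfilter/nf_conntrack_max).
sysctl_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# Read "key = value" lines from $2, skipping comments and blanks, and print
# "KNOWN key" or "UNKNOWN key" for each. Returns the number of unknown keys.
sysctl_precheck() {
    _root=$1 _conf=$2 _unknown=0
    while IFS= read -r _line; do
        _line=${_line%%#*}                            # strip comments (whole-line or trailing)
        case $_line in *=*) ;; *) continue ;; esac     # skip lines without key = value
        _key=$(printf '%s' "${_line%%=*}" | tr -d '[:space:]')
        [ -n "$_key" ] || continue
        if [ -e "$(sysctl_path "$_root" "$_key")" ]; then
            printf 'KNOWN   %s\n' "$_key"
        else
            printf 'UNKNOWN %s\n' "$_key"
            _unknown=$((_unknown + 1))
        fi
    done < "$_conf"
    return $_unknown
}

# Constructed demo tree (not a real /proc/sys): a CentOS 6 box with iptables running,
# so nf_conntrack is loaded, but without the bridge module, as described above.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/net/netfilter" "$DEMO/net/ipv4"
: > "$DEMO/net/netfilter/nf_conntrack_max"
: > "$DEMO/net/ipv4/tcp_tw_reuse"
DEMO_CONF="$DEMO/sysctl.conf"
cat > "$DEMO_CONF" <<'EOF'
# constructed sysctl fragment, not the page's full list
net.ipv4.tcp_tw_reuse = 1
net.netfilter.nf_conntrack_max = 25000000
net.bridge.bridge-nf-call-iptables = 0   # fails until "modprobe bridge"
EOF

sysctl_precheck "$DEMO" "$DEMO_CONF"
echo "keys sysctl -p would reject: $?"
rm -rf "$DEMO"
```

On a live host run sysctl_precheck /proc/sys /etc/sysctl.conf; each UNKNOWN line is a key that sysctl -p will reject until the corresponding module is loaded or the line is removed. Keys in the net.bridge.* and net.netfilter.* families are the ones that appear and disappear with modules; a key that stays UNKNOWN after the module is loaded is a typo, or a CentOS 5 name (net.ipv4.netfilter.ip_conntrack_*) on a CentOS 6 kernel.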

15, if sendmail is installed, /var/spool/clientmqueue/ must be cleaned on a schedule, or the undelivered messages it accumulates eventually exhaust the filesystem's inodes

# CentOS 6.5 does not install sendmail by default, so this step is usually unnecessary
mkdir -p /server/scripts
vi /server/scripts/spool_clean.sh
#!/bin/sh
find /var/spool/clientmqueue/ -type f -mtime +30 | xargs rm -f

Then schedule the script from root's crontab in the same way as the time sync in section 4. The inode build-up is usually a symptom: cron jobs whose output is not redirected generate a mail per run, which is why the cron entries above end in >/dev/null 2>&1.

16, delete unnecessary users and groups

Before removing an account, check that nothing depends on it (vsftpd, for instance, uses the ftp account) and that it owns no running process; userdel refuses to remove a user that is logged in or has processes. Do this step before the files in section 9 are made immutable, otherwise userdel and groupdel fail with "Operation not permitted" until the flag is lifted with chattr -i.

# Remove unnecessary users
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
# Remove unnecessary groups
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers

These accounts have no valid password and cannot log in as shipped; the point of removing them is to shrink the set of identities an attacker can reuse, so also look for stray files still owned by the deleted UIDs (find / -nouser) once they are gone.

17, disable the Ctrl-Alt-Delete reboot key combination

vi /etc/init/control-alt-delete.conf
# Comment out the exec line
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

Upstart on CentOS 6 watches /etc/init and picks the change up automatically; if it does not, run initctl reload-configuration. This only covers the console key combination: anyone with physical or virtual-console access can still power-cycle the machine, so it prevents accidental reboots rather than deliberate ones.

18, set some global variables

# Log idle shells out automatically after the given number of seconds (3600 = one hour), so forgotten SSH sessions are not left open
echo "TMOUT=3600" >> /etc/profile
# Limit the shell history to 10 commands
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
# Take effect in the current shell; new logins read /etc/profile automatically
source /etc/profile

TMOUT is honoured by bash for interactive shells, and a user can unset it in their own shell; add readonly TMOUT after the assignment if it is meant to be enforced rather than a convenience. Shrinking the history to 10 entries also removes an audit trail that is usually the first thing examined after an intrusion (attackers clear it themselves for the same reason); keeping the full history and adding timestamps with HISTTIMEFORMAT is the more defensible choice.