CentOS 6 simple server security configuration

Linux is an open system: you can find many off-the-shelf programs and tools on the Web, which is convenient for users but also makes things easier for attackers, since they can just as easily find programs and tools to break into a Linux system or steal important information from it. However, as long as we configure the Linux system carefully and add the necessary security measures, attackers will have little to work with. In general, Linux security configuration includes removing unnecessary services, restricting remote access, hiding important information, patching security vulnerabilities, using security tools, and performing regular security checks.

This article is a practical reference; it does not go into principles such as IP spoofing, and security problems cannot be prevented with a few lines of configuration. This is just a basic hardening method for a Linux system; new content will be added in follow-ups.

Note: back up every file before modifying it, for example:

cp /etc/passwd{,.dist}

1. Disable unused users

Note: deleting users is not recommended; if you need the user again later, restoring it can be troublesome. The user can also simply be locked instead.

First make a backup of /etc/passwd before modifying it:

cp /etc/passwd{,.bak}

Edit /etc/passwd and comment out the user's line by prefixing it with #.

Commented-out users:

# cat /etc/passwd|grep ^#
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

Commented-out groups:

# cat /etc/group|grep ^#
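
Before commenting out or locking accounts it helps to see which ones still have an interactive shell. The following script is an added example, not code from the original post: it reads a passwd-format file, lists the accounts whose shell is neither /sbin/nologin nor /bin/false, and prints the lock commands for every such account that is not on an allowlist, so the list can be reviewed before anything is run. The sample passwd content and the function names (list_login_accounts, unexpected_login_accounts, lock_commands) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit which accounts in a
# passwd file still have an interactive login shell, so the ones not on
# an allowlist can be locked (passwd -l) or commented out as described.

# Constructed sample /etc/passwd content (not a real host's file).
SAMPLE_PASSWD="root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
sysmgr:x:500:500::/home/sysmgr:/bin/bash
crm:x:501:501::/apps/crm:/bin/bash"

# Print "user:shell" for accounts that can still log in interactively.
# Lines already commented out with # are skipped. Arg 1: passwd file.
list_login_accounts() {
    awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" && $1 !~ /^#/ { print $1 ":" $7 }' "$1"
}

# Print the login-capable accounts that are NOT in the allowlist.
# Arg 1: passwd file; remaining args: allowed user names.
unexpected_login_accounts() {
    passwd_file=$1; shift
    allowed=" $* "
    list_login_accounts "$passwd_file" | while IFS=: read -r user shell; do
        case "$allowed" in
            *" $user "*) ;;          # on the allowlist, keep
            *) echo "$user" ;;       # not expected to log in
        esac
    done
}

# Emit, without executing, the lock commands an administrator would review.
lock_commands() {
    unexpected_login_accounts "$@" | sed 's/^/passwd -l /'
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "Accounts with login shells:"
list_login_accounts "$tmp"
echo "Lock commands for accounts not in the allowlist (root sysmgr crm):"
lock_commands "$tmp" root sysmgr crm
rm -f "$tmp"
```

On a real host, run it as lock_commands /etc/passwd followed by the users you expect; locking with passwd -l keeps the account and its files intact, which is the reason the post prefers locking over deletion.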

2. Turn off unused services

# chkconfig --list | grep '3:on'

Mail service; use the corporate mail server instead:

service postfix stop
chkconfig --level 2345 postfix off

Common UNIX Printing System, useless on a server:

service cups stop
chkconfig --level 2345 cups off

Adjusts the CPU speed to save power, commonly used on a laptop:

service cpuspeed stop
chkconfig --level 2345 cpuspeed off

Bluetooth wireless communication, useless on a server:

service bluetooth stop
chkconfig --level 2345 bluetooth off

Initial setup after system installation; useless after the first boot:

service firstboot stop
chkconfig --level 2345 firstboot off

Turn off the NFS services and client:

service netfs stop
chkconfig --level 2345 netfs off
service nfslock stop
chkconfig --level 2345 nfslock off

If you want to restore a service, you can run the following:

service acpid start && chkconfig acpid on

You can also use the setup utility to configure services.
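
Rather than stopping services one by one from memory, the list from chkconfig can be compared against the services the server actually needs. The script below is an added example, not code from the original post: it parses chkconfig --list output (a constructed sample here), picks the services enabled in runlevel 3, and prints the stop/disable commands from this section for everything that is not on an allowlist. The sample output and the names SAMPLE_CHKCONFIG, runlevel3_services and disable_commands are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: review "chkconfig --list"
# against an allowlist and print, without running, the commands that
# stop and disable every other runlevel-3 service.

# Constructed sample of "chkconfig --list" output (not a real host).
SAMPLE_CHKCONFIG="bluetooth   0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond       0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups        0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables    0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix     0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog     0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd        0:off 1:off 2:on  3:on  4:on  5:on  6:off
firstboot   0:off 1:off 2:off 3:off 4:off 5:off 6:off"

# Names of services enabled in runlevel 3 (multi-user text mode, the
# level a server normally runs in). Reads chkconfig output from stdin.
runlevel3_services() {
    awk '/3:on/ { print $1 }'
}

# For every runlevel-3 service not in the allowlist, print the commands
# the post uses to stop it now and keep it off across reboots.
# Args: allowed service names. Reads chkconfig output from stdin.
disable_commands() {
    allowed=" $* "
    runlevel3_services | while read -r svc; do
        case "$allowed" in
            *" $svc "*) ;;   # needed on this server, keep
            *) printf 'service %s stop && chkconfig --level 2345 %s off\n' "$svc" "$svc" ;;
        esac
    done
}

# Stand-alone run on the constructed sample with a typical server allowlist.
printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands crond iptables rsyslog sshd
```

On a real host, feed it the live output (chkconfig --list | disable_commands crond iptables rsyslog sshd ...), read the printed commands, and only then run them; keep sshd, the firewall and the logger on the allowlist or you lock yourself out of a server with no logs.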
3. Disable IPv6

IPv6 was designed to solve IPv4 address exhaustion, but our servers rarely use it. Disabling IPv6 will not only speed up the network but also help reduce management overhead and raise the level of security. Follow these steps to completely disable IPv6 on CentOS.
Prevent the IPv6 module from loading

To keep the system from loading the IPv6-related modules, the modprobe configuration must be changed. For ease of management, create a new configuration file /etc/modprobe.d/ipv6off.conf with the following content:

alias net-pf-10 off
options ipv6 disable=1

Disable IPv6 networking so that it is not started at boot:

# vi /etc/sysconfig/network

Disable the IPv6 settings of the network adapter so that it runs in IPv4 mode only:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Turn off ip6tables:

# chkconfig ip6tables off

Restart the system and verify that the changes took effect:

# lsmod | grep ipv6
# ifconfig | grep -i inet6

If neither command prints anything, the IPv6 module is disabled.
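
The two vi steps above do not show which lines to change. The following script is an added example, not part of the original post: it writes the three settings (the modprobe file, NETWORKING_IPV6=no in /etc/sysconfig/network, IPV6INIT=no in ifcfg-eth0) under a prefix directory and checks them, so the change can be rehearsed in a scratch tree before it is applied to / on a real host. The prefix variable ROOT and the functions set_kv, disable_ipv6_config and ipv6_config_ok are assumptions of the example; NETWORKING_IPV6 and IPV6INIT are the keys the CentOS 6 network scripts read.

```shell
#!/bin/sh
# Added example, not from the original post: apply the IPv6-off settings
# to a configuration tree under a prefix and verify them. Run with an
# empty ROOT only on the real host, as root, after rehearsing elsewhere.

# Set KEY=VALUE in a sysconfig-style file, replacing an existing line for
# the key or appending one, so the function is safe to re-run.
set_kv() {   # set_kv FILE KEY VALUE
    file=$1 key=$2 value=$3
    touch "$file"
    grep -v "^${key}=" "$file" > "$file.tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

disable_ipv6_config() {   # disable_ipv6_config ROOT
    root=$1
    mkdir -p "$root/etc/modprobe.d" "$root/etc/sysconfig/network-scripts"
    # 1. keep the ipv6 module from loading (the file from the post)
    printf 'alias net-pf-10 off\noptions ipv6 disable=1\n' > "$root/etc/modprobe.d/ipv6off.conf"
    # 2. tell the network service not to bring up IPv6
    set_kv "$root/etc/sysconfig/network" NETWORKING_IPV6 no
    # 3. run eth0 in IPv4-only mode
    set_kv "$root/etc/sysconfig/network-scripts/ifcfg-eth0" IPV6INIT no
}

# Return 0 when all three settings are present, non-zero otherwise.
ipv6_config_ok() {   # ipv6_config_ok ROOT
    root=$1
    grep -qx 'options ipv6 disable=1' "$root/etc/modprobe.d/ipv6off.conf" 2>/dev/null &&
    grep -qx 'NETWORKING_IPV6=no' "$root/etc/sysconfig/network" 2>/dev/null &&
    grep -qx 'IPV6INIT=no' "$root/etc/sysconfig/network-scripts/ifcfg-eth0" 2>/dev/null
}

# Stand-alone rehearsal in a scratch tree seeded with constructed files
# resembling a fresh install.
ROOT=${ROOT:-$(mktemp -d)}
mkdir -p "$ROOT/etc/sysconfig/network-scripts"
printf 'NETWORKING=yes\nHOSTNAME=example.localdomain\n' > "$ROOT/etc/sysconfig/network"
printf 'DEVICE=eth0\nONBOOT=yes\nIPV6INIT=yes\n' > "$ROOT/etc/sysconfig/network-scripts/ifcfg-eth0"
disable_ipv6_config "$ROOT"
ipv6_config_ok "$ROOT" && echo "IPv6 disabled in $ROOT; reboot the real host, then check lsmod and ifconfig"
```

The existing IPV6INIT=yes line is replaced rather than duplicated, which matters because the network scripts take the last assignment in the file; the lsmod and ifconfig checks from the post remain the final proof after the reboot.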
4. iptables rules

Enable the Linux firewall to block unauthorized access. iptables rules filter inbound, outbound and forwarded packets; we can allow or deny access to specific UDP/TCP ports by source and destination address.

For the iptables rules themselves, refer to the blog post with a firewall setup example.
5. SSH security settings

If possible, the first thing to do is change SSH's default port 22 to a higher port such as 20002. This greatly improves safety by reducing the chance of an SSH brute-force login.

Create recognizable application users, such as crm, and a system-management user, sysmgr:

# useradd crm -d /apps/crm
# passwd crm

# useradd sysmgr
# passwd sysmgr

5.1 Allow only users in the wheel group to su

# usermod -G wheel sysmgr

# vi /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid

Any other user who tries to su to root gets "su: incorrect password", even when the password entered is correct.
5.2 Login timeout

Disconnect a logged-in user after 5 minutes without activity; add to /etc/profile:

export TMOUT=300
readonly TMOUT

5.3 Prohibit direct remote root login

# vi /etc/ssh/sshd_config
PermitRootLogin no

5.4 Limit the number of login failures and lock the account

Add to /etc/pam.d/login:

auth required pam_tally2.so deny=6 unlock_time=180 even_deny_root root_unlock_time=180

After 5 failed logins the account is locked for 180 seconds; adjust the values, including those for root, as needed.
5.5 Login IP restrictions

(Not configured here, because there is no fixed IP or IP binding.)
A stricter limit is to fix the allowed SSH users and source IPs in sshd_config:

## allowed ssh users sysmgr
AllowUsers sysmgr@172.29.73.*

Or use TCP wrappers:

vi /etc/hosts.deny

vi /etc/hosts.allow

6. Configure key-file-only login

Using key files instead of plain password authentication greatly improves security:

[username@host ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # the default path; press Enter
Enter passphrase (empty for no passphrase):                 # enter your passphrase; it is used at login
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 root@ibpak.tp-link.net
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image omitted)

Rename the public key to authorized_keys:

$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Download the id_rsa private key file to your local machine (to make it easier to identify, it can be renamed to hostname_username_id_rsa) and keep it somewhere safe. From now on, the username user must log in to this host with the private key and its passphrase (the user's password is no longer used for login).

Also, modify /etc/ssh/sshd_config and uncomment:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

We require the username user (you can pick a different user; root in particular) to log in with an SSH key file only, while other ordinary users can still log in directly with a password. Therefore add to sshd_config:

Match User itsection
PasswordAuthentication no

Restart the sshd service with service sshd restart. A word of warning: the public key and the private key must be kept separately, with the private key on another machine. If the public key on the server is lost, or the connecting side loses the private key (or its passphrase), it may become impossible to log in to the server and obtain root privileges!
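
The sshd_config changes from sections 5.3, 5.5 and 6 are easy to get wrong by hand: a setting added after a Match line applies only to that block, and a stock file has most options commented out. The script below is an added example, not code from the original post: it applies those settings to a copy of the file and reads the effective values back, using a constructed fragment of a CentOS 6 sshd_config. The port, user and source pattern are the ones the post uses as examples; SAMPLE_SSHD_CONFIG and the functions sshd_set, sshd_get and sshd_harden are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the sshd_config edits
# from sections 5.3, 5.5 and 6 on a copy before touching /etc/ssh/sshd_config.

# Constructed fragment of a stock CentOS 6 sshd_config (not a real host's file).
SAMPLE_SSHD_CONFIG='# constructed sample
#Port 22
#PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

# Set a global option: replace the first (possibly commented-out) line for
# it, insert it before the first Match block if there is none, or append.
# Lines after a Match header only apply to that block, so we never write there.
sshd_set() {   # sshd_set FILE OPTION VALUE
    awk -v opt="$2" -v val="$3" '
        /^[ \t]*Match[ \t]/ && !done { print opt " " val; done = 1 }
        !done && $0 ~ "^[ \t]*#?[ \t]*" opt "[ \t]" { print opt " " val; done = 1; next }
        { print }
        END { if (!done) print opt " " val }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the effective global value of an option: the first active line before any Match.
sshd_get() {   # sshd_get FILE OPTION
    awk -v opt="$2" '/^[ \t]*Match[ \t]/ { exit } $1 == opt { print $2; exit }' "$1"
}

sshd_harden() {   # sshd_harden FILE PORT KEYONLY_USER SOURCE_PATTERN
    sshd_set "$1" Port "$2"                          # move off the default port 22
    sshd_set "$1" PermitRootLogin no                 # 5.3: no direct remote root login
    sshd_set "$1" RSAAuthentication yes              # 6: enable key authentication
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" AuthorizedKeysFile .ssh/authorized_keys
    sshd_set "$1" AllowUsers "$3@$4"                 # 5.5: only this user from this source
    # 6: key-only login for this user; other users may still use passwords
    if ! grep -q "^Match User $3\$" "$1"; then
        printf '\nMatch User %s\n    PasswordAuthentication no\n' "$3" >> "$1"
    fi
}

# Stand-alone rehearsal on the constructed sample.
cfg=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$cfg"
sshd_harden "$cfg" 20002 sysmgr '172.29.73.*'
echo "PermitRootLogin is now: $(sshd_get "$cfg" PermitRootLogin)"
cat "$cfg"
rm -f "$cfg"
```

On the real file, run sshd -t after editing to have sshd check the syntax, keep your current session open, and confirm a second key-based login on the new port succeeds before closing it; that guards against the lock-out the post warns about above.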
7. Reduce the command history size

Keeping a long record of executed commands makes maintenance easier to some extent, but it also brings security issues.

vi /etc/profile

Find HISTSIZE=1000 and change it to HISTSIZE=50, or clear the history every time you exit.
8. Special file permissions

Set the immutable attribute on the following files so that unauthorized users cannot change them:

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services   # the system services list; locking the file prevents unauthorized removal or addition of a service
chattr +i /etc/pam.d/su
chattr +i /etc/ssh/sshd_config

Display the file attributes:

lsattr /etc/passwd /etc/shadow /etc/services /etc/ssh/sshd_config

Note: after the chattr commands above have been applied, you cannot add or remove users.

If you want to add or remove a user, you first have to undo this setting (for example, remove the immutable attribute from /etc/passwd with chattr -i), perform the addition or removal, and then run the commands above again. (Remember to restore the immutable attribute.)
9. Prevention of network attacks

Network attacks cannot be avoided with a few lines of configuration; the following simple measures reduce the likelihood and raise the difficulty of an attack, but do not stop it.
9.1 Block ping

If nobody can ping your system, security naturally increases, and this is effective against ping floods. Add the following line to /etc/rc.d/rc.local:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or use iptables to block ping (incoming ICMP echo requests are type 8):

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP

Do not allow pinging other hosts (outgoing echo requests):

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

9.2 Prevent IP spoofing

Edit /etc/host.conf and add the following lines to guard against IP spoofing attacks:

order hosts,bind   # order of name resolution
multi on           # allow a host to have multiple IP addresses
nospoof on         # reject IP address spoofing

9.3 Prevent DoS attacks

Setting resource limits for all system users, such as the maximum number of processes and memory usage, can prevent DoS-style attacks.
Add the following lines to /etc/security/limits.conf:

* soft core 0
* soft nproc 2048
* hard nproc 16384
* soft nofile 1024
* hard nofile 65536

core 0 prevents the creation of core files

nproc limits the maximum number of processes; for example, nproc 20 limits a user to 20 processes

nofile limits the number of files open at the same time; for example, nofile 64 limits a user to 64 open files

* applies to all users who log on to the system, excluding root

Then make sure the following line exists in /etc/pam.d/login:

session required pam_limits.so

The values in limits.conf need to be adjusted to the specific circumstances.
10. Fix known security vulnerabilities

Occasionally a destructive-level vulnerability appears in Linux, such as the udev, Heartbleed, ShellShock or Ghost bugs; if the server is exposed to the network, it must be patched promptly.
11. Periodic log auditing

Move the logs to a dedicated log server; this keeps intruders from easily altering the local logs. The default log files commonly used on Linux are:

/var/log/messages – system and current activity log

/var/log/auth.log – authentication log

/var/log/cron – crond (cron task) log

/var/log/maillog – mail server log

/var/log/secure – authentication (security) log

/var/log/wtmp – history of logons, logoffs, startups and shutdowns; the lastb command shows failed user logons

/var/run/utmp – information on currently logged-on users; the source for the w and who commands

/var/log/yum.log – yum log

See also the post on in-depth intrusion investigation on CentOS through the logs.
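
The log list above says where to look but not what to look for. The script below is an added example, not code from the original post: it scans /var/log/secure style lines for the events the earlier sections make relevant (failed SSH logins grouped by source address, successful logins with their method and source, failed su attempts). The log lines are constructed for the example using documentation-range addresses, and SAMPLE_SECURE together with the function names are assumptions of the example; on a real host the functions read /var/log/secure on stdin.

```shell
#!/bin/sh
# Added example, not from the original post: summarize /var/log/secure
# style lines into the few numbers worth checking during a periodic review.

# Constructed sample log lines (CentOS 6 sshd/pam format, not from a real host).
SAMPLE_SECURE='Mar  3 10:12:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  3 10:12:03 web1 sshd[2301]: Failed password for root from 203.0.113.45 port 51823 ssh2
Mar  3 10:12:05 web1 sshd[2305]: Failed password for root from 203.0.113.45 port 51824 ssh2
Mar  3 10:13:10 web1 sshd[2310]: Accepted publickey for sysmgr from 172.29.73.10 port 40122 ssh2
Mar  3 10:15:44 web1 sshd[2320]: Failed password for sysmgr from 198.51.100.7 port 33001 ssh2
Mar  3 10:16:00 web1 su: pam_unix(su:auth): authentication failure; logname=crm uid=501 euid=0 tty=pts/1 ruser=crm rhost=  user=root
Mar  3 10:16:30 web1 sshd[2330]: Accepted password for crm from 172.29.73.11 port 40200 ssh2'

# Failed SSH password attempts per source address, most frequent first.
# Reads log lines from stdin; prints "COUNT IP" per line.
failed_ssh_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Source addresses with at least N failures (N is arg 1): candidates for
# the iptables or hosts.deny restrictions from sections 4 and 5.5.
sources_over_threshold() {
    failed_ssh_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Successful logins as "USER METHOD IP", to compare against the expected
# users (sysmgr, crm) and source networks.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ { print $9, $7, $11 }'
}

# Number of failed su attempts (relevant once su is restricted to wheel, 5.1).
su_failures() {
    awk '/su: pam_unix\(su:auth\): authentication failure/ { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample (on a real host: < /var/log/secure).
echo "Failed SSH logins by source:";   printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_by_source
echo "Sources with 3 or more failures:"; printf '%s\n' "$SAMPLE_SECURE" | sources_over_threshold 3
echo "Accepted logins:";                 printf '%s\n' "$SAMPLE_SECURE" | accepted_logins
echo "Failed su attempts:";              printf '%s\n' "$SAMPLE_SECURE" | su_failures
```

Because the post moves logs to a dedicated log server, this is best run there against the forwarded copy, where an intruder on the web host cannot have edited the lines first.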
11.1 Install LogWatch

Logwatch is a log analysis tool written in Perl. It analyzes Linux log files and automatically mails the results to the relevant personnel, and can be customized as needed.

Logwatch's mail function uses the host system's mail server, so the system needs a mail server such as sendmail, postfix or qmail installed.

For installation and configuration, see the blog post Linux LogWatch log monitoring.
12. Web server security

For the configuration of services like Apache or Tomcat, if there is a security problem you can consult the corresponding hardening document. A new article will be added in the future.