CentOS server security configuration settings

Among the many server platforms, CentOS is a leader; its own advantages have won it the support of many Internet users. So how is a CentOS server protected? Below are workable solutions to several security problems that a CentOS server faces.

1. Close every port that is not needed on the firewall. If others cannot PING the server, most threats naturally fall away. Keep in mind that hiding from ping only defeats casual discovery: any service left listening is still found by a port scan, so ignoring ping is no substitute for closing unneeded ports.

Ways to prevent others from pinging the server:

1) From the command line (0 means answer pings, 1 means ignore them):

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This takes effect immediately but is lost at reboot; to make it permanent, set the same parameter (net.ipv4.icmp_echo_ignore_all = 1) in /etc/sysctl.conf.

2) Use the firewall to block (drop) ICMP packets:

iptables -A INPUT -p icmp -j DROP

3) With that rule the server no longer answers any ICMP traffic, for example PING and TRACERT. Be aware that it also drops the ICMP types that path MTU discovery and error reporting rely on, so dropping only echo-request is the gentler choice.
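The following script is an added example written for this page, not part of the original article. It turns step 1 into a reviewable iptables baseline: everything not listed is dropped, only ping (echo-request) is discarded rather than all of ICMP, and SSH is reachable only from one trusted network. The SSH port (22022), the admin network (203.0.113.0/24) and the use of "service iptables save" (CentOS 6 style) are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example for this page (not the original article's code).
# Builds a minimal iptables INPUT policy for a CentOS web server.
# Assumptions: SSH listens on $SSH_PORT (hypothetical 22022) and only
# $ADMIN_NET (hypothetical 203.0.113.0/24) may reach it.

SSH_PORT="${SSH_PORT:-22022}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# gen_rules PORT ADMIN_NET: print the iptables commands, one per line,
# without running them, so the rule set can be reviewed before it is applied.
gen_rules() {
    port="$1"
    admin="$2"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -s $admin -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp -j ACCEPT
EOF
}

# apply_rules PORT ADMIN_NET: execute the generated rules (root required)
# and persist them the CentOS 6 way.
apply_rules() {
    gen_rules "$1" "$2" | while IFS= read -r cmd; do
        $cmd
    done
    command -v service >/dev/null 2>&1 && service iptables save
}

# count_rules PORT ADMIN_NET PATTERN: number of generated lines matching PATTERN
# (used to check the rule set without touching the kernel).
count_rules() {
    gen_rules "$1" "$2" | grep -c -- "$3" || true
}

# Dry run: print the rule set for review. Run apply_rules as root to install it.
gen_rules "$SSH_PORT" "$ADMIN_NET"
```

The echo-request rule sits before the catch-all ICMP accept on purpose: pings are dropped while fragmentation-needed and other error messages still arrive. Apply the rules from a console session or with the old SSH port still open until you have confirmed a login on the new port.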

2. Enable PHP safe mode (not recommended on commercial application servers). Note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so this setting only applies to older PHP installations.

# /Local/Zend/etc/php.ini (without Zend Optimizer installed, php.ini is at /etc/php.ini)
safe_mode = On

3. Lock the PHP application to its directory

# vi /etc/httpd/conf.d/virtualhost.conf
php_admin_value open_basedir /***
(replace *** with the site directory; PHP scripts in that virtual host can then only open files below it)

4. Do not give write permission, let alone 777, to directories that do not need it. Keep the site root directory at 711, and set directories that do not need to run PHP to 755.
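As an added example for step 4 (written for this page, not taken from the original article), the script below finds everything under a web root that any user can write to and then applies the modes the article recommends: 711 on the site root, 755 on subdirectories and 644 on files. The directory tree it operates on is constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example for this page (not the original article's code).
# Audits and fixes permissions under a web root. The sample tree below is
# constructed for the demonstration; point the functions at your real site.

# list_world_writable ROOT: print files and directories under ROOT that any
# user can write to (mode bit o+w set), e.g. the classic 777 upload directory.
list_world_writable() {
    find "$1" -perm -002 -print | sort
}

# fix_perms ROOT: 711 on the site root, 755 on subdirectories, 644 on files.
fix_perms() {
    root="$1"
    chmod 711 "$root"
    find "$root" -mindepth 1 -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Constructed demonstration tree (hypothetical paths).
WEBROOT="$(mktemp -d)/site"
mkdir -p "$WEBROOT/uploads" "$WEBROOT/includes"
echo '<?php echo 1;' > "$WEBROOT/index.php"
chmod 777 "$WEBROOT/uploads"      # the mistake the article warns about
chmod 666 "$WEBROOT/index.php"

echo "World-writable before:"
list_world_writable "$WEBROOT"
fix_perms "$WEBROOT"
echo "World-writable after:"
list_world_writable "$WEBROOT"
```

If the application genuinely has to write somewhere (an upload directory, a cache), make that one directory owned by the web server user instead of opening it to everyone, and keep PHP execution out of it with the open_basedir and web server configuration.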

5. Disable unsafe PHP functions (the ones a WebShell relies on)

# /Local/Zend/etc/php.ini (without Zend Optimizer installed, php.ini is at /etc/php.ini)
disable_functions = system,exec,shell_exec,passthru,popen

The list I use on my own server is:

disable_functions = passthru,exec,shell_exec,system,set_time_limit,ini_alter,dl,pfsockopen,openlog,syslog,readlink,symlink,link,leak,fsockopen,popen,escapeshellcmd,error_log
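The script below is an added check for steps 3 and 5, written for this page rather than taken from the original article. It reads a php.ini and reports which of the dangerous functions are still allowed, and reads an Apache virtual host file to confirm that open_basedir is set. The php.ini and virtual host files it parses are constructed samples; the function list is the article's own short list plus proc_open, which is an assumption the article does not make.

```shell
#!/bin/sh
# Added example for this page (not the original article's code).
# Audits php.ini for disable_functions and a vhost file for open_basedir.

# Functions that should be disabled: the article's list plus proc_open
# (proc_open is an addition assumed here, not from the article).
REQUIRED_DISABLED="system exec shell_exec passthru popen proc_open"

# disabled_functions INI: the value of disable_functions from INI as a
# space-separated list, with trailing comments and extra spaces removed.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/;.*$//; s/,/ /g'
}

# missing_functions INI: names from REQUIRED_DISABLED that INI does not disable.
missing_functions() {
    have=" $(disabled_functions "$1" | tr -s '[:space:]' ' ') "
    for fn in $REQUIRED_DISABLED; do
        case "$have" in
            *" $fn "*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# open_basedir_of VHOST_CONF: the open_basedir value set via php_admin_value
# in an Apache virtual host file, or nothing if it is not set.
open_basedir_of() {
    awk 'tolower($1) == "php_admin_value" && $2 == "open_basedir" { print $3; exit }' "$1"
}

# Constructed sample php.ini (not a real server's file).
SAMPLE_INI="$(mktemp)"
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample
safe_mode = Off
disable_functions = system,exec, shell_exec ,passthru,popen ; trailing comment
EOF

# Constructed sample virtual host (hypothetical document root).
SAMPLE_VHOST="$(mktemp)"
cat > "$SAMPLE_VHOST" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/site
    php_admin_value open_basedir /var/www/site:/tmp
</VirtualHost>
EOF

echo "Still allowed in $SAMPLE_INI:"
missing_functions "$SAMPLE_INI"
echo "open_basedir: $(open_basedir_of "$SAMPLE_VHOST")"
```

Run missing_functions against the php.ini that the web server actually loads (check with phpinfo or php --ini), since a Zend or vendor install often ships its own copy. Remember that disable_functions only covers calls made through PHP; a script that writes a file into a directory the web server can both write and execute still needs open_basedir and the permissions from step 4 to contain it.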

The methods above handle these CentOS server security problems with little effort.

6. Change the SSH port and restrict which IP addresses may log in via SSH

Change the SSH port, preferably to one above 10000; port scanners are less likely to probe high ports.

vi /etc/ssh/sshd_config

Change the Port line to a high port as described above, and open that port in the firewall before restarting sshd. Also create an ordinary login user and disable direct root login:

useradd username
passwd username

vi /etc/ssh/sshd_config

At the end of the file, add the following line:

# disable direct remote root login
PermitRootLogin no

sshd_config does not accept a comment after a directive on the same line, so keep the comment on its own line. If an uncommented PermitRootLogin line already appears earlier in the file, that earlier line wins; comment it out or change it in place.
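The following script is an added example for step 6, written for this page and not part of the original article. It rewrites sshd_config so that the port, PermitRootLogin and an AllowUsers restriction (user at a trusted network, which is how the "restrict SSH login IP" part of the heading can be done in sshd itself) are set exactly once, replacing commented-out defaults instead of appending duplicates. The port 22022, the user webadmin and the network 203.0.113.0/24 are hypothetical, and the file it edits is a constructed copy rather than the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example for this page (not the original article's code).
# Sets Port, PermitRootLogin and AllowUsers in an sshd_config file.
# Assumed values: port 22022, user webadmin, network 203.0.113.0/24.

# set_directive CONF KEY VALUE: replace an existing KEY line, commented or
# not, with "KEY VALUE"; append the line when KEY is absent.
set_directive() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^[#[:space:]]*$key[[:space:]]" "$conf"; then
        sed -i "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# harden_sshd CONF PORT USER NET: the settings from step 6 of the article,
# plus AllowUsers USER@NET so only that user from that network may log in.
harden_sshd() {
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "$3@$4"
}

# get_directive CONF KEY: the effective value (first uncommented match,
# which is also the one sshd honours).
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Constructed sample config standing in for /etc/ssh/sshd_config.
CONF="$(mktemp)"
cat > "$CONF" <<'EOF'
#Port 22
#PermitRootLogin yes
Protocol 2
EOF

harden_sshd "$CONF" 22022 webadmin 203.0.113.0/24
cat "$CONF"
# On a real host: open the new port in the firewall first, then run
#   sshd -t && service sshd restart
# from a session you keep open until a second login on the new port works.
```

AllowUsers with a user@host pattern rejects the login before password or key checking, which is a useful second layer next to the firewall rule. Always validate with sshd -t before restarting; a typo in sshd_config can otherwise lock you out of a remote machine.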

7. Change the following file attributes so that nobody can alter the accounts. Do this after step 8, because useradd, userdel and passwd cannot modify a file marked immutable; the flag has to be removed again before any later account change.

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

chmod 600 /etc/xinetd.conf

8. Delete the bloated, unnecessary system accounts:

userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp    # delete this account if you do not allow anonymous FTP
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers

After the accounts are removed, lock the account files again so that nobody can alter them:

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

Finally, remember to disable anonymous FTP login.
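As an added example for steps 7 and 8 (written for this page, not from the original article), the script below removes only those of the listed accounts that actually exist, and lifts the immutable flag on the account files before deleting and puts it back afterwards, since userdel and groupdel fail outright while /etc/passwd or /etc/group is marked +i. The dry run at the bottom works on constructed passwd and group excerpts, so it can be run safely on any machine; purge_unused is the part that touches the real system.

```shell
#!/bin/sh
# Added example for this page (not the original article's code).
# Deletes the unused accounts listed in the article, existence-checked,
# with the chattr +i flag lifted around the change and restored afterwards.

UNUSED_USERS="adm lp sync shutdown halt news uucp operator games gopher"
UNUSED_GROUPS="adm lp news uucp games dip pppusers"
ACCOUNT_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow"

# existing_users PASSWD_FILE: names from UNUSED_USERS present in PASSWD_FILE.
existing_users() {
    for u in $UNUSED_USERS; do
        grep -q "^$u:" "$1" && printf '%s\n' "$u"
    done
    return 0
}

# existing_groups GROUP_FILE: names from UNUSED_GROUPS present in GROUP_FILE.
existing_groups() {
    for g in $UNUSED_GROUPS; do
        grep -q "^$g:" "$1" && printf '%s\n' "$g"
    done
    return 0
}

# The immutable flag from step 7 must be removed before any account change
# and restored afterwards.
unlock_accounts() { chattr -i $ACCOUNT_FILES; }
lock_accounts()   { chattr +i $ACCOUNT_FILES; }

# purge_unused: the real removal (root only) on the live system.
purge_unused() {
    unlock_accounts
    for u in $(existing_users /etc/passwd); do userdel "$u"; done
    for g in $(existing_groups /etc/group); do groupdel "$g"; done
    lock_accounts
}

# Constructed passwd/group excerpts for the dry run (not a real host's files).
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
webadmin:x:500:500::/home/webadmin:/bin/bash
EOF
SAMPLE_GROUP="$(mktemp)"
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:
dip:x:40:
EOF

echo "Would delete users:";  existing_users "$SAMPLE_PASSWD"
echo "Would delete groups:"; existing_groups "$SAMPLE_GROUP"
```

Run the dry-run functions against the real /etc/passwd and /etc/group first and review the output; userdel removes a group of the same name only when nothing else uses it, which is why the group list is handled separately.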