Personal experience of CentOS system security reinforcement

CentOS Linux servers are widely used in enterprises of every size.
Whether you run servers at an IDC or administer them inside a company, keep one rule in mind:
minimum permissions + minimum services = maximum security!
So whenever a server is set up, shut down every service that is not used and reduce system permissions to the minimum, so that the server is as secure as it can be.
The CentOS server security settings below are offered for your reference.
Remember: before performing any of these operations, back up the corresponding configuration file under /etc, so that you can restore it later if something goes wrong!
One, comment out users and user groups the system does not need
Note: commenting out is preferable to deleting; if a user turns out to be needed later, restoring a deleted one is more trouble.
cp /etc/passwd /etc/passwdbak # back up before modifying
vi /etc/passwd # edit the file, prefix a line with # to comment it out
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin # comment out the anonymous FTP account
cp /etc/group /etc/groupbak # back up before modifying
vi /etc/group # edit the group file, prefix a line with # to comment it out
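The following shell functions are an added example, not part of the original article: they do what this section describes on a copy of the file rather than by hand, keeping the first backup (passwdbak, as above), commenting out exactly the named accounts, and listing which accounts still have a real login shell so you can decide what else to disable. The sample passwd lines are constructed for the demo; the account names and paths are assumptions, not taken from any real host.

```shell
# Comment out the named accounts in a passwd- or group-format file.
# Usage: comment_out_accounts FILE name [name ...]
# The first backup (FILEbak, as in the article) is kept; later runs do not overwrite it,
# so the pristine original survives repeated edits. Uses GNU sed -i.
comment_out_accounts() {
    file=$1; shift
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -f "${file}bak" ] || cp -p "$file" "${file}bak"
    for name in "$@"; do
        # Anchor on "^name:" so that "ftp" does not also hit "sftpuser" or "ftpadmin",
        # and skip names that are already commented out, which keeps the edit idempotent.
        if grep -q "^${name}:" "$file"; then
            sed -i "s/^${name}:/#${name}:/" "$file"
        fi
    done
}

# Print the accounts in a passwd file that still have a real login shell (neither
# commented out nor set to nologin/false): the candidates to review before disabling.
accounts_with_login_shell() {
    awk -F: '!/^#/ && $NF !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Count how many of the given names are commented out in FILE.
count_disabled() {
    file=$1; shift
    n=0
    for name in "$@"; do
        if grep -q "^#${name}:" "$file"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample passwd file (hypothetical accounts, not copied from a real system).
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
sftpuser:x:501:501::/home/sftpuser:/bin/bash
EOF
}
```

Run it against a copy first (make_sample_passwd /tmp/passwd; comment_out_accounts /tmp/passwd ftp games) and diff against the backup before touching /etc/passwd; note that commenting a line in /etc/passwd leaves the matching /etc/shadow entry in place, which is exactly why restoring later is easy.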
Two, turn off system services you do not need
service acpid stop; chkconfig acpid off # stop the service and remove it from startup; ACPI power management, mainly useful on laptops
service autofs stop; chkconfig autofs off # automatic mounting of filesystems and removable devices
service bluetooth stop; chkconfig bluetooth off # Bluetooth
service cpuspeed stop; chkconfig cpuspeed off # CPU frequency scaling, mainly for power saving
service cups stop; chkconfig cups off # Common UNIX Printing System (printer support)
service ip6tables stop; chkconfig ip6tables off # the IPv6 firewall; stopping it does not disable IPv6 itself, so only do this on hosts where IPv6 is disabled or unused
If you want to restore a service, run the reverse:
service acpid start; chkconfig acpid on
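Deciding what to turn off is easier with a list than with memory. The script below is an added example, not code from the article: it reads `chkconfig --list` output (the same format section Eight prints for yum-updatesd) from stdin, flags every SysV service enabled in runlevel 3 or 5 and every xinetd service that is on, skips an allowlist, and prints the matching stop/disable commands for review instead of running them. The allowlist and the sample `chkconfig --list` output are constructed assumptions, not taken from a real host.

```shell
# Services that must stay enabled on this host. Assumption for the example; adjust per server.
KEEP_SERVICES="sshd network syslog crond iptables"

# Read `chkconfig --list` output on stdin and print one "kind name" line for every
# service that is enabled but not in KEEP_SERVICES:
#   sysv NAME   -> a SysV script that is "on" in runlevel 3 or 5
#   xinetd NAME -> an xinetd-managed service that is "on"
unexpected_services() {
    awk -v keep="$KEEP_SERVICES" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^xinetd based services:/ { inx = 1; next }
        # xinetd block lines look like "<tab>telnet:<tab>on"
        inx && $1 ~ /:$/ {
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in allow)) print "xinetd", name
            next
        }
        # SysV lines look like "acpid  0:off 1:off 2:on 3:on 4:on 5:on 6:off"
        $2 ~ /^0:/ {
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") { if (!($1 in allow)) print "sysv", $1; break }
        }'
}

# Turn the audit result into the commands the article uses, printed for review.
# SysV services are stopped and removed from startup; xinetd services only need
# chkconfig, since the xinetd daemon itself keeps running.
disable_commands() {
    unexpected_services | while read -r kind name; do
        case $kind in
            sysv)   printf 'service %s stop; chkconfig %s off\n' "$name" "$name" ;;
            xinetd) printf 'chkconfig %s off\n' "$name" ;;
        esac
    done
}

count_unexpected() { unexpected_services | wc -l | tr -d ' '; }

# Constructed sample output (hypothetical host), in the format chkconfig --list prints.
SAMPLE_CHKCONFIG='acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
        telnet: on'
```

On a live host run `chkconfig --list | disable_commands`, read the list, and only then paste the lines you agree with; the allowlist is the place to record what a given server is actually for.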
Three, stop non-root users from running (or reading) the init scripts in /etc/rc.d/init.d/
chmod -R 700 /etc/rc.d/init.d/*
chmod -R 755 /etc/rc.d/init.d/* # restore the default permissions
Four, set the immutable attribute on the following files so that they cannot be changed, preventing unauthorized modification
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services # the system's service/port list; locking it prevents a service entry from being deleted or added
lsattr /etc/services # show the file attributes
Note: once these attributes are set it is impossible to add or remove users, and passwd/chage cannot update /etc/shadow either, since all of these tools rewrite the locked files.
To add or remove a user, remove the attribute first, make the change, then lock the files again:
chattr -i /etc/passwd # remove the immutable attribute
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services # unlock the services list
You can now add or remove users; afterwards, lock the files again with the chattr +i commands above.
Keep in mind that anyone with root can remove the attribute just as easily, so this guards against mistakes and careless scripts rather than against an attacker who already has root.
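Because every user change needs the unlock / change / relock sequence above, it is easy to forget the relock, especially when useradd fails halfway. The helper below is an added example, not from the article: it unlocks the file list from this section, runs the command you give it, and relocks in every case (including failure or Ctrl-C) through an exit trap. LOCKED_FILES mirrors the files locked in this section; on a real system the helper must run as root, and is_immutable relies on lsattr's flag column.

```shell
# Files this section locks with chattr +i.
LOCKED_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"

lock_files()   { chattr +i $LOCKED_FILES; }
unlock_files() { chattr -i $LOCKED_FILES; }

# Report whether FILE carries the immutable attribute, by parsing lsattr's flag
# column (e.g. "----i--------e-- /etc/passwd"); only the lowercase i flag means immutable.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# Run COMMAND with the files unlocked, and relock no matter how COMMAND ends.
# Usage: with_unlocked useradd -m -s /bin/bash alice
with_unlocked() {
    # The EXIT trap also fires if the shell dies under set -e or on Ctrl-C (INT),
    # so a failing useradd cannot leave /etc/shadow writable.
    trap 'lock_files' EXIT INT TERM
    unlock_files
    "$@"
    rc=$?
    lock_files
    trap - EXIT INT TERM
    return $rc
}
```

Wrap every account change the same way (with_unlocked userdel bob; with_unlocked passwd alice) and check is_immutable /etc/shadow afterwards; the exit status of the wrapped command is passed through, so scripts can still react to a failed useradd.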
Five, set attributes on other files
chattr +a .bash_history # append-only: prevents .bash_history from being deleted, truncated or redirected to /dev/null (bash must then run with histappend set, otherwise its default rewrite of the file on logout fails)
chattr +i .bash_history # immutable; note that with +i the shell can no longer write to the file at all, so use +a alone if history should keep being recorded
The same lock-and-restore pattern can be applied to the vim, tail, less and head binaries, each with a matching command to restore the original setting.
Six, prevent Ctrl+Alt+Del from rebooting the server
cp /etc/inittab /etc/inittabbak
vi /etc/inittab # comment out the following line
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
(This applies to SysV init with /etc/inittab, i.e. CentOS 5; CentOS 6 handles the key combination in /etc/init/control-alt-delete.conf, and on systemd-based CentOS 7 the equivalent is systemctl mask ctrl-alt-del.target.)
Seven, do not upgrade the kernel when running yum update; update packages only. Because of compatibility issues between the kernel and the hardware, a kernel upgrade can leave the server unable to boot, which is a disaster on a remote machine, so unless there is a specific need, upgrading the kernel casually is not recommended. Bear in mind that this also skips kernel security fixes, so plan kernel updates deliberately, with a maintenance window and console access, rather than never.
cp /etc/yum.conf /etc/yum.confbak
1, modify the yum configuration file: add exclude=kernel* at the end of the [main] section of /etc/yum.conf
2, or pass the exclusion directly on the yum command line (quote the pattern so the shell does not expand it against files in the current directory):
yum --exclude='kernel*' update
View the distribution version: cat /etc/issue
View the kernel version: uname -r
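Editing yum.conf by hand makes it easy to end up with duplicate exclude= lines or a line in the wrong section. The function below is an added example, not from the article: it makes the edit idempotently on the yum.conf you point it at, keeping the first backup as above, merging the pattern into an existing exclude= line in [main] if there is one, or inserting the line into [main] otherwise (yum accepts a space-separated list in exclude=). The sample yum.conf is constructed.

```shell
# Ensure PATTERN is listed in the exclude= option of the [main] section of FILE.
# Usage: ensure_yum_exclude /etc/yum.conf 'kernel*'
ensure_yum_exclude() {
    file=$1; pattern=$2
    [ -f "${file}bak" ] || cp -p "$file" "${file}bak"   # keep the first backup, as the article does
    awk -v pat="$pattern" '
        /^\[/ {
            # Leaving [main] without having seen an exclude= line: add one before the next section.
            if (inmain && !done) { print "exclude=" pat; done = 1 }
            inmain = ($0 == "[main]")
        }
        inmain && !done && /^exclude[ \t]*=/ {
            v = $0; sub(/^exclude[ \t]*=[ \t]*/, "", v)
            n = split(v, items, /[ ,]+/)
            for (i = 1; i <= n; i++)
                if (items[i] == pat) { print; done = 1; next }   # already listed: keep the line as is
            print $0 " " pat; done = 1; next                      # merge into the existing list
        }
        { print }
        END {
            if (!done) {
                if (!inmain) print "[main]"     # the file had no [main] section at all
                print "exclude=" pat
            }
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the exclude list currently set in [main] (empty output if none).
yum_main_exclude() {
    awk '/^\[/ { inmain = ($0 == "[main]") }
         inmain && /^exclude[ \t]*=/ { v = $0; sub(/^exclude[ \t]*=[ \t]*/, "", v); print v }' "$1"
}

# Constructed sample yum.conf (hypothetical), in the layout CentOS ships.
make_sample_yum_conf() {
    cat > "$1" <<'EOF'
[main]
cachedir=/var/cache/yum
keepcache=0
gpgcheck=1

[base]
name=CentOS Base
EOF
}
```

After running it, yum_main_exclude /etc/yum.conf shows the effective list; running the function again is a no-op, and a second pattern is appended to the same line rather than creating a new one.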
Eight, turn off CentOS automatic updates
chkconfig --list yum-updatesd # show the current status
yum-updatesd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
service yum-updatesd stop # stop the running service
Stopping yum-updatesd: [ OK ]
service yum-updatesd status # check that it has stopped
yum-updatesd is stopped
chkconfig --level 35 yum-updatesd off # do not start at boot in runlevels 3 and 5
chkconfig --list yum-updatesd # show the current status
yum-updatesd 0:off 1:off 2:on 3:off 4:on 5:off 6:off
chkconfig yum-updatesd off # or disable it in every startup runlevel (2, 3, 4 and 5) at once
Nine, close the redundant virtual consoles
When you switch from the console to X you usually press Alt-F7. Why F7? Because the system defines 6 virtual consoles by default and X is the 7th.
In practice most people do not need that many virtual consoles, so edit /etc/inittab and comment out the ones you do not need (keep at least tty1).
cp /etc/inittab /etc/inittabbak
vi /etc/inittab
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
Ten, delete the MySQL history
The MySQL client records every SQL statement a user executes in the .mysql_history file in that user's home directory.
If a database user changes a database password with an SQL statement, that password is leaked into .mysql_history.
Likewise, when logging in from the shell, do not put the password directly after -p on the command line, where it ends up in .bash_history; enter it at the prompt instead.
To be safe, stop these two files from recording anything at all. (Note that this discards the shell history section Five set out to protect; decide per host which matters more.)
cp .bash_history .bash_historybak # back up
cp .mysql_history .mysql_historybak
rm .bash_history .mysql_history
ln -s /dev/null .bash_history
ln -s /dev/null .mysql_history
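Before pointing the history files at /dev/null it is worth checking whether a password has already been recorded, so that the leaked one can be changed. The functions below are an added example, not part of the article: the first flags history lines carrying a plaintext password (a password glued to -p, --password=, IDENTIFIED BY, SET PASSWORD; a bare -p, which makes the client prompt, is deliberately not flagged), the second performs the backup / remove / symlink steps of this section in a given home directory. The sample history is constructed and the passwords in it are invented.

```shell
# Print the lines of a history file that carry a plaintext password.
# Flags: a mysql/mysqladmin/mysqldump command with the password glued to -p or given
# via --password=, and SQL that sets a password (IDENTIFIED BY, SET PASSWORD).
# A bare "-p" (which makes the client prompt) is intentionally not flagged.
leaked_password_lines() {
    grep -E -i \
        -e 'mysql[a-z]*[[:space:]].*[[:space:]]-p[^[:space:]]+' \
        -e 'mysql[a-z]*[[:space:]].*--password=[^[:space:]]+' \
        -e 'identified[[:space:]]+by[[:space:]]' \
        -e 'set[[:space:]]+password' \
        "$1" || true          # no matches is not an error
}

count_leaked_passwords() { leaked_password_lines "$1" | awk 'END { print NR }'; }

# The article's remedy for one home directory: back up both history files, remove them
# and point them at /dev/null so nothing further is recorded.
# Usage: neutralize_history /home/alice
neutralize_history() {
    home=$1
    for f in .bash_history .mysql_history; do
        if [ -e "$home/$f" ]; then cp -p "$home/$f" "$home/${f}bak"; fi
        rm -f "$home/$f"
        ln -s /dev/null "$home/$f"
    done
}

# Constructed sample history (hypothetical commands; the passwords are invented).
make_sample_history() {
    cat > "$1" <<'EOF'
mysql -uroot -pS3cret! mydb
mysql -u root -p
mysqldump --password=hunter2 mydb > dump.sql
SET PASSWORD FOR 'app'@'localhost' = PASSWORD('Winter2024');
GRANT ALL ON db.* TO 'bob'@'%' IDENTIFIED BY 'bobpw';
select count(*) from users;
cp -pr /etc/skel /root/skel-backup
EOF
}
```

Run leaked_password_lines over every user's .bash_history and .mysql_history (and over the backups this section creates, which still hold the old contents) and rotate any password it finds; only then is neutralize_history worth the lost audit trail.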
Eleven, change how many command history records are kept
cp /etc/profile /etc/profilebak
vi /etc/profile # the HISTSIZE line controls how many commands are kept
Twelve, hide the server system information
By default, when you log in to a Linux system, the banner reveals the distribution name and version, the kernel version and the server's host name.
So that this information is not disclosed before authentication, remove it so that only a "login:" prompt is shown.
Delete /etc/issue and /etc/issue.net (rm -f /etc/issue /etc/issue.net); /etc/issue is the local console banner, /etc/issue.net the one used for remote logins such as telnet, or sshd when its Banner option points at it.