General Guide to Linux/CentOS Server Security Configuration

Linux is an open system. Many ready-made programs and tools can be found on the Internet. This is convenient for both users and hackers, because they can easily find programs and tools to sneak into Linux systems or steal important information on Linux systems. However, as long as we carefully configure the various system functions of Linux and take necessary security measures, hackers will have no chance to take advantage.

Generally speaking, security settings for Linux systems include canceling unnecessary services, restricting remote access, hiding important data, patching security holes, using security tools, and regular security checks.

This article is a practical operation for reference. It does not involve principles such as IP spoofing, and security issues cannot be prevented by a few lines of commands.

Here are just the basic security hardening methods on Linux systems, and new content will be added later.

Note: All files must be backed up before modification.

cp /etc/passwd{,.dist}

1. Disable unused users in Linux

Note: It is not recommended to delete directly. When you need a user, it will be troublesome to add it again by yourself. You can also lock it with usermod -L or passwd -l user .

cp /etc/passwd{,.bak} Back up before modifying

vi /etc/passwd Edit the user and add # in front to comment out this line

Username of comment:

# cat /etc/passwd|grep ^#
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
#postfix:x:89:89::/var/spool/postfix:/sbin/nologin

Linux Annotated Groups:

# cat /etc/group|grep ^#
#adm:x:4:adm,daemon
#lp:x:7:daemon
#uucp:x:14:
#games:x:20:
#gopher:x:30:
#video:x:39:
#dip:x:40:
#ftp:x:50:
#audio:x:63:
#floppy:x:19:
#postfix:x:89:

2. Linux shuts down unused services

# chkconfig --list |grep '3:on'

Mail service, using company mail server:

service postfix stop
chkconfig postfix --level 2345 off

Generic Unix printing service, not useful for servers:

service cups stop
chkconfig cups --level 2345 off

Adjust CPU speed to save power, commonly used on Laptop:

service cpuspeed stop
chkconfig cpuspeed --level 2345 off

Bluetooth wireless communication, not useful for servers:

service bluetooth stop
chkconfig bluetooth --level 2345 off

Initial settings after system installation, which are useless after the system is started for the first time:

service firstboot stop
chkconfig firstboot --level 2345 off

Linux shuts down nfs service and client:

service netfs stop
chkconfig netfs --level 2345 off
service nfslock stop
chkconfig nfslock --level 2345 off

If you want to restore a service, you can do the following:

service acpid start && chkconfig acpid on

You can also use the setup tool to set

3. Disable IPV6 in Linux

IPv6 is designed to solve the problem of IPv4 address exhaustion, but our servers generally do not use it. On the contrary, disabling IPv6 will not only speed up the network, but also help reduce management overhead and improve security levels. The following steps completely disable ipv6 on CentOS.

Linux prohibits loading IPv6 modules:

To prevent the system from loading ipv6 related modules, you need to modify modprobe related setting files. For the convenience of management, we create a new setting file /etc/modprobe.d/ipv6off.conf with the following content

alias net-pf-10 off
options ipv6 disable=1

Linux disables IPv6-based networking so that it will not be triggered to start:

# vi /etc/sysconfig/network
NETWORKING_IPV6=no

Linux disables the IPv6 settings of the network card so that it runs only in IPv4 mode:

# vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no

Linux turns off ip6tables:

# chkconfig ip6tables off

Restart the system and verify whether it takes effect:

# lsmod | grep ipv6
# ifconfig | grep -i inet6

If there is no output then the IPv6 module is disabled, otherwise it is enabled.

4. Linux iptables rules

Enable Linux firewall to prevent illegal programs from accessing. Use iptable rules to filter inbound, outbound, and forwarded packets. We can grant or deny access to specific UDP/TCP ports based on source and destination addresses.

For more information about firewall settings, please refer to the blog post iptables settings example.

5. Linux SSH Security

If possible, the first thing to do is to change the default port 22 for ssh. Changing it to a larger port such as 20002 will greatly increase the security factor and reduce the possibility of ssh cracking login.

Create identifiable application users such as crm and system management user sysmgr

# useradd crm -d /apps/crm
# passwd crm

# useradd sysmgr
# passwd sysmgr

5.1 Linux only allows users in the wheel group to switch to su

# usermod -G wheel sysmgr

# vi /etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid

When other users switch to root, they will be prompted with su: incorrect password even if they enter the correct password.

5.2 Linux login timeout

If the user is online for 5 minutes without any operation, the connection will be disconnected. Add the following to /etc/profile:

export TMOUT=300
readonly TMOUT

5.3 Linux prohibits root from logging in remotely

# vi /etc/ssh/sshd_config
PermitRootLogin no

5.4 Linux limits the number of failed logins and locks

Add after /etc/pam.d/login

auth required pam_tally2.so deny=6 unlock_time=180 even_deny_root root_unlock_time=180

If the login fails for 5 times, the system will be locked for 180 seconds. You can set whether to include root as needed.

5.5 Linux login IP restriction

(Since it needs to be bound to a fixed IP or IP segment, it has not been set yet)

A more stringent restriction is to define the users and source IP addresses allowed for ssh in sshd_config:

## allowed ssh users sysmgr
AllowUsers [email protected].*
Or use tcpwrapper:

vi /etc/hosts.deny
sshd:all
vi /etc/hosts.allow
sshd:172.29.73.23
sshd:172.29.73.

6. Linux configuration can only use key files to log in

Using key files instead of plain password authentication will also greatly improve security:

[dir@username ~]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): //Default path, press EnterEnter passphrase (empty for no passphrase): //Enter your key phrase, use it when logging inEnter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3e:fd:fc:e5:d3:22:86:8e:2c:4b:a7:3d:92:18:9f:64 [email protected]
The key's randomart image is:
+--[RSA 2048]----+
| |
…
| o++o..oo..o|
+-----------------+

Rename the public key to authorized_key:

$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Download the private key file id_rsa to your local computer (rename it to hostname_username_id_rsa for easier identification) and save it to a safe place. In the future, the username user must use this private key and the passphrase to log in to this host (the username user's own password will no longer be used)

In addition, you need to modify the /etc/ssh/sshd_config file

Open Annotations

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

We require that the username user (who can switch to other users, especially root) must log in using the ssh key file, while other ordinary users can log in directly with a password. Therefore, you need to add the following to the end of the sshd_config file:

Match User itsection
    PasswordAuthentication no

Restart sshd service

# service sshd restart

In addition, a reminder that this pair of public and private keys must be stored separately on another machine. Losing the public key on the server or the private key (or key phrase) on the connecting end may result in the inability to log in to the server and obtain root permissions!

7. Reduce history command records in Linux

The more historical command records that have been executed, the easier it will be for maintenance to a certain extent, but it will also be accompanied by security issues.

vi /etc/profile

Find HISTSIZE=1000 and change it to HISTSIZE=50 .

Or clean up history，history -c

8. Linux enhances special file permissions

Add unchangeable attributes to the following files to prevent unauthorized users from obtaining permissions

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services #Lock the system service port list file to prevent unauthorized deletion or addition of services chattr +i /etc/pam.d/su
chattr +i /etc/ssh/sshd_config

Display the properties of a file

lsattr /etc/passwd /etc/shadow /etc/services /etc/ssh/sshd_config

Note: After executing the above chattr permission modification, you will not be able to add or delete users.

If you want to add or delete users again, you need to cancel the above settings first. After the user addition and deletion is completed, perform the above operations again, for example, cancel the read-only permission chattr -i /etc/passwd . (Remember to reset to read-only)

9. Linux prevents common network attacks

Cyber ​​attacks cannot be avoided with just a few lines of settings. The following are just some simple measures to minimize the possibility and increase the difficulty of the attack, but they cannot completely prevent it.

9.1 Linux ban ping

Block ping If no one can ping your system, security is naturally increased and ping floods can be effectively prevented. To do this, add the following line to the /etc/rc.d/rc.local file:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Or use iptables to disable ping:

iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -j DROP

Do not allow pinging other hosts:

iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

9.2. Linux prevents IP spoofing

Edit the /etc/host.conf file and add the following lines to prevent IP spoofing attacks.

order hosts,bind #Name interpretation ordermulti on #Allow hosts to have multiple IP addressesnospoof on #Prohibit IP address spoofing

9.3 Linux Prevents DoS Attacks

DoS type attacks can be prevented by setting resource limits for all users of the system, such as the maximum number of processes and memory usage.
You can add the following lines to /etc/security/limits.conf:

* soft core 0
* soft nproc 2048
* hard nproc 16384
* soft nofile 1024
* hard nofile 65536

core 0 means that the creation of core files is prohibited; nproc 128 limits the maximum number of processes to 20; nofile 64 limits the maximum number of files that a user can open simultaneously to 64; * means all users logged into the system, excluding root

Then you must edit the /etc/pam.d/login file to check if the following line exists.

session required pam_limits.so

The values ​​of limits.conf parameters need to be adjusted according to specific circumstances.

10. Linux fixes known security vulnerabilities

Destructive vulnerabilities may occasionally occur on Linux, such as udev , heartbleed , shellshock , ghost , etc. If the server is exposed to the external network, it must be repaired in time.

11. Linux log security check regularly

Move the logs to a dedicated log server to prevent intruders from easily modifying local logs. The following are common Linux default log files and their uses:

/var/log/message – records system logs or current activity logs.
/var/log/auth.log – Authentication log.
/var/log/cron – Crond logs (cron jobs).
/var/log/maillog – Mail server log.
/var/log/secure – Authentication log.
/var/log/wtmp Historical login, logout, startup, and shutdown logs. The lastb command can view users who failed to log in. /var/run/utmp Currently logged in user information log. The information of the w and who commands comes from this. /var/log/yum.log Yum log.

Refer to the in-depth analysis of CentOS to reverse the intrusion through logs.

11.1 Installing logwatch on Linux

Logwatch is a log analysis tool developed using Perl. It can analyze Linux log files and automatically send emails to relevant processing personnel, which can be customized.

Logwatch's mail function uses the host system's own mail server to send mails, so the system needs to install a mail server, such as sendmail, postfix, Qmail, etc.

For installation and configuration methods, see the blog post Linux log monitoring logwatch.

12. Linux web server security

When configuring server-side programs such as Apache or Tomcat, if there are security issues, you can refer to the documentation for security reinforcement. I will add new articles when I have time in the future.

For more Linux server security configuration solutions, please see the following related articles