CentOS system component optimization

CentOS Linux is widely used on company servers; this article summarizes some common hardening methods.

Basic principles:

  • Minimum privileges + minimum services = maximum security
  • Back up before you make changes;
  • To avoid a configuration error that makes the host impossible to log in to, always keep one terminal logged in as root and never log it out; make configuration changes in a second terminal. Then even if you make a mistake, you will not be permanently locked out or unable to restore the configuration.

Action items:

1. Comment out users and groups the system does not need

Note: deleting them outright is not recommended; when you later need one of these users, re-creating it by hand is a hassle. Commenting out an entry also removes the name-to-UID mapping, so files owned by that UID show a numeric owner and any daemon that runs as that user (cups as lp, vsftpd as ftp) fails to start; only comment out accounts whose service is disabled as well. All of these accounts already have /sbin/nologin (or a single-purpose shell such as /bin/sync) and a locked password field in /etc/shadow, so check /etc/shadow too: the field should be * or !.
   cp  /etc/passwd  /etc/passwdbak   #back up before editing
   vi /etc/passwd  #edit users: prefix a line with # to comment it out
   #adm:x:3:4:adm:/var/adm:/sbin/nologin
   #lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
   #sync:x:5:0:sync:/sbin:/bin/sync
   #shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
   #halt:x:7:0:halt:/sbin:/sbin/halt
   #uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
   #operator:x:11:0:operator:/root:/sbin/nologin
   #games:x:12:100:games:/usr/games:/sbin/nologin
   #gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
   #ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin    #comment out the anonymous ftp account
  cp /etc/group   /etc/groupbak   #back up before editing
  vi /etc/group  #edit groups: prefix a line with # to comment it out
  #adm:x:4:root,adm,daemon
  #lp:x:7:daemon,lp
  #uucp:x:14:uucp
  #games:x:20:
  #dip:x:40:tcp
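Rather than scanning /etc/passwd by eye, the audit below lists every account that could still authenticate and prints the commands that lock an account without deleting it (so the UID-to-name mapping survives). This is an added example, not code from the original article; the passwd sample is constructed and the /sbin/nologin path is CentOS's.

```bash
#!/bin/sh
# Added example: audit a passwd(5)-format file for accounts that could still
# log in, and emit lock commands instead of editing the file by hand.
# The sample below is constructed; point the functions at /etc/passwd on a host.

# Print "name:uid:shell" for every uncommented account whose shell is not
# nologin/false.  Anything listed here can authenticate if it has a password or key.
login_capable() {
    awk -F: '!/^#/ && NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Print every uncommented account with UID 0; more than one line means a second root.
uid_zero() {
    awk -F: '!/^#/ && NF >= 7 && $3 == 0 { print $1 }' "$1"
}

# Emit (do not run) the commands that disable an account without deleting it:
# lock the password field and force a non-interactive shell.  The UID-to-name
# mapping survives, so file ownership and the account's daemon keep working.
lock_commands() {
    for u in "$@"; do
        printf 'usermod -L -s /sbin/nologin %s\n' "$u"
    done
}

# Constructed sample: a trimmed /etc/passwd with a second UID 0 account and a
# forgotten service account that still has a shell.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
#adm:x:3:4:adm:/var/adm:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
toor:x:0:0::/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
legacy:x:501:501::/home/legacy:/bin/bash
EOF

echo "== accounts with a usable shell =="; login_capable "$SAMPLE"
echo "== UID 0 accounts =="; uid_zero "$SAMPLE"
echo "== how to lock the stray ones =="; lock_commands toor legacy
```

sync shows up in the first list because /bin/sync is a real executable, which is exactly why those entries deserve a glance at /etc/shadow even though they have no useful shell.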

2. Disable services the system does not need

Use chkconfig --list | grep 3:on to list the services enabled at runlevel 3, the normal server runlevel (the original used chkconfig | grep on, which matches almost every line). The full chkconfig --list output on a stock install looks like this:

abrt-ccpp       0:off   1:off   2:off   3:on    4:off   5:on    6:off
abrtd           0:off   1:off   2:off   3:off   4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
blk-availability        0:off   1:on    2:on    3:on    4:on    5:on    6:off
certmonger      0:off   1:off   2:off   3:on    4:on    5:on    6:off
cgconfig        0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:off   4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
kdump           0:off   1:off   2:off   3:off   4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:off   4:on    5:on    6:off
mcelogd         0:off   1:off   2:off   3:on    4:off   5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
portreserve     0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rpcbind         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:on    2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off

Service descriptions:

auditd

The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.

blk-availability

Controls availability of LVM2 block devices.

cgconfig

Start cgconfigparser.

cgred

This is a daemon for automatically classifying processes into cgroups based on UID/GID.

cpuspeed

This program monitors the system's idle percentage and reduces or raises the CPUs' clock speeds and voltages accordingly to minimize power consumption when idle and maximize performance when needed.

crond

The daemon to execute scheduled commands.

ip6tables

It's IPv6 packet filter administration.

iptables

It's administration tool for IPv4 packet filtering and NAT.

lvm2-monitor

Monitor LVM2 with using dmeventd.

netconsole

It sends printk message from kernel on UDP.

netfs

NFS client (mounts network file systems listed in /etc/fstab).

network

Network system.

postfix

SMTP service daemon.

rdisc

Detect routers in local subnets.

restorecond

It's the daemon that watches for file creation and then sets the default SELinux file context.

rsyslog

Enhanced system logging daemon (syslog): collects kernel and application log messages and writes them under /var/log.

saslauthd

saslauthd is a daemon process that handles plaintext authentication requests on behalf of the SASL library.

sshd

OpenSSH sshd daemon.

udev-post

Moves the generated persistent udev rules to /etc/udev/rules.d.

(see http://www.server-world.info/en/note?os=CentOS_6&p=initial_conf&f=4)

Disable unnecessary services

  service acpid stop;chkconfig acpid off    #ACPI event daemon (power button and similar events), mostly relevant on laptops. Keep it on virtual machines: the hypervisor's graceful shutdown arrives as an ACPI power event.
  service cpuspeed stop;chkconfig  cpuspeed  off   #CPU frequency scaling, mainly for power saving
  service cups stop;chkconfig cups off    #Common UNIX Printing System (printer support)
  service ip6tables stop;chkconfig ip6tables off   #this stops the IPv6 packet filter only; it does NOT disable IPv6. If IPv6 is enabled on the host, keep ip6tables running with a restrictive ruleset, or disable IPv6 itself with net.ipv6.conf.all.disable_ipv6 = 1 in /etc/sysctl.conf.

From the list above, rpcbind, nfslock, netfs and rpcgssd are only needed for NFS, and rpcbind listens on TCP/UDP 111 on all interfaces, so disable them on hosts that do not use NFS. postfix (127.0.0.1:25) and cups (127.0.0.1:631) listen on localhost only by default. Confirm what is actually exposed before and after with netstat -tulnp.
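Reviewing a 30-line chkconfig listing by eye is error-prone; the added example below (not part of the original article) compares the listing against an allowlist and prints the chkconfig commands for everything else. The allowlist is an assumption for a headless server and should be adjusted to the host's role; the dump is a trimmed copy of the chkconfig output shown above.

```bash
#!/bin/sh
# Added example: review "chkconfig --list" output against an allowlist rather
# than reading it by eye.  Services that are "on" at the server runlevel but
# not on the list are emitted as "chkconfig NAME off" lines for review.

# Allowlist for a headless server (an assumption for this example; adjust to
# the host's role).  ip6tables stays on: stopping it removes the IPv6 filter.
ALLOW="acpid auditd blk-availability crond ip6tables iptables irqbalance lvm2-monitor network rsyslog sshd udev-post"

# Print the names of services that are "on" at runlevel $2 in chkconfig dump $1.
enabled_at() {
    awk -v want="$2:on" 'NF > 1 { for (i = 2; i <= NF; i++) if ($i == want) print $1 }' "$1"
}

# Print "chkconfig NAME off" for every enabled service that is not allowlisted.
disable_commands() {
    enabled_at "$1" "$2" | while read -r svc; do
        case " $ALLOW " in
            *" $svc "*) ;;                                  # allowlisted, keep
            *) printf 'chkconfig %s off\n' "$svc" ;;
        esac
    done
}

# Sample dump trimmed from the chkconfig output above.
DUMP=$(mktemp)
trap 'rm -f "$DUMP"' EXIT
cat >"$DUMP" <<'EOF'
abrt-ccpp       0:off   1:off   2:off   3:on    4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:off   4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcbind         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF

echo "== enabled at runlevel 3 =="; enabled_at "$DUMP" 3
echo "== not on the allowlist (review, then run) =="; disable_commands "$DUMP" 3
```

On a real host feed it chkconfig --list directly: chkconfig --list > /tmp/dump; disable_commands /tmp/dump 3. The output is a list to review, not to pipe blindly into sh; postfix, for example, is flagged here but may be wanted for local mail.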

3. Prevent non-root users from executing the system scripts under /etc/rc.d/init.d/
  chmod -R 700 /etc/rc.d/init.d/*    (chmod -R 755 /etc/rc.d/init.d/*    #restore the default)
  Note: the scripts need root to start or stop anything anyway, so this mainly hides service details from local users. rpm -V will report the changed modes, and package updates may reset them to 755.

4. Change the number of commands kept in the shell history

   cp /etc/profile   /etc/profilebak
   vi /etc/profile
   find HISTSIZE=1000 and change it to HISTSIZE=50
   Note: a shorter history also shortens the trail available for incident analysis, and a user can edit ~/.bash_history anyway; if the goal is accountability, rely on auditd (enabled above) rather than on shell history.

5. Raise the file descriptor limit

   echo "ulimit -SHn 65535" >> /etc/rc.local

   Edit /etc/security/limits.conf and add:

   *     soft    nofile          65535
   *     hard    nofile          65535
   *     soft    stack           unlimited
   *     hard    stack           unlimited

   The * wildcard does not apply to root; add explicit "root" lines if root's limits should change too. limits.conf is applied by pam_limits at login, so already running processes keep their old limits.

6. Synchronize the system time

  cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

  Pick one mechanism, not both: ntpdate refuses to run while ntpd holds UDP port 123, so the cron job and the daemon below conflict.

  Option A, periodic ntpdate from cron:
  crontab -e
      0-59/10 * * * * /usr/sbin/ntpdate us.pool.ntp.org | logger -t NTP

  Option B, the ntpd daemon:
      chkconfig --list | grep ntp   #check the service status

      chkconfig ntpd on

      service ntpd start

7. Kernel parameter tuning

vi /etc/sysctl.conf    #append the parameters below, then apply with sysctl -p  (note: tune kernel parameters to the server and its workload; these are throughput-oriented settings, not security hardening, and sysctl.conf comments must be on their own lines)

net.ipv4.tcp_max_tw_buckets = 6144
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144

net.ipv4.tcp_max_orphans = 3276800
# Set tcp_max_syn_backlog only once: sysctl applies the last value it reads,
# so a second line lower down silently overrides this one.
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 1
# One retry each is aggressive (kernel default is 5): clients on lossy links
# will fail to connect.
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle breaks connections from clients behind NAT when timestamps
# are on (they are, above); prefer tcp_tw_reuse alone. The knob was removed
# from the kernel in 4.12.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_mem is counted in pages (4 KiB): 94500000 pages is about 360 GiB, far
# beyond any real box. Leave the kernel's RAM-based default unless measured.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 1024 65000

vm.swappiness = 5
vm.zone_reclaim_mode = 0
vm.dirty_ratio = 60
vm.dirty_background_ratio = 5
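Two things go wrong with hand-edited sysctl.conf files: a key listed twice (the original list set tcp_max_syn_backlog to both 262144 and 5000) silently takes the last value, and values edited in the file are assumed to be live when they are not. The added example below (not part of the original article) checks a sysctl.conf for duplicated keys, shows the value that will actually be applied, and diffs the file against a sysctl -a dump. Both files are constructed samples.

```bash
#!/bin/sh
# Added example: sanity-check a sysctl.conf before "sysctl -p" and diff it
# against the running kernel.  sysctl(8) reads the file top to bottom, so a
# key listed twice silently takes its LAST value and the first is dead config.

# Normalise "key = v1   v2" lines to "key<TAB>v1 v2"; comment lines and blanks
# are dropped and runs of whitespace in values collapsed (sysctl -a prints
# multi-value keys tab-separated, sysctl.conf usually space-separated).
kv() {
    awk '
        { sub(/#.*/, "") }
        !/=/ { next }
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/[[:space:]]+/, " ", val)
            if (key != "") print key "\t" val
        }' "$1"
}

# Keys that appear more than once in the file (only the last one takes effect).
sysctl_duplicates() {
    kv "$1" | cut -f1 | sort | uniq -d
}

# The value "sysctl -p" will actually load for key $2 from file $1.
sysctl_effective() {
    kv "$1" | awk -F'\t' -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# Compare file $1 with a "sysctl -a" style dump $2; print "key<TAB>wanted<TAB>running"
# for every configured key whose running value differs.
sysctl_drift() {
    want=$(mktemp); have=$(mktemp)
    kv "$1" | awk -F'\t' '{ v[$1] = $2 } END { for (k in v) print k "\t" v[k] }' | sort >"$want"
    kv "$2" | sort >"$have"
    awk -F'\t' 'FILENAME == ARGV[1] { have[$1] = $2; next }
                ($1 in have) && have[$1] != $2 { print $1 "\t" $2 "\t" have[$1] }' "$have" "$want"
    rm -f "$want" "$have"
}

# Constructed sysctl.conf fragment: it repeats the duplicated key on purpose.
CONF=$(mktemp); RUNNING=$(mktemp)
trap 'rm -f "$CONF" "$RUNNING"' EXIT
cat >"$CONF" <<'EOF'
# constructed sample, not a real host's file
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
# duplicate key: this later value is what sysctl -p applies
net.ipv4.tcp_max_syn_backlog = 5000
EOF

# Constructed "sysctl -a" output for the same keys (tabs between values, as the kernel prints them).
printf 'net.ipv4.tcp_max_syn_backlog = 1024\n' >"$RUNNING"
printf 'net.ipv4.tcp_syncookies = 1\n' >>"$RUNNING"
printf 'net.ipv4.tcp_tw_recycle = 0\n' >>"$RUNNING"
printf 'net.ipv4.tcp_rmem = 4096\t87380\t4194304\n' >>"$RUNNING"

echo "== duplicated keys =="; sysctl_duplicates "$CONF"
echo "== effective tcp_max_syn_backlog =="; sysctl_effective "$CONF" net.ipv4.tcp_max_syn_backlog
echo "== configured vs running (key wanted running) =="; sysctl_drift "$CONF" "$RUNNING"
```

On a live host run sysctl -a > /tmp/running and then sysctl_drift /etc/sysctl.conf /tmp/running; an empty result means the file and the kernel agree.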

8. CentOS system tuning
      cp  /etc/profile  /etc/profilebak2
      vi /etc/profile      #append the following to the end of the file
      ulimit -c unlimited
      ulimit -s unlimited
      ulimit -SHn 65535
      source  /etc/profile    #apply the configuration immediately
      ulimit -a    #show the current per-user process limits
      Caution: ulimit -c unlimited turns on core dumps for every login session. A core file holds the crashed process's memory, including any passwords or keys it had loaded, so on a hardened server keep core disabled (ulimit -c 0, plus fs.suid_dumpable = 0 in /etc/sysctl.conf) and enable it only while debugging. The nofile line repeats the setting from section 5 in a third place; keep the values in sync.

 

9. Remove system identification banners

  Back up the originals somewhere safe first :)

  echo "Welcome to Server" >/etc/issue

  echo "Welcome to Server" >/etc/issue.net

  echo "Welcome to Server" >/etc/redhat-release

  Note: /etc/issue and /etc/issue.net are only banners, but scripts and configuration tools that parse /etc/redhat-release to detect the OS version will misdetect it afterwards, and an update of the centos-release package restores the file. This hides the version from casual viewers only; services such as sshd still announce their own version strings.

10. SSH service security configuration

     vi /etc/ssh/sshd_config

     1. Disable remote root login

  PermitRootLogin no

  PermitEmptyPasswords no #refuse logins with an empty password

  2. Do not keep idle sessions; configure an idle logout timeout:
  ClientAliveInterval 600 # (set to 600 seconds = 10 minutes)
  ClientAliveCountMax 0
  Note: with the OpenSSH 5.x shipped in CentOS 6 a count of 0 drops the session at the first unanswered probe, i.e. after ClientAliveInterval seconds. In OpenSSH 8.2 and later a count of 0 disables the check entirely, so use a small positive count such as 3 if this file may be reused on newer hosts.

  3. Ignore users' .rhosts files:

  IgnoreRhosts yes

  4. PasswordAuthentication no
  Key-based logins only. Install your public key in ~/.ssh/authorized_keys and verify a key login from a second session before enabling this, otherwise you lock yourself out.

  5. SSH security tip: change the SSH port
  A port above 10000 is recommended to reduce the chance of being found by scanners that only probe 22. This is obscurity, not access control; the firewall rules in section 14 are what actually restrict access.

  Port 36000

  6. Use iptables to allow only specific hosts to connect
  As an alternative to TCP wrappers you can restrict SSH access with iptables (the two can also be combined). A simple example that allows a single host to reach the SSH service:
  iptables -A INPUT -p tcp -m state --state NEW --source 193.180.177.13 --dport 36000 -j ACCEPT
  The port must match the Port directive above; a rule that still names port 22 after moving sshd to 36000 locks out the very host it is meant to allow. An ACCEPT rule on its own restricts nothing: it only works together with a final REJECT or DROP rule such as the one in section 14.

  After saving, check the file with sshd -t (it prints nothing when the configuration is valid), then restart the service with service sshd restart. Keep your existing root session open and confirm that a fresh login works before closing it.

11. Add an ordinary user and manage privileges with sudo

  useradd -d /home/goal user   #(the home directory name differs from the user name here)
  passwd user  #set the password
  visudo  #opens /etc/sudoers with a syntax check on save; a broken sudoers file locks everyone out of sudo, so do not edit it with vi directly. Add the user with full privileges:
  root    ALL=(ALL)       ALL
  user    ALL=(ALL)       ALL
  ALL=(ALL) ALL is root-equivalent. Where possible, restrict the last field to the specific commands the user needs, or manage several administrators through the %wheel line that CentOS already ships commented out in sudoers.

12. Install security patches (update often)

yum install yum-plugin-security   #on CentOS 6 the plugin package is yum-plugin-security (it was yum-security on CentOS 5)

Check for security updates
yum --security check-update
Install only security updates
yum update --security
Check whether a specific package has a security update
yum list-security software_name
List the details of an update
yum info-security software_name

Caveat: these commands depend on updateinfo metadata in the repository. Red Hat publishes it, but the stock CentOS base and updates repositories do not, so on CentOS the --security filter typically reports nothing to do even when security fixes are available. On CentOS run a plain yum update (or use a repository that carries updateinfo) rather than relying on --security.

13. Keep the SSH packages and the libraries they need up to date:
    yum update openssh-server openssh openssh-clients -y


  

14. Flush the firewall and set rules; configure the firewall to accept SSH connections only from known network segments:

iptables -t filter -P INPUT ACCEPT    #set the default policy to ACCEPT before flushing so the flush cannot lock you out

iptables -t filter -F INPUT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT    #these two rules admit every port from the internal ranges, not only SSH; add -p tcp --dport 36000 to them if that is not intended

iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 36000 -j ACCEPT    #SSH from ANY source, which contradicts "known segments only": the internal ranges are already admitted above, so delete this line, or keep it with -s limited to the specific external admin host as in section 10 item 6. The port must match Port in sshd_config

iptables -A INPUT -p icmp -j ACCEPT

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited    #everything not matched above is rejected; without this line the ACCEPT rules restrict nothing

iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

service iptables save    #persist to /etc/sysconfig/iptables so the rules survive a reboot; verify with iptables -L -n -v
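The classic lockout in sections 10 and 14 is a firewall allow rule and an sshd Port directive that disagree (a rule still naming 22 after sshd moved to 36000), or a misspelt sshd_config keyword that sshd ignores. The added pre-restart guard below (not part of the original article) parses sshd_config the way sshd does, i.e. case-insensitive keywords, first occurrence wins, Match blocks excluded from the global value, and checks an iptables-save dump for a matching ACCEPT rule. The sshd_config and iptables-save contents are constructed samples.

```bash
#!/bin/sh
# Added example: a pre-restart guard for the SSH and firewall steps.  Before
# "service sshd restart", confirm that the port sshd will actually bind is
# admitted by the firewall and that root login is really off.  sshd_config
# keywords are case-insensitive and the FIRST occurrence of a keyword wins
# (the opposite of sysctl.conf); a misspelt keyword is simply not a setting.

# Effective global value of an sshd_config keyword: the first uncommented
# occurrence before any "Match" block.  Prints nothing if it is not set.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        { gsub(/=/, " ") }                       # "Key=value" form is also legal
        tolower($1) == "match" { exit }          # per-user/host overrides start here
        tolower($1) == k      { print $2; exit }' "$1"
}

# True when an iptables-save style dump has an INPUT ACCEPT rule for TCP port $2.
fw_accepts_tcp_port() {
    grep -E -q -- "^-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# Exit 0 only if the firewall admits sshd's effective port and PermitRootLogin is "no".
ssh_restart_precheck() {
    port=$(sshd_effective "$1" Port); port=${port:-22}      # sshd's default port
    rc=0
    if ! fw_accepts_tcp_port "$2" "$port"; then
        echo "sshd would listen on $port but no INPUT ACCEPT rule admits it" >&2; rc=1
    fi
    prl=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != "no" ]; then
        echo "PermitRootLogin is not 'no' (effective value: '${prl:-unset}')" >&2; rc=1
    fi
    return $rc
}

CONF=$(mktemp); CONF_TYPO=$(mktemp); RULES_GOOD=$(mktemp); RULES_BAD=$(mktemp)
trap 'rm -f "$CONF" "$CONF_TYPO" "$RULES_GOOD" "$RULES_BAD"' EXIT

# Constructed sshd_config: the hardened settings from section 10, a later
# "PermitRootLogin yes" that sshd ignores (first occurrence wins), and a Match
# block whose override must not leak into the global value.
cat >"$CONF" <<'EOF'
#Port 22
Port 36000
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF
# Same file with keyword and value run together ("PermitRootLoginno"): sshd
# does not recognise it, so the later "yes" becomes the effective value.
sed 's/^PermitRootLogin no$/PermitRootLoginno/' "$CONF" >"$CONF_TYPO"

# Constructed iptables-save output matching section 14 (SSH admitted on 36000)...
cat >"$RULES_GOOD" <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 36000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
# ...and the lockout variant: the allow rule still names port 22 after the move.
sed 's/--dport 36000/--dport 22/' "$RULES_GOOD" >"$RULES_BAD"

report() {
    if ssh_restart_precheck "$1" "$2"; then echo "OK to restart sshd"; else echo "do NOT restart yet"; fi
}
report "$CONF" "$RULES_GOOD"
report "$CONF" "$RULES_BAD"
report "$CONF_TYPO" "$RULES_GOOD"
```

On a host: iptables-save > /tmp/rules; sshd -t && ssh_restart_precheck /etc/ssh/sshd_config /tmp/rules && service sshd restart, run from a second session while the first root session stays open.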

 

15. Lock critical files

chattr +i /etc/passwd

chattr +i /etc/inittab

chattr +i /etc/group

chattr +i /etc/shadow

chattr +i /etc/gshadow

With the immutable attribute set, useradd/usermod/passwd and package updates that touch these files fail until you run chattr -i on them, so remove the attribute before user management and re-apply it afterwards. Anyone with root can clear it, so this guards against mistakes and careless scripts, not against an attacker who already has root. lsattr /etc/passwd /etc/shadow shows whether the bit is still set.
