Tue. Jul 14th, 2020

How to secure a CentOS system


Comment out unwanted users and user groups

Review /etc/passwd and /etc/group and remove the accounts and groups that the server's role does not need (CentOS installs a number of service accounts that most servers never use, and every spare account is another login to brute-force). The post edits the files directly:

vi /etc/passwd

vi /etc/group

Hand-editing works, but vipw and vigr lock the files while you edit them, and userdel/groupdel also remove the matching /etc/shadow and /etc/gshadow entries (and, with userdel -r, the home directory), which a commented-out line leaves behind.

Add the immutable attribute to the account files so that they cannot be modified, even by root, until the flag is removed again (an attacker who already has root can remove it, so this is a tripwire against careless or scripted changes, not a hard barrier)

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

While the flag is set, useradd, userdel and usermod fail, and ordinary users cannot change their passwords either, because passwd cannot rewrite /etc/shadow. Check the flag with

lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow

(an i in the attribute column means the file is immutable) and remove it with chattr -i on the same four files before making account changes, then set it again afterwards.
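Because the flag has to be lifted and restored around every account change, it is easy to forget the second step. The following script is an added example, not code from the original post: a wrapper that lifts the flag, runs one account command and re-applies the flag even when that command fails, plus a check that reports any of the four files that has lost the flag (suitable for a cron job). It assumes the e2fsprogs chattr and lsattr tools on an ext filesystem and must run as root.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes chattr/lsattr from
# e2fsprogs on an ext2/3/4 filesystem and root privileges.

ACCOUNT_FILES='/etc/passwd /etc/shadow /etc/group /etc/gshadow'

# with_mutable_accounts CMD ARGS...: lift the immutable flag, run CMD,
# then put the flag back whether or not CMD succeeded.
# Example: with_mutable_accounts useradd -m deploy
# Returns CMD's exit status.
with_mutable_accounts() {
  chattr -i $ACCOUNT_FILES || return 1
  "$@"
  rc=$?
  chattr +i $ACCOUNT_FILES
  return $rc
}

# unlocked_account_files: print every account file whose lsattr line has
# no 'i' in the attribute column (flag missing, or file unreadable).
# Returns 0 when all four files are immutable, 1 otherwise.
unlocked_account_files() {
  rc=0
  for f in $ACCOUNT_FILES; do
    # lsattr prints "<attributes> <path>"; keep the attribute field only
    attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
      *i*) ;;
      *) echo "$f"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage after sourcing this file:
#   with_mutable_accounts passwd alice
#   unlocked_account_files || logger -p auth.warning "account files not immutable"
```

The wrapper does not trap signals, so a Ctrl-C in the middle of the wrapped command can leave the files mutable; that is exactly the state unlocked_account_files is there to catch.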

Limit su command
When you want only members of one group to be able to su to root, edit /etc/pam.d/su and add the following two lines at the top of the auth stack:

auth sufficient pam_rootok.so debug
auth required pam_wheel.so group=isd

pam_rootok.so lets root su to any account without a password; pam_wheel.so then rejects every other user who is not in the named group (isd here; the conventional choice is wheel, and the stock CentOS file already carries a commented-out pam_wheel.so line for it). Write the module names without a path as above: the original file spelled them /lib/security/pam_rootok.so, but on x86_64 CentOS the modules live in /lib64/security, and the unqualified name is resolved by PAM itself on either architecture. Users outside the group cannot su to root even with the correct root password, so put at least one working account in the group before you log out. This does not restrict sudo, which has its own configuration.

Stop ping, defend against SYN flood
Ignoring ICMP echo requests hides the host from casual ping sweeps, but it also breaks legitimate monitoring and does nothing against a scanner that probes TCP ports directly, so treat it as a minor measure. To enable it, add the following line to /etc/rc.d/rc.local (note the space after the 1: without it the shell reads 1> as a redirection and writes an empty line to the file instead of the value)

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

The Linux kernel exposes several SYN-related settings, which you can list with

sysctl -a | grep syn

tcp_max_syn_backlog is the maximum number of half-open connections (SYN received, final ACK not yet seen) the kernel remembers. tcp_syncookies switches SYN cookies on: once the half-open queue overflows, the kernel encodes the connection state in its SYN-ACK sequence number instead of queueing it, so a flood of spoofed SYNs can no longer exhaust the queue. tcp_synack_retries is how many times the kernel retransmits the SYN-ACK of a half-open connection before dropping it (a lower value expires flood entries sooner), and tcp_syn_retries is the matching count for outgoing connections the host itself opens.
To adjust the above settings, add the following commands to /etc/rc.d/rc.local (on CentOS 7 the file must be executable, chmod +x /etc/rc.d/rc.local, or it never runs; /etc/sysctl.conf or a file under /etc/sysctl.d is the more robust place, since it is applied early in boot without any script):
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
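Setting the values once is the easy part; what a practitioner also wants is a way to notice when they have drifted (a config-management run, a vendor tuning guide or a reboot without rc.local can reset them). The following script is an added example, not code from the original post: it audits the four settings above against the post's values by reading the "key = value" lines that sysctl -a prints, and it emits the persistent /etc/sysctl.d fragment. The thresholds are the post's, not kernel defaults, and the file name 90-syn.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes procps sysctl(8),
# whose -a output has the form "key = value". Thresholds are the post's.

# policy: key, comparison, required value (one per line)
SYN_POLICY='net.ipv4.tcp_max_syn_backlog ge 2048
net.ipv4.tcp_syncookies eq 1
net.ipv4.tcp_synack_retries le 3
net.ipv4.tcp_syn_retries le 3'

# check_syn_settings: read "key = value" lines on stdin, report every
# policy key that is missing or violates its comparison.
# Returns 0 when all four keys are present and compliant, 1 otherwise.
check_syn_settings() {
  input=$(cat)
  rc=0
  while read -r key op want; do
    # current value for this key, with surrounding whitespace removed
    cur=$(printf '%s\n' "$input" | sed -n "s/^$key *= *//p" | tr -d ' \t')
    if [ -z "$cur" ]; then
      echo "MISSING $key (want $op $want)"; rc=1
    elif ! [ "$cur" -"$op" "$want" ]; then
      echo "DRIFT $key=$cur (want $op $want)"; rc=1
    fi
  done <<EOF
$SYN_POLICY
EOF
  return $rc
}

# syn_sysctl_fragment: print the settings in sysctl.conf syntax.
syn_sysctl_fragment() {
  printf '%s\n' "$SYN_POLICY" | while read -r key op want; do
    printf '%s = %s\n' "$key" "$want"
  done
}

# usage: sh syn-check.sh audit      (no privileges needed)
#        sh syn-check.sh fragment > /etc/sysctl.d/90-syn.conf
#        sysctl -p /etc/sysctl.d/90-syn.conf
case "${1:-}" in
  audit)    sysctl -a 2>/dev/null | check_syn_settings ;;
  fragment) syn_sysctl_fragment ;;
esac
```

The audit treats the backlog as a minimum and the retry counts as maxima rather than demanding the exact numbers, so a host that was tuned harder than the post suggests is not reported as drift.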
Prevent IP Spoofing
Edit /etc/host.conf and add the following lines. nospoof makes the resolver reject a reverse lookup whose name does not resolve back to the same address, which defeats hostname-based spoofing against services that trust DNS names (TCP wrappers, for instance); check the host.conf(5) man page of your glibc version for whether the option is still honoured. It does nothing against forged source addresses on the wire, which is what reverse-path filtering (net.ipv4.conf.all.rp_filter=1) and firewall rules are for.
order hosts,bind
multi on
nospoof on
Prevent DoS attacks
Per-user resource limits in /etc/security/limits.conf stop a local user (or a compromised service account) from exhausting the machine with a fork bomb or a runaway process; they do nothing against network DDoS traffic, which needs the SYN settings above and filtering upstream. For example, you can add the following lines to /etc/security/limits.conf:
* hard core 0
* hard rss 5000
* hard nproc 20
core 0 disables core dumps, which can leak secrets from process memory; nproc caps the number of processes per user; rss is meant to cap resident memory, but the Linux kernel has not enforced RLIMIT_RSS since the 2.4 series, so use as (address space, in KB) if you want a memory limit that bites. The * wildcard does not apply to root, and 20 processes is far too low for an interactive user or most daemons, so size the limits for the roles on the box and give service accounts their own tighter lines.
Restrict permissions on different files
The goal is to keep compilers, linkers and reconnaissance tools away from unprivileged accounts, so that an attacker who lands in a low-privileged shell cannot build exploits or map the system as easily. Two cautions before copying the list. First, chmod 700 on /usr/bin/ itself (the first line) takes every command in that directory away from every non-root user and breaks ordinary logins; restrict individual binaries instead. Second, chmod 700 or 500 replaces the whole mode, so a setuid bit is dropped as well: on CentOS 6, where ping is setuid root, unprivileged users lose ping entirely (on CentOS 7 ping uses file capabilities, which chmod keeps, but a file the user cannot execute is of no use anyway). Making cat, head, tail, less, uname, ps, netstat and vim root-only also breaks scripts and service accounts that rely on them, and rpm -V will flag every changed mode while a yum update of the owning package silently restores the packaged permissions, so re-apply and re-check after updates.
chmod 700 /usr/bin/
chmod 750 /usr/bin/*++*
chmod 750 /usr/bin/c++*
chmod 750 /usr/bin/ld
chmod 750 /usr/bin/as
mysqlaccess is a Perl helper shipped with MySQL; where it lives depends on the install (here XAMPP under /opt/lampp), so find it first:
locate sqlaccess
chmod 755 /opt/lampp/bin/mysqlaccess
The history file is made append-only so that a user cannot truncate or rewrite it; run these in each user's home directory, since the path is relative. Note that +i on top of +a makes the file fully immutable, so bash can no longer append to it at all; use +a alone, and set shopt -s histappend (for example in /etc/profile.d), because bash's default is to rewrite the file on exit, which an append-only file refuses. A user can still sidestep logging with HISTFILE=/dev/null, so this is a deterrent, not an audit trail.
chattr +a .bash_history
chattr +i .bash_history
chmod 700 /bin/ping
chmod 700 /usr/bin/finger
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /usr/bin/vim
chmod 700 /usr/bin/make
chmod 700 /bin/netstat
chmod 700 /usr/bin/tail
chmod 700 /usr/bin/less
chmod 700 /usr/bin/head
chmod 700 /bin/cat
chmod 700 /bin/uname
chmod 500 /bin/ps
chmod 500 /usr/sbin/lsof
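Since a package update quietly undoes these modes, the list is only useful if it is kept in one place and checked regularly. The following script is an added example, not code from the original post: it applies the per-binary modes from a single list and audits them afterwards, reporting files that are missing or whose mode differs. It assumes GNU stat (whose -c '%a' prints the mode in octal) and uses the post's paths, which on CentOS 7 resolve through the /bin -> /usr/bin symlink; the directory line, the two globs and the mysqlaccess entry are deliberately left out of the list for the reasons given above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils stat.

# path and wanted mode, one entry per line (the post's per-binary list)
MODE_POLICY='/usr/bin/ld 750
/usr/bin/as 750
/bin/ping 700
/usr/bin/finger 700
/usr/bin/who 700
/usr/bin/w 700
/usr/bin/locate 700
/usr/bin/whereis 700
/usr/bin/vim 700
/usr/bin/make 700
/bin/netstat 700
/usr/bin/tail 700
/usr/bin/less 700
/usr/bin/head 700
/bin/cat 700
/bin/uname 700
/bin/ps 500
/usr/sbin/lsof 500'

# for_each_policy ROOT CALLBACK: call "CALLBACK FILE MODE" for every
# entry, with FILE prefixed by ROOT (/ for the live system, a scratch
# directory when testing). Returns 1 if any callback returned non-zero.
for_each_policy() {
  root=${1%/}; cb=$2; rc=0
  while read -r path want; do
    [ -n "$path" ] || continue
    "$cb" "$root$path" "$want" || rc=1
  done <<EOF
$MODE_POLICY
EOF
  return $rc
}

# apply_one FILE MODE: chmod the file; a missing file is a failure so a
# typo in the list cannot pass silently.
apply_one() {
  [ -e "$1" ] || { echo "MISSING $1"; return 1; }
  chmod "$2" "$1"
}

# audit_one FILE MODE: print a DRIFT or MISSING line when the file does
# not carry exactly the wanted mode (a setuid 4755 shows up as drift too).
audit_one() {
  [ -e "$1" ] || { echo "MISSING $1"; return 1; }
  have=$(stat -c '%a' "$1")
  [ "$have" = "$2" ] || { echo "DRIFT $1 mode=$have want=$2"; return 1; }
}

# apply_modes [ROOT] / audit_modes [ROOT]: run the two callbacks over the
# whole list. Usage as root:  apply_modes && audit_modes
# From cron (any user that can stat the files):  audit_modes
apply_modes() { for_each_policy "${1:-/}" apply_one; }
audit_modes() { for_each_policy "${1:-/}" audit_one; }
```

rpm -V on the owning packages is the complementary check: it tells you which of these files a package update has touched, and rpm --setperms restores the packaged modes if you ever need to back the changes out.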