Linux CentOS 幾項安全性設置

。將 / , /tmp , /var/tmp, /home, /var, /var/www , /boot 分割獨立的partition

。掛載以上的partition加入 nosuid, noexec, nodev

# /etc/fstab
/                        ext3      defaults   1   1
/tmp                  ext3      defaults,nosuid,noexec,nodev   1   2
/var/tmp            ext3      defaults,nosuid,noexec,nodev   1   2
/home               ext3      defaults,nosuid,nodev 1 2
/var                   ext3      defaults,nosuid 1 2
/var/www          ext3      defaults,nosuid,nodev 1 2
/boot                 ext3      defaults,nosuid,noexec,nodev 1 2

。禁用 ctrl + alt + del 能重開機

# 註解 /etc/inittab
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

。使用單人模式時需要輸入密碼

# /etc/inittab 加入
~~:S:wait:/sbin/sulogin

即時生效  init q

。sysctl

#  編修 /etc/sysctl.conf 加入，sysctl -p 使用生效
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0

。關閉不必要的服務，使用 ntsysv 或 chkconfig

。定期 yum update

。關閉ipv6，因為還不普及，關閉以免影響效能

# vi /etc/modprobe.conf

alias net-pf-10 off
alias ipv6 off

# vi /etc/sysconfig/network

NETWORKING_IPV6=no

。GRUB開機管理程式，進入時需輸入密碼 : http://ssorc.tw/?p=122

ref: http://www.cyberciti.biz/tips/linux-security.html
ref: http://wiki.centos.org/HowTos#head-ed8017672e89d33d57ffd0ed8148abd139e88421