Security Hardening
CentOS 7 Security Hardening
SSH and account hardening
Generate strong random passwords with mkpasswd (shipped in the expect package; -l sets the length):
yum -y install expect
mkpasswd -l 16
Every account password on the server should be strong: not derived from the account or host name, at least 16 characters, and a mix of uppercase and lowercase letters, digits and special symbols.
Modify the SSH configuration file
- Change the default port 22 to an unused high port (port numbers cannot exceed 65535, so the value 78787 originally given here is not valid)
- Prohibit direct root login
- Only allow the listed accounts to log in
vim /etc/ssh/sshd_config
...
PermitRootLogin no
AllowUsers ccav
Validate the file with sshd -t before restarting the service (systemctl restart sshd). When the port is changed, open it first in firewalld (firewall-cmd --permanent --add-port=<port>/tcp) and label it for SELinux (semanage port -a -t ssh_port_t -p tcp <port>), otherwise the next login will be locked out.
Enforce a minimum password length
vim /etc/login.defs
.....
PASS_MIN_LEN 13
On CentOS 7 the passwd command checks length through pam_pwquality rather than login.defs, so also set minlen = 13 in /etc/security/pwquality.conf.
Check whether any account other than root has UID 0:
awk -F: '($3 == 0) { print $1 }' /etc/passwd
Check whether any account can log in without a password (on CentOS 7 the password field lives in /etc/shadow; /etc/passwd only holds "x", so checking it finds nothing):
awk -F: '($2 == "") { print $1 }' /etc/shadow
Change passwords regularly and keep them complex:
[root@localhost]# passwd xxxxxx
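The checks in this section combined into one audit script, as an added example that is not part of the original page. It runs against constructed sample copies of /etc/passwd, /etc/shadow, sshd_config and login.defs (the user names toor, ccav and guest, the port 2222 and the file contents are assumptions made for the demonstration); on a real host the functions take the files under /etc instead.

```shell
#!/bin/sh
# Added example, not from the original page: an offline audit of the account and
# sshd settings described above. It runs against constructed sample files so it
# can be tried safely; on a real host pass /etc/passwd, /etc/shadow,
# /etc/ssh/sshd_config and /etc/login.defs to the functions instead.

# Constructed sample /etc/passwd: "toor" is a second UID 0 account.
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
ccav:x:1000:1000::/home/ccav:/bin/bash
EOF

# Constructed sample /etc/shadow: "guest" has an empty password field, so it can
# log in without any password. (The hashes are placeholders, not real hashes.)
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$placeholder$placeholderhash:18000:0:99999:7:::
ccav:$6$placeholder$placeholderhash:18000:0:99999:7:::
guest::18000:0:99999:7:::
EOF

# Constructed sample sshd_config. "#PermitRootLogin yes" is only a comment showing
# the compiled-in default; sshd applies the first uncommented value of a keyword.
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
#PermitRootLogin yes
Port 2222
PermitRootLogin no
AllowUsers ccav
EOF

# Constructed sample login.defs with a minimum length below the policy.
LOGINDEFS_SAMPLE=$(mktemp)
cat > "$LOGINDEFS_SAMPLE" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
EOF

# UID 0 accounts other than root; any output is a finding.
uid0_accounts() {
    awk -F: '($3 == 0 && $1 != "root") { print $1 }' "$1"
}

# Accounts whose password field in the shadow file is empty.
empty_password_accounts() {
    awk -F: '($2 == "") { print $1 }' "$1"
}

# Effective value of an sshd_config keyword: the first uncommented occurrence
# wins, keywords are case-insensitive, and "#Keyword" comment lines are skipped.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# PASS_MIN_LEN from login.defs, 0 if unset.
pass_min_len() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' "$1"
}

# Run all checks against the given files; print findings and return 1 if any.
audit() {
    passwd_file=$1; shadow_file=$2; sshd_file=$3; logindefs_file=$4
    rc=0
    for u in $(uid0_accounts "$passwd_file"); do
        echo "FINDING: extra UID 0 account: $u"; rc=1
    done
    for u in $(empty_password_accounts "$shadow_file"); do
        echo "FINDING: account with empty password: $u"; rc=1
    done
    if [ "$(sshd_setting "$sshd_file" PermitRootLogin)" != "no" ]; then
        echo "FINDING: PermitRootLogin is not 'no'"; rc=1
    fi
    port=$(sshd_setting "$sshd_file" Port)   # sshd defaults to 22 when Port is absent
    if [ "${port:-22}" = "22" ]; then
        echo "FINDING: sshd still listens on the default port 22"; rc=1
    fi
    if [ "$(pass_min_len "$logindefs_file")" -lt 13 ]; then
        echo "FINDING: PASS_MIN_LEN is below 13"; rc=1
    fi
    return $rc
}

# Usage on the constructed samples (a real run would name the files under /etc).
if audit "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" "$SSHD_SAMPLE" "$LOGINDEFS_SAMPLE"; then
    echo "no findings"
else
    echo "hardening gaps found"
fi
```

On the samples the script reports the extra UID 0 account, the passwordless guest account and the weak PASS_MIN_LEN, while the sshd checks pass because the commented default is correctly ignored and the first effective PermitRootLogin value is used.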
Disable IP forwarding
Unless the host is a router or NAT gateway, turn off packet forwarding between interfaces:
echo 0 > /proc/sys/net/ipv4/ip_forward
This setting is lost at reboot; to make it persistent add net.ipv4.ip_forward = 0 to /etc/sysctl.conf and run sysctl -p.
Bash history logging
Make the history variables read-only so users cannot turn off or shrink their shell history (put these lines in /etc/profile or a file under /etc/profile.d/ so they apply to every login shell):
readonly HISTFILE
readonly HISTFILESIZE
readonly HISTSIZE
readonly HISTCMD
readonly HISTCONTROL
readonly HISTIGNORE
Add a timestamp to each history entry:
export HISTTIMEFORMAT='%F %T '
Make the history file append-only:
chattr +a ~/.bash_history
This only deters: anyone with a shell can sidestep it by starting bash with --norc or by using another shell, so treat auditd or remote syslog as the real command record.
Apache
Server banner information hiding
Apache configuration file:
vim /etc/httpd/conf/httpd.conf
...
ServerTokens Prod
ServerSignature Off
PHP configuration file:
vim /etc/php.ini
...
expose_php = Off
Disable directory listing so that directories without an index file do not disclose their contents: change
Options Indexes FollowSymLinks
to
Options FollowSymLinks
Disable PHP execution in a specified directory (this flag is honoured by mod_php; with php-fpm the PHP handler has to be excluded for the directory instead):
<Directory "/var/www/html/uploads">
php_flag engine off
</Directory>
Restrict the admin backend to specific IP addresses:
<Directory "/var/www/html/admin">
Order Deny,Allow
Deny from all
Allow from 192.168.1.111
</Directory>
Order/Deny/Allow is Apache 2.2 syntax that the Apache 2.4 shipped with CentOS 7 only accepts through mod_access_compat; the native 2.4 form is Require ip 192.168.1.111.
Disable .htaccess overrides, so per-directory files cannot re-enable what was turned off above:
AllowOverride None
Nginx
Hide the version string
server_tokens off;
This still leaves "nginx" in the Server header; to change the name as well, edit the strings in the source before compiling:
vim src/core/nginx.h
...
#define NGINX_VERSION "1.9.15"
#define NGINX_VER "nginx/" NGINX_VERSION
Deny PHP execution in upload directories
Principle: a directory that is writable must not be parsed, and a directory that is parsed must not be writable.
A single directory. Place this location before the generic \.php fastcgi location: nginx uses the first matching regex location in file order, so a deny rule placed after the PHP handler never fires. The original pattern had an unescaped dot and made the extension optional, which blocks every file under /upload/ including legitimate images:
location ~ ^/upload/.*\.(php|php5)$ {
deny all;
}
Multiple directories (the original ".." matched exactly two characters, so names longer than one character before ".php" slipped through):
location ~ ^/(administrator|upload)/.*\.php$ {
deny all;
}
Prohibit access to sensitive files in all directories; .svn and .git are directories, so they are matched by path component rather than by extension:
location ~ \.(sql|log|txt|rar|zip|sh|py)$ {
deny all;
}
location ~ /\.(svn|git) {
deny all;
}
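Because the deny rules above are only as good as their regular expressions and their position in the file, here is an added example (not from the original page) that tests the upload-directory patterns against sample request URIs and simulates nginx's first-match selection among regex locations. It uses grep -E as a stand-in for nginx's PCRE engine (the patterns use only syntax the two share); the URIs, the location names and the fastcgi pattern \.php(/.*)?$ are assumptions for the demonstration. The corrected patterns here also catch the path-info form /upload/shell.php/x.jpg, which a handler written as \.php(/|$) would otherwise execute.

```shell
#!/bin/sh
# Added example, not from the original page: checks the nginx "deny all" regexes
# for the upload directory against sample URIs, using grep -E in place of nginx's
# PCRE matching, and simulates the first-match rule for regex locations.

# Regexes as originally written on the page (BROKEN_*) and corrected forms (FIXED_*).
BROKEN_SINGLE='/upload/.*.(php|php5)?$'              # unescaped '.', extension optional
FIXED_SINGLE='^/upload/.*\.(php|php5)(/.*)?$'         # also catches shell.php/x.jpg
BROKEN_MULTI='^/(administrator|upload)/..(php)$'      # '..' is exactly two characters
FIXED_MULTI='^/(administrator|upload)/.*\.php(/.*)?$'

# The usual fastcgi handler location that must never see an uploaded file (assumed).
PHP_HANDLER='\.php(/.*)?$'

# DENY if the URI matches the location regex, ALLOW otherwise.
verdict() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then echo DENY; else echo ALLOW; fi
}

# Simulate nginx regex-location selection: arguments are name/regex pairs in
# configuration order; the first regex that matches the URI wins.
first_match() {
    uri=$1; shift
    while [ $# -ge 2 ]; do
        if printf '%s\n' "$uri" | grep -Eq -- "$2"; then echo "$1"; return 0; fi
        shift 2
    done
    echo none
}

# Usage: constructed URIs (a plain image, a web shell, a path-info trick, a short name).
for uri in /upload/avatar.png /upload/shell.php /upload/shell.php/x.jpg /upload/a.php; do
    echo "$uri: page-single=$(verdict "$BROKEN_SINGLE" "$uri")" \
         "fixed-single=$(verdict "$FIXED_SINGLE" "$uri")" \
         "page-multi=$(verdict "$BROKEN_MULTI" "$uri")" \
         "fixed-multi=$(verdict "$FIXED_MULTI" "$uri")"
done
# Deny rule placed after the handler: the handler wins and the upload executes.
echo "handler first: $(first_match /upload/shell.php php-handler "$PHP_HANDLER" deny-upload "$FIXED_SINGLE")"
# Deny rule placed before the handler: the deny wins.
echo "deny first:    $(first_match /upload/shell.php deny-upload "$FIXED_SINGLE" php-handler "$PHP_HANDLER")"
```

The run shows the two failure modes of the original patterns: the single-directory one denies the harmless image (so the whole upload directory breaks and the rule tends to get removed), while the multi-directory one allows /upload/shell.php and only denies the one-character name. The first_match output shows that even a correct pattern is useless after the handler, which is why the deny location must appear earlier in the file. Prefix locations marked ^~ preempt all regex locations, so a ^~ /upload/ block with deny rules is an alternative that does not depend on ordering.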
Disable unnecessary HTTP methods
if ($request_method !~ ^(GET|HEAD|POST)$)
{
return 405;
}
Run the nginx worker processes and php-fpm as an unprivileged account and group such as nobody (user nobody nobody; in nginx.conf, and user = nobody with group = nobody in the php-fpm pool configuration).
Lua + nginx