- Disable the system from responding to any pings from outside/inside
If no one can ping the machine and receive a response, then the security of the server is greatly enhanced. Linux can perform the following settings to prohibit the ping operation.
[root@localhost ~]# echo "1">/proc/sys/net/ipv4/icmp_cho_ignore_all
See the screenshot below to disable the ping command:
By default, the icmp_echo_ignore_all value is 0, which means responding to ping operations.
The above command can be added to the /etc/rc.d/rc.local file to run it automatically after every system reboot.
2. Limit the number of historical commands recorded by the Shell
By default, the Bash Shell will store up to 1000 command records in $HOME/.bash_history. There is such a file in the home directory of every user in the system.
It is not safe to store so many historical command records, so the size of the file must be limited.
You can edit the /etc/profile file to modify the following options.
HISTSIZE=30
This means that the last 30 historical commands are recorded in the file $HOME/.bash_history. If "HISTSIZE" is set to 0, it means that historical commands are not recorded, so you cannot use the up and down keys of the keyboard to search for historical commands.
Three delete unnecessary users and groups in the system
The Linux system provides various system accounts. After the system is installed, if some users and groups are not needed, it must be deleted immediately. Therefore, the more accounts, the less secure the system, and the more vulnerable it is to attack.
Delete unnecessary users of the system with the following command.
[root@localhost ~]# userdel usename
Delete unnecessary groups in the system with the following command.
[root@localhost ~]# groupdel groupname
The default users that can be deleted in Linux are: adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc. The groups that can be deleted are adm, lp, news, uucp, games, dip, pppusers, popusers , slipusers, etc.
4 Turn off SELinux
SELinux, short for Security-Enhanced Linux, is a kernel mandatory access control (MAC) security system. Currently,
SELinux has been integrated into the Linux 2.6 mainline and most Linux distributions. Since
there are still some problems in the compatibility of SELinux with existing Linux applications and Linux kernel modules, it is recommended that beginners turn off SELinux first , and
it is not too late to study SELinux
after they have a deep understanding of Linux .
To check whether SELinux is enabled on a Linux system
, you can use the getenforce command.
[root@localhost ~]# getenforce
Enforcing
To turn off
SELinux, in CentOS series distributions, you can directly modify the following files.
[root@localhost ~]# vi /etc/sysconfig/selinux
SELINUX=disabled, SELinux will be stopped after restarting the system.