- Principle of Minimal Operation
1.1 Minimal System Installation
When installing the Linux operating system, select only the essential package groups:
base--------------------------basic environment
editors-----------------------editors
development librarys------development libraries
development tools---------development tools
x software development--graphical interface development
system tools----------------system tools
1.2 Minimize Enabled Services
Disable all services at runlevel 3 and enable only essential ones:
for i in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $i off;done
for i in crond network syslog sshd;do chkconfig --level 3 $i on;done
Only keep: crond, network, syslog, sshd
1.3 Login Minimization Principle
Avoid logging in as root during daily operations. Use regular user accounts instead:
useradd developer ; echo "P@ssw0rd123" | passwd --stdin developer
- SSH Service Hardening
Modify the SSH configuration file to enhance security:
vim /etc/ssh/sshd_config
#ListenAddress 0.0.0.0 #listen on all interfaces
Port 52113 #custom SSH port
PermitRootLogin no #deny root login
PermitEmptyPasswords no #deny empty passwords
UseDNS no #disable DNS lookup
GSSAPIAuthentication no #disable GSSAPI authentication
- Sudo Configuration
Sudo allows regular users to execute specific privileged commands without root password.
3.1 Configuration via visudo
When granting full root privileges to a user, they can switch to root using sudo su - without knowing the root password, only their own password.
3.2 Configuraton Syntax
visudo directly edits the configuration with syntax checking:
# User authorization format
Username ALL=(ALL) ALL
User Host=(Target_Role) Commands
# Group authorization (use % prefix)
%groupname Host=(Target_Role) Commands
3.3 Alias Definitions
| Users/Groups | Hosts | Role Permissions | Commands |
|---|---|---|---|
| Root | ALL | (ALL) | ALL |
| User_Alias ADMIN=user1,user2 | Host_Alias HOSTS=server1,server2 | Runas_Alias RUNAS=root,oracle | Cmnd_Alias CMDS=/sbin/* |
3.4 Viewing Sudo Privileges
Users can check their sudo permistions:
sudo -l
3.5 Important Notes
a) Command aliases must use absolute paths
b) Alias names must contain uppercase letters, numbers, and underscores
c) Multiple members in an alias are separated by commas
d) Members must match their alias type (Host_Alias, User_Alias, Runas_Alias, Cmnd_Alias)
e) Each line represents one rule; use backslash for continuation
f) Runas target must be enclosed in parentheses; default is root
g) Use NOPASSWD: to execute without password
h) Use ! prefix to deny specific commands, placed after allowed commands
i) User groups must use % prefix
- User Session Timeout Configuration
echo "export TMOUT=300" >>/etc/profile #timeout in seconds
echo "export HISTSIZE=10" >>/etc/profile #command history count
history -c #clear history
history -d 5 #delete specific entry
- System Locale Configuration
Recommended: Change to appropriate locale for your region
Source the profile to apply changes: source /etc/profile
- Time Synchronization
6.1 Manual Time Setting
date -s "2024/01/15"
hwclock --systohc
date +%F\ %T
6.2 NTP Date Synchronization
ntpdate pool.ntp.org
6.3 NTP Server Configuration
Install ntp package (usually pre-installed):
rpm -qa | grep ntp
Edit /etc/ntp.conf:
restrict 0.0.0.0 mask 0.0.0.0 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
server 0.pool.ntp.org prefer
server 127.127.1.0 fudge
127.127.1.0 stratum 8
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
Parameter Explanations:
restrict IP_address mask subnet parameters
- ignore: disable all NTP connections
- nomodify: client cannot change server time parameters
- notrust: client must be authenticated
- noquery: disable time queries
6.4 Automated Time Sync via Cron
echo "#time sync task" >> /var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1" >> /var/spool/cron/root
- File Descriptor Limits
Edit /etc/security/limits.conf to permanently increase file descriptors:
vim /etc/security/limits.conf
#ulimit -n
#ulimit -a
# man limits.conf
Note: Adjust values based on actual needs. Logout and reconnect to apply changes.
- Kernel Parameter Tuning
Edit /etc/sysctl.conf:
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
sysctl -p #apply changes
- Locking Critical System Files
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
- Load Balancer Kernel Parameters
For LVS/HAProxy environments:
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
- Web Server Kernel Optimization
For Nginx/Apache production servers:
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 91500000 94371840
- CDN Cache Server Optimization
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_max_tw_buckets = 1800000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_synack_retries = 3
- Removing Login Banners
#Remove version information to prevent fingerprinting
cat /dev/null > /etc/issue #local login banner
cat /dev/null > /etc/issue.net #remote login banner
cat /dev/null > /etc/motd #message of the day
- TCP Wrappers Configuration
Control access to services via /etc/hosts.allow and /etc/hosts.deny:
/etc/hosts.allow takes precedence over /etc/hosts.deny
Optional: Remove unnecessary system accounts
- Optimization Summary
1) Use regular users with sudo instead of root
2) Change default SSH port and disable root login
3) Configure automatic time synchronization
4) Use local yum mirrors for faster updates
5) Disable SELinux and iptables (configure later)
6) Increase file descriptor limits
7) Schedule cleanup of /var/spool/clientmqueue/
8) Minimize startup services
9) Tune kernel parameters
10) Configure locale (English recommended to avoid encoding issues)
11) Lock critical system files
12) Clear /etc/issue to hide system information
- Kernel Crash Recovery
1) Reinstall system without partitioning
2) Select old /boot, / and swap partitions, remount and format
3) After installation, remount data partitions
This preserves user data.
- CentOS 7 Optimization Checklist
Disable SELinux
sed -i 's#SELINUX=.*#SELINUX=disabled#g' /etc/selinux/config
setenforce 0
getenforce
Disable Firewalld
systemctl stop firewalld
systemctl disable firewalld
Configure Sudo for Regular User
useradd developer
echo "SecurePass456" | passwd --stdin developer
cp /etc/sudoers{,.backup}
echo "developer ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
visudo -c
Set Locale
cp /etc/locale.conf{,.backup}
echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
source /etc/locale.conf
Time Synchronization
/usr/sbin/ntpdate ntp.aliyun.com
echo "*/5 * * * * /usr/sbin/ntpdate ntp.aliyun.com >/dev/null 2>&1" >> /var/spool/cron/root
Security Timeout Settings
echo 'export TMOUT=600' >> /etc/profile
echo 'export HISTSIZE=10' >> /etc/profile
echo 'export HISTFILESIZE=10' >> /etc/profile
source /etc/profile
Encrease File Descriptors
echo '* - nofile 65535' >> /etc/security/limits.conf
ulimit -SHn 65535
Kernel Tuning
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
iptables Tuning
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.wmem_max = 16777216
net.core.rmem_max = 16777216
Install Essential Tools
yum install tree nmap dos2unix lrzsz nc lsof wget tcpdump htop iftop iotop sysstat nethogs -y
yum install psmisc net-tools bash-completion vim-enhanced -y
Harden SSH
cp /etc/ssh/sshd_config{,.backup}
sed -i 's/^#Port 22/Port 22222/' /etc/ssh/sshd_config
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords yes/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd
Lock System Files
chattr +i /etc/passwd /etc/shadow /etc/group
chattr +i /etc/inittab /etc/fstab /etc/sudoers
Remove Login Banners
> /etc/issue.net
> /etc/issue
Remove Unnecessary Accounts
userdel -r adm
userdel -r lp
userdel -r games
userdel -r ftp
groupdel adm
groupdel lp
groupdel games
groupdel video
groupdel ftp
GRUB Password Protection
grub2-setpassword
cat /boot/grub2/user.cfg
Disable ICMP Ping
echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
sysctl -p
Apply System Updates
yum update -y
Minimize Startup Services
systemctl list-unit-files | grep enabled | grep -vE "sshd.service|crond.service|sysstat|rsyslog|NetworkManager|irqbalance" | awk '{print "systemctl disable",$1}' | bash
Production Environment Principles
1) Minimal software packages
2) Minimal user permissions
3) Minimal file/directory permissions
4) Minimal startup services
5) Minimal service running users