Although Linux systems are more secure than Windows, some basic security configuration is still necessary. There are many tools on the Internet that run dictionary attacks against the administrator password; with a few settings we can make their job harder and reduce the chance of the password being cracked.
Today I will share some experience with security settings for Linux VPS systems.
Part One: User permission security settings
root's privileges are very high and a mistake made as root is dangerous, so use a normal account for daily work and switch to root with su only when needed.
1. Create a new user, for example chendexin.
2. Set its password, for example root123.
3. Add the account to the wheel group:
usermod -G wheel chendexin
4. Allow only accounts in this group to switch to root with su:
vim /etc/pam.d/su
Find the line #auth required pam_wheel.so use_uid, remove the # at the beginning of the line, then save and exit with :wq.
Next, vim /etc/login.defs
Add SU_WHEEL_ONLY yes at the end, then save and exit with :wq.
PS: Running echo "SU_WHEEL_ONLY yes" >> /etc/login.defs does the same thing.
Now a newly created normal account that is not in wheel can no longer use su to switch to root. Test it if you are interested.
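The steps above as one idempotent script, added here as an example and not part of the original post: re-running it never duplicates the pam_wheel or SU_WHEEL_ONLY lines, and it verifies the result. The function names and the PAM_SU/LOGIN_DEFS variables are this example's own; the file paths default to the real system files but can be pointed at copies for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: the "wheel-only su" steps applied
# idempotently (re-running never duplicates lines) with a check at the end.
# File paths default to the real system files but can be overridden, so the
# editing functions can be exercised against copies first.
PAM_SU="${PAM_SU:-/etc/pam.d/su}"
LOGIN_DEFS="${LOGIN_DEFS:-/etc/login.defs}"

# The pam_wheel line the post tells you to uncomment, as an ERE.
PAM_WHEEL_RE='auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid'

# Step 4a: activate "auth required pam_wheel.so use_uid" in /etc/pam.d/su by
# removing the leading "#"; a no-op if the line is already active.
enable_pam_wheel() {
    file="$1"
    grep -Eq "^[[:space:]]*${PAM_WHEEL_RE}" "$file" && return 0
    sed -i -E "s/^[[:space:]]*#[[:space:]]*(${PAM_WHEEL_RE})/\1/" "$file"
}

# Step 4b: SU_WHEEL_ONLY yes in login.defs. Replaces an existing (even
# commented-out) setting instead of appending a second copy the way a plain
# "echo >>" does on every run.
set_su_wheel_only() {
    file="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*SU_WHEEL_ONLY([[:space:]]|$)' "$file"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*SU_WHEEL_ONLY([[:space:]].*)?$/SU_WHEEL_ONLY yes/' "$file"
    else
        printf 'SU_WHEEL_ONLY yes\n' >> "$file"
    fi
}

# Returns 0 when both settings are in effect in the given files.
verify_wheel_only() {
    grep -Eq "^[[:space:]]*${PAM_WHEEL_RE}" "$1" &&
    grep -Eq '^SU_WHEEL_ONLY[[:space:]]+yes([[:space:]]|$)' "$2"
}

# Steps 1, 3 and 4 for one account; run as root against the real files.
# The password (step 2) is then set interactively with "passwd <user>".
setup_wheel_user() {
    user="$1"
    id "$user" >/dev/null 2>&1 || useradd -m "$user"
    # -a appends to the supplementary groups; a bare -G would replace them
    usermod -aG wheel "$user"
    enable_pam_wheel "$PAM_SU"
    set_su_wheel_only "$LOGIN_DEFS"
    verify_wheel_only "$PAM_SU" "$LOGIN_DEFS"
}

# Example invocation (needs root): setup_wheel_user chendexin && passwd chendexin
```

To try it on copies first, export PAM_SU and LOGIN_DEFS pointing at copies of the two files, source the script, and call the functions; verify_wheel_only returns non-zero if either setting did not take.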
5. Delete unnecessary users and groups
Disable all default accounts created by the OS itself that are not needed. The more accounts there are, the more exposed the system is to attack.
6. Lock the password files
Run chattr to set the immutable attribute on the following files so that they cannot be modified without authorization:
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
Note that while the immutable attribute is set, commands such as useradd and passwd fail; remove it with chattr -i before making account changes and set it again afterwards.
Part Two: SSH security settings (changing the SSH port)
SSH uses port 22 by default, which everyone knows, so set a custom port that only you know to make malicious port scans harder. A port above 10000 is recommended, for example 23212. Change it as follows:
PS: Before making the change, run iptables -nL to confirm that the firewall has no rules restricting access to ports other than 22/80. Otherwise, connecting on the custom port after the change may end in tragedy!
vim /etc/ssh/sshd_config (edit the SSH configuration file)
01. Find #Port 22, remove the #, and add Port 23212 on the line below. Keep port 22 for now and remove it only after a connection on 23212 succeeds; this is the safe approach.
02. Find #UseDNS yes and change it to UseDNS no; this speeds up SSH connections.
03. Find #PermitRootLogin yes and change it to PermitRootLogin no, so that root cannot log in remotely over SSH.
04. Find #PermitEmptyPasswords no and remove the #, to disallow logins with an empty password.
Finally, save and exit with :wq, then run service sshd restart to restart the SSH service for the changes to take effect.
At this point, open a new terminal and test whether you can connect through port 23212. If you can, delete the port 22 line kept earlier.
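The four sshd_config edits above as a script, added here as an example and not part of the original post. It applies each change in place (replacing a commented directive rather than appending a duplicate), keeps port 22 alongside the new port exactly as the post recommends, and checks the file with sshd -t before restarting, since a typo in sshd_config would otherwise leave no working SSH daemon after the restart. The function names are this example's own; 23212 is the post's example port.

```shell
#!/bin/sh
# Added example, not from the post: apply the post's sshd_config changes
# idempotently and validate the result before restarting sshd.

# Set "Key Value" in an sshd_config-style file: replace the first matching
# directive (active or commented out) in place, or append it if absent.
set_sshd_directive() {
    file="$1"; key="$2"; value="$3"
    tmp=$(mktemp)
    awk -v key="$key" -v val="$value" '
        BEGIN { done = 0; lk = tolower(key) }
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # ignore indentation and a leading "#"
            split(line, f, /[[:space:]]+/)
            if (!done && tolower(f[1]) == lk) { print key " " val; done = 1; next }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original file mode and owner
    rm -f "$tmp"
}

# Step 01: activate the existing Port line (e.g. "#Port 22" becomes "Port 22")
# and add the new port right below it, so both stay open until the new one is
# verified. A no-op if the new port is already active.
add_sshd_port() {
    file="$1"; port="$2"
    grep -Eq "^[[:space:]]*[Pp]ort[[:space:]]+${port}"'([[:space:]]|$)' "$file" && return 0
    tmp=$(mktemp)
    awk -v port="$port" '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, /[[:space:]]+/)
            if (!done && tolower(f[1]) == "port") {
                print line             # keep the old port active for now
                print "Port " port     # listen on the new port as well
                done = 1; next
            }
            print
        }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Steps 01-04 from the post against one file.
harden_sshd_config() {
    file="$1"; newport="$2"
    add_sshd_port "$file" "$newport"
    set_sshd_directive "$file" UseDNS no
    set_sshd_directive "$file" PermitRootLogin no
    set_sshd_directive "$file" PermitEmptyPasswords no
}

# Print the active Port values, one per line, to confirm both ports are present.
active_ports() {
    awk 'tolower($1)=="port" {print $2}' "$1"
}

# Only restart when sshd accepts the new file (needs root and a real sshd).
validate_and_restart() {
    sshd -t -f "$1" && service sshd restart
}

# Typical use on the real system, as root:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 23212 && validate_and_restart /etc/ssh/sshd_config
```

After the restart, connect on the new port from a second terminal before removing the Port 22 line, as the post describes; if sshd -t rejects the file, the running daemon is left untouched and the backup can be restored.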
Part Three: Simple firewall settings
A VPS sits directly on a public IP, so the firewall still needs at least a simple configuration.
The plan is as follows:
The machine is used only as a web server, so only the SSH and HTTP ports need to be open, i.e. port 23212 defined above and port 80. FTP is not used here, so port 21 is not included in this example; adjust to your actual needs.
1. Preparation
Working on the firewall carries a real risk of a mistake locking you out, so before touching it, set up a scheduled task. Run crontab -e and add:
*/5 * * * * /etc/init.d/iptables stop
This stops the firewall every 5 minutes, so even if a mistaken rule locks you out, the firewall stops within 5 minutes and no harm is done. Note that a per-user crontab edited with crontab -e has no user column; the user field is only used in /etc/crontab. This is a useful trick!
2. Firewall setting script
The following script has been tested and can be used as is. Policy description:
01. Only HTTP (80) and SSH (the port is taken automatically from the SSH configuration) are opened; all other ports are refused. Other ports, such as FTP (21) or SMTP (25), can be added on line 10 of the script as needed.
02. One-way ping ban: external hosts cannot ping your public IP.
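The post's own script is not reproduced on this page. As an added example, not the author's code, here is one way to implement the policy just described with an iptables-restore ruleset: default DROP on INPUT, loopback and established traffic allowed, inbound ping dropped while outbound ping keeps working (the replies match ESTABLISHED), and the SSH port(s) read from sshd_config so that both 22 and 23212 stay open during the transition from Part Two. Extra ports are passed as arguments instead of being edited in by line number. It assumes the conntrack match is available, which it is on any current Linux kernel with iptables; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the post's script: an iptables-restore ruleset for
# "only SSH and HTTP in, no inbound ping".

# Print every active "Port" value from an sshd_config, one per line; falls
# back to 22 when the file is missing or has no Port line.
detect_ssh_ports() {
    ports=""
    [ -r "$1" ] && ports=$(awk 'tolower($1)=="port" {print $2}' "$1")
    echo "${ports:-22}"
}

# Emit the ruleset. Each argument is a TCP port to accept new connections on
# (80 plus the SSH port here; add 21 or 25 as arguments if you run FTP/SMTP).
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Load the ruleset atomically (all or nothing, unlike a series of iptables -A
# calls) after iptables-restore has parsed it in test mode. Needs root.
apply_ruleset() {
    rules=$(build_ruleset "$@")
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# Typical use, with the safety cron job from the post still in place:
#   apply_ruleset 80 $(detect_ssh_ports /etc/ssh/sshd_config)
#   iptables -nL    # confirm, then open a new terminal and connect on the SSH port
```

Because the rules are loaded with iptables-restore, a typo rejects the whole file instead of leaving a half-applied chain; the default policy of DROP is what refuses every port not listed, and the echo-request rule only affects pings coming in, since your own outgoing pings are answered through the ESTABLISHED rule above it.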