Although Linux systems are more secure than Windows, some simple security configuration is still necessary. There are many tools on the Internet that use a dictionary to scan for your administrator password; with a few settings we can make it much harder for them to succeed.
Today I will share some experience with security settings for Linux VPS systems.
First, user permission security settings
root's permissions are very high and a slip is dangerous, so use a normal account for daily work and only use su to switch to root when needed.
1. Create a new user, for example chendexin
useradd chendexin
2. Set its password, for example root123 (passwd takes the user name and then prompts for the password)
passwd chendexin
3. Add the account to the wheel group
usermod -G wheel chendexin
(For a user that already belongs to other groups, use usermod -aG wheel so the existing groups are kept.)
4. Allow only accounts in this group to use su to switch to root
vim /etc/pam.d/su
Find #auth required pam_wheel.so use_uid
Remove the # at the start of the line, then use :wq to save and exit.
Next, vim /etc/login.defs
Add SU_WHEEL_ONLY yes at the end, then use :wq to save and exit.
Ps: Executing echo "SU_WHEEL_ONLY yes">>/etc/login.defs does the same thing.
Now a newly created normal account that is not in wheel can no longer use su to become root. Test it if you are interested.
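To confirm that step 4 actually took effect, here is an added audit script (not from the original post) that checks the three pieces of the su restriction. The file paths are parameters, so it can be pointed at copies of the files; the user name chendexin is the example from above.

```shell
#!/bin/sh
# Added example: verify the su-to-root restriction configured above.
# All paths are parameters so the checks can run against test copies.

# 0 when an uncommented "auth required pam_wheel.so" line is present in the PAM su config.
pam_wheel_enabled() {
    pam_su="${1:-/etc/pam.d/su}"
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$pam_su"
}

# 0 when login.defs sets SU_WHEEL_ONLY yes (last uncommented occurrence wins).
su_wheel_only_set() {
    login_defs="${1:-/etc/login.defs}"
    val=$(grep -E '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+' "$login_defs" | tail -n 1 | awk '{print $2}')
    [ "$val" = "yes" ]
}

# 0 when the user is listed as a member of wheel in the group file.
user_in_wheel() {
    user="$1"; group_file="${2:-/etc/group}"
    grep -E '^wheel:' "$group_file" | cut -d: -f4 | tr ',' '\n' | grep -qx "$user"
}

# Overall verdict: 0 only if all three checks pass; prints whatever is missing.
audit_su_restriction() {
    user="$1"; pam_su="$2"; login_defs="$3"; group_file="$4"; rc=0
    pam_wheel_enabled "$pam_su"         || { echo "pam_wheel.so is not enabled in $pam_su"; rc=1; }
    su_wheel_only_set "$login_defs"     || { echo "SU_WHEEL_ONLY yes is missing in $login_defs"; rc=1; }
    user_in_wheel "$user" "$group_file" || { echo "$user is not a member of wheel"; rc=1; }
    return $rc
}

# Only touch the real system files when explicitly asked: ./audit.sh --check chendexin
if [ "${1:-}" = "--check" ]; then
    audit_su_restriction "${2:-chendexin}" /etc/pam.d/su /etc/login.defs /etc/group
fi
```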
5. Delete unnecessary users and groups
Disable all default accounts that the OS creates by itself and that you do not need. The more accounts there are, the more exposed the system is to attack. Check first that no service on the machine still uses an account (an FTP daemon, for example, may rely on ftp) before removing it.
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers
6. Lock the password files
Run chattr to add the immutable attribute to the following files so that unauthorized users cannot modify them.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
Note that while the attribute is set, useradd, usermod and passwd will also fail; run chattr -i on these files before making account changes and chattr +i again afterwards.
Second, SSH security settings (change the SSH port)
SSH uses port 22 by default, which everyone knows, so we need a custom port number known only to ourselves to make malicious port scanning harder. It is recommended to change the SSH port to something above 10000, for example 23212, as follows:
Ps: Before modifying anything, run iptables -nL to confirm that the firewall has no rules restricting access other than for 22/80. Otherwise, connecting over the custom port after the change may end in tragedy!
vim /etc/ssh/sshd_config (edit the SSH configuration file)
01. Find #Port 22, remove the #, and add Port 23212 below it (keep port 22 for now; once 23212 connects successfully, remove 22. This is the safe practice.)
02. Find #UseDNS yes and change it to UseDNS no; this speeds up ssh connections.
03. Find #PermitRootLogin yes and change it to PermitRootLogin no, so that root cannot log in remotely via ssh.
04. Find #PermitEmptyPasswords no and remove the #, to disable login with an empty password.
Finally, use :wq to save and exit, then run service sshd restart so the changes take effect.
At this point, open a new terminal and test whether you can connect through port 23212. If you can, delete the port 22 line kept earlier.
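Before restarting sshd it is worth checking the file rather than trusting the edit, because sshd takes the first occurrence of a keyword and matches keywords case-insensitively, so a stray PermitRootLogin yes higher up would silently win. The following checker is an added example, not from the original post; the file path and the expected port are parameters.

```shell
#!/bin/sh
# Added example: report whether sshd_config matches the four settings above.
# sshd uses the FIRST uncommented occurrence of a keyword, so that is what we read.

# Print the effective value of a keyword (first uncommented match), or nothing.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Print every Port directive, space separated, so a leftover "Port 22" is visible.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# 0 when the config matches the hardening steps; prints each deviation found.
check_sshd_config() {
    cfg="$1"; want_port="$2"; rc=0
    ports=$(sshd_ports "$cfg")
    case " $ports " in
        *" $want_port "*) ;;
        *) echo "Port $want_port is not configured (ports: ${ports:-none})"; rc=1 ;;
    esac
    case " $ports " in
        *" 22 "*) echo "Port 22 is still configured; remove it once $want_port works"; rc=1 ;;
    esac
    [ "$(sshd_value PermitRootLogin "$cfg")" = "no" ]      || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_value PermitEmptyPasswords "$cfg")" = "no" ] || { echo "PermitEmptyPasswords is not 'no'"; rc=1; }
    [ "$(sshd_value UseDNS "$cfg")" = "no" ]               || { echo "UseDNS is not 'no'"; rc=1; }
    return $rc
}

# Run against the live config only when asked: ./check_sshd.sh --check 23212
if [ "${1:-}" = "--check" ]; then
    check_sshd_config /etc/ssh/sshd_config "${2:-23212}"
fi
```

A clean result here still does not replace the live test in the new terminal, since the firewall can block the new port even when the config is right.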
Third, simple firewall security settings
A VPS sits directly on a public IP, so the firewall still needs at least some simple settings.
The plan is as follows:
The machine is used only as a web server, so only the SSH and HTTP ports need to be opened, that is, ports 23212 and 80 as defined above. Because FTP is not used, port 21 does not appear in this example; adjust it to your actual needs.
1. Preparation
Operating the firewall carries a real risk of mistakes, and a mistake can easily lock you out, so before touching the firewall, first set up a scheduled task. For example:
Run crontab -e and add:
*/5 * * * * /etc/init.d/iptables stop
(A personal crontab has five time fields followed directly by the command; the extra user field only exists in /etc/crontab.)
This stops the firewall every 5 minutes, so even if you lock yourself out by mistake, the firewall is stopped within 5 minutes and no tragedy results. Remove the entry again once the rules are confirmed to work. This is a useful trick!
2. Firewall setting script
The following code has been tested and works; feel free to use it. Policy description:
01. Only HTTP (80) and SSH (the port is detected automatically) are opened; everything else is refused. You can add other ports on line 10 according to your actual needs, such as FTP port 21 or SMTP port 25.
02. One-way ping ban, that is, external IPs cannot ping your public IP.
Policy code:
#!/bin/bash
ssh_port=`netstat -nutlp
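The post's script is cut off above. As an added example (not the author's script), the following implements the two policy points stated: open only HTTP and the SSH port, drop inbound ping. It assumes the SSH port is read from sshd_config rather than from netstat, and it applies nothing unless run with the word apply, so the ruleset can be inspected first.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the policy above.
# Default policy DROP, accept loopback and established traffic, open 80 and the
# SSH port (plus any extra TCP ports given on the command line), drop echo-request.

# First uncommented "Port" line in sshd_config; empty when the default 22 is in use.
detect_ssh_port() {
    awk 'tolower($1) == "port" { print $2; exit }' "${1:-/etc/ssh/sshd_config}"
}

# Emit the ruleset. $1 = SSH port, remaining args = extra TCP ports to open (e.g. 21 25).
build_rules() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in 80 "$ssh_port" "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # One-way ping ban: drop incoming echo-request, but keep other ICMP (for example
    # destination-unreachable, needed for path MTU discovery). Replies to our own
    # pings are already accepted by the ESTABLISHED rule above.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Apply only when explicitly asked: ./fw.sh apply [extra ports...]
# Otherwise: ./fw.sh show [extra ports...] prints the ruleset for review.
if [ "${1:-}" = "apply" ] || [ "${1:-}" = "show" ]; then
    mode="$1"; shift
    port=$(detect_ssh_port)
    if [ "$mode" = "apply" ]; then
        build_rules "${port:-22}" "$@" | iptables-restore
    else
        build_rules "${port:-22}" "$@"
    fi
fi
```

Keep the crontab safety net from step 1 in place while testing, and only remove it after the SSH connection on the new port survives an applied ruleset.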