Basic tutorial on Linux VPS system security settings


Although Linux systems are more secure than Windows, some simple security configuration is still necessary. Many tools on the Internet run dictionary attacks against your administrator password; a few simple measures make their job harder and reduce the chance of a successful guess.

Today, I will share some of my experience with security settings for Linux VPS systems.

First, user permission security settings

The root account has unrestricted permissions, so a mistake made as root can be very damaging. Use a normal account for day-to-day work and switch to root with su only when needed.

1. Create a new user, for example chendexin

useradd chendexin

2. Set the new user's password, for example root123 (passwd prompts for the password twice)

passwd chendexin

3. Add the account to the wheel group (-a appends, so any existing supplementary groups are kept)

usermod -aG wheel chendexin

4. Allow only members of this group to switch to root with su

vim /etc/pam.d/su

Find the line #auth required pam_wheel.so use_uid

Remove the # at the beginning of the line to uncomment it, then save and exit with :wq.

Next: vim /etc/login.defs

Add SU_WHEEL_ONLY yes at the end, then save and exit with :wq.

PS: Equivalently, run echo "SU_WHEEL_ONLY yes" >> /etc/login.defs

Now a newly created normal account that is not in wheel can no longer use su to become root. Test it if you are interested.
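To verify the result of steps 3 and 4 without logging out and back in, here is a small audit script added to this tutorial (it is not part of the original post). It checks the three things the steps above change: the pam_wheel.so line in /etc/pam.d/su, SU_WHEEL_ONLY in /etc/login.defs, and the user's membership in wheel. The file paths are parameters so it can run against copies; without arguments it runs on constructed sample files rather than the live system.

```bash
#!/bin/sh
# Audit the "su only for wheel members" configuration from steps 3 and 4.
# Added example for this tutorial, not the original author's script.
# File paths are parameters so the checks can run against copies of the files.

# 0 if the pam_wheel.so use_uid line in the given /etc/pam.d/su is active
# (not commented out), 1 otherwise.
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so.*use_uid' "$1"
}

# 0 if the given login.defs has an active "SU_WHEEL_ONLY yes" line.
su_wheel_only_set() {
    grep -Eq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes' "$1"
}

# 0 if user $1 is listed as a member of wheel in the given /etc/group file.
in_wheel_group() {
    awk -F: -v u="$1" '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Run all three checks, print one line per check, return 0 only if all pass.
audit_su_restriction() {
    user="$1"; pam_su="$2"; login_defs="$3"; group_file="$4"
    rc=0
    if pam_wheel_enabled "$pam_su"; then
        echo "OK   pam_wheel.so use_uid is active in $pam_su"
    else
        echo "FAIL pam_wheel.so line is still commented out in $pam_su"; rc=1
    fi
    if su_wheel_only_set "$login_defs"; then
        echo "OK   SU_WHEEL_ONLY yes is set in $login_defs"
    else
        echo "FAIL SU_WHEEL_ONLY yes is missing from $login_defs"; rc=1
    fi
    if in_wheel_group "$user" "$group_file"; then
        echo "OK   $user is a member of wheel"
    else
        echo "FAIL $user is not in wheel and will be unable to su to root"; rc=1
    fi
    return $rc
}

# Usage:
#   sh audit_su.sh live [user]   check the real files (run as root)
#   sh audit_su.sh               check constructed sample files (default)
case "${1:-demo}" in
    live)
        audit_su_restriction "${2:-chendexin}" /etc/pam.d/su /etc/login.defs /etc/group ;;
    demo)
        # constructed sample files standing in for the real ones
        d=$(mktemp -d)
        printf 'auth\t\trequired\tpam_wheel.so use_uid\n' > "$d/su"
        printf 'UMASK 077\nSU_WHEEL_ONLY yes\n' > "$d/login.defs"
        printf 'wheel:x:10:chendexin\n' > "$d/group"
        audit_su_restriction chendexin "$d/su" "$d/login.defs" "$d/group"
        rm -rf "$d" ;;
esac
```

Run it before and after steps 3 and 4: a FAIL line on the pam_wheel.so check means the # was not removed, and a FAIL on wheel membership means the usermod step was skipped for that user.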

5. Delete unnecessary users and groups

Disable all default accounts created by the OS itself that are not needed. The more accounts there are, the larger the attack surface.

userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers

6. Lock the password files

Run chattr to set the immutable attribute on the following files so that they cannot be modified, which prevents unauthorized changes to accounts and passwords:

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

Note that while the attribute is set, useradd, usermod and passwd will fail; run chattr -i on these files before making account changes and chattr +i afterwards.

Second, SSH security settings (change the SSH port)

SSH listens on port 22 by default and everyone knows it, so we change it to a port known only to ourselves to make malicious port scanning harder. A port above 10000 is recommended, for example 23212. The change goes as follows:

PS: Before changing anything, run iptables -nL and confirm that the firewall has no rules restricting access to ports other than 22/80. Otherwise you may lock yourself out when you connect on the custom port after the change!

Edit the SSH configuration file: vim /etc/ssh/sshd_config

01. Find #Port 22, remove the #, and add Port 23212 on the line below it. (Keep port 22 for now; once a connection on 23212 succeeds, remove the Port 22 line. This is the safe way to do it.)

02. Find #UseDNS yes and change it to UseDNS no, which speeds up SSH logins;

03. Find #PermitRootLogin yes and change it to PermitRootLogin no, so root cannot log in remotely over SSH;

04. Find #PermitEmptyPasswords no and remove the #, to forbid login with an empty password.

Finally, save and exit with :wq, then run service sshd restart so the SSH service picks up the changes.

At this point, open a new terminal and test whether you can connect through port 23212. If you can, delete the Port 22 line you kept earlier and restart sshd again.
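The four edits above can also be applied by a script, which avoids typos in vim and can be rehearsed on a copy of the file first. The script below is an added example for this tutorial, not the author's procedure: harden_sshd_config takes the config file path and the new port as parameters, keeps Port 22 next to the new port exactly as the "insurance" step above describes, and is safe to run twice. validate_sshd_config calls sshd -t, which exists in OpenSSH, to syntax-check the result before the service is restarted.

```bash
#!/bin/sh
# Apply the four sshd_config edits from this section to a config file.
# Added example for this tutorial, not the original author's procedure; the
# file path and the new port are parameters so it can be tried on a copy first.

# Set "key value" in the file: the first existing line for that key, commented
# out or not, is replaced; any duplicates are dropped; if the key does not
# occur at all the directive is appended at the end.
set_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" k "([ \t]|$)"; done = 0 }
        $0 ~ re { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }' "$file" > "$tmp"
    mv "$tmp" "$file"
}

harden_sshd_config() {
    file="$1"; new_port="$2"
    # 01: keep Port 22 for now and add the custom port directly below it;
    #     delete the "Port 22" line only after a login on the new port works.
    set_directive "$file" Port 22
    tmp="$file.tmp.$$"
    awk -v p="$new_port" '{ print } $0 == "Port 22" { print "Port " p }' "$file" > "$tmp"
    mv "$tmp" "$file"
    # 02: do not reverse-resolve client addresses (faster logins)
    set_directive "$file" UseDNS no
    # 03: no direct root login over SSH; use the wheel account and su instead
    set_directive "$file" PermitRootLogin no
    # 04: never accept an empty password
    set_directive "$file" PermitEmptyPasswords no
}

# Syntax-check a config file with sshd itself before restarting the service.
validate_sshd_config() {
    sshd -t -f "$1"
}

# Usage (as root):  sh harden_sshd.sh /etc/ssh/sshd_config 23212
# then "service sshd restart" and test a login on the new port before removing
# the "Port 22" line. With no arguments the script only defines the functions.
if [ $# -eq 2 ]; then
    cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"   # keep a backup of the original
    harden_sshd_config "$1" "$2"
    validate_sshd_config "$1" && echo "sshd_config OK, now: service sshd restart"
fi
```

Because set_directive matches the key whether or not it is commented out and collapses duplicates, running the script a second time leaves the file unchanged, which matters when the same hardening is rolled out to several VPSes.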

Third, basic firewall settings

A VPS sits directly on a public IP, so the firewall still needs at least a basic configuration.

The plan is as follows:

The machine is used only as a web server, so only the SSH and HTTP ports need to be open, that is, ports 23212 and 80 as defined above. Because FTP is not used, port 21 does not appear in this example; adjust this to your actual usage.

1. Preparation

Working on the firewall carries a real risk that a wrong rule locks you out of your own server, so before touching the firewall set up a scheduled task as a safety net, for example:

Run crontab -e (as root) and add:

*/5 * * * * /etc/init.d/iptables stop

(A per-user crontab has no user column; the extra root field belongs only in /etc/crontab, where the line would read */5 * * * * root /etc/init.d/iptables stop.)

This stops the firewall every 5 minutes. Even if a mistake locks you out, the lockout lasts at most 5 minutes and causes no lasting harm. Remove the cron entry once the rules are confirmed to work, otherwise the firewall keeps being switched off. This is a handy trick!

2. Firewall setting script

The following script has been tested by the author; feel free to use it. Policy description:

01. Only HTTP (80) and SSH (the SSH port is detected automatically) are opened; everything else is refused. Add other ports on line 10 as needed, such as FTP port 21 or SMTP port 25.

02. One-way ping ban: external hosts cannot ping your public IP.

Policy script:

#!/bin/bash
ssh_port=`netstat -nutlp
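The author's script is cut off above, so here is an added example (not the author's code) that implements the same two-point policy: only HTTP (80) and the SSH port are accepted, inbound ping is dropped, everything else is refused. Instead of netstat, the SSH port is read from sshd_config, so that both ports are covered while Port 22 and Port 23212 coexist during the migration above; the config path is a parameter. The script prints the iptables commands by default and only runs them when told to, so the rule set can be reviewed first. The -m conntrack match is the current name of the state match found in older scripts of this kind.

```bash
#!/bin/sh
# Firewall policy from this section, generated as a reviewable list of
# iptables commands. Added example for this tutorial, not the author's script.
# The SSH port is taken from sshd_config rather than from netstat.

# Print every active "Port" value in the given sshd_config, one per line,
# or 22 (sshd's default) if the file is missing or sets none.
detect_ssh_ports() {
    if [ -r "$1" ]; then
        ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    else
        ports=""
    fi
    [ -n "$ports" ] || ports=22
    printf '%s\n' $ports   # unquoted on purpose: one line per port
}

# Emit the iptables commands for the policy. Accept rules come first and the
# DROP policy last, so an SSH session applying the rules is never cut off.
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # replies to connections the VPS itself opened (DNS, updates, own pings)
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # add further services here, e.g. FTP 21 or SMTP 25, only if really used
    # one-way ping ban: inbound echo requests are dropped; pings sent from the
    # VPS still work because their replies match the ESTABLISHED,RELATED rule
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
}

# Usage (as root):
#   sh firewall.sh            print the commands that would run (default)
#   sh firewall.sh apply      run them; then "service iptables save" to persist
sshd_cfg="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
case "${1:-show}" in
    apply) build_rules $(detect_ssh_ports "$sshd_cfg") | sh -e ;;
    show)  build_rules $(detect_ssh_ports "$sshd_cfg") ;;
esac
```

Keep the 5-minute cron safety net from step 1 active while running this with apply; once a fresh SSH login on the custom port succeeds with the rules in place, persist them and remove the cron entry.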
