Linux system vps server entry level security configuration guide

Although Linux systems are much more secure than Windows, some simple security configurations are necessary.

There are many tools on the Internet that use a dictionary to scan your administrator password. We can create some trouble and increase the possibility of being deciphered. Let's take a look at the entry-level security configuration.

First: remote management port

Modify the login port of ssh, the default port is 22. Scanning dictionary exhaustive passwords are all starting from the default.

If you change the port to 4 digits, it will greatly improve their difficulty and time.

Use the vi command to edit the ssh configuration file (the vi command uses several simple commands such as editing and saving and exiting. If you are not familiar or will not be able to search Baidu or this site):

vi /etc/ssh/sshd_config

Locate #Port 22, remove the previous #, and change it to Port 1998 (this number should use 4 digits as much as possible to avoid being used by other ports),

, restart sshdservice sshd restart,

Don't forget to restart the ssh client to change the new port before logging in.

Second, set a strong password for the root user (preferably 10 or more: the letter + number is so difficult to be deciphered by the dictionary is as difficult as the lottery ticket)

This general The background can be modified, such as the SolusVM platform can be directly modified:

If other management panels do not change the password function, you can also use the passwd command in ssh to modify:

(of course, you can also disable the root user to create A new user gives root privileges but the Hawks think it's not necessary as long as the password is strongly deciphered.

Third, small-scale defense ddos ​​and cc

ddos ​​has appeared for many years, 90% of domestic computer rooms have certain defense capabilities, (with hardware firewall) attack principle is very simple Block your network with fake data packets, but most foreign IDCs don't provide defense. We can only use software assistance to mitigate attacks to a certain extent. But this has a lot to do with the server hardware configuration and bandwidth. Generally, it can only defend against small-scale attacks. If the traffic is large, it will still be embarrassing.

The Windows platform has soft defense and modify the registry to achieve this goal. The software under Linux is introduced today by DDos deflate and the system's own iptables. The specific operations are as follows:

The service iptables staus service is usually included by default;

Then start the installation;

After the installation is completed, the following is displayed:

After the installation is complete, you need to configure the file with vi editing. :

vi /usr/local/ddos/ddos.conf

Here is mainly APF_BAN=1 is changed to 0 (using iptables), and EMAIL_TO=”root” can be modified by root For your email address, so which system does the IP, you will be prompted by email.

There are some problems with the system default whitelist, and there are often mistakes. Therefore, it is best to set the manual whitelist and not modify it.

After the above configuration, the basic security configuration is OK. Of course, there are many similar free firewalls under the liunx platform, but basically all of them are in English. It takes more learning to practice.