One day, I got up early in the morning and found that a machine could not be operated through SSH, and the password was always wrong. The machine was completely exposed to the Internet. SSH was logged on as root, the firewall was not enabled, and several services were started. It was confirmed that a hacker had intruded, but this person was stupid enough to steal the host. He was so stupid that he had to change the root password. Instead, he had to go to the site for maintenance; the maintenance procedure is as follows:
1. Change the root password in single-user mode:
1. When the boot selection menu appears, press the up or down key to stay in the menu. Press 'e', select the kernel line, press 'e' again to edit it, and type single after =/ to boot into single-user mode. Press Enter to confirm.
2. Then press 'b' to boot into single-user mode.
3. Enter passwd at the prompt. You can now set the password again.
2. Prohibit the root user from logging on remotely through SSH and restrict remote logon for some users
Edit the /etc/ssh/sshd_config file.
Change the sshd listening port and disable remote logon by the root user:
vi /etc/ssh/sshd_config
Port 50022
Protocol 2
PermitRootLogin no
service sshd restart
[root@linuxsir001 root]# service sshd restart
3. Restrict remote logon for some users
This account is currently not available.
Sometimes, among users in the same group, some can log on remotely and some cannot. Check the account information (/etc/passwd): if the account's shell is /sbin/nologin, remote logon is prohibited. If you want to allow remote logon, change it to a shell that can be logged on to, such as /bin/bash.
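A check for steps 2 and 3, as an added example that is not part of the original post: it reports the PermitRootLogin value sshd would actually use and lists the accounts whose shell still permits logon. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). File paths are arguments.
# sshd keeps the FIRST value it reads for a keyword and matches keywords
# case-insensitively, so a later "PermitRootLogin no" does not override
# an earlier "permitrootlogin yes".
effective_sshd_value() {   # usage: effective_sshd_value FILE KEYWORD
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        { n = split($0, f, /[ \t=]+/) }        # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }      # global section only
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# Print accounts in a passwd-format FILE whose shell still permits logon.
# An empty shell field means /bin/sh, so it counts as a login shell.
login_capable_users() {    # usage: login_capable_users PASSWD_FILE
    awk -F: 'NF >= 7 && $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Print findings; the return status is the number of FINDING lines.
audit_host() {             # usage: audit_host SSHD_CONFIG PASSWD_FILE
    findings=0
    root_login=$(effective_sshd_value "$1" PermitRootLogin)
    if [ "$root_login" != "no" ]; then
        echo "FINDING: effective PermitRootLogin is '${root_login:-unset}'"
        findings=$((findings + 1))
    fi
    for user in $(login_capable_users "$2"); do
        [ "$user" = "root" ] && continue       # root is covered by sshd_config
        echo "REVIEW: $user has a login shell"
    done
    return "$findings"
}

# With two arguments audit those files; otherwise audit a constructed sample.
if [ "$#" -eq 2 ]; then audit_host "$1" "$2"; exit; fi
tmp=$(mktemp -d)
printf 'permitrootlogin yes\nPort 50022\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf 'root:x:0:0::/root:/bin/bash\nname:x:500:500::/home/name:/sbin/nologin\n' > "$tmp/passwd"
audit_host "$tmp/sshd_config" "$tmp/passwd" || true
rm -rf "$tmp"
```

On a live host, sshd -T prints the effective configuration and can be used to cross-check the result.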
4. Change user names and passwords:
Taking the user name "name" as an example:
Add a user: useradd name
Set the password: passwd name. Enter the password twice as prompted.
Delete a user: userdel name. The user is not completely deleted: the user can no longer log on, but the files in the user's directory are still retained.
5. GRUB password protection
There are two types of GRUB passwords: plaintext and MD5.
Plaintext password: edit the grub.conf file
vim /boot/grub/grub.conf and add the line password=1234567890 under default=0 (this is the plaintext password)
MD5 password: first run the command grub-md5-crypt to calculate the MD5 value, then copy this value into the grub.conf file: password --md5 $byxen$e5x/xots2ptpppwtgimhu1 (this is the value encrypted with MD5)
6. Enable the firewall and only allow SSH access
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport 50022 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 50022 -j ACCEPT
iptables-save > /home/iptables_bak
iptables-restore < /home/iptables_bak