First, modify the SSH port
Vi/etc/ssh/sshd_config
Find the #port 22 (line 13th), remove #, and modify to Port 3333
Use the following command to reboot the SSH service, note: Log in later with the new port.
Service sshd Restart
Second, the prohibition of root landing
First add a new account 80st, you can customize:
Useradd 80st
Set password for Weidao account:
passwd 80st
Still modify the/etc/ssh/sshd_config file, line 39th: #PermitRootLogin Yes, remove the front # and change Yes to No, then restart the SSH service. Later, the first use of Weidao login, and then Su root can get root management rights.
Login as:80st
Weidao@ip password:*****
Last Login:tue Nov 15:18:18 from 1.2.3.4
Su Root
password:*********** #注这里输入ROOT的密码
Iii. use of DDoS deflate simple anti-drop cc and DDoS attacks
Use the netstat command to see if the current link to the VPS is being attacked:
Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n
IP front of the number, that is, the number of connections, if the normal web site, dozens of to 100 belong to the normal connection, but there are hundreds of, or thousands of it can be cultivated this IP and your VPS may be suspicious connection between the phenomenon.
You can use Iptables to ban the permanent access to this IP directly:
Iptables-a input-s 12.34.56.78-j DROP
The use of software DDoS deflate to automatically detect and ban the method, first of all to confirm the Iptables service state, the default CentOS installed, do not see the line.
Service Iptables Status
Install DDoS Deflat:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh
After installation needs to modify/usr/local/ddos/ddos.conf, mainly apf_ban=1 to set to 0, because to use iptables to seal some suspicious connection, pay attention to email_to= "root", so BAN which IP will have mail prompts:
##### Paths of the script and other files
Progdir= "/usr/local/ddos"
Prog= "/usr/local/ddos/ddos.sh"
Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list
cron= "/etc/cron.d/ddos.cron"//Timed execution procedure
apf= "/etc/apf/apf"
ipt= "/sbin/iptables"
##### frequency in minutes for running the script
##### caution:every time This setting is changed, run the script With–cron
##### option so the new frequency takes effect
Freq=1//Check time interval, default 1 minutes
##### How many connections define a bad IP? indicate that below.
no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be
##### apf_ban=1 (Make sure your APF version is atleast 0.96)
##### apf_ban=0 (Uses iptables for banning IPs instead of APF)
Apf_ban=1//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0.
##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script)
##### kill=1 (recommended setting)
Kill=1//Whether shielding IP, the default can
##### an email was sent to the following address when a IP is banned.
##### Blank would suppress sending of mails
email_to= "root"///when IP is blocked to send mail to the specified mailbox, recommended to use, change your own mailbox can
##### number of seconds the banned IP should remain in blacklist.
ban_period=600//Disable IP time, default 600 seconds, can be adjusted according to the situation
Iv. use Iftop to view detailed network conditions
Install iftop Software:
Yum-y Install Flex BYACC libpcap ncurses ncurses-devel libpcap-devel
wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
Tar zxvf iftop-0.17.tar.gz
CD iftop-0.17
./configure
Make && make install
After installation, run with Iftop to view the network situation. TX, send flow, RX, receiving flow, total, overall flow, Cumm, running iftop period flow, peak, peak flow, rates, representing 2 seconds, 10 seconds, 40 seconds of average flow.
Accelerator: H Help, n toggle display IP host name, s whether to display the local information, d whether to display the remote information, n switch port service name, b switch whether the number of hours flow graph bar.
V. Upgrade the Nginx in Lnmp to the latest edition
Now the latest version is 0.8.53, if the next release, as long as the update version number can be run in SSH:
wget http://www.nginx.org/download/nginx-0.8.53.tar.gz
Tar zxvf nginx-0.8.53.tar.gz
CD nginx-0.8.53
./configure–user=www–group=www–prefix=/usr/local/nginx–with-http_stub_status_module–with-http_ssl_module– With-http_sub_module
Make
Mv/usr/local/nginx/sbin/nginx/usr/local/nginx/sbin/nginx.old
CD objs/
CP nginx/usr/local/nginx/sbin/
/usr/local/nginx/sbin/nginx-t
KILL-USR2 ' Cat/usr/local/nginx/logs/nginx.pid '
Kill-quit ' Cat/usr/local/nginx/logs/nginx.pid.oldbin '
/usr/local/nginx/sbin/nginx-v
Cd..
Cd..
RM-RF nginx-0.8.53
RM-RF nginx-0.8.53.tar.gz
Vi. Common netstat commands:
1. View the number of connections for all 80 ports
Netstat-nat|grep-i "80″|wc-l
2. To sort the connected IP by number of connections
Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n
3. View TCP connection Status
Netstat-nat |awk ' {print $} ' |sort|uniq-c|sort-rn
Netstat-n | awk '/^tcp/{++s[$NF]}; End {for (a in S) print A, s[a]} '
Netstat-n | awk '/^tcp/{++state[$NF]}; End {for (key) print key, "T", State[key]} '
Netstat-n | awk '/^tcp/{++arr[$NF]}; End {to (k in arr) print K, "T", arr[k]} '
Netstat-n |awk '/^tcp/{print $NF} ' |sort|uniq-c|sort-rn
Netstat-ant | awk ' {print $NF} ' | Grep-v ' [A-z] ' | Sort | Uniq-c
4. View the maximum number of 80 port connections 20 IP
Netstat-anlp|grep 80|grep Tcp|awk ' {print $} ' |awk-f: ' {print $} ' |sort|uniq-c|sort-nr|head-n20
Netstat-ant |awk '/:80/{split ($5,ip, ":"); ++a[ip[1]]}end{for (i in A) print A,i} ' |sort-rn|head-n20
5. Use tcpdump to sniff the 80-port access to see who is the tallest
Tcpdump-i ETH0-TNN DST Port 80-c 1000 | Awk-f "." ' {print $1″. ' $2″. " $3″. " $} ' | Sort | uniq-c | Sort-nr |head-20
6. Find more time_wait connections
Netstat-n|grep Time_wait|awk ' {print $} ' |sort|uniq-c|sort-rn|head-n20
7. Search for more SYN connections
Netstat-an | grep SYN | awk ' {print $} ' | Awk-f: ' {print $} ' | Sort | uniq-c | Sort-nr | More