Common methods of VPS Security Configuration Detail

Source: Internet
Author: User
Tags time interval ssh vps iptables ssh port

First, modify the SSH port

Vi/etc/ssh/sshd_config

Find the #port 22 (line 13th), remove #, and modify to Port 3333

Use the following command to reboot the SSH service, note: Log in later with the new port.

Service sshd Restart

Second, the prohibition of root landing

First add a new account 80st, you can customize:

Useradd 80st

Set password for Weidao account:

passwd 80st

Still modify the/etc/ssh/sshd_config file, line 39th: #PermitRootLogin Yes, remove the front # and change Yes to No, then restart the SSH service. Later, the first use of Weidao login, and then Su root can get root management rights.

Login as:80st
Weidao@ip password:*****
Last Login:tue Nov 15:18:18 from 1.2.3.4
Su Root
password:*********** #注这里输入ROOT的密码

Iii. use of DDoS deflate simple anti-drop cc and DDoS attacks

Use the netstat command to see if the current link to the VPS is being attacked:

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n

IP front of the number, that is, the number of connections, if the normal web site, dozens of to 100 belong to the normal connection, but there are hundreds of, or thousands of it can be cultivated this IP and your VPS may be suspicious connection between the phenomenon.

You can use Iptables to ban the permanent access to this IP directly:

Iptables-a input-s 12.34.56.78-j DROP

The use of software DDoS deflate to automatically detect and ban the method, first of all to confirm the Iptables service state, the default CentOS installed, do not see the line.

Service Iptables Status

Install DDoS Deflat:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh

After installation needs to modify/usr/local/ddos/ddos.conf, mainly apf_ban=1 to set to 0, because to use iptables to seal some suspicious connection, pay attention to email_to= "root", so BAN which IP will have mail prompts:

##### Paths of the script and other files
Progdir= "/usr/local/ddos"
Prog= "/usr/local/ddos/ddos.sh"
Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list
cron= "/etc/cron.d/ddos.cron"//Timed execution procedure
apf= "/etc/apf/apf"
ipt= "/sbin/iptables"
##### frequency in minutes for running the script
##### caution:every time This setting is changed, run the script With–cron
##### option so the new frequency takes effect
Freq=1//Check time interval, default 1 minutes
##### How many connections define a bad IP? indicate that below.
no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be
##### apf_ban=1 (Make sure your APF version is atleast 0.96)
##### apf_ban=0 (Uses iptables for banning IPs instead of APF)
Apf_ban=1//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0.
##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script)
##### kill=1 (recommended setting)
Kill=1//Whether shielding IP, the default can
##### an email was sent to the following address when a IP is banned.
##### Blank would suppress sending of mails
email_to= "root"///when IP is blocked to send mail to the specified mailbox, recommended to use, change your own mailbox can
##### number of seconds the banned IP should remain in blacklist.
ban_period=600//Disable IP time, default 600 seconds, can be adjusted according to the situation

Iv. use Iftop to view detailed network conditions

Install iftop Software:

Yum-y Install Flex BYACC libpcap ncurses ncurses-devel libpcap-devel
wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
Tar zxvf iftop-0.17.tar.gz
CD iftop-0.17
./configure
Make && make install

After installation, run with Iftop to view the network situation. TX, send flow, RX, receiving flow, total, overall flow, Cumm, running iftop period flow, peak, peak flow, rates, representing 2 seconds, 10 seconds, 40 seconds of average flow.

Accelerator: H Help, n toggle display IP host name, s whether to display the local information, d whether to display the remote information, n switch port service name, b switch whether the number of hours flow graph bar.

V. Upgrade the Nginx in Lnmp to the latest edition

Now the latest version is 0.8.53, if the next release, as long as the update version number can be run in SSH:

wget http://www.nginx.org/download/nginx-0.8.53.tar.gz
Tar zxvf nginx-0.8.53.tar.gz
CD nginx-0.8.53
./configure–user=www–group=www–prefix=/usr/local/nginx–with-http_stub_status_module–with-http_ssl_module– With-http_sub_module
Make
Mv/usr/local/nginx/sbin/nginx/usr/local/nginx/sbin/nginx.old
CD objs/
CP nginx/usr/local/nginx/sbin/
/usr/local/nginx/sbin/nginx-t
KILL-USR2 ' Cat/usr/local/nginx/logs/nginx.pid '
Kill-quit ' Cat/usr/local/nginx/logs/nginx.pid.oldbin '
/usr/local/nginx/sbin/nginx-v
Cd..
Cd..
RM-RF nginx-0.8.53
RM-RF nginx-0.8.53.tar.gz

Vi. Common netstat commands:

1. View the number of connections for all 80 ports

Netstat-nat|grep-i "80″|wc-l

2. To sort the connected IP by number of connections

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n

3. View TCP connection Status

Netstat-nat |awk ' {print $} ' |sort|uniq-c|sort-rn
Netstat-n | awk '/^tcp/{++s[$NF]}; End {for (a in S) print A, s[a]} '
Netstat-n | awk '/^tcp/{++state[$NF]}; End {for (key) print key, "T", State[key]} '
Netstat-n | awk '/^tcp/{++arr[$NF]}; End {to (k in arr) print K, "T", arr[k]} '
Netstat-n |awk '/^tcp/{print $NF} ' |sort|uniq-c|sort-rn
Netstat-ant | awk ' {print $NF} ' | Grep-v ' [A-z] ' | Sort | Uniq-c

4. View the maximum number of 80 port connections 20 IP

Netstat-anlp|grep 80|grep Tcp|awk ' {print $} ' |awk-f: ' {print $} ' |sort|uniq-c|sort-nr|head-n20
Netstat-ant |awk '/:80/{split ($5,ip, ":"); ++a[ip[1]]}end{for (i in A) print A,i} ' |sort-rn|head-n20

5. Use tcpdump to sniff the 80-port access to see who is the tallest

Tcpdump-i ETH0-TNN DST Port 80-c 1000 | Awk-f "." ' {print $1″. ' $2″. " $3″. " $} ' | Sort | uniq-c | Sort-nr |head-20

6. Find more time_wait connections

Netstat-n|grep Time_wait|awk ' {print $} ' |sort|uniq-c|sort-rn|head-n20

7. Search for more SYN connections

Netstat-an | grep SYN | awk ' {print $} ' | Awk-f: ' {print $} ' | Sort | uniq-c | Sort-nr | More

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.