Common VPS Security Settings

New users and friends who are new to VPS will take a look at the content about VPS security:
 
1. Modify the SSH port
 
Vi/etc/ssh/sshd_config
 
Find # Port 22 (row 13th), remove #, and change it to Port 3333.
 
Run the following command to restart the SSH service. Note: use the new port to log on later.
 
Service sshd restart
 
2. Prohibit ROOT Login
 
First, add a new account 80 St, which can be customized:
 
Useradd 80st
 
Set the password for the weidao account:
 
Passwd 80st
 
Still modify the/etc/ssh/sshd_config file, row 39th: # PermitRootLogin yes, remove the previous #, change yes to no, and then restart the SSH service. Then, log in with weidao and then su root to obtain the ROOT management permission.
 
Login as: 80st
Weidao @ ip password :*****
Last login: Tue Nov 22 15:18:18 2011 from 1.2.3.4
Su root
Password: *********** # enter the ROOT Password here.
 
Iii. Use DDos deflate to prevent CC and DDOS attacks
 
Run the netstat command to check the current link of the VPS to check whether it is under attack:
 
Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n
 
The number in front of the IP address is the number of connections. If the number of normal websites is dozens to one hundred, it is a normal connection, but hundreds, or thousands of users can decide that there may be suspicious connections between this IP address and your VPS.
 
You can use iptables to BAN permanent access from this IP address:
 
Iptables-a input-s 12.34.56.78-j DROP
 
To use the software DDos deflate for automatic detection and direct BAN, first check the iptables service status. By default, CENTOS is installed.
 
Service iptables status
 
Install DDos deflat:
 
Wget http://www.inetbase.com/scripts/ddos/install.sh
Chmod + x install. sh
./Install. sh
 
After installation, modify/usr/local/ddos. conf, mainly because APF_BAN = 1 should be set to 0, because iptables should be used to block some suspicious connections. Pay attention to EMAIL_TO = "root". In this way, an email will be prompted for the ban ip Address:
 
##### Paths of the script and other files
PROGDIR = "/usr/local/ddos"
PROG = "/usr/local/ddos. sh"
IGNORE_IP_LIST = "/usr/local/ddos/ignore. ip. list" // ip address White list
CRON = "/etc/cron. d/ddos. cron" // scheduled execution Program
<G id = "1"> <G id = "2"> </G>"
IPT = "/sbin/iptables"
##### Frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with-cron
##### Option so that the new frequency takes effect
FREQ = 1 // check interval. The default value is 1 minute.
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS = 150 // The maximum number of connections. IP addresses exceeding this value will be blocked. Generally, the default value is enough.
##### APF_BAN = 1 (Make sure your APL version is atleast 0.96)
##### APF_BAN = 0 (Uses iptables for banning ips instead of APT)
APF_BAN = 1 // whether to use the public IP address whitelist or iptables. We recommend that you use iptables to change the value of APF_BAN to 0.
##### KILL = 0 (Bad IPs are 'nt banned, good for interactive execution of script)
##### KILL = 1 (Recommended setting)
KILL = 1 // whether the IP address is blocked. The default value is enough.
##### An email is sent to the following address when an IP is banned.
##### Blank wocould suppress sending of mails
EMAIL_TO = "root" // when the IP address is blocked, send an email to the specified email address. We recommend that you use it in your own email address.
##### Number of seconds the banned ip shoshould remain in blacklist.
BAN_PERIOD = 600 // IP address disabling time. The default value is 600 seconds. It can be adjusted as needed.
 
4. Use iftop to view detailed network conditions
 
Install IFTOP software:
 
Yum-y install flex byacc libpcap ncurses-devel libpcap-devel
Wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
Tar zxvf iftop-0.17.tar.gz
Cd iftop-0.17
./Configure
Make & make install
 
After installation, run iftop to view network conditions. TX, sending traffic; RX, receiving traffic; TOTAL, TOTAL traffic; Cumm, traffic during iftop running; peak, traffic peak; rates, the average traffic is 2 seconds, 10 seconds, and 40 seconds respectively.
 
Shortcut Key: h help, n switch display IP host name, s show local information, d show remote information, N switch port service name, B switch whether traffic graphics.
 
5. Upgrade NGINX in LNMP to the latest version.
 
The latest version is 0.8.53. If a new version is available, you only need to update the version. Run the following command in SSH:
 
Wget http://www.nginx.org/download/nginx-0.8.53.tar.gz
Tar zxvf nginx-0.8.53.tar.gz
Cd nginx-0.8.53
./Configure-user = www-group = www-prefix =/usr/local/nginx-with-http_stub_status_module-with-http_ssl_module-with-http_sub_module
Make
Mv/usr/local/nginx/sbin/nginx. old
Cd objs/
Cp nginx/usr/local/nginx/sbin/
/Usr/local/nginx/sbin/nginx-t
Kill-USR2 'cat/usr/local/nginx/logs/nginx. pid'
Kill-QUIT 'cat/usr/local/nginx/logs/nginx. pid. oldbin'
/Usr/local/nginx/sbin/nginx-v
Cd ..
Cd ..
Rm-rf nginx-0.8.53
Rm-rf nginx-0.8.53.tar.gz
 
6. Common netstat commands:
 
1. view the number of connections on all port 80
 
Netstat-nat | grep-I "80" | wc-l
 
2. Sort connected IP addresses by number of connections
 
Netstat-ntu | awk '{print $5}' | cut-d:-f1 | sort | uniq-c | sort-n
 
3. View TCP connection status
 
Netstat-nat | awk '{print $6}' | sort | uniq-c | sort-rn
Netstat-n | awk '/^ tcp/{++ S [$ NF]}; END {for (a in S) print a, S [a]}'
Netstat-n | awk '/^ tcp/{++ state [$ NF]}; END {for (key in state) print key, "\ t ", state [key]}'
Netstat-n | awk '/^ tcp/{++ arr [$ NF]}; END {for (k in arr) print k, "\ t ", arr [k]}'
Netstat-n | awk '/^ tcp/{print $ NF}' | sort | uniq-c | sort-rn
Netstat-ant | awk '{print $ NF}' | grep-v '[a-z]' | sort | uniq-c
 
4. view the 20 IP addresses with the maximum number of connections on port 80
 
Netstat-anlp | grep 80 | grep tcp | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-nr | head-n20
Netstat-ant | awk '/: 80/{split ($5, ip ,":"); + A [ip [1]} END {for (I in A) print A, I} '| sort-rn | head-n20
 
5. Use tcpdump to sniff access to port 80 to see who is the highest
 
Tcpdump-I eth0-tnn dst port 80-c 1000 | awk-F ". '{print $1 ″. "$2 ″. "$3 ″. "$4} '| sort | uniq-c | sort-nr | head-20
 
6. Find More time_wait connections
 
Netstat-n | grep TIME_WAIT | awk '{print $5}' | sort | uniq-c | sort-rn | head-n20
 
7. Search for more SYN connections
 
Netstat-an | grep SYN | awk '{print $5}' | awk-F: '{print $1}' | sort | uniq-c | sort-nr | more