Server security is not complicated; the following principles prevent the most common attacks.
Experienced administrators know that as the number of servers and users grows, the cost of user management grows with it.
The commands below use Ubuntu as the example; other Linux distributions will differ in details.
passwd
First, change the root password to something very complex. You do not need to remember it, only to store it somewhere safe.
apt-get update
apt-get upgrade
Refresh the package source list and upgrade the installed packages.
Install Fail2ban
apt-get install fail2ban
Fail2ban monitors your system logs and matches error messages against regular expressions, then takes the configured blocking action (normally calling the iptables firewall to block the address). For example, when someone is guessing your SSH, SMTP or FTP passwords and reaches the preset number of failures, Fail2ban calls the firewall to block that IP and can e-mail the system administrator. It is a very practical and very powerful tool.
Configure the login user; here the user name is deploy
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
Use public key authentication: it is both more secure and more convenient.
The public key is meant to be shared and is placed in the account on the SSH server; the private key is kept only by its owner and proves that owner's identity. Add the contents of id_rsa.pub to the server and set the permissions.
vim /home/deploy/.ssh/authorized_keys
chmod 400 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy
Test the new user and allow sudo
Set a password for the login user (sudo will ask for it)
passwd deploy
Configure sudo authorization for the deploy user
visudo
# add the following
root ALL=(ALL) ALL
deploy ALL=(ALL) ALL
Restrict which SSH users and source IPs may log in
Disable password and root login, and allow logins only from the specified IPs
vim /etc/ssh/sshd_config
# add the following lines
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy@{YOUR-IP} deploy@{ANOTHER-IP-IF-ANY}
# restart after editing
service ssh restart
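To verify that the three sshd_config settings above are actually in effect before restarting, here is an added audit helper (example code, not part of the original post). It assumes a POSIX shell with awk, and it follows sshd's rule that the first occurrence of a keyword wins, so a hardened line added below an older `PermitRootLogin yes` would silently be ignored; Match blocks are not parsed.

```shell
#!/bin/sh
# Hypothetical helper, not from the original post: audits an sshd_config file
# for the settings the post recommends.
# sshd uses the FIRST occurrence of a keyword and ignores later duplicates,
# so we report the first match. Keywords are case-insensitive.

# sshd_value FILE KEYWORD -> prints the effective value (first match), or nothing
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }    # stop at the first Match block
        { if (tolower($1) == key) { print $2; exit } } # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per finding, returns the number of findings
audit_sshd_config() {
    f="$1"; problems=0
    # yes/no values are case-insensitive in sshd, so compare lowercased
    v=$(sshd_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}' (default is prohibit-password), expected no"
        problems=$((problems + 1))
    fi
    v=$(sshd_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}' (default is yes), expected no"
        problems=$((problems + 1))
    fi
    # AllowUsers is a user list, so only check that one is present
    v=$(sshd_value "$f" AllowUsers)
    if [ -z "$v" ]; then
        echo "AllowUsers is unset: every local account may log in over SSH"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` and fix every reported line before `service ssh restart`; an exit status of 0 means all three checks passed.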
Setting up the firewall
Ubuntu provides the ufw command, which makes firewall configuration much simpler.
ufw allow from {YOUR-IP} to any port 22
ufw allow 80
ufw allow 443
ufw enable
Adjust the rules above to your actual requirements.
Automatic security updates
Installing unattended-upgrades lets the system update itself automatically, optionally limited to security updates.
apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
# update the contents as follows
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Edit the 50unattended-upgrades profile so that only security updates are applied:
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
"Ubuntu lucid-updates";
};
Install Logwatch
Logwatch analyzes the Linux log files and automatically mails a report to the responsible people, with customizable detail, so that attack behaviour can be tracked and detected promptly.
apt-get install logwatch
vim /etc/cron.daily/00logwatch
# add the following
/usr/sbin/logwatch --output mail --mailto test@gmail.com --detail high
With the configuration above, which takes only about 5 minutes, your server can withstand most attacks and stays easy to maintain.