Undoubtedly, improving server security is one of the most important tasks for system administrators. Therefore, there are many articles, blogs, and Forum posts for this topic. CentOS server security skills
Undoubtedly, improving server security is one of the most important tasks for system administrators. Therefore, there are many articles, blogs, and Forum posts for this topic.
A server consists of a large number of components with different functions, which makes it difficult to provide customized solutions based on the needs of everyone. This article covers as many tips as possible to help administrators ensure the security of servers and users.
Some common sense is that every system administrator should be familiar with it, so the following points will not be mentioned in this article:
- Ensure that the system is up-to-date
- Change Password frequently-use a combination of numbers, letters, and non-letter characters
- Give users minimum permissions to meet their daily needs.
- Only install the software packages that are actually needed
Here are some more interesting content:
Change SSH default port
The first thing to do after building a new server is to change the default port of SSH. This small change can prevent your server from being attacked by thousands of attackers, in this way, they only need a try key to open the lock of your house ).
To change the default SSH port, first open the sshd_config file:
sudo vim /etc/ssh/sshd_config
Find the following line:
#Port 22
"#" Indicates that this line is a comment. First, delete # and change the port number to the destination port. The port number cannot exceed 65535. Make sure that the port number to be specified is not occupied by the system or other services. We recommend that you view the list of commonly used port numbers on [Wikipedia. In this article, use the port number:
Port 16543
Save and close the file, and wait for the change to take effect.
The next step is:
Use SSH key authentication
It is especially important to use an SSH key for authentication when accessing the server through SSH. In this way, the server adds additional protection to ensure that only those with keys can access the server.
Run the following command on the local machine:CommandTo generate an SSH key:
ssh-keygen -t rsa
You will see the following output, ask which file you want to write the key to, and set a password:
Generating public/private rsa key pair.Enter file in which to save the key (/root/.ssh/id_rsa): my_keyEnter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in my_key.Your public key has been saved in my_key.pub.The key fingerprint is:SHA256:MqD/pzzTRsCjZb6mpfjyrr5v1pJLBcgprR5tjNoI20A
Then, two files are obtained:
My_key
My_key.pub
Next, copy my_key.pub ~ /. Ssh/authorized_key
cp my_key.pub ~/.ssh/authorized_keys
Run the following command to upload the key to the server:
scp -P16543 authorized_keys user@yourserver-ip:/home/user/.ssh/
So far, you can access the server without a password from this local machine.
Disable SSH Password Authentication
Now that you have an SSH key, it is safer to disable SSH password authentication. Open and edit sshd_config again, and set as follows:
ChallengeResponseAuthentication noPasswordAuthentication noUsePAM no
Disable Root logon
The following key step is to disable direct access from the root user and use sudo or su to execute administrator tasks. First, you need to add a new user with the root permission, so edit the sudoers file in this path:
/etc/sudoers/
We recommend that you use commands such as mongodo to edit the file because it checks for any possible syntax errors before closing the file. This is useful when you encounter an error while editing the file.
Next, grant the root permission to a user. In this article, the user sysadmin is used. Make sure that the user who used this file after editing is an existing user of the system. Find the following line:
root ALL=(ALL) ALL
Copy this line, paste the next line, and change root to "sysadmin", as shown below:
root ALL=(ALL) ALLsysadmin ALL=(ALL) ALL
Now let's explain the meaning of each option in this line:
(1) root (2)ALL=(3)(ALL) (4)ALL
(1) specify a user
(2) Specify the terminal where the user uses sudo
(3) user roles that a specified user can assume
(4) commands that can be used by this user
The preceding configuration means that the root user can act as any user on any terminal and execute any command .)
You can use this configuration to grant users the permission to access some system tools.
At this time, you can safely save the file.
To disable direct access to root through SSH, You need to enable sshd_config again and find the following line:
#PermitRootLogin yes
Changed:
PermitRootLogin no
Save the file and restart the sshd daemon to make the change take effect. Run the following command:
sudo /etc/init.d/sshd restart
Set firewall
The firewall helps filter inbound and outbound ports and prevent login attempts using the violence law. I prefer to use the strong Firewall (SCF (Config Server Firewall. It uses iptables, which is easy to manage and provides a web interface for users who are not good at command input.
To install the CSF, log on to the server and switch to this directory:
cd /usr/local/src/
Then run the following command as root:
wget https://download.configserver.com/csf.tgztar -xzf csf.tgzcd csfsh install.sh
Just wait until the installation is complete and then edit the configuration file of the CSF:
/etc/csf/csf.conf
By default, the CSF runs in test mode. Switch to product mode by setting the value of "TESTING" to 0.
TESTING = "0"
The following is the port allowed on the server. Locate the following section in csf. conf and modify the port as needed:
# Allow inbound TCP ports TCP_IN = "20, 21, 25, 53, 80,110,143,443,465,587,993,995,165 43" # Allow outbound TCP ports TCP_OUT = "20, 21, 80, 110,113,443,587,993,995,165 43 "# Allow inbound UDP ports UDP_IN =" 20, 21, 53 "# Allow Outbound UDP ports # To allow traceroute requests, add 33434: port 33523 ranges to the list UDP_OUT = "20, 21, 53,113,123"
Set the ports one by one as needed. We recommend that you only use the required ports to avoid setting ports in a wide range. In addition, avoid using insecure ports of insecure services. For example, only ports 465 and 587 are allowed to send emails, replacing the default SMTP port 25. (LCTT Note: Your mail server supports SMTPS)
Important: do not forget to allow custom ssh ports.
It is important to allow your IP addresses to pass through the firewall without being blocked. IP addresses are defined in the following file:
/etc/csf/csf.ignore
The blocked IP address will appear in this file:
/etc/csf/csf.deny
Once the changes are completed, use this command to restart the csf:
sudo /etc/init.d/csf restart
The following is part of the csf. deny file on a server. It is useful to illustrate the following:
.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015
As you can see, the IP addresses that try to log on via the violence law are all blocked. It's so boring!
Lock account
If an account is not used for a long time, you can lock it to prevent other users from accessing it. Run the following command:
passwd -l accountName
Of course, this account can still be used by the root user (LCTT: switch from available su to this account ).
Understand the services on the server
The essence of a server is to provide access functions for various services. Enable the server to run only the required services and disable unused services. This will not only release some system resources, but also make the server more secure. For example, if you only run a simple server, you obviously do not need an X Display or desktop environment. If you do not need the Windows network sharing function, disable Samba with confidence.
Run the following command to view the services started with system startup:
chkconfig --list | grep "3n"
If the system runs systemd, run the following command:
systemctl list-unit-files --type=service | grep enabled
Run the following command to close the service:
Chkconfig service off or systemctl disable service
In the preceding example, replace "service" with the name of the service to be stopped. Example:
Chkconfig httpd off or systemctl disable httpd
Summary
This article aims to cover some general security steps to help you protect your servers. You can use more methods to enhance server protection. Please remember that it is your responsibility to ensure server security. You should make wise choices when maintaining server security, although there is no easy way to accomplish this, building "perfect" security requires a lot of time and testing until the desired result is achieved.