VPS security settings (server security dog)
Written for newcomers who have just got hold of a VPS; it focuses on VPS security and covers:
Disabling root login over SSH;
Using DDoS deflate to fend off connection floods;
iftop, a Linux traffic-monitoring tool;
Backing up the VPS to FTP space automatically every day;
Upgrading the NGINX in an LNMP stack to the latest version.
1. Change the SSH port
Edit /etc/ssh/sshd_config. Find the line "#Port 22" (line 13 in the stock CentOS file), remove the leading "#", and change it to "Port 3333" (any unused port above 1024 will do).
Then restart the SSH service so the change takes effect:
service sshd restart
Note: from now on log in with the new port (ssh -p 3333 user@host). Open the new port in iptables before you restart sshd, and keep your current session open until a second login on the new port has succeeded; a typo here otherwise locks you out of the machine.
2. Disable root login
Add a new account (vpsmm here; pick any name you like):
useradd vpsmm
Set a password for the vpsmm account:
passwd vpsmm
Still in /etc/ssh/sshd_config, find "#PermitRootLogin yes" (line 39 in the stock file), remove the "#", change "yes" to "no", and restart the SSH service again. Create and test the new account first: once PermitRootLogin is "no", vpsmm is your only way in. From then on log in as vpsmm and use su to become root when you need it:
login as: vpsmm
vpsmm@ip's password: *****
Last login: Tue Nov 22 14:39:58 2010 from 1.2.3.4
$ su root
Password: ***********     <- enter the root password here
#
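The two sshd_config edits from sections 1 and 2, as an added example that is not part of the original post: the functions rewrite a copy of the file and let you verify the effective values before restarting sshd. The sample config is a constructed fragment of a stock CentOS 5 sshd_config, and the port number 3333 and account name vpsmm are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: performs the two sshd_config edits of
# sections 1 and 2 on a copy of the file and lets you verify them before restarting.
# The sample below is a constructed fragment of a stock CentOS 5 sshd_config.
SAMPLE_SSHD_CONFIG='#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#StrictModes yes
#PasswordAuthentication yes'

# harden_sshd NEWPORT: reads sshd_config on stdin and writes it back with
# "Port NEWPORT" and "PermitRootLogin no", uncommenting the directives if needed
# and appending them if the file has none at all.
harden_sshd() {
  awk -v port="$1" '
    /^#?Port /            { print "Port " port;         seen_port = 1; next }
    /^#?PermitRootLogin / { print "PermitRootLogin no"; seen_root = 1; next }
    { print }
    END {
      if (!seen_port) print "Port " port
      if (!seen_root) print "PermitRootLogin no"
    }'
}

# setting NAME: the value sshd will use for NAME (sshd takes the first occurrence).
setting() {
  awk -v k="$1" '$1 == k && !done { print $2; done = 1 }'
}

# Dry run on the sample.  On a real host the full sequence is:
#   useradd vpsmm && passwd vpsmm                     # the account you will log in with
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd 3333 < /etc/ssh/sshd_config.bak > /etc/ssh/sshd_config
#   iptables -I INPUT -p tcp --dport 3333 -j ACCEPT   # open the new port BEFORE restarting
#   sshd -t && service sshd restart                   # -t checks the syntax first
# then, from a second terminal, confirm "ssh -p 3333 vpsmm@host" works before closing this one.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | harden_sshd 3333
```

The awk rewrite is used instead of a plain sed substitution so that a config file which has no Port or PermitRootLogin line at all still ends up with both directives; sshd silently keeps its defaults (port 22, root login allowed) when a directive is missing.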
3. Use DDoS deflate against CC and DDoS attacks
First run netstat to list the VPS's current connections and judge whether it is under attack:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
The number in front of each IP address is its connection count. A few dozen up to a hundred connections from one address is normal for a busy website; hundreds or thousands from a single address means that IP is very likely doing something it should not.
You can ban such an address permanently with iptables:
iptables -A INPUT -s 12.34.56.78 -j DROP
(-A appends the rule at the end of the INPUT chain, so it only bites if no earlier rule already ACCEPTs the traffic; "iptables -I INPUT ..." inserts it at the top instead. The rule is also lost on reboot unless you run "service iptables save".)
Doing this by hand does not scale, so this section introduces DDoS deflate, a script that detects and bans such addresses automatically. It relies on iptables, which CentOS installs and enables by default; check with "service iptables status" and skip ahead if it is already running.
Install DDoS deflate:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh
(The installer is fetched over plain HTTP and runs as root: read it before you execute it.)
After installation edit /usr/local/ddos/ddos.conf. The main change is APF_BAN=1 to APF_BAN=0, so that bans go through iptables rather than APF (which this guide does not install). Also note EMAIL_TO="root": every ban is mailed to that address, so point it at a mailbox you actually read. The file, with the settings explained:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP whitelist, one address per line
CRON="/etc/cron.d/ddos.cron"                       # the cron entry that runs the check
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes affect
FREQ=1                 # check interval; the default is 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150  # an address with more connections than this is banned; the default is fine for most sites

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1              # 1 = ban through APF, 0 = ban through iptables directly; set this to 0

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1                 # actually ban the address; leave at 1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"        # where the ban notification goes; put your own address here

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600         # how long the ban lasts, 600 seconds by default; adjust as needed
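What DDoS deflate does every FREQ minutes, as an added example that is not part of the original post nor DDoS deflate's own code: count connections per remote address, drop whitelisted addresses, and emit an iptables DROP for every address over the threshold. It also counts connections per TCP state, which is what the netstat one-liners in section 7 below do. The netstat output is constructed for the demo; the threshold of 3 and the whitelist are demo values standing in for NO_OF_CONNECTIONS and ignore.ip.list.

```shell
#!/bin/sh
# Added example (not part of DDoS deflate or the original post): the core of what
# the script does, as shell functions you can run against live `netstat -ntu`
# output or against the constructed sample below. It only prints the iptables
# commands; pipe the output to sh after checking it.

# Constructed `netstat -ntu` output, not captured from a real host:
# 203.0.113.9 holds 5 connections (4 half-open), 127.0.0.1 holds 6 (local MySQL),
# 198.51.100.7 and 192.0.2.33 hold 2 each.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40004       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40005       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      TIME_WAIT
tcp        0      0 10.0.0.5:3333           192.0.2.33:50210        ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:43001         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:43002         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:43003         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:43004         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:43005         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:43006         ESTABLISHED
udp        0      0 10.0.0.5:123            192.0.2.33:123          ESTABLISHED'

# Demo stand-ins for NO_OF_CONNECTIONS and the contents of ignore.ip.list.
NO_OF_CONNECTIONS=3
IGNORE_IPS="127.0.0.1 10.0.0.1"

# count_per_ip: "count ip" per remote address, highest first. The port is stripped
# with sed instead of `cut -d: -f1` so IPv6-mapped addresses (::ffff:1.2.3.4:80) survive.
count_per_ip() {
  awk '/^(tcp|udp)/ {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
}

# count_per_state: "count state" per TCP state. A pile of SYN_RECV from one
# address is the classic SYN-flood signature.
count_per_state() {
  awk '/^tcp/ {s[$NF]++} END {for (k in s) print s[k], k}' | sort -rn
}

# bad_ips THRESHOLD: addresses with more than THRESHOLD connections, minus the whitelist.
bad_ips() {
  count_per_ip | awk -v t="$1" -v ignore="$IGNORE_IPS" '
    BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    $1 > t && !($2 in skip) { print $2 }'
}

# ban_cmds THRESHOLD: the rule to add for each bad address. -I puts it at the top
# of INPUT so it wins over any ACCEPT rule that is already there.
ban_cmds() {
  bad_ips "$1" | while read -r ip; do
    echo "iptables -I INPUT -s $ip -j DROP"
  done
}

# Dry run on the sample. On a live box:  netstat -ntu | ban_cmds 150
printf '%s\n' "$SAMPLE_NETSTAT" | ban_cmds "$NO_OF_CONNECTIONS"
```

On the sample only 203.0.113.9 is reported: 127.0.0.1 has more connections but is whitelisted, which is exactly why ignore.ip.list must contain your own addresses (localhost, the monitoring host, your office IP) before you turn KILL=1 on.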
4. Use iftop to see what the network is doing
Install iftop:
yum -y install flex byacc libpcap ncurses-devel libpcap-devel
wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
tar zxvf iftop-0.17.tar.gz
cd iftop-0.17
./configure
make && make install
After installation run iftop to watch the traffic. In the summary at the bottom, TX is outgoing traffic, RX incoming traffic and TOTAL the sum; the cum column is the total since iftop started, peak is the highest rate seen, and the three rates columns are averages over the last 2, 10 and 40 seconds.
Keys: h shows help, n toggles resolving IP addresses to host names, s toggles showing the source (local) host, d toggles showing the destination (remote) host, N toggles showing port numbers as service names, b toggles the bar graphs.
5. Back up your VPS every day and upload it to the FTP Space
6. Upgrade the NGINX in LNMP to the latest version
The latest version at the time of writing is 0.8.53; when a newer one appears, just substitute its version number. The sequence builds the new binary, swaps it in, tests it, and then hands the listening sockets over without dropping connections: USR2 makes the running master start a new master from the new binary, and QUIT then shuts the old master down gracefully. Make sure the ./configure options match the ones the current binary was built with (check with nginx -V), or you will silently lose a module. Run the following over SSH:
wget http://www.nginx.org/download/nginx-0.8.53.tar.gz
tar zxvf nginx-0.8.53.tar.gz
cd nginx-0.8.53
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
cd objs/
cp nginx /usr/local/nginx/sbin/
/usr/local/nginx/sbin/nginx -t
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
/usr/local/nginx/sbin/nginx -v
cd ..
cd ..
rm -rf nginx-0.8.53
rm -rf nginx-0.8.53.tar.gz
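The "same configure options" check, as an added example that is not part of the original post: it pulls the configure arguments and version out of nginx -V output so the rebuild reuses them instead of a hand-typed list, and confirms the target really is newer before you start. The nginx -V text below is constructed; nginx prints it on stderr, hence the 2>&1 in the usage comment.

```shell
#!/bin/sh
# Added example, not from the original post: recover the configure arguments of
# the nginx binary that is running so the new build keeps the same modules (an
# upgrade that silently drops --with-http_ssl_module is a common mistake), and
# check that the target really is newer. SAMPLE_NGINX_V is constructed output.
SAMPLE_NGINX_V='nginx version: nginx/0.8.52
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)
TLS SNI support disabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module'

# configure_args: the argument string from `nginx -V` output on stdin
configure_args() {
  sed -n 's/^configure arguments: //p'
}

# running_version: "0.8.52" from the first line of `nginx -V` output on stdin
running_version() {
  sed -n 's#^nginx version: nginx/##p'
}

# has_module NAME: true when the running binary was built with --with-NAME
has_module() {
  configure_args | grep -q -- "--with-$1"
}

# version_lt A B: true when dotted version A is older than B (numeric per field)
version_lt() {
  [ "$1" != "$2" ] &&
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Dry run on the sample. On a real host replace the printf with:
#   /usr/local/nginx/sbin/nginx -V 2>&1
TARGET=0.8.53
running=$(printf '%s\n' "$SAMPLE_NGINX_V" | running_version)
args=$(printf '%s\n' "$SAMPLE_NGINX_V" | configure_args)
if version_lt "$running" "$TARGET"; then
  echo "upgrade $running -> $TARGET with: ./configure $args"
else
  echo "running $running is already at or past $TARGET"
fi
```

In the upgrade sequence above, replace the hand-written ./configure line with ./configure $args (args as recovered here) so the new binary is built with exactly the modules the old one had; check has_module http_ssl_module afterwards if the site serves TLS.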
7. Useful netstat commands
1. Count all connections on port 80
netstat -nat | grep -i "80" | wc -l
(grep "80" also matches 8080, 180 and any address that contains "80"; grep ':80 ' is tighter.)
2. Sort connected IP addresses by number of connections
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
3. Count TCP connections by state (each of these gives the same information)
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/ {++S[$NF]}; END {for (a in S) print a, S[a]}'
netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
4. The 20 IP addresses with the most connections on port 80
netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20
5. Use tcpdump to sample 1000 packets to port 80 and see which source addresses send the most
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20
6. Find the addresses with the most TIME_WAIT connections
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20
7. Find the addresses with the most SYN connections (half-open connections, the SYN-flood signature)
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
How to configure VPS security on Windows Server 2003
Set the disk permissions as follows (the original shows these as a screenshot; this is the configuration for a virtual-hosting server running ASP sites):
1. System disk permissions
C: partition:
C:\
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (subfolders and files only)
  SYSTEM: Full control (this folder, subfolders and files)
  IIS_WPG: Create files / write data (this folder only)
  IIS_WPG (this folder, subfolders and files):
    Traverse folder / execute file
    List folder / read data
    Read attributes
    Create folders / append data
    Read permissions
C:\Documents and Settings
  Administrators: Full control (this folder, subfolders and files)
  Power Users (this folder, subfolders and files):
    Read and execute
    List folder contents
    Read
  SYSTEM: Full control (this folder, subfolders and files)
C:\Program Files
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (subfolders and files only)
  IIS_WPG (this folder, subfolders and files):
    Read and execute
    List folder contents
    Read
  Power Users: Modify (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  TERMINAL SERVER USER: Modify (this folder, subfolders and files)
The point of the IIS_WPG entries is that the IIS worker processes can traverse and read the system drive but cannot write to existing files; "Create files" on the root folder only is there so IIS can create its own temporary files without getting write access anywhere else.
2. Website and virtual host permissions (assuming the sites live on drive E)
Note: assume all websites sit under E:\wwwsite, that each virtual host gets its own guest-level account named vhost1 ... vhostn, and that a group named webuser exists with all the vhost accounts as members, for easier management.
E:\
  Administrators: Full control (this folder, subfolders and files)
E:\wwwsite
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  SERVICE: Full control (this folder, subfolders and files)
E:\wwwsite\vhost1
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  vhost1: Full control (this folder, subfolders and files)
Each site account has rights only inside its own folder and none on E:\ or E:\wwwsite, so a web shell uploaded to one site cannot read or write the others. Full control also lets the account rewrite its own folder's ACL; Modify is enough for most sites and is the safer choice.
3. Data backup disk
Give exactly one designated user full control of the backup disk and nobody else.
For example, if drive F holds the backups, only one administrator account should be able to operate on it.
4. Permissions elsewhere
Find the following files on drive C and set their security so that only the designated administrator has full control and no other account has any access:
net.exe
net1.exe
cmd.exe
tftp.exe
netstat.exe
regedit.exe
at.exe
attrib.exe
cacls.exe
format.com
(These are the tools an attacker who gets a foothold through a web shell reaches for first: adding users, scheduling tasks, pulling files down with tftp, rewriting ACLs. Do cacls.exe last, since it is what you set the others with, and make sure the account that keeps access is the one you actually administer from.)
5. Delete the C:\inetpub directory, remove the script mappings you do not need in IIS, create a decoy account (an unprivileged account named to look like an administrator), and change the descriptions of the built-in accounts.
Third: disable unnecessary services to improve security and system efficiency
Computer Browser: maintains and serves the list of computers on the network.
Task Scheduler: lets programs run at a specified time.
Routing and Remote Access: ...
How to secure a VPS running CentOS 5
1. Disable unnecessary services
This one is easy to understand: every service the system does not need gets turned off.
One benefit is lower memory and CPU use; the other is a smaller attack surface.
Which services must stay?
On a Linux machine there are usually four services that must be kept.
iptables
The Linux firewall; any machine reachable from the Internet should keep it running.
network
Can only be turned off if the machine is not on a network at all.
sshd
The OpenSSH server. If the machine sits in a data centre rather than on your desk, sshd is how you get into it.
syslog
The Linux logging system; it is mandatory, otherwise there is nothing to go on when the machine has a problem.
Beyond these four, what else to keep depends on what the system is for: a database server needs mysqld (or oracle),
a web server needs apache (httpd).
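The "keep only what you need" rule turned into a dry run, as an added example that is not part of the original post: it reads chkconfig --list output, lists every service started in runlevel 3, and prints the chkconfig/service commands for those not on a keep-list. The chkconfig output below is constructed, and the keep-list is the four services named above plus mysqld, assumed here as the box's purpose.

```shell
#!/bin/sh
# Added example, not from the original post: list every SysV service started in a
# runlevel and print the commands that would turn off the ones not on KEEP.
# SAMPLE_CHKCONFIG is constructed `chkconfig --list` output, not a real host's.
SAMPLE_CHKCONFIG='iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen:        off
        telnet:         off'

# The four services the text says every box needs, plus what this box is for (assumed: a MySQL host).
KEEP="iptables network sshd syslog mysqld"

# enabled_in_runlevel LEVEL: names of SysV services that are "on" in LEVEL.
# The xinetd block at the end has a different shape and is skipped by NF == 8.
enabled_in_runlevel() {
  awk -v level="$1" '
    NF == 8 { for (i = 2; i <= 8; i++) if ($i == level ":on") { print $1; break } }'
}

# disable_cmds LEVEL: one "chkconfig X off && service X stop" per enabled service not in KEEP
disable_cmds() {
  enabled_in_runlevel "$1" | while read -r svc; do
    case " $KEEP " in
      *" $svc "*) ;;                                            # on the keep-list
      *) echo "chkconfig $svc off && service $svc stop" ;;
    esac
  done
}

# Dry run on the sample. On a real host:  chkconfig --list | disable_cmds 3
# then read the output and pipe it to sh once you are happy with it.
printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_cmds 3
```

Runlevel 3 is what a headless CentOS 5 server boots into (the id line in /etc/inittab); run it with 5 as well if the box ever boots to a graphical runlevel, and mind that xinetd-managed services are listed separately and need "chkconfig NAME off" of their own.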
2. Disable unwanted ttys
Edit /etc/inittab and find this block:
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
These entries make init open six virtual consoles, reachable with Alt+F1 to Alt+F6.
By default all six stay resident. On a VPS you never sit at a console, so there is no need for that many;
ps auxf shows the six processes:
root 3004 0.0 0.0 1892 412 tty1 Ss+ Jun29 /sbin/mingetty tty1
root 3037 0.0 0.0 2492 412 tty2 Ss+ Jun29 /sbin/mingetty tty2
root 3038 0.0 0.0 2308 412 tty3 Ss+ Jun29 /sbin/mingetty tty3
root 3051 0.0 0.0 1812 412 tty4 Ss+ Jun29 /sbin/mingetty tty4
root 3056 0.0 0.0 2116 412 tty5 Ss+ Jun29 /sbin/mingetty tty5
root 3117 0.0 0.0 2396 412 tty6 Ss+ Jun29 /sbin/mi...
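The inittab edit as a script, added here as an example that is not part of the original post: it comments out the mingetty entries above a chosen tty number in a copy of the file and counts what init will still start. The inittab fragment is constructed in CentOS 5 style; keeping two consoles is an assumption, one or two is usual on a VPS.

```shell
#!/bin/sh
# Added example, not from the original post: comment out the extra mingetty
# entries in a copy of /etc/inittab and count what is left. SAMPLE_INITTAB is a
# constructed CentOS 5 style fragment, not a real host's file.
SAMPLE_INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6'

# trim_ttys KEEP: reads inittab on stdin; every mingetty line for a tty numbered
# above KEEP is commented out, everything else passes through unchanged.
trim_ttys() {
  awk -v keep="$1" '
    /^[0-9]+:[0-9]+:respawn:\/sbin\/mingetty tty[0-9]+/ {
      n = $0; sub(/.*tty/, "", n)          # "3:2345:...mingetty tty3" -> "3"
      if (n + 0 > keep) { print "#" $0; next }
    }
    { print }'
}

# active_ttys: number of mingetty entries init will still start
active_ttys() {
  awk '/^[^#].*mingetty/ { n++ } END { print n + 0 }'
}

# Dry run on the sample. On a real host:
#   cp /etc/inittab /etc/inittab.bak
#   trim_ttys 2 < /etc/inittab.bak > /etc/inittab
#   telinit q          # make init re-read inittab
printf '%s\n' "$SAMPLE_INITTAB" | trim_ttys 2
```

Keep at least tty1: if sshd ever fails to start, the provider's console (VNC, serial or otherwise) is the only way back in, and it needs a getty to log in on.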