Vps security settings, server security dog

Source: Internet
Author: User
Tags: vps, openssh, server, ssh, port


This guide is written for new users who have just obtained a VPS and focuses on basic VPS security. It covers:

Prohibiting root login over SSH;

Using DDoS deflate to defend against connection floods;

iftop, a Linux traffic monitoring tool;

Automatically backing up the VPS to FTP space every day;

Upgrading the NGINX in LNMP to the latest version.

1. Change the SSH port

vi /etc/ssh/sshd_config

Find #Port 22 (line 13), remove the leading #, and change it to Port 3333.

Run the following command to restart the SSH service. Note: from now on, log in using the new port.

service sshd restart

2. Prohibit root login

Add a new account, here called vpsmm (choose your own name):

useradd vpsmm

Set a password for the vpsmm account:

passwd vpsmm

Again edit /etc/ssh/sshd_config, this time line 39: #PermitRootLogin yes. Remove the leading #, change yes to no, and restart the SSH service. From then on, log in as vpsmm and use su root to obtain root privileges:

login as: vpsmm
vpsmm@ip's password: *****
Last login: Tue Nov 22 14:39:58 2010 from 1.2.3.4
su root
Password: ***********    # enter the root password here
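The two sshd_config edits above (steps 1 and 2) done as a script rather than by hand, as an added example that is not part of the original article. It assumes the file is passed in as an argument and is shown here on a constructed sample config, not on a live /etc/ssh/sshd_config:

```shell
# harden_sshd_config FILE PORT: rewrites an sshd_config so that Port and
# PermitRootLogin are each set exactly once, whether the directive is
# commented out (the stock "#Port 22" / "#PermitRootLogin yes"), already
# active, or missing entirely. POSIX sh, grep and sed only.
harden_sshd_config() {
    cfg="$1"; port="$2"
    tmp="${cfg}.tmp"
    # 1. Drop every existing Port / PermitRootLogin line, active or commented,
    #    so a stale "Port 22" cannot survive next to the new value.
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PermitRootLogin)[[:space:]]' "$cfg" > "$tmp"
    # 2. Append the hardened directives once.
    printf 'Port %s\nPermitRootLogin no\n' "$port" >> "$tmp"
    mv "$tmp" "$cfg"
}

# active_directives FILE: prints the effective Port and PermitRootLogin
# directives on one line, e.g. "Port 3333 PermitRootLogin no".
active_directives() {
    grep -E '^(Port|PermitRootLogin) ' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample standing in for /etc/ssh/sshd_config (not a real server
# file), so the script can be run without touching a live host.
sample_cfg="$(mktemp)"
cat > "$sample_cfg" <<'EOF'
# constructed sshd_config sample
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
EOF

harden_sshd_config "$sample_cfg" 3333
active_directives "$sample_cfg"    # Port 3333 PermitRootLogin no
# Running it again must not duplicate the directives (idempotent):
harden_sshd_config "$sample_cfg" 3333
active_directives "$sample_cfg"    # Port 3333 PermitRootLogin no
# On a live host, check the syntax before restarting so a typo cannot lock
# you out:  sshd -t && service sshd restart
```

Keep the current SSH session open until a second login on the new port succeeds; only then is it safe to close it.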

3. Use DDoS deflate to prevent CC and DDoS attacks

Run netstat to list the current connections to the VPS and check whether it is under attack:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The number before each IP address is its connection count. For an ordinary website, a few dozen to about a hundred connections from one address is normal; hundreds or thousands from a single address means that IP's connections to your VPS are suspicious.

You can use iptables to permanently block access from such an address:

iptables -A INPUT -s 12.34.56.78 -j DROP

Below is a method that uses the DDoS deflate script to detect and block such addresses automatically. First confirm that the iptables service is running (it is installed by default on CentOS, so this can usually be skipped):

service iptables status

Install DDoS deflate:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh

After installation, edit /usr/local/ddos/ddos.conf. The main change is setting APF_BAN=1 to APF_BAN=0 so that iptables is used to block suspicious connections. Also note EMAIL_TO="root": an email is sent to that address whenever an IP is banned:

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                      # scheduled execution entry
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### Frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1                    # check interval; the default is 1 minute
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150     # maximum connections per IP; addresses above this are blocked. The default is usually enough.
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1                 # 1 = ban with APF, 0 = ban with iptables. We recommend iptables: set this to 0.
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1                    # whether offending IPs are actually blocked; the default is fine
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"           # address notified when an IP is banned; use your own email address
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600            # how long an IP stays banned, default 600 seconds; adjust as needed
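What the script does with those settings every FREQ minutes, as an added dry-run example that is not part of the article or of DDoS deflate itself: the same netstat pipeline used above (and again in the netstat one-liners of section 7) feeds a check against NO_OF_CONNECTIONS and IGNORE_IP_LIST, and the iptables rule is printed instead of executed. The netstat lines and the threshold of 2 are constructed for the sample:

```shell
# Dry run of the check ddos deflate makes every FREQ minutes: count connections
# per remote IP from netstat -ntu, skip whitelisted addresses, report the rest.

# count_connections: netstat -ntu output on stdin -> "<count> <ip>" per remote
# address, lowest count first (the page's pipeline minus the header lines).
count_connections() {
    awk '$1 ~ /^(tcp|udp)/ {print $5}' | cut -d: -f1 | sort | uniq -c \
        | sort -n | awk '{print $1, $2}'
}

# bad_ips THRESHOLD IGNORE_FILE: "<count> <ip>" lines on stdin -> IPs whose
# count exceeds THRESHOLD (NO_OF_CONNECTIONS) and that are not listed in
# IGNORE_FILE (IGNORE_IP_LIST).
bad_ips() {
    threshold="$1"; ignore="$2"
    while read -r count ip; do
        [ "$count" -gt "$threshold" ] || continue
        grep -qxF "$ip" "$ignore" 2>/dev/null && continue
        echo "$ip"
    done
}

# Constructed sample (not real traffic): 198.51.100.7 holds 3 connections,
# 10.0.0.5 holds 3 but is whitelisted, 203.0.113.9 is one ordinary SSH login.
ignore_list="$(mktemp)"
echo "10.0.0.5" > "$ignore_list"
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51003      SYN_RECV
tcp        0      0 192.0.2.10:80           10.0.0.5:40001          ESTABLISHED
tcp        0      0 192.0.2.10:80           10.0.0.5:40002          ESTABLISHED
tcp        0      0 192.0.2.10:80           10.0.0.5:40003          ESTABLISHED
tcp        0      0 192.0.2.10:3333         203.0.113.9:55000       ESTABLISHED
EOF
}

# to_ban: IPs that would be banned with the threshold lowered to 2 for the
# sample (the shipped default NO_OF_CONNECTIONS is 150).
to_ban() { sample_netstat | count_connections | bad_ips 2 "$ignore_list"; }

for ip in $(to_ban); do
    # -I puts the DROP at the top of INPUT, ahead of any ACCEPT rule; printed, not run.
    echo "iptables -I INPUT -s $ip -j DROP"
done
```

Put your own management IP in ignore.ip.list before enabling the cron job, otherwise a busy admin session can trip the threshold and lock you out for BAN_PERIOD seconds.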

4. Use iftop to view detailed network conditions

Install iftop:

yum -y install flex byacc libpcap ncurses-devel libpcap-devel
wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
tar zxvf iftop-0.17.tar.gz
cd iftop-0.17
./configure
make && make install

After installation, run iftop to view network conditions. TX is transmitted traffic, RX received traffic and TOTAL the combined total; cum is the cumulative traffic since iftop started, peak is the peak rate, and rates are the average rates over the last 2, 10 and 40 seconds respectively.

Shortcut keys: h help; n toggle between IP addresses and host names; s show local (source) host information; d show remote (destination) host information; N toggle between port numbers and service names; B toggle the traffic bar graphs.

5. Back up your VPS every day and upload it to the FTP Space

6. Upgrade NGINX in LNMP to the latest version

The latest version at the time of writing is 0.8.53. When a newer version is available, only the version number needs to change. Run the following commands over SSH:

wget http://www.nginx.org/download/nginx-0.8.53.tar.gz
tar zxvf nginx-0.8.53.tar.gz
cd nginx-0.8.53
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old    # keep the old binary
cd objs/
cp nginx /usr/local/nginx/sbin/
/usr/local/nginx/sbin/nginx -t                                      # test the configuration with the new binary
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`                    # start the new master process alongside the old one
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`             # gracefully stop the old master process
/usr/local/nginx/sbin/nginx -v                                      # confirm the running version
cd ..
cd ..
rm -rf nginx-0.8.53
rm -rf nginx-0.8.53.tar.gz

7. Common netstat commands

1. Count all connections on port 80

netstat -nat | grep -i "80" | wc -l

2. Sort connected IP addresses by number of connections

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

3. View TCP connection states

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
netstat -n | awk '/^tcp/ {++state[$NF]} END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]} END {for (k in arr) print k, "\t", arr[k]}'
netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

4. View the 20 IP addresses with the most connections on port 80

netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20

5. Use tcpdump to sniff port 80 and see which source addresses appear most often

tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

6. Find the addresses with the most TIME_WAIT connections

netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

7. Find the addresses with the most SYN connections

netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

How to configure VPS security on Windows Server 2003

Set the disk permissions correctly as shown below (security settings for virtual hosts, using an ASP site as the example):

1. System disk permission settings

C: partition:

C:\
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (subfolders and files only)
  SYSTEM: Full control (this folder, subfolders and files)
  IIS_WPG: Create files / Write data (this folder only)
  IIS_WPG (this folder, subfolders and files):
    Traverse folder / Execute file
    List folder / Read data
    Read attributes
    Create folders / Append data
    Read permissions

C:\Documents and Settings
  Administrators: Full control (this folder, subfolders and files)
  Power Users (this folder, subfolders and files):
    Read and execute
    List folder contents
    Read
  SYSTEM: Full control (this folder, subfolders and files)

C:\Program Files
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (subfolders and files only)
  IIS_WPG (this folder, subfolders and files):
    Read and execute
    List folder contents
    Read
  Power Users (this folder, subfolders and files): Modify
  SYSTEM: Full control (this folder, subfolders and files)
  Terminal Server User (this folder, subfolders and files): Modify

2. Website and virtual host permission settings (example: the websites are on drive E)

Note: assume all websites live under the wwwsite directory on drive E, that a guest-level user is created for each virtual host (named vhost1 ... vhostn), and that a webuser group is created to which all vhost users are added for easier management.

E:\
  Administrators: Full control (this folder, subfolders and files)

E:\wwwsite
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  SERVICE: Full control (this folder, subfolders and files)

E:\wwwsite\vhost1
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  vhost1: Full control (this folder, subfolders and files)

3. Data backup disk

It is best to specify only one specific user to have full operation permissions on the data backup disk.

For example, if Disk F is a data backup disk, only one administrator can perform full operations on it.

4. Permission settings elsewhere

Find the following files on drive C and set their security so that only the designated administrator has full control; no other account should be able to access them:

net.exe
net1.exe
cmd.exe
tftp.exe
netstat.exe
regedit.exe
at.exe
attrib.exe
cacls.exe
format.com

5. Delete the C:\inetpub directory, remove unnecessary script mappings in IIS, create a trap account, and change its description.

Third: disable unnecessary services to improve security and system efficiency

Computer Browser maintains an up-to-date list of the computers on the network and supplies this list to programs that request it.

Task Scheduler allows programs to run at a specified time.

Routing and Remote Access...

How to set up VPS security on a CentOS 5 system

1. Disable unnecessary services.
This should be easy to understand: every service our system does not need is shut down.
One benefit is lower memory and CPU usage; the other is better security.

Which services must be kept?
On a Linux machine there are usually four services that must stay enabled.
iptables
The Linux firewall. As long as the machine needs a network connection, it must be enabled.
network
If the Linux machine is not connected to the Internet at all, this can be disabled; otherwise keep it.
sshd
The OpenSSH server. If your machine is hosted in an IDC rather than operated locally,
the sshd service is what you use to access it.
syslog
The Linux logging system. It must be kept,
otherwise the cause cannot be found when the machine runs into a problem.

Besides these four, which other services should be kept?
That depends on the purpose of the system. For example, a database server needs mysqld (or oracle) enabled,
and a web server needs apache enabled.

2. Disable unneeded ttys
Edit /etc/inittab
Find the following section:
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6

These entries make init open six consoles for you, reachable with Alt+F1 through Alt+F6.
By default all six consoles stay resident in memory, but there is no need for so many.
With the ps auxf command you can see the six processes:
root 3004 0.0 0.0 1892 412 tty1 Ss+ Jun29 /sbin/mingetty tty1
root 3037 0.0 0.0 2492 412 tty2 Ss+ Jun29 /sbin/mingetty tty2
root 3038 0.0 0.0 2308 412 tty3 Ss+ Jun29 /sbin/mingetty tty3
root 3051 0.0 0.0 1812 412 tty4 Ss+ Jun29 /sbin/mingetty tty4
root 3056 0.0 0.0 2116 412 tty5 Ss+ Jun29 /sbin/mingetty tty5
root 3117 0.0 0.0 2396 412 tty6 Ss+ Jun29 /sbin/mi ......
