When you run a VPS or server with a Linux system exposed to the Internet, some basic hardening is needed.
There are roughly these areas:
1. Forbid SSH login as root and log in with a custom account instead;
this way an attacker first has to guess the account name before he can even start guessing the password;
2. Forbid password login and use public-key login instead;
3. Use IP ACLs so that only a few specific IPs can connect;
4. Move the SSH port from the default 22 to another port;
5. Run as few services as possible; if a service is not necessary, do not run it.
Configuration
First, turn off SSH password login
To begin you need your own SSH key. On Windows you can generate the private and public key with puttygen.exe, which ships with PuTTY.
Step one: run puttygen.exe.
Normally we keep the default RSA key type. The default 1024-bit key is sufficient; if you want to be on the safe side choose 2048 or 4096 bits, as shown in the red circle:
Step two: click Generate, then move the mouse randomly over the blank area.
When the progress bar fills, your SSH key has been generated:
For more security you can set a key passphrase. This is a password for the key itself and has nothing to do with the root password: if someone obtains your key file, he still cannot load it without this passphrase.
Step three: click Save public key to store your public key. The whole file looks like this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "showfom-rsa-key-20130701"
AA AAB3NZAC1YC2EAAAABJQAAAQEANA/D52FTZ1YNJXNWAJAUHXRDPCWAR8ZFWLDW
hemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/ D5ffheajfbjosw/n+mz58irzu
Xdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3
681+ HEFM7MPOYYQRCVBPARFIIEZB8TNKFZRKJFRCIZ87YAKKNCPEDCIBYKJUJY2H
cik+y+iptldomj5kqksxstjfquffg+ S3fqj9istu4c7bf3zafd4meupa7p90rruj
lj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq==
---- END SSH2 PUBLIC KEY ----
The long string in the middle is your public key. To put it into ~/.ssh/authorized_keys on the server it has to be written on a single line in the following format:
ssh-rsa aaaab3nzac1yc2eaaaabjqaaaqeana/d52ftz1ynjxnwajauhxrdpcwar8zfwldwhemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/d5ffheajfbjosw/n+mz58irzuxdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3681+hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2hcik+y+iptldomj5kqksxstjfquffg+s3fqj9istu4c7bf3zafd4meupa7p90rrujlj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq== showfom-rsa-key-20130701
Here ssh-rsa is the key type and showfom-rsa-key-20130701 is a comment; it can be any text, for example showfom-notebook.
Step four: click Save private key to save the private key in PuTTY's own format. Here we save it as showfom.ppk; the whole file looks like this:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: showfom
Public-Lines: 4
Aaaab3nzac1yc2eaaaabjqaaaibtill54roaeekv95vkr6iez9y0d1ipnnqeyk+e
YHPTC7JVTMFL0OIHO9S2UQQUANGMLMZLJHXRJ3CPZ1VZINPFQVTGWYKWPEPGCKGI
7/ ITPNUUZ6TKGUEI5RYAETFGKWF13QC5S8DWLK2FGV7DY5GBSOZMHZTC+ZTL9JPN
nca5nw==
Private-Lines: 8
AAAAGEWLY9TSSICIZTUPYWE/EEGD+KH/PBPSUNUG6MNOAEN8OCD5CTSZ2KI9LUKW
gspx0j8f+kmuzu62eikhalgzz+ Nvyklche7qfo2aymcuniuym0mgdn5gjxubfduv
Vtjiaywd282yo0xtjpwn0djf3jmmsrw6pwmwaa6r6palkantaaaaqqclyrycu3eu
0GCGW9G2MVLIZOHOKYPL2E6HJFPQHVSZE6AKUZPTF/DGMKBFY6DH//0ZSOHUE2JN
gnsalqygbvt/ Aaaaqqcargnl76exhtr28try2pong8ij3yn9mczyg3sdsv8fegak
Ryz8t5b6xzuf9uyvz1lia10i7ulz63s2hvczuxthaaaaqd+ Auxn8fuaylroh8ztm
14fyy7grwdn7y7+etz8nuvdlvzp9svpd4v5ti9lpqjtiucp0eelcd5i7zxyv2ohe
U78=
Private-MAC: ce0968aff198e2c2550704625b23ba7575e6b260
Load showfom.ppk into pageant.exe (in the PuTTY directory) and you can log in to your VPS without entering the root password.
PS: the SSH key is shared between WinSCP and PuTTY, so it only needs to be imported once.
The PuTTY private key format is not the standard one, though, and only works with PuTTY or WinSCP. If you use Xshell 4 you need to convert it to an OpenSSH RSA key file, via the Conversions > Export OpenSSH key menu in puttygen.exe.
Step five: import the key into your Linux VPS or server
If you have a local Linux desktop, a single command does it:
ssh-copy-id -i ~/.ssh/id_rsa.pub root@198.51.100.100
But most users are on Windows, so I recommend two simpler ways:
1. Put your public key on https://launchpad.net/, which gives you an address like https://launchpad.net/~showfom/+sshkeys, and then import the key on the server with the following command (note that > replaces any existing authorized_keys; use >> to append):
curl https://launchpad.net/~showfom/+sshkeys > ~/.ssh/authorized_keys
2. Or write it directly into the authorized_keys file:
cat >> /root/.ssh/authorized_keys <<EOF
ssh-rsa aaaab3nzac1yc2eaaaabjqaaaqeana/d52ftz1ynjxnwajauhxrdpcwar8zfwldwhemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/d5ffheajfbjosw/n+mz58irzuxdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3681+hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2hcik+y+iptldomj5kqksxstjfquffg+s3fqj9istu4c7bf3zafd4meupa7p90rrujlj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq== showfom-rsa-key-20130701
EOF
On some providers' CentOS images SELinux is enabled and the .ssh directory ends up with the wrong security context, so sshd is denied access to it. Restore the default context with:
restorecon -R -v /root/.ssh
If you run into authorized_keys permission problems, the file may carry the immutable attribute; remove it with:
chattr -i authorized_keys
Then open a new SSH window (keep the current one open) and test whether you can log in as root without entering a password.
Step six: turn off SSH password login
Edit the SSH daemon configuration file:
vim /etc/ssh/sshd_config
Find
#PasswordAuthentication yes
and replace it with
PasswordAuthentication no
Save, exit, and restart the SSH service.
On Ubuntu:
/etc/init.d/ssh restart
On CentOS:
/etc/init.d/sshd restart
That's it, SSH password login is disabled. This step alone removes 90% of the intrusion risk; of course, you must keep your own private key safe, because anyone who steals it can enter your server without needing a password.
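Before restarting sshd it is worth checking that the file really says what you think it says: sshd takes the first occurrence of a keyword and ignores commented lines, so a leftover "PasswordAuthentication yes" higher up silently wins. The script below is an added example (not part of the original post) that audits an sshd_config for the settings this guide recommends. It assumes POSIX sh and awk; the two configuration files it checks are constructed temporary files, not the system's own.

```bash
#!/bin/sh
# Added example: audit an sshd_config for the settings recommended above.
# Assumptions: POSIX sh + awk; the config path is passed as the first argument.
# Checks: PasswordAuthentication no, PermitRootLogin no (or prohibit-password),
# PubkeyAuthentication not disabled, and reports the listening port.

# Print the effective value of a keyword. sshd uses the FIRST active
# occurrence, keywords are case-insensitive, commented lines are ignored.
sshd_get() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                  # comment line
        /^[ \t]*$/ { next }                  # blank line
        tolower($1) == key { print $2; exit } # first match wins
    ' "$1"
}

# One line per finding; exit status 1 if any unsafe setting remains.
audit_sshd_config() {
    cfg="$1"
    rc=0
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    root=$(sshd_get "$cfg" PermitRootLogin)
    pubkey=$(sshd_get "$cfg" PubkeyAuthentication)
    port=$(sshd_get "$cfg" Port)

    # sshd's built-in default for PasswordAuthentication is "yes",
    # so an unset keyword is just as unsafe as an explicit "yes".
    if [ "${pw:-yes}" != "no" ]; then
        echo "UNSAFE: PasswordAuthentication is '${pw:-unset}' (default yes)"
        rc=1
    fi
    case "${root:-yes}" in
        no|prohibit-password|without-password) ;;
        *) echo "UNSAFE: PermitRootLogin is '${root:-unset}' (default yes)"; rc=1 ;;
    esac
    if [ "${pubkey:-yes}" = "no" ]; then
        echo "UNSAFE: PubkeyAuthentication is disabled; key login would fail"
        rc=1
    fi
    echo "INFO: sshd listens on port ${port:-22}"
    return $rc
}

# Constructed sample configs so the script runs stand-alone
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin yes
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# sshd ignores this later duplicate, so it must not fool the audit either
PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CFG" || echo "-> fix these before restarting sshd"
audit_sshd_config "$HARD_CFG" && echo "-> safe to restart sshd"
```

The script does not understand Match blocks; for the authoritative view of what sshd will actually apply, run sshd -T on the server and compare, and keep your current session open while you test the new login from a second window.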
Second, install the CSF firewall to block IPs that try to break into the server
Installing the CSF firewall is fairly simple; a few commands do it:
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Then run perl /usr/local/csf/bin/csftest.pl to check whether the installation succeeded.
To keep the system from blocking your own IP by mistake, add the IPs you need whitelisted to /etc/csf/csf.allow and /etc/csf/csf.ignore, then run csf -r to restart CSF and reload the configuration.
Third, open only the needed ports with iptables
Generally we only need ports 22, 53, 80 and 443, the four common ones, which you can open with the following commands. Note that these commands only add ACCEPT rules; they block nothing until the chain default policies are set to DROP, as the iptables script in the network security section below does.
Clear the current iptables rules
iptables -F
Allow port 22 in, and the replies out
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow port 53, normally used for DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
Allow the machine to talk to itself
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
Allow any IP to reach ports 80 and 443, normally used for HTTP and HTTPS
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Save the configuration
iptables-save > /etc/sysconfig/iptables
List the active rules to verify them
iptables -L
Fourth, install fail2ban to block and report IPs that scan the SSH port
There are a lot of energetic people scanning for SSH passwords all day. Turning off SSH password login already stops them, but to teach them a lesson you can install fail2ban, which blocks them and can also automatically send an abuse report to the IP's ISP.
Install on CentOS:
Import the EPEL repository:
CentOS 6.x 32-bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
CentOS 6.x 64-bit:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install fail2ban:
yum -y install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
service fail2ban start
Install on Ubuntu/Debian:
apt-get install fail2ban -y
Look at /var/log/fail2ban.log and you will know which overly energetic people are scanning your SSH all day.
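What fail2ban's sshd jail does is simple enough to show in a few lines of awk: count failed logins per source address in the auth log and hand every address over the maxretry threshold to the ban action. The following is an added example (not fail2ban's code and not part of the original post) that runs the same detection logic over a handful of constructed syslog-style sshd lines; the addresses, hostnames and PIDs in it are made up.

```bash
#!/bin/sh
# Added example: the detection step of fail2ban's sshd jail, reduced to awk.
# Assumptions: syslog-style sshd lines ("Failed password for ... from <IP>",
# "Invalid user ... from <IP>"). The log below is constructed, not real.

SAMPLE_LOG='Jul  1 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul  1 10:00:03 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jul  1 10:00:04 vps sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul  1 10:00:09 vps sshd[1204]: Accepted publickey for showfom from 198.51.100.7 port 40002 ssh2
Jul  1 10:00:12 vps sshd[1205]: Failed password for invalid user oracle from 203.0.113.9 port 60010 ssh2
Jul  1 10:00:15 vps sshd[1206]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul  1 10:00:20 vps sshd[1207]: Invalid user test from 203.0.113.9 port 60011'

# count_failures: read log lines on stdin, print "<count> <ip>" for every
# source that produced failed logins, most active first. Successful logins
# ("Accepted ...") are deliberately not counted.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user )/ {
            # the token after "from" is the client address
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) print fails[ip], ip }
    ' | sort -rn
}

# candidates_to_ban: addresses at or above the maxretry threshold ($1,
# default 3), i.e. what fail2ban would pass to its iptables ban action.
candidates_to_ban() {
    count_failures | awk -v max="${1:-3}" '$1 >= max { print $2 }'
}

# Demonstration on the constructed log
printf '%s\n' "$SAMPLE_LOG" | count_failures
printf '%s\n' "$SAMPLE_LOG" | candidates_to_ban 3
```

On a real host, feed it the actual file (/var/log/secure on CentOS, /var/log/auth.log on Debian/Ubuntu) and remember that fail2ban additionally applies a time window (findtime) and expires bans (bantime); a one-shot count like this would ban forever, so use it to inspect, not to block.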
User management
User permissions
1) Restrict root
echo "tty1" > /etc/securetty
chmod 700 /root
2) Password policy
echo "Passwords expire every 180 days"
perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 180/' -i /etc/login.defs
echo "Passwords may be changed once a day"
perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
Use SHA-512 instead of MD5 to hash passwords
authconfig --passalgo=sha512 --update
3) umask limit
Change the umask to 077
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
4) PAM modification
touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# pam_tally2 has to run before pam_unix: placed after a "sufficient" pam_unix
# it would be skipped on a correct password and the lockout would never apply.
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=60
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= <UID_MIN> quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < <UID_MIN> quiet
account     required      pam_permit.so
account     required      pam_tally2.so per_user
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
<UID_MIN> stands for the lowest regular-user UID on your system (the UID_MIN value in /etc/login.defs). /var/log/tallylog is a binary log of authentication failures; to unlock an account locked after too many failures, use pam_tally2 --reset -u username.
5) Log out idle users
echo "Idle users will be logged out after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh
6) cron and at limits
echo "Locking down cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down at"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny
Once cron.allow and at.allow exist, only the users listed in them may use cron and at (an empty allow file means nobody but root), and the deny files are no longer consulted.
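The perl one-liners in step 2 only fire when the current value is exactly the stock default (99999 or 0); on a system where someone has already changed PASS_MAX_DAYS to, say, 90, they silently do nothing and the policy is never applied. Below is an added example (not part of the original post) of an idempotent setter for login.defs-style "KEY value" files that rewrites the active definition whatever its current value and appends the key when it is absent. It assumes POSIX sh and awk; the file it edits in the demo is a constructed temporary copy, not /etc/login.defs itself.

```bash
#!/bin/sh
# Added example: set KEY to VALUE in a login.defs-style file, idempotently.
# Assumptions: POSIX sh + awk; lines look like "KEY<whitespace>VALUE", and
# lines whose first field starts with '#' are comments. The demo operates on
# a constructed temporary file, never on /etc/login.defs.

set_def() {
    # $1 = file, $2 = key, $3 = value
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        $1 == key && !/^[ \t]*#/ {          # active definition: rewrite it
            print key "\t" val; seen = 1; next
        }
        { print }                            # everything else unchanged
        END { if (!seen) print key "\t" val } # key absent: append it
    ' "$1" > "$tmp" && cat "$tmp" > "$1"     # cat keeps the file's owner/mode
    rm -f "$tmp"
}

get_def() {
    # print the active value of key $2 in file $1 (last definition wins,
    # which is how login.defs readers treat duplicates)
    awk -v key="$2" '$1 == key && !/^[ \t]*#/ { v = $2 } END { print v }' "$1"
}

# Constructed demo file that mimics a login.defs someone already edited
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
# PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
UMASK           022
EOF

set_def "$DEMO" PASS_MAX_DAYS 180   # 90 -> 180; the perl version would miss this
set_def "$DEMO" PASS_MIN_DAYS 1
set_def "$DEMO" UMASK 077
set_def "$DEMO" PASS_WARN_AGE 14    # not present yet: gets appended
cat "$DEMO"
```

Run it against a copy first and diff the result; note that the umask lines in /etc/bashrc (step 3) are lowercase "umask" statements nested inside if-blocks, so for those keep the perl substitution or adapt the pattern to preserve indentation.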
Remove unused system users and groups
userdel username
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
The users above are created by default at system installation, but some of them are never used on a typical server, and these accounts are frequently used by attackers. Check with find / -user name before deleting one, so that no files are left behind without an owner.
groupdel groupname
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
Likewise, the groups above are created by default at installation; removing them reduces the attack surface.
Service management
Turn off services the system does not use (chkconfig without --level applies to all runlevels; add --level to restrict it)
chkconfig apmd off
chkconfig netfs off
chkconfig yppasswdd off
chkconfig ypserv off
chkconfig dhcpd off
chkconfig portmap off
chkconfig lpd off
chkconfig nfs off
chkconfig sendmail off
chkconfig snmpd off
chkconfig rstatd off
chkconfig atd off
Update the system regularly
yum -y update, which you can add as a cron job.
SSH service security
Log in with a key (certificate) instead of a password; this is not detailed here, see http://www.centos.bz/2012/02/strengthen-ssh-security-login-with-certificate/
LAMP security
Lamp safe
System file permissions
Restrict execute permissions on the init directory
chmod -R 700 /etc/init.d/*
Remove the suid and sgid bits from some system binaries (afterwards non-root users can no longer run them, e.g. ping or mount)
chmod a-s /usr/bin/chage
chmod a-s /usr/bin/gpasswd
chmod a-s /usr/bin/wall
chmod a-s /usr/bin/chfn
chmod a-s /usr/bin/chsh
chmod a-s /usr/bin/newgrp
chmod a-s /usr/bin/write
chmod a-s /usr/sbin/usernetctl
chmod a-s /usr/sbin/traceroute
chmod a-s /bin/mount
chmod a-s /bin/umount
chmod a-s /bin/ping
chmod a-s /sbin/netreport
Protect the system boot files
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
Log management
1. System boot log
dmesg
Use the dmesg command to quickly see the kernel log of the last boot. It is usually long, so you will often want to pipe it to a pager such as less.
2. System running logs
a) Linux logs are stored in the /var/log directory.
Several log files there are maintained by the system, and other services and programs may also put their logs there. Most logs can be read only by root unless you change the file permissions to make them readable.
Common system log file names and their descriptions:
lastlog    records each user's last successful login time
loginlog   records failed login attempts
messages   records messages sent to the system console and messages generated by the syslog service
utmp       records each user currently logged in
utmpx      extended utmp
wtmp       records the history of each user's login and logout; wtmpx is the extended wtmp
vold.log   records errors when using external media
xferlog    records FTP access
sulog      records use of the su command
acct       records the commands each user has run
aculog     dial-out automatic call log
b) /var/log/messages
The messages log is the core system log file. It contains the boot messages from system start-up and other status messages while the system is running. I/O errors, network errors and other system errors are recorded in this file, and so is other information such as someone switching identity to root. If a service such as a DHCP server is running, you can watch its activity in the messages file. Typically /var/log/messages is the first file you look at when troubleshooting.
c) /var/log/XFree86.0.log
This log records the result of the last run of the XFree86 X Window server. If you have trouble booting into graphical mode, you will generally find the reason for the failure in this file.
Network security
Using tcp_wrappers
tcp_wrappers can help protect your system against external intrusion. The best strategy is to block all hosts (add "ALL: ALL@ALL, PARANOID" to /etc/hosts.deny) and then list every host that is allowed to connect in /etc/hosts.allow.
Step one:
Edit hosts.deny (vi /etc/hosts.deny) and add the lines below:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
This means all services are blocked for all addresses unless the address is in the list of allowed hosts.
Step two:
Edit hosts.allow (vi /etc/hosts.allow) and add the list of hosts that are allowed to connect, for example:
ftp: 202.54.15.99 foo.com
202.54.15.99 and foo.com are the IP address and host name allowed to use the FTP service.
Step three:
tcpdchk is the tcpd wrapper configuration checker. It examines your tcp_wrappers setup and reports the potential and actual problems it finds. When you have finished editing, run:
[root@kapil /]# tcpdchk
Using the iptables firewall
iptables rules for a web server
IPT="/sbin/iptables"
$IPT --delete-chain
$IPT --flush
$IPT -P INPUT DROP #1
$IPT -P FORWARD DROP #1
$IPT -P OUTPUT DROP #1
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #2
$IPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT #3
$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT #3
$IPT -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT #3
$IPT -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT #3
$IPT -A INPUT -i lo -j ACCEPT #4
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT #5
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT #5
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #6
$IPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT #7
$IPT -A OUTPUT -o lo -j ACCEPT #4
$IPT -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT #8
$IPT -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT #9
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT #10
$IPT -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT #10
service iptables save
service iptables restart
Save this as iptables.sh and run sh iptables.sh to configure the firewall automatically.
Explanation:
#1 Set the default policy of the INPUT, FORWARD and OUTPUT chains to DROP, so that nothing can communicate with the server unless a rule below allows it.
#2 Allow incoming packets whose connection state is RELATED or ESTABLISHED.
#3 Allow external clients to connect to server ports 80, 22, 21 and 873.
#4 Allow traffic on the loopback interface.
#5 Allow external hosts to ping the server.
#6 Allow outgoing packets whose connection state is RELATED or ESTABLISHED.
#7 Allow the server to resolve domain names with external DNS.
#8 Allow the server to connect to external servers on port 80.
#9 Allow the server to send mail.
#10 Allow the server to ping external hosts.
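One practical weakness of running the script above line by line is ordering: the DROP policies (#1) are in force before any ACCEPT rule exists, so for a moment every packet, including those of the SSH session you are typing in, is dropped. The idiomatic way around that is to write the whole policy as an iptables-restore file and load it atomically. The block below is an added example (not the original author's script) that generates such a file for a given list of inbound TCP ports, covering both this script and the earlier "open only the needed ports" section; it assumes an iptables with the conntrack match and only emits text, it never touches the live firewall.

```bash
#!/bin/sh
# Added example: emit the policy of the script above as an iptables-restore
# file, so that it can be loaded atomically with "iptables-restore < file".
# Assumptions: iptables with the conntrack match; inbound TCP ports are given
# as arguments. Nothing is loaded here; the output is text for review.

gen_rules() {
    # $@ = inbound TCP ports to allow, e.g. 22 80 443
    echo '*filter'
    echo ':INPUT DROP [0:0]'                       # #1 default-deny on all chains
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'                # #4 loopback
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'   # #2
    echo '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'  # #6
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'   # malformed/untracked
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$p'" >&2; return 1 ;;
        esac
        # #3 only NEW connections need a per-port rule; replies match #2
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'   # #5 echo request
    echo '-A INPUT -p icmp --icmp-type 11 -j ACCEPT'  # time exceeded
    echo '-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT'  # #10 ping out
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'      # #7 DNS
    echo '-A OUTPUT -p tcp --dport 80 -j ACCEPT'      # #8 HTTP out
    echo '-A OUTPUT -p tcp --dport 25 -j ACCEPT'      # #9 SMTP out
    echo 'COMMIT'
}

# allows_port FILE PORT: does the generated ruleset accept inbound TCP PORT?
# (trailing space in the pattern keeps 22 from matching 2222)
allows_port() {
    grep -q -- "-A INPUT -p tcp --dport $2 " "$1"
}

RULES=$(mktemp)
gen_rules 22 80 443 > "$RULES"
cat "$RULES"
```

Review the output, then load it with iptables-restore < rules.v4 from a console session or with iptables-apply on Debian/Ubuntu, which rolls the change back if you lose connectivity; save it with the distribution's mechanism (service iptables save on CentOS) once confirmed.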