In day-to-day operations, hardening the login path of a server is a basic part of the machine's security setup. The recommended practice is to:
1) Strictly restrict SSH login (refer to: SSH usage under Linux systems (based on personal experience)):
Change the default SSH listening port;
Disable root login, and set up a dedicated account or group for SSH login;
Disable password login, and use key (certificate) login instead;
Bind ListenAddress to the machine's intranet IP, so that SSH connections are only accepted on the local intranet address;
2) Whitelist the IPs allowed to log in (iptables, /etc/hosts.allow, /etc/hosts.deny);
3) Dedicate two machines as bastion (jump) hosts, and whitelist the other machines so that they can only be logged in to through the bastion; this narrows the login entry point for the whole server room down to those hosts;
In addition, apply the SSH restrictions above on the bastion hosts themselves, and preferably add two-factor authentication after login (Google Authenticator);
4) Strict sudo permission control (refer to: Linux system permissions knowledge summary);
5) Use the chattr command to lock important files on the server, such as /etc/passwd, /etc/group, /etc/shadow, /etc/sudoers, /etc/sysconfig/iptables, /var/spool/cron/root, etc.;
6) Disable ping (echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all).
Today we mainly cover the server login whitelist settings, which use the following two mechanisms:
1) iptables restrictions on the SSH port;
2) /etc/hosts.allow and /etc/hosts.deny restrictions. These two files control remote access: through them you can allow or deny a client IP or IP range access to a Linux service.
If iptables, hosts.allow and hosts.deny are all set and their settings conflict, the priority is hosts.allow > hosts.deny > iptables.
Let's look at several settings that restrict login to the local server:
1) iptables and hosts.allow are set consistently and hosts.deny is not set. If a conflict occurs, the hosts.allow setting takes precedence.
[root@host ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@host ~]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
// Remember: the 192.168.1.* network segment form used here cannot be written as 192.168.1.0/24, and multiple IPs are separated by commas
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow    // the trailing allow can be omitted
[root@host ~]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
With the settings above, although 133.110.186.139 does not appear in the iptables whitelist, it does appear in hosts.allow, so it is allowed to log in to the local server;
In other words, the IPs set in hosts.allow can log in to the local server, while an IP that is set in iptables but not in hosts.allow cannot;
So, as long as hosts.allow is set, there is in fact no need for iptables to restrict SSH;
2) hosts.allow is not set, iptables and hosts.deny are set (if the two conflict, hosts.deny takes precedence)
[root@host ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@host ~]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
[root@host ~]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:133.110.186.130:deny    // the trailing deny can be omitted
Although 133.110.186.130 is set in iptables above, it is also set in hosts.deny, and in that case the hosts.deny setting is followed, i.e. the IP 133.110.186.130 cannot log in to the local server;
In other words, only the 192.168.1.0 network segment and 114.165.77.144 can log in to the local server;
3) When iptables, hosts.allow and hosts.deny are all set, hosts.allow is the one that is followed!
[root@host ~]# cat /etc/sysconfig/iptables
.....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.133 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.137 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@host ~]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow    // the trailing allow can be omitted
[root@host ~]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL:deny    // the trailing deny can be omitted
After the settings above, only the IPs listed in hosts.allow (192.168.1.*, 114.165.77.144, 133.110.186.130 and 133.110.186.139) can log in to the local server.
4) There is one more variant: the deny rule that would go in hosts.deny is placed in hosts.allow instead.
[root@host ~]# cat /etc/sysconfig/iptables
....
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 114.165.77.144 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 133.110.186.130 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[root@host ~]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow    // the trailing allow can be omitted
sshd:ALL:deny    // this is the rule that would normally go in hosts.deny; it can also be placed here, meaning that logins from any IP other than those listed above are restricted
[root@host ~]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
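To check the four scenarios above without touching a live server, here is a small Python model (added here, not part of the original post) of the decision order a connection to sshd goes through: the iptables INPUT chain first, then tcp_wrappers with hosts.allow before hosts.deny, as described in hosts_access(5). It models only IP patterns (exact IP, 192.168.1.* wildcards, prefix and CIDR/netmask forms, ALL) and the allow/deny options; hostnames, EXCEPT and other options are left out, and the iptables chain policy is an explicit parameter because the post's examples assume it is ACCEPT.

```python
import fnmatch
import ipaddress

def _client_match(pattern, ip):
    """Match one hosts_access client pattern against a dotted-quad IP."""
    pattern = pattern.strip()
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:  # n.n.n.n/m.m.m.m or n.n.n.n/len forms
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # "192.168.1." prefix form
        return ip.startswith(pattern)
    return fnmatch.fnmatchcase(ip, pattern)  # "192.168.1.*" wildcard or an exact IP

def wrappers_decide(hosts_allow, hosts_deny, daemon, ip):
    """tcp_wrappers order: first match in hosts.allow wins, then hosts.deny;
    a rule is 'daemons:clients[:allow|deny]'; no match in either file means allow."""
    for text, default in ((hosts_allow, "allow"), (hosts_deny, "deny")):
        for line in text.splitlines():
            fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
            if len(fields) < 2 or not fields[0]:
                continue  # blank line or comment
            if fields[0].upper() not in ("ALL", daemon.upper()):
                continue  # rule is for another service
            if any(_client_match(p, ip) for p in fields[1].split(",")):
                return fields[2].lower() if len(fields) > 2 else default
    return "allow"

def iptables_accepts(sources, ip, policy="ACCEPT"):
    """Model of the INPUT chain in the post: an ACCEPT rule for a matching
    source wins, otherwise the chain policy decides (the post assumes ACCEPT)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(s, strict=False) for s in sources):
        return True
    return policy == "ACCEPT"

def can_login(sources, hosts_allow, hosts_deny, ip, policy="ACCEPT"):
    """Full path: the packet must pass iptables before sshd and tcp_wrappers see it."""
    if not iptables_accepts(sources, ip, policy):
        return False
    return wrappers_decide(hosts_allow, hosts_deny, "sshd", ip) == "allow"

# Constructed inputs taken from the post's scenarios 1 and 3.
IPT_SOURCES = ["192.168.1.0/24", "114.165.77.144", "133.110.186.130"]
HOSTS_ALLOW = "sshd:192.168.1.*,114.165.77.144,133.110.186.130,133.110.186.139:allow\n"
HOSTS_DENY_ALL = "sshd:ALL:deny\n"
```

The `policy` parameter makes the caveat behind the post's priority rule visible: hosts.allow can only override iptables when the INPUT chain's policy lets the unlisted packet through, because the firewall sees the packet before sshd does.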
Linux Server secure Login settings