Today I'd like to share the most basic security configuration for a VPS.
First, modify the SSH port
The default SSH port on a VPS is 22. Anyone scanning for SSH servers to brute-force passwords is bound to start with port 22, so changing it to another number is well worth doing.
OK, log in to the VPS over SSH and edit the configuration file.
vi /etc/ssh/sshd_config
Locate the line #Port 22, remove the leading #, and change it to Port 1380 (pick a four-digit number or so to avoid colliding with a port already in use), then restart sshd.
service sshd restart
Note: If you are worried about making a mistake that locks you out of the VPS, you can instead remove the # from #Port 22 and add a line Port 1380 below it. Then open another PuTTY window and try logging in on the new port; once that works, delete the Port 22 line!
Second, disable root login and add a new account
First, add a new user account
useradd ax2016 # choose your own username; ax2016 is used here as an example
Set a new user password
passwd ax2016 # you will be prompted for the password; preferably paste in a long random one
Enter the password twice and you are done.
The next step is to disable root login, again by editing /etc/ssh/sshd_config.
vi /etc/ssh/sshd_config
Find the line #PermitRootLogin yes, remove the leading # and change yes to no, then restart sshd.
service sshd restart
Try logging in as the new user, then use su root to switch to root.
login as: ax2016                          # new username
ax2016@*.*.*.*'s password: *****          # new user's password
Last login: Thu Mar  5 08:14:21 from *.*.*.*
su root                                   # switch to root (escalate privileges)
Password: ***********                     # root password
Note: Setting a strong password is another barrier protecting the account. If you use a long, complex, random password for root, the chance of it being guessed by brute force is tiny, about the same as winning the welfare lottery!
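Both sshd_config edits above (Port and PermitRootLogin) follow the same pattern: find the commented-out default, uncomment it, set the new value, restart. The helper below is an added example, not code from the original post: it makes that edit with awk against whatever file you point it at, keeps Port 22 live while Port 1380 is tested as the post advises, and runs sshd -t on the result before restarting so that a typo cannot lock you out. The sshd -t validation step and the backup copy are additions beyond what the post shows.

```shell
#!/bin/sh
# sshd_set_option <file> <Directive> <value>
#   Replaces the first line for <Directive>, whether active ("Port 22") or the
#   commented-out default ("#Port 22"); appends the directive if it is absent.
sshd_set_option() {
    cfg=$1; key=$2; val=$3; tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { done = 0; lk = tolower(key) }
        {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indent and leading #
            split(line, f, /[ \t]+/)
            if (!done && tolower(f[1]) == lk) { print key " " val; done = 1; next }
            print
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# sshd_get_option <file> <Directive>: print the value of the first active line.
sshd_get_option() {
    lk=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v lk="$lk" '/^[ \t]*#/ || NF < 2 { next } tolower($1) == lk { print $2; exit }' "$1"
}

# The post's sequence: keep 22 live while 1380 is tested, disable root login,
# and only restart once sshd itself accepts the new file.
harden_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp "$cfg" "$cfg.bak"                          # keep a copy to roll back to
    sshd_set_option "$cfg" Port 22                # uncomment the default so it stays active
    grep -Eiq '^[ \t]*Port[ \t]+1380' "$cfg" || printf 'Port 1380\n' >> "$cfg"
    sshd_set_option "$cfg" PermitRootLogin no
    if sshd -t -f "$cfg"; then
        service sshd restart
        echo "sshd restarted; test a login on port 1380, then remove the Port 22 line"
    else
        echo "config rejected by sshd -t; restoring backup" >&2
        cp "$cfg.bak" "$cfg"; return 1
    fi
}

# Only touch the live system when invoked with --apply.
if [ "${1:-}" = "--apply" ]; then harden_sshd /etc/ssh/sshd_config; fi
```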
Third, install DDoS deflate to defend against light CC and DDoS attacks
On the WP forum I saw a user who had opened a free Hostigation account say something very apt: these days even kids can DDoS a site... Keeping a low profile is the best choice. Try not to show off in certain places; not being ostentatious also counts as a security defense! As the saying goes, if you often walk along the river, sooner or later you get your shoes wet. It pays to prepare before it happens. Okay, enough rambling, now let's install DDoS deflate.
Before we talk about DDoS deflate, we need to know about one thing: iptables.
iptables is the IP packet filtering system integrated into the Linux kernel; it lets you easily add, edit and remove the rules the firewall consults when deciding how to filter packets.
First, confirm the status of the iptables service (it usually comes preinstalled on VPS systems).
service iptables status
Once confirmed, install DDoS deflate:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh
After installation, you also need to edit the configuration file so that offending IPs are blocked automatically with iptables.
vi /usr/local/ddos/ddos.conf
The main change is APF_BAN=1 to APF_BAN=0 (use iptables). You can also change EMAIL_TO="root" to your own email address, so that whenever the script blocks an IP you receive a notification.
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                       # scheduled execution entry
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
FREQ=1                  # check interval, default 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # maximum connections per IP; IPs above this are blocked; the default is fine

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0               # use APF or iptables; iptables is recommended, so set APF_BAN to 0

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1                  # whether to block IPs; the default is fine

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"         # mailbox notified when an IP is blocked; use your own address

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600          # how long an IP stays blocked, default 600 seconds; adjust as needed
Because the default whitelist generated by this script has some problems and often contains errors, it is better to set the whitelist by hand and make the file immutable.
vi /usr/local/ddos/ignore.ip.list          # set the whitelist IPs by hand
chattr +i /usr/local/ddos/ignore.ip.list   # make the file immutable
chattr -i /usr/local/ddos/ignore.ip.list   # remove the immutable flag
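To see what NO_OF_CONNECTIONS and ignore.ip.list actually do, here is a simplified model of the check, added as an example and not the project's own ddos.sh: it counts connections per remote IP from netstat -ntu output, skips whitelisted addresses, and prints the IPs that would be banned. The netstat rows, whitelist contents and the 203.0.113.x / 198.51.100.x / 10.0.0.x addresses are constructed for the demonstration.

```shell
#!/bin/sh
# offenders <threshold> <whitelist-file>   (reads `netstat -ntu` output on stdin)
# Prints "<count> <ip>" for every remote IP with more than <threshold> connections
# that is not listed in the whitelist (one IP per line, # comments allowed).
offenders() {
    awk -v limit="$1" -v wl="$2" '
        BEGIN {
            while ((getline l < wl) > 0) {
                sub(/#.*/, "", l); gsub(/[ \t]/, "", l)     # strip comments and blanks
                if (l != "") white[l] = 1
            }
        }
        # netstat rows: Proto Recv-Q Send-Q Local Foreign State; header lines are skipped.
        $1 ~ /^(tcp|udp)/ {
            ip = $5; sub(/:[0-9]+$/, "", ip)                 # drop the remote port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit && !(ip in white)) print n[ip], ip }
    ' | sort -rn
}

# ban_ip <ip>: the action taken when APF_BAN=0 (iptables) and KILL=1.
ban_ip() { iptables -I INPUT -s "$1" -j DROP; }

# Constructed `netstat -ntu` output: 4 connections from 203.0.113.7,
# 5 from the management host 10.0.0.5, 1 from 198.51.100.2.
sample_netstat() {
    i=0; while [ $i -lt 4 ]; do printf 'tcp 0 0 10.0.0.1:80 203.0.113.7:%d ESTABLISHED\n' $((50000+i)); i=$((i+1)); done
    i=0; while [ $i -lt 5 ]; do printf 'tcp 0 0 10.0.0.1:80 10.0.0.5:%d ESTABLISHED\n' $((40000+i)); i=$((i+1)); done
    printf 'tcp 0 0 10.0.0.1:22 198.51.100.2:51234 ESTABLISHED\n'
}

# Demo: with 10.0.0.5 whitelisted and a threshold of 3, only 203.0.113.7 is flagged,
# which shows why a hand-maintained ignore.ip.list matters for your own hosts.
demo() {
    wl=$(mktemp); printf '127.0.0.1\n10.0.0.5   # management host\n' > "$wl"
    sample_netstat | offenders 3 "$wl"
    rm -f "$wl"
}
```

On a live host the equivalent call is `netstat -ntu | offenders "$NO_OF_CONNECTIONS" "$IGNORE_IP_LIST"`, feeding each printed IP to ban_ip.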
To uninstall DDoS deflate:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod +x uninstall.ddos
./uninstall.ddos
OK, that is all for the simple security configuration; of course, you can also combine this with the system firewall for more advanced settings.
Linux VPS Practical Simple Security Configuration