Undoubtedly, for the system administrator, improving the security of the server is one of the most important things. As a result, there are many articles, blogs and forum posts for this topic.
A server is made up of a large number of functionally diverse components, making it difficult to provide tailored solutions to everyone's needs. This article covers, as far as possible, some helpful tips to help administrators keep servers and users safe.
There are some common sense that every system administrator should know by heart, so the following points will not be mentioned in this article:
- Make sure the system is up to date
- Changing passwords frequently-use a combination of numbers, letters, and non-alphanumeric symbols
- Give the user the minimum permissions to meet their daily usage needs
- Install only those packages that are really needed
Here are some more interesting things:
Change SSH default port
The first thing to do when you build a new server is to change the default port for SSH. This small change will allow your server to avoid thousands of violent attacks (LCTT does not change the default port) The hacker knows your home number so they need a single test key to unlock your home.
To change the default SSH port, open the Sshd_config file first:
sudo vim/etc/ssh/sshd_config
Find the following line:
#Port 22
The "#" number indicates that the line is a comment. First delete the # number and then change the port number to the destination. The port number cannot exceed 65535, making sure that the port number you want to specify is not occupied by the system or other services. It is recommended to view a list of common port numbers on [Wikipedia]. In this article, use this port number:
Port 16543
Then save and close the file and wait for the change to take effect.
The next step is:
Authentication using SSH key
When accessing a server through SSH, it is particularly important to authenticate with the SSH key. This adds extra protection to the server, ensuring that only those who have the key can access the server.
Run the following command on the local machine to generate the SSH key:
SSH-KEYGEN-T RSA
You will see the output below, ask which file you want to write the key to, and set a password:
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): My_key
Enter passphrase (empty for no passphrase):
Enter Same passphrase again: Your identification has been saved in
My_key.
Your public key has been saved in my_key.pub.
The key fingerprint is:
sha256:mqd/pzztrscjzb6mpfjyrr5v1pjlbcgprr5tjnoi20a
When you're done, you get two files:
My_key
My_key.pub
Next, copy the My_key.pub to the ~/.ssh/authorized_key.
CP My_key.pub ~/.ssh/authorized_keys
Then upload the key to the server using the following command:
scp-p16543 Authorized_keys user@yourserver-ip:/home/user/.ssh/
At this point, you can access the server without a password from this local machine.
Turn off password authentication for SSH
Now that you have an SSH key, it's safer to turn off SSH's password authentication. Open and edit Sshd_config again, as set:
Challengeresponseauthentication no
passwordauthentication no
usepam No
Turn off Root Login
The following key step is to turn off direct access for root users and use sudo or Su to perform administrator tasks. First you need to add a new user with root permissions, so edit the sudoers file under this path:
/etc/sudoers/
It is recommended that you edit the file using a command such as Visudo because it checks for any possible syntax errors before closing the file. This is useful when you have an error editing the file.
Next, give a user root permission. In this article, you use the user sysadmin. Make sure that the user you are using after editing this file is a user that is already on the system. Find the following line:
Root all= (All)
Copy the line, paste it on the next line, and then change root to SysAdmin, as follows:
Root all= (All) all the
sysadmin all= (all)
Now explain the meaning of each option in this line:
(1) root (2) all= (3) (All) (4) All
(1) Specify the user
(2) Specify users to use sudo terminal
(3) Specify user roles that the user can assume
(4) The command that this user can use
LCTT: So the above configuration means that the root user can act as any user at any terminal and execute any command. )
Use this configuration to give users access to some system tools.
At this point, you can safely save the file.
To turn off direct access to root via ssh, you need to open Sshd_configagain and locate the following line:
#PermitRootLogin Yes
Change to:
Permitrootlogin No
Then save the file and restart the sshd daemon for the changes to take effect. Execute the following command:
Sudo/etc/init.d/sshd restart
Setting up Firewalls
Firewalls Help filter access ports and prevent logon attempts to use brute force laws. I prefer to use the SCF (Config Server Firewall) This powerful firewall. It uses iptables, is easy to manage, and provides a web interface for users who are not good at entering commands.
To install CSF, log on to the server first and switch to this directory:
cd/usr/local/src/
Then execute the following command with root permissions:
wget https://download.configserver.com/csf.tgz
tar-xzf csf.tgz
cd CSF
sh install.sh
Just wait for setup to complete, and then edit the CSF configuration file:
/etc/csf/csf.conf
By default, CSF runs in test mode. Switch to product mode by setting the value of "testing" to 0.
testing = "0"
The following settings are the ports allowed on the server. In csf.conf, navigate to the following section and modify the port as needed:
# Allow inbound TCP port
tcp_in = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
# Allow outbound TCP port
tcp_out = " 20,21,22,25,53,80,110,113,443,587,993,995,16543 "
# Allow inbound UDP port
udp_in =" 20,21,53 "
# Allow outbound UDP ports
# To allow traceroute requests to be made, add 33,434:33,523 ports to the list
udp_out = "20,21,53,113,123"
If you want to set it up as needed, it is recommended that you use only those ports that you need to avoid setting a wide range of ports. Also, avoid unsafe ports that use unsafe services. For example, only port 465 and 587来 are allowed to send e-mail, instead of the default SMTP port 25. (LCTT: If your mail server supports SMTPS)
Important : Never forget to allow custom SSH ports.
It is important to allow your IP address to pass through the firewall and not be blocked. The IP address is defined in the following file:
/etc/csf/csf.ignore
The blocked IP address appears in this file:
/etc/csf/csf.deny
Once the change is complete, use this command to reboot the CSF:
SUDO/ETC/INIT.D/CSF restart
The following is part of the Csf.deny file on a server to illustrate that CSF is useful:
211.216.48.205 # Lfd: (sshd) Failed SSH login from 211.216.48.205 (Kr/korea, Republic of/-): 5 at the last 3600 Secs-fri Mar 6 00:30:35 2015
103.41.124.53 # LFD: (sshd) Failed SSH login from 103.41.124.53 (Hk/hong kong/-): 5 in the last 3 SECS-FRI Mar 6 01:06:46 2015
103.41.124.42 # LFD: (sshd) Failed SSH login from 103.41.124.42 (Hk/hong kong/-): 5 In the last 3600 SECS-FRI Mar 6 01:59:04 2015
103.41.124.26 # LFD: (sshd) Failed SSH login from 103.41.124.26 (hk/h Ong kong/-): 5 in the last 3600 SECS-FRI Mar 6 02:48:26 2015 109.169.74.58
# LFD: (sshd) Failed SSH login from 109.1 69.74.58 (gb/united kingdom/mail2.algeos.com): 5 in the last 3600 SECS-FRI Mar 6 03:49:03 2015
You can see that the attempt to login through the violence of the IP address is blocked, it is not the eyes of the heart not annoying Ah!
Lock accounts
If an account is not used for a long time, it can be locked to prevent other people from accessing it. Use the following command:
Passwd-l AccountName
Of course, this account can still be used by the root user (LCTT to switch to this account).
Understanding services on the server
The essence of a server is to provide access to a variety of services. Make the server run only the required services, and turn off services that are not in use. This will not only release some system resources, but also make the server more secure. For example, if you just run a simple server, you obviously don't need an X display or a desktop environment. If you do not need the Windows Network Sharing feature, you can safely close samba.
Use the following command to view services that are started with system startup:
Chkconfig--list | grep "3:on"
If the system is running systemd, execute this command:
Systemctl List-unit-files--type=service | grep enabled
Then, use the following command to turn off the service:
Chkconfig service off
or
systemctl disable service
In the example above, replace "service" with the name of the services that you really want to stop. Examples are as follows:
Chkconfig httpd off
or
systemctl disable httpd
Summary
The purpose of this article is to cover some common security steps to help you protect your server. You can do more to enhance the protection of the server. Keep in mind that it's your responsibility to keep your server safe, and make the right choices when it comes to maintaining server security, although there's no easy way to do it, and building "perfect" security takes a lot of time and testing until you reach the desired results.
Via: Original
Author: Marin Todorow Translator: Kayguowhu proofreading: Wxy
This article by LCTT original translation, Linux China honor launch