Linux Server Security Tips


For a system administrator, improving the security of a server is undoubtedly one of the most important tasks. As a result, there are many articles, blog posts and forum threads on this topic.

A server is made up of a large number of functionally diverse components, which makes it difficult to provide a solution tailored to everyone's needs. This article covers, as far as possible, some helpful tips that help administrators keep servers and users safe.

There are some common-sense practices that every system administrator should know by heart, so the following points will not be discussed in this article:

    • Keep the system up to date
    • Change passwords frequently, using a combination of numbers, letters and non-alphanumeric symbols
    • Give each user only the minimum permissions needed for their daily work
    • Install only the packages that are really needed

Here are some more interesting things:

Change the default SSH port

The first thing to do when you set up a new server is to change the default port for SSH. This small change spares your server thousands of brute-force attempts. (LCTT note: if you do not change the default port, the attacker already knows your house number and only needs to try keys one by one to open your door.)

To change the default SSH port, first open the sshd_config file:

sudo vim /etc/ssh/sshd_config

Find the following line:

#Port 22

The "#" indicates that the line is a comment. First delete the "#", then change the port number to the one you want. The port number cannot exceed 65535, and you must make sure that the port you choose is not already used by the system or by another service. It is recommended to check the list of common port numbers on Wikipedia. This article uses the following port number:

Port 16543

Then save and close the file. The change takes effect once the sshd daemon is restarted, which is done at the end of the root-login section below.

The next step is:

Authenticate using an SSH key

When accessing a server through SSH, authenticating with an SSH key is particularly important. It adds an extra layer of protection to the server, ensuring that only those who hold the key can access it.

Run the following command on your local machine to generate the SSH key pair:

ssh-keygen -t rsa

You will see the output below; it asks which file the key should be written to, and for a passphrase:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): my_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_key.
Your public key has been saved in my_key.pub.
The key fingerprint is:
SHA256:mqd/pzztrscjzb6mpfjyrr5v1pjlbcgprr5tjnoi20a

When you're done, you have two files:

my_key

my_key.pub

Next, copy my_key.pub to ~/.ssh/authorized_keys:

cp my_key.pub ~/.ssh/authorized_keys

Then upload the authorized_keys file to the server with the following command (note the custom SSH port chosen above; scp takes the port with an uppercase -P):

scp -P 16543 ~/.ssh/authorized_keys user@yourserver-ip:/home/user/.ssh/

At this point, you can log in to the server from this local machine with the key instead of a password.

Turn off password authentication for SSH

Now that you have an SSH key, it is safer to turn off SSH password authentication. Open sshd_config again and set the following:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Turn off root login

The next key step is to turn off direct login for the root user and use sudo or su to perform administrative tasks. First you need a user with root privileges, so edit the sudoers file at this path:

/etc/sudoers

It is recommended that you edit this file with the visudo command, because it checks for syntax errors before closing the file. This is useful when you make a mistake while editing.

Next, give a user root privileges. This article uses the user sysadmin. Make sure that the user you put in this file already exists on the system. Find the following line:

root ALL=(ALL) ALL

Copy the line, paste it on the next line, and change root to sysadmin, as follows:

root ALL=(ALL) ALL
sysadmin ALL=(ALL) ALL

Now let's explain the meaning of each field in this line:

(1) root (2) ALL= (3) (ALL) (4) ALL

(1) The user the rule applies to

(2) The hosts on which the user may use sudo

(3) The users the user may run commands as

(4) The commands the user may run

(LCTT note: so the line above means that the root user can act as any user, on any host, and execute any command.)

Use this configuration to give users access to the system tools they need.

At this point, you can safely save the file.

To turn off direct root access via ssh, open sshd_config again and locate the following line:

#PermitRootLogin yes

Change to:

PermitRootLogin no

Then save the file and restart the sshd daemon for the changes (including the new port) to take effect:

sudo /etc/init.d/sshd restart

Setting up a firewall

A firewall helps filter access to ports and blocks brute-force login attempts. I prefer to use CSF (ConfigServer Firewall), a powerful firewall. It uses iptables, is easy to manage, and provides a web interface for users who are not comfortable at the command line.

To install CSF, log on to the server and switch to this directory:

cd /usr/local/src/

Then execute the following command with root permissions:

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Wait for the installation to complete, then edit the CSF configuration file:

/etc/csf/csf.conf

By default, CSF runs in testing mode. Switch to production mode by setting TESTING to 0:

TESTING = "0"

The following settings define the ports allowed on the server. In csf.conf, navigate to the following section and modify the ports as needed:

# Allow incoming TCP ports
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,16543"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,16543"
# Allow incoming UDP ports
UDP_IN = "20,21,53"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123"

If you set this up yourself, it is recommended that you allow only the ports you actually need and avoid opening a wide range of ports. Also avoid ports belonging to insecure services. For example, allow only ports 465 and 587 for sending e-mail, instead of the default SMTP port 25. (LCTT note: if your mail server supports SMTPS.)

Important: never forget to allow your custom SSH port.
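As an added example (not code from the original article), this Python script audits the sshd_config changes made in the sections above and cross-checks that the chosen port is listed in csf.conf's TCP_IN; the configuration strings are constructed samples, and the parser follows sshd's rule that the first occurrence of a keyword wins.

```python
import re
# Constructed samples (not the article's files): sshd_config after the edits above, and csf.conf
SAMPLE_SSHD_CONFIG = """\
Port 16543
PermitRootLogin no
ChallengeResponseAuthentication no
passwordauthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
SAMPLE_CSF_CONF = 'TESTING = "0"\nTCP_IN = "20,21,25,53,80,443,16543,33434:33523"\n'
HARDENED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "challengeresponseauthentication": "no"}

def parse_sshd_config(text):
    """{keyword: value}. sshd keeps the FIRST occurrence of a keyword, keywords are
    case-insensitive, and lines from the first "Match" on are conditional, so stop there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or comment line
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break
        settings.setdefault(key, value)             # first occurrence wins
    return settings

def csf_ports(text, key):
    """Ports listed for KEY (e.g. TCP_IN) in csf.conf; CSF ranges a:b are expanded."""
    m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"', text, re.M)
    items = m.group(1).split(",") if m else []
    ports = set()
    for lo, _, hi in (i.strip().partition(":") for i in items if i.strip()):
        ports.update(str(p) for p in range(int(lo), int(hi or lo) + 1))
    return ports

def audit(sshd_text, csf_text):
    """Return a list of findings; an empty list means every check passed."""
    sshd = parse_sshd_config(sshd_text)
    findings = [f"{k}: expected {v}, got {sshd.get(k, '<unset>')}"
                for k, v in HARDENED.items() if sshd.get(k, "").lower() != v]
    port = sshd.get("port", "22")                   # sshd's default when unset
    if port == "22":
        findings.append("Port: still the default 22")
    if port not in csf_ports(csf_text, "TCP_IN"):
        findings.append(f"csf.conf TCP_IN does not allow SSH port {port}")
    return findings
```

On a real host, replace the sample strings with the contents of /etc/ssh/sshd_config and /etc/csf/csf.conf.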

It is also important that your own IP address is allowed through the firewall and never blocked. Such addresses are defined in the following file:

/etc/csf/csf.ignore

Blocked IP addresses appear in this file:

/etc/csf/csf.deny

Once the changes are complete, restart CSF with this command:

sudo /etc/init.d/csf restart

The following is part of the csf.deny file on a server, to illustrate that CSF is useful:

211.216.48.205 # lfd: (sshd) Failed SSH login from 211.216.48.205 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar 6 00:30:35 2015
103.41.124.53 # lfd: (sshd) Failed SSH login from 103.41.124.53 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:06:46 2015
103.41.124.42 # lfd: (sshd) Failed SSH login from 103.41.124.42 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 01:59:04 2015
103.41.124.26 # lfd: (sshd) Failed SSH login from 103.41.124.26 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar 6 02:48:26 2015
109.169.74.58 # lfd: (sshd) Failed SSH login from 109.169.74.58 (GB/United Kingdom/mail2.algeos.com): 5 in the last 3600 secs - Fri Mar 6 03:49:03 2015

You can see that the IP addresses that tried to brute-force a login have been blocked. Out of sight, out of mind!
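As an added example (not code from the original article), this Python snippet parses lfd-written csf.deny entries in the layout shown above and summarises blocked sources per country; the sample lines are constructed with RFC 5737 documentation addresses, not the server's real entries.

```python
import re

# Constructed sample in lfd's csf.deny layout (documentation addresses, not the
# article's real entries); the last line is a hand-added block with no lfd comment
SAMPLE_CSF_DENY = """\
192.0.2.10 # lfd: (sshd) Failed SSH login from 192.0.2.10 (KR/Korea, Republic of/-): 5 in the last 3600 secs - Fri Mar  6 00:30:35 2015
198.51.100.7 # lfd: (sshd) Failed SSH login from 198.51.100.7 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:06:46 2015
198.51.100.9 # lfd: (sshd) Failed SSH login from 198.51.100.9 (HK/Hong Kong/-): 5 in the last 3600 secs - Fri Mar  6 01:59:04 2015
203.0.113.5 # lfd: (sshd) Failed SSH login from 203.0.113.5 (GB/United Kingdom/mail.example.net): 5 in the last 3600 secs - Fri Mar  6 03:49:03 2015
203.0.113.200 # manually added, no lfd record
"""

# <ip> # lfd: (<service>) Failed <proto> login from <ip> (<CC>/<country>/<host>): <n> in the last <secs> secs - <date>
LFD_LINE = re.compile(
    r"^(?P<ip>\S+)\s+#\s*lfd:\s*\((?P<service>[^)]+)\)\s+Failed \S+ login from \S+\s+"
    r"\((?P<cc>[^/)]*)/(?P<country>[^/)]*)/(?P<host>[^)]*)\):\s*(?P<count>\d+)"
    r" in the last (?P<window>\d+) secs - (?P<when>.+)$"
)

def parse_csf_deny(text):
    """Return one dict per lfd-written entry; manual entries carry no lfd comment and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LFD_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["count"], entry["window"] = int(entry["count"]), int(entry["window"])
            entries.append(entry)
    return entries

def summarise(entries):
    """{country code: (blocked addresses, failed logins lfd counted before blocking)}."""
    summary = {}
    for e in entries:
        addrs, fails = summary.get(e["cc"], (0, 0))
        summary[e["cc"]] = (addrs + 1, fails + e["count"])
    return summary
```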

Lock accounts

If an account has not been used for a long time, it can be locked to prevent others from accessing it. Use the following command:

passwd -l accountName

Of course, this account can still be used by the root user (LCTT note: by switching to the account).

Understand the services on the server

The essence of a server is to provide a variety of services. Run only the services that are required and turn off those that are not in use. This not only frees up system resources but also makes the server more secure. For example, if you just run a simple server, you obviously don't need an X display or a desktop environment. If you do not need Windows network sharing, you can safely shut down Samba.

Use the following command to view the services that start at boot:

chkconfig --list | grep "3:on"

If the system is running systemd, execute this command:

systemctl list-unit-files --type=service | grep enabled

Then, use the following command to turn off the service:

chkconfig service off
or
systemctl disable service

In the commands above, replace "service" with the name of the service you actually want to stop. For example:

chkconfig httpd off
or
systemctl disable httpd

Summary

The purpose of this article is to cover some common security steps that help you protect your server. There is more you can do to strengthen its protection. Keep in mind that keeping your server safe is your responsibility, and that you should make the right choices when maintaining its security; there is no easy way to do it, and building "perfect" security takes a lot of time and testing before you reach the desired result.


Author: Marin Todorow; Translator: Kayguowhu; Proofreader: Wxy

This article was translated by LCTT and originally published by Linux China.
