Linux Server Security Tips

Source: Internet
Author: User
Tags ssh port

Undoubtedly, for system administrators, improving server security is one of the most important things. As a result, there are many articles, blogs and forum posts on this topic.

The fact that a server is made up of a large number of functionally diverse components makes it difficult to provide customized solutions to everyone's needs. This article covers as many helpful tips as possible to help administrators ensure server and user security.

There is some common sense that every system administrator should know the heart, so the following points will not be mentioned in this article:

    • Make sure the system is up to date

    • Frequent password change-use a combination of numbers, letters, and non-alphabetic symbols

    • Give users the least privilege to meet their daily use needs

    • Install only those packages that are really needed

Here are some of the more interesting things:

Change the SSH default port

The first thing to do after setting up a new server is to change the default port for SSH. This small change will prevent your server from being subjected to thousands of violent attacks (LCTT: not changing the default port is equivalent to hackers knowing your home number, so they only need a single test key to open your home lock).

To change the default SSH port, first open the Sshd_config file:

sudo vim/etc/ssh/sshd_config

Find the following line:

#Port 22

The "#" number indicates that the line is a comment. First remove the # number and then change the port number to the destination port. The port number cannot exceed 65535, ensuring that the port number to be specified is not occupied by the system or other services. It is recommended to see a list of commonly used port numbers on [Wikipedia]. In this article, use this port number:

Port 16543

Then save and close the file and wait for the changes to take effect.

The next step is to:

Using SSH key authentication

When accessing the server via SSH, it is particularly important to use SSH keys for authentication. This adds additional protection to the server, ensuring that only those who have the key have access to the server.

Run the following command on the local machine to generate the SSH key:

SSH-KEYGEN-T RSA

You will see the following output, asking which file to write the key to, and setting a password:

Generating public/private Rsakey pair.

Enter file in which to Savethe key (/ROOT/.SSH/ID_RSA): My_key

Enter passphrase (empty Forno passphrase):

Enter same Passphrase again:

Your identification have beensaved in My_key.

Your public key have beensaved in My_key.pub.

The key fingerprint is:

sha256:mqd/pzztrscjzb6mpfjyrr5v1pjlbcgprr5tjnoi20a

When you're done, you get two files:

My_key

My_key.pub

Then copy the my_key.pub into the ~/.ssh/authorized_key.

CP My_key.pub~/.ssh/authorized_keys

Then use the following command to upload the key to the server:

scp-p16543 [Email protected]:/home/user/.ssh/

At this point, you can access the server without a password from this local machine.

Turn off password authentication for SSH

Now that you have an SSH key, it's safer to turn off SSH password authentication. Open and edit the Sshd_config again, set as follows:

Challengeresponseauthenticationno

Passwordauthentication No

Usepam No

Close Root Login

The following key step is to turn off direct access for the root user and use sudo or su to perform the administrator task. First you need to add a new user with root privileges, so edit the sudoers file under this path:

/etc/sudoers/

It is recommended to edit the file with a command such as Visudo because it will check for any syntax errors that may occur before closing the file. This is useful when you make an error while editing a file.

Next, give a user root privileges. In this article, you use the user sysadmin. Make sure that the user you are using when you edit this file is a user that is already in the system. Find the following line:

Root all= (All) all

Copy this line, paste it on the next line, and then change the root to "sysadmin" as follows:

Root all= (All) all

SysAdmin all= (All) all

Now explain the meaning of each of the options in this line:

(1) root (2) all= (3) (All) (4) All

(1) Specify user

(2) Specify a terminal for users to use sudo

(3) Specify user roles that users can assume

(4) commands that the user can use

(LCTT: So the above configuration means: The root user can act as any user at any terminal and execute any command.) )

Use this configuration to give users access to some system tools.

At this point, you can safely save the file.

In order to turn off direct access to root via ssh, you need to open sshd_config again to find the following line:

#PermitRootLogin Yes

Change to:

Permitrootlogin No

Then save the file and restart the sshd daemon for the changes to take effect. Execute the following command:

Sudo/etc/init.d/sshd restart

Set up a firewall

Firewalls Help filter access ports and login attempts that block the use of brute force laws. I tend to use the strong firewall of SCF (Config Server Firewall). It uses iptables, is easy to manage, and provides a web interface for users who are not good at entering commands.

To install CSF, log in to the server first, and switch to this directory:

cd/usr/local/src/

Then execute the following command with root privileges:

Wgethttps://download.configserver.com/csf.tgz

Tar-xzf csf.tgz

CD CSF

SH install.sh

Just wait for setup to complete, and then edit the CSF configuration file:

/etc/csf/csf.conf

By default, the CSF runs in test mode. Switch to product mode by setting the value of "testing" to 0.

testing = "0"

The following settings are the ports that are allowed on the server. In csf.conf, navigate to the following section and modify the ports as needed:

# Allow inbound TCP ports

tcp_in = "20,21,25,53,80,110,143,443,465,587,993,995,16543"

# Allow outbound TCP ports

Tcp_out = "20,21,22,25,53,80,110,113,443,587,993,995,16543"

# Allow inbound UDP ports

udp_in = "20,21,53"

# Allow outbound UDP ports

# to allow traceroute requests to be made, add 33,434:33,523 port range to the list

Udp_out = "20,21,53,113,123"

Please set it up as needed, and recommend using only those ports that you need to avoid setting up a wide range of ports. Also, avoid unsafe ports that use unsafe services. For example, only port 465 and 587来 are allowed to send e-mail instead of the default SMTP port 25. (LCTT: If your mail server supports SMTPS)

Important : Don't forget to allow your custom SSH port.

It is important to allow your IP address to pass through the firewall and never be blocked. The IP address is defined in the following file:

/etc/csf/csf.ignore

The blocked IP address will appear in this file:

/etc/csf/csf.deny

Once the changes are complete, use this command to restart the CSF:

SUDO/ETC/INIT.D/CSF restart

The following is part of the Csf.deny file on a server to illustrate the usefulness of CSF:

211.216.48.205 # Lfd: (sshd) Failed SSH login from 211.216.48.205 (Kr/korea, Republic of/-): 5 in the last3600 Secs-fri M AR 6 00:30:35 2015

103.41.124.53 # Lfd: (sshd) Failed SSH login from 103.41.124.53 (Hk/hong kong/-): 5 in the last 3600 Secs-fri Mar 6 01:06: 46 2015

103.41.124.42 # Lfd: (sshd) Failed SSH login from 103.41.124.42 (Hk/hong kong/-): 5 in the last 3600 Secs-fri Mar 6 01:59: 04 2015

103.41.124.26 # Lfd: (sshd) Failed SSH login from 103.41.124.26 (Hk/hong kong/-): 5 in the last 3600 Secs-fri Mar 6 02:48: 26 2015

109.169.74.58 # Lfd: (sshd) Failed SSH login from 109.169.74.58 (gb/united kingdom/mail2.algeos.com): 5 Inthe Last 3600 sec S-FRI Mar 6 03:49:03 2015

You can see that the attempt to log in through the violence of IP addresses are blocked, it is really blind heart not to bother Ah!

Lock your account

If an account is not used for a long period of time, it can be locked to prevent other people from accessing it. Use the following command:

Passwd-l AccountName

Of course, this account can still be used by the root user (LCTT: Available su switch to the account).

Understanding services on the server

The nature of the server is to provide access to a variety of services. Enable the server to run only the required services and close unused services. Not only does this release some system resources, but it also makes the server more secure. For example, if you just run a simple server, you obviously don't need an X display or a desktop environment. If you do not need the Windows Network Sharing feature, you can safely turn off samba.

Use the following command to view the services that are started with the system boot:

Chkconfig--list | grep "3:on"

If the system is running SYSTEMD, execute this command:

Systemctl List-unit-files--type=service | grep enabled

Then use the following command to close the service:

Chkconfig Service off

Or

Systemctl Disable Service

In the example above, replace "service" with the name of the services you really want to stop. Examples are as follows:

Chkconfig httpd off

Or

Systemctl Disable httpd

Summary

The purpose of this article is to cover some common security steps to help you protect your server. You can take more steps to enhance the protection of the server. Keep in mind that it is your responsibility to keep your servers secure and make the best choice when maintaining your servers, although there is no easy way to do this, and building "perfect" security takes a lot of time and testing until you get the results you want.

free pick up brother even it education original Cloud Computing Training video/Detailed Linux tutorials, details of the website customer service: http://www.lampbrother.net/linux/ or hooking up with q2430675018~.

Welcome to the Linux Communication Group 478068715


Linux Server Security Tips

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.