Linux system security

Method One:

1. The password is complex enough

   The length of the password is greater than 8 bits, preferably greater than 14 bits. The complexity of a password is a combination of numbers, uppercase and lowercase characters, and a special character as much as possible.

2. Modify the default SSH port

Use Iptables to close ports that you do not need to use

sshd default port number: 22

Vim/etc/ssh/sshd_config

#Port 22

Port 81

Service sshd Restart

3. Use the scan tool to see which ports are open to the host.

Yum Install Nmap

Nmap 192.168.103.117

4. Do not log in with the root user name, so that hackers can not guess your user name, you will not be able to brute force

Do not use the root user, but need to have root privileges, there are two ways:

If the root user is not logged on, the root user's/bin/bash is changed to/sbin/nologin

(1) Bob User's UID and GID are changed to 0, so that Bob user has root privileges. So Bob user also has root privileges, but the difference with root itself is that their home directory is not the same, log in is a #, permissions are the same.

(2) can also give users sudo permission

Visudo or Vi/etc/sudoers

Root all= (All) all

Bob All= (All) all

5. User login allows them to log on with the key, and the password is also set on the key.

Use the method in my blog to find.

6. Preventing violent cracking

Case: Recently, the company network has been a violent crack sshd service password, although not successful, but will lead to high system load, because in the time of brute force, the system will continue to authenticate users, thereby increasing the system resources additional costs, resulting in a slow company network.

Tool Description: Fail2ban can monitor your system log, but match the log error information (regular matching) to perform the corresponding shielding action (usually a firewall), and I can send an email notification system administrator, the function is very powerful.

Fail2ban operation mechanism: simple to say its function is to prevent brute force, working principle is through the analysis of the relevant service log within a certain time, will meet the action of the relevant IP use iptables added to the Dorp (discard) list for a certain time.

Set conditions: SSH telnet for 5 minutes 3 times password Authentication failed, the user IP is forbidden to access the host 1 hours, 1 hours after the limit is automatically lifted.

Package Download:

Https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz

Installation steps:

wget https://github.com/fail2ban/fail2ban/archive/0.9.4.tar.gz

Tar zxvf 0.9.4.tar.gz

CD fail2ban-0.8.14

General installation steps can be found in readme.md.

Vim readme.md

To install, just do:

Tar xvfj fail2ban-0.9.4.tar.bz2

CD fail2ban-0.9.4

Python setup.py Install

The python development environment needs to be installed, and the version is greater than 2.4

View Python version

Python-v

Installation:

Phthon setup.py Install

Vi/etc/fail2ban/jail.conf

..... Cond

This article is from the "It po" blog, please be sure to keep this source http://907832555.blog.51cto.com/4033334/1943472

Linux system security