Linux system security

Source: Internet
Author: User
Tags system log ssh port

Method One:

    1. The password is complex enough

      The length of the password is greater than 8 bits, preferably greater than 14 bits. The complexity of a password is a combination of numbers, uppercase and lowercase characters, and a special character as much as possible.

    2. Modify the default SSH port

Use Iptables to close ports that you do not need to use

sshd default port number: 22


#Port 22

Port 81

Service sshd Restart

3. Use the scan tool to see which ports are open to the host.

Yum Install Nmap


4. Do not log in with the root user name, so that hackers can not guess your user name, you will not be able to brute force

Do not use the root user, but need to have root privileges, there are two ways:

If the root user is not logged on, the root user's/bin/bash is changed to/sbin/nologin

(1) Bob User's UID and GID are changed to 0, so that Bob user has root privileges. So Bob user also has root privileges, but the difference with root itself is that their home directory is not the same, log in is a #, permissions are the same.

(2) can also give users sudo permission

Visudo or Vi/etc/sudoers

Root all= (All) all

Bob All= (All) all

5. User login allows them to log on with the key, and the password is also set on the key.

Use the method in my blog to find.

6. Preventing violent cracking

Case: Recently, the company network has been a violent crack sshd service password, although not successful, but will lead to high system load, because in the time of brute force, the system will continue to authenticate users, thereby increasing the system resources additional costs, resulting in a slow company network.

Tool Description: Fail2ban can monitor your system log, but match the log error information (regular matching) to perform the corresponding shielding action (usually a firewall), and I can send an email notification system administrator, the function is very powerful.

Fail2ban operation mechanism: simple to say its function is to prevent brute force, working principle is through the analysis of the relevant service log within a certain time, will meet the action of the relevant IP use iptables added to the Dorp (discard) list for a certain time.

Set conditions: SSH telnet for 5 minutes 3 times password Authentication failed, the user IP is forbidden to access the host 1 hours, 1 hours after the limit is automatically lifted.

Package Download:


Installation steps:


Tar zxvf 0.9.4.tar.gz

CD fail2ban-0.8.14

General installation steps can be found in


To install, just do:

Tar xvfj fail2ban-0.9.4.tar.bz2

CD fail2ban-0.9.4

Python Install

The python development environment needs to be installed, and the version is greater than 2.4

View Python version



Phthon Install


..... Cond

This article is from the "It po" blog, please be sure to keep this source

Linux system security

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.