Although Linux is more secure than Windows, some simple security configurations are necessary.
There are many tools on the Internet that scan for your admin password with a dictionary. We can make things harder for them and raise the difficulty of cracking it. Let's look at an entry-level security configuration.
First, remote management ports.
Change the SSH login port; the default port is 22. Scanners and dictionary brute-force tools all start with the default port.
If you change the port to a 4-digit number, it greatly increases their difficulty and time.
Use vi to edit the SSH configuration file (you only need a few simple vi commands such as edit, save and exit; if you are unfamiliar with them, search Baidu or this site):
vi /etc/ssh/sshd_config
Find #Port 22, remove the leading # and change it to Port 1998 (use a 4-digit number where possible, and avoid ports used by other services).
Then restart sshd:
service sshd restart
Don't forget that after the restart the SSH client must also be set to the new port before you log in.
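An added example, not part of the original article: sshd listens on every active Port line, so the edit should leave exactly one. The shell functions below rewrite a constructed sample sshd_config that way and list the resulting ports; the names set_ssh_port and active_ports are made up for this illustration.

```bash
# set_ssh_port FILE PORT: print FILE rewritten with a single "Port PORT".
set_ssh_port() {
    awk -v port="$2" '
        # A line that is only "Port N", commented out or not
        /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " port; done = 1 }   # first one is replaced
            next                                          # later ones are dropped
        }
        # No Port line so far: add it before the first Match block
        /^[ \t]*[Mm]atch[ \t]/ && !done { print "Port " port; done = 1 }
        { print }
        END { if (!done) print "Port " port }
    ' "$1"
}

# active_ports FILE: ports enabled by FILE (sshd falls back to 22 if none).
active_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Constructed sample: a commented default plus a leftover active port.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
Port 2222
PermitRootLogin yes
EOF
set_ssh_port "$demo" 1998 > "$demo.new"
active_ports "$demo.new"
rm -f "$demo" "$demo.new"
```

Running sshd -t before the restart checks the edited configuration for syntax errors, and keeping the current session open until a login on the new port succeeds avoids locking yourself out.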
Second, set a strong password for the root user. It is best to use 10 letters + digits, so that cracking it with a dictionary is as unlikely as winning the lottery.
The password can usually be changed from the hosting control panel; on the SolusVM platform, for example, it can be changed directly.
If your management panel has no password-change function, you can also use the passwd command over SSH to change it.
Enter the new password twice.
(You can, of course, disable the root user and create a new user with root permission, but the Eagle doesn't think it's necessary: as long as the password is strong enough, the possibility of it being cracked is very small.)
Third, defending against small-scale DDoS and CC attacks
DDoS has been around for many years, and 90% of domestic data centers have some defensive capability (hardware firewalls). The attack principle is very simple: bogus packets are used to clog your network. Most foreign IDCs, however, provide no defense, so we can only rely on software, which can mitigate an attack to some extent. How well this works depends heavily on the server's hardware configuration and bandwidth. In general it can only defend against small-scale attacks; if the traffic is large, the server will still be paralyzed.
On Windows this is achieved with software firewalls and registry changes. On Linux, the software covered today is DDoS Deflate, used together with the iptables that comes with the system. The specific steps are as follows:
First confirm the iptables service status with service iptables status; it is generally included by default;
then start the installation;
DDoS Deflate
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh
When the installation is complete, the result is displayed (screenshot: output after installation).
Once the installation is complete, edit the configuration file with vi:
vi /usr/local/ddos/ddos.conf
The main change here is setting APF_BAN=1 to 0 (use iptables). In addition, EMAIL_TO="root" can be changed from root to your own email address, so that when the system bans an IP you are notified by mail.
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" # IP address whitelist
CRON="/etc/cron.d/ddos.cron" # scheduled (cron) job
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1 # check interval, default 1 minute
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150 # maximum number of connections; an IP with more than this is blocked; the default is generally fine
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning IPs instead of APF)
APF_BAN=0 # use APF or iptables; iptables is recommended, so set APF_BAN to 0
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1 # whether to block the IP; the default is fine
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="admin@vpsck.com" # when an IP is blocked, mail is sent to this address; recommended; replace it with your own mailbox
##### Number of seconds the banned IP should remain in blacklist.
BAN_PERIOD=600 # how long an IP stays blocked, default 600 seconds; adjust as needed
The default system whitelist has some problems and often produces errors, so it is best to set the whitelist manually and make it unmodifiable.
vi /usr/local/ddos/ignore.ip.list # manually set the whitelisted IPs
chattr +i /usr/local/ddos/ignore.ip.list # make the file immutable
chattr -i /usr/local/ddos/ignore.ip.list # remove the immutable flag
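To show what NO_OF_CONNECTIONS, BAN_PERIOD and the whitelist do together, here is an added dry-run example (not DDoS Deflate's own code and not from the original article). It counts connections per IPv4 address in constructed sample data and prints the iptables commands a ban would use; the function names and sample addresses are assumptions.

```bash
NO_OF_CONNECTIONS=150   # threshold, as in ddos.conf
BAN_PERIOD=600          # seconds an IP stays banned, as in ddos.conf

# offenders CONN_FILE IGNORE_FILE
# CONN_FILE holds one remote "ip:port" per line (the foreign-address column
# of `netstat -ntu`). Prints "count ip" for each IP over the threshold that
# is not listed in IGNORE_FILE (one IP per line, like ignore.ip.list).
offenders() {
    cut -d: -f1 "$1" | sort | uniq -c | sort -nr |
    while read -r count ip; do
        [ "$count" -gt "$NO_OF_CONNECTIONS" ] || continue
        grep -qxF "$ip" "$2" && continue      # whitelisted: never ban
        echo "$count $ip"
    done
}

# ban_plan CONN_FILE IGNORE_FILE
# Prints the iptables commands for the ban and the later unban; runs nothing.
ban_plan() {
    offenders "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP    # $count connections"
        echo "iptables -D INPUT -s $ip -j DROP    # after $BAN_PERIOD seconds"
    done
}

# make_sample DIR: write constructed sample data (documentation-range IPs).
make_sample() {
    awk 'BEGIN {
        for (i = 0; i < 200; i++) print "203.0.113.10:" (40000 + i)  # flood source
        for (i = 0; i < 160; i++) print "198.51.100.7:" (50000 + i)  # busy but whitelisted
        for (i = 0; i < 3; i++)   print "192.0.2.5:" (60000 + i)     # normal client
    }' > "$1/conns.txt"
    echo "198.51.100.7" > "$1/ignore.ip.list"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
ban_plan "$demo_dir/conns.txt" "$demo_dir/ignore.ip.list"
rm -rf "$demo_dir"
```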
With the above in place, the basic security configuration is done. Of course, there are many similar free firewalls for the Linux platform, but their documentation is basically all in English. Actually deploying them takes more study and practice.
Article Source: Eagle Blog http://www.vpsck.com/355.html