Linux VPS Server Security Settings Tutorial

Source: Internet
Author: User
Tags time interval centos vps iptables ssh port vps server

We need to do some basic security when we have a VPS or server that has a Linux system open.

First, turn off the SSH password login


First, you need to have your own SSH Key, if you use the Windows system, you can use the Putty under the Puttygen. EXE generates private key and public key.

The first step is to run Puttygen. Exe

In general, we choose the default RSA encryption, the default 1024-bit encryption is sufficient, if you want to insure the point, you can choose 2048 or 4,096-bit encryption, such as red circle:

The second step, click Generate, and then the mouse at random in the space to move


When the progress bar is full, you will generate your SSH Key:

If you want to be more secure, you can set the key passphrase, which is the password, this password and the root password is different, once someone has acquired your key, without this password he also can't load your key.

In the third step, click Save Public Key to keep your key, the entire file is as follows

The code is as follows Copy Code
----BEGIN SSH2 Public KEY----
Comment: "showfom-rsa-key-20130701"
Aaaab3nzac1yc2eaaaabjqaaaqeana/d52ftz1ynjxnwajauhxrdpcwar8zfwldw
Hemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/d5ffheajfbjosw/n+mz58irzu
Xdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3
681+hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2h
Cik+y+iptldomj5kqksxstjfquffg+s3fqj9istu4c7bf3zafd4meupa7p90rruj
lj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq==
----End SSH2 Public KEY----

One of the long string in the middle, is your public key, can be placed in the server's ~/.ssh/authorized_keys, we should take the following format:

1

The code is as follows Copy Code
Ssh-rsa aaaab3nzac1yc2eaaaabjqaaaqeana/d52ftz1ynjxnwajauhxrdpcwar8zfwldwhemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/ d5ffheajfbjosw/n+mz58irzuxdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3681+ hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2hcik+y+iptldomj5kqksxstjfquffg+ s3fqj9istu4c7bf3zafd4meupa7p90rrujlj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq== showfom-rsa-key-20130701

Where Ssh-rsa is an encryption type, showfom-rsa-key-20130701 is a description and can be any text, such as Showfom-notebook

Fourth step, click Save Private key to generate the private key for Putty, here we save as SHOWFOM.PPK, the entire file as follows

The code is as follows Copy Code
putty-user-key-file-2 : Ssh-rsa
Encryption:none
comment:showfom
Public-lines:4
Aaaab3nzac1yc2eaaaabjqaaaibtill54roaeekv95vkr6iez9y0d1ipnnqeyk+e
YHPTC7JVTMFL0OIHO9S2UQQUANGMLMZLJHXRJ3CPZ1VZINPFQVTGWYKWPEPGCKGI
7/ ITPNUUZ6TKGUEI5RYAETFGKWF13QC5S8DWLK2FGV7DY5GBSOZMHZTC+ZTL9JPN
nca5nw==
Private-lines:8
AAAAGEWLY9TSSICIZTUPYWE/EEGD+KH/PBPSUNUG6MNOAEN8OCD5CTSZ2KI9LUKW
gspx0j8f+kmuzu62eikhalgzz+ Nvyklche7qfo2aymcuniuym0mgdn5gjxubfduv
Vtjiaywd282yo0xtjpwn0djf3jmmsrw6pwmwaa6r6palkantaaaaqqclyrycu3eu
0GCGW9G2MVLIZOHOKYPL2E6HJFPQHVSZE6AKUZPTF/DGMKBFY6DH//0ZSOHUE2JN
gnsalqygbvt/ Aaaaqqcargnl76exhtr28try2pong8ij3yn9mczyg3sdsv8fegak
Ryz8t5b6xzuf9uyvz1lia10i7ulz63s2hvczuxthaaaaqd+ Auxn8fuaylroh8ztm
14fyy7grwdn7y7+etz8nuvdlvzp9svpd4v5ti9lpqjtiucp0eelcd5i7zxyv2ohe
U78=
Private-MAC: ce0968aff198e2c2550704625b23ba7575e6b260

This showfom.ppk you need to pass the pageant in the Putty directory. EXE Import so you can login to your VPS without having to enter the root password.

The SSH Key for PS:WINSCP and Putty is generic and only needs to be imported once.

But Putty Private Key is not standard, can only be used for Putty or WinSCP, if you use Xshell 4, you need to convert to RSA file, can be in Puttygen. EXE above menu in Conversions > Export OpenSSH Key mode conversion.

Fifth step, import your Linux VPS or server
If you have a local Linux desktop environment, a simple command can be done:

Ssh-copy-id-i ~/.ssh/id_rsa.pub root@198.51.100.100 But most users are still Windows users, so I recommend two simpler ways

1, put your own public key on the https://launchpad.net/Web site, and get a similar address like Https://launchpad.net/~showfom/+sshkeys, and then through the following command to import your key

Curl Https://launchpad.net/~showfom/+sshkeys > ~/.ssh/authorized_keys If there is no. ssh directory, you can create a new

mkdir. Ssh2, or write directly to Authorized_keys files

Cat >>/root/.ssh/authorized_keys<<eof Ssh-rsa aaaab3nzac1yc2eaaaabjqaaaqeana/ d52ftz1ynjxnwajauhxrdpcwar8zfwldwhemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/d5ffheajfbjosw/n+mz58irzuxdbe34y/nxy1/ iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3681+ hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2hcik+y+iptldomj5kqksxstjfquffg+ s3fqj9istu4c7bf3zafd4meupa7p90rrujlj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq== showfom-rsa-key-20130701 Eof

In some service provider's CentOS system, because the SELinux is turned on, the default is to prohibit the permissions of the. SSH directory, you can use the following command to unlock the restrictions:

Restorecon-r-v/root/.ssh If you encounter a Authorized_keys permission problem, you can use the following command to resolve:

Chattr-i Authorized_keys then you can reboot to open an SSH window and test if you don't need to enter a password to log in with Root.

Sixth step, turn off SSH password login
To edit an SSH configuration file:

Vim/etc/ssh/sshd_config found

#PasswordAuthentication Yes and change to

Passwordauthentication no save, exit, reboot SSH service

Ubuntu under:

/etc/init.d/ssh Restartcentos under:

/etc/init.d/sshd restart good, so prohibit SSH password landing is done, this step refused the invasion of 90% risk, of course, your own private key must be kept good, otherwise stolen by others but do not need a password can enter your server OH.

Second, the installation of CSF firewall shielding attempts to invade the server's IP


CSF firewall installation is slightly simpler, a few commands can be done:

RM-FV csf.tgz
wget http://www.configserver.com/free/csf.tgz
Tar-xzf csf.tgz
CD CSF
SH install.sh
Then run perl/usr/local/csf/bin/csftest.pl detect if the installation was successful

To prevent the system from mistakenly masking the local IP, you can modify the/etc/csf/csf.allow and/etc/csf/csf.ignore files to add the whitelist IP you need, and then use the CSF-R command to restart the read configuration file.

Third, with Iptables only open the normal port


Generally we only need to open 22, 53, 80, 443 of these three common open ports, you can use the following command

Empty iptables Default Rule

Iptables-f allows 22 ports to enter and return

Iptables-a input-p TCP--dport 22-j ACCEPT
Iptables-a output-p TCP--sport 22-m State--state Established-j
Allow port 53, typically used as a DNS service

Iptables-a output-p UDP--dport 53-j ACCEPT
Iptables-a input-p UDP--sport 53-j ACCEPT
Allow native access to this computer

Iptables-a input-s 127.0.0.1-d 127.0.0.1-j ACCEPT
Iptables-a output-s 127.0.0.1-d 127.0.0.1-j ACCEPT
Allow all IP access to ports 80 and 443, generally for HTTP and HTTPS purposes

Iptables-a input-p tcp-s 0/0--dport 80-j
Iptables-a output-p TCP--sport 80-m State--state Established-j
Iptables-a input-p tcp-s 0/0--dport 443-j
Iptables-a output-p TCP--sport 443-m State--state Established-j
Save Configuration

Iptables-save >/etc/sysconfig/iptables Reload iptables

Iptables-l IV, install Fail2ban shield and report IP scan SSH Port
There are a lot of energetic guys will scan the ssh password all day, of course, directly off the SSH password landing can be prevented, but in order to give them a lesson, you can install Fail2ban, shielding, but also can automatically write a report letter to the IP ISP.

Install under CentOS:

Import Epel Source:

CentOS 6.x 32-bit:

RPM-UVH Http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpmCentOS 6.x 64-bit:

RPM-UVH http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm Installation Fail2ban

Yum-y Install Fail2ban
Cp/etc/fail2ban/jail.conf/etc/fail2ban/jail.local
Service Fail2ban Start
Install under Ubuntu/debian:

Apt-get install fail2ban-y to see the/var/log/fail2ban.log file to find out what energy-surplus guys are scanning your SSH all day.

Iv. use of DDoS deflate simple anti-drop cc and DDoS attacks

Use the netstat command to see if the current link to the VPS is being attacked:

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n

IP front of the number, that is, the number of connections, if the normal web site, dozens of to 100 belong to the normal connection, but there are hundreds of, or thousands of it can be cultivated this IP and your VPS may be suspicious connection between the phenomenon.

You can use Iptables to ban the permanent access to this IP directly:

Iptables-a input-s 12.34.56.78-j DROP

The use of software DDoS deflate to automatically detect and ban the method, first of all to confirm the Iptables service state, the default CentOS installed, do not see the line.

Service Iptables Status

Install DDoS Deflat:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod +x install.sh
./install.sh

After installation needs to modify/usr/local/ddos/ddos.conf, mainly apf_ban=1 to set to 0, because to use iptables to seal some suspicious connection, pay attention to email_to= "root", so BAN which IP will have mail prompts:

##### Paths of the script and other files
Progdir= "/usr/local/ddos"
Prog= "/usr/local/ddos/ddos.sh"
Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list
cron= "/etc/cron.d/ddos.cron"//Timed execution procedure
apf= "/etc/apf/apf"
ipt= "/sbin/iptables"
##### frequency in minutes for running the script
##### caution:every time This setting is changed, run the script With–cron
##### option so the new frequency takes effect
Freq=1//Check time interval, default 1 minutes
##### How many connections define a bad IP? indicate that below.
no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be
##### apf_ban=1 (Make sure your APF version is atleast 0.96)
##### apf_ban=0 (Uses iptables for banning IPs instead of APF)
Apf_ban=1//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0.
##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script)
##### kill=1 (recommended setting)
Kill=1//Whether shielding IP, the default can
##### an email was sent to the following address when a IP is banned.
##### Blank would suppress sending of mails
email_to= "root"///when IP is blocked to send mail to the specified mailbox, recommended to use, change your own mailbox can
##### number of seconds the banned IP should remain in blacklist.
ban_period=600//Disable IP time, default 600 seconds, can be adjusted according to the situation

V. Use IFTOP to view detailed network conditions

Install iftop Software:

Yum-y Install Flex BYACC libpcap ncurses ncurses-devel libpcap-devel
wget http://www.ex-parrot.com/pdw/iftop/download/iftop-0.17.tar.gz
Tar zxvf iftop-0.17.tar.gz
CD iftop-0.17
./configure
Make && make install

After installation, run with Iftop to view the network situation. TX, send flow, RX, receiving flow, total, overall flow, Cumm, running iftop period flow, peak, peak flow, rates, representing 2 seconds, 10 seconds, 40 seconds of average flow.

Accelerator: H Help, n toggle display IP host name, s whether to display the local information, d whether to display the remote information, n switch port service name, b switch whether the number of hours flow graph bar.

Because recently many customers of the VPS or server was hacked, the reason is to use a very simple root password, so consider after selling rogue VPS, directly to do a shielding password system, users buy the time to submit their own SSH key, or the system assigned to you an SSH key, so it will be more secure 。 The foreign Amazon EC2, Digitalocean and Hpcloud have the way to import their SSH Key and the default shielding password, greatly increasing the security.

And, of course, you can ban root logging .

First add a new account 111cn.net, you can customize:

Useradd 111cn.net

Set password for 111cn.net account:

passwd 111cn.net

Still modify the/etc/ssh/sshd_config file, line 39th: #PermitRootLogin Yes, remove the front # and change Yes to No, then restart the SSH service. Later, the first use of 111cn.net login, and then Su root can get root management rights.

Login As:111cn.net
111cn.net@ip password:*****
Last Login:tue Nov 15:18:18 from 1.2.3.4
Su Root
password:*********** #注这里输入ROOT的密码

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.