Security guard: Server connection and privilege handling

Directory

• Security guard: Server connection and privilege handling
  • Overview
  • Operating system environment
  • Disable password and use Ssh-key
  • Disable Root Login
  • Giving rights to ordinary users
  • Summarize

Security guard: Server connection and privilege handling 1. Overview

Use password directly to ssh Log on to the server, easy to 黑客 use password dictionary brute force hack. So developers have to develop good security habits, starting with the login server:

• Disable password logon
• Use a more secure ssh-key sign-in

TODO: I'll write some articles later on: How to use a dictionary for SSH blasting. To enhance everyone's awareness of safety, this article focuses on the precautionary measures.

2. Operating system environment

• Ubuntu 14.4 LTS

Linux Other distributions are similar in method.

3. Disable password and use Ssh-key

vim/etc/ssh/sshd_config

Modify the following lines:

#启用公钥认证PubkeyAuthentication        yes# The file path Authorizedkeysfile that stores the authorization public key          . ssh/authorized_keys# Disable password login passwordauthentication      no  

And then restartsshd

Service sshd Restart

4. Disable Root Login

Because root the user has Super Administrator privileges, to be safe, try to root prohibit the use of user action. To disable root login, continue with the following settings:

Permitrootlogin No

And then restartsshd

Service sshd Restart

5. Log in using Ssh-key

The main steps are as follows:

1. Generate a set ssh-key of public and private keys on the client
2. Copy the public key to the server's .ssh/authorized_keys designated user

The client can then implement a password-free logon server.

6. Giving rights to ordinary users

There is an action in front: root Disable user logon. So what do you do with some system root commands when you have permissions? This time it needs to sudo be used to raise the rights for ordinary users, upgrade to administrator rights.

The sudo benefits of using the right to the ordinary user are as follows:

• How to let a normal user root temporarily have permissions
• Keep the environment variable traces for ordinary users while operating
• In the event of an exception, the lookup log can target specific user behavior

In ubuntu , view the file etc/sudoers :

... # User privilege Specificationroot    all =(All:all) all...# members of the admin group could gain root privileges%admin all=(All) all...# see Su Doers (5for more"#include"/ETC/SUDOERS.D

From the last sentence #includedir /etc/sudoers.d of the above file content, it is not difficult to see that there are two ways to add users to sudo a group:

• To /etc/sudoers insert a configuration statement
• To /etc/sudoers.d/ Add a configuration file

Note: #include The preceding is # not the note bash under the general statement, but contains the syntax. Before the author 自作聪明 last # year this number, resulting in the normal configuration has been unable to.

In general, it is recommended to use the second method, the way to add configuration files, which can be decoupled at the physical file level, and more detailed permissions configuration.

Use the second method:

1. Add sudoers.d a file under the directorynewsudoers
2. Add newsudoers configuration content tomysudouser ALL=(ALL:ALL) ALL

If you want to add a group to a sudo group, add the following configuration:

sudo mysudogrpall = (All:all) all

Permissions can be mysudogrp mentioned root by users who belong to the group as long as they are.

7. Summary

In today's increasingly widespread use of cloud hosting, many of the important services are basically placed in the public cloud, then these security issues need to pay extra attention. If you are not aware, the following issues may occur:

1. SSH password is brute force hack. You can search by keyword to 200万密码字典” see if your password is in it.
2. The cracked user is root often the user. Because root it linux is the default and determines which users will be.
3. If the login account of more than one operator is not differentiated, the difficulty of locating the problem is quite large even if it is detected by the monitoring system. For example: Monitoring system root to isolate the account in the abnormal log in the remote, then a total of 5 developers, where can be detected?

To sum up: Develop a good server usage habits, is the basic quality necessary for each developer.

Author:	Harmo ha mo
Author Introduction:	Https://zhengwh.github.io
Technical Blog:	Http://www.cnblogs.com/beer
Email:	[Email protected]
Qq:	1295351490
Time:	2016-02
Copyright Notice:	Welcome to learn to exchange for the purpose of the reader to reprint, but please "annotated source"
Support this article:	If you are inspired by the article, you can click the button in the lower right corner of the blog to "recommend"

Security guard: Server connection and privilege handling