Simple security settings after purchasing a Linux VPS server

Source: Internet
Author: User
Tags: vps, ssh, port, vps server

First, disable SSH password login


First of all you need your own SSH key. On Windows you can generate a key pair (a private key and a public key) with PUTTYGEN.EXE, which ships with PuTTY.


Step one: run PUTTYGEN.EXE.

Choose the RSA key type. Do not keep a 1024-bit key size: 1024-bit RSA is no longer considered safe, so set the key size field at the bottom of the PuTTYgen window to at least 2048 bits, or 4096 for extra margin. Current PuTTYgen versions also offer Ed25519, which gives a short key with no key size to get wrong.


Step two: click Generate, then move the mouse around in the blank area of the window; PuTTYgen uses the movement as randomness for the key.

When the progress bar is full, your SSH key has been created:

For extra safety you can set a key passphrase, which is a password on the key file itself. It has nothing to do with the root password: if someone steals your key file, they cannot load it without the passphrase. It protects the file at rest only; once the key is loaded into Pageant, anything running as your Windows user can use it.


Step three: click Save public key to store the public key. The whole file looks like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "showfom-rsa-key-20130701"
aaaab3nzac1yc2eaaaabjqaaaqeana/d52ftz1ynjxnwajauhxrdpcwar8zfwldwhemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/d5ffheajfbjosw/n+mz58irzuxdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3681+hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2hcik+y+iptldomj5kqksxstjfquffg+s3fqj9istu4c7bf3zafd4meupa7p90rrujlj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq==
---- END SSH2 PUBLIC KEY ----

(The key material on this page is shown lower-cased and only illustrates the layout; real base64 key data is case-sensitive, so copy yours from PuTTYgen, never from here.)

The long string in the middle is your public key. It goes into ~/.ssh/authorized_keys on the server, but in OpenSSH's one-line format rather than the SSH2 block above. PuTTYgen shows exactly this line in the box labelled "Public key for pasting into OpenSSH authorized_keys file":

ssh-rsa aaaab3nzac1yc2eaaaabjqaaaqeana/d52ftz1ynjxnwajauhxrdpcwar8zfwldwhemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/d5ffheajfbjosw/n+mz58irzuxdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3681+hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2hcik+y+iptldomj5kqksxstjfquffg+s3fqj9istu4c7bf3zafd4meupa7p90rrujlj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq== showfom-rsa-key-20130701

Here ssh-rsa is the key type and showfom-rsa-key-20130701 is the comment, which can be any text, such as showfom-notebook.


Step four: click Save private key to save the private key in PuTTY's own format; here we save it as SHOWFOM.PPK. The whole file looks like this:

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: showfom
Public-Lines: 4
aaaab3nzac1yc2eaaaabjqaaaibtill54roaeekv95vkr6iez9y0d1ipnnqeyk+eyhptc7jvtmfl0oiho9s2uqquangmlmzljhxrj3cpz1vzinpfqvtgwykwpepgckgi7/itpnuuz6tkguei5ryaetfgkwf13qc5s8dwlk2fgv7dy5gbsozmhztc+ztl9jpnnca5nw==
Private-Lines: 8
aaaagewly9tssiciztupywe/eegd+kh/pbpsunug6mnoaen8ocd5ctsz2ki9lukwgspx0j8f+kmuzu62eikhalgzz+nvyklche7qfo2aymcuniuym0mgdn5gjxubfduvvtjiaywd282yo0xtjpwn0djf3jmmsrw6pwmwaa6r6palkantaaaaqqclyrycu3eu0gcgw9g2mvlizohokypl2e6hjfpqhvsze6akuzptf/dgmkbfy6dh//0zsohue2jngnsalqygbvt/aaaaqqcargnl76exhtr28try2pong8ij3yn9mczyg3sdsv8fegakryz8t5b6xzuf9uyvz1lia10i7ulz63s2hvczuxthaaaaqd+auxn8fuaylroh8ztm14fyy7grwdn7y7+etz8nuvdlvzp9svpd4v5ti9lpqjtiucp0eelcd5i7zxyv2oheu78=
Private-MAC: ce0968aff198e2c2550704625b23ba7575e6b260

Encryption: none means no passphrase was set, so the Private-Lines hold the key in the clear. A private key that has been shown in public, as this one has, must be treated as compromised: never reuse it, and never paste your own anywhere.

Load showfom.ppk into pageant.exe from the PuTTY directory; PuTTY then authenticates with the key and you log in to your VPS without entering the root password.


PS: WinSCP uses the same .ppk format as PuTTY and can authenticate through Pageant, so the key only needs to be imported once.


The PuTTY private key format (.ppk) is not a standard, however, and is only understood by PuTTY and WinSCP. For a client such as Xshell 4 you need an OpenSSH-format key, which PuTTYgen produces through the Conversions > Export OpenSSH key menu.


Step five: import the key into your Linux VPS or server

If your local machine is a Linux desktop, one command does it:

ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Most users are still on Windows, though, so here are two simpler ways.


1. Upload your public key to https://launchpad.net/ and you get an address such as https://launchpad.net/~showfom/+sshkeys; then import the key with:

curl https://launchpad.net/~showfom/+sshkeys > ~/.ssh/authorized_keys

Note that > replaces the file, so any key already in authorized_keys is lost; use >> to append. You are also trusting Launchpad and the TLS connection to deliver the right key, so cat the file and compare it with what PuTTYgen shows before you log out.

If the .ssh directory does not exist yet, create it with the mode sshd requires:

mkdir -m 700 ~/.ssh

2. Or write straight into the authorized_keys file:

cat >> /root/.ssh/authorized_keys <<EOF
ssh-rsa aaaab3nzac1yc2eaaaabjqaaaqeana/d52ftz1ynjxnwajauhxrdpcwar8zfwldwhemt64zqtxrz65krxeshfrvnd8xn1gktuqiqmu/d5ffheajfbjosw/n+mz58irzuxdbe34y/nxy1/iwc6ajz6lx6wt7nndcvoqx8be8j/8sjs7cmfarn3iy+0bsqnon3681+hefm7mpoyyqrcvbparfiiezb8tnkfzrkjfrciz87yakkncpedcibykjujy2hcik+y+iptldomj5kqksxstjfquffg+s3fqj9istu4c7bf3zafd4meupa7p90rrujlj95muw/p/ebwgsmvbnxz/xmq3ol/touo85umbsn44dmsb3neq== showfom-rsa-key-20130701
EOF

On some providers' CentOS images SELinux is enabled and a freshly created .ssh directory carries the wrong security context, so sshd is not allowed to read it. Restore the default labels with:

restorecon -R -v /root/.ssh

sshd is also strict about ordinary permissions (StrictModes): ~/.ssh should be 700, authorized_keys 600, and neither the home directory nor these files may be group- or world-writable, otherwise the key is silently ignored and you are asked for a password.

If authorized_keys still cannot be written even as root, some providers mark the file immutable (check with lsattr); remove the attribute with:

chattr -i authorized_keys

Then open a new SSH window, without closing the one you are in, and test that you can log in as root without being asked for a password.


Step six: disable SSH password login

Edit the SSH server configuration file:

vim /etc/ssh/sshd_config

Find

#PasswordAuthentication yes

and change it to

PasswordAuthentication no

Option names are case-insensitive, but sshd uses the first uncommented occurrence of an option, so make sure no later line sets it back to yes. With UsePAM yes (the default on both CentOS and Ubuntu) PAM can still prompt for a password over keyboard-interactive, so also set ChallengeResponseAuthentication no. Check the file with sshd -t before restarting: a syntax error stops sshd from coming back up.

Save, exit and restart the SSH service.

Under Ubuntu:

/etc/init.d/ssh restart

Under CentOS:

service sshd restart

On systemd-based releases of either, the equivalent is systemctl restart sshd (the unit is called ssh on Ubuntu). Restarting sshd does not drop sessions that are already open, so keep your current window and confirm key login from a new one before closing it.

That completes disabling SSH password login. This one step removes the bulk of the intrusion risk, because automated password guessing is how most VPS get broken into. Of course you must now guard your private key: whoever steals it gets into your server without any password at all (unless you set a passphrase on it).
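The whole procedure above (create ~/.ssh with the right modes, add the key once, then switch sshd_config to key-only logins) as a single script, added here as an example and not code from the original article. It runs against scratch copies unless you set HOME_DIR, SSHD_CONFIG and PUBKEY, which are names assumed for this script; the sample key is a constructed placeholder, not a real key; and the config editing assumes sshd_config contains no Match blocks.

```sh
#!/bin/sh
# Added example, not code from the original article: put a public key into
# authorized_keys with the modes sshd's StrictModes expects, then switch
# sshd_config to key-only logins. Runs against scratch copies by default so it is
# safe to execute as-is; set HOME_DIR, SSHD_CONFIG and PUBKEY (assumed names) for real use.
set -eu

# Constructed sample key line: the base64 is a placeholder, not real key material.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialNotARealKey0000000 showfom-notebook'

# Syntactic check only (key type, base64 body, optional comment).
# For a real key also run: ssh-keygen -l -f <file>
is_pubkey_line() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOMEDIR KEYLINE
# Creates ~/.ssh (0700) and authorized_keys (0600) and appends the key once; a
# second run with the same key (even with a different comment) adds nothing.
install_authorized_key() {
  home=$1; key=$2
  is_pubkey_line "$key" || { echo "refusing malformed key line: $key" >&2; return 1; }
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  body=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
  if ! awk -v b="$body" '($1 " " $2) == b { found = 1 } END { exit !found }' \
       "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
  fi
}

# count_authorized_keys HOMEDIR -> number of key lines in authorized_keys
count_authorized_keys() {
  grep -Ec '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys" || true
}

# set_sshd_option CONFIG KEY VALUE
# Drops every existing line for KEY, commented out or not, and puts "KEY VALUE" at
# the top: sshd honours the FIRST occurrence of an option, and a line appended at
# the end could land inside a Match block. (Assumes no Match block already sets KEY.)
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  { printf '%s %s\n' "$key" "$value"
    grep -Evi "^[[:space:]]*#?[[:space:]]*${key}[[:space:]=]" "$file" || true
  } > "$tmp"
  cat "$tmp" > "$file"   # cat, not mv, keeps the file's owner and mode
  rm -f "$tmp"
}

# sshd_option CONFIG KEY -> the value sshd will use (first occurrence, case-insensitive)
sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$1"
}

harden_sshd_config() {
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  # With UsePAM yes, keyboard-interactive can still ask for a password unless this is off
  set_sshd_option "$1" ChallengeResponseAuthentication no
}

# --- stand-alone run: scratch copies unless HOME_DIR / SSHD_CONFIG / PUBKEY are set ---
scratch=$(mktemp -d)
HOME_DIR=${HOME_DIR:-$scratch/home}
SSHD_CONFIG=${SSHD_CONFIG:-$scratch/sshd_config}
[ -f "$SSHD_CONFIG" ] || printf '#PasswordAuthentication yes\nUsePAM yes\n' > "$SSHD_CONFIG"

install_authorized_key "$HOME_DIR" "${PUBKEY:-$SAMPLE_PUBKEY}"
harden_sshd_config "$SSHD_CONFIG"
echo "keys in $HOME_DIR/.ssh/authorized_keys: $(count_authorized_keys "$HOME_DIR")"
echo "PasswordAuthentication -> $(sshd_option "$SSHD_CONFIG" PasswordAuthentication)"
# Before restarting sshd for real: run sshd -t, and keep a second session open.
```

Run it as-is to see the dry run against the scratch copies; for the real thing, run it as root with HOME_DIR=/root, SSHD_CONFIG=/etc/ssh/sshd_config and PUBKEY set to your own key line, then sshd -t and a restart from a session you keep open. The option is put at the top of the file rather than edited in place because sshd takes the first occurrence it sees, so a duplicate further down, or one inside a Match block, would otherwise win.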


Second, install the CSF firewall to block the IPs of attempted intrusions


CSF is simple to install; a few commands do it:

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

This downloads an archive over plain http and runs its installer as root, so fetch it over https if the vendor offers it and look inside the archive before running install.sh. Be aware too that CSF takes ownership of iptables: it flushes and rewrites the rules whenever it restarts, so it replaces the hand-written iptables rules of the next section rather than complementing them, and its lfd daemon already does the login-failure blocking that Fail2ban does in the fourth section. Pick one firewall manager and one brute-force blocker, not both.

Then run perl /usr/local/csf/bin/csftest.pl to check that the kernel has the iptables modules CSF needs and that the installation succeeded.


To keep the firewall from blocking your own IP by mistake, add the addresses you need to /etc/csf/csf.allow (always permitted) and /etc/csf/csf.ignore (never blocked by lfd), then reload the configuration with csf -r. CSF also starts in testing mode, in which a cron job flushes its rules every few minutes so a mistake cannot lock you out for long; once you have confirmed you can still log in, set TESTING = "0" in /etc/csf/csf.conf and restart it, otherwise lfd will not run.


Third, use iptables to open only the usual ports


Normally only the four common ports 22, 53, 80 and 443 are needed; the following commands allow them.


Flush the existing rules:

iptables -F

Allow port 22 in, and its replies out:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow port 53, which the server needs for DNS lookups:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

Allow the host to talk to itself:

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Allow every IP to reach ports 80 and 443, normally HTTP and HTTPS:

iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Two things to know before relying on this. First, these rules only ever ACCEPT, and the default policy of every chain is ACCEPT, so as written they block nothing. To really open only these ports you must also set the INPUT chain's policy to DROP (iptables -P INPUT DROP), and before doing so add a rule accepting ESTABLISHED,RELATED traffic on INPUT, or replies to the server's own connections (apt, yum, DNS answers) will be dropped, as will your current session if the port 22 rule is ever missing. Do it from a session you can afford to lose and keep a second one open until you have confirmed you can still log in. Second, the --sport 53 rule is weaker than it looks, since anyone can send UDP from source port 53; the ESTABLISHED,RELATED rule admits legitimate DNS answers without it.

Save the configuration (this path is CentOS 6's, where the iptables init script restores it at boot; Debian and Ubuntu use the iptables-persistent package and /etc/iptables/rules.v4):

iptables-save > /etc/sysconfig/iptables

List the active rules to verify them. iptables -L only prints what is loaded and reloads nothing; to reload a saved file use iptables-restore < /etc/sysconfig/iptables.

iptables -L -n -v
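The same "only these ports" firewall as a single ruleset in iptables-save format, which iptables-restore loads atomically instead of rule by rule, added here as an example and not the article's own commands. It includes the two things a hand-typed list of ACCEPT rules leaves out, a DROP default policy on INPUT (without it the ACCEPT rules restrict nothing) and a conntrack rule admitting replies to the server's own connections, and it parametrises the SSH and web ports. SSH_PORT and WEB_PORTS are names assumed for this script.

```sh
#!/bin/sh
# Added example, not from the original article: build the "only these ports" firewall as
# one iptables-save style ruleset that iptables-restore loads atomically (no window where
# the chain is half built). Uses the conntrack match, the successor of "-m state".
set -eu

# firewall_rules SSH_PORT "TCP_PORT ..." -> ruleset on stdout
firewall_rules() {
  ssh_port=$1
  tcp_ports=${2:-}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the host talking to itself
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (ICMP errors etc.)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping and path-MTU discovery
-A INPUT -p icmp -j ACCEPT
# ssh: new connections only, the rest is covered by the ESTABLISHED rule above
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
EOF
  for p in $tcp_ports; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo COMMIT
}

# allowed_tcp_ports < ruleset -> the TCP ports the ruleset opens, in rule order
allowed_tcp_ports() {
  awk '/^-A INPUT -p tcp --dport/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# input_policy < ruleset -> DROP or ACCEPT
input_policy() {
  awk '/^:INPUT / { print $2 }'
}

# Stand-alone run prints the ruleset; "apply" as first argument loads it (root only).
# Keep a second SSH session open until you have confirmed the new rules still let you in.
if [ "${1:-print}" = apply ]; then
  firewall_rules "${SSH_PORT:-22}" "${WEB_PORTS:-80 443}" | iptables-restore
  iptables-save > /etc/sysconfig/iptables   # CentOS 6 path; Debian/Ubuntu: /etc/iptables/rules.v4
else
  firewall_rules "${SSH_PORT:-22}" "${WEB_PORTS:-80 443}"
fi
```

Port 53 needs no INPUT rule of its own: the OUTPUT policy is ACCEPT, so the lookup goes out, and the answer comes back as ESTABLISHED. Because the generated text is a file rather than a sequence of commands, you can review it with a diff against the current iptables-save output before loading anything.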

Fourth, install Fail2ban to block and report the IPs that scan the SSH port


There are a lot of energetic guys who scan for SSH passwords all day. Disabling SSH password login already stops them, but to teach them a lesson you can install Fail2ban, which blocks the offending IPs and can also send an abuse report to the IP's ISP automatically.


Installation on CentOS:

Import the EPEL repository.

CentOS 6.x 32-bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

CentOS 6.x 64-bit:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

(CentOS 6 reached end of life in November 2020; on CentOS 7 and later the repository is simply yum install epel-release.)

Install Fail2ban:

yum -y install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
service fail2ban start

jail.local is read after jail.conf and overrides it, so it only needs to hold the settings you change (enabling the sshd jail, and maxretry, findtime and bantime if you want them different from the defaults). A full copy works, but it shadows every default that later package updates ship.

Installation on Ubuntu/Debian:

apt-get install fail2ban -y

By looking at /var/log/fail2ban.log you will find out which of those energetic guys are scanning your SSH all day.
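What Fail2ban's sshd jail actually does with those log lines, reduced to the maxretry rule and run over a few constructed auth.log lines, added here as an example; it is not code from the original article or from the Fail2ban project. Only the failure count per source address is modelled: real Fail2ban counts only failures inside its findtime window, lifts the ban after bantime, and keeps its bans in a chain of its own. The log lines and addresses are constructed (documentation ranges), not from a real system.

```sh
#!/bin/sh
# Added example, not code from the original article or from the Fail2ban project: the
# maxretry part of what Fail2ban's sshd jail does, re-implemented over constructed
# auth.log lines so the matching logic is visible. findtime and bantime are not modelled.
set -eu

# Constructed sample lines in auth.log / secure format; addresses are documentation ranges.
SAMPLE_AUTH_LOG='Jul  1 10:00:01 vps sshd[1201]: Failed password for root from 203.0.113.10 port 50122 ssh2
Jul  1 10:00:03 vps sshd[1201]: Failed password for root from 203.0.113.10 port 50123 ssh2
Jul  1 10:00:05 vps sshd[1204]: Invalid user admin from 203.0.113.10
Jul  1 10:00:05 vps sshd[1204]: Failed password for invalid user admin from 203.0.113.10 port 50124 ssh2
Jul  1 10:00:07 vps sshd[1206]: Failed password for invalid user oracle from 203.0.113.10 port 50125 ssh2
Jul  1 10:00:09 vps sshd[1208]: Failed password for root from 203.0.113.10 port 50126 ssh2
Jul  1 10:01:00 vps sshd[1210]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul  1 10:01:30 vps sshd[1212]: Accepted publickey for root from 192.0.2.5 port 39822 ssh2: ED25519 SHA256:constructed
Jul  1 10:02:00 vps sshd[1214]: Failed password for root from 198.51.100.7 port 40002 ssh2'

# failures_per_ip LOGTEXT -> "IP COUNT" per source address, sorted by address.
# Counts the two most common sshd failure lines, "Failed password for ..." and
# "Invalid user ...". Successful logins ("Accepted ...") are never counted.
failures_per_ip() {
  printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) print ip, fails[ip] }' | sort
}

# offenders LOGTEXT MAXRETRY -> addresses with at least MAXRETRY failures, one per line
offenders() {
  failures_per_ip "$1" | awk -v max="$2" '$2 + 0 >= max + 0 { print $1 }'
}

# ban_commands LOGTEXT MAXRETRY -> what a ban amounts to at the iptables level
# (printed, not executed; Fail2ban uses its own chain and removes the rule after bantime)
ban_commands() {
  offenders "$1" "$2" | while read -r ip; do
    printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
  done
}

# Stand-alone run; Fail2ban's shipped default is maxretry = 5
echo "failures per source:"
failures_per_ip "$SAMPLE_AUTH_LOG"
echo "would ban (maxretry 5):"
ban_commands "$SAMPLE_AUTH_LOG" 5
```

With the sample above, 203.0.113.10 has six failures and is banned at the default maxretry of 5, while 198.51.100.7 with two is not; lowering maxretry to 2 would ban both. This is also the reason a key-only server still benefits from Fail2ban: the "Failed password" lines keep appearing while password authentication is off, because the scanner still tries, and the ban stops the connection attempts from eating sshd's connection slots.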


Postscript


Because many customers' VPS or servers have been hacked recently, and the cause each time was a very simple root password, I am considering making the VPS I sell password-less out of the box: the customer submits their own SSH key when buying, or the system assigns one, which is a lot safer. Abroad, Amazon EC2, DigitalOcean and hpcloud all let you import your SSH key and disable the password by default, which greatly improves security.


Reprint please cite: Tsutenkaku Tower, Simple security settings after purchasing a Linux VPS server

